CVE-2009-2659
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary...
Directory traversal vulnerability in ZNC before 0.072 allows remote attackers to overwrite arbitrary files via a crafted DCC SEND request. Date published : 2009-08-04 http://en.znc.in/w/index.php?title=ZNC&oldid=3209#WARNING http://en.znc.in/wiki/ChangeLog/0.072
nilfs-utils before 2.0.14 installs multiple programs with unnecessary setuid privileges, which allows local users to execute arbitrary commands via the device string in a -c command line option to mkfs.nilfs2. Date published : 2009-08-04...
Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply. Date published : 2009-08-04...
Apple GarageBand before 5.1 reconfigures Safari to accept all cookies regardless of domain name, which makes it easier for remote web servers to track users. Date published : 2009-08-04 http://lists.apple.com/archives/security-announce/2009/Aug/msg00000.html http://www.securityfocus.com/bid/35926
login.php in 3CX Phone System 6.0.806.0, when 100% disk capacity is reached, allows remote attackers to gain sensitive information via unspecified vectors that reveal the installation path. Date published : 2009-08-03 http://marc.info/?l=full-disclosure&m=122868146707468&w=2 https://exchange.xforce.ibmcloud.com/vulnerabilities/52452
3CX Phone System 6.0.806.0 allows remote attackers to cause a denial of service (unstable service or crash) via unspecified vectors, as demonstrated by vulnerability scans from Nessus or SAINT. Date published : 2009-08-03 http://marc.info/?l=full-disclosure&m=122868146707468&w=2...
Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fName and (2) fPassword parameters....
Cross-site scripting (XSS) vulnerability in Alt-N MDaemon WorldClient 10.0.2, when Internet Explorer 7 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted img tag. Date published : 2009-08-03...
SQL injection vulnerability in lire/index.php in Peel 3.1 allows remote attackers to execute arbitrary SQL commands via the rubid parameter. NOTE: this might be the same issue as CVE-2005-3572. Date published : 2009-08-03 http://www.securityfocus.com/bid/32715...
Multiple cross-site scripting (XSS) vulnerabilities in ASP Forum Script allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id parameter to (a) new_message.asp and (b) messages.asp, and the (2) query...
SQL injection vulnerability in messages.asp in ASP Forum Script allows remote attackers to execute arbitrary SQL commands via the message_id parameter. Date published : 2009-08-03 http://www.securityfocus.com/bid/32571 http://packetstormsecurity.org/0812-exploits/aspforum-cmsqlxss.txt
SQL injection vulnerability in Merchantsadd.asp in ASPReferral 5.3 allows remote attackers to execute arbitrary SQL commands via the AccountID parameter. Date published : 2009-08-03 http://www.securityfocus.com/bid/32534 https://www.exploit-db.com/exploits/7274
Cross-site scripting (XSS) vulnerability in signup.asp in Pre Classified Listings 1.0 allows remote attackers to inject arbitrary web script or HTML via the address parameter. Date published : 2009-08-03 http://www.securityfocus.com/bid/32567 http://packetstormsecurity.org/0812-exploits/preclass-sqlxss.txt