CVE-2010-1117
Heap-based buffer overflow in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to discover the base address of a Windows .dll file, and possibly have unspecified other impact, via unknown vectors, as...
LookMer Music Portal stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for dbmdb/LookMerSarkiMDB.mdb. Date published : 2010-03-25 http://www.packetstormsecurity.com/1001-exploits/lookmer-disclose.txt http://osvdb.org/61845
Directory traversal vulnerability in news/include/customize.php in Web Server Creator – Web Portal 0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the l parameter. Date published : 2010-03-25 http://www.securityfocus.com/bid/37841...
Multiple PHP remote file inclusion vulnerabilities in Web Server Creator – Web Portal 0.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pg parameter to index.php and the...
Cross-site scripting (XSS) vulnerability in the forum page in Web Server Creator – Web Portal 0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to index.php. Date published :...
Cross-site scripting (XSS) vulnerability in cat.php in KloNews 2.0 allows remote attackers to inject arbitrary web script or HTML via the cat parameter. Date published : 2010-03-25 http://packetstormsecurity.org/1001-exploits/klonews-xss.txt http://secunia.com/advisories/38268
Multiple cross-site scripting (XSS) vulnerabilities in Jokes Complete Website allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to joke.php and the (2) searchingred parameter to results.php. Date...
Directory traversal vulnerability in index.php in phpMySport 1.4 allows remote attackers to list arbitrary directories via a .. (dot dot) in the current_folder parameter. Date published : 2010-03-25 http://www.securityfocus.com/bid/37856 http://packetstormsecurity.org/1001-exploits/phpmysport-sqlaccess.txt
Multiple SQL injection vulnerabilities in index.php in phpMySport 1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) v2 parameter in a member view action, (2) v1 parameter...
Cross-site scripting (XSS) vulnerability in the Control Panel module 5.x through 5.x-1.5 and 6.x through 6.x-1.2 for Drupal allows remote authenticated users, with "administer blocks" privileges, to inject arbitrary web script or HTML via...
Cross-site scripting (XSS) vulnerability in the Recent Comments module 5.x through 5.x-1.2 and 6.x through 6.x-1.0 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a "custom block title...
PHP remote file inclusion vulnerability in cgi/index.php in AdvertisementManager 3.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the req parameter. NOTE: this can also be leveraged to include and...
Cross-site scripting (XSS) vulnerability in cgi/index.php in AdvertisementManager 3.1.0 and 3.6 allows remote attackers to inject arbitrary web script or HTML via the usr parameter. Date published : 2010-03-25 http://www.securityfocus.com/bid/40151 http://www.packetstormsecurity.com/1001-exploits/advertisemanager-xssrfitraversal.txt
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors...