[CLOSE] OSVDB ID : 15701 - Disclosed: 2005-04-19

Description:

AZ Bulletin Board contains a flaw that may allow a malicious admin to delete arbitrary files. The issue is triggered when an input validation error occurs in admin_avatar.php. It is possible that the flaw may allow arbitrary file deletion resulting in a loss of availability.

[CLOSE] OSVDB ID : 15702 - Disclosed: 2005-04-19

Description:

AZ Bulletin Board contains a flaw that may allow a malicious admin to delete arbitrary files. The issue is triggered when an input validation error occurs in admin_attachment.php. It is possible that the flaw may allow arbitrary file deletion resulting in a loss of availability.

[CLOSE] OSVDB ID : 15703 - Disclosed: 2005-04-19

Description:

AZ Bulletin Board contains a flaw related to the input validation errors in "admin_avatar.php" and "admin_attachment.php" that may allow an attacker to exploited to delete arbitrary files.Input passed to the "dir_src" and "abs_layer" parameters in "main_index.php" isn't properly verified, before it is used to include files. This may be exploited to include arbitrary files from external and local resources.An input validation error in "attachment.php" can be exploited to enumerate local files via the "attachment" parameter.

[CLOSE] OSVDB ID : 15649 - Disclosed: 2005-04-15

Description:

eGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'ab_id', 'page', 'lang' or 'type' parameters upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 15750 - Disclosed: 2005-04-15

Description:

eGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page' or 'lang' variables upon submission to the wiki/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 15751 - Disclosed: 2005-04-15

Description:

eGropuWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the category_id variable upon submission to the sitemgr-site/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 15752 - Disclosed: 2005-04-15

Description:

eGroupWare contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'filter' variable in the tts/index.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 15753 - Disclosed: 2005-04-15

Description:

eGroupWare contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'cats_app' variable in the index.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 15426 - Disclosed: 2005-04-10

Description:

ModernBill contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'c_code' or 'aid' variables upon submission to the orderwiz.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 15427 - Disclosed: 2005-04-10

Description:

ModernBill contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to news.php not properly sanitizing user input supplied to the 'DIR' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 15160 - Disclosed: 2005-03-29

Description:

phpCOIN contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that user-supplied input in the 'Search For' field is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 15161 - Disclosed: 2005-03-29

Description:

phpCOIN contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that user-supplied input in the 'Domain Name' field when ordering a product is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 15162 - Disclosed: 2005-03-29

Description:

phpCOIN contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that user-supplied input in the 'username' and 'email' fields when requesting a forgotten password are not verified properly and will allow a remote attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 15163 - Disclosed: 2005-03-29

Description:

phpCOIN contains a flaw that allows a remote attacker to arbitrary access files outside of the web path. The issue is due to the 'auxpage.php' script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the 'page' variable.

[CLOSE] OSVDB ID : 12703 - Disclosed: 2005-01-03

Description:

ReviewPost PHP Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'si' variables upon submission to the 'showcat.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12704 - Disclosed: 2005-01-03

Description:

ReviewPost PHP Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'showproduct.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12705 - Disclosed: 2005-01-03

Description:

ReviewPost PHP Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'report' variables upon submission to the 'reportproduct.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12706 - Disclosed: 2005-01-03

Description:

ReviewPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' parameter in the 'showcat.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12707 - Disclosed: 2005-01-03

Description:

ReviewPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'product' parameter in the 'addfav.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12708 - Disclosed: 2005-01-03

Description:

(Description Provided by CVE) : ReviewPost PHP Pro before 2.84 allows remote attackers to upload and execute arbitrary PHP files by posting a review file with multiple extensions, which bypasses the intended restrictions.

[CLOSE] OSVDB ID : 12741 - Disclosed: 2005-01-03

Description:

PhotoPost PHP Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'showgallery.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12742 - Disclosed: 2005-01-03

Description:

PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'showgallery.php' script are not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12737 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that may allow a remote attacker to upload arbitrary files. The issue is triggered due to the improper handling of file names with multiple extensions. It is possible that the flaw may allow a remote attacker to upload arbitrary PHP files, which could execute arbitrary code resulting in a loss of integrity.

[CLOSE] OSVDB ID : 12728 - Disclosed: 2005-01-01

Description:

PhotoPost Classified contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'si' variables upon submission to the 'showcat.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12729 - Disclosed: 2005-01-01

Description:

PhotoPost Classified contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'report' variables upon submission to the 'reportproduct.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12730 - Disclosed: 2005-01-01

Description:

PhotoPost Classified contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'productid' variables upon submission to the 'contact.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12731 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'showproduct.php' script are not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12732 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'productid' parameter in the 'contact.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12733 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'product' parameter in the 'addfav.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12734 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' parameter in the 'showcat.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12735 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' parameter in the 'index.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12736 - Disclosed: 2005-01-01

Description:

PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cedit' parameter in the 'comments.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 12597 - Disclosed: 2004-12-24

Description:

Help Center Live contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the find variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12598 - Disclosed: 2004-12-24

Description:

Help Center Live contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to pipe.php not properly sanitizing user input supplied to the HCL_path variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 12631 - Disclosed: 2004-12-24

Description:

Help Center Live contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to skin.php not properly sanitizing user input. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 12390 - Disclosed: 2004-12-14

Description:

phpGroupware contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a specially crafted URL request to the 'preferences.php' script, which will disclose the installation path resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 12391 - Disclosed: 2004-12-14

Description:

phpGroupware contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a specially crafted URL request to the 'index.php' script, which will disclose the installation path resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 12392 - Disclosed: 2004-12-14

Description:

phpGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'kp3' variables upon submission to the 'index.php' script ('wiki' directory). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12393 - Disclosed: 2004-12-14

Description:

phpGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12394 - Disclosed: 2004-12-14

Description:

phpGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'ticket_id' variables upon submission to the 'viewticket_details.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.