| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 12735 | 2005-01-01 | PhotoPost Classifieds index.php cat Parameter SQL Injection | PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' parameter in the 'index.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 12736 | 2005-01-01 | PhotoPost Classifieds comments.php cedit Parameter SQL Injection | PhotoPost Classifieds contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cedit' parameter in the 'comments.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 12597 | 2004-12-24 | Help Center Live index.php find Parameter XSS | Help Center Live contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'find' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12598 | 2004-12-24 | Help Center Live pipe.php Arbitrary Command Execution | Help Center Live contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'pipe.php' not properly sanitizing user input supplied to the 'HCL_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 12631 | 2004-12-24 | Help Center Live skin.php Arbitrary Command Execution | Help Center Live contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'skin.php' not properly sanitizing user input. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 12390 | 2004-12-14 | phpGroupWare preferences.php Path Disclosure | phpGroupWare contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a specially crafted URL request to the 'preferences.php' script, which will disclose the installation path, resulting in a loss of confidentiality. |
| 12391 | 2004-12-14 | phpGroupWare index.php Path Disclosure | phpGroupWare contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a specially crafted URL request to the 'index.php' script, which will disclose the installation path, resulting in a loss of confidentiality. |
| 12392 | 2004-12-14 | phpGroupWare wiki/index.php kp3 Parameter XSS | phpGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'kp3' variable upon submission to the 'index.php' script in the 'wiki' directory. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12393 | 2004-12-14 | phpGroupWare index.php Multiple Parameter XSS | phpGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12394 | 2004-12-14 | phpGroupWare viewticket_details.php ticket_id Parameter XSS | phpGroupWare contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'ticket_id' variable upon submission to the 'viewticket_details.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12395 | 2004-12-14 | phpGroupWare viewticket_details.php ticket_id Parameter SQL Injection | phpGroupWare contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'ticket_id' parameter in the 'viewticket_details.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 12396 | 2004-12-14 | phpGroupWare index.php Multiple Parameter SQL Injection | phpGroupWare contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'index.php' script are not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 12120 | 2004-12-01 | SugarCRM Multiple Module XSS | SugarCRM contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input upon submission to multiple modules. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12228 | 2004-12-01 | SugarCRM Direct Script Call XSS | SugarCRM contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input when certain scripts are called directly. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12229 | 2004-12-01 | SugarCRM Multiple Module record Parameter SQL Injection | SugarCRM contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'record' parameter in multiple modules is not verified properly and will allow a remote attacker to inject or manipulate SQL queries. |
| 12230 | 2004-12-01 | SugarCRM Multiple Module Traversal Arbitrary File Access | SugarCRM contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to multiple modules not properly sanitizing user-supplied input. This may allow a remote attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 13269 | 2004-12-01 | SugarCRM Module Path Disclosure | SugarCRM contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input upon submission to multiple modules. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 10380 | 2004-09-27 | dBpowerAMP Multiple Products Playlist File Overflow | A remote overflow exists in dBpowerAMP Music Converter and Audio Player. The application fails to perform proper bounds checking, resulting in a buffer overflow. With a specially crafted playlist file (*.pls or *.m3u), a remote attacker can cause arbitrary code execution or cause the applications to crash, resulting in a loss of integrity and/or availability. |
| 11126 | 2004-09-27 | dBpowerAMP Multiple Products .mcc File Overflow | A remote overflow exists in dBpowerAMP Music Converter and Audio Player. The application fails to perform proper bounds checking, resulting in a buffer overflow. With a specially crafted *.mcc file, a remote attacker can cause arbitrary code execution or cause the applications to crash, resulting in a loss of integrity and/or availability. |
| 11127 | 2004-09-27 | dBpowerAMP Multiple Products ID3 Tags Overflow | A remote overflow exists in dBpowerAMP Music Converter and Audio Player. The application fails to perform proper bounds checking, resulting in a buffer overflow. With a specially crafted mp3 file containing malformed ID3 tags, a remote attacker can cause arbitrary code execution or cause the applications to crash, resulting in a loss of integrity and/or availability. |
| 10176 | 2004-09-20 | EmuLive Server4 Double Slash Admin Access Restriction Bypass | EmuLive Server4 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a specially crafted URL is used, which will disclose Administrator information, resulting in a loss of confidentiality. |
| 10177 | 2004-09-20 | EmuLive Server4 Multiple Carriage Return DoS | EmuLive Server4 contains a flaw that may allow a remote denial of service. The issue is triggered by sending a malicious TCP packet to a specific port, and will result in a loss of availability for the platform. |
| 10038 | 2004-09-16 | DNS4Me GET Request XSS | DNS4Me contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate HTTP GET requests. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 10039 | 2004-09-16 | DNS4Me Web Server GET Request Overflow DoS | DNS4Me contains a flaw that may allow a remote denial of service. The issue is triggered when sending a large amount of data to port 80, which causes the service to consume all available CPU resources and eventually crash, resulting in a loss of availability. |
| 9444 | 2004-08-31 | phpWebSite Calendar Module cal_template Parameter SQL Injection | phpWebSite contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "cal_template" variable in the Calendar Module is not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 9445 | 2004-08-31 | phpWebSite Comment Module CM_pid XSS | phpWebSite contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "CM_pis" variable upon submission to the Comment Module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 9446 | 2004-08-31 | phpWebSite Notes Module Multiple Field Script Injection | phpWebSite contains a flaw that may allow a malicious user to execute arbitrary scripts within a user's browser. The issue is triggered when a malicious user sends specially crafted scripts via the 'subject' and 'message' fields within the Notes module. It is possible that the flaw may allow the execution of the script within the user's browser in the context of the affected phpWebSite while accessing the Notes module, resulting in a loss of integrity. |
| 9447 | 2004-08-31 | phpWebSite Administrator Forced Command Execution | phpWebSite contains a flaw that may allow a malicious user to force an administrator to execute malicious code. The issue is triggered when a malicious user sends specially crafted code to an administrator which forces commands to be executed via POST requests instead of GET requests, bypassing some authentication checks. It is possible that the flaw may allow a remote attacker to create an administrative account and/or take over the system, resulting in a loss of confidentiality and/or integrity. |
| 9387 | 2004-08-30 | Xedus Webserver Connection Saturation DoS | Xedus Webserver contains a flaw that may allow a remote denial of service. The issue is triggered when establishing multiple connections from the same host, which causes the Web server to stop accepting requests from other users, resulting in a loss of availability for the server. |
| 9388 | 2004-08-30 | Xedus Webserver test.x username Parameter XSS | Xedus Webserver contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'test.x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 9389 | 2004-08-30 | Xedus Webserver TestServer.x username Parameter XSS | Xedus Webserver contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'TestServer.x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 9390 | 2004-08-30 | Xedus Webserver testgetrequest.x username Parameter XSS | Xedus Webserver contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'testgetrequest.x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 9391 | 2004-08-30 | Xedus Webserver Traversal Arbitrary File Access | Xedus Webserver contains a flaw that may allow a malicious user to access files outside the web root via directory traversal, resulting in a loss of confidentiality. The issue is triggered when a user supplies a specially crafted link containing directory traversal characters. |
| 9174 | 2004-08-24 | Easy File Sharing Web Server disk_c Virtual Folder Request Arbitrary File Access | Easy File Sharing Web Server contains a flaw that may allow a malicious user to bypass username checks. The issue is triggered when an attacker makes a request directly to the virtual folder 'disk_c'. It is possible that the flaw may allow read access to the entire filesystem, resulting in a loss of confidentiality. |
| 9175 | 2004-08-24 | Easy File Sharing Web Server HTTP Request Saturation DoS | Easy File Sharing Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when a number of large HTTP requests are sent, and will result in a loss of availability for the service, and possibly the platform, by using all available CPU resources. |
| 9180 | 2004-08-23 | LiveWorld Multiple Products Multiple XSS | Multiple LiveWorld products, such as LiveForum, LiveQ&A, LiveChat and Focus Groups, contain flaws that allow a remote cross site scripting attack. These flaws exist because the applications do not validate certain variables upon submission to some scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 8592 | 2004-08-11 | Keene Digital Media Server Encoded Request Arbitrary File Access | Keene Digital Media Server contains a flaw that allows a remote attacker to view arbitrary files. The issue is due to the server not sanitizing URL requests. With a specially crafted URL request containing %2E and %5C characters, a remote attacker could view arbitrary files outside of the web root. |
| 4771 | 2004-03-28 | PhotoPost addfav.php photo Parameter SQL Injection | PhotoPost contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'photo' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 10261 | 2004-03-28 | PhotoPost PHP Pro comments.php Multiple Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple variables in the 'comments.php' script are not verified properly and will allow an attacker to inject or manipulate SQL queries. |
| 10262 | 2004-03-28 | PhotoPost PHP Pro index.php cat Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' variable in the 'index.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries. |