| OSVDB ID | Disclosure Date | Title | Description |
| --- | --- | --- | --- |
| 9389 | 2004-08-30 | Xedus Webserver TestServer.x username Parameter XSS | Xedus Webserver contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "username" variable upon submission to the "TestServer.x" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 9390 | 2004-08-30 | Xedus Webserver testgetrequest.x username Parameter XSS | Xedus Webserver contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'testgetrequest.x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 9391 | 2004-08-30 | Xedus Webserver Traversal Arbitrary File Access | Xedus Webserver contains a flaw that may allow a malicious user to access files outside the web root via directory traversal, resulting in a loss of confidentiality. The issue is triggered when a user supplies a specially crafted link containing directory traversal characters. |
| 9174 | 2004-08-24 | Easy File Sharing Web Server disk_c Virtual Folder Request Arbitrary File Access | Easy File Sharing Web Server contains a flaw that may allow a malicious user to bypass username checks. The issue is triggered when an attacker makes a request directly to the virtual folder disk_c. It is possible that the flaw may allow read access to the entire filesystem, resulting in a loss of confidentiality. |
| 9175 | 2004-08-24 | Easy File Sharing Web Server HTTP Request Saturation DoS | Easy File Sharing Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when a number of large HTTP requests are sent, and will result in loss of availability for the service and possibly the platform by using all available CPU resources. |
| 9180 | 2004-08-23 | LiveWorld Multiple Products Multiple XSS | Multiple LiveWorld products, such as LiveForum, LiveQ&A, LiveChat and Focus Groups, contain flaws that allow a remote cross site scripting attack. These flaws exist because the applications do not validate certain variables upon submission to some scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 8592 | 2004-08-11 | Keene Digital Media Server Encoded Request Arbitrary File Access | Keene Digital Media Server contains a flaw that allows a remote attacker to view arbitrary files. The issue is due to the server not sanitizing URL requests. With a specially crafted URL request containing %2E and %5C characters, a remote attacker could view arbitrary files outside of the web root. |
| 4771 | 2004-03-28 | PhotoPost addfav.php photo Parameter SQL Injection | PhotoPost contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'photo' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 10261 | 2004-03-28 | PhotoPost PHP Pro comments.php Multiple Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple variables in the 'comments.php' script are not verified properly, which will allow an attacker to inject or manipulate SQL queries. |
| 10262 | 2004-03-28 | PhotoPost PHP Pro index.php cat Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' variable in the 'index.php' script is not verified properly, which will allow an attacker to inject or manipulate SQL queries. |
| 10263 | 2004-03-28 | PhotoPost PHP Pro showgallery.php Multiple Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple variables in the 'showgallery.php' script are not verified properly, which will allow an attacker to inject or manipulate SQL queries. |
| 10264 | 2004-03-28 | PhotoPost PHP Pro uploadphoto.php cat Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' variable in the 'uploadphoto.php' script is not verified properly, which will allow an attacker to inject or manipulate SQL queries. |
| 10265 | 2004-03-28 | PhotoPost PHP Pro useralbums.php Multiple Parameter SQL Injection | PhotoPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple variables in the 'useralbums.php' script are not verified properly, which will allow an attacker to inject or manipulate SQL queries. |
| 10266 | 2004-03-28 | PhotoPost PHP Pro showmembers.php Multiple Parameter XSS | PhotoPost PHP Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'showmembers.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 10267 | 2004-03-28 | PhotoPost PHP Pro Photo Description Command Injection | PhotoPost PHP Pro contains a flaw that may allow a remote attacker to inject arbitrary commands. The issue is triggered due to improper validation of user-supplied input in certain fields (e.g. photo descriptions). It is possible that the flaw may allow a remote attacker to inject arbitrary commands in the photo description field, which will be executed once an administrative user views an album, resulting in a loss of integrity. |
| 4333 | 2004-03-15 | Phorum register.php HTTP_REFERER XSS | Phorum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'HTTP_REFERER' parameter upon submission to the 'register.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 4334 | 2004-03-15 | Phorum login.php HTTP_REFERER XSS | Phorum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'HTTP_REFERER' parameter upon submission to the 'login.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 4335 | 2004-03-15 | Phorum profile.php target Parameter XSS | Phorum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'target' variable upon submission to the 'profile.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 4646 | 2003-06-03 | Pablo FTP Service Cleartext Passwords | Pablo FTP Service contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plaintext passwords when the anonymous account is enabled, which may lead to a loss of confidentiality. |
| 4647 | 2003-06-03 | Pablo FTP Service Arbitrary File Retrieval | Pablo FTP Service contains a flaw that may allow a remote attacker to retrieve arbitrary files. The problem is that the anonymous account defaults to allow download privileges of any file on the system. It is possible that the flaw may allow a remote attacker to retrieve any file in the C:\ directory, resulting in a loss of confidentiality. |