| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 18634 | 2005-08-07 | Gravity Board X adminform.php Direct Request Path Disclosure | Gravity Board X contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a direct request to the 'adminforum.php' script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18635 | 2005-08-07 | Gravity Board X /forms/ Directory Multiple Script Path Disclosure | Gravity Board X contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes direct requests to multiple scripts in the 'forms' directory, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18549 | 2005-08-04 | FlatNuke structure.php Direct Request Path Disclosure | FlatNuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a direct request to the 'structure.php' script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18550 | 2005-08-04 | FlatNuke index.php mod Variable Path Disclosure | FlatNuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides malformed input to the 'mod' variable in the 'index.php' script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18551 | 2005-08-04 | FlatNuke structure.php Multiple Parameter XSS | FlatNuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'bodycolor', 'backimage', 'theme' and 'logo' variables upon submission to the 'structure.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18552 | 2005-08-04 | FlatNuke footer.php Multiple Parameter XSS | FlatNuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'admin', 'admin_mail' and 'back' variables upon submission to the 'footer.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18553 | 2005-08-04 | FlatNuke News Submission Body XSS | FlatNuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the content of news items upon submission to a moderator. This could allow a user to create a specially crafted news item that would execute arbitrary code in a moderator's browser within the trust relationship between the browser and the server, possibly allowing an attacker to steal authentication cookies or other information of a privileged account, leading to a loss of integrity. |
| 18554 | 2005-08-04 | FlatNuke User Signature Arbitrary Command Execution | FlatNuke contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the program not properly sanitizing user input supplied to the user registration function. This may allow an attacker to include an arbitrary command in the user registration file [username].php which can be executed by the attacker. |
| 18517 | 2005-08-03 | SilverNews login.php username Field SQL Injection | SilverNews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the "login.php" script not properly sanitizing user-supplied input to the username field. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 18524 | 2005-07-29 | web content management AddModifyInput.php Remote Privilege Escalation | web content management contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a regular user accesses AddModifyInput.php and is granted permission to create a privileged administrator account. |
| 18451 | 2005-07-29 | PHPFreeNews Footer.php ScriptVersion Parameter XSS | PHPFreeNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'ScriptVersion' variable upon submission to the Footer.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18452 | 2005-07-29 | PHPFreeNews ScriptFunctions.php Multiple Parameter XSS | PHPFreeNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'NewsDir', 'PopupWidth', or 'PopupHeight' variables upon submission to the ScriptFunctions.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18453 | 2005-07-29 | PHPFreeNews Logout.php Arbitrary Site Redirect | PHPFreeNews contains a flaw that may allow a remote attacker to trick a user into visiting an arbitrary site under the apparent trust of a legitimate site. The issue is due to the Logout.php script providing a site redirect to an arbitrary web site. This may give an attacker a way to trick a user into clicking what appears to be a legitimate URL of a valid site, but really leads them to an arbitrary site with malicious content. |
| 18454 | 2005-07-29 | PHPFreeNews /inc/ Multiple Script Direct Request Path Disclosure | PHPFreeNews contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker directly requests any number of scripts in the /inc/ directory, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18455 | 2005-07-29 | PHPFreeNews admin.php Information Disclosure | PHPFreeNews contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker visits the admin.php script, which will disclose the PHP and MySQL versions resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18456 | 2005-07-29 | PHPFreeNews Default Admin Account Password | By default, PHPFreeNews installs with a default password. The 'Admin' account has a password of 'Admin' which is publicly known and documented. This allows attackers to trivially access the program or system. |
| 18457 | 2005-07-29 | PHPFreeNews Login password Field SQL Injection | PHPFreeNews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Login routine not properly sanitizing user-supplied input to the 'password' field. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 18277 | 2005-07-25 | Netquery nq_log.txt User Activity Remote Disclosure | Netquery contains a flaw that may lead to an unauthorized information disclosure. The issue is that the nqlog.txt file is publicly available, which will disclose user activity information resulting in a loss of confidentiality. |
| 18278 | 2005-07-25 | Netquery submit.php portnum Parameter XSS | Netquery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'portnum' variable upon submission to the 'submit.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18279 | 2005-07-25 | Netquery nqgeoip2.php Multiple Parameter XSS | Netquery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'step' and 'body' variables upon submission to the 'nqgeoip2.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18280 | 2005-07-25 | Netquery nqgeoip.php step Parameter XSS | Netquery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'step' variable upon submission to the 'nqgeoip.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18281 | 2005-07-25 | Netquery nqports.php step Parameter XSS | Netquery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'step' variable upon submission to the 'nqports.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18282 | 2005-07-25 | Netquery nqports2.php Multiple Parameter XSS | Netquery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'step' and 'body' variables upon submission to the 'nqports2.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18283 | 2005-07-25 | Netquery portlist.php portnum Parameter XSS | Netquery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'portnum' variable upon submission to the 'portlist.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18486 | 2005-07-24 | FlexPHPNews index.php Multiple Parameter XSS | FlexPHPNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'front_indextitle', 'front_searchsubmit', and 'front_latestnews' variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18487 | 2005-07-24 | FlexPHPNews news.php Multiple Parameter XSS | FlexPHPNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'newsid', 'front_rating', 'salt', 'front_letmerateit', 'front_ratebest', 'front_ratesubmit', and 'front_searchsubmit' variables upon submission to the 'news.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18488 | 2005-07-24 | FlexPHPNews search.php Multiple Parameter XSS | FlexPHPNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'front_searchresult' and 'front_searchsubmit' variables upon submission to the 'search.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18489 | 2005-07-24 | FlexPHPNews catalog.php Multiple Parameter XSS | FlexPHPNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'front_searchsubmit', 'front_latestnews' and 'catalogid' variables upon submission to the 'catalog.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18490 | 2005-07-24 | FlexPHPNews usercheck.php logincheck Variable Path Disclosure | FlexPHPNews contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides malformed input to the 'logincheck' variable in the 'usercheck.php' script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 18491 | 2005-07-24 | FlexPHPNews news.php Large Value DoS | FlexPHPNews contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker provides an overly long value to the 'prenumber' and/or 'nextnumber' variables in the 'news.php' script, which causes the application to consume all available CPU resources resulting in a loss of availability. |
| 18492 | 2005-07-24 | FlexPHPNews usercheck.php Admin Login Multiple Field SQL Injection | FlexPHPNews contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'usercheck.php' script not properly sanitizing user-supplied input to the 'username' and 'password' fields. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database. |
| 18295 | 2005-07-22 | phpBook guestbook.php admin Parameter XSS | phpBook contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'admin' variable upon submission to the 'guestbook.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18142 | 2005-07-21 | PHPSiteSearch search.php query Parameter XSS | PHPSiteSearch contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'query' variable upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18143 | 2005-07-21 | Ultimate PHP Board (UPB) send.php css Parameter XSS | Ultimate PHP Board (UPB) Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'css' variable upon submission to the send.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18144 | 2005-07-21 | Ultimate PHP Board (UPB) users.php css Parameter XSS | Ultimate PHP Board (UPB) Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'css' variable upon submission to the users.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18145 | 2005-07-21 | Ultimate PHP Board (UPB) top.php css Parameter XSS | Ultimate PHP Board (UPB) Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'css' variable upon submission to the top.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18146 | 2005-07-21 | Ultimate PHP Board (UPB) main.php css Parameter XSS | Ultimate PHP Board (UPB) Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'css' variable upon submission to the main.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18147 | 2005-07-21 | Ultimate PHP Board (UPB) header.php title Parameter XSS | Ultimate PHP Board (UPB) Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'title' variable upon submission to the header.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18227 | 2005-07-20 | Asn Guestbook header.php version Parameter XSS | Asn Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'version' variable upon submission to the 'header.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 18228 | 2005-07-20 | Asn Guestbook footer.php version Parameter XSS | Asn Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'version' variable upon submission to the 'footer.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |