Explore all Exploits:

Confixx PERL Debugging Utility Remote Command Execution Vulnerability

The Confixx PERL debugging utility functionality has been reported to be prone to a remote command execution vulnerability. The issue is reported to occur when a command sequence is appended to an HTTP request for a PERL script resource; the command sequence must be prefixed with a ';' (semicolon) character. When this request is processed, the command sequence will reportedly be executed with the privileges of the process that invokes the Confixx PERL debugging utility.

Input Validation Error in db_mysql_loeschen2.php Script

It has been reported that an input validation error with the potential for use in a SQL injection attack is present in the "db_mysql_loeschen2.php" script. When a user requests the "db_mysql_loeschen2.php" script, one of the parameters that can be passed to the script is "db". The value of this variable is not checked before it is used in an SQL query string. Consequently, malicious users may corrupt the resulting SQL queries by specially crafting a value for the "db" variable.

Microsoft Outlook mailto: URL Argument Injection

Microsoft Outlook is prone to a vulnerability that may permit execution of arbitrary code on client systems. This issue is exposed through Outlook, but will reportedly cause Internet Explorer to load malicious content in the Local Zone. This issue will permit a remote attacker to influence how Outlook is invoked via mailto URIs, allowing for execution of malicious scripting in the Local Zone through an attacker-specified Outlook profile parameter.

PWebServer Remote Directory Traversal Vulnerability

It has been reported that PWebServer is prone to a remote directory traversal vulnerability. This issue is due to a failure of the server process to properly filter user-supplied URI requests. Information acquired by exploiting this issue may be used to aid further attacks against a vulnerable system.

Apple Safari Web Browser Large JavaScript Array Handling Vulnerability

Apple Safari Web Browser is reported to be prone to a security vulnerability related to handling of large JavaScript arrays (with 99999999999999999999999 or 0x23000000 elements). By declaring such an array and then attempting to access it, it may be possible to cause a browser crash. This issue is likely due to memory corruption but it is not known if it could be further exploitable to execute arbitrary code.

VirtuaNews Cross-Site Scripting Vulnerabilities

It has been reported that the VirtuaNews non-default modules 'Files' and 'Vulns' are prone to multiple cross-site scripting vulnerabilities. These problems stem from the application's failure to properly validate user-supplied URI input. When exploited, these issues allow an attacker to execute arbitrary script and HTML code in the context of the vulnerable application. The supplied code is rendered in the browser in the context of the affected application. This may allow an attacker to craft a malicious link, facilitating a cross-site scripting attack. Attackers may exploit this vulnerability to steal authentication credentials. Other attacks may also be possible.

Multiple vulnerabilities in SpiderSales

SpiderSales is prone to an SQL injection vulnerability that may allow an attacker to gain administrative-level access to the underlying database. The issues exist due to improper implementation of the RSA cryptosystem by SpiderSales and failure to sanitize user-supplied input via the 'userId' URI parameter employed by various scripts.

Cross-Zone Scripting Vulnerability in Microsoft Internet Explorer

Cross-Zone Scripting is a vulnerability in Microsoft Internet Explorer that allows malicious scripts and Active Content to access document properties across different Security Zones and foreign domains. This vulnerability is exposed when search panes are opened via the window.open method. It is possible for malicious script code to access the properties of a foreign domain opened within the search pane. An example of this vulnerability is demonstrated in the code snippets provided, where a malicious script is used to create a file on the user's desktop.

Recent Exploits: