WorldClient is a web interface packaged with MDaemon, an email server for Microsoft Windows. An input validation vulnerability exists in WorldClient that allows for an attacker to delete an arbitrary file on the webserver that it resides on. The vulnerability is due to a lack of input validation on the supplied filename for an attachment delete operation.
A remotely exploitable buffer overflow condition has been reported in cachefsd. The overflow occurs in the heap and is reportedly exploitable as valid malloc() chunk structures are overwritten. Successful attacks may result in remote attackers gaining root access on the affected system.
B2 is a news/weblog tool written in php. A variable that is referenced in the PHP scripts does not actually exist. Thus, an attacker may be able to define the value of the variable. By creating a PHP script on the remote side and embedding commands in it, the attacker is able to reference the remote file. This could potentially allow the attacker to execute commands on the vulnerable system.
askSam Web Publisher (versions 1 and 4) is reportedly vulnerable to cross site scripting vulnerability in the as_web.exe (or as_web4.exe) component. This is due to a failure to strip script and HTML when returning error messages that include user input. The same component can also disclose paths on the server when non-existant files are requested.
Spooky Login is a commerical web access control and account management software package designed for Microsoft IIS Webservers. Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login due to a SQL query manipulation vulnerability in the authentication component. By supplying a username of 'admin' and a password of ' OR ''=' it is possible for remote attackers to corrupt the logic of queries such that a successful login will occur regardless of the supplied password.
MyGuestbook is freely available guestbook software. It does not adequately filter script code from various fields, which may enable an attacker to inject script code which will be executed in the web client of an arbitrary user who views the guestbook. Attackers may potentially exploit this issue to hijack web content or to steal cookie-based authentication credentials.
It is possible to create a denial of Service condition by appending a null character to a request for a MS-DOS device name (such as AUX). Multiple malformed requests will cause the server to hang.
A vulnerability exists in some versions of the Performance Co-Pilot (PCP) daemon. It is possible to cause a denial of service condition by sending the daemon a large string of arbitrary data. An example of this exploit is using a Perl script to generate a large string of data and sending it to the PCP daemon via telnet.
Messagerie is a web message board application maintained by La Basse. An issue has been discovered in Messagerie, which could allow an attacker to delete arbitrary user accounts. Reportedly, submitting a specially crafted URL will successfully remove user accounts. It should be noted that known usernames of the system is required.
MiniBB does not filter script code from URL parameters, making it prone to cross-site scripting attacks. This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a website running MiniBB.
Services By CQR