Tag: My Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB IDs 50321, 50322, 50323, 50324] Release Date: 2008-12-01Application: Octeth Technologies, Oempro 3.5.5.1Cross Ref: CVE-2008-3057, CVE-2008-3058, CVE-2008-3059OSVDB: 50321 .. 50324Reference: http://osvdb.org/ref/50/oempro.txt Description: “What is Oempro? Newsletters, product release announcement emails, e-cards, happy birthday emails, email reminders, auto responders, simply all kind of emails can easily be generated…

[This was originally disclosed on the VIM mail list. VulnDB IDs 90794, 90795, 90796. This was the result of watching Apache logs on attrition.org and observing a wide variety of RFI attacks. I started comparing some of the scripts being attempted with OSVDB and noticed some were not found. That means these were essentially 0days…

http://www.intralearn.com/ 1) Cross-site Scripting (XSS) URL Variables/library/description_link.cfm outline, course/library/courses_catalog.cfm records_to_display, the_start 2) Login Information Cached In Memory The login POST requests for the IntraLearn returns a 200 OK HTTP response code. As long as the browser window is not closed, it is possible for someone to use the browsers “Back” button until the page after…

[This was originally disclosed on the VIM mail list. VulnDB ID 34154] Watchfire’s Appscan product looks for this vulnerability (not sure what they officially title it, the title above is my own), but I can’t find any reference to it. Google finds a lot of indirect references suggesting it is common knowledge to the folks…

[This was originally published on OSVDB, now gone. VulnDB IDs 24302, 24303] Comment left on feedback page:http://www.brunox.org/modules.php?op=modload&name=FeedBack&file=index While testing your demo of Annuaire (Directory), I noticed a few security vulnerabilities: Many pages are calling /include/lang-en.php which is showing the full installation path. Additionally, directly requesting this script will reveal the full path. inscription.php The comment…

[This was originally published on OSVDB, now gone. VulnDB ID 24255] From: security curmudgeonTo: jflechtner[at]users.sourceforge.netDate: Tue, 28 Mar 2006 11:25:02 -0500 (EST)Subject: ARIA security issue Hey Josh, Not sure if you are still maintaining this project, but while playing with the demo I noticed a small security issue. The genmessage.php script doesn’t sanitize user input…

[This was originally published on OSVDB, now gone. VulnDB 24235, 24236, 24237, 24238] Ticket has been submitted. The ticket number is SCR00994. While looking at some of your scripts, I noticed there are a few security issues: UPOINT @1 Event Publishereventpublisher_admin.htm does not validate input to the Event, Description, Time, Website, and Public Remarks fields.…