Search | Research | Contact Us Sunday September 11, 2021
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 eBay And Amazon Still Vulnerable
  4 When Small Mistakes Can Cause Big Problems
  5 Woltlab Burning Board SQL Injection Vulnerability
  6 Multiple Vulnerabilities In phpWebsite
  7 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  8 Critical Vulnerability In Help Center Live
  9 dbPowerAmp Buffer Overflow And DoS Vulnerabilities
10 Document Object Model Hijacking Explained
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Simple Machines Forum SQL Injection July 03, 2022
SMF or Simple Machines Forum as it is probably better known as is a very popular forum system, and developed by members of the YaBB SE development team. Simple Machine Forums versions prior to the recently released 1.0.5 are vulnerable to a very serious SQL Injection hole, as well as a more obscure, harder to exploit SQL Injection hole. Both vulnerabilities have been resolved and users should upgrade to the latest version of SMF immediately.
Read This Article Article Read 783 Times
PHPXMLRPC Library Remote Code Execution July 02, 2022
PHPXMLRPC aka XML-RPC For PHP is a PHP implementation of the XML-RPC web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge. PHPXMLRPC is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, and TikiWiki. Unfortunately PHPXMLRPC is vulnerable to a remote php code execution vulnerability that may be exploited by an attacker to compromise a vulnerable system.
Read This Article Article Read 9299 Times
PEAR XML_RPC Library Remote Code Execution July 01, 2022
PEAR XML_RPC is a PHP implementation of the XML-RPC web RPC protocol, and used by many different developers across the world. PEAR XML_RPC was originally developed by Edd Dumbill of Useful Information Company, but has since been expanded by several individuals. Unfortunately PEAR XML_RPC is vulnerable to a remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable server. Version 1.3.1 has been released to address these issues.
Read This Article Article Read 1300 Times
XOOPS 2.0.11 && Earlier Multiple Vulnerabilities June 29, 2022
XOOPS is a very popular dynamic web content management system written in Object Oriented PHP. One of the features of XOOPS is it's own XMLRPC server that handles incoming XMLRPC requests. This particular feature is vulnerable to a highly critical SQL Injection issue. Additionally there are several cross site scripting issues in XOOPS as well which could allow for theft of user data or client side code execution in the context of the victim's web browser.
Read This Article Article Read 1756 Times
WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities June 28, 2022
WordPress is a very popular personal publishing platform aka blog software, and is used by everyone from celebrities, to government officials, to non technical average joe's. There are a number of vulnerabilities in WordPress that may allow an attacker to ultimately run arbitrary code on the vulnerable system. These vulnerabilities include SQL Injection, Cross Site Scripting, and also issues that may aid an attacker in social engineering. An updated version of WordPress is available and users are strongly advised to.
Read This Article Article Read 1400 Times
Infopop UBB Threads Multiple Vulnerabilities June 23, 2022
UBB Threads is a very popular forum system developed by Infopop. There are a number of vulnerabilities in UBB Threads that may allow an attacker to execute cross site scripting, http response splitting, and cross site request forgery attacks. Also, an attacker may include, execute, or read arbitrary local files. These vulnerabilities may allow for an attacker to completely compromise an installation of UBB Threads and possibly more. Users are encouraged to upgrade as soon as possible to the latest UBB Threads release.
Read This Article Article Read 1336 Times
paFaq Multiple Vulnerabilities June 20, 2022
paFAQ is a FAQ/Knowledge base system that allows webmasters to keep an organized database of Frequently Asked Questions; a Knowledge Database for problems and solutions. There are a number of vulnerabilities in paFaq. These vulnerabilities include arbitrary unauthorized access to the entire paFaq database, as well as admin authentication bypass, sql injection, arbitrary code execution and cross site scripting. An attacker can gain a remote shell on a vulnerable system using these vulnerabilities.
Read This Article Article Read 534 Times
paFileDB Multiple Vulnerabilities June 14, 2022
paFileDB is a popular open source web application offered by php Arena. paFileDB allows webmasters to open up an interactive file repository on their website. There are a number of vulnerabilities in paFileDB that may allow for an attacker to include arbitrary files, retrieve sensitive user and/or database information, and completely bypass admin, and team member authentication. Users should upgrade immediately.
Read This Article Article Read 562 Times
FusionBB Multiple Vulnerabilities June 13, 2022
FusionBB is a popular online message board written in php and developed by InteractivePHP, INC. There are several vulnerabilities in FusionBB such as SQL Injection and Arbitrary Local File Inclusion. These issues could allow for an attacker to execute arbitrary scripts residing on the web server, retrieve sensitive data from the underlying database, or bypass the FusionBB authentication mechanisms.
Read This Article Article Read 441 Times
osCommerce HTTP Response Splitting June 10, 2022
osCommerce is a very popular eCommerce application that allows for individuals to host their own online shop. All current versions of osCommerce are vulnerable to HTTP Response Splitting. These HTTP Response Splitting vulnerabilities may allow for an attacker to steal sensitive user information, or cause temporary web site defacement. The suggested fix for this issue is to make sure that CRLF sequences are not passed to the application.
Read This Article Article Read 1308 Times
Invision Gallery Vulnerabilities June 09, 2022
Invision Gallery is a community based gallery software that can be integrated into Invision Power Board. There are several security issues in Invision Gallery that may allow for an attacker to force a user into unknowingly / unwillingly perform actions on behalf of an attacker, or an attacker may influence SQL queries and retrieve sensitive information contained within the underlying database. An upgrade has been released for several weeks now and all users should upgrade their gallery installations as soon as possible.
Read This Article Article Read 550 Times
Invision Community Blog Vulnerabilities June 07, 2022
Invision Blog is a community based blogging software that can be integrated into Invision Power Board. There are several dangerous SQL Injection vulnerabilities, as well as a cross site scripting vulnerability. These vulnerabilities could allow for an attacker to gain access to sensitive data such as password information and render hostile script in the context of a victims browser which could lead to disclosure of sensitive data such as cookie data.
Read This Article Article Read 417 Times
Format String Vulnerability In Peercast May 28, 2022
Peercast is a popular p2p streaming media server (similar to shoutcast). There is a serious security issue in peercast versions 0.1211 and earlier that may allow for an attacker to execute arbitrary code on the remote target with the privileges of the user running peercast (usually administrator) or crash the vulnerable server. There is an updated version of peercast available and all users should upgrade as soon as possible.
Read This Article Article Read 801 Times
Help Center Live Vulnerabilities May 17, 2022
Help Center Live is a `Live` help desk system written in PHP using a MySql database backend that features Live Support, Trouble Tickets and FAQ within one project. This is a very popular application, especially with webhosts and other services. Unfortunately Help Center Live is vulnerable to Sql injection, Script Injection, and Cross Site Scripting attacks, but the most serious of the vulnerabilities mentioned (The SQL Injection attacks) require magic_quotes_gpc to be set to off.
Read This Article Article Read 442 Times
Woltlab Burning Board SQL Injection Vulnerability May 16, 2022
Burning Board is a popular, multi purpose forum / community software offered by WoltLab GmbH. There is an SQL Injection vulnerability in Burning Board 2.* and earlier that allows for an attacker to influence SQL Queries and possibly query arbitrary data from the database, such as admin password hashes. The developers are said to have made a patch available as of late last week, and all users should upgrade their Burning Board installations as soon as possible.
Read This Article Article Read 1910 Times
Yappa-NG Multiple Vulnerabilities May 11, 2022
Yappa-NG is the second generation (new and improved) version of Yappa (yet another php photo album). There are several vulnerabilities in Yappa-NG that may allow an attacker to possibly take control of the vulnerable server. In order to exploit these vulnerabilities register_globals must be on. An updated version of Yappa-NG is available, and users should upgrade as soon as possible.
Read This Article Article Read 392 Times
Multiple Invision Power Board Vulnerabilities May 5, 2022
Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind. It is used by a great many people all over the world. All versions of Invision Power Board are vulnerable to a serious SQL Injection vulnerability. An attacker does not have to be logged in, or even have access or permission to view the forums in order to exploit this vulnerability. Users should upgrade immediately.
Read This Article Article Read 2516 Times
Multiple SitePanel2 Vulnerabilities May 3, 2022
SitePanel2 is a helpdesk / trouble ticket / support system used by businesses and individuals alike. There are a number of vulnerabilities in SitePanel2, some of which are fairly serious. If an attacker is able to successfully exploit these vulnerabilities in SitePanel2 he may be able to successfully compromise user accounts or completely compromise the target web server. A security patch has been released to address these issues and all users are strongly encouraged to upgrade their SitePanel2 installations as soon as possible.
Read This Article Article Read 516 Times
Multiple Vulnerabilities In osTicket May 2, 2022
osTicket is a widely-used open source support ticket system. It is a lightweight support ticket tool written mainly using PHP scripting language. There are several vulnerabilities in the osTicket software that may allow for an attacker to take control of the affected web server, disclose sensitive data from the database, or read arbitrary files. These issues have been reported to the developers and a new updated version of osTicket is available for download. All affected users should upgrade their osTicket installations immediately.
Read This Article Article Read 845 Times
phpBB Notes Mod SQL Injection Vulnerability April 27, 2022
oxpus.de author many popular modules and hacks for the amazingly popular phpBB software. One of these modules allows users to keep their own personal memo pad of sorts in the usercp. This particular mod comes standard with packages like orion_phpbb and others. This "notes" module is vulnerable to a serious SQL Injection vulnerability that will allow for an attacker to pull sensitive information from the underlying database, and possibly compromise the integrity of the affected phpBB installation.
Read This Article Article Read 833 Times
Multiple eGroupware Vulnerabilities April 20, 2022
eGroupware is a very popular open source web based collaboration software that can be used within an intranet, or externally via the internet to build a community and/or help coordinate large projects. eGroupware also comes pre packaged in some linux distributions. GulfTech Security Research has found a few high risk SQL Injection vulnerabilities as well as Cross Site Scripting vulnerabilities. A new version of eGroupware is now available and all eGroupware users should upgrade immediately. Not only does the new eGroupware release address these security issues, but it also includes a number of bugfixes!
Read This Article Article Read 617 Times
Multiple Security Issues Found In AZBB April 19, 2022
azbb is a forum that was written with a primary focus on security. azbb does not require a database such as MySQL, PostGres or MSSQL and can even be used as a blog, or portal of sorts. Unfortunately there are a number of security issues in AZBB versions prior to 1.0.08, but none of these issues are considered "high risk". However, the developer has addressed these issues and all users should upgrade to the current 1.0.08 version. These vulnerabilities include file enumeration, arbitrary file deletion, and file inclusion.
Read This Article Article Read 367 Times
Multiple ModernBill 4.3.0 And Earlier Vulnerabilities April 10, 2022
ModernBill is a widely used billing and management software used by webhosts to manage billing and financial data. ModernBill is prone to remote file inclusion and cross site scripting in version prior to 4.3.1. These vulnerabilities could allow for an attacker to execute client side code in the context of the victims web browser, steal sensitive user data, and run system commands remotely on the affected web server. A fixed version is available and users are advised to upgrade immediately.
Read This Article Article Read 817 Times
Double Choco Latte Vulnerabilities April 8, 2022
Double Choco Latte is a GNU Enterprise package that provides basic project management capabilities, time tracking on tasks, call tracking, email notifications, online documents, statistical reports, a report engine, and more features are either working or being developed/planned. It can be displayed inside of a phpGroupWare installation or be used stand-alone. It is licensed under the GPL (GNU Public License), which means it is free to study, distribute, modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone to php code execution vulnerabilities which allows an attacker to run php code with privileges of the webserver.
Read This Article Article Read 366 Times
phpCoin Multiple Vulnerabilities March 29, 2022
phpCoin is a free software package originally designed for web-hosting resellers to handle clients, orders, invoices, notes and helpdesk. phpCoin versions 1.2.1b and earlier are prone to multiple vulnerabilities such as SQL Injection and File Inclusion vulnerabilities. A new version has been released, and users should upgrade as soon as possible. Updated packages can be found at the official phpCoin website, located at http://www.phpcoin.com Thanks to the developers for a quick resolution to these issues!
Read This Article Article Read 544 Times
eBay And Amazon Still Vulnerable January 4, 2022
With the holidays over and everyone heading back to work many people are breathing a sigh of relief. With the holiday rush over, and a new year ahead you probably give no thought to the question of "Was my online holiday shopping done safely and securely?". Unfortunately the answer to this question could very well be no. Despite millions and millions of dollars being spent each and every year by big name online ecommerce outfits a good number still remains vulnerable to security flaws.
Read This Article Article Read 2253 Times
Multiple Vulnerabilities In PhotoPost Pro January 3, 2022
PhotoPost was designed to help you give your users exactly what they want. Your users will be thrilled to finally be able to upload and display their photos for your entire community to view and discuss, all with no more effort than it takes to post a text message to a forum. If you already have a forum (vBulletin, UBB Threads, phpBB, DCForum, or InvisionBoard), you'll appreciate that PhotoPost was designed to seamlessly integrate into your site without the need for your users to register twice and maintain two logins. PhotoPost Pro is vulnerable to some serious SQL Injection issues as well as cross site scripting. An update is available and all users should upgrade now.
Read This Article Article Read 861 Times
Serious Vulnerabilities In PhotoPost ReviewPost January 2, 2022
Your community of users represents a wealth of knowledge. Now your users can help build and maintain your site by writing reviews of any product imaginable. With ReviewPost, you will quickly amass a valuable collection of user opinions about products that relate to your site. ReviewPost can even use your existing forum login system (if you have one) to keep your users from having to register twice, and makes an excellent companion to ReviewPost. PhotoPost ReviewPost are vulnerable to cross site scripting, SQL Injection, and Arbitrary File Upload. There is a new version of the software available and users are encouraged to upgrade.
Read This Article Article Read 658 Times
Serious Vulnerabilities In PhotoPost Classifieds January 1, 2022
Add a full-featured user-to-user classified ads system to your website to connect buyers with sellers. No matter what your users interestes may be, they likely want to buy and sell items related to your site's topic, and PhotoPost Classifieds makes it easy. PhotoPost Classifieds is designed to integrate seamlessly into your current site design, and can even use your existing forum user database (if you have one) for one central login. PhotoPost Classifieds are vulnerable to cross site scripting, SQL Injection, and Arbitrary File Upload. There is a new version of the software available and users are encouraged to upgrade.
Read This Article Article Read 522 Times
File Include Vulnerability In php-Calendar December 29, 2021
I was searching for a decent calendar which my group at school could use to keep track of events, etc. We were previously using localendar, which I didn't like and it had some problems. I found CST-Calendar which did most of what I wanted, but was rather ugly and missed some features others in the group wanted. So, I gradually re-wrote CST-Calendar since that project seems to have stopped work entirely. [ As quoted from their website ] This program includes several potentially very dangerous file include vulnerabilities. Since php-calendar is an open source calendar it has been said that some developers use the php-calendar in their own projects, thus potentially making their applications vulnerable as well.
Read This Article Article Read 818 Times
Vulnerabilities In WHM Autopilot December 27, 2021
Started by a webhost looking for more out of a simple managment script, Brandee Diggs (Owner of Spinn A Web Cafe, Founder of Benchmark Designs) setout to build an internal management system that could handle the day to day operations of a normal hosting company. The key was to remove the need to constantly watch your orders and manage the installs. Alas, WHM AutoPilot was born. [ as quoted from their official website ] WHM Autopilot is vulnerable to a number of vulnerabilities such as cross site scripting, file inclusion, and information disclosure.
Read This Article Article Read 1113 Times
Critical Vulnerability In Help Center Live December 24, 2021
Help Center Live is a `Live` help desk system written in PHP using a MySql database backend that features Live Support, Trouble Tickets and FAQ within one project. This is a very popular application, especially with webhosts and other services. There lies two file include vulnerabilities (both remote and local) that could allow an attacker to execute malicious server side code on your webserver. Aditionally a cross site scripting issue was found in Help Center Live.
Read This Article Article Read 1604 Times
Cross Site Scripting In Psychostats December 22, 2021
PsychoStats is a statistics generator for games. Currently there is support for a handful of Half-Life "MODs" including Counter-Strike, Day of Defeat, and Natural Selection. PsychoStats gathers statistics from the log files that game servers create by reading through the logs and then calculating detailed statistics for players, maps, weapons and clans. These detailed statistics are stored in a MySQL database which are then viewed online from your website using a set of PHP web pages. Cross site scripting exists in Jason Morriss PsychoStats. This vulnerability exists due to user supplied input not being checked properly. This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.
Read This Article Article Read 522 Times
Multiple Kayako eSupport Vulnerabilities December 18, 2021
Kayako eSupport is one of the most feature packed support systems. This program is used by many online businesses and webhosts to help with technical support and other various support issues. This application is vulnerable to both Cross Site Scripting and SQL Injection vulnerabilities. The SQL Injection vulnerabilities are fairly serious and may allow for an attacker to influence SQL queries. Full details inside.
Read This Article Article Read 733 Times
Document Object Model Hijacking Explained December 10, 2021
The 2004 Merriam-Webster word of the year was “blog�. For those of you that do not know, blog is short for weblog. Millions of people around the world keep blogs, and these people are not just limited to the tech savvy crowd. Blogs are not the only increasingly popular web applications though. Wiki’s for example allow many users to build an entire community and more by allowing anyone who wants to contribute, to do so. Security is usually a fairly primary concern in an environment with many users, and measures such as script filtering are taken to ensure that no one tries anything “bad�, and that if they do they are unsuccessful in their attempts. Unfortunately though, a good number of these applications are susceptible to Document Object Model Hijacking.
Read This Article Article Read 1419 Times
Multiple phpGroupWare Vulnerabilities December 14, 2021
phpGroupWare (formerly known as webdistro) is a multi-user groupware suite written in PHP. It provides a Web-based calendar, todo-list, addressbook, email, news headlines, and a file manager. The calendar supports repeating events. The email system supports inline graphics and file attachments. The system as a whole supports user preferences, themes, user permissions, multi-language support, an advanced API, and user groups. There have been a number of vulnerabilities found in phpGroupWare, including Cross Site Scripting, SQL Injection, and Full Path Disclosure. This application comes with some linux distributions, so check to see if you have it installed. The SQL Injection can be fairly critical.
Read This Article Article Read 984 Times
Multiple Vulnerabilities In SugarCRM December 1, 2021
Sugar Sales Professional is the solution for companies who use Sugar Sales in a production environment for mission-critical sales knowledge management. Sugar Sales Professional is a visible source CRM application that offers more features than the open source application. It also includes support by SugarCRM staff. Sugar Sales Professional expands the open source application benefits so that your company experiences better performance, integration and support. Multiple vulnerabilities (some high risk) have been discovered in SugarCRM. A recet version was released recently, and was believed to include security fixes, but several of the vulnerabilities still exist in the recently released version 2.0
Read This Article Article Read 859 Times
dbPowerAmp Buffer Overflow And DoS Vulnerabilities September 27, 2021
Often called the Swiss Army knife of audio, dMC can digitally rip sound from audio CDs to a multitude of formats. Convert from one format to another while preserving ID tags. Nearly every audio type is supported, including MP3, MP4, Windows Media Audio (WMA), OGG Vorbis, AAC, Monkey's Audio, and FLAC (with optional installs from Codec Central). For Windows Explorer integration, right-click Convert To to pop up useful information on audio files (such as bit rate and length). Record from LPs with an optional Auxiliary Input install. dBpowerAmp Audio Player (dAP) has a digital conditioning equalizer and an advanced music collection. It's skinnable and has a cross-fader, a playlist editor, and a tag editor. dAP plays MP3s, WMA, Ogg Vorbis, Monkeys Audio, Real Audio, WAV, MIDI, and many more. These programs are vulnerable to buffer overflow as well as denial of service vulnerabilities.
Read This Article Article Read 1459 Times
Multiple Vulnerabilities In EmuLive Server4 September 20, 2021
Server4 is real-time media broadcasting software that works in conjunction with Emulive producer software to create digital television-like channels on the Internet. To web browsers, Server4 appears as a standard web server. Visitors to a Server4 system can browse and view available channels, chat with other users, remotely control cameras, remotely control devices, create user accounts, extend user accounts, purchase time and access controlled subscriptions, purchase one-to-one exclusive conferences, tip channel hosts, purchase additional time and more. Server4 is prone to unauthorized remote administrative access as well as a vulnerability that will allow an attacker to crash a Server4 instalattion remotely. Proof Of Concept code is included.
Read This Article Article Read 705 Times
When Small Mistakes Can Cause Big Problems September 18, 2021
GulfTech Security Research was able to find in the past few weeks, cross site scripting issues that existed on eBay, Amazon, Half.com, HBO, CareerBuilder, AOL, CNN, MTV, and many others. The cross site scripting issues on these websites could allow an attacker to take control of arbitrary accounts, or steal sensitive info. Websites such as eBay, Amazon, and Half.com (for example) have fairly good Security when it comes to protecting their user’s accounts, but even they are vulnerable to data theft via these vulnerabilities. For example, it may be somewhat useless to steal a victim’s cookie, or try and render malicious code, or force command execution on a website with tight account security. So instead of relying on some great technological advantage an attacker could simply attempt to take advantage of the human element and have the victim simply give the attacker their account information. This can be done by using the cross site scripting vulnerabilities to temporarily deface a website. So, instead of rendering malicious code, or trying to steal a user’s cookie, the attacker can link to an offsite JavaScript, and have it render a login form using the vulnerable website’s own HTML and Style Sheet so that it looks nearly identical to the legitimate login form. Of course when a victim logs in to this form it actually just steals their login credentials. The attacker could also use the same methods of temporarily defacing the website to show someone a fictitious news story on a major news website.
Read This Article Article Read 2007 Times
RhinoSoft DNS4ME HTTP Server Vulnerabilities September 16, 2021
DNS4Me is the dynamic DNS service that you need to start hosting your own Internet services. When you have a dynamic IP address, you need something to associate a static domain name with it to make it easier for visitors to access the services you provide. With DNS4Me, you can take control of your Web site by running your own HTTP server. Without a hosting company, you've eliminated the cost of hosting as well as a layer of contact between you and your Web site. This gives you unparalleled control overits configuration, content, and delivery. But the benefits of dynamic DNS aren't just for HTTP servers. Any service that can make use of a domain name can benefit from DNS4Me. This includes FTP servers, e-mail servers, daemons for today's popular computer games, NetMeeting… With the reliability and excellent support you've come to expect of RhinoSoft.com backing up DNS4Me, you'll get a powerful, no hassle dynamic DNS solution. The RhinoSoft DNS4ME HTTP server is prone to multiple vulnerabilities, and users are encouraged to upgrade as soon as possible.
Read This Article Article Read 674 Times
Multiple Vulnerabilities In phpWebsite August 31, 2021
phpWebSite provides a complete web site content management solution. All client output is valid XHTML 1.0 and meets the W3C's Web Accessibility Initiative requirements. Currently features: announcement posting, form generator, user management with granulated administration, calendar, poll, faq, photoalbum, bulletin board, rss feeds, user customizable theme support and more. It is one of the most popular content managment systems in the world. However, it is vulnerabile to a number of attacks, some of which allow an attacker to completely take control of a vulnerable phpWebsite installation. Other vulnerabilties in phpWebsite include script injection, SQL injection, forced command execution, and cross site scripting. A security update is available and all phpWebsite users should upgrade their installation as soon as possible.
Read This Article Article Read 1806 Times
Multiple Vulnerabilities In Xedus Webserver August 30, 2021
Xedus is a Peer-to-Peer web server and provides you with the ability to share files, music, and any other media, as well as create robust and dynamic web sites, which can feature database access, file system access, with full .net support. Powered by a built in server-side, Microsoft C#, scripting language; Xedus boasts the ability to create sites that can rival web applications built on any other enterprise servers like Apache, IIS, Iplanet… With Xedus, you will never need to pay to host your sites again. Using the peer-to-peer mode, other members of LIVE can access you site by keyword using Internet Explorer even if you do not have a static IP address! Xedus is prone to a number of vulnerabilities, which include Denial Of Service, Cross Site Scripting, and Directory Traversal attacks. These vulnerabilities can allow an attacker to retrieve arbitrary files from the host machine, as well as deny legitimate users access to the webserver.
Read This Article Article Read 501 Times
Keene Digital Media Server Directory Traversal August 25, 2021
Keene Digital Media Server is an easy and affordable way to share all things digital with friends, family, and customers over your broadband connection. DMS turns your computer into a highly secure Web server that automatically converts your files and folders into Web pages, thumbnails, and media shows with no Web programming required. Integrated user and file access security management provide the ultimate control over your content. Keene Digital Media Server allows an attacker to traverse out of the web directory, and retrieve arbitrary files.
Read This Article Article Read 461 Times
Easy File Sharing Webserver v1.25 Vulnerabilities August 24, 2021
Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser (IE,Netscape,Opera etc.). It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). The Easy File Sharing Web Server is vulnerable to both Denial Of Service attacks, and unauthorized access to the virtual folders used by the webserver. These vulnerabilities could allow an attacker to crash/DoS the server, or gain read access to arbitrary folders on the server.
Read This Article Article Read 938 Times
Possible Security Issues In LiveWorld Products August 23, 2021
LiveWorld provides collaborative services for online meetings, customer care, and loyalty marketing. Supporting communication between a company and its customers, employees, or partners and among those people themselves - our services help corporations cut costs, increase revenue, and solidify relationships with groups critical to their success. The affected products are beleived to be prone to Cross Site Scripting issues which allow a malicious user to steal sensitive data, temporarily deface a page, or render any malicious script in the context of the victim's browser. The software believed to be vulnerable is LiveForum, LiveQ&A;, and LiveFocusGroups. LiveWorld products are used on major websites such as HBO, eBay, and others.
Read This Article Article Read 583 Times
BadBlue Web Server Denial of Service Vulnerability August 20, 2021
BadBlue lets you run a no-hassle Web site on your own PC for free, including a domain name you can choose. Within seconds, you can transform your PC into a friendly, file-sharing Web server with all the power of a real server on the Internet. Remote users can search for files, explore your shared folders, and run full-blown applications created in HTML, PHP, Perl, and so on. This HTTP server is vulnerable to a Denial of Service attack. This attack can take place when a malicious user makes a certain number of connections to the server. Included is proof of concept code.
Read This Article Article Read 356 Times
SubScan 1.3 DNS Enumeration Utility Released August 18, 2021
After a way too long awaited release SubScan 1.3 is here. It is a beta copy, but works. I call it a beta because right now it is only for the Windows OS. I plan changing this in the very near future, but until then the source is available if you want to make it better. Some of the new features in SubScan 1.3 are netblock scans, deep scan, and a wildcard DNS option that helps ignore duplicate records. The deep scan is my favorite feature of the new release, and allows for the enumaration of up to one hundred times more DNS records than in SubScan 1.2. If you have any questions about this release you can get them answered on our forums. Please read the README file before asking any questions though
Read This Article Article Read 745 Times
Invision Power Board IP Spoofing Vulnerability June 16, 2022
Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world. There lies a vulnerability in all version of Invision Power Board that allow a user to spoof his/her IP address by creating a bogus X_FORWARDED_FOR HTTP Header entry. This condition can also be caused by a user unknowingly if they use a proxy to access the internet. For example, private LAN based IP's will be logged which are impossible to trace.
Read This Article Article Read 687 Times
Multiple Vulnerabilities In PHPX 3.26 And Earlier May 04, 2022
PHPX is a constantly evolving and changing Content Management System (CMS). PHPX is highly customizable and high powered all in one system. PHPX provides content management combined with the power of a portal by including in the core package modules such as FAQ, polls, and forums. PHPX uses dynamic-template-design, what this means is that you have the power to control what your site will look like. Themes are included, but not required. You can create the page however you want, and PHPX will just insert code where you want it. No more 3 columns if you don’t want it! Written in the powerful server language, PHP, and utilizing the amazingly fast and secure database MySQL, PHPX is a great solution for all size website communities, at the best price possible…free! Vulnerabilities are present in version(s) 3.2.6 and earlier and present themselves in the form of cross site scripting, path disclosure, and arbitrary command execution. Users are advised to upgrade immeadiately.
Read This Article Article Read 304 Times
Results 6 - 50 of 50 Results per-page: 5 | 10 | 20 | 50