|
Search
|
|
You can use the form below to search our site. Just enter the
keywords to search.
|
|
 |
| Title |
Autorank PHP SQL Injection Vulnerability
|
| Info |
Autorank PHP is a widely used topsite script offered by JMB Software.
It is vulnerable to SQL Injection attacks in the "accounts.php" file.
These vulnerabilities can be exploited by a malicious user via the lost
password form, account edit form, or the registration form. The
vulnerabilities leave user accounts open to compromise as well as the
entire database that is being used for a particular top site. |
| Date |
December 18, 2021 |
| BID |
9251
|
| Credit |
James Bercegay |
| Title |
osCommerce Malformed Session ID XSS Vulnerability
|
| Info |
osCommerce is a very powerful open source e-commerce solution. It has been found however to be vulnerable to an XSS vuln due to the session id parameter not being properly sanitized. This seems to take place only over a secure, SSL connection, however it is believed to affect even regular http connections in the current CVS version. In some cases (namely the CVS version) the full path of the web directory may also be exposed when exploiting this vulnerability. |
| Date |
December 17, 2021 |
| BID |
9238
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In Aardvark Topsites
|
| Info |
Aardvark Topsites is a very powerful, and popular Topsites Ranking
web application. Versions prior to 4.1.1 are vulnerable to a number
of issues though. These issues include SQL Injection, Path Disclosure,
Plaintext Weaknesses, and information disclosure vulnerabilities. You
can update your Aardvark Topsite at the official download site. All
users should upgrade as soon as possible.
|
| Date |
December 16, 2021 |
| BID |
9231
|
| Credit |
James Bercegay |
| Title |
Invision Power Board SQL Injection Vulnerability
|
| Info |
Invision Power Board is one of the most popular and powerful forums available today. It is used by millions of people worldwide and businesses alike. There is however an SQL Injection vulnerability that affects ALL versions (even the non public releases). The people at Invision power were very prompt and professional in addressing the issue and there is now an available fix less than a week after I discovered the vulnerability. Details and a link to the fix are available in the report by GulfTech Security Research. |
| Date |
December 16, 2021 |
| BID |
9232
|
| Credit |
James Bercegay |
| Title |
Invision Power Top Site List SQL Injection
|
| Info |
Invision Power Top Site List is a flexible site ranking script written in PHP. Featuring an impressive feature set with a user-friendly interface. However It is vulnerable to SQL injection. This flaw is hard to exploit, thus it will not be addressed until the next release of the Invision Power Top Site List. No patches or immediate upgrade will be released. |
| Date |
December 15, 2021 |
| BID |
9229
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In DU Ware Products
|
| Info |
DU Ware are a company that offers a very large number of web based applications for both purchase and free download. Their products are vulnerable to a substantial number of attacks, and contain many weaknesses. This includes but is not limited to: Account HiJacking, Code Execution, Arbitrary File Upload, Privilege Escalation and more. There are currently no fixes for these issues, and no patches will be issued. I guess thier customers will have to wait til the new software versions to have thier data and servers be secure.
|
| Date |
December 15, 2021 |
| BID |
9246
|
| Credit |
James Bercegay |
| Title |
Security Issues In CGINews And CGIForum
|
| Info |
CGINews and CGIForum are two fairly popular scripts by Markus Triska.
CGINews is a multi-user Web site news posting system written in Perl.
And CGIForum is A template based discussion board also written in Perl.
However they both rely on a very weak encryption algorithm that can be
decrypted easily. The author has no plans on switching to a more secure
one way encryption, so if security is a concern try another forum system. |
| Date |
December 14, 2021 |
| BID |
9214
|
| Credit |
James Bercegay |
| Title |
osCommerce 2.2-MS1 SQL Injection Vulnerability
|
| Info |
osCommerce is one of the most popular Open Source e-commerce solutions in the world today.
It comes with many out of the box features and is constantly being developed by the Open
Source Community. Recently GulfTech Security Research has discovered an SQL Injection vuln
in the create_account_process.php and the account_edit_process.php files. This vulnerability
is present in osCommerce 2.2-MS1 but does not appear to be an issue in osCommerce 2.2-MS2.
Advice to all osCommerce shop owners is to upgrade to the latest version of osCommerce by
clicking here. |
| Date |
December 12, 2021 |
| BID |
9211
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In Snitz Forums 2000
|
| Info |
Snitz forums is a full-featured UBB-style ASP discussion
board application used by thousands of people across the
web. Recently I found many serious vulnerabilities in this
application that may allow an attacker to take over an
entire Snitz forum. The vulnerabilities include cross
site scripting issues, cookie authentication bypass
vulnerability, and a password reset vulnerability. Users
are encouraged to upgrade as soon as possible. |
| Date |
June 16, 2022 |
| BID |
7922
7924
7925
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In Max Web Portal
|
| Info |
MaxWebPortal is a web portal and online community
system which includes advanced features such as
web-based administration, poll, private/public
events calendar, user customizable color themes,
classifieds, user control panel, online pager,
link, file, article, picture managers and much
more. Easy-to-use and powerful user interface
allows members to add news, content, write
reviews and share information among other
registered users. MaxWebPortal has multiple
vulnerabilities which include cross site
scripting, hidden form weaknesses, Database
exposure, and a password reset vulnerability. |
| Date |
June 06, 2022 |
| BID |
7837
|
| Credit |
James Bercegay |
|
|
