[CLOSE] OSVDB ID : 8984 - Disclosed: 2004-08-18

Description:

PlaySMS contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that if the magic_quotes_gpc option is disabled, the "vc2" variable in the cookie is not verified properly and will allow an attacker to inject or manipulate SQL queries. (NOTE: Note that setting "magic_quotes_gpc" to "Off" is discouraged by the author of the program in the INSTALL file).

[CLOSE] OSVDB ID : 8181 - Disclosed: 2004-07-22

Description:

LBE Web HelpDesk contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the 'id' parameter within jobedit.asp is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8180 - Disclosed: 2004-07-22

Description:

Web+Center contains a flaw that may allow a malicious user to add a privelleged user account to the server. The issue is triggered when a user sends a specially crafted SQL statement to the cookie object. It is possible that the flaw may allow the user remote Administrative access, resulting in a loss of integrity.

[CLOSE] OSVDB ID : 8168 - Disclosed: 2004-07-22

Description:

Polar HelpDesk contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a user sends a specially crafted cookie to the server. This flaw may lead to a loss of integrity.

[CLOSE] OSVDB ID : 8169 - Disclosed: 2004-07-22

Description:

NetSupport DNA HelpDesk contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the 'where' parameter in problist.asp is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8182 - Disclosed: 2004-07-21

Description:

Serena TeamTrack contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'Message' variables upon submission to the 'tmtrack.dll' library. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 8183 - Disclosed: 2004-07-21

Description:

Serena TeamTrack contains a flaw that may allow a malicious user to access unauthorized information. The issue is due to insufficient access control for the "LoginPage drective" of "tmtrack.dll". By sending a specially crafted URL, a remote attacker can enumerate users resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 8170 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_comment_id' variable in the 'editcommentenduser.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8171 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_suspend_id' variable in the 'editsuspensionuser.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8172 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'table' variable in the 'export_data.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8173 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_analgroup' variable in the 'manageanalgrouppreference.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8174 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_asset_id' variable in the 'quickinfoassetrequests.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8175 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_eusername' variable in the 'quickinfoenduserrequests.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8176 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_request_id' variable in the 'requestauditlog.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8177 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_request_id' variable in the 'requestcommentsenduser.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8178 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_request_id' variable in the 'selectrequestapplytemplate.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8179 - Disclosed: 2004-07-21

Description:

HelpBox contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'sys_request_id' variable in the 'selectrequestlink.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 2155 - Disclosed: 2003-06-09

Description:

Mailtraq contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The issue is due to the server not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the URI.

[CLOSE] OSVDB ID : 4089 - Disclosed: 2003-06-09

Description:

Mailtraq contains a flaw that may allow a remote denial of service. The issue is triggered when sending repeated SMTP commands (from, rcpt to, helo) with "%s%p%n" as the argument, and will result in loss of availability for the service.

[CLOSE] OSVDB ID : 4090 - Disclosed: 2003-06-09

Description:

Mailtraq contains a flaw that may allow a remote denial of service. The issue is triggered when an overly long string is supplied to the username or password field of the logon CGI script, and will result in loss of availability for the service.

[CLOSE] OSVDB ID : 4091 - Disclosed: 2003-06-09

Description:

Mailtraq contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the e-mail subject variables upon submission to the e-mail script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 4092 - Disclosed: 2003-06-09

Description:

Mailtraq allows an attacker to trivially decrypt stored passwords. The issue is due to the software using a weak obscuring scheme to protect passwords. Using a short perl script, an attacker can reverse the hash to obtain the password.