| OSVDB ID | Disclosure Date | Title |
|---|---|---|
| 5903. Description: PHPX contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the "forums.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-05-04 | PHPX forums.php Multiple Parameter XSS |
| 5904. Description: PHPX contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the "users.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-05-04 | PHPX users.php Multiple Parameter XSS |
| 5905. Description: PHPX contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "news_id" variable upon submission to the "news.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-05-04 | PHPX news.php news_id Parameter XSS |
| 5906. Description: PHPX contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests the "forums.php" script with invalid arguments, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-05-04 | PHPX forums.php Server Path Disclosure |
| 5907. Description: PHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/page.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges. | 2004-05-04 | PHPX admin/page.php CSRF Arbitrary Command Execution |
| 5908. Description: PHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/news.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges. | 2004-05-04 | PHPX admin/news.php CSRF Arbitrary Command Execution |
| 5909. Description: PHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/user.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges. | 2004-05-04 | PHPX admin/user.php CSRF Arbitrary Command Execution |
| 5910. Description: PHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/images.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges. | 2004-05-04 | PHPX admin/images.php CSRF Arbitrary Command Execution |
| 5911. Description: PHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/forums.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges. | 2004-05-04 | PHPX admin/forums.php CSRF Arbitrary Command Execution |
| 5649. Description: OpenBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "redirect" variable upon submission to the "member.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-24 | OpenBB member.php redirect Parameter XSS |
| 5650. Description: OpenBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "to" variable upon submission to the "myhome.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-24 | OpenBB myhome.php to Parameter XSS |
| 5651. Description: OpenBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "TID" variable upon submission to the "post.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-24 | OpenBB post.php TID Parameter XSS |
| 5652. Description: OpenBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "redirect" variable upon submission to the "index.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-24 | OpenBB index.php redirect Parameter XSS |
| 5653. Description: OpenBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "FID" variable in the "board.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-24 | OpenBB board.php FID Parameter SQL Injection |
| 5654. Description: OpenBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "sortorder", "perpage" and "id" variables in the "member.php" script are not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-24 | OpenBB member.php Multiple Parameter SQL Injection |
| 5655. Description: OpenBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "q" variable in the "search.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-24 | OpenBB search.php q Parameter SQL Injection |
| 5656. Description: OpenBB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "PID" and "FID" variables in the "post.php" script are not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-24 | OpenBB post.php Multiple Parameter SQL Injection |
| 5657. Description: OpenBB contains a flaw that allows remote attackers to execute arbitrary OpenBB commands. The issue is due to the bulletin board not properly utilizing session IDs or authentication tokens. If an attacker supplies a malicious command embedded in an image tag which is posted or sent as a private message, the command will be executed without confirmation by the administrator. | 2004-04-24 | OpenBB [IMG] Tag Arbitrary BB Command Execution |
| 5383. Description: phpBugTracker contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that multiple variables in the "query.php" script are not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-14 | phpBugTracker query.php Multiple Parameter SQL Injection |
| 5384. Description: phpBugTracker contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that multiple variables in the "bug.php" script are not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-14 | phpBugTracker bug.php Multiple Parameter SQL Injection |
| 5385. Description: phpBugTracker contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "bugid" variable in the "user.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries. | 2004-04-14 | phpBugTracker user.php bugid Parameter SQL Injection |
| 5386. Description: phpBugTracker contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the "bug.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-14 | phpBugTracker bug.php Multiple Parameter XSS |
| 5387. Description: phpBugTracker contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the "query.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-14 | phpBugTracker query.php Multiple Parameter XSS |
| 5388. Description: phpBugTracker contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "bugid" variable upon submission to the "user.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-14 | phpBugTracker user.php bugid Parameter XSS |
| 5181. Description: TikiWiki contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "theme" variable upon submission to the "tiki-switch_theme.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-11 | TikiWiki tiki-switch_theme.php theme Parameter XSS |
| 5182. Description: TikiWiki contains a flaw that may allow a remote attacker to upload arbitrary files to the system. The issue is due to the "wiki_up" function not sanitizing or restricting what type of files are uploaded. If an attacker uploads a specially crafted script, they may be able to execute it and leverage additional privileges. | 2004-04-11 | TikiWiki img/wiki_up Arbitrary File Upload |
| 5183. Description: TikiWiki contains a flaw that allows a remote attacker to verify the existence of files or directories outside of the web path. The issue is due to the "tiki-map.phtml" script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "mapfile" variable. | 2004-04-11 | TikiWiki tiki-map.phtml Traversal Arbitrary File / Directory Enumeration |
| 5184. Description: TikiWiki contains a flaw that allows remote code injection. This flaw exists because the application does not validate User Profile variables upon submission to the application. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-11 | TikiWiki User Profile Multiple Option Arbitrary Remote Code Injection |
| 5185. Description: TikiWiki contains a flaw that allows remote code injection. This flaw exists because the application does not validate Add Site variables upon submission to the application. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. | 2004-04-11 | TikiWiki Add Site Multiple Options Arbitrary Remote Code Injection |
| 5186. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "banner_click.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki banner_click.php Direct Request Path Disclosure |
| 5187. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "categorize.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki categorize.php Direct Request Path Disclosure |
| 5188. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-admin_include_directory.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-admin_include_directory.php Direct Request Path Disclosure |
| 5189. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-directory_search.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-directory_search.php Direct Request Path Disclosure |
| 5190. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-searchindex.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-searchindex.php Path Disclosure |
| 5191. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "messu-read.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki messu-read.php Path Disclosure |
| 5192. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-list_file_gallery.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-list_file_gallery.php Path Disclosure |
| 5193. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-usermenu.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-usermenu.php Path Disclosure |
| 5194. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-browse_categories.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-browse_categories.php Path Disclosure |
| 5195. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-index.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-index.php Path Disclosure |
| 5196. Description: TikiWiki contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker calls the "tiki-user_tasks.php" script with abnormal parameters, which will disclose the physical path of the web server resulting in a loss of confidentiality. | 2004-04-11 | TikiWiki tiki-user_tasks.php Path Disclosure |