[Full-disclosure] Vulnerabilities in E107

Hello Full-Disclosure! I want to warn you about Insufficient Anti-automation and Cross-Site Scripting vulnerabilities in E107. I found XSS holes in October 2006 and Insufficient Anti-automation in November 2007, and disclosed them at 30.01.2009. Insufficient Anti-Automation: Vulnerability is in

[Full-disclosure] [SECURITY] [DSA 1897-1] New horde3 packages fix arbitrary code execution

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA-1897-1secur...@debian.org http://www.debian.org/security/ Nico Golde September 28th, 2009

[Full-disclosure] [USN-838-1] Dovecot vulnerabilities

=== Ubuntu Security Notice USN-838-1 September 28, 2009 dovecot vulnerabilities CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235 === A security issue affects the

[Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Exists an call to add_action() without validate with function_exists(). When I run the php script directly, I get the full path of wp installation. Example: [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php [+]

[Full-disclosure] Drupal XML-Sitemap 5.x-1.6 XSS Vulnerability

The Drupal XML Sitemap module version 5.x-1.6 ( http://drupal.org/project/xmlsitemap) contains a cross site scripting vulnerability because it fails to properly sanitize 'Path' output in the XML Sitemap administration area. If you install XML Sitemap and click on Administer, Site configuration,

[Full-disclosure] For sale - Microsoft Internet Explorer 0day

MS Internet Explorer 0day exploit for sale - remote code execution via memory corruption. Serious offers only - fred.vici...@gmail.com -- Best wishes, Freddie Vicious ___ Full-Disclosure - We believe in it. Charter:

Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

Hello, this kind of vulnerabilities exists whenever a PHP scripts issue a fatal error on a poorly configured server. PHP should log errors in a local file and not on the client screen. With this configuration, you will not see a full path disclosure in each uncatched PHP exception. IMHO the

Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 majinboo wrote: Hello, Hi this kind of vulnerabilities exists whenever a PHP scripts issue a fatal error on a poorly configured server. PHP should log errors in a local file and not on the client screen. With this configuration, you will not

Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

Hello, That definitely can be fixed easily with two lines of code but is still something that should have been prevented at earlier stages of plugin development if (!empty($_SERVER['SCRIPT_FILENAME']) 'akismet.php' == basename($_SERVER['SCRIPT_FILENAME'])) die ('Please do not load this

Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glafkos Charalambous wrote: Hello, Hi Glafkos, That definitely can be fixed easily with two lines of code but is still something that should have been prevented at earlier stages of plugin development if

[Full-disclosure] WinRAR v3.80 - ZIP Filename Spoofing

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ++ | ...| | ..''xxx'...| |