Hello Full-Disclosure!
I want to warn you about Insufficient Anti-automation and Cross-Site
Scripting vulnerabilities in E107. I found the XSS holes in October 2006 and
the Insufficient Anti-automation in November 2007, and disclosed them on
30.01.2009.
Insufficient Anti-Automation:
Vulnerability is in
Debian Security Advisory DSA-1897-1    secur...@debian.org
http://www.debian.org/security/ Nico Golde
September 28th, 2009
===
Ubuntu Security Notice USN-838-1 September 28, 2009
dovecot vulnerabilities
CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235
===
A security issue affects the
There is a call to add_action() without validating it with function_exists().
When I run the PHP script directly, I get the full path of the WP installation.
Example:
[+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
[+]
The Drupal XML Sitemap module version 5.x-1.6 (
http://drupal.org/project/xmlsitemap) contains a cross site scripting
vulnerability because it fails to properly sanitize 'Path' output in the XML
Sitemap administration area. If you install XML Sitemap and click on
Administer, Site configuration,
MS Internet Explorer 0day exploit for sale - remote code execution via
memory corruption.
Serious offers only - fred.vici...@gmail.com
--
Best wishes,
Freddie Vicious
___
Full-Disclosure - We believe in it.
Charter:
Hello,
this kind of vulnerability exists whenever a PHP script issues a fatal
error on a poorly configured server. PHP should log errors to a local file
and not to the client screen. With this configuration, you will not see a
full path disclosure in each uncaught PHP exception. IMHO the
majinboo wrote:
> Hello,
Hi
> this kind of vulnerability exists whenever a PHP script issues a
> fatal error on a poorly configured server. PHP should log errors to a
> local file and not to the client screen. With this configuration, you
> will not
Hello,
That can definitely be fixed easily with two lines of code, but it is still
something that should have been prevented at earlier stages of plugin
development:
if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
basename($_SERVER['SCRIPT_FILENAME']))
die ('Please do not load this
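An added example, not code from Akismet, WordPress, or any poster in this thread: a hypothetical plugin entry point that combines the two mitigations the thread raises, the error-logging configuration majinboo describes and the direct-load guard Glafkos posted (here written with the function_exists() check the original report asked for, and with the file name taken from __FILE__ instead of being hard-coded). The plugin name, the init function and the log path are assumptions.

```php
<?php
// Added example: hardened entry point for a hypothetical WordPress plugin file.
// Goal: a direct request such as GET /wp-content/plugins/example/example.php
// must neither reach add_action() nor echo a fatal error containing the
// file system path of the installation.

// 1. Server side: never display errors to the client, log them instead.
//    These belong in php.ini or the FPM pool config; setting them at runtime
//    is only a fallback for hosts where that is not possible. The log path is
//    an assumption for this example.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/plugin-errors.log');

// 2. Plugin side: refuse to run unless loaded by WordPress. The first test
//    covers the case from the original report (add_action() undefined because
//    WordPress never loaded); the second is the SCRIPT_FILENAME comparison
//    from Glafkos's two-line fix, generalised to this file's own name.
if (!function_exists('add_action')
    || (!empty($_SERVER['SCRIPT_FILENAME'])
        && basename(__FILE__) === basename($_SERVER['SCRIPT_FILENAME']))) {
    http_response_code(403);
    exit('Direct access is not permitted.');
}

// 3. Only past the guard is it safe to call WordPress-only functions. On a
//    direct request this line is unreachable, so the
//    "Call to undefined function add_action()" fatal error, which is what
//    carried the full path to the client, can no longer occur.
add_action('init', 'example_plugin_init');

function example_plugin_init(): void
{
    // hypothetical plugin logic
}
```

A direct request now receives a 403 and a fixed message; with display_errors off, even a plugin that lacks the guard would log the fatal error server side rather than revealing the path, which is why both layers are worth having.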
Glafkos Charalambous wrote:
> Hello,
Hi Glafkos,
> That can definitely be fixed easily with two lines of code, but it is still
> something that should have been prevented at earlier stages of plugin
> development:
> if