Ultimate Windows Site

Posted on Friday, November 17, 2006 @ 09:37:44 CST in Windows
by Raven

southern writes:  
Tricks · Secrets · Bugs · Fixes

The main goal of these pages is to transform your PC into the ultimate, extremely tweaked, mean machine you have always dreamed of, even if you don't have the fastest hardware available under the sun. Nonetheless, if you do own a fast rig, this will squeeze the last atom of performance it is capable of, making it soar at MAX Speed.

For all the info, visit MDGX!
 

 

phpMyAdmin Table Comment Script Insertion Vulnerability

Posted on Friday, November 17, 2006 @ 09:33:31 CST in Security
by Raven

SECUNIA ADVISORY ID: SA22969

VERIFY ADVISORY: http://secunia.com/advisories/22969/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

SOFTWARE: phpMyAdmin 2.x - http://secunia.com/product/1720/

DESCRIPTION: Laurent Gaffié and Benjamin Mossé have discovered a vulnerability in phpMyAdmin, which can be exploited by malicious users to conduct script insertion attacks. Input passed to the "Table comments" form field parameter in tbl_create.php and tbl_properties_operations.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the database containing the table is viewed. Successful exploitation requires valid user credentials. The vulnerability is confirmed in version 2.9.1. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised. Don't grant untrusted users the permission to create or alter tables.

PROVIDED AND/OR DISCOVERED BY: Laurent Gaffié and Benjamin Mossé

ORIGINAL ADVISORY: http://s-a-p.ca/index.php?page=OurAdvisories&id=37
 

 

PHP Upload Tool File Upload And Directory Traversal

Posted on Friday, November 17, 2006 @ 09:32:45 CST in Security
by Raven

SECUNIA ADVISORY ID: SA22973

VERIFY ADVISORY: http://secunia.com/advisories/22973/

CRITICAL: Moderately critical

IMPACT: Exposure of system information, Exposure of sensitive information, System access

SOFTWARE: PHP Upload Tool 1.x - http://secunia.com/product/12655/

DESCRIPTION: Some vulnerabilities have been discovered in PHP Upload Tool, which can be exploited by malicious users to gain system access or by malicious people to expose sensitive information. The vulnerabilities are confirmed in version 1.0. Other versions may also be affected.

1) The bin/main_user.php script fails to validate the extension of an uploaded file. This can be exploited to upload files with arbitrary extensions (e.g. ".php") and execute arbitrary PHP code on the server. Successful exploitation requires valid user credentials.

2) Input passed to the "filename" parameter in bin/download.php is not properly sanitised before being used to download files. Successful exploitation allows for downloading of arbitrary files on the system, e.g. "/etc/passwd" or "conf/users.conf" (the product's usernames and password hashes).

SOLUTION: Edit the source code to ensure that input is properly verified and sanitised. Restrict access to the application, e.g. with an ".htaccess" file.

PROVIDED AND/OR DISCOVERED BY: Craig Heffner and an anonymous person

ORIGINAL ADVISORY: 2) http://www.craigheffner.com/security/exploits/upload_tool_php.txt
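
Hardening for the two issues in SA22973 above, shown as an added example that is not PHP Upload Tool's code or part of the advisory. The function names, the extension allow-list and the demo directory layout are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from PHP Upload Tool.
const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'png', 'jpg', 'gif']; // assumed allow-list

// Issue 1: accept an upload only if its final extension is on the allow-list,
// and store it under a server-generated name so the client never chooses the
// name or extension that ends up on disk.
function safe_upload_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // ".php", ".phtml", no extension, ...
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Issue 2: canonicalise the requested name inside the upload directory and
// refuse anything whose real path leaves it.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator: "/srv/uploads_old" must not pass as "/srv/uploads".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: an upload directory next to a "conf" directory.
$root = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
mkdir("$root/conf", 0700, true);
file_put_contents("$root/uploads/report.txt", "ok");
file_put_contents("$root/conf/users.conf", "constructed sample");

var_dump(safe_upload_name('shell.php'));                           // extension not allowed
var_dump(safe_upload_name('photo.JPG'));                           // allowed, renamed
var_dump(resolve_download("$root/uploads", 'report.txt'));         // inside the base
var_dump(resolve_download("$root/uploads", '../conf/users.conf')); // escapes the base
var_dump(resolve_download("$root/uploads", '/etc/passwd'));        // absolute path
```

Keeping the upload directory outside the web root, or disabling script execution in it, limits the damage if an extension check is ever bypassed.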
 

 

Enthrallweb eShopping Cart Multiple SQL Injection

Posted on Friday, November 17, 2006 @ 09:31:43 CST in Security
by Raven

SECUNIA ADVISORY ID: SA22955

VERIFY ADVISORY: http://secunia.com/advisories/22955/

CRITICAL: Moderately critical

IMPACT: Manipulation of data

SOFTWARE: Enthrallweb eShopping Cart - http://secunia.com/product/12651/

DESCRIPTION: Laurent Gaffié and Benjamin Mossé have reported some vulnerabilities in Enthrallweb eShopping Cart, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "ProductID" in reviews.asp and productdetail.asp, and to the "cat_id" and "sub_id" parameters in subProducts.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: Laurent Gaffié and Benjamin Mossé
 

 

BuTToN GeN available for download again!

Posted on Thursday, November 16, 2006 @ 04:09:37 CST in Add-Ons
by Raven

Nukeum66 writes:  
The BuTToN GeN module allows you to create button type banners 80x15 to 130x15, for your site or blog. This module does require the current version of GD Library be installed on the web server.

Registration is not required.

DEMO

Download BuTToN GeN Now
 

 

MoH:ACA

Posted on Wednesday, November 15, 2006 @ 03:15:09 CST in Announcements
by Raven

DarK_Gamers writes:  
A new Anti-Cheat community has been born, dedicated to helping Medal of Honor be a better place.

Sharing valuable information between Server Admins, Clan Admins and general MoH fans about the problem that is "cheating" in the online Medal of Honor game series is something we believe to be an asset for MoH.

As this community is just starting, we are in need of capable staff to help the Anti-Cheat Movement achieve victory in our favorite game, MoH.

Join your Clan or MoH Game community to the New Medal of Honor Anti-Cheat Alliance - www.mohanticheat.com
 


