Please view the original advisory here. The Joomla component JE Job suffers from a Local File Inclusion vulnerability. Furthermore XSS attacks may be possible. Example URI = index.php?option=com_jejob&view=../../../../../../etc/passwd%00 It is highly recommended to activate the PHP var OpenBaseDir and configure it correctly.

On the 6th May 2010 a new version of Google Skipfish (penetration testing tool/vulnerability scanner) was released. View the changelog here. Download it here. According to the changelog not many things were changed.

Please view the original advisory here. The free shoutbox script from damianov.net suffers from a XSS vulnerability. Injecting arbitrary HTML and Java Script code is possible while adding a new shout, no matter if HTML is allowed in the shoutsettings.php or not. #1 Example: <SCRIPT src=some-script.js></SCRIPT> #2 Example: <SCRIPT>alert(“XSS”)</SCRIPT> #3 Example: <SCRIPT>alert(document.cookie)</SCRIPT> #4 Example: <script>document.location.href=”http://www.google.de”</script> [...]

Please view the original advisory here.

Please view original advisory here.

View the txt advisory/exploit here. >> #1 Vulnerability Type = XSS Almost every parameter accepting user input is vulnerable. Examples: members/login.php?username=[XSS] members/signup.php?username=[XSS] admin/userdetails.php?userId=[XSS] >> Additional Information When being installed, the Rad User Manager creates two accounts with default passwords: Login: “admin” Password: “radmin” Login: “user” Password: “radmin”

I recently had the time to test Google’s Skipfish. It is a fully automated penetration testing tool and was just published some weeks ago. This little tutorial will show Debian/Ubuntu users how to install it and perform the first test. I. Introduction Tools like Nessus and Nmap are indispensable when it comes down to security [...]

View the original advisory here. This is most probably the most funny advisory I ever published. I found some decent vulnerabilities within the code of the very popular counter “chCounter”. It is fact a very cool counter. Simply implement the counter file into your website and view the stats in the admin backend. >> #1 [...]

Please view the advisory here. The small guestbook “Sethi Family Guestbook” suffers from several XSS vulnerabilities. Please read the advisory for details.

View the advisory here. The image gallery script “Auto-Img-Gallery” suffers from a XSS vulnerability. Furthermore SQL injection might be possible since I got some SQL errors just by browsing trough the script and playing around with the URI. Still need to find out if there is a way to exploit this.