Dear bugtraq@xxxxxxxxxxxxxxxxx, there is a number of vulnerabilities unpublished in English yet 1. Dmitry Zubov reports Planet VC-200M VDSL2 router administration interface DoS vulnerability. HTTP request with missed Host: header prevents administration interface access until reboot. Vendor was reportedly contacted, but failed to react. SecurityVulns issue: http://securityvulns.com/news/Planet/VC-200M/DoS.html Original message (in Russian): http://securityvulns.ru/Rdocument847.html 2. MustLive reports low-risk (requires social engineering), yet interesting example of crossite scripting in Internet Explorer. Local zone scripting is possible on accessing saved page with original URL in the form of http://site/-->[script]alert("XSS")[/script] Internet Explorer 6.0 was tested. SecurityVulns Issue: http://securityvulns.com/news/Microsoft/IE/saved-css.html Additional Information (in Ukranian): http://websecurity.com.ua/1241/ Original message (in Russian): http://securityvulns.ru/Rdocument865.html 3. MustLive reports crossite scripting vulnerability in Search Engine Builder. Request http://site/search/search.html?searWords=%3Cscript%3Ealert(document.cookie)%3C/script%3E leads to crossite scripting. Additional information (in Ukranian): http://websecurity.com.ua/1159/ Original message (in Russian): http://securityvulns.ru/Rdocument843.html 4. MustLive reports vulnerability in Sirius 1.0, Blix 0.9.1 and Blix 0.9.1 Rus, Pool 1.0.7 themes for WordPress and also WordPress Classic 1.5 theme, last one is already fixed in WordPress 2.1.3. Insuficcient filtering of PHP_SELF variable leads to crossite scripting with request like http://site/index.php/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Additional information (in Ukranian): http://websecurity.com.ua/1252/ http://websecurity.com.ua/1248/ http://websecurity.com.ua/1238/ http://websecurity.com.ua/1234/ Original messages (in Russian): http://securityvulns.ru/Rdocument839.html http://securityvulns.ru/Rdocument825.html http://securityvulns.ru/Rdocument771.html http://securityvulns.ru/Rdocument751.html 5. MustLive reports crossite scripting in coWiki with request http://site/?cmd=srchdoc&q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Additional information: http://websecurity.com.ua/1131/ Original message: http://securityvulns.ru/Rdocument692.html 6. Ivan Niiiil (http://uNkn0wn.eu) reports vulnerabilities in Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter 1.2, My_REFERER 1.08. Original messages in English are available from http://securityvulns.com/source26994.html 7. Okan Alp (http://www.expw0rm.com) reports vulnerabilities in different Web applications. Original messages in English are available from http://securityvulns.com/source13951.html -- http://securityvulns.com/ /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/
