lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 Jan 2007 09:17:25 +0100
From: Matteo Beccati <>
Cc: Jennifer Langdon <>,
	Oliver George <>
Subject: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability

Openads security advisory                            OPENADS-SA-2007-002
Advisory ID:           OPENADS-SA-2007-002
Date:                  2007-Jan-25
Security risk:         low risk
Applications affetced: Max Media Manager
Versions affected:     <= Max Media Manager v0.1.29-rc and v0.3.30-alpha
Versions not affected: >= Max Media Manager v0.3.31-alpha-pr2

Vulnerability:  Cross-site scripting

This is the description of the vulnerability recieved by JPCERT:

"We have confirmed that in admin-search.php, scripts included in
'keyword' parameter is shown without proper sanitization thus the
script could be executed.

However a user needs to login the system as administrator, which makes
the exploit technically difficult.

If this vulnerability is exploited, by script execution, a user's
session ID included in HTTP Cookie might be stolen. Also there's a risk
that the contents of phpAdsNew are falsified temporarily."

Note: Max Media Manager is derived from phpAdsNew and was affected by
the same vulnerability. MMM v0.3.30-alpha also has affiliate-search.php
which was vulnerable as well.

- JVN#07274813:

- If you are running v0.3.x, upgrade to v0.3.30-alpha-pr2
- If you are running v0.1.x, a patch is available here:

Contact informations

The security contact for Openads can be reached at:
<security AT openads DOT org>

Best regards
Matteo Beccati

Powered by blists - more mailing lists