Tuesday, November 14, 2006

SecurityFocus Newsletter #376
----------------------------------------

This Issue is Sponsored by: eEye

Too Many Security Agents Cluttering Your System?
Replace your Firewall, IPS, Anti-Spyware and more with Blink® Professional for less than what you are currently paying in renewals.
Learn more on how you can experience the simplicity of one. One agent. One console. One Policy. One Solution.
Introducing eEye Digital Security's Blink® Professional, the first all-in-one security agent.

http://www.eeye.com/ctrack.asp?ref=SFBlink20061031

------------------------------------------------------------------
I. FRONT AND CENTER
1. Using Nepenthes Honeypots to Detect Common Malware
2. FreeBSD Security Event Auditing
II. BUGTRAQ SUMMARY
1. Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability
2. Microsoft Agent ActiveX Control Remote Code Execution Vulnerability
3. Car Site Manager Multiple Input Validation Vulnerabilities
4. Pilot Cart Pilot.ASP SQL Injection Vulnerability
5. DMXReady Site Engine Manager Index.ASP SQL Injection Vulnerability
6. ASP Smiley Default.ASP SQL Injection Vulnerability
7. ASPIntranet Default.ASP SQL Injection Vulnerability
8. WinZip ActiveX Control Remote Code Execution Vulnerability
9. SiteXpress E-Commerce System Dept.ASP SQL Injection Vulnerability
10. AlTools ALFTP Authentication Bypass And Information Disclosure Vulnerabilities
11. PHPPeanuts Inspect.PHP Remote File Include Vulnerability
12. FunkyASP Glossary Glossary.ASP SQL Injection Vulnerability
13. XLineSoft PHPRunner PHPRunner.INI Local Information Disclosure Vulnerability
14. Apple Safari JavaScript Regular Expression Match Remote Denial of Service Vulnerability
15. E-Xoopport Multiple Unspecified Security Vulnerabilities
16. 20/20 Real Estate Listings.ASP SQL Injection Vulnerability
17. Microsoft Client Service for Netware Denial of Service Vulnerability
18. Speedywiki Multiple Input Validation Vulnerabilities
19. Microsoft November Advance Notification Multiple Vulnerabilities
20. Portix-PHP Multiple HTML Injection Vulnerabilities
21. Portix-PHP Multiple SQL Injection Vulnerabilities
22. Xoops NewList.PHP Cross-Site Scripting Vulnerability
23. GNUTLS PKCS RSA Signature Forgery Vulnerability
24. War FTP Daemon CWD Command Remote Denial Of Service Vulnerability
25. SAP Web Application Server Remote Denial of Service Vulnerability
26. WheatBlog Multiple HTML Injection Vulnerabilities
27. Microsoft PowerPoint Remote Denial of Service Vulnerability
28. Adobe Flash Player Plugin HTTP Header Injection Weakness
29. Bugzilla Syncshadowdb Insecure Temporary File Creation Vulnerability
30. Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
31. Microsoft Internet Explorer HTML Rendering Remote Code Execution Vulnerability
32. ShopSystems Index.PHP SQL Injection Vulnerability
33. Microsoft Internet Explorer Daxctle.OCX Spline Method Heap Buffer Overflow Vulnerability
34. Macromedia Flash Malformed SWF File Multiple Vulnerabilities
35. ExoPHPdesk Pipe.PHP Remote File Include Vulnerability
36. Microsoft Office Embedded Shockwave Flash Object Security Bypass Weakness
37. Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability
38. PHPKit Multiple SQL Injection Vulnerabilities
39. Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
40. EncapsCMS Core.PHP Remote File Include Vulnerability
41. Adobe Flash Player Multiple Remote Code Execution Vulnerabilities
42. FreeType LWFN Files Buffer Overflow Vulnerability
43. Samba Internal Data Structures Denial of Service Vulnerability
44. Linux Kernel Ssockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
45. NetKit FTP Server ChDir Information Disclosure Vulnerability
46. PCRE Regular Expression Heap Overflow Vulnerability
47. Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
48. Net-SNMP Unspecified Remote Stream-Based Protocol Denial Of Service Vulnerability
49. Apache Struts Error Response Cross-Site Scripting Vulnerability
50. ContentNow Multiple Input Validation Vulnerabilities
51. Marshal MailMarshal UNARJ Extraction Remote Directory Traversal Vulnerability
52. LibRPM Query Report Arbitrary Code Execution Vulnerability
53. OpenSSH LoginGraceTime Remote Denial Of Service Vulnerability
54. Wireshark Multiple Protocol Dissectors Denial of Service Vulnerabilities
55. Multiple Vendor AMD CPU Local FPU Information Disclosure Vulnerability
56. MiniBB Multiple Remote File Include Vulnerabilities
57. Drake CMS Index.PHP Cross-Site Scripting Vulnerability
58. Mozilla Firefox, SeaMonkey, Camino, and Thunderbird Multiple Remote Vulnerabilities
59. Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote Vulnerabilities
60. Linux Kernel SMBFS CHRoot Security Restriction Bypass Vulnerability
61. Linux Kernel Shared Memory Security Restriction Bypass Vulnerabilities
62. ProFTPD Unspecified Remote Code Execution Vulnerability
63. Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
64. OpenSSL PKCS Padding RSA Signature Forgery Vulnerability
65. OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
66. Linux Kernel SCTP SO_LINGER Local Denial of Service Vulnerability
67. Omnistar Article Manager Multiple SQL Injection Vulnerabilities
68. Linux Kernel CD-ROM Driver Local Buffer Overflow Vulnerability
69. Samedia LandShop LS.PHP Multiple Input Validation Vulnerabilities
70. Iyzi Forum Uye_Ayrinti.ASP SQL Injection Vulnerability
71. Linux Kernel SNMP NAT Helper Remote Denial of Service Vulnerability
72. Apache Mod_SSL Custom Error Document Remote Denial Of Service Vulnerability
73. Linux Kernel NFS and EXT3 Combination Remote Denial of Service Vulnerability
74. Aspired2Poll MoreInfo.ASP SQL Injection Vulnerability
75. GNU GZip Archive Handling Multiple Remote Vulnerabilities
76. Modx CMS Thumbnail.PHP Remote File Include Vulnerability
77. Intego VirusBarrier Filter Bypass Vulnerability
78. MySQL MERGE Privilege Revoke Bypass Vulnerability
79. Texinfo File Handling Buffer Overflow Vulnerability
80. T.G.S. CMS Logout.PHP SQL Injection Vulnerability
81. Exhibit Engine Toroot Parameter Multiple Remote File Include Vulnerabilities
82. Apple Mac OS X FPathConf System Call Local Denial of Service Vulnerability
83. Netquery NQUser.PHP Cross-Site Scripting Vulnerability
84. Unicore Client Keystore File Insecure File Permissions Vulnerability
85. Trolltech QT Pixmap Images Integer Overflow Vulnerability
86. Mozilla Firefox FTP Denial of Service Vulnerability
87. LetterIt Session.PHP Remote File Include Vulnerability
88. Mono System.CodeDom.Compiler Class Insecure Temporary File Creation Vulnerability
89. Linksys WRT54GS POST Request Configuration Change Authentication Bypass Vulnerability
90. GimeScripts Shopping Catalog Index.PHP Remote File Include Vulnerability
91. Essentia Web Server GET And HEAD Requests Remote Buffer Overflow Vulnerability
92. GNU Texinfo Insecure Temporary File Creation Vulnerability
93. Campware Campsite Thankyou.PHP Remote File Include Vulnerability
94. GraphicsMagick PALM DCM Buffer Overflow Vulnerabilities
95. Mozilla Client Products Multiple Remote Vulnerabilities
96. Megamail Product_Review.PHP Multiple SQL Injection Vulnerabilities
97. Blogme Multiple Input Validation Vulnerabilities
98. Evolve Merchant Viewcart.ASP SQL Injection Vulnerability
99. Inventory Manager Multiple Input Validation Vulnerabilities
100. Plesk Multiple HTML Injection Vulnerabilities
III. SECURITYFOCUS NEWS
1. E-voting worries focus on failures, not fraud
2. Attackers end-run around IE security
3. Quantum attacks worry computer scientists
4. Bot nets likely behind jump in spam
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Principal Software Engineer, Arlington
2. [SJ-JOB] Senior Software Engineer, Arlington
3. [SJ-JOB] Manager, Information Security, New Castle
4. [SJ-JOB] Security Engineer, Charlotte
5. [SJ-JOB] Security Engineer, San Diego
6. [SJ-JOB] Security System Administrator, Arlington
7. [SJ-JOB] Security Engineer, WASHINGTON
8. [SJ-JOB] Security Engineer, Washington
9. [SJ-JOB] Auditor, Melbourne
10. [SJ-JOB] Security Engineer, WASHINGTON
11. [SJ-JOB] Security Engineer, Fairfax
12. [SJ-JOB] Sr. Security Analyst, Baltimore
13. [SJ-JOB] Sales Representative, Los Angeles
14. [SJ-JOB] Sr. Security Engineer, Anywhere
15. [SJ-JOB] Jr. Security Analyst, Corning
16. [SJ-JOB] Sr. Security Engineer, Zurich
17. [SJ-JOB] Sr. Security Analyst, New York
18. [SJ-JOB] Security Architect, Santa Ana
19. [SJ-JOB] VP of Regional Sales, Seattle
20. [SJ-JOB] Security Engineer, Metro DC/VA/MD
21. [SJ-JOB] Account Manager, Watford
22. [SJ-JOB] VP / Dir / Mgr engineering, Boston
23. [SJ-JOB] Technical Support Engineer, London
24. [SJ-JOB] Penetration Engineer, London and South
V. INCIDENTS LIST SUMMARY
1. \x HTTP requests
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. outlook sending email messages to mapped drives randomly
2. DNS recursive
3. SecurityFocus Microsoft Newsletter #316
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Using Nepenthes Honeypots to Detect Common Malware
By Jamie Riden
This article describes the use of Nepenthes, a low-interaction honeypot, as an additional layer of network defense. Nepenthes can be used to capture malware, alert an administrator about a network compromise, and assist in containing and removing the infection.
http://www.securityfocus.com/infocus/1880

2. FreeBSD Security Event Auditing
By Federico Biancuzzi
The upcoming release of FreeBSD 6.2 includes the new Security Event Auditing system, which "permits the selective and fine-grained logging of security-relevant system events for the purposes of post-mortem analysis, intrusion detection, and run-time monitoring analysis." Federico Biancuzzi interviewed Robert Watson, founder of the TrustedBSD project, and discussed the advantages and potential it brings.
http://www.securityfocus.com/columnists/422


II. BUGTRAQ SUMMARY
--------------------
1. Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability
BugTraq ID: 21023
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21023
Summary:
Microsoft Client Service for Netware is prone to a remote code-execution vulnerability.

A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the user running the affected service.

Note that the Client Service for Netware is not installed by default on any affected operating system.

2. Microsoft Agent ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 21034
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21034
Summary:
The Microsoft Agent ActiveX control is prone to a remote code-execution vulnerability.

An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

3. Car Site Manager Multiple Input Validation Vulnerabilities
BugTraq ID: 21066
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21066
Summary:
Car Site Manager is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

4. Pilot Cart Pilot.ASP SQL Injection Vulnerability
BugTraq ID: 21065
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21065
Summary:
Pilot Cart is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Version 7.2 is vulnerable to this issue; other versions may also be affected.

5. DMXReady Site Engine Manager Index.ASP SQL Injection Vulnerability
BugTraq ID: 21064
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21064
Summary:
DMXReady Site Engine Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Version 1.0 is vulnerable; other versions may also be affected.

6. ASP Smiley Default.ASP SQL Injection Vulnerability
BugTraq ID: 21063
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21063
Summary:
ASP Smiley is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

ASP Smiley version 1.0 is vulnerable.

7. ASPIntranet Default.ASP SQL Injection Vulnerability
BugTraq ID: 21061
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21061
Summary:
ASPIntranet is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Version 1.2 is vulnerable; other versions may also be affected.

8. WinZip ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 21060
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21060
Summary:
WinZip is prone to a remote code-execution vulnerability in an ActiveX control that is installed with the package.

This issue allows remote attackers to execute arbitrary machine code in the context of applications utilizing the affected ActiveX control. This issue facilitates the remote compromise of affected computers.

WinZip versions in the 10.0 series prior to build 7245 are vulnerable to this issue.

9. SiteXpress E-Commerce System Dept.ASP SQL Injection Vulnerability
BugTraq ID: 21059
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21059
Summary:
SiteXpress E-Commerce System is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

10. AlTools ALFTP Authentication Bypass And Information Disclosure Vulnerabilities
BugTraq ID: 21058
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21058
Summary:
The ALTOOLS ALFTP server is prone to authentication bypass and information disclosure vulnerabilities. These issues occur when specific commands are submitted by a user.

These issues could allow an attacker to gain sensitive directory information or to create directories in unauthorized locations. This could aid in further attacks.

Version 4.1 BETA1 is vulnerable; other versions may also be affected.

11. PHPPeanuts Inspect.PHP Remote File Include Vulnerability
BugTraq ID: 21057
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21057
Summary:
PHPPeanuts is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

12. FunkyASP Glossary Glossary.ASP SQL Injection Vulnerability
BugTraq ID: 21055
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21055
Summary:
FunkyASP Glossary is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

13. XLineSoft PHPRunner PHPRunner.INI Local Information Disclosure Vulnerability
BugTraq ID: 21054
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21054
Summary:
XLineSoft PHPRunner is prone to an information disclosure vulnerability due to a design error.

This issue could be exploited to access sensitive information which could aid in further attacks against the affected computer and related databases.

Version 3.1 is vulnerable; other versions may also be affected.

14. Apple Safari JavaScript Regular Expression Match Remote Denial of Service Vulnerability
BugTraq ID: 21053
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21053
Summary:
Apple Safari web browser is prone to a denial-of-service vulnerability when executing certain JavaScript code.

An attacker can exploit this issue to crash an affected browser. It is conjectured that this issue may also result in remote code-execution, but this has not been confirmed.

Apple Safari version 2.0.4 is vulnerable to this issue; other versions may also be affected.

15. E-Xoopport Multiple Unspecified Security Vulnerabilities
BugTraq ID: 21052
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21052
Summary:
E-Xoopport is prone to multiple unspecified security vulnerabilities. The cause and impact of these issues are currently unknown.

This BID will be updated when more information becomes available.

Versions prior to 2.2.0 are vulnerable to these issues.

16. 20/20 Real Estate Listings.ASP SQL Injection Vulnerability
BugTraq ID: 21036
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21036
Summary:
20/20 Real Estate is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

17. Microsoft Client Service for Netware Denial of Service Vulnerability
BugTraq ID: 20984
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20984
Summary:
Microsoft Client Service for Netware is prone to a denial-of-service vulnerability.

Exploiting this issue would cause the affected computer to crash, denying service to legitimate users.

18. Speedywiki Multiple Input Validation Vulnerabilities
BugTraq ID: 20976
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20976
Summary:
Speedywiki is prone to multiple input-validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These issues include an arbitrary file-upload vulnerability and a cross-site scripting vulnerability.

An attacker may leverage these issues to upload and execute arbitrary code within the context of the affected webserver and to steal cookie-based authentication credentials. Other attacks are also possible.

Version 2.0 is vulnerable to this issue; other versions may also be affected.

19. Microsoft November Advance Notification Multiple Vulnerabilities
BugTraq ID: 20991
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20991
Summary:
Microsoft has released advance notification that the vendor will be releasing six security bulletins for Windows and Microsoft XML Core Services on November 14, 2006. The highest severity rating for these issues is 'Critical'.

Further details about these issues are not currently available. Individual BIDs will be created for each issue; this record will be removed when the security bulletins are released.

20. Portix-PHP Multiple HTML Injection Vulnerabilities
BugTraq ID: 20975
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20975
Summary:
Portix-PHP is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Portix-PHP version 0.4.2 is vulnerable; earlier versions may also be affected.

21. Portix-PHP Multiple SQL Injection Vulnerabilities
BugTraq ID: 20974
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20974
Summary:
Portix-PHP is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Portix version 0.4.2 is vulnerable; earlier versions may also be affected.

22. Xoops NewList.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 20927
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20927
Summary:
Xoops is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Version 1.0 is vulnerable; other versions may also be affected.

23. GNUTLS PKCS RSA Signature Forgery Vulnerability
BugTraq ID: 20027
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20027
Summary:
GnuTLS is prone to a vulnerability that may allow an attacker to forge an RSA signature. The attacker may be able to forge a PKCS #1 v1.5 signature when verifying an X.509 certificate.

An attacker may exploit this issue to sign digital certificates or RSA keys and take advantage of trust relationships that depend on these credentials, possibly posing as a trusted party and signing a certificate or key.

This vulnerability is a variant of the issue discussed in BID 19849 (OpenSSL PKCS Padding RSA Signature Forgery Vulnerability) and affects GnuTLS versions prior to version 1.4.3.

24. War FTP Daemon CWD Command Remote Denial Of Service Vulnerability
BugTraq ID: 20973
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20973
Summary:
War FTP Daemon is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

War FTP Daemon 1.82.00-RC11 is reported vulnerable to this issue; other versions may also be affected.

This issue may be related to the issue described in BID 12384 (War FTP Daemon Remote Denial Of Service Vulnerability).

25. SAP Web Application Server Remote Denial of Service Vulnerability
BugTraq ID: 20873
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20873
Summary:
SAP Web Application Server is prone to a remote denial-of-service vulnerability.

Exploiting this issue allows remote attackers to consume excessive system resources until the software becomes unresponsive to further calls, effectively denying service to legitimate users.

These versions are affected:

- 6.40 patch 135 and prior
- 7.00 patch 55 and prior.

26. WheatBlog Multiple HTML Injection Vulnerabilities
BugTraq ID: 20306
Remote: Yes
Last Updated: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/20306
Summary:
WheatBlog is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

27. Microsoft PowerPoint Remote Denial of Service Vulnerability
BugTraq ID: 20495
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20495
Summary:
Microsoft PowerPoint is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows a remote attacker to crash the affected application.

This issue was first reported as a remote code-execution vulnerability. Microsoft's Secure Windows Initiative is now reporting that this issue is not exploitable for remote code execution. Further research has indicated that the issue is caused by a null-pointer dereference that apparently cannot be exploited to execute code, yet can be used to predictably crash the application.

28. Adobe Flash Player Plugin HTTP Header Injection Weakness
BugTraq ID: 20592
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20592
Summary:
Adobe Flash Player Plugin is prone to a weakness that permits the injection of arbitrary HTTP headers because it fails to sanitize user-supplied input.

A successful attack may allow attackers to perform arbitrary HTTP requests facilitating cross-site request forgery, cross-site scripting, HTTP request smuggling, and other attacks.

Since this weakness would typically be used as one component in a larger attack scenario, the consequences of an attack will depend on the vulnerabilities exploited along with this weakness.

Version 9.0.16 for Windows and 7.0.63 for Linux are affected by this issue.

29. Bugzilla Syncshadowdb Insecure Temporary File Creation Vulnerability
BugTraq ID: 16061
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/16061
Summary:
Bugzilla creates temporary files in an insecure manner.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

30. Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
BugTraq ID: 20047
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20047
Summary:
Microsoft Internet Explorer is prone to a heap buffer-overflow vulnerability.

The vulnerability arises because of the way Internet Explorer tries to instantiate certain COM objects as ActiveX controls.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue is similar to, but separate from, the one described in BID 19738 (Microsoft Internet Explorer Daxctle.OCX Spline Method Heap Buffer Overflow Vulnerability).

Microsoft has released information stating this issue is being exploited publicly in limited attacks.

31. Microsoft Internet Explorer HTML Rendering Remote Code Execution Vulnerability
BugTraq ID: 21020
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21020
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

This vulnerability is related to how the browser renders HTML with certain layout combinations. An attacker could exploit this issue to execute arbitrary code in the context of the affected web browser.

This issue affects Internet Explorer on Windows 2000, Windows XP, and Windows Server 2003.

32. ShopSystems Index.PHP SQL Injection Vulnerability
BugTraq ID: 21005
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21005
Summary:
ShopSystems is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

ShopSystems 4.0 and prior versions are vulnerable; other versions may also be affected.

33. Microsoft Internet Explorer Daxctle.OCX Spline Method Heap Buffer Overflow Vulnerability
BugTraq ID: 19738
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19738
Summary:
Microsoft Internet Explorer is prone to a heap buffer-overflow vulnerability.

The vulnerability arises because of the way Internet Explorer tries to instantiate certain COM objects as ActiveX controls.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

34. Macromedia Flash Malformed SWF File Multiple Vulnerabilities
BugTraq ID: 18894
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18894
Summary:
The Macromedia Flash plug-in is prone to multiple remote vulnerabilities.

An attacker can exploit these vulnerabilities to execute arbitrary code or to crash the application hosting the Flash player (typically a web browser). Attackers exploit these issues through maliciously malformed SWF files that have been placed on a website or emailed to unsuspecting users.

Version 8.0.24.0 of Flash is vulnerable to these issues; other versions may also be affected.

35. ExoPHPdesk Pipe.PHP Remote File Include Vulnerability
BugTraq ID: 21003
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21003
Summary:
Exophpdesk is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Exophpdesk version 1.2 is vulnerable.

36. Microsoft Office Embedded Shockwave Flash Object Security Bypass Weakness
BugTraq ID: 18583
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18583
Summary:
Microsoft Office is prone to a weakness that may allow remote attackers to execute arbitrary script code contained in Shockwave Flash Objects without first requiring confirmation from users.

A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer.

The researcher responsible for discovering this issue has indicated that it presents itself on Windows 2003 SP1, Windows XP Professional Edition SP1 and SP2 running Microsoft Office 2003, and Windows 2000 Professional running Microsoft Office 2003. Other versions may be vulnerable as well.

37. Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 20915
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20915
Summary:
Microsoft XML Core Service is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code within the affected application, facilitating the remote compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

38. PHPKit Multiple SQL Injection Vulnerabilities
BugTraq ID: 21002
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21002
Summary:
PHPKit is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

PHPKit version 1.6.1 RC2 is vulnerable; earlier versions may also be affected.

39. Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
BugTraq ID: 20985
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20985
Summary:
Microsoft Windows Workstation service is prone to a remote code-execution vulnerability.

This issue allows remote, anonymous attackers to execute arbitrary machine-code on affected computers with SYSTEM-level privileges. This facilitates the complete compromise of affected computers.

Attackers require administrative privileges to exploit this issue on Windows XP SP2 computers. Anonymous attackers may exploit this issue on Windows 2000 computers.

40. EncapsCMS Core.PHP Remote File Include Vulnerability
BugTraq ID: 21001
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21001
Summary:
EncapsCMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

EncapsCMS 0.3.6 is vulnerable.

41. Adobe Flash Player Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 19980
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19980
Summary:
Adobe Flash Player is prone to multiple remote code-execution vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker could exploit this issue by creating a media file containing large, dynamically generated string data and submitting it to be processed by the media player.

These issues allow remote attackers to execute arbitrary machine code in the context of the user running the application. Other attacks are also possible.

Adobe Flash Player 8.0.24.0 and prior, Adobe Flash Professional 8, Flash Basic, Adobe Flash MX 2004, and Adobe Flex 1.5 are affected.

42. FreeType LWFN Files Buffer Overflow Vulnerability
BugTraq ID: 18034
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18034
Summary:
FreeType is prone to a buffer-overflow vulnerability. This issue is due to an integer-overflow that results in a buffer being overrun with attacker-supplied data.

This issue allows remote attackers to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts will likely crash applications, denying service to legitimate users.

FreeType versions prior to 2.2.1 are vulnerable to this issue.

43. Samba Internal Data Structures Denial of Service Vulnerability
BugTraq ID: 18927
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18927
Summary:
The smbd daemon is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to consume excessive memory resources, ultimately crashing the affected application.

This issue affects Samba versions 3.0.1 through 3.0.22 inclusive.

44. Linux Kernel Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
BugTraq ID: 17203
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/17203
Summary:
The Linux kernel is affected by local memory-disclosure vulnerabilities. These issues are due to the kernel's failure to properly clear previously used kernel memory before returning it to local users.

These issues allow an attacker to read kernel memory and potentially gather information to use in further attacks.

45. NetKit FTP Server ChDir Information Disclosure Vulnerability
BugTraq ID: 21000
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21000
Summary:
Netkit FTP Server ('ftpd') is prone to an information-disclosure vulnerability due to a design error.

A local attacker could exploit this issue to bypass access restrictions and gain access to the root directory of the FTP server. Directory information gained may aid in further attacks.

Netkit FTP Server 0.17 and prior versions are affected.

46. PCRE Regular Expression Heap Overflow Vulnerability
BugTraq ID: 14620
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/14620
Summary:
PCRE is prone to a heap-overflow vulnerability. This issue is due to the library's failure to properly perform boundary checks on user-supplied input before copying data to an internal memory buffer.

The impact of successful exploitation of this vulnerability depends on the application and the user credentials using the vulnerable library. A successful attack may ultimately permit an attacker to control the contents of critical memory control structures and write arbitrary data to arbitrary memory locations.

47. Retired: Bitweaver Multiple Parameter Multiple Input Validation Vulnerabilities
BugTraq ID: 20996
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20996
Summary:
Bitweaver is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Bitweaver 1.3.1 and prior versions are vulnerable; other versions may also be affected.

This issue is a duplicate of the issue described in BID 20988 (Bitweaver Multiple Input Validation Vulnerabilities); therefore this BID is being retired.

48. Net-SNMP Unspecified Remote Stream-Based Protocol Denial Of Service Vulnerability
BugTraq ID: 14168
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/14168
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability. The issue is exposed when Net-SNMP is configured to have an open stream-based protocol port, such as TCP.

The exact details describing this issue are not available. This BID will be updated when further details are made available.

49. Apache Struts Error Response Cross-Site Scripting Vulnerability
BugTraq ID: 15512
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/15512
Summary:
Struts is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

50. ContentNow Multiple Input Validation Vulnerabilities
BugTraq ID: 21024
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21024
Summary:
ContentNow is prone to multiple input validation vulnerabilities. These issues include multiple local file-include vulnerabilities, an unauthorized directory access vulnerability, multiple directory-traversal vulnerabilities and a cross-site scripting vulnerability.

An attacker can exploit these issues to upload and execute malicious PHP code in the context of the webserver process, view sensitive information, and steal cookie-based authentication credentials. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

These issues affect version 1.30; other versions may also be vulnerable.

51. Marshal MailMarshal UNARJ Extraction Remote Directory Traversal Vulnerability
BugTraq ID: 20999
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20999
Summary:
Marshal MailMarshal is affected by a remote directory-traversal vulnerability because the application fails to properly sanitize or validate filenames prior to decompression.

Exploiting this issue may allow an attacker to arbitrarily overwrite files with a user's privileges when a malicious compressed file is decompressed with the affected application.

MailMarshal SMTP 5.x, MailMarshal SMTP 6.x, MailMarshal SMTP 2006, and MailMarshal for Exchange 5.x are vulnerable; other versions may also be affected.

52. LibRPM Query Report Arbitrary Code Execution Vulnerability
BugTraq ID: 20906
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20906
Summary:
The 'librpm' library is prone to an arbitrary code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary machine code with the privileges of the currently logged-in user or to crash the affected application.

53. OpenSSH LoginGraceTime Remote Denial Of Service Vulnerability
BugTraq ID: 14963
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/14963
Summary:
OpenSSH is susceptible to a remote denial-of-service vulnerability. This issue is due to a design flaw when servicing timeouts related to the 'LoginGraceTime' server-configuration directive.

Specifically, when 'LoginGraceTime' in conjunction with 'MaxStartups' and 'UsePrivilegeSeparation' are configured and enabled in the server, a condition may arise where the server refuses further remote connection attempts.

This issue may be exploited by remote attackers to deny SSH service to legitimate users.

54. Wireshark Multiple Protocol Dissectors Denial of Service Vulnerabilities
BugTraq ID: 20762
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20762
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may permit attackers to cause crashes and deny service to legitimate users of the application.

Wireshark versions prior to 0.99.4 are affected.

55. Multiple Vendor AMD CPU Local FPU Information Disclosure Vulnerability
BugTraq ID: 17600
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/17600
Summary:
Multiple vendors' operating systems are prone to a local information-disclosure vulnerability. This issue is due to a flaw in how the affected operating systems handle the floating-point unit (FPU) state on AMD CPUs.

Local attackers may exploit this vulnerability to gain access to potentially sensitive information regarding other processes executing on affected computers. This may aid attackers in retrieving information regarding cryptographic keys or other sensitive information.

This issue affects Linux and FreeBSD operating systems that use generations 7 and 8 AMD CPUs.

56. MiniBB Multiple Remote File Include Vulnerabilities
BugTraq ID: 20757
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20757
Summary:
miniBB is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

miniBB 2.0.2 and prior versions are vulnerable to this issue.

57. Drake CMS Index.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 20998
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20998
Summary:
Drake CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Version 0.2 is vulnerable; other versions may also be affected.

58. Mozilla Firefox, SeaMonkey, Camino, and Thunderbird Multiple Remote Vulnerabilities
BugTraq ID: 18228
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18228
Summary:
The Mozilla Foundation has released thirteen security advisories specifying security vulnerabilities in Mozilla Firefox, SeaMonkey, Camino, and Thunderbird.

These vulnerabilities allow attackers to:

- execute arbitrary machine code in the context of the vulnerable application
- crash affected applications
- run JavaScript code with elevated privileges, potentially allowing the remote execution of machine code
- gain access to potentially sensitive information.

Other attacks may also be possible.

The issues described here will be split into individual BIDs as further information becomes available.

These issues are fixed in:
- Mozilla Firefox version 1.5.0.4
- Mozilla Thunderbird version 1.5.0.4
- Mozilla SeaMonkey version 1.0.2
- Mozilla Camino 1.0.2

59. Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote Vulnerabilities
BugTraq ID: 20042
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20042
Summary:
The Mozilla Foundation has released six security advisories specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- execute arbitrary code
- perform cross-site scripting attacks
- supply malicious data through updates
- inject arbitrary content
- execute arbitrary JavaScript
- crash affected applications and potentially execute arbitrary code.

Other attacks may also be possible.

The issues described here will be split into individual BIDs as more information becomes available.

These issues are fixed in:

- Mozilla Firefox version 1.5.0.7
- Mozilla Thunderbird version 1.5.0.7
- Mozilla SeaMonkey version 1.0.5

60. Linux Kernel SMBFS CHRoot Security Restriction Bypass Vulnerability
BugTraq ID: 17735
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/17735
Summary:
The Linux Kernel is prone to a vulnerability that allows attackers to bypass a security restriction. This issue is due to a failure in the kernel to properly sanitize user-supplied data.

The problem affects chroot inside of an SMB-mounted filesystem ('smbfs'). A local attacker who is bounded by the chroot can exploit this issue to bypass the chroot restriction and gain unauthorized access to the filesystem.

61. Linux Kernel Shared Memory Security Restriction Bypass Vulnerabilities
BugTraq ID: 17587
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/17587
Summary:
The Linux kernel is prone to vulnerabilities regarding access to shared memory.

A local attacker could potentially gain read and write access to shared memory and write access to read-only tmpfs filesystems, bypassing security restrictions.

An attacker can exploit these issues to possibly corrupt applications and their data when the applications use temporary files or shared memory.

62. ProFTPD Unspecified Remote Code Execution Vulnerability
BugTraq ID: 20992
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20992
Summary:
ProFTPD is prone to an unspecified remote code-execution vulnerability.

Presumably, a remote attacker can exploit this issue to gain unauthorized access to a computer in the context of the server.

This issue is reported to affect version 1.3.0; other versions may be vulnerable as well.

63. Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
BugTraq ID: 20241
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20241
Summary:
Portable OpenSSH is prone to a remote code-execution vulnerability. The issue derives from a race condition in a vulnerable signal handler.

Reportedly, under specific conditions, it is theoretically possible to execute code remotely prior to authentication when GSSAPI authentication is enabled. This has not been confirmed; the chance of a successful exploit of this nature is considered minimal.

On non-Portable OpenSSH implementations, this same race condition can be exploited to cause a pre-authentication denial of service.

This issue occurs when OpenSSH and Portable OpenSSH are configured to accept GSSAPI authentication.

64. OpenSSL PKCS Padding RSA Signature Forgery Vulnerability
BugTraq ID: 19849
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19849
Summary:
OpenSSL is prone to a vulnerability that may allow an attacker to forge an RSA signature. The attacker may be able to forge a PKCS #1 v1.5 signature when an RSA key with exponent 3 is used.

An attacker may exploit this issue to sign digital certificates or RSA keys and take advantage of trust relationships that depend on these credentials, possibly posing as a trusted party and signing a certificate or key.

All versions of OpenSSL prior to and including 0.9.7j and 0.9.8b are affected by this vulnerability. Updates are available.

65. OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
BugTraq ID: 20245
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20245
Summary:
OpenSSH-Portable is prone to an information-disclosure weakness. The issue stems from a GSSAPI authentication abort.

Reportedly, attackers may leverage a GSSAPI authentication abort to determine the presence and validity of usernames on unspecified platforms.

This issue occurs when OpenSSH-Portable is configured to accept GSSAPI authentication.

OpenSSH-Portable 4.3p1 and prior versions exhibit this weakness.

66. Linux Kernel SCTP SO_LINGER Local Denial of Service Vulnerability
BugTraq ID: 20087
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20087
Summary:
The Linux kernel SCTP module is prone to a local denial-of-service vulnerability.

This issue allows local attackers to cause kernel crashes, denying service to legitimate users.

Specific information regarding affected versions of the Linux kernel is currently unavailable. This BID will be updated as further information is disclosed.

67. Omnistar Article Manager Multiple SQL Injection Vulnerabilities
BugTraq ID: 20990
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20990
Summary:
Omnistar Article Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

68. Linux Kernel CD-ROM Driver Local Buffer Overflow Vulnerability
BugTraq ID: 18847
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18847
Summary:
The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.

This issue allows local attackers to overwrite kernel memory with arbitrary data, potentially allowing them to execute malicious machine code in the context of affected kernels. This vulnerability facilitates the complete compromise of affected computers.

Linux kernel version 2.6.17.3 and prior are affected by this issue.

69. Samedia LandShop LS.PHP Multiple Input Validation Vulnerabilities
BugTraq ID: 20989
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20989
Summary:
LandShop is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, access or modify sensitive data, execute arbitrary script code in the context of the application, compromise the application, and possibly exploit latent vulnerabilities in the underlying system; other attacks are also possible.

70. Iyzi Forum Uye_Ayrinti.ASP SQL Injection Vulnerability
BugTraq ID: 20168
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20168
Summary:
Iyzi Forum is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Iyzi Forum 1.0 beta 3 and prior versions are reported affected.

71. Linux Kernel SNMP NAT Helper Remote Denial of Service Vulnerability
BugTraq ID: 18081
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/18081
Summary:
The Linux SNMP NAT helper is susceptible to a remote denial-of-service vulnerability.

This issue allows remote attackers to potentially corrupt memory and ultimately trigger a denial of service for legitimate users.

Kernel versions prior to 2.6.16.18 are vulnerable to this issue.

72. Apache Mod_SSL Custom Error Document Remote Denial Of Service Vulnerability
BugTraq ID: 16152
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/16152
Summary:
Apache's mod_ssl module is susceptible to a remote denial-of-service vulnerability. A flaw in the module results in a NULL-pointer dereference that causes the server to crash. This issue is present only when virtual hosts are configured with a custom 'ErrorDocument' statement for '400' errors or 'SSLEngine optional'.

Depending on the configuration of Apache, attackers may crash the entire webserver or individual child processes. Repeated attacks are required to deny service to legitimate users when Apache is configured for multiple child processes to handle connections.

This issue affects Apache 2.x versions.

73. Linux Kernel NFS and EXT3 Combination Remote Denial of Service Vulnerability
BugTraq ID: 19396
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19396
Summary:
The Linux kernel is susceptible to a remote denial-of-service vulnerability because the EXT3 filesystem code fails to properly handle unexpected conditions.

Remote attackers may trigger this issue by sending crafted UDP datagrams to affected computers that are configured as NFS servers, causing filesystem errors. Depending on the mount-time options of affected filesystems, this may result in remounting filesystems as read-only or cause a kernel panic.

Linux kernel versions 2.6.14.4, 2.6.17.6, and 2.6.17.7 are vulnerable to this issue; other versions in the 2.6 series are also likely affected.

74. Aspired2Poll MoreInfo.ASP SQL Injection Vulnerability
BugTraq ID: 20987
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20987
Summary:
ASPired2Poll is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

ASPired2Poll 1.0 and prior versions are vulnerable; other versions may also be affected.

75. GNU GZip Archive Handling Multiple Remote Vulnerabilities
BugTraq ID: 20101
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20101
Summary:
The gzip utility is prone to multiple remote buffer-overflow and denial-of-service vulnerabilities when handling malicious archive files.

Successful exploits may allow a remote attacker to corrupt process memory by triggering an overflow condition. This may lead to arbitrary code execution in the context of an affected user and may facilitate a remote compromise. Attackers may also trigger denial-of-service conditions by crashing or hanging the application.

Specific information regarding affected versions of gzip is currently unavailable. This BID will be updated as more information is released.

76. Modx CMS Thumbnail.PHP Remote File Include Vulnerability
BugTraq ID: 20898
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20898
Summary:
MODx CMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

MODx CMS 0.9.2.1 and prior versions are vulnerable.

77. Intego VirusBarrier Filter Bypass Vulnerability
BugTraq ID: 20983
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20983
Summary:
Intego VirusBarrier is prone to a filter-bypass vulnerability.

This issue occurs because the application fails to filter malicious virus files properly.

VirusBarrier X4 is vulnerable.

78. MySQL MERGE Privilege Revoke Bypass Vulnerability
BugTraq ID: 19279
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19279
Summary:
MySQL is prone to a vulnerability that allows users whose privileges on a particular table have been revoked to continue accessing that table without permission.

Exploiting this issue allows attackers to access data when access privileges have been revoked. The specific impact of this issue depends on the data that the attacker may retrieve.

79. Texinfo File Handling Buffer Overflow Vulnerability
BugTraq ID: 20959
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20959
Summary:
Texinfo is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to crash applications that use Texinfo, denying service to legitimate users. Arbitrary code execution may also be possible, but this has not been confirmed.

80. T.G.S. CMS Logout.PHP SQL Injection Vulnerability
BugTraq ID: 20850
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20850
Summary:
T.G.S. CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

T.G.S. CMS 0.1.7 and prior versions are vulnerable.

81. Exhibit Engine Toroot Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 20793
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20793
Summary:
Exhibit Engine Software is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

A successful exploit of these issues allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

Version 1.22 is vulnerable to these issues; other versions may also be affected.

82. Apple Mac OS X FPathConf System Call Local Denial of Service Vulnerability
BugTraq ID: 20982
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20982
Summary:
Apple Mac OS X is prone to a local denial-of-service vulnerability because the kernel fails to properly handle the execution of a system call.

Exploiting this issue allows local, unprivileged users to crash affected kernels, denying further service to legitimate users.

83. Netquery NQUser.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 20837
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20837
Summary:
Netquery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

84. Unicore Client Keystore File Insecure File Permissions Vulnerability
BugTraq ID: 20981
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20981
Summary:
Unicore Client is prone to an insecure-file-permissions vulnerability. This issue is due to a design flaw in the affected application.

An attacker could exploit this issue to access sensitive application data; this may lead to other attacks.

Versions prior to 5.6 build 5 are vulnerable to this issue.

85. Trolltech QT Pixmap Images Integer Overflow Vulnerability
BugTraq ID: 20599
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20599
Summary:
Qt is prone to an integer-overflow vulnerability because the library fails to do proper bounds checking on user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.

86. Mozilla Firefox FTP Denial of Service Vulnerability
BugTraq ID: 19678
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19678
Summary:
Mozilla Firefox is prone to a denial-of-service vulnerability when making FTP connections.

An attacker may exploit this vulnerability to cause Mozilla Firefox to crash, resulting in denial-of-service conditions.

Mozilla Firefox 1.5.0.6 and prior versions are prone to this issue.

87. LetterIt Session.PHP Remote File Include Vulnerability
BugTraq ID: 20980
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20980
Summary:
LetterIt is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

88. Mono System.CodeDom.Compiler Class Insecure Temporary File Creation Vulnerability
BugTraq ID: 20340
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20340
Summary:
The Mono 'System.CodeDom.Compiler' class creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.

Successfully exploiting a symlink attack may allow an attacker to overwrite or corrupt sensitive files. This may result in a denial of service; other attacks may also be possible.

Versions 1.0 and 2.0 are vulnerable; other versions may also be affected.

89. Linksys WRT54GS POST Request Configuration Change Authentication Bypass Vulnerability
BugTraq ID: 19347
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/19347
Summary:
Linksys WRT54GS is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication.

The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device.

This issue is reported to affect firmware version 1.00.9; other firmware versions may also be affected.

90. GimeScripts Shopping Catalog Index.PHP Remote File Include Vulnerability
BugTraq ID: 20979
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20979
Summary:
Shopping Catalog is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Shopping Catalog 0.9.1 and prior versions are vulnerable to this issue.

91. Essentia Web Server GET And HEAD Requests Remote Buffer Overflow Vulnerability
BugTraq ID: 20910
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20910
Summary:
Essentia Web Server is prone to a stack-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the webserver. Failed exploit attempts will result in a denial-of-service condition.

This issue affects version 2.15; other versions may also be affected.

This issue may be related to the one described in BID 4159 (Essentia Web Server Long URL Buffer Overflow Vulnerability).

92. GNU Texinfo Insecure Temporary File Creation Vulnerability
BugTraq ID: 14854
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/14854
Summary:
Texinfo creates temporary files in an insecure manner. The issue resides in the 'textindex.c' file.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

93. Campware Campsite Thankyou.PHP Remote File Include Vulnerability
BugTraq ID: 20519
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20519
Summary:
CampSite is prone to a remote file-include vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

CampSite 2.6.1 and prior versions are vulnerable to this issue.

94. GraphicsMagick PALM DCM Buffer Overflow Vulnerabilities
BugTraq ID: 20707
Remote: No
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20707
Summary:
GraphicsMagick is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.

Successful exploits may allow an attacker to execute arbitrary machine code to compromise an affected computer or to cause denial-of-service conditions.

GraphicsMagick 1.1.7 and prior versions are vulnerable.

95. Mozilla Client Products Multiple Remote Vulnerabilities
BugTraq ID: 20957
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20957
Summary:
The Mozilla Foundation has released two security advisories specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- crash the applications and potentially execute arbitrary machine code in the context of the vulnerable applications.
- run arbitrary JavaScript bytecode.

Other attacks may also be possible.

The issues described here will be split into individual BIDs as more information becomes available.

These issues are fixed in:

- Mozilla Firefox version 1.5.0.8
- Mozilla Thunderbird version 1.5.0.8
- Mozilla SeaMonkey version 1.0.6

96. Megamail Product_Review.PHP Multiple SQL Injection Vulnerabilities
BugTraq ID: 21072
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21072
Summary:
Megamail is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

97. Blogme Multiple Input Validation Vulnerabilities
BugTraq ID: 21071
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21071
Summary:
Blogme is prone to multiple input-validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These issues include multiple HTML-injection issues and multiple SQL-injection issues.

Successfully exploiting these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.

Version 3 is vulnerable to this issue; other versions may also be affected.

98. Evolve Merchant Viewcart.ASP SQL Injection Vulnerability
BugTraq ID: 21070
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21070
Summary:
Evolve Merchant is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

99. Inventory Manager Multiple Input Validation Vulnerabilities
BugTraq ID: 21069
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21069
Summary:
Inventory Manager is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, because the application fails to properly sanitize user-supplied input.

Successful exploits of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.

100. Plesk Multiple HTML Injection Vulnerabilities
BugTraq ID: 21067
Remote: Yes
Last Updated: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21067
Summary:
Plesk is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Plesk versions 8.0.1 and prior are vulnerable.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. E-voting worries focus on failures, not fraud
By: Robert Lemos
No obvious election fraud tainted the midterm elections, but e-voting machine critics stress that Election Day failures should raise a red flag.
http://www.securityfocus.com/news/11423

2. Attackers end-run around IE security
By: Robert Lemos
Microsoft shored up the security of its flagship browser with the latest release, but the software still lets through attacks on ActiveX flaws in other components of Windows.
http://www.securityfocus.com/news/11422

3. Quantum attacks worry computer scientists
By: Robert Lemos
Malicious software and viruses could inhabit the weird world of quantum computing, a fact that has convinced some researchers to study how to defend against non-classical attacks.
http://www.securityfocus.com/news/11421

4. Bot nets likely behind jump in spam
By: Robert Lemos
A significant rise in the global volume of spam in the past two months worries security analysts and suggests that bot-net-based bulk e-mail operations are rapidly becoming the norm.
http://www.securityfocus.com/news/11420

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Principal Software Engineer, Arlington
http://www.securityfocus.com/archive/77/451495

2. [SJ-JOB] Senior Software Engineer, Arlington
http://www.securityfocus.com/archive/77/451496

3. [SJ-JOB] Manager, Information Security, New Castle
http://www.securityfocus.com/archive/77/451558

4. [SJ-JOB] Security Engineer, Charlotte
http://www.securityfocus.com/archive/77/451559

5. [SJ-JOB] Security Engineer, San Diego
http://www.securityfocus.com/archive/77/451560

6. [SJ-JOB] Security System Administrator, Arlington
http://www.securityfocus.com/archive/77/451493

7. [SJ-JOB] Security Engineer, WASHINGTON
http://www.securityfocus.com/archive/77/451494

8. [SJ-JOB] Security Engineer, Washington
http://www.securityfocus.com/archive/77/451497

9. [SJ-JOB] Auditor, Melbourne
http://www.securityfocus.com/archive/77/451021

10. [SJ-JOB] Security Engineer, WASHINGTON
http://www.securityfocus.com/archive/77/451032

11. [SJ-JOB] Security Engineer, Fairfax
http://www.securityfocus.com/archive/77/451028

12. [SJ-JOB] Sr. Security Analyst, Baltimore
http://www.securityfocus.com/archive/77/451022

13. [SJ-JOB] Sales Representative, Los Angeles
http://www.securityfocus.com/archive/77/451024

14. [SJ-JOB] Sr. Security Engineer, Anywhere
http://www.securityfocus.com/archive/77/451027

15. [SJ-JOB] Jr. Security Analyst, Corning
http://www.securityfocus.com/archive/77/450937

16. [SJ-JOB] Sr. Security Engineer, Zurich
http://www.securityfocus.com/archive/77/450938

17. [SJ-JOB] Sr. Security Analyst, New York
http://www.securityfocus.com/archive/77/450940

18. [SJ-JOB] Security Architect, Santa Ana
http://www.securityfocus.com/archive/77/450941

19. [SJ-JOB] VP of Regional Sales, Seattle
http://www.securityfocus.com/archive/77/450945

20. [SJ-JOB] Security Engineer, Metro DC/VA/MD
http://www.securityfocus.com/archive/77/450909

21. [SJ-JOB] Account Manager, Watford
http://www.securityfocus.com/archive/77/450906

22. [SJ-JOB] VP / Dir / Mgr engineering, Boston
http://www.securityfocus.com/archive/77/450907

23. [SJ-JOB] Technical Support Engineer, London
http://www.securityfocus.com/archive/77/450908

24. [SJ-JOB] Penetration Engineer, London and South
http://www.securityfocus.com/archive/77/450910

V. INCIDENTS LIST SUMMARY
---------------------------
1. \x HTTP requests
http://www.securityfocus.com/archive/75/451031

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. outlook sending email messages to mapped drives randomly
http://www.securityfocus.com/archive/88/451487

2. DNS recursive
http://www.securityfocus.com/archive/88/451486

3. SecurityFocus Microsoft Newsletter #316
http://www.securityfocus.com/archive/88/450867

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: eEye
