Friday, January 05, 2007

SecurityFocus Newsletter #382
----------------------------------------

This Issue is Sponsored by: Watchfire

Privilege Escalation vulnerabilities in web applications have existed since the earliest days of web applications, yet since testing for them is such a complicated and tedious manual task, they are often overlooked in web application assessments. This paper will examine Privilege Escalation issues in web applications, including highlighting horizontal and vertical examples, and how to automate the challenging process of testing for them. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fGg

------------------------------------------------------------------
I. FRONT AND CENTER
1. Wireless Forensics: Part One - Tapping the Air
II. BUGTRAQ SUMMARY
1. Linux Kernel Unspecified Remote Vulnerability
2. Yahoo! Messenger YMailAttach ActiveX Control Remote Buffer Overflow Vulnerability
3. OpenMPT Multiple Remote Code Execution Vulnerabilities
4. Linux Kernel PPP Driver Unspecified Remote Denial Of Service Vulnerability
5. FishyShoop Administrative Bypass Vulnerability
6. Pike Unspecified SQL Injection Vulnerability
7. Linux Kernel User Triggerable BUG() Unspecified Local Denial of Service Vulnerability
8. Linux Kernel MinCore User Space Access Locking Local Denial of Service Vulnerability
9. Okul Merkezi Portal Page Variable Remote File Include Vulnerability
10. Novell Netmail IMAP APPEND Denial of Service Vulnerability
11. Flex Code Generation Buffer Overflow Vulnerability
12. Novell Netmail IMAP SUBSCRIBE Buffer Overflow Vulnerability
13. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
14. Linux Kernel Symmetrical Multiprocessing Page Fault Local Privilege Escalation Vulnerability
15. Linux Kernel Multiple Local MOXA Serial Driver Buffer Overflow Vulnerabilities
16. Linux kernel Uselib() Local Privilege Escalation Vulnerability
17. Linux Kernel USB io_edgeport Driver Local Integer Overflow Vulnerability
18. Linux Kernel ELF Binary Loading Denial Of Service Vulnerability
19. Future Internet Multiple Input Validation Vulnerabilities
20. Linux Kernel Multiple Local Vulnerabilities
21. PHP 5 User-Supplied Session ID Input Validation Vulnerability
22. Efkan Forum Grup Variable SQL Injection Vulnerability
23. KOffice PPT Files Integer Overflow Vulnerability
24. Linux Kernel SCM_SEND Local Denial of Service Vulnerability
25. PHP Error Message Cross-Site Scripting Vulnerability
26. Linux Kernel Local Denial Of Service And Memory Disclosure Vulnerabilities
27. ELOG Nonexistent File Download Cross-Site Scripting Vulnerability
28. SH-News Misc.PHP Remote File Include Vulnerability
29. ELOG Web Logbook ELogD Server Denial Of Service Vulnerability
30. ELOG Multiple Cross-Site Scripting Vulnerabilities
31. Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability
32. ELOG EL_Submit Function Remote Format String Vulnerability
33. Computer Associates BrightStor ARCserve Backup Tape Engine Remote Buffer Overflow Vulnerability
34. PNAmazu Unspecified Cross-Site Scripting Vulnerability
35. The Classified Ad System Default.ASP SQL Injection Vulnerability
36. Dovecot IMAP Server Mapped Pages Off-By-One Buffer Overflow Vulnerability
37. Linux Kernel Get_FDB_Entries Buffer Overflow Vulnerability
38. Ciberia Content Federator Maquetacion_Socio.PHP Remote File Include Vulnerability
39. D-Bus Signals.C Local Denial of Service Vulnerability
40. NetPBM PSToPNM Arbitrary Code Execution Vulnerability
41. CMS Made Simple Comment Form HTML Injection Vulnerability
42. Linux Kernel IPv6 FlowLabel Denial Of Service Vulnerability
43. Mxmania File Upload Manager Detail.ASP SQL Injection Vulnerability
44. Linux Kernel PTrace CLONE_THREAD Local Denial of Service Vulnerability
45. PHP Multiple Input Validation Vulnerabilities
46. Shadowed Portal Include.PHP Remote File Include Vulnerability
47. PHP SSCANF() Safe_Mode Restriction-Bypass Vulnerability
48. Linux IBM S/390 Kernel SACF Instruction Local Privilege Escalation Vulnerability
49. Enthrallweb ePages Actualpic.ASP SQL Injection Vulnerability
50. Linux Kernel ICMP_Push_Reply Remote Denial Of Service Vulnerability
51. PHP ZendEngine ECalloc Integer Overflow Vulnerability
52. RETIRED: VBulletin SWF Script Injection Vulnerability
53. Linux Kernel Time_Out_Leases PrintK Local Denial of Service Vulnerability
54. Cafelog B2 Blog B2Verifauth.PHP Remote File Include Vulnerability
55. Linux Kernel Multiple Security Vulnerabilities
56. Trolltech QT Pixmap Images Integer Overflow Vulnerability
57. Linux Kernel Bluetooth CAPI Packet Remote Buffer Overflow Vulnerability
58. Linux Kernel ISO9660 Denial of Service Vulnerability
59. Linux Kernel IPV6 Seqfile Handling Local Denial of Service Vulnerability
60. Linux Kernel IPV6 Local Denial of Service Vulnerability
61. Enthrallweb eCars Types.ASP SQL Injection Vulnerability
62. Dragon Business Directory Bus_Details.ASP SQL Injection Vulnerability
63. Linux Kernel Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities
64. Newsletter MX admin_mail_adressee.ASP SQL Injection Vulnerability
65. Linux Kernel SDLA_XFER Kernel Memory Disclosure Vulnerability
66. Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities
67. FFmpeg LibAVCodec Heap Buffer Overflow Vulnerability
68. MyPHPNuke My_EGallery Module DisplayCategory.PHP Remote File Include Vulnerability
69. KDE KJS Encodeuri / Decodeuri Remote Heap Overflow Vulnerability
70. Logahead UNU Edition _Widged.PHP Arbitrary File Upload Vulnerability
71. IBM Lotus Notes Multiple Java Applet Vulnerabilities
72. Enthrallweb ePhotos SubLevel2.ASP SQL Injection Vulnerability
73. Drake CMS XHTML.PHP Remote File Include Vulnerability
74. Jinzora Include_Path Multiple Remote File Include Vulnerabilities
75. Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability
76. Clam Anti-Virus CHM Unpacker Denial Of Service Vulnerability
77. Apache Struts Error Response Cross-Site Scripting Vulnerability
78. HLStats HLStats.PHP Multiple Input Validation Vulnerabilities
79. Serendipity Lang.Inc.PHP Local File Include Vulnerability
80. Mambo Flyspray Startdown.PHP Information Disclosure Vulnerability
81. Adobe Flash Player Plugin HTTP Header Injection Weakness
82. EnthrallWeb Multiple Products Myprofile.ASP Arbitrary User Password Change Vulnerability
83. PHPBBXtra Archive_Topic.PHP Remote File Include Vulnerability
84. GNU Tar GNUTYPE_NAMES Remote Directory Traversal Vulnerability
85. OpenLDAP Server Bind Request Denial Of Service Vulnerability
86. OpenSER Parse_Expression Remote Buffer Overflow Vulnerability
87. Clam AntiVirus ClamAV Multiple Vulnerabilities
88. Symantec Antivirus Remote Stack Buffer Overflow Vulnerability
89. PHP Live! Multiple Cross-Site Scripting Vulnerabilities
90. SquirrelMail Multiple Cross Site Scripting and Input Validation Vulnerabilities
91. XPDF Multiple Unspecified Vulnerabilities
92. RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
93. Netbula Anyboard User Login SQL Injection Vulnerability
94. TimberWolf ShowNews.PHP Cross-Site Scripting Vulnerability
95. GnuPG Incorrect Non-Detached Signature Verification Vulnerability
96. Linux Kernel ATM SkBuff Dereference Remote Denial of Service Vulnerability
97. Chatwm SelGruFra.ASP SQL Injection Vulnerabilities
98. PAFileDB Pafiledb_Constants.PHP Remote File Include Vulnerability
99. Linux Kernel Coda_Pioctl Local Buffer Overflow Vulnerability
100. Linux Kernel Unw_Unwind_To_User Local Denial of Service Vulnerability
III. SECURITYFOCUS NEWS
1. Bots, breaches and bugs plague 2006
2. Stock scammer gets coal for the holidays
3. PHP security under scrutiny
4. UCLA alerts 800,000 to data breach
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Security Consultant, San Francisco
2. [SJ-JOB] Director, Information Security, White Plains
3. [SJ-JOB] Software Engineer, Columbia
4. [SJ-JOB] Information Assurance Analyst, London
5. [SJ-JOB] Security System Administrator, Iowa City
6. [SJ-JOB] Sr. Security Analyst, Seattle
7. [SJ-JOB] Sr. Security Analyst, San Francisco
8. [SJ-JOB] Security Consultant, Seattle
9. [SJ-JOB] Sr. Security Analyst, Bangalore
10. [SJ-JOB] Developer, Fairfax
11. [SJ-JOB] Sr. Security Analyst, Charlotte
12. [SJ-JOB] Security Engineer, Burlington
13. [SJ-JOB] Application Security Engineer, Dulles
14. [SJ-JOB] Auditor, Milwaukee
15. [SJ-JOB] Sales Representative, Tampa
16. [SJ-JOB] Auditor, Poughkeepsie
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
1. SEH overwrite technique
2. [NGSEC] ngGame #3 - BrainStorming
3. Debugger
VII. MICROSOFT FOCUS LIST SUMMARY
1. Secure Remote access - windows 2003
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Wireless Forensics: Part One - Tapping the Air
By Raul Siles, GSE
This two-part series looks at the issues associated with collecting and analyzing network traffic from wireless networks in an accurate and comprehensive way, a discipline known as wireless forensics. Part one of this article focuses on the technical details and challenges of traffic acquisition, and provides design requirements and best practices for wireless forensics tools.

http://www.securityfocus.com/infocus/1884


II. BUGTRAQ SUMMARY
--------------------
1. Linux Kernel Unspecified Remote Vulnerability
BugTraq ID: 21835
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/21835
Summary:
The Linux kernel is prone to an unspecified vulnerability.

Versions prior to 2.4.34 are vulnerable to this issue.

2. Yahoo! Messenger YMailAttach ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 21607
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21607
Summary:
The YMailAttach ActiveX control shipped with Yahoo! Messenger is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.

Yahoo! Messenger versions released prior to November 2, 2006 are vulnerable to this issue.

3. OpenMPT Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 19448
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/19448
Summary:
OpenMPT is prone to multiple remote code-execution vulnerabilities because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

These issues allow remote attackers to execute arbitrary machine code in the context of affected servers. This facilitates the remote compromise of affected computers.

These versions are affected:

- 1.17.02.43 and earlier
- SVN versions 157 and earlier.

4. Linux Kernel PPP Driver Unspecified Remote Denial Of Service Vulnerability
BugTraq ID: 12810
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12810
Summary:
The Linux Kernel PPP (Point-to-Point Protocol) driver is reported prone to an unspecified remote denial-of-service vulnerability.

A successful attack can cause a denial-of-service condition in the server and can prevent access to legitimate users.

Linux Kernel 2.6.8 was reported vulnerable. Subsequent versions may be affected as well.

Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available.

5. FishyShoop Administrative Bypass Vulnerability
BugTraq ID: 21731
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21731
Summary:
FishyShoop is prone to a vulnerability that may let remote attackers gain administrative access to the program.

The application fails to perform sufficient checks on user-supplied POST data, allowing an attacker to elevate their access level within the application. A successful attack will compromise the web application.

This issue was reported to affect 0.930 beta; other versions may also be affected.

6. Pike Unspecified SQL Injection Vulnerability
BugTraq ID: 19367
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/19367
Summary:
Pike is prone to an unspecified SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful attack could allow an attacker to compromise the application, access or modify data, gain administrative access to the application, or exploit vulnerabilities in the underlying database implementation.

Versions prior to 7.6.86 are vulnerable to this issue.

7. Linux Kernel User Triggerable BUG() Unspecified Local Denial of Service Vulnerability
BugTraq ID: 12261
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12261
Summary:
Linux Kernel is reported prone to a local denial-of-service vulnerability.

Reportedly, this issue presents itself when a user creates a large Virtual Memory Area (VMA) that overlaps with arg pages during the exec() system call.

Successful exploitation will lead to a denial-of-service condition in a vulnerable computer.

No further details are available at this time. This issue will be updated as more information becomes available.

8. Linux Kernel MinCore User Space Access Locking Local Denial of Service Vulnerability
BugTraq ID: 21663
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21663
Summary:
The Linux Kernel is prone to a denial-of-service vulnerability due to a design error.

A local attacker can exploit this issue to cause the kernel to become unresponsive, denying further service to legitimate users.

Linux Kernel versions prior to 2.4.33.6 are vulnerable.

9. Okul Merkezi Portal Page Variable Remote File Include Vulnerability
BugTraq ID: 21730
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21730
Summary:
Okul Merkezi Portal is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

10. Novell Netmail IMAP APPEND Denial of Service Vulnerability
BugTraq ID: 21729
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21729
Summary:
Novell Netmail is prone to a remotely exploitable denial-of-service vulnerability. A malformed IMAP APPEND argument can trigger this issue.

A successful exploit could let an authenticated remote attacker crash the affected server.

11. Flex Code Generation Buffer Overflow Vulnerability
BugTraq ID: 16896
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16896
Summary:
Flex is prone to a buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in finite-sized memory buffers.

An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. This may facilitate a compromise of the underlying computer.

Flex versions 2.5.31 and prior are vulnerable.

12. Novell Netmail IMAP SUBSCRIBE Buffer Overflow Vulnerability
BugTraq ID: 21728
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21728
Summary:
Novell Netmail is prone to a remotely exploitable buffer-overflow vulnerability because it fails to do proper bounds checking on arguments for IMAP SUBSCRIBE commands.

A successful exploit could let an authenticated remote attacker execute arbitrary code in the context of the affected program.

13. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
BugTraq ID: 20246
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20246
Summary:
OpenSSL is prone to a denial-of-service vulnerability.

A malicious server could cause a vulnerable client application to crash, effectively denying service.

14. Linux Kernel Symmetrical Multiprocessing Page Fault Local Privilege Escalation Vulnerability
BugTraq ID: 12244
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12244
Summary:
A local privilege-escalation vulnerability affects the page-fault handler of the Linux Kernel on symmetric multiprocessor (SMP) computers. This issue is due to a race-condition error that may allow an attacker to gain superuser privileges.

A malicious local attacker may exploit this issue to gain superuser privileges on an affected computer.

15. Linux Kernel Multiple Local MOXA Serial Driver Buffer Overflow Vulnerabilities
BugTraq ID: 12195
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12195
Summary:
The MOXA serial driver in the Linux kernel is reported prone to multiple buffer-overflow vulnerabilities. The driver fails to perform proper bounds checks before copying user-supplied data to fixed-size memory buffers.

These vulnerabilities reside in the 'drivers/char/moxa.c' file.

The vulnerable functions perform a 'copy_from_user()' call to copy user-supplied, user-space data to a fixed-size, static kernel memory buffer (moxaBuff) of 10240 bytes in length while using the user-supplied length argument as passed from 'MoxaDriverIoctl()'. This reportedly results in improperly bounded operations, potentially causing locally exploitable buffer overflows.

Linux kernels from 2.2 through 2.4 and 2.6 are all reported prone to these vulnerabilities.

16. Linux kernel Uselib() Local Privilege Escalation Vulnerability
BugTraq ID: 12190
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12190
Summary:
The Linux kernel is reported prone to a local privilege-escalation vulnerability. This issue arises in the 'uselib()' function of the Linux binary-format loader as a result of a race condition. Successful exploitation of this vulnerability can allow a local attacker to gain elevated privileges on a vulnerable computer.

The ELF and a.out loaders are reportedly affected by this vulnerability.

17. Linux Kernel USB io_edgeport Driver Local Integer Overflow Vulnerability
BugTraq ID: 12102
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12102
Summary:
A local integer-overflow vulnerability affects the Linux kernel's 'io_edgeport' USB driver. This issue is due to the driver's failure to validate integer bounds.

An attacker may leverage this issue to execute arbitrary instructions or cause the affected kernel to crash.

18. Linux Kernel ELF Binary Loading Denial Of Service Vulnerability
BugTraq ID: 12101
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12101
Summary:
The Linux kernel is affected by a denial-of-service vulnerability that occurs when malformed ELF binaries are loaded.

An attacker may leverage this issue to cause the affected kernel to crash, denying service to legitimate users.

19. Future Internet Multiple Input Validation Vulnerabilities
BugTraq ID: 21727
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21727
Summary:
Future Internet is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, because it fails to sufficiently sanitize user-supplied input.

An attacker could exploit these issues to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

20. Linux Kernel Multiple Local Vulnerabilities
BugTraq ID: 11956
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/11956
Summary:
The Linux kernel is reported prone to multiple local vulnerabilities. The following individual issues are reported:

- An integer overflow is reported to exist in 'ip_options_get()' of the 'ip_options.c' kernel source file. This vulnerability is reported to exist only in the 2.6 kernel tree. Although unconfirmed, due to its nature this issue presumably may be further leveraged to execute arbitrary code with ring-0 privileges.

A local attacker may exploit this vulnerability to deny service to legitimate users. Other attacks are also likely possible.

- A second integer-overflow vulnerability is reported to exist in the 'vc_resize()' function of the Linux kernel. This vulnerability is reported to exist in the 2.6 and 2.4 kernel trees. Although unconfirmed, due to its nature this issue presumably may be further leveraged to execute arbitrary code with ring-0 privileges.

A local attacker may exploit this vulnerability to deny service to legitimate users. Other attacks are also likely possible.

- A memory leak is reported to exist in 'ip_options_get()' of the 'ip_options.c' kernel source file. This vulnerability is reported to exist in both the 2.6 and 2.4 kernel trees.

A local attacker may exploit this vulnerability to consume kernel heap memory resources and in doing so may impact system performance, ultimately resulting in a denial of service to legitimate users.

21. PHP 5 User-Supplied Session ID Input Validation Vulnerability
BugTraq ID: 16220
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16220
Summary:
PHP 5 is prone to an input-validation vulnerability. This is due to a lack of proper sanitization of user-supplied input of PHP session IDs, transmitted by way of HTTP headers.

An attacker may use this vulnerability to perform HTTP response splitting, often resulting in content spoofing and cross-site scripting attacks.

PHP 5 version 5.1.1 and prior are affected.

22. Efkan Forum Grup Variable SQL Injection Vulnerability
BugTraq ID: 21726
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21726
Summary:
Efkan Forum is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

23. KOffice PPT Files Integer Overflow Vulnerability
BugTraq ID: 21354
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21354
Summary:
KOffice is prone to an integer-overflow vulnerability because it fails to properly validate user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

KOffice versions prior to 1.6.1 are affected.

24. Linux Kernel SCM_SEND Local Denial of Service Vulnerability
BugTraq ID: 11921
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/11921
Summary:
The Linux kernel is reported prone to a local denial-of-service vulnerability. This issue presents itself in the SCM logical sub-layer of the socket API.

An unprivileged application can craft a malformed auxiliary message and send it to a socket, which results in the kernel invoking '__scm_send()' in a manner that leads to a crash. This issue can allow local attackers to cause a denial-of-service condition on a vulnerable computer. It is not confirmed if this vulnerability can be leveraged to gain elevated privileges.

25. PHP Error Message Cross-Site Scripting Vulnerability
BugTraq ID: 16803
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16803
Summary:
PHP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Exploitation of this issue requires PHP to be configured with 'display_errors' and 'html_errors' enabled in the local site configuration.

26. Linux Kernel Local Denial Of Service And Memory Disclosure Vulnerabilities
BugTraq ID: 11754
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/11754
Summary:
The Linux kernel is reported prone to multiple local vulnerabilities:

- A handcrafted 'a.out' file may be used to trigger a local denial-of-service condition. A local attacker may exploit this vulnerability to trigger a system-wide denial of service, potentially resulting in a kernel panic.

- A memory-disclosure vulnerability reportedly affects only SMP computers with more than 4GB of memory. A local attacker may exploit this vulnerability to access random pages of physical memory.

27. ELOG Nonexistent File Download Cross-Site Scripting Vulnerability
BugTraq ID: 20881
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20881
Summary:
ELOG is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

ELOG version 2.6.2 is vulnerable; other versions may also be affected.

28. SH-News Misc.PHP Remote File Include Vulnerability
BugTraq ID: 21761
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21761
Summary:
SH-News is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.

Version 0.93 is vulnerable to this issue; other versions may also be affected.

29. ELOG Web Logbook ELogD Server Denial Of Service Vulnerability
BugTraq ID: 21028
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21028
Summary:
ELOG Web Logbook is prone to a remote denial-of-service vulnerability because the application fails to properly handle specific HTTP requests that contain invalid information.

Successful exploits may allow remote attackers to cause denial-of-service conditions on computers running the affected application.

30. ELOG Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 20882
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20882
Summary:
ELOG is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

ELOG version 2.6.2 is vulnerable; other versions may also be affected.

31. Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability
BugTraq ID: 21760
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21760
Summary:
Ultimate PHP Board is prone to an arbitrary remote code-execution vulnerability because the application fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary PHP code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

Ultimate PHP Board 2.01b and prior versions are vulnerable.

32. ELOG EL_Submit Function Remote Format String Vulnerability
BugTraq ID: 20876
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20876
Summary:
ELOG is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of users running the affected application. This facilitates the remote compromise of affected computers.

ELOG version 2.0.2 is vulnerable to this issue.

33. Computer Associates BrightStor ARCserve Backup Tape Engine Remote Buffer Overflow Vulnerability
BugTraq ID: 21221
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21221
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote buffer-overflow vulnerability because the application fails to perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause denial-of-service conditions.

BrightStor ARCserve Backup 11.5 is vulnerable to this issue; other versions may also be affected.

34. PNAmazu Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 21759
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21759
Summary:
The 'pnamazu' application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to 2006.12.23 are vulnerable.

35. The Classified Ad System Default.ASP SQL Injection Vulnerability
BugTraq ID: 21758
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21758
Summary:
The Classified Ad System is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Version 1.0 is vulnerable; other versions may also be affected.

36. Dovecot IMAP Server Mapped Pages Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 21183
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21183
Summary:
Dovecot is prone to an off-by-one buffer-overflow condition due to an error that results in insufficient memory allocation.

An attacker may exploit this issue to trigger denial-of-service conditions. Presumably, arbitrary code execution may be possible as well.

Versions 1.0test53 to 1.0.rc14 are vulnerable.

37. Linux Kernel Get_FDB_Entries Buffer Overflow Vulnerability
BugTraq ID: 21353
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21353
Summary:
The Linux kernel is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Attackers may potentially exploit this issue to execute arbitrary code within the context of the affected kernel, but this has not been confirmed. Successfully exploiting this issue would cause the complete compromise of the affected computer.

Little information is currently known about this vulnerability. Since the affected function is in the network-bridging code, remote attacks may be possible.

38. Ciberia Content Federator Maquetacion_Socio.PHP Remote File Include Vulnerability
BugTraq ID: 21757
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21757
Summary:
Ciberia Content Federator is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.

Version 1.0 is vulnerable to this issue.

39. D-Bus Signals.C Local Denial of Service Vulnerability
BugTraq ID: 21571
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21571
Summary:
D-Bus is prone to a local denial-of-service vulnerability.

Exploiting this issue allows local attackers to disable the ability of a specific process to receive certain messages, effectively denying service to legitimate users.

D-Bus versions prior to 1.0.2 are vulnerable to this issue.

40. NetPBM PSToPNM Arbitrary Code Execution Vulnerability
BugTraq ID: 14379
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/14379
Summary:
The 'pstopnm' command is susceptible to an arbitrary command-execution vulnerability. This issue is due to the program's failure to ensure that GhostScript is executed in a secure manner.

This issue allows attackers to create malicious PostScript files that allow arbitrary commands to be executed when the affected utility parses the files. This occurs in the context of the user running the affected utility.

This vulnerability was reported in version 10.0 of netpbm. Other versions may also be affected.

41. CMS Made Simple Comment Form HTML Injection Vulnerability
BugTraq ID: 21756
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21756
Summary:
CMS Made Simple is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Version 1.0.2 is vulnerable to this issue; other versions may also be affected.

42. Linux Kernel IPv6 FlowLable Denial Of Service Vulnerability
BugTraq ID: 15729
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15729
Summary:
Linux Kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this vulnerability to corrupt kernel memory or free non-allocated memory. Successful exploitation will crash the kernel, effectively denying service to legitimate users.

43. Mxmania File Upload Manager Detail.ASP SQL Injection Vulnerability
BugTraq ID: 21754
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21754
Summary:
Mxmania File Upload Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Versions prior to 1.0.6 are vulnerable.

44. Linux Kernel PTrace CLONE_THREAD Local Denial of Service Vulnerability
BugTraq ID: 15642
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15642
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.

In instances where a process is created via the 'clone()' system call with the 'CLONE_THREAD' argument ptraced, the kernel fails to properly ensure that the ptracing process is not attempting to trace itself.

This issue allows local users to crash the kernel, denying service to legitimate users.

Kernel versions prior to 2.6.14.2 are vulnerable to this issue.

45. PHP Multiple Input Validation Vulnerabilities
BugTraq ID: 19582
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/19582
Summary:
PHP is prone to multiple input-validation vulnerabilities. Successful exploits could allow an attacker to write files in unauthorized locations, cause a denial-of-service condition, and potentially execute code.

These issues are reported to affect PHP versions 4.4.3 and 5.1.4; other versions may also be vulnerable.

46. Shadowed Portal Include.PHP Remote File Include Vulnerability
BugTraq ID: 21753
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21753
Summary:
Shadowed Portal is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.

Version 5.7 is vulnerable to this issue; other versions may also be affected.

47. PHP SSCANF() Safe_Mode Restriction-Bypass Vulnerability
BugTraq ID: 19415
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/19415
Summary:
PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations and potentially execute code.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, all assuming that the 'safe_mode' restriction will isolate the users from each other.

This issue is reported to affect PHP versions 4.4.3 and 5.1.4; other versions may also be vulnerable.

48. Linux IBM S/390 Kernel SACF Instruction Local Privilege Escalation Vulnerability
BugTraq ID: 11489
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/11489
Summary:
The Linux Kernel on IBM S/390 platforms is prone to a local privilege-escalation vulnerability. The security vulnerability occurs in the handling of the SACF (Set Address Space Control Fast) instruction.

A local attacker may exploit this vulnerability to escalate privileges.

49. Enthrallweb ePages Actualpic.ASP SQL Injection Vulnerability
BugTraq ID: 21750
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21750
Summary:
Enthrallweb ePages is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

50. Linux Kernel ICMP_Push_Reply Remote Denial Of Service Vulnerability
BugTraq ID: 16044
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16044
Summary:
Linux kernel is prone to a remote denial-of-service vulnerability.

Remote attackers can exploit this to leak kernel memory. Successful exploitation will result in a crash of the kernel, effectively denying service to legitimate users.

Linux kernel versions 2.6.12.5 and prior in the 2.6 series are vulnerable to this issue.

51. PHP ZendEngine ECalloc Integer Overflow Vulnerability
BugTraq ID: 20349
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20349
Summary:
PHP is prone to an integer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.

52. RETIRED: VBulletin SWF Script Injection Vulnerability
BugTraq ID: 21736
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21736
Summary:
vBulletin is prone to a vulnerability that may let remote attackers inject arbitrary script code into the application.

If exploited, this vulnerability may let attackers steal cookie-based authentication credentials. Other attacks are also possible.

Update: it should be noted that the ability to upload SWF files is disabled by default, and must be enabled by site administrators to expose this issue.

This BID is being retired because further information shows that the application is not vulnerable to this issue.

53. Linux Kernel Time_Out_Leases PrintK Local Denial of Service Vulnerability
BugTraq ID: 15627
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15627
Summary:
Linux kernel is susceptible to a local denial-of-service vulnerability.

Local attackers may trigger this issue by obtaining numerous file-lock leases, which will consume excessive kernel log memory. Once the leases time out, the event will be logged, and kernel memory will be consumed.

This issue allows local attackers to consume excessive kernel memory, eventually leading to an out-of-memory condition and a denial of service for legitimate users.

Kernel versions prior to 2.6.15-rc3 are vulnerable to this issue.

54. Cafelog B2 Blog B2Verifauth.PHP Remote File Include Vulnerability
BugTraq ID: 21749
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21749
Summary:
The 'b2 blog' program is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.

Versions 0.5 and prior are vulnerable to this issue.

55. Linux Kernel Multiple Security Vulnerabilities
BugTraq ID: 15049
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15049
Summary:
Linux kernel is prone to multiple vulnerabilities. These issues may allow local and remote attackers to trigger denial-of-service conditions or to access sensitive kernel memory.

Linux kernel 2.6.x versions are known to be vulnerable at the moment. Other versions may be affected as well.

56. Trolltech QT Pixmap Images Integer Overflow Vulnerability
BugTraq ID: 20599
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20599
Summary:
Qt is prone to an integer-overflow vulnerability because the library fails to do proper bounds checking on user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.

57. Linux Kernel Bluetooth CAPI Packet Remote Buffer Overflow Vulnerability
BugTraq ID: 21604
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21604
Summary:
The Linux kernel is prone to a remote buffer-overflow vulnerability because the kernel fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker may exploit this issue to execute arbitrary code with kernel-level privileges, facilitating the complete compromise of affected computers. Failed exploit attempts will result in denial-of-service conditions.

Versions prior to 2.4.33.5 are vulnerable to this issue.

58. Linux Kernel ISO9660 Denial of Service Vulnerability
BugTraq ID: 20920
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20920
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability. This issue affects the ISO9660 filesystem handling code.

An attacker can exploit this issue to crash the affected computer, denying service to legitimate users.

59. Linux Kernel IPV6 Seqfile Handling Local Denial of Service Vulnerability
BugTraq ID: 20847
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20847
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability. This issue is due to a design error in the way seqfiles are handled in the kernel.

This vulnerability allows local users to cause an infinite loop, resulting in a crash and denying further service to legitimate users.

This issue affects the Linux kernel 2.6 series up to 2.6.18-stable.

60. Linux Kernel IPV6 Local Denial of Service Vulnerability
BugTraq ID: 15156
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15156
Summary:
Linux Kernel is reported prone to a local denial-of-service vulnerability.

This issue arises from an infinite loop when binding IPv6 UDP ports.

61. Enthrallweb eCars Types.ASP SQL Injection Vulnerability
BugTraq ID: 21748
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21748
Summary:
Enthrallweb eCars is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

62. Dragon Business Directory Bus_Details.ASP SQL Injection Vulnerability
BugTraq ID: 21747
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21747
Summary:
Dragon Business Directory is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Dragon Business Directory 3.01.12 and prior versions are vulnerable to this issue.

63. Linux Kernel Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities
BugTraq ID: 12837
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/12837
Summary:
The Linux kernel is reported prone to multiple vulnerabilities that occur because of "range-checking flaws" present in the ISO9660 handling routines.

An attacker may exploit these issues to trigger kernel-based memory corruption. Ultimately, the attacker may be able to execute arbitrary malicious code with ring-zero privileges.

These vulnerabilities are reported to be present in the ISO9660 filesystem handler, including the Rock Ridge and Joliet extensions, for the Linux kernel up to and including version 2.6.11.

64. Newsletter MX admin_mail_adressee.ASP SQL Injection Vulnerability
BugTraq ID: 21746
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21746
Summary:
Newsletter MX is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

65. Linux Kernel SDLA_XFER Kernel Memory Disclosure Vulnerability
BugTraq ID: 16759
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16759
Summary:
The Linux kernel is affected by a local memory-disclosure vulnerability.

This issue allows an attacker to read kernel memory. Information gathered via exploitation may aid malicious users in further attacks.

This issue affects kernel versions 2.4.x up to 2.4.29-rc1, and 2.6.x up to 2.6.5.

66. Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities
BugTraq ID: 21668
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21668
Summary:
The Mozilla Foundation has released nine security advisories specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- execute arbitrary code
- perform cross-site scripting attacks
- inject arbitrary content
- gain escalated privileges
- crash affected applications and potentially execute arbitrary code.

Other attacks may also be possible.

67. FFmpeg LibAVCodec Heap Buffer Overflow Vulnerability
BugTraq ID: 15743
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15743
Summary:
FFmpeg's 'libavcodec' is prone to a heap buffer-overflow vulnerability. This issue is due to the library's failure to properly bounds-check user-supplied data before using it in memory allocation and copy operations.

Attackers may exploit this vulnerability to execute arbitrary code in the context of applications that use an affected version of the libavcodec library.

An attacker can exploit this issue by enticing a user to open a malformed PNG file with an application that uses a vulnerable version of libavcodec. If the application is configured as the default handler for PNG files, this could present a viable web or email attack vector -- when the PNG is clicked from an appropriate client application, the application using the vulnerable library will automatically be invoked.

68. MyPHPNuke My_EGallery Module DisplayCategory.PHP Remote File Include Vulnerability
BugTraq ID: 21744
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21744
Summary:
The myPHPNuke My_eGallery module is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.

Version 2.5.6 is vulnerable to this issue; other versions may also be affected.

69. KDE KJS Encodeuri / Decodeuri Remote Heap Overflow Vulnerability
BugTraq ID: 16325
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16325
Summary:
KDE KJS is prone to a remote heap-overflow vulnerability.

Specifically, the issue presents itself when the application decodes specially crafted UTF-8 encoded URI sequences.

A successful attack can result in a remote compromise in the context of the user running the vulnerable application.

KDE versions 3.2.0, up to and including KDE 3.5.0, are vulnerable to this issue.

70. Logahead UNU Edition _Widged.PHP Arbitrary File Upload Vulnerability
BugTraq ID: 21743
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21743
Summary:
logahead UNU edition is prone to an arbitrary file-upload vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process. This may help the attacker compromise the application; other attacks are possible.

Version 1.0 is vulnerable to this issue; other versions may also be affected.

71. IBM Lotus Notes Multiple Java Applet Vulnerabilities
BugTraq ID: 10704
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/10704
Summary:
IBM Lotus Notes is affected by three vulnerabilities concerning Java applets.

An attacker can exploit these issues to disclose potentially sensitive information, cause a web browser to open an arbitrary web page, and cause a stack-based buffer overflow that may be exploited to execute arbitrary code.

IBM has confirmed these vulnerabilities and has stated that they are currently under investigation. IBM problem reports for these vulnerabilities are KSPR5YS6GR, KSPR62F4D3, and KSPR62F4KN.

72. Enthrallweb ePhotos SubLevel2.ASP SQL Injection Vulnerability
BugTraq ID: 21742
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21742
Summary:
Enthrallweb ePhotos is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

73. Drake CMS XHTML.PHP Remote File Include Vulnerability
BugTraq ID: 20914
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20914
Summary:
Drake CMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Drake CMS v0.2.2 alpha rev.846 and prior versions are vulnerable to this issue.

74. Jinzora Include_Path Multiple Remote File Include Vulnerabilities
BugTraq ID: 21741
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21741
Summary:
Multiple remote file-include vulnerabilities affect Jinzora because the application fails to properly sanitize user-supplied input before using it in a PHP 'include()' function call.

An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process.

Jinzora 2.7 and prior versions are vulnerable to this issue; other versions may also be affected.

75. Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability
BugTraq ID: 21637
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21637
Summary:
Knusperleicht Shoutbox is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Version 2.6 is vulnerable; other versions may also be affected.

76. Clam Anti-Virus CHM Unpacker Denial Of Service Vulnerability
BugTraq ID: 20537
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20537
Summary:
ClamAV is prone to a denial-of-service vulnerability because of an unspecified failure in the CHM unpacker.

Exploitation could cause the application to crash, resulting in a denial of service.

77. Apache Struts Error Response Cross-Site Scripting Vulnerability
BugTraq ID: 15512
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/15512
Summary:
Struts is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

78. HLStats HLStats.PHP Multiple Input Validation Vulnerabilities
BugTraq ID: 21740
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21740
Summary:
HLstats is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation.

HLstats versions 1.20 to 1.34 are vulnerable.

79. Serendipity Lang.Inc.PHP Local File Include Vulnerability
BugTraq ID: 21367
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21367
Summary:
Serendipity is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker may inject malicious code into webserver log files and execute it in the context of the user running the webserver process.

Serendipity 1.0.3 and prior versions are vulnerable to this issue; other versions may also be affected.

80. Mambo Flyspray Startdown.PHP Information Disclosure Vulnerability
BugTraq ID: 21315
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21315
Summary:
Mambo Flyspray is prone to an information-disclosure vulnerability because it fails to properly sanitize user-supplied parameters.

An attacker can exploit this issue to retrieve arbitrary files with the privileges of the vulnerable application. Information harvested during successful exploits will aid in further attacks.

Mambo Flyspray 1.0.1 and prior versions are vulnerable to this issue.

81. Adobe Flash Player Plugin HTTP Header Injection Weakness
BugTraq ID: 20592
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20592
Summary:
Adobe Flash Player Plugin is prone to a weakness that permits the injection of arbitrary HTTP headers because it fails to sanitize user-supplied input.

A successful attack may allow attackers to perform arbitrary HTTP requests facilitating cross-site request forgery, cross-site scripting, HTTP request smuggling, and other attacks.

Since this weakness would typically be used as one component in a larger attack scenario, the consequences of an attack will depend on the vulnerabilities exploited along with this weakness.

Versions 9.0.16 for Windows and 7.0.63 for Linux are affected by this issue.

82. EnthrallWeb Multiple Products Myprofile.ASP Arbitrary User Password Change Vulnerability
BugTraq ID: 21739
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21739
Summary:
Multiple Enthrallweb applications are prone to a vulnerability that may permit attackers to change arbitrary passwords.

Exploiting this issue may allow an attacker to change an arbitrary user's password, bypass the authentication mechanism, and gain unauthorized access to the affected applications. This may lead to other attacks.

83. PHPBBXtra Archive_Topic.PHP Remote File Include Vulnerability
BugTraq ID: 21738
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21738
Summary:
phpbbXtra is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process.

Version 2.0 is vulnerable to this issue; other versions may also be affected.

84. GNU Tar GNUTYPE_NAMES Remote Directory Traversal Vulnerability
BugTraq ID: 21235
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21235
Summary:
GNU Tar is prone to a vulnerability that may allow an attacker to place files and overwrite files in arbitrary locations on a vulnerable computer. These issues present themselves when the application processes malicious archives.

A successful attack can allow the attacker to place potentially malicious files and overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.

85. OpenLDAP Server Bind Request Denial Of Service Vulnerability
BugTraq ID: 20939
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20939
Summary:
OpenLDAP server is prone to a denial-of-service vulnerability because it fails to handle exceptional conditions.

An attacker can exploit this issue to cause a crash in the LDAP server, effectively denying service to legitimate users.

86. OpenSER Parse_Expression Remote Buffer Overflow Vulnerability
BugTraq ID: 21706
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21706
Summary:
OpenSER is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate bounds-checks on user-supplied input before copying it to an insufficiently sized buffer.

An attacker could exploit this issue to execute arbitrary code with the permissions of the application.

OpenSER 1.1.0 is vulnerable; other versions may also be affected.

87. Clam AntiVirus ClamAV Multiple Vulnerabilities
BugTraq ID: 17388
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/17388
Summary:
ClamAV is prone to multiple vulnerabilities:

- An integer-overflow vulnerability.
- A format-string vulnerability.
- A denial-of-service vulnerability.

The first two issues may permit attackers to execute arbitrary code, which can facilitate a compromise of an affected computer.

If an attacker can successfully exploit the denial-of-service issue, this may crash the affected application, which may aid an attacker in further attacks if the antivirus software no longer works.

88. Symantec Antivirus Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 18107
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/18107
Summary:
Multiple Symantec products are susceptible to a remote stack buffer-overflow vulnerability.

This issue allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.

Symantec Antivirus Corporate Edition 10.1 and Symantec Client Security 3.1 are currently known to be vulnerable to this issue.

89. PHP Live! Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 21737
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21737
Summary:
PHP Live! is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Version 3.2.2 was reported vulnerable; other versions may also be affected.

90. SquirrelMail Multiple Cross Site Scripting and Input Validation Vulnerabilities
BugTraq ID: 21414
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21414
Summary:
SquirrelMail is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to 1.4.9a are vulnerable.

91. XPDF Multiple Unspecified Vulnerabilities
BugTraq ID: 16748
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/16748
Summary:
The 'xpdf' utility is reportedly prone to multiple unspecified security vulnerabilities. The cause and impact of these issues are currently unknown.

All versions of xpdf are considered vulnerable at the moment. This BID will be updated when more information becomes available.

92. RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 17202
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/17202
Summary:
Various RealNetworks products are prone to multiple buffer-overflow vulnerabilities.

These issues can result in memory corruption and facilitate arbitrary code execution. A successful attack can allow remote attackers to execute arbitrary code in the context of the application to gain unauthorized access.

93. Netbula Anyboard User Login SQL Injection Vulnerability
BugTraq ID: 21734
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21734
Summary:
Netbula Anyboard is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

94. TimberWolf ShowNews.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 21733
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21733
Summary:
TimberWolf is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Version 1.2.2 is vulnerable to this issue; other versions may also be affected.

95. GnuPG Incorrect Non-Detached Signature Verification Vulnerability
BugTraq ID: 17058
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/17058
Summary:
GnuPG is prone to a vulnerability involving incorrect verification of non-detached signatures.

A successful attack can allow an attacker to simply take a signed message, inject arbitrary data into it, and bypass verification.

Note that this issue also affects verification of signatures embedded in encrypted messages. Scripts and applications using gpg are affected, as are applications using the GPGME library.

GnuPG versions prior to 1.4.2.2 are vulnerable to this issue.

96. Linux Kernel ATM SkBuff Dereference Remote Denial of Service Vulnerability
BugTraq ID: 20363
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/20363
Summary:
The Linux kernel is prone to a remote denial-of-service vulnerability.

This issue is triggered when the kernel processes incoming ATM data.

Exploiting this vulnerability may allow remote attackers to crash the affected kernel, resulting in denial-of-service conditions.

This issue affects only systems that have ATM hardware and are configured for ATM kernel support.

Kernel versions from 2.6.0 up to and including 2.6.17 are vulnerable to this issue.

97. Chatwm SelGruFra.ASP SQL Injection Vulnerabilities
BugTraq ID: 21732
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/21732
Summary:
Chatwm is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

98. PAFileDB Pafiledb_Constants.PHP Remote File Include Vulnerability
BugTraq ID: 17930
Remote: Yes
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/17930
Summary:
paFileDB is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects version 2.0.1 and prior.

99. Linux Kernel Coda_Pioctl Local Buffer Overflow Vulnerability
BugTraq ID: 14967
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/14967
Summary:
The Linux kernel is prone to a local buffer-overflow vulnerability.

Specifically, the vulnerability affects the 'coda_pioctl()' function of the 'pioctl.c' file.

A successful attack may result in a denial-of-service condition or arbitrary code execution with superuser privileges.

This issue may be related to the issues described in BID 12239 (Linux Kernel Multiple Unspecified Vulnerabilities).

100. Linux Kernel Unw_Unwind_To_User Local Denial of Service Vulnerability
BugTraq ID: 13266
Remote: No
Last Updated: 2007-01-02
Relevant URL: http://www.securityfocus.com/bid/13266
Summary:
A local denial-of-service vulnerability affects the Linux kernel.

A local attacker may leverage this issue to cause an affected Linux kernel to panic, effectively denying service to legitimate users.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Bots, breaches and bugs plague 2006
By: Robert Lemos
Vulnerabilities, especially in Web applications, take off, while bot nets and their controllers cause a jump in spam, and data breaches continue to worry companies and their customers.
http://www.securityfocus.com/news/11432

2. Stock scammer gets coal for the holidays
By: Robert Lemos
The U.S. Securities and Exchange Commission puts a suspected Russian brokerage-account thief's money on ice, after he allegedly used illicit access to people's portfolios to drive up stock prices.
http://www.securityfocus.com/news/11431

3. PHP security under scrutiny
By: Robert Lemos
The departure of a security team member and recent data showing that PHP Web applications account for four out of every ten security flaws found in 2006 highlight the need for better protections, say experts.
http://www.securityfocus.com/news/11430

4. UCLA alerts 800,000 to data breach
By: Robert Lemos
An unknown attacker uses a security flaw to access a restricted database containing Social Security numbers and other personal information on students, faculty and staff of the University of California, Los Angeles.
http://www.securityfocus.com/news/11429

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Security Consultant, San Francisco
http://www.securityfocus.com/archive/77/455796

2. [SJ-JOB] Director, Information Security, White Plains
http://www.securityfocus.com/archive/77/455778

3. [SJ-JOB] Software Engineer, Columbia
http://www.securityfocus.com/archive/77/455780

4. [SJ-JOB] Information Assurance Analyst, London
http://www.securityfocus.com/archive/77/455781

5. [SJ-JOB] Security System Administrator, Iowa City
http://www.securityfocus.com/archive/77/455782

6. [SJ-JOB] Sr. Security Analyst, Seattle
http://www.securityfocus.com/archive/77/455798

7. [SJ-JOB] Sr. Security Analyst, San Francisco
http://www.securityfocus.com/archive/77/455779

8. [SJ-JOB] Security Consultant, Seattle
http://www.securityfocus.com/archive/77/455804

9. [SJ-JOB] Sr. Security Analyst, Bangalore
http://www.securityfocus.com/archive/77/455672

10. [SJ-JOB] Developer, Fairfax
http://www.securityfocus.com/archive/77/455493

11. [SJ-JOB] Sr. Security Analyst, Charlotte
http://www.securityfocus.com/archive/77/455393

12. [SJ-JOB] Security Engineer, Burlington
http://www.securityfocus.com/archive/77/455394

13. [SJ-JOB] Application Security Engineer, Dulles
http://www.securityfocus.com/archive/77/455391

14. [SJ-JOB] Auditor, Milwaukee
http://www.securityfocus.com/archive/77/455392

15. [SJ-JOB] Sales Representative, Tampa
http://www.securityfocus.com/archive/77/455396

16. [SJ-JOB] Auditor, Poughkeepsie
http://www.securityfocus.com/archive/77/455398

V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. SEH overwrite technique
http://www.securityfocus.com/archive/82/455643

2. [NGSEC] ngGame #3 - BrainStorming
http://www.securityfocus.com/archive/82/455642

3. Debugger
http://www.securityfocus.com/archive/82/455354

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Secure Remote access - windows 2003
http://www.securityfocus.com/archive/88/455670

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
