
Tuesday, April 10, 2007

SecurityFocus Newsletter #396
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step" - White Paper
Blind SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and
manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!

https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=70160000000ClcR


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Metasploit 3.0 day
2. Blanket Discovery for Stolen Laptops
II. BUGTRAQ SUMMARY
1. Hewlett Packard HP-UX Portable File System Unspecified Privilege Escalation Vulnerability
2. LibWPD Library Multiple Buffer Overflow Vulnerabilities
3. Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration Vulnerability
4. Kaspersky Antivirus Engine ARJ Archive Remote Heap Overflow Vulnerability
5. Kaspersky AntiVirus Prod60 ActiveX Control Arbitrary File Exfiltration Vulnerability
6. Xoops Jobs Module Index.PHP SQL Injection Vulnerability
7. XOOPS WF-Link Module Viewcat.PHP SQL Injection Vulnerability
8. Microsoft April 2007 Advance Notification Multiple Vulnerabilities
9. Sisplet CMS Komentar.PHP Remote File Include Vulnerability
10. Lite-CMS Index.PHP Local File Include Vulnerability
11. CodeWand PHPBrowse Include_Stream.Inc.PHP Remote File Include Vulnerability
12. PHP-Generics _App_Relative_Path Multiple Remote File Include Vulnerabilities
13. Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow Vulnerability
14. Centrino Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerability
15. LedgerSMB Unspecified SQL Injection Vulnerabilities
16. XOOPS Multiple Modules ViewCat.PHP SQL Injection Vulnerabilities
17. Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Information Disclosure Vulnerability
18. XMMS Skins Integer Overflow And Underflow Vulnerabilities
19. Linux Kernel Omnikey CardMan 4040 Driver Local Buffer Overflow Vulnerability
20. VMware Unspecified Buffer Overflow Vulnerability
21. Zlib Compression Library gzprintf() Buffer Overrun Vulnerability
22. Zlib Compression Library Decompression Buffer Overflow Vulnerability
23. XOOPS Rha7 Downloads Module Visit.PHP SQL Injection Vulnerability
24. GNU Texinfo Insecure Temporary File Creation Vulnerability
25. PHPBB Mutant Mutant_Functions.PHP Remote File Include Vulnerability
26. IrfanView Multiple BMP Denial of Service Vulnerabilities
27. Microsoft Windows UPnP Remote Stack Buffer Overflow Vulnerability
28. Windows VDM Zero Page Race Condition Local Privilege Escalation Vulnerability
29. Microsoft Agent URI Processing Remote Code Execution Vulnerability
30. Microsoft Windows CSRSS CSRFinalizeContext Local Privilege Escalation Vulnerability
31. Microsoft Windows CSRSS HardError Messages Denial of Service Vulnerability
32. Microsoft Windows CSRSS MSGBox Remote Code Execution Vulnerability
33. MIT Kerberos 5 KAdminD Server Stack Buffer Overflow Vulnerability
34. MIT Kerberos Administration Daemon Kadmind Double Free Memory Corruption Vulnerabilities
35. MIT Kerberos 5 Telnet Daemon Authentication Bypass Vulnerability
36. OpenOffice Meta Character Remote Shell Command Execution Vulnerability
37. Microsoft Internet Explorer Script Error Handling Remote Code Execution Vulnerability
38. Microsoft Content Management Server Remote Code Execution Vulnerability
39. Microsoft Content Management Server Cross-Site Scripting Vulnerability
40. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
41. HIOX Free Guest Book Index.PHP HTML Injection Vulnerability
42. Apple AirPort Extreme Base Station Firmware Information Disclosure Vulnerability
43. IPSec-Tools Remote Denial Of Service Vulnerability
44. PHP121 Instant Messenger php121db.PHP Local File Include Vulnerability
45. OpenSSH Duplicated Block Remote Denial of Service Vulnerability
46. CattaDoc Arbitrary Files Information Disclosure Vulnerability
47. Xrousse Beryo Downloadpic.PHP Arbitrary File Download Vulnerability
48. Linux Kernel DCCP Proto.C Buffer Overflow Vulnerability
49. Battle.net Clan Script Login.PHP SQL Injection Vulnerability
50. Einfacher Passworschutz Index.PHP Cross-Site Scripting Vulnerability
51. Microsoft Windows Help File Unspecified Heap Overflow Vulnerability
52. Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
53. IPIX Image Well ActiveX Controls Multiple Buffer Overflow Vulnerabilities
54. eCardMAX HotEditor Keyboard.PHP Local File Include Vulnerability
55. Linux Kernel AppleTalk ATalk_Sum_SKB Function Denial Of Service Vulnerability
56. Pathos Warn.PHP Remote File Include Vulnerability
57. AOL AIM and ICQ Clients Directory Traversal Vulnerability
58. JustSystem Ichitaro Unspecified Remote Code Execution Vulnerability
59. DeskPro Login.PHP HTML Injection Vulnerability
60. Microsoft Word 2007 WWLib.DLL Unspecified Document File Buffer Overflow Vulnerability
61. Yahoo! Messenger Audio Conferencing ActiveX Control Remote Buffer Overflow Vulnerability
62. Microsoft Windows GDI Invalid Window Size Local Privilege Escalation Vulnerability
63. IrfanView Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
64. Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability
65. Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation Vulnerability
66. Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation Vulnerability
67. ScarNews Scarnews.Inc.PHP Local File Include Vulnerability
68. SignKorea SKCrypAX ActiveX Control Multiple Buffer Overflow Vulnerabilities
69. Microsoft Windows GDI WMF Remote Denial of Service Vulnerability
70. Microsoft Windows Explorer ANI File Denial of Service Vulnerability
71. ArchiveXpert Multiple Directory Traversal Vulnerabilities
72. Requestit Index.PHP Remote File Include Vulnerability
73. UBB.Threads UBBThreads.PHP SQL Injection Vulnerability
74. QuizShock Auth.PHP HTML Injection Vulnerability
75. DirectAdmin Multiple Cross-Site Scripting Vulnerabilities
76. EBoard Member.PHP Local File Include Vulnerability
77. phpGalleryScript Init.Gallery.PHP Remote File Include Vulnerability
78. MyNews Week_Events.PHP Remote File Include Vulnerability
79. SmodCMS Dictionary.PHP SQL Injection Vulnerability
80. Youngzsoft CMailServer Comment Parameter Cross-Site Scripting Vulnerability
81. Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
82. CompreXX Multiple Directory Traversal Vulnerabilities
83. Intervations FileCopa Unspecified Remote Stack Buffer Overflow Vulnerability
84. X.Org LibXFont Multiple Integer Overflow Vulnerabilities
85. Youngzsoft CMailServer Signup.ASP Cross-Site Scripting Vulnerability
86. PHP Filter_Var FILTER_VALIDATE_EMAIL Newline Injection Vulnerability
87. WitShare Index.PHP Local File Include Vulnerability
88. Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability
89. PHP GD Extension WBMP File Integer Overflow Vulnerabilities
90. GNU GV Stack Buffer Overflow Vulnerability
91. SmodBIP Index.PHP SQL Injection Vulnerability
92. Man Command -H Flag Local Buffer Overflow Vulnerability
93. Nuke ET User Account Deletion Input Validation Vulnerability
94. Livor Index.PHP Cross-Site Scripting Vulnerability
95. SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
96. Winamp LibSNDFile.DLL Component Remote Code Execution Vulnerability
97. Winamp IN_Mod.DLL Plugin Remote Code Execution Vulnerability
98. Firebug Rep.JS Script Code Injection Vulnerability
99. WebSpell Picture.PHP Multiple Local File Include Vulnerabilities
100. ImageMagick DCM XWD Formats Multiple Integer Overflow Vulnerabilities
III. SECURITYFOCUS NEWS
1. Developers warned to secure AJAX design
2. TJX theft tops 45.6 million card numbers
3. Groups team to test secure-coding skill
4. Oracle sues rival for hacking, data theft
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. [Fwd: Finding License Codes for Re-install]
2. Running commands on workstations from domain controller
3. blocking thru IE
4. SecurityFocus Microsoft Newsletter #336
5. Discovering Active Directory users with blank passwords
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Metasploit 3.0 day
By Federico Biancuzzi
The Metasploit Framework is a development platform for creating security tools and exploits. Federico Biancuzzi interviewed H D Moore to discuss what's new in release 3.0, the new license of the framework, plans for feature and exploit development, and the links among the bad guys, Metasploit, and the law.
http://www.securityfocus.com/columnists/439

2. Blanket Discovery for Stolen Laptops
By Mark Rasch
Mark Rasch discusses the legal issues behind the discovery and recovery of stolen laptops that use LoJack-style homing devices to announce their location, and the location of the thieves, anywhere in the world.
http://www.securityfocus.com/columnists/438


II. BUGTRAQ SUMMARY
--------------------
1. Hewlett Packard HP-UX Portable File System Unspecified Privilege Escalation Vulnerability
BugTraq ID: 23401
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23401
Summary:
HP-UX running PFS (Portable File System) is prone to an unspecified privilege-escalation vulnerability.

Remote attackers can exploit this issue to gain elevated privileges on affected computers.

2. LibWPD Library Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 23006
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23006
Summary:
The libwpd library is prone to multiple buffer-overflow vulnerabilities because it fails to adequately check boundaries on user-supplied input.

A successful exploit could let a remote attacker execute arbitrary code in the context of an application using the affected library.

Version 0.8.7 is vulnerable; other versions prior to 0.8.9 may also be affected.

3. Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration Vulnerability
BugTraq ID: 23325
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23325
Summary:
Kaspersky Anti-Virus is prone to an arbitrary-file-exfiltration vulnerability.

An attacker can exploit this issue to steal files from a victim machine.

This issue affects Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0.

4. Kaspersky Antivirus Engine ARJ Archive Remote Heap Overflow Vulnerability
BugTraq ID: 23346
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23346
Summary:
Kaspersky Anti-Virus Engine is prone to a remote heap-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.

An attacker could leverage this issue to execute arbitrary code with SYSTEM-level privileges. A successful exploit could result in the complete compromise of affected computers.

5. Kaspersky AntiVirus Prod60 ActiveX Control Arbitrary File Exfiltration Vulnerability
BugTraq ID: 23345
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23345
Summary:
Kaspersky AntiVirus is prone to an arbitrary-file-exfiltration vulnerability.

An attacker can exploit this issue to steal files from a victim machine.

This issue affects Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0.

6. Xoops Jobs Module Index.PHP SQL Injection Vulnerability
BugTraq ID: 23344
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23344
Summary:
The XOOPS Jobs module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

This issue affects Jobs 2.4 and prior versions; other versions may also be affected.

7. XOOPS WF-Link Module Viewcat.PHP SQL Injection Vulnerability
BugTraq ID: 23340
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23340
Summary:
The XOOPS WF-Link module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

This issue affects WF-Link 1.03; prior versions may also be affected.

8. Microsoft April 2007 Advance Notification Multiple Vulnerabilities
BugTraq ID: 23335
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23335
Summary:
Microsoft has released advance notification that it will publish five security bulletins on April 10, 2007. The highest severity rating for these issues is 'Critical'.

Further details about these issues are not currently available. Individual BIDs will be created for each issue; this record will be removed when the security bulletins are released.

9. Sisplet CMS Komentar.PHP Remote File Include Vulnerability
BugTraq ID: 23334
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23334
Summary:
Sisplet CMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Version 05.10 is vulnerable; other versions may also be affected.

10. Lite-CMS Index.PHP Local File Include Vulnerability
BugTraq ID: 23330
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23330
Summary:
Lite-CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

Version 0.2.1 is vulnerable; other versions may also be affected.

11. CodeWand PHPBrowse Include_Stream.Inc.PHP Remote File Include Vulnerability
BugTraq ID: 23329
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23329
Summary:
phpBrowse is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

12. PHP-Generics _App_Relative_Path Multiple Remote File Include Vulnerabilities
BugTraq ID: 23328
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23328
Summary:
PHP-Generics is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

These issues affect version 1.0 beta; other versions may also be vulnerable.

13. Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow Vulnerability
BugTraq ID: 23326
Remote: No
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23326
Summary:
Kaspersky Internet Security Suite is prone to a heap-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.

An attacker could leverage this issue to execute arbitrary code with kernel-level privileges. A successful exploit could result in the complete compromise of the affected system.

Kaspersky Internet Security Suite 6.0.1.411 for Microsoft Windows is reported vulnerable; previous versions may be vulnerable as well.

14. Centrino Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerability
BugTraq ID: 19864
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/19864
Summary:
Intel PRO/Wireless Network Connection drivers are prone to a remote code-execution vulnerability.

An attacker may trigger this vulnerability to corrupt memory and execute arbitrary code in the vulnerable system with kernel-level credentials.

A successful attack can result in a complete compromise of the affected computer.

15. LedgerSMB Unspecified SQL Injection Vulnerabilities
BugTraq ID: 20749
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/20749
Summary:
LedgerSMB is prone to multiple unspecified SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful attack could allow an attacker to compromise the application, access or modify data, gain administrative access to the application, or exploit vulnerabilities in the underlying database implementation.

LedgerSMB 1.1.0 is vulnerable to these issues; other versions may be vulnerable as well.

16. XOOPS Multiple Modules ViewCat.PHP SQL Injection Vulnerabilities
BugTraq ID: 23229
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23229
Summary:
Multiple XOOPS Modules are prone to SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

17. Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Information Disclosure Vulnerability
BugTraq ID: 22904
Remote: No
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/22904
Summary:
Linux Kernel is prone to an information-disclosure vulnerability because it fails to handle unexpected user-supplied input.

Successful exploits will allow attackers to obtain portions of kernel memory. Information harvested may be used in further attacks.

Kernel versions 2.6.0 up to 2.6.20.1 are vulnerable to this issue.

18. XMMS Skins Integer Overflow And Underflow Vulnerabilities
BugTraq ID: 23078
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23078
Summary:
XMMS is prone to an integer-overflow vulnerability and an integer-underflow vulnerability because it fails to adequately handle user-supplied data.

An attacker can leverage these issues to corrupt stack-based memory and execute arbitrary code with the privileges of a user running the application. A successful attack may result in the compromise of affected computers. Failed attempts will likely cause denial-of-service conditions.

Version 1.2.10 is vulnerable; other versions may also be affected.

19. Linux Kernel Omnikey CardMan 4040 Driver Local Buffer Overflow Vulnerability
BugTraq ID: 22870
Remote: No
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/22870
Summary:
The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.

This issue allows local attackers to overwrite kernel memory with arbitrary data, potentially allowing them to execute malicious machine code in the context of affected kernels. Exploiting this vulnerability facilitates the complete compromise of affected computers.

Linux kernel versions prior to 2.6.21-rc3 are affected by this issue.

20. VMware Unspecified Buffer Overflow Vulnerability
BugTraq ID: 23322
Remote: No
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23322
Summary:
VMware is prone to an unspecified buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with administrative privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.

21. Zlib Compression Library gzprintf() Buffer Overrun Vulnerability
BugTraq ID: 6913
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/6913
Summary:
A buffer-overrun vulnerability has been reported in the Zlib compression library. Because an internal Zlib function formats caller-supplied data with 'vsprintf()', an attacker can corrupt memory. The overrun occurs because the software fails to check the boundaries of user-supplied data passed to the 'gzprintf()' function.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary instructions.

Note that only Zlib 1.1.4 has been reported vulnerable to this issue. It is not yet known whether earlier versions are also affected.
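The vsprintf() pattern named above, as an added illustration that is not zlib's code: a printf-style wrapper that formats caller data into a fixed-size buffer. The unsafe form is left in a comment; the hardened form hands vsnprintf() the buffer size and treats a return value equal to or larger than that size as an error instead of silently truncating. The buffer size, the function names and the sample strings are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not zlib's code. FMT_BUFSIZE and the function names are
 * assumptions chosen for illustration. */
#define FMT_BUFSIZE 64

/* Vulnerable pattern, shown for contrast and never called: vsprintf() is
 * not told how large 'buf' is, so an over-long argument runs past its end.
 *
 *   static int format_unbounded(char *buf, const char *fmt, ...)
 *   {
 *       va_list ap;
 *       va_start(ap, fmt);
 *       int n = vsprintf(buf, fmt, ap);   // no length: overruns buf
 *       va_end(ap);
 *       return n;
 *   }
 */

/* Hardened form: vsnprintf() receives the buffer size, and its return value
 * (the length the full output would have had) is checked so that silent
 * truncation becomes an explicit failure. Returns the number of bytes
 * written, or -1 if the output did not fit or formatting failed. */
int format_bounded(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= bufsize) {
        /* Either an encoding error, or the output needed bufsize bytes or
         * more (vsnprintf wrote at most bufsize-1 plus the NUL). Refuse
         * rather than return a truncated string the caller might trust. */
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Entry point with its own scratch buffer, mirroring the shape of a
 * printf-style API that owns its formatting space. Returns the formatted
 * length, or -1 when the result would not fit in FMT_BUFSIZE. */
int gz_style_printf(const char *fmt, const char *arg)
{
    char scratch[FMT_BUFSIZE];
    return format_bounded(scratch, sizeof scratch, fmt, arg);
}

int main(void)
{
    char small[16];
    printf("short: %d\n", format_bounded(small, sizeof small, "%s", "hello"));
    printf("long:  %d\n", format_bounded(small, sizeof small, "%s",
                                         "this string is far too long"));
    return 0;
}
```

The check on the return value is the part that is easy to forget: switching to vsnprintf() alone stops the overrun, but without it a caller can still receive a silently cut-off string.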

22. Zlib Compression Library Decompression Buffer Overflow Vulnerability
BugTraq ID: 14340
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/14340
Summary:
Zlib is susceptible to a buffer-overflow vulnerability. This issue is due to the library's failure to properly handle unexpected input to its decompression routines.

Certain values used during decompression are incorrectly specified, allowing invalid inflate input to corrupt memory.

This vulnerability allows attackers to crash applications that use the affected library. This could also potentially allow for arbitrary code execution in the context of an affected application.

23. XOOPS Rha7 Downloads Module Visit.PHP SQL Injection Vulnerability
BugTraq ID: 23320
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23320
Summary:
The XOOPS Rha7 Downloads module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

This issue affects Rha7 Downloads 1.0; prior versions may also be affected.

24. GNU Texinfo Insecure Temporary File Creation Vulnerability
BugTraq ID: 14854
Remote: No
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/14854
Summary:
Texinfo creates temporary files in an insecure manner. The issue resides in the 'textindex.c' file.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

25. PHPBB Mutant Mutant_Functions.PHP Remote File Include Vulnerability
BugTraq ID: 23319
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23319
Summary:
Mutant is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Mutant 0.9.2; other versions may also be vulnerable.

26. IrfanView Multiple BMP Denial of Service Vulnerabilities
BugTraq ID: 23318
Remote: Yes
Last Updated: 2007-04-06
Relevant URL: http://www.securityfocus.com/bid/23318
Summary:
IrfanView is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files.

Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

IrfanView 3.99 is affected; other versions may also be vulnerable.

27. Microsoft Windows UPnP Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 23371
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23371
Summary:
Microsoft Windows is prone to a remote stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. This occurs when handling certain HTTP requests.

To exploit this issue, an attacker must be in the same network segment as the victim.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the affected service. Failed exploit attempts will likely result in denial-of-service conditions.

28. Windows VDM Zero Page Race Condition Local Privilege Escalation Vulnerability
BugTraq ID: 23367
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23367
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability because of a race condition in the Virtual DOS Machine (VDM).

A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

29. Microsoft Agent URI Processing Remote Code Execution Vulnerability
BugTraq ID: 23337
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23337
Summary:
The Microsoft Agent ActiveX control is prone to remote code execution.

An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

Note that users who are running Windows Internet Explorer 7 are not affected by this vulnerability.

30. Microsoft Windows CSRSS CSRFinalizeContext Local Privilege Escalation Vulnerability
BugTraq ID: 23338
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23338
Summary:
Microsoft Windows CSRSS (client/server run-time subsystem) is prone to a local privilege-escalation vulnerability.

Successful attacks will result in the complete compromise of affected computers.

31. Microsoft Windows CSRSS HardError Messages Denial of Service Vulnerability
BugTraq ID: 21688
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/21688
Summary:
Microsoft Windows is prone to a local denial-of-service vulnerability because the operating system fails to handle certain API calls with unexpected parameters.

A local unprivileged attacker may exploit this issue by executing a malicious application.

Successful exploits will allow attackers to crash the operating system, denying further service to legitimate users.

32. Microsoft Windows CSRSS MSGBox Remote Code Execution Vulnerability
BugTraq ID: 23324
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23324
Summary:
Microsoft Windows CSRSS (client/server run-time subsystem) MsgBox is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges.

Note that this issue can also be exploited locally by an authenticated user to gain elevated privileges.

Under default settings, Windows Vista is not prone to remote attacks that attempt to exploit this issue.

Update: This issue was originally disclosed as part of BID 21688, but has now been assigned its own record.

33. MIT Kerberos 5 KAdminD Server Stack Buffer Overflow Vulnerability
BugTraq ID: 23285
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23285
Summary:
Kerberos 5 kadmind (Kerberos Administration Daemon) server is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

All kadmind servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 kadmind 1.6 and prior versions are vulnerable.

34. MIT Kerberos Administration Daemon Kadmind Double Free Memory Corruption Vulnerabilities
BugTraq ID: 23282
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23282
Summary:
MIT Kerberos 5 is prone to a double-free memory-corruption vulnerability.

An attacker can exploit this issue to execute arbitrary code with superuser or SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected API.

35. MIT Kerberos 5 Telnet Daemon Authentication Bypass Vulnerability
BugTraq ID: 23281
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23281
Summary:
MIT Kerberos 5 is prone to an authentication-bypass vulnerability.

An attacker can exploit this issue to gain superuser or SYSTEM-level privileges on the affected computer. Successfully exploiting this issue will result in the complete compromise of affected computers.

This issue occurs in Kerberos 5 versions 1.6 and prior.

36. OpenOffice Meta Character Remote Shell Command Execution Vulnerability
BugTraq ID: 22812
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/22812
Summary:
OpenOffice is prone to a vulnerability that allows arbitrary shell commands to run because the software fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application.

37. Microsoft Internet Explorer Script Error Handling Remote Code Execution Vulnerability
BugTraq ID: 21552
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/21552
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

This vulnerability is related to how the browser handles script errors. An attacker may exploit this vulnerability to execute arbitrary code in the context of the user running the affected browser.

38. Microsoft Content Management Server Remote Code Execution Vulnerability
BugTraq ID: 22861
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/22861
Summary:
Microsoft Content Management Server (MCMS) is prone to an arbitrary code-execution vulnerability because the software fails to properly validate user-supplied input.

Exploiting this issue allows remote attackers to execute arbitrary machine code on affected computers with the privileges of the vulnerable application.

39. Microsoft Content Management Server Cross-Site Scripting Vulnerability
BugTraq ID: 22860
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/22860
Summary:
Microsoft Content Management Server (MCMS) is prone to an unspecified cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials, spoof content, or perform actions on behalf of the victim user; this could aid in further attacks.

40. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 23194
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23194
Summary:
Microsoft Windows is prone to a stack buffer-overflow vulnerability because of insufficient format validation that occurs when handling malformed ANI cursor or icon files.

An attacker can exploit this issue to execute arbitrary code with the privileges of an unsuspecting user. A successful attack can result in the compromise of affected user accounts and computers.

This issue affects Windows Vista, Windows XP SP2, and Windows Server 2003 SP1 when running Internet Explorer 6 and 7; other versions and client applications may also be affected.

Microsoft has recently disclosed that Outlook 2007 is not vulnerable, that Windows Mail on Vista is vulnerable in replying to or forwarding emails containing malicious ANI files, and that Outlook Express is vulnerable to this issue.

Third-party applications such as browsers that handle ANI files and call the ANI rendering functionality in GDI pose an attack vector for this vulnerability.

41. HIOX Free Guest Book Index.PHP HTML Injection Vulnerability
BugTraq ID: 23397
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23397
Summary:
HIOX FREE Guest Book is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

HIOX FREE Guest Book 4.0 is vulnerable; other versions may also be affected.

42. Apple AirPort Extreme Base Station Firmware Information Disclosure Vulnerability
BugTraq ID: 23396
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23396
Summary:
Apple AirPort Extreme Base Station is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to view filenames on a password-protected AirPort Disk without supplying a password.

Firmware versions prior to 7.1 are vulnerable.

43. IPSec-Tools Remote Denial Of Service Vulnerability
BugTraq ID: 23394
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23394
Summary:
IPSec-Tools is affected by a remote denial-of-service vulnerability because the application fails to properly handle certain network packets.

A successful attack allows a remote attacker to crash the application, denying further service to legitimate users.

IPSec-Tools versions prior to 0.6.7 are vulnerable to this issue.

44. PHP121 Instant Messenger php121db.PHP Local File Include Vulnerability
BugTraq ID: 23392
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23392
Summary:
PHP121 is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

PHP121 2.2 is vulnerable; other versions may also be affected.

45. OpenSSH Duplicated Block Remote Denial of Service Vulnerability
BugTraq ID: 20216
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/20216
Summary:
OpenSSH is prone to a remote denial-of-service vulnerability because it fails to properly handle incoming duplicate blocks.

Remote attackers may exploit this issue to consume excessive CPU resources, potentially denying service to legitimate users.

This issue occurs only when OpenSSH is configured to accept SSH Version One traffic.

46. CattaDoc Arbitrary Files Information Disclosure Vulnerability
BugTraq ID: 23390
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23390
Summary:
cattaDoc is prone to a remote information-disclosure vulnerability.

An attacker can leverage this issue to access sensitive data that could aid in further attacks.

47. Xrousse Beryo Downloadpic.PHP Arbitrary File Download Vulnerability
BugTraq ID: 23387
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23387
Summary:
Xrousse Beryo is prone to an issue that allows an attacker to download arbitrary files.

The attacker can exploit this issue to obtain sensitive information and download arbitrary files from the webserver.

This issue affects Xrousse Beryo 2.4 and prior versions.

48. Linux Kernel DCCP Proto.C Buffer Overflow Vulnerability
BugTraq ID: 23384
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23384
Summary:
The Linux kernel is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to cause denial-of-service conditions. Arbitrary code execution may also be possible, but this has not been confirmed.

Versions prior to 2.6.20.5 are vulnerable.

49. Battle.net Clan Script Login.PHP SQL Injection Vulnerability
BugTraq ID: 23383
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23383
Summary:
Battle.net Clan Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Battle.net Clan Script 1.5 is vulnerable; other versions may also be affected.

50. Einfacher Passworschutz Index.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 23395
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23395
Summary:
Einfacher Passworschutz is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

51. Microsoft Windows Help File Unspecified Heap Overflow Vulnerability
BugTraq ID: 23382
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23382
Summary:
The Microsoft Windows Help File viewer is reported prone to a heap-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data into insufficiently sized memory buffers.

This vulnerability presents itself when the application handles a specially crafted Windows Help ('.hlp') file.

A successful attack may facilitate arbitrary code execution in the context of a vulnerable user who opens a malicious file. Failed exploit attempts will likely result in denial-of-service conditions.

52. Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
BugTraq ID: 20241
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/20241
Summary:
Portable OpenSSH is prone to a remote code-execution vulnerability. The issue derives from a race condition in a vulnerable signal handler.

Reportedly, under specific conditions, it is theoretically possible to execute code remotely prior to authentication when GSSAPI authentication is enabled. This has not been confirmed; the chance of a successful exploit of this nature is considered minimal.

On non-Portable OpenSSH implementations, this same race condition can be exploited to cause a pre-authentication denial of service.

This issue occurs when OpenSSH and Portable OpenSSH are configured to accept GSSAPI authentication.

53. IPIX Image Well ActiveX Controls Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 23379
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23379
Summary:
IPIX Image Well ActiveX controls are prone to multiple buffer-overflow vulnerabilities because the software fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX controls and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

54. eCardMAX HotEditor Keyboard.PHP Local File Include Vulnerability
BugTraq ID: 23377
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23377
Summary:
eCardMAX HotEditor is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

HotEditor 4.0 is vulnerable; other versions may also be affected. This issue also affects versions that may be integrated into phpBB2, MyBB, Simple Machine Forum, and PunBB Forum.

55. Linux Kernel AppleTalk ATalk_Sum_SKB Function Denial Of Service Vulnerability
BugTraq ID: 23376
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23376
Summary:
The Linux kernel is prone to a denial-of-service vulnerability. This issue presents itself when malformed AppleTalk frames are processed.

An attacker can exploit this issue to crash host computers, effectively denying service to legitimate users.

Versions prior to 2.6.20.5 are vulnerable.

56. Pathos Warn.PHP Remote File Include Vulnerability
BugTraq ID: 23393
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23393
Summary:
Pathos is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Pathos 0.92-2; other versions may also be vulnerable.

57. AOL AIM and ICQ Clients Directory Traversal Vulnerability
BugTraq ID: 23391
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23391
Summary:
AOL AIM and ICQ Clients are prone to a directory-traversal vulnerability because the software fails to properly sanitize user-supplied input during a file transfer.

An attacker may exploit this issue by enticing victims into receiving a malicious file via the application.

Successful exploits will allow attackers to save files on arbitrary locations on a victim's computer.

58. JustSystem Ichitaro Unspecified Remote Code Execution Vulnerability
BugTraq ID: 23386
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23386
Summary:
Ichitaro is prone to an unspecified remotely exploitable code-execution vulnerability.

Remote attackers may exploit this issue to execute arbitrary code within the context of the affected system or to cause a denial of service.

Few details are available regarding this issue. This BID will be updated when more information emerges.

59. DeskPro Login.PHP HTML Injection Vulnerability
BugTraq ID: 23381
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23381
Summary:
DeskPRO is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

DeskPRO 2.0.1 is vulnerable to this issue.

60. Microsoft Word 2007 WWLib.DLL Unspecified Document File Buffer Overflow Vulnerability
BugTraq ID: 23380
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23380
Summary:
Microsoft Word is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue by enticing a victim to open a malicious Word file.

Successful exploits may allow an attacker to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.

61. Yahoo! Messenger Audio Conferencing ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 23291
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23291
Summary:
The Audio Conferencing ActiveX control shipped with Yahoo! Messenger is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.

Yahoo! Messenger versions released prior to March 13, 2007 are vulnerable to this issue.

62. Microsoft Windows GDI Invalid Window Size Local Privilege Escalation Vulnerability
BugTraq ID: 23277
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23277
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

63. IrfanView Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 23262
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23262
Summary:
IrfanView is prone to a buffer-overflow vulnerability because it fails to properly validate file formats. Specifically, the issue occurs when handling malformed ANI cursor or icon files.

An attacker can exploit this issue to execute arbitrary code with the privileges of an unsuspecting user. A successful attack can result in the compromise of affected user accounts and computers.

This issue affects version 3.99.

64. Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability
BugTraq ID: 23273
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23273
Summary:
Microsoft Windows Graphics Rendering Engine is prone to a local privilege-escalation vulnerability.

Successful exploits may result in a complete compromise of affected computers.

65. Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation Vulnerability
BugTraq ID: 23276
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23276
Summary:
Microsoft Windows GDI Font Rasterizer is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to gain complete control of an affected computer. Failed attempts will likely cause the operating system to crash, resulting in denial-of-service conditions.

66. Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation Vulnerability
BugTraq ID: 23278
Remote: No
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23278
Summary:
Microsoft Windows Graphics Rendering Engine is prone to a local privilege-escalation vulnerability when rendering malformed EMF image files.

An attacker may exploit this issue to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.

67. ScarNews Scarnews.Inc.PHP Local File Include Vulnerability
BugTraq ID: 23375
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23375
Summary:
ScarNews is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

ScarNews 1.2.1 is vulnerable; other versions may also be affected.

68. SignKorea SKCrypAX ActiveX Control Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 23374
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23374
Summary:
SignKorea SKCrypAX is prone to multiple remote buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

These issues affect SKCrypAX 5.4.1.2; other versions may also be affected.

69. Microsoft Windows GDI WMF Remote Denial of Service Vulnerability
BugTraq ID: 23275
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23275
Summary:
Microsoft Windows is prone to a remote denial-of-service vulnerability because the software fails to handle malicious WMF files.

Exploiting this issue may cause Microsoft Windows to crash, denying service to legitimate users.

70. Microsoft Windows Explorer ANI File Denial of Service Vulnerability
BugTraq ID: 23373
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23373
Summary:
Windows Explorer is prone to a denial-of-service vulnerability.

An attacker could exploit this issue to cause Explorer to crash, effectively denying service. Arbitrary code execution may be possible, but this has not been confirmed.

This issue affects Windows Explorer on Microsoft Windows XP SP2; other operating systems and versions may also be affected.

71. ArchiveXpert Multiple Directory Traversal Vulnerabilities
BugTraq ID: 23372
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23372
Summary:
ArchiveXpert is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to extract files into arbitrary directories and overwrite arbitrary files. Successful exploits may aid in further attacks.

These issues affect ArchiveXpert 2.02 build 80; other versions may also be affected.

72. Requestit Index.PHP Remote File Include Vulnerability
BugTraq ID: 23370
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23370
Summary:
Requestit is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Requestit 1.0b; other versions may also be vulnerable.

73. UBB.Threads UBBThreads.PHP SQL Injection Vulnerability
BugTraq ID: 23369
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23369
Summary:
UBB.threads is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

UBB.threads 6.1.1 and prior versions are vulnerable; other versions may also be affected.

74. QuizShock Auth.PHP HTML Injection Vulnerability
BugTraq ID: 23368
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23368
Summary:
QuizShock is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

QuizShock 1.5.8 through 1.6.1 are vulnerable.

75. DirectAdmin Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 21049
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/21049
Summary:
DirectAdmin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions 1.28.1 and 2.29 are vulnerable; other versions may also be affected.

76. EBoard Member.PHP Local File Include Vulnerability
BugTraq ID: 23365
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23365
Summary:
eBoard is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

eBoard 1.0.7 is vulnerable; other versions may also be affected.

77. phpGalleryScript Init.Gallery.PHP Remote File Include Vulnerability
BugTraq ID: 23399
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23399
Summary:
phpGalleryScript is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects phpGalleryScript 1.0; other versions may also be vulnerable.

78. MyNews Week_Events.PHP Remote File Include Vulnerability
BugTraq ID: 23398
Remote: Yes
Last Updated: 2007-04-10
Relevant URL: http://www.securityfocus.com/bid/23398
Summary:
MyNews is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.

This issue affects MyNews 4.2.2 and prior versions.

79. SmodCMS Dictionary.PHP SQL Injection Vulnerability
BugTraq ID: 23364
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23364
Summary:
SmodCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

SmodCMS 2.10 and prior versions are vulnerable.

80. Youngzsoft CMailServer Comment Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 23363
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23363
Summary:
Youngzsoft CMailServer is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Youngzsoft CMailServer 5.4.3 is vulnerable to this issue; other versions may also be affected.

81. Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
BugTraq ID: 20940
Remote: No
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/20940
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability because data structures mapped by the GDI Kernel can be re-mapped as read-write by other processes.

An attacker could exploit this issue to execute arbitrary machine code with SYSTEM-level privileges. A successful exploit could result in the complete compromise of the affected computer. Failed attempts could cause denial-of-service conditions.

82. CompreXX Multiple Directory Traversal Vulnerabilities
BugTraq ID: 23362
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23362
Summary:
CompreXX is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to extract files into arbitrary directories and overwrite arbitrary files. Successful exploits may aid in further attacks.

These issues affect CompreXX 4.1; other versions may also be affected.

83. Intervations FileCopa Unspecified Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 23056
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23056
Summary:
FileCopa is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed attempts may cause denial-of-service conditions.

84. X.Org LibXFont Multiple Integer Overflow Vulnerabilities
BugTraq ID: 23283
Remote: No
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23283
Summary:
The 'libXfont' library is prone to multiple local integer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data.

An attacker can exploit these vulnerabilities to execute arbitrary code with superuser privileges. Failed exploit attempts will likely cause denial-of-service conditions.

These issues affect libXfont 1.2.2; other versions may also be vulnerable.

85. Youngzsoft CMailServer Signup.ASP Cross-Site Scripting Vulnerability
BugTraq ID: 23360
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23360
Summary:
Youngzsoft CMailServer is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Youngzsoft CMailServer 5.3.4 is vulnerable to this issue; other versions may also be affected.

86. PHP Filter_Var FILTER_VALIDATE_EMAIL Newline Injection Vulnerability
BugTraq ID: 23359
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23359
Summary:
PHP is prone to an email-newline-injection vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow a malicious user to create arbitrary email headers, and then create and transmit spam messages from the affected computer.

87. WitShare Index.PHP Local File Include Vulnerability
BugTraq ID: 23358
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23358
Summary:
WitShare is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

WitShare 0.9 is vulnerable; other versions may also be affected.

88. Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 19204
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/19204
Summary:
Apache mod_rewrite is prone to an off-by-one buffer-overflow condition.

The vulnerability arises in the mod_rewrite module's handling of the ldap scheme and allows potential memory corruption when an attacker triggers certain rewrite rules.

An attacker may exploit this issue to trigger a denial-of-service condition. Reportedly, arbitrary code execution may be possible as well.

89. PHP GD Extension WBMP File Integer Overflow Vulnerabilities
BugTraq ID: 23357
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23357
Summary:
PHP's GD extension is prone to two integer-overflow vulnerabilities because it fails to check that integer values do not overflow.

Successfully exploiting these issues allows attackers to crash the affected application, potentially denying service to legitimate users. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

PHP 5.2.1 and prior versions are vulnerable.

90. GNU GV Stack Buffer Overflow Vulnerability
BugTraq ID: 20978
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/20978
Summary:
GNU gv is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected application. Failed attempts will likely crash the application, resulting in denial-of-service conditions.

Version 3.6.2 is reported vulnerable; other versions may also be affected.

NOTE: Various other applications may employ embedded GNU gv code and could also be vulnerable as a result.

91. SmodBIP Index.PHP SQL Injection Vulnerability
BugTraq ID: 23356
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23356
Summary:
SmodBIP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

SmodBIP 1.06 and prior versions are vulnerable.

92. Man Command -H Flag Local Buffer Overflow Vulnerability
BugTraq ID: 23355
Remote: No
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23355
Summary:
The 'man' command is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.

NOTE: Presumably, this issue is exploitable only when 'man' has been installed setuid.

Exploiting this issue allows attackers to execute malicious machine code with the privileges of the 'man' utility. This can result in the compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

93. Nuke ET User Account Deletion Input Validation Vulnerability
BugTraq ID: 23354
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23354
Summary:
Nuke ET is prone to an input-validation vulnerability because it fails to verify user-supplied data before performing certain actions.

An attacker can exploit this issue to delete arbitrary user accounts from the application.

Nuke ET 3.4 and prior versions are vulnerable.

94. Livor Index.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 23353
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23353
Summary:
Livor is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Livor 2.5 is vulnerable; other versions may also be affected.

95. SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
BugTraq ID: 23352
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23352
Summary:
SQL-Ledger/LedgerSMB is prone to an access-restriction vulnerability because it fails to adequately implement ACLs (Access Control Lists) for SQL database access.

Exploiting this issue can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

All versions of SQL-Ledger and LedgerSMB are prone to this issue.

NOTE: This issue is documented in LedgerSMB documentation.

96. Winamp LibSNDFile.DLL Component Remote Code Execution Vulnerability
BugTraq ID: 23351
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23351
Summary:
Winamp is prone to a remote code-execution vulnerability resulting from an off-by-zero memory-corruption error.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application.

Winamp 5.33 is vulnerable; other versions may also be affected.

97. Winamp IN_Mod.DLL Plugin Remote Code Execution Vulnerability
BugTraq ID: 23350
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23350
Summary:
The IN_MOD.DLL plugin for Winamp is prone to a remote code-execution issue because it fails to handle malformed files.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application.

IN_MOD.DLL 5.33 is vulnerable; other versions may also be affected.

98. Firebug Rep.JS Script Code Injection Vulnerability
BugTraq ID: 23349
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23349
Summary:
Firebug is prone to a script-code-injection vulnerability because it fails to adequately escape user-supplied data.

An attacker can exploit this issue to execute arbitrary script code in the context of the application.

Versions prior to 1.04 are vulnerable.

99. WebSpell Picture.PHP Multiple Local File Include Vulnerabilities
BugTraq ID: 23348
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23348
Summary:
WebSPELL is prone to multiple local file-include vulnerabilities because the application fails to adequately sanitize user-supplied input.

Exploiting these issues may allow an attacker to access potentially sensitive information that may aid in further attacks.

WebSPELL 4.01.02 and prior versions are vulnerable.

100. ImageMagick DCM XWD Formats Multiple Integer Overflow Vulnerabilities
BugTraq ID: 23347
Remote: Yes
Last Updated: 2007-04-09
Relevant URL: http://www.securityfocus.com/bid/23347
Summary:
ImageMagick is prone to multiple integer-overflow vulnerabilities because it fails to adequately handle user-supplied data.

An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

ImageMagick 6.2.9 through 6.3.3-4 are vulnerable.
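
The integer-overflow class behind this entry recurs in almost every image decoder: width, height and depth are read from attacker-controlled header fields, multiplied in 32-bit arithmetic, and the wrapped result sizes a buffer that the pixel copy then overruns. The following C program is an added illustration of that pattern and its fix; it is not ImageMagick's code, and the 12-byte big-endian header layout, the field names, the 256 MiB cap and the two sample files are constructed for the example.

```c
/* Added example (not ImageMagick's DCM/XWD coders): a naive 32-bit size
 * computation beside an overflow-checked one, driven by a constructed
 * 12-byte big-endian header (width, height, bits_per_pixel). */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADER_LEN 12u
/* Hypothetical upper bound on pixel memory a decoder will accept. */
#define MAX_PIXEL_BYTES ((size_t)256u * 1024u * 1024u)

struct img_header {
    uint32_t width;           /* pixels per line */
    uint32_t height;          /* number of lines */
    uint32_t bits_per_pixel;  /* 8, 24, 32 ... */
};

/* Naive computation: uint32_t arithmetic wraps mod 2^32, so a 65536x65536
 * 32-bpp header yields 0 bytes and malloc(0) is later written into. */
static uint32_t naive_pixel_bytes(const struct img_header *h)
{
    return h->width * h->height * (h->bits_per_pixel / 8);
}

/* Checked computation: every multiply is guarded before it is performed.
 * Returns 0 and stores the size in *out, or -1 on overflow/bad header. */
static int checked_pixel_bytes(const struct img_header *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return -1;
    if (h->bits_per_pixel == 0 || h->bits_per_pixel % 8 != 0 || h->bits_per_pixel > 64)
        return -1;
    size_t bpp = h->bits_per_pixel / 8;
    if ((size_t)h->width > SIZE_MAX / bpp)
        return -1;
    size_t row = (size_t)h->width * bpp;
    if (row > SIZE_MAX / h->height)
        return -1;
    size_t total = row * (size_t)h->height;
    if (total > MAX_PIXEL_BYTES)   /* sane even where size_t is 64-bit */
        return -1;
    *out = total;
    return 0;
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static int parse_header(const unsigned char *buf, size_t len, struct img_header *h)
{
    if (len < HEADER_LEN)
        return -1;
    h->width = be32(buf);
    h->height = be32(buf + 4);
    h->bits_per_pixel = be32(buf + 8);
    return 0;
}

/* Hardened decode path: validates size and file length before allocating.
 * Returns the number of pixel bytes copied, or -1 if the file is rejected. */
static long decode_pixels(const unsigned char *file, size_t len, unsigned char **pixels)
{
    struct img_header h;
    size_t need;
    *pixels = NULL;
    if (parse_header(file, len, &h) != 0)
        return -1;
    if (checked_pixel_bytes(&h, &need) != 0)
        return -1;
    if (len - HEADER_LEN < need)   /* truncated pixel data */
        return -1;
    *pixels = malloc(need);
    if (*pixels == NULL)
        return -1;
    memcpy(*pixels, file + HEADER_LEN, need);
    return (long)need;
}

/* Constructed sample: a 2x2 24-bpp image with 12 bytes of pixel data. */
static const unsigned char GOOD_FILE[] = {
    0,0,0,2, 0,0,0,2, 0,0,0,24,
    0xff,0,0, 0,0xff,0, 0,0,0xff, 0xff,0xff,0xff };
/* Constructed sample: 65536x65536 at 32 bpp, no pixel data at all. */
static const unsigned char EVIL_FILE[] = {
    0,0,1,0, 0,0,1,0, 0,0,0,32 };

int main(void)
{
    unsigned char *px;
    struct img_header evil = { 0x10000u, 0x10000u, 32 };
    printf("naive size for evil header: %u bytes\n", naive_pixel_bytes(&evil));
    printf("good file decoded: %ld bytes\n", decode_pixels(GOOD_FILE, sizeof GOOD_FILE, &px));
    free(px);
    printf("evil file decoded: %ld\n", decode_pixels(EVIL_FILE, sizeof EVIL_FILE, &px));
    return 0;
}
```

The naive path reports 0 bytes for the oversized header, which is exactly the allocation an unchecked decoder would make before copying 65536 rows into it; the checked path rejects the same header without ever allocating.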

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Developers warned to secure AJAX design
By: Robert Lemos
A flaw in the way many asynchronous JavaScript and XML (AJAX) frameworks use script to communicate data between server and client allows malicious sites to hijack the conversation.
http://www.securityfocus.com/news/11456

2. TJX theft tops 45.6 million card numbers
By: Robert Lemos
In its annual filing to the U.S. Securities and Exchange Commission, the retail giant states that it will never be able to fully account for all the data stolen.
http://www.securityfocus.com/news/11455

3. Groups team to test secure-coding skill
By: Robert Lemos
A coalition of security companies and organizations teams up to create assessment tests that certify programmers' knowledge of secure-coding practices.
http://www.securityfocus.com/news/11454

4. Oracle sues rival for hacking, data theft
By: Robert Lemos
The database and enterprise software firm files a lawsuit against competitor SAP claiming that the German firm pilfered an enormous number of documents and software from Oracle's customer-only support systems.
http://www.securityfocus.com/news/11453

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. [Fwd: Finding License Codes for Re-install]
http://www.securityfocus.com/archive/88/465217

2. Running commands on workstations from domain controller
http://www.securityfocus.com/archive/88/465105

3. blocking thru IE
http://www.securityfocus.com/archive/88/465056

4. SecurityFocus Microsoft Newsletter #336
http://www.securityfocus.com/archive/88/464824

5. Discovering Active Directory users with blank passwords
http://www.securityfocus.com/archive/88/464483

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step" - White Paper
Blind SQL Injection can deliver total control of your server to a hacker, giving them the ability to read, write and manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=70160000000ClcR
