Wednesday, May 23, 2007

SecurityFocus Newsletter #402
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack"- White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise confidential information, steal cookies and create requests that can be mistaken for those of a valid user!! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/xss.asp?Campaign_ID=70160000000CqBQ


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Your Space, My Space, Everybody's Space
II. BUGTRAQ SUMMARY
1. Multiple Citrix Products Session Reliability Server Security Bypass Vulnerability
2. PHP Shared Memory Functions Resource Verification Arbitrary Code Execution Vulnerability
3. VIM Feedkeys and Writefile Functions Remote Code Execution Vulnerabilities
4. PHP PHP_Binary Heap Information Leak Vulnerability
5. ISC BIND Query_AddSOA Denial Of Service Vulnerability
6. ABC Excel Parser Pro Parser_Path Remote File Include Vulnerability
7. PHP GD Extension WBMP File Integer Overflow Vulnerabilities
8. PHP Filter_Var FILTER_VALIDATE_EMAIL Newline Injection Vulnerability
9. HLstats HLStats.PHP Multiple Cross Site Scripting Vulnerabilities
10. ClonusWiki Index.PHP HTML Injection Vulnerability
11. CubeCart Cart.Inc.PHP SQL Injection Vulnerability
12. Dart ZipLite Compression DartZipLite.DLL ActiveX Control Buffer Overflow Vulnerability
13. rdiffWeb Directory Traversal Vulnerability
14. Microsoft VDT Database Designer VDT70.DLL ActiveX Control Denial Of Service Vulnerability
15. Dokeos Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
16. Scallywag Template.PHP Multiple Remote File Include Vulnerabilities
17. 2z Project Rating.PHP Cross Site Scripting Vulnerability
18. Apple Safari Cross-Domain Browser Location Information Disclosure Vulnerability
19. NavBoard Admin_config.PHP Arbitrary Code Execution Vulnerability
20. Cisco CallManager Search Form Cross Site Scripting Vulnerability
21. Microsoft Office 2000 UA OUACTRL.OCX ActiveX Control Buffer Overflow Vulnerability
22. WÝYS Index.PHP Cross Site Scripting Vulnerability
23. NOD32 Multiple Buffer Overflow Vulnerabilities
24. SquirrelMail Multiple Cross Site Scripting Vulnerabilities
25. PopTop PPTP Server GRE Packet Denial Of Service Vulnerability
26. Cisco IOS SSL Packets Multiple Denial Of Service Vulnerabilities
27. PHP 5 Substr_Compare Integer Overflow Vulnerability
28. PHPPgAdmin SQLEdit.PHP Cross Site Scripting Vulnerability
29. MadWifi Multiple Denial of Service Vulnerabilities
30. Sky Software Shell MegaPack ActiveX ShComboBox ActiveX Control Buffer Overflow Vulnerability
31. EScan Agent Service MWAGENT.EXE Remote Buffer Overflow Vulnerability
32. PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability
33. Sun Java System Messenger Express Cross-Site Scripting Vulnerability
34. Magic ISO Maker Cue File Stack Buffer Overflow Vulnerability
35. KnowledgeTree Open Source Unspecified Security Bypass Vulnerability
36. PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities
37. PHP Soap Engine Make_HTTP_Soap_Request Weak Nonce HTTP Authentication Weakness
38. PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability
39. Samba NDR RPC Request Multiple Heap-Based Buffer Overflow Vulnerabilities
40. GIMP RAS File Buffer Overflow Vulnerability
41. Linux Kernel IPv6 TCP Sockets Local Denial of Service Vulnerability
42. Linux Kernel Netfilter NFNetLink_Log Multiple NULL Pointer Dereference Vulnerabilities
43. Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Information Disclosure Vulnerability
44. Linux Kernel IPV6_SockGlue.c NULL Pointer Dereference Vulnerability
45. Linux Kernel Netfilter nf_conntrack IPv6 Packet Reassembly Rule Bypass Vulnerability
46. MySQL IF Query Handling Remote Denial Of Service Vulnerability
47. MySQL Single Row SubSelect Remote Denial Of Service Vulnerability
48. Linux Kernel BINFMT_ELF PT_INTERP Local Information Disclosure Vulnerability
49. Samba SID Names Local Privilege Escalation Vulnerability
50. Linux Kernel NFSACL Denial of Service Vulnerability
51. Linux Kernel Omnikey CardMan 4040 Driver Local Buffer Overflow Vulnerability
52. Linux Kernel Key_Alloc_Serial() Local Denial of Service Vulnerability
53. Linux Kernel IBMTR.C Remote Denial of Service Vulnerability
54. Libevent DNS Parsing Denial Of Service Vulnerability
55. Freeciv Multiple Remote Denial of Service Vulnerabilities
56. KSign KSignSWAT ActiveX Control Multiple Buffer Overflow Vulnerabilities
57. Blender KMZ/KML Remote Command Execution Vulnerability
58. Mozilla Thunderbird/SeaMonkey/Firefox Multiple Remote Vulnerabilities
59. TCPDump IEEE802.11 printer Remote Buffer Overflow Vulnerability
60. GnuPG Signed Message Arbitrary Content Injection Weakness
61. Util-Linux Umount Filesystem NULL Pointer Dereference Vulnerability
62. Amarok Magnature Shell Command Injection Vulnerability
63. SpamAssassin Long URI Handling Remote Denial of Service Vulnerability
64. ClamAV MIME Header ID Parameter String Directory Traversal Vulnerability
65. ClamAV CAB File Remote Denial of Service Vulnerability
66. PHP Crypt Function Authentication Bypass Vulnerability
67. Samba MS-RPC Remote Shell Command Execution Vulnerability
68. Multiple BEA WebLogic Applications Multiple Vulnerabilities
69. GMTT Music Distro ShowOwn.PHP Cross Site Scripting Vulnerability
70. PHP FOpen Safe_Mode Restriction-Bypass Vulnerability
71. Xine DirectShow Loader Remote Buffer Overflow Vulnerability
72. MPlayer DMO File Parsing Buffer Overflow Vulnerability
73. Multiple Vendor Web Browser JavaScript Denial Of Service Vulnerability
74. Opera Web Browser JavaScript Denial Of Service Vulnerability
75. Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
76. Notepad++ Ruby Source File Processing Buffer Overflow Vulnerability
77. Opera Web Browser IRC Chat Client Remote Denial of Service Vulnerability
78. File(1) Command File_PrintF Integer Underflow Vulnerability
79. PHP 5 PHP_Stream_Filter_Create() Function Buffer Overflow Vulnerability
80. PHP Folded Mail Headers Email Header Injection Vulnerability
81. PHP Msg_Receive() Memory Allocation Integer Overflow Vulnerability
82. PHP Mail Function ASCIIZ Message Truncation Weakness
83. Opera Web Browser Torrent File Handling Buffer Overflow Vulnerability
84. PHP Hash Table Overwrite Arbitrary Code Execution Vulnerability
85. PHP Mb_Parse_Str Function Register_Globals Activation Weakness
86. PHP Session Identifier Rejection Double Free Memory Corruption Vulnerability
87. PHP Session_Regenerate_ID Function Double Free Memory Corruption Vulnerability
88. PostgreSQL Information Disclosure and Denial of Service Vulnerabilities
89. Samba Server VFS Plugin AFSACL.SO Remote Format String Vulnerability
90. Samba Deferred CIFS File Open Denial of Service Vulnerability
91. PHP Array_User_Key_Compare Function Memory Corruption Vulnerability
92. PsychoStats Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities
93. PHP BZip2/Zip Wrappers Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
94. PHP EXT/Filter HTML Stripping Bypass Vulnerability
95. Microsoft Internet Information Server Hit Highlighting Authentication Bypass Vulnerability
96. PHP EXT/Filter Function Remote Buffer Overflow Vulnerability
97. PHP ZVAL Reference Counter Integer Overflow Vulnerability
98. MIT Kerberos Administration Daemon Kadmind Double Free Memory Corruption Vulnerabilities
99. RSA BSAFE Library Remote ASN.1 Denial of Service Vulnerability
100. Apache Tomcat Mod_JK.SO Arbitrary Code Execution Vulnerability
III. SECURITYFOCUS NEWS
1. "Data storm" blamed for nuclear-plant shutdown
2. Experts scramble to quash IPv6 flaw
3. E-Gold charged with money laundering
4. A Mac gets whacked, a second survives
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
1. FINAL Call For Papers: Chaos Communication Camp 2007, Berlin
2. TCP/IP Vulnerability
3. program for SyScan'07
4. Reminder: VNSECON 07 Call for Papers ends on June 08
VII. MICROSOFT FOCUS LIST SUMMARY
1. Compromising the Windows Service or Driver failure event sink
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
1. Security Videos
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Your Space, My Space, Everybody's Space
By Mark Rasch
Privacy is about protecting data when somebody wants it for some purpose. It is easy to protect data that nobody wants.
http://www.securityfocus.com/columnists/444


II. BUGTRAQ SUMMARY
--------------------
1. Multiple Citrix Products Session Reliability Server Security Bypass Vulnerability
BugTraq ID: 24116
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24116
Summary:
Multiple Citrix products are prone to a security-bypass vulnerability because they fail to adequately enforce network-security policies.

An attacker can exploit this issue to gain unauthorized access to otherwise restricted ports on a vulnerable computer.

NOTE: This issue affects only Citrix products that have Session Reliability enabled.

2. PHP Shared Memory Functions Resource Verification Arbitrary Code Execution Vulnerability
BugTraq ID: 22862
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22862
Summary:
PHP shared memory functions (shmop) are prone to an arbitrary-code-execution vulnerability.

An attacker may exploit this issue to execute arbitrary code within the context of the affected webserver. The attacker may also gain access to RSA keys of the SSL certificate.

This issue affects PHP 4 versions prior to 4.4.5 and PHP 5 versions prior to 5.2.1.

3. VIM Feedkeys and Writefile Functions Remote Code Execution Vulnerabilities
BugTraq ID: 23725
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23725
Summary:
VIM is prone to multiple vulnerabilities that permit a remote attacker to execute arbitrary code.

The attacker could exploit these issues by enticing a victim to load a malicious file. A successful exploit could allow arbitrary code to run within the context of the affected application.

4. PHP PHP_Binary Heap Information Leak Vulnerability
BugTraq ID: 22805
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22805
Summary:
PHP 'php_binary' serialization handler is prone to a heap-information leak.

The vulnerability arises because of a missing boundary check in the extraction of variable names. A local attacker can exploit this issue to obtain sensitive information (such as heap offsets and canaries) that may aid in other attacks.

These versions are affected:

PHP4 versions prior to 4.4.5
PHP5 versions prior to 5.2.1

Updates are available.

5. ISC BIND Query_AddSOA Denial Of Service Vulnerability
BugTraq ID: 23738
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23738
Summary:
ISC BIND is prone to a denial-of-service vulnerability because it fails to handle certain sequences of malicious queries.

NOTE: Only applications configured with the 'recursion' directive/attribute enabled are vulnerable to this issue.

An attacker can exploit this issue to cause the application to exit, denying service to legitimate users.

ISC BIND 9.40, 9.5.0a1, 9.5.0a2, and 9.5.0a3 are vulnerable.

6. ABC Excel Parser Pro Parser_Path Remote File Include Vulnerability
BugTraq ID: 24103
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24103
Summary:
ABC Excel Parser Pro is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

ABC Excel Parser Pro 4.0 is vulnerable; other versions may also be affected.

7. PHP GD Extension WBMP File Integer Overflow Vulnerabilities
BugTraq ID: 23357
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23357
Summary:
PHP's GD extension is prone to two integer-overflow vulnerabilities because it fails to ensure that integer values aren't overrun.

Successfully exploiting these issues allows attackers to crash the affected application, potentially denying service to legitimate users. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

PHP 5.2.1 and prior versions are vulnerable.

8. PHP Filter_Var FILTER_VALIDATE_EMAIL Newline Injection Vulnerability
BugTraq ID: 23359
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23359
Summary:
PHP is prone to an email-newline-injection vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow a malicious user to create arbitrary email headers, and then create and transmit spam messages from the affected computer.

9. HLstats HLStats.PHP Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 24102
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24102
Summary:
HLstats is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Exploiting these issues may help an attacker steal cookie-based authentication credentials and launch other attacks.

HLstats 1.35 is vulnerable; other versions may also be affected.

10. ClonusWiki Index.PHP HTML Injection Vulnerability
BugTraq ID: 24101
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24101
Summary:
ClonusWiki is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

This issue is reported to affect ClonusWiki 0.5.

11. CubeCart Cart.Inc.PHP SQL Injection Vulnerability
BugTraq ID: 24100
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24100
Summary:
CubeCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CubeCart 3.0.16 is reported vulnerable; other versions may also be affected.

12. Dart ZipLite Compression DartZipLite.DLL ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 24099
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24099
Summary:
The Dart ZipLite Compression ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Dart ZipLite Compression ActiveX control 1.8.5.3 is vulnerable to this issue; other versions may also be affected.

13. rdiffWeb Directory Traversal Vulnerability
BugTraq ID: 24092
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24092
Summary:
rdiffWeb is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.

This issue affects rdiffWeb 0.3.5; other versions may also be affected.

14. Microsoft VDT Database Designer VDT70.DLL ActiveX Control Denial Of Service Vulnerability
BugTraq ID: 24127
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24127
Summary:
Microsoft Visual Database Tools Database Designer ActiveX Control is prone to a denial-of-service vulnerability because the application fails to handle overly long user-supplied strings.

Attackers can exploit this issue to crash Internet Explorer or other applications that use the vulnerable ActiveX control, resulting in denial-of-service conditions.

NOTE: Due to the nature of this vulnerability, attackers may be able to leverage the issue to execute remote code; however, this has not been confirmed.

15. Dokeos Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
BugTraq ID: 24125
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24125
Summary:
Dokeos is prone to multiple input-validation vulnerabilities, including SQL-injection and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Version 1.8.0 is vulnerable; other versions may also be affected.

16. Scallywag Template.PHP Multiple Remote File Include Vulnerabilities
BugTraq ID: 24124
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24124
Summary:
Scallywag is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

17. 2z Project Rating.PHP Cross Site Scripting Vulnerability
BugTraq ID: 24122
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24122
Summary:
2z Project is prone to a cross-site scripting vulnerability.

This vulnerability potentially allows an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

Version 0.9.5 is reported vulnerable; other versions may also be affected.

18. Apple Safari Cross-Domain Browser Location Information Disclosure Vulnerability
BugTraq ID: 24121
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24121
Summary:
Apple Safari is prone to an information-disclosure vulnerability because it fails to properly enforce cross-domain JavaScript restrictions.

This issue may allow attackers to obtain access to locations that a user visits, even if it's in a different domain than the attacker's site. The most common manifestation of this condition would typically be in blogs or forums. This may allow attackers to gain access to potentially sensitive information that would facilitate the success of phishing attacks.

This issue affects Safari version 2.0.4; other versions may also be affected.

19. NavBoard Admin_config.PHP Arbitrary Code Execution Vulnerability
BugTraq ID: 24120
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24120
Summary:
NavBoard is prone to an arbitrary-code-execution vulnerability.

An attacker can exploit this vulnerability to create and execute arbitrary script code in the context of the webserver process.

NavBoard version 1.6.0 is vulnerable to this issue.

It should be noted that a successful exploit of this vulnerability requires that the attacker has administrative privileges to the application.

20. Cisco CallManager Search Form Cross Site Scripting Vulnerability
BugTraq ID: 24119
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24119
Summary:
Cisco CallManager is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

This vulnerability potentially allows an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

Version 4.1.1 is reported vulnerable; other versions may also be affected.

21. Microsoft Office 2000 UA OUACTRL.OCX ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 24118
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24118
Summary:
Microsoft Office 2000 UA ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

22. WÝYS Index.PHP Cross Site Scripting Vulnerability
BugTraq ID: 24117
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24117
Summary:
WÝYS is prone to a cross-site scripting vulnerability.

This vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

WÝYS version 1.0 is reported vulnerable; other versions may also be affected.

23. NOD32 Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 24098
Remote: No
Last Updated: 2007-05-22
Relevant URL: http://www.securityfocus.com/bid/24098
Summary:
NOD32 is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit these issues to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause denial-of-service conditions.

These issues affect NOD32 2.7 prior to update 2.70.37.0.

24. SquirrelMail Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 23910
Remote: Yes
Last Updated: 2007-05-22
Relevant URL: http://www.securityfocus.com/bid/23910
Summary:
SquirrelMail is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.

25. PopTop PPTP Server GRE Packet Denial Of Service Vulnerability
BugTraq ID: 23886
Remote: Yes
Last Updated: 2007-05-22
Relevant URL: http://www.securityfocus.com/bid/23886
Summary:
PoPToP PPTP Server is prone to a denial-of-service vulnerability because it fails to adequately handle certain malformed packet data.

Attackers can exploit this issue to disconnect arbitrary PPTP connections.

PoPToP PPTP Server 1.3.4 is vulnerable; other versions may also be affected.

26. Cisco IOS SSL Packets Multiple Denial Of Service Vulnerabilities
BugTraq ID: 24097
Remote: Yes
Last Updated: 2007-05-22
Relevant URL: http://www.securityfocus.com/bid/24097
Summary:
Cisco IOS is prone to multiple denial-of-service vulnerabilities because it fails to handle malformed SSL packets.

Attackers can exploit these issues to cause denial-of-service conditions on an affected device.

NOTE: Attackers can exploit these issues only via an established TCP connection, but only prior to security authentication. An attacker can, however, interrupt a secure session and inject malicious packets when a new session is started. Due to these factors, the likelihood of successful attacks is reduced.

27. PHP 5 Substr_Compare Integer Overflow Vulnerability
BugTraq ID: 22851
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22851
Summary:
PHP 5 'substr_compare()' function is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun.

A local attacker can exploit this vulnerability to obtain sensitive information (such as stack offsets, variables, and canaries) that may aid in other attacks.

PHP 5.2.1 and earlier versions are reported vulnerable to this issue.

28. PHPPgAdmin SQLEdit.PHP Cross Site Scripting Vulnerability
BugTraq ID: 24115
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24115
Summary:
phpPgAdmin is prone to a cross-site scripting vulnerability.

Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

phpPgAdmin 4.1.1 is reported vulnerable; other versions may also be affected.

29. MadWifi Multiple Denial of Service Vulnerabilities
BugTraq ID: 24114
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24114
Summary:
MadWifi is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may permit attackers to cause system crashes and deny service to legitimate users.

Versions of MadWifi prior to 0.9.3.1 are vulnerable.

30. Sky Software Shell MegaPack ActiveX ShComboBox ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 24113
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24113
Summary:
Sky Software Shell MegaPack ActiveX ShComboBox ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Shell MegaPack ActiveX 8.0 is vulnerable to this issue; other versions may also be affected.

31. EScan Agent Service MWAGENT.EXE Remote Buffer Overflow Vulnerability
BugTraq ID: 24112
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24112
Summary:
eScan is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. A successful remote exploit of this issue would result in the complete compromise of affected computers.

This issue affects eScan 9.0.715.1; other versions may also be affected.

32. PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability
BugTraq ID: 24111
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24111
Summary:
PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files.

An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations.

This issue affects PEAR 1.0 to 1.5.3.

33. Sun Java System Messenger Express Cross-Site Scripting Vulnerability
BugTraq ID: 20832
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/20832
Summary:
Sun Java System Messenger Express is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Specific information regarding affected versions of Sun Java System Messenger Express is not currently available; this BID will be updated as more information is disclosed.

34. Magic ISO Maker Cue File Stack Buffer Overflow Vulnerability
BugTraq ID: 24029
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24029
Summary:
Magic ISO Maker is prone to a remote stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the affected library. Failed exploit attempts will likely result in denial-of-service conditions.

Magic ISO Maker 5.4(build239) is vulnerable; other versions may also be affected.

35. KnowledgeTree Open Source Unspecified Security Bypass Vulnerability
BugTraq ID: 24110
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24110
Summary:
KnowledgeTree Open Source is prone to a security-bypass vulnerability.

A remote attacker may log on to the KnowledgeTree DMS Administration panel from Active Directory without a password. Attackers can exploit this issue to compromise the application; other attacks are also possible.

Versions of KnowledgeTree Open Source prior to 3.3.7 are vulnerable to this issue.

36. PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 23813
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23813
Summary:
PHP is prone to three remote buffer-overflow vulnerabilities because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit these issues to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

All three issues affect PHP 5.2.1 and prior versions; PHP 4.4.6 and prior versions are affected only by one of the issues.

Few details are available at the moment. These issues may have been previously described in other BIDs. This record may be updated or retired if further analysis shows that these issues have been reported in the past.

37. PHP Soap Engine Make_HTTP_Soap_Request Weak Nonce HTTP Authentication Weakness
BugTraq ID: 24034
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24034
Summary:
PHP Soap Engine is prone to an authentication weakness.

Successfully exploiting this issue would allow an attacker to obtain information about the nonce used for the digest authentication. Information obtained may allow the attacker to bypass certain security restrictions and potentially gain unauthorized access to the affected application.

38. PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability
BugTraq ID: 23818
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23818
Summary:
PHP is prone to an HTTP-response-splitting vulnerability because it fails to sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

This issue affects these versions:

PHP 5 prior to 5.2.2
PHP 4 prior to 4.4.7

39. Samba NDR RPC Request Multiple Heap-Based Buffer Overflow Vulnerabilities
BugTraq ID: 23973
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23973
Summary:
Samba is prone to multiple remote heap-based buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit these issues to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

These issues affect Samba 3.0.25rc3 and prior versions.

40. GIMP RAS File Buffer Overflow Vulnerability
BugTraq ID: 23680
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23680
Summary:
GIMP is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of the affected application.

GIMP 2.2.14 is vulnerable to this issue; other versions may also be affected.

41. Linux Kernel IPv6 TCP Sockets Local Denial of Service Vulnerability
BugTraq ID: 23104
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23104
Summary:
The Linux kernel is prone to a denial-of-service vulnerability.

Exploiting this issue allows local attackers to cause the kernel to crash, effectively denying service to legitimate users. Attackers may also be able to execute arbitrary code with elevated privileges, but this has not been confirmed.

This issue affects the Linux kernel 2.6 series.

42. Linux Kernel Netfilter NFNetLink_Log Multiple NULL Pointer Dereference Vulnerabilities
BugTraq ID: 22946
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22946
Summary:
The Linux kernel is prone to multiple NULL-pointer dereference vulnerabilities.

A local attacker can exploit these issues to crash the affected kernel, denying service to legitimate users.

43. Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Information Disclosure Vulnerability
BugTraq ID: 22904
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22904
Summary:
Linux Kernel is prone to an information-disclosure vulnerability because it fails to handle unexpected user-supplied input.

Successful exploits will allow attackers to obtain portions of kernel memory. Information harvested may be used in further attacks.

Kernel versions 2.6.0 up to 2.6.20.1 are vulnerable to this issue.

44. Linux Kernel IPV6_SockGlue.c NULL Pointer Dereference Vulnerability
BugTraq ID: 23142
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23142
Summary:
The Linux kernel is prone to a NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to execute arbitrary code with elevated privileges, but this has not been confirmed.

45. Linux Kernel Netfilter nf_conntrack IPv6 Packet Reassembly Rule Bypass Vulnerability
BugTraq ID: 23976
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23976
Summary:
The Linux kernel is prone to a vulnerability that lets attackers bypass firewall rules. This issue occurs because the Linux 'netfilter' code fails to properly classify network packets.

Successfully exploiting this issue allows attackers to bypass firewall rules, potentially aiding them in further network-based attacks.

Linux kernel versions in the 2.6 series prior to 2.6.20.3 are vulnerable to this issue.

46. MySQL IF Query Handling Remote Denial Of Service Vulnerability
BugTraq ID: 23911
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23911
Summary:
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.

An attacker can exploit this issue to crash the application, denying access to legitimate users.

NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be through legitimate means or by exploiting other latent SQL-injection vulnerabilities.

Versions prior to 5.0.40 are vulnerable.

47. MySQL Single Row SubSelect Remote Denial Of Service Vulnerability
BugTraq ID: 22900
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22900
Summary:
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain SELECT statements that query database metadata.

An attacker can exploit this issue to crash the application, denying access to legitimate users. The attacker may also be able to execute arbitrary code, but this has not yet been confirmed.

NOTE: An attacker must be able to execute arbitrary SELECT statements on the vulnerable computer to exploit this issue. This may be through legitimate means or by exploiting other latent SQL-injection vulnerabilities.

Versions prior to 5.0.36 are vulnerable.

48. Linux Kernel BINFMT_ELF PT_INTERP Local Information Disclosure Vulnerability
BugTraq ID: 22903
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22903
Summary:
The Linux kernel is prone to a vulnerability in the Linux ELF binary loader. Exploiting this issue can allow local attackers to gain access to privileged information.

An attacker may be able to obtain sensitive data that can potentially be used to gain elevated privileges.

This issue is a variant of the vulnerability assigned CVE candidate ID CAN-2004-1073, which is documented in BID 11646.

Linux Kernel versions in the 2.6.0 branch prior to 2.6.20 are vulnerable; versions in the 2.4.0 branch may also be affected.

49. Samba SID Names Local Privilege Escalation Vulnerability
BugTraq ID: 23974
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23974
Summary:
Samba is prone to a local privilege-escalation vulnerability due to a logic error in the 'smbd' daemon's internal security stack.

An attacker can exploit this issue to temporarily perform SMB/CIFS operations with superuser privileges. The attacker may leverage this issue to gain superuser access to the server.

Samba 3.0.23d through 3.0.25pre2 are vulnerable.

50. Linux Kernel NFSACL Denial of Service Vulnerability
BugTraq ID: 22625
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22625
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected computer, denying service to legitimate users.

This issue affects the Linux kernel 2.6 series up to 2.6.20.

51. Linux Kernel Omnikey CardMan 4040 Driver Local Buffer Overflow Vulnerability
BugTraq ID: 22870
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22870
Summary:
The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.

This issue allows local attackers to overwrite kernel memory with arbitrary data, potentially allowing them to execute malicious machine code in the context of affected kernels. Exploiting this vulnerability facilitates the complete compromise of affected computers.

Linux kernel versions prior to 2.6.21-rc3 are affected by this issue.

52. Linux Kernel Key_Alloc_Serial() Local Denial of Service Vulnerability
BugTraq ID: 22539
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22539
Summary:
The Linux Kernel is prone to a denial-of-service vulnerability.

A successful attack can allow local attackers to trigger a crash and deny service to legitimate users.

Kernel versions 2.6.x are vulnerable.

53. Linux Kernel IBMTR.C Remote Denial of Service Vulnerability
BugTraq ID: 21490
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/21490
Summary:
The Linux kernel is prone to a remote denial-of-service vulnerability.

This vulnerability resides in the 'drivers/net/tokenring/ibmtr.c' file.

Exploiting this vulnerability can allow remote attackers to crash the affected kernel, resulting in denial-of-service conditions. Attackers may also be able to execute arbitrary code, but this has not been confirmed.

Kernel versions from 2.6.0 up to and including 2.6.19 are vulnerable to this issue.

54. Libevent DNS Parsing Denial Of Service Vulnerability
BugTraq ID: 22606
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22606
Summary:
Libevent is prone to a denial-of-service vulnerability.

A remote attacker may exploit this issue to cause the application to crash, denying further service to legitimate users.

Versions 1.2 to 1.2a are vulnerable to this issue.

55. Freeciv Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 19117
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/19117
Summary:
Freeciv server is prone to multiple remote denial-of-service vulnerabilities.

A remote attacker may exploit these issues to deny service to legitimate users by sending malicious packets to a server.

Freeciv 2.1.0-beta1 and prior versions are affected by these issues.

56. KSign KSignSWAT ActiveX Control Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 24088
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24088
Summary:
KSign KSignSWAT ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

KSign KSignSWAT ActiveX control 2.0.3.3 is vulnerable; other versions may also be affected.

57. Blender KMZ/KML Remote Command Execution Vulnerability
BugTraq ID: 22770
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22770
Summary:
Blender is prone to a remote command-execution vulnerability.

An attacker could exploit this issue by enticing an unsuspecting victim to open a malicious file. A successful exploit will allow arbitrary Python commands to run within the privileges of the currently logged-in user.

58. Mozilla Thunderbird/SeaMonkey/Firefox Multiple Remote Vulnerabilities
BugTraq ID: 22694
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22694
Summary:
The Mozilla Foundation has released six security advisories specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- Execute arbitrary code
- Cause denial-of-service conditions
- Perform cross-site scripting attacks
- Obtain potentially sensitive information
- Spoof legitimate content

Other attacks may also be possible.

59. TCPDump IEEE802.11 printer Remote Buffer Overflow Vulnerability
BugTraq ID: 22772
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22772
Summary:
The 'tcpdump' utility is prone to a heap-based buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary malicious code in the context of the user running the affected application. Failed exploit attempts will likely crash the affected application.

This issue affects tcpdump 3.9.5 and prior versions.

60. GnuPG Signed Message Arbitrary Content Injection Weakness
BugTraq ID: 22757
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22757
Summary:
GnuPG is prone to a weakness that may allow an attacker to add arbitrary content into a message without the end user knowing.

An attacker may be able to exploit this issue in applications using GnuPG to add arbitrary content into a signed and/or encrypted message.

Exploiting this issue depends on the individual application's use of GnuPG. Individual records will be created detailing this issue in affected applications.

61. Util-Linux Umount Filesystem NULL Pointer Dereference Vulnerability
BugTraq ID: 22850
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22850
Summary:
Util-Linux 'umount' is prone to a NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to obtain sensitive information, including the contents of core files.

Util-Linux Umount implemented on Linux kernel 2.6.15 is reported vulnerable to this issue.

62. Amarok Magnature Shell Command Injection Vulnerability
BugTraq ID: 22568
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22568
Summary:
Amarok Magnature is prone to a shell command-injection vulnerability.

Commands executed through this vulnerability could permit an attacker to gain access to a vulnerable system.

63. SpamAssassin Long URI Handling Remote Denial of Service Vulnerability
BugTraq ID: 22584
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22584
Summary:
SpamAssassin is prone to a remote denial-of-service vulnerability.

This issue arises when the application handles excessively long URIs.

SpamAssassin versions prior to 3.1.8 are vulnerable to this issue.

64. ClamAV MIME Header ID Parameter String Directory Traversal Vulnerability
BugTraq ID: 22581
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22581
Summary:
ClamAV is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to create or overwrite arbitrary files on vulnerable computers in the context of the affected application. This may aid in further attacks.

This issue affects ClamAV versions prior to the 0.90 stable release.

65. ClamAV CAB File Remote Denial of Service Vulnerability
BugTraq ID: 22580
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22580
Summary:
ClamAV is prone to a denial-of-service vulnerability.

An attacker can exploit this vulnerability to prevent the software from scanning certain types of data. When it encounters the data, the application will reject it. This can result in denial-of-service conditions.

Versions prior to 0.90 stable are vulnerable.

66. PHP Crypt Function Authentication Bypass Vulnerability
BugTraq ID: 24109
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24109
Summary:
PHP is prone to an authentication-bypass vulnerability that stems from a race condition in the 'crypt()' function.

An attacker could exploit the vulnerability in the 'crypt()' function to gain unauthorized access to an affected application.

67. Samba MS-RPC Remote Shell Command Execution Vulnerability
BugTraq ID: 23972
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23972
Summary:
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application.

This issue affects Samba 3.0.0 to 3.0.25rc3.

68. Multiple BEA WebLogic Applications Multiple Vulnerabilities
BugTraq ID: 23979
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23979
Summary:
Multiple BEA WebLogic applications are affected by multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, directory-traversal, security-bypass, brute-force, and denial-of-service issues.

An attacker can exploit these issues to gain privileged access to affected applications, to access potentially sensitive information that could aid in further attacks, or to deny service to legitimate users. Successful attacks can result in the compromise of the applications. Other attacks are also possible.

69. GMTT Music Distro ShowOwn.PHP Cross Site Scripting Vulnerability
BugTraq ID: 24108
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24108
Summary:
GMTT Music Distro is prone to a cross-site scripting vulnerability.

This vulnerability potentially allows an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

GMTT Music Distro 1.2 is reported vulnerable; other versions may also be affected.

70. PHP FOpen Safe_Mode Restriction-Bypass Vulnerability
BugTraq ID: 22261
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22261
Summary:
PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations; other attacks may also be possible.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, all assuming that the 'safe_mode' restriction will isolate users from each other.

This issue is reported to affect PHP version 5.2.0; other versions may also be vulnerable.

71. Xine DirectShow Loader Remote Buffer Overflow Vulnerability
BugTraq ID: 22933
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22933
Summary:
Xine is prone to a remote buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied input into finite-sized buffers.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.

72. MPlayer DMO File Parsing Buffer Overflow Vulnerability
BugTraq ID: 22771
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22771
Summary:
MPlayer is susceptible to a buffer-overflow vulnerability when it attempts to process malformed video files. This issue occurs because the application fails to perform proper bounds-checking on user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

MPlayer version 1.0rc1 is vulnerable to this issue; previous versions may also be affected.

73. Multiple Vendor Web Browser JavaScript Denial Of Service Vulnerability
BugTraq ID: 10998
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/10998
Summary:
Web browsers from multiple vendors are reported susceptible to a denial-of-service vulnerability.

The specified JavaScript code will consume 100% of the CPU resources of the affected computer. The browser will then reportedly crash.

Mozilla Firefox, Microsoft Internet Explorer, and Opera are all reportedly affected by this vulnerability.

Update: This BID is being retired as this is not considered a security vulnerability.

74. Opera Web Browser JavaScript Denial Of Service Vulnerability
BugTraq ID: 10997
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/10997
Summary:
Opera is a web browser available for a number of platforms, including Microsoft Windows, Linux and Unix variants and Apple MacOS.

Opera Web Browser is reported to be susceptible to a JavaScript denial-of-service vulnerability.

This vulnerability presents itself when Opera attempts to execute a specific JavaScript command. Upon executing this command, Opera will reportedly crash.

This vulnerability was reported to exist in version 7.23 of Opera for Microsoft Windows. Other versions are also likely affected.

75. Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
BugTraq ID: 21930
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/21930
Summary:
Microsoft Windows is prone to a buffer-overrun vulnerability that arises because of an error in the processing of Vector Markup Language documents.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application.

76. Notepad++ Ruby Source File Processing Buffer Overflow Vulnerability
BugTraq ID: 23961
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23961
Summary:
Notepad++ is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer while importing Ruby source files.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the user running the affected application.

Notepad++ 4.1 is vulnerable to this issue; previous versions may be affected as well.

Scintilla 1.73 is vulnerable to this issue; other versions and applications that use the vulnerable Scintilla DLL file ('SciLexer.dll') are vulnerable as well.

77. Opera Web Browser IRC Chat Client Remote Denial of Service Vulnerability
BugTraq ID: 19491
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/19491
Summary:
Opera Web Browser IRC chat client is prone to a remote denial-of-service vulnerability.

A successful attack can allow the attacker to trigger a crash in the client and deny service to legitimate users.

This issue affects Opera Web Browser 9. Other versions may be vulnerable as well.

78. File(1) Command File_PrintF Integer Underflow Vulnerability
BugTraq ID: 23021
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23021
Summary:
The file(1) command is prone to an integer-underflow vulnerability because the command fails to adequately handle user-supplied data.

An attacker can leverage this issue to corrupt heap memory and execute arbitrary code with the privileges of a user running the command. A successful attack may result in the compromise of affected computers. Failed attempts will likely cause denial-of-service conditions.

Versions prior to 4.20 are vulnerable.

79. PHP 5 PHP_Stream_Filter_Create() Function Buffer Overflow Vulnerability
BugTraq ID: 23237
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23237
Summary:
PHP is prone to a buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit this issue remotely by supplying a 'php://filter' URL to one of the file functions.

The attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

Successful exploits for this issue will depend on the application's heap-memory implementation. PHP version 5.2.0 introduced a new memory manager that makes all little-endian platforms exploitable.

This issue affects PHP versions prior to 5.2.1.

80. PHP Folded Mail Headers Email Header Injection Vulnerability
BugTraq ID: 23145
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23145
Summary:
PHP is prone to an email-header-injection vulnerability because it fails to properly sanitize user-supplied input when constructing email messages.

Exploiting this issue allows a malicious user to create arbitrary email headers, and then create and transmit spam messages from the affected computer.

The following versions are vulnerable:

PHP 4 up to and including 4.4.6
PHP 5 up to and including 5.2.1

81. PHP Msg_Receive() Memory Allocation Integer Overflow Vulnerability
BugTraq ID: 23236
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23236
Summary:
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects PHP versions prior to 4.4.5 and 5.2.1.

82. PHP Mail Function ASCIIZ Message Truncation Weakness
BugTraq ID: 23146
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23146
Summary:
PHP is prone to a weakness that allows attackers to truncate email text.

Successful exploits may allow attackers to truncate email text to manipulate message content. This may potentially assist in phishing or other attacks.

This issue affects PHP versions 4 to 4.4.6 and 5 to 5.2.1.

83. Opera Web Browser Torrent File Handling Buffer Overflow Vulnerability
BugTraq ID: 24080
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24080
Summary:
The Opera Web Browser is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.

Exploiting this issue may allow an attacker to execute arbitrary code with the privileges of the user running the affected application.

Versions of Opera prior to 9.21 are vulnerable.

NOTE: This issue is reported to affect only Opera running on Microsoft Windows.

84. PHP Hash Table Overwrite Arbitrary Code Execution Vulnerability
BugTraq ID: 23119
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23119
Summary:
PHP is prone to an arbitrary-code-execution vulnerability.

An attacker may exploit this issue to execute arbitrary code within the context of the affected webserver.

This issue affects PHP 4 (prior to 4.4.5) and PHP 5 (prior to 5.2.1).

85. PHP Mb_Parse_Str Function Register_Globals Activation Weakness
BugTraq ID: 23016
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23016
Summary:
PHP is prone to a weakness that allows attackers to enable the 'register_globals' directive because the application fails to handle a memory-limit exception.

Enabling the PHP 'register_globals' directive may allow attackers to further exploit latent vulnerabilities in PHP scripts.

This issue is related to the weakness found in the non-multibyte 'parse_str()' from BID 15249 - PHP Parse_Str Register_Globals Activation Weakness.

This issue affects PHP versions 4 to 4.4.6 and 5 to 5.2.1.

86. PHP Session Identifier Rejection Double Free Memory Corruption Vulnerability
BugTraq ID: 22971
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22971
Summary:
PHP is prone to a double-free memory-corruption vulnerability.

Attackers may be able to exploit this issue to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions.

This issue is proven to be locally exploitable. Remote attack vectors may also be possible, but this is yet to be confirmed.

This issue affects PHP versions 5.2.0 and 5.2.1.

87. PHP Session_Regenerate_ID Function Double Free Memory Corruption Vulnerability
BugTraq ID: 22968
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22968
Summary:
PHP is prone to a double-free memory-corruption vulnerability.

Attackers may be able to exploit this issue to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions.

This issue is proven to be locally exploitable. Remote attack vectors may also be possible, but this is yet to be confirmed.

This issue affects PHP versions 5 to 5.2.1. PHP version 4 is vulnerable only if successful remote exploits are proven.

88. PostgreSQL Information Disclosure and Denial of Service Vulnerabilities
BugTraq ID: 22387
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22387
Summary:
PostgreSQL is prone to information-disclosure and denial-of-service vulnerabilities; fixes are available.

An attacker can exploit these vulnerabilities to cause the backend database to crash and reveal sensitive information. This may lead to other attacks.

These issues affect versions 8.0, 8.1, and 8.2. The second issue described also affects versions 7.3 and 7.4.

89. Samba Server VFS Plugin AFSACL.SO Remote Format String Vulnerability
BugTraq ID: 22403
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22403
Summary:
Samba is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of users running the affected application. This facilitates the remote compromise of affected computers.

Samba versions 3.0.6 to 3.0.23d are vulnerable.

90. Samba Deferred CIFS File Open Denial of Service Vulnerability
BugTraq ID: 22395
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22395
Summary:
The smbd daemon is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to consume excessive memory resources, ultimately crashing the affected application.

This issue affects Samba versions 3.0.6 through 3.0.23d, inclusive.

91. PHP Array_User_Key_Compare Function Memory Corruption Vulnerability
BugTraq ID: 22990
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22990
Summary:
PHP is prone to a memory-corruption vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions.

This issue is proven to be locally exploitable.

The vulnerability affects these versions:

PHP 4.x prior to 4.4.6
PHP 5.x prior to 5.2.1

92. PsychoStats Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 24106
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24106
Summary:
PsychoStats is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PsychoStats 3.0.6b is vulnerable; other versions may also be affected.

93. PHP BZip2/Zip Wrappers Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
BugTraq ID: 22954
Remote: No
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22954
Summary:
PHP is prone to multiple 'safe_mode' and 'open_basedir' restriction-bypass vulnerabilities. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.

These vulnerabilities would be issues in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.

PHP 5.2.1 and prior versions are vulnerable to these issues.

94. PHP EXT/Filter HTML Stripping Bypass Vulnerability
BugTraq ID: 22914
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22914
Summary:
The PHP ext/filter content filter is prone to a filter-bypass vulnerability.

Successful exploitation can allow an attacker to bypass the security filter responsible for blocking potentially malicious HTML content.

An attacker can exploit this issue in PHP applications that use the vulnerable filter to potentially inject malicious HTML content.

95. Microsoft Internet Information Server Hit Highlighting Authentication Bypass Vulnerability
BugTraq ID: 24105
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24105
Summary:
Microsoft IIS is prone to an authentication-bypass vulnerability due to its implementation of 'Hit-highlighting' functionality.

Attackers can exploit this issue to access private files hosted on an IIS website. Successful exploits may allow attackers to gain access to potentially sensitive information. Other attacks are possible.

NOTE: Presumably, accessing a Trusted Zone may allow attackers to execute commands; this has not been confirmed.

96. PHP EXT/Filter Function Remote Buffer Overflow Vulnerability
BugTraq ID: 22922
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22922
Summary:
PHP is prone to a remote buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

PHP 5.2.0 is reported vulnerable; other versions may also be affected.

This issue was originally reported as an unspecified vulnerability in BID 22496 (PHP Version 5.2.0 and Prior Multiple Vulnerabilities). Due to the availability of more details, this issue is being assigned a new BID.

97. PHP ZVAL Reference Counter Integer Overflow Vulnerability
BugTraq ID: 22765
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22765
Summary:
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values are not overrun.

A local attacker can exploit this vulnerability to execute arbitrary PHP scripts within the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.

Note: According to 'MOPB-04-2007: PHP 4 unserialize() ZVAL Reference Counter Overflow', this issue may be remotely triggered in PHP 4.4.4 environments because many legacy PHP applications still call 'unserialize()' on user-supplied data. 'unserialize()' invokes the '__wakeup()' method of deserialized objects in an unsafe manner that may lead to remote arbitrary code execution. This BID has been updated to reflect the possibility of remote exploitation in PHP 4.4.4 environments.
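
To make the mechanism concrete, here is an added toy model in C (not PHP's code) of a reference counter that is too narrow for the number of references an attacker can make a deserializer create. The counter is 16 bits wide, as PHP 4's zval refcount was; PHP's real allocator, zval layout and 'unserialize()' logic are not reproduced. The object keeps a separate 'holders' count as ground truth so the demo can show the counter disagreeing with reality, and it sets a flag instead of calling free() so the demo is safe to run. The chosen number of references, 65537, wraps the 16-bit counter back to 1, so the very first release "frees" the value while 65536 references still point at it; that dangling state is the use-after-free a real overflow turns into memory corruption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted value. The 16-bit counter is the point of the example;
 * the other fields exist only so the demo can observe what went wrong. */
typedef struct {
    uint16_t refcount;   /* narrow, silently wrapping counter */
    uint32_t holders;    /* ground truth: how many references really exist */
    int freed;           /* set instead of calling free(), keeps the demo safe */
    char data[16];
} toy_zval;

static toy_zval *toy_new(const char *s)
{
    toy_zval *z = calloc(1, sizeof *z);
    if (z == NULL) abort();
    z->refcount = 1;
    z->holders = 1;
    strncpy(z->data, s, sizeof z->data - 1);
    return z;
}

/* Vulnerable: increments blindly. 65535 + 1 becomes 0 in a uint16_t. */
static void toy_addref_unchecked(toy_zval *z)
{
    z->refcount++;
    z->holders++;
}

/* Hardened: refuse a reference the counter cannot represent (fail closed). */
static int toy_addref_checked(toy_zval *z)
{
    if (z->refcount == UINT16_MAX) return -1;
    z->refcount++;
    z->holders++;
    return 0;
}

/* Drop one reference. Returns 1 if the value was released (would be freed). */
static int toy_delref(toy_zval *z)
{
    z->holders--;
    if (--z->refcount == 0) {
        z->freed = 1;
        return 1;
    }
    return 0;
}

/* Model a deserializer materialising n_refs references to one value, then
 * the first holder releasing its reference. Returns 1 if that release frees
 * the value while other holders still point at it (a dangling reference). */
static int overflow_demo(uint32_t n_refs)
{
    toy_zval *z = toy_new("payload");
    for (uint32_t i = 1; i < n_refs; i++) toy_addref_unchecked(z);
    int released = toy_delref(z);
    int dangling = (released && z->holders > 0) ? 1 : 0;
    free(z);
    return dangling;
}

/* Same pattern with the checked increment. Returns how many references were
 * refused; with a sane counter nothing is ever freed early. */
static int checked_demo(uint32_t n_refs)
{
    toy_zval *z = toy_new("payload");
    int refused = 0;
    for (uint32_t i = 1; i < n_refs; i++)
        if (toy_addref_checked(z) != 0) refused++;
    free(z);
    return refused;
}

int main(void)
{
    printf("unchecked counter, 65537 references, first holder releases: dangling=%d\n",
           overflow_demo(65537));
    printf("checked counter, same pattern: references refused=%d\n",
           checked_demo(65537));
    return 0;
}
```

With 1000 references neither version misbehaves; with 65537 the unchecked counter reads 1 after the loop, so one release frees the value for everyone else, while the checked counter refuses the references it cannot count (two of them in this run) and the value stays alive. The fix that matters in practice is the same in either form: the counter must be wide enough for any reachable number of references, or the increment must detect saturation and fail rather than wrap.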

98. MIT Kerberos Administration Daemon Kadmind Double Free Memory Corruption Vulnerabilities
BugTraq ID: 23282
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/23282
Summary:
MIT Kerberos 5 is prone to a double-free memory-corruption vulnerability.

An attacker can exploit this issue to execute arbitrary code with superuser or SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected API.

99. RSA BSAFE Library Remote ASN.1 Denial of Service Vulnerability
BugTraq ID: 24104
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/24104
Summary:
The RSA BSAFE library is prone to a denial-of-service vulnerability because it fails to properly handle malformed ASN.1 data.

Exploiting this vulnerability allows attackers to crash applications that use the affected library. The specific impact of this vulnerability depends on the nature of the applications. Local and remote attacks may be possible. Depending on the nature of vulnerable applications, attackers may be able to exploit this issue without authentication.

These versions are vulnerable:

RSA BSAFE Crypto-C prior to 6.3.1
Cert-C prior to 2.8

The vendor tracks this issue by RSA Bug ID 46337.

Cisco tracks this issue as Bug IDs:
Cisco IOS: CSCsd85587
Cisco IOS XR: CSCsg41084
Cisco PIX and ASA Security Appliances: CSCse91999
Cisco Firewall Services Module (FWSM): CSCsi97695
Cisco Unified CallManager: CSCsg44348

100. Apache Tomcat Mod_JK.SO Arbitrary Code Execution Vulnerability
BugTraq ID: 22791
Remote: Yes
Last Updated: 2007-05-23
Relevant URL: http://www.securityfocus.com/bid/22791
Summary:
Apache Tomcat is prone to a vulnerability that will allow remote attackers to execute arbitrary code on an affected computer. A successful attack may result in a complete compromise.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. "Data storm" blamed for nuclear-plant shutdown
By: Robert Lemos
A Congressional committee calls for the Nuclear Regulatory Commission to further investigate the cause of excessive network traffic that shut down an Alabama nuclear plant.
http://www.securityfocus.com/news/11465

2. Experts scramble to quash IPv6 flaw
By: Robert Lemos
Only a few weeks after researchers raised the design issue in the next-generation Internet protocol, two drafts to the Internet Engineering Task Force propose different fixes.
http://www.securityfocus.com/news/11463

3. E-Gold charged with money laundering
By: Robert Lemos
Federal prosecutors claim the company and its owners violated federal funds transfer laws, saying it knowingly served online scammers, identity thieves and child pornographers.
http://www.securityfocus.com/news/11462

4. A Mac gets whacked, a second survives
By: Robert Lemos
Researchers use a previously unknown flaw in Apple's Safari browser to compromise a MacBook Pro and win the PWN to Own contest, but does the hack actually prove anything?
http://www.securityfocus.com/news/11461

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. FINAL Call For Papers: Chaos Communication Camp 2007, Berlin
http://www.securityfocus.com/archive/82/469296

2. TCP/IP Vulnerability
http://www.securityfocus.com/archive/82/469389

3. program for SyScan'07
http://www.securityfocus.com/archive/82/469183

4. Reminder: VNSECON 07 Call for Papers ends on June 08
http://www.securityfocus.com/archive/82/469140

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Compromising the Windows Service or Driver failure event sink
http://www.securityfocus.com/archive/88/469330

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
1. Security Videos
http://www.securityfocus.com/archive/91/469297

X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics
