News

Wednesday, June 27, 2007

SecurityFocus Newsletter #407
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack"- White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise confidential information, steal cookies and create requests that can be mistaken for those of a valid user!! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/xss.asp?Campaign_ID=70160000000CsFU


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Don't Be Evil
2. Persistence of data on storage media
II. BUGTRAQ SUMMARY
1. Wireshark Multiple Protocol Denial of Service Vulnerabilities
2. Sun Grid Engine Local Privilege Escalation Vulnerability
3. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
4. phpTrafficA Multiple Input Validation Vulnerabilities
5. Apache HTTP Server Mod_Cache Denial of Service Vulnerability
6. EQDKP Login.PHP Arbitrary Variable Overwrite Vulnerability
7. Novell NetWare XNFS.NLM Remote Denial Of Service Vulnerability
8. Papoo Plugin.PHP Authentication Bypass Vulnerability
9. Symantec Mail Security For SMTP Remote Denial Of Service Vulnerability
10. MIT Kerberos Administration Daemon Free Pointers Remote Code Execution Vulnerability
11. WordPress Custom Field Arbitrary File Upload Vulnerability
12. Sun Solaris ACE_SETACL Local Denial Of Service Vulnerability
13. BugMall Shopping Cart Multiple Input Validation Vulnerabilities
14. Mozilla Multiple Products Remote Vulnerabilities
15. Sun Solaris NFS Server XDR Handling Denial of Service Vulnerability
16. Samba MS-RPC Remote Shell Command Execution Vulnerability
17. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
18. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
19. Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
20. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
21. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
22. Samba SID Names Local Privilege Escalation Vulnerability
23. AGEPhone SIP Soft Phone Message Parsing Denial of Service Vulnerability
24. AGEPhone SIP Soft Phone Malformed Delimiter Denial of Service Vulnerability
25. EXIF Library EXIF File Processing Integer Overflow Vulnerability
26. Gnome Evolution Data Server Array Index Memory Access Vulnerability
27. Sun Java Web Start Unauthorized Access Vulnerability
28. Oracle Diagnostics Multiple Vulnerabilities
29. Microsoft Office Embedded Shockwave Flash Object Security Bypass Weakness
30. Microsoft .NET Framework SDK MSIL Tools Buffer Overflow Vulnerabilities
31. Microsoft ASP.NET COM Components W3WP Remote Denial Of Service Vulnerability
32. Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability
33. MIT Kerberos 5 KAdminD Server Rename_Principal_2_SVC() Function Stack Buffer Overflow Vulnerability
34. Cisco IOS IPv6 Processing Arbitrary Code Execution Vulnerability
35. MIT Kerberos 5 KAdminD Server RPC Type Conversion Stack Buffer Overflow Vulnerability
36. MIT Kerberos Administration Daemon RPC Library Free Pointer Remote Code Execution Vulnerability
37. Microsoft Visual Studio UserControl Remote Code Execution Vulnerability
38. McAfee Webshield SMTP Remote Format String Vulnerability
39. IBM WebSphere Application Server Multiple Remote Vulnerabilities
40. IBM Websphere Application Server Prior to 6.0.2.11 Multiple Vulnerabilities
41. IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities
42. IBM AIX LSMCode Local Privilege Escalation Vulnerability
43. Lotus Domino SMTP Meeting Request Remote Denial of Service Vulnerability
44. IBM Websphere Application Server Multiple Vulnerabilities
45. IBM WebSphere Application Server Welcome Page Security Restriction Bypass Vulnerability
46. IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability
47. IBM Tivoli Lightweight Client Framework Information Disclosure Vulnerability
48. IBM WebSphere Application Server JSP Source Code Disclosure Vulnerability
49. IBM Lotus Domino iNotes Multiple HTML and Script Injection Vulnerabilities
50. IBM Lotus Notes File Attachment Handling Multiple Remote Vulnerabilities
51. Lotus Domino LDAP Denial of Service Vulnerability
52. IBM Lotus Domino and Notes Multiple Unspecified Vulnerabilities
53. APOP Protocol Insecure MD5 Hash Weakness
54. Mozilla Products Multiple Remote Vulnerabilities
55. HP-UX SU Local Unauthorized Access Vulnerability
56. Mozilla FireFox FTP PASV Port-Scanning Vulnerability
57. HP OpenView Storage Data Protector Remote Arbitrary Command Execution Vulnerability
58. HP OpenView Network Node Manager Multiple Remote Vulnerabilities
59. HP-UX Passwd Unspecified Local Denial of Service Vulnerability
60. PsychoStats Server.PHP Path Disclosure Vulnerability
61. HP-UX Swagentd Remote Denial Of Service Vulnerability
62. HP-UX Usermod Local Unauthorized Access Vulnerability
63. PHPMailer Remote Shell Command Execution Vulnerability
64. HP Tru64 IKE Exchange Denial Of Service Vulnerabilities
65. Mozilla Thunderbird Multiple Remote Information Disclosure Vulnerabilities
66. HP Tru64 DNS BIND Unspecified Remote Unauthorized Access Vulnerability
67. HP Systems Insight Manager Unspecified Directory Traversal Vulnerability
68. EMC Retrospect Client Buffer Overflow Vulnerability
69. Computer Associates Scan Job Format String Vulnerability
70. Computer Associates Unicenter Remote Control DM Primer Remote Denial of Service Vulnerability
71. Computer Associates iTechnology iGateway Service Content-Length Heap Overflow Vulnerability
72. Cisco IOS SSL Packets Multiple Denial Of Service Vulnerabilities
73. Symantec AntiVirus Scan Engine Multiple Remote Vulnerabilities
74. Symantec LiveUpdate for Macintosh Local Privilege Escalation Vulnerability
75. Symantec Sygate Management Server SMS Authentication Servlet SQL Injection Vulnerability
76. Symantec Multiple Products SymEvent Driver Local Denial of Service Vulnerability
77. Symantec Mail Security for Domino Server Premium AntiSpam Email Relay Vulnerability
78. Symantec Enterprise Security Manager Denial of Service Vulnerability
79. NCTAudioStudio2 ActiveX Control NCTWavChunksEditor.DLL Arbitrary File Overwrite Vulnerability
80. Symantec NetBackup PureDisk Authentication Bypass Vulnerability
81. RealPlayer/HelixPlayer ParseWallClockValue Function Buffer Overflow Vulnerability
82. Symantec Brightmail AntiSpam Control Center Multiple Vulnerabilities
83. Sun Solaris Netscape Portable Runtime API Local Privilege Escalation Vulnerability
84. Sun Solaris Format(1M) Local Privilege Escalation Vulnerability
85. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
86. Sun Solaris N1 Grid Engine Multiple Local Vulnerabilities
87. Sun Solaris Net Mount Point Denial of Service Vulnerability
88. Sun Solaris LibsLDAP NSCD Local Denial of Service Vulnerability
89. Sun Solaris Event Port API Denial of Service Vulnerability
90. OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
91. Sun Solaris Kernel Debugger KMDB(1) Local Denial of Service Vulnerability
92. Sun Solaris 10 Kernel Patches Denial of Service Vulnerability
93. Sun Solaris NIS Server YPServ Unspecified Denial of Service Vulnerability
94. E107 Signup.PHP Arbitrary File Upload Vulnerability
95. Warzone Long File Name Buffer Overflow Vulnerability
96. HP System Management Homepage Unspecified Directory Traversal Vulnerability
97. Microsoft Excel File Rebuilding Remote Code Execution Vulnerability
98. SILC Toolkit Multiple Unspecified Vulnerabilities
99. OpenSSH SCP Shell Command Execution Vulnerability
100. PHPVideoPro Unspecified Vulnerability
III. SECURITYFOCUS NEWS
1. Lawmakers worry over gov't network breaches
2. Amero case spawns effort to educate
3. Group: Anti-hacking laws can hobble Net security
4. Judge nixes teacher's conviction on porn pop-ups
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
1. ARAKIS early warning system public web interface
2. Suspicious files in /tmp
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Exotic vulnerability
2. creating a "cc" opcode from ASCII shell code
3. vulnerabilities in this code chunk
VII. MICROSOFT FOCUS LIST SUMMARY
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Don't Be Evil
By Mark Rasch
A series of developments raise the specter that remotely stored or created documents may be subject to subpoena or discovery all without the knowledge or consent of the document's creators.
http://www.securityfocus.com/columnists/447

2. Persistence of data on storage media
By Jamie Ridden
Jamie Ridden discusses the re-use of storage media and how slack space can prevent sensitive data from being completely removed.
http://www.securityfocus.com/infocus/1891


II. BUGTRAQ SUMMARY
--------------------
1. Wireshark Multiple Protocol Denial of Service Vulnerabilities
BugTraq ID: 24662
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24662
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may permit attackers to cause crashes and deny service to legitimate users of the application.

Wireshark versions prior to 0.99.6 are affected.

2. Sun Grid Engine Local Privilege Escalation Vulnerability
BugTraq ID: 16366
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16366
Summary:
Sun Grid Engine is susceptible to a local privilege-escalation vulnerability.

This issue allows local users to gain superuser privileges, facilitating the complete compromise of affected computers.

Sun Grid Engine versions prior to 6.0u7_1 are vulnerable to this issue.

3. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
BugTraq ID: 24645
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24645
Summary:
The Apache HTTP Server mod_status module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

4. phpTrafficA Multiple Input Validation Vulnerabilities
BugTraq ID: 24615
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24615
Summary:
phpTrafficA is prone to input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because the application fails to sanitize user-supplied input.

A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

phpTrafficA 1.4.2 is affected; prior versions may also be vulnerable.

5. Apache HTTP Server Mod_Cache Denial of Service Vulnerability
BugTraq ID: 24649
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24649
Summary:
The Apache mod_cache module is prone to a denial-of-service vulnerability.

A remote attacker may be able to exploit this issue to crash the child process. This could lead to denial-of-service conditions if the server is using a multithreaded Multi-Processing Module (MPM).

6. EQDKP Login.PHP Arbitrary Variable Overwrite Vulnerability
BugTraq ID: 24643
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24643
Summary:
EQdkp is prone to a vulnerability that permits an attacker to overwrite arbitrary variables due to a design error.

Successful exploits will result in the compromise of vulnerable applications or denial-of-service conditions; other attacks are possible.


EQdkp 1.3.2d and prior versions are vulnerable.

7. Novell NetWare XNFS.NLM Remote Denial Of Service Vulnerability
BugTraq ID: 24489
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24489
Summary:
Novell NetWare is prone to a remote denial-of-service vulnerability because of inadequate boundary checks.

A remote attacker can exploit this issue to deny access to legitimate users and possibly to execute code, but this has not been confirmed.

NetWare 6.5 SP6 is vulnerable; other versions may also be affected.

8. Papoo Plugin.PHP Authentication Bypass Vulnerability
BugTraq ID: 24634
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24634
Summary:
Papoo is prone to an authentication-bypass vulnerability because the application fails to check user privileges when accessing the administration pages.

An attacker can exploit this issue to gain access to administration plugins. This may lead to other attacks.

This issue affects Papoo 3.6; prior versions may also be affected.

9. Symantec Mail Security For SMTP Remote Denial Of Service Vulnerability
BugTraq ID: 24625
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24625
Summary:
Symantec Mail Security for SMTP is prone to a remote denial-of-service vulnerability when parsing certain attachments.

An attacker can exploit this issue to cause denial-of-service conditions.

These versions are vulnerable:

Symantec Mail Security for SMTP 5.0 series prior to 5.01 Patch 181
Symantec Mail Security Appliance 5.0 series prior to 5.0.0-36

10. MIT Kerberos Administration Daemon Free Pointers Remote Code Execution Vulnerability
BugTraq ID: 21975
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/21975
Summary:
MIT Kerberos 5 is prone to a remote code-execution vulnerability.

This issue occurs because of memory-management problems in the abstraction interface of the GSS-API implementation.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, completely compromising affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected API.

11. WordPress Custom Field Arbitrary File Upload Vulnerability
BugTraq ID: 24642
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24642
Summary:
WordPress is prone to an arbitrary-file-upload vulnerability.

An attacker can exploit this vulnerability to upload PHP script code and execute it in the context of the webserver process.

This issue affects WordPress 2.2.1, WordPress MU 1.2.3, and prior versions.

12. Sun Solaris ACE_SETACL Local Denial Of Service Vulnerability
BugTraq ID: 23863
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23863
Summary:
Sun Solaris is prone to a local denial-of-service vulnerability.

An attacker can exploit this issue on an affected computer to cause a kernel panic, resulting in a denial-of-service condition.

Presumably, attackers may be able to exploit this issue on 64-bit systems to execute arbitrary code, but this has not been confirmed. We will update this BID as more information emerges.

Solaris 10 is vulnerable; prior versions may also be affected.

13. BugMall Shopping Cart Multiple Input Validation Vulnerabilities
BugTraq ID: 24629
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24629
Summary:
BugMall Shopping Cart is prone to input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because the application fails to sanitize user-supplied input.

A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

BugMall Shopping Cart 2.5 and prior versions are affected.

14. Mozilla Multiple Products Remote Vulnerabilities
BugTraq ID: 19181
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19181
Summary:
The Mozilla Foundation has released thirteen security advisories specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- execute arbitrary machine code in the context of the vulnerable application
- crash affected applications
- run arbitrary script code with elevated privileges
- gain access to potentially sensitive information
- carry out cross-domain scripting attacks.

Other attacks may also be possible.

The issues described here will be split into individual BIDs as more information becomes available.

These issues are fixed in:

- Mozilla Firefox version 1.5.0.5
- Mozilla Thunderbird version 1.5.0.5
- Mozilla SeaMonkey version 1.0.3

15. Sun Solaris NFS Server XDR Handling Denial of Service Vulnerability
BugTraq ID: 24466
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24466
Summary:
Sun Solaris is prone to a denial-of-service vulnerability because the operating system fails to handle exceptional conditions.

An attacker can exploit this issue to cause the affected kernel to panic, resulting in a denial-of-service condition.

This issue affects the Solaris 10 operating system.

16. Samba MS-RPC Remote Shell Command Execution Vulnerability
BugTraq ID: 23972
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23972
Summary:
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application.

This issue affects Samba 3.0.0 to 3.0.25rc3.
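
Editor's illustration of the flaw class named above (added here; this is not Samba's code, and this page does not say where in Samba the unsanitized input reaches a shell). The vulnerable function splices an attacker-supplied name into a command line meant for system()/popen(), so the shell parses the name as well as the command; the hardened path rejects anything outside a strict allowlist and passes the name as its own argv element to execv, so no shell ever sees it. The script path and the allowlist policy are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: the attacker-supplied name is spliced into a command line that
 * is meant for system()/popen(), i.e. for /bin/sh. A name of "user; id"
 * makes the shell run two commands. Returns 0 on success, -1 if truncated. */
int build_shell_command_vulnerable(char *out, size_t outsz,
                                   const char *script, const char *name)
{
    int n = snprintf(out, outsz, "%s %s", script, name);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Allowlist for a name (assumed policy: 1-32 chars of [A-Za-z0-9._-], not
 * starting with '-', so it can never be read as an option). Returns 1/0. */
int is_safe_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 32 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* HARDENED: validate first, then fork/execv with the name as a separate argv
 * element. No shell is involved, so shell metacharacters have no meaning.
 * Returns the child's exit status, or -1 on rejection or failure. */
int run_map_script(const char *script, const char *name)
{
    if (!is_safe_name(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)name, NULL };
        execv(script, argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    /* Hypothetical script path; "user; id" is the constructed malicious name. */
    build_shell_command_vulnerable(cmd, sizeof cmd, "/usr/local/bin/map.sh", "user; id");
    printf("shell would run: %s\n", cmd);          /* two commands, not one */
    printf("hardened accepts 'alice': %d, rejects 'user; id': %d\n",
           is_safe_name("alice"), is_safe_name("user; id"));
    return run_map_script("/bin/echo", "alice") == 0 ? 0 : 1;
}
```

The allowlist is the part worth copying: escaping or quoting metacharacters for a shell is error-prone, whereas rejecting everything outside a known-good character set and avoiding the shell entirely removes the attack surface rather than filtering it.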

17. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24197
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24197
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

18. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24198
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24198
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

19. Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24196
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24196
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

20. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24195
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24195
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

21. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 23973
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23973
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

This BID previously documented multiple heap-based buffer-overflow vulnerabilities affecting Samba. Each issue has been assigned its own individual record. The issues are covered in this BID and the following records:

BID 24195 - Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
BID 24196 - Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
BID 24197 - Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
BID 24198 - Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
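
Editor's illustration of the bug class shared by the five Samba NDR items above (added here; not Samba's code, and this page does not say which request fields are involved). A length read from the wire decides how many bytes are copied into a fixed-size destination: the vulnerable parser trusts it, the checked parser compares it against both the bytes actually present in the packet and the destination size before any copy. The field layout and the 64-byte destination are assumptions; the packets are constructed, not captured.

```c
#include <stdint.h>
#include <string.h>

#define NAME_BUF 64   /* assumed size of the destination buffer */

/* NDR integers are little-endian on the wire by default. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE: the 4-byte length says how much to copy; nothing checks it
 * against the destination or against how many bytes the packet really has.
 * A length of 0x1000 in an 8-byte packet writes far past 'out' (and reads
 * past 'pkt'). Returns the declared length. */
int parse_name_vulnerable(const uint8_t *pkt, size_t pktlen, uint8_t out[NAME_BUF])
{
    if (pktlen < 4)
        return -1;
    uint32_t declared = rd_le32(pkt);
    memcpy(out, pkt + 4, declared);      /* overflow when declared > NAME_BUF */
    return (int)declared;
}

/* HARDENED: every wire-controlled quantity is bounded by the bytes that
 * remain in the packet and by the destination size before any copy. */
int parse_name_checked(const uint8_t *pkt, size_t pktlen, uint8_t out[NAME_BUF])
{
    if (pktlen < 4)
        return -1;
    uint32_t declared = rd_le32(pkt);
    if (declared > pktlen - 4)           /* claims more than the packet carries */
        return -1;
    if (declared > NAME_BUF)             /* would not fit the destination */
        return -1;
    memcpy(out, pkt + 4, declared);
    return (int)declared;
}

int main(void)
{
    /* Constructed packets, not captured traffic. */
    const uint8_t good[] = { 5, 0, 0, 0, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lies[] = { 0x00, 0x10, 0x00, 0x00, 'a', 'b', 'c', 'd' };  /* says 4096 */
    uint8_t out[NAME_BUF];
    int ok  = parse_name_checked(good, sizeof good, out);   /* accepted: 5 bytes */
    int bad = parse_name_checked(lies, sizeof lies, out);   /* rejected; the vulnerable
                                                               parser would copy 4096 */
    return (ok == 5 && bad == -1) ? 0 : 1;
}
```

The order of the two checks matters less than having both: checking only against the destination still lets an over-long length read past the end of the packet, and checking only against the packet still lets a 65-byte name overrun a 64-byte buffer.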

22. Samba SID Names Local Privilege Escalation Vulnerability
BugTraq ID: 23974
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23974
Summary:
Samba is prone to a local privilege-escalation vulnerability due to a logic error in the 'smbd' daemon's internal security stack.

An attacker can exploit this issue to temporarily perform SMB/CIFS operations with superuser privileges. The attacker may leverage this issue to gain superuser access to the server.

Samba 3.0.23d through 3.0.25pre2 are vulnerable.

23. AGEPhone SIP Soft Phone Message Parsing Denial of Service Vulnerability
BugTraq ID: 24540
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24540
Summary:
AGEphone SIP softphone is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed data.

Successful exploits can allow remote attackers to disconnect currently active calls or crash the device's operating system.

This issue affects AGEphone 1.41.2 running on an HTC HyTN smartphone with Windows Mobile 5 PPC. Other versions may also be affected.

24. AGEPhone SIP Soft Phone Malformed Delimiter Denial of Service Vulnerability
BugTraq ID: 24543
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24543
Summary:
AGEphone SIP softphone is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed data.

Successful exploits can allow remote attackers to crash the affected application, denying further service to legitimate users.

This issue affects AGEphone 1.41.2 running on an HTC HyTN smartphone with Windows Mobile 5 PPC. Other versions may also be affected.

25. EXIF Library EXIF File Processing Integer Overflow Vulnerability
BugTraq ID: 24461
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24461
Summary:
The 'libexif' library is reported prone to an integer-overflow vulnerability. Reportedly, the issue presents itself when the affected library is processing malformed EXIF files.

Attackers may leverage this issue to execute arbitrary code in the context of an application that is linked to the vulnerable library. Failed exploit attempts will likely result in denial-of-service conditions.

This issue affects 'libexif' 0.6.13 to 0.6.15; other versions may also be affected.
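
Editor's illustration of the integer-overflow class described above (added here; not libexif's code, and this page does not identify the affected computation). TIFF/EXIF IFD entries carry a component count and a format code, and the size to allocate is count times per-component size. Computed in 32 bits, a large count wraps the product to a small value, so the buffer is undersized for the data later copied into it. The checked version refuses unknown formats, a product that would wrap, and data beyond the end of the block. Format codes follow TIFF 6.0; the entry layout handling and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Component sizes for a few TIFF/EXIF data formats (codes as in TIFF 6.0).
 * Anything else is refused. */
static size_t component_size(uint16_t format)
{
    switch (format) {
    case 1: return 1;   /* BYTE */
    case 3: return 2;   /* SHORT */
    case 4: return 4;   /* LONG */
    case 5: return 8;   /* RATIONAL */
    default: return 0;
    }
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE shape: the product is computed in 32 bits and wraps, so a
 * count of 0x40000001 RATIONALs "needs" 8 bytes; the later copy of the
 * real amount overruns the heap buffer. */
uint32_t entry_size_vulnerable(uint32_t components, uint16_t format)
{
    return components * (uint32_t)component_size(format);
}

/* HARDENED: refuse unknown formats, refuse a product that would wrap, and
 * refuse more data than the block holds. Returns 0 on rejection. */
size_t entry_size_checked(uint32_t components, uint16_t format, size_t remaining)
{
    size_t cs = component_size(format);
    if (cs == 0 || components == 0)
        return 0;
    if (components > SIZE_MAX / cs)       /* multiplication would wrap */
        return 0;
    size_t total = (size_t)components * cs;
    return total <= remaining ? total : 0;
}

/* Parse one 12-byte little-endian IFD entry (tag, format, count,
 * value/offset; caller guarantees 12 readable bytes) and return a malloc'd
 * copy of its component data, or NULL if it is malformed. Data of 4 bytes
 * or less lives inline in the value field; larger data lives at 'offset'
 * from the start of the TIFF block. */
uint8_t *load_entry_checked(const uint8_t *tiff, size_t tifflen,
                            const uint8_t *entry, size_t *out_len)
{
    uint16_t format = rd16(entry + 2);
    uint32_t count  = rd32(entry + 4);
    size_t total = entry_size_checked(count, format, tifflen);
    if (total == 0)
        return NULL;
    const uint8_t *src;
    if (total <= 4) {
        src = entry + 8;
    } else {
        uint32_t off = rd32(entry + 8);
        if (off > tifflen || total > tifflen - off)   /* overflow-safe bound */
            return NULL;
        src = tiff + off;
    }
    uint8_t *buf = malloc(total);
    if (!buf)
        return NULL;
    memcpy(buf, src, total);
    *out_len = total;
    return buf;
}

int main(void)
{
    /* Constructed entry: RATIONAL, count 0x40000001, offset 0. */
    const uint8_t evil[] = { 0x12, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x40,
                             0x00, 0x00, 0x00, 0x00 };
    size_t n = 0;
    printf("32-bit product: %u bytes (wrapped)\n", entry_size_vulnerable(0x40000001u, 5));
    printf("checked parser: %s\n",
           load_entry_checked(evil, sizeof evil, evil, &n) ? "accepted" : "rejected");
    return 0;
}
```

The check `components > SIZE_MAX / cs` is the portable way to detect the wrap before it happens; testing the product after the fact is too late, because the wrapped value is already plausible-looking.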

26. Gnome Evolution Data Server Array Index Memory Access Vulnerability
BugTraq ID: 24567
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24567
Summary:
Evolution Data Server is prone to a memory-access vulnerability because it fails to validate a critical array index value. Attackers may exploit this issue to execute arbitrary code.

Versions prior to Evolution Data Server 1.11.4 are vulnerable.

27. Sun Java Web Start Unauthorized Access Vulnerability
BugTraq ID: 23728
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23728
Summary:
Sun Java Web Start is prone to a vulnerability that may allow remote attackers to gain unauthorized access to a vulnerable computer.

The vendor has reported that this vulnerability allows untrusted applications to gain read/write privileges to local files on a vulnerable computer.

The following versions for Windows, Solaris and Linux platforms are vulnerable:

Java Web Start in JDK and JRE 5.0 Update 10 and earlier
Java Web Start in SDK and JRE 1.4.2_13 and earlier

28. Oracle Diagnostics Multiple Vulnerabilities
BugTraq ID: 16844
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16844
Summary:
The Oracle Diagnostics module is susceptible to multiple vulnerabilities. These issues include insecure permissions, insecure default access, and SQL injection.

- Insecure-permissions vulnerability. This may allow remote attackers to gain access to potentially sensitive information that may aid them in further attacks.

- Default-access vulnerabilities. Successful exploits could allow an attacker to gain access to potentially sensitive information that may aid them in further attacks.

- Unspecified SQL-injection issues. Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Oracle has released the 'Diagnostics Support Pack February 2006' with 'Oracle Diagnostics 2.3 RUP A' to address these vulnerabilities. This update addresses the vulnerabilities for supported releases. Earlier, unsupported releases are likely to be affected by the issues as well.

Other issues may have also been addressed with these fixes. This BID will be updated as further information is disclosed.

29. Microsoft Office Embedded Shockwave Flash Object Security Bypass Weakness
BugTraq ID: 18583
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18583
Summary:
Microsoft Office is prone to a weakness that may allow remote attackers to execute arbitrary script code contained in Shockwave Flash Objects without first requiring confirmation from users.

A successful attack may allow attackers to access sensitive information and potentially execute malicious commands on a vulnerable computer.

The researcher responsible for discovering this issue has indicated that it presents itself on Windows 2003 SP1, Windows XP Professional Edition SP1 and SP2 running Microsoft Office 2003, and Windows 2000 Professional running Microsoft Office 2003. Other versions may be vulnerable as well.

30. Microsoft .NET Framework SDK MSIL Tools Buffer Overflow Vulnerabilities
BugTraq ID: 17243
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17243
Summary:
Microsoft .NET Framework SDK contains tools for assembling and disassembling MSIL files. These tools are prone to buffer-overflow vulnerabilities that attackers could exploit to cause a denial of service or potentially execute arbitrary code.

These issues were reported to affect the .NET Framework SDK version 1.1 SP1; earlier versions may also be affected. Version 2.0 may also be affected, but code execution does not seem possible.

31. Microsoft ASP.NET COM Components W3WP Remote Denial Of Service Vulnerability
BugTraq ID: 17188
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17188
Summary:
Improper access of COM and COM+ components in ASP.NET applications can cause a denial-of-service condition in 'w3wp.exe' processes.

A remote attacker can exploit this issue to cause denial-of-service conditions in applications using improperly coded ASP.NET, effectively denying service to legitimate users.

32. Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability
BugTraq ID: 16870
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16870
Summary:
Microsoft Internet Explorer is prone to a remote buffer-overflow vulnerability in the 'IsComponentInstalled()' method. A successful exploit results in arbitrary code execution in the context of the user running the browser.

This issue was reportedly addressed in Windows 2000 SP4 and Windows XP SP1, but this has not been confirmed.

Internet Explorer 6 is vulnerable to this issue; earlier versions may also be affected.

33. MIT Kerberos 5 KAdminD Server Rename_Principal_2_SVC() Function Stack Buffer Overflow Vulnerability
BugTraq ID: 24653
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24653
Summary:
Kerberos 5 kadmind (Kerberos Administration Daemon) server is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

All kadmind servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 kadmind 1.6.1, kadmind 1.5.3 and prior versions are vulnerable.

34. Cisco IOS IPv6 Processing Arbitrary Code Execution Vulnerability
BugTraq ID: 14414
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/14414
Summary:
A remote arbitrary code execution vulnerability affects the IPv6 processing functionality of Cisco IOS.

A successful attack may allow a remote attacker to execute arbitrary code and gain unauthorized access to the device. An attacker can also leverage this issue to cause an affected device to reload, denying service to legitimate users.

This issue may be related to BID 12368 (Cisco IOS IPv6 Processing Remote Denial Of Service Vulnerability).

Cisco has stated that exploitation of this vulnerability in Cisco IOS XR may cause the IPv6 neighbor discovery process to restart. If exploited repeatedly, this could result in a prolonged denial of service affecting IPv6 traffic travelling through the device.

35. MIT Kerberos 5 KAdminD Server RPC Type Conversion Stack Buffer Overflow Vulnerability
BugTraq ID: 24657
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24657
Summary:
Kerberos 5 kadmind (Kerberos Administration Daemon) server is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected RPC library.

All kadmind servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 kadmind 1.6.1 and prior versions are vulnerable.

36. MIT Kerberos Administration Daemon RPC Library Free Pointer Remote Code Execution Vulnerability
BugTraq ID: 24655
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24655
Summary:
MIT Kerberos 5 Administration Daemon (kadmind) is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, completely compromising affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

All kadmind servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

This issue also affects third-party applications using the affected RPC library.

kadmind versions prior to krb5-1.6.1 are vulnerable.

37. Microsoft Visual Studio UserControl Remote Code Execution Vulnerability
BugTraq ID: 16225
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16225
Summary:
Microsoft Visual Studio is prone to a vulnerability that could allow remote attackers to execute arbitrary code. This issue stems from a design flaw that executes code contained in a project file without first notifying users.

Exploiting this issue allows attackers to execute arbitrary code in the context of the user viewing a malicious project file. Since viewing a project file is usually considered a safe operation, users may be lulled into a false sense of security when they attempt to inspect unknown code before compiling or executing it.

This vulnerability may be exploited remotely because project files may originate from untrusted sources.

Visual Studio 2005 is reportedly vulnerable to this issue; other versions may also be affected.

38. McAfee Webshield SMTP Remote Format String Vulnerability
BugTraq ID: 16742
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16742
Summary:
McAfee WebShield SMTP is susceptible to a remote format-string vulnerability. This issue is due to the application's failure to properly sanitize user-supplied input before including it in a format-specifier argument to a formatted-printing function.

This issue allows remote attackers to execute arbitrary machine code in the context of the affected application.

39. IBM WebSphere Application Server Multiple Remote Vulnerabilities
BugTraq ID: 18672
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18672
Summary:
IBM WebSphere Application Server is prone to multiple remote vulnerabilities. These include an unspecified vulnerability affecting the Core Console Plugin Module of the administrative console and an information-disclosure issue affecting the Web Container Implementation.

IBM WebSphere Application Server versions prior to 5.1.1 Cumulative Fix 11 for Windows are vulnerable.

40. IBM Websphere Application Server Prior to 6.0.2.11 Multiple Vulnerabilities
BugTraq ID: 18578
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18578
Summary:
IBM WebSphere Application Server is prone to multiple vulnerabilities.

These issues include vulnerabilities of unknown impact as well as several information-disclosure vulnerabilities. Other potentially security-related issues were also addressed.

41. IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities
BugTraq ID: 18428
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18428
Summary:
IBM DB2 Universal Database is prone to multiple denial-of-service vulnerabilities.

An attacker may be able to exploit these issues to cause the database to crash or hang, effectively denying service to legitimate users.

These issues affect DB2 versions prior to 8 FixPak 12 (also known as version 8.2 FixPak 5).

42. IBM AIX LSMCode Local Privilege Escalation Vulnerability
BugTraq ID: 18114
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18114
Summary:
IBM AIX is prone to a local vulnerability in the 'lsmcode' command. Attackers may be able to execute arbitrary machine code with superuser privileges.

IBM AIX 5.1, 5.2, and 5.3 are affected by this issue.

43. Lotus Domino SMTP Meeting Request Remote Denial of Service Vulnerability
BugTraq ID: 18020
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18020
Summary:
Lotus Domino is prone to a remote denial-of-service vulnerability because it fails to properly handle malformed email.

This issue allows remote attackers to consume excessive CPU resources on affected computers and to block all email delivery until administrators manually remove the malicious message from the mail queue. This will deny further email service to legitimate users.

Restarting the affected service will not clear this problem, because the offending message will remain in the mail queue.

Lotus Domino versions prior to 6.5.4 FP1, 6.5.5, and 7.0 are vulnerable to this issue.

44. IBM Websphere Application Server Multiple Vulnerabilities
BugTraq ID: 17919
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17919
Summary:
IBM Websphere Application Server is prone to multiple vulnerabilities.

These issues include vulnerabilities of unknown impact, information-disclosure vulnerabilities, and security-bypass vulnerabilities.

Other potentially security-related issues were also addressed.

45. IBM WebSphere Application Server Welcome Page Security Restriction Bypass Vulnerability
BugTraq ID: 17900
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17900
Summary:
IBM WebSphere Application Server is prone to a security restriction-bypass vulnerability. This issue is due to the application's failure to properly enforce security restrictions.

This issue allows remote attackers to gain access to the contents of potentially sensitive web pages, aiding them in further attacks.

46. IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability
BugTraq ID: 17210
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17210
Summary:
IBM Tivoli Business Systems Manager is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

47. IBM Tivoli Lightweight Client Framework Information Disclosure Vulnerability
BugTraq ID: 17085
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17085
Summary:
Tivoli LCF is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to view sensitive files with elevated privileges. Information obtained may aid in further attacks.

48. IBM WebSphere Application Server JSP Source Code Disclosure Vulnerability
BugTraq ID: 16908
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16908
Summary:
IBM WebSphere Application Server is prone to a source-code-disclosure vulnerability. An attacker can exploit this issue by supplying malformed HTTP requests to the server to disclose JSP source code.

This issue allows remote attackers to gain access to the contents of potentially sensitive JSP source pages, aiding them in further attacks.

49. IBM Lotus Domino iNotes Multiple HTML and Script Injection Vulnerabilities
BugTraq ID: 16577
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16577
Summary:
IBM Lotus Domino iNotes is prone to multiple HTML- and script-injection vulnerabilities.

These vulnerabilities can allow attackers to carry out a variety of attacks, including theft of cookie-based authentication credentials.

50. IBM Lotus Notes File Attachment Handling Multiple Remote Vulnerabilities
BugTraq ID: 16576
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16576
Summary:
IBM Lotus Notes is prone to multiple remote vulnerabilities. The buffer-overflow issues could allow arbitrary code execution in the context of the user running the application.

The issues are:

- A buffer overflow exists when extracting files from ZIP archives.
- A buffer overflow exists when extracting files from UUE encoded files.
- A buffer overflow exists when extracting files from TAR archives.
- A buffer overflow exists when handling HTML file attachments with malicious links.
- A directory traversal exists when generating previews of ZIP, UUE, and TAR archives. This could be exploited to overwrite arbitrary files in the context of the current user.

Lotus Notes 6.5.4 and 7.0 are prone to these issues. Other versions may also be vulnerable.

51. Lotus Domino LDAP Denial of Service Vulnerability
BugTraq ID: 16523
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16523
Summary:
Lotus Domino LDAP server is prone to a denial-of-service vulnerability when handling malformed requests.

Lotus Domino version 7.0 is vulnerable; earlier versions may also be affected.

52. IBM Lotus Domino and Notes Multiple Unspecified Vulnerabilities
BugTraq ID: 16158
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16158
Summary:
IBM Lotus Domino and Notes are prone to multiple unspecified vulnerabilities. Exploiting these issues causes the server to fail, thus denying service to legitimate users.

Versions prior to Lotus Domino and Notes 6.5.5 are considered vulnerable.

53. APOP Protocol Insecure MD5 Hash Weakness
BugTraq ID: 23257
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23257
Summary:
Applications that implement the APOP protocol may be vulnerable to a password-hash weakness. This issue occurs because the MD5 hash algorithm fails to properly prevent collisions.

Attackers may exploit this issue in man-in-the-middle attacks to potentially gain access to the first three characters of passwords. This will increase the likelihood of successful brute-force attacks against APOP authentication.

To limit the possibility of successful exploits, applications that implement the APOP protocol should set up safeguards to ensure that message IDs are RFC-compliant.

Mozilla Thunderbird, Evolution, mutt, and fetchmail are reportedly affected by this issue.

54. Mozilla Products Multiple Remote Vulnerabilities
BugTraq ID: 24242
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24242
Summary:
The Mozilla Foundation has released six security advisories specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- Execute arbitrary code
- Cause denial-of-service conditions
- Perform cross-site scripting attacks
- Obtain potentially sensitive information
- Spoof legitimate content

Other attacks may also be possible.

55. HP-UX SU Local Unauthorized Access Vulnerability
BugTraq ID: 17400
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17400
Summary:
HP-UX su(1) is prone to a local unauthorized-access vulnerability.

Exploiting this issue may allow attackers to gain elevated privileges. This may facilitate the complete compromise of affected computers.

HP-UX B.11.11 is vulnerable to this issue.

56. Mozilla FireFox FTP PASV Port-Scanning Vulnerability
BugTraq ID: 23082
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/23082
Summary:
Mozilla Firefox is prone to a vulnerability that may allow attackers to obtain potentially sensitive information.

A successful exploit of this issue would cause the affected application to connect to arbitrary TCP ports and potentially reveal sensitive information about services that are running on the affected computer. Information obtained may aid attackers in further attacks.

57. HP OpenView Storage Data Protector Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 18095
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18095
Summary:
HP OpenView Storage Data Protector is prone to an arbitrary command-execution vulnerability.

Attackers can exploit this vulnerability to execute arbitrary commands in the context of the affected process. This may aid attackers in the compromise of the underlying system; other attacks are also possible.

58. HP OpenView Network Node Manager Multiple Remote Vulnerabilities
BugTraq ID: 18096
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18096
Summary:
HP OpenView Network Node Manager is prone to multiple remote vulnerabilities.

Attackers may exploit these issues to:

- Execute arbitrary commands in the context of the affected process
- Create arbitrary files
- Gain privileged access

This may facilitate the compromise of affected computers.

59. HP-UX Passwd Unspecified Local Denial of Service Vulnerability
BugTraq ID: 17280
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17280
Summary:
HP-UX passwd(1) is prone to an unspecified local denial-of-service vulnerability.

This issue arises because the software fails to handle exceptional conditions in a proper manner.

Due to a lack of details, further information cannot be provided at the moment. This BID will be updated when more information becomes available.

60. PsychoStats Server.PHP Path Disclosure Vulnerability
BugTraq ID: 24039
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24039
Summary:
PsychoStats is prone to a path-disclosure issue when invalid data is submitted.

Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer.

PsychoStats 3.0.6b and prior versions are vulnerable to this issue.

61. HP-UX Swagentd Remote Denial Of Service Vulnerability
BugTraq ID: 17215
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17215
Summary:
A remote denial-of-service vulnerability has been reported in the HP-UX 'swagentd' daemon.

A remote unauthenticated user may cause the swagentd server daemon to become unresponsive.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information becomes available.

62. HP-UX Usermod Local Unauthorized Access Vulnerability
BugTraq ID: 17143
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17143
Summary:
HP-UX usermod(1M) is prone to a local unauthorized-access vulnerability.

This may facilitate various attacks including information disclosure and potential code execution leading to privilege escalation.

HP-UX B.11.00, B.11.11, and B.11.23 are vulnerable.

63. PHPMailer Remote Shell Command Execution Vulnerability
BugTraq ID: 24417
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24417
Summary:
PHPMailer is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

This issue affects PHPMailer when configured to use sendmail.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application using the affected class utility.

PHPMailer 1.73 and prior versions are vulnerable to this issue.

64. HP Tru64 IKE Exchange Denial Of Service Vulnerabilities
BugTraq ID: 17030
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17030
Summary:
HP Tru64 is prone to denial-of-service vulnerabilities. These issues are due to security flaws in HP's IPSec implementation. These vulnerabilities may be triggered by malformed IKE traffic.

These issues were discovered with the PROTOS ISAKMP Test Suite and are related to the handling of malformed IKEv1 traffic.

65. Mozilla Thunderbird Multiple Remote Information Disclosure Vulnerabilities
BugTraq ID: 16881
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16881
Summary:
Mozilla Thunderbird is susceptible to multiple remote information-disclosure vulnerabilities. These issues are due to the application's failure to properly enforce the restriction for downloading remote content in email messages.

These issues allow remote attackers to gain access to potentially sensitive information, aiding them in further attacks. Attackers may also exploit these issues to learn whether and when users read email messages.

Mozilla Thunderbird version 1.5 is vulnerable to these issues; other versions may also be affected.

66. HP Tru64 DNS BIND Unspecified Remote Unauthorized Access Vulnerability
BugTraq ID: 16455
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16455
Summary:
HP Tru64 DNS BIND is prone to an unspecified remote unauthorized-access vulnerability.

Further details are not currently available; this BID will be updated when more information becomes available.

67. HP Systems Insight Manager Unspecified Directory Traversal Vulnerability
BugTraq ID: 16571
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16571
Summary:
HP Systems Insight Manager (SIM) is prone to an unspecified directory-traversal vulnerability. This issue is most likely due to a failure in the application to properly sanitize user-supplied input.

Presumably, an attacker can exploit this issue to retrieve arbitrary files in the context of the affected application. This issue may also permit the overwriting of arbitrary files.

The exact nature of this vulnerability is not currently known; this BID will be updated as further information becomes available.

This issue affects only HP SIM on Microsoft Windows 2000, 2003, and XP.

68. EMC Retrospect Client Buffer Overflow Vulnerability
BugTraq ID: 18064
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18064
Summary:
Retrospect Client for Windows is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to properly verify user-supplied input before copying it into a finite-sized buffer.

Successful exploits may result in memory corruption leading to a denial-of-service condition or arbitrary code execution.

Retrospect 7.5 Client for Windows is reported vulnerable. Other versions may be affected as well.

69. Computer Associates Scan Job Format String Vulnerability
BugTraq ID: 18689
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18689
Summary:
Multiple Computer Associates applications are prone to a format-string vulnerability because they fail to properly sanitize user-supplied input. The following applications are vulnerable:

- CA Integrated Threat Management r8
- eTrust Antivirus r8
- eTrust PestPatrol Anti-spyware Corporate Edition r8

A successful attack may crash the application or lead to arbitrary code execution. This may facilitate unauthorized access or privilege escalation.

70. Computer Associates Unicenter Remote Control DM Primer Remote Denial of Service Vulnerability
BugTraq ID: 16276
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16276
Summary:
Computer Associates Unicenter Remote Control DM Primer is prone to a denial-of-service vulnerability.

Attackers may trigger a denial of service due to a hang. Note that an attacker may easily spoof source IP addresses because the service uses UDP.

71. Computer Associates iTechnology iGateway Service Content-Length Heap Overflow Vulnerability
BugTraq ID: 16354
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16354
Summary:
The iGateway component of various Computer Associates products allows remote attackers to execute arbitrary code by exploiting a heap-overflow vulnerability.

The attacker can trigger the vulnerability by supplying a negative HTTP Content-Length value and a large URI to the service.

A successful attack can result in corrupting process memory and the execution of arbitrary code with SYSTEM privileges on Windows platforms. The vendor has reported that this issue triggers only a denial-of-service condition on other platforms.

Products containing iGateway 4.0.051230 are vulnerable to this issue.

72. Cisco IOS SSL Packets Multiple Denial Of Service Vulnerabilities
BugTraq ID: 24097
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24097
Summary:
Cisco IOS is prone to multiple denial-of-service vulnerabilities because it fails to handle malformed SSL packets.

Attackers can exploit these issues to cause denial-of-service conditions on an affected device.

NOTE: Attackers can exploit these issues only via an established TCP connection, but only prior to security authentication. An attacker can, however, interrupt a secure session and inject malicious packets when a new session is started. Due to these factors, the likelihood of successful attacks is reduced.

73. Symantec AntiVirus Scan Engine Multiple Remote Vulnerabilities
BugTraq ID: 17637
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17637
Summary:
Symantec AntiVirus Scan Engine is susceptible to multiple remote vulnerabilities.

These issues allow remote attackers to:
- bypass authentication and gain complete control of the application
- conduct man-in-the-middle attacks
- gain access to the potentially sensitive contents of arbitrary files contained in the application's installation directory

Version 5.0 of Symantec AntiVirus Scan Engine is affected by these vulnerabilities.

74. Symantec LiveUpdate for Macintosh Local Privilege Escalation Vulnerability
BugTraq ID: 17571
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/17571
Summary:
Symantec LiveUpdate for Macintosh is prone to a local privilege-escalation vulnerability. This issue is due to the application's failure to properly use the PATH environment variable in some of its components.

A successful exploit allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer.

75. Symantec Sygate Management Server SMS Authentication Servlet SQL Injection Vulnerability
BugTraq ID: 16452
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16452
Summary:
Symantec Sygate Management Server is prone to an SQL-injection vulnerability.

The vulnerability specifically affects the SMS Authentication Servlet component of the server.

A remote attacker can pass malicious input to database queries through HTTP GET requests, resulting in modification of query logic or other attacks.

This issue can allow attackers to overwrite the password of any account on the server. This can facilitate a complete compromise if the attacker can overwrite the administrator password.

76. Symantec Multiple Products SymEvent Driver Local Denial of Service Vulnerability
BugTraq ID: 20051
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/20051
Summary:
Multiple Symantec products are prone to a local denial-of-service vulnerability. This issue occurs when attackers send malformed data to the 'SymEvent' driver.

A local authenticated attacker may exploit this issue to crash affected computers, denying service to legitimate users.

Please see the vulnerable systems section for details regarding affected Symantec products.

77. Symantec Mail Security for Domino Server Premium AntiSpam Email Relay Vulnerability
BugTraq ID: 19866
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19866
Summary:
Symantec Mail Security for Domino Server Premium AntiSpam may allow remote attackers to employ a vulnerable server as a spam relay.

Exploiting this issue can cause the Domino Server protected by Symantec Mail Security to accept and relay email messages that are addressed to a specific non-RFC-compliant SMTP email address.

An attacker may leverage this issue to send unsolicited bulk email or spam to users.

Symantec Mail Security for Domino Server 5.1.0 is affected by this vulnerability.

78. Symantec Enterprise Security Manager Denial of Service Vulnerability
BugTraq ID: 19580
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19580
Summary:
Symantec Enterprise Security Manager is prone to a denial-of-service vulnerability; fixes are available.

Symantec Enterprise Security Manager is prone to a race condition that can cause the application to lock up, resulting in a denial of service.

ESM Agent and Manager Platforms 6.0-6.5x are affected by this vulnerability.

79. NCTAudioStudio2 ActiveX Control NCTWavChunksEditor.DLL Arbitrary File Overwrite Vulnerability
BugTraq ID: 24656
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24656
Summary:
NCTsoft NCTAudioStudio2 ActiveX control is prone to a vulnerability that lets attackers overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

This issue affects NCTsoft 2.6.1.148; other versions may also be affected.

80. Symantec NetBackup PureDisk Authentication Bypass Vulnerability
BugTraq ID: 19524
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19524
Summary:
Symantec NetBackup PureDisk is prone to an authentication-bypass vulnerability.

An attacker may exploit this issue to gain administrative access to the vulnerable application and to the underlying operating system.

To exploit this issue, the attacker must have valid authentication credentials to access the network.

81. RealPlayer/HelixPlayer ParseWallClockValue Function Buffer Overflow Vulnerability
BugTraq ID: 24658
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24658
Summary:
RealPlayer and HelixPlayer are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

This issue affects version 10.5-GOLD for both RealPlayer and HelixPlayer; other versions may also be affected.

82. Symantec Brightmail AntiSpam Control Center Multiple Vulnerabilities
BugTraq ID: 19182
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19182
Summary:
Symantec Brightmail AntiSpam is prone to multiple vulnerabilities, including an unauthorized-access vulnerability, a directory-traversal vulnerability, and a denial-of-service vulnerability.

An attacker can exploit these issues to expose potentially sensitive information, overwrite existing data, or cause the application to hang, effectively denying service to legitimate users.

83. Sun Solaris Netscape Portable Runtime API Local Privilege Escalation Vulnerability
BugTraq ID: 20471
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/20471
Summary:
The Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.

A successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer.

Version 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.

84. Sun Solaris Format(1M) Local Privilege Escalation Vulnerability
BugTraq ID: 19647
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19647
Summary:
Sun Solaris is prone to a local privilege-escalation vulnerability.

A successful exploit would allow an attacker to write device files to local disks with superuser privileges.

85. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
BugTraq ID: 20246
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/20246
Summary:
OpenSSL is prone to a denial-of-service vulnerability.

A malicious server could cause a vulnerable client application to crash, effectively denying service.

86. Sun Solaris N1 Grid Engine Multiple Local Vulnerabilities
BugTraq ID: 19218
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19218
Summary:
N1 Grid Engine is prone to multiple local vulnerabilities.

An unprivileged local attacker may be able to trigger the following vulnerabilities:

- A denial-of-service condition by shutting down the grid service.
- An unspecified buffer-overflow vulnerability.

Successful exploits of these vulnerabilities may allow local attackers to execute arbitrary machine code resulting in privilege escalation or to deny service to legitimate users.

87. Sun Solaris Net Mount Point Denial of Service Vulnerability
BugTraq ID: 19085
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19085
Summary:
Sun Solaris is prone to a local denial-of-service vulnerability.

An attacker can use the '/net' mountpoint (or any mount point that uses the '-hosts' special map) in a manner that causes a system panic.

88. Sun Solaris LibsLDAP NSCD Local Denial of Service Vulnerability
BugTraq ID: 24654
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24654
Summary:
The Solaris 'libsldap' library is prone to a local denial-of-service vulnerability.

An attacker may be able to exploit this issue to disable the Name Service Caching Daemon (NSCD).

89. Sun Solaris Event Port API Denial of Service Vulnerability
BugTraq ID: 19081
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19081
Summary:
Sun Solaris is prone to a local denial-of-service vulnerability.

An attacker can execute an application that calls the event-port API in a manner that causes a system panic.

90. OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
BugTraq ID: 20249
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/20249
Summary:
OpenSSL is prone to a buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successfully exploiting this issue may result in the execution of arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users.

91. Sun Solaris Kernel Debugger KMDB(1) Local Denial of Service Vulnerability
BugTraq ID: 19080
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19080
Summary:
Sun Solaris is prone to a local denial-of-service vulnerability.

An attacker can trigger a kernel panic by loading the kernel debugger 'kmdb(1)' on an x86 system.

92. Sun Solaris 10 Kernel Patches Denial of Service Vulnerability
BugTraq ID: 19064
Remote: No
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/19064
Summary:
Sun Solaris 10 is prone to a denial-of-service vulnerability.

The vendor has reported that local users on affected computers may trigger kernel panics, corrupt kernel memory, crash applications, or corrupt system files. This issue arises subsequent to the installation of certain kernel patches issued by the vendor.

A successful attack may allow attackers to trigger denial-of-service conditions.

93. Sun Solaris NIS Server YPServ Unspecified Denial of Service Vulnerability
BugTraq ID: 18972
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18972
Summary:
Sun Solaris NIS Server 'ypserv' is prone to a denial-of-service vulnerability.

The cause of this issue is currently unknown.

Sun Solaris 8, 9, and 10 are vulnerable.

94. E107 Signup.PHP Arbitrary File Upload Vulnerability
BugTraq ID: 24609
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24609
Summary:
e107 is prone to an arbitrary-file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to upload PHP script code and execute it in the context of the webserver process.

This issue affects e107 0.7.8; prior versions may also be vulnerable.

Reports indicate that this may not be an issue if the '/e107_admin/filetypes_.php' script is properly configured. By default, this script does not allow 'PHP' files to be uploaded.

95. Warzone Long File Name Buffer Overflow Vulnerability
BugTraq ID: 24650
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24650
Summary:
Warzone 2100 Resurrection is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

This issue affects Warzone 2100 Resurrection 2.0.6; other versions may also be affected.

96. HP System Management Homepage Unspecified Directory Traversal Vulnerability
BugTraq ID: 16876
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16876
Summary:
HP System Management Homepage (SMH) is prone to an unspecified directory-traversal vulnerability. This issue is most likely due to a failure in the application to properly sanitize user-supplied input.

Presumably, an attacker can exploit this issue to retrieve arbitrary files in the context of the affected application. This issue may also permit the overwriting of arbitrary files.

The exact nature of this vulnerability is not currently known; this BID will be updated as further information becomes available.

This issue affects HP SMH only on the Microsoft Windows platform.

This issue is likely similar to the one described in BID 16571 (HP Systems Insight Manager Unspecified Directory Traversal Vulnerability), possibly due to code reuse among products.

97. Microsoft Excel File Rebuilding Remote Code Execution Vulnerability
BugTraq ID: 18938
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/18938
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Successfully exploiting this issue allows attackers to corrupt process memory and to execute arbitrary code in the context of targeted users.

Note that Microsoft Office applications include functionality to embed Office files as objects contained in other Office files. As an example, Microsoft Word files may contain embedded malicious Microsoft Excel files, making Word documents another possible attack vector.

98. SILC Toolkit Multiple Unspecified Vulnerabilities
BugTraq ID: 24647
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24647
Summary:
SILC Toolkit is prone to multiple unspecified vulnerabilities.

No further details are currently available. We will update this BID as more information emerges.

Versions prior to SILC Toolkit 1.1.1 are vulnerable to these issues.

99. OpenSSH SCP Shell Command Execution Vulnerability
BugTraq ID: 16369
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/16369
Summary:
OpenSSH is prone to an SCP shell command-execution vulnerability because the application fails to properly sanitize user-supplied input before using it in a 'system()' function call.

This issue allows attackers to execute arbitrary shell commands with the privileges of users executing a vulnerable version of SCP.

This issue reportedly affects OpenSSH 4.2; other versions may also be affected.

100. PHPVideoPro Unspecified Vulnerability
BugTraq ID: 24644
Remote: Yes
Last Updated: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24644
Summary:
phpVideoPro is prone to an unspecified vulnerability.

Few technical details are currently available. We will update this BID as more information emerges.

This issue affects versions prior to phpVideoPro 0.8.8.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Lawmakers worry over gov't network breaches
By: Robert Lemos
Hearings on the Hill reveal a significant number of security breaches at the Departments of Commerce, Defense, Homeland Security, State and Energy.
http://www.securityfocus.com/news/11472

2. Amero case spawns effort to educate
By: Robert Lemos
Following a judge's ruling to throw out a verdict based on faulty digital forensics, a group of security professionals, legal experts and educators look to the future.
http://www.securityfocus.com/news/11471

3. Group: Anti-hacking laws can hobble Net security
By: Robert Lemos
A working group of security researchers, digital-rights activists and government prosecutors discuss whether bug hunters can find vulnerabilities in Web sites without violating laws.
http://www.securityfocus.com/news/11470

4. Judge nixes teacher's conviction on porn pop-ups
By: Robert Lemos
A Connecticut judge grants a new trial for substitute teacher Julie Amero, saying that forensics information discovered after her conviction has direct bearing on her case.
http://www.securityfocus.com/news/11469

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
1. ARAKIS early warning system public web interface
http://www.securityfocus.com/archive/75/471935

2. Suspicious files in /tmp
http://www.securityfocus.com/archive/75/471627

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Exotic vulnerability
http://www.securityfocus.com/archive/82/472390

2. creating a "cc" opcode from ASCII shell code
http://www.securityfocus.com/archive/82/472028

3. vulnerabilities in this code chunk
http://www.securityfocus.com/archive/82/472027

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message, to which you will have to reply. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics

