Thursday, September 27, 2007

SecurityFocus Newsletter #420
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack"- White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise confidential information, steal cookies and create requests that can be mistaken for those of a valid user!! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/xss.asp?Campaign_ID=70160000000D3WW


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Windows Anti-Debug Reference
2. VoIP Hopping: A Method of Testing VoIP security or Voice VLANs
II. BUGTRAQ SUMMARY
1. Linux Kernel Ptrace Local Privilege Escalation Vulnerability
2. Cisco Catalyst 6500 and Cisco 7600 Loopback Access Control Bypass Vulnerability
3. Linux Kernel PTrace NULL Pointer Dereference Local Denial Of Service Vulnerability
4. Microsoft Live Messenger Shared Files Denial of Service Vulnerability
5. ChironFS File Creation Local Privilege Escalation Vulnerability
6. ebCrypt ActiveX Control SaveToFile Arbitrary File Overwrite Vulnerability
7. VMware Workstation DHCP Server Multiple Remote Code Execution Vulnerabilities
8. LevelOne WBR3404TX Broadband Router RC Parameter Cross Site Scripting Vulnerabilities
9. KDE KDM Unspecified Password Authentication Bypass Vulnerability
10. MPlayer AVIHeader.C Heap Based Buffer Overflow Vulnerability
11. DFD Cart Multiple Remote File Include Vulnerabilities
12. Urchin session.cgi Cross-Site Scripting Vulnerability
13. Nuke Mobile Entertainment Compatible.PHP Local File Include Vulnerability
14. ADOdb Lite AdodB-Perf-Module.Inc.PHP Remote Code Execution Vulnerability
15. Helplink Show.PHP Remote File Include Vulnerability
16. phpFullAnnu mod Parameter SQL Injection Vulnerability
17. Balsa Fetch Command Remote Stack Buffer Overflow Vulnerability
18. KDE Konqueror Address Bar URI Spoofing Vulnerability
19. KDE Konqueror SetInterval Function Address Bar URI Spoofing Vulnerability
20. ISC BIND 9 Remote Cache Poisoning Vulnerability
21. HP-UX Logins Command Remote Unauthorized Access Vulnerability
22. PHPBB2 Plus Language Packs PHPBB_Root_Path Parameter Multiple Remote File Include Vulnerabilities
23. PHPBB Plus German Language Pack PHPBB_Root_Path Parameter Remote File Include Vulnerability
24. Webmin Unspecified Command Execution Vulnerability
25. Sun Java System Server XSLT Processing Remote Java Method Execution Vulnerability
26. Sun JSSE SSL/TLS Handshake Processing Denial Of Service Vulnerability
27. Microsoft XML Core Services SubstringData Integer Overflow Vulnerability
28. Flatnuke Cross-Site Request Forgery Vulnerability
29. Computer Associates BrightStor Hierarchical Storage Manager CsAgent Multiple Remote Vulnerabilities
30. IntegraMOD Nederland phpbb_root_path Remote File Include Vulnerability
31. lustig.cms Forum.PHP Remote File Include Vulnerability
32. Novus Buscar.ASP Cross-Site Scripting Vulnerability
33. NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability
34. FileZilla Options And QueueCTRL Modules Multiple Unspecified Buffer Overflow Vulnerabilities
35. Tcl/Tk ReadImage Buffer Overflow Vulnerability
36. Xen pygrub TOOLS/PYGRUB/SRC/GRUBCONF.PY Local Command Injection Vulnerability
37. NukeSentinel NSBypass.PHP SQL Injection Vulnerability
38. F-Secure Anti-Virus for Windows Servers Malware Detection Bypass Vulnerability
39. GNU Tar Dot_Dot Function Remote Directory Traversal Vulnerability
40. GIMP Multiple File Plugins Multiple Remote Denial of Service Vulnerabilities
41. File Multiple Denial of Service Vulnerabilities
42. RETIRED: Anders Møller JWIG Template Remote Denial Of Service Vulnerability
43. IBM Tivoli Storage Manager Client Multiple Vulnerabilities
44. Chupix CMS Header.PHP Remote File Include
45. OpenSSL SSL_Get_Shared_Ciphers Off-by-One Buffer Overflow Vulnerability
46. NukeSentinel NukeSentinel.PHP Admin Cookie Variant SQL Injection Vulnerability
47. Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability
48. Microsoft Windows Explorer PNG Image Local Denial Of Service Vulnerability
49. Freeside cust_bill_event.cgi Cross-Site Scripting Vulnerability
50. GreenSQL Web Management Tool Multiple HTML Injection Vulnerabilities
51. Novus Notas.ASP SQL Injection Vulnerability
52. WebYep Webyep_SIncludePath Parameter Multiple Remote File Include Vulnerabilities
53. PHP ZendEngine Variable Destruction Remote Denial of Service Vulnerability
54. PHP Chunk_Split() Function Integer Overflow Vulnerability
55. PHP 5.2.3 and Prior Versions Multiple Vulnerabilities
56. PHP EXT/Session HTTP Response Header Injection Vulnerability
57. GD Graphics Library PNG File Processing Denial of Service Vulnerability
58. PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities
59. PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability
60. GNU Image Manipulation Program Multiple Integer Overflow Vulnerabilities
61. GIMP PSD File Integer Overflow Vulnerability
62. Apache Tomcat Host Manager Servlet Cross Site Scripting Vulnerability
63. Apache Tomcat Multiple Remote Information Disclosure Vulnerabilities
64. Bugzilla User.PM Unauthorized Account Creation Security Bypass Vulnerability
65. FrontAccounting Multiple Remote File Include Vulnerabilities
66. Fetchmail Failed Warning Message Remote Denial of Service Vulnerability
67. APOP Protocol Insecure MD5 Hash Weakness
68. AOL Instant Messenger Notification Window Remote Script Code Execution Vulnerability
69. Sun Solaris Thread Handling Local Denial Of Service Vulnerability
70. ActiveKB Index.PHP SQL Injection Vulnerability
71. Softbiz Classifieds store_info.PHP SQL Injection Vulnerability
72. ELinks HTTPS POST Request Information Disclosure Weakness
73. IBM Rational ClearQuest Data Corruption Denial of Service Vulnerability
74. SimpNews Multiple Cross-Site Scripting Vulnerabilities
75. Motorola Timbuktu Pro Directory Traversal Vulnerability
76. PHP-Nuke Dance Music Module Index.PHP Local File Include Vulnerability
77. Imatix Xitami If-Modified-Since Remote Buffer Overflow Vulnerability
78. GCALDaemon Content-Length Header Denial of Service Vulnerability
79. JSPWiki Multiple Input Validation Vulnerabilities
80. Simple PHP Blog Multiple Cross-Site Scripting Vulnerabilities
81. gMotor2 Game Engine Multiple Vulnerabilities
82. OpenSSL Insecure Protocol Negotiation Weakness
83. eGroupWare CLASS.UICATEGORIES.INC.PHP Multiple Cross-Site Scripting Vulnerabilities
84. OpenSSL PKCS Padding RSA Signature Forgery Vulnerability
85. OpenSSL Montgomery Exponentiation Side-Channel Local Information Disclosure Vulnerability
86. KDE KPDF/KWord/XPDF StreamPredictor Function Stack Buffer Overflow Vulnerability
87. Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
88. libsndfile FLAC.C Buffer Overflow Vulnerability
89. Apache Mod_AutoIndex.C Undefined Charset Cross-Site Scripting Vulnerability
90. Apache HTTP Server Mod_Proxy Denial of Service Vulnerability
91. OpenOffice TIFF File Parser Multiple Integer Overflow Vulnerabilities
92. Linux Kernel CIFS Local Privilege Escalation Vulnerability
93. Linux Kernel ATM Module CLIP Support Local Denial of Service Vulnerability
94. AskJeeves Toolbar Settings Plugin ActiveX Control Remote Heap Based Buffer Overflow Vulnerability
95. Symantec Veritas Backup Exec for Windows Unspecified Vulnerability
96. ebCrypt ActiveX Control AddString Denial of Service Vulnerability
97. sk.log Log.Inc.PHP Remote File Include Vulnerability
98. Sun Solaris Human Interface Device Local Denial of Service Vulnerability
99. SimpGB Multiple Cross-Site Scripting Vulnerabilities
100. Apache Geronimo Management EJB Security Bypass Vulnerability
III. SECURITYFOCUS NEWS
1. DHS, Unisys scrutinized after data breach
2. Customers: TD Ameritrade failed to warn of breach
3. Max Vision charged with hacking -- again
4. Embassy leaks highlight pitfalls of Tor
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Sales Engineer, New York
2. [SJ-JOB] Security Director, Reston
3. [SJ-JOB] Forensics Engineer, Brisbane-Gold Coast
4. [SJ-JOB] Certification & Accreditation Engineer, McLean
5. [SJ-JOB] Security System Administrator, Boulder
6. [SJ-JOB] Security Engineer, San Francisco
7. [SJ-JOB] Account Manager, Latin America Territory
8. [SJ-JOB] Sales Engineer, Chicago
9. [SJ-JOB] Customer Support, Mountain View
10. [SJ-JOB] Security Engineer, Reston
11. [SJ-JOB] CHECK Team Leader, Reading or London
12. [SJ-JOB] Security Engineer, Melbourne
13. [SJ-JOB] Account Manager, Reading or London
14. [SJ-JOB] Sr. Product Manager, Reading or London
15. [SJ-JOB] CISO, UK Wide
16. [SJ-JOB] Compliance Officer, UK Wide
17. [SJ-JOB] Management, London
18. [SJ-JOB] Compliance Officer, UK Wide
19. [SJ-JOB] Account Manager, Reston
20. [SJ-JOB] Sr. Security Engineer, Foster City
V. INCIDENTS LIST SUMMARY
1. Interesting mail sender
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Oracle 11g password algorithm revealed
2. ToorCon Final Lineup Announcement
VII. MICROSOFT FOCUS LIST SUMMARY
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Windows Anti-Debug Reference
By Nicolas Falliere
This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems.

http://www.securityfocus.com/infocus/1893

2. VoIP Hopping: A Method of Testing VoIP security or Voice VLANs
By Jason Ostrom and John Kindervag
Testing Protection Controls on a VoIP Network - A Case Study and Method
http://www.securityfocus.com/infocus/1892


II. BUGTRAQ SUMMARY
--------------------
1. Linux Kernel Ptrace Local Privilege Escalation Vulnerability
BugTraq ID: 25774
Remote: No
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25774
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability.

Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.

Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.

2. Cisco Catalyst 6500 and Cisco 7600 Loopback Access Control Bypass Vulnerability
BugTraq ID: 25822
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25822
Summary:
Cisco Catalyst 6500 and Cisco 7600 devices are prone to a vulnerability that may allow attackers to bypass access control lists (ACL).

Attackers may leverage this issue to access a device from an unauthorized remote location; this may aid in further attacks.

3. Linux Kernel PTrace NULL Pointer Dereference Local Denial Of Service Vulnerability
BugTraq ID: 25801
Remote: No
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25801
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

This issue occurs because of a NULL-pointer dereference in certain 'ptrace' operations.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

4. Microsoft Live Messenger Shared Files Denial of Service Vulnerability
BugTraq ID: 25795
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25795
Summary:
Microsoft Live Messenger is prone to a denial-of-service vulnerability because the application fails to properly bounds-check user-supplied input.

Successfully exploiting this issue allows remote attackers to crash affected applications, denying service to legitimate users. Given the nature of this issue, remote attackers may also be able to execute code, but this has not been confirmed.

Live Messenger 8.1 is vulnerable to this issue; other versions may also be affected.

5. ChironFS File Creation Local Privilege Escalation Vulnerability
BugTraq ID: 25780
Remote: No
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25780
Summary:
ChironFS is prone to a local privilege-escalation vulnerability.

An attacker could exploit this issue to execute arbitrary code with privileges of the user who mounted the filesystem.

This issue affects versions prior to ChironFS 1.0 RC7.

6. ebCrypt ActiveX Control SaveToFile Arbitrary File Overwrite Vulnerability
BugTraq ID: 25787
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25787
Summary:
ebCrypt ActiveX control is prone to an arbitrary-file-overwrite vulnerability.

An attacker can exploit this issue to overwrite arbitrary local files. This may aid in further attacks.

This issue affects ebCrypt 2.0; other versions may also be vulnerable.

7. VMware Workstation DHCP Server Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 25729
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25729
Summary:
VMware Workstation's DHCP server is prone to multiple remote code-execution issues, including a stack-based integer-underflow issue, a stack-based buffer-overflow issue, and an unspecified vulnerability.

An attacker can exploit these issues to execute arbitrary code with the privileges of the user running the affected application.

Versions prior to VMware Workstation 6.0.1 Build 55017 are vulnerable.

8. LevelOne WBR3404TX Broadband Router RC Parameter Cross Site Scripting Vulnerabilities
BugTraq ID: 25738
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25738
Summary:
The LevelOne WBR3404TX Broadband Router is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. These issues occur in the web management panel.

Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected site. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

LevelOne WBR3404TX firmware version R1.94p0vTIG is vulnerable; other versions may also be affected.

9. KDE KDM Unspecified Password Authentication Bypass Vulnerability
BugTraq ID: 25730
Remote: No
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25730
Summary:
KDM is prone to an authentication-bypass vulnerability under certain circumstances.

Attackers can exploit this issue to gain superuser privileges, resulting in the complete compromise of affected computers.

This issue affects KDM shipped with KDE 3.3.0 up to and including 3.5.7.

10. MPlayer AVIHeader.C Heap Based Buffer Overflow Vulnerability
BugTraq ID: 25648
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25648
Summary:
MPlayer is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input data.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed attacks will result in denial-of-service conditions.

MPlayer 1.0rc1 is vulnerable; other versions may also be affected.

NOTE: The vendor states that this issue is present only on operating systems with a 'calloc' implementation that is prone to an integer-overflow issue.

11. DFD Cart Multiple Remote File Include Vulnerabilities
BugTraq ID: 25775
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25775
Summary:
DFD Cart is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects DFD Cart 1.1; other versions may also be affected.

12. Urchin session.cgi Cross-Site Scripting Vulnerability
BugTraq ID: 25788
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25788
Summary:
Urchin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

13. Nuke Mobile Entertainment Compatible.PHP Local File Include Vulnerability
BugTraq ID: 25784
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25784
Summary:
Nuke Mobile Entertainment is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.

This issue affects Nuke Mobile Entertainment 1; other versions may also be vulnerable.

14. ADOdb Lite AdodB-Perf-Module.Inc.PHP Remote Code Execution Vulnerability
BugTraq ID: 25768
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25768
Summary:
ADOdb Lite is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary PHP code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

15. Helplink Show.PHP Remote File Include Vulnerability
BugTraq ID: 25782
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25782
Summary:
Helplink is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Helplink 0.1.0; other versions may also be vulnerable.

16. phpFullAnnu mod Parameter SQL Injection Vulnerability
BugTraq ID: 25779
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25779
Summary:
phpFullAnnu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects phpFullAnnu 6.0; other versions may also be affected.

17. Balsa Fetch Command Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 25777
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25777
Summary:
Balsa is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

This issue affects the application's IMAP functionality.

An attacker can exploit this issue to execute arbitrary machine code within the context of the user running the application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to Balsa 2.3.20 are vulnerable.

18. KDE Konqueror Address Bar URI Spoofing Vulnerability
BugTraq ID: 24912
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/24912
Summary:
KDE Konqueror is affected by a URI-spoofing vulnerability because it fails to adequately handle user-supplied data.

An attacker may leverage this issue by padding the URI and inserting arbitrary content to spoof the source URI of a file presented to an unsuspecting user. This may lead to a false sense of trust because the victim may be presented with a source URI of a trusted site while interacting with the attacker's malicious site.

Konqueror 3.5.7 is vulnerable; other versions may also be affected.

NOTE: This issue also affects the Opera browser. This BID originally tracked the issue for both products but has been split into two separate BIDs. The issue affecting Opera is now being tracked as BID 24917.

19. KDE Konqueror SetInterval Function Address Bar URI Spoofing Vulnerability
BugTraq ID: 25219
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25219
Summary:
KDE Konqueror is affected by a URI-spoofing vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to display arbitrary content while displaying the URL of a trusted website in the address bar. This may lead to a false sense of trust because the victim may be presented with a source URI of a trusted site while interacting with the attacker's malicious site.

Konqueror 3.5.7 is vulnerable; other versions may also be affected.

20. ISC BIND 9 Remote Cache Poisoning Vulnerability
BugTraq ID: 25037
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25037
Summary:
BIND 9 is prone to a remote cache-poisoning vulnerability because of a weakness in its random number generator.

An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.

Versions up to BIND 9.4.1 are vulnerable to this issue.

21. HP-UX Logins Command Remote Unauthorized Access Vulnerability
BugTraq ID: 25740
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25740
Summary:
HP-UX is prone to a remote unauthorized-access vulnerability because the software fails to properly report password status to administrators.

Malicious users may exploit this issue to gain unauthorized access to computers because administrators may not have sufficient knowledge of their account status.

22. PHPBB2 Plus Language Packs PHPBB_Root_Path Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 25776
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25776
Summary:
phpBB2 Plus is prone to multiple remote file-include vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

Versions prior to phpBB2 Plus 1.53a are affected.

23. PHPBB Plus German Language Pack PHPBB_Root_Path Parameter Remote File Include Vulnerability
BugTraq ID: 25737
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25737
Summary:
phpBB Plus is prone to a remote file-include vulnerability when the German language pack is installed, because the application fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects phpBB Plus 1.53; other versions may also be vulnerable.

24. Webmin Unspecified Command Execution Vulnerability
BugTraq ID: 25773
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/25773
Summary:
Webmin is prone to a vulnerability that allows attackers to execute arbitrary commands.

An attacker may leverage this issue to run arbitrary commands on an affected computer with the privileges of the application. This can lead to privilege escalation or other attacks.

Versions prior to Webmin 1.370 are vulnerable to this issue.

25. Sun Java System Server XSLT Processing Remote Java Method Execution Vulnerability
BugTraq ID: 24850
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/24850
Summary:
Sun Java System Web Servers and Application Servers are prone to a vulnerability that lets attackers execute arbitrary Java methods. This issue occurs because the application fails to securely process XSLT stylesheets.

Successfully exploiting this issue may allow remote attackers to execute arbitrary Java methods, aiding them in further attacks.

Sun Java System Web Server 7.0 for the following operating systems is affected:
- Sun Solaris SPARC and x86 platforms
- Linux
- Microsoft Windows
- HP-UX

Sun Java System Application Server Platform and Enterprise Editions 8.2 and Platform Edition 9.0 for the following operating systems are also affected:
- Sun Solaris SPARC and x86 platforms
- Linux
- Microsoft Windows

26. Sun JSSE SSL/TLS Handshake Processing Denial Of Service Vulnerability
BugTraq ID: 24846
Remote: Yes
Last Updated: 2007-09-24
Relevant URL: http://www.securityfocus.com/bid/24846
Summary:
The Sun JSSE (Java Secure Socket Extension) is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the computer, denying access to legitimate users.

27. Microsoft XML Core Services SubstringData Integer Overflow Vulnerability
BugTraq ID: 25301
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25301
Summary:
Microsoft XML Core Services is prone to an integer-overflow vulnerability because the application fails to ensure that integer values are not overrun.

Attackers can exploit this issue by enticing unsuspecting users to view malicious web content. Specially crafted scripts could issue requests to MSXML that trigger memory corruption.

Successfully exploiting this issue allows remote attackers to corrupt heap memory and execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

28. Flatnuke Cross-Site Request Forgery Vulnerability
BugTraq ID: 25817
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25817
Summary:
Flatnuke is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to use a victim's currently active session to perform actions with the application.

This issue affects Flatnuke 2.6.1 and 2.6; other versions may also be affected.

29. Computer Associates BrightStor Hierarchical Storage Manager CsAgent Multiple Remote Vulnerabilities
BugTraq ID: 25823
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25823
Summary:
Computer Associates BrightStor Hierarchical Storage Manager is prone to multiple remote vulnerabilities.

A remote attacker may exploit these issues to execute arbitrary code with SYSTEM-level privileges. Successful exploits can result in a complete compromise of affected computers. Other attacks and failed exploit attempts may also cause denial-of-service conditions.

BrightStor Hierarchical Storage Manager r11.5 is affected.

30. IntegraMOD Nederland phpbb_root_path Remote File Include Vulnerability
BugTraq ID: 25832
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25832
Summary:
IntegraMOD Nederland is prone to a remote file-include vulnerability because the application fails to properly sanitize user-supplied input before using it in a PHP 'include()' function call.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process.

This issue affects IntegraMOD Nederland 1.4.2; other versions may also be vulnerable.

31. lustig.cms Forum.PHP Remote File Include Vulnerability
BugTraq ID: 25833
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25833
Summary:
lustig.cms is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

lustig.cms beta 2.5.2 is vulnerable; other versions may also be affected.

32. Novus Buscar.ASP Cross-Site Scripting Vulnerability
BugTraq ID: 25828
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25828
Summary:
Novus is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

33. NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability
BugTraq ID: 25827
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25827
Summary:
NukeSentinel is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NukeSentinel 2.5.11 is vulnerable; other versions may also be affected.

34. FileZilla Options And QueueCTRL Modules Multiple Unspecified Buffer Overflow Vulnerabilities
BugTraq ID: 22057
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/22057
Summary:
FileZilla is prone to multiple unspecified buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit these issues to run arbitrary code in the context of the application. Failed attempts could crash the application and deny service to legitimate users.

Versions prior to 2.2.30a are vulnerable.

35. Tcl/Tk ReadImage Buffer Overflow Vulnerability
BugTraq ID: 25826
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25826
Summary:
Tcl/Tk is prone to a buffer-overflow vulnerability that resides in the Tk library shipped with Tcl.

An attacker can exploit this issue to execute arbitrary code or cause denial-of-service conditions in applications implementing the affected library.

Versions prior to Tcl/Tk 8.4.16 are vulnerable to this issue.

36. Xen pygrub TOOLS/PYGRUB/SRC/GRUBCONF.PY Local Command Injection Vulnerability
BugTraq ID: 25825
Remote: No
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25825
Summary:
Xen is prone to a local command-injection vulnerability that can lead to privilege escalation.

This issue occurs because the application fails to validate input in the 'tools/pygrub/src/GrubConf.py' script.

This vulnerability affects Xen 3.0.3; other versions may be affected as well.

37. NukeSentinel NSBypass.PHP SQL Injection Vulnerability
BugTraq ID: 25805
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25805
Summary:
NukeSentinel is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NukeSentinel 2.5.11 is vulnerable; other versions may also be affected.

38. F-Secure Anti-Virus for Windows Servers Malware Detection Bypass Vulnerability
BugTraq ID: 25824
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25824
Summary:
F-Secure Anti-Virus for Windows Servers is prone to a vulnerability that may allow certain malware to bypass detection.

An attacker may exploit this issue by placing maliciously crafted archives or packed executables in specific locations on a victim's computer.

Successful exploits will allow attackers to place on the computer malicious code that the antivirus application will fail to detect. If this code is subsequently run, this may result in a malware infection.

F-Secure Anti-Virus for Windows Servers 7.0 is affected by this issue.

39. GNU Tar Dot_Dot Function Remote Directory Traversal Vulnerability
BugTraq ID: 25417
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25417
Summary:
GNU Tar is prone to a directory-traversal vulnerability because the application fails to validate user-supplied data.

A successful attack can allow the attacker to overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.
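The check below is an added example, not GNU tar's code: it refuses an archive before extraction when any member name, or any link target, would resolve outside the destination directory, which is the class of flaw this entry describes. The archive it inspects is constructed in memory for the demonstration and every entry in it is made up.

```python
# Added example, not GNU tar's code: a pre-extraction check for member names
# and link targets that would land outside the extraction root. The archive
# is built in memory for the demo; every entry in it is made up.
import io
import posixpath
import tarfile


def escapes_destination(path):
    """True if a member path (or link target) could land outside the extraction root.

    Conservative on purpose: absolute paths, Windows drive letters and any '..'
    component are refused, even 'a/../b', which a normaliser would accept.
    Backslashes count as separators because extractors on Windows honour them.
    """
    if not path or path[0] in "/\\":
        return True
    if len(path) > 1 and path[1] == ":" and path[0].isalpha():
        return True
    return ".." in path.replace("\\", "/").split("/")


def unsafe_members(tar):
    """(name, reason) for each member that must not be extracted as-is."""
    bad = []
    for m in tar.getmembers():
        if escapes_destination(m.name):
            bad.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            # a symlink target is relative to the link's own directory; a hard
            # link target is relative to the archive root
            if m.islnk():
                target = m.linkname
            else:
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
            if escapes_destination(target):
                bad.append((m.name, "link target escapes destination"))
    return bad


def safe_extractall(tar, dest):
    """All-or-nothing: refuse the whole archive if any member fails the check.

    Refusing everything also covers members such as 'pkg/link/passwd' below,
    whose own name is clean but which would be written through a bad symlink.
    On Python 3.12+ prefer tar.extractall(dest, filter="data"), which applies
    similar rules inside tarfile itself.
    """
    problems = unsafe_members(tar)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(f"{n} ({why})" for n, why in problems))
    tar.extractall(dest)


def build_demo_archive():
    """Constructed archive: one benign file plus the traversal shapes the check must catch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", **attrs):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            for key, value in attrs.items():
                setattr(info, key, value)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("pkg/README", b"harmless\n")
        add("pkg/../../.bashrc", b"evil\n")                              # dot-dot component
        add("/etc/cron.d/job", b"evil\n")                                # absolute path
        add("pkg/link", type=tarfile.SYMTYPE, linkname="../../../etc")  # link out of the tree
        add("pkg/link/passwd", b"evil\n")                                # written through the link
    buf.seek(0)
    return buf


def check_demo_archive():
    """Run the check over the constructed archive and return what it flags."""
    with tarfile.open(fileobj=build_demo_archive(), mode="r") as tar:
        return unsafe_members(tar)


if __name__ == "__main__":
    for name, why in check_demo_archive():
        print(f"{name}: {why}")
```

The check is deliberately stricter than path normalisation: an archive that needs `..` anywhere in a member name is unusual enough that refusing it costs little, and a normaliser is exactly the kind of code that gets the edge cases wrong.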

40. GIMP Multiple File Plugins Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 25424
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25424
Summary:
GIMP is prone to multiple denial-of-service vulnerabilities because the application fails to perform sufficient validation on user-supplied data.

An attacker could exploit these issues to crash the affected application, denying service to legitimate users.

41. File Multiple Denial of Service Vulnerabilities
BugTraq ID: 24146
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/24146
Summary:
The 'file' utility is prone to multiple denial-of-service vulnerabilities because it fails to handle exceptional conditions.

An attacker could exploit these issues by enticing a victim to open a specially crafted file, causing a denial-of-service condition. Arbitrary code execution may be possible, but Symantec has not confirmed this.

42. RETIRED: Anders Møller JWIG Template Remote Denial Of Service Vulnerability
BugTraq ID: 24974
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/24974
Summary:
Anders Møller JWIG is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause denial-of-service conditions and to execute loop control statements in the browser context of a victim user.

Anders Møller JWIG 1.1-1 is vulnerable; prior versions may also be affected.

NOTE: This BID is being retired because further investigation shows that JWIG is not vulnerable to this issue.

43. IBM Tivoli Storage Manager Client Multiple Vulnerabilities
BugTraq ID: 25743
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25743
Summary:
IBM Tivoli Storage Manager client is prone to multiple vulnerabilities that can allow attackers to crash the client, execute arbitrary code in the context of the application, or gain unauthorized access to a client's data.

These issues affect Tivoli Storage Manager client 5.1, 5.2, 5.3, and 5.4.

44. Chupix CMS Header.PHP Remote File Include
BugTraq ID: 25835
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25835
Summary:
Chupix CMS is prone to a remote file-include vulnerability because the application fails to properly sanitize user-supplied input before using it in a PHP 'include()' function call.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process.

This issue affects Chupix CMS 0.2.3; other versions may also be vulnerable.

45. OpenSSL SSL_Get_Shared_Ciphers Off-by-One Buffer Overflow Vulnerability
BugTraq ID: 25831
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25831
Summary:
OpenSSL is prone to an off-by-one buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of applications that use the affected library, but this has not been confirmed. Failed exploit attempts may crash applications, denying service to legitimate users.

NOTE: This issue was introduced in the fix for the vulnerability described in BID 20249 (OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability).

46. NukeSentinel NukeSentinel.PHP Admin Cookie Variant SQL Injection Vulnerability
BugTraq ID: 25830
Remote: Yes
Last Updated: 2007-09-27
Relevant URL: http://www.securityfocus.com/bid/25830
Summary:
NukeSentinel is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NukeSentinel 2.5.12 is vulnerable; other versions may also be affected.

NOTE: This issue may be related to a fix for NukeSentinel as documented in BID 25827 (NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability).

47. Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability
BugTraq ID: 25807
Remote: No
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25807
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain portions of kernel memory. Information harvested may aid in further attacks.

Versions of the Linux kernel prior to 2.6.22.8 are vulnerable.

48. Microsoft Windows Explorer PNG Image Local Denial Of Service Vulnerability
BugTraq ID: 25816
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25816
Summary:
Microsoft Windows Explorer is prone to a denial-of-service vulnerability because it fails to handle malformed PNG image files.

Attackers can exploit this issue to cause Windows Explorer to exhaust CPU cycles and become unresponsive.

49. Freeside cust_bill_event.cgi Cross-Site Scripting Vulnerability
BugTraq ID: 25811
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25811
Summary:
Freeside is prone to a cross-site scripting vulnerability.

Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow attackers to steal cookie-based authentication credentials and launch other attacks.

This issue affects Freeside v1.7.2; other versions may also be affected.

50. GreenSQL Web Management Tool Multiple HTML Injection Vulnerabilities
BugTraq ID: 25767
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25767
Summary:
GreenSQL is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

These issues affect GreenSQL 0.2.2; prior versions may also be affected.

51. Novus Notas.ASP SQL Injection Vulnerability
BugTraq ID: 25815
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25815
Summary:
Novus is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Novus 1.0; other versions may also be affected.

52. WebYep Webyep_SIncludePath Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 20406
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/20406
Summary:
WebYep is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application and the underlying system; other attacks are also possible.

WebYep 1.1.9 and prior versions are affected by these issues.

53. PHP ZendEngine Variable Destruction Remote Denial of Service Vulnerability
BugTraq ID: 22764
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/22764
Summary:
PHP is prone to a denial-of-service vulnerability because it fails to properly sanitize user-supplied input.

An attacker who can run PHP code on a vulnerable computer may exploit this vulnerability to crash PHP and the webserver, denying service to legitimate users.

This issue affects all versions of PHP.

54. PHP Chunk_Split() Function Integer Overflow Vulnerability
BugTraq ID: 24261
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/24261
Summary:
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.

Attackers may be able to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects versions prior to PHP 5.2.3.

55. PHP 5.2.3 and Prior Versions Multiple Vulnerabilities
BugTraq ID: 25498
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25498
Summary:
PHP 5.2.3 and prior versions are prone to multiple security vulnerabilities. Successful exploits could allow an attacker to bypass security restrictions, cause a denial-of-service condition, and potentially execute code.

56. PHP EXT/Session HTTP Response Header Injection Vulnerability
BugTraq ID: 24268
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/24268
Summary:
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input.

An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.

This issue affects PHP 5.2.3 (and prior versions) and PHP 4.4.7 (and prior versions).

57. GD Graphics Library PNG File Processing Denial of Service Vulnerability
BugTraq ID: 24089
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/24089
Summary:
The GD graphics library is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to cause denial-of-service conditions in applications that use the affected library.

GD graphics library 2.0.34 is reported vulnerable; other versions may be affected as well.

58. PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 23813
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/23813
Summary:
PHP is prone to three remote buffer-overflow vulnerabilities because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit these issues to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

All three issues affect PHP 5.2.1 and prior versions; PHP 4.4.6 and prior versions are affected only by one of the issues.

Few details are available at the moment. These issues may have been previously described in other BIDs. This record may be updated or retired if further analysis shows that these issues have been reported in the past.

59. PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability
BugTraq ID: 23818
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/23818
Summary:
PHP is prone to an HTTP-response-splitting vulnerability because it fails to sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

This issue affects these versions:

PHP 5 prior to 5.2.2
PHP 4 prior to 4.4.7.

60. GNU Image Manipulation Program Multiple Integer Overflow Vulnerabilities
BugTraq ID: 24835
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/24835
Summary:
GNU Image Manipulation Program (GIMP) is prone to multiple integer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data.

An attacker can exploit these vulnerabilities to execute arbitrary code with the privileges of the user running GIMP. Failed exploit attempts will likely cause denial-of-service conditions.

Versions prior to GIMP 2.2.16 are vulnerable.

61. GIMP PSD File Integer Overflow Vulnerability
BugTraq ID: 24745
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/24745
Summary:
GIMP is prone to an integer-overflow vulnerability because it fails to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of the affected application.

GIMP 2.2.15 is vulnerable to this issue; other versions may also be affected.

62. Apache Tomcat Host Manager Servlet Cross Site Scripting Vulnerability
BugTraq ID: 25314
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25314
Summary:
Apache Tomcat Host Manager Servlet is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to inject HTML and script code into the browser of an unsuspecting victim. The attacker may then steal cookie-based authentication credentials and launch other attacks.

Apache Tomcat 5.5.0 through 5.5.24 and 6.0.0 through 6.0.13 are affected.

63. Apache Tomcat Multiple Remote Information Disclosure Vulnerabilities
BugTraq ID: 25316
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25316
Summary:
Apache Tomcat is prone to multiple information-disclosure vulnerabilities because it fails to adequately sanitize user-supplied data.

Attackers can exploit these issues to access potentially sensitive data that may aid in further attacks.

Versions prior to Apache Tomcat 6.0.14 are vulnerable.

64. Bugzilla User.PM Unauthorized Account Creation Security Bypass Vulnerability
BugTraq ID: 25725
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25725
Summary:
Bugzilla is prone to a security-bypass vulnerability because it fails to adequately validate user-supplied input.

Attackers can exploit this issue to create Bugzilla user accounts on computers that also have the 'SOAP::Lite' Perl module installed.

NOTE: The application is vulnerable even if account creation has been disabled.

Versions prior to Bugzilla 3.0.2 and 3.1.2 are vulnerable.

65. FrontAccounting Multiple Remote File Include Vulnerabilities
BugTraq ID: 25812
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25812
Summary:
FrontAccounting is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

These issues are reported to affect FrontAccounting 1.13 and prior versions.

66. Fetchmail Failed Warning Message Remote Denial of Service Vulnerability
BugTraq ID: 25495
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25495
Summary:
Fetchmail is prone to a denial-of-service vulnerability because the application fails to handle exceptional conditions.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

This issue affects Fetchmail 4.6.8 through 6.3.8.

67. APOP Protocol Insecure MD5 Hash Weakness
BugTraq ID: 23257
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/23257
Summary:
Applications that implement the APOP protocol may be vulnerable to a password-hash weakness. This issue occurs because APOP authenticates with an MD5 hash of the server's challenge concatenated with the password, and MD5 is vulnerable to practical collision attacks.

Attackers may exploit this issue in man-in-the-middle attacks, by controlling the challenge the client hashes, to potentially recover the first three characters of passwords. This increases the likelihood of successful brute-force attacks against APOP authentication.

To limit the possibility of successful exploits, applications that implement the APOP protocol should refuse to answer a challenge unless the server's message ID is RFC-compliant.

Mozilla Thunderbird, Evolution, mutt, and fetchmail are reportedly affected by this issue.
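The code below is an added example, not the code of any client named above: it applies the safeguard this entry recommends on the client side, refusing to hash the password against a server greeting unless the challenge is a well-formed RFC 822 msg-id, and then computes the RFC 1939 APOP response. The first greeting in the test is RFC 1939's own worked example; every other greeting string is constructed for the demonstration.

```python
# Added example, not the code of any client named above: client-side APOP
# handling that checks the server challenge is an RFC-compliant msg-id before
# mixing the password into the MD5 response. Greeting strings used with it
# are constructed for the demo, apart from RFC 1939's own example.
import hashlib
import re

# RFC 1939 section 7: the timestamp "must be a msg-id" as in RFC 822, i.e.
# '<' local-part '@' domain '>' in printable ASCII with no whitespace. The
# character class below is printable ASCII minus '<', '>' and '@'.
_MSGID = re.compile(r"^<[!-;=?A-~]+@[!-;=?A-~]+>$")


def extract_challenge(greeting):
    """Return the APOP timestamp from a POP3 greeting, or None if it is not a clean msg-id."""
    if not greeting.startswith("+OK"):
        return None
    # exactly one '<' and one '>': a greeting carrying stray brackets or a
    # second msg-id is not one the client should hash its password against
    if greeting.count("<") != 1 or greeting.count(">") != 1:
        return None
    candidate = greeting[greeting.index("<"):greeting.index(">") + 1]
    return candidate if _MSGID.match(candidate) else None


def apop_digest(challenge, password):
    """RFC 1939: the response is the hex MD5 of the timestamp followed by the shared secret."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def apop_command(user, greeting, password):
    """Build 'APOP user digest', or refuse so the caller can fall back to another mechanism."""
    challenge = extract_challenge(greeting)
    if challenge is None:
        raise ValueError("greeting is not an RFC-compliant APOP challenge; not answering")
    return f"APOP {user} {apop_digest(challenge, password)}"


if __name__ == "__main__":
    print(apop_command("mrose", "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>", "tanstaaf"))
```

This is the safeguard the entry recommends and nothing more: it narrows what a man in the middle can feed into the hash, but MD5 stays in the protocol, so where the server offers TLS with a stronger authentication mechanism the client should use that instead of APOP.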

68. AOL Instant Messenger Notification Window Remote Script Code Execution Vulnerability
BugTraq ID: 25659
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25659
Summary:
AOL Instant Messenger is prone to a remote script-code-execution vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the notification window of an unsuspecting user. This may help the attacker launch other attacks.

69. Sun Solaris Thread Handling Local Denial Of Service Vulnerability
BugTraq ID: 25821
Remote: No
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25821
Summary:
Sun Solaris is prone to a local denial-of-service vulnerability because of a race condition in the affected kernel.

An attacker could exploit this issue to cause a kernel panic, denying further service to legitimate users.

70. ActiveKB Index.PHP SQL Injection Vulnerability
BugTraq ID: 25820
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25820
Summary:
ActiveKB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

71. Softbiz Classifieds store_info.PHP SQL Injection Vulnerability
BugTraq ID: 25818
Remote: Yes
Last Updated: 2007-09-26
Relevant URL: http://www.securityfocus.com/bid/25818
Summary:
Softbiz Classifieds is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
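The SQL-injection entries in this issue (NukeSentinel, Novus, ActiveKB, Softbiz Classifieds) all describe the same construction flaw: a user-supplied value spliced into the statement text. The block below is an added example, not code from any of those products; it runs the flawed pattern against an in-memory SQLite table constructed for the demonstration, beside the bound-parameter form, and also shows why escaping quotes alone is not a fix when the value lands in a numeric context.

```python
# Added example, not code from any product in this list: the query-building
# flaw behind the SQL-injection entries above, run against an in-memory SQLite
# table constructed for the demo, beside the parameterised form. Table, rows
# and payloads are all made up.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                   [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b"), ("carol", "s3cr3t-c")])
    return db


def by_name_vulnerable(db, name):
    """The flaw: the value becomes part of the statement text."""
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def by_id_escaped(db, user_id):
    """Quote-escaping only: defeats the quote trick, useless in a numeric context."""
    escaped = str(user_id).replace("'", "''")
    return db.execute(f"SELECT name FROM users WHERE id = {escaped}").fetchall()


def by_name_parameterised(db, name):
    """Bound parameter: the value is passed to the engine separately from the SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def by_id_parameterised(db, user_id):
    """Bound parameter in a numeric context; validating the input as an int is a second, separate layer."""
    return db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    db = make_db()
    tautology = "x' OR '1'='1"
    union = "x' UNION SELECT secret FROM users --"
    return {
        "vuln_tautology": by_name_vulnerable(db, tautology),    # every user
        "vuln_union": by_name_vulnerable(db, union),            # secrets leak through the name column
        "escaped_numeric": by_id_escaped(db, "1 OR 1=1"),       # quoting does not help here
        "param_tautology": by_name_parameterised(db, tautology),  # no row is named "x' OR '1'='1"
        "param_union": by_name_parameterised(db, union),
        "param_numeric": by_id_parameterised(db, "1 OR 1=1"),   # compared as one literal value
        "param_numeric_ok": by_id_parameterised(db, "2"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} {rows}")
```

The UNION case is the one that matters for "access data": the injected SELECT pulls the `secret` column out through a query that was only meant to return names. Bound parameters close both cases because the engine never parses the value as SQL; quote-escaping closes only the quoted-string case.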

72. ELinks HTTPS POST Request Information Disclosure Weakness
BugTraq ID: 25799
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25799
Summary:
ELinks is prone to an information disclosure weakness.

In certain circumstances, the application may not encrypt HTTP POST data sent to servers using SSL.

This issue creates a false sense of security for a user because they may assume that sensitive data is being encrypted before it is sent to the remote server.

Versions prior to ELinks 0.11.3 are vulnerable to this issue.

73. IBM Rational ClearQuest Data Corruption Denial of Service Vulnerability
BugTraq ID: 25810
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25810
Summary:
IBM Rational ClearQuest is prone to a denial-of-service vulnerability.

Successfully exploiting this issue allows attackers to corrupt data stored in Microsoft SQL Server- or IBM DB2-based ClearQuest databases. Oracle-based databases are not prone to this issue. A successful attack will deny service to legitimate users.

74. SimpNews Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 25809
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25809
Summary:
SimpNews is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect SimpNews 2.41.03; prior versions may also be affected.

75. Motorola Timbuktu Pro Directory Traversal Vulnerability
BugTraq ID: 25453
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25453
Summary:
Motorola Timbuktu Pro is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to delete or create arbitrary files with SYSTEM-level privileges. This could completely compromise affected computers.

Timbuktu Pro 8.6.3.1367 for Windows is vulnerable; other versions and platforms may also be affected.

76. PHP-Nuke Dance Music Module Index.PHP Local File Include Vulnerability
BugTraq ID: 25806
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25806
Summary:
Dance Music is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.

77. Imatix Xitami If-Modified-Since Remote Buffer Overflow Vulnerability
BugTraq ID: 25772
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25772
Summary:
Xitami is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.

Attackers may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Xitami 2.5 is vulnerable to this issue; other versions may also be affected.

78. GCALDaemon Content-Length Header Denial of Service Vulnerability
BugTraq ID: 25704
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25704
Summary:
GCALDaemon is prone to a remote denial-of-service vulnerability because the application fails to handle specially crafted HTTP GET requests.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

This issue affects GCALDaemon 1.0-beta13; other versions may also be affected.

79. JSPWiki Multiple Input Validation Vulnerabilities
BugTraq ID: 25803
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25803
Summary:
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.

Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to JSPWiki 2.4.104 are vulnerable.

80. Simple PHP Blog Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 25802
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25802
Summary:
Simple PHP Blog is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect Simple PHP Blog 0.5.0.1, 0.4.8, and prior versions.

81. gMotor2 Game Engine Multiple Vulnerabilities
BugTraq ID: 25358
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25358
Summary:
The gMotor2 game engine is prone to multiple code-execution and denial-of-service vulnerabilities. Four vulnerabilities were reported.

These vulnerabilities may be triggered by malicious client requests to games that use the affected engine, including rFactor. Successful exploits could crash a game server or let remote attackers execute arbitrary code on the computer hosting affected software.

NOTE: This BID originally stated that the vulnerabilities were in the rFactor game. New information shows that the gMotor2 game engine and multiple games that use the engine are vulnerable. This BID was updated to reflect this new information.

82. OpenSSL Insecure Protocol Negotiation Weakness
BugTraq ID: 15071
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/15071
Summary:
OpenSSL is susceptible to a remote protocol-negotiation weakness. This issue is due to the implementation of the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option to maintain compatibility with third-party software.

This issue presents itself when two peers negotiate the protocol version they will use. An attacker who can intercept and modify the SSL handshake may exploit this weakness to force the peers to settle on SSL version 2.

The attacker may then exploit various insecurities in SSL version 2 to gain access to or tamper with the cleartext communications between the targeted client and server.

Note that 'SSL_OP_MSIE_SSLV2_RSA_PADDING' is part of the frequently used 'SSL_OP_ALL' option, so applications that set SSL_OP_ALL enable it without naming it.

SSL peers that are configured to disallow SSL version 2 are not affected by this issue.

83. eGroupWare CLASS.UICATEGORIES.INC.PHP Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 25800
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25800
Summary:
eGroupWare is prone to multiple cross-site scripting vulnerabilities.

These issues affect the 'class.uicategories.inc.php' script.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

These issues affect eGroupWare 1.4.001; other versions may also be affected.

84. OpenSSL PKCS Padding RSA Signature Forgery Vulnerability
BugTraq ID: 19849
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/19849
Summary:
OpenSSL is prone to a vulnerability that may allow an attacker to forge an RSA signature. The attacker may be able to forge a PKCS #1 v1.5 signature when an RSA key with exponent 3 is used.

An attacker may exploit this issue to sign digital certificates or RSA keys and take advantage of trust relationships that depend on these credentials, possibly posing as a trusted party and signing a certificate or key.

All versions of OpenSSL prior to and including 0.9.7j and 0.9.8b are affected by this vulnerability. Updates are available.
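The entry above is the Bleichenbacher e = 3 forgery: a verifier that finds the DigestInfo and hash after the padding and then stops, without checking that nothing follows, accepts a "signature" anyone can compute from the public key alone. The block below is an added example, not OpenSSL's code. `verify_sloppy` is a reconstruction of that class of flaw, not the library's actual routine; `forge` builds a block with the valid-looking prefix at the top and zeros below it, rounds its integer cube root up, and lets the overshoot land in the ignored tail. The key is generated from a fixed seed with a minimal Miller-Rabin test, which is fine for a demonstration and nothing else.

```python
# Added example, not OpenSSL's code: why a PKCS #1 v1.5 verifier must compare
# the whole decoded block. verify_sloppy reconstructs the flaw class in the
# entry above (it stops checking after the hash); forge is the cube-root
# forgery it admits under e = 3. The key comes from a fixed seed and a
# minimal Miller-Rabin test: demo only, never generate a real key this way.
import hashlib
import random

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2 note 1); the 20-byte hash follows it
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
E = 3
SMALL_PRIMES = [p for p in range(3, 200) if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c % 3 == 2 and is_probable_prime(c, rng):  # c % 3 == 2 keeps e = 3 invertible mod c - 1
            return c


def gen_key(bits=2048, seed=2007):
    """Demo key from a fixed seed: reproducible, and for that very reason never a real key."""
    rng = random.Random(seed)
    p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _k(n):
    return (n.bit_length() + 7) // 8


def _t(msg):
    return SHA1_DIGESTINFO + hashlib.sha1(msg).digest()


def emsa_pkcs1_v15(msg, k):
    """Reference encoding: 00 01 FF..FF 00 DigestInfo H(msg), exactly k bytes."""
    t = _t(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, _k(n)), "big"), d, n)


def _recover(sig, n):
    return pow(sig, E, n).to_bytes(_k(n), "big")


def verify_sloppy(msg, sig, n):
    """Flawed: skips the padding, matches DigestInfo||hash, ignores everything after it."""
    em = _recover(sig, n)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = _t(msg)
    return em[i + 1:i + 1 + len(t)] == t  # BUG: trailing bytes are never examined


def verify_strict(msg, sig, n):
    """Correct: the recovered block must equal the reference encoding byte for byte."""
    return _recover(sig, n) == emsa_pkcs1_v15(msg, _k(n))


def icbrt(x):
    """Floor cube root by Newton iteration from an upper bound."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr


def forge(msg, n):
    """Needs only (n, e): valid-looking prefix high, zeros low, cube root rounded up."""
    k = _k(n)
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _t(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1          # s^3 - target < 3s^2 + 3s + 1, far below the zero tail, so the prefix survives
    assert s ** 3 < n   # verification's modular reduction is therefore a no-op
    return s


def demo(bits=2048):
    n, d = gen_key(bits)
    real, forged = sign(b"pay alice 10", n, d), forge(b"pay mallory 10000", n)
    return (verify_sloppy(b"pay alice 10", real, n), verify_strict(b"pay alice 10", real, n),
            verify_sloppy(b"pay mallory 10000", forged, n), verify_strict(b"pay mallory 10000", forged, n))


if __name__ == "__main__":
    print("genuine: sloppy=%s strict=%s | forged: sloppy=%s strict=%s" % demo())
```

With a 2048-bit modulus the prefix occupies 46 bytes and the tail 210, so the rounding error of the cube root (below 2^1360) never reaches the prefix; that headroom is why small public exponents make the attack cheap. The fix is the obvious one: rebuild the expected encoding and compare the whole block, which `verify_strict` does and which is what the OpenSSL update restored.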

85. OpenSSL Montgomery Exponentiation Side-Channel Local Information Disclosure Vulnerability
BugTraq ID: 25163
Remote: No
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25163
Summary:
OpenSSL is prone to a local information-disclosure vulnerability because of a side-channel weakness in the library's Montgomery-exponentiation implementation, which RSA operations use.

Successfully exploiting this issue allows local attackers to gain access to private key information of other processes that use the affected library. Information harvested may aid in further attacks.

OpenSSL 0.9.8 is vulnerable to this issue; other versions may also be affected.

86. KDE KPDF/KWord/XPDF StreamPredictor Function Stack Buffer Overflow Vulnerability
BugTraq ID: 25124
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25124
Summary:
KDE kpdf, kword, and xpdf are prone to a stack-based buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application or cause the affected application to crash, denying service to legitimate users.

87. Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
BugTraq ID: 24491
Remote: No
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/24491
Summary:
Kaspersky Internet Security 6 is prone to multiple local vulnerabilities.

Exploiting these vulnerabilities allows local attackers to crash affected computers, denying service to legitimate users. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed.

Kaspersky Internet Security 6.0.2.614 and 6.0.2.621 are vulnerable; other versions may also be affected.

NOTE: These issues may be related to BID 23326 (Kaspersky Internet Security Suite Klif.SYS Drive Local Heap Overflow Vulnerability), but this has not been confirmed. If we find that this BID is a duplicate, we will retire it and merge its information into BID 23326.

88. libsndfile FLAC.C Buffer Overflow Vulnerability
BugTraq ID: 25758
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25758
Summary:
The 'libsndfile' library is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code with the privileges of an application using the library. This can compromise the affected application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.

This issue affects libsndfile 1.0.17; previous versions may also be vulnerable.

89. Apache Mod_AutoIndex.C Undefined Charset Cross-Site Scripting Vulnerability
BugTraq ID: 25653
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25653
Summary:
Apache's mod_autoindex module is prone to a cross-site scripting vulnerability because the directory-index pages it generates do not declare a character set. A browser must then guess the encoding of the listing, which can let attacker-supplied content in the page be interpreted as script.

Versions prior to Apache 2.2.6 are affected.

NOTE: Reports indicate that this issue does not occur when the application is running on Windows operating systems.

90. Apache HTTP Server Mod_Proxy Denial of Service Vulnerability
BugTraq ID: 25489
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25489
Summary:
The Apache mod_proxy module is prone to a denial-of-service vulnerability.

A remote attacker may be able to exploit this issue to crash the child process. This could lead to denial-of-service conditions if the server is using a multithreaded Multi-Processing Module (MPM).

91. OpenOffice TIFF File Parser Multiple Integer Overflow Vulnerabilities
BugTraq ID: 25690
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25690
Summary:
OpenOffice is prone to multiple remote integer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Remote attackers may exploit these issues by enticing victims into opening maliciously crafted TIFF files.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

92. Linux Kernel CIFS Local Privilege Escalation Vulnerability
BugTraq ID: 25672
Remote: No
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25672
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability.

An attacker could exploit this issue to execute arbitrary code with the privileges of the victim.

93. Linux Kernel ATM Module CLIP Support Local Denial of Service Vulnerability
BugTraq ID: 25798
Remote: No
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25798
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

This issue affects the ATM subsystem when it is built with CLIP (Classical IP over ATM) support.

Versions of Linux kernel prior to 2.4.35.3 or 2.6.22.7 are affected by this issue.

94. AskJeeves Toolbar Settings Plugin ActiveX Control Remote Heap Based Buffer Overflow Vulnerability
BugTraq ID: 25785
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25785
Summary:
AskJeeves Toolbar Settings Plugin ActiveX control is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

95. Symantec Veritas Backup Exec for Windows Unspecified Vulnerability
BugTraq ID: 25793
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25793
Summary:
Symantec Veritas Backup Exec for Windows is prone to an unspecified vulnerability.

Very few technical details are currently available. We will update this BID as more information emerges.

This issue affects Backup Exec 11d for Windows Servers.

96. ebCrypt ActiveX Control AddString Denial of Service Vulnerability
BugTraq ID: 25789
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25789
Summary:
ebCrypt ActiveX control is prone to a denial-of-service vulnerability.

Exploiting this issue allows remote attackers to crash applications that employ the vulnerable control (typically Microsoft Internet Explorer).

ebCrypt 2.0 is vulnerable; other versions may also be affected.

97. sk.log Log.Inc.PHP Remote File Include Vulnerability
BugTraq ID: 25791
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25791
Summary:
sk.log is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects sk.log 0.5.3; other versions may also be vulnerable.

98. Sun Solaris Human Interface Device Local Denial of Service Vulnerability
BugTraq ID: 25814
Remote: No
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25814
Summary:
Sun Solaris is prone to a local denial-of-service vulnerability.

This issue stems from an unspecified error in the Human Interface Device (HID) Class Driver. Local attackers may exploit this issue to trigger kernel panics or system hangs, denying service to legitimate users.

These versions are affected:

Solaris 8, 9, and 10 SPARC
Solaris 9 and 10 x86

99. SimpGB Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 25808
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25808
Summary:
SimpGB is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect SimpGB 1.46.02; other versions may also be vulnerable.

100. Apache Geronimo Management EJB Security Bypass Vulnerability
BugTraq ID: 25804
Remote: Yes
Last Updated: 2007-09-25
Relevant URL: http://www.securityfocus.com/bid/25804
Summary:
Apache Geronimo is prone to a security-bypass vulnerability. This issue occurs in the management EJB (MEJB).

An attacker could exploit this issue to gain unauthorized access to the affected application. This may lead to further attacks.

This issue affects Apache Geronimo 2.0.1; other versions may also be affected.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. DHS, Unisys scrutinized after data breach
By: Robert Lemos
A Congressional committee claims that Unisys allowed malicious code to infect federal systems.
http://www.securityfocus.com/news/11489

2. Customers: TD Ameritrade failed to warn of breach
By: Robert Lemos
Numerous account holders complained over the past year that the consumer brokerage had sold or leaked e-mail addresses to pump-and-dump spammers.
http://www.securityfocus.com/news/11488

3. Max Vision charged with hacking -- again
By: Robert Lemos
Federal prosecutors charge former security consultant Max Butler, better known amongst security researchers as "Max Vision," alleging that he supplied and managed a ring of identity thieves.
http://www.securityfocus.com/news/11487

4. Embassy leaks highlight pitfalls of Tor
By: Robert Lemos
The security researcher who posted the e-mail addresses and passwords for 100 accounts at embassies and political groups reveals that he exploited the victims' incorrect usage of the Tor Project's anonymous Web surfing software.
http://www.securityfocus.com/news/11486

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Sales Engineer, New York
http://www.securityfocus.com/archive/77/480517

2. [SJ-JOB] Security Director, Reston
http://www.securityfocus.com/archive/77/480522

3. [SJ-JOB] Forensics Engineer, Brisbane-Gold Coast
http://www.securityfocus.com/archive/77/480524

4. [SJ-JOB] Certification & Accreditation Engineer, McLean
http://www.securityfocus.com/archive/77/480525

5. [SJ-JOB] Security System Administrator, Boulder
http://www.securityfocus.com/archive/77/480514

6. [SJ-JOB] Security Engineer, San Francisco
http://www.securityfocus.com/archive/77/480516

7. [SJ-JOB] Account Manager, Latin America Territory
http://www.securityfocus.com/archive/77/480518

8. [SJ-JOB] Sales Engineer, Chicago
http://www.securityfocus.com/archive/77/480521

9. [SJ-JOB] Customer Support, Mountain View
http://www.securityfocus.com/archive/77/480523

10. [SJ-JOB] Security Engineer, Reston
http://www.securityfocus.com/archive/77/480515

11. [SJ-JOB] CHECK Team Leader, Reading or London
http://www.securityfocus.com/archive/77/480506

12. [SJ-JOB] Security Engineer, Melbourne
http://www.securityfocus.com/archive/77/480505

13. [SJ-JOB] Account Manager, Reading or London
http://www.securityfocus.com/archive/77/480507

14. [SJ-JOB] Sr. Product Manager, Reading or London
http://www.securityfocus.com/archive/77/480508

15. [SJ-JOB] CISO, UK Wide
http://www.securityfocus.com/archive/77/480509

16. [SJ-JOB] Compliance Officer, UK Wide
http://www.securityfocus.com/archive/77/480499

17. [SJ-JOB] Management, London
http://www.securityfocus.com/archive/77/480500

18. [SJ-JOB] Compliance Officer, UK Wide
http://www.securityfocus.com/archive/77/480501

19. [SJ-JOB] Account Manager, Reston
http://www.securityfocus.com/archive/77/480502

20. [SJ-JOB] Sr. Security Engineer, Foster City
http://www.securityfocus.com/archive/77/480503

V. INCIDENTS LIST SUMMARY
---------------------------
1. Interesting mail sender
http://www.securityfocus.com/archive/75/480919

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Oracle 11g password algorithm revealed
http://www.securityfocus.com/archive/82/480581

2. ToorCon Final Lineup Announcement
http://www.securityfocus.com/archive/82/480159

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject and message body do not matter. You will receive a confirmation request message that you must answer. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics