WINDOWS CENTER: SecurityFocus Newsletter #424

SecurityFocus Newsletter #424
----------------------------------------

This issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step!" - White Paper
Blind SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=70160000000D5K3

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1.Rebinding attacks unbound
2.Aspect-Oriented Programming and Security
II. BUGTRAQ SUMMARY
1. Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
2. Sun Java Runtime Environment Virtual Machine Remote Privilege Escalation Vulnerability
3. Nagios Unspecified Cross-Site Scripting Vulnerability
4. FreeType LWFN Files Buffer Overflow Vulnerability
5. Simple PHP Blog Multiple Remote Vulnerabilities
6. SocketMail FNC-Readmail3.PHP Remote File Include Vulnerability
7. Linux Kernel eHCA Driver Physical Address Space Information Disclosure Vulnerability
8. OpenH323 Opal SIP Protocol Remote Denial of Service Vulnerability
9. Support Incident Tracker SiT! Multiple Unspecified Security Vulnerabilities
10. Red Hat Linux Kernel Stack Unwinder Local Denial Of Service Vulnerability
11. Zaptel SetHDLC.C Local Buffer Overflow Vulnerability
12. PHP Project Management Multiple Remote File Include Vulnerabilities
13. PHP Project Management Multiple Local File Include Vulnerabilities
14. IBM Lotus Notes Local Insecure Default Directory Permissions Vulnerability
15. BBsProcesS BBPortalS TNEWS.PHP SQL Injection Vulnerability
16. IBM Lotus Domino Information Disclosure Vulnerabilities and Buffer Overflow Vulnerability
17. PHP Chunk_Split() Function Integer Overflow Vulnerability
18. PHP 5.2.3 and Prior Versions Multiple Vulnerabilities
19. Mozilla Firefox ParseFTPList Remote Denial of Service Vulnerability
20. PHP EXT/Session HTTP Response Header Injection Vulnerability
21. PHP .Htaccess Safe_Mode and Open_Basedir Restriction-Bypass Vulnerability
22. PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities
23. Bacula MySQL Password Information Disclosure Vulnerability
24. Broadband Mechanics PeopleAggregator Multiple Remote File Include Vulnerabilities
25. Sun Java Runtime Environment Multiple Weaknesses
26. Lussumo Vanilla Sortcategories.PHP SQL Injection Vulnerability
27. Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability
28. efileman Arbitrary File Upload And Access Validation Vulnerabilities
29. BosDev BosMarket Multiple HTML Injection Vulnerabilities
30. Platinum Favorites.PHP Remote File Include Vulnerability
31. IBM AIX xlplm Local Buffer Overflow Vulnerability
32. GHBoard Multiple Arbitrary File Access Vulnerabilities
33. Miranda Multiple Buffer Overflow Vulnerabilities
34. ISC DHCPD Server Remote Stack Corruption Vulnerability
35. BugHotel Reservation System Main.PHP Authentication Bypass Vulnerability
36. WPA_Supplicant ASN1_Get_Next Buffer Overflow Vulnerability
37. 3proxy FTP Proxy Double Free Memory Corruption Vulnerability
38. KTorrent Remote Directory Traversal Variant Vulnerability
39. Xfce-Terminal Remote Command Injection Vulnerability
40. IBM Lotus Notes Attachment Viewer Multiple Buffer Overflow Vulnerabilities
41. Japanese PHP Gallery Hosting Arbitrary File Upload Vulnerability
42. Mobile Spy Insecure Password Storage Information Disclosure Vulnerability
43. RealPlayer ierpplug.dll ActiveX Control Playlist Name Stack Buffer Overflow Vulnerability
44. Apache Tomcat WebDav Remote Information Disclosure Vulnerability
45. Adobe Acrobat Mailto PDF File Command Execution Vulnerability
46. Zoph _Order Multiple SQL Injection Vulnerabilities
47. Multiple Web Browsers Digest Authentication HTTP Response Splitting Vulnerability
48. Mozilla Firefox OnKeyDown Event File Upload Vulnerability
49. Mozilla Firefox/Thunderbird/SeaMonkey Chrome-Loaded About:Blank Script Execution Vulnerability
50. Mozilla Firefox 2.0.0.7 Multiple Remote Vulnerabilities
51. Mozilla Firefox OnUnload Javascript Browser Entrapment Vulnerability
52. Drupal Prior To 4.7.8 and 5.3 Multiple Remote Vulnerabilities
53. Oracle interMedia Multiple SQL Injection Vulnerabilities
54. DeleGate Multiple Denial of Service Vulnerabilities
55. PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability
56. MIT Kerberos 5 KAdminD Server SVCAuth_GSS_Validate Stack Buffer Overflow Vulnerability
57. Lotus Domino Memory Mapped Files Arbitrary Access Vulnerability
58. Microsoft Windows IGMPv3 Denial of Service Vulnerability
59. MultiXTpm Application Server DebugPrint() Remote Buffer Overflow Vulnerability
60. InstaGuide Weather Index.PHP Local File Include Vulnerability
61. OpenOffice TIFF File Parser Multiple Integer Overflow Vulnerabilities
62. ImageMagick ReadDIBImage Integer Overflow Vulnerability
63. ImageMagick ReadBlob Multiple Remote Denial Of Service Vulnerabilities
64. ImageMagick DCM, DIB, XBM, XCF, and XWD Image Files Multiple Integer Overflow Vulnerabilities
65. ImageMagick Blob.C Off-By-One Buffer Overflow Vulnerability
66. HP Linux Imaging and Printing System HSSPD.PY Daemon Arbitrary Command Execution Vulnerability
67. Samba Deferred CIFS File Open Denial of Service Vulnerability
68. Jeebles Technology Jeebles Directory Download.PHP Local File Include Vulnerability
69. Samba MS-RPC Remote Shell Command Execution Vulnerability
70. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
71. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
72. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
73. LibTIFF TIFFFindFieldInfo Remote Buffer Overflow Vulnerability
74. JasPer JPC_QCX_GetCompParm Function JP2 File Handling Remote Denial of Service Vulnerability
75. Hackish Blocco.PHP Cross-Site Scripting Vulnerability
76. Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
77. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
78. Citrix Access Gateway Standard and Advanced Edition Multiple Remote Vulnerabilities
79. Samba SID Names Local Privilege Escalation Vulnerability
80. LibTIFF TiffFetchShortPair Remote Buffer Overflow Vulnerability
81. JustSystem Ichitaro JSTARO4.OCX and TJSVDA.DLL Multiple Buffer Overflow Vulnerabilities
82. GSview Multiple Unspecified Security Vulnerabilities
83. Mono System.Web StaticFileHandler.CS Source Code Information Disclosure Vulnerability
84. LiteSpeed Web Server Null-Byte Handling Information Disclosure Vulnerability
85. Sun Solaris RPC Services Library librpcsvc(3LIB) Denial of Service Vulnerability
86. DMCMS Index.PHP SQL Injection Vulnerability
87. The Online Web Library Site Scripture.PHP Remote File Include Vulnerability
88. GNU Tar Dot_Dot Function Remote Directory Traversal Vulnerability
89. Red Hat Cluster Suite DLM Remote Denial Of Service Vulnerability
90. Linux Kernel Parent Process Death Signal Local Security Bypass Weakness
91. X.Org X Server Composite Extension Local Buffer Overflow Vulnerability
92. Linux Kernel Random Number Generator Local Denial of Service and Privilege Escalation Vulnerability
93. Linux Kernel USBLCD Memory Consumption Denial Of Service Vulnerability
94. Linux Kernel PTrace NULL Pointer Dereference Local Denial Of Service Vulnerability
95. Linux Kernel HugeTLB Local Denial Of Service Vulnerability
96. Linux Kernel AACRAID Driver Local Security Bypass Vulnerability
97. WebIf Webif.exe Cross-Site Scripting Vulnerability
98. FLAC libFLAC Multiple Unspecified Integer Overflow Vulnerabilities
99. CandyPress Store Logon.ASP Cross-Site Scripting Vulnerability
100. Flatnuke3 File Manager Module Unauthorized Access Vulnerability
III. SECURITYFOCUS NEWS
1. Identity thieves likely to be first-timers, strangers
2. Retailers look to exorcise credit-card data
3. DHS, Unisys scrutinized after data breach
4. Customers: TD Ameritrade failed to warn of breach
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Penetration Engineer, arlington
2. [SJ-JOB] Application Security Architect, Hopkinton
3. [SJ-JOB] Security Consultant, Louisville
4. [SJ-JOB] Sr. Security Analyst, Fairfax
5. [SJ-JOB] Compliance Officer, Pentagon City
6. [SJ-JOB] Information Assurance Engineer, arlington
7. [SJ-JOB] Security Engineer, Crystal City
8. [SJ-JOB] Security Consultant, Los Angeles
9. [SJ-JOB] Security Engineer, arlington
10. [SJ-JOB] Security Engineer, Chantilly
11. [SJ-JOB] Security Engineer, Arlington
12. [SJ-JOB] Training / Awareness Specialist, London
13. [SJ-JOB] Application Security Engineer, Amsterdam
14. [SJ-JOB] Software Engineer, St Paul
15. [SJ-JOB] Software Engineer, St Paul
16. [SJ-JOB] Security Consultant, Longmont
17. [SJ-JOB] Software Engineer, Redmond
18. [SJ-JOB] Developer, Beverly Hills
19. [SJ-JOB] Software Engineer, Columbia
20. [SJ-JOB] Application Security Engineer, Denver
21. [SJ-JOB] Sr. Security Engineer, Beverly Hills
22. [SJ-JOB] Security Engineer, Beverly Hills
23. [SJ-JOB] Management, Columbia
24. [SJ-JOB] Penetration Engineer, Washington, DC
25. [SJ-JOB] Security System Administrator, Los Angeles area
26. [SJ-JOB] Security Consultant, Reston
27. [SJ-JOB] Forensics Engineer, San Francisco
28. [SJ-JOB] Software Engineer, Redmond
29. [SJ-JOB] Quality Assurance, Redmond
30. [SJ-JOB] Security Architect, Valley Forge
V. INCIDENTS LIST SUMMARY
1. CFP for HITBSecConf2008 - Dubai now open
VI. VULN-DEV RESEARCH LIST SUMMARY
1. CFP for HITBSecConf2008 - Dubai now open
2. Cracking the iPhone (5 article series)
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #364
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1.Rebinding attacks unbound
By Federico Biancuzzi
DNS rebinding was discovered in 1996 and affected the Java Virtual Machine (VM). Recently a group of researchers at Stanford found out that this vulnerability is still present in browsers and that the common solution, known as DNS pinning, is not effective anymore.
http://www.securityfocus.com/columnists/455

2.Aspect-Oriented Programming
By Rohit Sethi
Aspect-oriented programming (AOP) is a paradigm that is quickly gaining traction in the development world. At least partially spurred by the popularity of the Java Spring framework [1], people are beginning to understand the substantial benefits that AOP brings to development.
http://www.securityfocus.com/infocus/1895

II. BUGTRAQ SUMMARY
--------------------
1. Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
BugTraq ID: 18308
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/18308
Summary:
Multiple web browsers are prone to a JavaScript key-filtering vulnerability because the browsers fail to securely handle keystroke input from users.

This issue is demonstrated to allow attackers to divert keystrokes from one input form in a webpage to a hidden file-upload dialog in the same page. This may allow remote attackers to initiate file uploads from unsuspecting users. Other attacks may also be possible.

Exploiting this issue requires that users manually type the full path of files that attackers wish to download. This may require substantial typing from targeted users, so attackers will likely use keyboard-based games, blogs, or other similar pages to entice users to enter the required keyboard input to exploit this issue.

Reportedly, Mozilla Suite, Mozilla Firefox, Mozilla SeaMonkey, Netscape Navigator, and Microsoft Internet Explorer are all vulnerable to this issue.

2. Sun Java Runtime Environment Virtual Machine Remote Privilege Escalation Vulnerability
BugTraq ID: 26185
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26185
Summary:
The Sun Java Runtime Environment is prone to a remote privilege-escalation vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the user who invoked the Java applet. Successfully exploiting this issue may result in the remote compromise of affected computers.

3. Nagios Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 26152
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26152
Summary:
Nagios is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to Nagios 2.10 are vulnerable.

4. FreeType LWFN Files Buffer Overflow Vulnerability
BugTraq ID: 18034
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/18034
Summary:
FreeType is prone to a buffer-overflow vulnerability because of an integer overflow that causes a buffer to be overrun with attacker-supplied data.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts will likely crash applications, denying service to legitimate users.

Versions prior to FreeType 2.2.1 are vulnerable.

5. Simple PHP Blog Multiple Remote Vulnerabilities
BugTraq ID: 26154
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26154
Summary:
Simple PHP Blog is prone to multiple remote issues, including:

- An IP-spoofing vulnerability
- An HTML-injection vulnerability
- A session-fixation vulnerability
- An open-email-relay vulnerability
- A local file-include vulnerability
- A cross-site request-forgery vulnerability
- An arbitrary-file-upload vulnerability.

An attacker could exploit these issues to compromise the affected application, execute arbitrary code within the context of the webserver process, send unsolicited spam email to users, steal cookie-based authentication credentials, obtain sensitive information, and gain unauthorized access to the affected application. Other attacks are also possible.

These issues affect Simple PHP Blog 0.5.1 and prior versions.

6. SocketMail FNC-Readmail3.PHP Remote File Include Vulnerability
BugTraq ID: 26162
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26162
Summary:
SocketMail is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

SocketMail 2.2.8 is vulnerable; other versions may also be affected.

7. Linux Kernel eHCA Driver Physical Address Space Information Disclosure Vulnerability
BugTraq ID: 26161
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26161
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain a portion of the physical address space. Information harvested may aid in further attacks.

8. OpenH323 Opal SIP Protocol Remote Denial of Service Vulnerability
BugTraq ID: 25955
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25955
Summary:
OpenH323 is prone to a remote denial-of-service vulnerability because of memory mismanagement when handling user-supplied data.

Successfully exploiting this issue allows remote attackers to deny service to legitimate users.

This issue affects OpenH323 2.2.4; earlier versions may also be vulnerable. Applications using the affected library may also be vulnerable.

9. Support Incident Tracker SiT! Multiple Unspecified Security Vulnerabilities
BugTraq ID: 26151
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26151
Summary:
Support Incident Tracker (SiT!) is prone to multiple unspecified vulnerabilities.

Very few details are available regarding these issues. We will update this BID as more information emerges.

These issues affect versions prior to Support Incident Tracker (SiT!) 3.30.

10. Red Hat Linux Kernel Stack Unwinder Local Denial Of Service Vulnerability
BugTraq ID: 26158
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26158
Summary:
The Red Hat Linux kernel is prone to a local denial-of-service vulnerability.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

11. Zaptel SetHDLC.C Local Buffer Overflow Vulnerability
BugTraq ID: 26160
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26160
Summary:
Zaptel is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to execute arbitrary code with the privileges of the application using the library. Successful exploits can compromise affected applications and possibly the underlying computer. Failed exploit attempts will result in a denial of service.

Zaptel 1.4.5.1 is vulnerable; other versions may also be affected.

12. PHP Project Management Multiple Remote File Include Vulnerabilities
BugTraq ID: 26150
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26150
Summary:
PHP Project Management is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

These issues affect PHP Project Management 0.8.10 and prior versions.

13. PHP Project Management Multiple Local File Include Vulnerabilities
BugTraq ID: 26148
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26148
Summary:
PHP Project Management is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

Exploiting these issues may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.

These issues affect PHP Project Management 0.8.10 and prior versions.

14. IBM Lotus Notes Local Insecure Default Directory Permissions Vulnerability
BugTraq ID: 20612
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/20612
Summary:
IBM Lotus Notes is prone to a vulnerability regarding insecure default permissions on the application directory.

A local attacker can exploit this issue to access and modify arbitrary files in the application directory; this may aid in further attacks.

15. BBsProcesS BBPortalS TNEWS.PHP SQL Injection Vulnerability
BugTraq ID: 26149
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26149
Summary:
BBsProcesS BBPortalS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects BBPortals 1.5.10, 1.5.11, 1.6.2, and 2.0; other versions may also be affected.

16. IBM Lotus Domino Information Disclosure Vulnerabilities and Buffer Overflow Vulnerability
BugTraq ID: 26176
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26176
Summary:
IBM Lotus Domino is prone to multiple information-disclosure vulnerabilities and a buffer-overflow vulnerability.

An attacker can exploit these issues to disclose sensitive information, execute arbitrary code with the SYSTEM-level privileges and crash the affected application.

17. PHP Chunk_Split() Function Integer Overflow Vulnerability
BugTraq ID: 24261
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/24261
Summary:
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.

Attackers may be able to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects versions prior to PHP 5.2.3.

18. PHP 5.2.3 and Prior Versions Multiple Vulnerabilities
BugTraq ID: 25498
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25498
Summary:
PHP 5.2.3 and prior versions are prone to multiple security vulnerabilities. Successful exploits could allow an attacker to bypass security restrictions, cause a denial-of-service condition, and potentially execute code.

19. Mozilla Firefox ParseFTPList Remote Denial of Service Vulnerability
BugTraq ID: 26159
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26159
Summary:
Mozilla Firefox is prone to a remote denial-of-service vulnerability because it fails to adequately sanitize user-supplied input.

Attackers can exploit this issue to cause denial-of-service conditions.

Firefox 2.0.0.7 is vulnerable; other versions may also be affected.

20. PHP EXT/Session HTTP Response Header Injection Vulnerability
BugTraq ID: 24268
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/24268
Summary:
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input.

An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.

This issue affects PHP 5.2.3 (and prior versions) and PHP 4.4.7 (and prior versions).

21. PHP .Htaccess Safe_Mode and Open_Basedir Restriction-Bypass Vulnerability
BugTraq ID: 24661
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/24661
Summary:
PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations.

These vulnerabilities would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' and 'open_basedir' restrictions assumed to isolate the users from each other.

This issue is reported to affect PHP 5.2.3 and 4.4.7; previous versions may also be vulnerable.

22. PHP Prior to 5.2.2/4.4.7 Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 23813
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/23813
Summary:
PHP is prone to three remote buffer-overflow vulnerabilities because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit these issues to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

All three issues affect PHP 5.2.1 and prior versions; PHP 4.4.6 and prior versions are affected only by one of the issues.

Few details are available at the moment. These issues may have been previously described in other BIDs. This record may be updated or retired if further analysis shows that these issues have been reported in the past.

23. Bacula MySQL Password Information Disclosure Vulnerability
BugTraq ID: 26156
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26156
Summary:
Bacula is prone to an information-disclosure vulnerability because it fails to protect the MySQL director password.

Attackers can exploit this issue to gain unauthorized access to the affected database and then manipulate or delete sensitive information.

24. Broadband Mechanics PeopleAggregator Multiple Remote File Include Vulnerabilities
BugTraq ID: 26147
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26147
Summary:
Broadband Mechanics PeopleAggregator is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

These issues affect PeopleAggregator 1.2pre6 and prior versions.

25. Sun Java Runtime Environment Multiple Weaknesses
BugTraq ID: 25918
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25918
Summary:
Sun Java Runtime Environment is prone to multiple weaknesses that may allow JavaScript code or applets to connect to resources other than the one the scripts or applets were downloaded from. One of the weaknesses may allow an attacker to obscure a Java warning about an untrusted applet from the user.

These issues affect the following packages for Windows, Solaris, and Linux:

JDK and JRE 6 Update 2 and earlier
JDK and JRE 5.0 Update 12 and earlier
SDK and JRE 1.4.2_15 and earlier
SDK and JRE 1.3.1_20 and earlier

26. Lussumo Vanilla Sortcategories.PHP SQL Injection Vulnerability
BugTraq ID: 26145
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26145
Summary:
Vanilla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Vanilla 1.1.3; other versions may also be affected.

27. Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability
BugTraq ID: 26157
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26157
Summary:
Flatnuke3 is prone to an authentication-bypass vulnerability because it fails to adequately sanitize user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

This issue affects Flatnuke3-2007-10-10; other versions may also be vulnerable.

28. efileman Arbitrary File Upload And Access Validation Vulnerabilities
BugTraq ID: 26184
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26184
Summary:
The 'efileman' program is prone to multiple arbitrary-file-upload vulnerabilities and an access-validation vulnerability.

An attacker can exploit these issues to upload and execute arbitrary code in the context of the affected application or to view and modify sensitive configuration data.

These issues affect efileman 7.1; other versions may also be affected.

29. BosDev BosMarket Multiple HTML Injection Vulnerabilities
BugTraq ID: 26197
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26197
Summary:
BosDev BosMarket is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

30. Platinum Favorites.PHP Remote File Include Vulnerability
BugTraq ID: 26183
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26183
Summary:
Platinum is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Platinum 7.6.b.5; other versions may also be vulnerable.

31. IBM AIX xlplm Local Buffer Overflow Vulnerability
BugTraq ID: 25560
Remote: No
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25560
Summary:
IBM AIX is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to execute arbitrary code using superuser privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial of service.

32. GHBoard Multiple Arbitrary File Access Vulnerabilities
BugTraq ID: 26182
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26182
Summary:
GHBoard is prone to multiple vulnerabilities that let attackers upload and download arbitrary files and execute arbitrary code within the context of the webserver process.

33. Miranda Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26115
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26115
Summary:
Miranda is prone to multiple unspecified buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.

Successful exploits may allow attackers to execute arbitrary code in the context of a vulnerable application; failed attempts will likely cause denial-of-service conditions.

These issues affect versions prior to Miranda 0.7.1.

34. ISC DHCPD Server Remote Stack Corruption Vulnerability
BugTraq ID: 25984
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25984
Summary:
ISC DHCPD is prone to a remote stack-corruption vulnerability because the software fails to properly bounds-check user-supplied input.

Successfully exploiting this issue allows attackers in the same LAN segment of the vulnerable DHCP server to corrupt the application's stack. This may allow attackers to run arbitrary machine code and to compromise affected computers.

ISC DHCP versions in the 2.x series are vulnerable to this issue. OpenBSD's 'dhcpd' is a fork of ISC DHCPD and is also vulnerable.

35. BugHotel Reservation System Main.PHP Authentication Bypass Vulnerability
BugTraq ID: 26178
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26178
Summary:
BugHotel Reservation System is prone to an authentication-bypass vulnerability due to a design error.

An attacker can exploit this issue to gain unauthorized access to the affected application. This may lead to further attacks.

This issue affects versions prior to BugHotel Reservation System 4.9.9 P3.

36. WPA_Supplicant ASN1_Get_Next Buffer Overflow Vulnerability
BugTraq ID: 26181
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26181
Summary:
wpa_supplicant is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application, but this has not been confirmed. Failed exploit attempts may trigger crashes, denying service to legitimate users.

This issue affects wpa_supplicant 0.5.8; other versions may also be affected.

37. 3proxy FTP Proxy Double Free Memory Corruption Vulnerability
BugTraq ID: 26180
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26180
Summary:
3proxy is prone to a double-free memory-corruption vulnerability.

Attackers may be able to exploit this issue to cause denial-of-service conditions.

This issue affects 3proxy 0.5.3i; other versions may also be vulnerable.

38. KTorrent Remote Directory Traversal Variant Vulnerability
BugTraq ID: 23745
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/23745
Summary:
KTorrent is prone to a remote directory-traversal vulnerability.

An attacker can exploit this issue by using modified '..' sequences to overwrite arbitrary files on a victim user's system.

This issue is due to an incomplete vendor fix of the issue discussed in BID 22930.

Versions of KTorrent prior to 2.1.3 are vulnerable to this issue.

39. Xfce-Terminal Remote Command Injection Vulnerability
BugTraq ID: 24889
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24889
Summary:
Xfce Terminal is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.

Attackers can exploit this issue to execute arbitrary commands in the context of the application, facilitating the remote compromise of affected computers.

Xfce Terminal 0.2.6 is vulnerable; other versions may also be affected.

40. IBM Lotus Notes Attachment Viewer Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26175
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26175
Summary:
IBM Lotus Notes is prone to multiple buffer-overflow vulnerabilities.

Successfully exploiting these issues could allow an attacker to execute arbitrary code in the context of the user running the application.

Lotus Notes 7.0.2 is prone to these issues; other versions may also be vulnerable.

41. Japanese PHP Gallery Hosting Arbitrary File Upload Vulnerability
BugTraq ID: 26179
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26179
Summary:
Japanese PHP Gallery Hosting is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Versions of Japanese PHP Gallery Hosting released prior to 10/2007 are vulnerable.

42. Mobile Spy Insecure Password Storage Information Disclosure Vulnerability
BugTraq ID: 26177
Remote: No
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26177
Summary:
Mobile Spy is prone to an information-disclosure vulnerability because it fails to securely store username and password data.

Users of a phone can gain control of the application as well as full access to the related webservice account.

43. RealPlayer ierpplug.dll ActiveX Control Playlist Name Stack Buffer Overflow Vulnerability
BugTraq ID: 26130
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26130
Summary:
RealPlayer is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks of user-supplied input before copying it to an insufficiently sized memory buffer.

Currently there is very little information available regarding this issue. This BID will be updated as details emerge.

Attackers can exploit this issue to execute arbitrary code in the context of the application using the affected control (typically Internet Explorer). Successful attacks can compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.

44. Apache Tomcat WebDav Remote Information Disclosure Vulnerability
BugTraq ID: 26070
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26070
Summary:
Apache Tomcat is prone to a remote information-disclosure vulnerability

Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server.

45. Adobe Acrobat Mailto PDF File Command Execution Vulnerability
BugTraq ID: 25748
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25748
Summary:
Adobe Acrobat is prone to a command-execution vulnerability when handling malicious PDF files.

Remote attackers can exploit this issue to compromise affected computers..

The vendor reports, this issue can only be exploited through Internet Explorer 7 installed on Microsoft Windows XP.

This issue is related to the issue described in BID 25945 (Microsoft Windows URI Handler Command Execution Vulnerability).

Note: The issue is being exploited in the wild by Trojan.Pdief.A.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-102310-3513-99

46. Zoph _Order Multiple SQL Injection Vulnerabilities
BugTraq ID: 24933
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24933
Summary:
Zoph is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

47. Multiple Web Browsers Digest Authentication HTTP Response Splitting Vulnerability
BugTraq ID: 23668
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/23668
Summary:
Multiple browsers are prone to an HTTP-response-splitting vulnerability because the software fails to properly sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.

This issue affects Microsoft Internet Explorer 7.0.5730.11 and Mozilla Firefox 2.0.0.3; other versions and browsers may also be affected.

48. Mozilla Firefox OnKeyDown Event File Upload Vulnerability
BugTraq ID: 24725
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24725
Summary:
Mozilla Firefox is prone to an information-disclosure vulnerability that can allow an attacker to access sensitive files.

This issue stems from a design error resulting from the improper handling of form fields.

All versions of Firefox are considered vulnerable.

49. Mozilla Firefox/Thunderbird/SeaMonkey Chrome-Loaded About:Blank Script Execution Vulnerability
BugTraq ID: 25142
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25142
Summary:
Mozilla Firefox, Thunderbird, and SeaMonkey are prone to a vulnerability that allows JavaScript to execute with unintended privileges.

A malicious site may be able to cause the execution of a script with Chrome privileges. Attackers could exploit this issue to execute hostile script code with privileges that exceed those that were intended. Certain Firefox extensions may not intend 'about:blank' to execute script code with Chrome privileges.

NOTE: This issue was introduced by the fix for MFSA 2007-20.

50. Mozilla Firefox 2.0.0.7 Multiple Remote Vulnerabilities
BugTraq ID: 26132
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26132
Summary:
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox 2.0.0.7 and prior versions.

These vulnerabilities allow attackers to:

- Execute arbitrary code due to memory corruption
- Carry out content spoofing and phishing attacks
- Gain unauthorized access to files on a user's computer running the Linux operating system
- Execute script code with elevated privileges

Other attacks may also be possible.

These issues are present in Firefox 2.0.0.7 and prior versions. Mozilla Thunderbird 2.0.0.7 and prior versions as well as SeaMonkey 1.1.4 and prior versions are also affected by many of these vulnerabilities.

51. Mozilla Firefox OnUnload Javascript Browser Entrapment Vulnerability
BugTraq ID: 22688
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/22688
Summary:
Mozilla Firefox is prone to a vulnerability that allows attackers to trap users at a particular webpage and spoof page transitions.

Attackers may exploit this via a malicious page to spoof the contents and origin of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.

52. Drupal Prior To 4.7.8 and 5.3 Multiple Remote Vulnerabilities
BugTraq ID: 26119
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26119
Summary:
Drupal is prone to multiple remote vulnerabilities:

- A cross-site request-forgery vulnerability.
- An HTTP response-splitting vulnerability.
- An HTML-injection vulnerability.
- A vulnerability that may allow an attacker to mail unpublished comments.
- An arbitrary-code-execution vulnerability.

An attacker may exploit these vulnerabilities to:

- Influence or misrepresent how web content is served, cached, or interpreted.
- Execute arbitrary code within the context of the webserver process.
- Steal cookie-based authentication credentials, allowing the attacker to launch other attacks.

53. Oracle interMedia Multiple SQL Injection Vulnerabilities
BugTraq ID: 26101
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26101
Summary:
Oracle interMedia is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Successful exploits may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NOTE: These issues were previously documented in BID 26039 (Oracle October 2007 Critical Patch Update Multiple Vulnerabilities). The issue was given its own BID because further technical details are now available.

54. DeleGate Multiple Denial of Service Vulnerabilities
BugTraq ID: 26174
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26174
Summary:
DeleGate is prone to multiple denial-of-service vulnerabilities.

Attackers can exploit these issues to crash the affected server, block access to the affected server, or cause other denial-of-service conditions. Given the nature of some of these issues, attackers may also be able to execute code, but this has not been confirmed.

Versions prior to DeleGate 9.7.5 may be affected.

55. PHP FTP_Putcmd Function HTTP Response Splitting Vulnerability
BugTraq ID: 23818
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/23818
Summary:
PHP is prone to an HTTP-response-splitting vulnerability because it fails to sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

This issue affects these versions:

PHP 5 prior to 5.2.2
PHP 4 prior to 4.4.7.

56. MIT Kerberos 5 KAdminD Server SVCAuth_GSS_Validate Stack Buffer Overflow Vulnerability
BugTraq ID: 25534
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25534
Summary:
Kerberos 5 'kadmind' (Kerberos Administration Daemon) server is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

All 'kadmind' servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 'kadmind' 1.4 through 1.6.2 are vulnerable; third-party applications using the affected RPC library are also affected.

57. Lotus Domino Memory Mapped Files Arbitrary Access Vulnerability
BugTraq ID: 26146
Remote: No
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26146
Summary:
Lotus Domino is prone to a vulnerability that may allow attackers to access other users' sessions.

An attacker could exploit this issue to read or write content to arbitrary Lotus Notes sessions when deployed in a shared environment.

58. Microsoft Windows IGMPv3 Denial of Service Vulnerability
BugTraq ID: 16645
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/16645
Summary:
A vulnerability in the handling of IGMPv3 (Internet Group Management Protocol) packets could result in a denial of service.

An attacker can exploit this issue through a broadcast attack to cause vulnerable computers on the subnet to become unresponsive, effectively denying service to legitimate users.

59. MultiXTpm Application Server DebugPrint() Remote Buffer Overflow Vulnerability
BugTraq ID: 26173
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26173
Summary:
MultiXTpm Application Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

A remote attacker may be able to exploit this issue to execute arbitrary code and gain unauthorized access.

Versions prior to MultiXTpm Application Server 4.0.2d are vulnerable.

60. InstaGuide Weather Index.PHP Local File Include Vulnerability
BugTraq ID: 26170
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26170
Summary:
InstaGuide Weather is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to execute local scripts or to view arbitrary files that may contain sensitive information that can aid in further attacks.

61. OpenOffice TIFF File Parser Multiple Integer Overflow Vulnerabilities
BugTraq ID: 25690
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25690
Summary:
OpenOffice is prone to multiple remote integer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Remote attackers may exploit these issues by enticing victims into opening maliciously crafted TIFF files.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

62. ImageMagick ReadDIBImage Integer Overflow Vulnerability
BugTraq ID: 25765
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25765
Summary:
ImageMagick is prone to an integer-overflow vulnerability because it fails to properly validate user-supplied data.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

Versions prior to ImageMagick 6.3.5-9 are vulnerable to this issue.

63. ImageMagick ReadBlob Multiple Remote Denial Of Service Vulnerabilities
BugTraq ID: 25764
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25764
Summary:
ImageMagick is prone to multiple remote denial-of-service vulnerabilities.

An attacker could exploit these issues by enticing an unsuspecting victim to open a malicious image file.

Successfully exploiting these issues will allow the attacker to consume excessive amounts of CPU resources on affected computers, denying service to legitimate users.

These issues affect ImageMagick 6.3.4; prior versions are also affected.

64. ImageMagick DCM, DIB, XBM, XCF, and XWD Image Files Multiple Integer Overflow Vulnerabilities
BugTraq ID: 25763
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25763
Summary:
ImageMagick is prone to multiple integer-overflow vulnerabilities because it fails to adequately handle user-supplied data.

An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

These issues affect versions prior to ImageMagick 6.3.5-9.

65. ImageMagick Blob.C Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 25766
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/25766
Summary:
ImageMagick is prone to an off-by-one buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input.

Successfully exploiting this issue allows attackers to execute arbitrary code with the privileges of a user running the application.

Versions prior to ImageMagick 6.3.5-9 are vulnerable.

66. HP Linux Imaging and Printing System HSSPD.PY Daemon Arbitrary Command Execution Vulnerability
BugTraq ID: 26054
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26054
Summary:
HP Linux Imaging and Printing System (HPLIP) is prone to an arbitrary command-execution vulnerability because it fails to adequately sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers.

NOTE: By default the application's 'hpssd' daemon listens only on localhost, but it can be configured (via /etc/hp/hplip.conf) to listen to remote requests as well.

HPLIP versions in the 1.0 and 2.0 series are vulnerable.

67. Samba Deferred CIFS File Open Denial of Service Vulnerability
BugTraq ID: 22395
Remote: No
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/22395
Summary:
The smbd daemon is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to consume excessive memory resources, ultimately crashing the affected application.

This issue affects Samba versions 3.0.6 through 3.0.23d, inclusive.

68. Jeebles Technology Jeebles Directory Download.PHP Local File Include Vulnerability
BugTraq ID: 26171
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26171
Summary:
Jeebles Directory is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to execute local scripts or to view arbitrary files that may contain sensitive information that can aid in further attacks.

This issue affects Jeebles Directory 2.9.60; other versions may also be affected.

69. Samba MS-RPC Remote Shell Command Execution Vulnerability
BugTraq ID: 23972
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/23972
Summary:
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application.

This issue affects Samba 3.0.0 to 3.0.25rc3.

70. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24195
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24195
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

71. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24197
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24197
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

72. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24198
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24198
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

73. LibTIFF TIFFFindFieldInfo Remote Buffer Overflow Vulnerability
BugTraq ID: 19793
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/19793
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the library fails to do proper boundary checks before copying user-supplied data into a finite-sized buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of appications using the affected library. Failed exploit attempts will likely crash the application, denying service to legitimate users.

This issue is known to affect versions of LibTIFF included with Sony PSP devices running firmware versions 2.0 through 2.8.

Specific information regarding affected versions of LibTIFF is currently unavailable. We will update this BID as more information emerges.

74. JasPer JPC_QCX_GetCompParm Function JP2 File Handling Remote Denial of Service Vulnerability
BugTraq ID: 24052
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24052
Summary:
JasPer is prone to a remote denial-of-service vulnerability because the application fails to handle specially crafted JP2 files.

An attacker may exploit this issue by enticing victims to open a maliciously crafted file.

Exploiting this issue allows remote attackers to crash the application, denying further service to legitimate users.

This issue affects JasPer 1.900 and 1.900.1; other versions may also be affected.

75. Hackish Blocco.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 26167
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26167
Summary:
Hackish is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Hackish BETA 1.1 is vulnerable to this issue; other versions may also be affected.

76. Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24196
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24196
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

77. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 23973
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/23973
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

This BID previously documented multiple heap-based buffer-overflow vulnerabilities affecting Samba. Each issue has been assigned its own individual record. The issues are covered in this BID and the following records:

BID 24195 - Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
BID 24196 - Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
BID 24197 - Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
BID 24198 - Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability

78. Citrix Access Gateway Standard and Advanced Edition Multiple Remote Vulnerabilities
BugTraq ID: 24975
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/24975
Summary:
Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to:

- Obtain sensitive information
- Execute code remotely
- Hijack sessions
- Redirect users to arbitrary sites
- Make unauthorized configuration changes

Citrix has released patches for these vulnerabilities.

79. Samba SID Names Local Privilege Escalation Vulnerability
BugTraq ID: 23974
Remote: No
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/23974
Summary:
Samba is prone to a local privilege-escalation vulnerability due to a logic error in the 'smbd' daemon's internal security stack.

An attacker can exploit this issue to temporarily perform SMB/CIFS operations with superuser privileges. The attacker may leverage this issue to gain superuser access to the server.

Samba 3.0.23d through 3.0.25pre2 are vulnerable.

80. LibTIFF TiffFetchShortPair Remote Buffer Overflow Vulnerability
BugTraq ID: 19283
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/19283
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the library fails to do proper boundary checks before copying user-supplied data into a finite-sized buffer.

81. JustSystem Ichitaro JSTARO4.OCX and TJSVDA.DLL Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26206
Remote: Yes
Last Updated: 2007-10-25
Relevant URL: http://www.securityfocus.com/bid/26206
Summary:
JustSystem Ichitaro is prone to multiple unspecified buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.

Successful exploits may allow attackers to execute arbitrary code in the context of a vulnerable application; failed attempts will likely cause denial-of-service conditions.

These issues affect Ichitaro 11, 12, 13, 2004, 2005, 2006, 2007, Ichitaro for Linux, Ichitaro Lite2, Punch and Ichitaro viewer; other version may also be affected.

82. GSview Multiple Unspecified Security Vulnerabilities
BugTraq ID: 26168
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26168
Summary:
GSview is prone to multiple unspecified vulnerabilities.

Very few details are available regarding these issues. We will update this BID as more information emerges.

These issues affect GSview 4.8; other versions may also be affected.

83. Mono System.Web StaticFileHandler.CS Source Code Information Disclosure Vulnerability
BugTraq ID: 26166
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26166
Summary:
Mono is prone to a vulnerability that lets attackers access source code because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.

This issue affects versions prior to Mono 1.2.5.2 running on Windows platforms.

84. LiteSpeed Web Server Null-Byte Handling Information Disclosure Vulnerability
BugTraq ID: 26163
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26163
Summary:
LiteSpeed Web Server is prone to an information-disclosure vulnerability because it fails to adequately sanitize user-supplied input.

Attackers can exploit this issue to access potentially sensitive information that could aid in further attacks.

Versions prior to LiteSpeed Web Server 3.2.4 are vulnerable.

85. Sun Solaris RPC Services Library librpcsvc(3LIB) Denial of Service Vulnerability
BugTraq ID: 26071
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26071
Summary:
Sun Solaris is prone to a denial-of-service vulnerability that stems from an unspecified error in Solaris RPC Services Library 'librpcsvc(3LIB)'. Remote and local attackers may exploit this issue to deny service to legitimate users.

Sun Solaris 8, 9, and 10 for SPARC and x86 architectures are affected.

86. DMCMS Index.PHP SQL Injection Vulnerability
BugTraq ID: 26169
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26169
Summary:
DMCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects DMCMS 0.7.0; other versions may also be affected.

87. The Online Web Library Site Scripture.PHP Remote File Include Vulnerability
BugTraq ID: 26165
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26165
Summary:
The Online Web Library Site is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects The Online Web Library Site 0.1; other versions may also be vulnerable.

88. GNU Tar Dot_Dot Function Remote Directory Traversal Vulnerability
BugTraq ID: 25417
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25417
Summary:
GNU Tar is prone to a directory-traversal vulnerability because the application fails to validate user-supplied data.

A successful attack can allow the attacker to overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.

89. Red Hat Cluster Suite DLM Remote Denial Of Service Vulnerability
BugTraq ID: 24968
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/24968
Summary:
Red Hat Cluster Suite is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause denial-of-service conditions.

NOTE: This issue was originally reported in the Ubuntu distribution of the software, but other distributions may also be affected.

90. Linux Kernel Parent Process Death Signal Local Security Bypass Weakness
BugTraq ID: 25387
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25387
Summary:
The Linux kernel is prone to a security-bypass weakness when dealing with signal handling.

This issue occurs because the software fails to properly validate access when the parent process tries to deliver its death signal to the child that registered it via 'prctl'.

A local attacker may exploit this issue to bypass certain security restrictions, which may lead to other attacks.

Linux kernel versions prior to 2.6.22.4 are vulnerable.

91. X.Org X Server Composite Extension Local Buffer Overflow Vulnerability
BugTraq ID: 25606
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25606
Summary:
The X.Org X Window System is prone to a local buffer-overflow vulnerability.

A local attacker can exploit this issue to execute arbitrary code with elevated privileges. This may facilitate a compromise of the affected computer.

92. Linux Kernel Random Number Generator Local Denial of Service and Privilege Escalation Vulnerability
BugTraq ID: 25348
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25348
Summary:
The Linux kernel is prone to a local vulnerability that may result in a denial of service or privilege escalation. This issue stems from a stack-based overflow in kernel memory.

Successfully exploiting this issue allows local attackers to trigger kernel crashes, denying service to legitimate users. In certain circumstances, attackers may also gain elevated privileges. The attacker may require partial administrative access via granular assignments of superuser privileges.

Linux kernel versions prior to 2.6.22.3 are affected by this issue.

93. Linux Kernel USBLCD Memory Consumption Denial Of Service Vulnerability
BugTraq ID: 24734
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/24734
Summary:
The Linux Kernel is prone to a denial-of-service vulnerability because it fails to limit memory consumption by 'fast writers'.

Attackers can exploit this issue to consume memory, resulting in denial-of-service conditions.

Versions prior to 2.6.22-rc7 are vulnerable.

94. Linux Kernel PTrace NULL Pointer Dereference Local Denial Of Service Vulnerability
BugTraq ID: 25801
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25801
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

This issue occurs because of a NULL-pointer dereference in certain 'ptrace' operations.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

95. Linux Kernel HugeTLB Local Denial Of Service Vulnerability
BugTraq ID: 25904
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25904
Summary:
The Linux Kernel is prone to a local denial-of-service vulnerability caused by a design error in the 'hugetlbfs' handling procedures.

This issue affects kernel 2.6.x versions prior to 2.6.18.

96. Linux Kernel AACRAID Driver Local Security Bypass Vulnerability
BugTraq ID: 25216
Remote: No
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/25216
Summary:
The Linux kernel is prone to a security-bypass vulnerability.

A local attacker may exploit this vulnerability to issue IOCTL commands to AACRAID devices. This may lead to denial-of-service conditions, including data loss and computer crashes.

Versions prior to 2.6.23-rc2 are vulnerable.

97. WebIf Webif.exe Cross-Site Scripting Vulnerability
BugTraq ID: 26164
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26164
Summary:
WebIf is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

98. FLAC libFLAC Multiple Unspecified Integer Overflow Vulnerabilities
BugTraq ID: 26042
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26042
Summary:
FLAC (Free Lossless Audio Codec) is prone to multiple remote integer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before allocating memory.

Remote attackers may exploit these issues by enticing victims into opening maliciously crafted FLAC files.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

FLAC 1.2.0 is vulnerable; other versions may also be affected.

NOTE: Applications that include the affected libFLAC library are also affected.

99. CandyPress Store Logon.ASP Cross-Site Scripting Vulnerability
BugTraq ID: 26153
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26153
Summary:
CandyPress Store is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

This issue affects CandyPress Store 4.1; other versions may also be affected.

100. Flatnuke3 File Manager Module Unauthorized Access Vulnerability
BugTraq ID: 26155
Remote: Yes
Last Updated: 2007-10-24
Relevant URL: http://www.securityfocus.com/bid/26155
Summary:
Flatnuke3 is prone to an unauthorized-access vulnerability because it fails to adequately verify administrative credentials while logging in via the 'File Manager' module.

An attacker can exploit this vulnerability to gain administrative control of the application; other attacks are also possible.

This issue affects Flatnuke3-2007-10-10; other versions may also be vulnerable.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Identity thieves likely to be first-timers, strangers
By: Robert Lemos
Six years of U.S. Secret Service cases reveal that the majority of identity thieves do not know their victims and do not have a prior criminal record.
http://www.securityfocus.com/news/11492

2. Retailers look to exorcise credit-card data
By: Robert Lemos
The National Retail Federation sends a letter asking that its members be allowed to decide what credit-card data to keep.
http://www.securityfocus.com/news/11491

3. DHS, Unisys scrutinized after data breach
By: Robert Lemos
A Congressional committee claims that Unisys allowed malicious code to infect federal systems.
http://www.securityfocus.com/news/11489

4. Customers: TD Ameritrade failed to warn of breach
By: Robert Lemos
Numerous account holders complained over the past year that the consumer brokerage had sold or leaked e-mail addresses to pump-and-dump spammers.
http://www.securityfocus.com/news/11488

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Penetration Engineer, arlington
http://www.securityfocus.com/archive/77/482634

2. [SJ-JOB] Application Security Architect, Hopkinton
http://www.securityfocus.com/archive/77/482635

3. [SJ-JOB] Security Consultant, Louisville
http://www.securityfocus.com/archive/77/482636

4. [SJ-JOB] Sr. Security Analyst, Fairfax
http://www.securityfocus.com/archive/77/482638

5. [SJ-JOB] Compliance Officer, Pentagon City
http://www.securityfocus.com/archive/77/482628

6. [SJ-JOB] Information Assurance Engineer, arlington
http://www.securityfocus.com/archive/77/482630

7. [SJ-JOB] Security Engineer, Crystal City
http://www.securityfocus.com/archive/77/482631

8. [SJ-JOB] Security Consultant, Los Angeles
http://www.securityfocus.com/archive/77/482633

9. [SJ-JOB] Security Engineer, arlington
http://www.securityfocus.com/archive/77/482637

10. [SJ-JOB] Security Engineer, Chantilly
http://www.securityfocus.com/archive/77/482621

11. [SJ-JOB] Security Engineer, Arlington
http://www.securityfocus.com/archive/77/482622

12. [SJ-JOB] Training / Awareness Specialist, London
http://www.securityfocus.com/archive/77/482619

13. [SJ-JOB] Application Security Engineer, Amsterdam
http://www.securityfocus.com/archive/77/482620

14. [SJ-JOB] Software Engineer, St Paul
http://www.securityfocus.com/archive/77/482629

15. [SJ-JOB] Software Engineer, St Paul
http://www.securityfocus.com/archive/77/482618

16. [SJ-JOB] Security Consultant, Longmont
http://www.securityfocus.com/archive/77/482627

17. [SJ-JOB] Software Engineer, Redmond
http://www.securityfocus.com/archive/77/482521

18. [SJ-JOB] Developer, Beverly Hills
http://www.securityfocus.com/archive/77/482522

19. [SJ-JOB] Software Engineer, Columbia
http://www.securityfocus.com/archive/77/482512

20. [SJ-JOB] Application Security Engineer, Denver
http://www.securityfocus.com/archive/77/482516

21. [SJ-JOB] Sr. Security Engineer, Beverly Hills
http://www.securityfocus.com/archive/77/482520

22. [SJ-JOB] Security Engineer, Beverly Hills
http://www.securityfocus.com/archive/77/482523

23. [SJ-JOB] Management, Columbia
http://www.securityfocus.com/archive/77/482524

24. [SJ-JOB] Penetration Engineer, Washington, DC
http://www.securityfocus.com/archive/77/482513

25. [SJ-JOB] Security System Administrator, Los Angeles area
http://www.securityfocus.com/archive/77/482517

26. [SJ-JOB] Security Consultant, Reston
http://www.securityfocus.com/archive/77/482518

27. [SJ-JOB] Forensics Engineer, San Francisco
http://www.securityfocus.com/archive/77/482519

28. [SJ-JOB] Software Engineer, Redmond
http://www.securityfocus.com/archive/77/482509

29. [SJ-JOB] Quality Assurance, Redmond
http://www.securityfocus.com/archive/77/482510

30. [SJ-JOB] Security Architect, Valley Forge
http://www.securityfocus.com/archive/77/482511

V. INCIDENTS LIST SUMMARY
---------------------------
1. CFP for HITBSecConf2008 - Dubai now open
http://www.securityfocus.com/archive/75/482678

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. CFP for HITBSecConf2008 - Dubai now open
http://www.securityfocus.com/archive/82/482684

2. Cracking the iPhone (5 article series)
http://www.securityfocus.com/archive/82/482685

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #364
http://www.securityfocus.com/archive/88/482537

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is Sponsored by: SPI Dynamics

https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=70160000000D5K3

News

Thursday, October 25, 2007

SecurityFocus Newsletter #424

No comments:

WINDOWS CENTER

Blog Archive