WINDOWS CENTER: SecurityFocus Newsletter #426

SecurityFocus Newsletter #426
----------------------------------------

This issue is Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of sensitive data - including personal, medical and financial information - are exchanged, and stored.
This paper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools.
Download Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=7017000000093zv

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1.E-mail privacy to disappear?
2.Rebinding attacks unbound
II. BUGTRAQ SUMMARY
1. Multiple Vendor System V Derived 'login' Buffer Overflow Vulnerability
2. Sun Solaris RWall Daemon Syslog Format String Vulnerability
3. Work System e-commerce Unspecified Ajax Pages Security Vulnerability
4. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
5. Coppermine Photo Gallery Displayecard.PHP Cross-Site Scripting Vulnerability
6. IBM WebSphere Application Server UDDI Console Multiple Input Validation Vulnerabilities
7. Apache Geronimo SQLLoginModule Authentication Bypass Vulnerability
8. SAP EnjoySAP KWEdit.DLL ActiveX Control Stack Buffer Overflow Vulnerability
9. PoPToP PPTP Negative read() Argument Remote Buffer Overflow Vulnerability
10. Microsoft DirectX Media SDK DXTLIPI.DLL ActiveX Control Buffer Overflow Vulnerability
11. Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
12. Mozilla Firefox/Thunderbird/SeaMonkey Chrome-Loaded About:Blank Script Execution Vulnerability
13. PHP memory_limit Remote Code Execution Vulnerability
14. Linux Kernel IEEE80211 HDRLen Remote Denial Of Service Vulnerability
15. OpenSSL Public Key Processing Denial of Service Vulnerability
16. Mozilla Client Products Multiple Remote Vulnerabilities
17. Multiple Portable OpenSSH PAM Vulnerabilities
18. Xoops Friendfinder Module View.PHP SQL Injection Vulnerability
19. OpenSSH Privilege Separation Key Signature Weakness
20. Trolltech QT Pixmap Images Integer Overflow Vulnerability
21. X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities
22. OpenSSL ASN.1 Structures Denial of Service Vulnerability
23. Linux Kernel ULE Packet Handling Remote Denial of Service Vulnerability
24. Ekiga GM_Main_Window_Flash_Message Remote Format String Vulnerability
25. Windows VDM Zero Page Race Condition Local Privilege Escalation Vulnerability
26. OpenOffice StarCalc Parser Unspecified Buffer Overflow Vulnerability
27. Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
28. Mono System.Math BigInteger Buffer Overflow Vulnerability
29. Oracle Database Server PITRIG_DROPMETADATA Remote Buffer Overflow Vulnerability
30. GForge Insecure Temporary File Creation Vulnerability
31. Mcstrans Mcstrans.C Local Denial of Service Vulnerability
32. T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability
33. CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability
34. Libpng Library Multiple Remote Denial of Service Vulnerabilities
35. Apache HTTP Server Mod_Cache Denial of Service Vulnerability
36. MadWifi Xrates Element Remote Denial of Service Vulnerability
37. Cypress for BitchX Information Disclosure Backdoor Vulnerability
38. Python ImageOP Module Multiple Integer Overflow Vulnerabilities
39. HP Linux Imaging and Printing System HSSPD.PY Daemon Arbitrary Command Execution Vulnerability
40. CoolKey PK11IPC1 Insecure Temporary File Creation Vulnerability
41. Apache HTTP Server Worker Process Multiple Denial of Service Vulnerabilities
42. Apache Mod_AutoIndex.C Undefined Charset Cross-Site Scripting Vulnerability
43. Apache Mod_Mem_Cache Information Disclosure Vulnerability
44. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
45. Xpdf Multiple Remote Stream.CC Vulnerabilities
46. Apache HTTP Server Mod_Proxy Denial of Service Vulnerability
47. Adobe PageMaker MAIPM6.dll Long Font Name Buffer Overflow Vulnerability
48. MyWebFTP Pass.PHP Hashed Password Information Disclosure Vulnerability
49. Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability
50. IBM AIX Setlocale Function Local Privilege Escalation Vulnerability
51. ManageEngine OpManager JSP/Login.DO Multiple Cross Site Scripting Vulnerabilities
52. OpenSSL SSLv3 Session ID Buffer Overflow Vulnerability
53. X.Org X Font Server Multiple Memory Corruption Vulnerabilities
54. LibTIFF TiffScanLineSize Remote Buffer Overflow Vulnerability
55. tcpdump Print-bgp.C Remote Integer Underflow Vulnerability
56. TCPDump IEEE802.11 printer Remote Buffer Overflow Vulnerability
57. OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
58. OpenSSH LINUX_AUDIT_RECORD_EVENT Remote Log Injection Weakness
59. Wireshark Multiple Protocol Denial of Service Vulnerabilities
60. RETIRED: CandyPress Store Logon.ASP Cross-Site Scripting Vulnerability
61. emagiC CMS (ASP) EMC.ASP SQL Injection Vulnerability
62. SiteBar Multiple Input Validation Vulnerabilities
63. JLMForo System Buscado.PHP Cross-Site Scripting Vulnerability
64. JLMForo System ModificarPerfil.PHP HTML Injection Vulnerability
65. Link Grammar SEPARATE_WORD Function Remote Buffer Overflow Vulnerability
66. IBM Informix Dynamic Server Multiple Vulnerabilities
67. Cisco Unified MeetingPlace Web Conference Login Multiple Cross Site Scripting Vulnerabilities
68. PicoFlat CMS Multiple Remote Security Bypass Vulnerabilities
69. C++ Sockets Library HTTPSocket Class Remote Denial Of Service Vulnerability
70. JPortal Mailer.PHP SQL Injection Vulnerability
71. Microsoft DebugView Kernel Module Dbgv.SYS Local Privilege Escalation Vulnerability
72. PCRE Regular Expression Library Multiple Security Vulnerabilities
73. Perl Archive::Tar Module Remote Directory Traversal Vulnerability
74. Plone Multiple Modules Script Execution Vulnerabilities
75. Viewpoint Media Player AxMetaStream.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
76. Micro CMS MicroCMS-include.PHP Remote File Include Vulnerability
77. Apple QuickTime Color Table Atom Remote Heap Buffer Overflow Vulnerability
78. Apple QuickTime Panorama Sample Atoms Remote Heap Buffer Overflow Vulnerability
79. Apple QuickTime STSD Atom Remote Heap Buffer Overflow Vulnerability
80. Apple QuickTime PICT Image Remote Multiple Heap Buffer Overflow Vulnerabilities
81. Apple QuickTime for Java Multiple Unspecified Remote Privilege Escalation Vulnerabilities
82. Apple QuickTime Image Description Atom Remote Memory Corruption Vulnerability
83. Computer Associates Message Queuing Buffer Overflow Vulnerability
84. Apple QuickTime PICT Image Remote Stack Buffer Overflow Vulnerability
85. Computer Associates BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability
86. Weblord.it MS-TopSites Unauthorized Access Vulnerability and HTML Injection Vulnerability
87. awrate.com message board 404.PHP and TopBar.PHP Multiple Remote File Include Vulnerabilities
88. Gnome Evolution Data Server Array Index Memory Access Vulnerability
89. Avaya Messaging Storage Server and Avaya Message Networking Input Validation Vulnerability
90. Sun Java Runtime Environment WebStart JNLP File Stack Buffer Overflw Vulnerability
91. Microsoft Exchange Server Calendar Remote Code Execution Vulnerability
92. Macrovision SafeDisc SecDRV.SYS Method_Neither Local Privilege Escalation Vulnerability
93. RGameScript Pro Page.PHP Remote File Include Vulnerability
94. GNU GV Stack Buffer Overflow Vulnerability
95. Sun Java Web Proxy Server Multiple Buffer Overflow Vulnerabilities
96. Sun Java Web Console LibWebconsole_Services.SO Format String Vulnerability
97. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
98. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
99. Synergiser Index.PHP Local File Include Vulnerability
100. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
III. SECURITYFOCUS NEWS
1. Task force aims to improve U.S. cybersecurity
2. Court filings double estimate of TJX breach
3. Identity thieves likely to be first-timers, strangers
4. Retailers look to exorcise credit-card data
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Security Engineer, Alpharetta
2. [SJ-JOB] Security Engineer, Napa
3. [SJ-JOB] Sr. Security Engineer, Washington
4. [SJ-JOB] Security Engineer, Norfolk
5. [SJ-JOB] Security Consultant, Manama
6. [SJ-JOB] Application Security Engineer, Bloomington
7. [SJ-JOB] Security Architect, Brussels
8. [SJ-JOB] Sales Engineer, Any US Location
9. [SJ-JOB] Security Engineer, Reston
10. [SJ-JOB] Security Architect, Brussels
11. [SJ-JOB] Security Engineer, New York
12. [SJ-JOB] Security Engineer, Hunt Valley
13. [SJ-JOB] Forensics Engineer, Durham
14. [SJ-JOB] Technical Support Engineer, Dallas
15. [SJ-JOB] Jr. Security Analyst, Sydney
16. [SJ-JOB] Security Engineer, Alpharetta
17. [SJ-JOB] Security Engineer, New York
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Browser Heaps
2. understanding buffer overflows
VII. MICROSOFT FOCUS LIST SUMMARY
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
1. How secure is the openSUSE Build Service?
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1.E-mail privacy to disappear?
On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government's request for a full-panel hearing in United States v. Warshak case centering on the right of privacy for stored electronic communications. At issue is whether the procedure whereby the government can subpoena stored copies of your e-mail -- similar to the way they could simply subpoena any physical mail sitting on your desk -- is unconstitutionally broad.

http://www.securityfocus.com/columnists/456

2.Rebinding attacks unbound
By Federico Biancuzzi
DNS rebinding was discovered in 1996 and affected the Java Virtual Machine (VM). Recently a group of researchers at Stanford found out that this vulnerability is still present in browsers and that the common solution, known as DNS pinning, is not effective anymore.
http://www.securityfocus.com/columnists/455

II. BUGTRAQ SUMMARY
--------------------
1. Multiple Vendor System V Derived 'login' Buffer Overflow Vulnerability
BugTraq ID: 3681
Remote: Yes
Last Updated: 2007-11-08
Relevant URL: http://www.securityfocus.com/bid/3681
Summary:
The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.

Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.

Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.

2. Sun Solaris RWall Daemon Syslog Format String Vulnerability
BugTraq ID: 4639
Remote: Yes
Last Updated: 2007-11-08
Relevant URL: http://www.securityfocus.com/bid/4639
Summary:
Solaris is the freely available UNIX-derivative operating system developed and distributed by Sun Microsystems.

A format-string vulnerability allows attackers to execute arbitrary code on vulnerable systems. When malicious format strings are sent from one system to another, an insecure 'syslog' call may allow a remote attacker to exploit the call to execute arbitrary code.

3. Work System e-commerce Unspecified Ajax Pages Security Vulnerability
BugTraq ID: 26292
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26292
Summary:
WORK system e-commerce is prone to an unspecified vulnerability in some Ajax pages.

Very few details are available regarding this issue. We will update this BID as more information emerges.

This issue affects versions prior to WORK system e-commerce 4.0.2.

4. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 23973
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/23973
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects Samba 3.0.25rc3 and prior versions.

This BID previously documented multiple heap-based buffer-overflow vulnerabilities affecting Samba. Each issue has been assigned its own individual record. The issues are covered in this BID and the following records:

BID 24195 - Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
BID 24196 - Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
BID 24197 - Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
BID 24198 - Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability

5. Coppermine Photo Gallery Displayecard.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 26357
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26357
Summary:
Coppermine Photo Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to Coppermine 1.4.14 are vulnerable.

6. IBM WebSphere Application Server UDDI Console Multiple Input Validation Vulnerabilities
BugTraq ID: 26276
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26276
Summary:
WebSphere Application Server is prone to multiple cross-site request-forgery and cross-site scripting vulnerabilities.

Attackers can exploit these issues to steal cookie-based authentication credentials, execute arbitrary script code, and use a victim's currently active session to perform actions with the application.

WebSphere Application Server 6.0 and 6.1 are vulnerable; other versions may also be affected.

7. Apache Geronimo SQLLoginModule Authentication Bypass Vulnerability
BugTraq ID: 26287
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26287
Summary:
Apache Geronimo is prone to an authentication-bypass vulnerability that occurs in SQLLoginModule.

An attacker can exploit this vulnerability to access the affected application; other attacks are also possible.

This issue affects Apache Geronimo 2.1, 2.0, 2.0.1, 2.0.2.

IBM WebSphere Application Server Community Edition 2.0.0.0 is vulnerable as well because it uses the affected component.

8. SAP EnjoySAP KWEdit.DLL ActiveX Control Stack Buffer Overflow Vulnerability
BugTraq ID: 24772
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24772
Summary:
EnjoySAP is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately check boundaries on data supplied to an ActiveX control method.

An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Failed attempts will likely result in denial-of-service conditions.

9. PoPToP PPTP Negative read() Argument Remote Buffer Overflow Vulnerability
BugTraq ID: 7316
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/7316
Summary:
A buffer overflow vulnerability has been discovered in PoPToP PPTP. The problem occurs due to insufficient sanity checks when referencing user-supplied input used in various calculations. As a result, it may be possible for an attacker to trigger a condition where sensitive memory can be corrupted.

Successful exploitation of this issue may allow an attacker to execute arbitrary code with the privileges of the affected server.

10. Microsoft DirectX Media SDK DXTLIPI.DLL ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 25279
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/25279
Summary:
Microsoft DirectX Media SDK 'DXTLIPI.DLL' ActiveX control is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Microsoft DirectX Media SDK 6.0 with DXTLIPI.DLL 6.0.2.827 is reported vulnerable.

11. Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
BugTraq ID: 24286
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24286
Summary:
Mozilla Firefox is prone to a cross-domain information-disclosure vulnerability because scripts may persist across navigations.

A malicious site may be able to modify the iframe of a site in an arbitrary external domain. Attackers could exploit this to gain access to sensitive information that is associated with the external domain. Other attacks are also possible, such as executing script code in other browser security zones.

This issue is being tracked by Bugzilla Bug 382686 and is reportedly related to Bug 343168.

Firefox 2.0.0.4 and prior versions are vulnerable.

12. Mozilla Firefox/Thunderbird/SeaMonkey Chrome-Loaded About:Blank Script Execution Vulnerability
BugTraq ID: 25142
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/25142
Summary:
Mozilla Firefox, Thunderbird, and SeaMonkey are prone to a vulnerability that allows JavaScript to execute with unintended privileges.

A malicious site may be able to cause the execution of a script with Chrome privileges. Attackers could exploit this issue to execute hostile script code with privileges that exceed those that were intended. Certain Firefox extensions may not intend 'about:blank' to execute script code with Chrome privileges.

NOTE: This issue was introduced by the fix for MFSA 2007-20.

13. PHP memory_limit Remote Code Execution Vulnerability
BugTraq ID: 10725
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/10725
Summary:
Reportedly PHP modules compiled with memory_limit support are affected by a remote code execution vulnerability. This issue is due to a failure of the PHP module to properly handle memory_limit request termination.

This issue is reportedly exploitable by exploiting the Apache ap_escape_html Memory Allocation Denial Of Service Vulnerability (BID 10619); an attacker can cause premature termination during critical code execution. It should be noted that although the above-mentioned Apache vulnerability is the only known attack vector, there might be other attack vectors that are currently unknown.

An attacker can exploit this issue to execute arbitrary code on an affected computer within the context of the vulnerable application, facilitating unauthorized access.

14. Linux Kernel IEEE80211 HDRLen Remote Denial Of Service Vulnerability
BugTraq ID: 26337
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26337
Summary:
The Linux kernel ieee80211 driver is prone to a remote denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to crash a victim computer, effectively denying service.

Versions prior to Linux kernel 2.6.22.11 are vulnerable.

15. OpenSSL Public Key Processing Denial of Service Vulnerability
BugTraq ID: 20247
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/20247
Summary:
OpenSSL is prone to a denial-of-service vulnerability because it fails to validate the lengths of public keys being used.

An attacker can exploit this issue to crash an affected server using OpenSSL.

16. Mozilla Client Products Multiple Remote Vulnerabilities
BugTraq ID: 20957
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/20957
Summary:
The Mozilla Foundation has released two security advisories specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- Crash the applications and potentially execute arbitrary machine code in the context of the vulnerable applications.
- Run arbitrary JavaScript bytecode.

Other attacks may also be possible.

The issues described here will be split into individual BIDs as more information becomes available.

These issues are fixed in:

- Mozilla Firefox 1.5.0.8
- Mozilla Thunderbird 1.5.0.8
- Mozilla SeaMonkey 1.0.6

17. Multiple Portable OpenSSH PAM Vulnerabilities
BugTraq ID: 8677
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/8677
Summary:
Multiple vulnerabilities have been reported to affect Portable OpenSSH PAM support implementation. It has been reported that at least one of these vulnerabilities may be exploitable, under a non-standard configuration with privsep disabled, by a remote attacker.

18. Xoops Friendfinder Module View.PHP SQL Injection Vulnerability
BugTraq ID: 23184
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/23184
Summary:
The Xoops Friendfinder module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. This issue may help the attacker gain unauthorized access.

Xoops Friendfinder 3.3 and prior versions are reported vulnerable.

19. OpenSSH Privilege Separation Key Signature Weakness
BugTraq ID: 20956
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/20956
Summary:
OpenSSH is prone to a weakness that may allow attackers to authenticate without proper key signatures. This issue is due to a design error between privileged processes and their child processes.

Little is known regarding this vulnerability; more information will be added to this BID when it becomes available.

OpenSSH version 4.4 is vulnerable; other versions may also be affected.

Note that this weakness is not known to be exploitable unless other vulnerabilites are present.

20. Trolltech QT Pixmap Images Integer Overflow Vulnerability
BugTraq ID: 20599
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/20599
Summary:
Qt is prone to an integer-overflow vulnerability because the library fails to do proper bounds checking on user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.

21. X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities
BugTraq ID: 21968
Remote: No
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/21968
Summary:
X.Org is prone to multiple local integer-overflow vulnerabilities.

Attackers can exploit this issue to execute arbitrary code with superuser privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

22. OpenSSL ASN.1 Structures Denial of Service Vulnerability
BugTraq ID: 20248
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/20248
Summary:
OpenSSL is prone to a denial-of-service vulnerability.

An attacker may exploit this issue to cause applications that use the vulnerable library to consume excessive CPU and memory resources and crash, denying further service to legitimate users.

23. Linux Kernel ULE Packet Handling Remote Denial of Service Vulnerability
BugTraq ID: 19939
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/19939
Summary:
The Linux kernel is prone to a remote denial-of-service vulnerability.

This issue is triggered when the kernel handles a specially crafted ULE packet.

This issue allows remote attackers to trigger a denial of service for legitimate users.

Kernel version 2.6.17.8 is reported vulnerable; other versions may be affected as well.

24. Ekiga GM_Main_Window_Flash_Message Remote Format String Vulnerability
BugTraq ID: 22613
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/22613
Summary:
Ekiga is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

A remote attacker may execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts will result in a denial of service.

This issue affects versions prior to 2.0.5.

25. Windows VDM Zero Page Race Condition Local Privilege Escalation Vulnerability
BugTraq ID: 23367
Remote: No
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/23367
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability because of a race condition in the Virtual DOS Machine (VDM).

A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

26. OpenOffice StarCalc Parser Unspecified Buffer Overflow Vulnerability
BugTraq ID: 23067
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/23067
Summary:
OpenOffice is prone to a remote stack-based buffer-overflow vulnerability. This issue occurs because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service.

27. Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
BugTraq ID: 1480
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/1480
Summary:
A vulnerability exists in the 'rpc.statd' program, which is part of the 'nfs-utils' package that is shipped with a number of popular Linux distributions. Because of a format-string vulnerability when calling the 'syslog()' function, a remote attacker can execute code as root.

The 'rpc.statd' server is an RPC server that implements the Network Status and Monitor RPC protocol. It's a component of the Network File System (NFS) architecture.

The logging code in 'rpc.statd' uses the 'syslog()' function, passing it as the format string user-supplied data. A malicious user can construct a format string that injects executable code into the process address space and overwrites a function's return address, thus forcing the program to execute the code.
The 'rpc.statd' server requires root privileges for opening its network socket, but fails to drop these privileges later on. Therefore, code run by the malicious user will execute with root privileges.

Debian, Red Hat, and Connectiva have all released advisories. Presumably, any Linux distribution that runs the statd process is vulnerable unless patched for the problem.

28. Mono System.Math BigInteger Buffer Overflow Vulnerability
BugTraq ID: 26279
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26279
Summary:
Mono is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue could allow attackers to execute arbitrary code in the context of the user running an affected application. Failed exploit attempts will likely result in a denial-of-service condition.

29. Oracle Database Server PITRIG_DROPMETADATA Remote Buffer Overflow Vulnerability
BugTraq ID: 26374
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26374
Summary:
Oracle Database Server is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An authenticated attacker can exploit this issue to execute arbitrary code within the context of the database account. Failed exploit attempts will result in a denial of service.

30. GForge Insecure Temporary File Creation Vulnerability
BugTraq ID: 26373
Remote: No
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26373
Summary:
GForge creates temporary files in an insecure way.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. This may result in denial-of-service conditions; other attacks are also possible.

31. Mcstrans Mcstrans.C Local Denial of Service Vulnerability
BugTraq ID: 26371
Remote: No
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26371
Summary:
Mcstrans is prone to a local denial-of-service vulnerability because it fails to adequately check user-supplied data.

Successfully exploiting this issue allows local attackers to deny service to legitimate users.

32. T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability
BugTraq ID: 25079
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25079
Summary:
T1lib is prone to a buffer-overflow vulnerability because the library fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit this issue to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts will likely trigger crashes, denying service to legitimate users.

We do not know which versions of T1lib are affected.

33. CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 26268
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26268
Summary:
CUPS is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

CUPS 1.3.3 is reported vulnerable; other versions may be affected as well.

34. Libpng Library Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 25956
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25956
Summary:
The 'libpng' library is prone to multiple remote denial-of-service vulnerabilities because the library fails to handle malicious PNG files.

Successful exploits may allow remote attackers to cause denial-of-service conditions on computers running the affected library.

These issues affect 'libpng' 1.2.20 and prior versions.

35. Apache HTTP Server Mod_Cache Denial of Service Vulnerability
BugTraq ID: 24649
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24649
Summary:
The Apache mod_cache module is prone to a denial-of-service vulnerability.

A remote attacker may be able to exploit this issue to crash the child process. This could lead to denial-of-service conditions if the server is using a multithreaded Multi-Processing Module (MPM).

36. MadWifi Xrates Element Remote Denial of Service Vulnerability
BugTraq ID: 26052
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26052
Summary:
MadWifi is prone to a remote denial-of-service vulnerability because the application limits the size of the extended supported rates element in beacon frames transmitted from wireless access points.

An attacker can exploit this issue to cause the affected computer to crash, denying further service to legitimate users.

This issue affects MadWifi 0.9.3.2 and prior versions.

37. Cypress for BitchX Information Disclosure Backdoor Vulnerability
BugTraq ID: 26372
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26372
Summary:
An attacker compromised the source code for Cypress for BitchX and altered it to include a malicious backdoor. This backdoor introduces an information-disclosure vulnerability that will let remote users gain access to potentially sensitive information.

Cypress 1.0k is affected by this issue. It is not currently known when this malicious code was inserted into the archive.

38. Python ImageOP Module Multiple Integer Overflow Vulnerabilities
BugTraq ID: 25696
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25696
Summary:
Python's imageop module is prone to multiple integer-overflow vulnerabilities because it fails to properly bounds-check user-supplied input to ensure that integer operations do not overflow.

To successfully exploit these issues, an attacker must be able to control the arguments to imageop functions. Remote attackers may be able to do this, depending on the nature of applications that use the vulnerable functions.

Attackers would likely submit invalid or specially crafted images to applications that perform imageop operations on the data.

A successful exploit may allow attacker-supplied machine code to run in the context of affected applications, facilitating the remote compromise of computers.

39. HP Linux Imaging and Printing System HSSPD.PY Daemon Arbitrary Command Execution Vulnerability
BugTraq ID: 26054
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26054
Summary:
HP Linux Imaging and Printing System (HPLIP) is prone to an arbitrary command-execution vulnerability because it fails to adequately sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers.

NOTE: By default the application's 'hpssd' daemon listens only on localhost, but it can be configured (via /etc/hp/hplip.conf) to listen to remote requests as well.

HPLIP versions in the 1.0 and 2.0 series are vulnerable.

40. CoolKey PK11IPC1 Insecure Temporary File Creation Vulnerability
BugTraq ID: 26369
Remote: No
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26369
Summary:
CoolKey creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks to alter the permissions of an arbitrary attacker-specified file, such as '/etc/shadow'. This could facilitate a complete compromise of the affected computer.

41. Apache HTTP Server Worker Process Multiple Denial of Service Vulnerabilities
BugTraq ID: 24215
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24215
Summary:
Apache is prone to multiple denial-of-service vulnerabilities.

An attacker with the ability to execute arbitrary server-side script-code can exploit these issues to stop arbitrary services on the affected computer in the context of the master webserver process; other attacks may also be possible.

42. Apache Mod_AutoIndex.C Undefined Charset Cross-Site Scripting Vulnerability
BugTraq ID: 25653
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25653
Summary:
Apache is affected by a vulnerability that may cause certain web pages to be prone to a cross-site scripting attack. This issue stems from a lack of a defined charset on certain generated pages.

Web pages generated by the affected source code may be prone to a cross-site scripting issue.

Versions prior to Apache 2.2.6 are affected.

NOTE: Reports indicate that this issue does not occur when the application is running on Windows operating systems.

43. Apache Mod_Mem_Cache Information Disclosure Vulnerability
BugTraq ID: 24553
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24553
Summary:
Apache is prone to a path-information-disclosure vulnerability. Remote unauthorized attackers may be able to access sensitive data.

Information obtained may aid attackers in launching further attacks against an affected server.

Apache 2.2.4 is reported vulnerable to this issue; other versions may be affected as well.

44. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
BugTraq ID: 24645
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24645
Summary:
The Apache HTTP Server mod_status module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

45. Xpdf Multiple Remote Stream.CC Vulnerabilities
BugTraq ID: 26367
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26367
Summary:
Xpdf is prone to multiple remote vulnerabilities because of flaws in various functions in the 'Stream.cc' source file.

Attackers exploit these issues by coercing users to view specially crafted PDF files with the affected application.

Successfully exploiting these issues allows attackers to execute arbitrary machine code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.

Xpdf 3.02pl1 is vulnerable to these issues; other versions may also be affected.

46. Apache HTTP Server Mod_Proxy Denial of Service Vulnerability
BugTraq ID: 25489
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25489
Summary:
The Apache mod_proxy module is prone to a denial-of-service vulnerability.

A remote attacker may be able to exploit this issue to crash the child process. This could lead to denial-of-service conditions if the server is using a multithreaded Multi-Processing Module (MPM).

47. Adobe PageMaker MAIPM6.dll Long Font Name Buffer Overflow Vulnerability
BugTraq ID: 25989
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25989
Summary:
Adobe PageMaker is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue to crash affected applications, deny service to legitimate users, or take over the system. A vendor-supplied fix is available.

This issue affects PageMaker 7.0.1 and 7.0.2; other versions may also be affected.

48. MyWebFTP Pass.PHP Hashed Password Information Disclosure Vulnerability
BugTraq ID: 26366
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26366
Summary:
MyWebFTP is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to access sensitive information that may lead to other attacks.

MYWebFTP 5.3.2 is vulnerable; other versions may also be affected.

49. Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability
BugTraq ID: 16870
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/16870
Summary:
Microsoft Internet Explorer is prone to a remote buffer-overflow vulnerability in the 'IsComponentInstalled()' method. A successful exploit results in arbitrary code execution in the context of the user running the browser.

This issue was reportedly addressed in Windows 2000 SP4 and Windows XP SP1, but this has not been confirmed.

Internet Explorer 6 is vulnerable to this issue; earlier versions may also be affected.

50. IBM AIX Setlocale Function Local Privilege Escalation Vulnerability
BugTraq ID: 19578
Remote: No
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/19578
Summary:
IBM AIX is prone to a local privilege-escalation vulnerability.

A local attacker may be able to exploit this issue to gain elevated privileges on the affected computer. A successful exploit will lead to the complete compromise of the affected computer.

IBM AIX 5.1, 5.2, and 5.3 are vulnerable to this issue.

51. ManageEngine OpManager JSP/Login.DO Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 26368
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26368
Summary:
ManageEngine OpManager is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

52. OpenSSL SSLv3 Session ID Buffer Overflow Vulnerability
BugTraq ID: 5362
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/5362
Summary:
OpenSSL is prone to a buffer-overflow vulnerability involving overly long SSLv3 session IDs.

Reportedly, when an oversized SSLv3 session ID is supplied to a client from a malicious server, a buffer may overflow on the remote system. Key memory areas on the vulnerable remote system may be overwritten, and arbitrary code may run as the client process.

53. X.Org X Font Server Multiple Memory Corruption Vulnerabilities
BugTraq ID: 25898
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/25898
Summary:
X.Org X Font Server (XFS) is prone to multiple memory-corruption vulnerabilities, including an integer-overflow issue and a heap-based memory-corruption issue.

An attacker could exploit this issue to execute arbitrary code with the privileges of the X Font Server. Failed exploit attempts will likely result in a denial-of-service condition.

NOTE: These issues are exploitable remotely only on Solaris operating systems; by default the server is listening on TCP port 7100. For other UNIX-like operating systems, an attacker can exploit these issues only locally.

These issues affect X Font Server 1.0.4; prior versions may also be affected.

54. LibTIFF TiffScanLineSize Remote Buffer Overflow Vulnerability
BugTraq ID: 19288
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/19288
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the library fails to do proper boundary checks before copying user-supplied data into a finite-sized buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of applications using the affected library. Failed exploit attempts will likely crash the application, denying service to legitimate users.

55. tcpdump Print-bgp.C Remote Integer Underflow Vulnerability
BugTraq ID: 24965
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24965
Summary:
The 'tcpdump' utility is prone to an integer-underflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary malicious code in the context of the user running the affected application. Failed exploit attempts will likely crash the affected application.

This issue affects tcpdump 3.9.6 and prior versions.

56. TCPDump IEEE802.11 printer Remote Buffer Overflow Vulnerability
BugTraq ID: 22772
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/22772
Summary:
The 'tcpdump' utility is prone to a heap-based buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.

57. OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
BugTraq ID: 20245
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/20245
Summary:
OpenSSH-Portable is prone to an information-disclosure weakness. The issue stems from a GSSAPI authentication abort.

Reportedly, attackers may leverage a GSSAPI authentication abort to determine the presence and validity of usernames on unspecified platforms.

This issue occurs when OpenSSH-Portable is configured to accept GSSAPI authentication.

OpenSSH-Portable 4.3p1 and prior versions exhibit this weakness.

58. OpenSSH LINUX_AUDIT_RECORD_EVENT Remote Log Injection Weakness
BugTraq ID: 26097
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26097
Summary:
OpenSSH is prone to a weakness that allows remote attackers to inject invalid data into log entries.

OpenSSH 4.3p2 is affected by this issue; other versions may also be affected.

59. Wireshark Multiple Protocol Denial of Service Vulnerabilities
BugTraq ID: 24662
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24662
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may permit attackers to cause crashes and deny service to legitimate users of the application.

Versions prior to Wireshark 0.99.6 are affected.

60. RETIRED: CandyPress Store Logon.ASP Cross-Site Scripting Vulnerability
BugTraq ID: 26153
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26153
Summary:
CandyPress Store is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects CandyPress Store 4.1; other versions may also be affected.

NOTE: This BID has been retired because the vendor states that this vulnerability does not exist.

61. emagiC CMS (ASP) EMC.ASP SQL Injection Vulnerability
BugTraq ID: 26229
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26229
Summary:
emagiC CMS (ASP) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

62. SiteBar Multiple Input Validation Vulnerabilities
BugTraq ID: 26126
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26126
Summary:
SiteBar is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.

These issues include:

- A local file-include vulnerability
- Multiple arbitrary-script-code-execution vulnerabilities
- Multiple cross-site scripting vulnerabilities
- A URI-redirection vulnerability.

Exploiting these issues can allow attackers to access potentially sensitive information, to execute arbitrary script code in the context of the webserver process, to steal cookie-based authentication credentials, and to redirect users to malicious webpages.

SiteBar 3.3.8 and prior versions are vulnerable.

63. JLMForo System Buscado.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 26331
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26331
Summary:
JLMForo System is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

64. JLMForo System ModificarPerfil.PHP HTML Injection Vulnerability
BugTraq ID: 26311
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26311
Summary:
JLMForo System is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

65. Link Grammar SEPARATE_WORD Function Remote Buffer Overflow Vulnerability
BugTraq ID: 26365
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26365
Summary:
Link Grammar is prone to a stack-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted document with overly long words.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.

This issue affects Link Grammar 4.1b and AbiWord Link Grammar 4.2.4.

Please note that other versions of Link Grammar and other application that use Link Grammar may also be vulnerable.

66. IBM Informix Dynamic Server Multiple Vulnerabilities
BugTraq ID: 26363
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26363
Summary:
IBM Informix Dynamic Server is prone to multiple vulnerabilities.

Attackers can exploit these issues to cause denial-of-service conditions or obtain information using directory-traversal attacks.

Very few details are available regarding these issues. We will update this BID as more information emerges.

67. Cisco Unified MeetingPlace Web Conference Login Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 26364
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26364
Summary:
Cisco Unified MeetingPlace Web Conference is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Exploiting these issues may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect Unified MeetingPlace 6.0, 5.4, 5.3, and prior versions.

68. PicoFlat CMS Multiple Remote Security Bypass Vulnerabilities
BugTraq ID: 26362
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26362
Summary:
PicoFlat CMS is prone to multiple security-bypass vulnerabilities because the application fails to properly validate user privileges.

An unprivileged attacker may exploit these issues to bypass certain security restrictions and gain access to perform certain actions.

These issues affect versions prior to PicoFlat CMS 0.4.18.

69. C++ Sockets Library HTTPSocket Class Remote Denial Of Service Vulnerability
BugTraq ID: 26361
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26361
Summary:
'HTTPSocket' class in C++ Sockets Library is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted HTML requests.

Remote attackers can exploit this issue to crash an application that uses the affected library, denying service to legitimate users.

This issue affects versions prior to C++ Sockets Library 2.2.5.

Note that all applications using the affected HTTPSocket class may be vulnerable.

70. JPortal Mailer.PHP SQL Injection Vulnerability
BugTraq ID: 26360
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26360
Summary:
JPortal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

JPortal 2 is vulnerable; other versions may also be affected.

71. Microsoft DebugView Kernel Module Dbgv.SYS Local Privilege Escalation Vulnerability
BugTraq ID: 26359
Remote: No
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26359
Summary:
Microsoft DebugView is prone to a local privilege-escalation vulnerability because it allows user-supplied data to be copied into memory addresses reserved for the kernel.

An attacker could exploit this issue to execute arbitrary machine code with SYSTEM-level privileges. A successful exploit could result in the complete compromise of the affected computer. Failed attempts could cause denial-of-service conditions.

Microsoft DebugView 4.64 is vulnerable; other versions may also be affected.

72. PCRE Regular Expression Library Multiple Security Vulnerabilities
BugTraq ID: 26346
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26346
Summary:
PCRE regular-expression library is prone to multiple security vulnerabilities.

Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or launch other attacks in the context of the application using the affected library.

73. Perl Archive::Tar Module Remote Directory Traversal Vulnerability
BugTraq ID: 26355
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26355
Summary:
Perl Archive::Tar module is prone to a directory-traversal vulnerability because it fails to validate user-supplied data.

A successful attack can allow the attacker to overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.

Note that all applications using Perl Archive::Tar module may be affected.

74. Plone Multiple Modules Script Execution Vulnerabilities
BugTraq ID: 26354
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26354
Summary:
Plone is affected by multiple script-execution vulnerabilities.

Exploiting these issues may allow remote attackers to execute arbitrary Python code in the context of the application. This may facilitate remote unauthorized access to an affected computer.

These versions are affected:

Plone 2.5.4 and prior versions of the 2.5 branch
Plone 3.0.2 and prior versions of the 3.0 branch

75. Viewpoint Media Player AxMetaStream.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26356
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26356
Summary:
Viewpoint Media Player is prone to multiple stack-based buffer-overflow vulnerabilities because the software fails to adequately check boundaries on data supplied to ActiveX control methods.

An attacker can exploit these issues to execute arbitrary code in the context of a user running the application. Failed attempts will likely result in denial-of-service conditions.

Viewpoint Media Player 3.2 is vulnerable; other versions may also be affected.

76. Micro CMS MicroCMS-include.PHP Remote File Include Vulnerability
BugTraq ID: 18537
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/18537
Summary:
Micro CMS is prone to a remote file-include vulnerability.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

Version 0.3.5 is reported vulnerable; other versions may also be affected.

77. Apple QuickTime Color Table Atom Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 26338
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26338
Summary:
Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file.

This issue affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OSX.

78. Apple QuickTime Panorama Sample Atoms Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 26342
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26342
Summary:
Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file.

This issue affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.

79. Apple QuickTime STSD Atom Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 26341
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26341
Summary:
Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary-checks on user-supplied data.

An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file.

This issue affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.

80. Apple QuickTime PICT Image Remote Multiple Heap Buffer Overflow Vulnerabilities
BugTraq ID: 26345
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26345
Summary:
Apple QuickTime is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit these issues by enticing an unsuspecting user to open a specially crafted PICT image file.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.

These issues affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.

81. Apple QuickTime for Java Multiple Unspecified Remote Privilege Escalation Vulnerabilities
BugTraq ID: 26339
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26339
Summary:
Apple QuickTime for Java is prone to multiple unspecified privilege-escalation vulnerabilities.

Successfully exploiting these issues allows remote attackers to access potentially sensitive information or to execute arbitrary code with elevated privileges. These issues facilitate the remote compromise of affected computers.

These issues affect QuickTime for Java for both Apple Mac OS X and Microsoft Windows platforms.

82. Apple QuickTime Image Description Atom Remote Memory Corruption Vulnerability
BugTraq ID: 26340
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26340
Summary:
Apple QuickTime is prone to a memory-corruption vulnerability.

An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file.

This issue affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.

83. Computer Associates Message Queuing Buffer Overflow Vulnerability
BugTraq ID: 14622
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/14622
Summary:
Computer Associates Message Queuing (CAM) is prone to a buffer-overflow vulnerability because the application fails to perform proper bounds checking on user-supplied data.

A successful attack can cause the process's execution stack to overflow and may ultimately allow arbitrary code to run in the context of the affected application. This may allow an attacker to escalate their privileges to SYSTEM level.

84. Apple QuickTime PICT Image Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 26344
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26344
Summary:
Apple QuickTime is prone to a stack-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted image file.

This issue affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.

85. Computer Associates BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability
BugTraq ID: 14453
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/14453
Summary:
Computer Associates BrightStor ARCserve Backup and BrightStor Enterprise Backup Agents for Windows are affected by a remote stack-based buffer-overflow vulnerability because the application fails to perform proper bounds checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. A denial-of-service condition may arise as well.

86. Weblord.it MS-TopSites Unauthorized Access Vulnerability and HTML Injection Vulnerability
BugTraq ID: 26358
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26358
Summary:
MS-TopSites is prone to an unauthorized-access vulnerability and an HTML-injection vulnerability because the application fails to sufficiently sanitize user-supplied data.

An attacker can exploit these issues to gain elevated privileges on the affected application, execute arbitrary code within the context of the webserver, and steal cookie-based authentication credentials.

87. awrate.com message board 404.PHP and TopBar.PHP Multiple Remote File Include Vulnerabilities
BugTraq ID: 26336
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26336
Summary:
'awrate.com' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

A successful exploit of these issues allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

'awrate.com' 1.0 is vulnerable; other versions may also be affected.

88. Gnome Evolution Data Server Array Index Memory Access Vulnerability
BugTraq ID: 24567
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24567
Summary:
Evolution is prone to an input-validation error that attackers may exploit to execute arbitrary code. The vulnerability stems from an input-validation error for a critical array index value.

Versions prior to Evolution Data Server 1.11.4 are vulnerable.

89. Avaya Messaging Storage Server and Avaya Message Networking Input Validation Vulnerability
BugTraq ID: 26295
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/26295
Summary:
Avaya Messaging Storage Server and Avaya Message Networking are prone to an input-validation vulnerability.

An attacker could exploit this issue to cause the affected software to stop responding, denying service to legitimate users.

90. Sun Java Runtime Environment WebStart JNLP File Stack Buffer Overflw Vulnerability
BugTraq ID: 24832
Remote: Yes
Last Updated: 2007-11-07
Relevant URL: http://www.securityfocus.com/bid/24832
Summary:
Sun Java Runtime Environment is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects these versions:

Java Runtime Environment 6 update 1
Java Runtime Environment 5 update 11

Prior versions are also affected.

91. Microsoft Exchange Server Calendar Remote Code Execution Vulnerability
BugTraq ID: 17908
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/17908
Summary:
Microsoft Exchange Server is prone to a vulnerability that may let attackers execute code remotely. This issue is exposed when the server handles emails that contain malicious calendar data that is included in meeting requests.

If the issue is successfully exploited, this could completely compromise the computer hosting the mail server.

92. Macrovision SafeDisc SecDRV.SYS Method_Neither Local Privilege Escalation Vulnerability
BugTraq ID: 26121
Remote: No
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26121
Summary:
Macrovision SafeDisc is prone to a local privilege-escalation vulnerability because it fails to adequately sanitize user-supplied input.

Exploiting this vulnerability allows local attackers to execute arbitrary malicious code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.

Update: This issue only affects Microsoft Windows XP and 2003 platforms. Microsoft Vista is not affected.

93. RGameScript Pro Page.PHP Remote File Include Vulnerability
BugTraq ID: 24995
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24995
Summary:
RGameScript Pro is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

94. GNU GV Stack Buffer Overflow Vulnerability
BugTraq ID: 20978
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/20978
Summary:
GNU gv is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected application. Failed attempts will likely crash the application, resulting in denial-of-service conditions.

Version 3.6.2 is reported vulnerable; other versions may also be affected.

NOTE: Various other applications may employ embedded GNU gv code and could also be vulnerable as a result.

95. Sun Java Web Proxy Server Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 24165
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24165
Summary:
Sun Java System Web Proxy Server is prone to multiple buffer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit these issues to execute arbitrary code with superuser privileges, leading to the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.

These issues affect Web Proxy Server 4.0.3; prior versions may also be affected.

96. Sun Java Web Console LibWebconsole_Services.SO Format String Vulnerability
BugTraq ID: 23539
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/23539
Summary:
Sun Java Web Console is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

A successful attack may crash the application or possibly lead to arbitrary code execution, which may help the attacker gain unauthorized access to privileged data or escalate their privileges in the context of the user running the application.

97. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24197
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24197
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

98. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24198
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24198
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

99. Synergiser Index.PHP Local File Include Vulnerability
BugTraq ID: 26289
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/26289
Summary:
Synergiser is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

Synergiser 1.2 RC1 is vulnerable to this issue; other versions may also be affected.

100. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24195
Remote: Yes
Last Updated: 2007-11-06
Relevant URL: http://www.securityfocus.com/bid/24195
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This issue affects Samba 3.0.25rc3 and prior versions.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Task force aims to improve U.S. cybersecurity
By: Robert Lemos
A blue-ribbon panel of three dozen security experts hopes to craft a strategy to improve cybersecurity by the time the next president takes office.
http://www.securityfocus.com/news/11494

2. Court filings double estimate of TJX breach
By: Robert Lemos
Online attackers stole information on more than 94 million credit- and debit-card accounts, more than double the original estimates, according to court documents.
http://www.securityfocus.com/news/11493

3. Identity thieves likely to be first-timers, strangers
By: Robert Lemos
Six years of U.S. Secret Service cases reveal that the majority of identity thieves do not know their victims and do not have a prior criminal record.
http://www.securityfocus.com/news/11492

4. Retailers look to exorcise credit-card data
By: Robert Lemos
The National Retail Federation sends a letter asking that its members be allowed to decide what credit-card data to keep.
http://www.securityfocus.com/news/11491

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Security Engineer, Alpharetta
http://www.securityfocus.com/archive/77/483239

2. [SJ-JOB] Security Engineer, Napa
http://www.securityfocus.com/archive/77/483240

3. [SJ-JOB] Sr. Security Engineer, Washington
http://www.securityfocus.com/archive/77/483241

4. [SJ-JOB] Security Engineer, Norfolk
http://www.securityfocus.com/archive/77/483243

5. [SJ-JOB] Security Consultant, Manama
http://www.securityfocus.com/archive/77/483232

6. [SJ-JOB] Application Security Engineer, Bloomington
http://www.securityfocus.com/archive/77/483233

7. [SJ-JOB] Security Architect, Brussels
http://www.securityfocus.com/archive/77/483235

8. [SJ-JOB] Sales Engineer, Any US Location
http://www.securityfocus.com/archive/77/483236

9. [SJ-JOB] Security Engineer, Reston
http://www.securityfocus.com/archive/77/483244

10. [SJ-JOB] Security Architect, Brussels
http://www.securityfocus.com/archive/77/483237

11. [SJ-JOB] Security Engineer, New York
http://www.securityfocus.com/archive/77/483238

12. [SJ-JOB] Security Engineer, Hunt Valley
http://www.securityfocus.com/archive/77/483226

13. [SJ-JOB] Forensics Engineer, Durham
http://www.securityfocus.com/archive/77/483227

14. [SJ-JOB] Technical Support Engineer, Dallas
http://www.securityfocus.com/archive/77/483228

15. [SJ-JOB] Jr. Security Analyst, Sydney
http://www.securityfocus.com/archive/77/483234

16. [SJ-JOB] Security Engineer, Alpharetta
http://www.securityfocus.com/archive/77/483224

17. [SJ-JOB] Security Engineer, New York
http://www.securityfocus.com/archive/77/483225

V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Browser Heaps
http://www.securityfocus.com/archive/82/483277

2. understanding buffer overflows
http://www.securityfocus.com/archive/82/483083

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
1. How secure is the openSUSE Build Service?
http://www.securityfocus.com/archive/91/483116

X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is Sponsored by: Watchfire

https://www.watchfire.com/securearea/whitepapers.aspx?id=7017000000093zv

News

Wednesday, November 07, 2007

SecurityFocus Newsletter #426

No comments:

WINDOWS CENTER

Blog Archive