Tuesday, December 11, 2007

SecurityFocus Newsletter #431
----------------------------------------

This issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" - White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise confidential information, steal cookies and create requests that can be mistaken for those of a valid user!! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/xss.asp?Campaign_ID=70160000000D8v9


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Copyrights and Wrongs
2. The Man in the Machine
II. BUGTRAQ SUMMARY
1. Valve Software Half-Life CSTRIKE Server Remote Denial of Service Vulnerability
2. Mozilla Firefox Multiple Remote Unspecified Memory Corruption Vulnerabilities
3. DOSBox Unauthorized File System Access Vulnerability
4. Bitweaver 2.0.0 and Prior Multiple Input Validation Vulnerabilities
5. RoundCube Webmail CSS Expression Input Validation Vulnerability
6. GESTDOWN Multiple SQL Injection Vulnerabilities
7. Falcon Series One Multiple Input Validation Vulnerabilities
8. E-Xoops Multiple SQL Injection Vulnerabilities
9. WordPress wp-db.php Character Set SQL Injection Vulnerability
10. bttlxe Forum Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
11. SquirrelMail G/PGP Encryption Plugin Access Validation And Input Validation Vulnerabilities
12. webSPELL Usergallery.PHP and Calendar.PHP Multiple Cross-Site Scripting Vulnerabilities
13. HFS HTTP File Server Arbitrary File Upload Vulnerability
14. Autonomy KeyView Lotus 1-2-3 File Multiple Buffer Overflow Vulnerabilities
15. SiteBar Multiple Input Validation Vulnerabilities
16. S9Y Serendipity Remote RSS sidebar Plugin Cross Site Scripting Vulnerability
17. Heimdal FTPD gss_userok() Free Uninitialized Pointer Memory Corruption Vulnerability
18. wwwstats Clickstats.PHP Multiple HTML Injection Vulnerabilities
19. Computer Associates BrightStor ARCserve Backup mediasvr caloggerd Denial Of Service Vulnerabilities
20. XIGLA SOFTWARE Absolute Banner Manager .NET SQL Injection Vulnerability
21. PenPal Multiple SQL Injection Vulnerabilities
22. Computer Associates BrightStor ARCserve Backup Multiple Remote Vulnerabilities
23. SING Log Option Local Privilege Escalation Vulnerability
24. Lxlabs HyperVM Cross-Site Scripting Vulnerability
25. CA BrightStor ARCserve Backup Memory Corruption Remote Code Execution Vulnerabilities
26. phpBB .PNG and .RAR Multiple Arbitrary File Upload Vulnerabilities
27. ZABBIX daemon_start Local Privilege Escalation Vulnerability
28. GNU Emacs Local Variable Handling Code Execution Vulnerability
29. Dominion Web DWdirectory Search Parameter SQL Injection Vulnerability
30. Trolltech Qt QTextEdit Multiple Format String Vulnerabilities
31. Falt4 CMS Multiple Input Validation Vulnerabilities
32. Flat PHP Board Multiple Remote Vulnerabilities
33. SquirrelMail G/PGP Encryption Plug-in Multiple Remote Command Execution Vulnerabilities
34. ActiveKB Index.PHP SQL Injection Vulnerability
35. ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability
36. Samba Send_MailSlot Stack-Based Buffer Overflow Vulnerability
37. Linux Kernel IEEE80211 HDRLen Remote Denial Of Service Vulnerability
38. Drupal TAXONOMY_SELECT_NODES() SQL Injection Vulnerability
39. Linux Kernel SysFS_ReadDir NULL Pointer Dereference Vulnerability
40. Linux Kernel wait_task_stopped Local Denial of Service Vulnerability
41. Mozilla Firefox and SeaMonkey Windows.Location Property HTTP Referer Header Spoofing Weakness
42. Trolltech Qt ToUnicode Function Off By One Buffer Overflow Vulnerability
43. Nagios Unspecified Cross-Site Scripting Vulnerability
44. p3mbo Content Injector Index.PHP Id Parameter SQL Injection Vulnerability
45. Firebird Process_Packet Remote Buffer Overflow Vulnerability
46. SH-News Comments.PHP SQL Injection Vulnerability
47. Mozilla Firefox Jar URI Cross-Site Scripting Vulnerability
48. OpenOffice HSQLDB Database Engine Unspecified Java Code Execution Vulnerability
49. Linux Kernel TCP_Input.C Remote Denial of Service Vulnerability
50. Ruby-GNOME2 Gtk::MessageDialog.new Function Format String Vulnerability
51. Lookup Insecure Temporary File Creation Vulnerability
52. Novell NetMail and M+NetMail Antivirus Agent Multiple Heap Buffer Overflow Vulnerabilities
53. Mozilla Products Multiple Remote Vulnerabilities
54. Xpdf Multiple Remote Stream.CC Vulnerabilities
55. X.Org X Font Server Multiple Memory Corruption Vulnerabilities
56. Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
57. Borland InterBase Multiple Remote Buffer Overflow Vulnerabilities
58. ACE Image Hosting Script Albums.PHP SQL Injection Vulnerability
59. PEAR::MDB2 BLOB Field Information Disclosure Vulnerability
60. Cisco 7940 SIP Phone INVITE Message Remote Denial of Service Vulnerability
61. PolDoc Document Management System Download_File.PHP Directory Traversal Vulnerability
62. MySQL Access Validation and Denial of Service Vulnerabilities
63. MySQL Server RENAME TABLE System Table Overwrite Vulnerability
64. MySQL Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability
65. Winamp MP4 File Parsing Buffer Overflow Vulnerability
66. Ext2 Filesystem Utilities e2fsprogs libext2fs Multiple Unspecified Integer Overflow Vulnerabilities
67. Simple HTTPD Aux Remote Denial of Service Vulnerability
68. Microsoft Internet Explorer DHTML Object Memory Corruption Vulnerability
69. Easy File Sharing Web Server Directory Traversal and Multiple Information Disclosure Vulnerabilities
70. Apache Tomcat JSP Example Web Applications Cross Site Scripting Vulnerability
71. Apache Tomcat Host Manager Servlet Cross Site Scripting Vulnerability
72. Apache Tomcat Multiple Remote Information Disclosure Vulnerabilities
73. Apache Tomcat Manager and Host Manager Upload Script Cross-Site Scripting Vulnerability
74. Apache HTTP Server Tomcat Directory Traversal Vulnerability
75. Apache Tomcat WebDav Remote Information Disclosure Vulnerability
76. netkit-ftp getreply() Uninitialized Output Stream Memory Corruption Vulnerability
77. IBM Hardware Management Console Unspecified Privilege Escalation Vulnerability
78. netkit-ftpd dataconn() Uninitialized File Stream Memory Corruption Vulnerability
79. Cairo PNG Image Processing Remote Integer Overflow Vulnerability
80. TCExam Multiple Unspecified SQL Injection Vulnerabilities
81. WordPress Edit-Post-Rows.PHP Cross-Site Scripting Vulnerability
82. Websense Reporting Tools Login Page Cross-Site Scripting Vulnerability
83. Squid Proxy Cache Update Reply Processing Remote Denial of Service Vulnerability
84. 3ivx MPEG-4 Multiple Remote Stack Based Buffer Overflow Vulnerabilities
85. PCRE Regular Expression Library Multiple Integer and Buffer Overflow Vulnerabilities
86. Python ImageOP Module Multiple Integer Overflow Vulnerabilities
87. Python PyLocale_strxfrm Function Remote Information Leak Vulnerability
88. RETIRED: Media Player Classic Unspecified Remote Stack Buffer Overflow Vulnerability
89. SyndeoCMS MAIN.INC.PHP Remote File Include Vulnerability
90. Joomla! Index.PHP Multiple SQL Injection Vulnerabilities
91. Apache::AuthCAS Cookie SQL Injection Vulnerability
92. WebDoc Multiple SQL Injection Vulnerabilities
93. Firefly Media Server Multiple Information Disclosure and Denial of Service Vulnerabilities
94. SHTTPD Multiple File Access And Directory Traversal Vulnerabilities
95. NFSv4 ID Mapper nfsidmap Username Lookup Local Privilege Escalation Vulnerability
96. Monalbum Multiple Remote Vulnerabilities
97. Thomson Speedtouch 716 URL Parameter Cross-Site Scripting Vulnerability
98. PHP-Nuke autohtml.php Local File Include Vulnerability
99. BarracudaDrive Web Server Denial of Service and Multiple Input Validation Vulnerabilities
100. BadBlue Directory Traversal and Buffer Overflow Vulnerability
III. SECURITYFOCUS NEWS
1. Researchers reverse Netflix anonymization
2. Group drafts rules to nix credit-card storage
3. Task force aims to improve U.S. cybersecurity
4. Court filings double estimate of TJX breach
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
1. FW: Anyone have a reason for 2x the email flow today?
2. HITBSecConf2007 Malaysia Videos Now Available
3. Anyone have a reason for 2x the email flow today?
VI. VULN-DEV RESEARCH LIST SUMMARY
1. HITBSecConf2007 Malaysia Videos Now Available
2. SEH and overwrite EIP
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #371
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Copyrights and Wrongs
By Mark Rasch
On October 1, 2007, Jammie Thomas -- a single mother living in Brainerd, Minnesota -- was sued in civil court for copyright infringement by the Recording Industry Association of America. Three days later, the jury returned the verdict; Ms. Thomas was liable for willfully infringing the copyrights on 24 songs. The fine: $222,000.

http://www.securityfocus.com/columnists/460

2. The Man in the Machine
By Federico Biancuzzi
In April 2007, when two security researchers demonstrated a flaw in the next-generation IPv6 routing scheme that would allow attackers to significantly amplify any denial-of-service attack by a factor of at least 80, networking expert Jun-ichiro "Itojun" Hagino worked to get Internet engineers to take the threat seriously.

http://www.securityfocus.com/columnists/459


II. BUGTRAQ SUMMARY
--------------------
1. Valve Software Half-Life CSTRIKE Server Remote Denial of Service Vulnerability
BugTraq ID: 16619
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/16619
Summary:
Valve Software Half-Life CSTRIKE Dedicated Server is reportedly prone to a remote denial-of-service vulnerability.

Half-Life CSTRIKE 1.6 Dedicated Server for Windows and Linux is prone to this vulnerability. Earlier versions may also be affected.

2. Mozilla Firefox Multiple Remote Unspecified Memory Corruption Vulnerabilities
BugTraq ID: 26593
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26593
Summary:
The Mozilla Foundation has released a security advisory disclosing three unspecified memory-corruption vulnerabilities.

Successfully exploiting these issues may allow attackers to execute code, facilitating the compromise of affected computers. Failed exploit attempts will likely crash the application.

Versions prior to Mozilla Firefox 2.0.0.10 and Mozilla SeaMonkey 1.1.7 are vulnerable to these issues.

3. DOSBox Unauthorized File System Access Vulnerability
BugTraq ID: 26802
Remote: No
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26802
Summary:
DOSBox is prone to a vulnerability that may allow a client application to access files on the host operating system.

The application does not properly restrict access to specific commands that may allow a client application to access arbitrary files on the host computer.

This issue affects DOSBox 0.72 and earlier. The CVS repository, at the time of this writing, is also reported vulnerable.

4. Bitweaver 2.0.0 and Prior Multiple Input Validation Vulnerabilities
BugTraq ID: 26801
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26801
Summary:
Bitweaver is prone to multiple input-validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These include multiple cross-site scripting vulnerabilities, multiple HTML-injection vulnerabilities, and an SQL-injection vulnerability.

A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.

Bitweaver 2.0.0 and prior are vulnerable to these issues.

5. RoundCube Webmail CSS Expression Input Validation Vulnerability
BugTraq ID: 26800
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26800
Summary:
RoundCube Webmail is prone to an input-validation vulnerability because it fails to sanitize HTML email messages.

Attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user. Successful attacks can allow attackers to steal cookie-based authentication credentials from legitimate users of the site; other attacks are also possible.

RoundCube Webmail 0.1rc2 is vulnerable; other versions may also be affected.

6. GESTDOWN Multiple SQL Injection Vulnerabilities
BugTraq ID: 26799
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26799
Summary:
GESTDOWN is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

GESTDOWN 1.00 Beta is vulnerable; other versions may also be affected.

7. Falcon Series One Multiple Input Validation Vulnerabilities
BugTraq ID: 26798
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26798
Summary:
Falcon Series One is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.

These issues include a remote file-include vulnerability and multiple HTML-injection vulnerabilities.

Exploiting these issues can allow attacker-supplied HTML or script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

Falcon Series One 1.4.3 stable is vulnerable; other versions may also be affected.

8. E-Xoops Multiple SQL Injection Vulnerabilities
BugTraq ID: 26796
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26796
Summary:
E-Xoops is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

9. WordPress wp-db.php Character Set SQL Injection Vulnerability
BugTraq ID: 26795
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26795
Summary:
WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

10. bttlxe Forum Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
BugTraq ID: 26790
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26790
Summary:
bttlxe Forum is prone to multiple input-validation vulnerabilities, including SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect bttlxe Forum 2.0; other versions may also be affected.

11. SquirrelMail G/PGP Encryption Plugin Access Validation And Input Validation Vulnerabilities
BugTraq ID: 26788
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26788
Summary:
The G/PGP encryption plugin for SquirrelMail is prone to an input-validation vulnerability and an access-validation vulnerability.

Attackers can exploit these issues to inject arbitrary script code into public key data or to delete and overwrite arbitrary files with the privileges of the application.

SquirrelMail G/PGP Encryption Plugin versions 2.0, 2.0.1, and 2.1 are vulnerable; other versions may also be affected.

NOTE: One or more of these issues may already have been documented in the following BIDs, but sufficient information is not currently available to distinguish between them:

- 24782, SquirrelMail G/PGP Encryption Plug-in Unspecified Remote Command Execution Vulnerability
- 24828, SquirrelMail G/PGP Encryption Plug-in Multiple Unspecified Remote Command Execution Vulnerabilities
- 24874, SquirrelMail G/PGP Encryption Plug-in Multiple Remote Command Execution Vulnerabilities

12. webSPELL Usergallery.PHP and Calendar.PHP Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 26787
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26787
Summary:
webSPELL is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

webSPELL 4.01.02 is affected; other versions may also be vulnerable.

13. HFS HTTP File Server Arbitrary File Upload Vulnerability
BugTraq ID: 26732
Remote: Yes
Last Updated: 2007-12-08
Relevant URL: http://www.securityfocus.com/bid/26732
Summary:
HFS HTTP File Server is prone to a vulnerability that lets attackers upload files and place them in arbitrary locations on the server. The issue occurs because the software fails to adequately sanitize user-supplied input.

A successful exploit may allow the attacker to upload malicious files and potentially execute them; this may lead to various attacks.

This issue affects versions prior to HTTP File Server 2.2b.

14. Autonomy KeyView Lotus 1-2-3 File Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26604
Remote: Yes
Last Updated: 2007-12-08
Relevant URL: http://www.securityfocus.com/bid/26604
Summary:
Autonomy KeyView is prone to multiple buffer-overflow vulnerabilities.

Successfully exploiting these issues could allow an attacker to execute arbitrary code in the context of the user running the application.

Multiple applications incorporate the vulnerable KeyView component, so they are also considered vulnerable to these issues.

NOTE: These issues are similar to those described in BID 26175 (Autonomy KeyView Multiple Buffer Overflow Vulnerabilities) but affect a different component.

15. SiteBar Multiple Input Validation Vulnerabilities
BugTraq ID: 26126
Remote: Yes
Last Updated: 2007-12-08
Relevant URL: http://www.securityfocus.com/bid/26126
Summary:
SiteBar is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.

These issues include:

- A local file-include vulnerability
- Multiple arbitrary-script-code-execution vulnerabilities
- Multiple cross-site scripting vulnerabilities
- A URI-redirection vulnerability.

Exploiting these issues can allow attackers to access potentially sensitive information, to execute arbitrary script code in the context of the webserver process, to steal cookie-based authentication credentials, and to redirect users to malicious webpages.

SiteBar 3.3.8 and prior versions are vulnerable.

16. S9Y Serendipity Remote RSS sidebar Plugin Cross Site Scripting Vulnerability
BugTraq ID: 26783
Remote: Yes
Last Updated: 2007-12-08
Relevant URL: http://www.securityfocus.com/bid/26783
Summary:
S9Y Serendipity Remote RSS sidebar plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue allows an attacker to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

This issue affects S9Y Serendipity versions prior to 1.2.1.

17. Heimdal FTPD gss_userok() Free Uninitialized Pointer Memory Corruption Vulnerability
BugTraq ID: 26758
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26758
Summary:
Heimdal is prone to a memory-corruption vulnerability because it performs a 'free()' call on an uninitialized pointer.

This issue affects the application's FTP daemon.

The implications of this issue are currently unknown. Arbitrary code execution or denial-of-service attacks may be possible. We will update this BID as more information emerges.

Heimdal 0.7.2 and prior versions are vulnerable.

18. wwwstats Clickstats.PHP Multiple HTML Injection Vulnerabilities
BugTraq ID: 26759
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26759
Summary:
The 'wwwstats' program is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to wwwstats 3.22 are vulnerable.

19. Computer Associates BrightStor ARCserve Backup mediasvr caloggerd Denial Of Service Vulnerabilities
BugTraq ID: 24017
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/24017
Summary:
Computer Associates BrightStor ARCserve Backup is prone to multiple denial-of-service vulnerabilities due to memory-corruption issues caused by errors in processing arguments passed to RPC procedures.

A remote attacker may exploit these issues to crash the affected services, resulting in denial-of-service conditions.

The following applications are affected:

BrightStor ARCserve Backup v9.01, r11.1, r11.5, r11 for Windows
BrightStor Enterprise Backup r10.5
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

20. XIGLA SOFTWARE Absolute Banner Manager .NET SQL Injection Vulnerability
BugTraq ID: 26754
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26754
Summary:
Absolute Banner Manager .NET is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Absolute Banner Manager .NET 4.0 is reported vulnerable; other versions may be affected as well.

21. PenPal Multiple SQL Injection Vulnerabilities
BugTraq ID: 26755
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26755
Summary:
PenPal is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect PenPal 2.0; other versions may also be vulnerable.

22. Computer Associates BrightStor ARCserve Backup Multiple Remote Vulnerabilities
BugTraq ID: 26015
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26015
Summary:
Computer Associates BrightStor ARCserve is prone to multiple remote vulnerabilities, including buffer-overflow issues, memory-corruption issues, and privilege-escalation issues.

Successful exploits allow remote attackers to cause denial-of-service conditions, execute arbitrary machine code in the context of the affected application, or perform actions with elevated privileges. This may result in a complete compromise of affected computers.

The following applications are affected:

BrightStor ARCserve Backup v9.01, r11.1, r11.5, r11 for Windows
BrightStor Enterprise Backup r10.5
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

23. SING Log Option Local Privilege Escalation Vulnerability
BugTraq ID: 26679
Remote: No
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26679
Summary:
SING is prone to a local privilege-escalation vulnerability.

Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.

SING 1.1 is vulnerable to this issue; other versions may also be affected.

24. Lxlabs HyperVM Cross-Site Scripting Vulnerability
BugTraq ID: 26751
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26751
Summary:
HyperVM is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects HyperVM 2.0.

25. CA BrightStor ARCserve Backup Memory Corruption Remote Code Execution Vulnerabilities
BugTraq ID: 24680
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/24680
Summary:
Computer Associates BrightStor ARCserve Backup is prone to remote code-execution vulnerabilities due to memory-corruption issues.

Successfully exploiting these issues would allow an attacker to corrupt memory and execute arbitrary code in the context of the affected application. This in turn may result in a complete compromise of affected computers.

The following applications are affected:

BrightStor ARCserve Backup v9.01, r11.1, r11.5, r11 for Windows
BrightStor Enterprise Backup r10.5
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

26. phpBB .PNG and .RAR Multiple Arbitrary File Upload Vulnerabilities
BugTraq ID: 26740
Remote: Yes
Last Updated: 2007-12-07
Relevant URL: http://www.securityfocus.com/bid/26740
Summary:
phpBB is prone to multiple vulnerabilities that allow attackers to upload arbitrary files because it fails to properly verify the content of attachments posted to web-log entries.

Exploiting these issues may allow an attacker to upload arbitrary code and execute it in the context of the webserver process.

phpBB 2.0.22 is vulnerable; other versions may also be affected.

UPDATE (December 7, 2007): The vendor refutes these issues, indicating that files cannot be uploaded to posts.

27. ZABBIX daemon_start Local Privilege Escalation Vulnerability
BugTraq ID: 26680
Remote: No
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26680
Summary:
ZABBIX is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to execute commands with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.

This issue affects ZABBIX 1.4.2; prior versions may also be affected.

28. GNU Emacs Local Variable Handling Code Execution Vulnerability
BugTraq ID: 26327
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26327
Summary:
Emacs is prone to a vulnerability that lets attackers execute arbitrary code.

Due to a design error, the application ignores certain security settings and modifies local variables.

By supplying a malicious file, an attacker can exploit this issue to carry out various attacks, including executing arbitrary code in the context of the application. This may facilitate remote unauthorized access.

This issue affects Emacs 22.1; other versions may be vulnerable as well.

29. Dominion Web DWdirectory Search Parameter SQL Injection Vulnerability
BugTraq ID: 26779
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26779
Summary:
Dominion Web DWdirectory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects DWdirectory 2.1 and prior versions.

30. Trolltech Qt QTextEdit Multiple Format String Vulnerabilities
BugTraq ID: 25154
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/25154
Summary:
Trolltech Qt is prone to multiple format-string vulnerabilities because it fails to securely display error messages.

Exploiting these issues can allow remote attackers to execute arbitrary code in the context of the application using the framework or to cause denial-of-service conditions.

These issues affect only Qt 3; other versions of Qt are not affected. Note that KDE and other applications that use the affected framework are inherently affected.

31. Falt4 CMS Multiple Input Validation Vulnerabilities
BugTraq ID: 26786
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26786
Summary:
Falt4 Extreme CMS is prone to three input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, that occur because the application fails to adequately sanitize user-supplied input.

A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues were reported to affect Falt4 Extreme (RC4). Other versions may also be affected.

32. Flat PHP Board Multiple Remote Vulnerabilities
BugTraq ID: 26782
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26782
Summary:
Flat PHP Board is prone to multiple remote vulnerabilities, including remote arbitrary-code-execution, file-include, security-bypass, and information-disclosure issues.

Exploiting these issues may allow an attacker to compromise the application and a webserver hosting the vulnerable software; other attacks are also possible.

These issues affect Flat PHP Board 1.2 and prior versions.

33. SquirrelMail G/PGP Encryption Plug-in Multiple Remote Command Execution Vulnerabilities
BugTraq ID: 24874
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/24874
Summary:
Vulnerabilities in the SquirrelMail G/PGP encryption plugin may allow attackers to execute shell commands and PHP script code. These issues occur because the application fails to sufficiently sanitize user-supplied data.

Commands and scripts would run in the context of the webserver hosting the vulnerable software.

Three separate shell command-injection vulnerabilities and one local file-include vulnerability are present in various versions of the affected plugin. One of these issues has been addressed in G/PGP Encryption 2.1, but the others are still unfixed.

One or more of these issues may already have been documented in the following BIDs, but sufficient information is not currently available to distinguish between them:

- 24782, SquirrelMail G/PGP Encryption Plug-in Unspecified Remote Command Execution Vulnerability
- 24828, SquirrelMail G/PGP Encryption Plug-in Multiple Unspecified Remote Command Execution Vulnerabilities

All affected BIDs will be updated when more information is released.

34. ActiveKB Index.PHP SQL Injection Vulnerability
BugTraq ID: 25820
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/25820
Summary:
ActiveKB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

UPDATE December 11, 2007: The vendor disputes this issue, stating that they are unable to reproduce the vulnerability.

35. ActiveKB NX Index.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 26027
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26027
Summary:
ActiveKB NX is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.

This issue affects ActiveKB NX 2.6; other versions may also be vulnerable.

36. Samba Send_MailSlot Stack-Based Buffer Overflow Vulnerability
BugTraq ID: 26791
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26791
Summary:
Samba is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

NOTE: This issue occurs only when the 'domain logons' option is enabled.

An attacker can exploit this issue to execute arbitrary code with superuser privileges. Successful attacks will completely compromise affected computers. Failed exploit attempts will result in a denial of service.

37. Linux Kernel IEEE80211 HDRLen Remote Denial Of Service Vulnerability
BugTraq ID: 26337
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26337
Summary:
The Linux kernel ieee80211 driver is prone to a remote denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to crash a victim computer, effectively denying service.

Versions prior to Linux kernel 2.6.22.11 are vulnerable.

38. Drupal TAXONOMY_SELECT_NODES() SQL Injection Vulnerability
BugTraq ID: 26735
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26735
Summary:
Drupal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Drupal 4.7.9 and 5.4 are vulnerable.

39. Linux Kernel SysFS_ReadDir NULL Pointer Dereference Vulnerability
BugTraq ID: 24631
Remote: No
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/24631
Summary:
The Linux kernel is prone to a NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

UPDATE (June 26, 2007): Given the nature of this issue, remote code execution may also be possible but has not been confirmed.

40. Linux Kernel wait_task_stopped Local Denial of Service Vulnerability
BugTraq ID: 26477
Remote: No
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26477
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly handle certain process-exit conditions.

Attackers can exploit this issue to trigger kernel crashes, denying service to legitimate users.

Linux kernel versions prior to 2.6.23.8, as well as 2.6.24-rc1, are vulnerable.

41. Mozilla Firefox and SeaMonkey Windows.Location Property HTTP Referer Header Spoofing Weakness
BugTraq ID: 26589
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26589
Summary:
Mozilla Firefox and SeaMonkey are prone to a weakness that allows an attacker to spoof HTTP Referer headers. The issue stems from a race condition in the affected applications: a small timing difference while a modal 'alert()' dialog is open lets a malicious page generate requests that carry a forged HTTP Referer header.

An attacker can exploit this issue to spoof HTTP referer headers. This may cause other security mechanisms that rely on this data to fail or to return misleading information.

This issue affects versions prior to Mozilla Firefox 2.0.0.10 and Mozilla SeaMonkey 1.1.7.

42. Trolltech Qt ToUnicode Function Off By One Buffer Overflow Vulnerability
BugTraq ID: 25657
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/25657
Summary:
Qt is prone to a buffer-overflow vulnerability because the framework fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code within the context of applications that use the affected framework. Failed exploit attempts will result in a denial-of-service condition.

43. Nagios Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 26152
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26152
Summary:
Nagios is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to Nagios 2.10 are vulnerable.

44. p3mbo Content Injector Index.PHP Id Parameter SQL Injection Vulnerability
BugTraq ID: 26781
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26781
Summary:
p3mbo Content Injector is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Content Injector 1.53; other versions may also be vulnerable.

45. Firebird Process_Packet Remote Buffer Overflow Vulnerability
BugTraq ID: 26011
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26011
Summary:
Firebird is prone to a remote stack-based buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary machine code in the context of the affected database server. Failed exploit attempts will likely crash the server, denying service to legitimate users.

Firebird 2.0.2 is vulnerable; previous versions may also be affected.

46. SH-News Comments.PHP SQL Injection Vulnerability
BugTraq ID: 26778
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26778
Summary:
SH-News is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects SH-News 3.0; other versions may also be vulnerable.

47. Mozilla Firefox Jar URI Cross-Site Scripting Vulnerability
BugTraq ID: 26385
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26385
Summary:
Mozilla Firefox is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.

48. OpenOffice HSQLDB Database Engine Unspecified Java Code Execution Vulnerability
BugTraq ID: 26703
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26703
Summary:
OpenOffice is prone to a code-execution vulnerability.

Successful exploits allow remote attackers to execute arbitrary Java code in the context of the vulnerable application.

Versions prior to OpenOffice 2.3.1 are vulnerable.

49. Linux Kernel TCP_Input.C Remote Denial of Service Vulnerability
BugTraq ID: 26474
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26474
Summary:
The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to adequately sanitize specially crafted ACK responses.

Attackers can exploit this issue to cause a NULL-pointer dereference and crash the kernel.

Linux kernel versions prior to 2.6.23.8, as well as 2.6.24-rc1, are vulnerable.

50. Ruby-GNOME2 Gtk::MessageDialog.new Function Format String Vulnerability
BugTraq ID: 26616
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26616
Summary:
The Ruby-GNOME2 library is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

An attacker can exploit this issue to execute arbitrary machine code in the context of an application using the affected library. A successful attack will compromise the application. Failed attempts may cause denial-of-service conditions.

This issue affects Ruby-GNOME2 0.16.0; other versions may also be vulnerable.

51. Lookup Insecure Temporary File Creation Vulnerability
BugTraq ID: 23026
Remote: No
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/23026
Summary:
Lookup creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.

Successfully exploiting a symlink attack may allow the attacker to overwrite or corrupt sensitive files. This may result in a denial of service; other attacks may also be possible.

Lookup version 1.4 is vulnerable to this issue; other versions may also be affected.
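
The symlink attack described above, shown as an added example (editor's code, not Lookup's): a program that writes to a predictable name in a shared directory can be redirected onto any file its user may write, because open() follows a link the attacker planted there first. The fixed name 'lookup-cache.tmp', the victim file and the temporary directory standing in for /tmp are all constructed for the demo; the hardened forms use mkstemp() and an O_CREAT|O_EXCL open, which refuse to reuse whatever already sits at the name.

```python
import os
import tempfile

PREDICTABLE_NAME = "lookup-cache.tmp"   # constructed stand-in for a fixed temp-file name


def vulnerable_write(shared_dir: str, data: bytes) -> str:
    """Open a fixed name for writing: an existing symlink at that name is followed."""
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    with open(path, "wb") as fh:          # truncates and writes whatever the link points at
        fh.write(data)
    return path


def exclusive_write(shared_dir: str, data: bytes) -> str:
    """Same fixed name, but O_CREAT|O_EXCL fails with EEXIST if anything (link included) is there."""
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)      # raises FileExistsError on a planted link
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def hardened_write(shared_dir: str, data: bytes) -> str:
    """mkstemp() picks an unpredictable name and opens it O_CREAT|O_EXCL with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="lookup-", dir=shared_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Attacker pre-plants a symlink at the predictable name pointing at a victim file."""
    shared = tempfile.mkdtemp()                         # stands in for a world-writable /tmp
    victim = os.path.join(shared, "victim.conf")        # constructed file owned by the victim
    with open(victim, "wb") as fh:
        fh.write(b"original")
    os.symlink(victim, os.path.join(shared, PREDICTABLE_NAME))

    vulnerable_write(shared, b"clobbered")
    with open(victim, "rb") as fh:
        after_vulnerable = fh.read()                    # victim file now overwritten

    try:
        exclusive_write(shared, b"clobbered again")
        exclusive_refused = False
    except FileExistsError:
        exclusive_refused = True

    safe_path = hardened_write(shared, b"private")
    with open(victim, "rb") as fh:
        after_hardened = fh.read()                      # unchanged by the hardened write
    return {
        "after_vulnerable": after_vulnerable,
        "exclusive_refused": exclusive_refused,
        "after_hardened": after_hardened,
        "hardened_used_new_file": (os.path.basename(safe_path) != PREDICTABLE_NAME
                                   and not os.path.islink(safe_path)),
    }
```

Run demo() on a Linux host: the vulnerable writer silently replaces the victim file's contents, the O_EXCL variant refuses the planted link, and the mkstemp() variant never touches it.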

52. Novell NetMail and M+NetMail Antivirus Agent Multiple Heap Buffer Overflow Vulnerabilities
BugTraq ID: 26753
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26753
Summary:
Novell NetMail and M+NetMail are prone to multiple heap-based buffer-overflow vulnerabilities. These issues occur because the applications fail to perform adequate boundary checks on user-supplied data.

A successful exploit will allow remote attackers to execute arbitrary code in the context of the affected software. Failed exploit attempts may result in denial-of-service conditions.

53. Mozilla Products Multiple Remote Vulnerabilities
BugTraq ID: 24242
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/24242
Summary:
The Mozilla Foundation has released six security advisories specifying vulnerabilities in Firefox, SeaMonkey, and Thunderbird.

These vulnerabilities allow attackers to:

- Execute arbitrary code
- Cause denial-of-service conditions
- Perform cross-site scripting attacks
- Obtain potentially sensitive information
- Spoof legitimate content

Other attacks may also be possible.

54. Xpdf Multiple Remote Stream.CC Vulnerabilities
BugTraq ID: 26367
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26367
Summary:
Xpdf is prone to multiple remote vulnerabilities because of flaws in various functions in the 'Stream.cc' source file.

Attackers exploit these issues by coercing users to view specially crafted PDF files with the affected application.

Successfully exploiting these issues allows attackers to execute arbitrary machine code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.

Xpdf 3.02pl1 is vulnerable to these issues; other versions may also be affected.

55. X.Org X Font Server Multiple Memory Corruption Vulnerabilities
BugTraq ID: 25898
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/25898
Summary:
X.Org X Font Server (XFS) is prone to multiple memory-corruption vulnerabilities, including an integer-overflow issue and a heap-based memory-corruption issue.

An attacker could exploit these issues to execute arbitrary code with the privileges of the X Font Server. Failed exploit attempts will likely result in a denial-of-service condition.

NOTE: These issues are exploitable remotely only on Solaris, where the server listens on TCP port 7100 by default. On other UNIX-like operating systems, an attacker can exploit these issues only locally.

These issues affect X Font Server 1.0.4; prior versions may also be affected.

56. Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 24070
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/24070
Summary:
Eggdrop Server Module is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Eggdrop 1.6.18 is known to be vulnerable; other versions may be affected as well.

57. Borland InterBase Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 25917
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/25917
Summary:
Borland InterBase is prone to multiple remote buffer-overflow vulnerabilities because the application fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.

Successfully exploiting these issues allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges. This will result in a complete compromise of affected computers.

Borland InterBase 2007 for Linux and Windows is considered vulnerable.

58. ACE Image Hosting Script Albums.PHP SQL Injection Vulnerability
BugTraq ID: 26780
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26780
Summary:
ACE Image Hosting Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

59. PEAR::MDB2 BLOB Field Information Disclosure Vulnerability
BugTraq ID: 26382
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26382
Summary:
PEAR::MDB2 is prone to an information-disclosure vulnerability because the library fails to securely handle URIs in BLOB and CLOB database fields.

Successfully exploiting this issue allows attackers to access potentially sensitive information that may aid in further attacks. Because of the unknown nature of applications that use the affected library, other attacks may also be possible.

MDB2 2.5.0a1 is vulnerable to this issue; other versions may also be affected.

60. Cisco 7940 SIP Phone INVITE Message Remote Denial of Service Vulnerability
BugTraq ID: 26711
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26711
Summary:
Cisco 7940 SIP phones are prone to a denial-of-service vulnerability because the device fails to handle specially crafted SIP INVITE messages.

Exploiting this issue allows remote attackers to cause the device to fail to respond to further call requests and to potentially crash, denying service to legitimate users.

This issue affects version P0S3-08-7-00 of Cisco 7940 SIP phones; other versions may also be affected.

61. PolDoc Document Management System Download_File.PHP Directory Traversal Vulnerability
BugTraq ID: 26775
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26775
Summary:
PolDoc Document Management System is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to access potentially sensitive information that could aid in further attacks.

PolDoc Document Management System 0.96 is vulnerable to this issue; other versions may also be affected.

62. MySQL Access Validation and Denial of Service Vulnerabilities
BugTraq ID: 25017
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/25017
Summary:
MySQL is prone to an access-validation vulnerability and a denial-of-service vulnerability.

An attacker can exploit these issues to create arbitrary MySQL tables or to crash the affected application, denying service to legitimate users.

This issue affects versions prior to MySQL 5.0.45.

63. MySQL Server RENAME TABLE System Table Overwrite Vulnerability
BugTraq ID: 26765
Remote: No
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26765
Summary:
MySQL is prone to a local vulnerability that allows system tables to be overwritten because the database server fails to properly handle unexpected symbolic links.

Exploiting this issue allows attackers with local access to affected computers to overwrite MySQL system tables. Further attacks against the MySQL database and potentially the underlying operating system may be possible.

This issue affects versions prior to MySQL 5.0.51.

64. MySQL Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability
BugTraq ID: 26353
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26353
Summary:
MySQL is prone to a remote denial-of-service vulnerability because the database server fails to properly handle unexpected input.

Exploiting this issue allows remote attackers to crash affected database servers, denying service to legitimate users. Attackers must be able to execute arbitrary SQL statements on affected servers, which requires valid credentials to connect to affected servers.

This issue affects MySQL 5.1.23 and prior versions.

65. Winamp MP4 File Parsing Buffer Overflow Vulnerability
BugTraq ID: 23723
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/23723
Summary:
Winamp is prone to a buffer-overflow vulnerability when it attempts to process certain files. This issue occurs because the application fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized memory buffer.

Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.

This issue affects Winamp 5.02 through 5.34.

UPDATE: The vendor states that this issue will be addressed in Winamp 5.35.

66. Ext2 Filesystem Utilities e2fsprogs libext2fs Multiple Unspecified Integer Overflow Vulnerabilities
BugTraq ID: 26772
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26772
Summary:
e2fsprogs is prone to multiple unspecified integer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

e2fsprogs versions 1.38 through 1.40.2 are vulnerable; other versions may also be affected.

67. Simple HTTPD Aux Remote Denial of Service Vulnerability
BugTraq ID: 26813
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26813
Summary:
Simple HTTPD is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to cause the affected application to crash, effectively denying service to legitimate users.

This issue affects Simple HTTPD 1.3; other versions may also be affected.

68. Microsoft Internet Explorer DHTML Object Memory Corruption Vulnerability
BugTraq ID: 26427
Remote: Yes
Last Updated: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26427
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability because it fails to adequately handle user-supplied input to certain DHTML object methods.

Attackers can exploit this issue to execute arbitrary code in the context of a user running the application. Successful attacks would compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

69. Easy File Sharing Web Server Directory Traversal and Multiple Information Disclosure Vulnerabilities
BugTraq ID: 26771
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26771
Summary:
Easy File Sharing Web Server is prone to a directory-traversal vulnerability and multiple information-disclosure vulnerabilities.

Successfully exploiting these issues allows remote attackers to upload files to arbitrary locations and to access potentially sensitive information, which may aid in further attacks.

Easy File Sharing Web Server 4.5 is vulnerable to these issues; other versions may also be affected.

70. Apache Tomcat JSP Example Web Applications Cross Site Scripting Vulnerability
BugTraq ID: 24476
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/24476
Summary:
Apache Tomcat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

71. Apache Tomcat Host Manager Servlet Cross Site Scripting Vulnerability
BugTraq ID: 25314
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/25314
Summary:
Apache Tomcat Host Manager Servlet is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to inject HTML and script code into the browser of an unsuspecting victim. The attacker may then steal cookie-based authentication credentials and launch other attacks.

Apache Tomcat 5.5.0 through 5.5.24 and 6.0.0 through 6.0.13 are affected.

72. Apache Tomcat Multiple Remote Information Disclosure Vulnerabilities
BugTraq ID: 25316
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/25316
Summary:
Apache Tomcat is prone to multiple information-disclosure vulnerabilities because it fails to adequately sanitize user-supplied data.

Attackers can exploit these issues to access potentially sensitive data that may aid in further attacks.

Versions prior to Apache Tomcat 6.0.14 are vulnerable.

73. Apache Tomcat Manager and Host Manager Upload Script Cross-Site Scripting Vulnerability
BugTraq ID: 24475
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/24475
Summary:
Apache Tomcat Manager and Host Manager are prone to a cross-site scripting vulnerability because the applications fail to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

74. Apache HTTP Server Tomcat Directory Traversal Vulnerability
BugTraq ID: 22960
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/22960
Summary:
Apache HTTP servers running with the Tomcat servlet container are prone to a directory-traversal vulnerability because the container fails to sufficiently sanitize user-supplied input data.

Exploiting this issue allows attackers to access arbitrary files in the Tomcat webroot. This can expose sensitive information that could help the attacker launch further attacks.

Versions in the 5.5 series prior to 5.5.22 and in the 6.0 series prior to 6.0.10 are vulnerable.
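
The check that stops the traversal described in this entry, in the PolDoc 'download_file.php' entry and in the Easy File Sharing Web Server entry, as an added example (editor's code, not from any of those projects): percent-decode the request, resolve it under the document root, and refuse anything whose real location is outside that root. The 'naive_download' handler is an illustrative weak pattern, not a quote of any vendor's code; the document root, 'readme.txt' and 'secret.txt' are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request resolves outside the document root."""


def naive_download(root: str, requested: str) -> bytes:
    """Illustrative weak pattern: a substring check that runs before decoding."""
    if ".." in requested:
        raise TraversalError("rejected")
    with open(os.path.join(root, unquote(requested)), "rb") as fh:   # decoded too late
        return fh.read()


def resolve_under_root(root: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `root`, or raise TraversalError.

    Decoding happens first (twice, so a doubly encoded '%252e%252e' is caught too);
    realpath() then collapses '..' segments and follows symlinks, so the prefix
    comparison is made on where the file really is, not on how the request was spelled."""
    root_real = os.path.realpath(root)
    decoded = unquote(unquote(requested)).lstrip("/\\")   # a leading '/' must not escape root
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise TraversalError(f"{requested!r} escapes {root!r}")
    return candidate


def checked_download(root: str, requested: str) -> bytes:
    """The download handler with the root check in front of the open()."""
    with open(resolve_under_root(root, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <base>/docs is the root, <base>/secret.txt sits outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "docs")
    os.makedirs(root)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"public")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"secret")

    def attempt(handler, request):
        try:
            return handler(root, request)
        except TraversalError:
            return "blocked"
        except OSError:
            return "missing"

    requests = ["readme.txt", "../secret.txt", "%2e%2e/secret.txt", "%252e%252e/secret.txt"]
    # value is (naive result, checked result) for each request
    return {req: (attempt(naive_download, req), attempt(checked_download, req)) for req in requests}
```

The encoded form '%2e%2e/secret.txt' slips past the substring check and the naive handler returns the file outside the root; the canonical-path check blocks every traversal spelling while still serving 'readme.txt'.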

75. Apache Tomcat WebDav Remote Information Disclosure Vulnerability
BugTraq ID: 26070
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26070
Summary:
Apache Tomcat is prone to a remote information-disclosure vulnerability.

Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server.

76. netkit-ftp getreply() Uninitialized Output Stream Memory Corruption Vulnerability
BugTraq ID: 26764
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26764
Summary:
The 'netkit-ftp' package is prone to a memory-corruption vulnerability because it performs an 'fclose()' call on an uninitialized output stream.

Successful attacks will cause denial-of-service conditions. Other attacks may also be possible.

This issue affects netkit-ftp 0.17; other versions may also be affected.

77. IBM Hardware Management Console Unspecified Privilege Escalation Vulnerability
BugTraq ID: 26769
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26769
Summary:
IBM Hardware Management Console is prone to an unspecified privilege-escalation vulnerability.

Currently, very little is known about this issue. We will update this BID as more information emerges.

This issue affects Hardware Management Console Version 3 Release 3.7; other versions may also be affected.

78. netkit-ftpd dataconn() Uninitialized File Stream Memory Corruption Vulnerability
BugTraq ID: 26763
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26763
Summary:
The 'netkit-ftpd' package is prone to a memory-corruption vulnerability because it performs an 'fclose()' call on an uninitialized FILE pointer.

Successful attacks will cause denial-of-service conditions and may allow arbitrary code to run, but this has not been confirmed. We will update this BID as more information emerges.

This issue affects 'netkit-ftpd' 0.17; other versions may also be affected.

79. Cairo PNG Image Processing Remote Integer Overflow Vulnerability
BugTraq ID: 26650
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26650
Summary:
Cairo is prone to an integer-overflow vulnerability because it fails to check that integer arithmetic on untrusted values cannot overflow. Attackers may exploit this issue to overflow a buffer and corrupt process memory.

Attackers may be able to execute arbitrary machine code in the context of an affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects versions prior to Cairo 1.4.12.

80. TCExam Multiple Unspecified SQL Injection Vulnerabilities
BugTraq ID: 26760
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26760
Summary:
TCExam is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to TCExam 5.1.000 are vulnerable.
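
The SQL-injection pattern behind this entry and the other SQL-injection entries in this issue (ActiveKB, Drupal, p3mbo Content Injector, SH-News, ACE Image Hosting Script) is the same: a request parameter is pasted into the query text. The following is an added example by the editor, not code from any of the listed projects; the 'comments' table and its rows are constructed sample data, and it shows the concatenated query beside the parameterised one that fixes it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows; row 3 is hidden from users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO comments VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "public comment", 0),
            (2, "bob", "another public comment", 0),
            (3, "admin", "moderation note: ban user 17", 1),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, comment_id: str) -> list:
    """The pattern the BIDs describe: the raw parameter becomes part of the SQL text."""
    sql = f"SELECT id, author, body FROM comments WHERE hidden = 0 AND id = {comment_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, comment_id: str) -> list:
    """Validate the type, then bind the value; the driver never treats it as SQL."""
    try:
        id_value = int(comment_id)
    except ValueError:
        return []                                    # reject rather than guess
    sql = "SELECT id, author, body FROM comments WHERE hidden = 0 AND id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def demo() -> dict:
    """Compare both handlers on an honest id and on a tautology payload."""
    conn = make_db()
    payload = "1 OR 1=1"
    # AND binds tighter than OR, so the injected WHERE clause reads
    # (hidden = 0 AND id = 1) OR 1=1 and matches every row, hidden ones included.
    return {
        "honest": vulnerable_lookup(conn, "1"),
        "injected": vulnerable_lookup(conn, payload),
        "parameterised": safe_lookup(conn, payload),
    }
```

With the concatenated query, the payload returns all three rows, including the hidden moderation note; the parameterised handler rejects the same input outright, and a string-typed id would be bound as a literal value rather than executed.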

81. WordPress Edit-Post-Rows.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 26228
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26228
Summary:
WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects WordPress 2.3; other versions may also be vulnerable.

82. Websense Reporting Tools Login Page Cross-Site Scripting Vulnerability
BugTraq ID: 26793
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26793
Summary:
Websense Reporting Tools is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

83. Squid Proxy Cache Update Reply Processing Remote Denial of Service Vulnerability
BugTraq ID: 26687
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26687
Summary:
Squid is prone to a remote denial-of-service vulnerability because the proxy server fails to perform boundary checks before copying user-supplied data into process buffers.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying further service to legitimate users. Attackers may also be able to execute arbitrary code, but this has not been confirmed.

This issue affects Squid 2.6.STABLE16 and prior versions. All Squid-3 snapshots and prereleases up to the November 28 snapshot are also vulnerable.

84. 3ivx MPEG-4 Multiple Remote Stack Based Buffer Overflow Vulnerabilities
BugTraq ID: 26773
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26773
Summary:
3ivx MPEG-4 is prone to multiple stack-based buffer-overflow issues because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.

3ivx MPEG-4 5.0.1 is vulnerable; other versions may also be affected.

NOTE: This BID originally listed Windows Media Player as vulnerable but it has been updated to reflect that the issues reside in 3ivx MPEG-4.

85. PCRE Regular Expression Library Multiple Integer and Buffer Overflow Vulnerabilities
BugTraq ID: 26462
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26462
Summary:
The PCRE regular-expression library is prone to multiple integer- and buffer-overflow vulnerabilities.

Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or launch other attacks in the context of the application using the affected library.

86. Python ImageOP Module Multiple Integer Overflow Vulnerabilities
BugTraq ID: 25696
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/25696
Summary:
Python's imageop module is prone to multiple integer-overflow vulnerabilities because it fails to properly bounds-check user-supplied input to ensure that integer operations do not overflow.

To successfully exploit these issues, an attacker must be able to control the arguments to imageop functions. Remote attackers may be able to do this, depending on the nature of applications that use the vulnerable functions.

Attackers would likely submit invalid or specially crafted images to applications that perform imageop operations on the data.

A successful exploit may allow attacker-supplied machine code to run in the context of affected applications, facilitating the remote compromise of computers.

87. Python PyLocale_strxfrm Function Remote Information Leak Vulnerability
BugTraq ID: 23887
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/23887
Summary:
Python applications that use the 'PyLocale_strxfrm' function are prone to an information leak.

Exploiting this issue allows remote attackers to read portions of memory.

Python 2.4.4-2 and 2.5 are confirmed vulnerable to this issue.

88. RETIRED: Media Player Classic Unspecified Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 26774
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26774
Summary:
Media Player Classic is prone to a stack-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.

RETIRED: This BID is being retired. This issue affects 3ivx MPEG-4. Please see BID 26773 (3ivx MPEG-4 Multiple Remote Stack Buffer Overflow Vulnerabilities) for further information.

89. SyndeoCMS MAIN.INC.PHP Remote File Include Vulnerability
BugTraq ID: 26321
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26321
Summary:
SyndeoCMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

SyndeoCMS 2.5.01 is vulnerable; other versions may also be affected.

90. Joomla! Index.PHP Multiple SQL Injection Vulnerabilities
BugTraq ID: 26707
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26707
Summary:
Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Joomla! 1.5 RC3 is vulnerable; other versions may also be affected.

UPDATE (Dec. 10, 2007): The validity of the issues is being disputed on the Joomla! Bug Tracker. Please see the references for information. Reports indicate that the related message was posted by a Joomla! developer but this has not been confirmed.

91. Apache::AuthCAS Cookie SQL Injection Vulnerability
BugTraq ID: 26762
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26762
Summary:
Apache::AuthCAS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Apache::AuthCAS 0.4; other versions may also be affected.

92. WebDoc Multiple SQL Injection Vulnerabilities
BugTraq ID: 26761
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26761
Summary:
WebDoc is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WebDoc 3.0 is vulnerable; other versions may also be affected.

93. Firefly Media Server Multiple Information Disclosure and Denial of Service Vulnerabilities
BugTraq ID: 26770
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26770
Summary:
Firefly Media Server is prone to multiple information-disclosure and denial-of-service vulnerabilities because it fails to handle specially crafted HTTP GET requests.

Attackers can exploit these issues to access potentially sensitive information, crash the server, or consume excessive resources. Successful exploits could aid in further attacks or deny service to legitimate users.

Firefly Media Server 2.4.1 is vulnerable; other versions may also be affected.

94. SHTTPD Multiple File Access And Directory Traversal Vulnerabilities
BugTraq ID: 26768
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26768
Summary:
SHTTPD is prone to multiple file-access vulnerabilities and a directory-traversal vulnerability.

An attacker can exploit these issues to obtain sensitive information and to read arbitrary files on the affected computer with the privileges of the user running the application.

Note that these issues apply only to the Windows implementation of SHTTPD.

95. NFSv4 ID Mapper nfsidmap Username Lookup Local Privilege Escalation Vulnerability
BugTraq ID: 26767
Remote: No
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26767
Summary:
The 'nfsidmap' utility is prone to a local privilege-escalation vulnerability because it fails to adequately handle files that have unknown owners.

Attackers can leverage this issue to gain superuser privileges. Successful exploits will completely compromise affected computers.

Versions prior to 'nfsidmap' 0.17 are vulnerable.

96. Monalbum Multiple Remote Vulnerabilities
BugTraq ID: 26811
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26811
Summary:
Monalbum is prone to multiple remote vulnerabilities, including security-bypass and file-include issues.

Exploiting these issues may allow an attacker to compromise the application and a webserver hosting the vulnerable software; other attacks are also possible.

These issues affect Monalbum 0.8.7; other versions may also be affected.

97. Thomson Speedtouch 716 URL Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 26808
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26808
Summary:
Thomson Speedtouch 716 is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects Thomson Speedtouch 716 firmwares 6.2.17.50 and 5.4.0.14; other versions may also be affected.

98. PHP-Nuke autohtml.php Local File Include Vulnerability
BugTraq ID: 26807
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26807
Summary:
Dance Music is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.

99. BarracudaDrive Web Server Denial of Service and Multiple Input Validation Vulnerabilities
BugTraq ID: 26805
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26805
Summary:
BarracudaDrive Web Server is prone to a denial-of-service vulnerability and multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues can allow an attacker to retrieve, view or delete arbitrary files, inject hostile HTML or script code in the context of the application running the vulnerable software, or crash the webserver, denying service to legitimate users.

100. BadBlue Directory Traversal and Buffer Overflow Vulnerability
BugTraq ID: 26803
Remote: Yes
Last Updated: 2007-12-10
Relevant URL: http://www.securityfocus.com/bid/26803
Summary:
BadBlue is prone to a directory-traversal vulnerability and a buffer-overflow vulnerability.

An attacker can exploit these issues to upload arbitrary files outside the destination folder (potentially overwriting existing files), execute arbitrary code within the context of the affected application, or crash the affected application.

BadBlue 2.72b is vulnerable; prior versions may also be affected.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Researchers reverse Netflix anonymization
By: Robert Lemos
Two computer scientists show that a large set of transactional data poses privacy risks by finding a way to link movie ratings from the Netflix Prize dataset to publicly available information.
http://www.securityfocus.com/news/11497

2. Group drafts rules to nix credit-card storage
By: Robert Lemos
The organization responsible for technical and best-practice standards in the payment industry plans to require the makers of merchant software to certify that their programs do not store sensitive data.
http://www.securityfocus.com/news/11496

3. Task force aims to improve U.S. cybersecurity
By: Robert Lemos
A blue-ribbon panel of three dozen security experts hopes to craft a strategy to improve cybersecurity by the time the next president takes office.
http://www.securityfocus.com/news/11494

4. Court filings double estimate of TJX breach
By: Robert Lemos
Online attackers stole information on more than 94 million credit- and debit-card accounts, more than double the original estimates, according to court documents.
http://www.securityfocus.com/news/11493

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
1. FW: Anyone have a reason for 2x the email flow today?
http://www.securityfocus.com/archive/75/484668

2. HITBSecConf2007 Malaysia Videos Now Available
http://www.securityfocus.com/archive/75/484666

3. Anyone have a reason for 2x the email flow today?
http://www.securityfocus.com/archive/75/484505

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. HITBSecConf2007 Malaysia Videos Now Available
http://www.securityfocus.com/archive/82/484673

2. SEH and overwrite EIP
http://www.securityfocus.com/archive/82/484427

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #371
http://www.securityfocus.com/archive/88/484683

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to reply. Alternatively, you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is Sponsored by: SPI Dynamics