News

Wednesday, January 02, 2008

SecurityFocus Newsletter #434
----------------------------------------

This issue is Sponsored by: Black Hat DC

Attend Black Hat DC, February 18-21, the Washington, DC version of the world's premier technical event for ICT security experts. Featuring hands-on training courses and Briefings presentations with lots of new content, including a focus on wireless security and offensive attack analysis. Network with 400+ delegates and review products from leading vendors in a relaxed setting, including Diamond sponsor Microsoft.

www.blackhat.com


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Real Flaws in Virtual Worlds
2. Copyrights and Wrongs
II. BUGTRAQ SUMMARY
1. Adobe Flash Player 'asfunction' Cross Site Scripting Vulnerability
2. PHP ZLink 'go.php' SQL Injection Vulnerability
3. libsndfile FLAC.C Buffer Overflow Vulnerability
4. CustomCMS 'vars.php' SQL Injection Vulnerability
5. Makale Scripti Cross-Site Scripting Vulnerability
6. PHCDownload 'search.php' SQL Injection and Cross-Site Scripting Vulnerability
7. NoseRub 'identity.php' SQL Injection Vulnerability
8. ClamAV Multiple Insecure File Handling and Scanner Bypass Vulnerabilities
9. ClamAV BZ_GET_FAST Bzip2 Decompression Vulnerability
10. BarracudaDrive Web Server Denial of Service and Multiple Input Validation Vulnerabilities
11. Websense Reporting Tools Login Page Cross-Site Scripting Vulnerability
12. webSPELL Usergallery.PHP and Calendar.PHP Multiple Cross-Site Scripting Vulnerabilities
13. Falt4 CMS Multiple Input Validation Vulnerabilities
14. inotify-tools C Library inotifytools_snfprintf() Local Buffer Overflow Vulnerability
15. KLab HttpLogger Unspecified Cross Site Scripting Vulnerability
16. JFreeChart Multiple HTML Injection Vulnerabilities
17. TYPO3 'indexed_search' Extension SQL Injection Vulnerability
18. wwwstats Clickstats.PHP Multiple HTML Injection Vulnerabilities
19. Drupal TAXONOMY_SELECT_NODES() SQL Injection Vulnerability
20. OpenNewsletter Compose.PHP Cross-Site Scripting Vulnerability
21. Drupal Shoutbox Module Multiple HTML Injection Vulnerabilities
22. PeerCast HandshakeHTTP Multiple Buffer Overflow Vulnerabilities
23. GNU TAR and CPIO safer_name_suffix Remote Denial of Service Vulnerability
24. GNU Tar Dot_Dot Function Remote Directory Traversal Vulnerability
25. Plone Multiple Modules Script Execution Vulnerabilities
26. Feng Multiple Remote Buffer Overflow and Denial of Service Vulnerabilities
27. AdultScript 'id' Parameter Multiple SQL Injection Vulnerabilities
28. Adobe Flash Player Unspecified Privilege-Escalation Vulnerability
29. Brand039 MMSLamp 'default.php' SQL Injection Vulnerability
30. autofs nodev Mount Option Privilege Escalation Vulnerability
31. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
32. zBlog 'index.php' Multiple SQL Injection Vulnerabilities
33. Sun Solaris NFS 'netgroups' Security Bypass Vulnerability
34. IP Reg Multiple SQL Injection Vulnerabilities
35. Microsoft Office Publisher Multiple Denial Of Service Vulnerabilities
36. PHCDownload Username HTML Injection Vulnerability
37. Microsoft Word Wordart Doc Denial Of Service Vulnerability
38. Apache HTTP Server Worker Process Multiple Denial of Service Vulnerabilities
39. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
40. Social Engine 'global_lang' Multiple Local File Include Vulnerabilities
41. 3ivx MPEG-4 Multiple Remote Stack Based Buffer Overflow Vulnerabilities
42. mBlog 'index.php' Local File Include Vulnerability
43. Shadowed Portal 'control.php' Local File Include Vulnerability
44. HP Software Update 'RulesEngine.dll' ActiveX Control Multiple File Overwrite Vulnerabilities
45. Arcadem LE 'frontpage_right.php' Remote File Include Vulnerability
46. MyBlog Games.PHP ID Remote File Include Vulnerability
47. NmnNewsletter 'confirmUnsubscription.php' Remote File Include Vulnerability
48. Wallpaper Complete Website 'category.php' SQL Injection Vulnerability
49. nicLOR CMS sezione_news.php SQL Injection Vulnerability
50. Plone 'LiveSearch' Module HTML Injection Vulnerability
51. MODx 'AjaxSearch.php' Local File Include Vulnerability
52. MODx 'htcmime.php' Source Code Information Disclosure Vulnerability
53. AGENCY4NET WEBFTP 'download2.php' Local File Include Vulnerability
54. RealPlayer 11 Unspecified Buffer Overflow Vulnerability
55. phpWebSite Search Module Cross-Site Scripting Vulnerability
56. Vantage Linguistics AnswerWorks ActiveX Controls Multiple Unspecified Vulnerabilities
57. IBM Rational ClearQuest Username Parameter SQL Injection Vulnerability
58. Old Guy's Scripts TalkBack Comments and Guestbook Multiple Remote File Include Vulnerabilities
59. Agares Media phpAutoVideo Multiple Remote and Local File Include Vulnerabilities
60. Info-ZIP UnZip Privilege Escalation Vulnerability
61. MailMachinePRO 'showMsg.php' SQL Injection Vulnerability
62. BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
63. Appian Business Process Management Suite Remote Denial of Service Vulnerability
64. Wireshark 0.99.6 Multiple Remote Vulnerabilities
65. Macrovision InstallShield Update Service 'isusweb.dll' Remote Buffer Overflow Vulnerability
66. IBM Lotus Domino Web Access Upload Module ActiveX Control Memory Corruption Vulnerability
67. OpenOffice HSQLDB Database Engine Unspecified Java Code Execution Vulnerability
68. Cairo PNG Image Processing Remote Integer Overflow Vulnerability
69. Opera Web Browser Multiple Security Vulnerabilities
70. Pragmatic Utopia PU Arcade 'fid' parameter SQL Injection Vulnerability
71. WebPortal CMS 'index.php' SQL Injection Vulnerability
72. LiveCart Multiple Cross-Site Scripting Vulnerabilities
73. FireGPG PGP Key Issuer Name HTML Injection Vulnerability
74. Netchemia oneSCHOOL 'login.asp' SQL Injection Vulnerability
75. Zenphoto 'rss.php' SQL Injection Vulnerability
76. MyPHP Forum 'faq.php' and 'member.php' Multiple SQL Injection Vulnerabilities
77. IPTBB 'index.php' SQL Injection Vulnerability
78. bitweaver 'edit.php' Source Code Information Disclosure Vulnerability
79. InstantSoftware Dating Site Login SQL Injection Vulnerability
80. bitweaver 'upload.php' Arbitrary File Upload Vulnerability
81. MilliScripts 'dir.php' Cross-Site Scripting Vulnerability
82. Mihalism Multi Host 'download.php' Directory Traversal Vulnerability
83. MatPo.de Kontakt Formular 'function.php' Remote File Include Vulnerability
84. CMS Made Simple TinyMCE Module 'content_css.php' SQL Injection Vulnerability
85. MatPo.de MatPo Bilder Galerie 'tumbnail.php' Remote File Include Vulnerability
86. SanyBee Gallery 'index.php' Local File Include Vulnerability
87. w-Agora 'index.php' SQL Injection Vulnerability
88. Persits Software XUpload ActiveX Control Remote Buffer Overflow Vulnerability
89. Mozilla Firefox Jar URI Cross-Site Scripting Vulnerability
90. Mozilla Firefox and SeaMonkey Windows.Location Property HTTP Referer Header Spoofing Weakness
91. Mozilla Firefox Multiple Remote Unspecified Memory Corruption Vulnerabilities
92. ClamAV 'libclamav/pe.c' MEW Packed PE File Integer Overflow Vulnerability
93. ClamAV 'mspack.c' Off-By-One Buffer Overflow Vulnerability
94. BalaBit IT Security syslog-ng NULL-Pointer Dereference Denial of Service Vulnerability
95. Firefly Media Server Multiple Null Pointer Dereference Vulnerabilities
96. Firefly Media Server Webserver.C Multiple Format String Vulnerabilities
97. exiftags Multiple Unspecified Buffer Overflow And Denial Of Service Vulnerabilities
98. libexif Image Tag Remote Integer Overflow Vulnerability
99. Exiv2 EXIF File Handling Integer Overflow Vulnerability
100. libexif Image Tag Remote Denial Of Service Vulnerability
III. SECURITYFOCUS NEWS
1. Senate delays vote on spy bill
2. Researchers reverse Netflix anonymization
3. Group drafts rules to nix credit-card storage
4. Task force aims to improve U.S. cybersecurity
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Blog Entry of Interest
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #374
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Real Flaws in Virtual Worlds
By Federico Biancuzzi
Massively multiplayer online role playing games (MMORPGs), such as World of Warcraft, have millions of subscribers interacting online, which makes security tricky business.

http://www.securityfocus.com/columnists/461

2. Copyrights and Wrongs
By Mark Rasch
On October 1, 2007, Jammie Thomas -- a single mother living in Brainerd, Minnesota -- was sued in civil court for copyright infringement by the Recording Industry Association of America. Three days later, the jury returned the verdict; Ms. Thomas was liable for willfully infringing the copyrights on 24 songs. The fine: $222,000.

http://www.securityfocus.com/columnists/460


II. BUGTRAQ SUMMARY
--------------------
1. Adobe Flash Player 'asfunction' Cross Site Scripting Vulnerability
BugTraq ID: 26949
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26949
Summary:
Adobe Flash Player is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

2. PHP ZLink 'go.php' SQL Injection Vulnerability
BugTraq ID: 26997
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26997
Summary:
PHP ZLink is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP ZLink 0.3 is reported vulnerable; other versions may be vulnerable as well.
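Most of the SQL-injection entries in this issue carry the same one-line explanation: user-supplied data reaches an SQL query without sufficient sanitization. As an added illustration of that class, not code from PHP ZLink or any other product listed here, the snippet below shows the vulnerable pattern (the request parameter spliced into the query text) next to the parameterized form that closes it. The table, rows and attacker inputs are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern the advisories describe: the 'id' parameter becomes part of the SQL text.

    Anything the attacker puts in the parameter is parsed as SQL, so 'OR 1=1'
    widens the WHERE clause and a UNION pulls other columns out of the table.
    """
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Hardened form: the driver binds the value, so it can never become SQL syntax.

    A non-numeric string simply fails to match the integer column; no query
    structure is changed.
    """
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def demo():
    """Run the same three inputs through both versions and return the outcomes."""
    conn = make_db()
    inputs = ["1", "1 OR 1=1", "0 UNION SELECT secret FROM users"]
    return {
        "vulnerable": {i: sorted(lookup_vulnerable(conn, i)) for i in inputs},
        "parameterized": {i: sorted(lookup_parameterized(conn, i)) for i in inputs},
    }


if __name__ == "__main__":
    for variant, results in demo().items():
        for payload, names in results.items():
            print(f"{variant:14s} {payload!r:40s} -> {names}")
```

The second and third inputs are the two outcomes the advisories summarize as "access or modify data": the tautology returns every row, and the UNION reads a column the query never exposed. The parameterized version returns the single expected row for a real id and nothing at all for either payload.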

3. libsndfile FLAC.C Buffer Overflow Vulnerability
BugTraq ID: 25758
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/25758
Summary:
The 'libsndfile' library is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code with the privileges of an application using the library. This can compromise the affected application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.

This issue affects libsndfile 1.0.17; previous versions may also be vulnerable.

4. CustomCMS 'vars.php' SQL Injection Vulnerability
BugTraq ID: 27069
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27069
Summary:
CustomCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Version 3.1 of CustomCMS is vulnerable to this issue; other versions may also be affected.

5. Makale Scripti Cross-Site Scripting Vulnerability
BugTraq ID: 27067
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27067
Summary:
Makale Scripti is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

6. PHCDownload 'search.php' SQL Injection and Cross-Site Scripting Vulnerability
BugTraq ID: 27066
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27066
Summary:
PHCDownload is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Attackers may also exploit these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHCDownload version 1.1.0 is vulnerable to this issue; other versions may also be affected.

7. NoseRub 'identity.php' SQL Injection Vulnerability
BugTraq ID: 27065
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27065
Summary:
NoseRub is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Version 0.5.2 of NoseRub is vulnerable to this issue; other versions may also be affected.

8. ClamAV Multiple Insecure File Handling and Scanner Bypass Vulnerabilities
BugTraq ID: 27064
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27064
Summary:
ClamAV is prone to multiple vulnerabilities due to the insecure handling of files, and due to a failure to scan certain files.

A successful attack may allow malicious users to perform symbolic-link attacks, or to bypass scanning. Exploits may aid in further attacks.

ClamAV version 0.92 is vulnerable to these issues; other versions may also be affected.

9. ClamAV BZ_GET_FAST Bzip2 Decompression Vulnerability
BugTraq ID: 27063
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27063
Summary:
ClamAV is prone to a vulnerability due to a flaw in its Bzip2 decompression support.

Successful exploits of this vulnerability may allow remote attackers to execute arbitrary code in the context of the vulnerable application or to trigger denial-of-service conditions. These effects have not been confirmed.

Further information is not currently available; this BID will be updated as more information is disclosed.

ClamAV 0.91.2 is vulnerable to this issue; other versions may also be affected.

10. BarracudaDrive Web Server Denial of Service and Multiple Input Validation Vulnerabilities
BugTraq ID: 26805
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26805
Summary:
BarracudaDrive Web Server is prone to a denial-of-service vulnerability and multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues can allow an attacker to retrieve, view, or delete arbitrary files; inject hostile HTML or script code in the context of the application running the vulnerable software; or crash the webserver, denying service to legitimate users.

11. Websense Reporting Tools Login Page Cross-Site Scripting Vulnerability
BugTraq ID: 26793
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26793
Summary:
Websense Reporting Tools is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

12. webSPELL Usergallery.PHP and Calendar.PHP Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 26787
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26787
Summary:
webSPELL is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

webSPELL 4.01.02 is affected; other versions may also be vulnerable.

13. Falt4 CMS Multiple Input Validation Vulnerabilities
BugTraq ID: 26786
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26786
Summary:
Falt4 Extreme CMS is prone to three input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, that occur because the application fails to adequately sanitize user-supplied input.

A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues were reported to affect Falt4 Extreme (RC4). Other versions may also be affected.

14. inotify-tools C Library inotifytools_snfprintf() Local Buffer Overflow Vulnerability
BugTraq ID: 25724
Remote: No
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/25724
Summary:
The 'inotify-tools' C library is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to execute arbitrary code with the privileges of the application using the library. Successful exploits can compromise affected applications and possibly the underlying computer. Failed exploit attempts will result in a denial of service.

Versions prior to inotify-tools 3.11 are vulnerable.

15. KLab HttpLogger Unspecified Cross Site Scripting Vulnerability
BugTraq ID: 26810
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26810
Summary:
KLab HttpLogger is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

The issue affects HttpLogger 0.8.1; other versions may also be vulnerable.

16. JFreeChart Multiple HTML Injection Vulnerabilities
BugTraq ID: 26752
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26752
Summary:
JFreeChart is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

These issues affect JFreeChart 1.0.8; other versions may be affected as well.

17. TYPO3 'indexed_search' Extension SQL Injection Vulnerability
BugTraq ID: 26871
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26871
Summary:
TYPO3 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects versions prior to:

TYPO3 4.0.8 from the 3.x and 4.x branches
TYPO3 4.1.4 from the 4.1.x branch

18. wwwstats Clickstats.PHP Multiple HTML Injection Vulnerabilities
BugTraq ID: 26759
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26759
Summary:
The 'wwwstats' program is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to wwwstats 3.22 are vulnerable.

19. Drupal TAXONOMY_SELECT_NODES() SQL Injection Vulnerability
BugTraq ID: 26735
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26735
Summary:
Drupal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Drupal 4.7.9 and 5.4 are vulnerable.

20. OpenNewsletter Compose.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 26745
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26745
Summary:
OpenNewsletter is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

OpenNewsletter 2.5 is vulnerable; other versions may also be affected.

21. Drupal Shoutbox Module Multiple HTML Injection Vulnerabilities
BugTraq ID: 26736
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26736
Summary:
Drupal Shoutbox module is prone to multiple HTML-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input data before using it in dynamically generated content.

Attacker-supplied HTML and script code could execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to Shoutbox 5.x-1.1 are affected by these issues.

22. PeerCast HandshakeHTTP Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 26899
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26899
Summary:
PeerCast is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer.

Successfully exploiting these issues will allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.

These issues affect PeerCast 0.12.17, SVN 334 and prior versions.

23. GNU TAR and CPIO safer_name_suffix Remote Denial of Service Vulnerability
BugTraq ID: 26445
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26445
Summary:
GNU's tar and cpio utilities are prone to a denial-of-service vulnerability because of insecure use of the 'alloca()' function.

Successfully exploiting this issue allows attackers to crash the affected utilities and possibly to execute code, but this has not been confirmed.

GNU tar and cpio utilities share the same vulnerable code and are both affected. Other utilities sharing this code may also be affected.

24. GNU Tar Dot_Dot Function Remote Directory Traversal Vulnerability
BugTraq ID: 25417
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/25417
Summary:
GNU Tar is prone to a directory-traversal vulnerability because the application fails to validate user-supplied data.

A successful attack can allow the attacker to overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.
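The two GNU tar entries above describe member names that climb out of the extraction directory and overwrite files the user can write to. As an added example, not part of either advisory or of GNU tar itself, the check below inspects an archive's member names and link targets before anything is extracted, which is the control a practitioner wants regardless of which tar version is installed. The archive is constructed in memory with one benign member and three traversal members.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a relative path, once normalized, still climbs above its starting directory."""
    return posixpath.normpath(path).split("/")[0] == ".."


def unsafe_members(tar):
    """Return names of members that would land outside the extraction directory.

    Three vectors are covered: absolute names, names containing '..' components
    that survive normalization, and symlinks or hardlinks whose target escapes.
    """
    bad = []
    for member in tar.getmembers():
        name = member.name
        if name.startswith("/") or _escapes(name):
            bad.append(name)
            continue
        if member.issym():
            # Symlink targets resolve relative to the link's own directory.
            target = posixpath.join(posixpath.dirname(name), member.linkname)
        elif member.islnk():
            # Hardlink targets are archive-relative paths.
            target = member.linkname
        else:
            continue
        if member.linkname.startswith("/") or _escapes(target):
            bad.append(name)
    return bad


def audit_archive(fileobj):
    """Open a tar stream and list its unsafe members without extracting anything."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return unsafe_members(tar)


def build_sample_archive():
    """Constructed sample: one benign file, two traversal names and one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("docs/readme.txt", b"hello\n"),
            ("../../.bashrc", b"echo pwned\n"),
            ("/etc/cron.d/job", b"* * * * * root id\n"),
        ]:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in audit_archive(build_sample_archive()):
        print("refusing member:", name)
```

Run the audit on the stream first and extract only when it returns an empty list. The symlink case matters because a later member can be written through a link created earlier in the same archive, so link targets need the same scrutiny as file names.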

25. Plone Multiple Modules Script Execution Vulnerabilities
BugTraq ID: 26354
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/26354
Summary:
Plone is affected by multiple script-execution vulnerabilities.

Exploiting these issues may allow remote attackers to execute arbitrary Python code in the context of the application. This may facilitate remote unauthorized access to an affected computer.

These versions are affected:

Plone 2.5.4 and prior versions of the 2.5 branch
Plone 3.0.2 and prior versions of the 3.0 branch

26. Feng Multiple Remote Buffer Overflow and Denial of Service Vulnerabilities
BugTraq ID: 27049
Remote: Yes
Last Updated: 2007-12-28
Relevant URL: http://www.securityfocus.com/bid/27049
Summary:
Feng is prone to multiple remote buffer-overflow and denial-of-service vulnerabilities.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the server application. Attackers may also crash the application, denying service to legitimate users.

Feng version 0.1.15 is vulnerable to these issues; other versions may also be affected.

27. AdultScript 'id' Parameter Multiple SQL Injection Vulnerabilities
BugTraq ID: 26996
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26996
Summary:
AdultScript is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

These issues affect AdultScript 1.6.5 and prior versions.

28. Adobe Flash Player Unspecified Privilege-Escalation Vulnerability
BugTraq ID: 26965
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26965
Summary:
Adobe Flash Player is prone to a vulnerability that allows attackers to gain elevated privileges on affected computers.

Very few technical details are currently available. We will update this BID as more information emerges.

NOTE: This issue occurs only when the application is running on a Linux operating system.

Versions prior to Adobe Flash Player 9.0.115.0 are vulnerable.

This issue was previously covered by BID 26929 (Adobe Flash Player Multiple Security Vulnerabilities).

29. Brand039 MMSLamp 'default.php' SQL Injection Vulnerability
BugTraq ID: 26995
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26995
Summary:
MMSLamp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

All versions are considered vulnerable.

30. autofs nodev Mount Option Privilege Escalation Vulnerability
BugTraq ID: 26970
Remote: No
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26970
Summary:
The 'autofs' utility is prone to a privilege-escalation vulnerability because of a flaw in its default configuration. Filesystems mounted under '/net' using the 'hosts' automount map do not have the 'nodev' mount option enabled by default.

Attackers can leverage this issue to interact with arbitrary system devices. Successful exploits will completely compromise affected computers.
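The fix for this one is a mount option, so the useful check is whether the option is actually present on the live mounts. As an added example, not part of the advisory or of autofs, the function below parses the /proc/mounts format and reports every filesystem under /net that lacks 'nodev'; the mount table it is shown against is a constructed excerpt, and the hostnames and addresses in it are invented.

```python
# Constructed /proc/mounts excerpt (not from a real system): one NFS share
# automounted under /net without 'nodev', one mounted correctly, plus two
# unrelated local filesystems.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
fileserver:/export/home /net/fileserver/export/home nfs rw,nosuid,addr=192.0.2.10 0 0
backup:/export/data /net/backup/export/data nfs rw,nosuid,nodev,addr=192.0.2.11 0 0
/dev/sdb1 /media/usb vfat rw,nodev,nosuid 0 0
"""


def parse_mounts(mounts_text):
    """Yield (device, mountpoint, fstype, option set) for each /proc/mounts line.

    Each line has six whitespace-separated fields; the fourth is a
    comma-separated option list. Malformed lines are skipped.
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        yield device, mountpoint, fstype, set(options.split(","))


def mounts_missing_option(mounts_text, option="nodev", prefix="/net/"):
    """Return mount points under `prefix` whose options do not include `option`.

    With the defaults this flags exactly the condition the advisory describes:
    an automounted /net filesystem on which device nodes would be honoured.
    """
    return [
        mountpoint
        for _device, mountpoint, _fstype, opts in parse_mounts(mounts_text)
        if mountpoint.startswith(prefix) and option not in opts
    ]


def check_live_system(path="/proc/mounts"):
    """Apply the same check to the running host (Linux only; path is a parameter so tests can avoid it)."""
    with open(path, encoding="utf-8") as fh:
        return mounts_missing_option(fh.read())


if __name__ == "__main__":
    for mp in mounts_missing_option(SAMPLE_MOUNTS):
        print("missing nodev:", mp)
```

The same helper with option="nosuid" covers the companion hardening most sites apply to automounted shares. Whatever map options are configured, this is the observation that confirms they took effect on the mounts that actually exist.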

31. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
BugTraq ID: 20246
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/20246
Summary:
OpenSSL is prone to a denial-of-service vulnerability.

A malicious server could cause a vulnerable client application to crash, effectively denying service.

32. zBlog 'index.php' Multiple SQL Injection Vulnerabilities
BugTraq ID: 26994
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26994
Summary:
zBlog is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

These issues affect zBlog 1.2; other versions may also be affected.

33. Sun Solaris NFS 'netgroups' Security Bypass Vulnerability
BugTraq ID: 26872
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26872
Summary:
Sun Solaris is prone to a security-bypass vulnerability due to an unspecified error.

A successful attack will allow an unauthorized remote user to gain superuser access to shared NFS resources on the vulnerable system with 'netgroups' access configured.

This issue affects Sun Solaris 10 for SPARC and x86 platforms.

34. IP Reg Multiple SQL Injection Vulnerabilities
BugTraq ID: 26993
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26993
Summary:
IP Reg is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

These issues affect IP Reg 0.3; other versions may also be affected.

35. Microsoft Office Publisher Multiple Denial Of Service Vulnerabilities
BugTraq ID: 26982
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26982
Summary:
Microsoft Office Publisher is prone to multiple denial-of-service vulnerabilities.

An attacker can exploit these issues to cause the affected application to crash. The attacker may also be able to execute arbitrary code in the context of the user running the affected application, but this has not been confirmed.

36. PHCDownload Username HTML Injection Vulnerability
BugTraq ID: 26991
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26991
Summary:
PHCDownload is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

This issue affects PHCDownload 1.10; other versions may also be vulnerable.

37. Microsoft Word Wordart Doc Denial Of Service Vulnerability
BugTraq ID: 26981
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26981
Summary:
Microsoft Word is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to cause the affected application to crash. The attacker may also be able to execute arbitrary code in the context of the user running the affected application, but this has not been confirmed.

This issue affects Word 2003; other versions may also be vulnerable.

38. Apache HTTP Server Worker Process Multiple Denial of Service Vulnerabilities
BugTraq ID: 24215
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/24215
Summary:
Apache is prone to multiple denial-of-service vulnerabilities.

An attacker with the ability to execute arbitrary server-side script code can exploit these issues to stop arbitrary services on the affected computer in the context of the master webserver process; other attacks may also be possible.

39. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
BugTraq ID: 24645
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/24645
Summary:
The Apache HTTP Server mod_status module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

40. Social Engine 'global_lang' Multiple Local File Include Vulnerabilities
BugTraq ID: 26990
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26990
Summary:
Social Engine is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit these issues to execute arbitrary local scripts and retrieve potentially sensitive information.

These issues affect Social Engine 2.0; other versions may also be vulnerable.

41. 3ivx MPEG-4 Multiple Remote Stack Based Buffer Overflow Vulnerabilities
BugTraq ID: 26773
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26773
Summary:
3ivx MPEG-4 is prone to multiple stack-based buffer-overflow issues because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.

3ivx MPEG-4 5.0.1 is vulnerable; other versions may also be affected.

NOTE: This BID originally listed Windows Media Player as vulnerable, but has been updated to reflect the fact that the issues reside in 3ivx MPEG-4.

42. mBlog 'index.php' Local File Include Vulnerability
BugTraq ID: 26989
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26989
Summary:
mBlog is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary local scripts and retrieve potentially sensitive information.

This issue affects mBlog 1.2; other versions may also be vulnerable.

43. Shadowed Portal 'control.php' Local File Include Vulnerability
BugTraq ID: 26988
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26988
Summary:
Shadowed Portal is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system.

This issue affects Shadowed Portal 5.7d3; other versions may also be vulnerable.

44. HP Software Update 'RulesEngine.dll' ActiveX Control Multiple File Overwrite Vulnerabilities
BugTraq ID: 26950
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26950
Summary:
HP Software Update 'RulesEngine.dll' ActiveX control is prone to multiple vulnerabilities that attackers can exploit to overwrite arbitrary user files and SYSTEM files. The issues stem from insecure methods used within 'RulesEngine.dll'.

An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page.

Successfully exploiting these issues allows remote attackers to overwrite arbitrary user files as well as critical SYSTEM files, which can prevent the computer from restarting.

HP Software Update 3.0.8.4 with 'RulesEngine.dll' ActiveX control 1.0 is vulnerable; other versions may also be affected.

Note that multiple HP laptop models ship with this software.

45. Arcadem LE 'frontpage_right.php' Remote File Include Vulnerability
BugTraq ID: 26986
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26986
Summary:
Arcadem LE is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system.

This issue affects Arcadem LE 2.04; other versions may also be vulnerable.

46. MyBlog Games.PHP ID Remote File Include Vulnerability
BugTraq ID: 26987
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26987
Summary:
MyBlog is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

47. NmnNewsletter 'confirmUnsubscription.php' Remote File Include Vulnerability
BugTraq ID: 26985
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26985
Summary:
NmnNewsletter is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system.

This issue affects NmnNewsletter 1.0.7; other versions may also be vulnerable.

48. Wallpaper Complete Website 'category.php' SQL Injection Vulnerability
BugTraq ID: 26984
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26984
Summary:
Wallpaper Complete Website is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Wallpaper Complete Website 1.0.09; other versions may also be vulnerable.

49. nicLOR CMS sezione_news.php SQL Injection Vulnerability
BugTraq ID: 26983
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/26983
Summary:
nicLOR CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

50. Plone 'LiveSearch' Module HTML Injection Vulnerability
BugTraq ID: 27098
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/27098
Summary:
Plone is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data before using it in dynamically generated content.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

This issue affects Plone 3.0.3 and prior.

51. MODx 'AjaxSearch.php' Local File Include Vulnerability
BugTraq ID: 27097
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/27097
Summary:
MODx is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Attackers can exploit this vulnerability using directory-traversal strings to have local script code execute in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.

MODx 0.9.6.1 is vulnerable to this issue; other versions may also be affected.

52. MODx 'htcmime.php' Source Code Information Disclosure Vulnerability
BugTraq ID: 27096
Remote: Yes
Last Updated: 2008-01-02
Relevant URL: http://www.securityfocus.com/bid/27096
Summary:
MODx is prone to a vulnerability that allows attackers to access source code because the application fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.

MODx 0.9.6.1 is vulnerable; other versions may also be affected.

53. AGENCY4NET WEBFTP 'download2.php' Local File Include Vulnerability
BugTraq ID: 27092
Remote: Yes
Last Updated: 2008-01-01
Relevant URL: http://www.securityfocus.com/bid/27092
Summary:
AGENCY4NET WEBFTP is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary local scripts and retrieve potentially sensitive information.

54. RealPlayer 11 Unspecified Buffer Overflow Vulnerability
BugTraq ID: 27091
Remote: Yes
Last Updated: 2008-01-01
Relevant URL: http://www.securityfocus.com/bid/27091
Summary:
RealPlayer is prone to an unspecified buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.

A remote attacker may exploit this vulnerability by presenting a malicious file to a victim and enticing them to open it with the vulnerable application.

Successful exploits can allow attackers to run arbitrary code in the context of the user running the affected application. Failed attacks will likely cause denial-of-service conditions.

This issue affects RealPlayer 11; other versions may also be affected.

55. phpWebSite Search Module Cross-Site Scripting Vulnerability
BugTraq ID: 27090
Remote: Yes
Last Updated: 2008-01-01
Relevant URL: http://www.securityfocus.com/bid/27090
Summary:
phpWebSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue affects phpWebSite 1.4.0; other versions may also be vulnerable.

56. Vantage Linguistics AnswerWorks ActiveX Controls Multiple Unspecified Vulnerabilities
BugTraq ID: 26815
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26815
Summary:
Multiple Vantage Linguistics AnswerWorks ActiveX controls are prone to multiple unspecified vulnerabilities.

Successfully exploiting these issues will allow remote attackers to execute arbitrary code in the context of an application using the ActiveX control or to trigger denial-of-service conditions. However, the precise impact has not been confirmed.

AnswerWorks 3.0.0.0 - 4.0.0.100 and 5.0.0.0 - 5.0.0.6 are vulnerable.

NOTE: Currently, very few details are available regarding these issues. We will update this BID as more information emerges. Individual issues may be given separate BIDs.

UPDATE (December 31, 2007): Three of these issues are known to be buffer-overflow vulnerabilities.

57. IBM Rational ClearQuest Username Parameter SQL Injection Vulnerability
BugTraq ID: 25324
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/25324
Summary:
IBM Rational ClearQuest is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

IBM Rational ClearQuest 7.0.0.0 and 7.0.0.1 are vulnerable; other versions may also be affected.

58. Old Guy's Scripts TalkBack Comments and Guestbook Multiple Remote File Include Vulnerabilities
BugTraq ID: 26520
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26520
Summary:
TalkBack Comments and Guestbook is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Talkback Comments and Guestbook 2.2.7 is vulnerable; other versions may also be affected.

59. Agares Media phpAutoVideo Multiple Remote and Local File Include Vulnerabilities
BugTraq ID: 27023
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27023
Summary:
Agares Media phpAutoVideo is prone to multiple remote and local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

Exploiting these issues will allow an attacker to access potentially sensitive information and execute arbitrary scripts or PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

These issues affect phpAutoVideo 2.21; other versions may also be affected.

60. Info-ZIP UnZip Privilege Escalation Vulnerability
BugTraq ID: 14447
Remote: No
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/14447
Summary:
Info-ZIP UnZip is prone to a privilege-escalation issue because of improper handling of permissions contained in ZIP archives during decompression.

If users with superuser privileges use UnZip to decompress archives with setuid or setgid permissions, malicious binaries may be created that allow attackers to gain superuser privileges and compromise the computer.

61. MailMachinePRO 'showMsg.php' SQL Injection Vulnerability
BugTraq ID: 27030
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27030
Summary:
MailMachinePRO is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MailMachinePRO 2.2.4 is reported to be vulnerable; prior versions may also be vulnerable.

62. BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
BugTraq ID: 25972
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/25972
Summary:
BT Home Hub and Thomson/Alcatel Speedtouch 7G routers are prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, a cross-site scripting issue, multiple HTML-injection issues, and multiple authentication-bypass issues.

Successful exploits of many of these issues will allow an attacker to completely compromise the affected device.

These issues affect the BT Home Hub and Thomson/Alcatel Speedtouch 7G routers.

63. Appian Business Process Management Suite Remote Denial of Service Vulnerability
BugTraq ID: 26913
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26913
Summary:
Appian Business Process Management Suite (BPMS) is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted packets.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying further service to legitimate users.

This issue affects Appian BPMS 5.6 SP1; other versions may be vulnerable as well.

64. Wireshark 0.99.6 Multiple Remote Vulnerabilities
BugTraq ID: 26532
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26532
Summary:
Wireshark is prone to multiple denial-of-service and buffer-overflow vulnerabilities.

Exploiting these issues may allow attackers to cause crashes and deny service to legitimate users of the application. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.

Versions prior to Wireshark 0.99.7 are affected.

65. Macrovision InstallShield Update Service 'isusweb.dll' Remote Buffer Overflow Vulnerability
BugTraq ID: 27013
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27013
Summary:
InstallShield Update Service is prone to a remote buffer-overflow vulnerability because it fails to adequately sanitize user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary code with the permissions of the user running the application.

This issue affects InstallShield Update Service 5.1.100.47363; other versions may also be affected.

This issue is reportedly different from the ones documented in BID 26280 (Macrovision InstallShield Update Service Isusweb.DLL Multiple Remote Code Execution Vulnerabilities).

66. IBM Lotus Domino Web Access Upload Module ActiveX Control Memory Corruption Vulnerability
BugTraq ID: 26972
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26972
Summary:
IBM Lotus Domino Web Access Upload module is prone to a memory-corruption vulnerability because of an insecure method in the Upload module ActiveX control.

Successfully exploiting this issue can allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely result in denial-of-service conditions.

67. OpenOffice HSQLDB Database Engine Unspecified Java Code Execution Vulnerability
BugTraq ID: 26703
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26703
Summary:
OpenOffice is prone to a code-execution vulnerability.

Successful exploits allow remote attackers to execute arbitrary Java code in the context of the vulnerable application.

Versions prior to OpenOffice 2.3.1 are vulnerable.

68. Cairo PNG Image Processing Remote Integer Overflow Vulnerability
BugTraq ID: 26650
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26650
Summary:
Cairo is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to overflow a buffer and to corrupt process memory.

Attackers may be able to execute arbitrary machine code in the context of an affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects versions prior to Cairo 1.4.12.

69. Opera Web Browser Multiple Security Vulnerabilities
BugTraq ID: 26937
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/26937
Summary:
Opera Web Browser is prone to multiple security vulnerabilities, including remote code-execution, information-disclosure, and cross-domain scripting issues.

Attackers can exploit these issues to execute remote code and obtain sensitive information in the context of the affected application. Attackers may be able to exploit some of the issues to carry out cross-domain scripting attacks.

These issues affect versions prior to Opera 9.25.

Very few technical details are currently available. We will update this BID as more information emerges.

70. Pragmatic Utopia PU Arcade 'fid' parameter SQL Injection Vulnerability
BugTraq ID: 27089
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27089
Summary:
PU Arcade is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects PU Arcade 2.0.3 and 2.1.3 Beta; other versions may also be affected.

71. WebPortal CMS 'index.php' SQL Injection Vulnerability
BugTraq ID: 27088
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27088
Summary:
WebPortal CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects WebPortal CMS 0.6.0; other versions may also be vulnerable.

72. LiveCart Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 27087
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27087
Summary:
LiveCart is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

LiveCart version 1.0.1 is vulnerable to these issues; other versions may also be affected.

73. FireGPG PGP Key Issuer Name HTML Injection Vulnerability
BugTraq ID: 27086
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27086
Summary:
FireGPG is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML or JavaScript code could run in the context of the website that the application is triggered from, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

This issue affects FireGPG 0.4.6; prior versions may also be affected.

74. Netchemia oneSCHOOL 'login.asp' SQL Injection Vulnerability
BugTraq ID: 27085
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27085
Summary:
Netchemia oneSCHOOL is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

75. Zenphoto 'rss.php' SQL Injection Vulnerability
BugTraq ID: 27084
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27084
Summary:
Zenphoto is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Zenphoto 1.1, 1.1.1, 1.1.2 and 1.1.3; other versions may also be affected.

76. MyPHP Forum 'faq.php' and 'member.php' Multiple SQL Injection Vulnerabilities
BugTraq ID: 27083
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27083
Summary:
MyPHP Forum is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MyPHP Forum 3.0 is vulnerable; other versions may also be affected.

77. IPTBB 'index.php' SQL Injection Vulnerability
BugTraq ID: 27082
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27082
Summary:
IPTBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

IPTBB 0.5.4 is vulnerable; other versions may also be affected.

78. bitweaver 'edit.php' Source Code Information Disclosure Vulnerability
BugTraq ID: 27081
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27081
Summary:
bitweaver is prone to a vulnerability that allows attackers to access source code because the application fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.

bitweaver 2.0 is vulnerable; other versions may also be affected.

79. InstantSoftware Dating Site Login SQL Injection Vulnerability
BugTraq ID: 27080
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27080
Summary:
InstantSoftware Dating Site is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

80. bitweaver 'upload.php' Arbitrary File Upload Vulnerability
BugTraq ID: 27079
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27079
Summary:
bitweaver is prone to a vulnerability that lets attackers upload arbitrary files because it fails to adequately secure access to administrative scripts.

An attacker can exploit this issue to upload arbitrary files and execute malicious code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

bitweaver 2.0 is vulnerable; other versions are also affected.

81. MilliScripts 'dir.php' Cross-Site Scripting Vulnerability
BugTraq ID: 27078
Remote: Yes
Last Updated: 2007-12-31
Relevant URL: http://www.securityfocus.com/bid/27078
Summary:
MilliScripts is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

82. Mihalism Multi Host 'download.php' Directory Traversal Vulnerability
BugTraq ID: 27076
Remote: Yes
Last Updated: 2007-12-30
Relevant URL: http://www.securityfocus.com/bid/27076
Summary:
Mihalism Multi Host is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.

Mihalism Multi Host 2.0.7 is vulnerable; other versions may be affected as well.

83. MatPo.de Kontakt Formular 'function.php' Remote File Include Vulnerability
BugTraq ID: 27075
Remote: Yes
Last Updated: 2007-12-30
Relevant URL: http://www.securityfocus.com/bid/27075
Summary:
Kontakt Formular is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Kontakt Formular 1.4; other versions may be vulnerable as well.

84. CMS Made Simple TinyMCE Module 'content_css.php' SQL Injection Vulnerability
BugTraq ID: 27074
Remote: Yes
Last Updated: 2007-12-30
Relevant URL: http://www.securityfocus.com/bid/27074
Summary:
CMS Made Simple TinyMCE module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CMS Made Simple 1.2.2 and prior versions are reported to be vulnerable.

85. MatPo.de MatPo Bilder Galerie 'tumbnail.php' Remote File Include Vulnerability
BugTraq ID: 27073
Remote: Yes
Last Updated: 2007-12-30
Relevant URL: http://www.securityfocus.com/bid/27073
Summary:
MatPo Bilder Galerie is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects MatPo Bilder Galerie 1.1 and prior versions.

86. SanyBee Gallery 'index.php' Local File Include Vulnerability
BugTraq ID: 27072
Remote: Yes
Last Updated: 2007-12-30
Relevant URL: http://www.securityfocus.com/bid/27072
Summary:
SanyBee Gallery is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary local scripts and retrieve potentially sensitive information.

SanyBee Gallery 0.1.1 is affected by this issue; other versions may be vulnerable as well.

87. w-Agora 'index.php' SQL Injection Vulnerability
BugTraq ID: 27070
Remote: Yes
Last Updated: 2007-12-30
Relevant URL: http://www.securityfocus.com/bid/27070
Summary:
w-Agora is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

w-Agora 4.2.1 and prior versions are reported to be vulnerable.

88. Persits Software XUpload ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 27025
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/27025
Summary:
XUpload is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker may exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

XUpload 2.1.0.1 is vulnerable to this issue; other versions may also be affected. Reports indicate that XUpload 3.0 is not affected by this vulnerability.

89. Mozilla Firefox Jar URI Cross-Site Scripting Vulnerability
BugTraq ID: 26385
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26385
Summary:
Mozilla Firefox is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.

90. Mozilla Firefox and SeaMonkey Windows.Location Property HTTP Referer Header Spoofing Weakness
BugTraq ID: 26589
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26589
Summary:
Mozilla Firefox and SeaMonkey are prone to a weakness that allows an attacker to spoof HTTP Referer headers. This issue stems from a race condition in the affected application. The weakness arises because of a small timing difference when using a modal 'alert()' dialog, which allows users to generate fake HTTP Referer headers.

An attacker can exploit this issue to spoof HTTP Referer headers. This may cause other security mechanisms that rely on this data to fail or to return misleading information.

This issue affects versions prior to Mozilla Firefox 2.0.0.10 and Mozilla SeaMonkey 1.1.7.

91. Mozilla Firefox Multiple Remote Unspecified Memory Corruption Vulnerabilities
BugTraq ID: 26593
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26593
Summary:
The Mozilla Foundation has released a security advisory disclosing three unspecified memory-corruption vulnerabilities.

Successfully exploiting these issues may allow attackers to execute code, facilitating the compromise of affected computers. Failed exploit attempts will likely crash the application.

Versions prior to Mozilla Firefox 2.0.0.10 and Mozilla SeaMonkey 1.1.7 are vulnerable to these issues.

92. ClamAV 'libclamav/pe.c' MEW Packed PE File Integer Overflow Vulnerability
BugTraq ID: 26927
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26927
Summary:
ClamAV is prone to an integer-overflow vulnerability because it fails to properly verify user-supplied data.

Successful exploits of this vulnerability can allow remote attackers to execute arbitrary machine code in the context of applications using the 'libclamav' library. Failed exploits may crash the application.

ClamAV 0.91.2 is vulnerable to this issue; other versions may also be affected.

93. ClamAV 'mspack.c' Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 26946
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26946
Summary:
ClamAV is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.

Successful exploits of this vulnerability can allow remote attackers to execute arbitrary machine code in the context of applications using the 'libclamav' library. Failed exploits may crash the application.

ClamAV 0.91.2 is vulnerable to this issue; other versions may also be affected.

94. BalaBit IT Security syslog-ng NULL-Pointer Dereference Denial of Service Vulnerability
BugTraq ID: 26897
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26897
Summary:
BalaBit IT Security 'syslog-ng' is prone to a denial-of-service vulnerability because it fails to adequately sanitize user-supplied input.

Attackers can leverage this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.

This issue affects versions of syslog-ng prior to 2.0.6 and versions of syslog-ng-premium-edition prior to 2.1.8.

95. Firefly Media Server Multiple Null Pointer Dereference Vulnerabilities
BugTraq ID: 26309
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26309
Summary:
Firefly Media Server is prone to multiple NULL-pointer-dereference vulnerabilities.

An attacker can exploit these issues to crash the affected application, denying service to legitimate users. Given the nature of these issues, remote attackers may also be able to execute code, but this has not been confirmed.

Firefly Media Server 0.2.4 is vulnerable; other versions may also be affected.

96. Firefly Media Server Webserver.C Multiple Format String Vulnerabilities
BugTraq ID: 26310
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26310
Summary:
Firefly Media Server (formerly known as mt-daapd) is affected by multiple format-string vulnerabilities because the application fails to adequately sanitize user-supplied input before passing it as the format-specifier to a formatted-printing function.

Exploiting these issues can allow remote attackers to execute arbitrary code in the context of the application.

Versions prior to Firefly Media Server 0.2.4.1 are affected.

97. exiftags Multiple Unspecified Buffer Overflow And Denial Of Service Vulnerabilities
BugTraq ID: 26892
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26892
Summary:
The 'exiftags' utility is prone to multiple unspecified buffer-overflow and denial-of-service vulnerabilities.

An attacker can exploit these issues to deny access to legitimate users. Attackers may also be able to execute arbitrary code, but this has not been confirmed.

Very few technical details are currently available. We will update this BID as more information emerges.

These issues affect versions prior to exiftags 1.01.

98. libexif Image Tag Remote Integer Overflow Vulnerability
BugTraq ID: 26942
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26942
Summary:
The libexif library is prone to an integer-overflow vulnerability because the software fails to check that integer values derived from image data do not overflow.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an application using the vulnerable library. Failed attempts will likely result in denial-of-service conditions.

99. Exiv2 EXIF File Handling Integer Overflow Vulnerability
BugTraq ID: 26918
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26918
Summary:
Exiv2 is prone to an integer-overflow vulnerability because it fails to properly verify user-supplied data when handling EXIF files.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploits may crash the application.

Exiv2 0.15 is reported vulnerable to this issue; other versions may also be affected.

100. libexif Image Tag Remote Denial Of Service Vulnerability
BugTraq ID: 26976
Remote: Yes
Last Updated: 2007-12-29
Relevant URL: http://www.securityfocus.com/bid/26976
Summary:
The libexif library is prone to a denial-of-service vulnerability because of an infinite-recursion error.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable library.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Senate delays vote on spy bill
By: Robert Lemos
A bill that would modernize the United States' legal framework for eavesdropping and grant telecommunications companies retroactive immunity for wiretapping customers will have to wait until January.
http://www.securityfocus.com/news/11498

2. Researchers reverse Netflix anonymization
By: Robert Lemos
Two computer scientists show that a large set of transactional data poses privacy risks by finding a way to link movie ratings from the Netflix Prize dataset to publicly available information.
http://www.securityfocus.com/news/11497

3. Group drafts rules to nix credit-card storage
By: Robert Lemos
The organization responsible for technical and best-practice standards in the payment industry plans to require the makers of merchant software to certify that their programs do not store sensitive data.
http://www.securityfocus.com/news/11496

4. Task force aims to improve U.S. cybersecurity
By: Robert Lemos
A blue-ribbon panel of three dozen security experts hopes to craft a strategy to improve cybersecurity by the time the next president takes office.
http://www.securityfocus.com/news/11494

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Blog Entry of Interest
http://www.securityfocus.com/archive/82/485659

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #374
http://www.securityfocus.com/archive/88/485652

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is Sponsored by: Black Hat DC