Tuesday, March 25, 2008

SecurityFocus Newsletter #446


This issue is sponsored by bmighty:

How Much Will A Security Breach Cost Your Company?
Many smaller businesses have lax security policies, leaving their customers' confidential data vulnerable to identity thieves. Learn the steps to protect sensitive data.
http://www.bmighty.com/security/showArticle.jhtml?articleID=206901276&cid=LSM-sfS


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. On the Border
2. Catch Them if You Can
II. BUGTRAQ SUMMARY
1. F5 Big-IP Web Management Audit Log HTML Injection Vulnerability
2. eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability
3. Apple Safari File Download Remote Denial of Service Vulnerability
4. Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
5. Apple Safari Window.setTimeout Variant Content Spoofing Vulnerability
6. Joomla! and Mambo Datsogallery Component 'id' Parameter SQL Injection Vulnerability
7. MySQL INFORMATION_SCHEMA Remote Denial Of Service Vulnerability
8. ASUS Remote Console DPC Proxy Buffer Overflow Vulnerability
9. MIT Kerberos 5 KDC Multiple Memory Corruption Based Information Disclosure Vulnerabilities
10. MIT Kerberos Multiple Memory Corruption Vulnerabilities
11. MIT Kerberos5 kadmind Excessive File Descriptors Multiple Remote Code Execution Vulnerabilities
12. debian-goodies Checkrestart Script Local Privilege Escalation Vulnerability
13. Info-ZIP UnZip 'inflate_dynamic()' Remote Code Execution Vulnerability
14. phpMyChat Connected_Users.Lib.PHP3 Local File Include Vulnerability
15. Apache::AuthCAS Cookie SQL Injection Vulnerability
16. WordPress wp-db.php Character Set SQL Injection Vulnerability
17. Microsoft Internet Explorer 7 'setRequestHeader()' Multiple Vulnerabilities
18. Simple Machine SMF Shoutbox Module 'sboxDB.php' HTML Injection Vulnerability
19. Multiple Vendors BIND 'inet_network()' Off-by-One Buffer Overflow Vulnerability
20. MYPHPCalendar Cal_Dir Parameter Multiple Remote File Include Vulnerabilities
21. Audacity Insecure Temporary File Creation Vulnerability
22. 'libarchive' Multiple Remote Vulnerabilities
23. Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability
24. Apple Mac OS X Printing to PDF Insecure Encryption Weakness
25. Apple Mac OS X Preview PDF Insecure Encryption Weakness
26. Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
27. Le Forum 'Fichier_Acceuil' Parameter Remote File Include Vulnerability
28. DotNetNuke Prior to 4.8.2 Multiple Remote Vulnerabilities
29. snircd And ircu 'set_user_mode' Remote Denial of Service Vulnerability
30. Ruby WEBrick Remote Directory Traversal and Information Disclosure Vulnerabilities
31. Joomla! and Mambo Cinema Component 'id' Parameter SQL Injection Vulnerability
32. Joomla! and Mambo Rekry Component 'op_id' Parameter SQL Injection Vulnerability
33. Joomla! and Mambo Download3000 Component 'id' Parameter SQL Injection Vulnerability
34. IBM AIX 'usr/sbin/chnfsmnt' Unspecified Vulnerability
35. Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
36. Microsoft Internet Explorer Argument Handling Memory Corruption Vulnerability
37. CUPS CGI Interface Remote Buffer Overflow Vulnerability
38. Microsoft Internet Explorer HTML Rendering Remote Memory Corruption Vulnerability
39. Microsoft Windows Active Directory LDAP Request Validation Remote Denial Of Service Vulnerability
40. Microsoft Internet Explorer Property Method Remote Memory Corruption Vulnerability
41. Microsoft IIS File Change Notification Local Privilege Escalation Vulnerability
42. CUPS 'process_browse_data()' Remote Double Free Denial of Service Vulnerability
43. Microsoft Object Linking and Embedding (OLE) Automation Heap Based Buffer Overflow Vulnerability
44. Adobe Flash Player Policy File Cross Domain Security Bypass Vulnerability
45. Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Buffer Overflow Vulnerability
46. xine-lib 'sdpplin_parse()' Remote Buffer Overflow Vulnerability
47. PHP-Nuke Platinum 'dynamic_titles.php' SQL Injection Vulnerability
48. XLPortal 'index.php' SQL Injection Vulnerability
49. ooComments 'PathToComment' Parameter Multiple Remote File Include Vulnerabilities
50. Joomla! Custompages Component 'cpage' Parameter Remote File Include Vulnerability
51. PostNuke 'pnVarPrepForStore()' SQL Injection Vulnerability
52. phpMyChat 'setup.php3' Cross-Site Scripting Vulnerability
53. cPanel 'manpage.html' Cross-Site Scripting Vulnerability
54. TinyPortal 'index.php' Cross-Site Scripting Vulnerability
55. YourFreeWorld Short Url & Url Tracker Script Multiple HTML Injection Vulnerabilities
56. My Web Doc Administration Pages Multiple Authentication Bypass Vulnerabilities
57. D.E. Classifieds 'showCat.php' SQL Injection Vulnerability
58. Iatek Knowledge Base 'content_by_cat.asp' SQL Injection Vulnerability
59. Webutil 'webutil.pl' Multiple Remote Command Execution Vulnerabilities
60. DotNetNuke Default 'ValidationKey' and 'DecriptionKey' Weak Encryption Vulnerability
61. Namazu 'namazu.cgi' Cross-Site Scripting Vulnerability
62. Linksys WRT54G Wireless-G Router Multiple Remote Authentication Bypass Vulnerabilities
63. Speedport W500 'b_banner.stm' Password Information Disclosure Vulnerability
64. XWine WINE Configuration File Local Arbitrary Command Execution Vulnerability
65. w-Agora 'bn_dir_default' Parameter Multiple Remote File Include Vulnerabilities
66. Piczo Fast Picture Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability
67. CenterIM URI Handling Remote Arbitrary Command Execution Vulnerability
68. Multiple Vendor RPC.YPUpdated Command Execution Vulnerability
69. Gentoo 'ssl-cert' eclass Information Disclosure Vulnerability
70. News-Template 'print.php' Multiple Cross Site Scripting Vulnerabilities
71. Yehe 'envoyer' Arbitrary File Upload Vulnerability
72. Elastic Path Multiple Input Validation Vulnerabilities
73. PowerPHPBoard 'settings[]' Parameter Multiple Local File Include Vulnerabilities
74. Mitsubishi Electric GB-50A Multiple Remote Authentication Bypass Vulnerabilities
75. International Components for Unicode Library (libicu) Multiple Memory Corruption Vulnerabilities
76. RunCMS 'sections' Module 'artid' Parameter SQL Injection Vulnerability
77. RunCMS 'photo' Module 'cid' Parameter SQL Injection Vulnerability
78. phpAddressBook 'index.php' Local File Include Vulnerability
79. SurgeMail IMAP LSUB Command Remote Stack Buffer Overflow Vulnerability
80. PHP 5 'php_sprintf_appendstring()' Remote Integer Overflow Vulnerability
81. Joomla! and Mambo Alphacontent Component 'id' Parameter SQL Injection Vulnerability
82. LEADTOOLS Multimedia 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite Vulnerabilities
83. Novell eDirectory eMBox Utility 'edirutil' Command Unspecified Vulnerability
84. e107 My_Gallery Plugin 'dload.php' Arbitrary File Download Vulnerability
85. Multiple D-Link Products Multiple Cross-Site Scripting and Denial of Service Vulnerabilities
86. Clever Copy 'postview.php' SQL Injection Vulnerability
87. Aeries Browser Interface Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
88. Bomba Haber 'haberoku.php' SQL Injection Vulnerability
89. Orb Networks Orb RPC Request Remote Integer Overflow Vulnerability
90. CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow Vulnerability
91. Wireshark 0.99.7 Multiple Denial of Service Vulnerabilities
92. PowerClan Footer.Inc.PHP Remote File Include Vulnerability
93. S9Y Serendipity Trackbacks HTML Injection Vulnerability
94. S9Y Serendipity 'Real Name' Field HTML Injection Vulnerability
95. S9Y Serendipity Remote RSS sidebar Plugin Cross Site Scripting Vulnerability
96. xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities
97. Asterisk Call Authentication Security Bypass Vulnerability
98. Asterisk Predictable HTTP Manager Session ID Security Bypass Vulnerability
99. Asterisk RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities
100. bzip2 Unspecified File Handling Vulnerability
III. SECURITYFOCUS NEWS
1. Hacking contest highlights value of vulnerabilities
2. House aims to scrutinize warrantless taps
3. Browser makers focus on beating malware
4. Lawmakers voice concerns over cybersecurity plan
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
1. CanSecWest 2008 PWN2OWN - Mar 26-28
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #386
2. More along the lines of malware disinfection
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. On the Border
By Mark Rasch
Recently, I was going through an airport with my shoes, coat, jacket, and belt off as well as with my carry-on bag, briefcase, and laptop all separated for easy inspection. I was heading through security at the Washington D.C., Ronald Reagan National Airport in Arlington, Virginia, or "National" as we locals call it. As I passed through the new magnetometer which gently puffed air all over my body -- which to me seems to be a cross between a glaucoma test and Marilyn Monroe in Gentlemen Prefer Blondes -- a TSA employee absent-mindedly asked if he could "inspect" my laptop computer. While the inspection was cursory, the situation immediately gave me pause: What was in my laptop anyway?
http://www.securityfocus.com/columnists/469

2. Catch Them if You Can
By Don Parker
High-profile network security breaches have proliferated over the past few years. While many "breaches" consist of lost data or a stolen laptop, true breaches -- where an online attacker compromises a network and removes data -- have become very common.
http://www.securityfocus.com/columnists/468


II. BUGTRAQ SUMMARY
--------------------
1. F5 Big-IP Web Management Audit Log HTML Injection Vulnerability
BugTraq ID: 28416
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28416
Summary:
F5 Big-IP is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

F5 Big-IP 9.4.3 is vulnerable; other versions may also be affected.

2. eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability
BugTraq ID: 28424
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28424
Summary:
eGroupWare is prone to a vulnerability that allows arbitrary code to bypass HTML filtering.

An attacker can exploit this issue to execute arbitrary script code in the context of the application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to eGroupWare 1.4.003 are vulnerable; other versions may also be affected.

3. Apple Safari File Download Remote Denial of Service Vulnerability
BugTraq ID: 28404
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28404
Summary:
Apple Safari is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Arbitrary code execution may be possible, but this has not been confirmed.

This issue affects Safari 3.1 running on Microsoft Windows.

4. Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
BugTraq ID: 28389
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28389
Summary:
Apple Mac OS X is prone to a remote denial-of-service vulnerability because it fails to adequately validate UDF filesystems.

Attackers can leverage this issue to cause denial-of-service conditions.

NOTE: This vulnerability was previously covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

5. Apple Safari Window.setTimeout Variant Content Spoofing Vulnerability
BugTraq ID: 28405
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28405
Summary:
Apple Safari is prone to a content-spoofing vulnerability that allows attackers to populate a vulnerable Safari browser window with arbitrary malicious content. During such an attack, the URL and window title will display the intended site, while the body of the webpage is spoofed.

Safari 3.1 running on Microsoft Windows is reported vulnerable.

NOTE: This issue may be related to the vulnerability discussed in BID 24457 (Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability).

6. Joomla! and Mambo Datsogallery Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 28361
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28361
Summary:
The Datsogallery component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

7. MySQL INFORMATION_SCHEMA Remote Denial Of Service Vulnerability
BugTraq ID: 28351
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28351
Summary:
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.

An attacker can exploit this issue to crash the application, denying access to legitimate users.

NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be done through legitimate means or by exploiting other latent SQL-injection vulnerabilities.

This issue affects versions prior to MySQL 5.0.32 and 5.1.14.

8. ASUS Remote Console DPC Proxy Buffer Overflow Vulnerability
BugTraq ID: 28394
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28394
Summary:
ASUS Remote Console is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

ASUS Remote Console 2.0.0.19 is vulnerable; other versions may also be affected.

9. MIT Kerberos 5 KDC Multiple Memory Corruption Based Information Disclosure Vulnerabilities
BugTraq ID: 28303
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28303
Summary:
MIT Kerberos 5 KDC is prone to multiple information-disclosure vulnerabilities resulting from memory corruption.

These issues occur when KDC is configured to support Kerberos 4 and processes malformed krb4 messages.

An attacker can exploit these issues to obtain potentially sensitive information that will aid in further attacks. Failed exploit attempts will likely result in denial-of-service conditions. Given the nature of these vulnerabilities, the attacker could leverage these issues to execute arbitrary code, but this has not been confirmed.

MIT Kerberos 5 version 1.6.3 KDC is vulnerable; other versions may also be affected.

10. MIT Kerberos Multiple Memory Corruption Vulnerabilities
BugTraq ID: 26750
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/26750
Summary:
Multiple memory-corruption vulnerabilities with unknown impacts affect MIT Kerberos 5. These issues include a use-after-free vulnerability, an integer-overflow vulnerability, and two double-free vulnerabilities.

11. MIT Kerberos5 kadmind Excessive File Descriptors Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 28302
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28302
Summary:
The 'kadmind' server is prone to multiple vulnerabilities that can allow attackers to execute remote code because of array overruns in the RPC library code.

Exploiting these issues may allow attackers to execute arbitrary code with superuser privileges, facilitating the complete compromise of affected computers. Failed attempts will cause crashes and deny service to legitimate users of the application.

Note that a compromise of a Master KDC (Key Distribution Center) principal and policy server will affect multiple hosts that use the server for authentication, potentially contributing to their compromise as well.

These issues affect:

- krb5-1.4 through krb5-1.63, where configurations allow large numbers of open file descriptors.
- krb5-1.2.2 through krb5-1.3, where '<unistd.h>' does not define FD_SETSIZE. Note that this is likely the case in many GNU/Linux distributions; Solaris 10 and Mac OS X 10.4 may be unaffected.

12. debian-goodies Checkrestart Script Local Privilege Escalation Vulnerability
BugTraq ID: 25569
Remote: No
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/25569
Summary:
The 'checkrestart' utility in the 'debian-goodies' package is prone to a local privilege-escalation vulnerability because the application fails to sufficiently validate user-supplied data.

An attacker can exploit this issue to execute arbitrary commands with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.

This issue affects versions prior to debian-goodies 0.34.

13. Info-ZIP UnZip 'inflate_dynamic()' Remote Code Execution Vulnerability
BugTraq ID: 28288
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28288
Summary:
UnZip is prone to a remote code-execution vulnerability.

Attackers may exploit this issue by enticing victims into opening a maliciously crafted ZIP file ('.zip').

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application. This may facilitate a compromise of vulnerable computers.

UnZip 5.52 is vulnerable; other versions may be affected as well.

14. phpMyChat Connected_Users.Lib.PHP3 Local File Include Vulnerability
BugTraq ID: 20219
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/20219
Summary:
phpMyChat is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

A successful exploit may allow an unauthorized user to view files and to execute local scripts.

This issue affects phpMyChat 0.1; other versions may also be affected.

15. Apache::AuthCAS Cookie SQL Injection Vulnerability
BugTraq ID: 26762
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/26762
Summary:
Apache::AuthCAS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Apache::AuthCAS 0.4; other versions may also be affected.

16. WordPress wp-db.php Character Set SQL Injection Vulnerability
BugTraq ID: 26795
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/26795
Summary:
WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

17. Microsoft Internet Explorer 7 'setRequestHeader()' Multiple Vulnerabilities
BugTraq ID: 28379
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28379
Summary:
Microsoft Internet Explorer 7 is prone to multiple vulnerabilities that allow for referer-spoofing, HTTP-request-splitting, and HTTP-request-smuggling attacks.

A remote attacker may leverage these classes of attacks to poison web caches, steal credentials, evade IDS signatures, and launch cross-site scripting, HTML-injection, and session-hijacking attacks. Other attacks are also possible.

This issue reportedly affects Microsoft Internet Explorer 7.

18. Simple Machine SMF Shoutbox Module 'sboxDB.php' HTML Injection Vulnerability
BugTraq ID: 27727
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/27727
Summary:
SMF Shoutbox is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

SMF Shoutbox 1.16b is vulnerable; other versions may also be affected.

19. Multiple Vendors BIND 'inet_network()' Off-by-One Buffer Overflow Vulnerability
BugTraq ID: 27283
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/27283
Summary:
Multiple applications that use the 'libbind' BIND library are prone to an off-by-one buffer-overflow vulnerability because the 'inet_network()' function fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts may crash applications, denying service to legitimate users.

20. MYPHPCalendar Cal_Dir Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 21785
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/21785
Summary:
myPHPCalendar is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

myPHPCalendar 10.1 is vulnerable; other versions may also be affected.

21. Audacity Insecure Temporary File Creation Vulnerability
BugTraq ID: 26608
Remote: No
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/26608
Summary:
Audacity is prone to a security vulnerability because it creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

This issue affects Audacity 1.3.2; other versions may also be vulnerable.

22. 'libarchive' Multiple Remote Vulnerabilities
BugTraq ID: 24885
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/24885
Summary:
The 'libarchive' library is prone to multiple vulnerabilities because it fails to properly handle malformed TAR and PAX archives.

Successfully exploiting these issues allows remote attackers to trigger application crashes, consume excessive CPU resources, and potentially execute arbitrary machine code in the context of applications that use the affected library.

23. Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability
BugTraq ID: 28388
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28388
Summary:
Apple Mac OS X is prone to a stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed attacks will cause denial-of-service conditions.

NOTE: This vulnerability was previously covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

24. Apple Mac OS X Printing to PDF Insecure Encryption Weakness
BugTraq ID: 28387
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28387
Summary:
Apple Mac OS X is prone to a weakness that stems from the use of an insecure encryption algorithm when printing to PDF.

Attackers can use trivial brute-force tactics to view data that was encrypted with the insecure algorithm. Information harvested may aid in further attacks.

NOTE: This vulnerability was previously covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

25. Apple Mac OS X Preview PDF Insecure Encryption Weakness
BugTraq ID: 28386
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28386
Summary:
Apple Mac OS X is prone to a weakness that stems from the use of an insecure encryption algorithm.

Attackers can use trivial brute-force tactics to view data that was encrypted with the insecure algorithm. Information harvested may aid in further attacks.

NOTE: This vulnerability was previously covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

26. Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
BugTraq ID: 28385
Remote: No
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28385
Summary:
Apple Mac OS X is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

NOTE: This vulnerability was previously covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

27. Le Forum 'Fichier_Acceuil' Parameter Remote File Include Vulnerability
BugTraq ID: 28423
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28423
Summary:
Le Forum is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

28. DotNetNuke Prior to 4.8.2 Multiple Remote Vulnerabilities
BugTraq ID: 28438
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28438
Summary:
DotNetNuke is prone to multiple remote vulnerabilities, including:

- A vulnerability that allows attackers to execute server-side application logic.
- A vulnerability that allows attackers to upload arbitrary files.

An attacker can exploit these issues to compromise the affected application and to upload and execute arbitrary code within the context of the webserver.

Versions prior to DotNetNuke 4.8.2 are vulnerable.

29. snircd And ircu 'set_user_mode' Remote Denial of Service Vulnerability
BugTraq ID: 28413
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28413
Summary:
The 'snircd' and 'ircu' daemons are prone to a remote denial-of-service vulnerability because they fail to properly sanitize user-supplied input.

Successfully exploiting this issue allows remote attackers to crash the application, denying service to legitimate users.

This issue affects versions up to and including 'snircd' 1.3.4 and 'ircu' 2.10.12.12.

30. Ruby WEBrick Remote Directory Traversal and Information Disclosure Vulnerabilities
BugTraq ID: 28123
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28123
Summary:
Ruby's WEBrick server is prone to remote directory-traversal and information-disclosure vulnerabilities.

Successfully exploiting these issues allows remote attackers to access the contents of arbitrary files. Information harvested may aid in further attacks.

These issues affect only operating systems that allow backslash (\) characters as path separators and operating systems that use case-insensitive filenames. This exposes Microsoft Windows and Apple Mac OS X operating systems to attack.

31. Joomla! and Mambo Cinema Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 28427
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28427
Summary:
The Cinema component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The issue affects Cinema 1.0; other versions may also be vulnerable.

32. Joomla! and Mambo Rekry Component 'op_id' Parameter SQL Injection Vulnerability
BugTraq ID: 28422
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28422
Summary:
The Rekry component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Rekry 1.0.0; other versions may also be affected.

33. Joomla! and Mambo Download3000 Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 28428
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28428
Summary:
The Download3000 component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The issue affects Download3000 1.0; other versions may also be vulnerable.

34. IBM AIX 'usr/sbin/chnfsmnt' Unspecified Vulnerability
BugTraq ID: 28429
Remote: No
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28429
Summary:
IBM AIX is prone to an unspecified vulnerability that affects the 'usr/sbin/chnfsmnt' command.

Few details are currently available regarding this issue. We will update this BID as more information emerges.

The impact of successful exploits is currently unknown.

35. Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
BugTraq ID: 27237
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27237
Summary:
The Apache HTTP Server 'mod_status' module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Reportedly, attackers can also use this issue to redirect users' browsers to arbitrary locations, which may aid in phishing attacks.

The issue affects versions prior to Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev.

36. Microsoft Internet Explorer Argument Handling Memory Corruption Vulnerability
BugTraq ID: 27689
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27689
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.

Remote attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

37. CUPS CGI Interface Remote Buffer Overflow Vulnerability
BugTraq ID: 28307
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28307
Summary:
CUPS is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

CUPS 1.3.5 is reported vulnerable; other versions may be affected as well.

NOTE: This issue was originally covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record because further information has emerged.

38. Microsoft Internet Explorer HTML Rendering Remote Memory Corruption Vulnerability
BugTraq ID: 27668
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27668
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

39. Microsoft Windows Active Directory LDAP Request Validation Remote Denial Of Service Vulnerability
BugTraq ID: 27638
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27638
Summary:
Microsoft Windows is prone to a remote denial-of-service vulnerability because Microsoft Active Directory and ADAM (Active Directory Application Mode) fail to handle specially crafted Lightweight Directory Access Protocol (LDAP) requests.

An attacker can exploit this issue to cause the affected application to stop responding, denying further service to legitimate users.

Note that an attacker requires valid logon credentials to exploit this issue on Windows Server 2003 and Windows XP.

This issue affects Active Directory on Microsoft Windows 2000 and Windows Server 2003. The issue affects ADAM when installed on Windows XP and Windows Server 2003.

40. Microsoft Internet Explorer Property Method Remote Memory Corruption Vulnerability
BugTraq ID: 27666
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27666
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.

Remote attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

41. Microsoft IIS File Change Notification Local Privilege Escalation Vulnerability
BugTraq ID: 27101
Remote: No
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27101
Summary:
Microsoft Internet Information Service (IIS) is prone to a local privilege-escalation vulnerability that occurs when handling file change notifications.

A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.

42. CUPS 'process_browse_data()' Remote Double Free Denial of Service Vulnerability
BugTraq ID: 27906
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27906
Summary:
CUPS is prone to a remote denial-of-service vulnerability because it fails to protect against a double-free condition.

Attackers may exploit this issue to crash the application, denying service to legitimate users. Remote code execution may also be possible, but this has not been confirmed.

CUPS 1.3.5 is vulnerable to this issue; other versions may also be affected.

43. Microsoft Object Linking and Embedding (OLE) Automation Heap Based Buffer Overflow Vulnerability
BugTraq ID: 27661
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27661
Summary:
Microsoft Object Linking and Embedding (OLE) Automation is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

An attacker could exploit this issue by enticing a victim to open a malicious web document.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

44. Adobe Flash Player Policy File Cross Domain Security Bypass Vulnerability
BugTraq ID: 26966
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/26966
Summary:
The Adobe Flash Player is prone to a cross-domain security-bypass vulnerability.

An attacker can exploit this issue to connect to arbitrary hosts on affected computers. This may allow the application to perform generic TCP requests to determine what services are running on the affected computer.

This issue affects Adobe Flash Player 9.0.48.0, 8.0.35.0, 7.0.70.0, and prior versions.

NOTE: This issue was previously disclosed in BID 26929 (Adobe Flash Player Multiple Security Vulnerabilities) but has been assigned to this BID because of new technical details.

45. Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 25571
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/25571
Summary:
Microsoft Visual FoxPro ActiveX control is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Microsoft Visual FoxPro 6.0 is vulnerable to this issue; other versions may also be affected.

46. xine-lib 'sdpplin_parse()' Remote Buffer Overflow Vulnerability
BugTraq ID: 28312
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28312
Summary:
The 'xine-lib' library is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.

This issue affects xine-lib 1.1.10.1; other versions may also be vulnerable.

47. PHP-Nuke Platinum 'dynamic_titles.php' SQL Injection Vulnerability
BugTraq ID: 28410
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28410
Summary:
PHP-Nuke Platinum is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects PHP-Nuke Platinum 7.6.b.5; other versions may also be vulnerable.

48. XLPortal 'index.php' SQL Injection Vulnerability
BugTraq ID: 28408
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28408
Summary:
XLPortal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

XLPortal 2.2.4 is vulnerable; other versions may also be affected.

49. ooComments 'PathToComment' Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 28401
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28401
Summary:
ooComments is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

ooComments 1.0 is vulnerable; other versions may also be affected.

50. Joomla! Custompages Component 'cpage' Parameter Remote File Include Vulnerability
BugTraq ID: 28409
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28409
Summary:
The Joomla! Custompages component is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Custompages 1.1 is vulnerable; other versions may also be affected.

51. PostNuke 'pnVarPrepForStore()' SQL Injection Vulnerability
BugTraq ID: 28407
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28407
Summary:
PostNuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PostNuke 0.764 is vulnerable; other versions may also be affected.

52. phpMyChat 'setup.php3' Cross-Site Scripting Vulnerability
BugTraq ID: 28399
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28399
Summary:
phpMyChat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

phpMyChat 0.14.5 is vulnerable; other versions may also be affected.

53. cPanel 'manpage.html' Cross-Site Scripting Vulnerability
BugTraq ID: 28403
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28403
Summary:
cPanel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

54. TinyPortal 'index.php' Cross-Site Scripting Vulnerability
BugTraq ID: 28402
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28402
Summary:
TinyPortal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

55. YourFreeWorld Short Url & Url Tracker Script Multiple HTML Injection Vulnerabilities
BugTraq ID: 18046
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/18046
Summary:
Short Url & Url Tracker Script is prone to multiple HTML-injection vulnerabilities because the software fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

56. My Web Doc Administration Pages Multiple Authentication Bypass Vulnerabilities
BugTraq ID: 28400
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28400
Summary:
My Web Doc is prone to multiple authentication-bypass vulnerabilities.

Attackers can leverage these issues to compromise the application, which could aid in other attacks.

My Web Doc 2000 Final is vulnerable; other versions may also be affected.

57. D.E. Classifieds 'showCat.php' SQL Injection Vulnerability
BugTraq ID: 28396
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28396
Summary:
D.E. Classifieds is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

58. Iatek Knowledge Base 'content_by_cat.asp' SQL Injection Vulnerability
BugTraq ID: 28376
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28376
Summary:
Iatek Knowledge Base is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

59. Webutil 'webutil.pl' Multiple Remote Command Execution Vulnerabilities
BugTraq ID: 28393
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28393
Summary:
Webutil is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary commands. These issues occur because the application fails to adequately sanitize user-supplied input.

Successful attacks can compromise the affected application and possibly the underlying computer.

These issues affect Webutil 2.3 and 2.7.

60. DotNetNuke Default 'ValidationKey' and 'DecriptionKey' Weak Encryption Vulnerability
BugTraq ID: 28391
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28391
Summary:
DotNetNuke is prone to a weak encryption vulnerability.

An attacker can exploit this issue to decrypt sensitive data. Information obtained may lead to further attacks.

This issue affects DotNetNuke 4.8.1; other versions may also be affected.

61. Namazu 'namazu.cgi' Cross-Site Scripting Vulnerability
BugTraq ID: 28380
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28380
Summary:
Namazu is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to Namazu 2.0.18 are vulnerable.

62. Linksys WRT54G Wireless-G Router Multiple Remote Authentication Bypass Vulnerabilities
BugTraq ID: 28381
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28381
Summary:
Linksys WRT54G Wireless-G Router is prone to multiple authentication-bypass vulnerabilities.

Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible.

The issues affect firmware version v1.00.9; other versions may also be vulnerable.

63. Speedport W500 'b_banner.stm' Password Information Disclosure Vulnerability
BugTraq ID: 28382
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28382
Summary:
Speedport W500 is prone to an information-disclosure vulnerability.

Exploiting this issue may allow an unauthenticated remote attacker to retrieve sensitive information that may lead to further attacks.

64. XWine WINE Configuration File Local Arbitrary Command Execution Vulnerability
BugTraq ID: 28369
Remote: No
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28369
Summary:
XWine is prone to a vulnerability that can allow local attackers to execute arbitrary commands.

Local attackers can exploit this issue to execute arbitrary commands whenever a local user executes a program under WINE.

This issue affects XWine 1.0.1; other versions may also be vulnerable.

65. w-Agora 'bn_dir_default' Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 28366
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28366
Summary:
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

w-Agora 4.0 is vulnerable; other versions may also be affected.

66. Piczo Fast Picture Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 28354
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28354
Summary:
Piczo Fast Picture Uploader ActiveX control is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

ImageUploader4.ocx 4.1.36.0 is vulnerable; other versions may also be affected.

NOTE: This issue may be related to the issues covered in BID 27533 (MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow), BID 27534 (Facebook Photo Uploader 4 'ImageUploader4.1.ocx' ActiveX Control Buffer Overflow Vulnerability), and BID 27539 (Aurigma Image Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability).

67. CenterIM URI Handling Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 28362
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28362
Summary:
CenterIM is prone to a remote command-execution vulnerability.

Successful exploits can allow arbitrary commands to run in the context of the affected application.

CenterIM 4.22.3 is vulnerable; other versions may be affected as well.

68. Multiple Vendor RPC.YPUpdated Command Execution Vulnerability
BugTraq ID: 1749
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/1749
Summary:
The 'rpc.ypupdated' daemon is part of the Network Information Service (NIS) or Yellow Pages (YP). It allows clients to update NIS maps. A vulnerability in 'rpc.ypupdated' allows a malicious user to execute commands as root.

After receiving a request to update the Yellow Pages maps, 'ypupdated' executes a copy of the Bourne shell to run the 'make' command to recompute the maps, whether or not the request for changes was successful. Because of bad input validation while executing 'make', an attacker can pass shell metacharacters to the shell and can execute commands.

This issue is tracked by Sun BugIDs 1230027 and 1232146.

69. Gentoo 'ssl-cert' eclass Information Disclosure Vulnerability
BugTraq ID: 28350
Remote: No
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28350
Summary:
Gentoo is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to obtain sensitive information and gain access to SSL private encryption keys. Information obtained may aid in further attacks.

The issue affects multiple ebuilds included in Gentoo Linux.

70. News-Template 'print.php' Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 28353
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28353
Summary:
News-Template is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

71. Yehe 'envoyer' Arbitrary File Upload Vulnerability
BugTraq ID: 28355
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28355
Summary:
Yehe is prone to a vulnerability that lets an attacker upload and execute arbitrary script code in the context of the affected webserver process. The issue occurs because the application fails to sufficiently sanitize user-supplied input.

This issue affects Yehe 2.0; other versions may also be vulnerable.

72. Elastic Path Multiple Input Validation Vulnerabilities
BugTraq ID: 28352
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28352
Summary:
Elastic Path is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.

These issues include:

- A local file-include vulnerability.
- An arbitrary file-upload vulnerability.
- A directory-traversal vulnerability.

Note that attackers must be logged into the application to exploit these issues.

Exploiting these issues can allow attackers to access potentially sensitive information or to execute arbitrary script code in the context of the webserver process. Other attacks may also be possible.

Elastic Path 4.1 and 4.1.1 are vulnerable; other versions may also be affected.

73. PowerPHPBoard 'settings[]' Parameter Multiple Local File Include Vulnerabilities
BugTraq ID: 28421
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28421
Summary:
PowerPHPBoard is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues using directory-traversal strings to execute local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.

PowerPHPBoard 1.00b is vulnerable; other versions may also be affected.

74. Mitsubishi Electric GB-50A Multiple Remote Authentication Bypass Vulnerabilities
BugTraq ID: 28406
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28406
Summary:
The Mitsubishi Electric GB-50A is prone to multiple authentication-bypass vulnerabilities.

Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible.

75. International Components for Unicode Library (libicu) Multiple Memory Corruption Vulnerabilities
BugTraq ID: 27455
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/27455
Summary:
The International Components for Unicode library (libicu) is prone to multiple memory-corruption vulnerabilities.

Successfully exploiting these issues allows remote attackers to corrupt and overflow memory and possibly execute remote code. Failed exploit attempts will likely crash applications.

These issues affect libicu 3.8.1 and prior versions.

76. RunCMS 'sections' Module 'artid' Parameter SQL Injection Vulnerability
BugTraq ID: 28378
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28378
Summary:
The RunCMS 'sections' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

77. RunCMS 'photo' Module 'cid' Parameter SQL Injection Vulnerability
BugTraq ID: 28395
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28395
Summary:
The RunCMS 'photo' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

78. phpAddressBook 'index.php' Local File Include Vulnerability
BugTraq ID: 28397
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28397
Summary:
phpAddressBook is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to execute local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.

phpAddressBook 2.11 is vulnerable to this issue; other versions may also be affected.

79. SurgeMail IMAP LSUB Command Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 28377
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28377
Summary:
SurgeMail is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input.

Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected service. Failed exploit attempts will likely result in denial-of-service conditions.

SurgeMail 3.8k4 is vulnerable; other versions may also be affected.

80. PHP 5 'php_sprintf_appendstring()' Remote Integer Overflow Vulnerability
BugTraq ID: 28392
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28392
Summary:
PHP 5 is prone to an integer-overflow vulnerability because the software fails to ensure that integer values are not overrun.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of a webserver affected by the issue. Failed attempts will likely result in denial-of-service conditions.

PHP 5.2.5 and prior versions are vulnerable.

81. Joomla! and Mambo Alphacontent Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 28443
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28443
Summary:
The Alphacontent component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Alphacontent 2.5.8; other versions may also be affected.

82. LEADTOOLS Multimedia 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite Vulnerabilities
BugTraq ID: 28442
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28442
Summary:
LEADTOOLS Multimedia is prone to multiple vulnerabilities that allow attackers to overwrite arbitrary files. These issues affect multiple ActiveX controls.

An attacker can exploit these issues by enticing an unsuspecting victim to view a malicious HTML page.

Successfully exploiting these issues will allow the attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

LEADTOOLS Multimedia 15 is vulnerable; other versions may also be affected.

83. Novell eDirectory eMBox Utility 'edirutil' Command Unspecified Vulnerability
BugTraq ID: 28441
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28441
Summary:
Novell eDirectory is prone to an unspecified vulnerability that can result in unauthorized file access or denial of service.

This issue can be exploited by unauthenticated attackers.

eDirectory version 8.8 and prior as well as 8.7.3.9 and prior are affected.

84. e107 My_Gallery Plugin 'dload.php' Arbitrary File Download Vulnerability
BugTraq ID: 28440
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28440
Summary:
The e107 My_Gallery plugin is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks.

This issue affects My_Gallery 2.3; other versions may also be affected.

85. Multiple D-Link Products Multiple Cross-Site Scripting and Denial of Service Vulnerabilities
BugTraq ID: 28439
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28439
Summary:
Multiple D-Link products are prone to multiple cross-site scripting and denial-of-service vulnerabilities because the devices fail to properly handle user-supplied input.

An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

86. Clever Copy 'postview.php' SQL Injection Vulnerability
BugTraq ID: 28437
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28437
Summary:
Clever Copy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Clever Copy 3.0 is vulnerable; other versions may also be affected.

87. Aeries Browser Interface Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
BugTraq ID: 28436
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28436
Summary:
Aeries Browser Interface is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Aeries Browser Interface 3.8.3.14 is vulnerable; other versions may also be affected.

88. Bomba Haber 'haberoku.php' SQL Injection Vulnerability
BugTraq ID: 28435
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28435
Summary:
Bomba Haber is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Bomba Haber 2.0 is vulnerable; other versions may also be affected.

89. Orb Networks Orb RPC Request Remote Integer Overflow Vulnerability
BugTraq ID: 28431
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28431
Summary:
Orb is prone to a remote integer-overflow vulnerability.

A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the application, denying service to legitimate users.

The issue affects Orb 2.00.1014; other versions may also be vulnerable.

90. CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 28268
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28268
Summary:
The Unicenter DSM r11 List Control ATX ActiveX control, included with CA BrightStor ARCserve Backup, is prone to a buffer-overflow vulnerability because it fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of an application running the control (typically Internet Explorer). Failed attacks will cause denial-of-service conditions.

Unicenter DSM r11 List Control ATX 11.2.3.1895 on CA BrightStor ARCserve Backup r11.5 is vulnerable; other versions may also be affected.

91. Wireshark 0.99.7 Multiple Denial of Service Vulnerabilities
BugTraq ID: 28025
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28025
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may allow attackers to cause crashes and deny service to legitimate users of the application. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.

Wireshark 0.6.0 to 0.99.7 are affected.

92. PowerClan Footer.Inc.PHP Remote File Include Vulnerability
BugTraq ID: 21707
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/21707
Summary:
PowerClan is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

PowerClan 1.14a is vulnerable to this issue; other versions may also be affected.

93. S9Y Serendipity Trackbacks HTML Injection Vulnerability
BugTraq ID: 28298
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28298
Summary:
Serendipity is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to Serendipity 1.3 are vulnerable.

94. S9Y Serendipity 'Real Name' Field HTML Injection Vulnerability
BugTraq ID: 28003
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28003
Summary:
Serendipity is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to Serendipity 1.3-beta1 are vulnerable.

95. S9Y Serendipity Remote RSS sidebar Plugin Cross Site Scripting Vulnerability
BugTraq ID: 26783
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/26783
Summary:
S9Y Serendipity Remote RSS sidebar plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue allows an attacker to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to S9Y Serendipity 1.2.1.

96. xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities
BugTraq ID: 28370
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28370
Summary:
The 'xine-lib' library is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.

These issues affect xine-lib 1.1.11; other versions may also be affected.

97. Asterisk Call Authentication Security Bypass Vulnerability
BugTraq ID: 28310
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28310
Summary:
Asterisk is prone to a security-bypass vulnerability that allows attackers to make unauthenticated calls through the SIP channel driver.

Exploiting this issue may also aid in other attacks.

This issue affects the following versions:

Asterisk Open Source prior to 1.2.27
Asterisk Open Source prior to 1.4.18.1 and 1.4.19-rc3.
Asterisk Open Source prior to 1.6.0-beta6
Asterisk Business Edition all A versions
Asterisk Business Edition prior to B.2.5.1
Asterisk Business Edition prior to C.1.6.2
AsteriskNOW prior to 1.0.2
Asterisk Appliance Developer Kit prior to Asterisk 1.4 revision 109393
s800i (Asterisk Appliance) prior to 1.1.0.2

98. Asterisk Predictable HTTP Manager Session ID Security Bypass Vulnerability
BugTraq ID: 28316
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28316
Summary:
Asterisk is prone to a vulnerability that can allow an attacker to predict the 'manager' session ID in the AsteriskGUI HTTP server.

Attackers can exploit this issue to hijack 'manager' HTTP sessions, which can lead to further attacks.

99. Asterisk RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 28308
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28308
Summary:
Asterisk is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.

Exploiting these issues may allow an attacker to corrupt memory and cause denial-of-service conditions or potentially execute arbitrary code in the context of the application.

These issues affect the following versions:

Asterisk Open Source prior to 1.4.18.1 and 1.4.19-rc3.
Asterisk Open Source prior to 1.6.0-beta6
Asterisk Business Edition prior to C.1.6.1
AsteriskNOW prior to 1.0.2
Asterisk Appliance Developer Kit prior to Asterisk 1.4 revision 109386
s800i (Asterisk Appliance) prior to 1.1.0.2

100. bzip2 Unspecified File Handling Vulnerability
BugTraq ID: 28286
Remote: Yes
Last Updated: 2008-03-24
Relevant URL: http://www.securityfocus.com/bid/28286
Summary:
The 'bzip2' application is prone to a remote file-handling vulnerability because the application fails to properly handle malformed files.

Successful exploits may allow remote code to run, but this has not been confirmed. Exploit attempts will likely crash the application.

This issue affects bzip2 1.0.4; prior versions may also be affected.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Hacking contest highlights value of vulnerabilities
By: Robert Lemos
After a handful of critics slammed the modest cash prizes, larger bounties will be offered to the security pros that successfully compromise any of three laptops at a coming conference.
http://www.securityfocus.com/news/11510

2. House aims to scrutinize warrantless taps
By: Robert Lemos
The fight over a law to grant the U.S. government greater surveillance capabilities intensifies as House Democrats refuse to give telcos immunity for allowing past wiretaps without warrants.
http://www.securityfocus.com/news/11509

3. Browser makers focus on beating malware
By: Robert Lemos
Microsoft announces two features in Internet Explorer 8 aimed at better securing Web surfers, and Mozilla incorporates more security into Firefox 3.
http://www.securityfocus.com/news/11508

4. Law makers voice concerns over cybersecurity plan
By: Robert Lemos
Members of Congress seek more details of cyber attacks targeting the federal government and worry that the recently announced Cyber Initiative will undermine privacy.
http://www.securityfocus.com/news/11507

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. CanSecWest 2008 PWN2OWN - Mar 26-28
http://www.securityfocus.com/archive/82/489998

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #386
http://www.securityfocus.com/archive/88/489849

2. More along the lines of malware disinfection
http://www.securityfocus.com/archive/88/489751

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message, which you will have to answer. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

