WINDOWS CENTER: SecurityFocus Newsletter #447

SecurityFocus Newsletter #447
----------------------------------------

This issue is sponsored by IBM® Rational® AppScan

Failure to properly secure Web applications significantly impacts your ability to protect sensitive client and corporate data. IBM Rational AppScan is an automated scanner that monitors, identifies and helps remediate vulnerabilities.
Download a free trial of AppScan and see how it can help prevent against the threat of attack.
https://www.watchfire.com/securearea/appscan.aspx?id=701700000009T0r

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1.On the Border
2.Catch Them if You can
II. BUGTRAQ SUMMARY
1. Parallels Virtuozzo Containers VZPP Interface Change Pass Cross-Site Request Forgery Vulnerability
2. Smart Classified ADS and Smart Photo ADS 'view.cgi' Multiple Cross Site Scripting Vulnerabilities
3. exiftags Multiple Unspecified Buffer Overflow And Denial Of Service Vulnerabilities
4. EasyNews Multiple Input Validation Vulnerabilities
5. Phorum Multiple Unspecified SQL Injection Vulnerabilities
6. Microsoft Crypto API X.509 Certificate Validation Remote Information Disclosure Vulnerability
7. Sympa 'Content-Type' Header Remote Denial Of Service Vulnerability
8. LANDesk Management Suite TFTP service Directory Traversal Vulnerability
9. Xpdf PDFTOPS Multiple Integer Overflow Vulnerabilities
10. xine-lib Matroska Demuxer Remote Buffer Overflow Vulnerability
11. Sava's Place Sava's Link Manager 'category' Parameter SQL Injection Vulnerability
12. Sava's Place Sava's Link Manager 'index.php' Local File Include Vulnerability
13. Sava's Place Sava's Guestbook 'index.php' Local File Include Vulnerability
14. Chilkat Email 'ChilkatCert.dll' ActiveX Control Insecure Method Vulnerability
15. Xine DirectShow Loader Remote Buffer Overflow Vulnerability
16. xine-lib 'sdpplin_parse()' Remote Buffer Overflow Vulnerability
17. Neat weblog 'articleId' Parameter SQL Injection Vulnerability
18. JGS-Treffen 'jgs_treffen.php' SQL Injection Vulnerability
19. Macrovision InstallShield InstallScript OCI Untrusted Library Remote Code Execution Vulnerability
20. EfesTECH Video 'catID' Parameter SQL Injection Vulnerability
21. Apache mod_jk2 Host Header Multiple Stack Based Buffer Overflow Vulnerabilities
22. MPlayer 'demux_audio.c' Remote Stack Based Buffer Overflow Vulnerability
23. MPlayer DMO File Parsing Buffer Overflow Vulnerability
24. Cisco IOS Multiple DLSw Denial of Service Vulnerablities
25. PHP Spam Manager 'body.php' Local File Include Vulnerability
26. OpenSSH ForceCommand Command Execution Weakness
27. KwsPHP Archives Module 'id' Parameter SQL Injection Vulnerability
28. RETIRED: Dokeos Multiple Remote Code Execution and Cross-Site Scripting Vulnerabilities
29. RETIRED: eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability
30. KwsPHP Galerie Module 'id_gal' Parameter SQL Injection Vulnerability
31. Parallels Virtuozzo Containers VZPP Interface File Manger Cross-Site Request Forgery Vulnerability
32. PhpBlock 'basicfogfactory.class.php' Remote File Include Vulnerability
33. Drupal Flickr Module Multiple Unspecified Cross-Site Scripting Vulnerabilities
34. mcGallery 'lang' Parameter Multiple Cross Site Scripting Vulnerabilities
35. Gnome Desktop Screensaver NIS Authentication Local Unauthorized Access Vulnerability
36. Microsoft April 2008 Advance Notification Multiple Vulnerabilities
37. Sun Java RunTime Environment Read and Write Permission Multiple Privilege Escalation Vulnerabilities
38. Sun Java SE Multiple Security Vulnerabilities
39. Sun Java Runtime Environment Image Parsing Heap Buffer Overflow Vulnerability
40. RealNetworks RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability
41. Cisco Unified Communications Disaster Recovery Framework Remote Command Execution Vulnerability
42. Joomla! and Mambo Joomlearn LMS Component 'cat' Parameter SQL Injection Vulnerability
43. Microsoft Visual InterDev SLN File Buffer Overflow Vulnerability
44. Sentinel Protection Server/Keys Server Backslash Directory Traversal Vulnerability
45. Mozilla Thunderbird/Seamonkey/Firefox 2.0.0.12 Multiple Remote Vulnerabilities
46. JBoss Seam 'order' Parameter SQL Injection Vulnerability
47. JFreeChart Multiple HTML Injection Vulnerabilities
48. OpenOffice HSQLDB Database Engine Unspecified Java Code Execution Vulnerability
49. Xpdf Multiple Remote Stream.CC Vulnerabilities
50. XnView FontName Buffer Overflow Vulnerability
51. Online FlashQuiz Joomla! Component 'db_config.inc.php' Remote File Include Vulnerability
52. DivXDB 2002 Multiple Cross-Site Scripting Vulnerabilities
53. DaZPHP 'makepost.php' Local File Include Vulnerability
54. Opera Web Browser 9.26 Multiple Security Vulnerabilities
55. LANDesk Management Suite 8.80.1.1 PXE TFTP Service Directory Traversal Vulnerability
56. Sun Solaris 'inetd(1M)' Daemon Insecure Temporary File Creation Vulnerability
57. OpenSSH X connections Session Hijacking Vulnerability
58. CUPS 'gif_read_lzw()' GIF File Buffer Overflow Vulnerability
59. CUPS CGI Interface Remote Buffer Overflow Vulnerability
60. CUPS Multiple Unspecified Input Validation Vulnerabilities
61. CUPS 'process_browse_data()' Remote Double Free Denial of Service Vulnerability
62. Apple QuickTime Multiple Remote Vulnerabilities
63. Nuked-Klan HTTP Referer Header SQL Injection Vulnerability
64. suPHP Multiple Local Privilege Escalation Vulnerabilities
65. bzip2 Unspecified File Handling Vulnerability
66. MySQL Security Invoker Privilege Escalation Vulnerability
67. Secure Computing WebWasher Malformed URL Remote Denial of Service Vulnerability
68. kses Multiple Input Validation Vulnerabilities
69. Drupal Webform Module Multiple Unspecified HTML Injection Vulnerabilities
70. Simple Gallery 'album' Parameter Cross-Site Scripting Vulnerability
71. Orbit Downloader 'Download Failed' Remote Buffer Overflow Vulnerability
72. Microsoft Internet Explorer 'ieframe.dll' Script Injection Vulnerability
73. Microsoft Internet Explorer XDR Prototype Hijacking Denial of Service Vulnerability
74. Symantec AutoFix Tool ActiveX Control Remote Share 'launchProcess()' Insecure Method Vulnerability
75. Symantec AutoFix Support Tool 'SYMADATA.DLL' ActiveX Control Remote Buffer Overflow Vulnerability
76. EasySite 'EASYSITE_BASE' Parameter Multiple Remote File Include Vulnerabilities
77. Apache-SSL Environment Variable Information Disclosure and Privilege Escalation Vulnerability
78. HP OpenView Network Node Manager 'OVAS.EXE' Buffer Overflow Vulnerability
79. Joomla! and Mambo actualite Component 'id' Parameter SQL Injection Vulnerability
80. Novell eDirectory HTTP HEAD Request Handling Denial Of Service Vulnerability
81. Novell NetWare iPrint Request Handling Denial Of Service Vulnerability
82. phpMyAdmin Local Information Disclosure Vulnerability
83. IBM DB2 Content Manager Unspecified Security Vulnerability
84. McAfee ePolicy Orchestrator 'FrameworkService.exe' Remote Denial of Service Vulnerability
85. Writer's Block 'permalink.php' SQL Injection Vulnerability
86. NoticeWare Corporation NoticeWare Email Server Denial Of Service Vulnerability
87. HP Select Identity Local Unauthorized Access Vulnerability
88. bamaGalerie 'viewcat.php' SQL Injection Vulnerability
89. CenterIM URI Hanlding Remote Arbitrary Command Execution Vulnerability
90. xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities
91. PostgreSQL Multiple Privilege Escalation and Denial of Service Vulnerabilities
92. Cisco IOS Dual-stack Router IPv6 Denial Of Service Vulnerability
93. Terracotta 'index.php' Local File Include Vulnerability
94. Joomla! and Mambo Ahsshop Component 'vara' Parameter SQL Injection Vulnerability
95. Comix 'filename' Remote Command Execution Vulnerability
96. Red Hat 'capp-lspp-config' Local Privilege Escalation Vulnerability
97. Chilkat HTTP 'ChilkatHttp.dll' ActiveX Control Insecure Method Vulnerabilities
98. FaScript Faphoto 'show.php' SQL Injection Vulnerability
99. eggBlog 'eggblogpassword' SQL Injection Vulnerability
100. Trend Micro ServerProtect Multiple Remote Insecure Method Exposure Vulnerabilities
III. SECURITYFOCUS NEWS
1. Web developers, fix thy Flash
2. Hacking contest highlights value of vulnerabilities
3. House aims to scrutinize warrantless taps
4. Browser makers focus on beating malware
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Application Security Engineer, San Diego
2. [SJ-JOB] Application Security Engineer, Anywhere in Washington, Telecommute, Travel
3. [SJ-JOB] Application Security Engineer, Anywhere in Oregon, Telecommute, Travel
4. [SJ-JOB] Application Security Engineer, Anywhere in Washington, Telecommute, Travel
5. [SJ-JOB] Director, Information Security, San Francisco Bay Area
V. INCIDENTS LIST SUMMARY
1. SPAM drop?
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Windows Vista winsat.exe Integer Overflow
2. Immunity Debugger v1.5
VII. MICROSOFT FOCUS LIST SUMMARY
1. More along the lines of malware disinfection
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1.On the Border
By Mark Rasch
Recently, I was going through an airport with my shoes, coat, jacket, and belt off as well as with my carry-on bag, briefcase, and laptop all separated for easy inspection. I was heading through security at the Washington D.C., Ronald Reagan National Airport in Arlington, Virginia, or "National" as we locals call it. As I passed through the new magnetometer which gently puffed air all over my body -- which to me seems to be a cross between a glaucoma test and Marilyn Monroe in Gentlemen Prefer Blondes -- a TSA employee absent-mindedly asked if he could "inspect" my laptop computer. While the inspection was cursory, the situation immediately gave me pause: What was in my laptop anyway?
http://www.securityfocus.com/columnists/469

2.Catch Them if You Can
By Don Parker
High-profile network security breaches have proliferated over the past few years. While many "breaches" consist of lost data or a stolen laptop, true breaches -- where a online attacker compromises a network and removes data -- have become very common
http://www.securityfocus.com/columnists/468

II. BUGTRAQ SUMMARY
--------------------
1. Parallels Virtuozzo Containers VZPP Interface Change Pass Cross-Site Request Forgery Vulnerability
BugTraq ID: 28593
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28593
Summary:
Parallels Virtuozzo Containers is prone to a cross-site request-forgery vulnerability.

Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers.

Virtuozzo Containers 3.0.0-25.4.swsoft is vulnerable; other versions are also affected.

2. Smart Classified ADS and Smart Photo ADS 'view.cgi' Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 28595
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28595
Summary:
Smart Classified ADS and Smart Photo ADS are prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected site. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

3. exiftags Multiple Unspecified Buffer Overflow And Denial Of Service Vulnerabilities
BugTraq ID: 26892
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/26892
Summary:
The 'exiftags' utility is prone to multiple unspecified buffer-overflow and denial-of-service vulnerabilities.

An attacker can exploit these issues to deny access to legitimate users. Attackers may also be able to execute arbitrary code, but this has not been confirmed.

Very few technical details are currently available. We will update this BID as more information emerges.

These issues affect versions prior to exiftags 1.01.

4. EasyNews Multiple Input Validation Vulnerabilities
BugTraq ID: 28542
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28542
Summary:
EasyNews is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include SQL-injection, cross-site scripting, and local file-include vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, execute arbitrary local scripts, retrieve potentially sensitive information, or exploit latent vulnerabilities in the underlying database.

These issues affect EasyNews 4.0tr; other versions may also be vulnerable.

5. Phorum Multiple Unspecified SQL Injection Vulnerabilities
BugTraq ID: 28540
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28540
Summary:
Phorum is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Phorum 5.2.6 are vulnerable.

6. Microsoft Crypto API X.509 Certificate Validation Remote Information Disclosure Vulnerability
BugTraq ID: 28548
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28548
Summary:
Microsoft's Crypto API library is prone to an information-disclosure vulnerability because HTTP requests to arbitrary hosts and ports may be automatically triggered when validating X.509 certificates.

Successful exploits allow attackers to trigger HTTP requests to arbitrary hosts and ports without confirmation or notification to unsuspecting users. Attackers may use this for determining when email and documents are read, for port scanning, or for aiding in other attacks.

The following products are known to exhibit this issue:

Microsoft Outlook 2007
Microsoft Windows Live Mail 2008
Microsoft Office 2007

Other products that use the Crypto API provided by Windows may also be affected.

7. Sympa 'Content-Type' Header Remote Denial Of Service Vulnerability
BugTraq ID: 28539
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28539
Summary:
Sympa is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted 'Content-Type' headers.

An attacker can exploit this issue to cause the application to crash. Successful attacks will deny service to legitimate users.

Versions prior to Sympa 5.4 are affected.

8. LANDesk Management Suite TFTP service Directory Traversal Vulnerability
BugTraq ID: 28535
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28535
Summary:
LANDesk Management Suite is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue allows an attacker to access arbitrary files outside of the TFTP application's root directory. This can expose sensitive information that could help the attacker launch further attacks.

LANDesk Management Suite 8.8 as well as 8.7 SP5 and prior service packs are vulnerable.

9. Xpdf PDFTOPS Multiple Integer Overflow Vulnerabilities
BugTraq ID: 11501
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/11501
Summary:
The pdftops utility is reported prone to multiple integer-overflow vulnerabilities because it fails to properly ensure that user-supplied input doesn't result in the overflowing of integer values. This may result in data being copied past the end of a memory buffer.

These overflows cause the application to allocate memory regions that are smaller than expected. Subsequent operations are likely to overwrite memory regions past the end of the allocated buffer, allowing attackers to overwrite critical memory control structures. This may allow attackers to control the flow of execution and potentially execute attacker-supplied code in the context of the affected application.

Applications using embedded xpdf code may be vulnerable to these issues as well.

10. xine-lib Matroska Demuxer Remote Buffer Overflow Vulnerability
BugTraq ID: 28543
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28543
Summary:
The 'xine-lib' library is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to cause denial-of-service conditions and possibly execute arbitrary code in the context of applications that use the library.

Versions prior to xine-lib 1.1.10.1 are vulnerable.

11. Sava's Place Sava's Link Manager 'category' Parameter SQL Injection Vulnerability
BugTraq ID: 28538
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28538
Summary:
Sava's Link Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Sava's Link Manager 2.0 is vulnerable; other versions may also be affected.

12. Sava's Place Sava's Link Manager 'index.php' Local File Include Vulnerability
BugTraq ID: 28537
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28537
Summary:
Sava's Link Manager is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

The issue affects Sava's Link Manager 2.0; other versions may be vulnerable as well.

13. Sava's Place Sava's Guestbook 'index.php' Local File Include Vulnerability
BugTraq ID: 28536
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28536
Summary:
Sava's Guestbook is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

The issue affects Sava's Guestbook 2.0; other versions may be vulnerable as well.

14. Chilkat Email 'ChilkatCert.dll' ActiveX Control Insecure Method Vulnerability
BugTraq ID: 27493
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/27493
Summary:
Chilkat Email ActiveX control is prone to a vulnerability that allows attackers to create or overwrite arbitrary data with the privileges of the application using the control (typically Internet Explorer).

Successful exploits can compromise affected computers or cause denial-of-service conditions; other attacks are possible.

This issue affects the 'ChilkatCert.dll' library of the Chilkat Email ActiveX control 7.8; other versions may also be affected.

15. Xine DirectShow Loader Remote Buffer Overflow Vulnerability
BugTraq ID: 22933
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/22933
Summary:
Xine is prone to a remote buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied input into finite-sized buffers.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.

16. xine-lib 'sdpplin_parse()' Remote Buffer Overflow Vulnerability
BugTraq ID: 28312
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28312
Summary:
The 'xine-lib' library is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.

This issue affects xine-lib 1.1.10.1; other versions may also be vulnerable.

17. Neat weblog 'articleId' Parameter SQL Injection Vulnerability
BugTraq ID: 28534
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28534
Summary:
Neat weblog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Neat weblog 0.2 is vulnerable; other versions may also be affected.

18. JGS-Treffen 'jgs_treffen.php' SQL Injection Vulnerability
BugTraq ID: 28530
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28530
Summary:
The JGS-Treffen addon for WoltLab Burning Board is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

This issue affects JGS-Treffen 2.0.2 and prior versions.

19. Macrovision InstallShield InstallScript OCI Untrusted Library Remote Code Execution Vulnerability
BugTraq ID: 28533
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28533
Summary:
Macrovision InstallShield InstallScript OCI (One-Click Install) is prone to a remote code-execution vulnerability because it fails to adequately sanitize user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary code with the permissions of the user running the application.

20. EfesTECH Video 'catID' Parameter SQL Injection Vulnerability
BugTraq ID: 28532
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28532
Summary:
EfesTECH Video is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

EfesTECH Video 5.0 is vulnerable; other versions may also be affected.

21. Apache mod_jk2 Host Header Multiple Stack Based Buffer Overflow Vulnerabilities
BugTraq ID: 27752
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/27752
Summary:
Apache mod_jk2 is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.

Successful exploits may allow attackers to execute arbitrary code in the context of a vulnerable application; failed attempts will likely cause denial-of-service conditions.

Versions prior to mod_jk2 2.0.4 are vulnerable.

NOTE: mod_jk2 is a legacy branch of mod_jk that is now deprecated; mod_jk is a currently supported module and is reportedly unaffected by these issues.

22. MPlayer 'demux_audio.c' Remote Stack Based Buffer Overflow Vulnerability
BugTraq ID: 27441
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/27441
Summary:
MPlayer is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

MPlayer 1.0 rc2 is vulnerable; other versions may also be affected.

23. MPlayer DMO File Parsing Buffer Overflow Vulnerability
BugTraq ID: 22771
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/22771
Summary:
MPlayer is prone to a buffer-overflow vulnerability when it attempts to process malformed video files. This issue occurs because the application fails to perform proper bounds-checking on user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

MPlayer 1.0rc1 is vulnerable to this issue; previous versions may also be affected.

24. Cisco IOS Multiple DLSw Denial of Service Vulnerablities
BugTraq ID: 28465
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28465
Summary:
Cisco IOS is prone to multiple remote denial-of-service vulnerabilities because the software fails to properly handle malformed network datagrams.

Successfully exploiting these issues allows remote attackers to trigger memory leaks or crashes in targeted devices. This will lead to denial-of-service conditions.

These issues are tracked by Cisco Bug ID CSCsk73104.

25. PHP Spam Manager 'body.php' Local File Include Vulnerability
BugTraq ID: 28529
Remote: Yes
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28529
Summary:
PHP Spam Manager is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.

PHP Spam Manager 0.53 beta is vulnerable; other versions may also be affected.

26. OpenSSH ForceCommand Command Execution Weakness
BugTraq ID: 28531
Remote: No
Last Updated: 2008-04-01
Relevant URL: http://www.securityfocus.com/bid/28531
Summary:
OpenSSH is prone to a weakness that may allow attackers to execute arbitrary commands.

Successful exploits may allow attackers to execute arbitrary commands, contrary to the wishes of administrators and bypassing the intent of the 'ForceCommand' option.

Versions prior to OpenSSH 4.9 are vulnerable.

27. KwsPHP Archives Module 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 28592
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28592
Summary:
KwsPHP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

KwsPHP 1.3.456 is vulnerable; other versions may also be affected.

28. RETIRED: Dokeos Multiple Remote Code Execution and Cross-Site Scripting Vulnerabilities
BugTraq ID: 28121
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28121
Summary:
Dokeos is prone to multiple unspecified cross-site scripting vulnerabilities and multiple unspecified remote code-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Attackers can exploit these issues to execute arbitrary code in the context of the webserver, compromise the affected application, and steal cookie-based authentication credentials from legitimate users of the site. Other attacks are also possible.

These issues affect Dokeos 1.8.4 prior to SP3.

NOTE: This BID is now retired. It has been incorporated into BID 28599 (kses Multiple Input Validation Vulnerabilities), because the underlying problems are caused by the kses HTML filter.

29. RETIRED: eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability
BugTraq ID: 28424
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28424
Summary:
eGroupWare is prone to a vulnerability that allows arbitrary code to bypass HTML filtering.

An attacker can exploit this issue to execute arbitrary script code in the context of the application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to eGroupWare 1.4.003 are vulnerable; other versions may also be affected.

NOTE: This BID is now retired. It has been incorporated into BID 28599 (kses Multiple Input Validation Vulnerabilities), because the underlying problems are caused by the kses HTML filter.

30. KwsPHP Galerie Module 'id_gal' Parameter SQL Injection Vulnerability
BugTraq ID: 28590
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28590
Summary:
KwsPHP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

KwsPHP 1.3.456 is vulnerable; other versions may also be affected.

31. Parallels Virtuozzo Containers VZPP Interface File Manger Cross-Site Request Forgery Vulnerability
BugTraq ID: 28589
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28589
Summary:
Parallels Virtuozzo Containers is prone to a cross-site request-forgery vulnerability.

Exploiting the issue will allow a remote attacker to use a victim's currently active session to perform certain file-management actions with the privileges of the user running the application. Successful exploits will compromise affected computers.

Virtuozzo Containers 3.0.0-25.4.swsoft and 4.0.0-365.6.swsoft are vulnerable; other versions are also affected.

32. PhpBlock 'basicfogfactory.class.php' Remote File Include Vulnerability
BugTraq ID: 28588
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28588
Summary:
PhpBlock is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

PhpBlockhttp://sourceforge.net/forum/forum.php?forum_id=804801 A8.4 is vulnerable; other versions may also be affected.

33. Drupal Flickr Module Multiple Unspecified Cross-Site Scripting Vulnerabilities
BugTraq ID: 28594
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28594
Summary:
The Flickr module for Drupal is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect Flickr 5.x prior to 5.x-1.3 and 6.x prior to 6.x-1.0-alpha1.

34. mcGallery 'lang' Parameter Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 28587
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28587
Summary:
mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

mcGallery 1.1 is vulnerable; other versions may also be affected.

35. Gnome Desktop Screensaver NIS Authentication Local Unauthorized Access Vulnerability
BugTraq ID: 28575
Remote: No
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28575
Summary:
Gnome Desktop is prone to a local unauthorized-access vulnerability.

A local attacker can exploit this issue to gain access to the affected computer. Successfully exploiting this issue may lead to other attacks.

36. Microsoft April 2008 Advance Notification Multiple Vulnerabilities
BugTraq ID: 28598
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28598
Summary:
Microsoft has released advance notification that the vendor will be releasing eight security bulletins on April 8, 2008. The highest severity rating for these issues is 'Critical'.

Successfully exploiting these issues may allow remote or local attackers to compromise affected computers.

37. Sun Java RunTime Environment Read and Write Permission Multiple Privilege Escalation Vulnerabilities
BugTraq ID: 27650
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/27650
Summary:
Sun Java Runtime Environment is prone to multiple privilege-escalation vulnerabilities when running untrusted applications or applets.

Successful exploits will compromise arbitrary data and possibly the underlying computer.

These issues affect the following versions:

JDK and JRE 6 Update 1 and earlier
JDK and JRE 5.0 Update 13 and earlier.

38. Sun Java SE Multiple Security Vulnerabilities
BugTraq ID: 28083
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28083
Summary:
Sun has released advisories addressing multiple vulnerabilities affecting the following software:

JDK and JRE 6 Update 5
JDK and JRE 5.0 Update 15
SDK and JRE 1.4.2_17
SDK and JRE 1.3.1_22

39. Sun Java Runtime Environment Image Parsing Heap Buffer Overflow Vulnerability
BugTraq ID: 28125
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28125
Summary:
Sun Java Runtime Environment is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.

This issue affects the following products and versions:

JDK and JRE 6 prior to Update 5
JDK and JRE 5.0 prior to Update 15
SDK and JRE prior to 1.4.2_17
SDK and JRE prior to 1.3.1_22

This vulnerability was previously covered in BID 28083 (Sun Java SE Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

40. RealNetworks RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability
BugTraq ID: 28157
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28157
Summary:
RealNetworks RealPlayer 'rmoc3260.dll' ActiveX control is prone to a memory-corruption vulnerability.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely crash the application.

41. Cisco Unified Communications Disaster Recovery Framework Remote Command Execution Vulnerability
BugTraq ID: 28591
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28591
Summary:
Multiple Cisco Unified Communications products are prone to a remote command-execution vulnerability. This issue occurs in the Disaster Recovery Framework.

An attacker can exploit this issue to execute arbitrary commands with full administrative privileges.

The following products are affected:

Cisco Unified Communications Manager (CUCM) 5.x and 6.x
Cisco Unified Communications Manager Business Edition
Cisco Unified Presence 1.x and 6.x
Cisco Emergency Responder 2.x
Cisco Mobility Manager 2.x

42. Joomla! and Mambo Joomlearn LMS Component 'cat' Parameter SQL Injection Vulnerability
BugTraq ID: 28586
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28586
Summary:
The Joomlearn LMS component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

43. Microsoft Visual InterDev SLN File Buffer Overflow Vulnerability
BugTraq ID: 27250
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/27250
Summary:
Microsoft Visual InterDev is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects Visual InterDev 6.0; other versions may also be affected.

44. Sentinel Protection Server/Keys Server Backslash Directory Traversal Vulnerability
BugTraq ID: 27735
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/27735
Summary:
Sentinel Protection Server and Keys Server are prone to a directory-traversal vulnerability because the software fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.

This issue affects Protection Server 7.4.1.0 and Keys Server 1.0.4; earlier versions may also be vulnerable.

NOTE: This issue may be caused by an incomplete security patch released in November 2007 that was documented in BID 26583 ('Sentinel Protection Server/Keys Server Directory Traversal Vulnerability').

45. Mozilla Thunderbird/Seamonkey/Firefox 2.0.0.12 Multiple Remote Vulnerabilities
BugTraq ID: 28448
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28448
Summary:
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox 2.0.0.12 and prior versions.

Exploiting these issues can allow attackers to:

- steal authentication credentials
- obtain potentially sensitive information
- violate the same-origin policy
- execute scripts with elevated privileges
- cause denial-of-service conditions
- potentially execute arbitrary code
- perform cross-site request-forgery attacks

Other attacks are possible.

These issues are present in Firefox 2.0.0.12 and prior versions. Many of these issues are present in Mozilla Thunderbird 2.0.0.12 and prior versions as well as SeaMonkey 1.1.8 and prior versions.

46. JBoss Seam 'order' Parameter SQL Injection Vulnerability
BugTraq ID: 26850
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/26850
Summary:
JBoss Seam is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise applications using the JBoss Seam framework, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects versions prior to JBoss Seam 2.0.0 GA.

47. JFreeChart Multiple HTML Injection Vulnerabilities
BugTraq ID: 26752
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/26752
Summary:
JFreeChart is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

These issues affect JFreeChart 1.0.8; other versions may be affected as well.

48. OpenOffice HSQLDB Database Engine Unspecified Java Code Execution Vulnerability
BugTraq ID: 26703
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/26703
Summary:
OpenOffice is prone to a code-execution vulnerability.

Successful exploits allow remote attackers to execute arbitrary Java code in the context of the vulnerable application.

Versions prior to OpenOffice 2.3.1 are vulnerable.

49. Xpdf Multiple Remote Stream.CC Vulnerabilities
BugTraq ID: 26367
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/26367
Summary:
Xpdf is prone to multiple remote vulnerabilities because of flaws in various functions in the 'Stream.cc' source file.

Attackers exploit these issues by coercing users to view specially crafted PDF files with the affected application.

Successfully exploiting these issues allows attackers to execute arbitrary machine code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.

Xpdf 3.02pl1 is vulnerable to these issues; other versions may also be affected.

50. XnView FontName Buffer Overflow Vulnerability
BugTraq ID: 28579
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28579
Summary:
XnView is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial of service.

This issue affects XnView 1.92.1; other versions may also be vulnerable.

51. Online FlashQuiz Joomla! Component 'db_config.inc.php' Remote File Include Vulnerability
BugTraq ID: 28574
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28574
Summary:
The Elearningforce Online FlashQuiz component for Joomla! is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Online FlashQuiz 1.0.2 is vulnerable; other versions may also be affected.

52. DivXDB 2002 Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 28566
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28566
Summary:
DivXDB 2002 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

DivXDB 2002 0.94b is vulnerable; other versions may also be affected.

53. DaZPHP 'makepost.php' Local File Include Vulnerability
BugTraq ID: 28582
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28582
Summary:
DaZPHP is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.

DaZPHP 0.1 is vulnerable; other versions may also be affected.

54. Opera Web Browser 9.26 Multiple Security Vulnerabilities
BugTraq ID: 28585
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28585
Summary:
Opera Web Browser is prone to multiple security vulnerabilities that may allow remote attackers to execute code.

These issues lead to memory corruption and may result in remote unauthorized access and denial-of-service attacks.

Versions prior to Opera 9.27 are vulnerable.

55. LANDesk Management Suite 8.80.1.1 PXE TFTP Service Directory Traversal Vulnerability
BugTraq ID: 28577
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28577
Summary:
LANDesk Management Suite is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

LANDesk Management Suite 8.80.1.1 is vulnerable; other versions may also be affected.

56. Sun Solaris 'inetd(1M)' Daemon Insecure Temporary File Creation Vulnerability
BugTraq ID: 28584
Remote: No
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28584
Summary:
Sun Solaris 'inetd(1M)' creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

This issue affects Sun Solaris 10 for SPARC and x86 platforms.

57. OpenSSH X connections Session Hijacking Vulnerability
BugTraq ID: 28444
Remote: No
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28444
Summary:
OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections.

Successfully exploiting this issue may allow an attacker run arbitrary shell commands with the privileges of the user running the affected application.

This issue affects OpenSSH 4.3p2; other versions may also be affected.

NOTE: This issue affects the portable version of OpenSSH and may not affect OpenSSH running on OpenBSD.

58. CUPS 'gif_read_lzw()' GIF File Buffer Overflow Vulnerability
BugTraq ID: 28544
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28544
Summary:
CUPS is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied GIF image data before copying it to an insufficiently sized buffer.

Successful exploits allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts likely cause denial-of-service conditions.

CUPS 1.3.6 is vulnerable; other versions may also be affected.

59. CUPS CGI Interface Remote Buffer Overflow Vulnerability
BugTraq ID: 28307
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28307
Summary:
CUPS is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

CUPS 1.3.5 is reported vulnerable; other versions may be affected as well.

NOTE: This issue was originally covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record because further information has emerged.

60. CUPS Multiple Unspecified Input Validation Vulnerabilities
BugTraq ID: 28334
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28334
Summary:
CUPS is prone to multiple unspecified input-validation vulnerabilities.

An attacker can exploit these issues to execute arbitrary code with SYSTEM-privileges. Failed attacks will cause denial-of-service conditions.

Very few technical details are currently available. We will update this BID as more information is disclosed.

NOTE: This vulnerability was previously covered in BID 28304 (Apple Mac OS X 2008-002 Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

61. CUPS 'process_browse_data()' Remote Double Free Denial of Service Vulnerability
BugTraq ID: 27906
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/27906
Summary:
CUPS is prone to a remote denial-of-service vulnerability because it fails to protect against a double-free condition.

Attackers may exploit this issue to crash the application, denying service to legitimate users. Remote code execution may also be possible, but this has not been confirmed.

CUPS 1.3.5 is vulnerable to this issue; other versions may also be affected.

62. Apple QuickTime Multiple Remote Vulnerabilities
BugTraq ID: 28583
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28583
Summary:
Apple QuickTime is prone to multiple remote vulnerabilities that may allow remote attackers to obtain sensitive information, execute arbitrary code, and carry out denial-of-service attacks.

These issues arise when the application handles specially crafted Java applets, image files, and movie files. Successful exploits may allow attackers to obtain sensitive information, gain remote unauthorized access in the context of a vulnerable user, and trigger a denial-of-service condition.

Versions prior to QuickTime 7.4.5 are affected by these vulnerabilities.

63. Nuked-Klan HTTP Referer Header SQL Injection Vulnerability
BugTraq ID: 28578
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28578
Summary:
Nuked-Klan is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Nuked-Klan 1.7.6 is vulnerable; other versions may also be affected.

64. suPHP Multiple Local Privilege Escalation Vulnerabilities
BugTraq ID: 28568
Remote: No
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28568
Summary:
suPHP is prone to multiple local privilege-escalation vulnerabilities, due to various race conditions that occur in the affected application.

Successfully exploiting these issues will allow attackers to gain elevated privileges on the affected computer.

65. bzip2 Unspecified File Handling Vulnerability
BugTraq ID: 28286
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28286
Summary:
The 'bzip2' application is prone to a remote file-handling vulnerability because the application fails to properly handle malformed files.

Successful exploits may allow remote code to run, but this has not been confirmed. Exploit attempts will likely crash the application.

This issue affects bzip2 1.0.4; prior versions may also be affected.

66. MySQL Security Invoker Privilege Escalation Vulnerability
BugTraq ID: 24011
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/24011
Summary:
MySQL is prone to a privilege-escalation vulnerability because it fails to adequately restore access privileges during certain routines.

A remote authenticated attacker can exploit this issue to gain elevated privileges on an affected database.

These versions are vulnerable:

MySQL 5 prior to 5.0.40
MySQL 5.1 prior to 5.1.18

67. Secure Computing WebWasher Malformed URL Remote Denial of Service Vulnerability
BugTraq ID: 28600
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28600
Summary:
WebWasher is prone to a remote denial-of-service vulnerability.

Exploiting this issue allows remote attackers to crash the application, denying further service to legitimate users.

These issues affect the following versions:

- WebWasher 6.3.0 prior to build 3150
- WebWasher 5.3.0 prior to build 3159

68. kses Multiple Input Validation Vulnerabilities
BugTraq ID: 28599
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28599
Summary:
The kses HTML filter is prone to multiple input-validation vulnerabilities that can lead to client-side script execution.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PHP code-execution is also reportedly possible, but may only be exploitable in limited, unknown circumstances.

The issues affect multiple projects that have incorporated kses. The following are known to be affected:
- Dokeos in versions prior to 1.8.4 SP3
- eGroupWare in version prior to 1.4.003
- WordPress in versions prior to 2.5
- Moodle in versions prior to 1.9.

Other applications may also be affected.

These issues were previously documented in the following BIDs:
- 28424 eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability
- 28121 Dokeos Multiple Remote Code Execution and Cross-Site Scripting Vulnerabilities
Since these issues were determined to originate in the same kses-based source code, this BID has been created to cover all the affected packages.

69. Drupal Webform Module Multiple Unspecified HTML Injection Vulnerabilities
BugTraq ID: 28597
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28597
Summary:
The Webform module for Drupal is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

These issues affected Webform 5.x versions prior to 5.x-1.10 and 5.x-2.0-beta3, as well as, 6.x versions prior to 6.x-1.0-beta3.

70. Simple Gallery 'album' Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 28596
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28596
Summary:
Simple Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Simple Gallery 2.2 is vulnerable; other versions may also be affected.

71. Orbit Downloader 'Download Failed' Remote Buffer Overflow Vulnerability
BugTraq ID: 28541
Remote: Yes
Last Updated: 2008-04-03
Relevant URL: http://www.securityfocus.com/bid/28541
Summary:
Orbit Downloader is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects Orbit Downloader prior to version 2.6.5.

72. Microsoft Internet Explorer 'ieframe.dll' Script Injection Vulnerability
BugTraq ID: 28581
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28581
Summary:
Microsoft Internet Explorer is prone to a script-injection vulnerability when handling specially crafted requests to 'acr_error.htm' via the 'res://' protocol. The file resides in the 'ieframe.dll' dynamic-link library.

An attacker may leverage this issue to execute arbitrary code in the context of a user's browser. Successful exploits can allow the attacker to steal cookie-based authentication credentials, obtain potentially sensitive information stored on the victim's computer, and launch other attacks.

Internet Explorer 8 is vulnerable. Internet Explorer 7 is likely vulnerable as well, but this has not been confirmed.

73. Microsoft Internet Explorer XDR Prototype Hijacking Denial of Service Vulnerability
BugTraq ID: 28580
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28580
Summary:
Microsoft Internet Explorer is prone to a denial-of-service vulnerability.

An attacker may exploit this issue by enticing victims into opening a maliciously crafted webpage.

Successfully exploiting this issue will allow attackers to crash the application, denying service to legitimate users.

This issue affects Microsoft Internet Explorer 8 Beta 1.

74. Symantec AutoFix Tool ActiveX Control Remote Share 'launchProcess()' Insecure Method Vulnerability
BugTraq ID: 28509
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28509
Summary:
An ActiveX control in the Symantec AutoFix Tool is prone to a vulnerability due to an insecure method.

Attackers can leverage this issue to load an arbitrary file onto a victim's computer and then execute it with the privileges of the application running the control (typically Internet Explorer). This issue is exploitable only when a victim's computer is configured to allow remote connections to WebDav or SMB shares.

Successful exploits will compromise affected computers.

This issue affects the 'SYMADATA.DLL' 2.7.0.1 ActiveX control, which is part of the following Symantec products:

Norton 360 1.0
Norton AntiVirus 2006-2008
Norton Internet Security 2006-2008
Norton System Works 2006-2008

75. Symantec AutoFix Support Tool 'SYMADATA.DLL' ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 28507
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28507
Summary:
Symantec AutoFix Support Tool ActiveX control is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

NOTE: To exploit this issue, an attacker must entice an unsuspecting victim to to visit a malicious website masquerading as a trusted Symantec site.

This issue affects 'SYMADATA.DLL' 2.7.0.1 ActiveX control, which is part of the following Symantec products:

Norton 360 1.0
Norton AntiVirus 2006-2008
Norton Internet Security 2006-2008
Norton System Works 2006-2008

76. EasySite 'EASYSITE_BASE' Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 28563
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28563
Summary:
EasySite is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

EasySite 2.0 is vulnerable; other versions may also be affected.

77. Apache-SSL Environment Variable Information Disclosure and Privilege Escalation Vulnerability
BugTraq ID: 28576
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28576
Summary:
Apache-SSL is prone to a remote information-disclosure and privilege-escalation vulnerability because it fails to adequately validate user-supplied input.

An attacker can exploit this issue to obtain sensitive information or gain control of applications that use environment variables provided by Apache-SSL; this may lead to further attacks.

This issue affects Apache-SSL apache_1.3.34+ssl_1.57; other versions may also be vulnerable.

78. HP OpenView Network Node Manager 'OVAS.EXE' Buffer Overflow Vulnerability
BugTraq ID: 28569
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28569
Summary:
HP OpenView Network Node Manager is prone to a buffer-overflow vulnerability.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the Network Node Manager process. This facilitates the remote compromise of affected computers.

Network Node Manager 7.51 running on Microsoft Windows is affected by this issue; other versions and platforms may also be vulnerable.

79. Joomla! and Mambo actualite Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 28565
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28565
Summary:
The 'actualite' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

80. Novell eDirectory HTTP HEAD Request Handling Denial Of Service Vulnerability
BugTraq ID: 28572
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28572
Summary:
Novell eDirectory is prone to a denial-of-service vulnerability when handling specially crafted HTTP HEAD requests.

Remote attackers can exploit this issue to deny service to legitimate users.

eDirectory 8.8.2 is vulnerable; other versions may also be affected.

81. Novell NetWare iPrint Request Handling Denial Of Service Vulnerability
BugTraq ID: 28561
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28561
Summary:
Novell NetWare is prone to a denial-of-service vulnerability due to an unspecified error.

Remote attackers can exploit this issue to deny service to legitimate users.

The issue affects Novell NetWare 6.5; other versions may also be vulnerable.

82. phpMyAdmin Local Information Disclosure Vulnerability
BugTraq ID: 28560
Remote: No
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28560
Summary:
phpMyAdmin is prone to a local information-disclosure vulnerability because it fails to securely protect login credentials and secret keys.

Local attackers can exploit this issue to harvest sensitive information that may lead to further attacks.

Versions prior to phpMyAdmin 2.11.5.1 are affected.

83. IBM DB2 Content Manager Unspecified Security Vulnerability
BugTraq ID: 28567
Remote: No
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28567
Summary:
IBM DB2 Content Manager is prone to an unspecified security vulnerability.

Very few technical details are currently available. We will update this BID as more information emerges.

Versions prior to 8.3 Fix Pack 8 are vulnerable.

84. McAfee ePolicy Orchestrator 'FrameworkService.exe' Remote Denial of Service Vulnerability
BugTraq ID: 28573
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28573
Summary:
McAfee ePolicy Orchestrator is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying further service to legitimate users.

McAfee ePolicy Orchestrator 4.0 is vulnerable; other versions may also be affected.

85. Writer's Block 'permalink.php' SQL Injection Vulnerability
BugTraq ID: 28564
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28564
Summary:
Writer's Block is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Writer's Block 3.8 is vulnerable; other versions may also be affected.

86. NoticeWare Corporation NoticeWare Email Server Denial Of Service Vulnerability
BugTraq ID: 28559
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28559
Summary:
NoticeWare Email Server is prone to a denial-of-service vulnerability due to an unspecified error.

Remote attackers can exploit this issue to deny service to legitimate users.

The issue affects NoticeWare Email Server 4.6.1.0; other versions may also be vulnerable.

87. HP Select Identity Local Unauthorized Access Vulnerability
BugTraq ID: 28558
Remote: No
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28558
Summary:
HP Select Identity is prone to a local unauthorized-access vulnerability.

Successfully exploiting this issue may lead to privilege escalation, but this has not been confirmed.

88. bamaGalerie 'viewcat.php' SQL Injection Vulnerability
BugTraq ID: 28229
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28229
Summary:
bamaGalerie is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

89. CenterIM URI Hanlding Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 28362
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28362
Summary:
CenterIM is prone to a remote command-execution vulnerability.

Successful exploits can allow arbitrary commands to run in the context of the affected application.

CenterIM 4.22.3 is vulnerable; other versions may be affected as well.

90. xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities
BugTraq ID: 28370
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28370
Summary:
The 'xine-lib' library is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.

These issues affect xine-lib 1.1.11; other versions may also be affected.

91. PostgreSQL Multiple Privilege Escalation and Denial of Service Vulnerabilities
BugTraq ID: 27163
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/27163
Summary:
PostgreSQL is prone to multiple remote vulnerabilities, including:

- Three privilege-escalation vulnerabilities
- Three denial-of-service vulnerabilities

An attacker can exploit these issues to gain complete control of the affected application or to cause a denial-of-service condition.

These issues affect PostgreSQL 8.2, 8.1, 8.0, 7.4, and 7.3; other versions may also be affected.

92. Cisco IOS Dual-stack Router IPv6 Denial Of Service Vulnerability
BugTraq ID: 28461
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28461
Summary:
Cisco IOS-based dual-stack routers are prone to a denial-of-service vulnerability. This issue can occur when a specially crafted IPv6 packet is sent to the device. However, for an exploit to succeed, the device must have certain IPv4 UDP services enabled.

A successful exploit may cause the affected interface to stop responding, or in some scenarios, may crash the device.

Cisco has assigned Bug ID CSCse56501 to this vulnerability.

93. Terracotta 'index.php' Local File Include Vulnerability
BugTraq ID: 28550
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28550
Summary:
Terracotta is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.

94. Joomla! and Mambo Ahsshop Component 'vara' Parameter SQL Injection Vulnerability
BugTraq ID: 28549
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28549
Summary:
The Ahsshop component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

95. Comix 'filename' Remote Command Execution Vulnerability
BugTraq ID: 28547
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28547
Summary:
Comix is prone to a remote shell command-execution vulnerability because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Comix 3.6.4 is vulnerable; other versions may also be affected.

96. Red Hat 'capp-lspp-config' Local Privilege Escalation Vulnerability
BugTraq ID: 28557
Remote: No
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28557
Summary:
The 'capp-lspp-config' script is prone to a local privilege-escalation vulnerability because it creates insecure permissions on the '/etc/pam.d/system-auth-ac' file.

Local attackers can exploit this issue to escalate their privileges. This may lead to the complete compromise of affected computers.

This issue affects the 'lspp-eal4-config-ibm' and 'capp-lspp-eal4-config-hp' packages.

97. Chilkat HTTP 'ChilkatHttp.dll' ActiveX Control Insecure Method Vulnerabilities
BugTraq ID: 28546
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28546
Summary:
Chilkat HTTP ActiveX Control is prone to multiple vulnerabilities that allow attackers to overwrite arbitrary files. These issues affect multiple CLSIDs associated with the control.

An attacker can exploit these issues by enticing an unsuspecting victim to view a malicious HTML page.

Successfully exploiting these issues will allow the attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

Chilkat HTTP ActiveX control 2.3 is vulnerable; other versions may also be affected.

98. FaScript Faphoto 'show.php' SQL Injection Vulnerability
BugTraq ID: 28545
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/28545
Summary:
FaScript Faphoto is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Faphoto 1; other versions may also be affected.

99. eggBlog 'eggblogpassword' SQL Injection Vulnerability
BugTraq ID: 27168
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/27168
Summary:
eggBlog is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

This issue affects eggBlog 3.10; other versions may also be affected.

100. Trend Micro ServerProtect Multiple Remote Insecure Method Exposure Vulnerabilities
BugTraq ID: 26912
Remote: Yes
Last Updated: 2008-04-02
Relevant URL: http://www.securityfocus.com/bid/26912
Summary:
Trend Micro ServerProtect is prone to multiple vulnerabilities that let remote attackers gain full access to the filesystem. The issues occur because the application fails to properly restrict access to certain DCE/RPC methods.

Will full access to the filesystem, attackers may be able to execute arbitrary code with SYSTEM-level privileges and completely compromise affected computers.

These issues were reported to affect ServerProtect 5.58 (Security Patch 3). Earlier versions may also be affected.

Reports indicate that these vulnerabilities have been fixed in Security Patch 4.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Web developers, fix thy Flash
By: Robert Lemos
Flaws that allow cross-site scripting attacks through Adobe Flash files could let attackers compromise online accounts and local networks. Yet, Web publishers have been slow to fix their sites, a security researcher says.
http://www.securityfocus.com/news/11511

2. Hacking contest highlights value of vulnerabilities
By: Robert Lemos
After a handful of critics slammed the modest cash prizes, larger bounties will be offered to the security pros that successfully compromise any of three laptops at a coming conference.
http://www.securityfocus.com/news/11510

3. House aims to scrutinize warrantless taps
By: Robert Lemos
The fight over a law to grant the U.S. government greater surveillance capabilities intensifies as House Democrats refuse to give telcos immunity for allowing past wiretaps without warrants.
http://www.securityfocus.com/news/11509

4. Browser makers focus on beating malware
By: Robert Lemos
Microsoft announces two features in Internet Explorer 8 aimed at better securing Web surfers, and Mozilla incorporates more security into Firefox 3.
http://www.securityfocus.com/news/11508

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Application Security Engineer, San Diego
http://www.securityfocus.com/archive/77/490423

2. [SJ-JOB] Application Security Engineer, Anywhere in Washington, Telecommute, Travel
http://www.securityfocus.com/archive/77/490424

3. [SJ-JOB] Application Security Engineer, Anywhere in Oregon, Telecommute, Travel
http://www.securityfocus.com/archive/77/490425

4. [SJ-JOB] Application Security Engineer, Anywhere in Washington, Telecommute, Travel
http://www.securityfocus.com/archive/77/490426

5. [SJ-JOB] Director, Information Security, San Francisco Bay Area
http://www.securityfocus.com/archive/77/490422

V. INCIDENTS LIST SUMMARY
---------------------------
1. SPAM drop?
http://www.securityfocus.com/archive/75/490318

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Windows Vista winsat.exe Integer Overflow
http://www.securityfocus.com/archive/82/490297

2. Immunity Debugger v1.5
http://www.securityfocus.com/archive/82/490284

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. More along the lines of malware disinfection
http://www.securityfocus.com/archive/88/489751

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is sponsored by IBM® Rational® AppScan

News

Thursday, April 03, 2008

SecurityFocus Newsletter #447

No comments:

WINDOWS CENTER

Blog Archive