
Thursday, October 02, 2008

SecurityFocus Newsletter #473
----------------------------------------

This issue is sponsored by HP:

Download a FREE trial of HP WebInspect
Application attacks are growing more prevalent. New attacks are in the news each day. Now it's time for you to assess your applications and start detecting and removing vulnerabilities.
HP can help, with a full suite of application security solutions. Get started today with a complimentary trial download that uses an HP test application. Thoroughly analyze today's complex web applications in a runtime environment with fast scanning capabilities, broad assessment coverage and accurate web application scanning results.
Download WebInspect now: https://h10078.www1.hp.com/cda/hpdc/navigation.do?action=downloadBinStart&zn=bto&cp=54_4012_100__&caid=14563&jumpid=ex_r11374_us/en/large/tsg/WebInspect_Eval_Security_Focus/3-1QN6MIF_3-UTM2ZJ/20080920&origin_id=3-1QN6MIF


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Blaming the Good Samaritan
2. The Boston Trio and the MBTA
II. BUGTRAQ SUMMARY
1. Ultra Office Control 'HttpUpload()' Method Buffer Overflow Vulnerability
2. Multiple Vendors IPv6 Neighbor Discovery Protocol Implementation Address Spoofing Vulnerability
3. Citrix Presentation Server Unspecified Local Privilege Escalation Vulnerability
4. Multiple Vendor FTP Server Long Command Handling Security Vulnerability
5. pam_mount 'luserconf' Local Privilege Escalation Vulnerability
6. Mono 'System.Web' HTTP Header Injection Vulnerability
7. Trend Micro OfficeScan and Worry-Free Business Security Multiple Vulnerabilities
8. Hewlett-Packard Insight Diagnostics Unspecified Unauthorized Access Vulnerability
9. Concord Consortium CoAST 'header.php' Remote File Include Vulnerability
10. pfSense DHCPREQUEST Hostname HTML Injection Vulnerability
11. HP OpenView Network Node Manager 'ovalarmsrv.exe' Multiple Remote Vulnerabilities
12. OpenAFS Fileserver Denial of Service Vulnerability
13. MPlayer 'stream_read' Function Remote Heap Based Buffer Overflow Vulnerability
14. Nokia PC Suite Remote Buffer Overflow Vulnerability
15. LnBlog 'showblog.php' Local File Include Vulnerability
16. Pro Chat Rooms Multiple SQL Injection Vulnerabilities
17. Joomla Image Browser Component 'index.php' Directory Traversal Vulnerability
18. PlugSpace 'index.php' Local File Include Vulnerability
19. ParsaGostar ParsaWeb Multiple SQL Injection Vulnerabilities
20. ZoneAlarm HTTP Proxy Remote Denial of Service Vulnerability
21. FAAD2 Frontend 'decodeMP4file()' Heap Based Buffer Overflow Vulnerability
22. MySQL Empty Binary String Literal Remote Denial Of Service Vulnerability
23. RETIRED: SoftAcid Hotel Reservation System 'city.asp' SQL Injection Vulnerability
24. Acoustica Beatcraft '.bcproj' Instrument Title Buffer Overflow Vulnerability
25. Camera Life Arbitrary File Upload Vulnerability
26. PowerPortal 2 'path' Parameter Directory Traversal Vulnerability
27. Crux Gallery 'index.php' Local File Include Vulnerability
28. Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
29. OpenSSH ForceCommand Command Execution Weakness
30. Podcast Generator Multiple Remote And Local File Include Vulnerabilities
31. MySQL Quick Admin 'index.php' Local File Include Vulnerability
32. EC-CUBE SQL Injection and Cross-Site Scripting Vulnerabilities
33. GdPicture Pro 'gdpicture4s.ocx' ActiveX Control Arbitrary File Overwrite Vulnerability
34. Celoxis Multiple Cross-Site Scripting Vulnerabilities
35. ASPapp Knowledge Base 'catid' Parameter SQL Injection Vulnerability
36. Hardkap Pritlog 'filename' Parameter File Disclosure Vulnerability
37. Mozilla Firefox/SeaMonkey UTF-8 Stack-Based Buffer Overflow Vulnerability
38. Mozilla SeaMonkey/Thunderbird Newsgroup Cancel Message Handling Buffer Overflow Vulnerability
39. eFront Multiple Arbitrary File Upload Vulnerabilities
40. QEMU Security Bypass Vulnerability
41. Xen Para Virtualized Frame Buffer 'ioemu' Frontend Frame Buffer Denial of Service Vulnerability
42. Wireshark 0.99.8 Multiple Denial of Service Vulnerabilities
43. Debian xsabre Insecure Temporary File Creation Vulnerability
44. Linux kernel 'fs/direct-io.c' Local Denial of Service Vulnerability
45. Linux Kernel TTY Operations NULL Pointer Dereference Denial of Service Vulnerabilities
46. Linux Kernel 'snd_seq_oss_synth_make_info()' Information Disclosure Vulnerability
47. Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability
48. Linux Kernel BER Decoding Remote Buffer Overflow Vulnerability
49. Wireshark 1.0.1 Denial of Service Vulnerability
50. Wireshark 1.0.0 Multiple Vulnerabilities
51. Wireshark 1.0.2 Multiple Vulnerabilities
52. Wireshark 0.99.7 Multiple Denial of Service Vulnerabilities
53. eZoneScripts Adult Banner Exchange Website 'click.php' SQL Injection Vulnerability
54. Freeway Multiple SQL Injection Vulnerabilities
55. QuidaScript BookMarks Favourites Script 'id' Parameter SQL Injection Vulnerability
56. Flip4Mac WMV Unspecified Vulnerability
57. A4Desk Event Calendar 'v' Parameter Remote File Include Vulnerability
58. Mozilla Firefox User Interface Dispatcher Null Pointer Dereference Denial of Service Vulnerability
59. WordPress MU 'wp-admin/wpmu-blogs.php' Multiple Cross Site Scripting Vulnerabilities
60. Emacspeak 'extract-table.pl' Insecure Temporary File Creation Vulnerability
61. Rianxosencabos CMS 'id' Parameter SQL Injection Vulnerability
62. Juniper ScreenOS HTML Injection Vulnerability
63. phpscripts Ranking Script Cookie Authentication Bypass Vulnerability
64. eZoneScripts Link Trader Script 'ratelink.php' SQL Injection Vulnerability
65. WikyBlog Multiple Cross-Site Scripting Vulnerabilities
66. H-Sphere WebShell 'actions.php' Multiple Cross Site Scripting Vulnerabilities
67. RPortal 'file_op' Parameter Remote File Include Vulnerability
68. BMForum 'plugins.php' SQL Injection Vulnerability
69. ESET SysInspector 'esiadrv.sys' Local Privilege Escalation Vulnerability
70. phpScheduleIt 'reserve.php' Remote Code Execution Vulnerability
71. noName CMS Multiple SQL Injection Vulnerabilities
72. Discussion Forums 2k Multiple SQL Injection Vulnerabilities
73. Xen XenStore Domain Configuration Data Unsafe Storage Vulnerability
74. SG Real Estate Portal Cookie Authentication Bypass Vulnerability
75. SG Real Estate Portal Local File Include and SQL Injection Vulnerabilities
76. NASM 'ppscan()' Off-By-One Buffer Overflow Vulnerability
77. MiNBank 'minsoft_path' Parameter Multiple Remote File Include Vulnerabilities
78. moziloCMS Prior to 1.10.3 Multiple Vulnerabilities
79. moziloWiki Prior to 1.0.2 Multiple Vulnerabilities
80. MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability
81. Autodesk 'LiveUpdate16.DLL' ActiveX Control Arbitrary Program Execution Vulnerability
82. Marshal MailMarshal SMTP Spam Quarantine Management Multiple HTML Injection Vulnerabilities
83. ArabCMS 'rss.php' Local File Include Vulnerability
84. XAMPP for Windows 'adodb.php' Multiple Cross-Site Scripting Vulnerabilities
85. Easy PHP Calendar Add New Event HTML Injection Vulnerability
86. PG Matchmaking 'id' Parameter Multiple SQL Injection Vulnerabilities
87. FileAlyzer Version Information Remote Stack Buffer Overflow Vulnerability
88. Autodesk DWF Viewer Control 'AdView.dll' Arbitrary File Download Vulnerability
89. Events Calendar 'header_setup.php' Multiple Remote File Include Vulnerabilities
90. Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities
91. JasPer 1.900.1 Multiple Vulnerabilities
92. RPG.Board Cookie Authentication Bypass Vulnerability
93. PHP-Fusion Freshlinks Module 'linkid' Parameter SQL Injection Vulnerability
94. PHPJabbers Post Comments Cookie Authentication Bypass Vulnerability
95. Wireshark Packet Capture File Denial of Service Vulnerability
96. BbZL.PhP 'lien_2' Parameter Directory Traversal Vulnerability
97. BbZL.PhP Cookie Authentication Bypass Vulnerability
98. WinZip 'gdiplus.dll' Microsoft Module Unspecified Security Vulnerability
99. CAcert 'analyse.php' Cross Site Scripting Vulnerability
100. RETIRED: Multiple Vendors IMAP Servers Denial of Service Vulnerability
III. SECURITYFOCUS NEWS
1. Researchers weigh "clickjacking" threat
2. Security of Google's browser gets mixed marks
3. Online intruders hit Red Hat, Fedora Project
4. Researchers race to zero in record time
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Security Consultant, Newark
2. [SJ-JOB] Sr. Security Analyst, Richmond
3. [SJ-JOB] VP of Marketing, Alexandria
4. [SJ-JOB] Security Director, Portland
5. [SJ-JOB] Security Consultant, New York
6. [SJ-JOB] Director, Information Security, Waterbury
7. [SJ-JOB] Security Engineer, Moscow/St Petersburg or Home Working
8. [SJ-JOB] Certification & Accreditation Engineer, Springfield
9. [SJ-JOB] Security Engineer, Kiev
10. [SJ-JOB] Security Consultant, Nairobi
11. [SJ-JOB] Application Security Engineer, Washington
12. [SJ-JOB] Incident Handler, Any major US City (Cincinnati preferred)
13. [SJ-JOB] Security Engineer, Ashburn
14. [SJ-JOB] Incident Handler, Any US GIS Location/Unspecified State/USA
15. [SJ-JOB] Security Director, Minsk
16. [SJ-JOB] Sales Engineer, Chantilly
17. [SJ-JOB] Security Engineer, Schaumburg
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #413
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Blaming the Good Samaritan
By Houston Carr
In the early '90s, I attended an academic conference in Hawaii. At one presentation, a colleague from the University of California at Berkeley, whom I'll refer to as "the supervisor," told a story of young hackers, whom he referred to as the Urchins
http://www.securityfocus.com/columnists/481

2. The Boston Trio and the MBTA
By Mark Rasch
The annual DEFCON conference in Las Vegas in early August got a bit more interesting than usual when three graduate students from the Massachusetts Institute of Technology were enjoined from giving a presentation by a Court in Boston.
http://www.securityfocus.com/columnists/480


II. BUGTRAQ SUMMARY
--------------------
1. Ultra Office Control 'HttpUpload()' Method Buffer Overflow Vulnerability
BugTraq ID: 30861
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/30861
Summary:
Ultra Office Control is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data passed to the 'HttpUpload()' method.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

Ultra Office Control 2.0.2008.501 is vulnerable; other versions may also be affected.

2. Multiple Vendors IPv6 Neighbor Discovery Protocol Implementation Address Spoofing Vulnerability
BugTraq ID: 31529
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/31529
Summary:
Multiple vendors' IPv6 Neighbor Discovery Protocol (NDP) implementations are prone to a security vulnerability.

The issue may allow attackers on the local link to intercept network traffic, perform man-in-the-middle attacks, or cause congested links to become overloaded.

Please see the affected technologies section of this BID for a list of affected software.

3. Citrix Presentation Server Unspecified Local Privilege Escalation Vulnerability
BugTraq ID: 31484
Remote: No
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31484
Summary:
Citrix Presentation Server is prone to a privilege-escalation vulnerability caused by an unspecified error.

Local attackers can leverage this issue to gain escalated privileges. Successful exploits may compromise affected computers.

The following products are vulnerable:

Citrix XenApp (formerly Presentation Server) 4.5, including Feature Pack 1
Citrix Presentation Server 4.0
Citrix Access Essentials 2.0, 1.5 and 1.0

4. Multiple Vendor FTP Server Long Command Handling Security Vulnerability
BugTraq ID: 31289
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31289
Summary:
FTP servers from multiple vendors are prone to a security vulnerability in their handling of overly long commands that allows attackers to perform cross-site request-forgery attacks.

Successful exploits can run arbitrary FTP commands on the server in the context of an unsuspecting user's session. This may lead to further attacks.

5. pam_mount 'luserconf' Local Privilege Escalation Vulnerability
BugTraq ID: 31041
Remote: No
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31041
Summary:
The 'pam_mount' PAM (Pluggable Authentication Module) module is prone to a local privilege-escalation vulnerability that stems from a regression error.

Exploiting this issue could allow attackers to execute arbitrary code with elevated privileges. Successful exploits can completely compromise affected computers.

This issue affects 'pam_mount' 0.10 through 0.45.

6. Mono 'System.Web' HTTP Header Injection Vulnerability
BugTraq ID: 30867
Remote: No
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/30867
Summary:
Mono is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sanitize input.

By inserting arbitrary headers into an HTTP response, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTTP-request-smuggling, and other attacks.

This issue affects Mono 2.0 and earlier.
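
The mechanism behind a header-injection bug of this kind, as an added example that is not Mono or System.Web code: a response builder that pastes an attacker-influenced value (here a redirect target taken from a request parameter) straight into the header block, beside the validating builder a framework with header validation uses. The sample response and the tainted 'Location' value are constructed for the demonstration; 'example.invalid' is a placeholder host.

```python
"""CRLF (header) injection: a naive response builder beside a validating one.

Added example, not code from the Mono project or System.Web. It stands in for
the part of a web framework that serialises response headers: the vulnerable
builder pastes attacker-influenced values straight into the header block; the
hardened builder rejects names and values containing CR, LF or other control
characters, which is the check a framework with header validation performs.
"""
import re

# Header names must be RFC 7230 tokens; values must not contain CR, LF, NUL
# or other control characters that servers or proxies may treat as separators
# (horizontal tab, 0x09, is deliberately allowed in values).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def build_response_vulnerable(headers, body=b""):
    """Serialise a 302 response with no header validation (the advisory's bug class)."""
    lines = ["HTTP/1.1 302 Found"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def unsafe_headers(headers):
    """Names of headers whose name or value could end a line or start a new one."""
    return [name for name, value in headers
            if not _TOKEN.fullmatch(name) or _FORBIDDEN.search(value)]


def build_response_hardened(headers, body=b""):
    """Same serialisation, but refuse the response outright if any header is unsafe."""
    bad = unsafe_headers(headers)
    if bad:
        raise ValueError(f"control characters in header(s): {bad}")
    return build_response_vulnerable(headers, body)


def parse_headers(raw):
    """Read the header block back the way a browser or proxy would, so the
    effect of an injected line is visible as a separate header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    parsed = []
    for line in lines:
        name, _, value = line.partition(":")
        parsed.append((name.strip().lower(), value.strip()))
    return status, parsed


# Constructed sample: a redirect target taken from a request parameter, with a
# CRLF followed by an extra Set-Cookie header (a session-fixation shape).
TAINTED_LOCATION = "http://example.invalid/login\r\nSet-Cookie: sid=attacker"

if __name__ == "__main__":
    status, hdrs = parse_headers(build_response_vulnerable([("Location", TAINTED_LOCATION)]))
    print(hdrs)  # the injected Set-Cookie shows up as its own header
    print(unsafe_headers([("Location", TAINTED_LOCATION)]))  # ['Location']
```

Rejecting the whole response, rather than stripping the CR/LF and continuing, is the safer choice: a value that contains line terminators was never a legitimate header value, and silently "repairing" it hides the attack from logs.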

7. Trend Micro OfficeScan and Worry-Free Business Security Multiple Vulnerabilities
BugTraq ID: 31531
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31531
Summary:
Trend Micro OfficeScan and Worry-Free Business Security are prone to multiple security vulnerabilities.

Successful exploits may allow an attacker to crash the application, execute arbitrary code or disclose sensitive information within the context of the affected application.

These issues affect the following:

- OfficeScan 8.0 Service Pack 1
- OfficeScan 8.0 Service Pack 1 Patch 1
- OfficeScan 7.3 patch 4 with critical patches 1355, 1362, and 1367 applied.
- Worry-Free Business Security 5.0

8. Hewlett-Packard Insight Diagnostics Unspecified Unauthorized Access Vulnerability
BugTraq ID: 31479
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31479
Summary:
Hewlett-Packard Insight Diagnostics is prone to an unspecified unauthorized-access issue.

Versions prior to Insight Diagnostics 7.9.1.2402 are vulnerable.

9. Concord Consortium CoAST 'header.php' Remote File Include Vulnerability
BugTraq ID: 31461
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31461
Summary:
CoAST is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible.

CoAST 0.95 is vulnerable; other versions may also be affected.

10. pfSense DHCPREQUEST Hostname HTML Injection Vulnerability
BugTraq ID: 31334
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31334
Summary:
pfSense is prone to an HTML-injection vulnerability because its administrative web interface fails to sufficiently sanitize user-supplied input data.

Because the hostname is taken from a client's DHCPREQUEST, any host on the LAN can supply it. Attacker-supplied HTML and script code would run in the browser of an administrator viewing the affected interface, in the context of the site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the page is rendered; other attacks are also possible.

The issue affects pfSense 1.0.1.
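
The two checks a DHCP status page needs for client-supplied hostnames, as an added example that is not pfSense code: accept only RFC 1123 host-name syntax when a lease is recorded, and HTML-escape every field when rendering it, so a hostname that slips past validation still cannot inject markup. The lease records and the table layout are constructed for the demonstration.

```python
"""Validate DHCP client hostnames on the way in and escape them on the way out.

Added example, not pfSense code. A DHCPREQUEST hostname (option 12) is chosen by
the client, so the admin page that lists leases must treat it as untrusted.
"""
import html
import re

# One RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen. Whole names are dot-separated labels, at most 253 characters.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True if 'name' is a syntactically valid host name."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def record_lease(leases, mac, ip, hostname):
    """Store a lease. An invalid hostname is recorded as empty rather than
    dropping the lease, so the client is still visible to the administrator."""
    leases.append({
        "mac": mac,
        "ip": ip,
        "hostname": hostname if valid_hostname(hostname) else "",
    })


def render_lease_rows(leases):
    """Render table rows, escaping every field (defence in depth: even values
    that passed validation are encoded for the HTML context)."""
    rows = []
    for lease in leases:
        cells = "".join(
            f"<td>{html.escape(str(lease[key]), quote=True)}</td>"
            for key in ("mac", "ip", "hostname")
        )
        rows.append(f"<tr>{cells}</tr>")
    return "\n".join(rows)


# Constructed sample requests, one carrying markup in the hostname.
SAMPLE_REQUESTS = [
    ("00:11:22:33:44:55", "192.0.2.10", "printer-01"),
    ("00:11:22:33:44:66", "192.0.2.11", "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    leases = []
    for mac, ip, name in SAMPLE_REQUESTS:
        record_lease(leases, mac, ip, name)
    print(render_lease_rows(leases))
```

Validation alone is not enough: a product that stores hostnames from several sources (static mappings, imported configs) still needs the output encoding, and encoding alone leaves attacker-chosen strings in logs and exports.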

11. HP OpenView Network Node Manager 'ovalarmsrv.exe' Multiple Remote Vulnerabilities
BugTraq ID: 28668
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/28668
Summary:
HP OpenView Network Node Manager is prone to multiple vulnerabilities affecting the 'ovalarmsrv.exe' process. These issues include a format-string vulnerability, multiple buffer-overflow vulnerabilities, and a denial-of-service vulnerability.

Attackers can exploit these issues to execute arbitrary code with the privileges of the affected application or to consume excessive system resources. Successful exploits will compromise affected computers or cause denial-of-service conditions.

HP OpenView Network Node Manager 7.50 is vulnerable; the denial-of-service issue also affects version 7.53; other versions may also be affected.

12. OpenAFS Fileserver Denial of Service Vulnerability
BugTraq ID: 27132
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/27132
Summary:
OpenAFS fileserver is prone to a denial-of-service vulnerability caused by a race-condition error.

Successfully exploiting this issue allows attackers to crash the affected fileserver, denying service to legitimate users.

The issue affects these versions:

OpenAFS 1.3.50 to 1.4.5
OpenAFS 1.5.0 to 1.5.27

13. MPlayer 'stream_read' Function Remote Heap Based Buffer Overflow Vulnerability
BugTraq ID: 31473
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31473
Summary:
MPlayer is prone to a remote heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

MPlayer 1.0 rc2 is vulnerable; prior versions are also affected.

14. Nokia PC Suite Remote Buffer Overflow Vulnerability
BugTraq ID: 31475
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31475
Summary:
Nokia PC Suite is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code in the context of the affected application. This may facilitate the complete compromise of affected computers. Failed exploit attempts may result in a denial-of-service condition.

15. LnBlog 'showblog.php' Local File Include Vulnerability
BugTraq ID: 31459
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31459
Summary:
LnBlog is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files and execute local scripts within the context of the webserver process.

LnBlog 0.9.0 and prior versions are affected.

16. Pro Chat Rooms Multiple SQL Injection Vulnerabilities
BugTraq ID: 31463
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31463
Summary:
Pro Chat Rooms is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Pro Chat Rooms 3.0.3 is vulnerable; other versions may also be affected.

17. Joomla Image Browser Component 'index.php' Directory Traversal Vulnerability
BugTraq ID: 31458
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31458
Summary:
Joomla Image Browser is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow the attacker to obtain sensitive information that could aid in further attacks.

Image Browser 0.1.5 is vulnerable; other versions may also be affected.

18. PlugSpace 'index.php' Local File Include Vulnerability
BugTraq ID: 31457
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31457
Summary:
PlugSpace is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files and execute local scripts within the context of the webserver process.

PlugSpace 0.1 is vulnerable; other versions may also be affected.

19. ParsaGostar ParsaWeb Multiple SQL Injection Vulnerabilities
BugTraq ID: 31450
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31450
Summary:
ParsaWeb is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

20. ZoneAlarm HTTP Proxy Remote Denial of Service Vulnerability
BugTraq ID: 31431
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31431
Summary:
ZoneAlarm Internet Security Suite is prone to a remote denial-of-service vulnerability that occurs in the TrueVector component when connecting to a malicious HTTP proxy.

ZoneAlarm Internet Security Suite 8.0.020 is vulnerable; other versions may also be affected.

21. FAAD2 Frontend 'decodeMP4file()' Heap Based Buffer Overflow Vulnerability
BugTraq ID: 31219
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31219
Summary:
FAAD2 (Freeware Advanced Audio Decoder) is prone to a remote heap-based buffer-overflow vulnerability because the command-line frontend fails to adequately validate input from a buffer returned by the decoder library.

Remote attackers can exploit this issue by enticing victims into opening maliciously crafted files with the application's command-line frontend.

Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial of service.

FAAD2 2.6 is vulnerable; other versions may also be affected.

22. MySQL Empty Binary String Literal Remote Denial Of Service Vulnerability
BugTraq ID: 31081
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31081
Summary:
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle empty binary string literals.

An attacker can exploit this issue to crash the application, denying access to legitimate users.

This issue affects versions prior to MySQL 5.0.66, 5.1.26, and 6.0.6.

23. RETIRED: SoftAcid Hotel Reservation System 'city.asp' SQL Injection Vulnerability
BugTraq ID: 31211
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31211
Summary:
SoftAcid Hotel Reservation System (HRS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

UPDATE (September 29, 2008): This BID is being retired because the application is not exploitable in the manner described.

24. Acoustica Beatcraft '.bcproj' Instrument Title Buffer Overflow Vulnerability
BugTraq ID: 30938
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/30938
Summary:
Acoustica Beatcraft is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue by enticing a victim to load a malicious '.bcproj' file. If successful, the attacker can execute arbitrary code in the context of the affected application.

Acoustica Beatcraft 1.02 Build 19 is vulnerable; other versions may also be affected.

25. Camera Life Arbitrary File Upload Vulnerability
BugTraq ID: 31456
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31456
Summary:
Camera Life is prone to a vulnerability that lets remote attackers upload and execute arbitrary script code on an affected computer with the privileges of the webserver process. The issue occurs because the application fails to sanitize user-supplied input.

Camera Life 2.6.2b4 is vulnerable; other versions may also be affected.

26. PowerPortal 2 'path' Parameter Directory Traversal Vulnerability
BugTraq ID: 31454
Remote: Yes
Last Updated: 2008-09-29
Relevant URL: http://www.securityfocus.com/bid/31454
Summary:
PowerPortal 2 is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.

PowerPortal 2.0.13 is vulnerable; other versions may also be affected.

27. Crux Gallery 'index.php' Local File Include Vulnerability
BugTraq ID: 31516
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/31516
Summary:
Crux Gallery is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.

Crux Gallery 1.32 is vulnerable; other versions may also be affected.

28. Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
BugTraq ID: 20241
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/20241
Summary:
Portable OpenSSH is prone to a remote code-execution vulnerability. The issue derives from a race condition in a vulnerable signal handler.

Reportedly, under specific conditions, it is theoretically possible to execute code remotely prior to authentication when GSSAPI authentication is enabled. This has not been confirmed; the chance of a successful exploit of this nature is considered minimal.

On non-Portable OpenSSH implementations, this same race condition can be exploited to cause a pre-authentication denial of service.

This issue occurs when OpenSSH and Portable OpenSSH are configured to accept GSSAPI authentication.

29. OpenSSH ForceCommand Command Execution Weakness
BugTraq ID: 28531
Remote: No
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/28531
Summary:
OpenSSH is prone to a weakness that may allow authenticated users to execute arbitrary commands, bypassing the intent of the 'ForceCommand' option.

Prior to 4.9, sshd executes the user's '~/.ssh/rc' before the forced command, so a user who is restricted to a forced command but can write to their own home directory can run commands of their choosing, contrary to the administrator's configuration.

Versions prior to OpenSSH 4.9 are vulnerable.
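
An audit helper for administrators who rely on 'ForceCommand' on a server that cannot yet be upgraded, as an added example that is not OpenSSH code. It reports, for a given home directory, whether '~/.ssh/rc' already exists and whether the restricted user could create it; the fix on such a server is to make the home directory (or at least '~/.ssh') root-owned and not writable by the user. OpenSSH 4.9 stops running '~/.ssh/rc' when 'ForceCommand' is in effect, and later releases (6.7 onward) add a 'PermitUserRC' option to control it explicitly. The home directories the demo runs on are constructed in a temporary directory.

```python
"""Find the user-writable hook that defeats ForceCommand on OpenSSH < 4.9.

Added example, not OpenSSH code. Before 4.9, sshd ran the user's ~/.ssh/rc
before the forced command, so any restricted user who could create that file
escaped the restriction. This helper reports, for one home directory, whether
the hook exists or whether the user could plant it.
"""
import os
import stat
import tempfile


def _writable_by(path, uid):
    """Conservative 'can uid write here': owner-write when owned by uid, or any
    group/other write bit (group membership is deliberately not checked)."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWUSR)


def forcecommand_rc_findings(home, uid=None):
    """Return findings for one home directory; an empty list means the
    ~/.ssh/rc path is locked down. 'uid' defaults to the home's owner."""
    if uid is None:
        uid = os.stat(home).st_uid
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    rc = os.path.join(ssh_dir, "rc")
    if os.path.exists(rc):
        findings.append(f"{rc} exists and runs before the forced command")
    # The directory the user would need to write to in order to plant the hook.
    target = ssh_dir if os.path.isdir(ssh_dir) else home
    if _writable_by(target, uid):
        findings.append(f"{target} is writable by the user; rc can be created")
    return findings


def build_demo_homes():
    """Constructed: one home with a planted rc, one locked-down home."""
    root = tempfile.mkdtemp(prefix="forcecommand-demo-")
    risky = os.path.join(root, "backup")
    os.makedirs(os.path.join(risky, ".ssh"), mode=0o700)
    with open(os.path.join(risky, ".ssh", "rc"), "w") as fh:
        fh.write("#!/bin/sh\n/bin/sh -i\n")  # the bypass: an interactive shell
    locked = os.path.join(root, "restricted")
    os.mkdir(locked)
    os.chmod(locked, 0o555)  # no .ssh directory and the user cannot create one
    return risky, locked


if __name__ == "__main__":
    risky, locked = build_demo_homes()
    for home in (risky, locked):
        print(home, forcecommand_rc_findings(home) or ["clean"])
```

Run it against the real home directory of every account that has a 'ForceCommand' (or 'command=' in authorized_keys) restriction; a finding on an unpatched server means the restriction is advisory only.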

30. Podcast Generator Multiple Remote And Local File Include Vulnerabilities
BugTraq ID: 28038
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/28038
Summary:
Podcast Generator is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or access potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.

Podcast Generator 1.0 BETA 2 is vulnerable; other versions may also be affected.

31. MySQL Quick Admin 'index.php' Local File Include Vulnerability
BugTraq ID: 31517
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/31517
Summary:
MySQL Quick Admin is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files and execute local scripts within the context of the webserver process.

MySQL Quick Admin 1.5.5 is vulnerable; other versions may also be affected.

32. EC-CUBE SQL Injection and Cross-Site Scripting Vulnerabilities
BugTraq ID: 31509
Remote: Yes
Last Updated: 2008-10-02
Relevant URL: http://www.securityfocus.com/bid/31509
Summary:
EC-CUBE is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following versions are vulnerable:

EC-CUBE 2.1.2a and earlier
EC-CUBE 2.3.0-rc1 and earlier
EC-CUBE 2.2.0-beta and earlier
EC-CUBE 2.1.1-beta and earlier

EC-CUBE 1.4.6 and earlier
EC-CUBE 1.5.0-beta and earlier

EC-CUBE Community Edition 1.3.4 and earlier
EC-CUBE Community Edition Nightly-Build r17319 and earlier
EC-CUBE Community Edition Nightly-Build r17336 and earlier
EC-CUBE Community Edition Nightly-Build r17623 and earlier

33. GdPicture Pro 'gdpicture4s.ocx' ActiveX Control Arbitrary File Overwrite Vulnerability
BugTraq ID: 31504
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31504
Summary:
An ActiveX control in GdPicture Pro SDK is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content. The issue occurs because the control fails to sanitize user-supplied input.

Successful exploits may compromise affected computers and could aid in further attacks.

This issue affects gdpicture4s.ocx 4.7.0.1. This control is included in GdPicture Light Imaging Toolkit 4.7.1. Other versions may also be affected.

34. Celoxis Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 31514
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31514
Summary:
Celoxis is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

35. ASPapp Knowledge Base 'catid' Parameter SQL Injection Vulnerability
BugTraq ID: 31513
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31513
Summary:
ASPapp Knowledge Base is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
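
The bug class shared by this entry and the other SQL-injection items in this issue (16 Pro Chat Rooms, 19 ParsaWeb, 32 EC-CUBE), as an added example that is not code from any of those applications: a query built by string concatenation beside the parameterised form, run against an in-memory SQLite database so the injection's effect is observable. The schema, the rows and the 'catid' payload are constructed for the demonstration.

```python
"""String-built query beside a parameterised one, with the injection's effect
made visible on an in-memory SQLite database.

Added example, not code from any application in this newsletter. 'catid' stands
for whatever parameter the application pastes into its query.
"""
import sqlite3


def make_db():
    """Constructed schema: a public article list plus a table the attacker wants."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, catid INTEGER,
                               title TEXT, published INTEGER);
        INSERT INTO articles VALUES (1, 1, 'public faq', 1);
        INSERT INTO articles VALUES (2, 2, 'internal runbook', 0);
        INSERT INTO articles VALUES (3, 1, 'draft notice', 0);
        CREATE TABLE users (name TEXT, pwhash TEXT);
        INSERT INTO users VALUES ('admin', '$2y$10$constructed-hash');
    """)
    return con


def titles_vulnerable(con, catid):
    """The advisory's bug class: the parameter becomes part of the SQL text."""
    sql = f"SELECT title FROM articles WHERE published = 1 AND catid = {catid}"
    return [row[0] for row in con.execute(sql)]


def titles_parameterised(con, catid):
    """The value is bound by the driver, so it cannot change the statement's
    shape; whatever the client sends is compared as a value, nothing more."""
    sql = "SELECT title FROM articles WHERE published = 1 AND catid = ?"
    return [row[0] for row in con.execute(sql, (catid,))]


CATID_NORMAL = "1"
# Constructed payload: disable the 'published' filter with OR 1=1, then UNION
# in a column from an unrelated table; '--' comments out anything that follows.
CATID_INJECTED = "1 OR 1=1 UNION SELECT name || ':' || pwhash FROM users --"

if __name__ == "__main__":
    con = make_db()
    print(titles_vulnerable(con, CATID_NORMAL))      # ['public faq']
    print(titles_vulnerable(con, CATID_INJECTED))    # every row, plus admin:<hash>
    print(titles_parameterised(con, CATID_INJECTED))  # []
```

Binding is the fix; escaping quotes is not, because a numeric parameter such as 'catid' is never quoted in the first place. Where the expected type is known, reject non-integers before the query as well, so the request fails loudly instead of matching nothing.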

36. Hardkap Pritlog 'filename' Parameter File Disclosure Vulnerability
BugTraq ID: 31503
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31503
Summary:
Pritlog is prone to a file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal attacks to view local files in the context of the webserver process. This may aid in further attacks.

Versions up to and including Pritlog 0.4 are vulnerable.
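
The pattern behind this entry and the other traversal and local file-include items in this issue (15 LnBlog, 17 Joomla Image Browser, 18 PlugSpace, 26 PowerPortal, 27 Crux Gallery, 31 MySQL Quick Admin), as an added example that is not code from any of those applications: a file name taken from a request parameter is joined onto a base directory, and '../' sequences walk out of it. The hardened resolver canonicalises the path and refuses anything that does not stay under the base directory. The sandbox directory, the 'page' parameter name and the '.php' extension rule are constructed for the demonstration.

```python
"""Resolve a user-supplied file name inside a fixed directory and refuse
anything that escapes it.

Added example, not code from any application in this newsletter. 'page' stands
for whatever parameter the application reads ('filename', 'path', and so on).
"""
import os
import tempfile


def include_path_naive(base_dir, page):
    """How the vulnerable pattern behaves: the parameter is joined onto a base
    directory, so '../' sequences (and absolute paths) leave it."""
    return os.path.normpath(os.path.join(base_dir, page))


def include_path_safe(base_dir, page, allowed_ext=".php"):
    """Return the resolved path only if it stays under base_dir and carries the
    expected extension; otherwise None."""
    if "\x00" in page:  # NUL truncation: 'home.php\x00.txt' style tricks
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    # realpath resolves '..' and symlinks, so a prefix check is meaningful here.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(allowed_ext):
        return None
    return candidate


def build_sandbox():
    """Constructed layout: a templates directory with one include, and a
    sensitive file one level above it."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "home.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("db password")
    return root, tpl, secret


if __name__ == "__main__":
    root, tpl, secret = build_sandbox()
    print(include_path_naive(tpl, "../secret.txt"))   # escapes to secret.txt
    print(include_path_safe(tpl, "../secret.txt"))    # None
    print(include_path_safe(tpl, "home.php"))         # the real include path
```

An allow-list of known page names is stricter still and is the right choice when the set of includable files is fixed; the resolver above is for the case where the directory contents change.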

37. Mozilla Firefox/SeaMonkey UTF-8 Stack-Based Buffer Overflow Vulnerability
BugTraq ID: 31397
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31397
Summary:
Mozilla Firefox and SeaMonkey are prone to a stack-based buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to Firefox 2.0.0.17 and prior to SeaMonkey 1.1.12 are vulnerable.

NOTE: This issue was originally documented in BID 31346 (Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities). It has been given its own record to better document the details.

38. Mozilla SeaMonkey/Thunderbird Newsgroup Cancel Message Handling Buffer Overflow Vulnerability
BugTraq ID: 31411
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31411
Summary:
Mozilla SeaMonkey and Thunderbird are prone to a remote heap-based buffer-overflow vulnerability because they fail to properly bounds-check user-supplied data.

Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the vulnerable application; failed exploit attempts will likely crash the application. This may facilitate the remote compromise of affected computers.

The issue affects versions prior to Mozilla Thunderbird 2.0.0.17 and prior to Mozilla SeaMonkey 1.1.12.

39. eFront Multiple Arbitrary File Upload Vulnerabilities
BugTraq ID: 31491
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31491
Summary:
eFront is prone to multiple vulnerabilities that allow remote attackers to upload and execute arbitrary script code on an affected computer with the privileges of the webserver process. The issues occur because the application fails to sanitize user-supplied input.

eFront 3.5.1 is vulnerable; other versions may also be affected.

40. QEMU Security Bypass Vulnerability
BugTraq ID: 30604
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30604
Summary:
QEMU is prone to a security-bypass vulnerability because the application fails to properly restrict access to certain functionality.

Attackers in a guest system can exploit this issue to bypass certain security restrictions and carry out some unauthorized tasks. This may lead to various attacks.

41. Xen Para Virtualized Frame Buffer 'ioemu' Frontend Frame Buffer Denial of Service Vulnerability
BugTraq ID: 30646
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30646
Summary:
Xen is prone to a local denial-of-service vulnerability.

Successfully exploiting this issue will allow attackers to crash the affected application, denying service to legitimate users.

42. Wireshark 0.99.8 Multiple Denial of Service Vulnerabilities
BugTraq ID: 28485
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/28485
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may allow attackers to cause crashes and deny service to legitimate users of the application. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.

These issues affect Wireshark 0.99.2 up to and including 0.99.8.

43. Debian xsabre Insecure Temporary File Creation Vulnerability
BugTraq ID: 31512
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31512
Summary:
Debian xsabre creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Debian xsabre 0.2.4b-23 is vulnerable; other versions may also be affected.

44. Linux kernel 'fs/direct-io.c' Local Denial of Service Vulnerability
BugTraq ID: 31515
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31515
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this issue to crash the affected computer, denying service to legitimate users.

Versions prior to Linux kernel 2.6.23 are vulnerable.

45. Linux Kernel TTY Operations NULL Pointer Dereference Denial of Service Vulnerabilities
BugTraq ID: 30076
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30076
Summary:
The Linux kernel is prone to multiple local denial-of-service vulnerabilities.

Attackers can exploit these issues to crash the affected kernel, denying service to legitimate users. Given the nature of these issues, attackers may also be able to execute arbitrary code, but this has not been confirmed.

These issues affect versions prior to Linux kernel 2.6.25.10.

46. Linux Kernel 'snd_seq_oss_synth_make_info()' Information Disclosure Vulnerability
BugTraq ID: 30559
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30559
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.

Versions prior to Linux kernel 2.6.27-rc2 are vulnerable.

47. Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability
BugTraq ID: 30647
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30647
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability affecting the VFS behavior in UBIFS (UBI File System).

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

48. Linux Kernel BER Decoding Remote Buffer Overflow Vulnerability
BugTraq ID: 29589
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/29589
Summary:
The Linux Kernel is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

49. Wireshark 1.0.1 Denial of Service Vulnerability
BugTraq ID: 30181
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30181
Summary:
Wireshark is prone to a denial-of-service vulnerability.

Exploiting this issue may allow attackers to cause crashes and deny service to legitimate users of the application.

This issue affects Wireshark 0.8.19 to 1.0.1.

50. Wireshark 1.0.0 Multiple Vulnerabilities
BugTraq ID: 30020
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/30020
Summary:
Wireshark is prone to multiple vulnerabilities, including an information-disclosure issue and denial-of-service issues.

Exploiting these issues may allow attackers to obtain potentially sensitive information, cause crashes, and deny service to legitimate users of the application. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.

These issues affect Wireshark 0.9.5 up to and including 1.0.0.

51. Wireshark 1.0.2 Multiple Vulnerabilities
BugTraq ID: 31009
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31009
Summary:
Wireshark is prone to multiple vulnerabilities, including buffer-overflow and denial-of-service issues.

Exploiting these issues may allow attackers to crash the application and deny service to legitimate users. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.

These issues affect Wireshark 0.9.7 up to and including 1.0.2.

52. Wireshark 0.99.7 Multiple Denial of Service Vulnerabilities
BugTraq ID: 28025
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/28025
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may allow attackers to cause crashes and deny service to legitimate users of the application. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.

Wireshark 0.6.0 to 0.99.7 are affected.

53. eZoneScripts Adult Banner Exchange Website 'click.php' SQL Injection Vulnerability
BugTraq ID: 31510
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31510
Summary:
eZoneScripts Adult Banner Exchange Website is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

54. Freeway Multiple SQL Injection Vulnerabilities
BugTraq ID: 31508
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31508
Summary:
Freeway is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect versions prior to Freeway 1.4.3.210.

55. QuidaScript BookMarks Favourites Script 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 31506
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31506
Summary:
QuidaScript BookMarks Favourites Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

56. Flip4Mac WMV Unspecified Vulnerability
BugTraq ID: 31505
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31505
Summary:
Flip4Mac WMV is prone to an unspecified vulnerability.

Very few details are available regarding this issue. We will update this BID as more information emerges.

This issue affects versions prior to Flip4Mac WMV 2.2.1.

57. A4Desk Event Calendar 'v' Parameter Remote File Include Vulnerability
BugTraq ID: 31507
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31507
Summary:
A4Desk Event Calendar is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

58. Mozilla Firefox User Interface Dispatcher Null Pointer Dereference Denial of Service Vulnerability
BugTraq ID: 31476
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31476
Summary:
Mozilla Firefox is prone to a remote denial-of-service vulnerability.

Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.

NOTE: This issue may be related to the issues covered in BID 30486 (Mozilla Firefox Unspecified Denial of Service Vulnerability).

Firefox 3.0.3 is vulnerable; other versions may also be affected.

59. WordPress MU 'wp-admin/wpmu-blogs.php' Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 31482
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31482
Summary:
WordPress MU is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to WordPress MU 2.6 are vulnerable.

60. Emacspeak 'extract-table.pl' Insecure Temporary File Creation Vulnerability
BugTraq ID: 31241
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31241
Summary:
Emacspeak creates temporary files in an insecure manner.

An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

61. Rianxosencabos CMS 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 31502
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31502
Summary:
Rianxosencabos CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The issue affects Rianxosencabos CMS 0.9; other versions may also be affected.

62. Juniper ScreenOS HTML Injection Vulnerability
BugTraq ID: 31528
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31528
Summary:
ScreenOS is prone to an HTML-injection vulnerability because its administrative web interface fails to sufficiently sanitize user-supplied input data.

Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

The issue affects ScreenOS 5.4.0r9.0.

63. phpscripts Ranking Script Cookie Authentication Bypass Vulnerability
BugTraq ID: 31527
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31527
Summary:
phpscripts Ranking Script is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

64. eZoneScripts Link Trader Script 'ratelink.php' SQL Injection Vulnerability
BugTraq ID: 31526
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31526
Summary:
eZoneScripts Link Trader Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

65. WikyBlog Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 31525
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31525
Summary:
WikyBlog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

WikyBlog 1.7.1 is vulnerable; other versions may also be affected.

66. H-Sphere WebShell 'actions.php' Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 31524
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31524
Summary:
H-Sphere WebShell is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Version 4.3.10 of H-Sphere WebShell is vulnerable; other versions may also be affected.

67. RPortal 'file_op' Parameter Remote File Include Vulnerability
BugTraq ID: 31523
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31523
Summary:
RPortal is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

RPortal 1.1 is vulnerable; other versions may also be affected.

68. BMForum 'plugins.php' SQL Injection Vulnerability
BugTraq ID: 31522
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31522
Summary:
BMForum is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

BMForum 5.6 is vulnerable; other versions may also be affected.

69. ESET SysInspector 'esiadrv.sys' Local Privilege Escalation Vulnerability
BugTraq ID: 31521
Remote: No
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31521
Summary:
ESET SysInspector is prone to a local privilege-escalation vulnerability that occurs in the 'esiadrv.sys' driver.

An attacker can exploit this issue to execute arbitrary code with kernel-level privileges on a Microsoft Windows host operating system. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

ESET SysInspector 1.1.1.0 is vulnerable; other versions may also be affected.

70. phpScheduleIt 'reserve.php' Remote Code Execution Vulnerability
BugTraq ID: 31520
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31520
Summary:
phpScheduleIt is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

An attacker can leverage this issue to execute arbitrary PHP code on an affected computer with the privileges of the webserver process.

phpScheduleIt 1.2.10 is vulnerable; other versions may also be affected.

71. noName CMS Multiple SQL Injection Vulnerabilities
BugTraq ID: 31519
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31519
Summary:
noName CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

noName CMS 1.0 is vulnerable; other versions may also be affected.

72. Discussion Forums 2k Multiple SQL Injection Vulnerabilities
BugTraq ID: 31518
Remote: Yes
Last Updated: 2008-10-01
Relevant URL: http://www.securityfocus.com/bid/31518
Summary:
Discussion Forums 2k is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Discussion Forums 2k 3.3 is vulnerable; other versions may also be affected.

73. Xen XenStore Domain Configuration Data Unsafe Storage Vulnerability
BugTraq ID: 31499
Remote: No
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31499
Summary:
Xen is prone to a vulnerability that results in configuration information being stored in a location that is writable by guest domains.

Xen 3.3 is vulnerable; other versions may also be affected.

74. SG Real Estate Portal Cookie Authentication Bypass Vulnerability
BugTraq ID: 31500
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31500
Summary:
SG Real Estate Portal is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

SG Real Estate Portal 2.0 is vulnerable; other versions may also be affected.

75. SG Real Estate Portal Local File Include and SQL Injection Vulnerabilities
BugTraq ID: 31489
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31489
Summary:
SG Real Estate Portal is prone to multiple local file-include vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.

The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

SG Real Estate Portal 2.0 is vulnerable; other versions may also be affected.

76. NASM 'ppscan()' Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 29656
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/29656
Summary:
NASM is prone to an off-by-one buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

NASM 2.02 and prior versions are vulnerable.

77. MiNBank 'minsoft_path' Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 31492
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31492
Summary:
MiNBank (Micronation Banking System) is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying computer; other attacks are also possible.

MiNBank 1.5.0 is vulnerable; other versions may also be affected.

78. moziloCMS Prior to 1.10.3 Multiple Vulnerabilities
BugTraq ID: 31495
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31495
Summary:
moziloCMS is prone to multiple vulnerabilities, including a session-fixation issue, multiple directory-traversal issues, and multiple cross-site scripting issues.

An attacker may leverage these issues to view arbitrary local files within the context of the webserver, to execute arbitrary script code in the browser of an unsuspecting user, or to hijack a valid user's session.

Versions prior to moziloCMS 1.10.3 are vulnerable.

79. moziloWiki Prior to 1.0.2 Multiple Vulnerabilities
BugTraq ID: 31493
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31493
Summary:
moziloWiki is prone to multiple vulnerabilities, including a directory-traversal issue, a session-fixation issue, and multiple cross-site scripting issues.

An attacker may leverage these issues to view arbitrary local files within the context of the webserver, to execute arbitrary script code in the browser of an unsuspecting user, or to hijack a valid user's session.

Versions prior to moziloWiki 1.0.2 are vulnerable.

80. MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability
BugTraq ID: 31486
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31486
Summary:
MySQL is prone to an HTML-injection vulnerability because the application's command-line client fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

81. Autodesk 'LiveUpdate16.DLL' ActiveX Control Arbitrary Program Execution Vulnerability
BugTraq ID: 31490
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31490
Summary:
The Autodesk LiveUpdate Module 'LiveUpdate16.DLL' ActiveX control is prone to a vulnerability that lets attackers execute arbitrary local programs.

Successfully exploiting this issue allows remote attackers to execute arbitrary local programs in the context of the application using the ActiveX control (typically Internet Explorer).

'LiveUpdate16.DLL' 17.2.56 is vulnerable; other versions may also be affected.

82. Marshal MailMarshal SMTP Spam Quarantine Management Multiple HTML Injection Vulnerabilities
BugTraq ID: 31483
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31483
Summary:
Marshal MailMarshal SMTP Spam Quarantine Management component is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Reportedly, the attacker may be able to further exploit these issues to install arbitrary files on a victim's computer.

These issues affect MailMarshal SMTP 6.0 up to and including 6.3.

83. ArabCMS 'rss.php' Local File Include Vulnerability
BugTraq ID: 31480
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31480
Summary:
ArabCMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files and execute local scripts within the context of the webserver process.

ArabCMS 2.0 beta 1 is vulnerable; other versions may also be affected.

84. XAMPP for Windows 'adodb.php' Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 31472
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31472
Summary:
XAMPP for Windows is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

XAMPP 1.6.8 for Windows is vulnerable; other versions may also be affected.

85. Easy PHP Calendar Add New Event HTML Injection Vulnerability
BugTraq ID: 31478
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31478
Summary:
Easy PHP Calendar is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Easy PHP Calendar 6.3.25 is vulnerable; other versions may also be affected.

86. PG Matchmaking 'id' Parameter Multiple SQL Injection Vulnerabilities
BugTraq ID: 31477
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31477
Summary:
PG Matchmaking is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

87. FileAlyzer Version Information Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 31474
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31474
Summary:
FileAlyzer is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.

FileAlyzer 1.6.0.3 is vulnerable; other versions may also be affected.

88. Autodesk DWF Viewer Control 'AdView.dll' Arbitrary File Download Vulnerability
BugTraq ID: 31487
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31487
Summary:
Autodesk DWF Viewer Control is prone to a vulnerability that can allow malicious files to be downloaded and saved to arbitrary locations on an affected computer.

Attackers may exploit this issue to write to sensitive files with malicious data, which will compromise the affected computer. Other attacks are possible.

'AdView.dll' 9.0.0.96 is vulnerable; other versions may also be affected.

89. Events Calendar 'header_setup.php' Multiple Remote File Include Vulnerabilities
BugTraq ID: 31471
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31471
Summary:
Events Calendar is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Events Calendar 1.1 is vulnerable; other versions may also be affected.

90. Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities
BugTraq ID: 31346
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31346
Summary:
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox 2.0.0.16 and prior versions, Firefox 3.0.1 and prior versions, Thunderbird 2.0.0.16 and prior versions, and SeaMonkey 1.1.11 and prior versions.

Exploiting these issues can allow attackers to:

- traverse directories
- obtain potentially sensitive information
- execute scripts with elevated privileges
- execute arbitrary code
- cause denial-of-service conditions
- carry out cross-site scripting attacks
- steal authentication credentials
- force users to download files
- violate the same-origin policy

Other attacks are also possible.

91. JasPer 1.900.1 Multiple Vulnerabilities
BugTraq ID: 31470
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31470
Summary:
JasPer is prone to multiple vulnerabilities, including a buffer-overflow vulnerability, a temporary file race condition, and multiple integer-overflow vulnerabilities.

Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the software. Failed exploit attempts are likely to cause denial-of-service conditions.

JasPer 1.900.1 is vulnerable; other versions may also be affected.

92. RPG.Board Cookie Authentication Bypass Vulnerability
BugTraq ID: 31466
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31466
Summary:
RPG.Board is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

RPG.Board 0.0.8 Beta2 is vulnerable; other versions may also be affected.

93. PHP-Fusion Freshlinks Module 'linkid' Parameter SQL Injection Vulnerability
BugTraq ID: 31469
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31469
Summary:
PHP-Fusion is prone to an SQL-injection vulnerability affecting the 'freshlinks' module because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

94. PHPJabbers Post Comments Cookie Authentication Bypass Vulnerability
BugTraq ID: 31467
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31467
Summary:
PHPJabbers Post Comments is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

PHPJabbers Post Comments 3.0 is vulnerable; other versions may also be affected.

95. Wireshark Packet Capture File Denial of Service Vulnerability
BugTraq ID: 31468
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31468
Summary:
Wireshark is prone to a denial-of-service vulnerability.

Exploiting this issue may allow attackers to cause crashes and deny service to legitimate users of the application.

Wireshark 1.0.3 is vulnerable; other versions may also be affected.

96. BbZL.PhP 'lien_2' Parameter Directory Traversal Vulnerability
BugTraq ID: 31464
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31464
Summary:
BbZL.PhP is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.

BbZL.PhP 0.92 is vulnerable; other versions may also be affected.

97. BbZL.PhP Cookie Authentication Bypass Vulnerability
BugTraq ID: 31462
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31462
Summary:
BbZL.PhP is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

BbZL.PhP 0.92 is vulnerable; other versions may also be affected.

98. WinZip 'gdiplus.dll' Microsoft Module Unspecified Security Vulnerability
BugTraq ID: 31485
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31485
Summary:
WinZip is prone to an unspecified vulnerability that stems from an error in the Microsoft 'gdiplus.dll' component included with the application.

NOTE: The issues described in this BID may be related to one or more of the issues described in the Microsoft MS08-052 security bulletin.

Reports indicate that this issue may allow attackers to execute arbitrary code in the context of the affected application, but Symantec has not confirmed this information.

This issue affects WinZip 11.x (prior to 11.2 SR-1) on Windows 2000 systems.

99. CAcert 'analyse.php' Cross Site Scripting Vulnerability
BugTraq ID: 31481
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31481
Summary:
CAcert is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue affects versions of the CAcert source code released on or before September 21, 2008.

100. RETIRED: Multiple Vendors IMAP Servers Denial of Service Vulnerability
BugTraq ID: 31318
Remote: Yes
Last Updated: 2008-09-30
Relevant URL: http://www.securityfocus.com/bid/31318
Summary:
Multiple vendors' IMAP servers are prone to a remote denial-of-service vulnerability caused by an unspecified error when handling IMAP login requests.

An attacker can exploit this issue to make the affected applications unresponsive, denying service to legitimate users.

This issue affects:

University of Washington imapd
Carnegie Mellon University Cyrus IMAP Server
GNU Mailutils imapd

NOTE: Reports indicate that this issue arises when the affected servers are used with the Debian Sarge platform. Therefore, these issues may affect only Debian-specific instances. We will update this BID as more information emerges.

UPDATE: The issue is being retired because it has been determined not to be a vulnerability.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Researchers weigh "clickjacking" threat
By: Robert Lemos
A canceled presentation at a Web security summit attracts attention to the danger of overlaying Web pages with graphics to persuade a victim to click where an attacker wants.
http://www.securityfocus.com/news/11534

2. Security of Google's browser gets mixed marks
By: Robert Lemos
The search giant uses process isolation, least privilege rules, and sandboxing as the security foundation for its Chrome browser, but security experts say more is needed.
http://www.securityfocus.com/news/11533

3. Online intruders hit Red Hat, Fedora Project
By: Robert Lemos
A leading Linux company and its open-source distribution acknowledge that attackers breached several systems, including one that manages the Fedora signing process.
http://www.securityfocus.com/news/11532

4. Researchers race to zero in record time
By: Robert Lemos
On the first day, three teams of security professionals finished the Race to Zero contest, successfully modifying nine well-known viruses and exploits to escape detection by major antivirus engines.
http://www.securityfocus.com/news/11531

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Security Consultant, Newark
http://www.securityfocus.com/archive/77/496909

2. [SJ-JOB] Sr. Security Analyst, Richmond
http://www.securityfocus.com/archive/77/496896

3. [SJ-JOB] VP of Marketing, Alexandria
http://www.securityfocus.com/archive/77/496907

4. [SJ-JOB] Security Director, Portland
http://www.securityfocus.com/archive/77/496910

5. [SJ-JOB] Security Consultant, New York
http://www.securityfocus.com/archive/77/496913

6. [SJ-JOB] Director, Information Security, Waterbury
http://www.securityfocus.com/archive/77/496890

7. [SJ-JOB] Security Engineer, Moscow/St Petersburg or Home Working
http://www.securityfocus.com/archive/77/496895

8. [SJ-JOB] Certification & Accreditation Engineer, Springfield
http://www.securityfocus.com/archive/77/496908

9. [SJ-JOB] Security Engineer, Kiev
http://www.securityfocus.com/archive/77/496911

10. [SJ-JOB] Security Consultant, Nairobi
http://www.securityfocus.com/archive/77/496912

11. [SJ-JOB] Application Security Engineer, Washington
http://www.securityfocus.com/archive/77/496888

12. [SJ-JOB] Incident Handler, Any major US City (Cincinnati preferred)
http://www.securityfocus.com/archive/77/496889

13. [SJ-JOB] Security Engineer, Ashburn
http://www.securityfocus.com/archive/77/496893

14. [SJ-JOB] Incident Handler, Any US GIS Location/Unspecified State/USA
http://www.securityfocus.com/archive/77/496894

15. [SJ-JOB] Security Director, Minsk
http://www.securityfocus.com/archive/77/496897

16. [SJ-JOB] Sales Engineer, Chantilly
http://www.securityfocus.com/archive/77/496886

17. [SJ-JOB] Security Engineer, Schaumburg
http://www.securityfocus.com/archive/77/496887

V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #413
http://www.securityfocus.com/archive/88/496752

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------