Thursday, October 16, 2008

SecurityFocus Newsletter #475
----------------------------------------

This issue is sponsored by HP:

Download a FREE trial of HP WebInspect
Application attacks are growing more prevalent. New attacks are in the news each day. Now it's time for you to assess your applications and start detecting and removing vulnerabilities.
HP can help, with a full suite of application security solutions. Get started today with a complimentary trial download that uses an HP test application. Thoroughly analyze today's complex web applications in a runtime environment with fast scanning capabilities, broad assessment coverage and accurate web application scanning results.
Download WebInspect now:

https://h10078.www1.hp.com/cda/hpdc/navigation.do?action=downloadBinStart&zn=bto&cp=54_4012_100__&caid=14563&jumpid=ex_r11374_us/en/large/tsg/WebInspect_Eval_Secutiy_Focus/3-1QN6MII_3-UTM2ZJ/20081015&origin_id=3-1QN6MII


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. The Vice of Vice Presidential E-Mail
2. Blaming the Good Samaritan
II. BUGTRAQ SUMMARY
1. Lenovo System Update SSL Certificate Validation Security Bypass Vulnerability
2. Microsoft Windows Internet Printing Service Integer Overflow Vulnerability
3. Ignite Gallery 'gallery' Parameter SQL Injection Vulnerability
4. Joomla! and Mambo Mad4Joomla Mailforms Component SQL Injection Vulnerability
5. MunzurSoft Wep Portal 'kategori.asp' SQL Injection Vulnerability
6. Easynet4u Link Host 'directory.php' SQL Injection Vulnerability
7. Easynet4u Faq Host 'faq.php' SQL Injection Vulnerability
8. Easynet4u Forum Host 'forum.php' SQL Injection Vulnerability
9. Ayco Okul Portali 'default.asp' SQL Injection Vulnerability
10. Scriptsez Mini Hosting Panel 'members.php' Local File Include Vulnerability
11. Nokia Web Browser for S60 Infinite Array Sort Denial of Service Vulnerability
12. Microsoft Outlook Web Access for Exchange Server 'redir.asp' URI Redirection Vulnerability
13. Microsoft Excel Calendar Object Validation Remote Code Execution Vulnerability
14. Microsoft Internet Explorer Uninitialized Object Remote Memory Corruption Vulnerability
15. Microsoft Windows AFD Driver Local Privilege Escalation Vulnerability
16. Microsoft Excel BIFF File Format Parsing Remote Code Execution Vulnerability
17. Apple Mac OS X 10.5 'launchd' Unspecified Security Bypass Vulnerability
18. Apple PSNormalizer PostScript Buffer Overflow Vulnerability
19. Apple Mac OS X Server Weblog Access Control List Security Bypass Vulnerability
20. Apple Mac OS X 10.5 Postfix Security Bypass Vulnerability
21. Apple Finder Denial of Service Vulnerability
22. Apple Script Editor Unspecified Insecure Temporary File Creation Vulnerability
23. Apple Mac OS X ColorSync ICC Profile Remote Buffer Overflow Vulnerability
24. Apple Mac OS X 'configd' EAPOLController Plugin Local Heap Based Buffer Overflow Vulnerability
25. Apple Mac OS X 'hosts.equiv' Security Bypass Vulnerability
26. Apple OS X QuickLook Excel File Integer Overflow Vulnerability
27. Multiple Telecom Italia Routers Authentication Bypass Vulnerability
28. WP Comment Remix 1.4.3 SQL Injection and HTML Injection Vulnerabilities
29. Mon 'alert.d/test.alert' Insecure Temporary File Creation Vulnerability
30. IndexScript 'sug_cat.php' SQL Injection Vulnerability
31. Websense Reporter 'CreateDbInstall.log' Local Information Disclosure Vulnerability
32. ParsBlogger 'links.asp' SQL Injection Vulnerability
33. XOOPS xhresim Module 'index.php' SQL Injection Vulnerability
34. IBM ENOVIA Security Bypass Vulnerability
35. Mozilla Firefox '.url' Shortcut Processing Information Disclosure Vulnerability
36. IP Reg Multiple SQL Injection Vulnerabilities
37. Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities
38. Ruby on Rails ':offset' And ':limit' Parameters SQL Injection Vulnerabilities
39. Hewlett-Packard Systems Insight Manager Unspecified Unauthorized Access Vulnerability
40. Sun Solstice AdminSuite 'sadmind' 'adm_build_path()' Remote Stack Buffer Overflow Vulnerability
41. RaidenFTPD 'MLST' Command Remote Stack Based Buffer Overflow Vulnerability
42. Linksys WAP4400N Marvell Wireless Chipset Driver Remote Denial of Service Vulnerability
43. ASP Indir Iltaweb Alisveris Sistemi 'xurunler.asp' SQL Injection Vulnerability
44. Lenovo Rescue and Recovery 'tvtumon.sys' Heap Overflow Vulnerability
45. XM Easy Personal FTP Server 'NSLT' Command Remote Denial of Service Vulnerability
46. Oracle Database Server 'CREATE ANY DIRECTORY' Privilege Escalation Vulnerability
47. Debian chm2pdf Insecure Temporary File Creation Vulnerability
48. SlimCMS 'redirect.php' Security Bypass Vulnerability
49. mini-pub 'cat.php' Remote Command Execution Vulnerability
50. EEB-CMS 'index.php' Cross-Site Scripting Vulnerability
51. 'com_jeux' Joomla! Component 'id' Parameter SQL Injection Vulnerability
52. GuildFTPd 'LIST' Command Heap Overflow Vulnerability
53. Oracle WebLogic Server Apache Connector Stack Based Buffer Overflow Vulnerability
54. Husdawg System Requirements Lab Multiple Remote Code Execution Vulnerabilities
55. Oracle October 2008 Oracle Critical Patch Update Multiple Vulnerabilities
56. CUPS Multiple Heap Based Buffer Overflow Vulnerabilities
57. CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability
58. Drupal Multiple Remote Access Validation Vulnerabilities and Weaknesses
59. Drupal Insecure Cookie Disclosure Weakness
60. Neon Digest Authentication Null Pointer Exception Denial Of Service Vulnerability
61. BlueZ SDP Payload Processing Multiple Buffer Overflow Vulnerabilities
62. CafeEngine Easy Cafe Engine 'itemid' Parameter SQL Injection Vulnerability
63. Mic_blog SQL Injection and Unauthorized Access Vulnerabilities
64. CafeEngine 'id' Parameter Multiple SQL Injection Vulnerabilities
65. Kure Multiple Local File Include Vulnerabilities
66. PokerMax Poker League Tournament Script Cookie Authentication Bypass Vulnerability
67. Hummingbird HostExplorer ActiveX Control 'PlainTextPassword()' Buffer Overflow Vulnerability
68. Mosaic Commerce 'category.php' SQL Injection Vulnerability
69. IP Reg 'locationdel.php' SQL Injection Vulnerability
70. Drupal Node Clone Module Information Disclosure Vulnerability
71. Drupal Node Vote Module Cast Vote SQL Injection Vulnerability
72. myPHPNuke 'displayCategory.php' Multiple Remote File Include Vulnerabilities
73. WEB//NEWS Multiple SQL Injection Vulnerabilities
74. Microsoft Host Integration Server RPC Remote Command Execution Vulnerability
75. CUPS PNG Filter Multiple Integer Overflow Vulnerabilities
76. Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability
77. D-Bus 'dbus_signature_validate()' Type Signature Denial of Service Vulnerability
78. Adobe Flash CS3 Professional SWF File Heap Buffer Overflow Vulnerability
79. NewLife Blogger 'nlb3' Cookie SQL Injection Vulnerability
80. Microsoft Message Queuing Service RPC Query Heap Corruption Vulnerability
81. mini-pub Multiple Information Disclosure Vulnerabilities
82. LokiCMS 'index.php' Information Disclosure Vulnerability
83. Globsy 'globsy_edit.php' Arbitrary File Overwrite Vulnerability
84. My PHP Indexer 'index.php' Directory Traversal Vulnerability
85. OwnBiblio Joomla! Component 'catid' Parameter SQL Injection Vulnerability
86. Absolute Poll Manager 'xlacomments.asp' SQL Injection Vulnerability
87. Real Estate Classifieds 'index.php' SQL Injection Vulnerability
88. Exiv2 EXIF File Handling Integer Overflow Vulnerability
89. Exiv2 Pretty Printing for Nikon Lens Metadata Denial of Service Vulnerability
90. libexif Image Tag Remote Denial Of Service Vulnerability
91. Quick Tftp Server Pro 'mode' Remote Buffer Overflow Vulnerability
92. HP OpenView Network Node Manager Directory Traversal and Multiple Denial Of Service Vulnerabilities
93. Sun Java System Web Proxy Server FTP Subsystem Heap Based Buffer Overflow Vulnerability
94. libxml2 Denial of Service Vulnerability
95. Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
96. Adobe Flash Player Policy File Cross Domain Security Bypass Vulnerability
97. Adobe Flash Player Clipboard Security Weakness
98. Adobe ActionScript SecurityErrorEvent Security Bypass Vulnerability
99. Xen Para Virtualized Frame Buffer Backend Local Buffer Overflow Vulnerability
100. libexif Image Tag Remote Integer Overflow Vulnerability
III. SECURITYFOCUS NEWS
1. You don't know (click)jack
2. Researchers weigh "clickjacking" threat
3. Security of Google's browser gets mixed marks
4. Online intruders hit Red Hat, Fedora Project
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Sr. Security Analyst, Dallas
2. [SJ-JOB] Security System Administrator, Eagan
3. [SJ-JOB] Information Assurance Engineer, San Diego
4. [SJ-JOB] Information Assurance Engineer, San Diego
5. [SJ-JOB] Security Consultant, London
6. [SJ-JOB] Security Engineer, Milwaukee
7. [SJ-JOB] Sales Engineer, Worcester
8. [SJ-JOB] Security Researcher, France
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #415
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. The Vice of Vice Presidential E-Mail
By Mark Rasch
Seems like a simple question, but the law is not so clear. In mid-September 2008, a hacker using the handle "Rubico" claimed credit for breaking into the Yahoo! e-mail account of Governor Sarah Palin, the Republican Vice Presidential candidate. In a post online, Rubico wrote that he had been following news reports that claimed Palin had been using her personal Yahoo e-mail account for official government business.
http://www.securityfocus.com/columnists/482

2. Blaming the Good Samaritan
By Houston Carr
In the early 90's, I attended an academic conference in Hawaii. At one presentation, a colleague from the University of California at Berkeley whom I'll refer to as "the supervisor," told a story of young hackers, whom he referred to as the Urchins
http://www.securityfocus.com/columnists/481


II. BUGTRAQ SUMMARY
--------------------
1. Lenovo System Update SSL Certificate Validation Security Bypass Vulnerability
BugTraq ID: 29366
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/29366
Summary:
Lenovo System Update is prone to a security-bypass vulnerability because the application fails to properly check SSL certificates.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers, which can lead to the installation of arbitrary software on an affected computer. This may result in a complete compromise of the computer.

This issue affects Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3); other versions may also be vulnerable.

2. Microsoft Windows Internet Printing Service Integer Overflow Vulnerability
BugTraq ID: 31682
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31682
Summary:
Microsoft Internet Printing Service is prone to an integer-overflow vulnerability.

Exploiting this vulnerability allows attackers to execute arbitrary code with the privileges of the user running the affected service.

3. Ignite Gallery 'gallery' Parameter SQL Injection Vulnerability
BugTraq ID: 31714
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31714
Summary:
Ignite Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Ignite Gallery 0.8.3 is vulnerable; other versions may also be affected.

4. Joomla! and Mambo Mad4Joomla Mailforms Component SQL Injection Vulnerability
BugTraq ID: 31712
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31712
Summary:
The Mad4Joomla Mailforms component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

5. MunzurSoft Wep Portal 'kategori.asp' SQL Injection Vulnerability
BugTraq ID: 31713
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31713
Summary:
MunzurSoft Wep Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MunzurSoft Wep Portal W3 is vulnerable; other versions may also be affected.

6. Easynet4u Link Host 'directory.php' SQL Injection Vulnerability
BugTraq ID: 31717
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31717
Summary:
Easynet4u Link Host is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

7. Easynet4u Faq Host 'faq.php' SQL Injection Vulnerability
BugTraq ID: 31710
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31710
Summary:
Easynet4u Faq Host is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

8. Easynet4u Forum Host 'forum.php' SQL Injection Vulnerability
BugTraq ID: 31709
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31709
Summary:
Easynet4u Forum Host is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

9. Ayco Okul Portali 'default.asp' SQL Injection Vulnerability
BugTraq ID: 31704
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31704
Summary:
Ayco Okul Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

10. Scriptsez Mini Hosting Panel 'members.php' Local File Include Vulnerability
BugTraq ID: 31701
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31701
Summary:
Scriptsez Mini Hosting Panel is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
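The include pattern described above, as an added Python illustration that is not the Mini Hosting Panel's own source: the vulnerable form glues the request parameter onto a base directory, while the hardened form resolves the path and refuses anything that lands outside that directory. MEMBERS_DIR, the function names and the request values are assumptions made for the example.

```python
import os

# Added example, not the Mini Hosting Panel's source. MEMBERS_DIR is an assumed
# document root; the request values used below are constructed for the demo.

MEMBERS_DIR = "/var/www/panel/members"


def include_member_page_vulnerable(page: str) -> str:
    """Bug pattern: glue the parameter onto a base directory and open it.
    Returns the path the script would open instead of opening it. Note that
    an absolute parameter makes os.path.join discard the base entirely."""
    return os.path.join(MEMBERS_DIR, page)


def include_member_page_safe(page: str, base: str = MEMBERS_DIR) -> str:
    """Resolve the path and refuse anything outside `base`.

    realpath() collapses '..' segments and follows symlinks, so the comparison
    is made on the path the OS would actually open, not on the raw parameter.
    A NUL byte is rejected up front: a runtime that stops reading the name at
    NUL would otherwise open a different file from the one this check saw.
    """
    if "\x00" in page:
        raise PermissionError("NUL byte in path: %r" % page)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, page))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError("path escapes %s: %r" % (base, page))
    return target


def is_allowed(page: str) -> bool:
    """True if the hardened check would serve `page`, False if it refuses."""
    try:
        include_member_page_safe(page)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for p in ("profile/index.php", "../../../../etc/passwd", "/etc/passwd"):
        print("%-28s vulnerable -> %s" % (p, include_member_page_vulnerable(p)))
        print("%-28s allowed    -> %s" % (p, is_allowed(p)))
```

The check deliberately compares resolved paths rather than rejecting the substring "..", which misses encoded, absolute and symlink variants of the same escape.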

11. Nokia Web Browser for S60 Infinite Array Sort Denial of Service Vulnerability
BugTraq ID: 31703
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31703
Summary:
Nokia Web Browser for S60 is prone to a denial-of-service vulnerability when handling malicious HTML files.

A successful exploit of this issue allows remote attackers to consume excessive system resources in the affected browser, which will cause the application to crash and deny service to legitimate users. Attackers may also be able to run arbitrary code, but this has not been confirmed.

12. Microsoft Outlook Web Access for Exchange Server 'redir.asp' URI Redirection Vulnerability
BugTraq ID: 31765
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31765
Summary:
Outlook Web Access is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks.

OWA 6.5 SP 2 is vulnerable; other versions may also be affected.
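The validation this entry describes as missing, as an added Python example that is not Microsoft's code: a redirect endpoint that forwards to its parameter unchanged beside one that accepts only site-relative paths or https URLs on its own host and rebuilds the target from parsed components. OWA_HOST and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not Microsoft's code. OWA_HOST is an assumed site name and the
# function names are invented for the demonstration.

OWA_HOST = "mail.example.com"


def redirect_target_vulnerable(url: str) -> str:
    """Bug pattern: the request parameter becomes the Location header as-is."""
    return url


def redirect_target_safe(url: str, host: str = OWA_HOST) -> str:
    """Accept only site-relative paths or https URLs on our own host (a
    scheme-relative '//host/...' form is upgraded to https); send everything
    else to '/'. The result is rebuilt from parsed components so the original
    string cannot carry anything the check did not look at."""
    url = url.strip().replace("\\", "/")          # browsers treat '\' as '/'
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # absolute ('https://...') or scheme-relative ('//host/...') target:
        # reject foreign schemes, foreign hosts and userinfo tricks such as
        # 'https://mail.example.com@evil.example/'
        if (parts.scheme not in ("", "https") or parts.hostname != host
                or parts.username is not None or parts.password is not None):
            return "/"
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    # relative target: must be a single leading slash ('//x' would be a host)
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/owa/inbox?folder=x", "//evil.example/phish",
                      "https://mail.example.com@evil.example/", "javascript:alert(1)"):
        print("%-45s -> %s" % (candidate, redirect_target_safe(candidate)))
```

Rebuilding the URL matters as much as the host comparison: returning the original string after a successful check would still pass through fragments, odd encodings or a port the check never examined.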

13. Microsoft Excel Calendar Object Validation Remote Code Execution Vulnerability
BugTraq ID: 31702
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31702
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application.

14. Microsoft Internet Explorer Uninitialized Object Remote Memory Corruption Vulnerability
BugTraq ID: 31617
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31617
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

15. Microsoft Windows AFD Driver Local Privilege Escalation Vulnerability
BugTraq ID: 31673
Remote: No
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31673
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability in the Ancillary Function Driver ('afd.sys').

A successful exploit of this vulnerability will let a local attacker completely compromise an affected computer.

16. Microsoft Excel BIFF File Format Parsing Remote Code Execution Vulnerability
BugTraq ID: 31705
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31705
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application.

17. Apple Mac OS X 10.5 'launchd' Unspecified Security Bypass Vulnerability
BugTraq ID: 31722
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31722
Summary:
Apple Mac OS X 'launchd' is prone to a security-bypass vulnerability.

Attackers may be able to leverage this issue to perform certain actions with elevated privileges in the context of the affected application, because the application fails to enter its sandbox.

This issue affects Mac OS X v10.5.

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability.

18. Apple PSNormalizer PostScript Buffer Overflow Vulnerability
BugTraq ID: 31719
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31719
Summary:
Apple's PSNormalizer is prone to a buffer-overflow vulnerability that may allow remote attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

The following versions are affected:

Mac OS X v10.4.11 and prior
Mac OS X Server v10.4.11 and prior
Mac OS X v10.5.5 and prior
Mac OS X Server v10.5.5 and prior

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability.

19. Apple Mac OS X Server Weblog Access Control List Security Bypass Vulnerability
BugTraq ID: 31718
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31718
Summary:
Apple Mac OS X Server Weblog is prone to a security-bypass vulnerability because it may fail to properly save ACLs (Access Control Lists) in certain cases.

Attackers can exploit this issue to bypass ACL restrictions to perform unauthorized actions with the application.

Mac OS X Server 10.4 through 10.4.11 is vulnerable to this issue.

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document this vulnerability.

20. Apple Mac OS X 10.5 Postfix Security Bypass Vulnerability
BugTraq ID: 31721
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31721
Summary:
Apple Mac OS X Postfix is prone to a security-bypass vulnerability.

Attackers may be able to send email to local users and otherwise make use of the SMTP protocol.

This issue affects Mac OS X v10.5.

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability.

21. Apple Finder Denial of Service Vulnerability
BugTraq ID: 31720
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31720
Summary:
Apple Finder is prone to a denial-of-service vulnerability.

This issue arises when the application tries to create an icon for maliciously crafted files that are located on the desktop. Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.

This issue affects Mac OS X v10.5.5 and Mac OS X Server v10.5.5.

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability.

22. Apple Script Editor Unspecified Insecure Temporary File Creation Vulnerability
BugTraq ID: 31716
Remote: No
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31716
Summary:
Apple Script Editor creates temporary files in an insecure manner.

An attacker with local access may exploit this issue to gain the privileges of a user running the vulnerable program.

No further details are available. We will update this BID as more information emerges.

The following versions are affected:

Mac OS X 10.4.11 and prior
Mac OS X Server 10.4.11 and prior
Mac OS X 10.5.5 and prior
Mac OS X Server 10.5.5 and prior

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document this vulnerability.

23. Apple Mac OS X ColorSync ICC Profile Remote Buffer Overflow Vulnerability
BugTraq ID: 31715
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31715
Summary:
Apple Mac OS X is prone to a remote buffer-overflow vulnerability that occurs in ColorSync. This issue occurs because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code within the context of the affected software. Failed exploit attempts will result in a denial-of-service condition.

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document this vulnerability.

24. Apple Mac OS X 'configd' EAPOLController Plugin Local Heap Based Buffer Overflow Vulnerability
BugTraq ID: 31711
Remote: No
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31711
Summary:
Apple Mac OS X is prone to a local heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input.

Attackers can exploit this issue to execute arbitrary code in the context of the affected software or to obtain system-level privileges. Failed attempts will cause denial-of-service conditions.

The following versions are affected:

Mac OS X v10.4.11 and prior
Mac OS X Server v10.4.11 and prior
Mac OS X v10.5.5 and prior
Mac OS X Server v10.5.5 and prior

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document this vulnerability.

25. Apple Mac OS X 'hosts.equiv' Security Bypass Vulnerability
BugTraq ID: 31708
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31708
Summary:
Apple Mac OS X is prone to a security-bypass vulnerability related to the 'hosts.equiv' configuration file.

Attackers connecting from hosts listed as trusted in 'hosts.equiv' may be able to log in as root via 'rlogind' without proper authentication.

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document this vulnerability.

26. Apple OS X QuickLook Excel File Integer Overflow Vulnerability
BugTraq ID: 31707
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31707
Summary:
Apple OS X QuickLook is prone to an integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue is related to the handling of Microsoft Excel spreadsheet files.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.
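The integer-overflow pattern behind this entry, and behind the Internet Printing Service and CUPS PNG filter entries in this issue, as an added example that is not Apple's code: a record header's 32-bit dimensions are multiplied to size a buffer, the product wraps, and the copy that follows the too-small allocation overflows. The header layout is hypothetical; Python integers do not wrap, so the unchecked variant masks to 32 bits to reproduce the C arithmetic.

```python
import struct

# Added example; not Apple's code. The record layout is hypothetical: three
# little-endian uint32 fields (rows, columns, bytes per cell) whose product
# sizes a buffer. Python integers never wrap, so the unchecked variant masks
# the product to 32 bits to show what uint32 arithmetic in C produces.

UINT32_MASK = 0xFFFFFFFF
MAX_ALLOC = 64 * 1024 * 1024          # assumed ceiling a sane parser imposes


def parse_dimensions(header: bytes) -> tuple:
    if len(header) < 12:
        raise ValueError("header truncated")
    return struct.unpack("<III", header[:12])


def buffer_size_unchecked(header: bytes) -> int:
    """What the vulnerable code computes: the product, truncated to 32 bits.
    A wrapped result means malloc() gets a tiny size while the parser still
    believes it has rows*cols cells of room."""
    rows, cols, cell = parse_dimensions(header)
    return (rows * cols * cell) & UINT32_MASK


def buffer_size_checked(header: bytes) -> int:
    """Bound each factor before multiplying, using division so the test itself
    cannot overflow; this is the same shape the check must take in C."""
    rows, cols, cell = parse_dimensions(header)
    if rows == 0 or cols == 0 or cell == 0:
        raise ValueError("zero-sized dimension")
    if rows > MAX_ALLOC or cols > MAX_ALLOC // rows or cell > MAX_ALLOC // (rows * cols):
        raise ValueError("dimensions exceed allocation limit")
    return rows * cols * cell


def checked_accepts(header: bytes) -> bool:
    """True if the bounded parser would allocate for this header."""
    try:
        buffer_size_checked(header)
        return True
    except ValueError:
        return False


# Constructed inputs. 0x10000 * 0x10000 * 4 = 2**34, which a uint32 holds as 0.
CRAFTED = struct.pack("<III", 0x10000, 0x10000, 4)
# 0x10001 * 0x10000 = 2**32 + 0x10000: wraps to a small but non-zero 65536.
CRAFTED_SMALL = struct.pack("<III", 0x10001, 0x10000, 1)
BENIGN = struct.pack("<III", 100, 20, 8)

if __name__ == "__main__":
    for label, hdr in (("crafted", CRAFTED), ("crafted-small", CRAFTED_SMALL), ("benign", BENIGN)):
        print("%-14s unchecked=%d  checked accepts=%s"
              % (label, buffer_size_unchecked(hdr), checked_accepts(hdr)))
```

The second crafted header is the more dangerous of the two in practice: a zero-byte allocation often fails loudly, whereas a 64 KiB buffer that the parser then fills with 4 GiB of data is a clean heap overflow.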

NOTE: This issue was previously covered in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities) but has been given its own record to better document this vulnerability.

27. Multiple Telecom Italia Routers Authentication Bypass Vulnerability
BugTraq ID: 31754
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31754
Summary:
Multiple Telecom Italia routers are prone to an authentication bypass vulnerability that may allow attackers to gain access to a router's administration interface and unauthorized access to certain services.

Successfully exploiting this issue will allow attackers to gain unauthorized administrative access to the affected device and activate services such as telnet, ftp, and tftp.

The following routers are affected:

AGA (Alice Gate2 plus Wi-Fi)
AGB (Alice Gate2 plus)
AG2P-AG3 (Alice Gate W2+)
AGPV-AGPF (Alice Gate VoIP 2 Plus Wi-Fi)

28. WP Comment Remix 1.4.3 SQL Injection and HTML Injection Vulnerabilities
BugTraq ID: 31750
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31750
Summary:
WP Comment Remix is prone to an SQL-injection issue and multiple HTML-injection issues because it fails to properly sanitize user-supplied input.

An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WP Comment Remix 1.4.3 is vulnerable; other versions may also be affected.

29. Mon 'alert.d/test.alert' Insecure Temporary File Creation Vulnerability
BugTraq ID: 31597
Remote: No
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31597
Summary:
mon creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
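The symlink attack described for mon here, and for Script Editor in entry 22, as an added Python demonstration that is not code from either project. It runs entirely inside a fresh temporary directory standing in for the shared /tmp: the attacker plants a symlink at the predictable name, the vulnerable writer follows it and clobbers the victim file, and the hardened writer refuses. The name 'test.alert.tmp' and the victim file are constructed for the example.

```python
import os
import shutil
import stat
import tempfile

# Added example, not code from mon or from Apple's Script Editor. Everything
# happens inside a fresh directory that stands in for the shared /tmp; the
# file name "test.alert.tmp" and the victim file are constructed for the demo.


def attacker_plants_symlink(tmpdir: str, name: str, victim: str) -> None:
    """The local attacker wins the race: the predictable name already exists
    as a symlink to a file the victim process can write but the attacker cannot."""
    os.symlink(victim, os.path.join(tmpdir, name))


def write_report_vulnerable(tmpdir: str, name: str, data: bytes) -> None:
    """Bug pattern: open a fixed name for writing. Mode 'wb' follows the
    symlink and truncates whatever it points at."""
    with open(os.path.join(tmpdir, name), "wb") as f:
        f.write(data)


def write_report_safe(tmpdir: str, name: str, data: bytes) -> None:
    """Create the file atomically: O_EXCL fails if anything already exists at
    the path, symlinks included; O_NOFOLLOW refuses to traverse one; and mode
    0600 keeps other users out of the result."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(tmpdir, name), flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Returns (victim after vulnerable write, safe write refused?,
    victim after safe attempt, mode of a mkstemp() file)."""
    tmpdir = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        victim = os.path.join(tmpdir, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original contents\n")
        attacker_plants_symlink(tmpdir, "test.alert.tmp", victim)

        write_report_vulnerable(tmpdir, "test.alert.tmp", b"attacker-chosen\n")
        with open(victim, "rb") as f:
            after_vulnerable = f.read()

        with open(victim, "wb") as f:            # restore, then retry safely
            f.write(b"original contents\n")
        try:
            write_report_safe(tmpdir, "test.alert.tmp", b"attacker-chosen\n")
            refused = False
        except OSError:                          # EEXIST (or ELOOP from O_NOFOLLOW)
            refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        # The standard answer: an unpredictable name created with O_EXCL and 0600.
        fd, path = tempfile.mkstemp(prefix="test.alert.", dir=tmpdir)
        os.close(fd)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return after_vulnerable, refused, after_safe, mode
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(demo())
```

The fix is not "check whether the file exists first": that check and the open are two separate system calls, and the attacker can plant the symlink between them. Only the atomic O_CREAT|O_EXCL open, or a library wrapper around it such as mkstemp(), closes the window.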

30. IndexScript 'sug_cat.php' SQL Injection Vulnerability
BugTraq ID: 31744
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31744
Summary:
IndexScript is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

IndexScript 3.0 is vulnerable; other versions may also be affected.

31. Websense Reporter 'CreateDbInstall.log' Local Information Disclosure Vulnerability
BugTraq ID: 31746
Remote: No
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31746
Summary:
Websense Reporter is prone to a local information-disclosure vulnerability because it fails to securely store sensitive data.

Local attackers can exploit this issue to obtain the SQL administrator's login credentials.

Websense Reporter 6.3.2 is vulnerable; other versions may also be affected.

32. ParsBlogger 'links.asp' SQL Injection Vulnerability
BugTraq ID: 31745
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31745
Summary:
ParsBlogger is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

33. XOOPS xhresim Module 'index.php' SQL Injection Vulnerability
BugTraq ID: 31749
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31749
Summary:
XOOPS 'xhresim' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

34. IBM ENOVIA Security Bypass Vulnerability
BugTraq ID: 31748
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31748
Summary:
IBM ENOVIA is prone to an unspecified security-bypass vulnerability.

Attackers may be able to exploit this vulnerability to open documents for which they do not have appropriate permissions.

This issue affects versions prior to ENOVIA V5R18 SP5.

35. Mozilla Firefox '.url' Shortcut Processing Information Disclosure Vulnerability
BugTraq ID: 31747
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31747
Summary:
Mozilla Firefox is prone to an information-disclosure vulnerability when processing '.url' shortcut files in HTML elements.

An attacker can exploit the issue to obtain sensitive information such as browser cache files, cookie data, or local filesystem details. Information harvested may aid in further attacks.

Mozilla Firefox 3.0.1, 3.0.2, and 3.0.3 are reported vulnerable.

36. IP Reg Multiple SQL Injection Vulnerabilities
BugTraq ID: 26993
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/26993
Summary:
IP Reg is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

These issues affect IP Reg 0.3 and 0.4; other versions may also be affected.

37. Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities
BugTraq ID: 30691
Remote: No
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/30691
Summary:
Postfix is prone to a local privilege-escalation vulnerability and a local information-disclosure vulnerability.

Local attackers can exploit this issue to read other users' mail or execute arbitrary commands with superuser privileges.

Versions prior to Postfix 2.5.4 Patchlevel 4 are vulnerable.

38. Ruby on Rails ':offset' And ':limit' Parameters SQL Injection Vulnerabilities
BugTraq ID: 31176
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31176
Summary:
Ruby on Rails is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Versions prior to Ruby on Rails 2.1.1 are affected.

39. Hewlett-Packard Systems Insight Manager Unspecified Unauthorized Access Vulnerability
BugTraq ID: 31777
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31777
Summary:
Systems Insight Manager (SIM) is prone to an unspecified unauthorized-access vulnerability. A remote attacker may exploit this issue to gain unauthorized access to data.

Versions prior to SIM 5.2 SP2 are vulnerable.

40. Sun Solstice AdminSuite 'sadmind' 'adm_build_path()' Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 31751
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31751
Summary:
Sun Solstice AdminSuite is prone to a remote stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied input.

Attackers can leverage this issue to execute arbitrary code in the context of the application. Successful exploits will compromise the application and the underlying computer. Failed attacks will cause denial-of-service conditions.

We don't know which specific versions of Solstice AdminSuite are affected, but versions for Solaris 8 and 9 are reported to be vulnerable. We will update this BID as more information emerges.

41. RaidenFTPD 'MLST' Command Remote Stack Based Buffer Overflow Vulnerability
BugTraq ID: 31741
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31741
Summary:
RaidenFTPD is prone to a remote stack-based buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

RaidenFTPD 2.4 build 3620 is vulnerable; other versions may also be affected.

42. Linksys WAP4400N Marvell Wireless Chipset Driver Remote Denial of Service Vulnerability
BugTraq ID: 31742
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31742
Summary:
Linksys WAP4400N wireless access point devices are prone to a denial-of-service vulnerability because they fail to adequately verify user-supplied input.

Remote attackers can exploit this issue to hang or reboot a vulnerable device, denying service to legitimate users. Attackers may also be able to run arbitrary code, but this has not been confirmed.

Linksys WAP4400N devices running firmware 1.2.14 are vulnerable.

NOTE: Since the flaw is in the Marvell 88W8361P-BEM1 chipset driver, other devices and firmware versions using the same code may also be affected.

43. ASP Indir Iltaweb Alisveris Sistemi 'xurunler.asp' SQL Injection Vulnerability
BugTraq ID: 31740
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31740
Summary:
ASP Indir Iltaweb Alisveris Sistemi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

44. Lenovo Rescue and Recovery 'tvtumon.sys' Heap Overflow Vulnerability
BugTraq ID: 31737
Remote: No
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31737
Summary:
Lenovo Rescue and Recovery is prone to a heap-based overflow vulnerability.

A successful exploit of this vulnerability can allow a local attacker to completely compromise the affected computer.

Lenovo Rescue and Recovery 4.20 is vulnerable.

45. XM Easy Personal FTP Server 'NSLT' Command Remote Denial of Service Vulnerability
BugTraq ID: 31739
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31739
Summary:
XM Easy Personal FTP Server is prone to a remote denial-of-service vulnerability.

This issue allows remote attackers to crash affected FTP servers, denying service to legitimate users.

XM Easy Personal FTP Server 5.6.0 is vulnerable; other versions may also be affected.

46. Oracle Database Server 'CREATE ANY DIRECTORY' Privilege Escalation Vulnerability
BugTraq ID: 31738
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31738
Summary:
Oracle Database Server is prone to a privilege-escalation issue related to the 'CREATE ANY DIRECTORY' user privilege.

Attackers may exploit this issue to gain full SYSDBA privileges on the vulnerable database server.

This issue affects Oracle Database 10.1, 10.2, and 11g; additional versions may also be vulnerable.

47. Debian chm2pdf Insecure Temporary File Creation Vulnerability
BugTraq ID: 31735
Remote: No
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31735
Summary:
Debian 'chm2pdf' creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Debian 'chm2pdf' 0.9.1 is vulnerable; other versions may also be affected.

48. SlimCMS 'redirect.php' Security Bypass Vulnerability
BugTraq ID: 31736
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31736
Summary:
SlimCMS is prone to a vulnerability that allows an attacker to add an arbitrary new user to the system.

An attacker can leverage this vulnerability to gain administrative access to the application.

SlimCMS 1.0.0 is vulnerable; other versions may also be affected.

49. mini-pub 'cat.php' Remote Command Execution Vulnerability
BugTraq ID: 31734
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31734
Summary:
'mini-pub' is prone to a vulnerability that attackers can leverage to execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately sanitize user-supplied input.

Successful attacks can compromise the affected application and possibly the underlying computer.

This issue affects mini-pub 0.3; other versions may also be affected.

50. EEB-CMS 'index.php' Cross-Site Scripting Vulnerability
BugTraq ID: 31732
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31732
Summary:
EEB-CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

EEB-CMS 0.95 is affected; other versions may be vulnerable as well.

51. 'com_jeux' Joomla! Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 31731
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31731
Summary:
The 'com_jeux' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

52. GuildFTPd 'LIST' Command Heap Overflow Vulnerability
BugTraq ID: 31729
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31729
Summary:
GuildFTPd is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input. The vulnerability occurs when handling FTP 'LIST' requests.

Successfully exploiting this issue allows attackers to execute arbitrary code with the privileges of a user running the application. Failed exploit attempts will result in a denial-of-service condition.

GuildFTPd 0.999.8.11 and 0.999.14 are vulnerable; other versions may also be affected.

53. Oracle WebLogic Server Apache Connector Stack Based Buffer Overflow Vulnerability
BugTraq ID: 31761
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31761
Summary:
Oracle WebLogic Server Apache Connector is prone to a stack-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in a denial-of-service condition.

54. Husdawg System Requirements Lab Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 31752
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31752
Summary:
Husdawg System Requirements Lab ActiveX controls and Java applets are prone to multiple remote code-execution vulnerabilities.

A successful exploit will allow attackers to download and execute arbitrary files on the affected computer in the context of the application that uses the plugins.

55. Oracle October 2008 Oracle Critical Patch Update Multiple Vulnerabilities
BugTraq ID: 31683
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31683
Summary:
Oracle has released the October 2008 critical patch update addressing 36 vulnerabilities affecting the following software:

Oracle Database
Oracle Application Server
Oracle E-Business Suite
Oracle PeopleSoft Enterprise PeopleTools
Oracle PeopleSoft Enterprise
Oracle JD Edwards EnterpriseOne Tools
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop)

56. CUPS Multiple Heap Based Buffer Overflow Vulnerabilities
BugTraq ID: 31690
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31690
Summary:
CUPS is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before using it to allocate memory buffers.

Remote attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local attackers may also exploit these vulnerabilities to elevate privileges.

Successful remote exploits may require printer sharing to be enabled on the vulnerable system.

These issues affect versions prior to CUPS 1.3.9.

57. CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability
BugTraq ID: 31688
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31688
Summary:
CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2' filter.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.

Successful remote exploits may require printer sharing to be enabled on the vulnerable system.

The issue affects versions prior to CUPS 1.3.9.

NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.

58. Drupal Multiple Remote Access Validation Vulnerabilities and Weaknesses
BugTraq ID: 31662
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31662
Summary:
Drupal is prone to multiple remote access-validation vulnerabilities and a weakness.

Exploiting these issues can allow an attacker to upload arbitrary files, obtain sensitive information, or perform unauthorized actions on affected sites. Other attacks may also be possible.

Versions prior to Drupal 5.11 and 6.5 are vulnerable.

59. Drupal Insecure Cookie Disclosure Weakness
BugTraq ID: 31285
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31285
Summary:
Drupal is prone to a cookie-disclosure weakness.

An attacker may leverage this issue to obtain sensitive information and steal cookie-based authentication credentials. This may aid in other attacks.

60. Neon Digest Authentication Null Pointer Exception Denial Of Service Vulnerability
BugTraq ID: 30710
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/30710
Summary:
The Neon library is prone to a remote denial-of-service vulnerability that occurs in the digest authentication mechanism.

An attacker can exploit this vulnerability to crash the application using the library, effectively denying service to legitimate users.

Neon 0.28.0 through 0.28.2 are vulnerable; other versions may also be affected.

61. BlueZ SDP Payload Processing Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 30105
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/30105
Summary:
BlueZ is prone to multiple buffer-overflow vulnerabilities.

Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed attempts will result in a denial-of-service condition.

BlueZ 3.34 and prior versions are affected.

62. CafeEngine Easy Cafe Engine 'itemid' Parameter SQL Injection Vulnerability
BugTraq ID: 31788
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31788
Summary:
CafeEngine Easy Cafe Engine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Easy Cafe Engine 1.1 is vulnerable; other versions may also be affected.

63. Mic_blog SQL Injection and Unauthorized Access Vulnerabilities
BugTraq ID: 31787
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31787
Summary:
Mic_blog is prone to an SQL-injection vulnerability and an unauthorized access vulnerability.

Exploiting these issues could allow an attacker to gain unauthorized administrative access to the application, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mic_blog 0.0.3 is vulnerable; other versions may also be affected.

64. CafeEngine 'id' Parameter Multiple SQL Injection Vulnerabilities
BugTraq ID: 31786
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31786
Summary:
CafeEngine is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

65. Kure Multiple Local File Include Vulnerabilities
BugTraq ID: 31785
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31785
Summary:
Kure is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.

Kure 0.6.3 is vulnerable; other versions may also be affected.

66. PokerMax Poker League Tournament Script Cookie Authentication Bypass Vulnerability
BugTraq ID: 31784
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31784
Summary:
PokerMax Poker League Tournament Script is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

67. Hummingbird HostExplorer ActiveX Control 'PlainTextPassword()' Buffer Overflow Vulnerability
BugTraq ID: 31783
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31783
Summary:
Hummingbird HostExplorer ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

68. Mosaic Commerce 'category.php' SQL Injection Vulnerability
BugTraq ID: 31782
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31782
Summary:
Mosaic Commerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

69. IP Reg 'locationdel.php' SQL Injection Vulnerability
BugTraq ID: 31781
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31781
Summary:
IP Reg is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

This issue affects IP Reg 0.4; other versions may also be vulnerable.

70. Drupal Node Clone Module Information Disclosure Vulnerability
BugTraq ID: 31780
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31780
Summary:
The Drupal Node Clone module is prone to an information-disclosure vulnerability because the application fails to restrict access to certain portions of the affected application.

Attackers can exploit this issue to gain access to sensitive information. Information obtained may lead to further attacks.

71. Drupal Node Vote Module Cast Vote SQL Injection Vulnerability
BugTraq ID: 31779
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31779
Summary:
Drupal Node Vote module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

72. myPHPNuke 'displayCategory.php' Multiple Remote File Include Vulnerabilities
BugTraq ID: 31778
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31778
Summary:
MyPHPNuke is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying computer; other attacks are also possible.

MyPHPNuke 188_8 rc2 is vulnerable; other versions may also be affected.

73. WEB//NEWS Multiple SQL Injection Vulnerabilities
BugTraq ID: 31776
Remote: Yes
Last Updated: 2008-10-16
Relevant URL: http://www.securityfocus.com/bid/31776
Summary:
WEB//NEWS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions of WEB//NEWS prior to 1.4.1a are vulnerable.

74. Microsoft Host Integration Server RPC Remote Command Execution Vulnerability
BugTraq ID: 31620
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31620
Summary:
Microsoft Windows is prone to a remote command-execution vulnerability in the SNA service through a remote procedure call (RPC).

Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected service.

75. CUPS PNG Filter Multiple Integer Overflow Vulnerabilities
BugTraq ID: 28781
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/28781
Summary:
CUPS is prone to multiple integer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied PNG image sizes before using them to allocate memory buffers.

Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts will likely cause denial-of-service conditions.

CUPS 1.3.7 is vulnerable; other versions may also be affected.

76. Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability
BugTraq ID: 28833
Remote: No
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/28833
Summary:
Microsoft Windows is prone to a privilege-escalation vulnerability.

Successful exploits may allow authenticated users to elevate their privileges to LocalSystem. This facilitates the complete compromise of affected computers.

The issue affects Microsoft Windows XP Professional SP2 and all versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008.

77. D-Bus 'dbus_signature_validate()' Type Signature Denial of Service Vulnerability
BugTraq ID: 31602
Remote: No
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31602
Summary:
D-Bus is prone to a local denial-of-service vulnerability because it fails to handle malformed signatures contained in messages.

Local attackers can exploit this issue to crash an application that uses the affected library, denying service to legitimate users.

This issue affects D-Bus 1.2.1; other versions may also be affected.

78. Adobe Flash CS3 Professional SWF File Heap Buffer Overflow Vulnerability
BugTraq ID: 31769
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31769
Summary:
Adobe Flash CS3 Professional is prone to a heap-buffer overflow vulnerability.

An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Flash CS3 Professional for Microsoft Windows is vulnerable.

79. NewLife Blogger 'nlb3' Cookie SQL Injection Vulnerability
BugTraq ID: 31728
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31728
Summary:
NewLife Blogger is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

NewLife Blogger 3.0 and prior versions are vulnerable.

80. Microsoft Message Queuing Service RPC Query Heap Corruption Vulnerability
BugTraq ID: 31637
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31637
Summary:
The Microsoft Message Queuing service (MSMQ) is prone to a remote heap-corruption vulnerability.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of an affected computer. Failed exploit attempts will result in a denial-of-service condition.

This issue is exploitable remotely on Windows 2000 systems only. The MSMQ service is not installed or enabled by default. For a computer to be exploited, an administrator must have explicitly installed and enabled the service.

81. mini-pub Multiple Information Disclosure Vulnerabilities
BugTraq ID: 31733
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31733
Summary:
mini-pub is prone to multiple information-disclosure vulnerabilities.

An unprivileged attacker may exploit these issues to obtain sensitive information that may aid in launching further attacks.

mini-pub 0.3 and prior versions are vulnerable.

82. LokiCMS 'index.php' Information Disclosure Vulnerability
BugTraq ID: 31730
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31730
Summary:
LokiCMS is prone to an information-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow the attacker to obtain sensitive information that could aid in further attacks.

This issue affects LokiCMS 0.3.4 and prior versions.

83. Globsy 'globsy_edit.php' Arbitrary File Overwrite Vulnerability
BugTraq ID: 31727
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31727
Summary:
Globsy is prone to a vulnerability that could permit an attacker to overwrite arbitrary files within the context of the webserver process. This may allow the attacker to execute arbitrary script code or perform other attacks. This issue occurs because the software fails to verify user-supplied input.

Versions up to and including Globsy 1.0 are vulnerable.

84. My PHP Indexer 'index.php' Directory Traversal Vulnerability
BugTraq ID: 31726
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31726
Summary:
My PHP Indexer is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.

My PHP Indexer 1.0 is vulnerable; other versions may also be affected.

85. OwnBiblio Joomla! Component 'catid' Parameter SQL Injection Vulnerability
BugTraq ID: 31725
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31725
Summary:
The OwnBiblio component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects OwnBiblio 1.5.3; other versions may also be affected.

86. Absolute Poll Manager 'xlacomments.asp' SQL Injection Vulnerability
BugTraq ID: 31724
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31724
Summary:
Absolute Poll Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects Absolute Poll Manager XE 4.1; other versions may also be vulnerable.

87. Real Estate Classifieds 'index.php' SQL Injection Vulnerability
BugTraq ID: 31723
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31723
Summary:
Real Estate Classifieds is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

88. Exiv2 EXIF File Handling Integer Overflow Vulnerability
BugTraq ID: 26918
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/26918
Summary:
Exiv2 is prone to an integer-overflow vulnerability because it fails to properly verify user-supplied data when handling EXIF files.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploits may crash the application.

Exiv2 0.15 is reported vulnerable to this issue; other versions may also be affected.

89. Exiv2 Pretty Printing for Nikon Lens Metadata Denial of Service Vulnerability
BugTraq ID: 29586
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/29586
Summary:
The Exiv2 library is prone to a denial-of-service vulnerability caused by a divide-by-zero error when processing certain Nikon lens metadata.

An attacker can exploit this issue to cause denial-of-service conditions in applications using a vulnerable version of the library.

The issue affects Exiv2 0.16; other versions may also be vulnerable.

90. libexif Image Tag Remote Denial Of Service Vulnerability
BugTraq ID: 26976
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/26976
Summary:
The libexif library is prone to a denial-of-service vulnerability because of an infinite-recursion error.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable library.

91. Quick Tftp Server Pro 'mode' Remote Buffer Overflow Vulnerability
BugTraq ID: 28459
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/28459
Summary:
Quick Tftp Server Pro is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Quick Tftp Server Pro 2.1 is vulnerable; other versions may also be affected.

92. HP OpenView Network Node Manager Directory Traversal and Multiple Denial Of Service Vulnerabilities
BugTraq ID: 28745
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/28745
Summary:
HP OpenView Network Node Manager is prone to multiple vulnerabilities affecting the 'ovalarmsrv.exe' and 'ovtopmd.exe' processes. These issues include a directory-traversal issue and multiple denial-of-service issues.

UPDATE (April 14, 2008): Secunia Research discovered, independently, that the 'OpenView5.exe' process is also prone to the directory-traversal issue; this affects Network Node Manager 7.51. Note that 'ovalarmsrv.exe' may also be named 'OpenView5.exe'.

Attackers can exploit these issues to access potentially sensitive data on the affected computer or to deny service to legitimate users.

HP OpenView Network Node Manager 7.53 is vulnerable; other versions may also be affected.

93. Sun Java System Web Proxy Server FTP Subsystem Heap Based Buffer Overflow Vulnerability
BugTraq ID: 31691
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31691
Summary:
Sun Java System Web Proxy Server is prone to a heap-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects Sun Java System Web Proxy Server 4.0 up to and including 4.0.7.

94. libxml2 Denial of Service Vulnerability
BugTraq ID: 31555
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31555
Summary:
The libxml2 library is prone to a denial-of-service vulnerability caused by an error when handling files using entities in entity definitions.

An attacker can exploit this issue to cause the library to consume an excessive amount of memory, denying service to legitimate users.

The issue affects libxml2 2.7 prior to 2.7.2.

95. Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
BugTraq ID: 30560
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/30560
Summary:
The Apache 'mod_proxy_ftp' module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue is reported to affect Apache 2.0.63 and 2.2.9; other versions may also be affected.

96. Adobe Flash Player Policy File Cross Domain Security Bypass Vulnerability
BugTraq ID: 26966
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/26966
Summary:
The Adobe Flash Player is prone to a cross-domain security-bypass vulnerability.

An attacker can exploit this issue to make the player connect to arbitrary hosts from the affected computer. This may allow arbitrary TCP requests to be issued in order to determine what services are running on the affected computer.

NOTE: This issue was previously disclosed in BID 26929 (Adobe Flash Player Multiple Security Vulnerabilities), but has been assigned its own record because of new technical details.

97. Adobe Flash Player Clipboard Security Weakness
BugTraq ID: 31117
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/31117
Summary:
Adobe Flash Player is prone to a security weakness that may allow attackers to inject arbitrary content into a user's clipboard.

Attackers can exploit this issue to overwrite content that is contained in a victim's clipboard. As a result, attacker-supplied URIs can persist in the victim's clipboard.

98. Adobe ActionScript SecurityErrorEvent Security Bypass Vulnerability
BugTraq ID: 25260
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/25260
Summary:
Adobe ActionScript is prone to a security-bypass vulnerability because the application allows Flash movies compiled by ActionScript to connect to arbitrary TCP ports on a host running a vulnerable version of Flash.

Successfully exploiting this issue allows an attacker to bypass the application's sandbox security model and scan other hosts that are connected to the computer running the vulnerable application.

99. Xen Para Virtualized Frame Buffer Backend Local Buffer Overflow Vulnerability
BugTraq ID: 29183
Remote: No
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/29183
Summary:
Xen is prone to a local buffer-overflow vulnerability.

Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the privileged domain (Dom0). Failed attempts will likely cause denial-of-service conditions.

100. libexif Image Tag Remote Integer Overflow Vulnerability
BugTraq ID: 26942
Remote: Yes
Last Updated: 2008-10-15
Relevant URL: http://www.securityfocus.com/bid/26942
Summary:
The libexif library is prone to an integer-overflow vulnerability because the software fails to ensure that integer values are not overrun.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an application using the vulnerable library. Failed attempts will likely result in denial-of-service conditions.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. You don't know (click)jack
By: Robert Lemos
Security professionals Robert "RSnake" Hansen and Jeremiah Grossman discuss a class of attacks, known as clickjacking, on user interfaces of Web browsers.
http://www.securityfocus.com/news/11535

2. Researchers weigh "clickjacking" threat
By: Robert Lemos
A canceled presentation at a Web security summit attracts attention to the danger of overlaying Web pages with graphics to persuade a victim to click where an attacker wants.
http://www.securityfocus.com/news/11534

3. Security of Google's browser gets mixed marks
By: Robert Lemos
The search giant uses process isolation, least privilege rules, and sandboxing as the security foundation for its Chrome browser, but security experts say more is needed.
http://www.securityfocus.com/news/11533

4. Online intruders hit Red Hat, Fedora Project
By: Robert Lemos
A leading Linux company and its open-source distribution acknowledge that attackers breached several systems, including one that manages the Fedora signing process.
http://www.securityfocus.com/news/11532

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Sr. Security Analyst, Dallas
http://www.securityfocus.com/archive/77/497252

2. [SJ-JOB] Security System Administrator, Eagan
http://www.securityfocus.com/archive/77/497255

3. [SJ-JOB] Information Assurance Engineer, San Diego
http://www.securityfocus.com/archive/77/497243

4. [SJ-JOB] Information Assurance Engineer, San Diego
http://www.securityfocus.com/archive/77/497250

5. [SJ-JOB] Security Consultant, London
http://www.securityfocus.com/archive/77/497251

6. [SJ-JOB] Security Engineer, Milwaukee
http://www.securityfocus.com/archive/77/497253

7. [SJ-JOB] Sales Engineer, Worcester
http://www.securityfocus.com/archive/77/497254

8. [SJ-JOB] Security Researcher, France
http://www.securityfocus.com/archive/77/497245

V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #415
http://www.securityfocus.com/archive/88/497234

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to reply. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your e-mail address has changed, e-mail listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
