Thursday, November 13, 2008

SecurityFocus Newsletter #478
----------------------------------------

This issue is sponsored by IronKey:

IronKey flash drives lock down your most sensitive data using today's most advanced security technology.
IronKey uses military-grade AES CBC-mode hardware encryption that cannot be disabled by malware or an intruder and provides rugged and waterproof protection to safeguard your data.
https://www.ironkey.com/secure-flash-drive1a


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Clicking to the Past
2. The Vice of Vice Presidential E-Mail
II. BUGTRAQ SUMMARY
1. Sweex RO002 Router Default Password Security Bypass Vulnerability
2. AJ Classifieds Authentication Bypass Vulnerability
3. Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability
4. RETIRED: Savvy Content Manager Multiple Cross Site Scripting Vulnerabilities
5. Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
6. Microsoft XML Core Services Race Condition Memory Corruption Vulnerability
7. Microsoft Windows SMB Credential Reflection Vulnerability
8. Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
9. Pre Real Estate Listings 'login.php' Multiple SQL Injection Vulnerabilities
10. Linux Kernel 'ndiswrapper' Remote Buffer Overflow Vulnerability
11. Linux Kernel 'hfsplus_find_cat()' Local Denial of Service Vulnerability
12. HP System Management Homepage Unspecified Security Bypass Vulnerability
13. Blender 'BPY_interface.c' Remote Command Execution Vulnerability
14. OpenOffice WMF and EMF File Handling Multiple Heap Based Buffer Overflow Vulnerabilities
15. MunzurSoft Wep Portal 'kategori.asp' SQL Injection Vulnerability
16. mIRC 'PRIVMSG' Buffer Overflow Vulnerability
17. Castle Rock Computing SNMPc Community String Stack Based Buffer Overflow Vulnerability
18. Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
19. Apache 'mod_proxy_http' Interim Response Denial of Service Vulnerability
20. Panda Internet Security/Antivirus+Firewall 2008 CPoint.sys Memory Corruption Vulnerability
21. Gnome Desktop Screensaver NIS Authentication Local Unauthorized Access Vulnerability
22. Multiple Vendor DNS Protocol Insufficient Transaction ID Randomization DNS Spoofing Vulnerability
23. Gnome Screensaver Local Information Disclosure Vulnerability
24. OpenBSD GNU Screen Locked Authentication Bypass Vulnerability
25. Yosemite Backup 'DtbClsLogin()' Remote Buffer Overflow Vulnerability
26. smcFanControl Local Buffer Overflow Vulnerability
27. AJ Article Authentication Bypass Vulnerabilities
28. AJPoll Security Bypass and SQL Injection Vulnerabilities
29. Google Chrome Pop-Up Address Bar URI Spoofing Vulnerability
30. sISAPILocation HTTP Header Rewrite Security Bypass Vulnerability
31. WIMS Insecure Temporary File Creation Vulnerabilities
32. AJ Auction Pro Authentication Bypass Vulnerabilities
33. FreshScripts Fresh Email Script Session Fixation and Remote File Include Vulnerabilities
34. Multiple phpstore.info Scripts Arbitrary File Upload Vulnerability
35. rtgdictionary for TYPO3 Arbitrary File Upload Vulnerability
36. libcdaudio 'cddb.c' Remote Heap Buffer Overflow Vulnerability
37. Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
38. Oracle October 2008 Oracle Critical Patch Update Multiple Vulnerabilities
39. Ourgame 'GLIEDown2.dll' ServerList Method ActiveX Control Remote Code Execution Vulnerability
40. Retired: Microsoft October 2008 Advance Notification Multiple Vulnerabilities
41. Retired: Microsoft November 2008 Advance Notification Multiple Vulnerabilities
42. Linux Kernel i915 Driver 'drivers/char/drm/i915_dma.c' Memory Corruption Vulnerability
43. Sun System Firmware Unspecified Local Information Disclosure Vulnerability
44. initscripts Arbitrary File Deletion Vulnerability
45. Mozilla Firefox '.url' Shortcut Processing Information Disclosure Vulnerability
46. Libpng Library 'png_handle_tEXt()' Memory Leak Denial of Service Vulnerability
47. Belkin F5D7230-4 Wireless G Router 'setup_dns.exe' Authentication Vulnerability
48. Net-SNMP GETBULK Remote Denial of Service Vulnerability
49. Microsoft Outlook Web Access for Exchange Server 'redir.asp' URI Redirection Vulnerability
50. Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
51. Adobe ActionScript SecurityErrorEvent Security Bypass Vulnerability
52. Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability
53. RETIRED: Quick Poll 'product_info.php' SQL Injection Vulnerability
54. Net-SNMP Perl Module Buffer Overflow Vulnerability
55. UltraVNC VNCViewer 'FileTransfer.cpp' Multiple Remote Buffer Overflow Vulnerabilities
56. OptiPNG BMP Reader Buffer Overflow Vulnerability
57. Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
58. GnuTLS X.509 Certificate Chain Security Bypass Vulnerability
59. Free simple PHP guestbook 'act.php' Arbitrary Script Injection Vulnerability
60. Dizi Portali 'film.asp' SQL Injection Vulnerability
61. TYPO3 Wir über uns Extension SQL Injection and Cross Site Scripting Vulnerabilities
62. IBM Tivoli Netcool Service Quality Manager Cross Site Scripting And HTML Injection Vulnerabilities
63. Trac Denial of Service And Phishing Vulnerabilities
64. Exocrew ExoPHPDesk 'username' SQL Injection Vulnerability
65. OTManager 'Admin/ADM_Pagina.php' Remote File Include Vulnerability
66. Collabtive Multiple Remote Vulnerabilities
67. Linux Kernel 'hfs_cat_find_brec()' Local Denial of Service Vulnerability
68. pi3Web ISAPI Directory Remote Denial Of Service Vulnerability
69. TYPO3 Core Multiple Cross Site Scripting Vulnerabilities
70. x10 Automatic MP3 Script 'url' Parameter File Disclosure Vulnerability
71. Cyberfolio 'theme' Parameter Local File Include Vulnerability
72. Joomla! JooBlog Component 'PostID' Parameter SQL Injection Vulnerability
73. Zeeways ZEEJOBSITE Arbitrary File Upload Vulnerability
74. Zeeways ZEEPROPERTY Arbitrary File Upload and Cross Site Scripting Vulnerabilities
75. Zeeways ZEEMATRI 'bannerclick.php' SQL Injection Vulnerability
76. Zeeways PHOTOVIDEOTUBE 'admin/home.php' Authentication Bypass Vulnerability
77. Zeeways SHAADICLONE 'admin/home.php' Authentication Bypass Vulnerability
78. Mole Group Airline Ticket Script 'username' SQL Injection Vulnerability
79. Multiple V3 Chat Products Cookie Authentication Bypass Vulnerability
80. TYPO3 advCalendar Extension Unspecified SQL Injection Vulnerability
81. TYPO3 CMS Poll system Extension Unspecified SQL Injection Vulnerability
82. TYPO3 'eluna_pagecomments' Extension SQL Injection and Cross Site Scripting Vulnerabilities
83. Sun Solstice X.25 '/dev/xty' Local Denial Of Service Vulnerability
84. Sun Solaris DHCP Denial of Service And Remote Code Execution Vulnerabilities
85. IBM Lotus Quickr Multiple Unspecified Cross-Site Scripting Vulnerabilities
86. Digiappz DigiAffiliate Script SQL Injection Vulnerabilities
87. Joomla! and Mambo Catalog Production Component 'id' Parameter SQL Injection Vulnerability
88. Joomla! and Mambo com_marketplace Component 'catid' Parameter SQL Injection Vulnerability
89. NOS Microsystems getPlus Download Manager ActiveX Control Buffer Overflow Vulnerability
90. Adobe Acrobat and Reader 8.1.2 Multiple Security Vulnerabilities
91. Adobe Flash Player Multiple Security Vulnerabilities
92. Adobe Flash Player Clipboard Security Weakness
93. Adobe Flash Player Policy File Cross Domain Security Bypass Vulnerability
94. V3 Chat Profiles/Dating Script SQL Injection Vulnerabilities
95. Multiple 2Wire DSL Routers 'xslt' HTTP Request Denial of Service Vulnerability
96. MemHT Portal 'lang/english.php' SQL Injection Vulnerability
97. MoinMoin Cross-Site Scripting and Information Disclosure Vulnerabilities
98. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
99. Openfire Multiple Input Validation Vulnerabilities
100. Indiscripts Enthusiast 'show_joined.php' Remote File Include Vulnerability
III. SECURITYFOCUS NEWS
1. Researchers find more flaws in wireless security
2. Secure hash competition kicks off
3. You don't know (click)jack
4. Researchers weigh "clickjacking" threat
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Clicking to the Past
By Chris Wysopal
When the first details trickled out about a new attack, dubbed "clickjacking" by the researchers who found it, the descriptions made me think of the tricks I used to pull during penetration tests ten years ago to get administrator privileges: Tricking the user into issuing a command on an attacker's behalf is one of the oldest attack vectors in the book.
http://www.securityfocus.com/columnists/483

2. The Vice of Vice Presidential E-Mail
By Mark Rasch
Is it a crime to read someone else's e-mail without their consent? Seems like a simple question, but the law is not so clear. In mid-September 2008, a hacker using the handle "Rubico" claimed credit for breaking into the Yahoo! e-mail account of Governor Sarah Palin, the Republican Vice Presidential candidate. In a post online, Rubico wrote that he had been following news reports that claimed Palin had been using her personal Yahoo e-mail account for official government business.
In the early 90's, I attended an academic conference in Hawaii. At one presentation, a colleague from the University of California at Berkeley whom I'll refer to as "the supervisor," told a story of young hackers, who he referred to as the Urchins
http://www.securityfocus.com/columnists/482


II. BUGTRAQ SUMMARY
--------------------
1. Sweex RO002 Router Default Password Security Bypass Vulnerability
BugTraq ID: 32249
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32249
Summary:
Sweex RO002 Router is affected by a vulnerability that allows attackers to bypass security restrictions using an undocumented default password.

Successful exploitation will allow attackers to gain access to the router's web configuration interface.

RO002 Router with firmware Ts03-072 is vulnerable; other versions may be affected as well.

2. AJ Classifieds Authentication Bypass Vulnerability
BugTraq ID: 32256
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32256
Summary:
AJ Classifieds is prone to an authentication-bypass vulnerability.

Attackers can exploit this vulnerability to gain administrative access to the affected application.

3. Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability
BugTraq ID: 32154
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32154
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

The Linux kernel 2.6.26 and prior versions are affected.

4. RETIRED: Savvy Content Manager Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 32253
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32253
Summary:
Savvy Content Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

NOTE: Information from the vendor shows that the application is not affected by these issues. This BID is being retired.

5. Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
BugTraq ID: 32204
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32204
Summary:
Microsoft XML Core Services (MSXML) is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy.

An attacker can exploit this issue to harvest potentially sensitive information from a web page in another domain. Information obtained may aid in further attacks.

6. Microsoft XML Core Services Race Condition Memory Corruption Vulnerability
BugTraq ID: 21872
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/21872
Summary:
Microsoft XML Core Services (MSXML) is prone to a remote memory-corruption vulnerability because of a race condition that may cause a NULL-pointer dereference, read or write operations to invalid addresses, or other memory-corruption issues.

Attackers may exploit this issue to execute arbitrary machine code in the context of the vulnerable application. Failed exploit attempts will likely crash the application.

NOTE: SANS has provided new information that lowers the impact of this vulnerability. Please see the reference section for details.

7. Microsoft Windows SMB Credential Reflection Vulnerability
BugTraq ID: 7385
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/7385
Summary:
Microsoft Windows is prone to a vulnerability that could let attackers replay NTLM credentials over the SMB protocol. A successful exploit would let an attacker execute arbitrary code in the context of the affected user.

8. Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
BugTraq ID: 32155
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32155
Summary:
Microsoft XML Core Services (MSXML) is prone to a cross-domain information-disclosure vulnerability because the application fails to properly handle certain error checks.

An attacker can exploit this issue to harvest potentially sensitive information from a web page in another domain. Information obtained may aid in further attacks.

9. Pre Real Estate Listings 'login.php' Multiple SQL Injection Vulnerabilities
BugTraq ID: 32134
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32134
Summary:
Pre Real Estate Listings is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

10. Linux Kernel 'ndiswrapper' Remote Buffer Overflow Vulnerability
BugTraq ID: 32118
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32118
Summary:
The Linux Kernel is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

The issue affects Linux Kernel 2.6.27; other versions may also be vulnerable.

11. Linux Kernel 'hfsplus_find_cat()' Local Denial of Service Vulnerability
BugTraq ID: 32093
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32093
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly bounds-check data before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects versions prior to Linux kernel 2.6.28-rc1.

12. HP System Management Homepage Unspecified Security Bypass Vulnerability
BugTraq ID: 32088
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32088
Summary:
HP System Management Homepage (SMH) is prone to a security-bypass vulnerability caused by an unspecified error.

Attackers can leverage this issue to gain local unauthorized access.

The following products are vulnerable:

SMH 2.2.6 and earlier running on HP-UX B.11.11 and B.11.23
SMH 2.2.6 and v2.2.8 and earlier running on HP-UX B.11.23 and B.11.31

13. Blender 'BPY_interface.c' Remote Command Execution Vulnerability
BugTraq ID: 31931
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/31931
Summary:
Blender is prone to a remote command-execution vulnerability.

An attacker could exploit this issue by enticing an unsuspecting victim to execute Blender in a directory containing a malicious Python file. A successful exploit will allow arbitrary Python commands to run within the privileges of the currently logged-in user.

Blender 2.48a is vulnerable; other versions may also be affected.

14. OpenOffice WMF and EMF File Handling Multiple Heap Based Buffer Overflow Vulnerabilities
BugTraq ID: 31962
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/31962
Summary:
OpenOffice is prone to multiple remote heap-based buffer-overflow vulnerabilities because of errors in processing certain files.

Remote attackers can exploit these issues by enticing victims into opening maliciously crafted EMF or WMF files.

Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial of service.

The issues affect OpenOffice 2 prior to 2.4.2.

15. MunzurSoft Wep Portal 'kategori.asp' SQL Injection Vulnerability
BugTraq ID: 31713
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/31713
Summary:
MunzurSoft Wep Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MunzurSoft Wep Portal W3 is vulnerable; other versions may also be affected.

16. mIRC 'PRIVMSG' Buffer Overflow Vulnerability
BugTraq ID: 31552
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/31552
Summary:
mIRC is prone to a stack-based buffer-overflow vulnerability.

An attacker can exploit this issue by enticing an unsuspecting user into connecting to a malicious IRC server. Successful attacks will allow arbitrary code to run within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

mIRC 6.34 is vulnerable; other versions may be affected as well.

17. Castle Rock Computing SNMPc Community String Stack Based Buffer Overflow Vulnerability
BugTraq ID: 28990
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/28990
Summary:
Castle Rock Computing SNMPc is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can leverage this issue to execute arbitrary code in the context of the application, which typically runs with LocalSystem privileges. Successful exploits will compromise affected computers. Failed attacks will likely cause denial-of-service conditions.

Versions prior to SNMPc 7.1.1 are vulnerable.

18. Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
BugTraq ID: 30560
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/30560
Summary:
The Apache 'mod_proxy_ftp' module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue is reported to affect Apache 2.0.63 and 2.2.9; other versions may also be affected.

19. Apache 'mod_proxy_http' Interim Response Denial of Service Vulnerability
BugTraq ID: 29653
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/29653
Summary:
The Apache 'mod_proxy_http' module is prone to a denial-of-service vulnerability that affects the processing of interim responses.

Attackers may exploit this issue to cause denial-of-service conditions.

Reportedly, the issue affects Apache 2.2.8 and 2.0.63; other versions may also be affected.

20. Panda Internet Security/Antivirus+Firewall 2008 CPoint.sys Memory Corruption Vulnerability
BugTraq ID: 28150
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/28150
Summary:
Panda Internet Security/Antivirus+Firewall 2008 is prone to a vulnerability that allows local attackers to corrupt kernel memory. This vulnerability occurs because the application fails to sufficiently validate IOCTL requests.

Local users may exploit this vulnerability to cause a denial of service or to execute arbitrary code in the context of the kernel.

21. Gnome Desktop Screensaver NIS Authentication Local Unauthorized Access Vulnerability
BugTraq ID: 28575
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/28575
Summary:
Gnome Desktop is prone to a local unauthorized-access vulnerability.

A local attacker can exploit this issue to gain access to the affected computer. Successfully exploiting this issue may lead to other attacks.

22. Multiple Vendor DNS Protocol Insufficient Transaction ID Randomization DNS Spoofing Vulnerability
BugTraq ID: 30131
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/30131
Summary:
Multiple vendors' implementations of the DNS protocol are prone to a DNS-spoofing vulnerability because the software fails to securely implement random values when performing DNS queries.

Successfully exploiting this issue allows remote attackers to spoof DNS replies, allowing them to redirect network traffic and to launch man-in-the-middle attacks.

This issue affects Microsoft Windows DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS releases; other DNS implementations may also be vulnerable.

23. Gnome Screensaver Local Information Disclosure Vulnerability
BugTraq ID: 30096
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/30096
Summary:
Gnome Screensaver is prone to a local information-disclosure vulnerability.

A local attacker can exploit this issue to obtain potentially sensitive clipboard contents. Information harvested may aid in further attacks.

Gnome Screensaver 2.20.0 is vulnerable to this issue; other versions may also be affected.

24. OpenBSD GNU Screen Locked Authentication Bypass Vulnerability
BugTraq ID: 29810
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/29810
Summary:
GNU Screen for OpenBSD is prone to a vulnerability that allows local attackers to bypass the password prompt to unlock the screen.

An attacker with local physical access to the console can exploit this issue to bypass the password prompt and gain access to the locked screen session.

The issue affects GNU Screen 4.0.3 for OpenBSD 4.3; other versions may also be vulnerable.

25. Yosemite Backup 'DtbClsLogin()' Remote Buffer Overflow Vulnerability
BugTraq ID: 32246
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32246
Summary:
Yosemite Backup is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application or cause a denial-of-service condition.

NOTE: Reportedly successful exploits allow remote code execution on Linux systems and denial of service on Windows systems.

Yosemite Backup 8.70 is vulnerable; other versions may also be affected.

26. smcFanControl Local Buffer Overflow Vulnerability
BugTraq ID: 32252
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32252
Summary:
smcFanControl is prone to a local buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input.

Local attackers can exploit this issue to execute arbitrary code in the context of the affected application or to obtain SYSTEM-level privileges. Failed attempts will cause denial-of-service conditions.

smcFanControl 2.1.2 is vulnerable; other versions may also be affected.

27. AJ Article Authentication Bypass Vulnerabilities
BugTraq ID: 32254
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32254
Summary:
AJ Article is prone to multiple authentication-bypass vulnerabilities.

Attackers can exploit these vulnerabilities to gain administrative access to the affected application.

28. AJPoll Security Bypass and SQL Injection Vulnerabilities
BugTraq ID: 32245
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32245
Summary:
AJPoll is prone to a security-bypass vulnerability and an SQL-injection issue.

Exploiting the security-bypass issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. The attacker can exploit the SQL-injection issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. This may compromise the application and may aid in further attacks.

29. Google Chrome Pop-Up Address Bar URI Spoofing Vulnerability
BugTraq ID: 32258
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32258
Summary:
Google Chrome is affected by a URI-spoofing vulnerability because it fails to adequately handle user-supplied data.

An attacker may leverage this issue by inserting arbitrary content to spoof the source URI of a file presented to an unsuspecting user in a popup window. This may lead to a false sense of trust because the victim may be presented with a source URI of a trusted site while interacting with the attacker's malicious site.

Versions prior to Chrome 0.3.154.9 are vulnerable.

30. sISAPILocation HTTP Header Rewrite Security Bypass Vulnerability
BugTraq ID: 32247
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32247
Summary:
sISAPILocation is prone to a security-bypass vulnerability.

Attackers can exploit this issue to bypass certain configuration settings such as character encoding and the secure flag for cookies.

sISAPILocation 1.0.2.1 and prior versions are affected.

31. WIMS Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 32244
Remote: No
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32244
Summary:
WIMS creates temporary files in an insecure manner.

An attacker with local access could perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

WIMS 3.64 is vulnerable; other versions may also be affected.

32. AJ Auction Pro Authentication Bypass Vulnerabilities
BugTraq ID: 32243
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32243
Summary:
AJ Auction Pro is prone to multiple authentication-bypass vulnerabilities.

Attackers can exploit these vulnerabilities to gain administrative access to the affected application.

33. FreshScripts Fresh Email Script Session Fixation and Remote File Include Vulnerabilities
BugTraq ID: 32241
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32241
Summary:
FreshScripts Fresh Email Script is prone to multiple vulnerabilities, including a session-fixation vulnerability and a remote file-include vulnerability.

An attacker may leverage the session-fixation issue to hijack an unsuspecting user's session. The attacker may exploit the remote file-include issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

These issues affect Fresh Email Script 1.0 to 1.11; other versions may also be affected.

34. Multiple phpstore.info Scripts Arbitrary File Upload Vulnerability
BugTraq ID: 32242
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32242
Summary:
Multiple phpstore.info scripts are prone to a vulnerability that lets remote attackers upload and execute arbitrary script code on an affected computer within the context of the webserver process. This issue occurs because the applications fail to validate user-supplied input.

The following phpstore.info products are vulnerable:

Car Dealers
PHP Job Search
Complete Classifieds Script
Real Estate

35. rtgdictionary for TYPO3 Arbitrary File Upload Vulnerability
BugTraq ID: 32234
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32234
Summary:
The rtgdictionary extension for TYPO3 is prone to a vulnerability that lets remote attackers upload and execute arbitrary script code on an affected computer with the privileges of the webserver process. The issue occurs because the application fails to sanitize user-supplied input.

This issue affects rtgdictionary 0.1.9 and prior versions.

36. libcdaudio 'cddb.c' Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 32122
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32122
Summary:
The 'libcdaudio' library is prone to a remote heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.

This issue affects libcdaudio 0.99.12p2; other versions may also be affected. Additional applications that use this library may also be vulnerable.

37. Adobe Acrobat and Reader JavaScript Method Remote Code Execution Vulnerability
BugTraq ID: 29908
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/29908
Summary:
Adobe Acrobat and Reader are prone to a remote code-execution vulnerability because the software fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.

The following applications are affected:

- Adobe Reader 8.0 through 8.1.2
- Adobe Reader 7.0.9 and prior
- Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
- Adobe Acrobat Professional, 3D and Standard 7.0.9 and prior

NOTE: This vulnerability may be related to the issue described in BID 29420 (Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability).

38. Oracle October 2008 Oracle Critical Patch Update Multiple Vulnerabilities
BugTraq ID: 31683
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31683
Summary:
Oracle has released the October 2008 critical patch update addressing 36 vulnerabilities affecting the following software:

Oracle Database
Oracle Application Server
Oracle E-Business Suite
Oracle PeopleSoft Enterprise PeopleTools
Oracle PeopleSoft Enterprise
Oracle JD Edwards EnterpriseOne Tools
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop)

39. Ourgame 'GLIEDown2.dll' ServerList Method ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 29446
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/29446
Summary:
Ourgame 'GLIEDown2.dll' ActiveX control is prone to a remote code-execution vulnerability because it fails to sufficiently verify user-supplied input.

An attacker can exploit this issue to run arbitrary attacker-supplied code in the context of the currently logged-in user. Failed exploit attempts will trigger denial-of-service conditions.

Note that GlobalLink 2.8.1.2 beta is also affected by this issue.

40. Retired: Microsoft October 2008 Advance Notification Multiple Vulnerabilities
BugTraq ID: 31667
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31667
Summary:
Microsoft has released advance notification that the vendor will be releasing eleven security bulletins on October 14, 2008. The highest severity rating for these issues is 'Critical'.

Successfully exploiting these issues may allow remote or local attackers to compromise affected computers.

The following individual records have been created to better document these issues:

29960 Microsoft Internet Explorer 'location' & 'location.href' Cross Domain Security Bypass Vulnerability
31609 Microsoft Windows Active Directory LDAP Request Handling Remote Code Execution Vulnerability
31615 Microsoft Internet Explorer HTML Element Cross Domain Security Bypass Vulnerability
31616 Microsoft Internet Explorer Event Handling Cross Domain Security Bypass Vulnerability
31617 Microsoft Internet Explorer Uninitialized Object Remote Memory Corruption Vulnerability
31618 Microsoft Internet Explorer HTML Objects Uninitialized Memory Corruption Vulnerability
31620 Microsoft Host Integration Server RPC Remote Code Execution Vulnerability
31637 Microsoft Message Queuing Service RPC Query Heap Corruption Vulnerability
31647 Microsoft Windows SMB Buffer Underflow Code Execution Vulnerability
31651 Microsoft Windows Kernel Window Creation Local Privilege Escalation Vulnerability
31652 Microsoft Windows Kernel Memory Corruption Local Privilege Escalation Vulnerability
31653 Microsoft Windows Kernel Unhandled System Call Local Privilege Escalation Vulnerability
31654 Microsoft Internet Explorer Cross Domain Information Disclosure Vulnerability
31673 Microsoft Windows AFD Driver Local Privilege Escalation Vulnerability
31675 Microsoft Windows VAD Local Privilege Escalation Vulnerability
31682 Microsoft Windows Internet Printing Service Integer Overflow Vulnerability
31693 Microsoft Office CDO Protocol Cross Site Scripting Vulnerability
31702 Microsoft Excel Calendar Object Validation Remote Code Execution Vulnerability
31705 Microsoft Excel BIFF File Format Parsing Remote Code Execution Vulnerability
31706 Microsoft Excel Formula Parsing Remote Code Execution Vulnerability

41. Retired: Microsoft November 2008 Advance Notification Multiple Vulnerabilities
BugTraq ID: 32153
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32153
Summary:
Microsoft has released advance notification that the vendor will be releasing two security bulletins on November 11, 2008. The highest severity rating for these issues is 'Critical'.

Successfully exploiting these issues may allow remote or local attackers to compromise affected computers.

The following individual records cover these issues:

7385 Microsoft Windows SMB Credential Reflection Vulnerability
21872 Microsoft XML Core Services Race Condition Memory Corruption Vulnerability
32155 Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
32204 Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability

42. Linux Kernel i915 Driver 'drivers/char/drm/i915_dma.c' Memory Corruption Vulnerability
BugTraq ID: 31792
Remote: No
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31792
Summary:
The Linux kernel is prone to a memory-corruption vulnerability because of insufficient boundary checks in the i915 driver.

Local attackers could exploit this issue to cause denial-of-service conditions, bypass certain security restrictions, and potentially access sensitive information or gain elevated privileges.

This issue affects Linux kernel 2.6.24.6 and prior versions.

43. Sun System Firmware Unspecified Local Information Disclosure Vulnerability
BugTraq ID: 32143
Remote: No
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32143
Summary:
Sun System Firmware is prone to a local information-disclosure vulnerability caused by an unspecified error.

Successful exploits may allow local privileged attackers in one logical domain to gain access to memory in another logical domain. This may aid in further attacks.

The issue affects certain Sun SPARC Systems using the Sun UltraSPARC T1, UltraSPARC T2, and UltraSPARC T2+ processors.

The issue can occur on the following platforms running various versions of Sun System Firmware 6.6 or 7.1:

SPARC Enterprise T5140/T5240 running Sun System Firmware 7.1.3.d or 7.1.3.e
Netra T5220 running Sun System Firmware 7.1.3
SPARC Enterprise T5120/T5220 running Sun System Firmware 7.1.3.d or 7.1.3.e
Blade T6320 running Sun System Firmware 7.1.3.d or 7.1.3.e
Fire / SPARC Enterprise T2000 running Sun System Firmware 6.6.3, 6.6.4 or 6.6.5
Fire / SPARC Enterprise T1000 running Sun System Firmware 6.6.3, 6.6.4 or 6.6.5
Netra T2000 running Sun System Firmware 6.6.3, 6.6.4 or 6.6.5
Netra CP3060 running Sun System Firmware 6.6.3, 6.6.4 or 6.6.5
Blade T6300 running Sun System Firmware 6.6.3, 6.6.4 or 6.6.5

44. initscripts Arbitrary File Deletion Vulnerability
BugTraq ID: 31385
Remote: No
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31385
Summary:
The 'initscripts' package is prone to a file-deletion vulnerability.

An attacker can exploit this issue to delete any files or directories on the affected computer.

This issue affects initscripts 8.76.3; other versions may also be affected.

45. Mozilla Firefox '.url' Shortcut Processing Information Disclosure Vulnerability
BugTraq ID: 31747
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31747
Summary:
Mozilla Firefox is prone to an information-disclosure vulnerability when processing '.url' shortcut files in HTML elements.

An attacker can exploit the issue to obtain sensitive information such as browser cache files, cookie data, or local filesystem details. Information harvested may aid in further attacks.

NOTE: To exploit this issue, the attacker must trick a victim into saving a malicious HTML file to the local system and then following a malicious URI.

Mozilla Firefox 3.0.1, 3.0.2, and 3.0.3 are reported vulnerable.

46. Libpng Library 'png_handle_tEXt()' Memory Leak Denial of Service Vulnerability
BugTraq ID: 31920
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31920
Summary:
The 'libpng' library is prone to a remote denial-of-service vulnerability because it fails to handle malicious PNG files.

Successful exploits may allow remote attackers to cause denial-of-service conditions on computers running the affected library.

This issue affects 'libpng' 1.2.32; other versions may also be affected.

47. Belkin F5D7230-4 Wireless G Router 'setup_dns.exe' Authentication Vulnerability
BugTraq ID: 28319
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/28319
Summary:
The Belkin F5D7230-4 Wireless G Router is prone to a vulnerability because of a lack of authentication when users access 'cgi-bin/setup_dns.exe'.

Attackers can exploit this issue to perform administrative functions without authorization.

Belkin F5D7230-4 running firmware 9.01.10 is vulnerable; other devices and firmware versions may also be affected.

48. Net-SNMP GETBULK Remote Denial of Service Vulnerability
BugTraq ID: 32020
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32020
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.

This issue affects versions *prior to* the following:

Net-SNMP 5.2.5.1
Net-SNMP 5.3.2.3
Net-SNMP 5.4.2.1

49. Microsoft Outlook Web Access for Exchange Server 'redir.asp' URI Redirection Vulnerability
BugTraq ID: 31765
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31765
Summary:
Outlook Web Access is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks.

OWA 6.5 SP 2 is vulnerable; other versions may also be affected.

50. Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
BugTraq ID: 31874
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/31874
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability that affects RPC (Remote Procedure Call) handling in the Server service.

An attacker could exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of vulnerable computers. This issue may be prone to widespread automated exploits. Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue.

This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

51. Adobe ActionScript SecurityErrorEvent Security Bypass Vulnerability
BugTraq ID: 25260
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/25260
Summary:
Adobe ActionScript is prone to a security-bypass vulnerability because the application allows Flash movies compiled by ActionScript to connect to arbitrary TCP ports on a host running a vulnerable version of Flash.

Successfully exploiting this issue allows an attacker to bypass the application's sandbox security model and scan other hosts that are connected to the computer running the vulnerable application.

52. Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability
BugTraq ID: 29420
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/29420
Summary:
Acrobat Reader is prone to a remote denial-of-service vulnerability. The cause of this issue is unknown.

Exploiting this issue allows remote attackers to crash the application and trigger denial-of-service conditions, denying further service to legitimate users. Given the nature of this issue, code execution may be possible, but this has not been confirmed.

53. RETIRED: Quick Poll 'product_info.php' SQL Injection Vulnerability
BugTraq ID: 32279
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32279
Summary:
Quick Poll is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Note: This BID is being retired; it is a duplicate of BID 30724 (Quick Poll 'code.php' SQL Injection Vulnerability).

54. Net-SNMP Perl Module Buffer Overflow Vulnerability
BugTraq ID: 29212
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/29212
Summary:
Net-SNMP is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of applications using the affected Net-SNMP Perl module. Failed exploit attempts will likely cause denial-of-service conditions.

This issue affects Net-SNMP 5.4.1, 5.2.4, and 5.1.4; other versions may also be vulnerable.

55. UltraVNC VNCViewer 'FileTransfer.cpp' Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 27687
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/27687
Summary:
UltraVNC VNCViewer is affected by multiple remote buffer-overflow vulnerabilities because the application fails to properly validate user-supplied string lengths before copying them into static process buffers.

An attacker might leverage these issues to execute arbitrary code on the affected computer with the privileges of the user running the vulnerable application. Failed exploit attempts may lead to a denial-of-service condition.

UltraVNC 1.0.2 and UltraVNC 104 release candidates released prior to February 4, 2008 are vulnerable to these issues.

NOTE: This issue affects only VNCViewer. The UltraVNC server is not affected.

56. OptiPNG BMP Reader Buffer Overflow Vulnerability
BugTraq ID: 32248
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32248
Summary:
OptiPNG is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Versions prior to OptiPNG 0.6.2 are vulnerable.

57. Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
BugTraq ID: 32281
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32281
Summary:
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Mozilla Firefox, Thunderbird and SeaMonkey.

Exploiting these issues can allow attackers to:

- steal authentication credentials
- obtain potentially sensitive information
- violate the same-origin policy
- execute scripts with elevated privileges
- cause denial-of-service conditions
- execute arbitrary code

Other attacks are also possible.

These issues are present in the following applications:

- Mozilla Firefox 3.0.3 and prior
- Mozilla Firefox 2.0.0.17 and prior
- Mozilla Thunderbird 2.0.0.17 and prior
- Mozilla SeaMonkey 1.1.13 and prior

58. GnuTLS X.509 Certificate Chain Security Bypass Vulnerability
BugTraq ID: 32232
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32232
Summary:
GnuTLS is prone to a security-bypass vulnerability because the application fails to properly validate chained X.509 certificates.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers. Unsuspecting users may feel a false sense of security, which can aid attackers in launching further attacks.

Versions prior to GnuTLS 2.6.1 are vulnerable.

59. Free simple PHP guestbook 'act.php' Arbitrary Script Injection Vulnerability
BugTraq ID: 32240
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32240
Summary:
Free simple PHP guestbook is prone to a vulnerability that allows attackers to execute arbitrary script code because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary script code in the context of the webserver. This may aid in further attacks.

60. Dizi Portali 'film.asp' SQL Injection Vulnerability
BugTraq ID: 32239
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32239
Summary:
Dizi Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

61. TYPO3 Wir über uns Extension SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 32237
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32237
Summary:
The 'Wir über uns' (fsmi_people) extension for TYPO3 is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect fsmi_people 0.0.24; other versions may also be affected.

62. IBM Tivoli Netcool Service Quality Manager Cross Site Scripting And HTML Injection Vulnerabilities
BugTraq ID: 32233
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32233
Summary:
IBM Tivoli Netcool Service Quality Manager is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

We don't know which versions of IBM Tivoli Netcool Service Quality Manager are affected. We will update this BID when more details emerge.

NOTE: IBM Tivoli Netcool Service Quality Manager may also have been known as 'Vallent Metrica Service Assurance'.

63. Trac Denial of Service And Phishing Vulnerabilities
BugTraq ID: 32226
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32226
Summary:
Trac is prone to multiple remote vulnerabilities, including a denial-of-service issue and a phishing issue.

Attackers may exploit these issues to perform phishing attacks or cause a denial-of-service condition.

Versions prior to Trac 0.11.2 are vulnerable.

64. Exocrew ExoPHPDesk 'username' SQL Injection Vulnerability
BugTraq ID: 32220
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32220
Summary:
ExoPHPDesk is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects ExoPHPDesk 1.2; other versions may also be vulnerable.

65. OTManager 'Admin/ADM_Pagina.php' Remote File Include Vulnerability
BugTraq ID: 32235
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32235
Summary:
OTManager is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

OTManager 2.4 is vulnerable; other versions may also be affected.

66. Collabtive Multiple Remote Vulnerabilities
BugTraq ID: 32229
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32229
Summary:
Collabtive is prone to multiple remote vulnerabilities, including:

- An HTML-injection vulnerability
- An arbitrary-file-upload vulnerability
- An authentication-bypass vulnerability
- An information-disclosure vulnerability

A successful exploit of these issues may allow an attacker to obtain sensitive information, execute arbitrary script code within the context of the browser, steal cookie-based authentication credentials, gain unauthorized access to the affected application, compromise the application, and execute arbitrary script code within the context of the webserver process. Other attacks are also possible.

Collabtive 0.4.8 is vulnerable; other versions may also be affected.

67. Linux Kernel 'hfs_cat_find_brec()' Local Denial of Service Vulnerability
BugTraq ID: 32289
Remote: No
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32289
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly bounds-check data before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects versions prior to Linux kernel 2.6.27.6.

68. pi3Web ISAPI Directory Remote Denial Of Service Vulnerability
BugTraq ID: 32287
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32287
Summary:
pi3Web is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the server, denying access to legitimate users.

pi3Web 2.0.13 is vulnerable; other versions may also be affected.

69. TYPO3 Core Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 32284
Remote: Yes
Last Updated: 2008-11-13
Relevant URL: http://www.securityfocus.com/bid/32284
Summary:
TYPO3 is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.

TYPO3 4.2.0 up to and including 4.2.2 are affected.

70. x10 Automatic MP3 Script 'url' Parameter File Disclosure Vulnerability
BugTraq ID: 32227
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32227
Summary:
x10 Automatic MP3 Script is prone to a file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view local files in the context of the webserver process. This may aid in further attacks.

Versions up to and including x10 Automatic MP3 Script 1.6 are vulnerable.

71. Cyberfolio 'theme' Parameter Local File Include Vulnerability
BugTraq ID: 32218
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32218
Summary:
Cyberfolio is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Cyberfolio 7.12.2 and prior versions are vulnerable.

72. Joomla! JooBlog Component 'PostID' Parameter SQL Injection Vulnerability
BugTraq ID: 32236
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32236
Summary:
The JooBlog component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The issue affects JooBlog 0.1.1; other versions may also be vulnerable.

73. Zeeways ZEEJOBSITE Arbitrary File Upload Vulnerability
BugTraq ID: 32225
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32225
Summary:
Zeeways ZEEJOBSITE is prone to a vulnerability that lets remote attackers upload and execute arbitrary script code on an affected computer with the privileges of the webserver process. The issue occurs because the application fails to sanitize user-supplied input.

ZEEJOBSITE 2.0 is vulnerable; other versions may also be affected.

74. Zeeways ZEEPROPERTY Arbitrary File Upload and Cross Site Scripting Vulnerabilities
BugTraq ID: 32224
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32224
Summary:
Zeeways ZEEPROPERTY is prone to an arbitrary-file-upload vulnerability that lets attackers upload and execute arbitrary code. The application is also prone to a cross-site scripting issue. These issues occur because the application fails to sufficiently sanitize user-supplied input.

Attackers can exploit these issues to steal cookie information, execute arbitrary client-side script code in the context of the browser, upload and execute arbitrary files in the context of the webserver, and launch other attacks.

These issues affect ZEEPROPERTY 1.0; other versions may also be affected.

75. Zeeways ZEEMATRI 'bannerclick.php' SQL Injection Vulnerability
BugTraq ID: 32221
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32221
Summary:
Zeeways ZEEMATRI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ZEEMATRI 3.0 is vulnerable; other versions may also be affected.

76. Zeeways PHOTOVIDEOTUBE 'admin/home.php' Authentication Bypass Vulnerability
BugTraq ID: 32223
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32223
Summary:
Zeeways PHOTOVIDEOTUBE is prone to an authentication-bypass vulnerability.

Attackers can exploit this issue to gain administrative access to the affected application.

PHOTOVIDEOTUBE 1.1 is vulnerable; other versions may also be affected.

77. Zeeways SHAADICLONE 'admin/home.php' Authentication Bypass Vulnerability
BugTraq ID: 32222
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32222
Summary:
Zeeways SHAADICLONE is prone to an authentication-bypass vulnerability.

Attackers can exploit this issue to gain administrative access to the affected application.

SHAADICLONE 2.0 is vulnerable; other versions may also be affected.

78. Mole Group Airline Ticket Script 'username' SQL Injection Vulnerability
BugTraq ID: 32219
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32219
Summary:
Mole Group Airline Ticket Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

79. Multiple V3 Chat Products Cookie Authentication Bypass Vulnerability
BugTraq ID: 32216
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32216
Summary:
Multiple products from V3 Chat are prone to an authentication-bypass vulnerability because they fail to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access to the affected applications, which may aid in further attacks.

This issue affects the following products:

Profiles/Dating Script 3.0.2
Live Support 3.0.4

80. TYPO3 advCalendar Extension Unspecified SQL Injection Vulnerability
BugTraq ID: 32230
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32230
Summary:
The TYPO3 advCalendar ('advcalendar') extension is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects advcalendar 0.3.1; other versions may also be affected.

81. TYPO3 CMS Poll system Extension Unspecified SQL Injection Vulnerability
BugTraq ID: 32231
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32231
Summary:
The TYPO3 CMS Poll system ('cms_poll') extension is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to cms_poll 0.1.1 are vulnerable.

82. TYPO3 'eluna_pagecomments' Extension SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 32228
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32228
Summary:
The 'eluna_pagecomments' extension for TYPO3 is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect 'eluna_pagecomments' 1.1.2; other versions may also be affected.

83. Sun Solstice X.25 '/dev/xty' Local Denial Of Service Vulnerability
BugTraq ID: 32215
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32215
Summary:
Sun Solstice X.25 is prone to a local denial-of-service vulnerability.

Attackers may exploit this issue to panic a system with multiple CPUs.

This issue affects Solstice X.25 9.2 on both x86 and SPARC platforms.

84. Sun Solaris DHCP Denial of Service And Remote Code Execution Vulnerabilities
BugTraq ID: 32213
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32213
Summary:
The DHCP server daemon in Sun Solaris is prone to multiple vulnerabilities.

Attackers can exploit these issues to execute arbitrary code with root privileges or cause the DHCP server daemon to crash. Successful exploits may completely compromise the vulnerable system.

Note that one of the issues is related to the issue described in BID 25984.

These issues affect the following on both x86 and SPARC platforms:

Solaris 8
Solaris 9
Solaris 10
OpenSolaris based on builds snv_01 through snv_102

85. IBM Lotus Quickr Multiple Unspecified Cross-Site Scripting Vulnerabilities
BugTraq ID: 32212
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32212
Summary:
IBM Lotus Quickr is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied inputs.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues affect Lotus Quickr 8.1; other versions may also be affected.

86. Digiappz DigiAffiliate Script SQL Injection Vulnerabilities
BugTraq ID: 32217
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32217
Summary:
DigiAffiliate is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect DigiAffiliate 1.4 and prior versions.

87. Joomla! and Mambo Catalog Production Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 32259
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32259
Summary:
The Joomla! and Mambo Catalog Production ('com_catalogproduction') component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

88. Joomla! and Mambo com_marketplace Component 'catid' Parameter SQL Injection Vulnerability
BugTraq ID: 27600
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/27600
Summary:
The Joomla! and Mambo 'com_marketplace' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

89. NOS Microsystems getPlus Download Manager ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 32105
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32105
Summary:
NOS Microsystems getPlus Download Manager ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

The following applications use the getPlus Download Manager:

Adobe Acrobat Professional
Adobe Acrobat Reader

getPlus Download Manager 1.2.2.50 is vulnerable; other versions may also be affected.

90. Adobe Acrobat and Reader 8.1.2 Multiple Security Vulnerabilities
BugTraq ID: 32100
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32100
Summary:
Adobe Acrobat and Reader are prone to multiple security vulnerabilities:

1. Multiple remote code-execution vulnerabilities.
2. A privilege-escalation vulnerability affecting computers running Unix-like operating systems.
3. An input-validation issue in a JavaScript method may lead to remote code execution.

Attackers can exploit these issues to execute arbitrary code, elevate privileges, or cause a denial-of-service condition.

91. Adobe Flash Player Multiple Security Vulnerabilities
BugTraq ID: 32129
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32129
Summary:
Adobe Flash Player is prone to multiple security vulnerabilities.

Attackers can exploit these issues to obtain sensitive information, steal cookie-based authentication credentials, control how webpages are rendered, or execute arbitrary script code in the context of the application. Other attacks may also be possible.

These issues affect Flash Player 9.0.124.0 and prior versions.

92. Adobe Flash Player Clipboard Security Weakness
BugTraq ID: 31117
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/31117
Summary:
Adobe Flash Player is prone to a security weakness that may allow attackers to inject arbitrary content into a user's clipboard.

Attackers can exploit this issue to overwrite content that is contained in a victim's clipboard. As a result, attacker-supplied URIs can persist in the victim's clipboard.

93. Adobe Flash Player Policy File Cross Domain Security Bypass Vulnerability
BugTraq ID: 26966
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/26966
Summary:
The Adobe Flash Player is prone to a cross-domain security-bypass vulnerability.

An attacker can exploit this issue to connect to arbitrary hosts on affected computers. This may allow a malicious Flash application to perform generic TCP requests to determine which services are running on the affected computer.

NOTE: This issue was previously disclosed in BID 26929 (Adobe Flash Player Multiple Security Vulnerabilities), but has been assigned its own record because of new technical details.

94. V3 Chat Profiles/Dating Script SQL Injection Vulnerabilities
BugTraq ID: 32214
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32214
Summary:
V3 Chat Profiles/Dating Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

These issues affect V3 Chat Profiles/Dating Script 3.0.2; other versions may also be affected.

95. Multiple 2Wire DSL Routers 'xslt' HTTP Request Denial of Service Vulnerability
BugTraq ID: 32211
Remote: No
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32211
Summary:
Multiple 2Wire DSL routers are prone to a denial-of-service vulnerability because they fail to adequately handle specially crafted HTTP requests.

Successful exploits will cause the DSL connection to be dropped, denying service to legitimate users.

This issue affects the following devices:

1701HG
1800HW
2071HG
2700HG Gateway

96. MemHT Portal 'lang/english.php' SQL Injection Vulnerability
BugTraq ID: 32210
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32210
Summary:
MemHT Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This issue affects MemHT Portal 4.0; other versions may also be affected.
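
Entries 86, 87, 88, 94 and 96 above all describe the same defect: a request parameter such as 'id' or 'catid' is spliced into an SQL statement as text. The following script is an added illustration, not code from any of the products listed or from SecurityFocus. It builds a throwaway SQLite database with constructed sample rows (the 'items' and 'users' tables and the fetch_item_* functions are hypothetical), shows the concatenated query handing back every row or another table's credentials, and puts the parameterized form beside it.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a catalog/listing table and the
    # application's user table. Hypothetical schema, not any vendor's.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO items VALUES (1, 'Sample listing'), (2, 'Another listing');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def fetch_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    # Vulnerable pattern: the request parameter is concatenated straight into
    # the statement, so whatever SQL syntax it carries is executed.
    sql = "SELECT id, title FROM items WHERE id = " + item_id
    return conn.execute(sql).fetchall()


def fetch_item_safe(conn: sqlite3.Connection, item_id: str) -> list:
    # Hardened pattern: check the parameter has the shape the application
    # expects, then bind it so the driver never interprets it as SQL.
    if not item_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title FROM items WHERE id = ?"
    return conn.execute(sql, (int(item_id),)).fetchall()


def demo() -> dict:
    """Run the same attacker inputs through both versions and collect results."""
    conn = build_db()
    results = {}
    results["normal"] = fetch_item_vulnerable(conn, "2")
    # Tautology: the WHERE clause becomes always-true and every row comes back.
    results["tautology"] = fetch_item_vulnerable(conn, "1 OR 1=1")
    # UNION: a second SELECT with the same column count pulls credentials out
    # of a table the page was never meant to read.
    results["union"] = fetch_item_vulnerable(
        conn, "0 UNION SELECT name, pw_hash FROM users")
    results["safe"] = fetch_item_safe(conn, "2")
    try:
        fetch_item_safe(conn, "1 OR 1=1")
        results["safe_injection"] = "accepted"
    except ValueError:
        results["safe_injection"] = "rejected"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The type check in fetch_item_safe is not what stops the injection; the bound parameter does that on its own. The check is there because an 'id' that is not a number is an attack probe or a bug, and either deserves an error rather than an empty result.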

97. MoinMoin Cross-Site Scripting and Information Disclosure Vulnerabilities
BugTraq ID: 32208
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32208
Summary:
MoinMoin is prone to cross-site scripting and information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials or other sensitive information and to launch other attacks.

MoinMoin 1.5.9 and 1.8.0 are vulnerable; other versions may also be affected.

98. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
BugTraq ID: 32207
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32207
Summary:
ClamAV is prone to an off-by-one heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to ClamAV 0.94.1 are vulnerable.

99. Openfire Multiple Input Validation Vulnerabilities
BugTraq ID: 32189
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32189
Summary:
Openfire is prone to multiple input-validation vulnerabilities:

- An SQL-injection issue.
- Multiple cross-site scripting issues.
- An authentication-bypass issue.

A successful exploit of these issues may allow an attacker to gain unauthorized access to the affected application, compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute arbitrary script code within the context of the browser, and steal cookie-based authentication credentials. Other attacks are also possible.

Openfire 3.6.0a is vulnerable; other versions may also be affected.

100. Indiscripts Enthusiast 'show_joined.php' Remote File Include Vulnerability
BugTraq ID: 32205
Remote: Yes
Last Updated: 2008-11-12
Relevant URL: http://www.securityfocus.com/bid/32205
Summary:
Indiscripts Enthusiast is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Enthusiast 3.1.4 is vulnerable; other versions may also be affected.
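
The remote file-include defect in entry 100 is the classic PHP pattern of passing a request parameter to include(); when the interpreter is willing to open URLs, the "file" can live on the attacker's server. The check below is an added example of how a page selector should be validated; it is not code from Enthusiast and is written in Python rather than PHP to keep it runnable here. The pages directory, the ALLOWED_PAGES set and the sample inputs are constructed for the illustration.

```python
import os
from urllib.parse import urlsplit

# Hypothetical allowlist of page names the application is willing to include.
ALLOWED_PAGES = frozenset({"show_joined", "show_members", "show_listing"})


def resolve_page(base_dir: str, requested: str) -> str:
    """Map a user-supplied page name onto a file under base_dir, or raise ValueError."""
    # A value with a URL scheme (http://, ftp://, php://, data:) is what turns
    # a local include into a remote one. Reject it before anything else.
    if urlsplit(requested).scheme:
        raise ValueError("page name must not be a URL")
    # Path separators, traversal and NUL bytes (the old truncation trick) are
    # never part of a legitimate page name.
    if any(bad in requested for bad in ("/", "\\", "..", "\0")):
        raise ValueError("page name must be a bare identifier")
    # The allowlist is the control that matters: the application knows
    # exactly which pages it ships.
    if requested not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    # Resolve and confirm the result still lives under base_dir. Cheap
    # insurance against symlinks and against the allowlist widening later.
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, requested + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escaped the pages directory")
    return path


def classify(base_dir: str, candidates) -> dict:
    """Run each candidate through resolve_page and report the verdict."""
    verdicts = {}
    for name in candidates:
        try:
            resolve_page(base_dir, name)
            verdicts[name] = "accepted"
        except ValueError as exc:
            verdicts[name] = "rejected: " + str(exc)
    return verdicts


# Constructed inputs: one legitimate page name and the shapes a remote or
# local file-include probe usually takes.
SAMPLE_INPUTS = [
    "show_joined",
    "http://attacker.example/shell.txt",
    "php://input",
    "../../../../etc/passwd",
    "show_joined\0",
    "admin",
]


if __name__ == "__main__":
    for name, verdict in classify("/srv/enthusiast/pages", SAMPLE_INPUTS).items():
        print(repr(name), "->", verdict)
```

Only the allowlist is strictly necessary; the earlier checks exist so that the log line says why a request was refused, which is useful when the same probe shows up across a fleet of hosts.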

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Researchers find more flaws in wireless security
By: Robert Lemos
Two security experts plan to show a limited attack against the popular Wi-Fi Protected Access (WPA) -- a replacement for insecure WEP -- at a conference in Tokyo.
http://www.securityfocus.com/news/11537

2. Secure hash competition kicks off
By: Robert Lemos
Dozens of amateur and professional cryptographers have joined the United States' first open competition for creating an uncrackable algorithm for generating hashes -- the digital fingerprints widely used in a variety of security functions.
http://www.securityfocus.com/news/11536

3. You don't know (click)jack
By: Robert Lemos
Security professionals Robert "RSnake" Hansen and Jeremiah Grossman discuss a class of attacks, known as clickjacking, on user interfaces of Web browsers.
http://www.securityfocus.com/news/11535

4. Researchers weigh "clickjacking" threat
By: Robert Lemos
A canceled presentation at a Web security summit attracts attention to the danger of overlaying Web pages with graphics to persuade a victim to click where an attacker wants.
http://www.securityfocus.com/news/11534

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message that you will have to answer. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is sponsored by IronKey:

IronKey flash drives lock down your most sensitive data using today's most advanced security technology.
IronKey uses military-grade AES CBC-mode hardware encryption that cannot be disabled by malware or an intruder and provides rugged and waterproof protection to safeguard your data.
https://www.ironkey.com/secure-flash-drive1a
