
Thursday, November 20, 2008

SecurityFocus Newsletter #479
----------------------------------------

This issue is Sponsored by Symantec



SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Microsoft's Stance on Piracy Affects Us All
2. Clicking to the Past
II. BUGTRAQ SUMMARY
1. OpenSSH CBC Mode Information Disclosure Vulnerability
2. uTorrent and BitTorrent File Handling Remote Buffer Overflow Vulnerability
3. htop Hidden Process Name Input Filtering Vulnerability
4. GnuTLS X.509 Certificate Chain Security Bypass Vulnerability
5. Adobe Flash Player Multiple Security Vulnerabilities
6. No-IP Dynamic Update Client for Linux Remote Buffer Overflow Vulnerability
7. WIMS Insecure Temporary File Creation Vulnerabilities
8. Microsoft Windows SMB Credential Reflection Vulnerability
9. Microsoft XML Core Services Race Condition Memory Corruption Vulnerability
10. Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
11. Pluck 'g_pcltar_lib_dir' Parameter Local File Include Vulnerability
12. Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
13. Kimson CMS 'id' Parameter Cross Site Scripting Vulnerability
14. UltraStats 'login.php' SQL Injection Vulnerability
15. Simple Customer 'login.php' SQL Injection Vulnerability
16. Balabit syslog-ng Insecure 'chroot()' Implementation Weakness
17. phpFan 'init.php' Remote File Include Vulnerability
18. Jadu Galaxies 'documents.php' SQL Injection Vulnerability
19. SaturnCMS 'Username' Login Page SQL Injection Vulnerability
20. Microsoft Communicator RTCP Unspecified Remote Denial of Service Vulnerability
21. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
22. KKE Info Media Kmita Gallery Multiple Cross-Site Scripting Vulnerabilities
23. Mozilla Firefox '.url' Shortcut Processing Information Disclosure Vulnerability
24. Chilkat Socket ActiveX 'SaveLastError()' Arbitrary File Overwrite Vulnerability
25. Parallels Plesk Billing 'new_language' Parameter Cross Site Scripting Vulnerability
26. Pre Simple CMS 'adminlogin.php' SQL Injection Vulnerability
27. Easyedit Multiple SQL Injection Vulnerabilities
28. Grip CDDB Response Multiple Matches Buffer Overflow Vulnerability
29. W3matter AskPert 'index.php' SQL Injection Vulnerability
30. Linux Kernel s390 ptrace Denial Of Service Vulnerability
31. wPortfolio '/admin/upload_form.php' Arbitrary File Upload Vulnerability
32. Roundup XML-RPC Server Security Bypass Vulnerability
33. Oracle mod_wl HTTP POST Request Remote Buffer Overflow Vulnerability
34. Fantastico Cross-Site Scripting Vulnerabilities and Local File Include Vulnerability
35. Pre ASP Job Board 'emp_login.asp' SQL Injection Vulnerability
36. Adam Wright HTMLTidy 'html-tidy-logic.php' Cross Site Scripting Vulnerability
37. Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability
38. phpBLASTER CMS Multiple Local File Include Vulnerabilities
39. Exodus URI Handler Command Line Parameter Injection Vulnerability
40. pam_mount Insecure Temporary File Creation Vulnerability
41. MailEnable IMAP Service Multiple Buffer Overflow Vulnerabilities
42. RevSense 'index.php' SQL Injection Vulnerability
43. libxml2 'xmlSAX2Characters()' Integer Overflow Vulnerability
44. libxml2 'xmlBufferResize()' Remote Denial of Service Vulnerability
45. MauryCMS 'Rss.php' SQL Injection Vulnerability
46. Symantec Backup Exec for Windows Server Remote Agent Authentication Bypass Vulnerability
47. Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
48. Apache mod_imagemap and mod_imap Cross-Site Scripting Vulnerability
49. Mozilla Firefox Arbitrary Image Cross Domain Security Bypass Vulnerability
50. Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
51. Linux Kernel 'snd_seq_oss_synth_make_info()' Information Disclosure Vulnerability
52. Linux kernel 'fs/direct-io.c' Local Denial of Service Vulnerability
53. Linux Kernel 32-bit/64bit Emulation Local Information Disclosure Vulnerability
54. Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability
55. Linux Kernel 'truncate()' Local Privilege Escalation Vulnerability
56. Yasna Yazd Discussion Forum Multiple Cross-Site Scripting Vulnerabilities
57. AceFTP 'LIST' Command Directory Traversal Vulnerability
58. PHP 'error_log' Safe Mode Restriction-Bypass Vulnerability
59. SocialEngine HTTP Response Splitting and SQL-injection Vulnerabilities
60. PunPortal 'login.php' Local File Include Vulnerability
61. boastMachine 'mail.php' SQL Injection Vulnerability
62. GeSHi XML Parsing Remote Denial Of Service Vulnerability
63. Softbiz Classifieds Script Cross Site Scripting Vulnerability
64. Symantec Backup Exec Data Management Protocol Buffer Overflow Vulnerability
65. Mozilla Thunderbird and SeaMonkey 'mailnews' Information Disclosure Vulnerability
66. Opera Web Browser 'file://' Heap Based Buffer Overflow Vulnerability
67. Dovecot ACL Plugin Multiple Security Bypass Vulnerabilities
68. MyTopix 'send' Parameter SQL Injection Vulnerability
69. HP Linux Imaging and Printing System Privilege Escalation And Denial Of Service Vulnerabilities
70. libxml XML Entity Name Heap Buffer Overflow Vulnerability
71. libxml2 Recursive Entity Remote Denial of Service Vulnerability
72. PHPCow Unspecified Remote File Include Vulnerability
73. PunBB 'pun_user[language]' Parameter Multiple Local File Include Vulnerabilities
74. Ruby on Rails ':offset' And ':limit' Parameters SQL Injection Vulnerabilities
75. Python Multiple Buffer Overflow Vulnerabilities
76. Ruby on Rails 'redirect_to()' HTTP Header Injection Vulnerability
77. 3Com Wireless 8760 Dual-Radio 11a/b/g PoE Multiple Security Vulnerabilities
78. Microsoft Windows Vista 'iphlpapi.dll' Local Kernel Buffer Overflow Vulnerability
79. Linux Kernel USB PWC Driver Local Denial Of Service Vulnerability
80. FCKeditor 'connector.php' Arbitrary File Upload Vulnerability
81. Sun Java System Identity Manager Multiple Vulnerabilities
82. Cisco IOS MPLS VPN Information Disclosure Vulnerability
83. Streamripper Multiple Buffer Overflow Vulnerabilities
84. IBM Lotus Domino Web Access ActiveX Control Memory Corruption Vulnerabilities
85. MDaemon Server WorldClient Script Injection Vulnerability
86. Microsoft Internet Explorer 6 RDS.DataControl Denial of Service Vulnerability
87. Ext2 Filesystem Utilities e2fsprogs libext2fs Multiple Unspecified Integer Overflow Vulnerabilities
88. refbase 'headerMsg' Parameter Cross Site Scripting Vulnerabilities
89. Link Back Checker Cookie Authentication Bypass Vulnerability
90. vBulletin 'admincp/image.php' SQL Injection Vulnerability
91. vBulletin 'admincp/attachmentpermission.php' SQL Injection Vulnerability
92. vBulletin 'admincp/verify.php' SQL Injection Vulnerability
93. vBulletin 'admincalendar.php' SQL Injection Vulnerability
94. RETIRED: Tribiq CMS Cookie Authentication Bypass Vulnerability
95. Adobe AIR Unspecified JavaScript Code Execution Vulnerability
96. Musicbox 'viewalbums.php' SQL Injection Vulnerability
97. Zope PythonScript Multiple Remote Denial Of Service Vulnerabilities
98. OptiPNG BMP Reader Buffer Overflow Vulnerability
99. Novell eDirectory Multiple Buffer Overflow And Cross-Site Scripting Vulnerabilities
100. Net-SNMP GETBULK Remote Denial of Service Vulnerability
III. SECURITYFOCUS NEWS
1. Researchers find more flaws in wireless security
2. Secure hash competition kicks off
3. You don't know (click)jack
4. Researchers weigh "clickjacking" threat
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Security Auditor, Reston
2. [SJ-JOB] Sr. Security Engineer, St Louis
3. [SJ-JOB] Compliance Officer, Pentagon City
4. [SJ-JOB] Software Engineer, St. Paul
5. [SJ-JOB] Manager, Information Security, Bedford Heights
6. [SJ-JOB] Software Engineer, St. Paul
7. [SJ-JOB] Senior Software Engineer, St. Paul
8. [SJ-JOB] Sr. Security Analyst, Denver
9. [SJ-JOB] Sales Representative, Bedford Heights
10. [SJ-JOB] Security Consultant, Central New Jersey
11. [SJ-JOB] Management, Glendale
12. [SJ-JOB] Security System Administrator, San Diego
13. [SJ-JOB] Technical Support Engineer, St. Paul
14. [SJ-JOB] Security Consultant, San Francisco
15. [SJ-JOB] Security Researcher, Bangalore
16. [SJ-JOB] Senior Software Engineer, Alameda
17. [SJ-JOB] Management, Newark
18. [SJ-JOB] Management, Houston
19. [SJ-JOB] Penetration Engineer, San Francisco
20. [SJ-JOB] Security Researcher, Los Angeles
21. [SJ-JOB] Sales Representative, Nashville
22. [SJ-JOB] Security Consultant, Bedford Heights
23. [SJ-JOB] Director, Information Security, Chicago
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #419
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Microsoft's Stance on Piracy Affects Us All
By Oliver Day
For the last few years, Microsoft has wrestled with their stance on piracy. Pirated operating systems are just like legitimate operating systems in terms of their exposure to vulnerabilities: Users must install patches or they will be compromised.
http://www.securityfocus.com/columnists/484

2. Clicking to the Past
By Chris Wysopal
When the first details trickled out about a new attack, dubbed "clickjacking" by the researchers who found it, the descriptions made me think of the tricks I used to pull during penetration tests ten years ago to get administrator privileges: Tricking the user into issuing a command on an attacker's behalf is one of the oldest attack vectors in the book.
http://www.securityfocus.com/columnists/483


II. BUGTRAQ SUMMARY
--------------------
1. OpenSSH CBC Mode Information Disclosure Vulnerability
BugTraq ID: 32319
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32319
Summary:
OpenSSH is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain four bytes of plaintext from an encrypted session.

OpenSSH 4.7p1 is vulnerable; other versions may also be affected. Various versions of SSH Tectia are also affected.

2. uTorrent and BitTorrent File Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 30653
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/30653
Summary:
uTorrent and BitTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.

uTorrent 1.7.7 (build 8179) and BitTorrent 6.0.3 (build 8642) are vulnerable; other versions may also be affected.

3. htop Hidden Process Name Input Filtering Vulnerability
BugTraq ID: 32081
Remote: No
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32081
Summary:
The 'htop' program is prone to an input-filtering vulnerability that can result in hidden process names.

An attacker can exploit this issue to hide potentially malicious processes, resulting in a false sense of security. This may also aid in launching further attacks against the underlying shell.

This issue affects htop 0.7; other versions may also be affected.

4. GnuTLS X.509 Certificate Chain Security Bypass Vulnerability
BugTraq ID: 32232
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32232
Summary:
GnuTLS is prone to a security-bypass vulnerability because the application fails to properly validate chained X.509 certificates.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers. Unsuspecting users may be under a false sense of security that can aid attackers in launching further attacks.

Versions prior to GnuTLS 2.6.1 are vulnerable.

5. Adobe Flash Player Multiple Security Vulnerabilities
BugTraq ID: 32129
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32129
Summary:
Adobe Flash Player is prone to multiple security vulnerabilities.

Attackers can exploit these issues to obtain sensitive information, steal cookie-based authentication credentials, control how webpages are rendered, execute arbitrary script code in the context of the application, and execute arbitrary code in the context of the application. Other attacks may also be possible.

These issues affect Flash Player 9.0.124.0 and prior versions.

6. No-IP Dynamic Update Client for Linux Remote Buffer Overflow Vulnerability
BugTraq ID: 32344
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32344
Summary:
No-IP Dynamic Update Client (DUC) is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check input messages.

An attacker can exploit this issue by enticing an unsuspecting user into connecting to a malicious server. Successful attacks will allow arbitrary code to run within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

DUC 2.1.7 for Linux is vulnerable; other versions may also be affected.

7. WIMS Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 32244
Remote: No
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32244
Summary:
WIMS creates temporary files in an insecure manner.

An attacker with local access could perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

WIMS 3.64 is vulnerable; other versions may also be affected.

8. Microsoft Windows SMB Credential Reflection Vulnerability
BugTraq ID: 7385
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/7385
Summary:
Microsoft Windows is prone to a vulnerability that could let attackers replay NTLM credentials over the SMB protocol. A successful exploit would let an attacker execute arbitrary code in the context of the affected user.

9. Microsoft XML Core Services Race Condition Memory Corruption Vulnerability
BugTraq ID: 21872
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/21872
Summary:
Microsoft XML Core Services (MSXML) is prone to a remote memory-corruption vulnerability because of a race condition that may cause a NULL-pointer dereference, read or write operations to invalid addresses, or other memory-corruption issues.

Attackers may exploit this issue to execute arbitrary machine code in the context of the vulnerable application. Failed exploit attempts will likely crash the application.

NOTE: SANS has provided new information that lowers the impact of this vulnerability. Please see the reference section for details.

10. Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
BugTraq ID: 32155
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32155
Summary:
Microsoft XML Core Services (MSXML) is prone to a cross-domain information-disclosure vulnerability because the application fails to properly handle certain error checks.

An attacker can exploit this issue to harvest potentially sensitive information from a web page in another domain. Information obtained may aid in further attacks.

11. Pluck 'g_pcltar_lib_dir' Parameter Local File Include Vulnerability
BugTraq ID: 32342
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32342
Summary:
Pluck is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Pluck 4.5.3 is vulnerable; other versions may also be affected.

12. Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
BugTraq ID: 32204
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32204
Summary:
Microsoft XML Core Services (MSXML) is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy.

An attacker can exploit this issue to harvest potentially sensitive information from a web page in another domain. Information obtained may aid in further attacks.

13. Kimson CMS 'id' Parameter Cross Site Scripting Vulnerability
BugTraq ID: 32343
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32343
Summary:
Kimson CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

14. UltraStats 'login.php' SQL Injection Vulnerability
BugTraq ID: 32340
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32340
Summary:
UltraStats is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

UltraStats 0.3.11 and 0.2.144 are vulnerable; other versions may also be affected.

15. Simple Customer 'login.php' SQL Injection Vulnerability
BugTraq ID: 32339
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32339
Summary:
Simple Customer is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Simple Customer 1.2 is vulnerable; other versions may also be affected.

16. Balabit syslog-ng Insecure 'chroot()' Implementation Weakness
BugTraq ID: 32338
Remote: No
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32338
Summary:
Balabit 'syslog-ng' is prone to a weakness in its use of 'chroot()'.

By executing code as the 'syslog-ng' process, an attacker may be able to take advantage of this weakness to escape the 'chroot()' jail.

This issue affects 'syslog-ng' 2.0.9; other versions may also be affected.

17. phpFan 'init.php' Remote File Include Vulnerability
BugTraq ID: 32335
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32335
Summary:
phpFan is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

phpFan 3.3.4 is vulnerable; other versions may also be affected.

18. Jadu Galaxies 'documents.php' SQL Injection Vulnerability
BugTraq ID: 32337
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32337
Summary:
Jadu Galaxies is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

19. SaturnCMS 'Username' Login Page SQL Injection Vulnerability
BugTraq ID: 32336
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32336
Summary:
SaturnCMS is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

20. Microsoft Communicator RTCP Unspecified Remote Denial of Service Vulnerability
BugTraq ID: 32341
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32341
Summary:
Microsoft Communicator is prone to a remote denial-of-service vulnerability that affects the Real-time Transport Control Protocol (RTCP) handling. The cause of this issue is unknown.

Exploiting this issue allows remote attackers to crash the application and trigger denial-of-service conditions, denying further service to legitimate users.

This issue affects Microsoft Communicator, Office Communications Server (OCS), and Windows Live Messenger.

21. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
BugTraq ID: 32207
Remote: Yes
Last Updated: 2008-11-17
Relevant URL: http://www.securityfocus.com/bid/32207
Summary:
ClamAV is prone to an off-by-one heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to ClamAV 0.94.1 are vulnerable.

22. KKE Info Media Kmita Gallery Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 31970
Remote: Yes
Last Updated: 2008-11-17
Relevant URL: http://www.securityfocus.com/bid/31970
Summary:
Kmita Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

23. Mozilla Firefox '.url' Shortcut Processing Information Disclosure Vulnerability
BugTraq ID: 31747
Remote: Yes
Last Updated: 2008-11-17
Relevant URL: http://www.securityfocus.com/bid/31747
Summary:
Mozilla Firefox is prone to an information-disclosure vulnerability when processing '.url' shortcut files in HTML elements.

An attacker can exploit the issue to obtain sensitive information such as browser cache files, cookie data, or local filesystem details. Information harvested may aid in further attacks.

NOTE: To exploit this issue, the attacker must trick a victim into saving a malicious HTML file to the local system and then following a malicious URI.

Mozilla Firefox 3.0.1, 3.0.2, and 3.0.3 are reported vulnerable.

24. Chilkat Socket ActiveX 'SaveLastError()' Arbitrary File Overwrite Vulnerability
BugTraq ID: 32333
Remote: Yes
Last Updated: 2008-11-17
Relevant URL: http://www.securityfocus.com/bid/32333
Summary:
Chilkat Socket ActiveX control is prone to a vulnerability that lets attackers overwrite arbitrary files.

Successful exploits may result in denial-of-service conditions. Other attacks are also possible.

Chilkat Socket ActiveX control 2.3.1.1 is vulnerable; other versions may also be affected.

25. Parallels Plesk Billing 'new_language' Parameter Cross Site Scripting Vulnerability
BugTraq ID: 32185
Remote: Yes
Last Updated: 2008-11-17
Relevant URL: http://www.securityfocus.com/bid/32185
Summary:
Parallels Plesk Billing (formerly known as ModernBill) is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Parallels Plesk Billing 4.4 is vulnerable; other versions may also be affected.

26. Pre Simple CMS 'adminlogin.php' SQL Injection Vulnerability
BugTraq ID: 32132
Remote: Yes
Last Updated: 2008-11-17
Relevant URL: http://www.securityfocus.com/bid/32132
Summary:
Pre Simple CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

27. Easyedit Multiple SQL Injection Vulnerabilities
BugTraq ID: 32369
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32369
Summary:
Easyedit is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

28. Grip CDDB Response Multiple Matches Buffer Overflow Vulnerability
BugTraq ID: 12770
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/12770
Summary:
A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.

To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.

Grip 3.1.2 and 3.2.0 are affected; other versions may also be affected.

29. W3matter AskPert 'index.php' SQL Injection Vulnerability
BugTraq ID: 32368
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32368
Summary:
AskPert is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

30. Linux Kernel s390 ptrace Denial Of Service Vulnerability
BugTraq ID: 31177
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/31177
Summary:
The Linux kernel is prone to a denial-of-service vulnerability when process traces are performed on 32-bit computers.

Local attackers can leverage the issue to crash the kernel and deny service to legitimate users.

The vulnerability affects versions prior to 2.6.27-rc6 for the s390 architecture.

31. wPortfolio '/admin/upload_form.php' Arbitrary File Upload Vulnerability
BugTraq ID: 32367
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32367
Summary:
wPortfolio is prone to a vulnerability that lets attackers upload arbitrary files because it fails to adequately secure access to administrative scripts.

An attacker can exploit this issue to upload arbitrary files and execute malicious code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

Versions up to and including wPortfolio 0.3 are vulnerable.

32. Roundup XML-RPC Server Security Bypass Vulnerability
BugTraq ID: 28238
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/28238
Summary:
Roundup is prone to a security-bypass vulnerability.

An attacker can exploit this issue to access and modify sensitive information that may help in further attacks.

This issue affects Roundup 1.4.4; other versions may be vulnerable as well.

33. Oracle mod_wl HTTP POST Request Remote Buffer Overflow Vulnerability
BugTraq ID: 30273
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/30273
Summary:
Oracle mod_wl (formerly BEA mod_wl) is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

34. Fantastico Cross-Site Scripting Vulnerabilities and Local File Include Vulnerability
BugTraq ID: 32016
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32016
Summary:
Fantastico is prone to multiple cross-site scripting vulnerabilities and a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerability to access potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer.

The attacker can exploit the cross-site scripting vulnerabilities to execute arbitrary script code within the context of the affected site and steal cookie-based authentication credentials.

35. Pre ASP Job Board 'emp_login.asp' SQL Injection Vulnerability
BugTraq ID: 32366
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32366
Summary:
Pre ASP Job Board is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

36. Adam Wright HTMLTidy 'html-tidy-logic.php' Cross Site Scripting Vulnerability
BugTraq ID: 31908
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/31908
Summary:
Adam Wright HTMLTidy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

HTMLTidy 0.5 is vulnerable; other versions may also be affected. Products that include HTMLTidy as a component will also be vulnerable.

NOTE: This record was previously titled 'Kayako eSupport html-tidy-logic.php Cross Site Scripting Vulnerability'. It has been updated to properly describe the vulnerability as an HTMLTidy issue.

37. Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability
BugTraq ID: 32317
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32317
Summary:
The web interface of Cobbler is prone to a remote privilege-escalation vulnerability.

Remote attackers who can edit kickstart templates may exploit this issue to execute arbitrary Python code with root privileges. Successfully exploiting this issue may compromise the affected computer.

Versions prior to Cobbler 1.2.9 are affected.

38. phpBLASTER CMS Multiple Local File Include Vulnerabilities
BugTraq ID: 29983
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/29983
Summary:
phpBLASTER is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities using directory-traversal strings to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

phpBLASTER 1.0 RC1 is vulnerable; other versions may also be affected.

39. Exodus URI Handler Command Line Parameter Injection Vulnerability
BugTraq ID: 32330
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32330
Summary:
Exodus is prone to a vulnerability that lets attackers inject command-line parameters through protocol handlers. This issue occurs because the application fails to adequately sanitize user-supplied input.

Exploiting this issue would permit remote attackers to influence command options that can be called through the vulnerable protocol handler and to execute commands with the privileges of a user running the application. It is also possible to leverage this issue to execute arbitrary code with the privileges of the user running the vulnerable application.

Exodus 0.10 is vulnerable; other versions may also be affected.

40. pam_mount Insecure Temporary File Creation Vulnerability
BugTraq ID: 32374
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32374
Summary:
The 'pam_mount' module creates temporary files in an insecure manner.

An attacker with local access could perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

This issue affects pam_mount 0.43; other versions may also be affected.

41. MailEnable IMAP Service Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 21362
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/21362
Summary:
MailEnable is prone to multiple buffer-overflow vulnerabilities in the IMAP service because the application fails to properly bounds-check various types of user-supplied data.

An attacker may leverage these issues to execute arbitrary code in the context of the running application or to crash the application, causing a denial of service.

These issues are reported to affect the following MailEnable versions, but other versions may also be vulnerable:

1.6-1.86 Professional Edition
1.1-1.40 Enterprise Edition
2.0-2.33 Professional Edition
2.0-2.33 Enterprise Edition

42. RevSense 'index.php' SQL Injection Vulnerability
BugTraq ID: 32365
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32365
Summary:
RevSense is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

RevSense 1.0 is vulnerable; other versions may also be affected.

43. libxml2 'xmlSAX2Characters()' Integer Overflow Vulnerability
BugTraq ID: 32326
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32326
Summary:
The 'libxml2' library is prone to an integer-overflow vulnerability because it fails to properly verify user-supplied data when handling XML files.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an affected application. Failed exploits may crash the application.

This issue affects libxml2-2.7.2; other versions may also be affected.

44. libxml2 'xmlBufferResize()' Remote Denial of Service Vulnerability
BugTraq ID: 32331
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32331
Summary:
The 'libxml2' library is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to cause the affected application using the library to fall into an infinite loop, denying service to legitimate users.

This issue affects libxml2-2.7.2; other versions may also be affected.

45. MauryCMS 'Rss.php' SQL Injection Vulnerability
BugTraq ID: 32364
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32364
Summary:
MauryCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MauryCMS 0.53.2 is vulnerable; other versions may also be affected.

46. Symantec Backup Exec for Windows Server Remote Agent Authentication Bypass Vulnerability
BugTraq ID: 32347
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32347
Summary:
Symantec Backup Exec for Windows Server is prone to a vulnerability that allows an attacker to bypass authentication and gain unauthorized access to the affected application.

Attackers with authorized network access can exploit this issue to bypass the logon process using the remote agents. Successful exploits may allow attackers to retrieve or delete files on the targeted computer.

47. Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
BugTraq ID: 27237
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/27237
Summary:
The Apache HTTP Server 'mod_status' module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Reportedly, attackers can also use this issue to redirect users' browsers to arbitrary locations, which may aid in phishing attacks.

The issue affects versions prior to Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev.

48. Apache mod_imagemap and mod_imap Cross-Site Scripting Vulnerability
BugTraq ID: 26838
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/26838
Summary:
Apache is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects the following:

- The 'mod_imagemap' module in Apache 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, and 2.2.0

- The 'mod_imap' module in Apache 1.3.39, 1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, and 1.3.0.

49. Mozilla Firefox Arbitrary Image Cross Domain Security Bypass Vulnerability
BugTraq ID: 32351
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32351
Summary:
Mozilla Firefox is prone to a cross-domain security-bypass vulnerability that can allow an attacker to bypass the same-origin policy.

The attacker can exploit this issue to access arbitrary images from other domains.

Versions prior to Firefox 2.0.0.18 are vulnerable.

NOTE: This issue was previously included in BID 32281 'Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities', but has been given its own record to better document the issue.

50. Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
BugTraq ID: 32281
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32281
Summary:
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Mozilla Firefox, Thunderbird, and SeaMonkey.

Exploiting these issues can allow attackers to:

- steal authentication credentials
- obtain potentially sensitive information
- violate the same-origin policy
- execute scripts with elevated privileges
- cause denial-of-service conditions
- execute arbitrary code

Other attacks are also possible.

These issues are present in the following applications:

Firefox 3.0.3 and prior
Firefox 2.0.0.17 and prior
Thunderbird 2.0.0.17 and prior
SeaMonkey 1.1.12 and prior

51. Linux Kernel 'snd_seq_oss_synth_make_info()' Information Disclosure Vulnerability
BugTraq ID: 30559
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/30559
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.

Versions prior to Linux kernel 2.6.27-rc2 are vulnerable.

52. Linux kernel 'fs/direct-io.c' Local Denial of Service Vulnerability
BugTraq ID: 31515
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/31515
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this issue to crash the affected computer, denying service to legitimate users.

Versions prior to Linux kernel 2.6.23 are vulnerable.

53. Linux Kernel 32-bit/64bit Emulation Local Information Disclosure Vulnerability
BugTraq ID: 29942
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/29942
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successfully exploiting this issue may allow attackers to gain access to uninitialized and potentially sensitive data. Information obtained may lead to other attacks.

54. Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability
BugTraq ID: 30647
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/30647
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability affecting the VFS behavior in UBIFS (UBI File System).

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

55. Linux Kernel 'truncate()' Local Privilege Escalation Vulnerability
BugTraq ID: 31368
Remote: No
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/31368
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability related to the 'truncate()' and 'ftruncate()' functions.

Versions prior to Linux kernel 2.6.22-rc1 are vulnerable.

56. Yasna Yazd Discussion Forum Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 29980
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/29980
Summary:
Yazd Discussion Forum is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

57. AceFTP 'LIST' Command Directory Traversal Vulnerability
BugTraq ID: 29989
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/29989
Summary:
AceFTP is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting this issue allows an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.

AceFTP Freeware 3.80.3 and AceFTP Freeware 3.80.3 are vulnerable; other versions may also be affected.

58. PHP 'error_log' Safe Mode Restriction-Bypass Vulnerability
BugTraq ID: 32383
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32383
Summary:
PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' restrictions assumed to isolate the users from each other.

This issue is reported to affect PHP 5.2.6; other versions may also be vulnerable.

59. SocialEngine HTTP Response Splitting and SQL-injection Vulnerabilities
BugTraq ID: 32382
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32382
Summary:
SocialEngine is prone to an HTTP response-splitting vulnerability and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Attackers can leverage these issues to influence or misrepresent how web content is served, cached, or interpreted; compromise the application; access or modify data; or exploit latent vulnerabilities in the underlying database.

SocialEngine 2.7 is vulnerable; other versions may also be affected.

60. PunPortal 'login.php' Local File Include Vulnerability
BugTraq ID: 32380
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32380
Summary:
PunPortal is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

61. boastMachine 'mail.php' SQL Injection Vulnerability
BugTraq ID: 32379
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32379
Summary:
boastMachine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

62. GeSHi XML Parsing Remote Denial Of Service Vulnerability
BugTraq ID: 32377
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32377
Summary:
GeSHi is prone to a remote denial-of-service vulnerability.

Remote attackers can exploit this issue to cause the vulnerable application to enter an infinite loop, consuming excessive resources.

This issue affects versions prior to GeSHi 1.0.8.

63. Softbiz Classifieds Script Cross Site Scripting Vulnerability
BugTraq ID: 32375
Remote: Yes
Last Updated: 2008-11-20
Relevant URL: http://www.securityfocus.com/bid/32375
Summary:
Softbiz Classifieds Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

64. Symantec Backup Exec Data Management Protocol Buffer Overflow Vulnerability
BugTraq ID: 32346
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32346
Summary:
Symantec Backup Exec is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in denial-of-service conditions.

65. Mozilla Thunderbird and SeaMonkey 'mailnews' Information Disclosure Vulnerability
BugTraq ID: 32363
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32363
Summary:
Mozilla Thunderbird and SeaMonkey are prone to an information-disclosure vulnerability because they allow JavaScript to access certain DOM properties.

An attacker can exploit the issue to obtain sensitive 'mailnews' information such as the computer account name. Information harvested may aid in further attacks.

Versions prior to Mozilla Thunderbird 2.0.0.18 and SeaMonkey 1.1.13 are vulnerable.

66. Opera Web Browser 'file://' Heap Based Buffer Overflow Vulnerability
BugTraq ID: 32323
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32323
Summary:
Opera Web Browser is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Opera Web Browser 9.62 is vulnerable; other versions may also be affected.

67. Dovecot ACL Plugin Multiple Security Bypass Vulnerabilities
BugTraq ID: 31587
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/31587
Summary:
Dovecot is prone to multiple security-bypass vulnerabilities affecting the ACL plugin.

Attackers can exploit these issues to bypass certain mailbox restrictions and obtain potentially sensitive data; other attacks are also possible.

These issues affect versions prior to Dovecot 1.1.4.

68. MyTopix 'send' Parameter SQL Injection Vulnerability
BugTraq ID: 32362
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32362
Summary:
MyTopix is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MyTopix 1.3.0 is vulnerable; other versions may also be affected.

69. HP Linux Imaging and Printing System Privilege Escalation And Denial Of Service Vulnerabilities
BugTraq ID: 30683
Remote: No
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/30683
Summary:
HP Linux Imaging and Printing System (HPLIP) is prone to multiple vulnerabilities, including privilege-escalation and denial-of-service issues.

Exploiting the privilege-escalation vulnerability may allow attackers to perform certain actions with elevated privileges. Successful exploits of the denial-of-service issue will cause the 'hpssd' process to crash, denying service to legitimate users.

These issues affect HPLIP 1.6.7; other versions may also be affected.

70. libxml XML Entity Name Heap Buffer Overflow Vulnerability
BugTraq ID: 31126
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/31126
Summary:
The 'libxml' library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service condition.

71. libxml2 Recursive Entity Remote Denial of Service Vulnerability
BugTraq ID: 30783
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/30783
Summary:
The libxml2 library is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to cause the library to consume an excessive amount of memory, denying service to legitimate users.

72. PHPCow Unspecified Remote File Include Vulnerability
BugTraq ID: 32361
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32361
Summary:
PHPCow is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

73. PunBB 'pun_user[language]' Parameter Multiple Local File Include Vulnerabilities
BugTraq ID: 32360
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32360
Summary:
PunBB is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities using directory-traversal strings to execute arbitrary local PHP scripts within the context of the webserver process.

PunBB 1.2 is vulnerable; other versions may also be affected.

74. Ruby on Rails ':offset' And ':limit' Parameters SQL Injection Vulnerabilities
BugTraq ID: 31176
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/31176
Summary:
Ruby on Rails is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Versions prior to Ruby on Rails 2.1.1 are affected.

75. Python Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 30491
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/30491
Summary:
Python is prone to multiple buffer-overflow vulnerabilities.

Successful exploits may allow attackers to execute arbitrary code in the context of applications using the vulnerable Python modules. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition.

These issues affect versions prior to Python 2.5.2-r6.

76. Ruby on Rails 'redirect_to()' HTTP Header Injection Vulnerability
BugTraq ID: 32359
Remote: No
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32359
Summary:
Ruby on Rails is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input.

By inserting arbitrary headers into an HTTP response, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTTP-request-smuggling, and other attacks.

This issue affects versions prior to Ruby on Rails 2.0.5.

77. 3Com Wireless 8760 Dual-Radio 11a/b/g PoE Multiple Security Vulnerabilities
BugTraq ID: 32358
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32358
Summary:
3Com Wireless 8760 Dual-Radio 11a/b/g PoE Access Point is prone to multiple security vulnerabilities, including an HTML-injection issue and an authentication-bypass issue.

Successfully exploiting these issues will allow an attacker to obtain administrative credentials, bypass security mechanisms, or run attacker-supplied HTML and script code in the context of the web administration interface. The attacker may then be able to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.

78. Microsoft Windows Vista 'iphlpapi.dll' Local Kernel Buffer Overflow Vulnerability
BugTraq ID: 32357
Remote: No
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32357
Summary:
Microsoft Windows Vista is prone to a buffer-overflow vulnerability because of insufficient boundary checks.

Local attackers could exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level privileges, but this has not been confirmed.

Windows Vista SP1 is vulnerable to this issue.

79. Linux Kernel USB PWC Driver Local Denial Of Service Vulnerability
BugTraq ID: 25504
Remote: No
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/25504
Summary:
The Linux Kernel is prone to a local denial-of-service vulnerability because it fails to properly free resources of USB PWC devices.

Attackers can exploit this issue to block the USB subsystem, resulting in denial-of-service conditions.

Versions prior to 2.6.22.6 are vulnerable.

80. FCKeditor 'connector.php' Arbitrary File Upload Vulnerability
BugTraq ID: 31812
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/31812
Summary:
FCKeditor is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

81. Sun Java System Identity Manager Multiple Vulnerabilities
BugTraq ID: 32262
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32262
Summary:
Sun Java System Identity Manager is prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, multiple cross-site scripting issues, multiple HTML-injection issues, and a directory-traversal vulnerability.

Successful exploits of many of these issues will allow an attacker to completely compromise the affected application.

These issues affect the following versions:

Sun Java System Identity Manager 6.0
Sun Java System Identity Manager 6.0 SP1
Sun Java System Identity Manager 6.0 SP2
Sun Java System Identity Manager 6.0 SP3
Sun Java System Identity Manager 6.0 SP4
Sun Java System Identity Manager 7.0
Sun Java System Identity Manager 7.1

82. Cisco IOS MPLS VPN Information Disclosure Vulnerability
BugTraq ID: 31366
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/31366
Summary:
Cisco IOS (Internetwork Operating System) is an operating system commonly used on Cisco routers and network switches.

Cisco IOS Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) and VPN Routing and Forwarding Lite (VRF Lite) are prone to an information-disclosure vulnerability.

This vulnerability is tracked by Cisco Bug ID CSCee83237 and CVE-2008-3803.

83. Streamripper Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 32356
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32356
Summary:
Streamripper is prone to multiple buffer-overflow vulnerabilities.

Successful exploits may allow attackers to execute arbitrary code in the context of the application. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition.

Streamripper 1.63.5 is vulnerable; other versions may also be affected.

84. IBM Lotus Domino Web Access ActiveX Control Memory Corruption Vulnerabilities
BugTraq ID: 26972
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/26972
Summary:
IBM Lotus Domino Web Access ActiveX control is prone to multiple memory-corruption vulnerabilities because the application fails to properly bounds-check user-supplied input.

Successfully exploiting these issues can allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely result in denial-of-service conditions.

85. MDaemon Server WorldClient Script Injection Vulnerability
BugTraq ID: 32355
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32355
Summary:
WorldClient is prone to a script-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

WorldClient HTTP Server and WorldClient DLL 10.0.1 included in MDaemon PRO 10.0.1 for Windows are affected; other versions may also be vulnerable.
http://drupal.org/node/207891

86. Microsoft Internet Explorer 6 RDS.DataControl Denial of Service Vulnerability
BugTraq ID: 18900
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/18900
Summary:
Microsoft Internet Explorer 6 is reportedly prone to a denial-of-service vulnerability because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers.

This issue is triggered when an attacker convinces a victim to activate a malicious ActiveX control object.

Remote attackers may exploit this issue to crash Internet Explorer 6, effectively denying service to legitimate users.

A stack-based heap overflow may be possible; as a result, remote code could run in the context of the user running the affected application. This has not been confirmed.

87. Ext2 Filesystem Utilities e2fsprogs libext2fs Multiple Unspecified Integer Overflow Vulnerabilities
BugTraq ID: 26772
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/26772
Summary:
The 'e2fsprogs' package is prone to multiple unspecified integer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

These issues affect e2fsprogs 1.38 through 1.40.2; other versions may also be affected.

88. refbase 'headerMsg' Parameter Cross Site Scripting Vulnerabilities
BugTraq ID: 32372
Remote: Yes
Last Updated: 2008-11-19
Relevant URL: http://www.securityfocus.com/bid/32372
Summary:
refbase is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.

refbase versions prior to 0.9.5 are vulnerable.

89. Link Back Checker Cookie Authentication Bypass Vulnerability
BugTraq ID: 32354
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32354
Summary:
Link Back Checker is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain unauthorized access to the affected application, which may aid in further attacks.

90. vBulletin 'admincp/image.php' SQL Injection Vulnerability
BugTraq ID: 32353
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32353
Summary:
vBulletin is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

vBulletin 3.7.4 is vulnerable; other versions may also be affected.

91. vBulletin 'admincp/attachmentpermission.php' SQL Injection Vulnerability
BugTraq ID: 32352
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32352
Summary:
vBulletin is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

vBulletin 3.7.4 is vulnerable; other versions may also be affected.

92. vBulletin 'admincp/verify.php' SQL Injection Vulnerability
BugTraq ID: 32349
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32349
Summary:
vBulletin is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

vBulletin 3.7.4 is vulnerable; other versions may also be affected.

93. vBulletin 'admincalendar.php' SQL Injection Vulnerability
BugTraq ID: 32348
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32348
Summary:
vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Note that to succeed, the attacker must have an administrative account with 'calendar' administrator access.

vBulletin 3.7.3.pl1 is vulnerable; other versions may also be affected.

94. RETIRED: Tribiq CMS Cookie Authentication Bypass Vulnerability
BugTraq ID: 32001
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32001
Summary:
Tribiq CMS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access, which may aid in further attacks.

Tribiq CMS 5.0.9a (beta) is vulnerable; other versions may also be affected.

NOTE: Information from the vendor shows that the application is not affected by this issue. This BID is being retired.

95. Adobe AIR Unspecified JavaScript Code Execution Vulnerability
BugTraq ID: 32334
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32334
Summary:
Adobe AIR is prone to a security vulnerability that allows attackers to execute arbitrary JavaScript code with elevated privileges in the context of the application.

In addition, since Adobe AIR employs Flash Player, the application is prone to the same recent security vulnerabilities announced for that product. For details, please see the following BIDs:

BID 31117 'Adobe Flash Player Clipboard Security Weakness'
BID 32129 'Adobe Flash Player Multiple Security Vulnerabilities'

Versions prior to Adobe AIR 1.5 are vulnerable.

96. Musicbox 'viewalbums.php' SQL Injection Vulnerability
BugTraq ID: 29100
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/29100
Summary:
Musicbox is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful attack could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

97. Zope PythonScript Multiple Remote Denial Of Service Vulnerabilities
BugTraq ID: 32267
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32267
Summary:
Zope is prone to multiple remote denial-of-service vulnerabilities.

Remote attackers can exploit these issues to cause the Zope server to halt or to consume excessive server resources, resulting in denial-of-service conditions.

These issues affect Zope 2.7.0 through 2.11.2.

98. OptiPNG BMP Reader Buffer Overflow Vulnerability
BugTraq ID: 32248
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32248
Summary:
OptiPNG is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Versions prior to OptiPNG 0.6.2 are vulnerable.

99. Novell eDirectory Multiple Buffer Overflow And Cross-Site Scripting Vulnerabilities
BugTraq ID: 30947
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/30947
Summary:
Novell eDirectory is prone to multiple buffer-overflow and multiple cross-site scripting vulnerabilities.

Successful exploits of buffer-overflow vulnerabilities may allow attackers to execute arbitrary code in the context of the application. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition.

Exploiting cross-site scripting vulnerabilities may allow an attacker to steal cookie-based information or execute script code in the context of the browser of an unsuspecting user.

Versions prior to Novell eDirectory 8.8 SP3 are vulnerable.

100. Net-SNMP GETBULK Remote Denial of Service Vulnerability
BugTraq ID: 32020
Remote: Yes
Last Updated: 2008-11-18
Relevant URL: http://www.securityfocus.com/bid/32020
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.

This issue affects versions *prior to* the following:

Net-SNMP 5.2.5.1
Net-SNMP 5.3.2.3
Net-SNMP 5.4.2.1

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Researchers find more flaws in wireless security
By: Robert Lemos
Two security experts plan to show a limited attack against the popular Wi-Fi Protected Access (WPA) -- a replacement for insecure WEP -- at a conference in Tokyo.
http://www.securityfocus.com/news/11537

2. Secure hash competition kicks off
By: Robert Lemos
Dozens of amateur and professional cryptographers have joined the United States' first open competition for creating an uncrackable algorithm for generating hashes -- the digital fingerprints widely used in a variety of security functions.
http://www.securityfocus.com/news/11536

3. You don't know (click)jack
By: Robert Lemos
Security professionals Robert "RSnake" Hansen and Jeremiah Grossman discuss a class of attacks, known as clickjacking, on user interfaces of Web browsers.
http://www.securityfocus.com/news/11535

4. Researchers weigh "clickjacking" threat
By: Robert Lemos
A canceled presentation at a Web security summit attracts attention to the danger of overlaying Web pages with graphics to persuade a victim to click where an attacker wants.
http://www.securityfocus.com/news/11534

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Security Auditor, Reston
http://www.securityfocus.com/archive/77/498419

2. [SJ-JOB] Sr. Security Engineer, St Louis
http://www.securityfocus.com/archive/77/498422

3. [SJ-JOB] Compliance Officer, Pentagon City
http://www.securityfocus.com/archive/77/498424

4. [SJ-JOB] Software Engineer, St. Paul
http://www.securityfocus.com/archive/77/498426

5. [SJ-JOB] Manager, Information Security, Bedford Heights
http://www.securityfocus.com/archive/77/498428

6. [SJ-JOB] Software Engineer, St. Paul
http://www.securityfocus.com/archive/77/498415

7. [SJ-JOB] Senior Software Engineer, St. Paul
http://www.securityfocus.com/archive/77/498416

8. [SJ-JOB] Sr. Security Analyst, Denver
http://www.securityfocus.com/archive/77/498417

9. [SJ-JOB] Sales Representative, Bedford Heights
http://www.securityfocus.com/archive/77/498421

10. [SJ-JOB] Security Consultant, Central New Jersey
http://www.securityfocus.com/archive/77/498405

11. [SJ-JOB] Management, Glendale
http://www.securityfocus.com/archive/77/498414

12. [SJ-JOB] Security System Administrator, San Diego
http://www.securityfocus.com/archive/77/498418

13. [SJ-JOB] Technical Support Engineer, St. Paul
http://www.securityfocus.com/archive/77/498423

14. [SJ-JOB] Security Consultant, San Francisco
http://www.securityfocus.com/archive/77/498425

15. [SJ-JOB] Security Researcher, Bangalore
http://www.securityfocus.com/archive/77/498410

16. [SJ-JOB] Senior Software Engineer, Alameda
http://www.securityfocus.com/archive/77/498411

17. [SJ-JOB] Management, Newark
http://www.securityfocus.com/archive/77/498412

18. [SJ-JOB] Management, Houston
http://www.securityfocus.com/archive/77/498413

19. [SJ-JOB] Penetration Engineer, San Francisco
http://www.securityfocus.com/archive/77/498427

20. [SJ-JOB] Security Researcher, Los Angeles
http://www.securityfocus.com/archive/77/498401

21. [SJ-JOB] Sales Representative, Nashville
http://www.securityfocus.com/archive/77/498402

22. [SJ-JOB] Security Consultant, Bedford Heights
http://www.securityfocus.com/archive/77/498403

23. [SJ-JOB] Director, Information Security, Chicago
http://www.securityfocus.com/archive/77/498404

V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #419
http://www.securityfocus.com/archive/88/498317

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message, which you will have to answer. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is Sponsored by Symantec

Symantec NetBackup Design Best Practices with Data Domain
This white paper walks you through how Data Domain integrates with NBU, including planning and sizing considerations, operational considerations, offsite replication, and other integration basics so you can get the most out of this powerful solution.
http://dinclinx.com/Redirect.aspx?36;2173;45;189;0;10;259;46b98cc7718e4a7c
