Thursday, December 04, 2008

SecurityFocus Newsletter #481
----------------------------------------

This issue is Sponsored by Verisign

Learn how to protect your online customers with SSL technology that not only keeps their information safe, but also lets them know your site is secure - Extended Validation (EV) SSL.
This new technology turns the address bar green in high-security browsers.
http://ad.doubleclick.net/clk;208565397;30663982;v


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Standing on Other's Shoulders
2. Just Encase It's Not a Search
II. BUGTRAQ SUMMARY
1. Rae Media Web Based Contact Management Login SQL Injection Vulnerability
2. Mxmania Gallery MX 'pics_pre.asp' SQL Injection Vulnerability
3. RevSense SQL Injection and Cross Site Scripting Vulnerabilities
4. Adobe Acrobat 9 Unspecified PDF Document Encryption Weakness
5. CUPS PNG Filter '_cupsImageReadPNG()' Integer Overflow Vulnerability
6. Massimiliano Montoro Cain & Abel Malformed '.rdp' File Buffer Overflow Vulnerability
7. ImpressCMS 'PHPSESSID' Session Fixation Vulnerability
8. Linux kernel 'fs/direct-io.c' Local Denial of Service Vulnerability
9. WordPress 'wp-includes/feed.php' Cross-Site Scripting Vulnerability
10. Perl 'rmdir()' Local Race Condition Privilege Escalation Vulnerability
11. MAXSITE Guestbook Component 'message' Parameter Remote Command Execution Vulnerability
12. Dovecot ManageSieve Service '.sieve' Files Directory Traversal Vulnerability
13. BigAnt IM Server HTTP GET Request Remote Buffer Overflow Vulnerability
14. Ocean12 Mailing List Manager Gold SQL Injection and Cross Site Scripting Vulnerabilities
15. libsamplerate Buffer Overflow Vulnerability
16. Mantis 'string_api.php' Issue Number Information Disclosure Vulnerability
17. Wireshark 1.0.4 SMTP Denial of Service Vulnerability
18. Mantis Insecure Cookie Disclosure Weakness
19. Mantis 'manage_proj_page.php' PHP Code Injection Vulnerability
20. Debian chm2pdf Insecure Temporary File Creation Vulnerability
21. Fantastico 'index.php' Local File Include Vulnerability
22. IPsec-Tools Multiple Remote Denial Of Service Vulnerabilities
23. No-IP Dynamic Update Client for Linux Remote Buffer Overflow Vulnerability
24. DATAC RealWin SCADA Server Remote Stack Buffer Overflow Vulnerability
25. IBM Rational ClearQuest Web Multiple Unspecified Cross Site Scripting Vulnerabilities
26. bzip2 Unspecified File Handling Vulnerability
27. RadASM '.rap' Project File Buffer Overflow Vulnerability
28. Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities
29. JMovies Joomla! Component 'id' Parameter SQL Injection Vulnerability
30. Nagios External Commands and Adaptive Commands Unspecified Vulnerability
31. Calendar MX Professional 'calendar_Eventupdate.asp' SQL Injection Vulnerability
32. Pro Clan Manager 'PHPSESSID' Session Fixation Vulnerability
33. Movable Type Unspecified Cross-Site Scripting Vulnerability
34. 'nfs-utils' Package 'hosts_ctl()' Security Bypass Vulnerability
35. Retired: Joomla! and Mambo GameQ Component SQL Injection Vulnerability
36. Apache 'mod_proxy_http' Interim Response Denial of Service Vulnerability
37. i-Net Solution Orkut Clone SQL Injection and Cross Site Scripting Vulnerabilities
38. mvnForum Cross Site Scripting Vulnerability
39. Z1Exchange SQL Injection and Cross Site Scripting Vulnerabilities
40. Linux Kernel 'hfsplus_find_cat()' Local Denial of Service Vulnerability
41. Linux Kernel 'hfs_cat_find_brec()' Local Denial of Service Vulnerability
42. Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability
43. Linux Kernel 'do_splice_from()' Local Security Bypass Vulnerability
44. Linux Kernel SCTP Protocol Violation Remote Denial of Service Vulnerability
45. Linux Kernel SCTP INIT-ACK AUTH Extension Remote Denial of Service Vulnerability
46. Linux Kernel 'sendmsg()' Local Denial of Service Vulnerability
47. Linux Kernel 'lbs_process_bss()' Remote Denial of Service Vulnerability
48. WebGUI 'lib/WebGUI/Storage.pm' Remote Script Code Execution Vulnerability
49. Retired: Egi Zaberl E.Z.Poll 'login.asp' Multiple SQL Injection Vulnerabilities
50. Check Up New Generation 'findoffice.php' SQL Injection Vulnerability
51. Jbook SQL Injection Vulnerability
52. Sun Java Web Start and Java Plug-in Multiple Privilege Escalation Vulnerabilities
53. Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
54. Apache 'mod_proxy_balancer' Multiple Vulnerabilities
55. SquirrelMail Malformed HTML Mail Message HTML Injection Vulnerability
56. Ruby Multiple Security Bypass and Denial of Service Vulnerabilities
57. Linux Kernel 'truncate()' Local Privilege Escalation Vulnerability
58. Linux Kernel 'ndiswrapper' Remote Buffer Overflow Vulnerability
59. HP-UX Unspecified Local Denial Of Service Vulnerability
60. Sunbyte eFlower 'popupproduct.php' SQL Injection Vulnerability
61. Microsoft Internet Explorer DHTML Method Buffer Overflow Vulnerability
62. WebLogic Server and Express HTTP TRACE Credential Theft Vulnerability
63. Multiple Vendor RPC.YPUpdated Command Execution Vulnerability
64. CUPS Multiple Heap Based Buffer Overflow Vulnerabilities
65. Digiappz Freekot ASP SQL Injection Vulnerability
66. CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability
67. ClamAV 'cli_check_jpeg_exploit' Function Malformed JPEG File Remote Denial Of Service Vulnerability
68. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
69. Vim 'tar.vim' Plugin Arbitrary Command Execution Vulnerability
70. Vim Insufficient Shell Escaping Multiple Command Execution Vulnerabilities
71. Netrw Vim Script Information Disclosure Vulnerability
72. Netrw Vim Script Multiple Command Execution Vulnerabilities
73. Vim 'zip.vim' Plugin Arbitrary Command Execution Vulnerability
74. Vim Vim Script Multiple Command Execution Vulnerabilities
75. Vim HelpTags Command Remote Format String Vulnerability
76. FutureSoft TFTP Server 2000 Multiple Remote Vulnerabilities
77. pi3Web ISAPI Directory Remote Denial Of Service Vulnerability
78. Sun Solaris RPC Request Denial of Service Vulnerability
79. NOS Microsystems getPlus Download Manager ActiveX Control Buffer Overflow Vulnerability
80. NOS Microsystems getPlus Download Manager Unauthorized Access Vulnerability
81. Jamit Job Board 'index.php' SQL Injection Vulnerability
82. Lynx URI Handlers Arbitrary Command Execution Vulnerability
83. Samba Arbitrary Memory Contents Information Disclosure Vulnerability
84. Net-SNMP GETBULK Remote Denial of Service Vulnerability
85. Net-SNMP Remote Authentication Bypass Vulnerability
86. Net-SNMP Perl Module Buffer Overflow Vulnerability
87. AWStats 'awstats.pl' Cross-Site Scripting Vulnerability
88. Adobe Acrobat and Reader 8.1.2 Multiple Security Vulnerabilities
89. Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability
90. Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability
91. ASPApps.com Template Creature 'media_level.asp' SQL Injection Vulnerability
92. Joomla! and Mambo Mydyngallery Component 'directory' Parameter SQL Injection Vulnerability
93. Linux Kernel 'parisc_show_stack()' Local Denial of Service Vulnerability
94. PHPSTREET Webboard 'show.php' SQL Injection Vulnerability
95. Microsoft December 2008 Advance Notification Multiple Vulnerabilities
96. ccTiddly 'cct_base' Parameter Multiple Remote File Include Vulnerabilities
97. RSyslog '$AllowedSender' Configuration Directive Security Bypass Vulnerability
98. Ubuntu Privacy Remix S/ATA-Disks Security Bypass Vulnerability
99. Orb Networks Orb Unspecified Remote Denial Of Service Vulnerability
100. PHP ZipArchive::extractTo() '.zip' Files Directory Traversal Vulnerability
III. SECURITYFOCUS NEWS
1. Microsoft hopes free security means less malware
2. Researchers find more flaws in wireless security
3. Secure hash competition kicks off
4. You don't know (click)jack
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
1. incidents from history
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #421
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Standing on Other's Shoulders
By Chris Wysopal
"If I have seen a little further it is by standing on the shoulders of Giants," Isaac Newton once wrote to describe how he felt that his scientific work was an extension of the work of those who went before him. In the scientific realm it is dishonorable not to credit those upon whose work you build.
http://www.securityfocus.com/columnists/486

2. Just Encase It's Not a Search
By Mark Rasch
When is a search not really a search? If it's done by computer, according to U.S. government lawyers.
http://www.securityfocus.com/columnists/485


II. BUGTRAQ SUMMARY
--------------------
1. Rae Media Web Based Contact Management Login SQL Injection Vulnerability
BugTraq ID: 32616
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32616
Summary:
Rae Media Web Based Contact Management is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Mxmania Gallery MX 'pics_pre.asp' SQL Injection Vulnerability
BugTraq ID: 32607
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32607
Summary:
Mxmania Gallery MX is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mxmania Gallery MX 2.0.0 is vulnerable; other versions may also be affected.

3. RevSense SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 32624
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32624
Summary:
RevSense is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

RevSense 1.0 is vulnerable; other versions may also be affected.

4. Adobe Acrobat 9 Unspecified PDF Document Encryption Weakness
BugTraq ID: 32610
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32610
Summary:
Adobe Acrobat 9 is prone to an unspecified weakness related to encrypted PDF documents.

Attackers may be able to view encrypted documents or gain access to encryption passwords.

5. CUPS PNG Filter '_cupsImageReadPNG()' Integer Overflow Vulnerability
BugTraq ID: 32518
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32518
Summary:
CUPS is prone to an integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied PNG image sizes before using them to allocate memory buffers.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the utilities. Failed exploit attempts will likely cause denial-of-service conditions.

Versions prior to CUPS 1.3.10 are vulnerable.

6. Massimiliano Montoro Cain & Abel Malformed '.rdp' File Buffer Overflow Vulnerability
BugTraq ID: 32543
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32543
Summary:
Cain & Abel is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects Cain & Abel 4.9.24 and prior versions.

7. ImpressCMS 'PHPSESSID' Session Fixation Vulnerability
BugTraq ID: 32495
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32495
Summary:
ImpressCMS is prone to a session-fixation vulnerability.

Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.

ImpressCMS 1.1 is vulnerable; other versions may also be affected.

8. Linux kernel 'fs/direct-io.c' Local Denial of Service Vulnerability
BugTraq ID: 31515
Remote: No
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/31515
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this issue to crash the affected computer, denying service to legitimate users.

Versions prior to Linux kernel 2.6.23 are vulnerable.

9. WordPress 'wp-includes/feed.php' Cross-Site Scripting Vulnerability
BugTraq ID: 32476
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32476
Summary:
WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to WordPress 2.6.5 are vulnerable.

10. Perl 'rmdir()' Local Race Condition Privilege Escalation Vulnerability
BugTraq ID: 12767
Remote: No
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/12767
Summary:
Perl is reported to be prone to a local race-condition vulnerability. The issue resides in the 'rmtree()' function provided by the 'File::Path.pm' module.

A successful attack may allow an attacker to gain elevated privileges on a vulnerable computer.

UPDATE (December 2, 2008): This issue has been reported in Perl 5.8.8 and 5.10.

11. MAXSITE Guestbook Component 'message' Parameter Remote Command Execution Vulnerability
BugTraq ID: 32588
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32588
Summary:
MAXSITE Guestbook Component is prone to a vulnerability that attackers can leverage to execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately sanitize user-supplied input.

Remote attackers may exploit this issue to execute arbitrary PHP commands within the context of the vulnerable webserver.

12. Dovecot ManageSieve Service '.sieve' Files Directory Traversal Vulnerability
BugTraq ID: 32582
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32582
Summary:
The Dovecot ManageSieve service is prone to a directory-traversal vulnerability because the application fails to adequately sanitize user-supplied input. An attacker may exploit this issue to read or write to arbitrary '.sieve' files.

A successful attack may allow an attacker to obtain potentially sensitive information, cause denial-of-service conditions, or execute arbitrary script code in the context of another user; this may aid in further attacks.

Versions *prior to* the following are affected:

Dovecot 1.2 ManageSieve 0.11.1
Dovecot 1.1 ManageSieve 0.10.4
Dovecot 1.0.15 ManageSieve 9.4

13. BigAnt IM Server HTTP GET Request Remote Buffer Overflow Vulnerability
BugTraq ID: 28795
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/28795
Summary:
BigAnt IM Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the server. Failed exploit attempts will result in a denial-of-service condition.

BigAnt IM Server 2.2 is vulnerable; other versions may also be affected.

14. Ocean12 Mailing List Manager Gold SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 32587
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32587
Summary:
Ocean12 Mailing List Manager Gold is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

15. libsamplerate Buffer Overflow Vulnerability
BugTraq ID: 32090
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32090
Summary:
The 'libsamplerate' program (aka Secret Rabbit Code) is prone to a buffer-overflow vulnerability because of insufficient boundary checks.

Remote attackers can exploit this issue by enticing victims into opening maliciously crafted files with an application that uses the affected library.

Successful exploits may allow attackers to execute arbitrary code within the context of an affected application. Failed exploit attempts will likely result in a denial of service.

16. Mantis 'string_api.php' Issue Number Information Disclosure Vulnerability
BugTraq ID: 31868
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/31868
Summary:
Mantis is prone to an information-disclosure vulnerability because the application fails to protect private information.

Attackers may exploit this issue to retrieve sensitive information that may aid in further attacks.

Versions prior to Mantis 1.1.3 are vulnerable.

17. Wireshark 1.0.4 SMTP Denial of Service Vulnerability
BugTraq ID: 32422
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32422
Summary:
Wireshark is prone to a denial-of-service vulnerability.

Exploiting this issue may allow attackers to cause the application to hang, which may aid in other attacks.

This issue affects Wireshark 1.0.4; other versions may also be vulnerable.

18. Mantis Insecure Cookie Disclosure Weakness
BugTraq ID: 31344
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/31344
Summary:
Mantis is prone to a weakness that may allow an attacker to sniff network traffic and obtain cookie data.

An attacker may leverage this issue to obtain sensitive information, steal cookie-based authentication credentials, and carry out session-hijacking attacks; other attacks are also possible.

19. Mantis 'manage_proj_page.php' PHP Code Injection Vulnerability
BugTraq ID: 31789
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/31789
Summary:
Mantis is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

Mantis 1.1.3 and prior versions are vulnerable.

20. Debian chm2pdf Insecure Temporary File Creation Vulnerability
BugTraq ID: 31735
Remote: No
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/31735
Summary:
Debian 'chm2pdf' creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Debian 'chm2pdf' 0.9.1 is vulnerable; other versions may also be affected.

21. Fantastico 'index.php' Local File Include Vulnerability
BugTraq ID: 32578
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32578
Summary:
Fantastico is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

22. IPsec-Tools Multiple Remote Denial Of Service Vulnerabilities
BugTraq ID: 30657
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/30657
Summary:
IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets.

A successful attack allows a remote attacker to crash the software, denying further service to legitimate users.

Versions prior to IPsec-Tools 0.7.1 are vulnerable.

23. No-IP Dynamic Update Client for Linux Remote Buffer Overflow Vulnerability
BugTraq ID: 32344
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32344
Summary:
No-IP Dynamic Update Client (DUC) is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check input messages.

An attacker can exploit this issue by enticing an unsuspecting user into connecting to a malicious server. Successful attacks will allow arbitrary code to run within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

DUC 2.1.7 for Linux is vulnerable; other versions may also be affected.

24. DATAC RealWin SCADA Server Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 31418
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/31418
Summary:
DATAC RealWin SCADA server is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code in the context of the affected application. This may facilitate the complete compromise of affected computers. Failed exploit attempts may result in a denial-of-service condition.

RealWin SCADA server 2.0 is affected; other versions may also be vulnerable.

25. IBM Rational ClearQuest Web Multiple Unspecified Cross Site Scripting Vulnerabilities
BugTraq ID: 32576
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32576
Summary:
IBM Rational ClearQuest Web is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.

Versions prior to ClearQuest 7.0.0.4 and 7.0.1.3 are vulnerable.

26. bzip2 Unspecified File Handling Vulnerability
BugTraq ID: 28286
Remote: Yes
Last Updated: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/28286
Summary:
The 'bzip2' application is prone to a remote file-handling vulnerability because it fails to properly handle malformed files.

Successful exploits may allow remote code to run, but this has not been confirmed. Exploit attempts will likely crash the application.

This issue affects bzip2 1.0.4; prior versions may also be affected.

27. RadASM '.rap' Project File Buffer Overflow Vulnerability
BugTraq ID: 32617
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32617
Summary:
RadASM is prone to a buffer-overflow vulnerability because it fails to perform adequate checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

RadASM 2.2.1.4 is vulnerable; other versions may also be affected.

28. Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities
BugTraq ID: 32608
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32608
Summary:
Sun Java Runtime Environment and Java Development Kit are prone to multiple security vulnerabilities.

Successful exploits may allow attackers to violate the same-origin policy, obtain sensitive information, bypass security restrictions, run untrusted applets with elevated privileges, and cause denial-of-service conditions. This may result in a compromise of affected computers.

These issues affect versions prior to the following:

JDK and JRE 6 Update 11 or later
JDK and JRE 5.0 Update 17 or later
SDK and JRE 1.4.2_19 or later
SDK and JRE 1.3.1_24 or later

29. JMovies Joomla! Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 32615
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32615
Summary:
JMovies Joomla! component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

JMovies 1.1 is vulnerable; other versions may also be affected.

30. Nagios External Commands and Adaptive Commands Unspecified Vulnerability
BugTraq ID: 32611
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32611
Summary:
Nagios is prone to an unspecified vulnerability related to the CGI submission of external commands and the processing of adaptive commands.

Very little information is known about this issue. We will update this BID as soon as more information becomes available.

The issue affects versions prior to Nagios 3.0.6.

31. Calendar MX Professional 'calendar_Eventupdate.asp' SQL Injection Vulnerability
BugTraq ID: 32609
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32609
Summary:
Calendar MX Professional is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Calendar MX Professional 2.0.0 is vulnerable; other versions may also be affected.

32. Pro Clan Manager 'PHPSESSID' Session Fixation Vulnerability
BugTraq ID: 32606
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32606
Summary:
Pro Clan Manager, a PHP-based content manager, is prone to a session-fixation vulnerability.

Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.

Pro Clan Manager 0.4.2 is vulnerable; other versions may also be affected.

33. Movable Type Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 32604
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32604
Summary:
Movable Type is prone to an unspecified cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data.

An attacker can leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

The following versions are affected:

Movable Type 4
Movable Type 4 Enterprise
Movable Type 4 Community Edition
Movable Type 4 (Open Source)
Movable Type 3
Movable Type Enterprise 1.5

34. 'nfs-utils' Package 'hosts_ctl()' Security Bypass Vulnerability
BugTraq ID: 31823
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31823
Summary:
The 'nfs-utils' package is prone to a security-bypass vulnerability.

Remote attackers can exploit this issue to bypass certain security restrictions and gain access to vulnerable computers.

This issue affects 'nfs-utils' 1.0.9; other versions prior to 1.1.3 may also be vulnerable.

35. Retired: Joomla! and Mambo GameQ Component SQL Injection Vulnerability
BugTraq ID: 32633
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32633
Summary:
The GameQ component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Further analysis reveals that this vulnerability is the same issue described in BID 29592 (Joomla! GameQ Component 'category_id' Parameter SQL Injection Vulnerability); therefore, this BID is being retired.

36. Apache 'mod_proxy_http' Interim Response Denial of Service Vulnerability
BugTraq ID: 29653
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/29653
Summary:
The Apache 'mod_proxy_http' module is prone to a denial-of-service vulnerability that affects the processing of interim responses.

Attackers may exploit this issue to cause denial-of-service conditions.

Reportedly, the issue affects Apache 2.2.8 and 2.0.63; other versions may also be affected.

37. i-Net Solution Orkut Clone SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 32600
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32600
Summary:
Orkut Clone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

38. mvnForum Cross Site Scripting Vulnerability
BugTraq ID: 32605
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32605
Summary:
mvnForum is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

mvnForum 1.2 GA and prior versions are vulnerable.

39. Z1Exchange SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 32598
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32598
Summary:
Z1Exchange is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Z1Exchange 1.0 is vulnerable; other versions may also be affected.

40. Linux Kernel 'hfsplus_find_cat()' Local Denial of Service Vulnerability
BugTraq ID: 32093
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32093
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly bounds-check data before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects versions prior to Linux kernel 2.6.28-rc1.

41. Linux Kernel 'hfs_cat_find_brec()' Local Denial of Service Vulnerability
BugTraq ID: 32289
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32289
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly bounds-check data before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects versions prior to Linux kernel 2.6.27.6.

42. Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability
BugTraq ID: 32154
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32154
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

The Linux kernel 2.6.26 and prior versions are affected.

43. Linux Kernel 'do_splice_from()' Local Security Bypass Vulnerability
BugTraq ID: 31903
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31903
Summary:
The Linux kernel is prone to a local security-bypass vulnerability because the 'do_splice_from()' function fails to correctly reject file descriptors when performing certain file operations.

Attackers can exploit this issue to bypass restrictions on append mode when updating files to update arbitrary locations in the file.

Versions prior to Linux kernel 2.6.27 are vulnerable.

44. Linux Kernel SCTP Protocol Violation Remote Denial of Service Vulnerability
BugTraq ID: 31848
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31848
Summary:
The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to handle SCTP protocol violations.

Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users.

Versions prior to Linux kernel 2.6.27 are vulnerable.

45. Linux Kernel SCTP INIT-ACK AUTH Extension Remote Denial of Service Vulnerability
BugTraq ID: 31634
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31634
Summary:
The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to handle mismatched SCTP AUTH extension settings between peers.

Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users.

Versions prior to Linux kernel 2.6.27-rc6-git6 are vulnerable.

46. Linux Kernel 'sendmsg()' Local Denial of Service Vulnerability
BugTraq ID: 32516
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32516
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to create a soft lockup of the vulnerable kernel or to invoke the 'oom-killer' kernel functionality, which may halt unrelated processes. This may result in a denial-of-service condition.

NOTE: This issue was either caused or revealed by the fix for BID 32154 (Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability).

The Linux kernel 2.6.27 and prior versions are affected.

47. Linux Kernel 'lbs_process_bss()' Remote Denial of Service Vulnerability
BugTraq ID: 32484
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32484
Summary:
The Linux Kernel is prone to a remote denial-of-service vulnerability because of a buffer-overflow error in the 'libertas' subsystem.

Successful exploits will allow attackers to crash the affected computer, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute code, but this has not been confirmed.

Versions prior to Linux Kernel 2.6.27.5 are vulnerable.

48. WebGUI 'lib/WebGUI/Storage.pm' Remote Script Code Execution Vulnerability
BugTraq ID: 32602
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32602
Summary:
WebGUI is prone to a vulnerability that may allow a remote attacker to upload and run arbitrary script code in the context of the hosting webserver process.

WebGUI 7.x prior to 7.6.5 (beta) and 7.5.35 are vulnerable.

49. Retired: Egi Zaberl E.Z.Poll 'login.asp' Multiple SQL Injection Vulnerabilities
BugTraq ID: 32562
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32562
Summary:
Egi Zaberl E.Z.Poll is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

E.Z.Poll 2 is vulnerable; other versions may also be affected.

Further analysis reveals that these vulnerabilities are the same issues described in BID 30536 (E.Z.Poll 'admin/login.asp' Multiple SQL Injection Vulnerabilities) therefore this BID is being retired.

50. Check Up New Generation 'findoffice.php' SQL Injection Vulnerability
BugTraq ID: 32590
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32590
Summary:
Check Up New Generation is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied input.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Check Up New Generation 4.52 is vulnerable; other versions may also be affected.

51. Jbook SQL Injection Vulnerability
BugTraq ID: 32599
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32599
Summary:
Jbook is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

52. Sun Java Web Start and Java Plug-in Multiple Privilege Escalation Vulnerabilities
BugTraq ID: 32620
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32620
Summary:
Sun Java Web Start and Java Plug-in are prone to multiple privilege-escalation vulnerabilities.

Successful exploits may allow attackers to violate the same-origin policy, obtain sensitive information, bypass security, or read, write, and execute arbitrary files in the context of the user running a vulnerable application. This may result in a compromise of the underlying system.

This issue affects the following versions:

JDK and JRE 6 Update 10 and earlier
JDK and JRE 5.0 Update 16 and earlier
SDK and JRE 1.4.2_18 and earlier
SDK and JRE 1.3.1_23 and earlier

53. Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
BugTraq ID: 30560
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30560
Summary:
The Apache 'mod_proxy_ftp' module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue is reported to affect Apache 2.0.63 and 2.2.9; other versions may also be affected.

54. Apache 'mod_proxy_balancer' Multiple Vulnerabilities
BugTraq ID: 27236
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/27236
Summary:
The Apache 'mod_proxy_balancer' module is prone to multiple vulnerabilities, including denial-of-service, memory-corruption, cross-site scripting, HTML-injection, and cross-site request-forgery issues.

Attackers can exploit these issues to inject arbitrary script code into vulnerable sections of the application, execute this script code in the browser of a user in the context of the affected site, and perform certain actions using the user's active session. Attackers can exploit the denial-of-service issue to deny further service to legitimate users. Exploiting the memory-corruption vulnerability is likely to cause a crash and could allow arbitrary code to run, but this has not been confirmed.

The issues affect Apache 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0; other versions may also be vulnerable.

55. SquirrelMail Malformed HTML Mail Message HTML Injection Vulnerability
BugTraq ID: 32603
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32603
Summary:
SquirrelMail is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

The vulnerability affects SquirrelMail 1.4.16; other versions may also be affected.

56. Ruby Multiple Security Bypass and Denial of Service Vulnerabilities
BugTraq ID: 30644
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30644
Summary:
Ruby is prone to multiple vulnerabilities that can be leveraged to bypass security restrictions or cause a denial of service:

- Multiple security-bypass vulnerabilities occur because of errors in the 'safe level' restriction implementation. Attackers can leverage these issues to make insecure function calls and perform 'Syslog' operations.

- An error affecting 'WEBrick::HTTP::DefaultFileHandler' can exhaust system resources and deny service to legitimate users.

- A flaw in 'dl' can allow attackers to call unauthorized functions.

Attackers can exploit these issues to perform unauthorized actions on affected applications. This may aid in compromising the application and possibly the underlying computers. Attackers can also cause denial-of-service conditions.

These issues affect Ruby 1.8.5, 1.8.6-p286, 1.8.7-p71, and 1.9 r18423. Prior versions are also vulnerable.

57. Linux Kernel 'truncate()' Local Privilege Escalation Vulnerability
BugTraq ID: 31368
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31368
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability related to the 'truncate()' and 'ftruncate()' functions.

Versions prior to Linux kernel 2.6.22-rc1 are vulnerable.

58. Linux Kernel 'ndiswrapper' Remote Buffer Overflow Vulnerability
BugTraq ID: 32118
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32118
Summary:
The Linux Kernel is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

The issue affects Linux Kernel 2.6.27; other versions may also be vulnerable.

59. HP-UX Unspecified Local Denial Of Service Vulnerability
BugTraq ID: 32601
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32601
Summary:
HP-UX is prone to a local denial-of-service vulnerability.

This issue affects HP-UX B.11.31; other versions may be vulnerable as well.

60. Sunbyte eFlower 'popupproduct.php' SQL Injection Vulnerability
BugTraq ID: 32589
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32589
Summary:
Sunbyte eFlower is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

61. Microsoft Internet Explorer DHTML Method Buffer Overflow Vulnerability
BugTraq ID: 12475
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/12475
Summary:
Microsoft Internet Explorer is prone to a heap-based buffer-overflow vulnerability caused by a boundary condition error that is exposed when passing data to the 'createControlRange()' DHTML method. As a result, heap-based memory can be corrupted with attacker-supplied data.

An attacker could exploit this issue to execute arbitrary code in the context of the currently logged-in user.

62. WebLogic Server and Express HTTP TRACE Credential Theft Vulnerability
BugTraq ID: 9506
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/9506
Summary:
It has been reported that WebLogic Server and Express may be prone to a user credential theft vulnerability that may allow a remote attacker to steal sensitive information such as cookie-based authentication credentials. The problem exists because WebLogic Server responds to the HTTP TRACE request by default. Successful exploitation of this issue may allow an attacker to compromise user accounts by gaining access to sensitive header information. This issue may be combined with other attacks, such as cross-site scripting, to steal cookie-based authentication credentials.

63. Multiple Vendor RPC.YPUpdated Command Execution Vulnerability
BugTraq ID: 1749
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/1749
Summary:
The 'rpc.ypupdated' daemon is part of the Network Information Service (NIS), also known as Yellow Pages (YP). It allows clients to update NIS maps. A vulnerability in 'rpc.ypupdated' allows a malicious user to execute commands as root.

After receiving a request to update the Yellow Pages maps, 'ypupdated' executes a copy of the Bourne shell to run the 'make' command to recompute the maps, whether or not the requested change was successful. Because of bad input validation while executing 'make', an attacker can pass shell metacharacters to the shell and execute commands.

This issue is tracked by Sun BugIDs 1230027 and 1232146.

64. CUPS Multiple Heap Based Buffer Overflow Vulnerabilities
BugTraq ID: 31690
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31690
Summary:
CUPS is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before using it to allocate memory buffers.

Remote attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local attackers may also exploit these vulnerabilities to elevate privileges.

Successful remote exploits may require printer sharing to be enabled on the vulnerable system.

These issues affect versions prior to CUPS 1.3.9.

65. Digiappz Freekot ASP SQL Injection Vulnerability
BugTraq ID: 19768
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/19768
Summary:
Digiappz Freekot is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit could allow an attacker to compromise the application, retrieve sensitive information, or modify data; other consequences are possible as well.

66. CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability
BugTraq ID: 31688
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/31688
Summary:
CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2' filter.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.

Successful remote exploits may require printer sharing to be enabled on the vulnerable system.

The issue affects versions prior to CUPS 1.3.9.

NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.

67. ClamAV 'cli_check_jpeg_exploit' Function Malformed JPEG File Remote Denial Of Service Vulnerability
BugTraq ID: 32555
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32555
Summary:
ClamAV is prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

Versions prior to ClamAV 0.94.2 are vulnerable.

68. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
BugTraq ID: 32207
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32207
Summary:
ClamAV is prone to an off-by-one heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to ClamAV 0.94.1 are vulnerable.

69. Vim 'tar.vim' Plugin Arbitrary Command Execution Vulnerability
BugTraq ID: 32462
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32462
Summary:
The 'tar.vim' plugin for Vim is prone to a command-execution vulnerability because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting this issue can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Vim 7.0 and 7.1 are vulnerable.

70. Vim Insufficient Shell Escaping Multiple Command Execution Vulnerabilities
BugTraq ID: 30795
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30795
Summary:
Vim is prone to multiple command-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting these issues can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Versions prior to Vim 7.2.010 are vulnerable.

71. Netrw Vim Script Information Disclosure Vulnerability
BugTraq ID: 30670
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30670
Summary:
Netrw is prone to an information-disclosure vulnerability because the application fails to clear login credentials between FTP sessions.

Successfully exploiting this issue can allow an attacker to obtain login credentials from previous FTP sessions.

Netrw 131 is vulnerable; other versions may also be affected.

72. Netrw Vim Script Multiple Command Execution Vulnerabilities
BugTraq ID: 30115
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30115
Summary:
Netrw is prone to multiple command-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting these issues can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Netrw 125 is vulnerable; other versions may also be affected.

73. Vim 'zip.vim' Plugin Arbitrary Command Execution Vulnerability
BugTraq ID: 32463
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32463
Summary:
The 'zip.vim' plugin for Vim is prone to a command-execution vulnerability because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting this issue can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Vim 7.0 and 7.1 are vulnerable.

74. Vim Vim Script Multiple Command Execution Vulnerabilities
BugTraq ID: 29715
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/29715
Summary:
Vim is prone to multiple command-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting these issues can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Vim 7.1.298 is vulnerable; other versions may also be affected.

75. Vim HelpTags Command Remote Format String Vulnerability
BugTraq ID: 25095
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/25095
Summary:
Vim is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

A remote attacker may execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts may cause denial-of-service conditions.

Vim 6.4 and 7.1 are vulnerable; other versions may also be affected.

76. FutureSoft TFTP Server 2000 Multiple Remote Vulnerabilities
BugTraq ID: 13821
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/13821
Summary:
FutureSoft TFTP Server 2000 is affected by multiple remote vulnerabilities. Exploiting these issues can allow an attacker to retrieve arbitrary files and carry out buffer-overflow attacks.

The following specific issues were identified:

- Multiple buffer overflow vulnerabilities. A successful attack may allow the attacker to execute arbitrary code on a vulnerable computer and gain unauthorized access in the context of the server. A denial-of-service condition may arise as well.

- A directory-traversal vulnerability. A successful attack may allow the attacker to access arbitrary files (if the server has permissions to access the file).

These issues have been confirmed on TFTP Server 2000 Evaluation Version 1.0.0.1. Other versions may be affected as well.

77. pi3Web ISAPI Directory Remote Denial Of Service Vulnerability
BugTraq ID: 32287
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32287
Summary:
pi3Web is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to cause the server to become unresponsive, denying access to legitimate users.

This issue affects pi3Web 2.0.3.

78. Sun Solaris RPC Request Denial of Service Vulnerability
BugTraq ID: 21964
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/21964
Summary:
The Solaris operating system is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the 'rpcbind(1M)' server, denying service to legitimate users.

79. NOS Microsystems getPlus Download Manager ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 32105
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32105
Summary:
NOS Microsystems getPlus Download Manager ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

The following applications use the getPlus Download Manager:

Adobe Acrobat Professional
Adobe Acrobat Reader

getPlus Download Manager 1.2.2.50 is vulnerable; other versions may also be affected.

80. NOS Microsystems getPlus Download Manager Unauthorized Access Vulnerability
BugTraq ID: 32103
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32103
Summary:
NOS Microsystems getPlus Download Manager is prone to a security vulnerability that may allow unauthorized modifications of internet options on affected computers.

Successfully exploiting this issue may allow attackers to modify internet configuration settings, which may lead to other attacks.

The following applications use the getPlus Download Manager:

Adobe Acrobat Professional
Adobe Acrobat Reader

81. Jamit Job Board 'index.php' SQL Injection Vulnerability
BugTraq ID: 32478
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32478
Summary:
Jamit Job Board is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Jamit Job Board 3.4.6 are vulnerable.

82. Lynx URI Handlers Arbitrary Command Execution Vulnerability
BugTraq ID: 15395
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/15395
Summary:
Lynx is prone to a vulnerability that lets attackers execute arbitrary commands. This issue occurs because the application fails to properly sanitize user-supplied input.

A remote attacker can exploit this vulnerability by tricking a victim user into following a malicious link, thus enabling the attacker to execute arbitrary commands in the context of the victim user.

UPDATE (October 27, 2008): The fix for this issue did not disable the 'lynxcgi' handler when in 'advanced' mode. This may still be an issue if Lynx is called from the command line.

83. Samba Arbitrary Memory Contents Information Disclosure Vulnerability
BugTraq ID: 32494
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32494
Summary:
Samba is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain arbitrary memory contents.

This issue affects Samba 3.0.29 up to and including 3.2.4.

84. Net-SNMP GETBULK Remote Denial of Service Vulnerability
BugTraq ID: 32020
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32020
Summary:
Net-SNMP is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.

This issue affects versions *prior to* the following:

Net-SNMP 5.2.5.1
Net-SNMP 5.3.2.3
Net-SNMP 5.4.2.1

85. Net-SNMP Remote Authentication Bypass Vulnerability
BugTraq ID: 29623
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/29623
Summary:
Net-SNMP is prone to a remote authentication-bypass vulnerability caused by a design error.

Successfully exploiting this issue will allow attackers to gain unauthorized access to the affected application.

Net-SNMP 5.4.1, 5.3.2, 5.2.4, and prior versions are vulnerable.

86. Net-SNMP Perl Module Buffer Overflow Vulnerability
BugTraq ID: 29212
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/29212
Summary:
Net-SNMP is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of applications using the affected Net-SNMP Perl module. Failed exploit attempts will likely cause denial-of-service conditions.

This issue affects Net-SNMP 5.4.1, 5.2.4, and 5.1.4; other versions may also be vulnerable.

87. AWStats 'awstats.pl' Cross-Site Scripting Vulnerability
BugTraq ID: 30730
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30730
Summary:
AWStats is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

AWStats 6.8 is vulnerable; other versions may also be affected.

88. Adobe Acrobat and Reader 8.1.2 Multiple Security Vulnerabilities
BugTraq ID: 32100
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32100
Summary:
Adobe Acrobat and Reader are prone to multiple security vulnerabilities:

1. Multiple remote code-execution vulnerabilities.
2. A privilege-escalation vulnerability affecting computers running Unix-like operating systems.
3. An input-validation issue in a JavaScript method may lead to remote code execution.

Attackers can exploit these issues to execute arbitrary code, elevate privileges, or cause a denial-of-service condition.

89. Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability
BugTraq ID: 30035
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/30035
Summary:
Adobe Reader is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.

90. Adobe Acrobat Reader Unspecified Remote Denial Of Service Vulnerability
BugTraq ID: 29420
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/29420
Summary:
Acrobat Reader is prone to a remote denial-of-service vulnerability. The cause of this issue is unknown.

Exploiting this issue allows remote attackers to crash the application and trigger denial-of-service conditions, denying further service to legitimate users. Given the nature of this issue, code execution may be possible, but this has not been confirmed.

91. ASPApps.com Template Creature 'media_level.asp' SQL Injection Vulnerability
BugTraq ID: 32641
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32641
Summary:
ASPApps.com Template Creature is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

92. Joomla! and Mambo Mydyngallery Component 'directory' Parameter SQL Injection Vulnerability
BugTraq ID: 32639
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32639
Summary:
Mydyngallery is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied input.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

93. Linux Kernel 'parisc_show_stack()' Local Denial of Service Vulnerability
BugTraq ID: 32636
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32636
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this issue to crash the affected computer, denying service to legitimate users.

Versions prior to Linux kernel 2.6.28-rc7 are vulnerable. Note that this issue applies to PA-RISC 32-bit and 64-bit architectures.

94. PHPSTREET Webboard 'show.php' SQL Injection Vulnerability
BugTraq ID: 32635
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32635
Summary:
PHPSTREET Webboard is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
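
The three SQL-injection entries above (91, 92 and 94) all describe the same defect: a request parameter spliced into the text of an SQL statement. The following Python/SQLite program is an added illustration of that defect and of the parameterised fix; it is not code from Template Creature, Mydyngallery or PHPSTREET Webboard. The table, rows and attacker inputs are constructed for the example, and a gallery lookup keyed by a 'directory' value stands in for the affected scripts' lookups.

```python
"""String-built SQL beside bound parameters, on a constructed SQLite table."""
import sqlite3
from typing import List, Tuple

# Constructed sample data for a gallery lookup keyed by a request parameter,
# standing in for the 'media_level' / 'directory' style lookups in the advisories.
ROWS = [
    ("holiday", 0, "public"),
    ("family", 0, "public"),
    ("vault", 1, "hash$constructed$admin"),  # private row the query must never return
]

# Constructed attacker inputs for the parameter.
PAYLOAD_TAUTOLOGY = "holiday' OR '1'='1' --"
PAYLOAD_UNION = "x' UNION SELECT name, sql FROM sqlite_master --"


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gallery (directory TEXT, private INTEGER, owner_hash TEXT)"
    )
    conn.executemany("INSERT INTO gallery VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, directory: str) -> List[Tuple[str, str]]:
    """Vulnerable on purpose: the parameter becomes part of the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT directory, owner_hash FROM gallery "
        f"WHERE directory = '{directory}' AND private = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, directory: str) -> List[Tuple[str, str]]:
    """Fixed: the driver binds the value; quotes and comment markers in it stay data."""
    sql = "SELECT directory, owner_hash FROM gallery WHERE directory = ? AND private = 0"
    return conn.execute(sql, (directory,)).fetchall()


def compare(directory: str) -> dict:
    """Run the same input through both lookups and report what each returned."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, directory),
        "fixed": lookup_fixed(conn, directory),
    }


if __name__ == "__main__":
    for inp in ("holiday", PAYLOAD_TAUTOLOGY, PAYLOAD_UNION):
        out = compare(inp)
        print(f"input {inp!r}")
        print("  vulnerable ->", out["vulnerable"])
        print("  fixed      ->", out["fixed"])
```

The tautology input makes the vulnerable query return every row, including the private one the `private = 0` filter was meant to hide, because the `--` turns that filter into a comment. The UNION input shows the "access data" and "latent database vulnerabilities" consequences the advisories mention: it pulls the schema out of `sqlite_master`, the same technique that would target information_schema on other engines. The bound-parameter version returns nothing for either payload, since the whole string is compared as a literal directory name.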

95. Microsoft December 2008 Advance Notification Multiple Vulnerabilities
BugTraq ID: 32632
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32632
Summary:
Microsoft has released advance notification that the vendor will be releasing eight security bulletins on December 9, 2008. The highest severity rating for these issues is 'Critical'.

Successfully exploiting these issues may allow remote or local attackers to compromise affected computers.

Individual records will be created for the issues when the bulletins are released.

96. ccTiddly 'cct_base' Parameter Multiple Remote File Include Vulnerabilities
BugTraq ID: 32631
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32631
Summary:
ccTiddly is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

ccTiddly 1.7.4 is vulnerable; other versions may also be affected.

97. RSyslog '$AllowedSender' Configuration Directive Security Bypass Vulnerability
BugTraq ID: 32630
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32630
Summary:
RSyslog is prone to a security-bypass vulnerability because of an error in the daemon's ACL (Access Control List) handling.

Attackers can exploit this issue to bypass ACL restrictions that limit which hosts may send messages to the daemon. Successful exploits can result in misleading log entries or denial-of-service conditions. Other attacks may also be possible.

98. Ubuntu Privacy Remix S/ATA-Disks Security Bypass Vulnerability
BugTraq ID: 32629
Remote: No
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32629
Summary:
Ubuntu Privacy Remix (UPR) is prone to a security-bypass vulnerability that may allow attackers to modify the operating system.

Local attackers can exploit this issue to mount S-ATA or ATA disks on the affected computer. This bypasses the privacy mechanism of the live CD, which is intended to prevent the system from using the computer's local disks. Successfully exploiting this issue may compromise the privacy of users.

Versions prior to Ubuntu Privacy Remix 8.04 r1 are vulnerable.

99. Orb Networks Orb Unspecified Remote Denial Of Service Vulnerability
BugTraq ID: 32628
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32628
Summary:
Orb Networks Orb is prone to a remote denial-of-service vulnerability. The cause of this issue is unknown.

Exploiting this issue allows remote attackers to crash the application and trigger denial-of-service conditions, denying further service to legitimate users. Given the nature of this issue, code execution may be possible, but this has not been confirmed.

100. PHP ZipArchive::extractTo() '.zip' Files Directory Traversal Vulnerability
BugTraq ID: 32625
Remote: Yes
Last Updated: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32625
Summary:
PHP is prone to a directory-traversal vulnerability because the 'ZipArchive::extractTo()' method fails to adequately sanitize the member file names contained in a '.zip' archive before writing them beneath the destination directory.

A successful attack may allow an attacker to create or overwrite arbitrary files on the system. This may allow execution of arbitrary script code in the context of the webserver.

PHP 5.2.6 and prior versions are vulnerable.
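
The defect in entry 100 is the one usually called "zip slip": an archive member named with `..` components (or an absolute path) is joined to the extraction directory and written wherever the joined path lands. The program below is an added example in Python, not PHP's ZipArchive code, showing the flawed join step beside an extractor that resolves every member path and refuses any that does not stay inside the destination. The archive, its member names and the temporary directory layout are constructed for the example.

```python
"""Zip-slip (directory traversal) during archive extraction, and the
containment check that stops it."""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign member, one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        # The member name is attacker-controlled; this one climbs two levels up.
        zf.writestr("../../evil.php", "<?php echo 'owned'; ?>\n")
    return buf.getvalue()


def naive_target(dest: Path, member: str) -> Path:
    """Where an extractor without a containment check would write `member`.

    This is the flawed step: joining and normalising is all that happens, so
    '..' components and absolute names select paths outside `dest`.
    """
    return Path(os.path.normpath(os.path.join(str(dest), member)))


def is_within(dest: Path, target: Path) -> bool:
    """True if `target` is `dest` or lies below it after symlink resolution.

    Resolving also catches a symlink planted earlier in the same archive that
    points out of `dest`; a plain string-prefix comparison would miss it.
    """
    dest_r = dest.resolve()
    target_r = target.resolve()
    return target_r == dest_r or dest_r in target_r.parents


def safe_extract(archive: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only members whose final path stays inside `dest`.

    Returns (extracted names, rejected names) so callers can log the latter.
    """
    extracted: list[str] = []
    rejected: list[str] = []
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = naive_target(dest, name)
            if os.path.isabs(name) or not is_within(dest, target):
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo() -> dict:
    """Run both paths on the constructed archive inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "a" / "b" / "extract"
        dest.mkdir(parents=True)
        extracted, rejected = safe_extract(build_malicious_zip(), dest)
        escaped = naive_target(dest, "../../evil.php")
        return {
            "extracted": extracted,
            "rejected": rejected,
            "readme": (dest / "docs" / "readme.txt").read_text(),
            # Without the check the second member would land two levels up, outside dest.
            "naive_escapes": not is_within(dest, escaped),
            "naive_lands_two_levels_up": escaped == Path(tmp) / "a" / "evil.php",
            "evil_written": (Path(tmp) / "a" / "evil.php").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check has to run on the fully resolved path, not on the raw member name: stripping leading `../` sequences is not enough once a directory inside the destination is a symlink, and comparing string prefixes would accept `/var/www/html-evil` as being under `/var/www/html`. Python's own `ZipFile.extractall()` has performed a containment check of this kind since 3.3.1, which is why the example writes members itself rather than calling it.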

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Microsoft hopes free security means less malware
By: Robert Lemos
The software giant says shutting down Windows Live OneCare to release the software as a free tool could make consumers more secure.
http://www.securityfocus.com/news/11538

2. Researchers find more flaws in wireless security
By: Robert Lemos
Two security experts plan to show a limited attack against the popular Wi-Fi Protected Access (WPA) -- a replacement for insecure WEP -- at a conference in Tokyo.
http://www.securityfocus.com/news/11537

3. Secure hash competition kicks off
By: Robert Lemos
Dozens of amateur and professional cryptographers have joined the United States' first open competition for creating an uncrackable algorithm for generating hashes -- the digital fingerprints widely used in a variety of security functions.
http://www.securityfocus.com/news/11536

4. You don't know (click)jack
By: Robert Lemos
Security professionals Robert "RSnake" Hansen and Jeremiah Grossman discuss a class of attacks, known as clickjacking, on user interfaces of Web browsers.
http://www.securityfocus.com/news/11535

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
1. incidents from history
http://www.securityfocus.com/archive/75/498797

VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #421
http://www.securityfocus.com/archive/88/498758

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject and message body do not matter. You will receive a confirmation request message to which you must reply. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be removed manually.

XI. SPONSOR INFORMATION
------------------------
This issue is Sponsored by Verisign
