Saturday, December 27, 2008

SecurityFocus Newsletter #483
----------------------------------------

This issue is sponsored by Purewire

NEW! White Paper:
"Hackers Announce Open Season on Web 2.0 Users and Browsers"

Learn how hackers are exploiting your employees' Web surfing to gain entry into your network. Drive-by downloads, clickjacking, AJAX, XSS and browser vulnerabilities are just some of the nasty attack methods hackers are coming up with, and it's no longer good enough to block known bad URLs.
Download this white paper now to mitigate your online security risks.
http://www.purewire.com/lp/sec


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1.Time to Exclude Bad ISPs
2.Standing on Other's Shoulders
II. BUGTRAQ SUMMARY
1. Sun Solaris IP Tunnel Param Local Code Execution Vulnerability
2. Sun Solaris IPv4 Forwarding Denial of Service Vulnerability
3. Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities
4. Avahi Multicast DNS Denial Of Service Vulnerability
5. PCRE Regular Expression Heap Based Buffer Overflow Vulnerability
6. PHP 'rfc822_write_address()' Function Buffer Overflow Vulnerability
7. PHP FastCGI Module File Extension Denial Of Service Vulnerabilities
8. PHP 'mbstring' Extension Buffer Overflow Vulnerability
9. PHP Multiple Buffer Overflow Vulnerabilities
10. Multiple Vendor FTP Server Long Command Handling Security Vulnerability
11. CUPS 'pstopdf' Insecure Temporary File Creation Vulnerability
12. chuggnutt.com HTML to Plain Text Conversion Remote Code Execution Vulnerability
13. W2B phpGreetCards 'category' Parameter Cross Site Scripting Vulnerability
14. W2B phpEmployment 'auth.php' Arbitrary File Upload Vulnerability
15. W2B phpAdBoard 'index.php' Arbitrary File Upload Vulnerability
16. W2B phpGreetCards 'index.php' Arbitrary File Upload Vulnerability
17. Getleft HTML Tags Multiple Buffer Overflow Vulnerabilities
18. stormBoards 'thread.php' SQL Injection Vulnerability
19. AIST Netcat 3.1.2 Multiple Input Validation Vulnerabilities
20. PGP Desktop 'PGPweded.sys' Local Denial of Service Vulnerability
21. AIST NetCat 'password_recovery.php' SQL Injection Vulnerability
22. PHP Link Directory 'page.php' SQL Injection Vulnerability
23. Mozilla Firefox 'location.hash' Remote Denial of Service Vulnerability
24. Psi Malformed Packet Remote Denial of Service Vulnerability
25. TYPO3 TU-Clausthal ODIN Extension Unspecified SQL Injection Vulnerability
26. Linux Kernel 'qdisc_run()' Local Denial of Service Vulnerability
27. phpPgAdmin '_language' Parameter Local File Include Vulnerability
28. phpPgAdmin SQLEDIT.PHP Cross Site Scripting Vulnerability
29. phpPgAdmin Redirect.PHP Cross Site Scripting Vulnerability
30. Xajax Unspecified Cross-Site Scripting Vulnerability
31. IntelliTamper 'MAP' File Buffer Overflow Vulnerability
32. SPIP 'rubriques.php' SQL Injection Vulnerability
33. KDE Konqueror HTML Color Attribute Denial of Service Vulnerability
34. Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer Overflow Vulnerability
35. Xen XenStore Domain Configuration Data Unsafe Storage Vulnerability
36. FreeBSD netgraph and bluetooth Local Privilege Escalation Vulnerabilities
37. QEMU Multiple Local Vulnerabilities
38. Qemu and KVM VNC Server Remote Denial of Service Vulnerability
39. Linux Kernel 'sendmsg()' Local Denial of Service Vulnerability
40. Linux Kernel 'net/atm/proc.c' Local Denial of Service Vulnerability
41. MediaWiki Cross Site Scripting And Multiple HTML Injection Vulnerabilities
42. Apache Tomcat Cookie Quote Handling Remote Information Disclosure Vulnerability
43. Trend Micro HouseCall ActiveX Control Library File Remote Code Execution Vulnerability
44. Joomla HBS Multiple Components 'showhoteldetails' SQL Injection Vulnerability
45. Google Chrome 'chromeHTML://' Command Line Parameter Injection Vulnerability
46. Trend Micro HouseCall ActiveX Control Remote Code Execution Vulnerability
47. Microsoft SQL Server 'sp_replwritetovarbin' Remote Memory Corruption Vulnerability
48. PHP-Fusion TI Blog System Module 'blog.php' SQL Injection Vulnerability
49. Microsoft Windows Media Player WAV/MID/SND File Parsing Integer Overflow Vulnerability
50. Personal Sticky Threads vBulletin Addon Unauthorized Access Vulnerability
51. SapporoWorks BlackJumboDog Web Server Unspecified Authentication Bypass Vulnerability
52. Mayaa Default Error Page Cross-Site Scripting Vulnerability
53. Internet Explorer 'chromeHTML://' Command Line Parameter Injection Vulnerability
54. PHP-Fusion 'submit.php' SQL Injection Vulnerability
55. Adobe Flash Player Unspecified Remote Security Vulnerability
56. Citrix Broadcast Server 'login.asp' SQL Injection Vulnerability
57. Linux Kernel MIPS Untrusted User Application Local Denial of Service Vulnerability
58. F-PROT Antivirus for Linux ELF File Scanning Denial of Service Vulnerability
59. GpsDrive Multiple Insecure Temporary File Creation Vulnerabilities
60. Verlihub Trigger Remote Command Execution Vulnerability
61. Verlihub Insecure Temporary File Creation Vulnerability
62. Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability
63. Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
64. Sun Solaris OpenSSL 'PKCS#11' Engine Remote Denial Of Service Vulnerability
65. OpenSSH CBC Mode Information Disclosure Vulnerability
66. Sun Solaris 'libICE' Unspecified Denial of Service Vulnerability
67. Sun Solaris Kerberos Remote Denial Of Service Vulnerability
68. Perl 'rmdir()' Local Race Condition Privilege Escalation Vulnerability
69. MPlayer TwinVQ Handling Stack Buffer Overflow Vulnerability
70. Perl Archive::Tar Module Remote Directory Traversal Vulnerability
71. Perl Unicode '\Q...\E' Quoting Construct Regular Expression Buffer Overflow Vulnerability
72. VLC Media Player Multiple Stack Based Buffer Overflow Vulnerabilities
73. VLC Media Player Real demuxer Heap Buffer Overflow Vulnerability
74. Sun SNMP Management Agent Insecure Temporary File Creation Vulnerability
75. bloofoxCMS 'dialog.php' Local File Include Vulnerability
76. Acoustica Mixcraft '.mx4' Project File Buffer Overflow Vulnerability
77. SAWStudio '.prf' File Buffer Overflow Vulnerability
78. Joomla! LiveTicker 'tid' Parameter SQL Injection Vulnerability
79. mDigg Component for Joomla! 'category' Parameter SQL Injection Vulnerability
80. Joomla! Ice Gallery Component 'catid' Parameter SQL Injection Vulnerability
81. BulletProof FTP Client Bookmark File Heap Buffer Overflow Vulnerability
82. ILIAS 'repository.php' SQL Injection Vulnerability
83. doop Administration Page Arbitrary File Upload Vulnerability
84. PHP 'imageRotate()' Uninitialized Memory Information Disclosure Vulnerability
85. 'imlib2' Library 'load()' Function Buffer Overflow Vulnerability
86. Ampache Insecure Temporary File Creation Vulnerability
87. ClamAV 'cli_check_jpeg_exploit' Function Malformed JPEG File Remote Denial Of Service Vulnerability
88. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
89. Novell Netware ApacheAdmin Security Bypass Vulnerability
90. WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability
91. Sun Fire Servers IP Spoofing Security Bypass Vulnerability
92. OpenOffice WMF and EMF File Handling Multiple Heap Based Buffer Overflow Vulnerabilities
93. OpenOffice 'senddoc' Insecure Temporary File Creation Vulnerability
94. WFTPD Server Multiple Buffer Overflow Vulnerabilities
95. ACLogic CesarFTP Multiple Commands Remote Buffer Overflow Vulnerability
96. GNU Enscript 'src/psgen.c' Stack Based Buffer Overflow Vulnerability
97. Microsoft Works 7 'WkImgSrv.dll' ActiveX Control Remote Code Execution Vulnerability
98. Nagios Web Interface Privilege Escalation Vulnerability
99. phpMyAdmin 'table' Parameter SQL Injection Vulnerability
100. Git gitweb 'diff.external' Local Privilege Escalation Vulnerability
III. SECURITYFOCUS NEWS
1. Commission calls for cybersecurity czar
2. Microsoft hopes free security means less malware
3. Researchers find more flaws in wireless security
4. Secure hash competition kicks off
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Time to Exclude Bad ISPs
By Oliver Day
In recent months, three questionable Internet service providers - EstDomains, Atrivo, and McColo - were effectively taken offline, resulting in noticeable drops in malware and spam.
http://www.securityfocus.com/columnists/487

2. Standing on Other's Shoulders
By Chris Wysopal
"If I have seen a little further it is by standing on the shoulders of Giants," Isaac Newton once wrote to describe how he felt that his scientific work was an extension of the work of those who went before him. In the scientific realm it is dishonorable not to credit those upon whose work you build.
http://www.securityfocus.com/columnists/486


II. BUGTRAQ SUMMARY
--------------------
1. Sun Solaris IP Tunnel Param Local Code Execution Vulnerability
BugTraq ID: 32904
Remote: No
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/32904
Summary:
Sun Solaris is prone to a local code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code within the context of the kernel on x86 systems. Successful exploits may completely compromise the vulnerable system.

On all architectures, attackers can exploit this issue to create a denial-of-service condition.

This issue affects the following on both x86 and SPARC platforms:

Solaris 10
OpenSolaris based on builds snv_01 through snv_76

2. Sun Solaris IPv4 Forwarding Denial of Service Vulnerability
BugTraq ID: 32861
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/32861
Summary:
Sun Solaris is prone to a denial-of-service vulnerability.

A remote attacker can exploit this issue to panic the system, denying service to legitimate users.

The following versions are affected:

Solaris 10 with patch 120011-14 (SPARC) or 120012-14 (x86)
OpenSolaris based on builds snv_47 through snv_82

3. Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities
BugTraq ID: 32608
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32608
Summary:
Sun Java Runtime Environment and Java Development Kit are prone to multiple security vulnerabilities.

Successful exploits may allow attackers to violate the same-origin policy, obtain sensitive information, bypass security restrictions, run untrusted applets with elevated privileges, and cause denial-of-service conditions. This may result in a compromise of affected computers.

These issues are addressed in the following releases; earlier versions are vulnerable:

JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19
SDK and JRE 1.3.1_24

4. Avahi Multicast DNS Denial Of Service Vulnerability
BugTraq ID: 32825
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32825
Summary:
Avahi is prone to a denial-of-service vulnerability when processing multicast DNS data.

A remote attacker may exploit this issue to terminate the application, denying further service to legitimate users.

Versions prior to 0.6.24 are vulnerable to this issue.

5. PCRE Regular Expression Heap Based Buffer Overflow Vulnerability
BugTraq ID: 30087
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/30087
Summary:
PCRE is prone to a heap-based buffer-overflow vulnerability because the library fails to properly handle user-supplied input before copying data to an internal memory buffer.

The impact of successful exploits of this vulnerability depends on the application and the privileges of the user running the vulnerable library. A successful attack may ultimately permit an attacker to control the contents of critical memory control structures and write arbitrary data to arbitrary memory locations. This may allow the attacker to execute arbitrary code in the context of the application using the vulnerable library.

Versions up to and including PCRE 7.7 are vulnerable.

6. PHP 'rfc822_write_address()' Function Buffer Overflow Vulnerability
BugTraq ID: 29829
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/29829
Summary:
PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.

An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

PHP 5.2.6 and prior versions are vulnerable.

7. PHP FastCGI Module File Extension Denial Of Service Vulnerabilities
BugTraq ID: 31612
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/31612
Summary:
PHP is prone to a denial-of-service vulnerability because the application fails to handle certain file requests.

Attackers can exploit this issue to crash the affected application, denying service to legitimate users.

PHP 4.4 prior to 4.4.9 and PHP 5.2 through 5.2.6 are vulnerable.

8. PHP 'mbstring' Extension Buffer Overflow Vulnerability
BugTraq ID: 32948
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32948
Summary:
PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the 'mbstring' extension included in the standard distribution.

An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.

PHP versions 4.3.0 up to and including 5.2.6 are vulnerable.

9. PHP Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 30649
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/30649
Summary:
PHP is prone to multiple buffer-overflow vulnerabilities.

Successful exploits may allow attackers to execute arbitrary code in the context of applications using the vulnerable PHP functions. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition.

Versions prior to PHP 4.4.9 and PHP 5.2.8 are vulnerable.

10. Multiple Vendor FTP Server Long Command Handling Security Vulnerability
BugTraq ID: 31289
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/31289
Summary:
FTP servers by multiple vendors are prone to a security vulnerability that allows attackers to perform cross-site request-forgery attacks.

Successful exploits can run arbitrary FTP commands on the server in the context of an unsuspecting user's session. This may lead to further attacks.

11. CUPS 'pstopdf' Insecure Temporary File Creation Vulnerability
BugTraq ID: 32745
Remote: No
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32745
Summary:
CUPS creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible. Please note that under certain circumstances attackers may be able to write controlled content to arbitrary files. This will likely result in other attacks.

CUPS 1.3.8 is vulnerable; other versions may also be affected.
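The entry above, like the Verlihub, GpsDrive, Sun SNMP agent, Ampache and OpenOffice 'senddoc' entries later in this issue, describes the same weakness: a temporary file created under a predictable name in a shared directory, which a local attacker can pre-empt with a symbolic link. The following is an added illustration, not CUPS code: it plants such a link, shows the naive writer clobbering the link's target, and shows the open() flags and mkstemp() pattern that prevent it. The 'pstopdf.tmp' name, the victim file and the directory are constructed for the demo; the advisory does not give the real filter's temp path or the exact defect.

```python
"""Added illustration (not CUPS code): predictable temp-file name vs. a
pre-planted symlink, and the hardened alternatives. All paths constructed
for the demo; they are not the real 'pstopdf' paths."""
import errno
import os
import shutil
import tempfile

ORIGINAL = b"original contents\n"
ATTACKER = b"attacker-chosen contents\n"


def insecure_write(path, data):
    # Vulnerable pattern: open() follows a symlink sitting at the predictable
    # name and truncates whatever the link points to.
    with open(path, "wb") as f:
        f.write(data)


def secure_write(path, data):
    # Hardened: O_EXCL makes creation fail if the name already exists (a
    # planted symlink included); O_NOFOLLOW additionally refuses to traverse a
    # link where the platform supports it. Mode 0o600 keeps other users out.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo():
    """Plant a symlink at the guessable name, then run both writers.
    Returns booleans describing what happened to the victim file."""
    base = tempfile.mkdtemp()
    try:
        victim = os.path.join(base, "victim.conf")
        guessable = os.path.join(base, "pstopdf.tmp")  # attacker can predict this
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        os.symlink(victim, guessable)  # the attacker's pre-planted link

        insecure_write(guessable, ATTACKER)
        with open(victim, "rb") as f:
            clobbered = f.read() == ATTACKER

        with open(victim, "wb") as f:  # restore the victim, keep the symlink
            f.write(ORIGINAL)
        refused = False
        try:
            secure_write(guessable, ATTACKER)
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim, "rb") as f:
            intact = f.read() == ORIGINAL

        # The proper fix: let the OS pick an unpredictable name atomically
        # (mkstemp opens with O_CREAT|O_EXCL internally).
        fd, safe_path = tempfile.mkstemp(dir=base)
        os.close(fd)
        unique = os.path.isfile(safe_path) and not os.path.islink(safe_path)
    finally:
        shutil.rmtree(base)

    return {
        "insecure_clobbered_victim": clobbered,
        "secure_refused_symlink": refused,
        "victim_intact_after_secure": intact,
        "mkstemp_created_unique_file": unique,
    }


if __name__ == "__main__":
    print(demo())
```

Run it on a POSIX system: the insecure writer overwrites victim.conf through the link, the O_EXCL writer fails with EEXIST and leaves the victim untouched, and mkstemp() produces a name the attacker could not have planted in advance. The same fix applies to every temp-file entry in this issue: never open a caller-predictable name without O_EXCL, or better, do not choose the name yourself at all.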

12. chuggnutt.com HTML to Plain Text Conversion Remote Code Execution Vulnerability
BugTraq ID: 32799
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32799
Summary:
The HTML to Plain Text Conversion class from chuggnutt.com is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to inject and execute malicious server-side script in the context of the application using the vulnerable class. Successful exploits will compromise the affected application and possibly the underlying computer.

The issue affects version 1.0 of the class; other versions may also be affected.

Note that this issue was initially reported in Roundcube Webmail. Roundcube Webmail 0.2-1 alpha, 0.2-2 beta, and possibly other versions are vulnerable because they use the vulnerable HTML to Plain Text Conversion class.

13. W2B phpGreetCards 'category' Parameter Cross Site Scripting Vulnerability
BugTraq ID: 33001
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/33001
Summary:
W2B phpGreetCards is prone to a cross-site scripting vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.

phpGreetCards 3.7 is vulnerable; other versions may also be affected.

14. W2B phpEmployment 'auth.php' Arbitrary File Upload Vulnerability
BugTraq ID: 33000
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/33000
Summary:
W2B phpEmployment is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

phpEmployment 1.8 is vulnerable; other versions may also be affected.

15. W2B phpAdBoard 'index.php' Arbitrary File Upload Vulnerability
BugTraq ID: 32998
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32998
Summary:
W2B phpAdBoard is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

phpAdBoard 1.8 is vulnerable; other versions may also be affected.

16. W2B phpGreetCards 'index.php' Arbitrary File Upload Vulnerability
BugTraq ID: 32995
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32995
Summary:
W2B phpGreetCards is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

phpGreetCards 3.7 is vulnerable; other versions may also be affected.
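The three W2B entries above (phpEmployment 'auth.php', phpAdBoard 'index.php', phpGreetCards 'index.php') share one failure: an upload handler that lets the client decide what gets written under the web root. The following is an added illustration, not W2B code, of the checks such a handler needs before storing a file. The allow-list, the magic-byte table, the storage directory and the sample uploads are constructed for the demo; the advisory does not say which of these checks the W2B products actually lack.

```python
"""Added illustration (not W2B code): naive upload target vs. an upload
handler that validates extension and content and never reuses the client's
filename. Allow-list, magic bytes and UPLOAD_DIR are constructed."""
import os
import secrets

# Constructed allow-list: accepted extension -> leading bytes the content must carry.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
UPLOAD_DIR = "/var/uploads-noexec"  # assumed: outside the web root, scripts not executed


def vulnerable_target(filename):
    # Vulnerable pattern: the client's filename is used as-is under the web
    # root, so 'shell.php' is stored as a script the server will execute.
    return os.path.join("uploads", filename)


def safe_target(filename, content):
    """Return a server-chosen path for an acceptable upload, or None to reject it."""
    # 1. Drop any directory components the client sent (../ or Windows paths).
    base = os.path.basename(filename.replace("\\", "/"))
    # 2. Judge only the final extension, case-insensitively, against the allow-list;
    #    'shell.php' and 'shell.PHP' are rejected here.
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return None
    # 3. The content must match the claimed type; PHP source in a '.jpg' is rejected.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None
    # 4. Never reuse the client's name: random name, server-fixed extension,
    #    stored in a directory the webserver will not execute from.
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
```

Storing outside the web root (step 4) is the control that still holds if a check in steps 1 to 3 is later found to be bypassable; serving the files back through a handler that sets Content-Type from the server-side record rather than from the stored name closes the remaining gap.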

17. Getleft HTML Tags Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 32994
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32994
Summary:
Getleft is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Getleft 1.2 is vulnerable; other versions may also be affected.

18. stormBoards 'thread.php' SQL Injection Vulnerability
BugTraq ID: 32993
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32993
Summary:
stormBoards is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

stormBoards 1.0.1 is vulnerable; other versions may also be affected.

19. AIST Netcat 3.1.2 Multiple Input Validation Vulnerabilities
BugTraq ID: 32992
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32992
Summary:
AIST Netcat is prone to multiple input-validation vulnerabilities, including:

Multiple local file-include vulnerabilities
Multiple cross-site scripting vulnerabilities
Multiple HTTP response-splitting vulnerabilities
A CRLF injection vulnerability

Attackers can exploit these issues to compromise the affected application, misrepresent how web content is served, cached, or interpreted, execute arbitrary script code and PHP code within the context of the webserver process, and gain access to sensitive information. Other attacks are also possible.

AIST Netcat 3.1.2 is vulnerable; other versions may also be affected.

20. PGP Desktop 'PGPweded.sys' Local Denial of Service Vulnerability
BugTraq ID: 32991
Remote: No
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32991
Summary:
PGP Desktop is prone to a local denial-of-service vulnerability that occurs in the 'PGPweded.sys' driver.

A local attacker can exploit this issue to crash the affected computer, resulting in a denial-of-service condition. It may be possible to leverage this issue to execute arbitrary code with SYSTEM-level privileges; however, this has not been confirmed.

PGP Desktop 9.0.6 build 6060 is vulnerable; other versions may also be affected.

21. AIST NetCat 'password_recovery.php' SQL Injection Vulnerability
BugTraq ID: 32990
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32990
Summary:
AIST NetCat is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NetCat 3.12 is vulnerable; other versions may also be affected.

22. PHP Link Directory 'page.php' SQL Injection Vulnerability
BugTraq ID: 32989
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32989
Summary:
PHP Link Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Link Directory 3.3 is vulnerable; other versions may also be affected.

23. Mozilla Firefox 'location.hash' Remote Denial of Service Vulnerability
BugTraq ID: 32988
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32988
Summary:
Mozilla Firefox is prone to a remote denial-of-service vulnerability.

Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed.

Firefox 3.0.5 is vulnerable; other versions may also be affected.

24. Psi Malformed Packet Remote Denial of Service Vulnerability
BugTraq ID: 32987
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32987
Summary:
Psi is prone to a remote denial-of-service vulnerability.

Exploiting this issue may allow attackers to cause the application to crash, denying service to legitimate users.

This issue affects Psi 0.12; other versions may also be vulnerable.

25. TYPO3 TU-Clausthal ODIN Extension Unspecified SQL Injection Vulnerability
BugTraq ID: 32986
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32986
Summary:
TYPO3 TU-Clausthal ODIN ('tuc_odin') extension is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

26. Linux Kernel 'qdisc_run()' Local Denial of Service Vulnerability
BugTraq ID: 32985
Remote: No
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32985
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Local attackers can exploit this issue to cause a soft lockup, denying service to legitimate users.

Versions prior to Linux kernel 2.6.25 are vulnerable.

27. phpPgAdmin '_language' Parameter Local File Include Vulnerability
BugTraq ID: 32670
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/32670
Summary:
phpPgAdmin is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

The issue affects phpPgAdmin 4.2.1 and prior versions.

28. phpPgAdmin SQLEDIT.PHP Cross Site Scripting Vulnerability
BugTraq ID: 24115
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/24115
Summary:
phpPgAdmin is prone to a cross-site scripting vulnerability.

Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

phpPgAdmin 4.1.1 is reported vulnerable; other versions may also be affected.

29. phpPgAdmin Redirect.PHP Cross Site Scripting Vulnerability
BugTraq ID: 24182
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/24182
Summary:
phpPgAdmin is prone to a cross-site scripting vulnerability.

Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

30. Xajax Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 24006
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/24006
Summary:
Xajax is prone to an unspecified cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions of Xajax prior to 0.2.5.

31. IntelliTamper 'MAP' File Buffer Overflow Vulnerability
BugTraq ID: 33022
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/33022
Summary:
IntelliTamper is prone to a buffer-overflow vulnerability because the application fails to properly validate the size of attacker-supplied data before copying it into a finite-sized buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of applications that use IntelliTamper. Failed exploit attempts will likely crash the application, denying service to legitimate users.

IntelliTamper 2.07 and 2.08 are vulnerable; other versions may also be affected.

This issue may be related to the vulnerability covered in BID 18039 (IntelliTamper Map Files Buffer Overflow Vulnerability). This BID will be updated pending further investigation.

32. SPIP 'rubriques.php' SQL Injection Vulnerability
BugTraq ID: 33021
Remote: Yes
Last Updated: 2008-12-27
Relevant URL: http://www.securityfocus.com/bid/33021
Summary:
SPIP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
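The SQL-injection entries in this issue (stormBoards 'thread.php', AIST NetCat 'password_recovery.php', PHP Link Directory 'page.php', the TYPO3 'tuc_odin' extension, and SPIP 'rubriques.php' above) all reduce to the same defect: a request parameter spliced into the text of an SQL statement. The following is an added illustration, not code from any of those applications (which are PHP; Python with SQLite is used here so it runs stand-alone): the string-built query next to a parameterised one, executed against a constructed table so the difference is observable. The schema, rows and column names are made up for the demo.

```python
"""Added illustration (not code from any listed application): a query built
by string formatting vs. the same query with a bound parameter, run against
a constructed in-memory SQLite table."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO threads VALUES (?, ?, ?)",
        [(1, "public thread", 0), (2, "staff only", 1), (3, "deleted", 1)],
    )
    return conn


def vulnerable_lookup(conn, thread_id):
    # Vulnerable: the user-controlled value becomes part of the SQL text, so
    # the quoting and boolean structure of the WHERE clause are attacker-controlled.
    sql = "SELECT id, title FROM threads WHERE hidden = 0 AND id = '%s'" % thread_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, thread_id):
    # Hardened: the value travels as a bound parameter and can only ever be
    # compared against id; it cannot alter the statement.
    sql = "SELECT id, title FROM threads WHERE hidden = 0 AND id = ?"
    return conn.execute(sql, (thread_id,)).fetchall()


def demo():
    """Run both lookups with a benign id and with a tautology payload."""
    conn = make_db()
    benign = "1"
    payload = "1' OR '1'='1"  # closes the quote, appends an always-true clause
    return {
        "vuln_benign": vulnerable_lookup(conn, benign),
        "vuln_payload": vulnerable_lookup(conn, payload),
        "safe_benign": safe_lookup(conn, benign),
        "safe_payload": safe_lookup(conn, payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the payload, the vulnerable query's WHERE clause becomes `hidden = 0 AND id = '1' OR '1'='1'`, which returns every row including the hidden ones; the parameterised query compares the whole payload string against id and returns nothing. Escaping input is not the fix the entries call for; keeping data out of the statement text is.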

33. KDE Konqueror HTML Color Attribute Denial of Service Vulnerability
BugTraq ID: 31605
Remote: Yes
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/31605
Summary:
KDE Konqueror is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted HTML tags.

An attacker may exploit this vulnerability to cause Konqueror to crash, resulting in denial-of-service conditions.

The issue affects Konqueror 3.5.9; other versions may also be affected.

34. Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer Overflow Vulnerability
BugTraq ID: 27756
Remote: Yes
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/27756
Summary:
Facebook Photo Uploader ActiveX control is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in denial-of-service conditions.

Image Uploader 4.5.57.0 is vulnerable; other versions may also be affected.

35. Xen XenStore Domain Configuration Data Unsafe Storage Vulnerability
BugTraq ID: 31499
Remote: No
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/31499
Summary:
Xen is prone to a vulnerability that results in configuration information being stored in a location that is writable by guest domains.

UPDATE (December 19, 2008): The initial proposed patches did not resolve this issue.

Xen 3.3 is vulnerable; other versions may also be affected.

36. FreeBSD netgraph and bluetooth Local Privilege Escalation Vulnerabilities
BugTraq ID: 32976
Remote: No
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/32976
Summary:
FreeBSD is prone to multiple local privilege-escalation vulnerabilities.

An attacker can exploit these vulnerabilities to run arbitrary code with elevated privileges.

All versions of FreeBSD are considered vulnerable.

37. QEMU Multiple Local Vulnerabilities
BugTraq ID: 23731
Remote: No
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/23731
Summary:
QEMU is prone to multiple locally exploitable buffer-overflow and denial-of-service vulnerabilities. The buffer-overflow issues occur because the software fails to properly check boundaries of user-supplied input when copying it to insufficiently sized memory buffers. The denial-of-service issues stem from design errors.

Attackers may be able to exploit these issues to escalate privileges, execute arbitrary code, or trigger denial-of-service conditions in the context of the affected applications.

38. Qemu and KVM VNC Server Remote Denial of Service Vulnerability
BugTraq ID: 32910
Remote: Yes
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/32910
Summary:
Qemu and KVM are prone to a remote denial-of-service vulnerability which affects the included VNC server.

Attackers can exploit this issue to create a denial-of-service condition.

The following are vulnerable to this issue:

Qemu 0.9.1 and prior.
KVM-79 and prior.

39. Linux Kernel 'sendmsg()' Local Denial of Service Vulnerability
BugTraq ID: 32516
Remote: No
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/32516
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to create a soft lockup of the vulnerable kernel or to invoke the 'oom-killer' kernel functionality, which may halt unrelated processes. This may result in a denial-of-service condition.

NOTE: This issue was either caused or revealed by the fix for BID 32154 (Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability).

The Linux kernel 2.6.27 and prior versions are affected.

40. Linux Kernel 'net/atm/proc.c' Local Denial of Service Vulnerability
BugTraq ID: 32676
Remote: No
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/32676
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause the Linux kernel to go into an infinite loop, which may cause a denial-of-service condition.

41. MediaWiki Cross Site Scripting And Multiple HTML Injection Vulnerabilities
BugTraq ID: 32844
Remote: Yes
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/32844
Summary:
MediaWiki is prone to a cross-site scripting vulnerability and multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

Versions prior to MediaWiki 1.13.3, 1.12.1, and 1.6.11 are vulnerable to these issues.

42. Apache Tomcat Cookie Quote Handling Remote Information Disclosure Vulnerability
BugTraq ID: 27706
Remote: Yes
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/27706
Summary:
Apache Tomcat is prone to an information-disclosure vulnerability because it fails to adequately sanitize user-supplied data.

Attackers can exploit this issue to access potentially sensitive data that may aid in further attacks.

Versions prior to Apache Tomcat 6.0.16 and 5.5.26 are vulnerable.

NOTE: This vulnerability is caused by an incomplete fix for BID 25316 - Apache Tomcat Multiple Remote Information Disclosure Vulnerabilities (CVE-2007-3385).

43. Trend Micro HouseCall ActiveX Control Library File Remote Code Execution Vulnerability
BugTraq ID: 32965
Remote: Yes
Last Updated: 2008-12-26
Relevant URL: http://www.securityfocus.com/bid/32965
Summary:
The Trend Micro HouseCall ActiveX control is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the affected ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

This issue affects HouseCall versions 6.51.0.1028 and 6.6.0.1278; other versions may be affected as well.

44. Joomla HBS Multiple Components 'showhoteldetails' SQL Injection Vulnerability
BugTraq ID: 32952
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/32952
Summary:
Multiple Joomla HBS components are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the applications, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following components are vulnerable; other components may also be affected:
'com_tophotelmodule' 1.0
'com_lowcosthotels'
'com_allhotels'
'com_5starhotels'

45. Google Chrome 'chromeHTML://' Command Line Parameter Injection Vulnerability
BugTraq ID: 32997
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/32997
Summary:
Google Chrome is prone to a vulnerability that lets attackers inject command-line parameters through protocol handlers. This issue occurs because the application fails to adequately sanitize user-supplied input.

Exploiting this issue would permit remote attackers to influence command options that can be called through the vulnerable protocol handler and to execute commands with the privileges of a user running the application. Attackers may also be able to leverage this issue to execute arbitrary code with the privileges of the user running the vulnerable application.

Google Chrome 1.0.154.36 is vulnerable; other versions may also be affected.

Further reports suggest this issue may not be exploited as described. This record may be retired at a later date.

46. Trend Micro HouseCall ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 32950
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/32950
Summary:
The Trend Micro HouseCall ActiveX control is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the affected ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

This issue affects HouseCall versions 6.51.0.1028 and 6.6.0.1278; other versions may be affected as well.

47. Microsoft SQL Server 'sp_replwritetovarbin' Remote Memory Corruption Vulnerability
BugTraq ID: 32710
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/32710
Summary:
Microsoft SQL Server is prone to a remote memory-corruption vulnerability because it fails to properly handle user-supplied input.

Authenticated attackers can exploit this issue to execute arbitrary code and completely compromise affected computers. Failed attacks will likely cause denial-of-service conditions.

The issue affects the following:

Microsoft SQL Server 2000
Microsoft SQL Server 2005

48. PHP-Fusion TI Blog System Module 'blog.php' SQL Injection Vulnerability
BugTraq ID: 33019
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/33019
Summary:
TI Blog System is prone to an SQL-injection vulnerability affecting the 'manuals' module because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

49. Microsoft Windows Media Player WAV/MID/SND File Parsing Integer Overflow Vulnerability
BugTraq ID: 33018
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/33018
Summary:
Microsoft Windows Media Player is prone to an integer-overflow vulnerability.

An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file with the vulnerable application. A successful exploit will result in the execution of arbitrary code in the context of the user running the application.

50. Personal Sticky Threads vBulletin Addon Unauthorized Access Vulnerability
BugTraq ID: 33017
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/33017
Summary:
Personal Sticky Threads is prone to an unauthorized-access vulnerability.

An attacker can exploit this vulnerability to gain unauthorized access to restricted threads. This may result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks.

Personal Sticky Threads 1.0.3c is vulnerable; other versions may also be affected.

51. SapporoWorks BlackJumboDog Web Server Unspecified Authentication Bypass Vulnerability
BugTraq ID: 33016
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/33016
Summary:
BlackJumboDog is prone to an authentication-bypass vulnerability.

Attackers can exploit this vulnerability to gain unauthorized access to the affected application, which may aid in further attacks.

BlackJumboDog 4.2.2 and earlier are vulnerable.

52. Mayaa Default Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 33015
Remote: Yes
Last Updated: 2008-12-25
Relevant URL: http://www.securityfocus.com/bid/33015
Summary:
Mayaa is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected application. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Mayaa 1.1.22 and earlier are vulnerable.

53. Internet Explorer 'chromeHTML://' Command Line Parameter Injection Vulnerability
BugTraq ID: 32999
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32999
Summary:
Internet Explorer is prone to a vulnerability that lets attackers inject command-line parameters through protocol handlers. This issue occurs because the application fails to adequately sanitize user-supplied input.

Exploiting this issue would permit remote attackers to influence command options that can be called through the vulnerable protocol handler and to execute commands with the privileges of a user running the application. Attackers may also be able to leverage this issue to execute arbitrary code with the privileges of the user running the vulnerable application.

Internet Explorer 8 beta 2 is vulnerable; other versions may also be affected.

54. PHP-Fusion 'submit.php' SQL Injection Vulnerability
BugTraq ID: 28855
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/28855
Summary:
PHP-Fusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP-Fusion 6.00.307 and 7.0.2 are vulnerable to this issue; other versions may also be affected.

55. Adobe Flash Player Unspecified Remote Security Vulnerability
BugTraq ID: 32896
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32896
Summary:
Adobe Flash Player is prone to an unspecified security vulnerability.

Remote attackers may exploit this vulnerability to compromise an affected computer.

No further technical details are currently available. We will update this BID as more information emerges.

This issue affects Flash Player on Linux platforms.

Versions prior to Flash Player 10.0.15.3 and 9.0.152.0 are vulnerable.

56. Citrix Broadcast Server 'login.asp' SQL Injection Vulnerability
BugTraq ID: 32832
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32832
Summary:
Citrix Broadcast Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to the following are vulnerable:

Broadcast Server 6.1 for Citrix Application Gateway
Broadcast Server 2.0 for Avaya AG250

57. Linux Kernel MIPS Untrusted User Application Local Denial of Service Vulnerability
BugTraq ID: 32716
Remote: No
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32716
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability affecting 64-bit MIPS architectures.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

58. F-PROT Antivirus for Linux ELF File Scanning Denial of Service Vulnerability
BugTraq ID: 32753
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32753
Summary:
F-PROT Antivirus for Linux is a virus scanning application for the Linux operating system.

The application is prone to a denial-of-service vulnerability because it fails to handle malformed files.

Successful exploits will crash the affected application, resulting in a denial-of-service condition. Given the nature of this issue, code execution may be possible, but this has not been confirmed.

F-PROT Antivirus for Linux 4.6.8 is vulnerable; other versions may also be affected.

59. GpsDrive Multiple Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 32887
Remote: No
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32887
Summary:
GpsDrive creates temporary files in an insecure manner.

An attacker with local access could perform symbolic-link attacks, overwriting arbitrary files in the context of an affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

GpsDrive 2.10~pre4-6.dfsg-1 is vulnerable; other versions may also be affected.

60. Verlihub Trigger Remote Command Execution Vulnerability
BugTraq ID: 32420
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32420
Summary:
Verlihub is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.

Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.

Verlihub 0.9.8d RC2 is vulnerable; other versions may also be affected.

61. Verlihub Insecure Temporary File Creation Vulnerability
BugTraq ID: 32889
Remote: No
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32889
Summary:
Verlihub creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Verlihub 0.9.8d RC2 is vulnerable; other versions may also be affected.

62. Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability
BugTraq ID: 32721
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32721
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

NOTE: Symantec has received reports that this issue is being actively exploited in the wild.

63. Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities
BugTraq ID: 32882
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32882
Summary:
The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Mozilla Firefox, Thunderbird, and SeaMonkey.

Attackers can exploit these issues to bypass same-origin restrictions, obtain potentially sensitive information, help launch cross-site scripting attacks, and execute arbitrary script code with elevated privileges; other attacks are also possible.

Update (18th December, 2008): Mozilla Firefox 2.0.0.19 for Windows is vulnerable to the cross-domain information-disclosure vulnerability documented by MFSA 2008-65. Firefox 2.0.0.20 is available and addresses this issue.

64. Sun Solaris OpenSSL 'PKCS#11' Engine Remote Denial Of Service Vulnerability
BugTraq ID: 32671
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32671
Summary:
Sun Solaris OpenSSL 'PKCS#11' engine is prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause denial-of-service conditions.

This issue affects the OpenSSL 'PKCS#11' engine implementation that ships with Solaris 10.

65. OpenSSH CBC Mode Information Disclosure Vulnerability
BugTraq ID: 32319
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32319
Summary:
OpenSSH is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain four bytes of plaintext from an encrypted session.

OpenSSH 4.7p1 is vulnerable; other versions may also be affected. Various versions of SSH Tectia are also affected.

66. Sun Solaris 'libICE' Unspecified Denial of Service Vulnerability
BugTraq ID: 32807
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32807
Summary:
Sun Solaris is prone to an unspecified denial-of-service vulnerability.

Remote attackers may exploit this issue to deny service to legitimate users.

67. Sun Solaris Kerberos Remote Denial Of Service Vulnerability
BugTraq ID: 32793
Remote: No
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32793
Summary:
Sun Solaris Kerberos is prone to a remote denial-of-service vulnerability because the application fails to validate user-supplied data.

An attacker may exploit this issue to prevent legitimate users from authenticating to Kerberos servers.

68. Perl 'rmdir()' Local Race Condition Privilege Escalation Vulnerability
BugTraq ID: 12767
Remote: No
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/12767
Summary:
Perl is reported to be prone to a local race-condition vulnerability. The issue resides in the 'rmtree()' function provided by the 'File::Path.pm' module.

A successful attack may allow an attacker to gain elevated privileges on a vulnerable computer.

UPDATE (December 2, 2008): This issue has been reported in Perl 5.8.8 and 5.10.

69. MPlayer TwinVQ Handling Stack Buffer Overflow Vulnerability
BugTraq ID: 32822
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32822
Summary:
MPlayer is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

This issue affects MPlayer 1.0rc2; other versions may also be affected.

70. Perl Archive::Tar Module Remote Directory Traversal Vulnerability
BugTraq ID: 26355
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/26355
Summary:
The Perl Archive::Tar module is prone to a directory-traversal vulnerability because it fails to validate user-supplied data.

A successful attack can allow the attacker to overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.

Note that all applications using the Perl Archive::Tar module may be affected.

71. Perl Unicode '\Q...\E' Quoting Construct Regular Expression Buffer Overflow Vulnerability
BugTraq ID: 28928
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/28928
Summary:
Perl is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.

Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of Perl applications using regular expressions in a vulnerable manner. This facilitates the remote compromise of affected computers. Failed exploits can cause denial-of-service conditions.

Perl 5.8.8 is vulnerable to this issue; other versions may also be affected.

NOTE: This issue may be related to BID 26350 ('Perl Unicode Regular Expression Buffer Overflow Vulnerability').

72. VLC Media Player Multiple Stack Based Buffer Overflow Vulnerabilities
BugTraq ID: 32125
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32125
Summary:
VLC media player is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Versions prior to VLC media player 0.9.6 are vulnerable.

73. VLC Media Player Real demuxer Heap Buffer Overflow Vulnerability
BugTraq ID: 32545
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/32545
Summary:
VLC media player is prone to a heap buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

This issue affects VLC 0.9.0 through 0.9.6.

74. Sun SNMP Management Agent Insecure Temporary File Creation Vulnerability
BugTraq ID: 33014
Remote: No
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33014
Summary:
Sun SNMP Management Agent creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in privilege escalation or cause a denial-of-service condition. Other attacks may also be possible.

Sun SNMP Management Agent 'SUNWmasf' versions 1.4u2 up to and including 1.5.4 are vulnerable.

75. bloofoxCMS 'dialog.php' Local File Include Vulnerability
BugTraq ID: 33013
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33013
Summary:
bloofoxCMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

bloofoxCMS 0.3.4 is affected; other versions may also be vulnerable.

76. Acoustica Mixcraft '.mx4' Project File Buffer Overflow Vulnerability
BugTraq ID: 33012
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33012
Summary:
Acoustica Mixcraft is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue by enticing a victim to load a malicious '.mx4' file. If successful, the attacker can execute arbitrary code in the context of the affected application.

Acoustica Mixcraft 4.2 is vulnerable; other versions may also be affected.

77. SAWStudio '.prf' File Buffer Overflow Vulnerability
BugTraq ID: 33011
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33011
Summary:
SAWStudio is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.

SAWStudio version 3.9i is vulnerable; other versions may also be affected.

78. Joomla! LiveTicker 'tid' Parameter SQL Injection Vulnerability
BugTraq ID: 33010
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33010
Summary:
The LiveTicker component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

LiveTicker 1.0.0 is vulnerable; other versions may also be affected.

79. mDigg Component for Joomla! 'category' Parameter SQL Injection Vulnerability
BugTraq ID: 33009
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33009
Summary:
The mDigg Component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

mDigg Component 2.2.8 is affected by the issue; other versions may also be vulnerable.

80. Joomla! Ice Gallery Component 'catid' Parameter SQL Injection Vulnerability
BugTraq ID: 33008
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33008
Summary:
The Ice Gallery component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Ice Gallery 0.5 beta 2 is affected by the issue; other versions may also be vulnerable.

81. BulletProof FTP Client Bookmark File Heap Buffer Overflow Vulnerability
BugTraq ID: 33007
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33007
Summary:
BulletProof FTP Client is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.

BulletProof FTP Client version 2.63 is vulnerable; other versions may also be affected.

82. ILIAS 'repository.php' SQL Injection Vulnerability
BugTraq ID: 33006
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33006
Summary:
ILIAS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ILIAS 3.7.4 is vulnerable; other versions may also be affected.

83. doop Administration Page Arbitrary File Upload Vulnerability
BugTraq ID: 33005
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33005
Summary:
doop is prone to a vulnerability that lets attackers upload arbitrary files because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute malicious code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

doop version 1.4.0b is vulnerable; other versions may also be affected.

84. PHP 'imageRotate()' Uninitialized Memory Information Disclosure Vulnerability
BugTraq ID: 33002
Remote: Yes
Last Updated: 2008-12-24
Relevant URL: http://www.securityfocus.com/bid/33002
Summary:
PHP is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

PHP 5.2.8 and prior versions are vulnerable.

85. 'imlib2' Library 'load()' Function Buffer Overflow Vulnerability
BugTraq ID: 32371
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32371
Summary:
The 'imlib2' library is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data.

An attacker can exploit this issue to execute arbitrary machine code in the context of applications using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.

This issue affects imlib2 1.4.2; other versions may also be affected.

86. Ampache Insecure Temporary File Creation Vulnerability
BugTraq ID: 30875
Remote: No
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/30875
Summary:
Ampache creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Ampache 3.4.1 is vulnerable; other versions may also be affected.

87. ClamAV 'cli_check_jpeg_exploit' Function Malformed JPEG File Remote Denial Of Service Vulnerability
BugTraq ID: 32555
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32555
Summary:
ClamAV is prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

Versions prior to ClamAV 0.94.2 are vulnerable.

88. ClamAV 'get_unicode_name()' Off-By-One Heap Based Buffer Overflow Vulnerability
BugTraq ID: 32207
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32207
Summary:
ClamAV is prone to an off-by-one heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to ClamAV 0.94.1 are vulnerable.

89. Novell Netware ApacheAdmin Security Bypass Vulnerability
BugTraq ID: 32657
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32657
Summary:
Novell Netware is prone to a security-bypass vulnerability.

Attackers can exploit this issue to gain unauthorized access to the ApacheAdmin console. Successfully exploiting this issue will lead to further attacks.

90. WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability
BugTraq ID: 27633
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/27633
Summary:
WordPress is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

This issue affects these versions:

WordPress 2.3.2 and earlier
WordPress MU 1.3.1 and earlier

91. Sun Fire Servers IP Spoofing Security Bypass Vulnerability
BugTraq ID: 32805
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32805
Summary:
Sun Fire Servers are prone to a security-bypass vulnerability.

Attackers can exploit this vulnerability to gain unauthorized access to the System Controller (SC) and possibly the host operating system. This may allow attackers to perform actions that will result in denial-of-service conditions and possibly other attacks.

92. OpenOffice WMF and EMF File Handling Multiple Heap Based Buffer Overflow Vulnerabilities
BugTraq ID: 31962
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/31962
Summary:
OpenOffice is prone to multiple remote heap-based buffer-overflow vulnerabilities because of errors in processing certain files.

Remote attackers can exploit these issues by enticing victims into opening maliciously crafted EMF or WMF files.

Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial of service.

The issues affect OpenOffice 2 prior to 2.4.2.

93. OpenOffice 'senddoc' Insecure Temporary File Creation Vulnerability
BugTraq ID: 30925
Remote: No
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/30925
Summary:
OpenOffice creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

OpenOffice 2.4.1 is vulnerable; other versions may also be affected.

94. WFTPD Server Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 19617
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/19617
Summary:
WFTPD is prone to multiple buffer-overflow vulnerabilities because the application fails to do proper bounds checking on user-supplied data before storing it in finite-sized buffers.

An attacker can exploit these issues to execute arbitrary code and gain unauthorized remote access to a computer. Attack attempts may cause denial-of-service conditions as well.

WFTPD 3.23 is reported vulnerable; other versions may also be affected.

95. ACLogic CesarFTP Multiple Commands Remote Buffer Overflow Vulnerability
BugTraq ID: 18586
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/18586
Summary:
CesarFTP is prone to a buffer-overflow vulnerability when handling data through the MKD command.
Reportedly, passing excessive data may overflow a finite-sized internal memory buffer. A successful attack may result in memory corruption as memory adjacent to the buffer is overwritten with user-supplied data.

This issue may lead to a denial-of-service condition or to the execution of arbitrary code.

Version 0.99g of CesarFTP is vulnerable to this issue; other versions may also be affected.

96. GNU Enscript 'src/psgen.c' Stack Based Buffer Overflow Vulnerability
BugTraq ID: 31858
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/31858
Summary:
GNU Enscript is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

GNU Enscript 1.6.1 and 1.6.4 (beta) are vulnerable; other versions may also be affected.

97. Microsoft Works 7 'WkImgSrv.dll' ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 28820
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/28820
Summary:
Microsoft Works 7 'WkImgSrv.dll' ActiveX control is prone to a remote code-execution vulnerability because it fails to sufficiently verify user-supplied input.

An attacker can exploit this issue to run arbitrary attacker-supplied code in the context of the currently logged-in user. Failed exploit attempts will trigger denial-of-service conditions.

This issue affects Microsoft Works 7 'WkImgSrv.dll' ActiveX control 7.03.0616; other versions may also be vulnerable.

NOTE: This ActiveX control is not marked 'safe for scripting' and would therefore prompt the victim before executing the script. Typically, we would not classify this issue as a security vulnerability. However, given the nature of the issue and the existence of exploit code in the wild, this BID will not be retired so that a record of the issue can be maintained.

98. Nagios Web Interface Privilege Escalation Vulnerability
BugTraq ID: 32156
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32156
Summary:
Nagios is prone to an unspecified privilege-escalation scripting vulnerability.

An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks.

Few technical details are available at this time; we will update this BID as more information emerges.

The issue affects versions prior to Nagios 3.0.5.

99. phpMyAdmin 'table' Parameter SQL Injection Vulnerability
BugTraq ID: 32720
Remote: Yes
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32720
Summary:
phpMyAdmin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Authentication is required to access these scripts, but attackers may also make use of cross-site-request-forgery attacks to exploit this issue.

This issue affects versions prior to phpMyAdmin 2.11.9.4 and 3.1.1.0.

100. Git gitweb 'diff.external' Local Privilege Escalation Vulnerability
BugTraq ID: 32967
Remote: No
Last Updated: 2008-12-23
Relevant URL: http://www.securityfocus.com/bid/32967
Summary:
Git gitweb is prone to a local privilege-escalation vulnerability.

A local attacker may exploit this issue to gain elevated privileges.

Versions prior to Git 1.5.4.7, 1.5.5.6, 1.5.6.6 and 1.6.0.6 are vulnerable.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Commission calls for cybersecurity czar
By: Robert Lemos
A group of technology and government experts warns that, without significant changes to the U.S. approach to cyberspace, foreign companies and other nations will continue to steal valuable technologies.
http://www.securityfocus.com/news/11540

2. Microsoft hopes free security means less malware
By: Robert Lemos
The software giant says shutting down Windows Live OneCare to release the software as a free tool could make consumers more secure.
http://www.securityfocus.com/news/11538

3. Researchers find more flaws in wireless security
By: Robert Lemos
Two security experts plan to show a limited attack against the popular Wi-Fi Protected Access (WPA) -- a replacement for insecure WEP -- at a conference in Tokyo.
http://www.securityfocus.com/news/11537

4. Secure hash competition kicks off
By: Robert Lemos
Dozens of amateur and professional cryptographers have joined the United States' first open competition for creating an uncrackable algorithm for generating hashes -- the digital fingerprints widely used in a variety of security functions.
http://www.securityfocus.com/news/11536

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
