Tuesday, January 20, 2009

SecurityFocus Newsletter #487
----------------------------------------

This issue is sponsored by The Computer Forensics Show

THE COMPUTER FORENSICS SHOW IS THE "DON'T MISS" EVENT OF THE YEAR FOR ALL LITIGATION, ACCOUNTING AND IT PROFESSIONALS
www.computerforensicshow.com

April 27-29, 2009
Washington DC Convention Center
Washington, DC

August 3-5, 2009
San Jose Convention Center
San Jose, CA


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Time to Take the Theoretical Seriously
2. The Drew Verdict Makes Us All Hackers
II. BUGTRAQ SUMMARY
1. McAfee E-Business Server Authentication Remote Code Execution Vulnerability
2. IBM AIX 'piox25.c/piox25remote.sh' Local Buffer Overflow Vulnerability
3. Excel Viewer OCX ActiveX 'open()' Buffer Overflow Vulnerability
4. No-IP Dynamic Update Client for Linux Remote Buffer Overflow Vulnerability
5. Apache Tomcat Cookie Quote Handling Remote Information Disclosure Vulnerability
6. GNUBoard 'common.php' Remote File Include Vulnerability
7. Free Bible Search 'readbible.php' SQL Injection Vulnerability
8. FhImage 'g_desc' Parameter Remote Command Execution Vulnerability
9. PDFjam Multiple Unspecified Security Vulnerabilities
10. JamDTA ActiveX Control 'SaveToFile()' Arbitrary File Overwrite Vulnerability
11. WebSVN Known Path Access Restriction Security Bypass Vulnerability
12. 53KF Web IM 'msg' Parameter Cross Site Scripting Vulnerability
13. Multiple Ralinktech Wireless Drivers MAC/BSS/SSID Integer Overflow Vulnerability
14. Enhanced Simple PHP Gallery Directory Traversal Vulnerability
15. WSS-PRO SCMS 'index.php' Local File Include Vulnerability
16. MKPortal Multiple Security Vulnerabilities
17. Ganglia gmetad 'process_path()' Remote Stack Buffer Overflow Vulnerability
18. TimeTools NTP Time Server Syslog Monitor Remote Denial of Service Vulnerability
19. Joomla! RD-Autos Component SQL Injection Vulnerability
20. AN Guestbook 'country' Parameter HTML Injection Vulnerability
21. Ciansoft PDFBuilderX Control (ActiveX) Arbitrary File Overwrite Vulnerability
22. TFTPUtil GUI Malformed Packet Remote Denial of Service Vulnerability
23. Blue Eye CMS 'clanek' Parameter SQL Injection Vulnerability
24. Eventing Component for Joomla! 'com_eventing' SQL Injection Vulnerability
25. Multiple Avira AntiVir Products 'CreateProcess()' Local Privilege Escalation Vulnerability
26. TFTPUtil GUI TFTP GET Request Directory Traversal Vulnerability
27. SmartVMD ActiveX Control 'StartVideoSaving()' Method Arbitrary File Delete Vulnerability
28. Linux Kernel i915 Driver 'drivers/char/drm/i915_dma.c' Memory Corruption Vulnerability
29. Linux Kernel 'hfs_cat_find_brec()' Local Denial of Service Vulnerability
30. Linux Kernel 'hfsplus_find_cat()' Local Denial of Service Vulnerability
31. SmartVMD ActiveX Control 'SaveMaskToFile()' Arbitrary File Overwrite Vulnerability
32. Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability
33. Linux Kernel 'do_splice_from()' Local Security Bypass Vulnerability
34. Linux Kernel 'sendmsg()' Local Denial of Service Vulnerability
35. Oracle Application Server Oracle Containers for J2EE Directory Traversal Vulnerability
36. Linux Kernel 'ib700wdt.c' Buffer Underflow Vulnerability
37. Linux Kernel 'net/atm/proc.c' Local Denial of Service Vulnerability
38. Cisco IOS FTP Server Multiple Vulnerabilities
39. Microsoft Windows Mobile OBEX FTP Service Directory Traversal Vulnerability
40. Apache Jackrabbit 'q' Parameter Multiple Cross Site Scripting Vulnerabilities
41. Ninja Blog Comments HTML Injection Vulnerability
42. HP OpenView Network Node Manager HTTP Request Multiple Buffer Overflow Vulnerabilities
43. Ninja Blog 'cat' Parameter Directory Traversal Vulnerability
44. Trend Micro Multiple Products Network Security Component Modules Multiple Vulnerabilities
45. DMXReady SDK Arbitrary File Download Vulnerability
46. Joomla! and Mambo 'com_news' Component 'id' Parameter SQL Injection Vulnerability
47. Joomla! WATicketSystem Component 'catid' SQL Injection Vulnerability
48. D-Bus 'dbus_signature_validate()' Type Signature Denial of Service Vulnerability
49. KTorrent PHP Code Injection And Security Bypass Vulnerabilities
50. Joomla! and Mambo gigCalendar Component 'id' Parameter SQL Injection Vulnerability
51. Joomla! and Mambo 'com_pccookbook' Component 'recipe_id' Parameter SQL Injection Vulnerability
52. 'imlib2' Library 'load()' Function Buffer Overflow Vulnerability
53. xterm DECRQSS Remote Command Execution Vulnerability
54. Multiple Java Runtime Implementations UTF-8 Input Validation Vulnerability
55. MoinMoin 'AttachFile.py' Cross-Site Scripting Vulnerability
56. streber Prior to 0.09 Multiple Unspecified Security Vulnerabilities
57. easyHDR Pro 1.60.2 Multiple Buffer Overflow Vulnerabilities
58. OpenSG 'OSGHDRImageFileType.cpp' Radiance RGBE File Stack Buffer Overflow Vulnerability
59. Git Snapshot Generation and Pickaxe Search Arbitrary Command Injection Vulnerability
60. Red Hat SquirrelMail Package Session Management Vulnerability
61. Adobe RoboHelp Server Help Errors Log Cross-Site Scripting and SQL-Injection Vulnerabilities
62. CUPS PNG Filter '_cupsImageReadPNG()' Integer Overflow Vulnerability
63. CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability
64. QEMU Multiple Local Vulnerabilities
65. QEMU and KVM VNC Server Remote Denial of Service Vulnerability
66. QEMU VNC 'monitor.c' Insecure Password Vulnerability
67. QNX RTOS Malformed ELF Binary File Local Denial Of Service Vulnerability
68. Lynx URI Handlers Arbitrary Command Execution Vulnerability
69. Lynx '.mailcap' and '.mime.type' Files Local Code Execution Vulnerability
70. ActionCalendar 'admin.asp' Multiple SQL Injection Vulnerabilities
71. BlogIt! 'index.asp' SQL Injection and Cross Site Scripting Vulnerabilities
72. MetaProducts MetaTreeX ActiveX Control 'SaveToBMP()' Arbitrary File Overwrite Vulnerability
73. WarHound Walking Club 'login.aspx' Multiple SQL Injection Vulnerabilities
74. eFAQ Login SQL Injection Vulnerability
75. Multiple AJ Classifieds Scripts 'index.php' Arbitrary File Upload Vulnerability
76. BibCiter Multiple SQL Injection Vulnerabilities
77. Active Bids Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
78. DMXReady Blog Manager 'inc_weblogmanager.asp' Cross-Site Scripting and SQL Injection Vulnerabilities
79. LemonLDAP:NG User Enumeration Weakness and Cross Site Scripting Vulnerability
80. KDE KDM Unspecified Local Denial Of Service Vulnerability
81. Sagem F@st 2404 Router 'restoreinfo.cgi' Unauthorized Access Vulnerability
82. eReservations Login SQL Injection Vulnerability
83. Simple PHP Newsletter 'olang' Parameter Multiple Local File Include Vulnerabilities
84. WarHound Ping IP 'admin.aspx' Multiple SQL Injection Vulnerabilities
85. Sophos TAO/Remote Management System (RMS) GIOP Message Remote Denial of Service Vulnerability
86. Syslserve Remote Denial of Service Vulnerability
87. w3bcms 'admin/index.php' SQL Injection Vulnerability
88. Masir Camp 'SearchKeywords' Parameter SQL Injection Vulnerability
89. Microsoft Windows SMB NT Trans2 Remote Code Execution Vulnerability
90. FFmpeg File Parsing Multiple Buffer Overflow Vulnerabilities
91. Fujitsu Systemcast Wizard Lite PXE Request Remote Buffer Overflow Vulnerability
92. Symantec AppStream Client 'LaunchObj' ActiveX Control Arbitrary File Download Vulnerability
93. ICEsoft Technologies ICEbrowser Remote Denial of Service Vulnerability
94. Active Auction 'search' Parameter SQL Injection and Cross Site Scripting Vulnerabilities
95. RankEm 'rankup.asp' Cookie Manipulation and Cross Site Scripting Vulnerabilities
96. Oracle January 2009 Critical Patch Update Multiple Vulnerabilities
97. LinksPro 'OrderDirection' Parameter SQL Injection Vulnerability
98. Drupal Security Bypass Vulnerability and SQL Injection Weakness
99. Linux Kernel 'keyctl_join_session_keyring()' Denial of Service Vulnerability
100. OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability
III. SECURITYFOCUS NEWS
1. Group releases list to kill most-dangerous bugs
2. Group attacks flaw in browser crypto security
3. Commission calls for cybersecurity czar
4. Microsoft hopes free security means less malware
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #427
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Time to Take the Theoretical Seriously
By Chris Wysopal
Software developers' response to "theoretical" research is fundamentally broken. By now, everyone in the security industry knows about the Rogue CA presentation that Alex Sotirov and Jacob Appelbaum gave at the 25th Chaos Communications Congress. It was one of the most interesting I saw all last year, and it's a good example of why software companies continue to be vulnerable to attackers.
http://www.securityfocus.com/columnists/490

2. The Drew Verdict Makes Us All Hackers
By Mark Rasch
Last month, Lori Drew - the middle-aged Missouri mother who participated in a plan to deceive a 13-year-old girl that ultimately led to the girl's suicide - was convicted by a Los Angeles federal jury of several misdemeanor counts of unauthorized access to MySpace's computers.
http://www.securityfocus.com/columnists/489


II. BUGTRAQ SUMMARY
--------------------
1. McAfee E-Business Server Authentication Remote Code Execution Vulnerability
BugTraq ID: 27197
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/27197
Summary:
McAfee E-Business Server is prone to a remote code-execution vulnerability that occurs prior to authentication.

Attackers can leverage this issue to execute arbitrary code with superuser privileges. Successful exploits will completely compromise affected computers. Failed attacks will cause denial-of-service conditions.

E-Business Server 8.5.2 and prior versions are vulnerable.

NOTE: This issue may be related to the issue described in BID 26269 (McAfee E-Business Server Authentication Packet Handling Integer Overflow Vulnerability).

2. IBM AIX 'piox25.c/piox25remote.sh' Local Buffer Overflow Vulnerability
BugTraq ID: 27510
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/27510
Summary:
IBM AIX is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial of service.

3. Excel Viewer OCX ActiveX 'open()' Buffer Overflow Vulnerability
BugTraq ID: 33322
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33322
Summary:
Excel Viewer OCX is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.

Excel Viewer OCX 3.1 and 3.2 are vulnerable; other versions may also be affected.

4. No-IP Dynamic Update Client for Linux Remote Buffer Overflow Vulnerability
BugTraq ID: 32344
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/32344
Summary:
No-IP Dynamic Update Client (DUC) is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check input messages.

An attacker can exploit this issue by enticing an unsuspecting user into connecting to a malicious server. Successful attacks will allow arbitrary code to run within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

DUC 2.1.7 for Linux is vulnerable; other versions may also be affected.

5. Apache Tomcat Cookie Quote Handling Remote Information Disclosure Vulnerability
BugTraq ID: 27706
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/27706
Summary:
Apache Tomcat is prone to an information-disclosure vulnerability because it fails to adequately sanitize user-supplied data.

Attackers can exploit this issue to access potentially sensitive data that may aid in further attacks.

Versions prior to Apache Tomcat 6.0.16 and 5.5.26 are vulnerable.

NOTE: This vulnerability is caused by an incomplete fix for BID 25316 - Apache Tomcat Multiple Remote Information Disclosure Vulnerabilities (CVE-2007-3385).

6. GNUBoard 'common.php' Remote File Include Vulnerability
BugTraq ID: 33304
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33304
Summary:
GNUBoard is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

GNUBoard 4.31.03 is vulnerable; other versions may also be affected.

7. Free Bible Search 'readbible.php' SQL Injection Vulnerability
BugTraq ID: 33301
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33301
Summary:
Free Bible Search is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

8. FhImage 'g_desc' Parameter Remote Command Execution Vulnerability
BugTraq ID: 33334
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33334
Summary:
FhImage is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the application fails to adequately sanitize user-supplied input.

Successful attacks can compromise the affected application and possibly the underlying computer.

FhImage 1.2.1 is vulnerable; other versions may also be affected.

9. PDFjam Multiple Unspecified Security Vulnerabilities
BugTraq ID: 33357
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33357
Summary:
PDFjam is prone to multiple unspecified vulnerabilities.

Very few details are available. We will update this BID as more information emerges.

These issues affect versions prior to PDFjam 1.21.

10. JamDTA ActiveX Control 'SaveToFile()' Arbitrary File Overwrite Vulnerability
BugTraq ID: 33345
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33345
Summary:
JamDTA ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.

Successfully exploiting this issue will allow an attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

JamDTA 4.0.4 is vulnerable; other versions may also be affected.

11. WebSVN Known Path Access Restriction Security Bypass Vulnerability
BugTraq ID: 33343
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33343
Summary:
WebSVN is prone to a security-bypass vulnerability because it fails to properly implement access control mechanisms.

An attacker can exploit this issue to bypass intended security restrictions and gain access to potentially sensitive files.

Versions prior to WebSVN 2.1 are vulnerable.

12. 53KF Web IM 'msg' Parameter Cross Site Scripting Vulnerability
BugTraq ID: 33341
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33341
Summary:
53KF Web IM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue affects the following:

53KF Web IM Home Edition
53KF Web IM Enterprise
53KF Web IM Professional

13. Multiple Ralinktech Wireless Drivers MAC/BSS/SSID Integer Overflow Vulnerability
BugTraq ID: 33340
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33340
Summary:
Multiple Ralinktech wireless drivers are prone to an integer-overflow vulnerability because they fail to ensure that integer values are not overrun.

Successful exploits may allow remote attackers to execute arbitrary code with kernel-level privileges, resulting in the complete compromise of affected devices. Failed exploit attempts will likely cause denial-of-service conditions.

The following devices are affected:

Ralink USB Wireless Adapter (RT73) version 3.08.

Other unspecified devices are also affected.

14. Enhanced Simple PHP Gallery Directory Traversal Vulnerability
BugTraq ID: 33335
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33335
Summary:
Enhanced Simple PHP Gallery is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.

Enhanced Simple PHP Gallery 1.72 is vulnerable; other versions may be affected as well.

15. WSS-PRO SCMS 'index.php' Local File Include Vulnerability
BugTraq ID: 33330
Remote: Yes
Last Updated: 2009-01-18
Relevant URL: http://www.securityfocus.com/bid/33330
Summary:
SCMS (Simple Content Management System) is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

SCMS 1.0 is affected; other versions may also be vulnerable.

16. MKPortal Multiple Security Vulnerabilities
BugTraq ID: 33300
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33300
Summary:
MKPortal is prone to multiple security vulnerabilities, including SQL-injection, HTML-injection, cross-site scripting, arbitrary-file-upload, and insecure-temporary-file-creation vulnerabilities.

Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.

MKPortal 1.2.1 is vulnerable; other versions may also be affected.

17. Ganglia gmetad 'process_path()' Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 33299
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33299
Summary:
Ganglia is prone to a remote stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied input.

Attackers can leverage this issue to execute arbitrary code in the context of the application. Successful exploits will compromise the application and the underlying computer. Failed attacks will cause denial-of-service conditions.

18. TimeTools NTP Time Server Syslog Monitor Remote Denial of Service Vulnerability
BugTraq ID: 33290
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33290
Summary:
TimeTools NTP Time Server Syslog Monitor is prone to a denial-of-service vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

19. Joomla! RD-Autos Component SQL Injection Vulnerability
BugTraq ID: 33297
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33297
Summary:
The RD-Autos component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

This affects RD-Autos 1 5.2; other versions may also be affected.

20. AN Guestbook 'country' Parameter HTML Injection Vulnerability
BugTraq ID: 33292
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33292
Summary:
AN Guestbook is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Versions prior to AN Guestbook 0.7.7 are vulnerable.

21. Ciansoft PDFBuilderX Control (ActiveX) Arbitrary File Overwrite Vulnerability
BugTraq ID: 33233
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33233
Summary:
Ciansoft PDFBuilderX Control (ActiveX) is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.

Successfully exploiting this issue will allow an attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

Ciansoft PDFBuilderX Control (ActiveX) 2.2.0.1 is vulnerable; other versions may also be affected.

22. TFTPUtil GUI Malformed Packet Remote Denial of Service Vulnerability
BugTraq ID: 33289
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33289
Summary:
TFTPUtil GUI is prone to a remote denial-of-service vulnerability because it fails to properly handle malformed user-supplied input.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.

TFTPUtil GUI 1.2.0 and 1.3.0 are vulnerable; other versions may also be affected.

23. Blue Eye CMS 'clanek' Parameter SQL Injection Vulnerability
BugTraq ID: 33303
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33303
Summary:
Blue Eye CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

24. Eventing Component for Joomla! 'com_eventing' SQL Injection Vulnerability
BugTraq ID: 33296
Remote: Yes
Last Updated: 2009-01-17
Relevant URL: http://www.securityfocus.com/bid/33296
Summary:
The 'com_eventing' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

25. Multiple Avira AntiVir Products 'CreateProcess()' Local Privilege Escalation Vulnerabilty
BugTraq ID: 33291
Remote: No
Last Updated: 2009-01-16
Relevant URL: http://www.securityfocus.com/bid/33291
Summary:
Multiple Avira products are prone to a local privilege-escalation vulnerability because they insecurely make a 'CreateProcess()' API function call.

A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges, which may facilitate a complete compromise of the affected computer.

The following applications are vulnerable:

Avira AntiVir Premium
Avira Premium Security Suite
Avira AntiVir Professional

26. TFTPUtil GUI TFTP GET Request Directory Traversal Vulnerability
BugTraq ID: 33287
Remote: Yes
Last Updated: 2009-01-16
Relevant URL: http://www.securityfocus.com/bid/33287
Summary:
TFTPUtil GUI is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to access arbitrary files outside of the TFTP server root directory. This can expose sensitive information that could help the attacker launch further attacks.

TFTPUtil GUI 1.2.0 and 1.3.0 are vulnerable; other versions may also be affected.

27. SmartVMD ActiveX Control 'StartVideoSaving()' Method Arbitrary File Delete Vulnerability
BugTraq ID: 33349
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33349
Summary:
SmartVMD ActiveX control is prone to a vulnerability that lets attackers delete arbitrary files on the affected computer in the context of the application using the ActiveX control (typically Internet Explorer). Successful attacks can result in denial-of-service conditions.

SmartVMD 1.1 is vulnerable; other versions may also be affected.

28. Linux Kernel i915 Driver 'drivers/char/drm/i915_dma.c' Memory Corruption Vulnerability
BugTraq ID: 31792
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/31792
Summary:
The Linux kernel is prone to a memory-corruption vulnerability because of insufficient boundary checks in the i915 driver.

Local attackers could exploit this issue to cause denial-of-service conditions, bypass certain security restrictions, and potentially access sensitive information or gain elevated privileges.

This issue affects Linux kernel 2.6.24.6 and prior versions.

29. Linux Kernel 'hfs_cat_find_brec()' Local Denial of Service Vulnerability
BugTraq ID: 32289
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/32289
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly bounds-check data before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects versions prior to Linux kernel 2.6.27.6.

30. Linux Kernel 'hfsplus_find_cat()' Local Denial of Service Vulnerability
BugTraq ID: 32093
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/32093
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly bounds-check data before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

This issue affects versions prior to Linux kernel 2.6.28-rc1.

31. SmartVMD ActiveX Control 'SaveMaskToFile()' Arbitrary File Overwrite Vulnerability
BugTraq ID: 33348
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33348
Summary:
SmartVMD ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.

Successfully exploiting this issue will allow an attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

SmartVMD 1.1 is vulnerable; other versions may also be affected.

32. Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability
BugTraq ID: 32154
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/32154
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

The Linux kernel 2.6.26 and prior versions are affected.

33. Linux Kernel 'do_splice_from()' Local Security Bypass Vulnerability
BugTraq ID: 31903
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/31903
Summary:
The Linux kernel is prone to a local security-bypass vulnerability because the 'do_splice_from()' function fails to correctly reject file descriptors when performing certain file operations.

Attackers can exploit this issue to bypass append-mode restrictions and write to arbitrary locations within a file.

Versions prior to Linux kernel 2.6.27 are vulnerable.

34. Linux Kernel 'sendmsg()' Local Denial of Service Vulnerability
BugTraq ID: 32516
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/32516
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to create a soft lockup of the vulnerable kernel or to invoke the 'oom-killer' kernel functionality, which may halt unrelated processes. This may result in a denial-of-service condition.

NOTE: This issue was either caused or revealed by the fix for BID 32154 (Linux Kernel '__scm_destroy()' Local Denial of Service Vulnerability).

The Linux kernel 2.6.27 and prior versions are affected.

35. Oracle Application Server Oracle Containers for J2EE Directory Traversal Vulnerability
BugTraq ID: 33361
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33361
Summary:
Oracle Containers for J2EE is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.

This issue is associated with Oracle security bug ID 7391479.

Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.

This issue affects Oracle Application Server 10g 10.1.3.1.0; other versions may also be affected.

36. Linux Kernel 'ib700wdt.c' Buffer Underflow Vulnerability
BugTraq ID: 33003
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33003
Summary:
The Linux kernel is prone to a buffer-underflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges or crash the affected computer, denying service to legitimate users.

Versions prior to Linux kernel 2.6.28-rc1 are vulnerable.

37. Linux Kernel 'net/atm/proc.c' Local Denial of Service Vulnerability
BugTraq ID: 32676
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/32676
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to send the Linux kernel into an infinite loop, resulting in a denial-of-service condition.

38. Cisco IOS FTP Server Multiple Vulnerabilities
BugTraq ID: 23885
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/23885
Summary:
Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue.

Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code.

Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default.

39. Microsoft Windows Mobile OBEX FTP Service Directory Traversal Vulnerability
BugTraq ID: 33359
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33359
Summary:
Microsoft Windows Mobile is prone to a directory-traversal vulnerability in the OBEX FTP service.

Exploiting this issue allows an attacker to write arbitrary files to locations outside the application's current directory, download arbitrary files, and obtain sensitive information. Other attacks may also be possible.

Windows Mobile 5.0 and 6.0 are vulnerable; other versions may also be affected.

40. Apache Jackrabbit 'q' Parameter Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 33360
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33360
Summary:
Apache Jackrabbit is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to Apache Jackrabbit 1.5.2 are vulnerable.

41. Ninja Blog Comments HTML Injection Vulnerability
BugTraq ID: 33356
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33356
Summary:
Ninja Blog is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Ninja Blog 4.8 is vulnerable; other versions may also be affected.

42. HP OpenView Network Node Manager HTTP Request Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 33147
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33147
Summary:
HP OpenView Network Node Manager is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to insufficiently sized buffers.

Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.

These issues affect HP OpenView Network Node Manager 7.51 with NNM_01168; other versions may also be affected.

43. Ninja Blog 'cat' Parameter Directory Traversal Vulnerability
BugTraq ID: 33351
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33351
Summary:
Ninja Blog is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.

Ninja Blog 4.8 is vulnerable; other versions may be affected as well.

44. Trend Micro Multiple Products Network Security Component Modules Multiple Vulnerabilities
BugTraq ID: 33358
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33358
Summary:
Multiple products from Trend Micro are prone to multiple security vulnerabilities that affect the Network Security Component modules.

Successful exploits may allow an attacker to crash an affected application, execute arbitrary code, or bypass security.

These issues affect the following:

Trend Micro OfficeScan Corporate Edition 8.0 SP1 Patch 1
Trend Micro Internet Security 2008
Trend Micro Internet Security Pro 2008
Trend Micro PC-cillin Internet Security 2007

45. DMXReady SDK Arbitrary File Download Vulnerability
BugTraq ID: 33281
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33281
Summary:
DMXReady SDK is prone to an issue that allows an attacker to download arbitrary files.

The attacker can exploit this issue to obtain sensitive information.

This issue affects versions up to and including DMXReady SDK 1.1.

46. Joomla! and Mambo 'com_news' Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 33350
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33350
Summary:
The Joomla! and Mambo 'com_news' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

47. Joomla! WATicketSystem Component 'catid' SQL Injection Vulnerability
BugTraq ID: 33353
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33353
Summary:
The Joomla! WATicketSystem component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

48. D-Bus 'dbus_signature_validate()' Type Signature Denial of Service Vulnerability
BugTraq ID: 31602
Remote: No
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/31602
Summary:
D-Bus is prone to a local denial-of-service vulnerability because it fails to handle malformed signatures contained in messages.

Local attackers can exploit this issue to crash an application that uses the affected library, denying service to legitimate users.

This issue affects D-BUS 1.2.1; other versions may also be affected.
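
Added illustration for entry 48, not code from D-Bus itself: a validator for D-Bus type signatures that rejects malformed input instead of crashing on it. The grammar and the limits (255 characters, 32 nested arrays, 32 nested structs) are those stated in the D-Bus specification; counting dict entries against the struct limit is my assumption, and the function names are mine.

```python
"""Validate a D-Bus type signature before any further message parsing.

Grammar (D-Bus specification): basic types are single codes, 'a' prefixes
an array element type, '(' ... ')' encloses a non-empty struct, '{' key
value '}' is a dict entry allowed only directly as an array element and
only with a basic-type key, 'v' is a variant.
"""

BASIC_TYPES = set("ybnqiuxtdsogh")
MAX_SIGNATURE_LEN = 255
MAX_ARRAY_DEPTH = 32
MAX_STRUCT_DEPTH = 32   # dict entries counted here as well (assumption)


class BadSignature(ValueError):
    pass


def validate_signature(sig: str) -> bool:
    """Return True for a well-formed signature, False otherwise; never raises."""
    if len(sig) > MAX_SIGNATURE_LEN:
        return False
    try:
        i = 0
        while i < len(sig):
            i = _parse_type(sig, i, 0, 0)
    except BadSignature:
        return False
    return True


def _parse_type(sig, i, arr_depth, struct_depth):
    """Parse one complete type starting at sig[i]; return the index after it."""
    if i >= len(sig):
        raise BadSignature("unexpected end of signature")
    c = sig[i]
    if c in BASIC_TYPES or c == "v":
        return i + 1
    if c == "a":
        if arr_depth + 1 > MAX_ARRAY_DEPTH:
            raise BadSignature("array nesting too deep")
        if i + 1 < len(sig) and sig[i + 1] == "{":
            return _parse_dict_entry(sig, i + 1, arr_depth + 1, struct_depth)
        return _parse_type(sig, i + 1, arr_depth + 1, struct_depth)
    if c == "(":
        if struct_depth + 1 > MAX_STRUCT_DEPTH:
            raise BadSignature("struct nesting too deep")
        j = i + 1
        if j < len(sig) and sig[j] == ")":
            raise BadSignature("empty struct")
        while j < len(sig) and sig[j] != ")":
            j = _parse_type(sig, j, arr_depth, struct_depth + 1)
        if j >= len(sig):
            raise BadSignature("unterminated struct")
        return j + 1
    # '{', '}' and ')' reaching this point are out of place; anything else is unknown
    raise BadSignature("unexpected type code %r at %d" % (c, i))


def _parse_dict_entry(sig, i, arr_depth, struct_depth):
    """sig[i] == '{'; a dict entry holds exactly one basic key and one value."""
    if struct_depth + 1 > MAX_STRUCT_DEPTH:
        raise BadSignature("dict-entry nesting too deep")
    j = i + 1
    if j >= len(sig) or sig[j] not in BASIC_TYPES:
        raise BadSignature("dict-entry key must be a basic type")
    j = _parse_type(sig, j + 1, arr_depth, struct_depth + 1)
    if j >= len(sig) or sig[j] != "}":
        raise BadSignature("dict entry must hold exactly one value")
    return j + 1
```

Run it over every signature field of an incoming message (and over each variant's embedded signature) before the body is decoded; the depth limits matter as much as the grammar, because a recursive parser without them can be driven to exhaust its stack on a signature that is otherwise well-formed.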

49. KTorrent PHP Code Injection And Security Bypass Vulnerabilities
BugTraq ID: 31927
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/31927
Summary:
KTorrent is prone to a remote PHP code-injection vulnerability and a security-bypass vulnerability. The issues affect the application's web interface.

An attacker can exploit these issues to perform certain actions without authorization and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks may also be possible.

The issue affects KTorrent 3.1.3; other versions may also be vulnerable.

50. Joomla! and Mambo gigCalendar Component 'id' Parameter SQL Injection Vulnerability
BugTraq ID: 33332
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33332
Summary:
The gigCalendar component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

gigCalendar 1.0 is vulnerable; other versions may also be affected.

51. Joomla! and Mambo 'com_pccookbook' Component 'recipe_id' Parameter SQL Injection Vulnerability
BugTraq ID: 33346
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33346
Summary:
The Joomla! and Mambo 'com_pccookbook' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

52. 'imlib2' Library 'load()' Function Buffer Overflow Vulnerability
BugTraq ID: 32371
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/32371
Summary:
The 'imlib2' library is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data.

An attacker can exploit this issue to execute arbitrary machine code in the context of applications using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.

This issue affects imlib2 1.4.2; other versions may also be affected.

53. xterm DECRQSS Remote Command Execution Vulnerability
BugTraq ID: 33060
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33060
Summary:
The 'xterm' program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.

Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.

The issue affects xterm with patch 237; other versions may also be affected.
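
Entry 53 gives no detail of the DECRQSS flaw, so the added example below (mine, not xterm's code, and no claim about how xterm itself was fixed) shows the defensive side of the problem: a log viewer, mail reader or similar tool that writes untrusted text to a terminal should strip control strings first, so that a DECRQSS request (DCS followed by '$q', terminated by ST) or any other escape sequence embedded in the data never reaches the terminal emulator.

```python
"""Strip terminal control sequences from untrusted text before display."""
import re

# CSI: ESC [ parameter bytes (0x30-0x3F), intermediate bytes (0x20-0x2F), final (0x40-0x7E)
_CSI = r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
# Control strings: DCS (ESC P), OSC (ESC ]), APC (ESC _), PM (ESC ^), SOS (ESC X),
# running to ST (ESC \), to BEL (accepted by many emulators for OSC), or end of input.
_STRING = r"\x1b[P\]_^X].*?(?:\x1b\\|\x07|$)"
# Any other two-character escape, e.g. ESC 7 / ESC 8 (save/restore cursor).
_OTHER_ESC = r"\x1b[\x20-\x7e]"
# Remaining C0 controls except tab, LF and CR; DEL; and 8-bit C1 controls
# (U+0080-U+009F, which carry CSI/DCS/OSC when text was decoded as Latin-1).
_C0_C1 = r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]"

_SEQUENCE = re.compile("|".join((_CSI, _STRING, _OTHER_ESC, _C0_C1)), re.DOTALL)
_DECRQSS = re.compile(r"\x1bP\$q", re.DOTALL)


def contains_decrqss(text: str) -> bool:
    """True if the text carries a DECRQSS request; useful as a log/alert signal."""
    return _DECRQSS.search(text) is not None


def sanitize_for_terminal(text: str) -> str:
    """Return text with every escape/control sequence removed, keeping
    only printable characters plus tab, newline and carriage return."""
    return _SEQUENCE.sub("", text)
```

The point of removing whole control strings rather than just the ESC byte is that a terminal's reply to a request like DECRQSS is delivered to the foreground process as if typed; any text that can provoke a reply is therefore a potential command, whatever program ends up reading it.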

54. Multiple Java Runtime Implementations UTF-8 Input Validation Vulnerability
BugTraq ID: 30633
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/30633
Summary:
Multiple Java runtime implementations are prone to a vulnerability because the applications fail to sufficiently sanitize user-supplied input.

Exploiting this issue in Apache Tomcat will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks. Other attacks may also be possible.

Exploiting this issue in other applications will depend on the individual application. Successful exploits may result in a bypass of intended security filters. This may have various security impacts. We will update this BID pending further investigation.

UPDATE (December 18, 2008): Reports indicate that this issue may affect additional, unspecified Java Virtual Machine (JVM) implementations distributed by Sun, HP, IBM, Apple, and Apache. We will update this BID as more information becomes available.

UPDATE (January 9, 2009): This BID previously documented an issue in Apache Tomcat. Further reports indicate that the underlying issue is in various Java runtime implementations.
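
Added illustration for entry 54, not code from any of the affected runtimes or from Tomcat. The entry does not say which validation step fails; the example assumes the classic failure mode for this bug class, acceptance of non-shortest-form (overlong) UTF-8 sequences, and shows why that defeats a traversal filter applied to the raw request bytes: the bytes C0 AE contain no literal '.', yet a lenient decoder turns them into one. The percent-encoded path and the order "filter, then decode" are constructed for the demonstration.

```python
"""Strict versus lenient UTF-8 decoding and its effect on a path filter."""
from urllib.parse import unquote_to_bytes

# Smallest code point each sequence length may legitimately encode.
_MIN_CODEPOINT = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Hand-rolled decoder; strict=False reproduces the lenient behaviour."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif 0xC0 <= b <= 0xDF:
            cp, n = b & 0x1F, 2
        elif 0xE0 <= b <= 0xEF:
            cp, n = b & 0x0F, 3
        elif 0xF0 <= b <= 0xF7:
            cp, n = b & 0x07, 4
        else:
            raise ValueError("invalid lead byte 0x%02x at offset %d" % (b, i))
        if i + n > len(data):
            raise ValueError("truncated sequence at offset %d" % i)
        for c in data[i + 1:i + n]:
            if c & 0xC0 != 0x80:
                raise ValueError("invalid continuation byte at offset %d" % i)
            cp = (cp << 6) | (c & 0x3F)
        if strict:
            if cp < _MIN_CODEPOINT[n]:
                raise ValueError("overlong encoding at offset %d" % i)
            if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                raise ValueError("invalid code point U+%04X at offset %d" % (cp, i))
        out.append(chr(cp))
        i += n
    return "".join(out)


def naive_filter_passes(raw: bytes) -> bool:
    """A traversal filter that looks at the undecoded request bytes."""
    return b".." not in raw


def requested_path(url_path: str, strict: bool) -> str:
    """Percent-decode, apply the byte-level filter, then decode as UTF-8.
    Filtering before character decoding is the assumed (bad) ordering."""
    raw = unquote_to_bytes(url_path)
    if not naive_filter_passes(raw):
        raise PermissionError("traversal rejected by byte-level filter")
    return decode_utf8(raw, strict=strict)
```

Python's own bytes.decode("utf-8") is strict and rejects C0 AE outright, as the test shows; the durable fix on the application side is nevertheless to run any path check on the fully decoded, normalised string rather than on its encoded form.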

55. MoinMoin 'AttachFile.py' Cross-Site Scripting Vulnerability
BugTraq ID: 33365
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33365
Summary:
MoinMoin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to MoinMoin 1.8.1 are vulnerable.

56. streber Prior to 0.09 Multiple Unspecified Security Vulnerabilities
BugTraq ID: 33364
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33364
Summary:
streber is prone to multiple unspecified security vulnerabilities.

Very few details are available. We will update this BID as more information emerges.

These issues affect versions prior to streber 0.09.

57. easyHDR Pro 1.60.2 Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 33363
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33363
Summary:
easyHDR Pro is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.

Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

easyHDR Pro 1.60.2 is vulnerable; prior versions may also be affected.

58. OpenSG 'OSGHDRImageFileType.cpp' Radiance RGBE File Stack Buffer Overflow Vulnerability
BugTraq ID: 33362
Remote: Yes
Last Updated: 2009-01-20
Relevant URL: http://www.securityfocus.com/bid/33362
Summary:
OpenSG is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.

An attacker can exploit this issue to execute arbitrary machine code in the context of applications using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.

This issue affects OpenSG 1.8.0; other versions may also be affected.

59. Git Snapshot Generation and Pickaxe Search Arbitrary Command Injection Vulnerability
BugTraq ID: 33355
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33355
Summary:
Git is prone to a vulnerability that lets attackers inject arbitrary commands. The issue occurs because the software fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary commands in the context of the user running the application.
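
Entry 59 does not say how the injection happens, so the added example below (mine, not gitweb's code) shows the two generic defences for this bug class when a web front end runs git on user-supplied values: build an argv list and never route the values through a shell, and make sure a value cannot be read as an option. The ref validator is a conservative subset of what git accepts (assumption), and the function names are mine.

```python
"""Build git command lines from web-supplied values without a shell."""
import re
import subprocess

# Conservative subset of `git check-ref-format` rules (assumption).
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,199}$")
_PREFIX_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}/$")


def validate_ref(ref: str) -> str:
    """Accept only refs that cannot start with '-' or contain shell/path tricks."""
    if not _REF_RE.match(ref) or ".." in ref or ref.endswith((".", "/", ".lock")):
        raise ValueError("refusing suspicious ref %r" % ref)
    return ref


def snapshot_argv(ref: str, prefix: str, fmt: str = "tar") -> list:
    """argv for producing a snapshot archive of `ref`."""
    if fmt not in ("tar", "zip"):
        raise ValueError("unsupported archive format %r" % fmt)
    if not _PREFIX_RE.match(prefix):
        raise ValueError("bad archive prefix %r" % prefix)
    # '--' ends option parsing, so a ref such as "--output=/tmp/x" could never
    # be taken as an option even if the validator above were loosened.
    return ["git", "archive", "--format=" + fmt, "--prefix=" + prefix, "--", validate_ref(ref)]


def pickaxe_argv(search_term: str, ref: str = "HEAD") -> list:
    """argv for a pickaxe search ('git log -S<term>'). The term is glued to
    -S, so it is always an option value, and it travels as one argv element,
    so shell metacharacters inside it are never interpreted."""
    if "\0" in search_term or not 0 < len(search_term) <= 256:
        raise ValueError("bad search term")
    return ["git", "log", "--pretty=format:%H %s", "-S" + search_term, validate_ref(ref), "--"]


def run_git(argv: list, repo: str) -> bytes:
    """Execute with shell=False: each argv element reaches execve verbatim."""
    return subprocess.run(argv, cwd=repo, shell=False, check=True,
                          capture_output=True).stdout
```

Compare this with `os.system("git archive ... %s" % ref)` or any string-built command: there the same `' ; id'` or `$(id)` in a ref is a second command, while here it is at worst an invalid ref name.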

60. Red Hat SquirrelMail Package Session Management Vulnerability
BugTraq ID: 33354
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33354
Summary:
The Red Hat 'squirrelmail' package is prone to an authentication-bypass vulnerability because of a session-handling error introduced by patches provided by Red Hat Security Advisory RHSA-2009:0010.

Attackers can exploit this issue to hijack other users' sessions and obtain sensitive information that can aid in further attacks.

61. Adobe RoboHelp Server Help Errors Log Cross-Site Scripting and SQL-Injection Vulnerabilities
BugTraq ID: 30137
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/30137
Summary:
Adobe RoboHelp Server is prone to cross-site scripting and SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input.

A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

62. CUPS PNG Filter '_cupsImageReadPNG()' Integer Overflow Vulnerability
BugTraq ID: 32518
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/32518
Summary:
CUPS is prone to an integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied PNG image sizes before using them to allocate memory buffers.

Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts likely cause denial-of-service conditions.

Versions prior to CUPS 1.3.10 are vulnerable.
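
Added illustration for entry 62, not CUPS code. It assumes the overflowing quantity is the image buffer size computed from the IHDR width, height and bytes per pixel, the usual shape of this bug class, and shows the arithmetic a 32-bit reader performs next to a check that refuses to allocate when the product would wrap. The PNG prefix is constructed for the test; the pixel budget and the function names are mine.

```python
"""Guard the width x height x bytes-per-pixel product before allocating."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SAMPLES_PER_PIXEL = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples
UINT32_MAX = 0xFFFFFFFF
MAX_PIXELS = 1 << 26   # about 64 Mpixel: an assumed local policy cap


def build_png_prefix(width, height, bit_depth=8, colour_type=2) -> bytes:
    """Signature + IHDR chunk only, enough for a header parser (constructed)."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    chunk = b"IHDR" + body
    crc = zlib.crc32(chunk) & UINT32_MAX
    return PNG_SIGNATURE + struct.pack(">I", len(body)) + chunk + struct.pack(">I", crc)


def parse_ihdr(buf: bytes):
    """Return (width, height, bit_depth, colour_type) from a PNG prefix."""
    if buf[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    (length,) = struct.unpack(">I", buf[8:12])
    if length != 13 or buf[12:16] != b"IHDR":
        raise ValueError("first chunk must be a 13-byte IHDR")
    chunk = buf[12:29]
    (crc,) = struct.unpack(">I", buf[29:33])
    if zlib.crc32(chunk) & UINT32_MAX != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, ctype, _, _, _ = struct.unpack(">IIBBBBB", buf[16:29])
    if ctype not in SAMPLES_PER_PIXEL or depth not in (1, 2, 4, 8, 16):
        raise ValueError("bad colour type / bit depth")
    return width, height, depth, ctype


def bytes_per_pixel(depth, ctype) -> int:
    # Sub-byte depths are expanded to one byte per sample in memory here.
    return SAMPLES_PER_PIXEL[ctype] * max(depth, 8) // 8


def unchecked_buffer_size(width, height, depth, ctype) -> int:
    """What an unsigned 32-bit multiply yields: the number a vulnerable
    reader would hand to malloc() before copying width*height pixels."""
    return (width * height * bytes_per_pixel(depth, ctype)) & UINT32_MAX


def checked_buffer_size(width, height, depth, ctype) -> int:
    """Same product, but refused when it cannot be represented or is absurd."""
    bpp = bytes_per_pixel(depth, ctype)
    if width == 0 or height == 0:
        raise ValueError("zero image dimension")
    # Divide instead of multiply so the comparison itself cannot overflow.
    if width > MAX_PIXELS // height:
        raise ValueError("image exceeds pixel budget")
    if width * height > UINT32_MAX // bpp:
        raise ValueError("buffer size would overflow 32 bits")
    return width * height * bpp
```

A 65536 x 65536 RGB image declares 3 x 2^32 bytes; the wrapped 32-bit value is 0, so the unchecked path allocates nothing and then writes rows into it. The divide-before-multiply check catches that case, and the pixel budget catches the less dramatic one where the product fits but is still far larger than any legitimate print job.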

63. CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability
BugTraq ID: 31688
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/31688
Summary:
CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2' filter.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.

Successful remote exploits may require printer sharing to be enabled on the vulnerable system.

The issue affects versions prior to CUPS 1.3.9.

NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.

64. QEMU Multiple Local Vulnerabilities
BugTraq ID: 23731
Remote: No
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/23731
Summary:
QEMU is prone to multiple locally exploitable buffer-overflow and denial-of-service vulnerabilities. The buffer-overflow issues occur because the software fails to properly check boundaries of user-supplied input when copying it to insufficiently sized memory buffers. The denial-of-service issues stem from design errors.

Attackers may be able to exploit these issues to escalate privileges, execute arbitrary code, or trigger denial-of-service conditions in the context of the affected applications.

65. QEMU and KVM VNC Server Remote Denial of Service Vulnerability
BugTraq ID: 32910
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/32910
Summary:
QEMU and KVM are prone to a remote denial-of-service vulnerability that affects the included VNC server.

Attackers can exploit this issue to create a denial-of-service condition.

The following are vulnerable:

QEMU 0.9.1 and prior
KVM-79 and prior

66. QEMU VNC 'monitor.c' Insecure Password Vulnerability
BugTraq ID: 33020
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33020
Summary:
QEMU is prone to an insecure-password vulnerability.

Attackers may exploit this issue to make brute-force attacks against passwords that are weaker than expected.

QEMU 0.9.1 is vulnerable; other versions may also be affected.

67. QNX RTOS Malformed ELF Binary File Local Denial Of Service Vulnerability
BugTraq ID: 33352
Remote: No
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33352
Summary:
QNX RTOS is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users.

QNX RTOS 6.4.0 is vulnerable; other versions may also be affected.

68. Lynx URI Handlers Arbitrary Command Execution Vulnerability
BugTraq ID: 15395
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/15395
Summary:
Lynx is prone to a vulnerability that lets attackers execute arbitrary commands. This issue occurs because the application fails to properly sanitize user-supplied input.

A remote attacker can exploit this vulnerability by tricking a victim user into following a malicious link, thus enabling the attacker to execute arbitrary commands in the context of the victim user.

UPDATE (October 27, 2008): The fix for this issue did not disable the 'lynxcgi' handler when in 'advanced' mode. This may still be an issue if Lynx is called from the command line.

69. Lynx '.mailcap' and '.mime.type' Files Local Code Execution Vulnerability
BugTraq ID: 31917
Remote: No
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/31917
Summary:
Lynx is prone to a local code-execution vulnerability.

Successful exploits may allow attackers to execute arbitrary code within the context of the user running the affected application.

Versions prior to Lynx 2.8.6rel.4 are affected.

70. ActionCalendar 'admin.asp' Multiple SQL Injection Vulnerabilities
BugTraq ID: 33326
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33326
Summary:
ActionCalendar is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ActionCalendar 1.3 is vulnerable; other versions may also be affected.

71. BlogIt! 'index.asp' SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 33325
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33325
Summary:
BlogIt! is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

72. MetaProducts MetaTreeX ActiveX Control 'SaveToBMP()' Arbitrary File Overwrite Vulnerability
BugTraq ID: 33318
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33318
Summary:
MetaTreeX ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.

Successfully exploiting this issue will allow an attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

MetaTreeX ActiveX control 1.5.100 is vulnerable; other versions may also be affected.

73. WarHound Walking Club 'login.aspx' Multiple SQL Injection Vulnerabilities
BugTraq ID: 33317
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33317
Summary:
WarHound Walking Club is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

74. eFAQ Login SQL Injection Vulnerability
BugTraq ID: 33316
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33316
Summary:
eFAQ is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

75. Multiple AJ Classifieds Scripts 'index.php' Arbitrary File Upload Vulnerability
BugTraq ID: 33328
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33328
Summary:
Multiple AJ Classifieds scripts are prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the software fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

The following products are vulnerable:

AJ Classifieds Personals 3
AJ Classifieds Real Estate 3
AJ Classifieds For Sale 3

76. BibCiter Multiple SQL Injection Vulnerabilities
BugTraq ID: 33329
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33329
Summary:
BibCiter is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

BibCiter 1.4 is vulnerable; other versions may also be affected.

77. Active Bids Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
BugTraq ID: 33315
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33315
Summary:
Active Bids is prone to multiple SQL-injection issues and cross-site scripting issues because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Active Bids 3.5 is vulnerable; other versions may also be affected.

78. DMXReady Blog Manager 'inc_weblogmanager.asp' Cross-Site Scripting and SQL Injection Vulnerabilities
BugTraq ID: 33314
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33314
Summary:
DMXReady Blog Manager is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

79. LemonLDAP::NG User Enumeration Weakness and Cross Site Scripting Vulnerability
BugTraq ID: 33312
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33312
Summary:
LemonLDAP::NG is prone to a user-enumeration weakness and a cross-site scripting vulnerability.

A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.

The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to LemonLDAP::NG 0.9.3.2 are vulnerable.

80. KDE KDM Unspecified Local Denial Of Service Vulnerability
BugTraq ID: 26909
Remote: No
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/26909
Summary:
KDE KDM is prone to a local denial-of-service vulnerability.

Exploiting this issue allows local attackers to deny service to legitimate users.

Very few details are currently available regarding this issue. We will update this BID as information becomes available.

81. Sagem F@st 2404 Router 'restoreinfo.cgi' Unauthorized Access Vulnerability
BugTraq ID: 33323
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33323
Summary:
Sagem F@st 2404 is prone to an unauthorized-access vulnerability.

Attackers can exploit this issue to reset the router, resulting in a denial-of-service condition; other effects that could aid further attacks may also be possible.

82. eReservations Login SQL Injection Vulnerability
BugTraq ID: 33321
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33321
Summary:
eReservations is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

83. Simple PHP Newsletter 'olang' Parameter Multiple Local File Include Vulnerabilities
BugTraq ID: 33327
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33327
Summary:
Simple PHP Newsletter is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

Simple PHP Newsletter 1.5 is affected; other versions may also be vulnerable.
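
Added example covering the directory-traversal and local-file-include entries in this issue (the Oracle Containers for J2EE entry, entry 39 for Windows Mobile OBEX FTP, entry 43 for Ninja Blog's 'cat' parameter and entry 83 for the 'olang' parameter above); it is mine, not code from any of those products. It shows the two fixes that apply: an allowlist when the parameter really selects from a fixed set, and a containment check on the normalised path otherwise. The logic is pure string handling on POSIX paths; the /var/www base and the function names are constructed.

```python
"""Keep a user-supplied file name inside one directory."""
import os
import posixpath
import re

# A parameter that selects from a fixed set (a language code) should not be
# treated as a path at all: allowlist it.
_LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def select_language(olang: str, available=("en", "de", "fr")) -> str:
    if not _LANG_RE.match(olang) or olang not in available:
        raise ValueError("unknown language %r" % olang)
    return olang


def contained_path(base: str, user_path: str):
    """Return the normalised absolute path of user_path under base, or None
    if it would escape. Handles '..', absolute paths, backslashes (a
    separator on Windows hosts such as the OBEX case) and the '/base'
    versus '/base2' prefix trick."""
    if not user_path or "\0" in user_path:
        return None
    user_path = user_path.replace("\\", "/")
    base = posixpath.normpath(base)
    if posixpath.isabs(user_path):
        return None
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def resolve_on_disk(base: str, user_path: str):
    """The same check against the real filesystem, which additionally
    follows symlinks so a link inside base cannot point outside it."""
    real_base = os.path.realpath(base)
    target = contained_path(real_base, user_path)
    if target is None:
        return None
    real_target = os.path.realpath(target)
    if real_target != real_base and not real_target.startswith(real_base + os.sep):
        return None
    return real_target
```

Blocklisting "../" is what the affected products effectively did and is not enough: encoded, doubled or backslash forms slip through, and a check on the raw string says nothing about where the normalised path ends up. Decode the parameter fully first (see the UTF-8 example under entry 54), then test the resolved path, then open it.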

84. WarHound Ping IP 'admin.aspx' Multiple SQL Injection Vulnerabilities
BugTraq ID: 33319
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33319
Summary:
WarHound Ping IP is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

85. Sophos TAO/Remote Management System (RMS) GIOP Message Remote Denial of Service Vulnerability
BugTraq ID: 33313
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33313
Summary:
Sophos Remote Management System (RMS) is prone to a denial-of-service vulnerability because the application fails to handle very large or corrupt GIOP messages.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

Versions prior to RMS 3.0.9 are vulnerable.
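
Added illustration for entry 85, not Sophos or TAO code: a parser for the standard CORBA GIOP message header (magic, version, flags, message type, 32-bit message size) that validates every field and caps the declared size before anything is read or allocated on its basis, which is the check a receiver needs against the "very large or corrupt" messages the entry describes. The size cap and function names are mine; the messages are constructed for the test.

```python
"""Validate a GIOP message header before trusting its length field."""
import struct

GIOP_HEADER_LEN = 12
MAX_BODY = 1 << 20            # 1 MiB per message: a per-deployment policy, assumed
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}


class GiopError(ValueError):
    pass


def parse_giop_header(buf: bytes) -> dict:
    if len(buf) < GIOP_HEADER_LEN:
        raise GiopError("short header (%d bytes)" % len(buf))
    magic, major, minor, flags, mtype = struct.unpack(">4sBBBB", buf[:8])
    if magic != b"GIOP":
        raise GiopError("bad magic %r" % magic)
    if major != 1 or minor > 2:
        raise GiopError("unsupported GIOP version %d.%d" % (major, minor))
    little_endian = bool(flags & 0x01)     # GIOP 1.0 names this byte byte_order
    (size,) = struct.unpack("<I" if little_endian else ">I", buf[8:12])
    if mtype not in MESSAGE_TYPES or (minor == 0 and mtype == 7):
        raise GiopError("bad message type %d" % mtype)
    if size > MAX_BODY:
        raise GiopError("declared body %d exceeds cap %d" % (size, MAX_BODY))
    return {"version": (major, minor), "little_endian": little_endian,
            "fragmented": bool(flags & 0x02), "type": MESSAGE_TYPES[mtype], "size": size}


def read_giop_message(buf: bytes):
    """Split one complete message off the front of buf, returning
    (header, body, remainder); raise on anything malformed so a corrupt
    size can never drive an oversized read or allocation."""
    header = parse_giop_header(buf)
    end = GIOP_HEADER_LEN + header["size"]
    if len(buf) < end:
        raise GiopError("truncated body: have %d, need %d"
                        % (len(buf) - GIOP_HEADER_LEN, header["size"]))
    return header, buf[GIOP_HEADER_LEN:end], buf[end:]


def build_giop(mtype: int, body: bytes, minor=2, little_endian=False) -> bytes:
    """Construct a message for testing."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return b"GIOP" + bytes([1, minor, flags, mtype]) + size + body
```

On a real socket the receiver reads exactly twelve bytes, runs parse_giop_header, and only then reads the declared body length; a declared size of 0xFFFFFFFF is rejected at the header stage rather than becoming a 4 GiB allocation or an endless wait for data that never arrives.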

86. Syslserve Remote Denial of Service Vulnerability
BugTraq ID: 33311
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33311
Summary:
Syslserve is prone to a denial-of-service vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

The issue affects Syslserve 1.058; other versions may also be affected.

87. w3bcms 'admin/index.php' SQL Injection Vulnerability
BugTraq ID: 33310
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33310
Summary:
The 'w3bcms' application is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

88. Masir Camp 'SearchKeywords' Parameter SQL Injection Vulnerability
BugTraq ID: 33309
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33309
Summary:
Masir Camp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
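
Added example for the SQL-injection entries in this issue (the login forms of entries 74 and 82, search parameters such as entry 88's 'SearchKeywords', and sort parameters like entry 97's 'OrderDirection'); it is mine, run on sqlite3, not code from any of the listed products. It puts the string-built query that these entries describe next to its parameterised form, and covers the two cases binding alone does not solve: LIKE wildcards in a search term, and keywords or identifiers that cannot be bound at all. The schema, rows and function names are constructed.

```python
"""String-built versus parameterised queries on an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users(name, password, is_admin) VALUES ('admin', 'correct horse', 1);
        INSERT INTO users(name, password, is_admin) VALUES ('alice', 'hunter2', 0);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO posts(title) VALUES ('Camp schedule');
        INSERT INTO posts(title) VALUES ('100% cotton tents');
    """)
    return con


def login_vulnerable(con, name, password):
    """The pattern every 'Login SQL Injection' entry above describes: the
    submitted values become part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, name, password):
    """Bound parameters: the values are data, never SQL."""
    row = con.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row[0] if row else None


def search_safe(con, keywords):
    """Binding keeps the term out of the SQL, but LIKE still interprets
    '%' and '_' inside it; escape those so the user matches literally."""
    escaped = (keywords.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    rows = con.execute("SELECT title FROM posts WHERE title LIKE ? ESCAPE '\\'",
                       ("%" + escaped + "%",)).fetchall()
    return [r[0] for r in rows]


_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users(con, order_direction):
    """ORDER BY direction (like column names) is syntax, not data, and cannot
    be a bound parameter; map it through an allowlist instead."""
    direction = _DIRECTIONS.get(order_direction.lower())
    if direction is None:
        raise ValueError("bad sort direction %r" % order_direction)
    return [r[0] for r in con.execute("SELECT name FROM users ORDER BY name " + direction)]
```

With the password field set to `' OR '1'='1`, the vulnerable login's WHERE clause becomes `(name = 'admin' AND password = '') OR '1'='1'`, which is true for every row, so the first user, admin, is returned; the parameterised version compares the password column against that literal string and finds nothing.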

89. Microsoft Windows SMB NT Trans2 Remote Code Execution Vulnerability
BugTraq ID: 33122
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33122
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability that occurs in the SMB (Server Message Block) protocol implementation.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

90. FFmpeg File Parsing Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 33308
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33308
Summary:
FFmpeg is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

FFmpeg 0.4.9 is affected; other versions may also be vulnerable.

91. Fujitsu Systemcast Wizard Lite PXE Request Remote Buffer Overflow Vulnerability
BugTraq ID: 33342
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33342
Summary:
Fujitsu Systemcast Wizard Lite is prone to a remote stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied input.

Attackers can leverage this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will compromise the application and the underlying computer. Failed attacks will cause denial-of-service conditions.

Systemcast Wizard Lite 2.0A and prior are vulnerable.

92. Symantec AppStream Client 'LaunchObj' ActiveX Control Arbitrary File Download Vulnerability
BugTraq ID: 33247
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33247
Summary:
Symantec AppStream Client is prone to a vulnerability that can allow malicious files to be downloaded and saved to arbitrary locations on an affected computer.

93. ICEsoft Technologies ICEbrowser Remote Denial of Service Vulnerability
BugTraq ID: 33307
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33307
Summary:
ICEsoft Technologies ICEbrowser is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue by enticing an unsuspecting victim to view a malicious web page.

Successfully exploiting this issue may cause the application and the underlying operating system to crash and restart, denying service to legitimate users.

ICEbrowser 6.1.2 running on Novell NetWare 6.5 is affected. Other versions running on different platforms may also be affected.

94. Active Auction 'search' Parameter SQL Injection and Cross Site Scripting Vulnerabilities
BugTraq ID: 33306
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33306
Summary:
Active Auction House and Active Auction Pro are prone to SQL-injection and cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

95. RankEm 'rankup.asp' Cookie Manipulation and Cross Site Scripting Vulnerabilities
BugTraq ID: 33324
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33324
Summary:
RankEm is prone to a cookie-manipulation vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to masquerade as another user and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

96. Oracle January 2009 Critical Patch Update Multiple Vulnerabilities
BugTraq ID: 33177
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33177
Summary:
Oracle has released the January 2009 critical patch update. The update addresses 41 vulnerabilities affecting the following software:

Oracle Database
Oracle Secure Backup
Oracle TimesTen In-Memory Database
Oracle Application Server
Oracle Collaboration Suite
Oracle E-Business Suite Release
Oracle Enterprise Manager Grid Control
PeopleSoft Enterprise HRMS
JD Edwards Tools
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle WebLogic Portal (formerly BEA WebLogic Portal)

97. LinksPro 'OrderDirection' Parameter SQL Injection Vulnerability
BugTraq ID: 33305
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33305
Summary:
LinksPro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

98. Drupal Security Bypass Vulnerability and SQL Injection Weakness
BugTraq ID: 33285
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33285
Summary:
Drupal is prone to a security-bypass vulnerability and a weakness that attackers can leverage to launch SQL-injection attacks.

Exploiting these issues may allow attackers to gain access to sensitive areas of the application without the appropriate privileges or to perform SQL-injection attacks and carry out unauthorized actions on the underlying database.

Versions prior to Drupal 5.15 and 6.9 are vulnerable. Note that the security-bypass issue affects only Drupal 6.x.

99. Linux Kernel 'keyctl_join_session_keyring()' Denial of Service Vulnerability
BugTraq ID: 33339
Remote: No
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33339
Summary:
The Linux kernel is prone to a denial-of-service vulnerability because it fails to manage memory in a proper manner.

Attackers can exploit this issue to cause a crash by exhausting memory resources.

This issue affects Linux kernel 2.6.x.

100. OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability
BugTraq ID: 33150
Remote: Yes
Last Updated: 2009-01-19
Relevant URL: http://www.securityfocus.com/bid/33150
Summary:
OpenSSL is prone to a signature-verification vulnerability.

An attacker would likely leverage this issue by first carrying out a man-in-the-middle attack. The attacker would most likely exploit this issue to conduct phishing attacks or to impersonate legitimate sites. Other attacks are likely possible.

Releases prior to OpenSSL 0.9.8j are affected.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Group releases list to kill most-dangerous bugs
By: Robert Lemos
Software makers, security vendors, and government agencies team up to create a list of the 25 most severe software issues, aiming to get developers to stop making mistakes.
http://www.securityfocus.com/news/11542

2. Group attacks flaw in browser crypto security
By: Robert Lemos
A group of researchers warns browser makers and certificate authorities to drop support for MD5 digital signatures, after successfully creating a fake, but valid, certificate.
http://www.securityfocus.com/news/11541

3. Commission calls for cybersecurity czar
By: Robert Lemos
A group of technology and government experts warns that, without significant changes to the U.S. approach to cyberspace, foreign companies and other nations will continue to steal valuable technologies.
http://www.securityfocus.com/news/11540

4. Microsoft hopes free security means less malware
By: Robert Lemos
The software giant says shutting down Windows Live OneCare to release the software as a free tool could make consumers more secure.
http://www.securityfocus.com/news/11538

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #427
http://www.securityfocus.com/archive/88/500135

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------