SecurityFocus Newsletter #501
----------------------------------------
This issue is sponsored by Thawte
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs
------------------------------------------------------------------
I. FRONT AND CENTER
1. Projecting Borders into Cyberspace
2. Celebrity Viruses Improve Security
II. BUGTRAQ SUMMARY
1. Adobe Reader 'spell.customDictionaryOpen()' JavaScript Function Remote Code Execution Vulnerability
2. FreeType Multiple Integer Overflow Vulnerabilities
3. Linux Kernel 'NFS filename' Local Denial of Service Vulnerability
4. Linux Kernel 'kill_something_info()' Local Denial of Service Vulnerability
5. Linux Kernel Audit System 'audit_syscall_entry()' System Call Security Bypass Vulnerability
6. Linux Kernel 'locks_remove_flock()' Local Race Condition Vulnerability
7. Linux Kernel Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness
8. Linux Kernel 'seccomp' System Call Security Bypass Vulnerability
9. Linux Kernel Console Selection Local Privilege Escalation Vulnerability
10. Cisco Unified Communications Manager CTI Service Denial of Service Vulnerability
11. Linux Kernel 'exit_notify()' CAP_KILL Verification Local Privilege Escalation Vulnerability
12. Multiple Trend Micro Products RAR/ZIP/CAB Files Scan Evasion Vulnerability
13. FFmpeg 'libavformat/4xm.c' Remote Code Execution Vulnerability
14. FFmpeg File Parsing Multiple Buffer Overflow Vulnerabilities
15. MPlayer TwinVQ Handling Stack Buffer Overflow Vulnerability
16. Microsoft Windows Explorer saved-search File Remote Code Execution Vulnerability
17. Pablo Software Solutions Quick 'n Easy Web Server Directory Traversal Vulnerability
18. DBD::Pg BYTEA Values Memory Leak Denial of Service Vulnerability
19. DBD::Pg 'pg_getline()' and 'getline()' Heap Buffer Overflow Vulnerabilities
20. TIBCO SmartSockets RTserver Stack Buffer Overflow Vulnerability
21. WebSPELL 'picture.php' Local File Disclosure Vulnerability
22. MIM:InfiniX Multiple SQL Injection Vulnerabilities
23. VisionLMS 'changePW.php' Remote Password Change Vulnerability
24. Multiple Symantec Products Alert Management System Console Arbitrary Code Execution Vulnerability
25. Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability
26. Citrix Licensing License Server Unspecified Security Vulnerability
27. Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
28. Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability
29. Multiple China-on-site.com Products Username and Password SQL Injection Vulnerabilities
30. Joomla HBS Multiple Components 'showhoteldetails' SQL Injection Vulnerability
31. Symantec Brightmail Gateway Control Center Cross Site Scripting Vulnerability
32. Symantec Brightmail Gateway Control Center Remote Privilege Escalation Vulnerability
33. Gowon Designs Leap Multiple Input Validation Vulnerabilities
34. LimeSurvey '/admin/remotecontrol' Remote Code Execution Vulnerability
35. Tiger DMS Login SQL Injection Vulnerability
36. GnuTLS Prior to 2.6.6 Multiple Remote Vulnerabilities
37. Coppermine Photo Gallery 'css' Parameter Cross-Site Scripting Vulnerability
38. Zubrag Smart File Download 'download.php' File Download Security Bypass Vulnerability
39. Baby Web Server URL File Disclosure Vulnerability
40. S-CMS 'plugin.php' Local File Include Vulnerability
41. Google Chrome 'throw()' function Null Pointer Dereference Remote Denial of Service Vulnerability
42. Mpegable Player '.YUV' File Remote Stack Buffer Overflow Vulnerability
43. Drupal Node Access User Reference Module Security Bypass Vulnerability
44. News Page Drupal Module Unspecified SQL Injection Vulnerability
45. Sun Solaris DTrace Handler IOCTL Request Multiple Local Denial of Service Vulnerabilities
46. Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
47. Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
48. Drupal HTML Injection and Information Disclosure Vulnerabilities
49. Exif Drupal Module HTML Injection Vulnerability
50. udev Netlink Message Validation Local Privilege Escalation Vulnerability
51. Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability
52. Symantec WinFax Pro 'DCCFAXVW.DLL' Heap Buffer Overflow Vulnerability
53. Microsoft Windows Media Components ISATAP URL Handling Information Disclosure Vulnerability
54. Microsoft Windows Media Components 'Service Principle Name' Remote Code Execution Vulnerability
55. eLitius 'banner-details.php' SQL Injection Vulnerability
56. GNU Tar Invalid Headers Buffer Overflow Vulnerability
57. Ubuntu Apport Local Arbitrary File Deletion Vulnerability
58. OpenSSL Multiple Vulnerabilities
59. McAfee Products RAR/ZIP Files Scan Evasion Vulnerability
60. SCO UnixWare IGMP Driver Unspecified Denial Of Service Vulnerability
61. JBC Explorer Auth.Inc.PHP Authentication Bypass Vulnerability
62. IBM Tivoli Continuous Data Protection for Files Insecure Default Permissions Vulnerability
63. Adobe Flash Media Server Unspecified RPC Call Privilege Escalation Vulnerability
64. BaoFeng Storm ActiveX Control 'OnBeforeVideoDownload()' Buffer Overflow Vulnerability
65. Mercury Audio Player '.m3u' File Remote Stack Buffer Overflow Vulnerability
66. doop Index.php Local File Include Vulnerability
67. Kaspersky Online Scanner KAVWebScan.DLL ActiveX Control Format String Vulnerability
68. NVClock Local Privilege Escalation Vulnerability
69. Apache Tomcat Accept-Language Cross Site Scripting Vulnerability
70. Linux Kernel CPUSet Tasks Memory Leak Information Disclosure Vulnerability
71. Sun Java Web Start Unauthorized Access Vulnerability
72. Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability
73. Microsoft Windows Vista Neighbor Discovery Spoofing Vulnerability
74. Adobe Acrobat and Reader Unspecified Remote Heap Memory Corruption Vulnerability
75. Cisco IOS Multiple Features UDP Packet Denial of Service Vulnerability
76. Linux Kernel 'do_splice_from()' Local Security Bypass Vulnerability
77. Cisco IOS NAT Skinny Call Control Protocol Multiple Remote Denial of Service Vulnerabilities
78. Cisco IOS AIC HTTP Transit Packet Remote Denial of Service Vulnerability
79. ProjectCMS 'sn' Parameter SQL Injection Vulnerability
80. HP Enterprise Discovery Unspecified Remote Privilege Escalation Vulnerability
81. HP OpenView Network Node Manager HTTP Request Multiple Buffer Overflow Vulnerabilities
82. Samba Group Mappings File Insecure Permissions Local Security Vulnerability
83. Ruby REXML Remote Denial Of Service Vulnerability
84. JBoss Enterprise Application Platform Information Disclosure Vulnerability
85. Apple Safari Automatic File Launch Remote Code Execution Vulnerability
86. Multiple ESET Products CAB File Scan Evasion Vulnerability
87. LevelOne AMG-2000 Security Bypass Vulnerability
88. Linux Kernel RLIMIT_CPU Zero Limit Handling Local Security Bypass Vulnerability
89. Linksys WRT54G Wireless-G Router Multiple Remote Authentication Bypass Vulnerabilities
90. TorrentTrader 'msg' Parameter HTML Injection Vulnerability
91. GFL SDK Library Buffer Overflow Vulnerability
92. TikiWiki CMS 'tiki-listmovies.php' Directory Traversal Vulnerability
93. DotNetNuke PayPal IPN 'paypalipn.aspx' Cross-Site Scripting Vulnerability
94. IBM Informix Dynamic Server Multiple Vulnerabilities
95. GScripts.net DNS Tools 'dig.php' Remote Command Execution Vulnerability
96. Ghostscript Multiple Input Validation and Integer Overflow Vulnerabilities
97. Ghostscript 'CCITTFax' Decoding Filter Denial of Service Vulnerability
98. Microsoft Internet Explorer 'EMBED' Tag Uninitialized Memory Remote Code Execution Vulnerability
99. Memcached and MemcacheDB ASLR Information Disclosure Weakness
100. @Mail 'admin.php' Cross-Site Scripting Vulnerabilities
III. SECURITYFOCUS NEWS
1. Browsers bashed first in hacking contest
2. Experts: U.S. needs to defend its "cyber turf"
3. Advisor: U.S. needs policy to defend cyberspace
4. Cabal forms to fight Conficker, offers bounty
IV. SECURITY JOBS LIST SUMMARY
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #441
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
1. curuncula dbr rootkit detection tool
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Projecting Borders into Cyberspace
By Jeffrey Carr
Two recent stories of significant cyber attacks come close to blaming the Chinese for the intrusions but stop short.
http://www.securityfocus.com/columnists/500
2. Celebrity Viruses Improve Security
By Adam O'Donnell
Every so often, a computer virus becomes more than just a novelty for anti-virus researchers and moves into the consciousness of the mass media, even if it's not a grave threat.
http://www.securityfocus.com/columnists/499
II. BUGTRAQ SUMMARY
--------------------
1. Adobe Reader 'spell.customDictionaryOpen()' JavaScript Function Remote Code Execution Vulnerability
BugTraq ID: 34740
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34740
Summary:
Adobe Reader is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
Reader 8.1.4 for Linux is vulnerable; other versions or platforms may also be affected.
UPDATE (April 30, 2009): Further information from the reporter states that the issue does not affect Reader 9.1; only 8.1.4 is affected.
2. FreeType Multiple Integer Overflow Vulnerabilities
BugTraq ID: 34550
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34550
Summary:
FreeType is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied input.
Successful exploits may allow attackers to execute arbitrary code in the context of applications that use the affected library. Failed exploit attempts will likely result in denial-of-service conditions.
These issues affect FreeType 2.3.9; other versions may also be affected.
3. Linux Kernel 'NFS filename' Local Denial of Service Vulnerability
BugTraq ID: 34390
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34390
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to trigger a kernel oops, resulting in a denial-of-service condition.
4. Linux Kernel 'kill_something_info()' Local Denial of Service Vulnerability
BugTraq ID: 34558
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34558
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to signal all processes on the affected computer, resulting in a denial-of-service condition.
The Linux Kernel 2.6.24 through 2.6.27.12 are vulnerable.
5. Linux Kernel Audit System 'audit_syscall_entry()' System Call Security Bypass Vulnerability
BugTraq ID: 33951
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33951
Summary:
The Linux kernel is prone to a local security-bypass vulnerability.
A local attacker may be able to exploit this issue to bypass audit mechanisms imposed on system calls. This may allow malicious behavior to escape notice.
6. Linux Kernel 'locks_remove_flock()' Local Race Condition Vulnerability
BugTraq ID: 33237
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33237
Summary:
The Linux kernel is prone to a local race-condition vulnerability because it fails to properly handle POSIX locks.
A local attacker may exploit this issue to crash the computer or gain elevated privileges.
7. Linux Kernel Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness
BugTraq ID: 33906
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33906
Summary:
The Linux kernel is prone to an origin-validation weakness when dealing with signal handling.
This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process.
A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.
Linux kernel 2.6.28 is vulnerable; other versions may also be affected.
8. Linux Kernel 'seccomp' System Call Security Bypass Vulnerability
BugTraq ID: 33948
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33948
Summary:
The Linux kernel is prone to a local security-bypass vulnerability.
A local attacker may be able to exploit this issue to bypass access control and make restricted system calls, which may result in an elevation of privileges.
9. Linux Kernel Console Selection Local Privilege Escalation Vulnerability
BugTraq ID: 33672
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33672
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability.
A local attacker can exploit this issue to execute arbitrary code with elevated privileges or crash the affected kernel, denying service to legitimate users.
Versions prior to Linux kernel 2.6.28.4 are vulnerable.
10. Cisco Unified Communications Manager CTI Service Denial of Service Vulnerability
BugTraq ID: 29933
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/29933
Summary:
Cisco Unified Communications Manager is prone to a denial-of-service vulnerability because it fails to handle malformed input.
An attacker can exploit this issue to cause an interruption in voice services.
This issue is documented by Cisco Bug ID CSCso75027.
11. Linux Kernel 'exit_notify()' CAP_KILL Verification Local Privilege Escalation Vulnerability
BugTraq ID: 34405
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34405
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability.
A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer.
Versions prior to Linux kernel 2.6.29-git14 are vulnerable.
12. Multiple Trend Micro Products RAR/ZIP/CAB Files Scan Evasion Vulnerability
BugTraq ID: 34763
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34763
Summary:
Multiple Trend Micro products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine.
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.
ServerProtect for Microsoft Windows/Novell NetWare
ServerProtect for EMC Celerra
ServerProtect for NetApp
ServerProtect for Linux
ServerProtect for Network Appliance Filers
Internet Security Pro Internet Security
OfficeScan Component
Worry Free Business Security - Standard
Worry Free Business Security - Advanced
Worry Free Business Security Hosted
Housecall
InterScan Web Security Suite
InterScan Web Protect for ISA
InterScan Messaging Security Appliance
Neatsuite Advanced
ScanMail for Exchange
ScanMail for Domino Suites
13. FFmpeg 'libavformat/4xm.c' Remote Code Execution Vulnerability
BugTraq ID: 33502
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33502
Summary:
FFmpeg is prone to a remote code-execution vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to FFmpeg trunk revision 16846 are vulnerable.
14. FFmpeg File Parsing Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 33308
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33308
Summary:
FFmpeg is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
FFmpeg 0.4.9 is affected; other versions may also be vulnerable.
15. MPlayer TwinVQ Handling Stack Buffer Overflow Vulnerability
BugTraq ID: 32822
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/32822
Summary:
MPlayer is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
This issue affects MPlayer 1.0rc2; other versions may also be affected.
16. Microsoft Windows Explorer saved-search File Remote Code Execution Vulnerability
BugTraq ID: 30109
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/30109
Summary:
Microsoft Windows Explorer is prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow attackers to execute arbitrary code with the privileges of the user running the affected application.
17. Pablo Software Solutions Quick 'n Easy Web Server Directory Traversal Vulnerability
BugTraq ID: 34758
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34758
Summary:
Quick 'n Easy Web Server is prone to a directory-traversal vulnerability.
An attacker can exploit this issue to obtain sensitive information that may lead to other attacks.
Quick 'n Easy Web Server 3.3.5 is vulnerable; other versions may also be affected.
18. DBD::Pg BYTEA Values Memory Leak Denial of Service Vulnerability
BugTraq ID: 34757
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34757
Summary:
DBD::Pg is prone to a denial-of-service vulnerability caused by a memory leak when handling BYTEA data.
Successful exploits may allow remote attackers to cause denial-of-service conditions on computers running the affected software.
DBD::Pg 1.49 as distributed with Debian 4.0 is vulnerable; other versions may also be affected.
19. DBD::Pg 'pg_getline()' and 'getline()' Heap Buffer Overflow Vulnerabilities
BugTraq ID: 34755
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34755
Summary:
DBD::Pg is prone to multiple heap-based buffer-overflow vulnerabilities that occur because the application fails to perform adequate boundary checks on user-supplied data.
Attackers may be able to exploit these issues to execute arbitrary code within the context of an application that uses the vulnerable module. Failed exploit attempts will result in a denial-of-service condition.
DBD::Pg 1.49 as distributed with Debian 4.0 is vulnerable; other versions may also be affected.
20. TIBCO SmartSockets RTserver Stack Buffer Overflow Vulnerability
BugTraq ID: 34754
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34754
Summary:
TIBCO SmartSockets is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of affected computers. Failed exploit attempts will likely crash the affected application, denying service to legitimate users.
Versions prior to SmartSockets 6.8.2 are vulnerable.
21. WebSPELL 'picture.php' Local File Disclosure Vulnerability
BugTraq ID: 34751
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34751
Summary:
WebSPELL is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
This issue may be related to the vulnerability described in BID 23348 (WebSpell Picture.PHP Multiple Local File Include Vulnerabilities).
WebSPELL 4.2.0d is vulnerable; other versions may also be affected.
22. MIM:InfiniX Multiple SQL Injection Vulnerabilities
BugTraq ID: 34750
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34750
Summary:
MIM:InfiniX is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
MIM:InfiniX 1.2.003 is vulnerable; other versions may also be affected.
23. VisionLMS 'changePW.php' Remote Password Change Vulnerability
BugTraq ID: 34749
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34749
Summary:
VisionLMS is prone to a vulnerability that may permit an attacker to change the password of arbitrary users.
Exploiting this issue may allow the attacker to gain unauthorized access to the affected application. Successful exploits will completely compromise victims' accounts.
VisionLMS 1.0 is vulnerable; other versions may also be affected.
24. Multiple Symantec Products Alert Management System Console Arbitrary Code Execution Vulnerability
BugTraq ID: 34675
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34675
Summary:
Multiple Symantec products are prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow an attacker to execute arbitrary code with SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will result in a denial-of-service condition.
25. Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 34761
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34761
Summary:
Citrix Web Interface is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Citrix Web Interface 4.6, 5.0, and 5.0.1 are vulnerable.
26. Citrix Licensing License Server Unspecified Security Vulnerability
BugTraq ID: 34759
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34759
Summary:
Citrix Licensing is prone to an unspecified vulnerability affecting Citrix License Server.
The impact of this vulnerability is currently unknown.
Very few details are available regarding this issue. We will update this BID as more information emerges.
Citrix Licensing 11.5 is vulnerable.
27. Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
BugTraq ID: 7254
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/7254
Summary:
Apache web servers are prone to a denial of service condition. This is due to how Apache handles excessive amounts of consecutive linefeed characters, which may cause the server to allocate large amounts of memory, resulting in a denial of service.
28. Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability
BugTraq ID: 11182
Remote: No
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/11182
Summary:
Reportedly the Apache Web Server is affected by a configuration file environment variable local buffer overflow vulnerability. This issue is due to a failure of the affected application to validate user-supplied string lengths before copying them into finite process buffers.
An attacker may leverage this issue to execute arbitrary code on the affected computer with the privileges of the Apache Web Server process.
29. Multiple China-on-site.com Products Username and Password SQL Injection Vulnerabilities
BugTraq ID: 32810
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/32810
Summary:
Multiple China-on-site.com products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
FlexPHPNews 0.0.6
FlexPHPNews Pro 0.0.6
FlexPHPDirectory 0.0.1
FlexPHPSite 0.0.1
FlexPHPLink Pro 0.0.7
Flexcustomer 0.0.6
FlexPHPic 0.0.4
FlexPHPic Pro 0.0.3
Other versions may also be affected.
30. Joomla HBS Multiple Components 'showhoteldetails' SQL Injection Vulnerability
BugTraq ID: 32952
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/32952
Summary:
Multiple Joomla HBS components are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the applications, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following components are vulnerable; other components may also be affected:
'com_tophotelmodule' 1.0
'com_lowcosthotels'
'com_allhotels'
'com_5starhotels'
31. Symantec Brightmail Gateway Control Center Cross Site Scripting Vulnerability
BugTraq ID: 34641
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34641
Summary:
Symantec Brightmail Gateway is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Versions prior to Brightmail Gateway 8.0.1 are vulnerable.
32. Symantec Brightmail Gateway Control Center Remote Privilege Escalation Vulnerability
BugTraq ID: 34639
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34639
Summary:
Symantec Brightmail Gateway is prone to a remote privilege-escalation vulnerability.
Remote authorized attackers who have access to the targeted host's local network can exploit this issue to gain elevated access. Successful exploits may compromise the affected computer and may aid in other attacks.
Versions prior to Brightmail Gateway 8.0.1 are vulnerable.
33. Gowon Designs Leap Multiple Input Validation Vulnerabilities
BugTraq ID: 34787
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34787
Summary:
Gowon Designs Leap is prone to multiple security vulnerabilities because the application fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, compromise the application, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
Leap 0.1.4 is vulnerable; other versions may also be affected.
34. LimeSurvey '/admin/remotecontrol' Remote Code Execution Vulnerability
BugTraq ID: 34785
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34785
Summary:
LimeSurvey is prone to a remote code-execution vulnerability because the software fails to adequately sanitize user-supplied input.
Exploiting this issue could allow an attacker to execute arbitrary code in the context of the vulnerable application and obtain sensitive information.
LimeSurvey 1.80RC4, 1.80, 1.80+, 1.81, 1.81+ are vulnerable.
35. Tiger DMS Login SQL Injection Vulnerability
BugTraq ID: 34775
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34775
Summary:
Tiger DMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
36. GnuTLS Prior to 2.6.6 Multiple Remote Vulnerabilities
BugTraq ID: 34783
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34783
Summary:
GnuTLS is prone to multiple remote vulnerabilities:
- A remote code-execution vulnerability.
- A denial-of-service vulnerability
- A signature-generation vulnerability.
- A signature-verification vulnerability.
An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
Versions prior to GnuTLS 2.6.6 are vulnerable.
37. Coppermine Photo Gallery 'css' Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 34782
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34782
Summary:
Coppermine Photo Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Coppermine Photo Gallery 1.4.22 are vulnerable.
38. Zubrag Smart File Download 'download.php' File Download Security Bypass Vulnerability
BugTraq ID: 34773
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34773
Summary:
Zubrag Smart File Download is prone to a vulnerability that lets attackers bypass intended security restrictions. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to bypass intended restrictions and download additional files, which may aid in further attacks.
Smart File Download 1.3 is vulnerable; other versions may also be affected.
39. Baby Web Server URL File Disclosure Vulnerability
BugTraq ID: 34772
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34772
Summary:
Baby Web Server is prone to a vulnerability that lets attackers obtain potentially sensitive information because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files with the privileges of the webserver process. Information obtained may aid in further attacks.
Baby Web Server 2.7.2 is vulnerable; other versions may also be affected.
40. S-CMS 'plugin.php' Local File Include Vulnerability
BugTraq ID: 34771
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34771
Summary:
S-CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
S-CMS 1.1 Stable is vulnerable; other versions may also be affected.
41. Google Chrome 'throw()' function Null Pointer Dereference Remote Denial of Service Vulnerability
BugTraq ID: 34786
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34786
Summary:
Google Chrome is prone to a remote denial-of-service vulnerability caused by a NULL-pointer deference.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
Google Chrome 1.0.154.53 is vulnerable; other versions may also be affected.
42. Mpegable Player '.YUV' File Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 34770
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34770
Summary:
Mpegable Player is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Mpegable Player 2.12 is vulnerable; other versions may also be affected.
43. Drupal Node Access User Reference Module Security Bypass Vulnerability
BugTraq ID: 34778
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34778
Summary:
The Node Access User Reference module for Drupal is prone to a security-bypass vulnerability that may allow attackers to gain access to sensitive areas of the application.
This issue affects versions prior to 5.x-2.0-beta4 and 6.x-2.0-beta6.
44. News Page Drupal Module Unspecified SQL Injection Vulnerability
BugTraq ID: 34777
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34777
Summary:
News Page is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to News Page 5.x-1.2 are vulnerable.
45. Sun Solaris DTrace Handler IOCTL Request Multiple Local Denial of Service Vulnerabilities
BugTraq ID: 34753
Remote: No
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34753
Summary:
Sun Solaris is prone to multiple local denial-of-service vulnerabilities.
An attacker can exploit these issues to cause a system panic, denying service to legitimate users.
Very few technical details are currently available. We will update this BID as more information emerges.
These issues affect Solaris 10 and OpenSolaris builds snv_01 through snv_113.
46. Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability
BugTraq ID: 32204
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/32204
Summary:
Microsoft XML Core Services (MSXML) is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy.
An attacker can exploit this issue to harvest potentially sensitive information from a web page in another domain. Information obtained may aid in further attacks.
47. Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability
BugTraq ID: 32155
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/32155
Summary:
Microsoft XML Core Services (MSXML) is prone to a cross-domain information-disclosure vulnerability because the application fails to properly handle certain error checks.
An attacker can exploit this issue to harvest potentially sensitive information from a web page in another domain. Information obtained may aid in further attacks.
48. Drupal HTML Injection and Information Disclosure Vulnerabilities
BugTraq ID: 34779
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34779
Summary:
Drupal is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability.
An attacker may leverage these issues to obtain potentially sensitive information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
These issues affect the following:
Drupal 5.x (prior to 5.17)
Drupal 6.x (prior to 6.11)
49. Exif Drupal Module HTML Injection Vulnerability
BugTraq ID: 34774
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34774
Summary:
The Exif module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
The following are vulnerable:
Exif 5.x prior to 5.x-1.2
Exif 6.x-1.x-dev prior to the release on April 13, 2009
50. udev Netlink Message Validation Local Privilege Escalation Vulnerability
BugTraq ID: 34536
Remote: No
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34536
Summary:
The 'udev' Linux application is prone to a local privilege-escalation vulnerability because it fails to properly handle netlink messages.
Local attackers may exploit this issue to gain elevated privileges, which may lead to a complete compromise of the system.
Versions prior to udev 141 are vulnerable.
51. Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability
BugTraq ID: 28833
Remote: No
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/28833
Summary:
Microsoft Windows is prone to a privilege-escalation vulnerability.
Successful exploits may allow authenticated users to elevate their privileges to NetworkService. This allows attackers to execute code with elevated privileges and aids in further exploits.
52. Symantec WinFax Pro 'DCCFAXVW.DLL' Heap Buffer Overflow Vulnerability
BugTraq ID: 34766
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34766
Summary:
Symantec WinFax Pro ActiveX control is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
Symantec WinFax Pro 10.03 is vulnerable; other versions may also be affected.
53. Microsoft Windows Media Components ISATAP URL Handling Information Disclosure Vulnerability
BugTraq ID: 32654
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/32654
Summary:
Microsoft Windows Media Components is prone to an information-disclosure vulnerability when handling 'ISATAP' (Intra-Site Automatic Tunnel Addressing Protocol) URLs.
An attacker can use this vulnerability to obtain information that may aid in further attacks.
54. Microsoft Windows Media Components 'Service Principle Name' Remote Code Execution Vulnerability
BugTraq ID: 32653
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/32653
Summary:
Microsoft Windows Media Components is prone to a remote code-execution vulnerability in the SPN (Service Principle Name) implementation.
A successful exploit of this vulnerability may allow a remote attacker to execute code in the context of the logged-in user.
55. eLitius 'banner-details.php' SQL Injection Vulnerability
BugTraq ID: 34769
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34769
Summary:
eLitius is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
eLitius 1.0 is vulnerable; other versions may also be affected.
56. GNU Tar Invalid Headers Buffer Overflow Vulnerability
BugTraq ID: 16764
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/16764
Summary:
GNU Tar is prone to a buffer overflow when handling invalid headers. Successful exploitation could potentially lead to arbitrary code execution, but this has not been confirmed.
Tar 1.14 through 1.15.90 are affected; other versions may also be vulnerable.
57. Ubuntu Apport Local Arbitrary File Deletion Vulnerability
BugTraq ID: 34776
Remote: No
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34776
Summary:
Ubuntu Apport deletes crash-report files in an unsafe manner.
A local attacker may exploit this issue to delete arbitrary files, resulting in a denial-of-service condition. Other attacks may also be possible.
58. OpenSSL Multiple Vulnerabilities
BugTraq ID: 34256
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34256
Summary:
OpenSSL is prone to multiple vulnerabilities that may allow attackers to trigger denial-of-service conditions or bypass certain security checks.
Versions prior to OpenSSL 0.9.8k are vulnerable.
59. McAfee Products RAR/ZIP Files Scan Evasion Vulnerability
BugTraq ID: 34780
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34780
Summary:
Multiple McAfee products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine.
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.
The issue affects all McAfee software that uses DAT files.
60. SCO UnixWare IGMP Driver Unspecified Denial Of Service Vulnerability
BugTraq ID: 34781
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34781
Summary:
SCO UnixWare is prone to a denial-of-service vulnerability.
Exploiting this issue allows attackers to trigger denial-of-service conditions.
The issue affects SCO UnixWare 7.1.4 Maintenance Pack 4.
61. JBC Explorer Auth.Inc.PHP Authentication Bypass Vulnerability
BugTraq ID: 26332
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/26332
Summary:
JBC Explorer is prone to an authentication-bypass vulnerability.
An attacker could exploit this issue to gain administrative access to the affected application.
JBC Explorer 7.20 RC1 is vulnerable; other versions may also be affected.
62. IBM Tivoli Continuous Data Protection for Files Insecure Default Permissions Vulnerability
BugTraq ID: 26293
Remote: No
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/26293
Summary:
IBM Tivoli Continuous Data Protection for Files is prone to an insecure-permissions vulnerability that affects the application's 'Global Download' directory.
Successfully exploiting this issue allows attackers to distribute and execute arbitrary executables to client computers managed by the vulnerable software. This may facilitate the complete compromise of all client computers.
IBM Tivoli Continuous Data Protection for Files 3.1 is vulnerable; other versions may also be affected.
63. Adobe Flash Media Server Unspecified RPC Call Privilege Escalation Vulnerability
BugTraq ID: 34790
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34790
Summary:
Adobe Flash Media Server is prone to a vulnerability that allows attackers to gain elevated privileges via an unspecified RPC (Remote Procedures Call) issue.
Very few technical details are currently available. We will update this BID as more information emerges.
Versions prior to Flash Media Streaming Server or Flash Media Interactive Server versions 3.5.2 or 3.0.4 are vulnerable.
64. BaoFeng Storm ActiveX Control 'OnBeforeVideoDownload()' Buffer Overflow Vulnerability
BugTraq ID: 34789
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34789
Summary:
BaoFeng Storm ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
65. Mercury Audio Player '.m3u' File Remote Stack Buffer Overflow Vulnerability
BugTraq ID: 34788
Remote: Yes
Last Updated: 2009-04-30
Relevant URL: http://www.securityfocus.com/bid/34788
Summary:
Mercury Audio Player is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Mercury Audio Player 1.21 is vulnerable; other versions may also be affected.
66. doop Index.php Local File Include Vulnerability
BugTraq ID: 26075
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/26075
Summary:
The 'doop' CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.
This issue affects doop 1.3.7; other versions may also be affected.
67. Kaspersky Online Scanner KAVWebScan.DLL ActiveX Control Format String Vulnerability
BugTraq ID: 26004
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/26004
Summary:
The Kaspersky Online Scanner ActiveX control is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied data that contains format specifiers.
A successful attack will allow the attacker to execute arbitrary code in the context of an application using the control (typically Internet Explorer).
Kaspersky Online Scanner 5.0.93.1 and prior versions are vulnerable.
68. NVClock Local Privilege Escalation Vulnerability
BugTraq ID: 25052
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/25052
Summary:
NVClock is prone to a privilege-escalation vulnerability.
An attacker can exploit this issue to gain unauthorized access to local resources or gain escalated privileges on affected computers. Presumably, this utility runs with superuser privileges.
NVClock 0.7 is reported vulnerable; other versions may be affected as well.
69. Apache Tomcat Accept-Language Cross Site Scripting Vulnerability
BugTraq ID: 24524
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/24524
Summary:
Apache Tomcat is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to inject HTML and script code into the browser of an unsuspecting victim. The attacker may then steal cookie-based authentication credentials and launch other attacks.
This issue may have been reported as part of the vulnerabilities described in BID 24058 (Apache Tomcat Documentation Sample Application Multiple Cross-Site Scripting Vulnerabilities). Symantec has not been able to confirm this information. We will update this BID when more information emerges.
70. Linux Kernel CPUSet Tasks Memory Leak Information Disclosure Vulnerability
BugTraq ID: 24389
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/24389
Summary:
The Linux kernel is prone to an information-disclosure vulnerability because it fails to handle unexpected user-supplied input.
Successful exploits will allow attackers to obtain portions of kernel memory. Information harvested may aid in further attacks.
Versions of the Linux kernel prior to 2.6.21.4 and 2.6.20.13 are vulnerable.
This issue was initially reported in BID 24376 Linux Kernel Multiple Weaknesses and Vulnerabilities, but has been assigned its own record.
71. Sun Java Web Start Unauthorized Access Vulnerability
BugTraq ID: 23728
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/23728
Summary:
Sun Java Web Start is prone to a vulnerability that may allow remote attackers to gain unauthorized access to a vulnerable computer.
The vendor has reported that this vulnerability allows untrusted applications to gain read/write privileges to local files on a vulnerable computer.
The following versions for Windows, Solaris, and Linux platforms are vulnerable:
Java Web Start in JDK and JRE 5.0 Update 10 and earlier
Java Web Start in SDK and JRE 1.4.2_13 and earlier
72. Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 23412
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/23412
Summary:
Roxio CinePlayer is prone to a stack-based buffer-overflow vulnerability because it fails to sufficiently check boundaries of user-supplied input before copying it to an insufficiently sized memory buffer.
An attacker may exploit this issue by enticing victims into opening a malicious HTML document.
Exploiting this issue allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.
Roxio CinePlayer 3.2 is vulnerable to this issue; other versions may also be affected.
73. Microsoft Windows Vista Neighbor Discovery Spoofing Vulnerability
BugTraq ID: 23293
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/23293
Summary:
Microsoft Windows Vista is prone to a discovery-spoofing vulnerability.
An attacker can exploit this issue to conduct redirect attacks on another host on the network. This may lead to further attacks.
Note that to exploit this issue, the attacker must have access to the local network segment of a target computer.
74. Adobe Acrobat and Reader Unspecified Remote Heap Memory Corruption Vulnerability
BugTraq ID: 34768
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34768
Summary:
Adobe Acrobat and Reader are prone to a remote heap-memory-corruption vulnerability because they fail to sufficiently sanitize user-supplied input.
Very few details are currently known. We will update this BID when more information emerges.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial of service.
75. Cisco IOS Multiple Features UDP Packet Denial of Service Vulnerability
BugTraq ID: 34245
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34245
Summary:
Multiple features of Cisco IOS (Internetwork Operating System) are prone to a denial-of-service vulnerability when handling specially crafted UDP packets.
An attacker can exploit this issue to trigger an affected device to block an interface and silently drop packets, causing denial-of-service conditions.
This issue is documented by Cisco Bug ID CSCsk64158.
The following features are affected:
IP Service Level Agreements (SLA) Responder
Session Initiation Protocol (SIP)
H.323 Annex E Call Signaling Transport
Media Gateway Control Protocol (MGCP)
76. Linux Kernel 'do_splice_from()' Local Security Bypass Vulnerability
BugTraq ID: 31903
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/31903
Summary:
The Linux kernel is prone to a local security-bypass vulnerability because the 'do_splice_from()' function fails to correctly reject file descriptors when performing certain file operations.
Attackers can exploit this issue to bypass restrictions on append mode when updating files to update arbitrary locations in the file.
Versions prior to Linux kernel 2.6.27 are vulnerable.
77. Cisco IOS NAT Skinny Call Control Protocol Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 31359
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/31359
Summary:
Cisco IOS is prone to multiple remote denial-of-service vulnerabilities that occur in the Skinny Call Control Protocol (SCCP).
A successful exploit may cause affected devices to reload, denying service to legitimate users.
78. Cisco IOS AIC HTTP Transit Packet Remote Denial of Service Vulnerability
BugTraq ID: 31354
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/31354
Summary:
Cisco IOS when configured for IOS firewall AIC (Application Inspection Control) with an HTTP application-specific policy is prone to a denial-of-service vulnerability.
A successful exploit may cause affected devices to reload, denying service to legitimate users.
79. ProjectCMS 'sn' Parameter SQL Injection Vulnerability
BugTraq ID: 34767
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34767
Summary:
ProjectCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
80. HP Enterprise Discovery Unspecified Remote Privilege Escalation Vulnerability
BugTraq ID: 30865
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/30865
Summary:
HP Enterprise Discovery is prone to an unspecified remote privilege-escalation vulnerability.
Remote authorized attackers can exploit this issue to gain SYSTEM-level privileges, completely compromising affected computers.
81. HP OpenView Network Node Manager HTTP Request Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 33147
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/33147
Summary:
HP OpenView Network Node Manager is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to insufficiently sized buffers.
Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.
These issues affect HP OpenView Network Node Manager 7.51 with NNM_01168; other versions may also be affected.
82. Samba Group Mappings File Insecure Permissions Local Security Vulnerability
BugTraq ID: 30837
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/30837
Summary:
Samba is prone to a local security vulnerability because it sets insecure permissions for a certain configuration file.
Successfully exploiting this issue allows a local attacker to modify Samba group-mapping information and bypass certain security restrictions.
This issue affects Samba 3.2.0 up to and including 3.2.2.
83. Ruby REXML Remote Denial Of Service Vulnerability
BugTraq ID: 30802
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/30802
Summary:
Ruby is prone to a remote denial-of-service vulnerability in its REXML module.
Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable module.
Versions up to and including Ruby 1.9.0-3 are vulnerable.
84. JBoss Enterprise Application Platform Information Disclosure Vulnerability
BugTraq ID: 30540
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/30540
Summary:
JBoss Enterprise Application Platform is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain potentially sensitive details about deployed web contexts. Information obtained may lead to further attacks.
The issue affects versions prior to JBoss Enterprise Application Platform 4.3.0.CP01 and 4.2.0.CP03.
85. Apple Safari Automatic File Launch Remote Code Execution Vulnerability
BugTraq ID: 29835
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/29835
Summary:
Apple Safari is prone to a remote code-execution vulnerability.
An attacker can exploit this issue by enticing an unsuspecting victim to visit a malicious webpage contained in a trusted Internet Explorer 7 zone or in an Internet Explorer 6 'local intranet' or 'Trusted site' zone.
Successfully exploiting this issue will allow attackers to run arbitrary code with the privileges of the user running the affected application.
This issue affects versions prior to Apple Safari 3.1.2 running on Microsoft Windows XP and Windows Vista.
86. Multiple ESET Products CAB File Scan Evasion Vulnerability
BugTraq ID: 34764
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34764
Summary:
Multiple ESET products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine.
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.
ESET products prior to Update 4036 are vulnerable.
87. LevelOne AMG-2000 Security Bypass Vulnerability
BugTraq ID: 34760
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34760
Summary:
LevelOne AMG-2000 is prone to a security-bypass vulnerability.
Attackers may exploit this issue to gain access to the administrative interface and internal computers from an outside network. This may aid in further attacks.
Note that valid authentication credentials must still be provided to authenticate to the device's administrative interface. Attackers may use default accounts such as 'operator' or 'manager' if the default passwords have not been changed.
LevelOne AMG-2000 running firmware 2.00.00build00600 and prior versions are affected.
88. Linux Kernel RLIMIT_CPU Zero Limit Handling Local Security Bypass Vulnerability
BugTraq ID: 29004
Remote: No
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/29004
Summary:
The Linux kernel is prone to a local security-bypass vulnerability because it fails to properly handle certain RLIMIT_CPU time limitations.
Attackers can exploit this issue to bypass certain security restrictions, which may lead to further attacks.
Versions prior to Linux kernel 2.6.22 are affected.
89. Linksys WRT54G Wireless-G Router Multiple Remote Authentication Bypass Vulnerabilities
BugTraq ID: 28381
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/28381
Summary:
Linksys WRT54G Wireless-G Router is prone to multiple authentication-bypass vulnerabilities.
Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible.
The issues affect firmware v1.00.9; other versions may also be vulnerable.
90. TorrentTrader 'msg' Parameter HTML Injection Vulnerability
BugTraq ID: 28082
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/28082
Summary:
TorrentTrader is prone to an HTML-injection vulnerability because it fails to adequately sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
NOTE: This BID was previously titled 'TorrentTrader 'msg' Parameter Cross Site Scripting Vulnerability'. Following further analysis, the title and multiple details throughout have been changed to better document the issue.
TorrentTrader Classic 1.08 is affected; other versions may also be vulnerable.
91. GFL SDK Library Buffer Overflow Vulnerability
BugTraq ID: 27514
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/27514
Summary:
GFL SDK library is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application using the library. Failed exploit attempts likely result in denial-of-service conditions.
GFL SDK 2.870 is vulnerable. The issue also affects XnView 1.91 and 1.92, which use the library, and NConvert 4.85; other versions may be affected as well.
92. TikiWiki CMS 'tiki-listmovies.php' Directory Traversal Vulnerability
BugTraq ID: 27008
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/27008
Summary:
TikiWiki CMS is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.
Versions prior to TikiWiki CMS 1.9.9 are vulnerable.
93. DotNetNuke PayPal IPN 'paypalipn.aspx' Cross-Site Scripting Vulnerability
BugTraq ID: 34484
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34484
Summary:
DotNetNuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issue affects versions prior to DotNetNuke 4.9.3.
94. IBM Informix Dynamic Server Multiple Vulnerabilities
BugTraq ID: 26363
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/26363
Summary:
IBM Informix Dynamic Server is prone to multiple vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions or obtain information using directory-traversal attacks.
Very few details are available regarding these issues. We will update this BID as more information emerges.
95. GScripts.net DNS Tools 'dig.php' Remote Command Execution Vulnerability
BugTraq ID: 34559
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34559
Summary:
GScripts.net DNS Tools is prone to a remote command-execution vulnerability because the software fails to adequately sanitize user-supplied input.
Successful attacks can compromise the affected software and possibly the computer.
96. Ghostscript Multiple Input Validation and Integer Overflow Vulnerabilities
BugTraq ID: 34184
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34184
Summary:
Ghostscript is prone to multiple integer-overflow and input-validation vulnerabilities.
Successful exploits may allow remote attackers to execute arbitrary code in the context of the user running the affected application. Failed attacks will cause denial-of-service conditions.
97. Ghostscript 'CCITTFax' Decoding Filter Denial of Service Vulnerability
BugTraq ID: 34337
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34337
Summary:
Ghostscript is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied input.
Exploiting this issue allows remote attackers to crash the application and possibly to execute code, but this has not been confirmed.
98. Microsoft Internet Explorer 'EMBED' Tag Uninitialized Memory Remote Code Execution Vulnerability
BugTraq ID: 34424
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34424
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the computer. Failed attacks may cause denial-of-service conditions.
99. Memcached and MemcacheDB ASLR Information Disclosure Weakness
BugTraq ID: 34756
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34756
Summary:
Memcached and MemcacheDB are prone to an information-disclosure weakness that may aid attackers in bypassing Address Space Layout Randomization (ASLR) protections.
Attackers can exploit this weakness to gain access to sensitive information such as stack, heap, and shared-library memory locations. Information obtained may aid in other attacks.
memcached v1.2.7 and MemcacheDB v1.2.0 are vulnerable.
100. @Mail 'admin.php' Cross-Site Scripting Vulnerabilities
BugTraq ID: 34762
Remote: Yes
Last Updated: 2009-04-29
Relevant URL: http://www.securityfocus.com/bid/34762
Summary:
@Mail is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issues affect @Mail 5.61; other versions may also be affected.
III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Browsers bashed first in hacking contest
By: Robert Lemos
A security researcher keeps a vulnerability on ice for an entire year, before using it at the Pwn2Own contest to exploit Apple's browser. Microsoft's Internet Explorer 8 falls soon after.
http://www.securityfocus.com/news/11549
2. Experts: U.S. needs to defend its "cyber turf"
By: Robert Lemos
The United States must develop a Monroe Doctrine for the Internet, defining what constitutes its cyberspace and pledging to defend its virtual borders, security experts told Congress.
http://www.securityfocus.com/news/11548
3. Advisor: U.S. needs policy to defend cyberspace
By: Robert Lemos
An Obama transition-team member argues that any future cyber policy needs to deal with the role of the intelligence community, the militarization of cyberspace and designating a lead disaster agency.
http://www.securityfocus.com/news/11547
4. Cabal forms to fight Conficker, offers bounty
By: Robert Lemos
Microsoft offers $250,000 for information leading to the arrest of the author and, along with security firms and Internet service providers, pledges to work to prevent the prolific worm from spreading further.
http://www.securityfocus.com/news/11546
IV. SECURITY JOBS LIST SUMMARY
-------------------------------
V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #441
http://www.securityfocus.com/archive/88/503001
VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
1. curuncula dbr rootkit detection tool
http://www.securityfocus.com/archive/91/502934
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.
If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.
XI. SPONSOR INFORMATION
------------------------
This issue is sponsored by Thawte
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
