[ISN] Secunia Weekly Summary - Issue: 2003-47

From: InfoSec News (isn@private)
Date: Thu Nov 20 2003 - 23:11:34 PST


    ========================================================================
    
                      The Secunia Weekly Advisory Summary                  
                            2003-11-13 - 2003-11-20                        
    
                           This week : 51 advisories                       
    
    ========================================================================
    Table of Contents:
    
    1.....................................................Word From Secunia
    2....................................................This Week In Brief
    3..............................This Week's Top Ten Most Read Advisories
    4.......................................Vulnerabilities Summary Listing
    5.......................................Vulnerabilities Content Listing
    
    ========================================================================
    1) Word From Secunia:
    
    Secunia Advisory IDs
    
    Every advisory issued by Secunia has a unique identifier: the Secunia
    Advisory ID (SA ID). The SA IDs make it very easy to reference,
    identify, and find Secunia advisories.
    
    A Shortcut to Secunia Advisories
    
    Finding Secunia Advisories using SA IDs is easily done at the Secunia
    website, either by simply entering the SA ID in our search form placed
    on the right side of every Secunia web page, or by entering the SA ID
    directly after the domain when visiting the Secunia website e.g.:
    http://secunia.com/SA10222
    
    In the Secunia Weekly Summary SA IDs are displayed in brackets e.g.:
    [SA10222]
    
    ========================================================================
    2) This Week in Brief:
    
    Two privilege escalation vulnerabilities have been published in
    Symantec's remote administration tool pcAnywhere. Symantec has issued
    patches for one of the vulnerabilities; the other was reported
    in version 9.x, which is no longer supported by Symantec.
    Ref.: [SA10238] & [SA10222]
    
    OpenBSD released a patch, which fixes a vulnerability that could be
    used to escalate privileges on OpenBSD 3.3. However, on OpenBSD 3.4
    such an attack will be detected by ProPolice and only result in a local
    DoS.
    Ref.: [SA10246]
    
    Again this week, several PHP scripts have been proven vulnerable to
    remote file inclusion vulnerabilities, which can lead to a full system
    compromise.
    
    Secunia highly recommends that you perform a comprehensive source
    review and also look at the security track history of such products
    before taking them into use. It is in general a very good idea to
    search the Secunia database for vulnerabilities before installing new
    products on a production system.
    Ref.: [SA10249], [SA10231] & [SA10231] 
    
    ========================================================================
    3) This Week's Top Ten Most Read Advisories:
    
    1.  [SA10192] Microsoft Internet Explorer Multiple Vulnerabilities
    2.  [SA10238] Symantec pcAnywhere Chat Session Privilege Escalation
                  Vulnerability
    3.  [SA10194] Microsoft Word and Excel Execution of Arbitrary Code
    4.  [SA10222] Symantec pcAnywhere Privilege Escalation Vulnerability
    5.  [SA10193] Microsoft Windows Workstation Service Buffer Overflow
    6.  [SA10218] BEA WebLogic Multiple Vulnerabilities
    7.  [SA10225] PeopleSoft PeopleTools Multiple Vulnerabilities
    8.  [SA10226] Sun Solaris CDE DtHelp Library Privilege Escalation
                  Vulnerability
    9.  [SA8742]  Microsoft Windows Media Player skin download 
                  vulnerability
    10. [SA10224] HP-UX Partition Manager Certificate Validation
                  Vulnerability
    
    ========================================================================
    4) Vulnerabilities Summary Listing
    
    Windows:
    [SA10253] NetServe Web Server Directory Traversal Vulnerability
    [SA10225] PeopleSoft PeopleTools Multiple Vulnerabilities
    [SA10227] PostMaster Proxy Service Cross-Site Scripting Vulnerability
    [SA10221] Web Wiz Forums Cross Site Scripting Vulnerability
    [SA10238] Symantec pcAnywhere Chat Session Privilege Escalation
    Vulnerability
    [SA10222] Symantec pcAnywhere Privilege Escalation Vulnerability
    
    UNIX/Linux:
    [SA10241] OpenLinux update for webmin
    [SA10240] OpenLinux update for sendmail
    [SA10234] Debian update for Minimalist
    [SA10233] Minimalist Unspecified Command Execution Vulnerability
    [SA10213] Clam AntiVirus clamav-milter Format String Vulnerability
    [SA10216] Conectiva update for mpg123
    [SA10242] Red Hat update for EPIC
    [SA10239] OpenLinux update for nfs-utils
    [SA10232] Debian update for HylaFAX
    [SA10224] HP-UX Partition Manager Certificate Validation Vulnerability
    [SA10214] Conectiva update for hylafax
    [SA10243] Trustix update for fileutils
    [SA10237] Sun ONE Web Server Log Entry Manipulation Vulnerability
    [SA10236] monopd Denial of Service Vulnerability
    [SA10215] Conectiva update for xinetd
    [SA10212] OpenLinux update for unzip
    [SA10211] Mandrake update for fileutils/coreutils
    [SA10258] HP-UX Unspecified DCE Denial of Service Vulnerability
    [SA10256] Red Hat update for XFree86
    [SA10254] SuSE update for sane
    [SA10245] Trustix update for postgresql
    [SA10223] Conectiva update for postgresql
    [SA10208] Red Hat update for XFree86
    [SA10257] HP-UX dtmailpr Privilege Escalation Vulnerability
    [SA10247] HP-UX libDtHelp Privilege Escalation Vulnerability
    [SA10246] OpenBSD compat_ibcs2 Buffer Overflow Vulnerability
    [SA10244] Trustix update for apache
    [SA10226] Sun Solaris CDE DtHelp Library Privilege Escalation
    Vulnerability
    [SA10217] Open UNIX / UnixWare procfs Privilege Escalation
    Vulnerability
    [SA10207] Red Hat update for stunnel
    [SA10255] Mandrake update for glibc
    [SA10248] Sun Cobalt update for MySQL
    [SA10229] Red Hat update for glibc
    [SA10219] Red Hat update for Quagga
    [SA10209] Red Hat update for glibc
    
    Other:
    [SA10235] Blue Coat OpenSSL ASN.1 Parsing Denial of Service
    Vulnerability
    
    Cross Platform:
    [SA10249] Rolis GuestBook Arbitrary File Inclusion Vulnerability
    [SA10231] MediaWiki Arbitrary File Inclusion Vulnerability
    [SA10228] phplist Arbitrary File Inclusion Vulnerability
    [SA10251] SAP DB Multiple Vulnerabilities
    [SA10250] PHP Web FileManager Directory Traversal Vulnerability
    [SA10218] BEA WebLogic Multiple Vulnerabilities
    [SA10210] PHP-CoolFile Logic Error Vulnerability
    [SA10230] Auto Directory Index Cross Site Scripting Vulnerability
    [SA10220] WebWasher Error Message Cross Site Scripting
    
    ========================================================================
    5) Vulnerabilities Content Listing
    
    Windows:
    
    [SA10253] NetServe Web Server Directory Traversal Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of sensitive information
    Released:    2003-11-18
    
    A vulnerability has been identified in NetServe Web Server allowing
    malicious people to conduct directory traversal attacks.
    
    Full Advisory:
    http://www.secunia.com/advisories/10253/
    
     --
    
    [SA10225] PeopleSoft PeopleTools Multiple Vulnerabilities
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Cross Site Scripting, Exposure of system information,
    Exposure of sensitive information, DoS
    Released:    2003-11-14
    
    Multiple vulnerabilities have been identified in PeopleTools, which can
    be exploited by malicious people to conduct Cross-Site Scripting
    attacks, gain knowledge of sensitive information, or cause a DoS
    (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10225/
    
     --
    
    [SA10227] PostMaster Proxy Service Cross-Site Scripting Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2003-11-17
    
    A vulnerability has been reported in PostMaster, which can be exploited
    by malicious people to conduct Cross-Site Scripting attacks.
    
    Full Advisory:
    http://www.secunia.com/advisories/10227/
    
     --
    
    [SA10221] Web Wiz Forums Cross Site Scripting Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2003-11-14
    
    A vulnerability has been reported in Web Wiz Forums allowing malicious
    users to conduct Cross Site Scripting.
    
    Full Advisory:
    http://www.secunia.com/advisories/10221/
    
     --
    
    [SA10238] Symantec pcAnywhere Chat Session Privilege Escalation
    Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-17
    
    A vulnerability has been reported in Symantec pcAnywhere, which can be
    exploited by malicious users to escalate their privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10238/
    
     --
    
    [SA10222] Symantec pcAnywhere Privilege Escalation Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-14
    
    A vulnerability has been identified in Symantec pcAnywhere allowing
    malicious, local users to escalate their privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10222/
    
    
    UNIX/Linux:
    
    [SA10241] OpenLinux update for webmin
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      Security Bypass
    Released:    2003-11-18
    
    SCO has issued updated packages for webmin. These fix a vulnerability,
    which allows malicious people to bypass the authentication process.
    
    Full Advisory:
    http://www.secunia.com/advisories/10241/
    
     --
    
    [SA10240] OpenLinux update for sendmail
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-18
    
    SCO has acknowledged a vulnerability in sendmail, which potentially can
    be exploited by malicious people to compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10240/
    
     --
    
    [SA10234] Debian update for Minimalist
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-17
    
    Debian has issued updated packages for Minimalist. These fix a
    vulnerability, which can be exploited by malicious users to execute
    certain commands on a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10234/
    
     --
    
    [SA10233] Minimalist Unspecified Command Execution Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-17
    
    A vulnerability has been identified in Minimalist, which can be
    exploited by malicious users to execute certain commands on a
    vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10233/
    
     --
    
    [SA10213] Clam AntiVirus clamav-milter Format String Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2003-11-13
    
    A vulnerability has been reported in Clam AntiVirus, which can be
    exploited by malicious people to cause a DoS (Denial of Service) and
    potentially compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10213/
    
     --
    
    [SA10216] Conectiva update for mpg123
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-13
    
    Conectiva has issued updated packages for mpg123. These fix a
    vulnerability, which potentially can be exploited by malicious people
    to compromise a user's system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10216/
    
     --
    
    [SA10242] Red Hat update for EPIC
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      System access
    Released:    2003-11-18
    
    Red Hat has issued updated packages for epic4. These fix a
    vulnerability, which can be exploited by malicious people to cause a
    DoS (Denial of Service) and potentially compromise a user's system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10242/
    
     --
    
    [SA10239] OpenLinux update for nfs-utils
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      System access, DoS
    Released:    2003-11-18
    
    SCO has issued updated packages for nfs-utils. These fix a
    vulnerability, which potentially can be exploited by malicious people
    to compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10239/
    
     --
    
    [SA10232] Debian update for HylaFAX
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      System access
    Released:    2003-11-17
    
    Debian has issued updated packages for hylafax. These fix a
    vulnerability, which can be exploited by malicious people to compromise
    a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10232/
    
     --
    
    [SA10224] HP-UX Partition Manager Certificate Validation Vulnerability
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      Exposure of system information, Exposure of sensitive
    information, System access
    Released:    2003-11-14
    
    A vulnerability has been identified in HP-UX, which according to HP can
    be exploited by malicious people to gain knowledge of sensitive
    information or compromise a system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10224/
    
     --
    
    [SA10214] Conectiva update for hylafax
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      System access
    Released:    2003-11-13
    
    Conectiva has issued updated packages for hylafax. These fix a
    vulnerability, which can be exploited by malicious people to compromise
    a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10214/
    
     --
    
    [SA10243] Trustix update for fileutils
    
    Critical:    Less critical
    Where:       From remote
    Impact:      DoS
    Released:    2003-11-18
    
    Trustix has issued updated packages for fileutils. These fix two
    vulnerabilities in the "ls" program, which can be exploited by
    malicious users to cause a DoS (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10243/
    
     --
    
    [SA10237] Sun ONE Web Server Log Entry Manipulation Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Security Bypass, ID Spoofing
    Released:    2003-11-18
    
    Sun has acknowledged a vulnerability in Sun One Web Server, which can
    be exploited by malicious people to manipulate log entries.
    
    Full Advisory:
    http://www.secunia.com/advisories/10237/
    
     --
    
    [SA10236] monopd Denial of Service Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      DoS
    Released:    2003-11-17
    
    A vulnerability has been reported in monopd, which can be exploited by
    malicious users to cause a DoS (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10236/
    
     --
    
    [SA10215] Conectiva update for xinetd
    
    Critical:    Less critical
    Where:       From remote
    Impact:      DoS
    Released:    2003-11-13
    
    Conectiva has issued updated packages for xinetd. These fix a
    vulnerability, which can be exploited by malicious people to cause a
    DoS (Denial of Service) on a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10215/
    
     --
    
    [SA10212] OpenLinux update for unzip
    
    Critical:    Less critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-13
    
    SCO has issued updated packages for unzip. These fix a vulnerability,
    which potentially can be exploited by malicious people to compromise a
    user's system by overwriting arbitrary files on it.
    
    Full Advisory:
    http://www.secunia.com/advisories/10212/
    
     --
    
    [SA10211] Mandrake update for fileutils/coreutils
    
    Critical:    Less critical
    Where:       From remote
    Impact:      DoS
    Released:    2003-11-13
    
    MandrakeSoft has issued updated packages for fileutils/coreutils. These
    fix two vulnerabilities in the "ls" program, which can be exploited by
    malicious users to cause a DoS (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10211/
    
     --
    
    [SA10258] HP-UX Unspecified DCE Denial of Service Vulnerability
    
    Critical:    Less critical
    Where:       From local network
    Impact:      DoS
    Released:    2003-11-19
    
    HP has reported an unspecified vulnerability in DCE for HP-UX, which
    can be exploited by malicious people to cause a DoS (Denial of
    Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10258/
    
     --
    
    [SA10256] Red Hat update for XFree86
    
    Critical:    Less critical
    Where:       From local network
    Impact:      Privilege escalation, System access
    Released:    2003-11-19
    
    Red Hat has issued updated packages for XFree86. These fix multiple
    vulnerabilities, which potentially can be exploited by malicious users
    to escalate their privileges on a vulnerable system or compromise it.
    
    Full Advisory:
    http://www.secunia.com/advisories/10256/
    
     --
    
    [SA10254] SuSE update for sane
    
    Critical:    Less critical
    Where:       From local network
    Impact:      DoS
    Released:    2003-11-18
    
    SuSE has issued updated packages for sane. These fix several
    vulnerabilities, which can be exploited by malicious people to cause a
    DoS (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10254/
    
     --
    
    [SA10245] Trustix update for postgresql
    
    Critical:    Less critical
    Where:       From local network
    Impact:      System access
    Released:    2003-11-18
    
    Trustix has issued updated packages for postgresql. These fix some
    vulnerabilities, which potentially can be exploited by malicious users
    to compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10245/
    
     --
    
    [SA10223] Conectiva update for postgresql
    
    Critical:    Less critical
    Where:       From local network
    Impact:      System access
    Released:    2003-11-14
    
    Conectiva has issued updated packages for postgresql. These fix some
    vulnerabilities, which potentially can be exploited by malicious users
    to compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10223/
    
     --
    
    [SA10208] Red Hat update for XFree86
    
    Critical:    Less critical
    Where:       From local network
    Impact:      System access, Privilege escalation
    Released:    2003-11-13
    
    Red Hat has issued updated packages for XFree86. These fix multiple
    vulnerabilities, which potentially can be exploited by malicious users
    to escalate their privileges on a vulnerable system or compromise it.
    
    Full Advisory:
    http://www.secunia.com/advisories/10208/
    
     --
    
    [SA10257] HP-UX dtmailpr Privilege Escalation Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-19
    
    A vulnerability has been identified in HP-UX, which can be exploited by
    malicious, local users to escalate their privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10257/
    
     --
    
    [SA10247] HP-UX libDtHelp Privilege Escalation Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-18
    
    HP has acknowledged a vulnerability in CDE (Common Desktop Environment)
    for HP-UX, which can be exploited by malicious, local users to escalate
    their privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10247/
    
     --
    
    [SA10246] OpenBSD compat_ibcs2 Buffer Overflow Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation, DoS
    Released:    2003-11-18
    
    A vulnerability has been reported in OpenBSD, which can be exploited by
    malicious, local users to escalate their privileges or cause a DoS
    (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10246/
    
     --
    
    [SA10244] Trustix update for apache
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation, DoS
    Released:    2003-11-18
    
    Trustix has issued updated packages for apache. These fix some
    vulnerabilities, which can be exploited by malicious, local users to
    cause a DoS (Denial of Service) or escalate privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10244/
    
     --
    
    [SA10226] Sun Solaris CDE DtHelp Library Privilege Escalation
    Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-14
    
    Sun has acknowledged a vulnerability in the CDE DtHelp Library for
    Solaris, which can be exploited by malicious, local users to escalate
    their privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10226/
    
     --
    
    [SA10217] Open UNIX / UnixWare procfs Privilege Escalation
    Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-14
    
    A vulnerability has been identified in UnixWare and Open UNIX, which
    can be exploited by malicious, local users to escalate their
    privileges.
    
    Full Advisory:
    http://www.secunia.com/advisories/10217/
    
     --
    
    [SA10207] Red Hat update for stunnel
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-13
    
    Red Hat has issued updated packages for stunnel. These fix a
    vulnerability, which can be exploited by malicious users to hijack the
    service.
    
    Full Advisory:
    http://www.secunia.com/advisories/10207/
    
     --
    
    [SA10255] Mandrake update for glibc
    
    Critical:    Not critical
    Where:       Local system
    Impact:      DoS
    Released:    2003-11-19
    
    MandrakeSoft has issued updated packages for glibc. These fix a
    vulnerability allowing malicious users to spoof messages sent to the
    kernel netlink interface.
    
    Full Advisory:
    http://www.secunia.com/advisories/10255/
    
     --
    
    [SA10248] Sun Cobalt update for MySQL
    
    Critical:    Not critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2003-11-18
    
    Sun has issued an updated package for Sun Cobalt RaQ 550. This fixes a
    vulnerability in MySQL, which can be exploited by malicious users to
    escalate their privileges on a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10248/
    
     --
    
    [SA10229] Red Hat update for glibc
    
    Critical:    Not critical
    Where:       Local system
    Impact:      DoS
    Released:    2003-11-17
    
    Red Hat has issued updated packages for glibc. These fix a
    vulnerability allowing malicious users to cause a Denial of Service
    against certain applications.
    
    Full Advisory:
    http://www.secunia.com/advisories/10229/
    
     --
    
    [SA10219] Red Hat update for Quagga
    
    Critical:    Not critical
    Where:       Local system
    Impact:      DoS
    Released:    2003-11-13
    
    Red Hat has issued updated packages for Quagga. These fix a
    vulnerability, which can be exploited by malicious, local users to
    cause a DoS (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10219/
    
     --
    
    [SA10209] Red Hat update for glibc
    
    Critical:    Not critical
    Where:       Local system
    Impact:      DoS
    Released:    2003-11-13
    
    Red Hat has issued updated packages for glibc. These fix a
    vulnerability allowing malicious users to spoof messages sent to the
    kernel netlink interface.
    
    Full Advisory:
    http://www.secunia.com/advisories/10209/
    
    
    Other:
    
    [SA10235] Blue Coat OpenSSL ASN.1 Parsing Denial of Service
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS
    Released:    2003-11-17
    
    Blue Coat Systems has confirmed an OpenSSL vulnerability in some of
    their products, which can be exploited by malicious people to cause a
    DoS (Denial of Service).
    
    Full Advisory:
    http://www.secunia.com/advisories/10235/
    
    
    Cross Platform:
    
    [SA10249] Rolis GuestBook Arbitrary File Inclusion Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-18
    
    A vulnerability has been reported in Rolis Guestbook, which can be
    exploited by malicious people to compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10249/
    
     --
    
    [SA10231] MediaWiki Arbitrary File Inclusion Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-17
    
    A vulnerability has been reported in MediaWiki, which can be exploited
    by malicious people to compromise a vulnerable system.
    
    Full Advisory:
    http://www.secunia.com/advisories/10231/
    
     --
    
    [SA10228] phplist Arbitrary File Inclusion Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2003-11-17
    
    A vulnerability has been identified in phplist allowing malicious
    people to gain system access.
    
    Full Advisory:
    http://www.secunia.com/advisories/10228/
    
     --
    
    [SA10251] SAP DB Multiple Vulnerabilities
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Hijacking, Security Bypass, Exposure of system
    information, Exposure of sensitive information, Privilege escalation
    Released:    2003-11-18
    
    Multiple vulnerabilities have been reported in SAP DB, which can be
    exploited by malicious users to perform a variety of attacks.
    
    Full Advisory:
    http://www.secunia.com/advisories/10251/
    
     --
    
    [SA10250] PHP Web FileManager Directory Traversal Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of system information, Exposure of sensitive
    information
    Released:    2003-11-18
    
    A vulnerability has been reported in PHP Web FileManager, which can be
    exploited by malicious people to gain knowledge of sensitive
    information.
    
    Full Advisory:
    http://www.secunia.com/advisories/10250/
    
     --
    
    [SA10218] BEA WebLogic Multiple Vulnerabilities
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of sensitive information, DoS
    Released:    2003-11-13
    
    BEA has issued patches for BEA WebLogic Server and Express. These fix 5
    different vulnerabilities, which can be exploited to cause a Denial of
    Service or expose sensitive information.
    
    Full Advisory:
    http://www.secunia.com/advisories/10218/
    
     --
    
    [SA10210] PHP-CoolFile Logic Error Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Security Bypass
    Released:    2003-11-13
    
    A vulnerability has been reported in PHP-Coolfile allowing malicious
    people to view the contents of files including the configuration file
    with the administrative username and password.
    
    Full Advisory:
    http://www.secunia.com/advisories/10210/
    
     --
    
    [SA10230] Auto Directory Index Cross Site Scripting Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2003-11-17
    
    A vulnerability has been identified in Auto Directory Index allowing
    malicious people to conduct Cross Site Scripting attacks.
    
    Full Advisory:
    http://www.secunia.com/advisories/10230/
    
     --
    
    [SA10220] WebWasher Error Message Cross Site Scripting
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2003-11-14
    
    A vulnerability has been reported in WebWasher Classic allowing
    malicious people to conduct Cross Site Scripting attacks.
    
    Full Advisory:
    http://www.secunia.com/advisories/10220/
    
    
    
    ========================================================================
    
    Secunia recommends that you verify all advisories you receive,
    by clicking the link.
    Secunia NEVER sends attached files with advisories.
    Secunia does not advise people to install third party patches, only use
    those supplied by the vendor.
    
    Definitions: (Criticality, Where etc.)
    http://www.secunia.com/about_secunia_advisories/
    
    Subscribe:
    http://www.secunia.com/secunia_weekly_summary/
    
    Contact details:
    Web	: http://www.secunia.com/
    E-mail	: support@private
    Tel	: +44 (0) 20 7016 2693
    Fax	: +44 (0) 20 7637 0419
    
    ========================================================================
    
    
    
    -
    ISN is currently hosted by Attrition.org
    