[ISN] Secunia Weekly Summary - Issue: 2004-24

From: InfoSec News (isn@private)
Date: Fri Jun 11 2004 - 03:19:10 PDT

  • Next message: InfoSec News: "[ISN] Valve announces Half-Life 2 code theft arrests"

    ========================================================================
    
                      The Secunia Weekly Advisory Summary                  
                            2004-06-03 - 2004-06-10                        
    
                           This week : 48 advisories                       
    
    ========================================================================
    Table of Contents:
    
    1.....................................................Word From Secunia
    2....................................................This Week In Brief
    3...............................This Weeks Top Ten Most Read Advisories
    4.......................................Vulnerabilities Summary Listing
    5.......................................Vulnerabilities Content Listing
    
    ========================================================================
    1) Word From Secunia:
    
    The Secunia staff is spending hours every day to assure you the best
    and most reliable source for vulnerability information. Every single 
    vulnerability report is being validated and verified before a Secunia
    advisory is written.
    
    Secunia validates and verifies vulnerability reports in many different
    ways e.g. by downloading the software and performing comprehensive
    tests, by reviewing source code, or by validating the credibility of
    the source from which the vulnerability report was issued.
    
    As a result, Secunia's database is the most correct and complete source
    for recent vulnerability information available on the Internet.
    
    Secunia Online Vulnerability Database:
    http://secunia.com/
    
    
    ========================================================================
    2) This Week in Brief:
    
    
    ADVISORIES:
    
    Jelmer issued a detailed analysis of a very sophisticated "zero-day"
    exploit for Internet Explorer. Jelmer obtained the exploit from an
    ad-ware site, which actively is using this exploit to install a toolbar
    in Internet Explorer on vulnerable users' systems.
    
    Please read Secunia advisory SA11753 below for additional details.
    
    Furthermore, Microsoft has released its monthly security bulletins for
    June, addressing vulnerabilities in DirectX and various products
    implementing Crystal Reports.
    
    Reference:
    http://secunia.com/SA11753
    http://secunia.com/SA11803
    http://secunia.com/SA11802
    
    --
    
    Apple has issued a security update to address the "disk://"
    vulnerability among others. The update has been long awaited by the
    Mac OS X community, as the vulnerabilities addressed have been "public
    knowledge" for several weeks now, and they could be used for a remote
    system compromise.
    
    Reference:
    http://secunia.com/SA11689
    
    --
    
    A vulnerability has been reported in Squid, which potentially could be
    exploited to compromise a vulnerable system.
    
    Squid has issued a patch, which fix this vulnerability.
    
    Reference:
    http://secunia.com/SA11804
    
    
    VIRUS ALERTS:
    
    Secunia has not issued any virus alerts during the last week.
    
    
    ========================================================================
    3) This Weeks Top Ten Most Read Advisories:
    
    1.  [SA11793] Internet Explorer Local Resource Access and Cross-Zone
                  Scripting Vulnerabilities
    2.  [SA11689] Mac OS X Volume URI Handler Registration Code Execution
                  Vulnerability
    3.  [SA11754] Linksys Routers Administrative Web Interface Access
                  Security Issue
    4.  [SA11622] Mac OS X URI Handler Arbitrary Code Execution
    5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing
                  Vulnerability
    6.  [SA10395] Internet Explorer URL Spoofing Vulnerability
    7.  [SA11780] Sun Solaris update for sendmail
    8.  [SA11764] Linksys BEF Series Routers Denial of Service
                  Vulnerabilities
    9.  [SA11792] PHP "escapeshellcmd()" and "escapeshellarg()"
                  Security Bypass Vulnerability
    10. [SA11794] Webmin Unspecified Denial of Service and Security
                  Restriction Bypass
    
    ========================================================================
    4) Vulnerabilities Summary Listing
    
    Windows:
    [SA11793] Internet Explorer Local Resource Access and Cross-Zone
    Scripting Vulnerabilities
    [SA11792] PHP "escapeshellcmd()" and "escapeshellarg()" Security Bypass
    Vulnerability
    [SA11787] Oracle E-Business Suite Unspecified SQL Injection
    Vulnerabilities
    [SA11803] Microsoft Crystal Reports Web Viewer Directory Traversal
    Vulnerability
    [SA11802] Microsoft DirectPlay Packet Validation Denial of Service
    Vulnerability
    [SA11790] FoolProof Security Administrator Password Disclosure
    Weakness
    
    UNIX/Linux:
    [SA11804] Squid NTLM Authentication Helper Buffer Overflow
    Vulnerability
    [SA11795] Sun Crypto Accelerator 4000 Software OpenSSL Vulnerabilities
    [SA11780] Sun Solaris update for sendmail
    [SA11767] NetBSD update for CVS
    [SA11809] Gentoo update for mailman
    [SA11805] Horde IMP "Content-Type:" Header Script Insertion
    Vulnerability
    [SA11798] cPanel suEXEC Privilege Escalation Vulnerability
    [SA11794] Webmin Unspecified Denial of Service and Security Restriction
    Bypass
    [SA11789] Crafty Syntax Live Help Script Insertion Vulnerabilities
    [SA11788] l2tpd "write_packet()" Buffer Overflow Vulnerability
    [SA11786] Gentoo update for sitecopy
    [SA11785] sitecopy Multiple libneon Vulnerabilities
    [SA11784] cPanel killacct Script Arbitrary DNS Information Deletion
    Vulnerability
    [SA11782] Debian update for postgresql
    [SA11781] psqlodbc "PGAPI_Connect()" Buffer Overflow Vulnerability
    [SA11779] Debian update for lha
    [SA11778] Open Webmail "Content-Type:" Header Script Injection
    Vulnerability
    [SA11777] Fedora update for krb5
    [SA11776] Gentoo update for ethereal
    [SA11771] Fedora update for ethereal
    [SA11769] Debian update for log2mail
    [SA11768] log2mail "printlog()" Message Logging Format String
    Vulnerability
    [SA11765] Mandrake update for krb5
    [SA11759] Slackware update for mod_ssl
    [SA11758] Debian update for gallery
    [SA11797] FreeBSD Jailed Process Host Routing Table Manipulation
    Vulnerability
    [SA11796] Mandrake update for tripwire
    [SA11775] Gentoo update for tripwire
    [SA11763] Tripwire Email Reporting Privilege Escalation Vulnerability
    [SA11760] Slackware PHP Insecure Static Library Linking Security Issue
    [SA11770] Fedora update for net-tools
    
    Other:
    [SA11773] NetGear WG602 Wireless Access Point Default Account Security
    Issue
    [SA11764] Linksys BEF Series Routers Denial of Service Vulnerabilities
    
    Cross Platform:
    [SA11774] Mail Manage EX Arbitrary File Inclusion Vulnerability
    [SA11801] Roundup Web Interface Directory Traversal Vulnerability
    [SA11800] Crystal Reports and Crystal Enterprise Directory Traversal
    Vulnerability
    [SA11783] IBM Multiple Products GSKit Denial of Service Vulnerability
    [SA11772] SurgeMail Path Disclosure and Cross-Site Scripting
    Vulnerability
    [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing
    Vulnerability
    [SA11791] jCIFS Arbitrary Username Authentication Security Issue
    [SA11761] IBM Products Forms Authentication Session Hijacking
    [SA11766] PHP-Nuke Direct Script Access Restriction Bypass Weakness
    
    ========================================================================
    5) Vulnerabilities Content Listing
    
    Windows:--
    
    [SA11793] Internet Explorer Local Resource Access and Cross-Zone
    Scripting Vulnerabilities
    
    Critical:    Extremely critical
    Where:       From remote
    Impact:      Security Bypass, System access
    Released:    2004-06-08
    
    Two vulnerabilities have been reported in Internet Explorer, which in
    combination with other known issues can be exploited by malicious
    people to compromise a user's system.
    
    Full Advisory:
    http://secunia.com/advisories/11793/
    
     --
    
    [SA11792] PHP "escapeshellcmd()" and "escapeshellarg()" Security Bypass
    Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      Security Bypass
    Released:    2004-06-07
    
    Daniel Fabian has discovered a vulnerability in PHP, which can be
    exploited by malicious people to bypass certain security restrictions.
    
    Full Advisory:
    http://secunia.com/advisories/11792/
    
     --
    
    [SA11787] Oracle E-Business Suite Unspecified SQL Injection
    Vulnerabilities
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      Manipulation of data, Exposure of system information,
    Exposure of sensitive information, System access
    Released:    2004-06-07
    
    Stephen Kost has reported multiple vulnerabilities in Oracle E-Business
    Suite and Oracle Applications, which can be exploited by malicious
    people to conduct SQL injection attacks.
    
    Full Advisory:
    http://secunia.com/advisories/11787/
    
     --
    
    [SA11803] Microsoft Crystal Reports Web Viewer Directory Traversal
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of system information, Exposure of sensitive
    information, DoS
    Released:    2004-06-08
    
    A vulnerability has been discovered in various Microsoft products,
    allowing malicious people to disclose the content of arbitrary files or
    delete these.
    
    Full Advisory:
    http://secunia.com/advisories/11803/
    
     --
    
    [SA11802] Microsoft DirectPlay Packet Validation Denial of Service
    Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      DoS
    Released:    2004-06-08
    
    John Lampe has discovered a vulnerability in Microsoft DirectPlay,
    which can be exploited by malicious people to cause a DoS (Denial of
    Service).
    
    Full Advisory:
    http://secunia.com/advisories/11802/
    
     --
    
    [SA11790] FoolProof Security Administrator Password Disclosure
    Weakness
    
    Critical:    Less critical
    Where:       From local network
    Impact:      Exposure of sensitive information
    Released:    2004-06-08
    
    Cyrillium Security has reported a weakness in FoolProof Security, which
    can be exploited by certain malicious users to gain knowledge of
    sensitive information.
    
    Full Advisory:
    http://secunia.com/advisories/11790/
    
    
    UNIX/Linux:--
    
    [SA11804] Squid NTLM Authentication Helper Buffer Overflow
    Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-09
    
    A vulnerability has been reported in Squid, which can be exploited by
    malicious people to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11804/
    
     --
    
    [SA11795] Sun Crypto Accelerator 4000 Software OpenSSL Vulnerabilities
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2004-06-07
    
    Sun has acknowledged that the Sun Crypto Accelerator 4000 software is
    affected by some OpenSSL vulnerabilities. According to the vendor,
    these can be exploited by malicious people to cause a DoS (Denial of
    Service) and potentially compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11795/
    
     --
    
    [SA11780] Sun Solaris update for sendmail
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    Sun has acknowledged a vulnerability in sendmail for Solaris, which
    potentially can be exploited by malicious people to compromise a
    vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11780/
    
     --
    
    [SA11767] NetBSD update for CVS
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-04
    
    NetBSD has issued patches for cvs. These fix a vulnerability, which can
    be exploited by malicious users to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11767/
    
     --
    
    [SA11809] Gentoo update for mailman
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of sensitive information
    Released:    2004-06-09
    
    Gentoo has issued an update for mailman. This fixes a vulnerability,
    which can be exploited by malicious people to retrieve members'
    passwords.
    
    Full Advisory:
    http://secunia.com/advisories/11809/
    
     --
    
    [SA11805] Horde IMP "Content-Type:" Header Script Insertion
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2004-06-09
    
    A vulnerability has been discovered in Horde IMP, which can be
    exploited by malicious people to conduct script insertion attacks.
    
    Full Advisory:
    http://secunia.com/advisories/11805/
    
     --
    
    [SA11798] cPanel suEXEC Privilege Escalation Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Privilege escalation
    Released:    2004-06-09
    
    Rob Brown has reported a vulnerability in cPanel, which can be
    exploited by malicious, authenticated users to execute arbitrary code
    with escalated privileges.
    
    Full Advisory:
    http://secunia.com/advisories/11798/
    
     --
    
    [SA11794] Webmin Unspecified Denial of Service and Security Restriction
    Bypass
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Security Bypass, DoS
    Released:    2004-06-07
    
    Two vulnerabilities have been discovered in Webmin, which can be
    exploited by malicious people to cause a DoS (Denial of Service) or
    bypass certain security restrictions.
    
    Full Advisory:
    http://secunia.com/advisories/11794/
    
     --
    
    [SA11789] Crafty Syntax Live Help Script Insertion Vulnerabilities
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2004-06-08
    
    John C. Hennessy has reported two vulnerabilities in Crafty Syntax Live
    Help, which can be exploited by malicious people to conduct script
    insertion attacks.
    
    Full Advisory:
    http://secunia.com/advisories/11789/
    
     --
    
    [SA11788] l2tpd "write_packet()" Buffer Overflow Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    Thomas Walpuski has reported a vulnerability in l2tpd, which
    potentially can be exploited by malicious people to compromise a
    vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11788/
    
     --
    
    [SA11786] Gentoo update for sitecopy
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    Gentoo has issued an advisory for sitecopy. This describes some
    vulnerabilities, which potentially can be exploited by malicious people
    to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11786/
    
     --
    
    [SA11785] sitecopy Multiple libneon Vulnerabilities
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    It has been reported that sitecopy is affected by various libneon
    vulnerabilities, which potentially can be exploited by malicious people
    to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11785/
    
     --
    
    [SA11784] cPanel killacct Script Arbitrary DNS Information Deletion
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Security Bypass, Manipulation of data
    Released:    2004-06-07
    
    verb0s has reported a vulnerability in cPanel, which can be exploited
    by malicious, authenticated, administrative users to bypass certain
    security restrictions.
    
    Full Advisory:
    http://secunia.com/advisories/11784/
    
     --
    
    [SA11782] Debian update for postgresql
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2004-06-08
    
    Debian has issued an update for postgresql. This fixes a vulnerability
    in the ODBC driver, which can be exploited by malicious people to cause
    a DoS (Denial of Service) and potentially compromise a vulnerable
    system.
    
    Full Advisory:
    http://secunia.com/advisories/11782/
    
     --
    
    [SA11781] psqlodbc "PGAPI_Connect()" Buffer Overflow Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2004-06-08
    
    delman has reported a vulnerability in psqlodbc, which can be exploited
    by malicious people to cause a DoS (Denial of Service) and potentially
    compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11781/
    
     --
    
    [SA11779] Debian update for lha
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    Debian has issued an update for lha. This fixes multiple
    vulnerabilities, which potentially can be exploited by malicious people
    to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11779/
    
     --
    
    [SA11778] Open Webmail "Content-Type:" Header Script Injection
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Cross Site Scripting
    Released:    2004-06-05
    
    A vulnerability has been discovered in Open WebMail, which can be
    exploited by malicious people to conduct script injection attacks.
    
    Full Advisory:
    http://secunia.com/advisories/11778/
    
     --
    
    [SA11777] Fedora update for krb5
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-05
    
    Fedora has issued an update for krb5. This fixes some vulnerabilities,
    which can be exploited by malicious users to compromise a vulnerable
    system.
    
    Full Advisory:
    http://secunia.com/advisories/11777/
    
     --
    
    [SA11776] Gentoo update for ethereal
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2004-06-05
    
    Gentoo has issued an update for ethereal. This fixes multiple
    vulnerabilities, which can be exploited by malicious people to
    compromise a vulnerable system or cause a DoS (Denial-of-Service).
    
    Full Advisory:
    http://secunia.com/advisories/11776/
    
     --
    
    [SA11771] Fedora update for ethereal
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2004-06-04
    
    Fedora has issued an update for ethereal. This fixes multiple
    vulnerabilities, which can be exploited by malicious people to
    compromise a vulnerable system or cause a DoS (Denial-of-Service).
    
    Full Advisory:
    http://secunia.com/advisories/11771/
    
     --
    
    [SA11769] Debian update for log2mail
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    Debian has issued an update for log2mail. This fixes a vulnerability,
    which potentially can be exploited by malicious people to compromise a
    vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11769/
    
     --
    
    [SA11768] log2mail "printlog()" Message Logging Format String
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-07
    
    Jaguar has reported a vulnerability in log2mail, which potentially can
    be exploited by malicious people to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11768/
    
     --
    
    [SA11765] Mandrake update for krb5
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-04
    
    MandrakeSoft has issued an update for krb5. This fixes some
    vulnerabilities, which can be exploited by malicious users to
    compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11765/
    
     --
    
    [SA11759] Slackware update for mod_ssl
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS, System access
    Released:    2004-06-03
    
    Slackware has issued an update for mod_ssl. This fixes a vulnerability,
    which potentially can be exploited by malicious people to cause a DoS
    (Denial of Service) or compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11759/
    
     --
    
    [SA11758] Debian update for gallery
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Security Bypass
    Released:    2004-06-03
    
    Debian has issued an update for gallery. This fixes a vulnerability,
    which can be exploited by malicious people to bypass the user
    authentication.
    
    Full Advisory:
    http://secunia.com/advisories/11758/
    
     --
    
    [SA11797] FreeBSD Jailed Process Host Routing Table Manipulation
    Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Security Bypass, Manipulation of data
    Released:    2004-06-08
    
    Pawel Malachowski has discovered a vulnerability in FreeBSD, which can
    be exploited by malicious, local users to bypass certain security
    restrictions.
    
    Full Advisory:
    http://secunia.com/advisories/11797/
    
     --
    
    [SA11796] Mandrake update for tripwire
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2004-06-08
    
    MandrakeSoft has issued an update for tripwire. This fixes a
    vulnerability, which potentially can be exploited by malicious, local
    users to gain escalated privileges.
    
    Full Advisory:
    http://secunia.com/advisories/11796/
    
     --
    
    [SA11775] Gentoo update for tripwire
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2004-06-05
    
    Gentoo has issued an update for tripwire. This fixes a vulnerability,
    which potentially can be exploited by malicious, local users to gain
    escalated privileges.
    
    Full Advisory:
    http://secunia.com/advisories/11775/
    
     --
    
    [SA11763] Tripwire Email Reporting Privilege Escalation Vulnerability
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation
    Released:    2004-06-05
    
    Paul Herman has discovered a vulnerability in Tripwire, which
    potentially can be exploited by malicious, local users to gain
    escalated privileges.
    
    Full Advisory:
    http://secunia.com/advisories/11763/
    
     --
    
    [SA11760] Slackware PHP Insecure Static Library Linking Security Issue
    
    Critical:    Less critical
    Where:       Local system
    Impact:      Privilege escalation, DoS
    Released:    2004-06-03
    
    Bryce Nichols has discovered a security issue in Slackware, which can
    be exploited by malicious, local users to gain escalated privileges.
    
    Full Advisory:
    http://secunia.com/advisories/11760/
    
     --
    
    [SA11770] Fedora update for net-tools
    
    Critical:    Not critical
    Where:       Local system
    Impact:      DoS
    Released:    2004-06-04
    
    Fedora has issued an update for net-tools. This fixes a vulnerability,
    which can be exploited by malicious, local users to cause a DoS (Denial
    of Service).
    
    Full Advisory:
    http://secunia.com/advisories/11770/
    
    
    Other:--
    
    [SA11773] NetGear WG602 Wireless Access Point Default Account Security
    Issue
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      System access
    Released:    2004-06-07
    
    Tom Knienieder has reported a security issue in NetGear WG602 Wireless
    Access Point, which can be exploited by malicious people to gain access
    to an affected device.
    
    Full Advisory:
    http://secunia.com/advisories/11773/
    
     --
    
    [SA11764] Linksys BEF Series Routers Denial of Service Vulnerabilities
    
    Critical:    Moderately critical
    Where:       From local network
    Impact:      DoS
    Released:    2004-06-05
    
    b0f has reported two vulnerabilities in various Linksys BEF series
    routers, which can be exploited to cause a DoS (Denial of Service).
    
    Full Advisory:
    http://secunia.com/advisories/11764/
    
    
    Cross Platform:--
    
    [SA11774] Mail Manage EX Arbitrary File Inclusion Vulnerability
    
    Critical:    Highly critical
    Where:       From remote
    Impact:      System access
    Released:    2004-06-04
    
    Jan van de Rijt has reported a vulnerability in Mail Manage EX,
    allowing malicious people to compromise a vulnerable system.
    
    Full Advisory:
    http://secunia.com/advisories/11774/
    
     --
    
    [SA11801] Roundup Web Interface Directory Traversal Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of system information, Exposure of sensitive
    information
    Released:    2004-06-09
    
    Vickenty Fesunov has reported a vulnerability in Roundup, which can be
    exploited by malicious people to view the content of arbitrary files.
    
    Full Advisory:
    http://secunia.com/advisories/11801/
    
     --
    
    [SA11800] Crystal Reports and Crystal Enterprise Directory Traversal
    Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      Exposure of system information, Exposure of sensitive
    information, DoS
    Released:    2004-06-08
    
    Imperva Application Defense Center has discovered a vulnerability in
    Crystal Reports Web Viewers, allowing malicious people to disclose the
    content of arbitrary files or delete these.
    
    Full Advisory:
    http://secunia.com/advisories/11800/
    
     --
    
    [SA11783] IBM Multiple Products GSKit Denial of Service Vulnerability
    
    Critical:    Moderately critical
    Where:       From remote
    Impact:      DoS
    Released:    2004-06-07
    
    A vulnerability has been discovered in various IBM products, which can
    be exploited by malicious people to cause a DoS (Denial of Service).
    
    Full Advisory:
    http://secunia.com/advisories/11783/
    
     --
    
    [SA11772] SurgeMail Path Disclosure and Cross-Site Scripting
    Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Cross Site Scripting, Exposure of system information
    Released:    2004-06-07
    
    Donnie Werner has reported a vulnerability in SurgeMail, which can be
    exploited by malicious people to disclose certain system information or
    conduct cross-site scripting attacks.
    
    Full Advisory:
    http://secunia.com/advisories/11772/
    
     --
    
    [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing
    Vulnerability
    
    Critical:    Less critical
    Where:       From remote
    Impact:      Spoofing
    Released:    2004-06-03
    
    GreyMagic has discovered a vulnerability in the Opera browser, which
    can be exploited by malicious people to fake (spoof) information
    displayed in various bars.
    
    Full Advisory:
    http://secunia.com/advisories/11762/
    
     --
    
    [SA11791] jCIFS Arbitrary Username Authentication Security Issue
    
    Critical:    Less critical
    Where:       From local network
    Impact:      Security Bypass
    Released:    2004-06-09
    
    A security issue has been discovered in jCIFS, which allows a malicious
    person to authenticate with an invalid username.
    
    Full Advisory:
    http://secunia.com/advisories/11791/
    
     --
    
    [SA11761] IBM Products Forms Authentication Session Hijacking
    
    Critical:    Less critical
    Where:       From local network
    Impact:      Hijacking
    Released:    2004-06-04
    
    A security issue has been discovered in multiple IBM products, which
    under some circumstances potentially can be exploited by malicious
    people to hijack an authenticated user's session.
    
    Full Advisory:
    http://secunia.com/advisories/11761/
    
     --
    
    [SA11766] PHP-Nuke Direct Script Access Restriction Bypass Weakness
    
    Critical:    Not critical
    Where:       From remote
    Impact:      Security Bypass
    Released:    2004-06-04
    
    Squid has reported a weakness in PHP-Nuke, which can be exploited by
    malicious people to bypass certain security restrictions.
    
    Full Advisory:
    http://secunia.com/advisories/11766/
    
    
    
    ========================================================================
    
    Secunia recommends that you verify all advisories you receive,
    by clicking the link.
    Secunia NEVER sends attached files with advisories.
    Secunia does not advise people to install third party patches, only use
    those supplied by the vendor.
    
    Definitions: (Criticality, Where etc.)
    http://secunia.com/about_secunia_advisories/
    
    Subscribe:
    http://secunia.com/secunia_weekly_summary/
    
    Contact details:
    Web	: http://secunia.com/
    E-mail	: support@private
    Tel	: +45 70 20 51 44
    Fax	: +45 70 20 51 45
    
    ========================================================================
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)
    



    This archive was generated by hypermail 2b30 : Fri Jun 11 2004 - 03:50:47 PDT