======================================================================== The Secunia Weekly Advisory Summary 2004-09-16 - 2004-09-23 This week : 70 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Secunia has implemented new features at Secunia.com SECUNIA ADVISORIES NOW INCLUDE "Solution Status": In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of a advisory, i.e. if the vendor has released a patch or not. IMPROVED PRODUCT PAGES: The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix"). View the following for examples: Opera 7: http://secunia.com/product/761/ Internet Explorer 6: http://secunia.com/product/11/ Mozilla Firefox: http://secunia.com/product/3256/ EXTRA STATISTICS: Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period. View the following for an example: Internet Explorer 6: http://secunia.com/product/11/#statistics_solution FEEDBACK SYSTEM: To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department. Ideas, suggestions, and other feedback is most welcome Secunia Feedback Form: http://secunia.com/contact_form/ ======================================================================== 2) This Week in Brief: ADVISORIES: Chris Evans has found several image related vulnerabilities in GdkPixbuf and libXpm, which can be exploited to compromise vulnerable systems. Many Linux distributions have already issued updated packages addressing these vulnerabilities. Please view secunia.com for information about updated packages. Reference: http://secunia.com/SA12549 http://secunia.com/SA12542 -- Two vulnerabilities have been reported in PHP, which can be exploited to expose system information or to upload files in arbitrary locations. However, in order to upload files in arbitrary locations, PHP has to be used in a special way. Updated versions of PHP are available in the CVS repository. Please refer to the Secunia advisory below for details. Reference: http://secunia.com/SA12560 -- Apple has issued a security update for iChat, which addresses a vulnerability that can be exploited to compromise a vulnerable system. Please read Secunia advisory below for details about the update. Reference: http://secunia.com/SA12575 VIRUS ALERTS: Secunia has not issued any virus alerts during the last week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA12526] Mozilla Multiple Vulnerabilities 2. [SA12528] Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability 3. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability 4. [SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability 5. [SA12542] GdkPixbuf Multiple Image Decoding Vulnerabilities 6. [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability 7. [SA12581] Internet Explorer Cross-Domain Cookie Injection Vulnerability 8. [SA12535] Netscape Multiple Vulnerabilities 9. [SA11978] Multiple Browsers Frame Injection Vulnerability 10. [SA12575] Apple Mac OS X Security Update Fixes iChat Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA12616] Emulive Server4 Security Bypass and Denial of Service Vulnerabilities [SA12589] Lords of the Realm III Username Handling Denial of Service [SA12587] WebIntelligence Document Deletion and Cross-Site Scripting Vulnerabilities [SA12578] Whatsup Gold Reserved DOS Device Name HTTP Request Denial of Service [SA12611] VP-ASP Shopping Cart Database Connection Denial of Service [SA12595] DNS4Me Web Server Cross-Site Scripting and Denial of Service [SA12581] Internet Explorer Cross-Domain Cookie Injection Vulnerability [SA12612] Pop Messenger Invalid Character Denial of Service Vulnerability [SA12585] Pigeon Server Login Denial of Service Vulnerability UNIX/Linux: [SA12630] Conectiva update for qt3 [SA12629] Gentoo update for xine-lib [SA12628] Mandrake update for mpg123 [SA12625] Mandrake update for ImageMagick [SA12623] Debian update for imlib2 [SA12615] Gentoo update for gtk+ / gdk-pixbuf [SA12608] Debian netkit-telnet-ssl Buffer Overflow Vulnerability [SA12607] Gentoo update for Mozilla/Firefox/Thunderbird/Epiphany [SA12602] xine-lib Multiple Buffer Overflow Vulnerabilities [SA12599] Sun Java Enterprise System NSS Library Vulnerability [SA12598] FreeBSD update for CVS [SA12588] SuSE update for gtk2 and gdk-pixbuf [SA12586] Debian update for gtk+2.0 [SA12583] Mandrake update for XFree86 [SA12579] SuSE update for XFree86 [SA12575] Apple Mac OS X Security Update Fixes iChat Vulnerability [SA12574] OpenBSD update for Xpm [SA12573] Debian update for imlib [SA12568] Red Hat update for gtk2 [SA12565] Gentoo update for mpg123 [SA12564] Debian update for gdk-pixbuf [SA12563] Debian update for imagemagick [SA12619] Gentoo update for freeradius [SA12614] Debian update for lukemftpd [SA12592] Debian update for wv [SA12582] Gentoo update for snipsnap [SA12570] FreeRADIUS Multiple Unspecified Denial of Service Vulnerabilities [SA12562] Gentoo update for heimdal [SA12584] sdd Unspecified RMT Client Vulnerability [SA12624] Conectiva update for spamassassin [SA12577] Gentoo update for apache2 and mod_dav [SA12576] Gentoo update for phpGroupWare [SA12572] Fedora update for apr-util [SA12632] Red Hat redhat-config-nfs Incorrect Share Permissions Security Issue [SA12631] Red Hat update for samba [SA12626] Slackware update for CUPS [SA12617] OpenBSD Radius Authentication "login_radius" Security Bypass [SA12603] Gentoo update for CUPS [SA12571] Red Hat update for CUPS [SA12566] Debian update for cupsys [SA12627] Mandrake update for webmin [SA12610] Fedora update for foomatic [SA12600] RsyncX Privilege Escalation Vulnerabilities [SA12596] sudo Arbitrary File Reading Vulnerability [SA12594] getmail Privilege Escalation Vulnerability [SA12591] Gentoo update for foomatic [SA12567] Mandrake update for printer-drivers Other: [SA12601] SMC Broadband Routers Session Handling Security Bypass Cross Platform: [SA12633] Apache "Satisfy" Directive Access Control Bypass Security Issue [SA12606] TUTOS SQL Injection and Cross-Site Scripting Vulnerabilities [SA12597] ReMOSitory "filecatid" SQL Injection Vulnerability [SA12593] YaBB Cross-Site Scripting and Security Bypass Vulnerabilities [SA12590] Snitz Forums 2000 HTTP Response Splitting Vulnerability [SA12569] SnipSnap HTTP Response Splitting Vulnerability [SA12561] MyServer Directory Traversal Vulnerability [SA12560] PHP Memory Leak and Arbitrary File Location Upload Vulnerabilities [SA12621] Subversion "mod_authz_svn" Unreadable Path Information Disclosure [SA12609] YaBB Input Validation Vulnerabilities [SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability [SA12604] Symantec ON Command CCM Default Database Administrator Accounts [SA12620] CA UniCenter Management Portal Username Disclosure Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA12616] Emulive Server4 Security Bypass and Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2004-09-22 James Bercegay has reported a vulnerability in Emulive Server4, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12616/ -- [SA12589] Lords of the Realm III Username Handling Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-09-20 Luigi Auriemma has reported a vulnerability in Lords of the Realm III, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12589/ -- [SA12587] WebIntelligence Document Deletion and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2004-09-18 Corsaire has reported two vulnerabilities in WebIntelligence, which can be exploited by malicious people to delete sensitive information and conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12587/ -- [SA12578] Whatsup Gold Reserved DOS Device Name HTTP Request Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-09-18 A vulnerability has been reported in WhatsUp Gold, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12578/ -- [SA12611] VP-ASP Shopping Cart Database Connection Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2004-09-22 A vulnerability has been reported in VP-ASP, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12611/ -- [SA12595] DNS4Me Web Server Cross-Site Scripting and Denial of Service Critical: Less critical Where: From remote Impact: Cross Site Scripting, DoS Released: 2004-09-20 James Bercegay has reported two vulnerabilities in DNS4Me Web Server, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12595/ -- [SA12581] Internet Explorer Cross-Domain Cookie Injection Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2004-09-18 WESTPOINT has reported a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct session fixation attacks. Full Advisory: http://secunia.com/advisories/12581/ -- [SA12612] Pop Messenger Invalid Character Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-22 Luigi Auriemma has reported a vulnerability in Pop Messenger, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12612/ -- [SA12585] Pigeon Server Login Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-17 Luigi Auriemma has reported a vulnerability in Pigeon Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12585/ UNIX/Linux:-- [SA12630] Conectiva update for qt3 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-23 Conectiva has issued an update for qt3. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12630/ -- [SA12629] Gentoo update for xine-lib Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-23 Gentoo has issued an update for xine-lib. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12629/ -- [SA12628] Mandrake update for mpg123 Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-23 MandrakeSoft has issued an update for mpg123. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12628/ -- [SA12625] Mandrake update for ImageMagick Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-23 MandrakeSoft has issued an update for ImageMagick. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12625/ -- [SA12623] Debian update for imlib2 Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2004-09-23 Debian has issued an update for imlib2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12623/ -- [SA12615] Gentoo update for gtk+ / gdk-pixbuf Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-22 Gentoo has issued updates for gdk-pixbuf and gtk+. These fix multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12615/ -- [SA12608] Debian netkit-telnet-ssl Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-21 A very old vulnerability reportedly still affects the netkit-telnet-ssl package for Debian Linux, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12608/ -- [SA12607] Gentoo update for Mozilla/Firefox/Thunderbird/Epiphany Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access Released: 2004-09-21 Gentoo has issued updates for Mozilla, Firefox, Thunderbird, and Epiphany. These fix multiple vulnerabilities, which potentially can be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system. Full Advisory: http://secunia.com/advisories/12607/ -- [SA12602] xine-lib Multiple Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-20 Multiple vulnerabilities have been reported in xine-lib, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12602/ -- [SA12599] Sun Java Enterprise System NSS Library Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-20 Sun has acknowledged a vulnerability in the NSS library included with Sun Java Enterprise System, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12599/ -- [SA12598] FreeBSD update for CVS Critical: Highly critical Where: From remote Impact: Exposure of system information, DoS, System access Released: 2004-09-21 FreeBSD has issued an update for CVS. This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service), compromise a vulnerable system, or gain knowledge of certain system information. Full Advisory: http://secunia.com/advisories/12598/ -- [SA12588] SuSE update for gtk2 and gdk-pixbuf Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-17 SuSE has issued updates for gdk-pixbuf and gtk2. These fix multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12588/ -- [SA12586] Debian update for gtk+2.0 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-17 Debian has issued an update for gtk+2.0. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12586/ -- [SA12583] Mandrake update for XFree86 Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-17 MandrakeSoft has issued an update for XFree86. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12583/ -- [SA12579] SuSE update for XFree86 Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-18 SuSE has issued an update for XFree86. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12579/ -- [SA12575] Apple Mac OS X Security Update Fixes iChat Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-17 Apple has issued a security update for Mac OS X iChat client. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12575/ -- [SA12574] OpenBSD update for Xpm Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-17 OpenBSD has issued an update for Xpm. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12574/ -- [SA12573] Debian update for imlib Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-16 Debian has issued an update for imlib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12573/ -- [SA12568] Red Hat update for gtk2 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-09-16 Red Hat has issued an update for gtk2. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12568/ -- [SA12565] Gentoo update for mpg123 Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-16 Gentoo has issued an update for mpg123. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12565/ -- [SA12564] Debian update for gdk-pixbuf Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2004-09-16 Debian has issued an update for gdk-pixbuf. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12564/ -- [SA12563] Debian update for imagemagick Critical: Highly critical Where: From remote Impact: System access Released: 2004-09-20 Debian has issued an update for ImageMagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12563/ -- [SA12619] Gentoo update for freeradius Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-09-23 Gentoo has issued an update for freeradius. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12619/ -- [SA12614] Debian update for lukemftpd Critical: Moderately critical Where: From remote Impact: Privilege escalation, System access Released: 2004-09-22 Debian has issued an update for lukemftpd. This fixes some vulnerabilities, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12614/ -- [SA12592] Debian update for wv Critical: Moderately critical Where: From remote Impact: System access Released: 2004-09-21 Debian has issued an update for wv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12592/ -- [SA12582] Gentoo update for snipsnap Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-09-20 Gentoo has issued an update for snipsnap. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12582/ -- [SA12570] FreeRADIUS Multiple Unspecified Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-09-20 Multiple unspecified vulnerabilities have been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12570/ -- [SA12562] Gentoo update for heimdal Critical: Moderately critical Where: From remote Impact: System access, Privilege escalation Released: 2004-09-16 Gentoo has issued an update for heimdal. This fixes some vulnerabilities, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12562/ -- [SA12584] sdd Unspecified RMT Client Vulnerability Critical: Moderately critical Where: From local network Impact: Unknown Released: 2004-09-18 A vulnerability with an unknown impact has been reported in sdd. Full Advisory: http://secunia.com/advisories/12584/ -- [SA12624] Conectiva update for spamassassin Critical: Less critical Where: From remote Impact: DoS Released: 2004-09-23 Connectiva has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12624/ -- [SA12577] Gentoo update for apache2 and mod_dav Critical: Less critical Where: From remote Impact: Privilege escalation, DoS Released: 2004-09-17 Gentoo has issued updates for apache2 and mod_dav. These fix multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or gain escalated privileges. Full Advisory: http://secunia.com/advisories/12577/ -- [SA12576] Gentoo update for phpGroupWare Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-09-17 Gentoo has issued an update for phpGroupWare. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12576/ -- [SA12572] Fedora update for apr-util Critical: Less critical Where: From remote Impact: DoS Released: 2004-09-16 Fedora has issued an update for apr-util. This fixes a vulnerability which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12572/ -- [SA12632] Red Hat redhat-config-nfs Incorrect Share Permissions Security Issue Critical: Less critical Where: From local network Impact: Security Bypass Released: 2004-09-23 John Buswell has reported a security issue in redhat-config-nfs, which may result in users having more permissions than expected on exported resources. Full Advisory: http://secunia.com/advisories/12632/ -- [SA12631] Red Hat update for samba Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-23 Red Hat has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12631/ -- [SA12626] Slackware update for CUPS Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-23 Slackware has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12626/ -- [SA12617] OpenBSD Radius Authentication "login_radius" Security Bypass Critical: Less critical Where: From local network Impact: Security Bypass Released: 2004-09-22 Eilko Bos has reported a vulnerability in OpenBSD, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/12617/ -- [SA12603] Gentoo update for CUPS Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-21 Gentoo has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12603/ -- [SA12571] Red Hat update for CUPS Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-16 Red Hat has issued an update for CUPS. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12571/ -- [SA12566] Debian update for cupsys Critical: Less critical Where: From local network Impact: DoS Released: 2004-09-16 Debian has issued an update for cupsys. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12566/ -- [SA12627] Mandrake update for webmin Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-23 MandrakeSoft has issued an update for webmin. This fixes a vulnerability, which potentially can be exploited by malicious, local user to perform certain actions on a system with escalated privileges. Full Advisory: http://secunia.com/advisories/12627/ -- [SA12610] Fedora update for foomatic Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-22 Fedora has issued an update for foomatic. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/12610/ -- [SA12600] RsyncX Privilege Escalation Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-20 Matt Johnston has reported two vulnerabilities in RsyncX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/12600/ -- [SA12596] sudo Arbitrary File Reading Vulnerability Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2004-09-20 Reznic Valery has reported a vulnerability in sudo, which can be exploited by malicious, local users to read arbitrary files. Full Advisory: http://secunia.com/advisories/12596/ -- [SA12594] getmail Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-20 David Watson has reported a vulnerability in getmail, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/12594/ -- [SA12591] Gentoo update for foomatic Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-21 Gentoo has issued an update for foomatic. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/12591/ -- [SA12567] Mandrake update for printer-drivers Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-09-16 MandrakeSoft has issued an update for printer-drivers. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/12567/ Other:-- [SA12601] SMC Broadband Routers Session Handling Security Bypass Critical: Less critical Where: From local network Impact: Security Bypass Released: 2004-09-20 Jimmy Scott has reported a vulnerability in SMC broadband routers, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/12601/ Cross Platform:-- [SA12633] Apache "Satisfy" Directive Access Control Bypass Security Issue Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-09-23 A security issue has been reported in Apache, which may allow malicious people to bypass configured access controls. Full Advisory: http://secunia.com/advisories/12633/ -- [SA12606] TUTOS SQL Injection and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2004-09-21 Joxean Koret has reported some vulnerabilities, which can be exploited to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12606/ -- [SA12597] ReMOSitory "filecatid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2004-09-20 khoai has reported a vulnerability in the ReMOSitory add-on for Mambo, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/12597/ -- [SA12593] YaBB Cross-Site Scripting and Security Bypass Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2004-09-21 GulfTech Security has discovered two vulnerabilities in YaBB, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/12593/ -- [SA12590] Snitz Forums 2000 HTTP Response Splitting Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-09-20 Maestro has reported a vulnerability in Snitz Forums 2000, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12590/ -- [SA12569] SnipSnap HTTP Response Splitting Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-09-20 Maestro De-Seguridad has reported a vulnerability has been reported in SnipSnap, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12569/ -- [SA12561] MyServer Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2004-09-16 Arnaud Jacques has reported a vulnerability in MyServer, which can be exploited by malicious people to access sensitive information. Full Advisory: http://secunia.com/advisories/12561/ -- [SA12560] PHP Memory Leak and Arbitrary File Location Upload Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2004-09-18 Two vulnerabilities have been reported in PHP, which can be exploited by malicious people to disclose sensitive information or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12560/ -- [SA12621] Subversion "mod_authz_svn" Unreadable Path Information Disclosure Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2004-09-23 A security issue has been reported in Subversion, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/12621/ -- [SA12609] YaBB Input Validation Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2004-09-22 Two vulnerabilities have been reported in YaBB, which can be exploited to conduct cross-site scripting attacks and manipulate certain files. Full Advisory: http://secunia.com/advisories/12609/ -- [SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2004-09-18 WESTPOINT has reported a vulnerability in Mozilla / Mozilla Firefox, which potentially can be exploited by malicious people to conduct session fixation attacks. Full Advisory: http://secunia.com/advisories/12580/ -- [SA12604] Symantec ON Command CCM Default Database Administrator Accounts Critical: Less critical Where: From local network Impact: Security Bypass Released: 2004-09-22 Jonas Olsson has reported a security issue in ON Command CCM, which can be exploited by malicious people to access sensitive information. Full Advisory: http://secunia.com/advisories/12604/ -- [SA12620] CA UniCenter Management Portal Username Disclosure Weakness Critical: Not critical Where: From local network Impact: Exposure of system information Released: 2004-09-22 Thomas Adams has reported a weakness in UniCenter Management Portal, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/12620/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 ======================================================================== _________________________________________ Donate online for the Ron Santo Walk to Cure Diabetes - http://www.c4i.org/ethan.html
This archive was generated by hypermail 2.1.3 : Fri Sep 24 2004 - 04:42:59 PDT