========================================================================

The Secunia Weekly Advisory Summary
2004-11-18 - 2004-11-25

This week : 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Monitor, Filter, and Manage Security Information

- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================
2) This Week in Brief:

ADVISORIES:

Winamp is vulnerable to a buffer overflow, which can be exploited to execute arbitrary code on a vulnerable system.

Initially, it was reported by the vendor that Winamp version 5.06 fixed this vulnerability. However, according to Brett Moore, the discoverer of the vulnerability, the latest version is also vulnerable to this buffer overflow.

Currently, no vendor solution is available.

Please review the referenced Secunia advisory below for details.

References:
http://secunia.com/SA13269

--

Security Researcher Jouko Pynnonen has reported a vulnerability in Sun Java, which can be exploited to compromise vulnerable systems.

The vendor has released fixes for the vulnerable versions, which can be downloaded from Sun.

Please view the Secunia advisory below for details.

References:
http://secunia.com/SA13271

VIRUS ALERTS:

During the last week, Secunia issued 1 MEDIUM RISK virus alert and 1 HIGH RISK virus alert.
Please refer to the grouped virus profiles below for more information:

Sober.I - HIGH RISK Virus Alert - 2004-11-23 23:37 GMT+1
http://secunia.com/virus_information/13463/sober.i/

Sober.I - MEDIUM RISK Virus Alert - 2004-11-19 10:37 GMT+1
http://secunia.com/virus_information/13463/sober.i/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA13203] Microsoft Internet Explorer Two Vulnerabilities
2. [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability
3. [SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
4. [SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability
5. [SA13191] Skype "callto:" URI Handler Buffer Overflow Vulnerability
6. [SA13208] Microsoft Internet Explorer Cookie Path Attribute Vulnerability
7. [SA13239] phpBB Multiple Vulnerabilities
8. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
9. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13275] SecureCRT Arbitrary Configuration Folder Specification Vulnerability
[SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
[SA13248] DMS POP3 Server Authentication Buffer Overflow Vulnerability
[SA13282] CoffeeCup Direct/Free FTP ActiveX Component Buffer Overflow Vulnerability
[SA13270] wodFtpDLX ActiveX Component Buffer Overflow Vulnerability
[SA13273] Halo Client Server List Browsing Denial of Service Vulnerability
[SA13268] Fastream NETFile FTP/Web Server Multiple HEAD Requests Denial of Service
[SA13264] Sacred Multiple Connection Denial of Service Vulnerability
[SA13244] ZoneAlarm Advertising Blocking Denial of Service Vulnerability
[SA13304] WinFTP Server Clear Text User Credential Disclosure
[SA13279] Prevx Home Intrusion Prevention Feature Bypass Vulnerability
[SA13265] Altiris Deployment Solution AClient "View Log File" Privilege Escalation
[SA13256] Danware NetOp System Information Disclosure Weakness
[SA13246] Citrix MetaFrame Presentation Server Client Debugging Security Issue

UNIX/Linux:
[SA13297] Mandrake update for xfree86
[SA13296] Gentoo update for twiki
[SA13295] Gentoo prozilla Multiple Buffer Overflow Vulnerabilities
[SA13294] ProZilla Multiple Buffer Overflow Vulnerabilities
[SA13293] Gentoo update for phpbb
[SA13288] Mandrake update for libxpm4
[SA13274] Cyrus IMAP Server Multiple Vulnerabilities
[SA13249] Gentoo update for xorg-x11/xfree
[SA13290] Debian update for bnc
[SA13281] Gentoo update for pdftohtml
[SA13280] pdftohtml Multiple PDF Document Handling Vulnerabilities
[SA13277] Apple iCal Calendar Alarm Program Execution Vulnerability
[SA13272] Fedora update for kernel
[SA13238] Conectiva update for libxml
[SA13237] Cscope Insecure Temporary File Creation and Buffer Overflow Vulnerabilities
[SA13240] Mandrake update for samba
[SA13250] Timbuktu Buffer Overflow Denial of Service Vulnerability
[SA13305] Debian update for sudo
[SA13283] Conectiva update for shadow-utils
[SA13259] wmFrog Insecure Temporary File Creation Vulnerability
[SA13242] Gentoo update for fcron
[SA13299] Conectiva update for bugzilla

Other:
[SA13278] ZyXEL Prestige 650HW Unprotected Reset Functionality
[SA13266] W-Channel TC-IDE Shell Command Injection Vulnerabilities

Cross Platform:
[SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability
[SA13247] phpBB Cash_Mod Arbitrary File Inclusion Vulnerability
[SA13239] phpBB Multiple Vulnerabilities
[SA13300] PHPNews "mid" Parameter SQL Injection Vulnerability
[SA13289] Soldier of Fortune II Buffer Overflow Vulnerability
[SA13287] SugarCRM Unspecified Security Issues
[SA13284] Zwiki Link Script Insertion Vulnerability
[SA13263] F-Secure Products Zip Archive Virus Detection Bypass Vulnerability
[SA13262] PHPKIT SQL injection and Cross-Site Scripting Vulnerabilities
[SA13260] Invision Power Board ibProArcade "cat" SQL Injection Vulnerability
[SA13255] WebGUI Unspecified "user profile" Vulnerability
[SA13245] Invision Power Board "qpid" SQL Injection Vulnerability
[SA13301] RediCart Exposure of Configuration File
[SA13285] JSPWiki "query" Parameter Cross-Site Scripting Vulnerability
[SA13261] SecretSanta Security Bypass Vulnerability
[SA13243] IBM HTTP Server Denial of Service Vulnerabilities
[SA13241] phpMyAdmin Cross-Site Scripting Vulnerabilities
[SA13236] ClickandBuild Constructed Store "listPos" Cross-Site Scripting Vulnerability
[SA13286] KorWeblog "path" Directory Listing Information Disclosure Weakness
[SA13257] Opera "sun.*" System Information Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA13275] SecureCRT Arbitrary Configuration Folder Specification Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Brett Moore has reported a vulnerability in SecureCRT, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13275/

--
[SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Brett Moore has reported a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13269/

--
[SA13248] DMS POP3 Server Authentication Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-19

Reed Arvin has discovered a vulnerability in DMS POP3 Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13248/

--
[SA13282] CoffeeCup Direct/Free FTP ActiveX Component Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Komrade has reported a vulnerability in the third-party wodFtpDLX ActiveX component included in CoffeeCup Direct and CoffeeCup Free FTP, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13282/

--
[SA13270] wodFtpDLX ActiveX Component Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Komrade has reported a vulnerability in wodFtpDLX ActiveX Component, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13270/

--
[SA13273] Halo Client Server List Browsing Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-11-24

Luigi Auriemma has reported a vulnerability in Halo, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13273/

--
[SA13268] Fastream NETFile FTP/Web Server Multiple HEAD Requests Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-11-23

bratax has reported a vulnerability in Fastream NETFile FTP/Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13268/

--
[SA13264] Sacred Multiple Connection Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-11-22

soylent has reported a vulnerability in Sacred, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/13264/

--
[SA13244] ZoneAlarm Advertising Blocking Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-11-19

Nicolas Robillard has reported a vulnerability in ZoneAlarm Pro and ZoneAlarm Security Suite, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13244/

--
[SA13304] WinFTP Server Clear Text User Credential Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-11-24

Ziv Kamir has discovered a security issue in WinFTP Server, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/13304/

--
[SA13279] Prevx Home Intrusion Prevention Feature Bypass Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-11-23

Tan Chew Keong has reported a vulnerability in Prevx Home, which can be exploited by certain malicious processes to bypass security features provided by the product.

Full Advisory:
http://secunia.com/advisories/13279/

--
[SA13265] Altiris Deployment Solution AClient "View Log File" Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-22

Reed Arvin has discovered a vulnerability in Altiris Deployment Solution, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13265/

--
[SA13256] Danware NetOp System Information Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-11-22

Martin O'Neal has reported a weakness in NetOp, which can be exploited by malicious people to disclose some system information.
Full Advisory:
http://secunia.com/advisories/13256/

--
[SA13246] Citrix MetaFrame Presentation Server Client Debugging Security Issue

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-11-22

A security issue has been reported in Citrix MetaFrame Presentation Server Client, which can be exploited by malicious users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/13246/

UNIX/Linux:
--
[SA13297] Mandrake update for xfree86

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-11-24

MandrakeSoft has issued an update for xfree86. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13297/

--
[SA13296] Gentoo update for twiki

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-24

Gentoo has issued an update for twiki. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13296/

--
[SA13295] Gentoo prozilla Multiple Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-24

Gentoo has acknowledged some vulnerabilities in the prozilla package, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13295/

--
[SA13294] ProZilla Multiple Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-24

Multiple vulnerabilities have been reported in ProZilla, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13294/

--
[SA13293] Gentoo update for phpbb

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2004-11-24

Gentoo has issued an update for phpbb. This fixes some vulnerabilities, which can be exploited by malicious people to execute arbitrary commands, conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13293/

--
[SA13288] Mandrake update for libxpm4

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-11-24

MandrakeSoft has issued an update for libxpm4. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13288/

--
[SA13274] Cyrus IMAP Server Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Stefan Esser has reported four vulnerabilities in Cyrus IMAP Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13274/

--
[SA13249] Gentoo update for xorg-x11/xfree

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-11-22

Gentoo has issued updates for xorg-x11 and xfree. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13249/

--
[SA13290] Debian update for bnc

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-11-24

Debian has issued an update for bnc. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13290/

--
[SA13281] Gentoo update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Gentoo has issued an update for pdftohtml. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13281/

--
[SA13280] pdftohtml Multiple PDF Document Handling Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Some vulnerabilities have been reported in pdftohtml, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13280/

--
[SA13277] Apple iCal Calendar Alarm Program Execution Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Aaron has reported a vulnerability in iCal, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13277/

--
[SA13272] Fedora update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-11-23

Full Advisory:
http://secunia.com/advisories/13272/

--
[SA13238] Conectiva update for libxml

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-11-18

Conectiva has issued an update for libxml. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13238/

--
[SA13237] Cscope Insecure Temporary File Creation and Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-11-18

Two vulnerabilities have been reported in Cscope, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13237/

--
[SA13240] Mandrake update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-11-19

MandrakeSoft has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13240/

--
[SA13250] Timbuktu Buffer Overflow Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-11-19

Corsaire has reported a vulnerability in Timbuktu for Mac OS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13250/

--
[SA13305] Debian update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-24

Debian has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13305/

--
[SA13283] Conectiva update for shadow-utils

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-11-23

Conectiva has issued an update for shadow-utils. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/13283/

--
[SA13259] wmFrog Insecure Temporary File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-24

Joey Hess has reported a vulnerability in wmFrog, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13259/

--
[SA13242] Gentoo update for fcron

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2004-11-19

Gentoo has issued an update for fcron. This fixes four vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, bypass access restrictions, and delete arbitrary files.

Full Advisory:
http://secunia.com/advisories/13242/

--
[SA13299] Conectiva update for bugzilla

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-11-24

Conectiva has issued an update for bugzilla. This fixes a security issue, which can be exploited by malicious users to remove keywords from bugs, even though the user doesn't have the proper permissions.

Full Advisory:
http://secunia.com/advisories/13299/

Other:
--
[SA13278] ZyXEL Prestige 650HW Unprotected Reset Functionality

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-11-24

Francisco "José" Canela has reported a vulnerability in ZyXEL Prestige 650HW, which can be exploited by malicious people to reset the configuration of a vulnerable device.

Full Advisory:
http://secunia.com/advisories/13278/

--
[SA13266] W-Channel TC-IDE Shell Command Injection Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-11-24

ECL team has reported some vulnerabilities in W-Channel TC-IDE, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/13266/

Cross Platform:
--
[SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-23

Jouko Pynnonen has reported a vulnerability in Sun Java Plug-in, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13271/

--
[SA13247] phpBB Cash_Mod Arbitrary File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-11-19

Jerome Athias has reported a vulnerability in the Cash_Mod module for phpBB, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13247/

--
[SA13239] phpBB Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2004-11-19

Some vulnerabilities have been reported in phpBB, which can be exploited by malicious people to execute arbitrary commands, conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13239/

--
[SA13300] PHPNews "mid" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-11-24

A vulnerability has been reported in PHPNews, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13300/

--
[SA13289] Soldier of Fortune II Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-11-24

Luigi Auriemma has reported a vulnerability in Soldier of Fortune II, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/13289/

--
[SA13287] SugarCRM Unspecified Security Issues

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-11-24

Some security issues with unknown impacts have been reported in SugarCRM.

Full Advisory:
http://secunia.com/advisories/13287/

--
[SA13284] Zwiki Link Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-24

Jeremy Bae has reported a vulnerability in Zwiki, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13284/

--
[SA13263] F-Secure Products Zip Archive Virus Detection Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-11-23

A vulnerability has been reported in various F-Secure products, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/13263/

--
[SA13262] PHPKIT SQL injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-11-24

Steve has reported some vulnerabilities in PHPKIT, allowing malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13262/

--
[SA13260] Invision Power Board ibProArcade "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-11-22

Axl has reported a vulnerability in the ibProArcade module for Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/13260/

--
[SA13255] WebGUI Unspecified "user profile" Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-11-22

A vulnerability with an unknown impact has been reported in WebGUI.

Full Advisory:
http://secunia.com/advisories/13255/

--
[SA13245] Invision Power Board "qpid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-11-19

Positive Technologies has reported a vulnerability in Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13245/

--
[SA13301] RediCart Exposure of Configuration File

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-11-24

Cassiopeia has reported a security issue in RediCart and S-Mart Shopping Cart Script, allowing malicious people to view the configuration file.

Full Advisory:
http://secunia.com/advisories/13301/

--
[SA13285] JSPWiki "query" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-24

Jeremy Bae has reported a vulnerability in JSPWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13285/

--
[SA13261] SecretSanta Security Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-11-23

A vulnerability has been reported in SecretSanta, which can be exploited by malicious users to bypass some security restrictions.
Full Advisory:
http://secunia.com/advisories/13261/

--
[SA13243] IBM HTTP Server Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-11-19

IBM has acknowledged two vulnerabilities in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13243/

--
[SA13241] phpMyAdmin Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-19

Cedric Cochin has reported some vulnerabilities in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13241/

--
[SA13236] ClickandBuild Constructed Store "listPos" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-11-19

Andrew Smith has reported a vulnerability in Click and Build, which can be exploited by malicious people to conduct cross-site scripting attacks on certain built stores.

Full Advisory:
http://secunia.com/advisories/13236/

--
[SA13286] KorWeblog "path" Directory Listing Information Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-11-24

Jeremy Bae has reported a weakness in KorWeblog, which can be exploited by malicious people to disclose system information.

Full Advisory:
http://secunia.com/advisories/13286/

--
[SA13257] Opera "sun.*" System Information Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-11-22

Marc Schoenefeld has reported a weakness in Opera, which can be exploited by malicious people to disclose some system information.
Full Advisory:
http://secunia.com/advisories/13257/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web   : http://secunia.com/
E-mail: support@private
Tel   : +45 70 20 51 44
Fax   : +45 70 20 51 45

========================================================================

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Thu Nov 25 2004 - 23:03:15 PST