======================================================================== The Secunia Weekly Advisory Summary 2005-02-24 - 2005-03-03 This week : 61 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: The Mozilla Foundation has released a new version of their popular Firefox browser, which corrects several vulnerabilities. Please view Secunia advisories below for additional details. References: http://secunia.com/SA13258 http://secunia.com/SA14407 http://secunia.com/SA14163 http://secunia.com/SA12712 http://secunia.com/SA13129 http://secunia.com/SA13599 http://secunia.com/SA14160 http://secunia.com/SA13786 -- Various Computer Associates products have been reported vulnerable to a buffer overflow vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Users of Computer Associates products are advised to check if their products are affected by this vulnerability. References: http://secunia.com/SA14438 -- Various products from Trend Micro have been reported vulnerable to a buffer overflow, which can be exploited by malicious people to compromise a vulnerable system. Users of Trend Micro products are advised to check if their products are affected by this vulnerability. References: http://secunia.com/SA14396 -- Two vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system. Additional details are available in reference advisory below. References: http://secunia.com/SA14456 VIRUS ALERTS: During the last week, Secunia issued 1 MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information: Bagle.BE - MEDIUM RISK Virus Alert - 2005-03-01 12:58 GMT+1 http://secunia.com/virus_information/15815/bagle.be/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA14163] Mozilla Products IDN Spoofing Security Issue 2. [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities 3. [SA14396] Trend Micro Products AntiVirus Library Buffer Overflow 4. [SA13258] Mozilla / Firefox "Save Link As" Download Dialog Spoofing 5. [SA14335] Microsoft Internet Explorer Popup Title Bar Spoofing Weakness 6. [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting 7. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability 8. [SA14160] Mozilla / Firefox Three Vulnerabilities 9. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities 10. [SA14382] phpMyAdmin Local File Inclusion and Cross-Site Scripting ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows [SA14453] RaidenHTTPD Buffer Overflow and PHP Source Code Disclosure [SA14405] BadBlue "mfcisapicommand" Parameter Buffer Overflow Vulnerability [SA14400] KNet HTTP Request Processing Buffer Overflow Vulnerability [SA14435] Scrapland Packet Handling Denial of Service Vulnerabilities [SA14392] CIS WebServer Directory Traversal Vulnerability [SA14454] CA Unicenter Asset Management Multiple Vulnerabilities [SA14455] Einstein Sensitive Information Disclosure [SA14389] PeerFTP_5 User Credentials Disclosure UNIX/Linux: [SA14447] Gentoo update for phpwebsite [SA14412] Debian bsmtpd Arbitrary Command Injection Vulnerability [SA14452] SUSE update for imap [SA14448] Red Hat update for firefox [SA14445] Gentoo update for phpBB [SA14440] Fedora update for Firefox [SA14439] phpCOIN Multiple Vulnerabilities [SA14437] CuteNews Script Insertion Vulnerability [SA14433] PostNuke Multiple Vulnerabilities [SA14431] SUSE update for curl [SA14430] Ubuntu update for libxml1 [SA14425] Gentoo update for unace [SA14421] Ubuntu update for curl [SA14420] Ubuntu update for cyrus21-imapd [SA14419] SUSE Updates for Multiple Packages [SA14393] SUSE update for cyrus-imapd [SA14388] Gentoo update for cyrus-imapd [SA14426] Gentoo update for mediawiki [SA14423] Ubuntu update for reportbug [SA14422] Debian reportbug Exposure of Sensitive Information [SA14411] WU-FTPD Wildcard Denial of Service Vulnerability [SA14398] mkbold-mkitalic BDF Font File Conversion Format String Vulnerability [SA14397] HP-UX ftpd Unspecified File Access Vulnerability [SA14390] Mandrake update for squid [SA14442] Gentoo Qt Insecure Library Path Searching Vulnerability [SA14432] OpenBSD Unspecified Copy Functions Vulnerability [SA14427] KDE kppp Privileged File Descriptor Leak Vulnerability [SA14424] Gentoo update for uim [SA14408] Gentoo update for cmd5checkpw [SA14404] cmd5checkpw Privilege Escalation Vulnerability [SA14402] FreeNX X Server Authentication Bypass Security Issue [SA14391] Mandrake update for uim [SA14446] Gentoo update for gaim [SA14415] Fedora update for gaim [SA14410] Ubuntu update for gaim Other: [SA14395] Cisco ACNS Network Traffic Handling Denial of Service Vulnerabilities [SA14429] Mitel 3300 ICP Web Management Interface Two Vulnerabilities [SA14428] Symantec Firewall Devices SMTP Binding Configuration Bypass Cross Platform: [SA14449] PHPNews Arbitrary File Inclusion Vulnerability [SA14399] phpWebSite Announcement Image Upload Vulnerability [SA14396] Trend Micro Products AntiVirus Library Buffer Overflow [SA14418] Forumwa Two Vulnerabilities [SA14414] MercuryBoard Two Vulnerabilities [SA14413] phpBB "autologinid" Security Bypass [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities [SA14394] PunBB Multiple Vulnerabilities [SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities [SA14434] 427BB "user" Cross Site Scripting Vulnerability [SA14416] CubeCart Cross-Site Scripting Vulnerabilities [SA14409] PHP "readfile()" Denial of Service [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting [SA14417] NX Server X Server Authentication Bypass Security Issue ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-02 Two vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14456/ -- [SA14453] RaidenHTTPD Buffer Overflow and PHP Source Code Disclosure Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2005-03-02 Tan Chew Keong has reported two vulnerabilities in RaidenHTTPD, which can be exploited by malicious people to gain knowledge of potentially sensitive information or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14453/ -- [SA14405] BadBlue "mfcisapicommand" Parameter Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-28 Andres Tarasco has reported a vulnerability in BadBlue, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14405/ -- [SA14400] KNet HTTP Request Processing Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-28 CorryL has reported a vulnerability in KNet, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14400/ -- [SA14435] Scrapland Packet Handling Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-01 Luigi Auriemma has reported some vulnerabilities in Scrapland, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14435/ -- [SA14392] CIS WebServer Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, Exposure of system information Released: 2005-02-28 CorryL has reported a vulnerability in CIS WebServer, which can be exploited by malicious people to gain knowledge of potentially sensitive information. Full Advisory: http://secunia.com/advisories/14392/ -- [SA14454] CA Unicenter Asset Management Multiple Vulnerabilities Critical: Less critical Where: From local network Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2005-03-02 Three vulnerabilities have been reported in CA Unicenter Asset Management, which can be exploited to gain knowledge of sensitive information or conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14454/ -- [SA14455] Einstein Sensitive Information Disclosure Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-03-02 Kozan has discovered a security issue in Einstein, which can be exploited by malicious, local users to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/14455/ -- [SA14389] PeerFTP_5 User Credentials Disclosure Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-02-24 Kozan has discovered a security issue in PeerFTP_5, which can be exploited by malicious, local users to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/14389/ UNIX/Linux:-- [SA14447] Gentoo update for phpwebsite Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-02 Gentoo has issued an update for phpWebSite. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14447/ -- [SA14412] Debian bsmtpd Arbitrary Command Injection Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-28 Bastian Blank has reported a vulnerability in bsmtpd, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14412/ -- [SA14452] SUSE update for imap Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-03-02 SUSE has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication. Full Advisory: http://secunia.com/advisories/14452/ -- [SA14448] Red Hat update for firefox Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, System access Released: 2005-03-02 Red Hat has issued an update for firefox. This fixes multiple vulnerabilities, which can be exploited to spoof various information, plant malware on a user's system, conduct cross-site scripting attacks, disclose and manipulate sensitive information, bypass certain security restrictions, perform certain actions on a vulnerable system with escalated privileges, and compromise a user's system. Full Advisory: http://secunia.com/advisories/14448/ -- [SA14445] Gentoo update for phpBB Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2005-03-02 Gentoo has issued an update for phpBB. This fixes two vulnerabilities, which can be exploited by malicious users to disclose and delete sensitive information. Full Advisory: http://secunia.com/advisories/14445/ -- [SA14440] Fedora update for Firefox Critical: Moderately critical Where: From remote Impact: Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access Released: 2005-03-01 Fedora has issued an update for Firefox. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to trick users into downloading malicious files, to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/14440/ -- [SA14439] phpCOIN Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-01 Lostmon has reported multiple vulnerabilities in phpCOIN, allowing malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14439/ -- [SA14437] CuteNews Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-02 FraMe has reported a vulnerability in CuteNews, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14437/ -- [SA14433] PostNuke Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-01 Maksymilian Arciemowicz has reported multiple vulnerabilities in PostNuke, allowing malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14433/ -- [SA14431] SUSE update for curl Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-01 SUSE has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14431/ -- [SA14430] Ubuntu update for libxml1 Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-01 Ubuntu has issued an update for libxml1. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14430/ -- [SA14425] Gentoo update for unace Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-01 Gentoo has issued an update for unace. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14425/ -- [SA14421] Ubuntu update for curl Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-28 Ubuntu has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14421/ -- [SA14420] Ubuntu update for cyrus21-imapd Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-28 Ubuntu has issued an update for cyrus21-imapd. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14420/ -- [SA14419] SUSE Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS, System access Released: 2005-03-01 SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, or by malicious people to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/14419/ -- [SA14393] SUSE update for cyrus-imapd Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-02-25 SUSE has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14393/ -- [SA14388] Gentoo update for cyrus-imapd Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-24 Gentoo has issued an update for cyrus-imapd. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14388/ -- [SA14426] Gentoo update for mediawiki Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data Released: 2005-03-01 Gentoo has issued an update for mediawiki. This fixes some vulnerabilities, which can be exploited by malicious users to delete arbitrary files, and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14426/ -- [SA14423] Ubuntu update for reportbug Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-28 Ubuntu has issued an update for reportbug. This fixes two vulnerabilities, which may potentially expose sensitive information in bugreports or can be exploited by malicious, local users to view sensitive information. Full Advisory: http://secunia.com/advisories/14423/ -- [SA14422] Debian reportbug Exposure of Sensitive Information Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-28 Rolf Leggewie has reported two vulnerabilities in reportbug, which may potentially expose sensitive information in bugreports and can be exploited by malicious, local users to view sensitive information. Full Advisory: http://secunia.com/advisories/14422/ -- [SA14411] WU-FTPD Wildcard Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2005-02-28 Adam Zabrocki has reported a vulnerability in WU-FTPD, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14411/ -- [SA14398] mkbold-mkitalic BDF Font File Conversion Format String Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2005-02-25 A vulnerability has been reported in mkbold-mkitalic, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14398/ -- [SA14397] HP-UX ftpd Unspecified File Access Vulnerability Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2005-02-25 A vulnerability has been reported in HP-UX, which can be exploited by malicious users to gain knowledge of potentially sensitive information. Full Advisory: http://secunia.com/advisories/14397/ -- [SA14390] Mandrake update for squid Critical: Less critical Where: From remote Impact: System access Released: 2005-02-25 MandrakeSoft has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14390/ -- [SA14442] Gentoo Qt Insecure Library Path Searching Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-03-02 Gentoo has issued an update for qt. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14442/ -- [SA14432] OpenBSD Unspecified Copy Functions Vulnerability Critical: Less critical Where: Local system Impact: Unknown Released: 2005-03-01 A vulnerability with an unknown impact has been reported in OpenBSD. Full Advisory: http://secunia.com/advisories/14432/ -- [SA14427] KDE kppp Privileged File Descriptor Leak Vulnerability Critical: Less critical Where: Local system Impact: Manipulation of data Released: 2005-03-01 A vulnerability has been reported in KDE, which can be exploited by malicious, local users to manipulate the contents of certain files. Full Advisory: http://secunia.com/advisories/14427/ -- [SA14424] Gentoo update for uim Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-03-01 Gentoo has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14424/ -- [SA14408] Gentoo update for cmd5checkpw Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-28 Gentoo has issued an update for cmd5checkpw. This fixes a vulnerability allowing malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14408/ -- [SA14404] cmd5checkpw Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-28 Florian Westphal has reported a vulnerability in cmd5checkpw, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14404/ -- [SA14402] FreeNX X Server Authentication Bypass Security Issue Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-02-28 A security issue has been reported in FreeNX, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14402/ -- [SA14391] Mandrake update for uim Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-25 MandrakeSoft has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14391/ -- [SA14446] Gentoo update for gaim Critical: Not critical Where: From remote Impact: DoS Released: 2005-03-02 Gentoo has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14446/ -- [SA14415] Fedora update for gaim Critical: Not critical Where: From remote Impact: DoS Released: 2005-02-28 Fedora has issued an update for gaim. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14415/ -- [SA14410] Ubuntu update for gaim Critical: Not critical Where: From remote Impact: DoS Released: 2005-02-28 Ubuntu has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14410/ Other:-- [SA14395] Cisco ACNS Network Traffic Handling Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-02-25 Four vulnerabilities have been reported in Cisco Application and Content Networking System (ACNS), which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14395/ -- [SA14429] Mitel 3300 ICP Web Management Interface Two Vulnerabilities Critical: Moderately critical Where: From local network Impact: Hijacking, DoS Released: 2005-03-01 Stephen de Vries of Corsaire has reported two vulnerabilities in Mitel 3300 Integrated Communications Platform (ICP), which can be exploited by malicious people to hijack sessions or by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14429/ -- [SA14428] Symantec Firewall Devices SMTP Binding Configuration Bypass Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-03-01 Arthur Hagen has reported a security issue in various Symantec firewall devices, which may disclose sensitive information to malicious people. Full Advisory: http://secunia.com/advisories/14428/ Cross Platform:-- [SA14449] PHPNews Arbitrary File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-02 Filip Groszynski has reported a vulnerability in PHPNews, allowing malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14449/ -- [SA14399] phpWebSite Announcement Image Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-25 nst has reported a vulnerability in phpWebSite, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14399/ -- [SA14396] Trend Micro Products AntiVirus Library Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-25 ISS X-Force has reported a vulnerability in various Trend Micro products, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14396/ -- [SA14418] Forumwa Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-02 Raven has reported two vulnerabilities in Forumwa, which can be exploited by malicious people to conduct cross-site scripting attacks and malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14418/ -- [SA14414] MercuryBoard Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-02 Doctor Grim has reported two vulnerabilities in MercuryBoard, which can be exploited by malicious people to conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14414/ -- [SA14413] phpBB "autologinid" Security Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-02-28 A vulnerability has been reported in phpBB, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14413/ -- [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access Released: 2005-03-01 Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/14407/ -- [SA14394] PunBB Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data, Exposure of sensitive information Released: 2005-02-25 Some vulnerabilities have been reported in PunBB, which potentially can be exploited by malicious users to disclose sensitive information, and by malicious people to bypass certain security restrictions and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/14394/ -- [SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities Critical: Moderately critical Where: From local network Impact: System access Released: 2005-03-02 Multiple vulnerabilities have been reported in the CA License software, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14438/ -- [SA14434] 427BB "user" Cross Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-02 Raven has reported a vulnerability in 427BB, allowing malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14434/ -- [SA14416] CubeCart Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-02-28 Lostmon has reported multiple vulnerabilities in CubeCart, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14416/ -- [SA14409] PHP "readfile()" Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2005-03-01 A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14409/ -- [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-01 Paul has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14406/ -- [SA14417] NX Server X Server Authentication Bypass Security Issue Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-02-28 Two security issues have been reported in NX Server, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14417/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Fri Mar 04 2005 - 03:20:42 PST