========================================================================

The Secunia Weekly Advisory Summary
2005-03-17 - 2005-03-24

This week : 88 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================
2) This Week in Brief:

Apple has released a new security update for Mac OS X, which corrects several vulnerabilities, including the famous IDN Spoofing Vulnerability.

A complete listing of the vulnerabilities can be found in Secunia advisory SA14655. Additional details about the IDN Spoofing vulnerability can be found in SA14164.

References:
http://secunia.com/SA14655
http://secunia.com/SA14164

--

ISS X-Force has reported a vulnerability in various McAfee products, which can be exploited to compromise a vulnerable system.

Please view the Secunia advisory below for a complete listing of products affected by this vulnerability.

References:
http://secunia.com/SA14628

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA14628] McAfee Multiple Products LHA File Handling Buffer Overflow
2. [SA14163] Mozilla Products IDN Spoofing Security Issue
3. [SA14585] Linux Kernel Multiple Vulnerabilities
4. [SA14631] Microsoft Windows EMF File Denial of Service Vulnerability
5. [SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness
6. [SA14595] Symantec Products Unspecified DNS Cache Poisoning Vulnerability
7. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
9. [SA14640] Java Web Start JNLP File Command Line Argument Injection Vulnerability
10. [SA14555] LimeWire Gnutella Disclosure of Sensitive Information

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14630] Cain & Abel IKE-PSK / HTTP Sniffer Buffer Overflow Vulnerabilities
[SA14627] MailEnable Standard SMTP Format String Vulnerability
[SA14668] betaparticle blog Exposure of Sensitive Information and Security Bypass
[SA14664] FileZilla Server Denial of Service Vulnerabilities
[SA14638] FUN labs Various Games Denial of Service Vulnerabilities
[SA14617] NotifyLink Enterprise Server Multiple Vulnerabilities
[SA14671] Mozilla Thunderbird Drag and Drop Vulnerability
[SA14662] Ocean FTP Server Multiple Connections Denial of Service
[SA14660] Proview Disassembler Filename Handling Buffer Overflow
[SA14625] ACS Blog "search" Cross-Site Scripting Vulnerability
[SA14629] iPool / iSnooker Sensitive Information Disclosure
[SA14616] Servers Alive Privilege Escalation Vulnerability
[SA14631] Microsoft Windows EMF File Denial of Service Vulnerability
[SA14610] IDA Pro Debugger Dynamic Link Library Loading Vulnerability

UNIX/Linux:
[SA14709] Red Hat update for Mozilla
[SA14706] Red Hat update for Thunderbird
[SA14705] Fedora update for Firefox
[SA14699] Fedora update for Thunderbird
[SA14698] Fedora update for mozilla
[SA14687] Red Hat update for imagemagick
[SA14655] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA14653] Ubuntu update for php4
[SA14650] SUSE Updates for Multiple Packages
[SA14623] Red Hat update for tetex
[SA14621] Ubuntu update for libxpm4/libxpm4-dbg
[SA14704] Fedora update for kdelibs
[SA14700] SUSE update for imagemagick
[SA14686] Red Hat update for ipsec-tools
[SA14683] Debian update for xloadimage
[SA14682] Red Hat update for kdelibs
[SA14681] Red Hat update for imagemagick
[SA14675] IPsec-Tools ISAKMP Header Parsing Denial of Service
[SA14666] Red Hat update for libexif
[SA14665] Red Hat update for realplayer
[SA14661] Debian update for xli
[SA14656] Trustix update for mysql / kernel
[SA14637] Gentoo update for sylpheed/sylpheed-claws
[SA14634] Gentoo update for rxvt-unicode
[SA14633] Red Hat update for sylpheed
[SA14632] Red Hat update for ethereal
[SA14624] Red Hat Postfix IPv6 Relaying Security Issue
[SA14622] Sylpheed-Claws Message Reply Buffer Overflow Vulnerability
[SA14620] Fedora update for ethereal
[SA14619] Gentoo update for curl
[SA14614] SUSE update for MozillaFirefox
[SA14612] Conectiva update for cyrus-imapd
[SA14636] Gentoo update for openslp
[SA14708] Interspire ArticleLive 2005 "ArticleId" Cross-Site Scripting Vulnerability
[SA14678] Fedora update for mailman
[SA14677] Sun Java System Application Server Cross-Site Scripting
[SA14674] HP-UX Apache Security Bypass and Denial of Service
[SA14673] Gentoo dyndnsupdate Multiple Buffer Overflows
[SA14667] Red Hat update for mailman
[SA14663] Xzabite dyndnsupdate Multiple Buffer Overflows
[SA14646] AnswerBook2 Documentation Server Two Vulnerabilities
[SA14643] Fedora update for xloadimage
[SA14615] Gentoo update for grip
[SA14657] Mandrake update for mysql
[SA14618] Gentoo update for mysql
[SA14672] Debian update for perl
[SA14645] Sun Solaris newgrp Privilege Escalation Vulnerability
[SA14639] Gentoo update for ltris
[SA14635] LTris Highscore List Buffer Overflow Vulnerability
[SA14613] Conectiva update for kdenetwork
[SA14626] Gentoo update for kdelibs

Other:

Cross Platform:
[SA14707] Vortex Portal "act" File Inclusion Vulnerability
[SA14688] Double Choco Latte Cross-Site Scripting and PHP Code Execution
[SA14685] Mozilla Thunderbird GIF Image Processing Buffer Overflow Vulnerability
[SA14684] Mozilla Security Bypass and Buffer Overflow Vulnerabilities
[SA14670] CzarNews "tpath" File Inclusion Vulnerability
[SA14669] TRG News Script "dir" File Inclusion Vulnerability
[SA14654] Mozilla Firefox Three Vulnerabilities
[SA14649] DeleGate Multiple Unspecified Buffer Overflow Vulnerabilities
[SA14640] Java Web Start JNLP File Command Line Argument Injection Vulnerability
[SA14628] McAfee Multiple Products LHA File Handling Buffer Overflow
[SA14676] BirdBlog "userid" and "userpw" SQL Injection Vulnerability
[SA14652] Subdreamer Light Global Variables SQL Injection Vulnerability
[SA14648] exoops "file" Exposure of Sensitive Information
[SA14647] Runcms "file" Exposure of Sensitive Information
[SA14642] phpmyfamily SQL Injection Vulnerabilities
[SA14641] ciamos "file" Exposure of Sensitive Information
[SA14690] phpSysInfo Cross-Site Scripting Vulnerabilities
[SA14680] phorum "body" Parameter HTTP Response Splitting
[SA14679] MercuryBoard "title" Script Insertion Vulnerability
[SA14658] SurgeMail Three Vulnerabilities
[SA14651] PHPOpenChat Cross-Site Scripting Vulnerabilities
[SA14644] Icecast XSL Stylesheet Source Exposure
[SA14611] Novell Netware Xsession Security Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA14630] Cain & Abel IKE-PSK / HTTP Sniffer Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-18

Two vulnerabilities have been reported in Cain & Abel. One has an unknown impact and the other can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14630/

--

[SA14627] MailEnable Standard SMTP Format String Vulnerability

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-03-18

Mati Aharoni has discovered a vulnerability in MailEnable Standard, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14627/

--

[SA14668] betaparticle blog Exposure of Sensitive Information and Security Bypass

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2005-03-22

farhad koosha has reported a vulnerability and a security issue in betaparticle blog, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14668/

--

[SA14664] FileZilla Server Denial of Service Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-03-22

Two vulnerabilities have been reported in FileZilla Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14664/

--

[SA14638] FUN labs Various Games Denial of Service Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-03-22

Luigi Auriemma has reported two vulnerabilities in various FUN labs games, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14638/

--

[SA14617] NotifyLink Enterprise Server Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information
Released: 2005-03-18

NOAA NCIRT Lab has reported some vulnerabilities in NotifyLink Enterprise Server, which can be exploited to disclose sensitive information, bypass certain security restrictions, and conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/14617/

--

[SA14671] Mozilla Thunderbird Drag and Drop Vulnerability

Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-22

A vulnerability has been reported in Thunderbird, which can be exploited by malicious people to plant malware on a user's system.

Full Advisory: http://secunia.com/advisories/14671/

--

[SA14662] Ocean FTP Server Multiple Connections Denial of Service

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-03-22

GSS-IT has reported a vulnerability in Ocean FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14662/

--

[SA14660] Proview Disassembler Filename Handling Buffer Overflow

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-03-22

HaCkZaTaN has discovered a vulnerability in Proview Disassembler, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14660/

--

[SA14625] ACS Blog "search" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-18

farhad koosha has reported a vulnerability in ACS Blog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14625/

--

[SA14629] iPool / iSnooker Sensitive Information Disclosure

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-03-18

Kozan has discovered a security issue in iPool and iSnooker, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14629/

--

[SA14616] Servers Alive Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-17

Michael Starks has discovered a vulnerability in Servers Alive, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14616/

--

[SA14631] Microsoft Windows EMF File Denial of Service Vulnerability

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-03-18

Hongzhen Zhou has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14631/

--

[SA14610] IDA Pro Debugger Dynamic Link Library Loading Vulnerability

Critical: Not critical
Where: From remote
Impact: System access
Released: 2005-03-17

Piotr Bania has reported a vulnerability in IDA Pro, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14610/

UNIX/Linux:

--

[SA14709] Red Hat update for Mozilla

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Released: 2005-03-24

Red Hat has issued an update for Mozilla. This fixes several vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, conduct spoofing attacks and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14709/

--

[SA14706] Red Hat update for Thunderbird

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-24

Red Hat has issued an update for Thunderbird. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14706/

--

[SA14705] Fedora update for Firefox

Critical: Highly critical
Where: From remote
Impact: Security Bypass
Released: 2005-03-24

Fedora has issued an update for Firefox. This fixes three vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14705/

--

[SA14699] Fedora update for Thunderbird

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-24

Fedora has issued an update for Thunderbird. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14699/

--

[SA14698] Fedora update for mozilla

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, System access
Released: 2005-03-24

Fedora has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited to bypass certain security restrictions, conduct spoofing and script insertion attacks, disclose various information, or compromise a user's system.

Full Advisory: http://secunia.com/advisories/14698/

--

[SA14687] Red Hat update for imagemagick

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-23

Red Hat has issued an update for imagemagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14687/

--

[SA14655] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-03-22

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory: http://secunia.com/advisories/14655/

--

[SA14653] Ubuntu update for php4

Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-03-21

Ubuntu has issued an update for php4. This fixes some vulnerabilities, which can be exploited to bypass certain security restrictions or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14653/

--

[SA14650] SUSE Updates for Multiple Packages

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-03-21

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14650/

--

[SA14623] Red Hat update for tetex

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-17

Red Hat has issued an update for tetex. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14623/

--

[SA14621] Ubuntu update for libxpm4/libxpm4-dbg

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-17

Ubuntu has issued updates for libxpm4 and libxpm4-dbg. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14621/

--

[SA14704] Fedora update for kdelibs

Critical: Moderately critical
Where: From remote
Impact: DoS, Privilege escalation, Spoofing
Released: 2005-03-24

Fedora has issued an update for kdelibs. This fixes two vulnerabilities and a security issue, which can be exploited by malicious, local users to cause a DoS (Denial of Service), perform certain actions with escalated privileges on a vulnerable system, and by a malicious web site to spoof the URL displayed in the address bar and status bar.

Full Advisory: http://secunia.com/advisories/14704/

--

[SA14700] SUSE update for imagemagick

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-24

SUSE has issued an update for imagemagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14700/

--

[SA14686] Red Hat update for ipsec-tools

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-03-23

Red Hat has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14686/

--

[SA14683] Debian update for xloadimage

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-23

Debian has issued an update for xloadimage. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14683/

--

[SA14682] Red Hat update for kdelibs

Critical: Moderately critical
Where: From remote
Impact: Spoofing, Privilege escalation, DoS
Released: 2005-03-23

Red Hat has issued an update for kdelibs.
This fixes two vulnerabilities and a security issue, which can be exploited by malicious, local users to cause a DoS (Denial of Service), perform certain actions with escalated privileges on a vulnerable system, and by a malicious web site to spoof the URL displayed in the address bar and status bar.

Full Advisory: http://secunia.com/advisories/14682/

--

[SA14681] Red Hat update for imagemagick

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-23

Red Hat has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14681/

--

[SA14675] IPsec-Tools ISAKMP Header Parsing Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-03-23

A vulnerability has been reported in IPsec-Tools, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14675/

--

[SA14666] Red Hat update for libexif

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-03-22

Red Hat has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14666/

--

[SA14665] Red Hat update for realplayer

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-03-22

Full Advisory: http://secunia.com/advisories/14665/

--

[SA14661] Debian update for xli

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-22

Debian has issued an update for xli. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14661/

--

[SA14656] Trustix update for mysql / kernel

Critical: Moderately critical
Where: From remote
Impact: System access, DoS, Privilege escalation
Released: 2005-03-22

Trustix has issued updates for mysql and the kernel. These fix various vulnerabilities, which can be exploited to cause a DoS (Denial of Service), perform certain actions with escalated privileges, or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14656/

--

[SA14637] Gentoo update for sylpheed/sylpheed-claws

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-21

Gentoo has issued updates for sylpheed and sylpheed-claws. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14637/

--

[SA14634] Gentoo update for rxvt-unicode

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-21

Gentoo has issued an update for rxvt-unicode. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14634/

--

[SA14633] Red Hat update for sylpheed

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-18

Red Hat has issued an update for sylpheed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14633/

--

[SA14632] Red Hat update for ethereal

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-03-18

Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14632/

--

[SA14624] Red Hat Postfix IPv6 Relaying Security Issue

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-03-17

Red Hat has issued an update for postfix. This fixes a security issue, which can be exploited by malicious people to use a vulnerable system as an open relay.

Full Advisory: http://secunia.com/advisories/14624/

--

[SA14622] Sylpheed-Claws Message Reply Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-21

A vulnerability has been reported in Sylpheed-Claws, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14622/

--

[SA14620] Fedora update for ethereal

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-03-17

Fedora has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14620/

--

[SA14619] Gentoo update for curl

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-17

Gentoo has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14619/

--

[SA14614] SUSE update for MozillaFirefox

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Released: 2005-03-17

SUSE has issued an update for MozillaFirefox.
This fixes some vulnerabilities, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/14614/

--

[SA14612] Conectiva update for cyrus-imapd

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-03-18

Conectiva has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14612/

--

[SA14636] Gentoo update for openslp

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-03-21

Gentoo has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14636/

--

[SA14708] Interspire ArticleLive 2005 "ArticleId" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-24

mircia has reported a vulnerability in Interspire ArticleLive 2005, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14708/

--

[SA14678] Fedora update for mailman

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-23

Fedora has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14678/

--

[SA14677] Sun Java System Application Server Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-23

Eric Hobbs has reported a vulnerability in Sun Java System Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14677/

--

[SA14674] HP-UX Apache Security Bypass and Denial of Service

Critical: Less critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2005-03-22

HP has acknowledged some vulnerabilities in HP-UX Apache, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14674/

--

[SA14673] Gentoo dyndnsupdate Multiple Buffer Overflows

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-03-22

Gentoo has acknowledged some vulnerabilities in dyndnsupdate, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14673/

--

[SA14667] Red Hat update for mailman

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-22

Red Hat has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14667/

--

[SA14663] Xzabite dyndnsupdate Multiple Buffer Overflows

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-03-22

Toby Dickenson has reported multiple vulnerabilities in Xzabite dyndnsupdate, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14663/

--

[SA14646] AnswerBook2 Documentation Server Two Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-21

Thomas Liam Romanis has reported two vulnerabilities in AnswerBook2 Documentation Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14646/

--

[SA14643] Fedora update for xloadimage

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-03-21

Fedora has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14643/

--

[SA14615] Gentoo update for grip

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-03-18

Gentoo has issued an update for grip. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14615/

--

[SA14657] Mandrake update for mysql

Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-03-22

MandrakeSoft has issued an update for mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14657/

--

[SA14618] Gentoo update for mysql

Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-03-17

Gentoo has issued an update for mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14618/

--

[SA14672] Debian update for perl

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-22

Debian has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14672/

--

[SA14645] Sun Solaris newgrp Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-21

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14645/

--

[SA14639] Gentoo update for ltris

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-21

Gentoo has issued an update for ltris. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14639/

--

[SA14635] LTris Highscore List Buffer Overflow Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-21

A vulnerability has been reported in LTris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14635/

--

[SA14613] Conectiva update for kdenetwork

Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2005-03-17

Conectiva has issued an update for kdenetwork. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate the contents of certain files.

Full Advisory: http://secunia.com/advisories/14613/

--

[SA14626] Gentoo update for kdelibs

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-03-21

Gentoo has issued an update for kdelibs.
This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14626/

Other:

Cross Platform:

--

[SA14707] Vortex Portal "act" File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-24

Francisco Alisson has reported a vulnerability in Vortex Portal, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14707/

--

[SA14688] Double Choco Latte Cross-Site Scripting and PHP Code Execution

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-03-24

James Bercegay has reported two vulnerabilities in Double Choco Latte, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14688/

--

[SA14685] Mozilla Thunderbird GIF Image Processing Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-24

Mark Dowd has reported a vulnerability in Thunderbird, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14685/

--

[SA14684] Mozilla Security Bypass and Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-03-24

Two vulnerabilities have been reported in Mozilla, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14684/

--

[SA14670] CzarNews "tpath" File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-22

Frank "brOmstar" Reissner has reported a vulnerability in CzarNews, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14670/

--

[SA14669] TRG News Script "dir" File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-22

Frank "brOmstar" Reissner has reported a vulnerability in TRG News Script, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14669/

--

[SA14654] Mozilla Firefox Three Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-03-24

Three vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14654/

--

[SA14649] DeleGate Multiple Unspecified Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-22

Some vulnerabilities have been reported in DeleGate, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14649/

--

[SA14640] Java Web Start JNLP File Command Line Argument Injection Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-21

Jouko Pynnönen has reported a vulnerability in Java Web Start, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14640/

--

[SA14628] McAfee Multiple Products LHA File Handling Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-18

ISS X-Force has reported a vulnerability in multiple McAfee products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14628/

--

[SA14676] BirdBlog "userid" and "userpw" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-23

A vulnerability has been reported in BirdBlog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/14676/

--

[SA14652] Subdreamer Light Global Variables SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-21

GHC team has reported a vulnerability in Subdreamer Light, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/14652/

--

[SA14648] exoops "file" Exposure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21

NT has reported a vulnerability in exoops, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14648/

--

[SA14647] Runcms "file" Exposure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21

NT has reported a vulnerability in Runcms, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14647/

--

[SA14642] phpmyfamily SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-22

ADZ Security Team has reported some vulnerabilities in phpmyfamily, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/14642/

--

[SA14641] ciamos "file" Exposure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21

NT has reported a vulnerability in ciamos, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14641/

--

[SA14690] phpSysInfo Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-03-24

Maksymilian Arciemowicz has reported some vulnerabilities in phpSysInfo, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14690/

--

[SA14680] phorum "body" Parameter HTTP Response Splitting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-23

Positive Technologies has reported a vulnerability in phorum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14680/

--

[SA14679] MercuryBoard "title" Script Insertion Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-23

Secunia Research has discovered a vulnerability in MercuryBoard, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14679/

--

[SA14658] SurgeMail Three Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2005-03-22

Tan Chew Keong has reported three vulnerabilities in SurgeMail, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks, bypass certain security restrictions, and gain knowledge of various information.

Full Advisory: http://secunia.com/advisories/14658/

--

[SA14651] PHPOpenChat Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-22

Pi3cH has reported some vulnerabilities in PHPOpenChat, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14651/

--

[SA14644] Icecast XSL Stylesheet Source Exposure

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21

Patrick has discovered a vulnerability in Icecast, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14644/

--

[SA14611] Novell Netware Xsession Security Bypass

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-03-17

A vulnerability has been reported in Novell Netware, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14611/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@private
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45