[ISN] Secunia Weekly Summary - Issue: 2005-50

From: InfoSec News (isn@private)
Date: Sun Dec 18 2005 - 12:40:16 PST


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2005-12-08 - 2005-12-15                        

                       This week : 67 advisories                       

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single 
vulnerability report is being validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft has released their monthly security bulletins for December,
which fixes several vulnerabilities in Internet Explorer and a
privilege escalation vulnerability in Windows 2000.

Among the fixed vulnerabilities is also the 6 months old "Extremely
Critical" vulnerability in Internet Explorer, which can be exploited
to compromise a vulnerable system if the user visits a malicious web
site.

All users of Microsoft products are advised to visit Windows Update and
apply available patches.

References:
http://secunia.com/SA15368
http://secunia.com/SA15821


VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code
              Execution Vulnerability
2.  [SA17934] Mozilla Firefox History Information Denial of Service
              Weakness
3.  [SA15368] Microsoft Internet Explorer Multiple Vulnerabilities
4.  [SA17564] Microsoft Internet Explorer CSS Import Disclosure of
              Sensitive Information
5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing
              Vulnerability
6.  [SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
7.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8.  [SA15781] Opera Suppressed "Download Dialog" File Execution
              Vulnerability
9.  [SA17946] Netscape History Information Denial of Service Weakness
10. [SA17944] Mozilla Suite History Information Denial of Service
              Weakness

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17998] Sights 'n Sounds Streaming Media Server Buffer Overflow
Vulnerability
[SA17989] LogiSphere Directory Traversal and Potential Denial of
Service
[SA17983] LocazoList Classifieds "searchdb.asp" Cross-Site Scripting
Vulnerability
[SA17978] Macromedia Flash Media Server Administration Service Denial
of Service
[SA17966] Pocket Controller Professional Missing Authentication Denial
of Service
[SA17990] MDaemon WorldClient LookOut Theme Inbox Denial of Service
Weakness

UNIX/Linux:
[SA18003] HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution
Vulnerability
[SA18012] Debian update for ethereal
[SA18009] Ubuntu updates for xpdf / cupsys / tetex-bin / kdegraphics /
koffice
[SA17980] Gentoo update for openswan / ipsec-tools
[SA17976] CUPS xpdf Multiple Buffer Overflow Vulnerabilities
[SA17965] Debian update for curl
[SA17959] Fedora update for poppler
[SA18029] WHMCompleteSolution "search" Cross-Site Scripting
Vulnerability
[SA18010] UnixWare update for openssh
[SA18005] Trustix update for cpplus
[SA18002] SUSE update for mediawiki
[SA17999] Ubuntu update for courier
[SA17975] CP+ Unspecified Perl Vulnerability
[SA17995] Fedora update for kernel
[SA17986] UnixWare "uidadmin' Buffer Overflow Vulnerability
[SA17977] Ubuntu update for curl
[SA17967] Debian update for osh
[SA17961] Mandriva update for curl
[SA17960] Fedora update for curl
[SA17993] Trustix update for perl

Other:
[SA17974] Nortel SSL VPN Web Interface Arbitrary Command Execution
Vulnerability
[SA17996] Motorola SB5100E Cable Modem LAND Packet Denial of Service

Cross Platform:
[SA18030] phpCOIN SQL Injection and File Inclusion Vulnerabilities
[SA18039] mcGalleryPRO Multiple Vulnerabilities
[SA18023] e107 SQL Injection Vulnerabilities
[SA18022] Snipe Gallery Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA18021] EncapsGallery "id" SQL Injection Vulnerability
[SA18019] PhpWebGallery Multiple SQL Injection Vulnerabilities
[SA18014] Dream Poll "id" SQL Injection Vulnerability
[SA18011] phpWebThings SQL Injection Vulnerabilities
[SA18007] Jamit Job Board "cat" SQL Injection Vulnerability
[SA18000] MyBB SQL Injection and Unspecified Vulnerabilities
[SA17987] Netref "cat" SQL Injection Vulnerability
[SA17985] Apani EpiForce Agent ISAKMP IKE Message Processing Denial of
Service
[SA17984] Arab Portal SQL Injection Vulnerabilities
[SA17979] Scout Portal Toolkit Cross-Site Scripting and SQL Injection
[SA17973] Ethereal OSPF Protocol Dissector Buffer Overflow
Vulnerability
[SA18034] VCD-db Cross-Site Scripting Vulnerabilities
[SA18031] Link Up Gold Cross-Site Scripting Vulnerabilities
[SA18027] ADP Forum "users" Exposure of User Credentials
[SA18024] myBloggie SQL Injection Vulnerabilities
[SA18020] PHP JackKnife Gallery System "sKeywords" Cross-Site
Scripting
[SA18018] Mantis "view_filters_page.php" Cross-Site Scripting
Vulnerability
[SA18016] EveryAuction "searchstring" Cross-Site Scripting
Vulnerability
[SA18015] WikkaWiki "phrase" Cross-Site Scripting Vulnerability
[SA18008] Apache mod_imap "Referer" Cross-Site Scripting Vulnerability
[SA18006] MySQL Auction "keyword" Cross-Site Scripting Vulnerability
[SA17997] milliscripts Redirection "domainname" Cross-Site Scripting
Vulnerability
[SA17988] Utopia News Pro SQL Injection Vulnerabilities
[SA17982] Magic Book Professional "StartRow" Cross-Site Scripting
Vulnerability
[SA17981] QuickPayPro Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA17972] CKGold "keywords" Cross-Site Scripting Vulnerability
[SA17971] Kronolith Script Insertion Vulnerabilities
[SA17970] Horde Script Insertion Vulnerabilities
[SA17969] Nag Script Insertion Vulnerabilities
[SA17968] Turba Script Insertion Vulnerabilities
[SA17964] Mnemo Script Insertion Vulnerabilities
[SA17962] CA CleverPath Portal Login Page Cross-Site Scripting
Vulnerability
[SA17958] UseBB Cross-Site Scripting Vulnerability
[SA17991] Blackboard Learning and Community Portal Systems
"frameset.jsp" Weakness
[SA17963] Opera Bookmark Large Title Denial of Service Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA17998] Sights 'n Sounds Streaming Media Server Buffer Overflow
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-12

dr_insane has discovered a vulnerability in Sights 'n Sounds Streaming
Media Server, which can be exploited by malicious users to cause a DoS
(Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17998/

 --

[SA17989] LogiSphere Directory Traversal and Potential Denial of
Service

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, DoS
Released:    2005-12-12

dr_insane has discovered two vulnerabilities in LogiSphere, which can
be exploited by malicious users to access arbitrary files on a
vulnerable system and potentially to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17989/

 --

[SA17983] LocazoList Classifieds "searchdb.asp" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

r0t has reported a vulnerability in LocazoList Classifieds, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/17983/

 --

[SA17978] Macromedia Flash Media Server Administration Service Denial
of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-13

dr_insane has discovered a vulnerability in Macromedia Flash Media
Server, which can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/17978/

 --

[SA17966] Pocket Controller Professional Missing Authentication Denial
of Service

Critical:    Less critical
Where:       From local network
Impact:      Manipulation of data, DoS
Released:    2005-12-09

Airscanner Mobile Security has reported a security issue in Pocket
Controller Professional, which can be exploited by malicious people to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17966/

 --

[SA17990] MDaemon WorldClient LookOut Theme Inbox Denial of Service
Weakness

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

dr_insane has discovered a weakness in MDaemon, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17990/


UNIX/Linux:--

[SA18003] HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-12-12

HP has acknowledged a vulnerability in HP Tru64 UNIX Secure Web Server,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/18003/

 --

[SA18012] Debian update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-13

Debian has issued an update for ethereal. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18012/

 --

[SA18009] Ubuntu updates for xpdf / cupsys / tetex-bin / kdegraphics /
koffice

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-13

Ubuntu has issued updates for xpdf / cupsys / tetex-bin / kdegraphics /
koffice . These fix some vulnerabilities, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially to
compromise a vulnerable or a user's system.

Full Advisory:
http://secunia.com/advisories/18009/

 --

[SA17980] Gentoo update for openswan / ipsec-tools

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-12-13

Gentoo has issued an update for openswan / ipsec-tools. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17980/

 --

[SA17976] CUPS xpdf Multiple Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-13

Some vulnerabilities have been reported in CUPS, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17976/

 --

[SA17965] Debian update for curl

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, System access
Released:    2005-12-12

Debian has issued an update for curl. This fixes two vulnerabilities,
where one has an unknown impact and another can be exploited by
malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17965/

 --

[SA17959] Fedora update for poppler

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-09

Fedora has issued an update for poppler. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17959/

 --

[SA18029] WHMCompleteSolution "search" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has reported a vulnerability in WHMCompleteSolution, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18029/

 --

[SA18010] UnixWare update for openssh

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2005-12-13

SCO has issued an update for openssh. This fixes two security issues,
which can be exploited malicious users to gain escalated privileges or
bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18010/

 --

[SA18005] Trustix update for cpplus

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

Trustix has issued an update for cpplus. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/18005/

 --

[SA18002] SUSE update for mediawiki

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SUSE has issued an update for mediawiki. This fixes a vulnerability,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/18002/

 --

[SA17999] Ubuntu update for courier

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-12-12

Ubuntu has issued an update for courier-authdaemon. This fixes a
vulnerability, which can be exploited by malicious users to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17999/

 --

[SA17975] CP+ Unspecified Perl Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

A vulnerability has been reported in CP+ (cpplus), which potentially
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/17975/

 --

[SA17995] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-12-14

Fedora has issued an update for the kernel. This fixes some
vulnerabilities, which potentially can be exploited by malicious, local
users to gain escalated privileges and to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/17995/

 --

[SA17986] UnixWare "uidadmin' Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-13

iDEFENSE has reported a vulnerability in UnixWare, which can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17986/

 --

[SA17977] Ubuntu update for curl

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-13

Ubuntu has issued an update for curl. This fixes a vulnerability, which
has an unknown impact.

Full Advisory:
http://secunia.com/advisories/17977/

 --

[SA17967] Debian update for osh

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-09

Debian has issued an update for osh. This fixes two vulnerabilities,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/17967/

 --

[SA17961] Mandriva update for curl

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-09

Mandriva has issued an update for curl. This fixes a vulnerability with
an unknown impact.

Full Advisory:
http://secunia.com/advisories/17961/

 --

[SA17960] Fedora update for curl

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-09

Fedora has issued an update for curl. This fixes a vulnerability with
an unknown impact.

Full Advisory:
http://secunia.com/advisories/17960/

 --

[SA17993] Trustix update for perl

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

Trustix has issued an update for perl. This fixes a vulnerability,
which can be exploited by malicious people to cause a Denial of
Service.

Full Advisory:
http://secunia.com/advisories/17993/


Other:--

[SA17974] Nortel SSL VPN Web Interface Arbitrary Command Execution
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-12-12

Daniel Fabian has reported a vulnerability in Nortel SSL VPN, which can
be exploited by malicious people to  conduct cross-site scripting
attacks and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17974/

 --

[SA17996] Motorola SB5100E Cable Modem LAND Packet Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-13

Alexey Sintsov has reported a vulnerability in Motorola SB5100E, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/17996/


Cross Platform:--

[SA18030] phpCOIN SQL Injection and File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information,
System access
Released:    2005-12-14

rgod has reported two vulnerabilities in phpCOIN, which can be
exploited by malicious people to conduct SQL injection attacks and
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18030/

 --

[SA18039] mcGalleryPRO Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released:    2005-12-14

r0t has reported some vulnerabilities in mcGalleryPRO, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks, and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18039/

 --

[SA18023] e107 SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in e107,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/18023/

 --

[SA18022] Snipe Gallery Cross-Site Scripting and SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-14

r0t has reported some vulnerabilities in Snipe Gallery, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/18022/

 --

[SA18021] EncapsGallery "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has reported a vulnerability in EncapsGallery, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18021/

 --

[SA18019] PhpWebGallery Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has discovered some vulnerabilities in PhpWebGallery, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18019/

 --

[SA18014] Dream Poll "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has reported a vulnerability in Dream Poll, which can be exploited
by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18014/

 --

[SA18011] phpWebThings SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in
phpWebThings, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/18011/

 --

[SA18007] Jamit Job Board "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has reported a vulnerability in Jamit Job Board, which can be
exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18007/

 --

[SA18000] MyBB SQL Injection and Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Manipulation of data
Released:    2005-12-12

Some vulnerabilities have been reported in MyBB, where some have
unknown impacts and others can be exploited by malicious people to
conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18000/

 --

[SA17987] Netref "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-12

syst3m_f4ult has reported a vulnerability in Netref, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17987/

 --

[SA17985] Apani EpiForce Agent ISAKMP IKE Message Processing Denial of
Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-12-14

A vulnerability has been reported in Apani EpiForce, which potentially
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/17985/

 --

[SA17984] Arab Portal SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Devil-00 has reported two vulnerabilities in Arab Portal, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17984/

 --

[SA17979] Scout Portal Toolkit Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-12

Preddy has reported some vulnerabilities in Scout Portal Toolkit, which
can be exploited by malicious people to conduct cross-site scripting and
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17979/

 --

[SA17973] Ethereal OSPF Protocol Dissector Buffer Overflow
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-12

A vulnerability has been reported in Ethereal, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17973/

 --

[SA18034] VCD-db Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-12-14

r0t has reported two vulnerabilities in VCD-db, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18034/

 --

[SA18031] Link Up Gold Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-14

r0t has reported some vulnerabilities in Link Up Gold, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18031/

 --

[SA18027] ADP Forum "users" Exposure of User Credentials

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-12-14

Liz0ziM has discovered a security issue in ADP Forum, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18027/

 --

[SA18024] myBloggie SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in
myBloggie, which can be exploited by malicious users to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/18024/

 --

[SA18020] PHP JackKnife Gallery System "sKeywords" Cross-Site
Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has discovered a vulnerability in PHP JackKnife Gallery System,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/18020/

 --

[SA18018] Mantis "view_filters_page.php" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has discovered a vulnerability in Mantis, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18018/

 --

[SA18016] EveryAuction "searchstring" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-13

$um$id has discovered a vulnerability in EveryAuction, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18016/

 --

[SA18015] WikkaWiki "phrase" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has discovered a vulnerability in WikkaWiki, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18015/

 --

[SA18008] Apache mod_imap "Referer" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-13

A vulnerability has been reported in Apache httpd, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18008/

 --

[SA18006] MySQL Auction "keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has reported a vulnerability in MySQL Auction, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18006/

 --

[SA17997] milliscripts Redirection "domainname" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

Luis Alberto Cortes Zavala has discovered a vulnerability in
milliscripts Redirection, which can be exploited by malicious people to
conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17997/

 --

[SA17988] Utopia News Pro SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in
Utopia News Pro, which can be exploited by malicious users to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17988/

 --

[SA17982] Magic Book Professional "StartRow" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

r0t has reported a vulnerability in Magic Book Professional, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/17982/

 --

[SA17981] QuickPayPro Cross-Site Scripting and SQL Injection
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-14

r0t has reported some vulnerabilities in QuickPayPro, which can be
exploited by malicious users to conduct SQL injection attacks and by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17981/

 --

[SA17972] CKGold "keywords" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has reported a vulnerability in CKGold, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17972/

 --

[SA17971] Kronolith Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Kronolith, which can
be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17971/

 --

[SA17970] Horde Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Horde, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17970/

 --

[SA17969] Nag Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Nag, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17969/

 --

[SA17968] Turba Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Turba, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17968/

 --

[SA17964] Mnemo Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Mnemo, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17964/

 --

[SA17962] CA CleverPath Portal Login Page Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-09

A vulnerability has been reported in CA CleverPath Portal, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17962/

 --

[SA17958] UseBB Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

A vulnerability has been reported in UseBB, which potentially can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17958/

 --

[SA17991] Blackboard Learning and Community Portal Systems
"frameset.jsp" Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-12-12

dr_insane has reported a weakness in Blackboard Learning and Community
Portal Systems, potentially allowing malicious people to conduct
phishing attacks.

Full Advisory:
http://secunia.com/advisories/17991/

 --

[SA17963] Opera Bookmark Large Title Denial of Service Weakness

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

A weakness has been reported in Opera, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17963/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support@private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Sun Dec 18 2005 - 13:08:40 PST