========================================================================

The Secunia Weekly Advisory Summary
2005-12-08 - 2005-12-15

This week : 67 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to ensure that you have the best and most reliable source of vulnerability information. Every single vulnerability report is validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft has released its monthly security bulletins for December, which fix several vulnerabilities in Internet Explorer and a privilege escalation vulnerability in Windows 2000.

Among the fixed vulnerabilities is the 6-month-old "Extremely Critical" vulnerability in Internet Explorer, which can be exploited to compromise a vulnerable system if the user visits a malicious web site.

All users of Microsoft products are advised to visit Windows Update and apply available patches.
References:
http://secunia.com/SA15368
http://secunia.com/SA15821

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
2.  [SA17934] Mozilla Firefox History Information Denial of Service Weakness
3.  [SA15368] Microsoft Internet Explorer Multiple Vulnerabilities
4.  [SA17564] Microsoft Internet Explorer CSS Import Disclosure of Sensitive Information
5.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
6.  [SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
7.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8.  [SA15781] Opera Suppressed "Download Dialog" File Execution Vulnerability
9.  [SA17946] Netscape History Information Denial of Service Weakness
10. [SA17944] Mozilla Suite History Information Denial of Service Weakness

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17998] Sights 'n Sounds Streaming Media Server Buffer Overflow Vulnerability
[SA17989] LogiSphere Directory Traversal and Potential Denial of Service
[SA17983] LocazoList Classifieds "searchdb.asp" Cross-Site Scripting Vulnerability
[SA17978] Macromedia Flash Media Server Administration Service Denial of Service
[SA17966] Pocket Controller Professional Missing Authentication Denial of Service
[SA17990] MDaemon WorldClient LookOut Theme Inbox Denial of Service Weakness

UNIX/Linux:
[SA18003] HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution Vulnerability
[SA18012] Debian update for ethereal
[SA18009] Ubuntu updates for xpdf / cupsys / tetex-bin / kdegraphics / koffice
[SA17980] Gentoo update for openswan / ipsec-tools
[SA17976] CUPS xpdf Multiple Buffer Overflow Vulnerabilities
[SA17965] Debian update for curl
[SA17959] Fedora update for poppler
[SA18029] WHMCompleteSolution "search" Cross-Site Scripting Vulnerability
[SA18010] UnixWare update for openssh
[SA18005] Trustix update for cpplus
[SA18002] SUSE update for mediawiki
[SA17999] Ubuntu update for courier
[SA17975] CP+ Unspecified Perl Vulnerability
[SA17995] Fedora update for kernel
[SA17986] UnixWare "uidadmin" Buffer Overflow Vulnerability
[SA17977] Ubuntu update for curl
[SA17967] Debian update for osh
[SA17961] Mandriva update for curl
[SA17960] Fedora update for curl
[SA17993] Trustix update for perl

Other:
[SA17974] Nortel SSL VPN Web Interface Arbitrary Command Execution Vulnerability
[SA17996] Motorola SB5100E Cable Modem LAND Packet Denial of Service

Cross Platform:
[SA18030] phpCOIN SQL Injection and File Inclusion Vulnerabilities
[SA18039] mcGalleryPRO Multiple Vulnerabilities
[SA18023] e107 SQL Injection Vulnerabilities
[SA18022] Snipe Gallery Cross-Site Scripting and SQL Injection Vulnerabilities
[SA18021] EncapsGallery "id" SQL Injection Vulnerability
[SA18019] PhpWebGallery Multiple SQL Injection Vulnerabilities
[SA18014] Dream Poll "id" SQL Injection Vulnerability
[SA18011] phpWebThings SQL Injection Vulnerabilities
[SA18007] Jamit Job Board "cat" SQL Injection Vulnerability
[SA18000] MyBB SQL Injection and Unspecified Vulnerabilities
[SA17987] Netref "cat" SQL Injection Vulnerability
[SA17985] Apani EpiForce Agent ISAKMP IKE Message Processing Denial of Service
[SA17984] Arab Portal SQL Injection Vulnerabilities
[SA17979] Scout Portal Toolkit Cross-Site Scripting and SQL Injection
[SA17973] Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability
[SA18034] VCD-db Cross-Site Scripting Vulnerabilities
[SA18031] Link Up Gold Cross-Site Scripting Vulnerabilities
[SA18027] ADP Forum "users" Exposure of User Credentials
[SA18024] myBloggie SQL Injection Vulnerabilities
[SA18020] PHP JackKnife Gallery System "sKeywords" Cross-Site Scripting
[SA18018] Mantis "view_filters_page.php" Cross-Site Scripting Vulnerability
[SA18016] EveryAuction "searchstring" Cross-Site Scripting Vulnerability
[SA18015] WikkaWiki "phrase" Cross-Site Scripting Vulnerability
[SA18008] Apache mod_imap "Referer" Cross-Site Scripting Vulnerability
[SA18006] MySQL Auction "keyword" Cross-Site Scripting Vulnerability
[SA17997] milliscripts Redirection "domainname" Cross-Site Scripting Vulnerability
[SA17988] Utopia News Pro SQL Injection Vulnerabilities
[SA17982] Magic Book Professional "StartRow" Cross-Site Scripting Vulnerability
[SA17981] QuickPayPro Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17972] CKGold "keywords" Cross-Site Scripting Vulnerability
[SA17971] Kronolith Script Insertion Vulnerabilities
[SA17970] Horde Script Insertion Vulnerabilities
[SA17969] Nag Script Insertion Vulnerabilities
[SA17968] Turba Script Insertion Vulnerabilities
[SA17964] Mnemo Script Insertion Vulnerabilities
[SA17962] CA CleverPath Portal Login Page Cross-Site Scripting Vulnerability
[SA17958] UseBB Cross-Site Scripting Vulnerability
[SA17991] Blackboard Learning and Community Portal Systems "frameset.jsp" Weakness
[SA17963] Opera Bookmark Large Title Denial of Service Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA17998] Sights 'n Sounds Streaming Media Server Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-12

dr_insane has discovered a vulnerability in Sights 'n Sounds Streaming Media Server, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17998/

--

[SA17989] LogiSphere Directory Traversal and Potential Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, DoS
Released:    2005-12-12

dr_insane has discovered two vulnerabilities in LogiSphere, which can be exploited by malicious users to access arbitrary files on a vulnerable system and potentially to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17989/

--

[SA17983] LocazoList Classifieds "searchdb.asp" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

r0t has reported a vulnerability in LocazoList Classifieds, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17983/

--

[SA17978] Macromedia Flash Media Server Administration Service Denial of Service
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-13

dr_insane has discovered a vulnerability in Macromedia Flash Media Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17978/

--

[SA17966] Pocket Controller Professional Missing Authentication Denial of Service
Critical:    Less critical
Where:       From local network
Impact:      Manipulation of data, DoS
Released:    2005-12-09

Airscanner Mobile Security has reported a security issue in Pocket Controller Professional, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17966/

--

[SA17990] MDaemon WorldClient LookOut Theme Inbox Denial of Service Weakness
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

dr_insane has discovered a weakness in MDaemon, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17990/

UNIX/Linux:

--

[SA18003] HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-12-12

HP has acknowledged a vulnerability in HP Tru64 UNIX Secure Web Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18003/

--

[SA18012] Debian update for ethereal
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-13

Debian has issued an update for ethereal. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18012/

--

[SA18009] Ubuntu updates for xpdf / cupsys / tetex-bin / kdegraphics / koffice
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-13

Ubuntu has issued updates for xpdf / cupsys / tetex-bin / kdegraphics / koffice. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable or a user's system.
Full Advisory: http://secunia.com/advisories/18009/

--

[SA17980] Gentoo update for openswan / ipsec-tools
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-12-13

Gentoo has issued an update for openswan / ipsec-tools. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17980/

--

[SA17976] CUPS xpdf Multiple Buffer Overflow Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-13

Some vulnerabilities have been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17976/

--

[SA17965] Debian update for curl
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, System access
Released:    2005-12-12

Debian has issued an update for curl. This fixes two vulnerabilities, where one has an unknown impact and another can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17965/

--

[SA17959] Fedora update for poppler
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-09

Fedora has issued an update for poppler. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17959/

--

[SA18029] WHMCompleteSolution "search" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has reported a vulnerability in WHMCompleteSolution, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18029/

--

[SA18010] UnixWare update for openssh
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2005-12-13

SCO has issued an update for openssh. This fixes two security issues, which can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18010/

--

[SA18005] Trustix update for cpplus
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

Trustix has issued an update for cpplus. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18005/

--

[SA18002] SUSE update for mediawiki
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SUSE has issued an update for mediawiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18002/

--

[SA17999] Ubuntu update for courier
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-12-12

Ubuntu has issued an update for courier-authdaemon. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17999/

--

[SA17975] CP+ Unspecified Perl Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

A vulnerability has been reported in CP+ (cpplus), which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17975/

--

[SA17995] Fedora update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-12-14

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges and to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17995/

--

[SA17986] UnixWare "uidadmin" Buffer Overflow Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-13

iDEFENSE has reported a vulnerability in UnixWare, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17986/

--

[SA17977] Ubuntu update for curl
Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-13

Ubuntu has issued an update for curl. This fixes a vulnerability, which has an unknown impact.
Full Advisory: http://secunia.com/advisories/17977/

--

[SA17967] Debian update for osh
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-12-09

Debian has issued an update for osh. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17967/

--

[SA17961] Mandriva update for curl
Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-09

Mandriva has issued an update for curl. This fixes a vulnerability with an unknown impact.
Full Advisory: http://secunia.com/advisories/17961/

--

[SA17960] Fedora update for curl
Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2005-12-09

Fedora has issued an update for curl. This fixes a vulnerability with an unknown impact.
Full Advisory: http://secunia.com/advisories/17960/

--

[SA17993] Trustix update for perl
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

Trustix has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a Denial of Service.
Full Advisory: http://secunia.com/advisories/17993/

Other:

--

[SA17974] Nortel SSL VPN Web Interface Arbitrary Command Execution Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-12-12

Daniel Fabian has reported a vulnerability in Nortel SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17974/

--

[SA17996] Motorola SB5100E Cable Modem LAND Packet Denial of Service
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-12-13

Alexey Sintsov has reported a vulnerability in Motorola SB5100E, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17996/

Cross Platform:

--

[SA18030] phpCOIN SQL Injection and File Inclusion Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, System access
Released:    2005-12-14

rgod has reported two vulnerabilities in phpCOIN, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18030/

--

[SA18039] mcGalleryPRO Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released:    2005-12-14

r0t has reported some vulnerabilities in mcGalleryPRO, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/18039/

--

[SA18023] e107 SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in e107, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18023/

--

[SA18022] Snipe Gallery Cross-Site Scripting and SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-14

r0t has reported some vulnerabilities in Snipe Gallery, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18022/

--

[SA18021] EncapsGallery "id" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has reported a vulnerability in EncapsGallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18021/

--

[SA18019] PhpWebGallery Multiple SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has discovered some vulnerabilities in PhpWebGallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18019/

--

[SA18014] Dream Poll "id" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has reported a vulnerability in Dream Poll, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18014/

--

[SA18011] phpWebThings SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in phpWebThings, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18011/

--

[SA18007] Jamit Job Board "cat" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-14

r0t has reported a vulnerability in Jamit Job Board, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18007/

--

[SA18000] MyBB SQL Injection and Unspecified Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Manipulation of data
Released:    2005-12-12

Some vulnerabilities have been reported in MyBB, where some have unknown impacts and others can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18000/

--

[SA17987] Netref "cat" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-12

syst3m_f4ult has reported a vulnerability in Netref, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17987/

--

[SA17985] Apani EpiForce Agent ISAKMP IKE Message Processing Denial of Service
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-12-14

A vulnerability has been reported in Apani EpiForce, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17985/

--

[SA17984] Arab Portal SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Devil-00 has reported two vulnerabilities in Arab Portal, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17984/

--

[SA17979] Scout Portal Toolkit Cross-Site Scripting and SQL Injection
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-12

Preddy has reported some vulnerabilities in Scout Portal Toolkit, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17979/

--

[SA17973] Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-12-12

A vulnerability has been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17973/

--

[SA18034] VCD-db Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-12-14

r0t has reported two vulnerabilities in VCD-db, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18034/

--

[SA18031] Link Up Gold Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-12-14

r0t has reported some vulnerabilities in Link Up Gold, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18031/

--

[SA18027] ADP Forum "users" Exposure of User Credentials
Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-12-14

Liz0ziM has discovered a security issue in ADP Forum, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/18027/

--

[SA18024] myBloggie SQL Injection Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in myBloggie, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18024/

--

[SA18020] PHP JackKnife Gallery System "sKeywords" Cross-Site Scripting
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has discovered a vulnerability in PHP JackKnife Gallery System, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18020/

--

[SA18018] Mantis "view_filters_page.php" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has discovered a vulnerability in Mantis, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18018/

--

[SA18016] EveryAuction "searchstring" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-13

$um$id has discovered a vulnerability in EveryAuction, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18016/

--

[SA18015] WikkaWiki "phrase" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has discovered a vulnerability in WikkaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18015/

--

[SA18008] Apache mod_imap "Referer" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-13

A vulnerability has been reported in Apache httpd, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18008/

--

[SA18006] MySQL Auction "keyword" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has reported a vulnerability in MySQL Auction, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18006/

--

[SA17997] milliscripts Redirection "domainname" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

Luis Alberto Cortes Zavala has discovered a vulnerability in milliscripts Redirection, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17997/

--

[SA17988] Utopia News Pro SQL Injection Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-12-13

Yichen Xie and Alex Aiken have discovered some vulnerabilities in Utopia News Pro, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17988/

--

[SA17982] Magic Book Professional "StartRow" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

r0t has reported a vulnerability in Magic Book Professional, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17982/

--

[SA17981] QuickPayPro Cross-Site Scripting and SQL Injection Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-12-14

r0t has reported some vulnerabilities in QuickPayPro, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17981/

--

[SA17972] CKGold "keywords" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-14

r0t has reported a vulnerability in CKGold, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17972/

--

[SA17971] Kronolith Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Kronolith, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/17971/

--

[SA17970] Horde Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Horde, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/17970/

--

[SA17969] Nag Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Nag, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/17969/

--

[SA17968] Turba Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Turba, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/17968/

--

[SA17964] Mnemo Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

SEC Consult has reported some vulnerabilities in Mnemo, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/17964/

--

[SA17962] CA CleverPath Portal Login Page Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-09

A vulnerability has been reported in CA CleverPath Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17962/

--

[SA17958] UseBB Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-12-12

A vulnerability has been reported in UseBB, which potentially can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17958/

--

[SA17991] Blackboard Learning and Community Portal Systems "frameset.jsp" Weakness
Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-12-12

dr_insane has reported a weakness in Blackboard Learning and Community Portal Systems, potentially allowing malicious people to conduct phishing attacks.
Full Advisory: http://secunia.com/advisories/17991/

--

[SA17963] Opera Bookmark Large Title Denial of Service Weakness
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-12-12

A weakness has been reported in Opera, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17963/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@private
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45