========================================================================

The Secunia Weekly Advisory Summary
2006-01-19 - 2006-01-26

This week : 59 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in various F-Secure products, which can be exploited by malware to bypass detection or malicious people to compromise a vulnerable system.

All users of F-Secure products are advised to check for available patches.

Reference:
http://secunia.com/SA18529

--

Maksim Orlovich has reported a vulnerability in KDE kjs, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

Additional details may be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA18500

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18529] F-Secure Anti-Virus Archive Handling Vulnerabilities
2.  [SA18493] Oracle Products Multiple Vulnerabilities and Security Issues
3.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
4.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
5.  [SA18579] OpenSSH scp Command Line Shell Command Injection
6.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
7.  [SA18500] KDE kjs UTF-8 Encoded URI Buffer Overflow Vulnerability
8.  [SA18556] Etomite "cij" Shell Command Execution Backdoor Security Issue
9.  [SA18560] WebspotBlogging "username" SQL Injection Vulnerability
10. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18574] Sami FTP Server USER Command Buffer Overflow
[SA18553] Hitachi HITSENSER Data Mart Server SQL Injection
[SA18550] FileCOPA FTP Server Directory Traversal Vulnerability
[SA18589] Kerio WinRoute Firewall Web Browsing Denial of Service
[SA18551] MailSite Cross-Site Scripting and Denial of Service

UNIX/Linux:
[SA18584] Avaya S87XX/S8500/S8300 Lynx "HTrjis()" NNTP Buffer Overflow
[SA18583] Fedora update for kdelibs
[SA18570] Gentoo update for kdelibs
[SA18568] Debian update for libapache-auth-ldap
[SA18561] Debian update for kdelibs
[SA18559] SUSE update for kdelibs3
[SA18552] Ubuntu update for kdelibs4c2
[SA18616] Mandriva update for ipsec-tools
[SA18612] Debian update for mailman
[SA18609] FreeBSD "pf" IP Fragment Denial of Service Vulnerability
[SA18607] Ubuntu update for imagemagick
[SA18585] Fedora update for httpd
[SA18582] Debian update for cupsys
[SA18578] Debian update for wine
[SA18571] Fetchmail Bounced Message Denial of Service Vulnerability
[SA18569] Avaya PDS HP-UX ftpd Denial of Service Vulnerability
[SA18555] Debian update for trac
[SA18554] SGI Advanced Linux Environment Multiple Updates
[SA18606] Debian update for flyspray
[SA18594] WeBWorK Arbitrary Command Execution Vulnerability
[SA18562] Red Hat update for kernel
[SA18600] HP-UX Unspecified Privilege Escalation Vulnerability
[SA18599] FreeBSD Kernel Memory Disclosure Vulnerabilities
[SA18596] Avaya PDS HP-UX Unspecified Privilege Escalation
[SA18586] LibAST Configuration Filename Buffer Overflow Vulnerability
[SA18580] Sun Grid Engine rsh Client Privilege Escalation Vulnerability
[SA18564] LSH lshd Seed-file File Descriptor Leak Vulnerability
[SA18558] Debian update for sudo
[SA18587] LibTIFF TIFFVSetField Denial of Service Vulnerability
[SA18595] Fedora update for openssh
[SA18579] OpenSSH scp Command Line Shell Command Injection
[SA18573] Debian update for crawl

Other:

Cross Platform:
[SA18605] Text Rider Exposure of User Credentials
[SA18560] WebspotBlogging "username" SQL Injection Vulnerability
[SA18556] Etomite "cij" Shell Command Execution Backdoor Security Issue
[SA18608] HP Oracle for Openview Multiple Vulnerabilities
[SA18604] miniBloggie "user" SQL Injection Vulnerability
[SA18601] Reamday Enterprises Magic News Password Change Bypass
[SA18597] Phpclanwebsite SQL Injection Vulnerabilities
[SA18593] BEA WebLogic Portal Information Disclosure and Security Bypass
[SA18592] BEA WebLogic Server/Express Vulnerabilities and Security Issues
[SA18575] ADOdb PostgreSQL SQL Injection Vulnerability
[SA18572] Pixelpost Comment Script Insertion Vulnerability
[SA18567] e-moBLOG SQL Injection Vulnerabilities
[SA18563] Zoph SQL Injection Vulnerabilities
[SA18557] Gallery Fullname Script Insertion Vulnerability
[SA18591] CA Products iGateway Service Content-Length Buffer Overflow
[SA18603] MyBB User Control Panel Cross-Site Request Forgery
[SA18588] Claroline Single Sign-On System Predictable Cookie
[SA18581] BEA WebLogic Server/Express Multiple Domains Administrator Access
[SA18576] Tor Hidden Service Disclosure Weakness
[SA18566] Note-A-Day Weblog Exposure of User Credentials
[SA18565] AZ Bulletin Board Cross-Site Scripting Vulnerabilities
[SA18577] MyBB Disclosure of Table Prefix Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA18574] Sami FTP Server USER Command Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-25

Critical Security has discovered a vulnerability in Sami FTP Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18574/

--

[SA18553] Hitachi HITSENSER Data Mart Server SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-20

A vulnerability has been reported in HITSENSER Data Mart Server, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18553/

--

[SA18550] FileCOPA FTP Server Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2006-01-20

P@r@n01d and $um$id have discovered a vulnerability in FileCopa FTP Server, which can be exploited by malicious users to access files in arbitrary locations on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18550/

--

[SA18589] Kerio WinRoute Firewall Web Browsing Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-01-25

A vulnerability has been reported in Kerio WinRoute Firewall, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18589/

--

[SA18551] MailSite Cross-Site Scripting and Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      Cross Site Scripting, DoS
Released:    2006-01-20

Rahul Mohandas has reported two vulnerabilities in MailSite Email Server, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18551/

UNIX/Linux:--

[SA18584] Avaya S87XX/S8500/S8300 Lynx "HTrjis()" NNTP Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-25

Avaya has acknowledged a vulnerability in Avaya S87XX/S8500/S8300, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18584/

--

[SA18583] Fedora update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-23

Fedora has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18583/

--

[SA18570] Gentoo update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-23

Gentoo has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18570/

--

[SA18568] Debian update for libapache-auth-ldap

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-23

Debian has issued an update for libapache-auth-ldap. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18568/

--

[SA18561] Debian update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-23

Debian has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18561/

--

[SA18559] SUSE update for kdelibs3

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-23

SUSE has issued an update for kdelibs3. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18559/

--

[SA18552] Ubuntu update for kdelibs4c2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-20

Ubuntu has issued an update for kdelibs4c2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18552/

--

[SA18616] Mandriva update for ipsec-tools

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-26

Mandriva has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18616/

--

[SA18612] Debian update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-26

Debian has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18612/

--

[SA18609] FreeBSD "pf" IP Fragment Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-25

A vulnerability has been reported in FreeBSD, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18609/

--

[SA18607] Ubuntu update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-25

Ubuntu has issued an update for imagemagick. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18607/

--

[SA18585] Fedora update for httpd

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-23

Fedora has issued an update for httpd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18585/

--

[SA18582] Debian update for cupsys

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-23

Debian has issued an update for cupsys. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18582/

--

[SA18578] Debian update for wine

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-25

Debian has issued an update for wine. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18578/

--

[SA18571] Fetchmail Bounced Message Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-23

A vulnerability has been reported in Fetchmail, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18571/

--

[SA18569] Avaya PDS HP-UX ftpd Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-24

Avaya has acknowledged a vulnerability in Predictive Dialing System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18569/

--

[SA18555] Debian update for trac

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-01-23

Debian has issued an update for trac. This fixes two vulnerabilities, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18555/

--

[SA18554] SGI Advanced Linux Environment Multiple Updates

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-20

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18554/

--

[SA18606] Debian update for flyspray

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-25

Debian has issued an update for flyspray. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18606/

--

[SA18594] WeBWorK Arbitrary Command Execution Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-01-25

A vulnerability has been reported in WeBWorK, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18594/

--

[SA18562] Red Hat update for kernel

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information, DoS
Released:    2006-01-20

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious people or local users to cause a DoS (Denial of Service), and by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/18562/

--

[SA18600] HP-UX Unspecified Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-25

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18600/

--

[SA18599] FreeBSD Kernel Memory Disclosure Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-01-25

Two vulnerabilities have been reported in FreeBSD, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18599/

--

[SA18596] Avaya PDS HP-UX Unspecified Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-26

Avaya has acknowledged a vulnerability in Predictive Dialing System (PDS), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18596/

--

[SA18586] LibAST Configuration Filename Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-25

Johnny Mast has reported a vulnerability in LibAST, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18586/

--

[SA18580] Sun Grid Engine rsh Client Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-24

A vulnerability has been reported in Sun Grid Engine (SGE), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18580/

--

[SA18564] LSH lshd Seed-file File Descriptor Leak Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, DoS
Released:    2006-01-23

A vulnerability has been reported in LSH, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information or to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18564/

--

[SA18558] Debian update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-20

Debian has issued an update for sudo. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18558/

--

[SA18587] LibTIFF TIFFVSetField Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-01-23

Herve Drolon has reported a vulnerability in LibTIFF, which can be exploited by malicious people to crash certain applications on a user's system.

Full Advisory:
http://secunia.com/advisories/18587/

--

[SA18595] Fedora update for openssh

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-24

Fedora has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18595/

--

[SA18579] OpenSSH scp Command Line Shell Command Injection

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-24

Josh Bressers has reported a weakness in OpenSSH, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18579/

--

[SA18573] Debian update for crawl

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-23

Debian has issued an update for crawl. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18573/

Other:

Cross Platform:--

[SA18605] Text Rider Exposure of User Credentials

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-01-25

Aliaksandr Hartsuyeu has discovered a security issue in Text Rider, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18605/

--

[SA18560] WebspotBlogging "username" SQL Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2006-01-20

Aliaksandr Hartsuyeu has discovered a vulnerability in WebspotBlogging, which can be exploited by malicious people to conduct SQL injection attacks and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18560/

--

[SA18556] Etomite "cij" Shell Command Execution Backdoor Security Issue

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-20

Luca Ercoli has reported a security issue in Etomite, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18556/

--

[SA18608] HP Oracle for Openview Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2006-01-25

HP has acknowledged some vulnerabilities and security issues in HP OfO (Oracle for Openview), which can be exploited with unknown impact, to gain knowledge of certain information, overwrite arbitrary files, and to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18608/

--

[SA18604] miniBloggie "user" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-01-25

Aliaksandr Hartsuyeu has discovered a vulnerability in miniBloggie, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18604/

--

[SA18601] Reamday Enterprises Magic News Password Change Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-01-25

cijfer has discovered a vulnerability in Reamday Enterprises Magic News, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18601/

--

[SA18597] Phpclanwebsite SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-26

matrix_killer has discovered two vulnerabilities in Phpclanwebsite, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18597/

--

[SA18593] BEA WebLogic Portal Information Disclosure and Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2006-01-24

Two security issues and a vulnerability have been reported in WebLogic Portal, which potentially can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18593/

--

[SA18592] BEA WebLogic Server/Express Vulnerabilities and Security Issues

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released:    2006-01-24

Multiple vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express, where the most critical ones potentially can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18592/

--

[SA18575] ADOdb PostgreSQL SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-24

Andy Staudacher has reported a vulnerability in ADOdb, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18575/

--

[SA18572] Pixelpost Comment Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-24

Aliaksandr Hartsuyeu has discovered a vulnerability in Pixelpost, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18572/

--

[SA18567] e-moBLOG SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-23

Aliaksandr Hartsuyeu has discovered some vulnerabilities in e-moBLOG, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18567/

--

[SA18563] Zoph SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-23

Some vulnerabilities have been reported in Zoph, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18563/

--

[SA18557] Gallery Fullname Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-20

A vulnerability has been reported in Gallery, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18557/

--

[SA18591] CA Products iGateway Service Content-Length Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-01-24

Erika Mendoza has reported a vulnerability in various CA products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18591/

--

[SA18603] MyBB User Control Panel Cross-Site Request Forgery

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2006-01-25

Roozbeh Afrasiabi has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct cross-site request forgery attacks.

Full Advisory:
http://secunia.com/advisories/18603/

--

[SA18588] Claroline Single Sign-On System Predictable Cookie

Critical:    Less critical
Where:       From remote
Impact:      Hijacking, Security Bypass
Released:    2006-01-25

karmaguedon has reported a vulnerability in Claroline, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18588/

--

[SA18581] BEA WebLogic Server/Express Multiple Domains Administrator Access

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-01-24

A security issue has been reported in WebLogic Server and WebLogic Express, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18581/

--

[SA18576] Tor Hidden Service Disclosure Weakness

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-01-23

Lasse Overlier and Paul Syverson have reported a weakness in Tor, which can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/18576/

--

[SA18566] Note-A-Day Weblog Exposure of User Credentials

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-01-23

Aliaksandr Hartsuyeu has discovered a security issue in Note-A-Day Weblog, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18566/

--

[SA18565] AZ Bulletin Board Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-23

Roozbeh Afrasiabi has reported two vulnerabilities in AZ Bulletin Board, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18565/

--

[SA18577] MyBB Disclosure of Table Prefix Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-01-23

imei has discovered a weakness in MyBB, which can be exploited by malicious people to disclose system information.

Full Advisory:
http://secunia.com/advisories/18577/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@private
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45