========================================================================
The Secunia Weekly Advisory Summary
2006-02-02 - 2006-02-09
This week : 55 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single
vulnerability report is being validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================
2) This Week in Brief:
Several vulnerabilities have been reported in various Sun Java
products, which potentially can be exploited by malicious people to
compromise a user's system.
Please refer to the referenced Secunia advisories for additional
details.
References:
http://secunia.com/SA18760
http://secunia.com/SA18762
--
A vulnerability has been reported in Internet Explorer 5.01 and 5.5,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused due to an unspecified error. This can be
exploited to execute arbitrary code on a user's system by e.g.
tricking the user to visit a malicious website that hosts a specially
crafted WMF file or via an email message containing a specially
crafted attachment.
Reference:
http://secunia.com/SA18729
--
Several vulnerabilities have been reported in Mozilla Firefox, Mozilla
Suite, and Mozilla Thunderbird.
For additional information please refer to the following Secunia
advisories.
References:
http://secunia.com/SA18700
http://secunia.com/SA18704
http://secunia.com/SA18703
VIRUS ALERTS:
Secunia has not issued any virus alerts during the week.
========================================================================
3) This Weeks Top Ten Most Read Advisories:
1. [SA18700] Firefox Multiple Vulnerabilities
2. [SA18704] Thunderbird Multiple Vulnerabilities
3. [SA18649] Winamp Three Playlist Parsing Buffer Overflow
Vulnerabilities
4. [SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass
Vulnerabilities
5. [SA18703] Mozilla Suite XML Injection and Code Execution
Vulnerabilities
6. [SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer
Overflow
7. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code
Execution Vulnerability
8. [SA18698] Adobe Products Insecure Default File Permissions
9. [SA18699] Sun Java System Access Manager Administrator Access
Weakness
10. [SA18691] cPanel Cross-Site Scripting Vulnerabilities
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA18729] Internet Explorer Unspecified WMF Image Handling
Vulnerability
[SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
[SA18744] Lexmark Printers LexBce Server Arbitrary Code Execution
[SA18731] Hosting Controller SQL Injection Vulnerabilities
[SA18730] CyberShop Ultimate Mc Cross-Site Scripting Vulnerabilities
[SA18716] MailEnable Enterprise Edition Webmail Denial of Service
[SA18756] Windows Insecure Service Permissions Privilege Escalation
[SA18728] Lexmark X1100 Series Printing Software Privilege Escalation
[SA18713] The Bat! RFC-822 Mail Header Spoofing Weakness
UNIX/Linux:
[SA18737] MyQuiz "myquiz.pl" Shell Command Injection Vulnerability
[SA18709] Fedora update for mozilla
[SA18708] Fedora update for firefox
[SA18706] Red Hat update for firefox
[SA18705] Red Hat update for mozilla
[SA18774] Fedora update for kernel
[SA18766] Linux Kernel ICMP Error Handling Denial of Service
[SA18763] Mandriva update for php
[SA18748] Mailback Mail Header Injection Vulnerability
[SA18746] Gentoo update for gst-plugins-ffmpeg
[SA18745] Gentoo update for adodb
[SA18742] Debian update for ipsec-tools
[SA18739] GStreamer FFmpeg Plug-in libavcodec Buffer Overflow
[SA18718] MPlayer ASF File Parsing Integer Overflow Vulnerabilities
[SA18717] SUSE Updates for Multiple Packages
[SA18707] KDE kpdf Splash Image Handling Buffer Overflow
[SA18743] Gentoo update for apache
[SA18710] Outblaze throw.main Cross-Site Scripting Vulnerability
[SA18733] Heimdal rshd Server Privilege Escalation Vulnerability
[SA18719] Trustix Fcron "convert-fcrontab" Two Vulnerabilities
[SA18712] OpenBSD Kernfs Kernel Memory Disclosure Vulnerability
[SA18772] Openwall crypt_blowfish Salt Generation Weakness
[SA18741] hcidump Bluetooth L2CAP Denial of Service Vulnerability
[SA18736] Mandriva update for openssh
Other:
[SA18750] QNX Neutrino RTOS Multiple Privilege Escalation
Vulnerabilities
[SA18747] Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service
Cross Platform:
[SA18762] Java Web Start Sandbox Security Bypass Vulnerability
[SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass
Vulnerabilities
[SA18757] eyeOS "_SESSION" PHP Code Execution Vulnerability
[SA18722] Loudblog "path" File Inclusion Vulnerability
[SA18703] Mozilla Suite XML Injection and Code Execution
Vulnerabilities
[SA18761] GuestBookHost SQL Injection Vulnerabilities
[SA18759] Unknown Domain Shoutbox Two Vulnerabilities
[SA18758] phphg Guestbook Multiple Vulnerabilities
[SA18732] PHP Link Directory ADBdb and PHPMailer Vulnerabilities
[SA18726] PluggedOut Blog Cross-Site Scripting and SQL Injection
[SA18721] Papoo Username Script Insertion Vulnerability
[SA18720] AgileBill ADOdb server.php Insecure Test Script Security
Issue
[SA18715] PHP GEN Unspecified Cross-Site Scripting and SQL Injection
[SA18704] Thunderbird Multiple Vulnerabilities
[SA18754] MyBB "posts" SQL Injection Vulnerability
[SA18735] Gallery Unspecified Album Data Manipulation Vulnerability
[SA18725] IBM Tivoli Access Manager for e-business "pkmslogout"
Directory Traversal
[SA18711] MediaWiki Edit Comment Formatting Denial of Service
[SA18738] IBM Lotus Domino LDAP Server Denial of Service Vulnerability
[SA18727] phpBB "gen_rand_string()" Predictable RNG Weakness
========================================================================
5) Vulnerabilities Content Listing
Windows:--
[SA18729] Internet Explorer Unspecified WMF Image Handling
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-08
A vulnerability has been reported in Internet Explorer, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18729/
--
[SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-02-06
bratax has discovered a vulnerability in Microsoft HTML Help Workshop,
which can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/18740/
--
[SA18744] Lexmark Printers LexBce Server Arbitrary Code Execution
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-02-08
Peter Winter-Smith of NGSSoftware has reported a vulnerability in the
LexBce Server Service included with various Lexmark printers, which can
be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18744/
--
[SA18731] Hosting Controller SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-07
Soroush Dalili has discovered two vulnerabilities in Hosting
Controller, which can be exploited by malicious users to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/18731/
--
[SA18730] CyberShop Ultimate Mc Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-06
B3g0k has reported two vulnerabilities in CyberShop Ultimate Mc, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/18730/
--
[SA18716] MailEnable Enterprise Edition Webmail Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-02-07
A vulnerability has been reported in MailEnable Enterprise Edition,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/18716/
--
[SA18756] Windows Insecure Service Permissions Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-08
Sudhakar Govindavajhala and Andrew W. Appel have reported some security
issues in Microsoft Windows, which can be exploited by malicious, local
users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/18756/
--
[SA18728] Lexmark X1100 Series Printing Software Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-08
Kevin Finisterre has reported a vulnerability in Lexmark X1100 Series,
which can be exploited by malicious, local users to gain escalated
privileges.
Full Advisory:
http://secunia.com/advisories/18728/
--
[SA18713] The Bat! RFC-822 Mail Header Spoofing Weakness
Critical: Not critical
Where: From remote
Impact: Spoofing
Released: 2006-02-08
3APA3A has discovered a weakness in The Bat!, which can be exploited by
malicious people to conduct spoofing attacks.
Full Advisory:
http://secunia.com/advisories/18713/
UNIX/Linux:--
[SA18737] MyQuiz "myquiz.pl" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-06
Aliaksandr Hartsuyeu has reported a vulnerability in MyQuiz, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18737/
--
[SA18709] Fedora update for mozilla
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, DoS, System access
Released: 2006-02-03
Fedora has issued an update for mozilla. This fixes some
vulnerabilities and a weakness, which can be exploited by malicious
people to cause a DoS (Denial of Service), conduct cross-site scripting
attacks, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18709/
--
[SA18708] Fedora update for firefox
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, DoS, System access
Released: 2006-02-03
Fedora has issued an update for firefox. This fixes some
vulnerabilities and a weakness, which can be exploited by malicious
people to cause a DoS (Denial of Service), conduct cross-site scripting
attacks, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18708/
--
[SA18706] Red Hat update for firefox
Critical: Highly critical
Where: From remote
Impact: System access, DoS, Cross Site Scripting
Released: 2006-02-03
Red Hat has issued an update for firefox. This fixes some
vulnerabilities and a weakness, which can be exploited by malicious
people to cause a DoS (Denial of Service), conduct cross-site scripting
attacks, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18706/
--
[SA18705] Red Hat update for mozilla
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, DoS, System access
Released: 2006-02-03
Red Hat has issued an update for mozilla. This fixes some
vulnerabilities and a weakness, which can be exploited by malicious
people to cause a DoS (Denial of Service), conduct cross-site scripting
attacks, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18705/
--
[SA18774] Fedora update for kernel
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS
Released: 2006-02-08
Fedora has issued an update for the kernel. This fixes two
vulnerabilities, which can be exploited by malicious, local users to
disclose potentially sensitive information, and by malicious people to
cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18774/
--
[SA18766] Linux Kernel ICMP Error Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-02-08
A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18766/
--
[SA18763] Mandriva update for php
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-08
Mandriva has issued an update for php. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/18763/
--
[SA18748] Mailback Mail Header Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-07
coderpunk has discovered a vulnerability in Mailback, which can be
exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18748/
--
[SA18746] Gentoo update for gst-plugins-ffmpeg
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-06
Gentoo has issued an update for gst-plugins-ffmpeg. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18746/
--
[SA18745] Gentoo update for adodb
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-07
Gentoo has issued an update for adodb. This fixes a vulnerability,
which potentially can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/18745/
--
[SA18742] Debian update for ipsec-tools
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-02-06
Debian has issued an update for ipsec-tools. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18742/
--
[SA18739] GStreamer FFmpeg Plug-in libavcodec Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-06
A vulnerability has been reported in GStreamer FFmpeg Plug-in, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18739/
--
[SA18718] MPlayer ASF File Parsing Integer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-07
AFI Security Research has discovered two vulnerabilities in mplayer,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18718/
--
[SA18717] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Privilege
escalation, DoS, System access
Released: 2006-02-03
SUSE has issued updates for multiple packages. These fix various
vulnerabilities and a security issue, which can be exploited by
malicious users to gain escalated privileges, bypass certain security
restrictions and conduct script insertion attacks, or by malicious
people to cause a DoS (Denial of Service) and potentially compromise a
vulnerable system
Full Advisory:
http://secunia.com/advisories/18717/
--
[SA18707] KDE kpdf Splash Image Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-03
A vulnerability has been reported in KDE, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18707/
--
[SA18743] Gentoo update for apache
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, DoS
Released: 2006-02-07
Gentoo has issued an update for apache. This fixes two vulnerabilities,
which can be exploited by malicious people to conduct cross-site
scripting attacks and to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18743/
--
[SA18710] Outblaze throw.main Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-03
Simo Ben youssef has reported a vulnerability in Outblaze, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/18710/
--
[SA18733] Heimdal rshd Server Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-07
A vulnerability has been reported in Heimdal, which can be exploited by
malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/18733/
--
[SA18719] Trustix Fcron "convert-fcrontab" Two Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-03
Two vulnerabilities have been reported in Fcron, which can be exploited
by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/18719/
--
[SA18712] OpenBSD Kernfs Kernel Memory Disclosure Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-02-03
SecurityLab Technologies has reported a vulnerability in OpenBSD, which
can be exploited by malicious, local users to disclose potentially
sensitive information.
Full Advisory:
http://secunia.com/advisories/18712/
--
[SA18772] Openwall crypt_blowfish Salt Generation Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-02-08
A weakness has been reported in Openwall crypt_blowfish, which
potentially can be exploited by malicious people to disclose certain
sensitive information.
Full Advisory:
http://secunia.com/advisories/18772/
--
[SA18741] hcidump Bluetooth L2CAP Denial of Service Vulnerability
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-02-08
Pierre Betouin has reported a vulnerability in hcidump, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18741/
--
[SA18736] Mandriva update for openssh
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-07
Mandriva has issued an update for openssh. This fixes a weakness, which
potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/18736/
Other:--
[SA18750] QNX Neutrino RTOS Multiple Privilege Escalation
Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2006-02-08
Multiple vulnerabilities have been reported in QNX Neutrino RTOS, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service) or gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/18750/
--
[SA18747] Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-02-08
Pierre Betouin has discovered a vulnerability in various Sony Ericsson
cell phones, which can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/18747/
Cross Platform:--
[SA18762] Java Web Start Sandbox Security Bypass Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-08
A vulnerability has been reported in Java Web Start, which potentially
can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18762/
--
[SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-08
Seven vulnerabilities have been reported in Sun Java JRE (Java Runtime
Environment), which potentially can be exploited by malicious people to
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18760/
--
[SA18757] eyeOS "_SESSION" PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-08
James Bercegay has reported a vulnerability in eyeOS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18757/
--
[SA18722] Loudblog "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-06
rgod has discovered a vulnerability in Loudblog, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18722/
--
[SA18703] Mozilla Suite XML Injection and Code Execution
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-02-02
Two vulnerabilities have been reported in Mozilla Suite, which can be
exploited by malicious people to conduct cross-site scripting attacks
and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18703/
--
[SA18761] GuestBookHost SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Security Bypass
Released: 2006-02-08
Aliaksandr Hartsuyeu has reported two vulnerabilities in GuestBookHost,
which can be exploited by malicious people to conduct SQL injection
attacks.
Full Advisory:
http://secunia.com/advisories/18761/
--
[SA18759] Unknown Domain Shoutbox Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-02-08
Aliaksandr Hartsuyeu has discovered two vulnerabilities in Unknown
Domain Shoutbox, which can be exploited by malicious people to conduct
script insertion and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18759/
--
[SA18758] phphg Guestbook Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of
data
Released: 2006-02-08
Aliaksandr Hartsuyeu has discovered some vulnerabilities in phphg
Guestbook, which can be exploited by malicious people to conduct script
insertion and SQL injection attacks, and bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/18758/
--
[SA18732] PHP Link Directory ADBdb and PHPMailer Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of system
information, DoS, System access
Released: 2006-02-06
Mario Oyorzabal Salgado has reported some security issues and
vulnerabilities in PHP Link Directory (phpLD2), which can be exploited
by malicious people to disclose system information, execute arbitrary
SQL code, conduct SQL injection attacks, cause a DoS (Denial of
Service), and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18732/
--
[SA18726] PluggedOut Blog Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-02-06
Hamid Ebadi has discovered a vulnerability in PluggedOut Blog, which
can be exploited by malicious people to conduct cross-site scripting
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18726/
--
[SA18721] Papoo Username Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-03
Thomas Pollet has reported a vulnerability in Papoo, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/18721/
--
[SA18720] AgileBill ADOdb server.php Insecure Test Script Security
Issue
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-02-06
Secunia Research has discovered a vulnerability in AgileBill, which can
be exploited by malicious people to execute arbitrary SQL code and
potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18720/
--
[SA18715] PHP GEN Unspecified Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-02-03
Some vulnerabilities have been reported in PHP GEN, which can be
exploited by malicious people to conduct cross-site scripting attacks
and potentially conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18715/
--
[SA18704] Thunderbird Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
Released: 2006-02-02
Some vulnerabilities have been reported in Thunderbird, which can be
exploited by malicious people to bypass certain security restrictions,
conduct cross-site scripting attacks, potentially disclose sensitive
information, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18704/
--
[SA18754] MyBB "posts" SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-08
imei addmimistrator has discovered a vulnerability in MyBB, which can
be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18754/
--
[SA18735] Gallery Unspecified Album Data Manipulation Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-02-07
A vulnerability has been reported in Gallery, which potentially can be
exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18735/
--
[SA18725] IBM Tivoli Access Manager for e-business "pkmslogout"
Directory Traversal
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-02-06
Timothy D. Morgan has reported a vulnerability in IBM Tivoli Access
Manager for e-business, which can be exploited by malicious users to
disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/18725/
--
[SA18711] MediaWiki Edit Comment Formatting Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-02-03
A vulnerability has been reported in MediaWiki, which potentially can
be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18711/
--
[SA18738] IBM Lotus Domino LDAP Server Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-02-07
Evgeny Legerov has discovered a vulnerability in Lotus Domino, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/18738/
--
[SA18727] phpBB "gen_rand_string()" Predictable RNG Weakness
Critical: Not critical
Where: From remote
Impact: Manipulation of data, Brute force
Released: 2006-02-07
Chinchilla has reported a weakness in phpBB, which potentially can be
exploited by malicious people to change other user's passwords.
Full Advisory:
http://secunia.com/advisories/18727/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support@private
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Feb 09 2006 - 23:25:42 PST