========================================================================

The Secunia Weekly Advisory Summary
2006-03-02 - 2006-03-09

This week: 82 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Apple has released the first security update for 2006, which fixes multiple vulnerabilities. Among the fixes is also a partial patch for the "Extremely Critical" vulnerability, which was released on the 21st of February 2006.

You can test whether or not your system is affected by this vulnerability here:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

For additional details about the other vulnerabilities fixed please refer to the referenced Secunia advisories below.

References:
http://secunia.com/SA19064
http://secunia.com/SA18963

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
2. [SA19064] Mac OS X Security Update Fixes Multiple Vulnerabilities
3. [SA19083] Linux Kernel Local Denial of Service Vulnerabilities
4. [SA19105] Joomla! Multiple Vulnerabilities
5. [SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
6. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
7. [SA19108] Fedora update for kernel
8. [SA19087] Avaya CMS / IR Multiple Vulnerabilities
9. [SA19073] Sun Solaris Multiple Apache Vulnerabilities
10. [SA19040] SecureCRT / SecureFX Potential Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19119] RevilloC MailServer USER Command Buffer Overflow
[SA19111] Sauerbraten Engine Multiple Vulnerabilities
[SA19110] Cube Engine Buffer Overflow and Denial of Service
[SA19079] Liero Xtreme Format String and Denial of Service Vulnerabilities
[SA19157] Cilem Haber "haber_id" SQL Injection Vulnerability
[SA19156] manas tungare Site Membership Script Cross-Site Scripting and SQL Injection
[SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability
[SA19103] Total Ecommerce "id" Parameter SQL Injection Vulnerability
[SA19081] Microsoft Visual Studio ".dbp" File Handling Buffer Overflow
[SA19163] Novell BorderManager Proxy Potential Denial of Service
[SA19097] EMC Retrospect Client Denial of Service Vulnerability
[SA19171] Symantec Ghost Multiple Vulnerabilities
[SA19140] IM Lock 2006 Insecure Registry Permissions
[SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
[SA19082] NCP Secure Entry Client Two Vulnerabilities

UNIX/Linux:
[SA19130] SUSE Updates for Multiple Packages
[SA19174] HP Tru64 UNIX IPSEC/ISAKMP Processing Denial of Service
[SA19167] Red Hat update for mailman
[SA19161] Red Hat update for squid
[SA19152] Debian update for tar
[SA19148] Gentoo update for zoo
[SA19136] Lurker Multiple Vulnerabilities
[SA19134] Tenes Empanadas Graciela Denial of Service Vulnerability
[SA19133] Monopd String Parsing Denial of Service Vulnerability
[SA19126] Ubuntu update for flex / gpc
[SA19125] Gentoo update for teTeX / pTeX / CSTeX
[SA19123] Gentoo update for wordpress
[SA19114] Gentoo update for mplayer
[SA19113] Gentoo update for up-imapproxy
[SA19093] Red Hat update for tar
[SA19092] Debian update for libtasn1-2
[SA19091] Debian update for xpdf
[SA19086] Avaya PDS HP-UX TCP/IP "Rose Attack" Denial of Service
[SA19080] Debian update for gnutls11
[SA19158] Red Hat update for spamassassin
[SA19131] Fedora update for squirrelmail
[SA19094] GNOME Evolution Email Handling Denial of Service
[SA19090] Ubuntu irssi DCC ACCEPT Parameter Handling Denial of Service
[SA19162] Red Hat update for initscripts
[SA19160] Red Hat update for kernel
[SA19087] Avaya CMS / IR Multiple Vulnerabilities
[SA19159] Red Hat update for openssh
[SA19128] Sun Solaris "/proc" Denial of Service Vulnerability
[SA19108] Fedora update for kernel
[SA19083] Linux Kernel Local Denial of Service Vulnerabilities
[SA19078] Linux Kernel "die_if_kernel()" Potential Denial of Service

Other:
[SA19146] Xerox CopyCentre / WorkCentre Pro Multiple Denial of Service Vulnerabilities
[SA19137] nCipher Products Multiple Vulnerabilities

Cross Platform:
[SA19154] Link Bank PHP Code Injection and Cross-Site Scripting
[SA19142] Owl Intranet Engine "xrms_file_root" File Inclusion Vulnerability
[SA19121] m-phorum "go" File Inclusion Vulnerability
[SA19116] Php-Stats Multiple Vulnerabilities and Security Issue
[SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
[SA19106] LISTSERV WA CGI Script Buffer Overflow Vulnerabilities
[SA19172] Loudblog Multiple Vulnerabilities
[SA19151] sBlog Multiple Vulnerabilities
[SA19147] bMail GBK Charsets SQL Injection Vulnerability
[SA19144] Alien Arena 2006 Gold Edition Multiple Vulnerabilities
[SA19141] Invision Power Board Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19135] Cyboards PHP Lite "parent" SQL Injection Vulnerability
[SA19132] IPB D2-Shoutbox Module "load" SQL Injection
[SA19127] phpBannerExchange "email" Directory Traversal
[SA19120] Freeciv Packet Parsing Denial of Service Vulnerability
[SA19117] NMDeluxe Script Insertion and SQL Injection
[SA19115] Daverave Simplog File Inclusion Vulnerability
[SA19109] Wordpress "User-Agent" Header SQL Injection Vulnerability
[SA19104] Gallery Script Insertion and Session Handling Vulnerabilities
[SA19102] Gregarius SQL Injection and Cross-Site Scripting Vulnerabilities
[SA19101] bitweaver "title" Script Insertion Vulnerability
[SA19100] vBulletin User Email Address Script Insertion Vulnerability
[SA19096] Aztek Forum Message Body Script Insertion Vulnerability
[SA19089] PluggedOut Nexus forgotten_password.php SQL Injection
[SA19088] NZ Ecommerce Cross-Site Scripting and SQL Injection
[SA19084] VUBB "pass" SQL Injection Vulnerability
[SA19155] HitHost Cross-Site Scripting and Directory Deletion
[SA19143] Game-Panel "message" Cross-Site Scripting Vulnerability
[SA19124] phpArcadeScript Cross-Site Scripting Vulnerabilities
[SA19105] Joomla! Multiple Vulnerabilities
[SA19099] DVGuestbookV2.0 "page" Cross-Site Scripting Vulnerability
[SA19098] DVguestbook "dv_gbook.php" Cross-Site Scripting Vulnerability
[SA19085] SAP Web Application Server URL Handling Vulnerability
[SA19095] Oreka RTP Handling Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA19119] RevilloC MailServer USER Command Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08

securma massine has discovered a vulnerability in RevilloC MailServer, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19119/

--
[SA19111] Sauerbraten Engine Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07

Luigi Auriemma has reported some vulnerabilities in Sauerbraten Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19111/

--
[SA19110] Cube Engine Buffer Overflow and Denial of Service
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07

Luigi Auriemma has reported some vulnerabilities in Cube Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19110/

--
[SA19079] Liero Xtreme Format String and Denial of Service Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-08

Luigi Auriemma has reported two vulnerabilities in Liero Xtreme, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19079/

--
[SA19157] Cilem Haber "haber_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-08

Mustafa Can Bjorn has discovered a vulnerability in Cilem Haber, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19157/

--
[SA19156] manas tungare Site Membership Script Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-08

Syst3m_f4ult has discovered two vulnerabilities in manas tungare Site Membership Script, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19156/

--
[SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

A vulnerability has been reported in Akarru Social BookMarking Engine, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19112/

--
[SA19103] Total Ecommerce "id" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

Mustafa Can Bjorn has reported a vulnerability in Total Ecommerce, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19103/

--
[SA19081] Microsoft Visual Studio ".dbp" File Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-07

ATmaCA has reported a vulnerability in Microsoft Visual Studio, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19081/

--
[SA19163] Novell BorderManager Proxy Potential Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-08

A vulnerability has been reported in BorderManager, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19163/

--
[SA19097] EMC Retrospect Client Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-03

A vulnerability has been reported in EMC Retrospect Client for Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19097/

--
[SA19171] Symantec Ghost Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information, Privilege escalation
Released: 2006-03-08

Three vulnerabilities have been reported in Symantec Ghost, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, modify certain data, and potentially gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19171/

--
[SA19140] IM Lock 2006 Insecure Registry Permissions
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-03-07

fRoGGz has discovered a vulnerability in IM Lock 2006, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19140/

--
[SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-06

RedXII1234 has discovered a security issue in AVG Anti-Virus, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19118/

--
[SA19082] NCP Secure Entry Client Two Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-02

Ramon 'ports' Kukla has reported two vulnerabilities in NCP Secure Entry Client, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19082/

UNIX/Linux:

--
[SA19130] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS, System access
Released: 2006-03-06

SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), bypass certain security restrictions, to cause files to be extracted to arbitrary locations on a user's system, to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar, and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19130/

--
[SA19174] HP Tru64 UNIX IPSEC/ISAKMP Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

HP has acknowledged a vulnerability in HP Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19174/

--
[SA19167] Red Hat update for mailman
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Red Hat has issued an update for mailman. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19167/

--
[SA19161] Red Hat update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Red Hat has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19161/

--
[SA19152] Debian update for tar
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-08

Debian has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19152/

--
[SA19148] Gentoo update for zoo
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07

Gentoo has issued an update for zoo. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19148/

--
[SA19136] Lurker Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, Cross Site Scripting
Released: 2006-03-06

Some vulnerabilities have been reported in Lurker, which can be exploited by malicious people to conduct cross-site scripting attacks, and disclose and manipulate sensitive information.
Full Advisory: http://secunia.com/advisories/19136/

--
[SA19134] Tenes Empanadas Graciela Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Luigi Auriemma has reported a vulnerability in Tenes Empanadas Graciela (TEG), which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19134/

--
[SA19133] Monopd String Parsing Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Luigi Auriemma has reported a vulnerability in Monopd, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19133/

--
[SA19126] Ubuntu update for flex / gpc
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-07

Ubuntu has issued an update for flex / gpc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19126/

--
[SA19125] Gentoo update for teTeX / pTeX / CSTeX
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-06

Gentoo has issued updates for teTeX, pTeX, and CSTeX. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19125/

--
[SA19123] Gentoo update for wordpress
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

Gentoo has issued an update for wordpress. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19123/

--
[SA19114] Gentoo update for mplayer
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-06

Gentoo has issued an update for mplayer. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19114/

--
[SA19113] Gentoo update for up-imapproxy
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-06

Gentoo has issued an update for up-imapproxy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19113/

--
[SA19093] Red Hat update for tar
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-02

Red Hat has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.
Full Advisory: http://secunia.com/advisories/19093/

--
[SA19092] Debian update for libtasn1-2
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Debian has issued an update for libtasn1-2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19092/

--
[SA19091] Debian update for xpdf
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-03-02

Full Advisory: http://secunia.com/advisories/19091/

--
[SA19086] Avaya PDS HP-UX TCP/IP "Rose Attack" Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19086/

--
[SA19080] Debian update for gnutls11
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Debian has issued an update for gnutls11. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19080/

--
[SA19158] Red Hat update for spamassassin
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19158/

--
[SA19131] Fedora update for squirrelmail
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-06

Fedora has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19131/

--
[SA19094] GNOME Evolution Email Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-02

Alan Cox has discovered a vulnerability in Evolution, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19094/

--
[SA19090] Ubuntu irssi DCC ACCEPT Parameter Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-02

Scott Sinclair has reported a vulnerability in irssi, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19090/

--
[SA19162] Red Hat update for initscripts
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-08

Red Hat has issued an update for initscripts. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19162/

--
[SA19160] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-03-08

Red Hat has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19160/

--
[SA19087] Avaya CMS / IR Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Security Bypass, Privilege escalation
Released: 2006-03-04

Avaya has acknowledged some vulnerabilities in CMS and IR, which can be exploited by malicious, local users to gain escalated privileges and to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19087/

--
[SA19159] Red Hat update for openssh
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-08

Red Hat has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/19159/

--
[SA19128] Sun Solaris "/proc" Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-06

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19128/

--
[SA19108] Fedora update for kernel
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-03

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19108/

--
[SA19083] Linux Kernel Local Denial of Service Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-02

Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19083/

--
[SA19078] Linux Kernel "die_if_kernel()" Potential Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-07

A vulnerability has been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19078/

Other:

--
[SA19146] Xerox CopyCentre / WorkCentre Pro Multiple Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2006-03-08

Some vulnerabilities have been reported in Xerox CopyCentre and Xerox WorkCentre Pro, where one has an unknown impact, and others can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19146/

--
[SA19137] nCipher Products Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-03-07

Some vulnerabilities have been reported in nCipher products, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19137/

Cross Platform:

--
[SA19154] Link Bank PHP Code Injection and Cross-Site Scripting
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-03-08

retard has discovered two vulnerabilities in Link Bank, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19154/

--
[SA19142] Owl Intranet Engine "xrms_file_root" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08

rgod has discovered a vulnerability in Owl Intranet Engine, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19142/

--
[SA19121] m-phorum "go" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08

uid0 has discovered a vulnerability in m-phorum, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19121/

--
[SA19116] Php-Stats Multiple Vulnerabilities and Security Issue
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released: 2006-03-06

rgod has reported some vulnerabilities and a security issue in Php-Stats, which can be exploited by malicious people to conduct SQL injection attacks, disclose system and sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19116/

--
[SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-03

Liz0ziM has reported a vulnerability in PHP Upload Center, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19107/

--
[SA19106] LISTSERV WA CGI Script Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-06

Peter Winter-Smith of NGSSoftware has reported some vulnerabilities in LISTSERV, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19106/

--
[SA19172] Loudblog Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-03-08

kuze has reported some vulnerabilities in Loudblog, which can be exploited by malicious people to disclose sensitive information and conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19172/

--
[SA19151] sBlog Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-08

Kiki has discovered multiple vulnerabilities in sBlog, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19151/

--
[SA19147] bMail GBK Charsets SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-07

A vulnerability has been reported in bMail, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19147/

--
[SA19144] Alien Arena 2006 Gold Edition Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-08

Luigi Auriemma has reported some vulnerabilities in Alien Arena 2006 Gold Edition, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19144/

--
[SA19141] Invision Power Board Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-07

Two vulnerabilities have been reported in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19141/

--
[SA19135] Cyboards PHP Lite "parent" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

Aliaksandr Hartsuyeu has discovered a vulnerability in Cyboards PHP Lite, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19135/

--
[SA19132] IPB D2-Shoutbox Module "load" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-07

SkOd has reported a vulnerability in the D2-Shoutbox module for IPB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19132/

--
[SA19127] phpBannerExchange "email" Directory Traversal
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-03-08

Tix has discovered a vulnerability in phpBannerExchange, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/19127/

--
[SA19120] Freeciv Packet Parsing Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19120/

--
[SA19117] NMDeluxe Script Insertion and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-07

Aliaksandr Hartsuyeu has reported two vulnerabilities in NMDeluxe, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19117/

--
[SA19115] Daverave Simplog File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-03-06

retard and jim have discovered a vulnerability in Daverave Simplog, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19115/

--
[SA19109] Wordpress "User-Agent" Header SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

Patrik Karlsson has reported a vulnerability in Wordpress, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19109/

--
[SA19104] Gallery Script Insertion and Session Handling Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-03-03

James Bercegay has reported some vulnerabilities in Gallery, which can be exploited by malicious people to conduct script insertion attacks and to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19104/

--
[SA19102] Gregarius SQL Injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-06

tzitaroth has reported a vulnerability in Gregarius, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19102/

--
[SA19101] bitweaver "title" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06

Kiki has discovered a vulnerability in bitweaver, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19101/

--

[SA19100] vBulletin User Email Address Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-03

imei addmimistrator has reported a vulnerability in vBulletin, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19100/

--

[SA19096] Aztek Forum Message Body Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-03

lorenzo has discovered a vulnerability in Aztek Forum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19096/

--

[SA19089] PluggedOut Nexus forgotten_password.php SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-03

Hamid Ebadi has discovered a vulnerability in PluggedOut Nexus, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19089/

--

[SA19088] NZ Ecommerce Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-02

r0t has reported some vulnerabilities in NZ Ecommerce, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19088/

--

[SA19084] VUBB "pass" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-02

KingOfSKa has discovered a vulnerability in VUBB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19084/

--

[SA19155] HitHost Cross-Site Scripting and Directory Deletion

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-08

retard has discovered two vulnerabilities in HitHost, which can be exploited by malicious people to delete empty directories and conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19155/

--

[SA19143] Game-Panel "message" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-07

A vulnerability has been reported in Game-Panel, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19143/

--

[SA19124] phpArcadeScript Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06

retard and jim have reported some vulnerabilities in phpArcadeScript, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19124/

--

[SA19105] Joomla! Multiple Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Unknown, Security Bypass, Manipulation of data, Exposure of system information
Released: 2006-03-03

Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose system information and potentially bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19105/

--

[SA19099] DVGuestbookV2.0 "page" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06

Liz0ziM has discovered a vulnerability in DVGuestbookV2.0, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19099/

--

[SA19098] DVguestbook "dv_gbook.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06

Liz0ziM has discovered a vulnerability in DVguestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19098/

--

[SA19085] SAP Web Application Server URL Handling Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-03

Arnold Grossmann has reported a vulnerability in SAP Web Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19085/

--

[SA19095] Oreka RTP Handling Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-03

A vulnerability has been reported in Oreka, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19095/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@private
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org