========================================================================
The Secunia Weekly Advisory Summary
2006-04-27 - 2006-05-04
This week: 90 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
Secunia Survey
Secunia would like to invite you to participate in an electronic survey
evolving the usefulness of our mailing lists. To value your effort
Secunia will offer you free access to the Secunia Security Manager for
three months as well as have a price draw for an iPod nano.
We hope that you will give us a few minutes of your time, as your
response will help us provide you with better services in the future.
The questionnaire contains 19 questions and it takes approximately 5
minutes to answer the questionnaire.
https://ca.secunia.com/survey/?survey_url=kei933wBid2
The survey is being conducted in accordance with the general Secunia
Security Policy and your answers will of course be kept strictly
confidential.
Best regards,
Niels Henrik Rasmussen
CEO Secunia
========================================================================
2) This Week in Brief:
A vulnerability has been reported in ClamAV, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially to
compromise a vulnerable system.
Additional information and a solution is available in the referenced
Secunia advisory.
Reference:
http://secunia.com/SA19880
--
VIRUS ALERTS:
Secunia has not issued any virus alerts during the week.
========================================================================
3) This Weeks Top Ten Most Read Advisories:
1. [SA19762] Internet Explorer "object" Tag Memory Corruption
Vulnerability
2. [SA19802] Firefox "contentWindow.focus()" Deleted Object Reference
Vulnerability
3. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of
Sensitive Information
4. [SA19631] Firefox Multiple Vulnerabilities
5. [SA19521] Internet Explorer Window Loading Race Condition Address
Bar Spoofing
6. [SA18680] Microsoft Internet Explorer "createTextRange()" Code
Execution
7. [SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
8. [SA19868] Linux Kernel CIFS chroot Directory Traversal
Vulnerability
9. [SA19860] Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL
Injection
10. [SA19861] Invision Power Board "from_contact" SQL Injection
Vulnerability
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA19942] BankTown BtCxCtl20Com ActiveX Control Buffer Overflow
[SA19934] Argosoft FTP Server "RNTO" Command Buffer Overflow
[SA19889] CyberBuild Multiple Vulnerabilities
[SA19875] Kerio MailServer Attachment Filter Bypass Vulnerability
[SA19965] Gene6 FTP Server MKD/XMKD Denial of Service Vulnerability
[SA19917] Golden FTP Server Pro NLST/APPE Command Denial of Service
[SA19864] Magic ISO Maker ISO File Extraction Directory Traversal
UNIX/Linux:
[SA19962] Debian update for ethereal
[SA19958] Red Hat update for ethereal
[SA19950] Ubuntu update for thunderbird
[SA19941] Debian update for mozilla-thunderbird
[SA19902] Gentoo update for mozilla
[SA19963] Debian update for clamav
[SA19960] Red Hat update for squirrelmail
[SA19959] Red Hat update for dia
[SA19949] Ubuntu update for libtiff4
[SA19936] Mandriva update for libtiff
[SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
[SA19920] Rsync "xattrs.diff" Patch Integer Overflow Vulnerability
[SA19919] Gentoo update for mplayer
[SA19914] Gentoo update for phpwebsite
[SA19912] Gentoo update for clamav
[SA19897] SUSE Updates for Multiple Packages
[SA19880] ClamAV Freshclam HTTP Header Buffer Overflow Vulnerability
[SA19874] Mandriva update for clamav
[SA19872] Debian update for asterisk
[SA19951] Ubuntu update for xserver-xorg
[SA19943] Mandriva update for xorg-x11
[SA19921] SUSE update for xorg-x11-server
[SA19916] OpenBSD update for x.org
[SA19915] Gentoo update for xorg-x11
[SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
[SA19955] Ubuntu update for kernel
[SA19906] NeoMail "sessionid" Cross-Site Scripting Vulnerability
[SA19885] DirectAdmin "domain" Cross-Site Scripting Vulnerability
[SA19879] CPS "pos" Cross-Site Scripting Vulnerability
[SA19966] Hostapd EAPoL Frame Handling Denial of Service
[SA19910] Quagga RIPd RIPv1 Request Handling Security Issue
[SA19928] ejabberd Insecure Temporary File Creation Vulnerability
[SA19903] TrueCrypt External Command Execution Vulnerability
[SA19898] Debian update for resmgr
[SA19887] Resource Manager resmgrd USB Device Granting Security Issue
[SA19869] Linux Kernel SMBFS chroot Directory Traversal Vulnerability
[SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability
Other:
[SA19894] Fujitsu NetShelter/FW DNS Handling Denial of Service
[SA19881] Cisco Unity Express Expired Password Change Vulnerability
[SA19953] CA Resource Initialization Manager Privilege Escalation
Cross Platform:
[SA19952] Albinator File Inclusion and Cross-Site Scripting
Vulnerabilities
[SA19944] phpBB phpbb-Auction Module "phpbb_root_path" File Inclusion
[SA19923] FtrainSoft Fast Click "path" File Inclusion Vulnerability
[SA19918] DMCounter "rootdir" File Inclusion Vulnerability
[SA19911] Aardvark Topsites PHP "CONFIG[path]" File Inclusion
Vulnerability
[SA19907] Artmedic Event "page" File Inclusion Vulnerability
[SA19905] phpBB Advanced GuestBook "phpbb_root_path" File Inclusion
[SA19893] OpenPHPNuke master.php File Inclusion Vulnerability
[SA19892] phpBB Knowledge Base Mod File Inclusion Vulnerability
[SA19891] WEBInsta Limbo sql.php File Inclusion Vulnerability
[SA19886] X7 Chat "help_file" Directory Traversal Vulnerability
[SA19884] phpBB TopList "phpbb_root_path" File Inclusion Vulnerability
[SA19866] phpwcms Multiple Vulnerabilities
[SA19948] Invision Gallery "album" SQL Injection Vulnerability
[SA19933] CMScout Multiple Script Insertion Vulnerabilities
[SA19930] Russcom.Loginphp Script Insertion and Open Mail Relay
[SA19927] PHP Multiple Unspecified Vulnerabilities
[SA19925] PHP Linkliste "linkliste.php" Script Insertion Vulnerability
[SA19924] 321soft Php-Gallery Multiple Vulnerabilities
[SA19922] CGI:IRC client.c Buffer Overflow Vulnerability
[SA19908] 4images "sessionid" SQL Injection Vulnerability
[SA19904] PHP Newsfeed SQL Injection Vulnerabilities
[SA19899] Advanced Poll "User-Agent" SQL Injection Vulnerability
[SA19896] HB-NS Multiple Vulnerabilities
[SA19895] Ruperts News Script "username" SQL Injection
[SA19888] AZNEWS "ID" Parameter SQL Injection Vulnerability
[SA19883] TextFileBB BBcode Script Insertion Vulnerability
[SA19882] PHP Pro Publish SQL Injection Vulnerabilities
[SA19876] MaxTrade "categori" SQL Injection Vulnerability
[SA19870] Trac Wiki Macro Script Insertion Vulnerability
[SA19867] Leadhound SQL Injection and Cross-Site Scripting
Vulnerabilities
[SA19940] VHCS "server_day_stats.php" Cross-Site Scripting
Vulnerabilities
[SA19937] JSBoard "table" Cross-Site Scripting Vulnerability
[SA19935] MyNews Cross-Site Scripting Vulnerabilities
[SA19932] SF-Users "register.php" Script Insertion Vulnerability
[SA19913] phpkb Knowledge Base "searchkeyword" Cross-Site Scripting
[SA19909] Thyme "searchfor" Cross-Site Scripting Vulnerability
[SA19901] Invision Power Board Topic Deletion SQL Injection
[SA19878] Pinnacle Cart "setbackurl" Cross-Site Scripting
Vulnerability
[SA19877] OrbitHYIP Multiple Cross-Site Scripting Vulnerabilities
[SA19871] SunShop Shopping Cart Cross-Site Scripting Vulnerabilities
[SA19865] MyBB Multiple SQL Injection Vulnerabilities
[SA19929] MySQL Information Disclosure and Buffer Overflow
Vulnerabilities
========================================================================
5) Vulnerabilities Content Listing
Windows:--
[SA19942] BankTown BtCxCtl20Com ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-03
Park Gyu Tae has discovered a vulnerability in BankTown BtCxCtl20Com
ActiveX Control, which potentially can be exploited by malicious people
to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19942/
--
[SA19934] Argosoft FTP Server "RNTO" Command Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-03
Infigo Information Security has discovered a vulnerability in Argosoft
FTP Server, which can be exploited by malicious users to cause a DoS
(Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19934/
--
[SA19889] CyberBuild Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-03
r0t has reported some vulnerabilities in CyberBuild, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19889/
--
[SA19875] Kerio MailServer Attachment Filter Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-02
A vulnerability has been reported in Kerio MailServer, which
potentially can be exploited by malicious people to bypass certain
security restrictions.
Full Advisory:
http://secunia.com/advisories/19875/
--
[SA19965] Gene6 FTP Server MKD/XMKD Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-05-04
Alexey Biznya has discovered a vulnerability in Gene6 FTP Server, which
can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19965/
--
[SA19917] Golden FTP Server Pro NLST/APPE Command Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-05-03
A vulnerability has been discovered in Golden FTP Server Pro, which can
be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19917/
--
[SA19864] Magic ISO Maker ISO File Extraction Directory Traversal
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-04-28
Sowhat has discovered a vulnerability in Magic ISO Maker, which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/19864/
UNIX/Linux:--
[SA19962] Debian update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-04
Debian has issued an update for ethereal. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19962/
--
[SA19958] Red Hat update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-04
Red Hat has issued an update for ethereal. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19958/
--
[SA19950] Ubuntu update for thunderbird
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, DoS, System access
Released: 2006-05-03
Ubuntu has issued an update for thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions, conduct cross-site scripting attacks,
disclose sensitive information, and potentially compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/19950/
--
[SA19941] Debian update for mozilla-thunderbird
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure
of system information, Exposure of sensitive information, DoS, System
access
Released: 2006-05-04
Debian has issued an update for mozilla-thunderbird. This fixes some
vulnerabilities and a weakness, which can be exploited by malicious
people to bypass certain security restrictions, conduct cross-site
scripting and phishing attacks, potentially disclose sensitive
information, cause a DoS (Denial of Service), and potentially
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19941/
--
[SA19902] Gentoo update for mozilla
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure
of sensitive information, DoS, System access
Released: 2006-05-01
Gentoo has issued an update for mozilla. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, bypass certain security
restrictions, cause a DoS (Denial of Service), disclose sensitive
information, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19902/
--
[SA19963] Debian update for clamav
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-04
Debian has issued an update for clamav. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19963/
--
[SA19960] Red Hat update for squirrelmail
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-04
Red Hat has issued an update for squirrelmail. This fixes some
vulnerabilities, which can be exploited by malicious users to
manipulate certain information, and by malicious people to conduct
cross-site scripting and script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19960/
--
[SA19959] Red Hat update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-04
Red Hat has issued an update for dia. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/19959/
--
[SA19949] Ubuntu update for libtiff4
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-04
Ubuntu has issued an update for libtiff4. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19949/
--
[SA19936] Mandriva update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-04
Mandriva has issued an update for libtiff. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19936/
--
[SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-04
A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19926/
--
[SA19920] Rsync "xattrs.diff" Patch Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-02
A vulnerability has been reported in rsync, which can be exploited by
malicious users to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19920/
--
[SA19919] Gentoo update for mplayer
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-02
Gentoo has issued an update for mplayer. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19919/
--
[SA19914] Gentoo update for phpwebsite
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-05-03
Gentoo has issued an update for phpwebsite. This fixes a vulnerability,
which can be exploited by malicious people to disclose sensitive
information and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19914/
--
[SA19912] Gentoo update for clamav
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-03
Gentoo has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19912/
--
[SA19897] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of
sensitive information, DoS, System access
Released: 2006-05-01
SUSE has issued updates for multiple packages. These fix some
vulnerabilities, which can be exploited by malicious users to conduct
script insertion attacks and by malicious people to disclose sensitive
information, conduct cross-site scripting attacks, execute arbitrary
SQL code, cause a DoS (Denial of Service), and to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/19897/
--
[SA19880] ClamAV Freshclam HTTP Header Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-01
A vulnerability has been reported in ClamAV, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19880/
--
[SA19874] Mandriva update for clamav
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-02
Mandriva has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19874/
--
[SA19872] Debian update for asterisk
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2006-05-01
Debian has issued an update for asterisk. This fixes some
vulnerabilities, which can be exploited by malicious users to disclose
sensitive information, and by malicious people to cause a DoS (Denial
of Service) and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19872/
--
[SA19951] Ubuntu update for xserver-xorg
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-04
Ubuntu has issued an update for xserver-xorg. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19951/
--
[SA19943] Mandriva update for xorg-x11
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-03
Mandriva has issued an update for xorg-x11. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19943/
--
[SA19921] SUSE update for xorg-x11-server
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-03
SUSE has issued an update for xorg-x11-server. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19921/
--
[SA19916] OpenBSD update for x.org
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-03
OpenBSD has issued an update for xorg-x11. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19916/
--
[SA19915] Gentoo update for xorg-x11
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-03
Gentoo has issued an update for xorg-x11. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19915/
--
[SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-03
A vulnerability has been reported in X11, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19900/
--
[SA19955] Ubuntu update for kernel
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure
of sensitive information, DoS
Released: 2006-05-04
Ubuntu has issued an update for the kernel. This fixes some
vulnerabilities and weaknesses, which can be exploited by malicious,
local users to disclose potentially sensitive information, bypass
certain security restrictions and cause a DoS (Denial of Service), or
by malicious people to disclose certain system information and
potentially bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/19955/
--
[SA19906] NeoMail "sessionid" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-01
O.u.t.l.a.w has discovered a vulnerability in NeoMail, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19906/
--
[SA19885] DirectAdmin "domain" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-01
O.U.T.L.A.W has reported a vulnerability in DirectAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19885/
--
[SA19879] CPS "pos" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-01
r0t has reported a vulnerability in CPS, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19879/
--
[SA19966] Hostapd EAPoL Frame Handling Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-05-04
Matteo Rosi has reported a vulnerability in Hostapd, which potentially
can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/19966/
--
[SA19910] Quagga RIPd RIPv1 Request Handling Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of system information
Released: 2006-05-03
Konstantin V. Gavrilenko has reported two security issues in Quagga,
which can be exploited by malicious people to bypass certain security
restrictions and to disclose system information.
Full Advisory:
http://secunia.com/advisories/19910/
--
[SA19928] ejabberd Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-03
Julien L. has discovered a vulnerability in ejabberd, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
Full Advisory:
http://secunia.com/advisories/19928/
--
[SA19903] TrueCrypt External Command Execution Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-01
Julien Tinnes has reported a vulnerability in Truecrypt, which
potentially can be exploited by malicious, local users to gain
escalated privileges.
Full Advisory:
http://secunia.com/advisories/19903/
--
[SA19898] Debian update for resmgr
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-05-01
Debian has issued an update for resmgr. This fixes a security issue,
which can be exploited by malicious, local users to bypass certain
security restrictions.
Full Advisory:
http://secunia.com/advisories/19898/
--
[SA19887] Resource Manager resmgrd USB Device Granting Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-05-01
A security issue has been reported in Resource Manager, which can be
exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/19887/
--
[SA19869] Linux Kernel SMBFS chroot Directory Traversal Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-04-28
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which
can be exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/19869/
--
[SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-04-28
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which
can be exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/19868/
Other:--
[SA19894] Fujitsu NetShelter/FW DNS Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-02
A vulnerability has been reported in Fujitsu NetShelter/FW, which can
be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19894/
--
[SA19881] Cisco Unity Express Expired Password Change Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass, Manipulation of data
Released: 2006-05-02
A vulnerability has been reported in Cisco Unity Express (CUE), which
can be exploited by malicious users to manipulate certain information.
Full Advisory:
http://secunia.com/advisories/19881/
--
[SA19953] CA Resource Initialization Manager Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-04
A vulnerability has been reported in CA Resource Initialization Manager
(CAIRIM), which can be exploited by malicious, local users to gain
escalated privileges.
Full Advisory:
http://secunia.com/advisories/19953/
Cross Platform:--
[SA19952] Albinator File Inclusion and Cross-Site Scripting
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-04
Pridels Sec Crew has reported some vulnerabilities in Albinator, which
can be exploited by malicious people to conduct cross-site scripting
attacks and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19952/
--
[SA19944] phpBB phpbb-Auction Module "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-03
VietMafia has discovered a vulnerability in the phpbb-Auction module
for phpBB, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/19944/
--
[SA19923] FtrainSoft Fast Click "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-03
R@1D3N has discovered a vulnerability in FtrainSoft Fast Click, which
can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19923/
--
[SA19918] DMCounter "rootdir" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-02
beford has discovered a vulnerability in the DMCounter, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19918/
--
[SA19911] Aardvark Topsites PHP "CONFIG[path]" File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-01
cijfer has discovered a vulnerability in Aardvark Topsites PHP, which
can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19911/
--
[SA19907] Artmedic Event "page" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-01
A vulnerability been reported in Artmedic Event, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19907/
--
[SA19905] phpBB Advanced GuestBook "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-02
[Oo] has discovered a vulnerability in the Advanced Guestbook module
for phpBB, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/19905/
--
[SA19893] OpenPHPNuke master.php File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-01
[Oo] has reported a vulnerability in OpenPHPNuke, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19893/
--
[SA19892] phpBB Knowledge Base Mod File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-01
[Oo] has discovered a vulnerability Knowledge Base Mod for phpBB, which
can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19892/
--
[SA19891] WEBInsta Limbo sql.php File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-01
[Oo] has discovered a vulnerability in Limbo, which can be exploited by
malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19891/
--
[SA19886] X7 Chat "help_file" Directory Traversal Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, System access
Released: 2006-05-02
rgod has discovered a vulnerability in X7 Chat, which can be exploited
by malicious people to disclose sensitive information and by malicious
users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19886/
--
[SA19884] phpBB TopList "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-02
[Oo] has discovered a vulnerability in the TopList module for phpBB,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19884/
--
[SA19866] phpwcms Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-05-01
bugreporter has reported some vulnerabilities in phpwcms, which can be
exploited by malicious people to bypass certain security restrictions
or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19866/
--
[SA19948] Invision Gallery "album" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-04
Devil-00 has reported a vulnerability in Invision Gallery, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19948/
--
[SA19933] CMScout Multiple Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-04
Nomenumbra has discovered some vulnerabilities in CMScout, which can be
exploited by malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19933/
--
[SA19930] Russcom.Loginphp Script Insertion and Open Mail Relay
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-05-03
Nomenumbra has discovered two vulnerabilities in Russcom.Loginphp,
which can be exploited by malicious people to use it as an open mail
relay and conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19930/
--
[SA19927] PHP Multiple Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-05-04
Some unspecified vulnerabilities with unknown impacts have been
reported in PHP.
Full Advisory:
http://secunia.com/advisories/19927/
--
[SA19925] PHP Linkliste "linkliste.php" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-03
d4igoro has discovered a vulnerability in PHP Linkliste, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19925/
--
[SA19924] 321soft Php-Gallery Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information,
Exposure of sensitive information
Released: 2006-05-03
d4igoro has discovered some vulnerabilities in 321soft Php-Gallery,
which can be exploited by malicious people to conduct cross-site
scripting attacks and disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/19924/
--
[SA19922] CGI:IRC client.c Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-02
A vulnerability has been reported in CGI:IRC, which can be exploited by
malicious users to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19922/
--
[SA19908] 4images "sessionid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-02
CrAzY CrAcKeR has discovered a vulnerability in 4images, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19908/
--
[SA19904] PHP Newsfeed SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-01
Aliaksandr Hartsuyeu has reported some vulnerabilities in PHP Newsfeed,
which can be exploited by malicious people to conduct SQL injection
attacks.
Full Advisory:
http://secunia.com/advisories/19904/
--
[SA19899] Advanced Poll "User-Agent" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-02
Aliaksandr Hartsuyeu has reported a vulnerability in Advanced Poll,
which can be exploited by malicious people to conduct SQL injection
attacks.
Full Advisory:
http://secunia.com/advisories/19899/
--
[SA19896] HB-NS Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-01
Aliaksandr Hartsuyeu has reported some vulnerabilities in HB-NS, which
can be exploited by malicious people to conduct script insertion or SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/19896/
--
[SA19895] Ruperts News Script "username" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-05-01
Aliaksandr Hartsuyeu has reported a vulnerability in Ruperts News
Script, which can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/19895/
--
[SA19888] AZNEWS "ID" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-01
Aliaksandr Hartsuyeu has reported a vulnerability in AZNEWS, which can
be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19888/
--
[SA19883] TextFileBB BBcode Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-01
r0xes.ratm has discovered a vulnerability in TextFileBB, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19883/
--
[SA19882] PHP Pro Publish SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-01
Aliaksandr Hartsuyeu has discovered some vulnerabilities in PHP Pro
Publish, which can be exploited by malicious people to conduct SQL
injection attacks and by malicious users to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/19882/
--
[SA19876] MaxTrade "categori" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-01
r0t has reported a vulnerability in MaxTrade, which can be exploited by
malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19876/
--
[SA19870] Trac Wiki Macro Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-04-28
A vulnerability has been reported Trac. which can be exploited by
malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19870/
--
[SA19867] Leadhound SQL Injection and Cross-Site Scripting
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-04-28
r0t has reported some vulnerabilities in Leadhound, which can be
exploited by malicious people to conduct SQL injection and cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/19867/
--
[SA19940] VHCS "server_day_stats.php" Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-03
O.U.T.L.A.W has reported some vulnerabilities in VHCS, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19940/
--
[SA19937] JSBoard "table" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-03
Alexander Klink has reported a vulnerability in JSBoard, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19937/
--
[SA19935] MyNews Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-03
DreamLord has reported two vulnerabilities in MyNews, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19935/
--
[SA19932] SF-Users "register.php" Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-03
Nomenumbra has discovered a vulnerability in SF-Users, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19932/
--
[SA19913] phpkb Knowledge Base "searchkeyword" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-03
d4igoro has reported a vulnerability in phpkb Knowledge Base, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/19913/
--
[SA19909] Thyme "searchfor" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-02
O.U.T.L.A.W has discovered a vulnerability in Thyme, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19909/
--
[SA19901] Invision Power Board Topic Deletion SQL Injection
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-02
Devil-00 has reported a vulnerability in Invision Power Board, which
can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19901/
--
[SA19878] Pinnacle Cart "setbackurl" Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-02
r0t has reported a vulnerability in Pinnacle Cart, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19878/
--
[SA19877] OrbitHYIP Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-01
r0t has reported some vulnerabilities in OrbitHYIP, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19877/
--
[SA19871] SunShop Shopping Cart Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-01
r0t has reported some vulnerabilities in SunShop Shopping Cart, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/19871/
--
[SA19865] MyBB Multiple SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-04-28
o.y.6 has discovered some vulnerabilities in MyBB, which can be
exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19865/
--
[SA19929] MySQL Information Disclosure and Buffer Overflow
Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, System access
Released: 2006-05-03
Stefano Di Paola has reported some vulnerabilities in MySQL, which can
be exploited by malicious users to disclose potentially sensitive
information and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19929/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support@private
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu May 04 2006 - 22:43:54 PDT