========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-06-15 - 2006-06-22

                       This week: 69 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia staff spend hours every day to ensure that you have the best and
most reliable source of vulnerability information. Every vulnerability
report is validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways, e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of the
source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Two vulnerabilities have been discovered in Microsoft Windows and
Microsoft Excel, which can be exploited to compromise a vulnerable
system.

The first, SA20686, has, according to Microsoft, already been used in
targeted "Zero-day" attacks against a few companies. Currently, no
patches are available from Microsoft.

Please refer to the referenced Secunia advisories below for additional
details.
References:
http://secunia.com/SA20686
http://secunia.com/SA20748

--

A vulnerability has been discovered in WinAmp, which potentially can be
exploited by malicious people to compromise a user's system.

An updated version has been released by the vendor that fixes this
vulnerability.

Reference:
http://secunia.com/SA20722

--

VIRUS ALERTS:

During the past week Secunia collected 224 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
2.  [SA20748] Microsoft Office Long Link Buffer Overflow Vulnerability
3.  [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
4.  [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
5.  [SA20576] Adobe Reader Unspecified Vulnerabilities
6.  [SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability
7.  [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
8.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
9.  [SA15779] Sendmail Multi-Part MIME Message Handling Denial of Service
10. [SA20661] Horde Cross-Site Scripting Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
[SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
[SA20721] ASP Stats Generator SQL Injection and Code Injection
[SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability
[SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities
[SA20752] Maximus SchoolMAX "error_msg" Parameter Cross-Site Scripting
[SA20743] Hosting Controller Privilege Escalation Vulnerability
[SA20698] SSPwiz Plus "message" Cross-Site Scripting Vulnerability

UNIX/Linux:
[SA20710] SUSE update for awstats
[SA20709] Gentoo update for mozilla-thunderbird
[SA20708] Gentoo update for typespeed
[SA20766] SUSE Updates for Multiple Packages
[SA20716] Ubuntu update for kernel
[SA20715] Trustix update for libtiff
[SA20712] Ubuntu update for mysql-dfsg
[SA20703] Linux Kernel "xt_sctp" Denial of Service Vulnerability
[SA20694] Mandriva update for sendmail
[SA20693] Mandriva update for libtiff
[SA20690] Gentoo update for pam_mysql
[SA20692] Mandriva update for spamassassin
[SA20750] Debian update for horde2
[SA20734] CHM Lib "extract_chmLib" Directory Traversal Vulnerability
[SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability
[SA20754] dhcdbd DHCP Message Handling Denial of Service
[SA20702] Mandriva update for kdebase
[SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability
[SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability

Other:
[SA20726] FortiMail Sendmail Multi-Part MIME Message Handling Vulnerability
[SA20720] FortiGate FTP Anti-Virus Scanning Bypass Vulnerability

Cross Platform:
[SA20771] Ralf Image Gallery File Inclusion Vulnerabilities
[SA20769] SmartSiteCMS "root" File Inclusion Vulnerability
[SA20768] BandSite CMS "root_path" File Inclusion Vulnerabilities
[SA20758] Micro CMS "microcms_path" Parameter File Inclusion Vulnerability
[SA20744] Ad Manager Pro "ipath" Parameter File Inclusion Vulnerability
[SA20733] easy-CMS Multiple File Extensions Vulnerability
[SA20731] Eduha Meeting PHP File Upload Vulnerability
[SA20713] CMS Faethon "mainpath" File Inclusion and Cross-Site Scripting Vulnerabilities
[SA20695] Bitweaver Multiple Vulnerabilities and Weakness
[SA20772] Invision Power Board Hexadecimal HTML Entities Script Insertion
[SA20763] IMGallery "galerie.php" SQL Injection Vulnerabilities
[SA20761] Ultimate Estate Cross-Site Scripting and SQL Injection
[SA20753] BtitTracker "torrents.php" SQL Injection Vulnerabilities
[SA20747] thinkWMS Multiple SQL Injection Vulnerabilities
[SA20746] Joomla! "Name" SQL Injection Vulnerability
[SA20745] Mambo "Name" SQL Injection Vulnerability
[SA20740] phpTRADER SQL Injection Vulnerabilities
[SA20739] xarancms "id" Parameter SQL Injection Vulnerability
[SA20738] tplShop "first_row" Parameter SQL Injection Vulnerability
[SA20732] IBM WebSphere Application Server Multiple Vulnerabilities
[SA20730] VUBB SQL Injection and Cross-Site Scripting Vulnerabilities
[SA20727] e107 Cross-Site Scripting and Script Insertion
[SA20724] singapore "template" Parameter Local File Inclusion Vulnerability
[SA20706] Clubpage Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20705] Free Realty "sort" SQL Injection Vulnerability
[SA20704] Open-Realty "sorttype" SQL Injection Vulnerability
[SA20701] VBZooM "QuranID" SQL Injection Vulnerability
[SA20700] Groupmax Address/Mail Server Denial of Service Vulnerability
[SA20696] Virtual War "war.php" SQL Injection Vulnerabilities
[SA20767] Atlassian JIRA Enterprise Edition Cross-Site Scripting Vulnerability
[SA20764] myPHP Guestbook Cross-Site Scripting Vulnerabilities
[SA20742] UltimateGoogle "REQ" Cross-Site Scripting Vulnerability
[SA20737] Ultimate eShop "subid" Cross-Site Scripting Vulnerability
[SA20736] Tradingeye Shop "image" Cross-Site Scripting Vulnerability
[SA20735] Cisco CallManager Web Interface Cross-Site Scripting Vulnerabilities
[SA20728] Confixx Pro Cross-Site Scripting Vulnerabilities
[SA20725] AssoCIateD "menu" Cross-Site Scripting Vulnerability
[SA20718] phpMyDirectory Cross-Site Scripting Vulnerabilities
[SA20697] iPostMX 2005 "RETURNURL" Cross-Site Scripting Vulnerabilities
[SA20691] NC LinkList "index.php" Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-20

kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20748/

--

[SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-21

BassReFLeX has discovered a vulnerability in WinAmp, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20722/

--

[SA20721] ASP Stats Generator SQL Injection and Code Injection

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-06-19

Hamid Ebadi has reported two vulnerabilities in ASP Stats Generator, which can be exploited by malicious people to conduct SQL injection attacks and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20721/

--

[SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-20

Hitachi has acknowledged a vulnerability in various products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20719/

--

[SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2006-06-21

Some vulnerabilities have been reported in MAILsweeper for SMTP/Exchange, which can be exploited by malicious people to bypass certain security restrictions and potentially cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20756/

--

[SA20752] Maximus SchoolMAX "error_msg" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-20

Charles H. has reported a vulnerability in Maximus SchoolMAX, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20752/

--

[SA20743] Hosting Controller Privilege Escalation Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation
Released:    2006-06-20

A vulnerability has been reported in Hosting Controller, which can be exploited by malicious users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20743/

--

[SA20698] SSPwiz Plus "message" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-16

r0t has reported a vulnerability in SSPwiz Plus, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20698/

UNIX/Linux:
--

[SA20710] SUSE update for awstats

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-06-20

SUSE has issued an update for awstats. This fixes a vulnerability and a security issue, which can be exploited by malicious people to bypass certain security restrictions or to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20710/

--

[SA20709] Gentoo update for mozilla-thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, System access
Released:    2006-06-20

Gentoo has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20709/

--

[SA20708] Gentoo update for typespeed

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-20

Gentoo has issued an update for typespeed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20708/

--

[SA20766] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2006-06-21

SUSE has issued updates for multiple packages. These fix some vulnerabilities and a weakness, which can be exploited by malicious people to bypass certain security restrictions, to cause a DoS (Denial of Service) or potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20766/

--

[SA20716] Ubuntu update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2006-06-19

Ubuntu has released an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to cause a DoS (Denial of Service), gain knowledge of potentially sensitive information and bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20716/

--

[SA20715] Trustix update for libtiff

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-19

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20715/

--

[SA20712] Ubuntu update for mysql-dfsg

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-19

Ubuntu has issued an update for mysql-dfsg. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20712/

--

[SA20703] Linux Kernel "xt_sctp" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-20

A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20703/

--

[SA20694] Mandriva update for sendmail

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-16

Mandriva has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20694/

--

[SA20693] Mandriva update for libtiff

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-16

Mandriva has issued an update for libtiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20693/

--

[SA20690] Gentoo update for pam_mysql

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-16

Gentoo has issued an update for pam_mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20690/

--

[SA20692] Mandriva update for spamassassin

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-06-16

Mandriva has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20692/

--

[SA20750] Debian update for horde2

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-19

Debian has issued an update for horde2. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20750/

--

[SA20734] CHM Lib "extract_chmLib" Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-06-19

A vulnerability has been reported in CHM Lib (chmlib), which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20734/

--

[SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-16

A vulnerability has been reported in Cisco Secure ACS for Unix, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20699/

--

[SA20754] dhcdbd DHCP Message Handling Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-06-21

Florian Hackenberger has reported a vulnerability in dhcdbd, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20754/

--

[SA20702] Mandriva update for kdebase

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-06-16

Mandriva has issued an update for kdebase. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/20702/

--

[SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-06-20

A vulnerability has been reported in NetPBM, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20729/

--

[SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-06-19

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20711/

Other:
--

[SA20726] FortiMail Sendmail Multi-Part MIME Message Handling Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-06-21

A vulnerability has been reported in FortiMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20726/

--

[SA20720] FortiGate FTP Anti-Virus Scanning Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-21

A vulnerability has been reported in FortiGate, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20720/

Cross Platform:
--

[SA20771] Ralf Image Gallery File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-21

David "Aesthetico" Vieira-Kurz has discovered a vulnerability in Ralf Image Gallery (RIG), which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20771/

--

[SA20769] SmartSiteCMS "root" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-21

Archit3ct and IR4DEX GROUP have discovered a vulnerability in SmartSiteCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20769/

--

[SA20768] BandSite CMS "root_path" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-21

Kw3[R]Ln has reported some vulnerabilities in BandSite CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20768/

--

[SA20758] Micro CMS "microcms_path" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-20

CeNGiZ-HaN has discovered a vulnerability in Micro CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20758/

--

[SA20744] Ad Manager Pro "ipath" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-20

Basti has reported a vulnerability in Ad Manager Pro, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20744/

--

[SA20733] easy-CMS Multiple File Extensions Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-19

Liz0ziM has discovered a vulnerability in easy-CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20733/

--

[SA20731] Eduha Meeting PHP File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-19

Liz0ziM has reported a vulnerability in Eduha Meeting, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20731/

--

[SA20713] CMS Faethon "mainpath" File Inclusion and Cross-Site Scripting Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-06-19

Some vulnerabilities have been discovered in CMS Faethon, which can be exploited by malicious people to conduct cross-site scripting attacks or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20713/

--

[SA20695] Bitweaver Multiple Vulnerabilities and Weakness

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, System access
Released:    2006-06-17

rgod has reported some vulnerabilities and a weakness in Bitweaver, which can be exploited by malicious people to disclose certain system information, conduct cross-site scripting attacks, and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20695/

--

[SA20772] Invision Power Board Hexadecimal HTML Entities Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-21

A vulnerability has been reported in Invision Power Board, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20772/

--

[SA20763] IMGallery "galerie.php" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-21

r0t has reported some vulnerabilities in IMGallery, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20763/

--

[SA20761] Ultimate Estate Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-21

r0t has reported some vulnerabilities in Ultimate Estate, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20761/

--

[SA20753] BtitTracker "torrents.php" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-20

r0t has reported two vulnerabilities in BtitTracker, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20753/

--

[SA20747] thinkWMS Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-21

r0t has reported some vulnerabilities in thinkWMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20747/

--

[SA20746] Joomla! "Name" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-19

rgod has discovered a vulnerability in Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20746/

--

[SA20745] Mambo "Name" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-19

rgod has discovered a vulnerability in Mambo, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20745/

--

[SA20740] phpTRADER SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-21

r0t has reported some vulnerabilities in phpTRADER, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20740/

--

[SA20739] xarancms "id" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-19

r0t has reported a vulnerability in xarancms, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20739/

--

[SA20738] tplShop "first_row" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-19

r0t has discovered a vulnerability in tplShop, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20738/

--

[SA20732] IBM WebSphere Application Server Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-06-21

Some vulnerabilities have been reported in IBM WebSphere Application Server, which can be exploited by malicious, local users and malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/20732/

--

[SA20730] VUBB SQL Injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information
Released:    2006-06-20

DarkFig has discovered some vulnerabilities in VUBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20730/

--

[SA20727] e107 Cross-Site Scripting and Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-20

Ellipsis Security has discovered two vulnerabilities in e107, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20727/

--

[SA20724] singapore "template" Parameter Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-06-20

Moroccan Security Research Team has discovered a vulnerability in singapore, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20724/

--

[SA20706] Clubpage Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-20

r0t has reported some vulnerabilities in Clubpage, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20706/

--

[SA20705] Free Realty "sort" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-20

r0t has reported a vulnerability in Free Realty, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20705/

--

[SA20704] Open-Realty "sorttype" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-20

r0t has discovered a vulnerability in Open-Realty, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20704/

--

[SA20701] VBZooM "QuranID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-21

CrAzY CrAcKeR has reported a vulnerability in VBZooM, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20701/

--

[SA20700] Groupmax Address/Mail Server Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-20

A vulnerability has been reported in Groupmax Address/Mail Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20700/

--

[SA20696] Virtual War "war.php" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-16

r0t has discovered some vulnerabilities in Virtual War, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20696/

--

[SA20767] Atlassian JIRA Enterprise Edition Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-06-21

r0t has discovered a vulnerability in Atlassian JIRA Enterprise Edition, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20767/

--

[SA20764] myPHP Guestbook Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-21

Some vulnerabilities have been reported in myPHP Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20764/

--

[SA20742] UltimateGoogle "REQ" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-21

r0t has reported a vulnerability in UltimateGoogle, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20742/

--

[SA20737] Ultimate eShop "subid" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-21

r0t has reported a vulnerability in Ultimate eShop, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20737/

--

[SA20736] Tradingeye Shop "image" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-19

r0t has reported a vulnerability in Tradingeye Shop, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20736/

--

[SA20735] Cisco CallManager Web Interface Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-20

FishNet Security has reported some vulnerabilities in Cisco CallManager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20735/

--

[SA20728] Confixx Pro Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-19

p0w3r has reported two vulnerabilities in Confixx Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20728/

--

[SA20725] AssoCIateD "menu" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-20

r0t has discovered a vulnerability in AssoCIateD, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20725/

--

[SA20718] phpMyDirectory Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-20

r0t has reported two vulnerabilities in phpMyDirectory, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20718/

--

[SA20697] iPostMX 2005 "RETURNURL" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-16

r0t has reported some vulnerabilities in iPostMX 2005, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20697/

--

[SA20691] NC LinkList "index.php" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-20

r0t has reported some vulnerabilities in NC LinkList, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20691/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@private
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

_________________________________
Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no
vendor pitches.
www.blackhat.com