========================================================================

                   The Secunia Weekly Advisory Summary
                         2006-06-29 - 2006-07-06

                       This week: 68 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified
before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete
source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been reported in Apple iTunes, which can be
exploited by malicious people to compromise a user's system using
malicious AAC media files.

Additional details can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA20891

--

HD Moore has discovered a vulnerability in the HTML Help ActiveX
Control in Internet Explorer, which potentially can be exploited by
malicious people to compromise a user's system.

References:
http://secunia.com/SA20906

--

VIRUS ALERTS:

During the past week Secunia collected 142 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20906] Internet Explorer HTML Help ActiveX Control Memory
              Corruption

2.  [SA20825] Internet Explorer Information Disclosure and HTA
              Application Execution

3.  [SA20867] OpenOffice Multiple Vulnerabilities

4.  [SA20748] Microsoft Windows Hyperlink Object Library Buffer
              Overflow

5.  [SA20153] Microsoft Word Malformed Object Pointer Vulnerability

6.  [SA20891] Apple iTunes AAC File Parsing Integer Overflow
              Vulnerability

7.  [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability

8.  [SA20860] Cisco Wireless Access Point Web Management Vulnerability

9.  [SA20886] Geeklog "connector.php" File Upload Vulnerability

10. [SA20877] Mac OS X Update Fixes Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20938] iMBCContents ActiveX Control "Execute()" Insecure Method
[SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption
[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service
[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

UNIX/Linux:
[SA20964] Ubuntu update for libmms
[SA20944] Avaya Products Ethereal Vulnerabilities
[SA20937] Gentoo mpg123 Heap Overflow Vulnerability
[SA20921] libwmf Integer Overflow Vulnerability
[SA20897] SUSE update for Opera
[SA20951] Avaya Products PHP Multiple Vulnerabilities
[SA20931] Red Hat update for Squirrelmail
[SA20925] SUSE update for acroread
[SA20917] Linux Kernel SCTP Denial of Service Vulnerability
[SA20914] Debian update for kernel-source-2.6.8
[SA20913] SUSE update for OpenOffice_org
[SA20910] Red Hat update for OpenOffice.org
[SA20899] SUSE Updates for Multiple Packages
[SA20895] rPath update for mutt
[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability
[SA20893] Debian update for openoffice.org
[SA20900] Gentoo update for kiax
[SA20963] ppp setuid Security Issue
[SA20902] Efone "config.inc" Information Disclosure Security Issue
[SA20967] Ubuntu update for ppp
[SA20966] Ubuntu update for shadow
[SA20950] shadow setuid Vulnerability
[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability
[SA20890] SUSE update for kdebase3-kdm
[SA20939] phpSysInfo "lng" Parameter File Detection Weakness

Other:
[SA20896] Siemens Speedstream 2624 Password Protection Bypass

Cross Platform:
[SA20949] Mambo Galleria Module "mosConfig_absolute_path" File Inclusion
[SA20923] SiteBuilder-FX "admindir" Parameter File Inclusion Vulnerability
[SA20922] phpFormGenerator File Upload Vulnerability
[SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability
[SA20961] Icculus.org Quake 3 Engine CS_ITEMS Buffer Overflow
[SA20957] Glendown Shopping Cart Script Insertion Vulnerabilities
[SA20955] BLOG:CMS URL Parameter SQL Injection
[SA20946] Quake 3 Buffer Overflow Vulnerabilities
[SA20945] Foros "inc/config.inc" Information Disclosure Security Issue
[SA20936] Vincent LECLERCQ News Cross-Site Scripting and SQL Injection
[SA20933] Buddy Zone Script Insertion and SQL Injection
[SA20932] mAds Cross-Site Scripting and Script Insertion
[SA20927] DZCP "id" Parameter SQL Injection Vulnerability
[SA20920] Drupal Form_mail Module Mail Header Injection Vulnerability
[SA20915] MyNewsGroups "grp_id" SQL Injection Vulnerability
[SA20911] StarOffice / StarSuite Multiple Vulnerabilities
[SA20908] BXCP "where" Parameter SQL Injection Vulnerability
[SA20901] FineShop Cross-Site Scripting and SQL Injection
[SA20892] Webmin / Usermin Arbitrary File Disclosure Vulnerability
[SA20959] PHPMailList "email" Cross-Site Scripting Vulnerability
[SA20952] TTCalc Multiple Cross-Site Scripting Vulnerabilities
[SA20943] NewsPHP Cross-Site Scripting Vulnerabilities
[SA20941] ATutor Cross-Site Scripting Vulnerabilities
[SA20935] PHPWebGallery "keyword" Cross-Site Scripting Vulnerability
[SA20930] Invision Power Board Cross-Site Scripting and Security Bypass
[SA20929] AutoRank PHP "Keyword" Cross-Site Scripting Vulnerability
[SA20924] ky2help "Meine Links" SQL Injection Vulnerability
[SA20918] Kamikaze-qscm "config.inc" Information Disclosure Security Issue
[SA20916] the banner engine Multiple Cross-Site Scripting Vulnerabilities
[SA20912] Taskjitsu Task Script Insertion Vulnerabilities
[SA20909] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability
[SA20907] phpMyAdmin "table" Parameter Cross-Site Scripting
[SA20905] CommuniGate Pro POP Service Empty Inbox Denial of Service
[SA20904] PHP-Fusion Image Script Insertion Vulnerability
[SA20903] AutoRank Pro "Username" Cross-Site Scripting Vulnerability
[SA20898] Nuked-Klan Blocks Management Cross-Site Request Forgery
[SA20919] Sun Java System Messaging Server Arbitrary File Disclosure
[SA20928] WordPress "paged" Disclosure of Table Prefix Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA20938] iMBCContents ActiveX Control "Execute()" Insecure Method

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-05

Gyu Tae Park has discovered a vulnerability in the iMBCContents ActiveX
control, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/20938/

--

[SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

HD Moore has discovered a vulnerability in Internet Explorer, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/20906/

--

[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-07-03

Luigi Auriemma has reported a vulnerability in NASCAR Racing, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20947/

--

[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-05

Some vulnerabilities have been reported in various Hitachi products,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20926/

UNIX/Linux:
--

[SA20964] Ubuntu update for libmms

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-06

Ubuntu has issued an update for libmms. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20964/

--

[SA20944] Avaya Products Ethereal Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-03

Avaya has acknowledged some vulnerabilities in ethereal included in
various Avaya products, which can be exploited by malicious people to
cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20944/

--

[SA20937] Gentoo mpg123 Heap Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

Horst Schirmeier has reported a vulnerability in Gentoo's mpg123
package, which potentially can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20937/

--

[SA20921] libwmf Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-03

infamous41md has reported a vulnerability in libwmf, which potentially
can be exploited by malicious people to compromise an application using
the vulnerable library.

Full Advisory:
http://secunia.com/advisories/20921/

--

[SA20897] SUSE update for Opera

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2006-07-04

SUSE has issued an update for Opera. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to compromise a
user's system or to display the SSL certificate from a trusted site on
an untrusted site.

Full Advisory:
http://secunia.com/advisories/20897/

--

[SA20951] Avaya Products PHP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
             data, Exposure of sensitive information, DoS, System
             access
Released:    2006-07-06

Avaya has acknowledged some vulnerabilities in PHP included in various
Avaya products, which can be exploited by malicious users to cause a
DoS (Denial of Service) or compromise a vulnerable system, and by
malicious people to conduct cross-site scripting attacks, to gain
knowledge of potentially sensitive information, and to use PHP as an
open mail relay.

Full Advisory:
http://secunia.com/advisories/20951/

--

[SA20931] Red Hat update for Squirrelmail

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

Red Hat has issued an update for Squirrelmail. This fixes a
vulnerability, which can be exploited by malicious people to disclose
certain sensitive information.

Full Advisory:
http://secunia.com/advisories/20931/

--

[SA20925] SUSE update for acroread

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-07-05

SUSE has issued an update for acroread. This fixes some vulnerabilities
with unknown impacts.

Full Advisory:
http://secunia.com/advisories/20925/

--

[SA20917] Linux Kernel SCTP Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-07-03

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20917/

--

[SA20914] Debian update for kernel-source-2.6.8

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information, DoS, System access
Released:    2006-07-04

Debian has issued an update for kernel-source-2.6.8. This fixes some
vulnerabilities and weaknesses, which can be exploited to bypass
certain security restrictions, disclose potentially sensitive
information, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20914/

--

[SA20913] SUSE update for OpenOffice_org

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

SUSE has issued an update for OpenOffice_org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20913/

--

[SA20910] Red Hat update for OpenOffice.org

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

Red Hat has issued an update for OpenOffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20910/

--

[SA20899] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation, DoS, System access
Released:    2006-07-03

SUSE has issued updates for multiple packages. These fix some
vulnerabilities and security issues, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges, and by malicious people to cause a DoS (Denial of Service),
bypass certain security restrictions, or compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20899/

--

[SA20895] rPath update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-30

rPath has released an update for mutt. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20895/

--

[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-30

HP has acknowledged a vulnerability in HP Tru64 UNIX and HP Internet
Express running Perl, which can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a vulnerable
Perl application.

Full Advisory:
http://secunia.com/advisories/20894/

--

[SA20893] Debian update for openoffice.org

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-30

Debian has issued an update for openoffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20893/

--

[SA20900] Gentoo update for kiax

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-07-03

Gentoo has issued an update for kiax. This fixes two vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20900/

--

[SA20963] ppp setuid Security Issue

Critical:    Moderately critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Marcus Meissner discovered a vulnerability in the winbind plugin of
ppp, which potentially can be exploited by malicious, local users to
perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20963/

--

[SA20902] Efone "config.inc" Information Disclosure Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

DarkFig has discovered a security issue in Efone, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20902/

--

[SA20967] Ubuntu update for ppp

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Ubuntu has issued an update for ppp. This fixes a vulnerability, which
potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20967/

--

[SA20966] Ubuntu update for shadow

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Ubuntu has issued an update for shadow. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20966/

--

[SA20950] shadow setuid Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Ilja van Sprundel reported a vulnerability in the passwd application
of shadow, which potentially can be exploited by malicious, local users
to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20950/

--

[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-07-03

A vulnerability has been reported in HP-UX, which can be exploited by
malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20934/

--

[SA20890] SUSE update for kdebase3-kdm

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-07-04

SUSE has issued an update for kdebase3-kdm. This fixes a vulnerability,
which can be exploited by malicious, local users to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/20890/

--

[SA20939] phpSysInfo "lng" Parameter File Detection Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-07-05

Micheal Turner has discovered a weakness in phpSysInfo, which can be
exploited by malicious people to detect files on the server.

Full Advisory:
http://secunia.com/advisories/20939/

Other:
--

[SA20896] Siemens Speedstream 2624 Password Protection Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-06-30

Jaime Blasco has reported a vulnerability in Siemens Speedstream 2624,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20896/

Cross Platform:
--

[SA20949] Mambo Galleria Module "mosConfig_absolute_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-05

ineal has discovered a vulnerability in the Galleria module for Mambo,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20949/

--

[SA20923] SiteBuilder-FX "admindir" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-03

MazaGi has discovered a vulnerability in SiteBuilder-FX, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20923/

--

[SA20922] phpFormGenerator File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-03

Donnie Werner has discovered a vulnerability in phpFormGenerator, which
can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20922/

--

[SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-30

A vulnerability has been reported in Apple iTunes, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20891/

--

[SA20961] Icculus.org Quake 3 Engine CS_ITEMS Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-06

A vulnerability has been reported in the Icculus.org Quake 3 Engine,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20961/

--

[SA20957] Glendown Shopping Cart Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

luny has discovered two vulnerabilities in Glendown Shopping Cart,
which can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/20957/

--

[SA20955] BLOG:CMS URL Parameter SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-07-06

Ellipsis Security has discovered a vulnerability and a security issue
in BLOG:CMS, which can be exploited by malicious people to bypass
certain security restrictions and to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20955/

--

[SA20946] Quake 3 Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-04

RunningBon has reported two vulnerabilities in the Quake 3 Engine,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20946/

--

[SA20945] Foros "inc/config.inc" Information Disclosure Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

DarkFig has reported a security issue in Foros, which can be exploited
by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20945/

--

[SA20936] Vincent LECLERCQ News Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-07-03

DarkFig has reported some vulnerabilities in Vincent LECLERCQ News,
which can be exploited by malicious people to conduct cross-site
scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20936/

--

[SA20933] Buddy Zone Script Insertion and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-07-03

luny has reported some vulnerabilities in Buddy Zone, which can be
exploited by malicious users to conduct script insertion and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/20933/

--

[SA20932] mAds Cross-Site Scripting and Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Luny has reported two vulnerabilities in mAds, which can be exploited
by malicious people to conduct cross-site scripting and script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/20932/

--

[SA20927] DZCP "id" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-03

x128 has discovered a vulnerability in DZCP, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20927/

--

[SA20920] Drupal Form_mail Module Mail Header Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-07-05

A vulnerability has been reported in the Form_mail module for Drupal,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20920/

--

[SA20915] MyNewsGroups "grp_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-03

CrAzY CrAcKeR has discovered a vulnerability in MyNewsGroups, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20915/

--

[SA20911] StarOffice / StarSuite Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-07-03

Three vulnerabilities have been reported in StarOffice, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20911/

--

[SA20908] BXCP "where" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-03

x23 has discovered a vulnerability in BXCP, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20908/

--

[SA20901] FineShop Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-30

r0t has reported some vulnerabilities in Fineshop, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20901/

--

[SA20892] Webmin / Usermin Arbitrary File Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information
Released:    2006-06-30

A vulnerability has been reported in Webmin and Usermin, which can be
exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/20892/

--

[SA20959] PHPMailList "email" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

Lostmon has discovered a vulnerability in PHPMailList, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20959/

--

[SA20952] TTCalc Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

luny has discovered some vulnerabilities in TTCalc, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20952/

--

[SA20943] NewsPHP Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Ellipsis Security has reported two vulnerabilities in NewsPHP, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20943/

--

[SA20941] ATutor Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

Security News has discovered some vulnerabilities in ATutor, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20941/

--

[SA20935] PHPWebGallery "keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-05

The Moroccan Security Research Team reported a vulnerability in
PHPWebGallery, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20935/

--

[SA20930] Invision Power Board Cross-Site Scripting and Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-07-03

Two vulnerabilities have been reported in Invision Power Board, which
can be exploited by malicious users to bypass certain security
restrictions and by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20930/

--

[SA20929] AutoRank PHP "Keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

David "Aesthetico" Vieira-Kurz has reported a vulnerability in AutoRank
PHP, which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20929/

--

[SA20924] ky2help "Meine Links" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-06

Marc Ruef has reported a vulnerability in ky2help, which can be
exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20924/

--

[SA20918] Kamikaze-qscm "config.inc" Information Disclosure Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

DarkFig has discovered a security issue in Kamikaze-qscm, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20918/

--

[SA20916] the banner engine Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

Ellipsis Security has reported some vulnerabilities in the banner
engine, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20916/

--

[SA20912] Taskjitsu Task Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

Two vulnerabilities have been reported in Taskjitsu, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20912/

--

[SA20909] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Kil13r has reported a vulnerability in MoniWiki, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20909/

--

[SA20907] phpMyAdmin "table" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Security News has reported a vulnerability in phpMyAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20907/

--

[SA20905] CommuniGate Pro POP Service Empty Inbox Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-07-03

A vulnerability has been reported in CommuniGate Pro, which can be
exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20905/

--

[SA20904] PHP-Fusion Image Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

ZeberuS and Redworm have reported a vulnerability in PHP-Fusion, which
can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/20904/

--

[SA20903] AutoRank Pro "Username" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

David "Aesthetico" Vieira-Kurz has reported a vulnerability in AutoRank
Pro, which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20903/

--

[SA20898] Nuked-Klan Blocks Management Cross-Site Request Forgery

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2006-06-30

Blwood has discovered a vulnerability in Nuked-Klan, which can be
exploited by malicious people to conduct cross-site request forgery
attacks.

Full Advisory:
http://secunia.com/advisories/20898/

--

[SA20919] Sun Java System Messaging Server Arbitrary File Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-07-03

php0t has reported a vulnerability in Sun Java System Messaging Server
/ iPlanet Messaging Server, which can be exploited by malicious, local
users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20919/

--

[SA20928] WordPress "paged" Disclosure of Table Prefix Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-07-04

zero has discovered a weakness in WordPress, which can be exploited by
malicious people to disclose system information.

Full Advisory:
http://secunia.com/advisories/20928/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@private
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45