========================================================================

The Secunia Weekly Advisory Summary
2006-08-24 - 2006-08-31

This week: 65 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia Corporate Website has been Released

Learn more about what Secunia can offer you and your company, see and download detailed product descriptions, and view comprehensive flash presentations of both our products and corporate profile.

Visit the Secunia Corporate Website:
http://corporate.secunia.com/

Secunia Vulnerability and Advisory Portal has been Updated

Our publicly available Vulnerability and Advisory Portal secunia.com has been updated with improved accessibility and usability, enhanced features, and improved search capabilities along with availability of extensive product reports. Over the years, the Secunia brand has become synonymous with credible, accurate, and reliable vulnerability intelligence and our services are used by more than 5 million unique users every year at secunia.com.

Visit the Secunia Vulnerability and Advisory Portal:
http://secunia.com/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Zend Platform, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, bypass certain security restrictions, and potentially compromise a vulnerable system.
Additional details can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA21573

--

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vendor has released an updated version fixing these vulnerabilities.

Reference:
http://secunia.com/SA21597

--

VIRUS ALERTS:

During the past week Secunia collected 172 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA21557] Internet Explorer URL Compression Buffer Overflow
2. [SA21637] Sendmail Long Header Denial of Service Vulnerability
3. [SA21616] Cisco Firewall Products Unintentional Password Modification
4. [SA21628] Sun Java System Content Delivery Server Arbitrary File Disclosure
5. [SA21622] Sun Solaris update for mozilla
6. [SA21573] Zend Platform Multiple Vulnerabilities
7. [SA21617] Cisco VPN 3000 Concentrator FTP Management Vulnerabilities
8. [SA21630] Dell Color Laser Printers Multiple Vulnerabilities
9. [SA21597] Wireshark Multiple Vulnerabilities
10. [SA21615] ImageMagick XCF and Sun Rasterfile Buffer Overflows

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA21674] JS ASP Faq Manager SQL Injection Vulnerabilities
[SA21670] DUpoll DUpoll.mdb Database Disclosure Security Issue
[SA21669] Freekot Login SQL Injection Vulnerabilities
[SA21645] MyBB Avatar / Attachment Script Insertion Vulnerability
[SA21638] Cybozu Collaborex Arbitrary File Download Vulnerability
[SA21623] Cybozu Office Arbitrary File Download and Information Disclosure

UNIX/Linux:
[SA21699] Mandriva update for musicbrainz
[SA21682] Gentoo update for wireshark
[SA21675] Debian update for mozilla-firefox
[SA21668] Debian update for libmusicbrainz-2.0
[SA21654] Debian update for mozilla-thunderbird
[SA21649] Mandriva update for wireshark
[SA21639] Gentoo alsaplayer Multiple Buffer Overflow Vulnerabilities
[SA21634] Debian update for mozilla
[SA21631] Red Hat update for seamonkey
[SA21700] Mandriva update for sendmail
[SA21696] Debian update for sendmail
[SA21679] Mandriva update for ImageMagick
[SA21671] rPath update for ImageMagick
[SA21658] Debian update for streamripper
[SA21657] Debian update for ruby1.8
[SA21652] OpenBSD isakmpd IPSec Sequence Number Verification Bypass
[SA21647] Avaya CMS / IR Sun Solaris Sendmail Denial of Service
[SA21641] OpenBSD update for sendmail
[SA21637] Sendmail Long Header Denial of Service Vulnerability
[SA21632] Red Hat update for kdegraphics
[SA21628] Sun Java System Content Delivery Server Arbitrary File Disclosure
[SA21626] Mandriva update for xorg-x11
[SA21655] OpenBSD update for dhcpd
[SA21629] Gentoo update for heartbeat
[SA21684] Gentoo update for motor
[SA21683] Gentoo update for php
[SA21662] Debian update for kdebase
[SA21660] Gentoo Update for Multiple Packages
[SA21650] X.Org X11 setuid Security Issues
[SA21633] Sun Solaris pkgadd Insecure File Permissions
[SA21685] rPath update for mysql
[SA21627] Mandriva update for MySQL
[SA21642] OpenBSD semaphores Denial of Service Vulnerability

Other:
[SA21630] Dell Color Laser Printers Multiple Vulnerabilities
[SA21705] OpenVMS Session Control Password Disclosure Security Issue
[SA21646] Avaya Products Perl "PERLIO_DEBUG" Privilege Escalation

Cross Platform:
[SA21688] MiniBill "config[include_dir]" Parameter File Inclusion
[SA21681] ExBB Italia "exbb[home_path]" File Inclusion Vulnerability
[SA21676] phpECard "include_path" File Inclusion Vulnerabilities
[SA21661] Ay System WCS "path[ShowProcessHandle]" File Inclusion
[SA21651] AlberT-EasySite "PSA_PATH" File Inclusion Vulnerability
[SA21640] Web3news "PHPSECURITYADMIN_PATH" File Inclusion
[SA21636] Joomla Community Builder Component File Inclusion
[SA21624] phpCOIN "_CCFG[_PKG_PATH_INCL]" File Inclusion
[SA21687] phpGroupWare Local File Inclusion Vulnerability
[SA21667] PmWiki Table Markups Script Insertion Vulnerability
[SA21666] Joomla! Multiple Vulnerabilities
[SA21659] CubeCart Multiple Vulnerabilities
[SA21643] Xoops "user_avatar" Parameter SQL Injection Vulnerability
[SA21625] eFiction Authentication Bypass Vulnerability
[SA21677] MaxDB WebDBM Buffer Overflow Vulnerability
[SA21665] Joomla! "id" Parameter SQL Injection Vulnerability
[SA21664] Cybozu Garoon SQL Injection Vulnerabilities
[SA21663] ModernBill Payment SSL Missing Peer Certificate Verification
[SA21656] Cybozu Products Arbitrary File Download Vulnerability
[SA21648] Fotopholder "path" Cross-Site Scripting Vulnerability
[SA21644] Mambo "id" Parameter SQL Injection Vulnerability
[SA21635] HLstats Multiple Cross-Site Scripting Vulnerabilities
[SA21686] xbiff2 Insecure File Permissions

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA21674] JS ASP Faq Manager SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-08-30

s3rv3r_hack3r has reported some vulnerabilities in JS ASP Faq Manager, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/21674/

--

[SA21670] DUpoll DUpoll.mdb Database Disclosure Security Issue

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-30

BoZKuRTSeRDar has discovered a security issue in DUpoll, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/21670/

--

[SA21669] Freekot Login SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-08-31

FarhadKey has discovered two vulnerabilities in Freekot, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/21669/

--

[SA21645] MyBB Avatar / Attachment Script Insertion Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-08-28

Redworm has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/21645/

--

[SA21638] Cybozu Collaborex Arbitrary File Download Vulnerability

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-28

Cybozu has acknowledged a vulnerability in Cybozu Collaborex, which can be exploited by malicious users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/21638/

--

[SA21623] Cybozu Office Arbitrary File Download and Information Disclosure

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-28

Some vulnerabilities have been reported in Cybozu Office, which can be exploited to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/21623/

UNIX/Linux:--

[SA21699] Mandriva update for musicbrainz

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-31

Mandriva has issued an update for musicbrainz. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21699/

--

[SA21682] Gentoo update for wireshark

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-30

Gentoo has issued an update for wireshark. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21682/

--

[SA21675] Debian update for mozilla-firefox

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, DoS, System access
Released: 2006-08-30

Debian has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21675/

--

[SA21668] Debian update for libmusicbrainz-2.0

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-30

Debian has issued an update for libmusicbrainz-2.0. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21668/

--

[SA21654] Debian update for mozilla-thunderbird

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Released: 2006-08-28

Debian has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/21654/

--

[SA21649] Mandriva update for wireshark

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-28

Mandriva has issued an update for wireshark. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21649/

--

[SA21639] Gentoo alsaplayer Multiple Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-28

Gentoo has acknowledged some vulnerabilities in alsaplayer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/21639/

--

[SA21634] Debian update for mozilla

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Released: 2006-08-29

Debian has issued an update for mozilla.
This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/21634/

--

[SA21631] Red Hat update for seamonkey

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Released: 2006-08-28

Red Hat has issued an update for seamonkey. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, disclose sensitive information and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/21631/

--

[SA21700] Mandriva update for sendmail

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-08-31

Mandriva has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21700/

--

[SA21696] Debian update for sendmail

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-08-31

Debian has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21696/

--

[SA21679] Mandriva update for ImageMagick

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-30

Mandriva has issued an update for ImageMagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21679/

--

[SA21671] rPath update for ImageMagick

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-30

rPath has issued an update for ImageMagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21671/

--

[SA21658] Debian update for streamripper

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-28

Debian has issued an update for streamripper. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/21658/

--

[SA21657] Debian update for ruby1.8

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2006-08-28

Debian has issued an update for ruby1.8. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21657/

--

[SA21652] OpenBSD isakmpd IPSec Sequence Number Verification Bypass

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-08-28

A security issue has been reported in OpenBSD, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/21652/

--

[SA21647] Avaya CMS / IR Sun Solaris Sendmail Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-08-30

Avaya has acknowledged a vulnerability in Avaya CMS and IR, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21647/

--

[SA21641] OpenBSD update for sendmail

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-08-28

OpenBSD has issued an update for sendmail.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21641/

--

[SA21637] Sendmail Long Header Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-08-28

A vulnerability has been reported in Sendmail, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21637/

--

[SA21632] Red Hat update for kdegraphics

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-28

Red Hat has issued an update for kdegraphics. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21632/

--

[SA21628] Sun Java System Content Delivery Server Arbitrary File Disclosure

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-25

A vulnerability has been reported in Sun Java System Content Delivery Server, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/21628/

--

[SA21626] Mandriva update for xorg-x11

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-08-25

Mandriva has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21626/

--

[SA21655] OpenBSD update for dhcpd

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-08-28

OpenBSD has issued an update for dhcpd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21655/

--

[SA21629] Gentoo update for heartbeat

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-08-25

Gentoo has issued an update for heartbeat. This fixes some vulnerabilities, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21629/

--

[SA21684] Gentoo update for motor

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-08-30

Gentoo has issued an update for motor. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/21684/

--

[SA21683] Gentoo update for php

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-08-30

Gentoo has issued an update for php. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/21683/

--

[SA21662] Debian update for kdebase

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-08-28

Debian has issued an update for kdebase. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/21662/

--

[SA21660] Gentoo Update for Multiple Packages

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-08-29

Gentoo has issued an update for multiple packages. This fixes some security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/21660/

--

[SA21650] X.Org X11 setuid Security Issues

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-08-29

Some security issues have been reported in X.Org X11, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/21650/

--

[SA21633] Sun Solaris pkgadd Insecure File Permissions

Critical: Less critical
Where: Local system
Impact: Manipulation of data, Privilege escalation
Released: 2006-08-28

A security issue has been reported in Sun Solaris, which can be exploited by malicious, local users to disclose sensitive information or gain escalated privileges.

Full Advisory: http://secunia.com/advisories/21633/

--

[SA21685] rPath update for mysql

Critical: Not critical
Where: From local network
Impact: Security Bypass
Released: 2006-08-30

rPath has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/21685/

--

[SA21627] Mandriva update for MySQL

Critical: Not critical
Where: From local network
Impact: Security Bypass
Released: 2006-08-25

Mandriva has issued an update for MySQL. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/21627/

--

[SA21642] OpenBSD semaphores Denial of Service Vulnerability

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-08-28

A vulnerability has been reported in OpenBSD, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21642/

Other:--

[SA21630] Dell Color Laser Printers Multiple Vulnerabilities

Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2006-08-28

Some vulnerabilities have been reported in various Dell Color Laser Printers, which can be exploited by malicious people to bypass certain security restrictions or to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/21630/

--

[SA21705] OpenVMS Session Control Password Disclosure Security Issue

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-08-31

A security issue has been reported in OpenVMS, which may disclose sensitive information to malicious, local users.

Full Advisory: http://secunia.com/advisories/21705/

--

[SA21646] Avaya Products Perl "PERLIO_DEBUG" Privilege Escalation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-08-28

Avaya has acknowledged some vulnerabilities in perl included in Avaya products, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/21646/

Cross Platform:--

[SA21688] MiniBill "config[include_dir]" Parameter File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-30

the master has discovered a vulnerability in MiniBill, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21688/

--

[SA21681] ExBB Italia "exbb[home_path]" File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-30

SHiKaA has discovered a vulnerability in ExBB Italia, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21681/

--

[SA21676] phpECard "include_path" File Inclusion Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-30

Some vulnerabilities have been discovered in phpECard, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21676/

--

[SA21661] Ay System WCS "path[ShowProcessHandle]" File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-28

SHiKaA has discovered some vulnerabilities in Ay System WCS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21661/

--

[SA21651] AlberT-EasySite "PSA_PATH" File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-28

Kacper has reported a vulnerability in AlberT-EasySite, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21651/

--

[SA21640] Web3news "PHPSECURITYADMIN_PATH" File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-29

SHiKaA has discovered a vulnerability in Web3news, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21640/

--

[SA21636] Joomla Community Builder Component File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-28

Matdhule has reported a vulnerability in the Community Builder component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21636/

--

[SA21624] phpCOIN "_CCFG[_PKG_PATH_INCL]" File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-08-25

Timq has discovered some vulnerabilities in phpCOIN, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21624/

--

[SA21687] phpGroupWare Local File Inclusion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-30

Kacper has discovered a vulnerability in phpGroupWare, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/21687/

--

[SA21667] PmWiki Table Markups Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-08-29

A vulnerability has been reported in PmWiki, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/21667/

--

[SA21666] Joomla! Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting
Released: 2006-08-29

Some vulnerabilities have been reported in Joomla!, where some have unknown impacts, and others can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/21666/

--

[SA21659] CubeCart Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2006-08-31

James Bercegay has discovered some vulnerabilities in CubeCart, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/21659/

--

[SA21643] Xoops "user_avatar" Parameter SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-08-28

Omid has reported a vulnerability in Xoops, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/21643/

--

[SA21625] eFiction Authentication Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-08-28

Vipsta has discovered a vulnerability in eFiction, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/21625/

--

[SA21677] MaxDB WebDBM Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-08-30

Oliver Karow has reported a vulnerability in MaxDB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/21677/

--

[SA21665] Joomla! "id" Parameter SQL Injection Vulnerability

Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-08-28

A vulnerability has been discovered in Joomla!, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/21665/

--

[SA21664] Cybozu Garoon SQL Injection Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-08-28

Tan Chew Keong has reported some vulnerabilities in Cybozu Garoon, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/21664/

--

[SA21663] ModernBill Payment SSL Missing Peer Certificate Verification

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-30

Justin Samuel has reported a security issue in ModernBill, which can be exploited by malicious people to conduct man-in-the-middle (MITM) attacks.

Full Advisory: http://secunia.com/advisories/21663/

--

[SA21656] Cybozu Products Arbitrary File Download Vulnerability

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-08-28

Cybozu has acknowledged a vulnerability in various Cybozu products, which can be exploited by malicious users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/21656/

--

[SA21648] Fotopholder "path" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-08-28

Vampire has discovered a vulnerability in Fotopholder, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/21648/

--

[SA21644] Mambo "id" Parameter SQL Injection Vulnerability

Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-08-28

Omid has discovered a vulnerability in Mambo, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/21644/

--

[SA21635] HLstats Multiple Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-08-29

Some vulnerabilities have been discovered in HLstats, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/21635/

--

[SA21686] xbiff2 Insecure File Permissions

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-08-30

Thomas Wolff has discovered a security issue in xbiff2, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/21686/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@private
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45