[ISN] Secunia Weekly Summary - Issue: 2006-36

From: InfoSec News (alerts@private)
Date: Fri Sep 08 2006 - 01:10:09 PDT


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2006-08-31 - 2006-09-07                        

                       This week: 92 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia Corporate Website has been Released

Learn more about what Secunia can offer you and your company, see and
download detailed product descriptions, and view comprehensive flash
presentations of both our products and corporate profile.

Visit the Secunia Corporate Website:
http://corporate.secunia.com/


Secunia Vulnerability and Advisory Portal has been Updated

Our publicly available Vulnerability and Advisory Portal
secunia.com has been updated with improved accessibility and usability,
enhanced features, and improved search capabilities along with
availability of extensive product reports.

Over the years, the Secunia brand has become synonymous with credible,
accurate, and reliable vulnerability intelligence and our services
are used by more than 5 million unique users every year at secunia.com.

Visit the Secunia Vulnerability and Advisory Portal:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been discovered in Microsoft Word 2000, which can
be exploited by malicious people to compromise a user's system.

The rating of this vulnerability has been subject to some debate in
the medias. Unfortunately, the risk of the malware exploiting the
vulnerability has been compared with the criticality of the
vulnerability.

The risk of the currently known malware is not very high as it is
detected by most anti-virus programs by now and only works against
Word 2000. In turn the propagation has not been very successful.

The vulnerability on the other hand is critical for users with 
vulnerable configurations because the exploit easily can be modified
to bypass detection of most anti-virus programs.

Word / Office documents are generally considered trusted document
types, which many users open on a daily basis as part of their normal
work routines, thus most would not hesitate to open a malicious Word
or Office document.

Normally a vulnerability of this kind would be rated "Highly critical"
by Secunia, but because there is a fully working exploit and no patch
it climbs the scale to our highest rating "Extremely critical".

For further information about our rating systems please view the
following page:
http://secunia.com/about_secunia_advisories/

Additional details about the vulnerability can be found in the
referenced Secunia advisory below.

Reference:
http://secunia.com/SA21735

 --

VIRUS ALERTS:

During the past week Secunia collected 170 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA21735] Microsoft Word 2000 Unspecified Code Execution
              Vulnerability
2.  [SA21672] Sony PSP TIFF Image Viewing Code Execution Vulnerability
3.  [SA21557] Internet Explorer URL Compression Buffer Overflow
4.  [SA21709] OpenSSL RSA Signature Forgery Vulnerability
5.  [SA21690] Webmin / Usermin Cross-Site Scripting and Source Code
              Disclosure
6.  [SA21718] Tumbleweed EMF ZOO Archive Processing Buffer Overflow
7.  [SA21752] ISC BIND Denial of Service Vulnerabilities
8.  [SA21698] Lyris ListManager User Adding Security Bypass
              Vulnerability
9.  [SA21714] Compression Plus ZOO Archive Processing Buffer Overflow
10. [SA21711] Linux Kernel UDF Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA21735] Microsoft Word 2000 Unspecified Code Execution Vulnerability
[SA21795] Ipswitch IMail Server SMTP Service Unspecified Vulnerability
[SA21743] CR64Loader ActiveX Control Buffer Overflow Vulnerability
[SA21718] Tumbleweed EMF ZOO Archive Processing Buffer Overflow
[SA21766] Zix Forum "RepId" SQL Injection Vulnerability
[SA21755] SimpleBlog "id" SQL Injection Vulnerability
[SA21751] Power File Gold Zoo Archive Processing Buffer Overflow
[SA21750] Drag And Zip Zoo Archive Processing Buffer Overflow
[SA21747] Web Dictate Empty Password Authentication Bypass
[SA21741] ICBlogger "yid" SQL Injection Vulnerability
[SA21720] VCOM PowerDesk Pro ZOO Archive Processing Buffer Overflow
[SA21714] Compression Plus ZOO Archive Processing Buffer Overflow
[SA21725] ScatterChat Tor Denial of Service and Traffic Routing
[SA21716] LearnCenter "id" Parameter Cross-Site Scripting
Vulnerability
[SA21782] J. River Media Center Tivo Server Denial of Service
[SA21727] WebAdmin "MDaemon" Account Access Vulnerability
[SA21773] AuditWizard "LaytonCmdSvc.log" Administrator Password
Exposure
[SA21769] Panda Platinum Internet Security Insecure Default Directory
Permissions
[SA21764] AntiVir PersonalEdition "update.exe" Privilege Escalation
[SA21748] TIBCO Rendezvous "rvrd.db" Exposure of User Credentials
[SA21739] AnywhereUSB/5 Software Drivers Denial of Service
Vulnerability
[SA21710] BlackICE PC Protection "NtOpenSection()" Denial of Service

UNIX/Linux:
[SA21749] SUSE Update for Multiple Packages
[SA21726] Capi4Hylafax Shell Command Injection
[SA21722] Debian update for capi4hylafax
[SA21801] Gentoo update for streamripper
[SA21800] Gentoo update for gtetrinet
[SA21799] Gentoo update for openttd
[SA21798] Gentoo update for libXfont
[SA21793] Ubuntu update for xorg / libxfont
[SA21792] Red Hat update for mailman
[SA21790] IBM AIX update for bind
[SA21786] FreeBSD update for bind
[SA21780] Ubuntu update for imagemagick
[SA21759] Debian update for cheesetracker
[SA21757] MySource Classic Equation Attribute PHP Code Injection
[SA21732] Mailman Multiple Vulnerabilities
[SA21731] OpenBSD update for sppp
[SA21719] Debian update for imagemagick
[SA21797] Debian update for gcc-3.4
[SA21791] Red Hat update for openssl
[SA21785] FreeBSD update for openssl
[SA21778] Mandriva update for openssl
[SA21776] Ubuntu update for openssl
[SA21767] rPath update for openssl
[SA21744] Debian update for apache
[SA21721] OpenLDAP slapd "selfwrite" Security Issue
[SA21713] GDB "DWARF" Buffer Overflow Vulnerabilities
[SA21770] Ubuntu update for mysql-dfsg-5.0
[SA21762] Debian update for mysql-dfsg-4.1
[SA21712] Mandriva update for MySQL
[SA21711] Linux Kernel UDF Denial of Service Vulnerability

Other:
[SA21723] Avaya Products PHP Multiple Vulnerabilities
[SA21783] Cisco IOS GRE Decapsulation Vulnerability
[SA21717] Avaya Products elfutils Vulnerability
[SA21724] Avaya Products OpenSSH Shell Command Injection and Security
Bypass
[SA21788] Canon imageRUNNER Products Exposure of User Credentials

Cross Platform:
[SA21806] Beautifier "BEAUT_PATH" Parameter File Inclusion
Vulnerability
[SA21805] phpFullAnnu "repmod" File Inclusion Vulnerability
[SA21804] BP News "bnrep" File Inclusion Vulnerability
[SA21803] phpBB Premod Shadow "phpbb_root_path" File Inclusion
[SA21784] Akarru Social BookMarking Engine "bm_content" File Inclusion
[SA21777] MySpeach "my_ms[root]" Parameter File Inclusion
Vulnerability
[SA21775] GrapAgenda "page" File Inclusion Vulnerability
[SA21772] annoncesV "page" Parameter File Inclusion Vulnerability
[SA21765] ACGV News "PathNews" File Inclusion Vulnerabilities
[SA21760] Sponge News "sndir" File Inclusion Vulnerability
[SA21758] C-News "path" File Inclusion Vulnerabilities
[SA21756] FlashChat "dir[inc]" File Inclusion Vulnerabilities
[SA21746] MyBace Light Skript File Inclusion Vulnerabilities
[SA21738] php-revista Multiple Vulnerabilities
[SA21733] TikiWiki jhot.php File Upload Vulnerability
[SA21729] dyncms "x_admindir" File Inclusion Vulnerability
[SA21715] Membrepass Multiple Vulnerabilities
[SA21789] PhpLeague "id_joueur" SQL Injection Vulnerability
[SA21774] php download script "file" Parameter Directory Traversal
[SA21761] SoftBB SQL and PHP Code Injection Vulnerabilities
[SA21754] Tr Forum SQL Injection and Security Bypass Vulnerabilities
[SA21752] ISC BIND Denial of Service Vulnerabilities
[SA21745] Avaya Products Linux Kernel Multiple Vulnerabilities
[SA21737] Autentificator "user" SQL Injection Vulnerability
[SA21736] ssLinks "id" SQL Injection Vulnerabilities
[SA21734] Annuaire 1Two "id" Parameter SQL Injection Vulnerability
[SA21728] vtiger CRM Script Insertion and Administrative Modules
Access
[SA21787] Attachment Mod Attachment Script Insertion Vulnerability
[SA21781] VCD-db Comments Script Insertion Vulnerability
[SA21779] Drupal Pathauto Module Cross-Site Scripting Vulnerability
[SA21753] PhpCommander "Directory" Local File Inclusion Vulnerability
[SA21742] microforum "members.dat" Exposure of User Credentials
[SA21740] Simple Machines Forum "cur_cat" SQL Injection Vulnerability
[SA21730] PHP iAddressBook Script Insertion Vulnerability
[SA21709] OpenSSL RSA Signature Forgery Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA21735] Microsoft Word 2000 Unspecified Code Execution Vulnerability

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2006-09-05

A vulnerability has been discovered in Microsoft Word 2000, which can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/21735/

 --

[SA21795] Ipswitch IMail Server SMTP Service Unspecified Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

A vulnerability has been reported in IMail Server, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21795/

 --

[SA21743] CR64Loader ActiveX Control Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

CERT/CC has reported a vulnerability in CR64Loader ActiveX Control,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/21743/

 --

[SA21718] Tumbleweed EMF ZOO Archive Processing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-01

A vulnerability has been reported in Tumbleweed EMF, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21718/

 --

[SA21766] Zix Forum "RepId" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-06

Chironex Fleckeri has discovered a vulnerability in Zix Forum, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21766/

 --

[SA21755] SimpleBlog "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-05

Vipsta and MurderSkillz have discovered a vulnerability in SimpleBlog,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/21755/

 --

[SA21751] Power File Gold Zoo Archive Processing Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

A vulnerability has been discovered in Power File Gold, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/21751/

 --

[SA21750] Drag And Zip Zoo Archive Processing Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

A vulnerability has been discovered in Drag And Zip, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/21750/

 --

[SA21747] Web Dictate Empty Password Authentication Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-05

Revnic Vasile has discovered a vulnerability in Web Dictate, which can
be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/21747/

 --

[SA21741] ICBlogger "yid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-04

Chironex Fleckeri has reported a vulnerability in ICBlogger, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21741/

 --

[SA21720] VCOM PowerDesk Pro ZOO Archive Processing Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

A vulnerability has been discovered in PowerDesk Pro, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/21720/

 --

[SA21714] Compression Plus ZOO Archive Processing Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-09-01

A vulnerability has been reported in Compression Plus, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21714/

 --

[SA21725] ScatterChat Tor Denial of Service and Traffic Routing

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2006-09-04

A vulnerability and a weakness have been reported in ScatterChat, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21725/

 --

[SA21716] LearnCenter "id" Parameter Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-09-01

Crack_man has reported a vulnerability in LearnCenter, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/21716/

 --

[SA21782] J. River Media Center Tivo Server Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-09-07

n00b has discovered a vulnerability in J. River Media Center, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/21782/

 --

[SA21727] WebAdmin "MDaemon" Account Access Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-09-05

TTG has reported a vulnerability in WebAdmin, which can be exploited by
certain malicious users to disclose sensitive information and bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21727/

 --

[SA21773] AuditWizard "LaytonCmdSvc.log" Administrator Password
Exposure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-09-07

Terry Donaldson has reported a security issue in AuditWizard, which can
be exploited by malicious, local users to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/21773/

 --

[SA21769] Panda Platinum Internet Security Insecure Default Directory
Permissions

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-09-07

3APA3A has discovered a security issue in Panda Platinum Internet
Security, which can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/21769/

 --

[SA21764] AntiVir PersonalEdition "update.exe" Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-09-07

rugginello has discovered a vulnerability in AntiVir PersonalEdition,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/21764/

 --

[SA21748] TIBCO Rendezvous "rvrd.db" Exposure of User Credentials

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-09-07

Andres Tarasco Acuña has reported a security issue in TIBCO Rendezvous,
which can be exploited by malicious, local users to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/21748/

 --

[SA21739] AnywhereUSB/5 Software Drivers Denial of Service
Vulnerability

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2006-09-04

Safend has reported a vulnerability in AnywhereUSB/5 Software Drivers,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21739/

 --

[SA21710] BlackICE PC Protection "NtOpenSection()" Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-09-01

David Matousek has discovered a vulnerability in BlackICE PC
Protection, which can be exploited by malicious, local users to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/21710/


UNIX/Linux:--

[SA21749] SUSE Update for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, DoS, System access
Released:    2006-09-04

SUSE has issued an update for multiple packages. These fix some
vulnerabilities, which can be exploited by malicious users to bypass
certain security restrictions, or by malicious people to conduct SQL
injections attacks, cause a DoS (Denial of Service), bypass certain
security restrictions, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21749/

 --

[SA21726] Capi4Hylafax Shell Command Injection

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-01

A vulnerability has been reported in Capi4Hylafax, which potentially
can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/21726/

 --

[SA21722] Debian update for capi4hylafax

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-01

Debian has issued an advisory for capi4hylafax. This fixes a
vulnerability, which potentially can be exploited by malicious people
to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21722/

 --

[SA21801] Gentoo update for streamripper

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-07

Gentoo has issued an update for streamripper. This fixes a
vulnerability, which potentially can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/21801/

 --

[SA21800] Gentoo update for gtetrinet

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

Gentoo has issued an update for gtetrinet. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/21800/

 --

[SA21799] Gentoo update for openttd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-09-07

Gentoo has issued an update for openttd. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21799/

 --

[SA21798] Gentoo update for libXfont

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-07

Gentoo has issued an update for libXfont. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/21798/

 --

[SA21793] Ubuntu update for xorg / libxfont

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-07

Ubuntu has issued an update for xorg / libxfont. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/21793/

 --

[SA21792] Red Hat update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, DoS
Released:    2006-09-07

Red Hat has issued an update for mailman. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, and cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21792/

 --

[SA21790] IBM AIX update for bind

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-09-07

IBM has acknowledged a vulnerability in bind, which potentially can be
exploited by malicious people to cause a Denial of Service.

Full Advisory:
http://secunia.com/advisories/21790/

 --

[SA21786] FreeBSD update for bind

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-09-07

FreeBSD has issued an update for bind. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21786/

 --

[SA21780] Ubuntu update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-06

Ubuntu has issued an update for imagemagick. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21780/

 --

[SA21759] Debian update for cheesetracker

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-04

Debian has issued an update for cheesetracker. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21759/

 --

[SA21757] MySource Classic Equation Attribute PHP Code Injection

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

A vulnerability has been reported in MySource Classic, which can be
exploited by certain malicious users to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/21757/

 --

[SA21732] Mailman Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, DoS
Released:    2006-09-04

Some vulnerabilities have been reported in Mailman, which can be
exploited by malicious people to conduct cross-site scripting and
phishing attacks, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/21732/

 --

[SA21731] OpenBSD update for sppp

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-09-04

OpenBSD has issued an update for sppp. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21731/

 --

[SA21719] Debian update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-05

Debian has issued an update for imagemagick. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/21719/

 --

[SA21797] Debian update for gcc-3.4

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

Debian has issued an update for gcc-3.4. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/21797/

 --

[SA21791] Red Hat update for openssl

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-07

Red Hat has issued an update for openssl. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/21791/

 --

[SA21785] FreeBSD update for openssl

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-07

FreeBSD has issued an update for openssl. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/21785/

 --

[SA21778] Mandriva update for openssl

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-07

Mandriva has issued an update for openssl. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/21778/

 --

[SA21776] Ubuntu update for openssl

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-06

Ubuntu has issued an update for openssl. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/21776/

 --

[SA21767] rPath update for openssl

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-06

rPath has issued an update for openssl. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21767/

 --

[SA21744] Debian update for apache

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-09-05

Debian has issued an update for apache. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/21744/

 --

[SA21721] OpenLDAP slapd "selfwrite" Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-04

Howard Chu has reported a security issue in OpenLDAP, which can be
exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21721/

 --

[SA21713] GDB "DWARF" Buffer Overflow Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-09-01

Will Drewry has reported some vulnerabilities in GDB, which potentially
can be exploited by malicious, local users to gain escalated privileges
or malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21713/

 --

[SA21770] Ubuntu update for mysql-dfsg-5.0

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Privilege escalation
Released:    2006-09-06

Ubuntu has issued an update for mysql-dfsg-5.0. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions and perform certain actions with
escalated privileges.

Full Advisory:
http://secunia.com/advisories/21770/

 --

[SA21762] Debian update for mysql-dfsg-4.1

Critical:    Not critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2006-09-05

Debian has issued an update for mysql-dfsg-4.1. This fixes some
vulnerabilities, which can be exploited by malicious users to bypass
certain security restrictions or to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/21762/

 --

[SA21712] Mandriva update for MySQL

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2006-09-01

Mandriva has issued an update for MySQL. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21712/

 --

[SA21711] Linux Kernel UDF Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-09-01

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious. local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/21711/


Other:--

[SA21723] Avaya Products PHP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Security Bypass, System access
Released:    2006-09-01

Avaya has acknowledged some vulnerabilities in PHP included in various
Avaya products, which can be exploited by malicious, local users to
bypass certain security restrictions and by malicious people to
potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21723/

 --

[SA21783] Cisco IOS GRE Decapsulation Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-09-07

FX has reported a vulnerability in Cisco IOS, which can be exploited by
malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21783/

 --

[SA21717] Avaya Products elfutils Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-09-01

Avaya has acknowledged a vulnerability in elfutils included in various
Avaya products, which potentially can be exploited by malicious, local
users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/21717/

 --

[SA21724] Avaya Products OpenSSH Shell Command Injection and Security
Bypass

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2006-09-01

Avaya has acknowledged a vulnerability and a weakness in OpenSSH
included in various Avaya products, which potentially can be exploited
by malicious, local users to perform certain actions with escalated
privileges and by malicious users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/21724/

 --

[SA21788] Canon imageRUNNER Products Exposure of User Credentials

Critical:    Not critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-09-07

GR has reported a security issue in various Canon imageRUNNER products,
which can be exploited by certain malicious users to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/21788/


Cross Platform:--

[SA21806] Beautifier "BEAUT_PATH" Parameter File Inclusion
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

the master has discovered a vulnerability in Beautifier, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21806/

 --

[SA21805] phpFullAnnu "repmod" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

SHiKaA has reported a vulnerability in phpFullAnnu, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21805/

 --

[SA21804] BP News "bnrep" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

SHiKaA has reported a vulnerability in BP News, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21804/

 --

[SA21803] phpBB Premod Shadow "phpbb_root_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

Kw3[R]Ln has discovered a vulnerability in phpBB Premod Shadow, which
can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/21803/

 --

[SA21784] Akarru Social BookMarking Engine "bm_content" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-07

ERNE has discovered a vulnerability in Akarru Social BookMarking
Engine, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/21784/

 --

[SA21777] MySpeach "my_ms[root]" Parameter File Inclusion
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

SHiKaA has discovered a vulnerability in MySpeach, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21777/

 --

[SA21775] GrapAgenda "page" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

botan has discovered a vulnerability in GrapAgenda, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21775/

 --

[SA21772] annoncesV "page" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

botan has discovered a vulnerability in annoncesV, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21772/

 --

[SA21765] ACGV News "PathNews" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

Some vulnerabilities have been reported in ACGV News, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21765/

 --

[SA21760] Sponge News "sndir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

SHiKaA has reported a vulnerability in Sponge News, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21760/

 --

[SA21758] C-News "path" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-06

Some vulnerabilities have been reported in C-News, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21758/

 --

[SA21756] FlashChat "dir[inc]" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

NeXtMaN has reported some vulnerabilities in FlashChat, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21756/

 --

[SA21746] MyBace Light Skript File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

Philipp Niedziela has discovered some vulnerabilities in MyBace Light,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/21746/

 --

[SA21738] php-revista Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data, System access
Released:    2006-09-04

Sirdarckcat has reported some vulnerabilities in php-revista, which can
be exploited by malicious people to conduct cross-site scripting and SQL
injection attacks, bypass certain security restrictions, and compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21738/

 --

[SA21733] TikiWiki jhot.php File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

rgod has discovered a vulnerability in TikiWiki, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21733/

 --

[SA21729] dyncms "x_admindir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-09-04

SHiKaA has reported a vulnerability in dyncms, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21729/

 --

[SA21715] Membrepass Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2006-09-01

DarkFig has discovered some vulnerabilities in Membrepass, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks, and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21715/

 --

[SA21789] PhpLeague "id_joueur" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-07

DrEiNsTeIn has discovered a vulnerability in PhpLeague, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21789/

 --

[SA21774] php download script "file" Parameter Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-06

s3rv3r_hack3r has discovered a vulnerability in php download script,
which can be exploited by malicious people to manipulate sensitive
information.

Full Advisory:
http://secunia.com/advisories/21774/

 --

[SA21761] SoftBB SQL and PHP Code Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-09-06

DarkFig has reported some vulnerabilities in SoftBB, which can be
exploited by malicious people to conduct SQL injection attacks or
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/21761/

 --

[SA21754] Tr Forum SQL Injection and Security Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-09-05

DarkFig has discovered some vulnerabilities in Tr Forum, which can be
exploited by malicious people to conduct SQL injection attacks and
bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21754/

 --

[SA21752] ISC BIND Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-09-06

Some vulnerabilities have been reported in BIND, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/21752/

 --

[SA21745] Avaya Products Linux Kernel Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2006-09-04

Avaya has acknowledged some vulnerabilities in the Linux Kernel
included in various Avaya products, which can be exploited by
malicious, local users and by malicious people to bypass certain
security restrictions and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/21745/

 --

[SA21737] Autentificator "user" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-04

Sirdarckcat has discovered a vulnerability in Autenticator, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21737/

 --

[SA21736] ssLinks "id" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-04

Sirdarckcat has discovered some vulnerabilities in ssLinks, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21736/

 --

[SA21734] Annuaire 1Two "id" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-04

DarkFig has discovered a vulnerability in Annuaire 1Two, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21734/

 --

[SA21728] vtiger CRM Script Insertion and Administrative Modules
Access

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-09-04

Ivan Markovic has discovered some vulnerabilities in vtiger CRM, which
can be exploited by malicious people to conduct script insertion
attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21728/

 --

[SA21787] Attachment Mod Attachment Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-09-07

A vulnerability has been reported in the Attachment Mod module for
phpBB, which can be exploited by malicious people to conduct script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/21787/

 --

[SA21781] VCD-db Comments Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-09-06

Some vulnerabilities have been reported in VCD-db, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/21781/

 --

[SA21779] Drupal Pathauto Module Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-09-06

A vulnerability has been reported in the Pathauto module for Drupal,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/21779/

 --

[SA21753] PhpCommander "Directory" Local File Inclusion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-09-06

Kacper has discovered a vulnerability in PhpCommander, which can be
exploited by malicious users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/21753/

 --

[SA21742] microforum "members.dat" Exposure of User Credentials

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-09-04

DarkFig has discovered a security issue in microforum, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/21742/

 --

[SA21740] Simple Machines Forum "cur_cat" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-09-04

Omid has discovered a vulnerability in Simple Machines Forum, which can
be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/21740/

 --

[SA21730] PHP iAddressBook Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-09-04

A vulnerability has been reported in PHP iAddressBook, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/21730/

 --

[SA21709] OpenSSL RSA Signature Forgery Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-09-05

A vulnerability has been reported in OpenSSL, which potentially can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/21709/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support@private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45



_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Fri Sep 08 2006 - 01:35:11 PDT