========================================================================
The Secunia Weekly Advisory Summary
2006-09-14 - 2006-09-21
This week: 82 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
Secunia Corporate Website has been Released
Learn more about what Secunia can offer you and your company, see and
download detailed product descriptions, and view comprehensive flash
presentations of both our products and corporate profile.
Visit the Secunia Corporate Website:
http://corporate.secunia.com/
Secunia Vulnerability and Advisory Portal has been Updated
Our publicly available Vulnerability and Advisory Portal
secunia.com has been updated with improved accessibility and usability,
enhanced features, and improved search capabilities along with
availability of extensive product reports.
Over the years, the Secunia brand has become synonymous with credible,
accurate, and reliable vulnerability intelligence and our services
are used by more than 5 million unique users every year at secunia.com.
Visit the Secunia Vulnerability and Advisory Portal:
http://secunia.com/
========================================================================
2) This Week in Brief:
A new vulnerability has been identified in Internet Explorer.
The vulnerability is caused due to a boundary error in the Microsoft
Vector Graphics Rendering(VML) library (vgx.dll) when processing
certain content in Vector Markup Language (VML) documents and can be
exploited to compromise a vulnerable system.
Additional details about the vulnerability can be found in the
referenced Secunia advisory below.
Reference:
http://secunia.com/SA2189
--
VIRUS ALERTS:
During the past week Secunia collected 199 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Weeks Top Ten Most Read Advisories:
1. [SA21910] Internet Explorer daxctle.ocx "KeyFrame()" Method
Vulnerability
2. [SA21906] Mozilla Firefox Multiple Vulnerabilities
3. [SA21989] Microsoft Vector Graphics Rendering Library Buffer
Overflow
4. [SA21982] Opera SSL RSA Signature Forgery Vulnerability
5. [SA21893] Apple QuickTime Multiple Vulnerabilities
6. [SA21884] Symantec Products Alert Notification Two Vulnerabilities
7. [SA21978] Microsoft PowerPoint Unspecified Code Execution
Vulnerability
8. [SA21938] Symantec Norton Personal Firewall Denial of Service
9. [SA21950] rPath updates for firefox and thunderbird
10. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA21989] Microsoft Vector Graphics Rendering Library Buffer Overflow
[SA21978] Microsoft PowerPoint Unspecified Code Execution
Vulnerability
[SA21959] Easy Address Book Web Server Format String Vulnerability
[SA22013] ECardPro "keyword" SQL Injection Vulnerability
[SA22008] Tekman Portal "uye_id" Parameter SQL Injection Vulnerability
[SA22006] EShoppingPro "order" Parameter SQL Injection Vulnerability
[SA21998] MailEnable SPF Lookup Denial of Service
[SA21987] Charon Cart "ProductID" Parameter SQL Injection
[SA21980] ClickBlog Login SQL Injection Vulnerabilities
[SA21977] Techno Dreams FAQ Manager Package "key" SQL Injection
[SA21976] Techno Dreams Articles & Papers Package "key" SQL Injection
[SA21960] HaberX "id" SQL Injection Vulnerability
[SA22051] DotNetNuke "error" Parameter Cross-Site Scripting
Vulnerability
[SA21995] FeedDemon Atom Feed Script Insertion Vulnerabilities
[SA21994] RssReader Feed Script Insertion Vulnerabilities
[SA21963] SharpReader Feed Script Insertion Vulnerabilities
UNIX/Linux:
[SA22036] SGI Advanced Linux Environment Multiple Updates
[SA22018] Debian update for alsaplayer
[SA22043] Mandriva update for gzip
[SA22034] Debian update for gzip
[SA22033] Slackware update for gzip
[SA22020] Gentoo update for mailman
[SA22017] Red Hat update for gzip
[SA22012] rPath update for gzip
[SA22011] Mandriva update for mailman
[SA22009] Ubuntu update for gzip
[SA22002] FreeBSD update for gzip
[SA21985] Debian update for bomberclone
[SA21954] Trustix Updates for Multiple Packages
[SA21953] Debian update for zope2.7
[SA22049] Mandriva update for gnutls
[SA21986] Avaya Products Apache "Expect" Header Cross-Site Scripting
[SA21983] Avaya Products Linux Kernel Multiple Vulnerabilities
[SA21973] Ubuntu update for gnutls
[SA21993] Avaya CMS Sun Solaris libX11 Buffer Overflow
[SA21967] Ubuntu update for kernel
[SA21966] Avaya Modular Messaging Linux Kernel "prctl" Privilege
Escalation
[SA22016] OSU HTTP Server System Information Disclosure Weaknesses
[SA21981] Debian update for usermin
[SA22010] Avaya PDS ARPA Transport Software Denial of Service
[SA21999] Linux Kernel ELF Cross-Region Mapping Denial of Service
[SA21984] Avaya PDS HP-UX Trusted Mode Denial of Service Vulnerability
[SA21968] Usermin "shell" Denial of Service Vulnerability
Other:
[SA22022] Cisco Intrusion Prevention System Fragmented IP Packets
Security Bypass
[SA21974] Cisco IOS DOCSIS Community String Vulnerability
[SA21962] Cisco Guard "meta-refresh" Cross-Site Scripting
Vulnerability
[SA22046] Cisco Intrusion Detection / Prevention System "SSL Hello"
Denial of Service
Cross Platform:
[SA22031] Php Blue Dragon CMS Multiple Vulnerabilities
[SA22029] Neon WebMail for Java Multiple Vulnerabilities
[SA22026] DigitalWebShop "_PHPLIB[libdir]" File Inclusion
Vulnerability
[SA22024] BCWB "root_path" File Inclusion Vulnerability
[SA22019] Dr.Web LHA Directory Name Buffer Overflow
[SA22015] PHPQuiz Multiple Vulnerabilities
[SA22005] Qualiteam X-Cart cmpi.php Variable Overwriting Vulnerability
[SA21990] Simple Discussion Board Remote File Inclusion
Vulnerabilities
[SA21975] Site@School Multiple Vulnerabilities
[SA21971] ReviewPost PHP Pro "RP_PATH" File Inclusion Vulnerability
[SA21970] phpBB XS "phpbb_root_path" File Inclusion Vulnerability
[SA21965] BolinOS "gBRootPath" File Inclusion Vulnerability
[SA21957] Unak-CMS "dirroot" Parameter File Inclusion Vulnerabilities
[SA21955] aeDating "dir[inc]" File Inclusion Vulnerabilities
[SA21951] MobilePublisherPHP "abspath" Parameter File Inclusion
[SA22038] A.l-Pifou "ze_langue_02" Parameter Local File Inclusion
[SA22021] Drupal Search Keywords Module Script Insertion
[SA22014] PHP-Post Multiple Vulnerabilities
[SA22003] Exponent CMS "view" Local File Inclusion Vulnerability
[SA21997] Amazing Little Poll "lp_settings.inc" Password Disclosure
[SA21996] gzip Multiple Vulnerabilities
[SA21991] MyReview "email" Parameter SQL Injection Vulnerability
[SA21988] CMtextS admin.txt Password Disclosure
[SA21964] Roller Weblogger Script Insertion Vulnerabilities
[SA21961] AlstraSoft E-Friends "lang" Local File Inclusion
Vulnerability
[SA21958] RSSOwl Atom Feed Script Insertion Vulnerabilities
[SA21956] Gnuturk Portal "t_id" Parameter SQL Injection Vulnerability
[SA22050] MAXdev MD-Pro Cross-Site Scripting Vulnerability
[SA22035] Drupal Site Profile Directory Module Cross-Site Scripting
[SA22030] NextAge Cart "CatId" and "SearchWd" Cross-Site Scripting
[SA22028] PT News "pgname" Cross-Site Scripting Vulnerability
[SA22007] more.groupware "new_calendarid" SQL Injection Vulnerability
[SA21982] Opera SSL RSA Signature Forgery Vulnerability
[SA21979] eSyndiCat Directory Software "what" Cross-Site Scripting
[SA21972] MyBB Cross-Site Scripting Vulnerabilities
========================================================================
5) Vulnerabilities Content Listing
Windows:--
[SA21989] Microsoft Vector Graphics Rendering Library Buffer Overflow
Critical: Extremely critical
Where: From remote
Impact: System access
Released: 2006-09-19
A vulnerability has been discovered in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/21989/
--
[SA21978] Microsoft PowerPoint Unspecified Code Execution
Vulnerability
Critical: Extremely critical
Where: From remote
Impact: System access
Released: 2006-09-19
NOTE: This advisory has been revoked. The information in this
particular advisory was based on a claim made by Symantec. Symantec
erroneously concluded that this was a previously undocumented and
unpatched vulnerability. This conclusion was posted in their Symantec
Security Response Weblog.
Full Advisory:
http://secunia.com/advisories/21978/
--
[SA21959] Easy Address Book Web Server Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-18
Revnic Vasile has discovered a vulnerability in Easy Address Book Web
Server, which potentially can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21959/
--
[SA22013] ECardPro "keyword" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-19
ajann has reported a vulnerability in ECardPro, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/22013/
--
[SA22008] Tekman Portal "uye_id" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-20
Fix TR has discovered a vulnerability in Tekman Portal, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/22008/
--
[SA22006] EShoppingPro "order" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-19
ajann has reported a vulnerability in EShoppingPro, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/22006/
--
[SA21998] MailEnable SPF Lookup Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-09-18
A vulnerability has been reported in MailEnable, which can be exploited
by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/21998/
--
[SA21987] Charon Cart "ProductID" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-19
ajann has reported a vulnerability in Charon Cart, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/21987/
--
[SA21980] ClickBlog Login SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-09-18
ajann has reported some vulnerabilities in ClickBlog, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/21980/
--
[SA21977] Techno Dreams FAQ Manager Package "key" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-19
ajann has reported a vulnerability in Techno Dreams FAQ Manager
Package, which can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/21977/
--
[SA21976] Techno Dreams Articles & Papers Package "key" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-19
ajann has reported a vulnerability in Techno Dreams Articles & Papers
Package, which can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/21976/
--
[SA21960] HaberX "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-18
Fix TR has discovered a vulnerability in HaberX, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/21960/
--
[SA22051] DotNetNuke "error" Parameter Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-21
Secure Shapes has reported a vulnerability in DotNetNuke, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/22051/
--
[SA21995] FeedDemon Atom Feed Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-19
SPI Dynamics have reported some vulnerabilities in FeedDemon, which can
be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/21995/
--
[SA21994] RssReader Feed Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
SPI Dynamics has reported some vulnerabilities in RssReader, which can
be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/21994/
--
[SA21963] SharpReader Feed Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
SPI Dynamics has reported some vulnerabilities in SharpReader, which
can be exploited by malicious people to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/21963/
UNIX/Linux:--
[SA22036] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, DoS, System access
Released: 2006-09-20
SGI has issued a patch for SGI Advanced Linux Environment. This fixes
some vulnerabilities, which can be exploited by malicious people to
bypass certain security restrictions, conduct spoofing attacks, cause a
DoS (Denial of Service), and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/22036/
--
[SA22018] Debian update for alsaplayer
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-19
Debian has issued an update for alsaplayer. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/22018/
--
[SA22043] Mandriva update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-21
Mandriva has issued an update for gzip. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/22043/
--
[SA22034] Debian update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
Debian has issued an updated for gzip. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22034/
--
[SA22033] Slackware update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
Slackware has issued an update for gzip. This fixes some
vulnerabilities, which can be exploited by malicious poeple to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/22033/
--
[SA22020] Gentoo update for mailman
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, DoS
Released: 2006-09-19
Gentoo has issued an update for mailman. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting or spoofing attacks, and cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/22020/
--
[SA22017] Red Hat update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
Red Hat has issued an update for gzip. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22017/
--
[SA22012] rPath update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
rPath has issued an update for gzip. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22012/
--
[SA22011] Mandriva update for mailman
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, DoS
Released: 2006-09-19
Mandriva has issued an update for mailman. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and phishing attacks, and cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/22011/
--
[SA22009] Ubuntu update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
Ubuntu has issued an update for gzip. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22009/
--
[SA22002] FreeBSD update for gzip
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
FreeBSD has issued an update for gzip. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22002/
--
[SA21985] Debian update for bomberclone
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, DoS
Released: 2006-09-20
Debian has issued an update for bomberclone. This fixes some
vulnerabilities, which can be exploited by malicious people to gain
knowledge of system information or cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/21985/
--
[SA21954] Trustix Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2006-09-18
Trustix has issued updates for multiple packages. These fix some
vulnerabilities, which can be exploited by malicious, local users or by
malicious people to disclose potentially sensitive information, bypass
certain security restrictions, and cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/21954/
--
[SA21953] Debian update for zope2.7
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-09-18
Debian has issued an update for zope2.7. This fixes a vulnerability,
which can be exploited by malicious people to disclose potentially
sensitive information.
Full Advisory:
http://secunia.com/advisories/21953/
--
[SA22049] Mandriva update for gnutls
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-09-21
Mandriva has issued an update for gnutls. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/22049/
--
[SA21986] Avaya Products Apache "Expect" Header Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-19
Avaya has acknowledged a vulnerability in various Avaya products, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/21986/
--
[SA21983] Avaya Products Linux Kernel Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure
of sensitive information, DoS
Released: 2006-09-18
Avaya has acknowledged some vulnerabilities in the Linux Kernel
included in various Avaya products, which can be exploited by
malicious, local users to gain knowledge of system or potentially
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), or by malicious people to cause a DoS.
Full Advisory:
http://secunia.com/advisories/21983/
--
[SA21973] Ubuntu update for gnutls
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-09-19
Ubuntu has issued an update for gnutls. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/21973/
--
[SA21993] Avaya CMS Sun Solaris libX11 Buffer Overflow
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-09-19
Avaya has acknowledged a vulnerability in Avaya Call Management System,
which can be exploited by malicious, local users to gain escalated
privileges.
Full Advisory:
http://secunia.com/advisories/21993/
--
[SA21967] Ubuntu update for kernel
Critical: Less critical
Where: Local system
Impact: DoS
Released: 2006-09-19
Ubuntu has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/21967/
--
[SA21966] Avaya Modular Messaging Linux Kernel "prctl" Privilege
Escalation
Critical: Less critical
Where: Local system
Impact: Security Bypass, Privilege escalation
Released: 2006-09-18
Avaya has acknowledged a vulnerability in the Linux Kernel included in
Avaya Modular Messaging, which can be exploited by malicious, local
users to bypass certain security restrictions or potentially gain
escalated privileges.
Full Advisory:
http://secunia.com/advisories/21966/
--
[SA22016] OSU HTTP Server System Information Disclosure Weaknesses
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2006-09-20
Two weaknesses have been reported in OSU HTTP Server, which can be
exploited by malicious people to disclose system information.
Full Advisory:
http://secunia.com/advisories/22016/
--
[SA21981] Debian update for usermin
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-09-18
Debian has issued an update for usermin. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/21981/
--
[SA22010] Avaya PDS ARPA Transport Software Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-09-19
Avaya has acknowledged a vulnerability in Avaya Predictive Dialing
System (PDS), which potentially can be exploited by a malicious, local
user to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/22010/
--
[SA21999] Linux Kernel ELF Cross-Region Mapping Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-09-18
A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/21999/
--
[SA21984] Avaya PDS HP-UX Trusted Mode Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-09-18
Avaya has acknowledged a vulnerability in Avaya Predictive Dialing
System (PDS), which potentially can be exploited by malicious, local
users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/21984/
--
[SA21968] Usermin "shell" Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-09-18
Hendrik Weimer has discovered a vulnerability in Usermin, which can be
exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/21968/
Other:--
[SA22022] Cisco Intrusion Prevention System Fragmented IP Packets
Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-09-21
A vulnerability has been reported in Cisco Intrusion Prevention System,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/22022/
--
[SA21974] Cisco IOS DOCSIS Community String Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-09-21
A vulnerability has been reported in Cisco IOS, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21974/
--
[SA21962] Cisco Guard "meta-refresh" Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-21
A vulnerability has been reported in Cisco Guard, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/21962/
--
[SA22046] Cisco Intrusion Detection / Prevention System "SSL Hello"
Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-09-21
A vulnerability has been reported in Cisco Intrusion Detection System
and Cisco Intrusion Prevention System, which can be exploited by
malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/22046/
Cross Platform:--
[SA22031] Php Blue Dragon CMS Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2006-09-21
Kacper has discovered some vulnerabilities in Php Blue Dragon CMS,
which can be exploited by malicious people to conduct cross-site
scripting and SQL injection attacks, and compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/22031/
--
[SA22029] Neon WebMail for Java Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
sensitive information, System access
Released: 2006-09-21
Tan Chew Keong has reported some vulnerabilities in Neon WebMail for
Java, which can be exploited by malicious users to manipulate and
disclose sensitive information, and conduct script insertion and SQL
injection attacks, and by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/22029/
--
[SA22026] DigitalWebShop "_PHPLIB[libdir]" File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-20
ajann has reported a vulnerability in DigitalWebShop, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22026/
--
[SA22024] BCWB "root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-20
ajann has discovered a vulnerability in BCWB, which can be exploited by
malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22024/
--
[SA22019] Dr.Web LHA Directory Name Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
Jean-Sébastien Guay-Leroux has reported a vulnerability in Dr.Web,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22019/
--
[SA22015] PHPQuiz Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-09-19
Simo64 has discovered some vulnerabilities in PHPQuiz, which can be
exploited by malicious people to conduct SQL injection attacks and
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22015/
--
[SA22005] Qualiteam X-Cart cmpi.php Variable Overwriting Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-19
James Bercegay has reported a vulnerability in Qualiteam X-Cart, which
can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/22005/
--
[SA21990] Simple Discussion Board Remote File Inclusion
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-21
CeNGiZ-HaN has discovered some vulnerabilities in Simple Discussion
Board, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/21990/
--
[SA21975] Site@School Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-09-18
Simo64 has discovered some vulnerabilities in Site@School, which can be
exploited by malicious users to disclose certain sensitive information
and by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21975/
--
[SA21971] ReviewPost PHP Pro "RP_PATH" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-18
home_edition_2001 has reported a vulnerability in ReviewPost PHP Pro,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/21971/
--
[SA21970] phpBB XS "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-18
NoGe has discovered a vulnerability in phpBB XS, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21970/
--
[SA21965] BolinOS "gBRootPath" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-18
xoron has discovered a vulnerability in BolinOS, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21965/
--
[SA21957] Unak-CMS "dirroot" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-18
SHiKaA has discovered two vulnerabilities in Unak-CMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21957/
--
[SA21955] aeDating "dir[inc]" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-18
NeXtMaN has reported some vulnerabilities in aeDating, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21955/
--
[SA21951] MobilePublisherPHP "abspath" Parameter File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-09-18
Timq has reported a vulnerability in MobilePublisherPHP, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21951/
--
[SA22038] A.l-Pifou "ze_langue_02" Parameter Local File Inclusion
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-09-20
cdg393 has discovered a vulnerability in A.l-Pifou, which can be
exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/22038/
--
[SA22021] Drupal Search Keywords Module Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
A vulnerability has been reported in the Search Keywords module for
Drupal, which can be exploited by malicious people to conduct script
insertion attacks.
Full Advisory:
http://secunia.com/advisories/22021/
--
[SA22014] PHP-Post Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released: 2006-09-19
HACKERS PAL has reported some vulnerabilities in PHP-Post, which can be
exploited by malicious people to disclose sensitive information, and
conduct cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/22014/
--
[SA22003] Exponent CMS "view" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-09-20
rgod has discovered a vulnerability in Exponent CMS, which can be
exploited by malicious people to gain knowledge of sensitive
information and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/22003/
--
[SA21997] Amazing Little Poll "lp_settings.inc" Password Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-09-19
AlpEren and tugr have discovered a security issue in Amazing Little
Poll, which can be exploited by malicious people to disclose sensitive
information.
Full Advisory:
http://secunia.com/advisories/21997/
--
[SA21996] gzip Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-09-20
Tavis Ormandy has reported some vulnerabilities in gzip, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/21996/
--
[SA21991] MyReview "email" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-20
STILPU has discovered a vulnerability in MyReview, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/21991/
--
[SA21988] CMtextS admin.txt Password Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-09-19
Kacper has reported a security issue in CMtextS, which can be exploited
by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/21988/
--
[SA21964] Roller Weblogger Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-18
Avinash Shenoi has reported some vulnerabilities in Roller Weblogger,
which can be exploited by malicious people to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/21964/
--
[SA21961] AlstraSoft E-Friends "lang" Local File Inclusion
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-09-19
Kw3[R]Ln has reported a vulnerability in AlstraSoft E-Friends, which
can be exploited by malicious people to disclose sensitive
information.
Full Advisory:
http://secunia.com/advisories/21961/
--
[SA21958] RSSOwl Atom Feed Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-09-19
SPI Dynamics has discovered some vulnerabilities in RSSOwl, which can
be exploited by malicious people to conduct script insertion attacks
and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/21958/
--
[SA21956] Gnuturk Portal "t_id" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-18
p2y has reported a vulnerability in Gnuturk Portal, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/21956/
--
[SA22050] MAXdev MD-Pro Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-21
A vulnerability has been reported in MAXdev MD-Pro, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/22050/
--
[SA22035] Drupal Site Profile Directory Module Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
A vulnerability has been reported in the Site Profile Directory module
for Drupal, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/22035/
--
[SA22030] NextAge Cart "CatId" and "SearchWd" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
meto5757 has reported some vulnerabilities in Nextage Cart, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/22030/
--
[SA22028] PT News "pgname" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
Snake has discovered a vulnerability in PT News, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/22028/
--
[SA22007] more.groupware "new_calendarid" SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-09-20
alexander wilhelm has discovered a vulnerability in more.groupware,
which can be exploited by malicious users to conduct SQL injection
attacks.
Full Advisory:
http://secunia.com/advisories/22007/
--
[SA21982] Opera SSL RSA Signature Forgery Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass, Spoofing
Released: 2006-09-18
A vulnerability has been reported in Opera, which can be exploited by
malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/21982/
--
[SA21979] eSyndiCat Directory Software "what" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-20
meto5757 has reported a vulnerability in eSyndicat Directory Software,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/21979/
--
[SA21972] MyBB Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-09-18
HACKERS PAL has discovered some vulnerabilities in MyBB, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/21972/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support@private
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Sep 21 2006 - 22:25:01 PDT