[ISN] Secunia Weekly Summary - Issue: 2006-51

From: InfoSec News (alerts@private)
Date: Thu Dec 21 2006 - 22:09:43 PST


========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-12-14 - 2006-12-21

                       This week: 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.

Be sure to check your own system:
http://secunia.com/software_inspector/

Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.

Read more in our blog:
http://secunia.com/blog/4/
http://secunia.com/blog/3/

========================================================================
2) This Week in Brief:

Yahoo! reported a vulnerability in its instant messaging client for
versions obtained prior to November 2, 2006. The vulnerability is
caused by an unspecified error in Yahoo! Messenger's ActiveX control,
which potentially can be exploited by malicious people to compromise a
user's system.

Users are advised to upgrade to the latest version of Yahoo! Messenger.

Please refer to the Secunia advisory for more information:
http://secunia.com/advisories/23401/

You can also use the Secunia Software Inspector to check if your
version of Yahoo! Messenger is secure:
http://secunia.com/software_inspector/

 --

Nine vulnerabilities were reported in Mozilla Firefox 1.x and 2.x this
week, with impacts ranging from exposure of sensitive information to
system access. Users are advised to upgrade to either version 1.5.0.9
or 2.0.0.1 to avoid falling victim to any of these vulnerabilities.

Please refer to the following Secunia advisory for more information:
http://secunia.com/advisories/23282/

You can also use the Secunia Software Inspector to check if your
version of Firefox is secure:
http://secunia.com/software_inspector/

 --

Three vulnerabilities were reported in IBM Websphere Application Server
this week, one affecting version 5.x, and the others affecting version
6.x.

IBM WebSphere Application Server 5.x has an unspecified error in the
WebSphere Utility class. No further information is available. This
vulnerability was reported by the vendor, and can be fixed by applying
Cumulative Fix 13 (5.1.1.13).

IBM WebSphere Application Server 6.x has an unspecified vulnerability
in the Servlet Engine/Web Container that can potentially be used to
disclose JSP source code. A second vulnerability is caused by an
unspecified error in a General component. No other information is
available. These vulnerabilities were also reported by the vendor, and
can be fixed by updating to version 6.0.2 Fix Pack 17.

Please refer to the following Secunia advisories for more information:
http://secunia.com/advisories/23414/
http://secunia.com/advisories/23386/

 --

VIRUS ALERTS:

During the past week Secunia collected 212 virus descriptions from the
antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA23282] Mozilla Firefox Multiple Vulnerabilities
2.  [SA23401] Yahoo! Messenger Unspecified ActiveX Control Buffer
              Overflow
3.  [SA23232] Microsoft Word Memory Corruption Vulnerabilities
4.  [SA20807] Internet Explorer Script Error Handling Memory Corruption
              Vulnerability
5.  [SA22477] Internet Explorer 7 "mhtml:" Redirection Information
              Disclosure
6.  [SA23205] Microsoft Word Unspecified Code Execution Vulnerability
7.  [SA23386] IBM WebSphere Application Server Unspecified
              Vulnerability
8.  [SA23402] torrentflux-b4rt "path" Directory Traversal Vulnerability
9.  [SA23378] CA Anti-Virus Drivers Denial of Service Vulnerabilities
10. [SA23400] Avaya CMS / IR Sun Solaris libXfont Integer Overflow
              Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA23401] Yahoo! Messenger Unspecified ActiveX Control Buffer Overflow
[SA23447] Burak Yilmaz Download Portal "id" SQL Injection
Vulnerability
[SA23412] WinFtp Server Data Handling Denial of Service Vulnerability
[SA23403] Nortel CallPilot Server Unspecified Vulnerability
[SA23426] CA Portal Technology Session Handling Vulnerability
[SA23393] Mandiant First Response Multiple Vulnerabilities
[SA23391] Microsoft Project Server Information Disclosure Security
Issue

UNIX/Linux:
[SA23458] TextSend "ROOT_PATH" File Inclusion Vulnerability
[SA23441] Gentoo update for imlib2
[SA23440] Red Hat update for firefox
[SA23439] Red Hat update for thunderbird
[SA23434] cwmVote "abs" File Inclusion Vulnerability
[SA23433] Red Hat update for seamonkey
[SA23423] phpProfiles Multiple File Inclusion Vulnerabilities
[SA23419] Debian update for sql-ledger
[SA23416] Azucar CMS "_VIEW" File Inclusion Vulnerability
[SA23409] SUSE Update for Multiple Packages
[SA23407] PHP-Update blog.php Multiple Vulnerabilities
[SA23394] MxBB Portal mx_meeting Module "module_root_path" File
Inclusion
[SA23443] Red Hat update for tar
[SA23429] Gentoo vlnx Insecure DT_RPATH Vulnerability
[SA23417] Trustix update for clamav
[SA23411] SUSE update for clamav
[SA23404] Gentoo update for clamav
[SA23400] Avaya CMS / IR Sun Solaris libXfont Integer Overflow
Vulnerability
[SA23395] Debian update for kernel-source-2.4.27
[SA23389] Gentoo update for links
[SA23454] Gentoo update for ruby
[SA23449] Mini Web Shop "catname" Cross-Site Scripting
[SA23438] Apple Mac OS X Quicktime/Quartz Composer Information
Disclosure
[SA23428] Gentoo update for pam_ldap
[SA23427] Linux Kernel Bluetooth CAPI Messages Denial of Service
[SA23413] HyperVM "frm_action" Cross-Site Scripting Vulnerability
[SA23408] Linux Kernel Bluetooth CAPI Messages Denial of Service
[SA23402] torrentflux-b4rt "path" Directory Traversal Vulnerability
[SA23385] Ubuntu update for gdm
[SA23387] GNOME Foundation Display Manager "gdmchooser" Vulnerability
[SA23430] NeoScale Systems CryptoStor 700 Series Security Bypass
Weakness
[SA23436] Linux Kernel "mincore()" Deadlock Denial of Service
[SA23392] Mandriva update for proftpd
[SA23390] Mandriva update for dbus

Other:
[SA23406] Novell NetWare Welcome web-app Cross-Site Scripting
Vulnerability
[SA23396] HP FTP Print Server LIST Denial of Service Vulnerability

Cross Platform:
[SA23445] Sun Java JRE Multiple Vulnerabilities
[SA23442] cwmCounter "path" File Inclusion Vulnerability
[SA23425] CuteNews AJ-Fork "cutepath" File Inclusion Vulnerability
[SA23422] Mozilla SeaMonkey Multiple Vulnerabilities
[SA23420] Mozilla Thunderbird Multiple Vulnerabilities
[SA23415] BitDefender AntiVirus Engine PE File Parsing Buffer Overflow
[SA23388] eyeOS File Upload Vulnerability
[SA23418] VerliAdmin "q" File Inclusion Vulnerability
[SA23414] IBM WebSphere Application Server Multiple Vulnerabilities
[SA23398] Sun Java JRE Applet Security Bypass
[SA23386] IBM WebSphere Application Server Unspecified Vulnerability
[SA23421] Hitachi Directory Server LDAP Multiple Vulnerabilities
[SA23410] Drupal Project / Project issue tracking Module Script
Insertion
[SA23405] Drupal MySite Module "Title" Script Insertion Vulnerability
[SA23397] DB2 Universal Database Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA23401] Yahoo! Messenger Unspecified ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-15

A vulnerability has been reported in Yahoo! Messenger, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/23401/

 --

[SA23447] Burak Yilmaz Download Portal "id" SQL Injection
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-20

ShaFuck31 has discovered a vulnerability in Burak Yilmaz Download
Portal, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/23447/

 --

[SA23412] WinFtp Server Data Handling Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-20

shinnai has discovered a vulnerability in WinFtp Server, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23412/

 --

[SA23403] Nortel CallPilot Server Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-12-19

A vulnerability with unknown impact has been reported in Nortel
CallPilot.

Full Advisory:
http://secunia.com/advisories/23403/

 --

[SA23426] CA Portal Technology Session Handling Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-12-20

A vulnerability has been reported in CA's Portal technology, which
potentially can be exploited by malicious users to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/23426/

 --

[SA23393] Mandiant First Response Multiple Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Hijacking, DoS
Released:    2006-12-19

Some vulnerabilities have been reported in Mandiant First Response,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service) and manipulate data, and by malicious people to cause a
DoS.

Full Advisory:
http://secunia.com/advisories/23393/

 --

[SA23391] Microsoft Project Server Information Disclosure Security
Issue

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-12-18

Brett Moore has reported a security issue in Microsoft Project Server,
which can be exploited by malicious users to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/23391/


UNIX/Linux:--

[SA23458] TextSend "ROOT_PATH" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-21

nuffsaid has discovered a vulnerability in TextSend, which can be
exploited by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23458/

 --

[SA23441] Gentoo update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-12-21

Gentoo has issued an update for imlib2. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise an application using
the library.

Full Advisory:
http://secunia.com/advisories/23441/

 --

[SA23440] Red Hat update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-12-20

Red Hat has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks and potentially compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/23440/

 --

[SA23439] Red Hat update for thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-20

Red Hat has issued an update for thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks and potentially compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/23439/

 --

[SA23434] cwmVote "abs" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-20

bd0rk has discovered a vulnerability in cwmVote, which can be exploited
by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23434/

 --

[SA23433] Red Hat update for seamonkey

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-20

Red Hat has issued an update for seamonkey. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks and potentially compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/23433/

 --

[SA23423] phpProfiles Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-20

nuffsaid has discovered several vulnerabilities in phpProfiles, which
can be exploited by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23423/

 --

[SA23419] Debian update for sql-ledger

Critical:    Highly critical
Where:       From remote
Impact:      Hijacking, System access
Released:    2006-12-18

Debian has issued an update for sql-ledger. This fixes some
vulnerabilities, which can be exploited by malicious people to hijack
user sessions and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23419/

 --

[SA23416] Azucar CMS "_VIEW" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-19

nuffsaid has reported a vulnerability in Azucar CMS, which can be
exploited by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23416/

 --

[SA23409] SUSE Update for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Privilege
escalation, System access
Released:    2006-12-20

SUSE has issued an update for multiple packages. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain escalated privileges and malicious people to conduct cross-site
scripting and script insertion attacks, bypass certain security
restrictions, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23409/

 --

[SA23407] PHP-Update blog.php Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2006-12-20

rgod has discovered some vulnerabilities in PHP-Update, which can be
exploited by malicious people to bypass certain security restrictions
and by malicious users to compromise vulnerable systems and manipulate
data.

Full Advisory:
http://secunia.com/advisories/23407/

 --

[SA23394] MxBB Portal mx_meeting Module "module_root_path" File
Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

ajann has discovered a vulnerability in the mx_meeting module for MxBB
Portal, which can be exploited by malicious people to compromise
vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23394/

 --

[SA23443] Red Hat update for tar

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-20

Red Hat has issued an update for tar. This fixes a weakness, which can
be exploited by malicious people to overwrite arbitrary files.

Full Advisory:
http://secunia.com/advisories/23443/

 --

[SA23429] Gentoo vlnx Insecure DT_RPATH Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2006-12-18

Gentoo has acknowledged a vulnerability, which can be exploited by
malicious, local users to gain escalated privileges or by malicious
people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23429/

 --

[SA23417] Trustix update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

Trustix has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23417/

 --

[SA23411] SUSE update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

SUSE has issued an update for clamav. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23411/

 --

[SA23404] Gentoo update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-19

Gentoo has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23404/

 --

[SA23400] Avaya CMS / IR Sun Solaris libXfont Integer Overflow
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-12-15

Avaya has acknowledged a vulnerability in Avaya CMS / IR, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23400/

 --

[SA23395] Debian update for kernel-source-2.4.27

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2006-12-18

Debian has issued an update for kernel-source-2.4.27. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain knowledge of potentially sensitive information or cause a DoS
(Denial of Service), and by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/23395/

 --

[SA23389] Gentoo update for links

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, Exposure of system information,
Exposure of sensitive information
Released:    2006-12-15

Gentoo has issued an update for links. This fixes a vulnerability,
which can be exploited by malicious people to expose sensitive
information and manipulate data.

Full Advisory:
http://secunia.com/advisories/23389/

 --

[SA23454] Gentoo update for ruby

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-21

Gentoo has issued an update for ruby. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23454/

 --

[SA23449] Mini Web Shop "catname" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-20

Linux_Drox has discovered a vulnerability in Mini Web Shop, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/23449/

 --

[SA23438] Apple Mac OS X Quicktime/Quartz Composer Information
Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-12-20

A vulnerability has been reported in Mac OS X, which can be exploited
by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/23438/

 --

[SA23428] Gentoo update for pam_ldap

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-12-21

Gentoo has issued an update for pam_ldap. This fixes a security issue,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/23428/

 --

[SA23427] Linux Kernel Bluetooth CAPI Messages Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23427/

 --

[SA23413] HyperVM "frm_action" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-19

Aria Security has reported a vulnerability in HyperVM, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23413/

 --

[SA23408] Linux Kernel Bluetooth CAPI Messages Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23408/

 --

[SA23402] torrentflux-b4rt "path" Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2006-12-15

r0ut3r has discovered a vulnerability in torrentflux-b4rt, which can be
exploited by malicious users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/23402/

 --

[SA23385] Ubuntu update for gdm

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation
Released:    2006-12-15

Ubuntu has issued an update for gdm. This fixes a vulnerability, which
can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/23385/

 --

[SA23387] GNOME Foundation Display Manager "gdmchooser" Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-12-15

A vulnerability has been reported in the gdmchooser application of the
GNOME Display Manager, which can be exploited by malicious, local users
to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/23387/

 --

[SA23430] NeoScale Systems CryptoStor 700 Series Security Bypass
Weakness

Critical:    Not critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-12-19

A weakness has been reported in NeoScale Systems CryptoStor 700 Series,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/23430/

 --

[SA23436] Linux Kernel "mincore()" Deadlock Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-12-20

Doug Chapman has reported a vulnerability in the Linux Kernel, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23436/

 --

[SA23392] Mandriva update for proftpd

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-12-19

Mandriva has issued an update for proftpd. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/23392/

 --

[SA23390] Mandriva update for dbus

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-12-19

Mandriva has issued an update for dbus. This fixes a weakness, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23390/


Other:--

[SA23406] Novell NetWare Welcome web-app Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-20

A vulnerability has been reported in Novell NetWare, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23406/

 --

[SA23396] HP FTP Print Server LIST Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-12-20

Joxean Koret has reported a vulnerability in HP FTP Print Server, which
can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23396/


Cross Platform:--

[SA23445] Sun Java JRE Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2006-12-20

Some vulnerabilities have been reported in Sun Java JRE (Java Runtime
Environment), which can be exploited by malicious people to compromise
a user's system.

Full Advisory:
http://secunia.com/advisories/23445/

 --

[SA23442] cwmCounter "path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-21

bd0rk has discovered a vulnerability in cwmCounter, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23442/

 --

[SA23425] CuteNews AJ-Fork "cutepath" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

DeltahackingTEAM has discovered a vulnerability in CuteNews AJ-Fork,
which can be exploited by malicious people to compromise vulnerable
systems.

Full Advisory:
http://secunia.com/advisories/23425/

 --

[SA23422] Mozilla SeaMonkey Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-19

Multiple vulnerabilities have been reported in Mozilla SeaMonkey, which
can be exploited by malicious people to conduct cross-site scripting
attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23422/

 --

[SA23420] Mozilla Thunderbird Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-19

Multiple vulnerabilities have been reported in Mozilla Thunderbird,
which can be exploited by malicious people to conduct cross-site
scripting attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23420/

 --

[SA23415] BitDefender AntiVirus Engine PE File Parsing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

Sergio Alvarez has reported a vulnerability in BitDefender Anti-Virus,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/23415/

 --

[SA23388] eyeOS File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

A vulnerability has been discovered in eyeOS, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23388/

 --

[SA23418] VerliAdmin "q" File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-12-19

Kacper has discovered a vulnerability in VerliAdmin, which can be
exploited by malicious users to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23418/

 --

[SA23414] IBM WebSphere Application Server Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Exposure of system information, Exposure of
sensitive information
Released:    2006-12-18

Some vulnerabilities have been reported in IBM WebSphere Application
Server, where some have unknown impacts and others can potentially be
exploited to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/23414/

 --

[SA23398] Sun Java JRE Applet Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-12-20

Two vulnerabilities have been reported in Sun Java JRE (Java Runtime
Environment), which can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/23398/

 --

[SA23386] IBM WebSphere Application Server Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-12-15

A vulnerability with unknown impact has been reported in IBM WebSphere
Application Server.

Full Advisory:
http://secunia.com/advisories/23386/

 --

[SA23421] Hitachi Directory Server LDAP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-12-21

Some vulnerabilities have been reported in Hitachi Directory Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23421/

 --

[SA23410] Drupal Project / Project issue tracking Module Script
Insertion

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-18

Some vulnerabilities have been reported in the Project and Project
issue tracking modules for Drupal, which can be exploited by malicious
users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/23410/

 --

[SA23405] Drupal MySite Module "Title" Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-18

A vulnerability has been reported in the MySite module for Drupal,
which can be exploited by malicious users to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/23405/

 --

[SA23397] DB2 Universal Database Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-12-17

Vivek Rathod has reported a vulnerability in DB2, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23397/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support@private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Dec 21 2006 - 22:17:23 PST