========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-12-21 - 2006-12-28

                       This week: 53 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.

Be sure to check your own system:
http://secunia.com/software_inspector/

Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.

Read more in our blog:
http://secunia.com/blog/4/
http://secunia.com/blog/3/

========================================================================
2) This Week in Brief:

This week, Secunia published two advisories on the CSRSS subsystem in
Windows. The first allowed possible privilege escalation when handling
HardError messages, while the second allowed possible information
disclosure.

Secunia received reports of a vulnerability due to a double-free error
in the handling of HardError messages within WINSRV.DLL. This can be
exploited to execute arbitrary code and gain SYSTEM privileges under
the CSRSS subsystem by setting the caption or text parameters of the
MessageBox() function to a string that starts with "\??\".

The vulnerability is reported in Windows 2000 SP4, Windows Server 2003
SP1, Windows XP SP1, Windows XP SP2, and Windows Vista.

Reference:
http://secunia.com/SA23448/

--

Another vulnerability was also discovered in CSRSS.EXE that can
potentially be used to disclose sensitive information to malicious,
local users. Due to a problem with the way that CSRSS.EXE validates
arguments passed via NtRaiseHardError, the contents of CSRSS process
memory can be viewed.

The vulnerability is confirmed on a fully-patched Windows XP SP2 system
and reportedly affects Windows 2000 SP4 as well. Other versions may also
be affected.

Reference:
http://secunia.com/SA23491/

--

VIRUS ALERTS:

During the past week Secunia collected 91 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA23282] Mozilla Firefox Multiple Vulnerabilities
2.  [SA23448] Microsoft Windows CSRSS Privilege Escalation Vulnerability
3.  [SA21910] Internet Explorer Multiple Vulnerabilities
4.  [SA23466] TYPO3 rtehtmlarea Extension "userUid" Command Execution
5.  [SA23424] SugarCRM Sugar Open Source Cross-Site Scripting
            Vulnerability
6.  [SA20807] Internet Explorer Script Error Handling Memory Corruption
            Vulnerability
7.  [SA23464] Valdersoft Shopping Cart "commonIncludePath" File
            Inclusion
8.  [SA23445] Sun Java JRE Multiple Vulnerabilities
9.  [SA23461] Oracle Portal Multiple Vulnerabilities
10. [SA23458] TextSend "ROOT_PATH" File Inclusion Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA23525] Enthrallweb ePhotos "SUB_ID" SQL Injection Vulnerability
[SA23523] Dragon Business Directory Pro "ID" SQL Injection Vulnerability
[SA23522] Enthrallweb ePages "Biz_ID" SQL Injection Vulnerability
[SA23521] Enthrallweb emates "ID" SQL Injection Vulnerability
[SA23520] Enthrallweb eJobs "ID" SQL Injection Vulnerability
[SA23518] Enthrallweb eNews "myprofile.asp" Manipulation of Data
[SA23517] Enthrallweb eCoupons "myprofile.asp" Manipulation of Data
[SA23515] Calendar MX BASIC "ID" SQL Injection Vulnerability
[SA23510] Newsletter MX "ID" SQL Injection Vulnerability
[SA23509] Mxmania File Upload Manager "ID" SQL Injection Vulnerability
[SA23506] Ananda Real Estate "agent" SQL Injection Vulnerability
[SA23481] acFTP REST/PBSZ Argument Handling Denial of Service
[SA23471] Dream FTP Server PORT Denial of Service Vulnerability
[SA23491] Microsoft Windows CSRSS Information Disclosure Vulnerability
[SA23487] Windows Workstation Service NetrWkstaUserEnum Denial of Service

UNIX/Linux:
[SA23514] SGI Advanced Linux Environment Multiple Updates
[SA23513] SGI Advanced Linux Environment Multiple Updates
[SA23512] Slackware update for xine-lib
[SA23486] PHP-Update Multiple Vulnerabilities
[SA23470] logahead UNU edition Security Bypass and File Upload
[SA23468] rPath update for firefox
[SA23502] eNdonesia Multiple Vulnerabilities
[SA23489] DB Hub "clear_user_list()" Denial of Service
[SA23478] 3editor "page" Local File Inclusion
[SA23474] SUSE update for kernel
[SA23467] Debian update for links2
[SA23473] Trustix update for proftpd

Other:

Cross Platform:
[SA23528] Cacti "cmd.php" Command Execution and SQL Injection
[SA23524] SH-News "news_cfg" File Inclusion Vulnerability
[SA23519] Fantastic News "CONFIG[script_path]" File Inclusion
          Vulnerabilities
[SA23508] Pagetool "ptconf[src]" File Inclusion Vulnerability
[SA23503] MTCMS "ins_file" File Inclusion Vulnerability
[SA23501] Jinzora "include_path" File Inclusion Vulnerabilities
[SA23498] Ciberia Content Federator "path" File Inclusion Vulnerability
[SA23497] Irokez CMS Multiple File Inclusion Vulnerabilities
[SA23496] PhpbbXtra "phpbb_root_path" File Inclusion Vulnerability
[SA23492] w3m Certificate Handling Format String Vulnerability
[SA23480] pgmReloaded File Inclusion Vulnerabilities
[SA23479] Newxooper PHP "chemin" File Inclusion Vulnerability
[SA23477] KISGB Multiple File Inclusion Vulnerabilities
[SA23466] TYPO3 rtehtmlarea Extension "userUid" Command Execution
[SA23533] ScriptFrenzy.com Host Directory Pro Database Information
          Disclosure
[SA23526] Knusperleicht Shoutbox shout.php Script Insertion Vulnerability
[SA23505] HLstats "killLimit" SQL Injection Vulnerability
[SA23500] AlstraSoft Web Host Directory Database Information Disclosure
[SA23476] OpenNewsletter Security Bypass Vulnerability
[SA23507] pnamazu Unspecified Cross-Site Scripting Vulnerability
[SA23499] PHP iCalendar Multiple Cross-Site Scripting Vulnerabilities
[SA23494] TimberWolf CMS "nid" Cross-Site Scripting Vulnerability
[SA23488] PHP Live! Multiple Cross-Site Scripting Vulnerabilities
[SA23472] @Mail Webmail Two Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA23525] Enthrallweb ePhotos "SUB_ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-26

ajann has reported a vulnerability in Enthrallweb ePhotos, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/23525/

--

[SA23523] Dragon Business Directory Pro "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-27

ajann has reported a vulnerability in Dragon Business Directory Pro,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/23523/

--

[SA23522] Enthrallweb ePages "Biz_ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-26

ajann has reported a vulnerability in Enthrallweb ePages, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23522/

--

[SA23521] Enthrallweb emates "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-26

ajann has reported a vulnerability in Enthrallweb emates, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23521/

--

[SA23520] Enthrallweb eJobs "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-26

ajann has reported a vulnerability in Enthrallweb eJobs, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23520/

--

[SA23518] Enthrallweb eNews "myprofile.asp" Manipulation of Data

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-26

ajann has reported a vulnerability in Enthrallweb eNews, which can be
exploited by malicious users to manipulate certain data.

Full Advisory:
http://secunia.com/advisories/23518/

--

[SA23517] Enthrallweb eCoupons "myprofile.asp" Manipulation of Data

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-26

ajann has reported a vulnerability in Enthrallweb eCoupons, which can be
exploited by malicious users to manipulate certain data.

Full Advisory:
http://secunia.com/advisories/23517/

--

[SA23515] Calendar MX BASIC "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-27

ajann has reported a vulnerability in Calendar MX BASIC, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23515/

--

[SA23510] Newsletter MX "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-27

ajann has reported a vulnerability in Newsletter MX, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23510/

--

[SA23509] Mxmania File Upload Manager "ID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-27

ajann has reported a vulnerability in Mxmania File Upload Manager, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23509/

--

[SA23506] Ananda Real Estate "agent" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-27

ajann has reported a vulnerability in Ananda Real Estate, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/23506/

--

[SA23481] acFTP REST/PBSZ Argument Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-26

Gabriel Silva has discovered two vulnerabilities in acFTP, which can be
exploited by malicious users and malicious people to cause a DoS (Denial
of Service).

Full Advisory:
http://secunia.com/advisories/23481/

--

[SA23471] Dream FTP Server PORT Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-22

InTeL has discovered a vulnerability in Dream FTP Server, which can be
exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23471/

--

[SA23491] Microsoft Windows CSRSS Information Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-12-28

Rubén Santamarta has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious, local users to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/23491/

--

[SA23487] Windows Workstation Service NetrWkstaUserEnum Denial of Service

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2006-12-26

h07 has discovered a weakness in Microsoft Windows, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23487/

UNIX/Linux:

--

[SA23514] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, DoS, System
             access
Released:    2006-12-27

SGI has issued a patch for SGI Advanced Linux Environment. This fixes
some vulnerabilities and a security issue, which can be exploited by
malicious people to conduct cross-site scripting attacks, overwrite
arbitrary files and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23514/

--

[SA23513] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-12-27

SGI has issued a patch for SGI Advanced Linux Environment. This fixes
some vulnerabilities, which can be exploited by malicious people to
bypass certain security restrictions and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23513/

--

[SA23512] Slackware update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-12-26

Slackware has issued an update for xine-lib. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23512/

--

[SA23486] PHP-Update Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2006-12-28

Some vulnerabilities have been reported in PHP-Update, which can be
exploited by malicious people to bypass certain security restrictions
and conduct SQL injection attacks and by malicious users to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/23486/

--

[SA23470] logahead UNU edition Security Bypass and File Upload

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-12-27

CorryL has reported two vulnerabilities in logahead UNU edition, which
can be exploited by malicious people to bypass certain security
restrictions and compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23470/

--

[SA23468] rPath update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information,
             DoS, System access
Released:    2006-12-22

rPath has issued an update for firefox. This fixes some vulnerabilities,
which can be exploited by malicious people to gain knowledge of certain
information, conduct cross-site scripting attacks, and potentially
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23468/

--

[SA23502] eNdonesia Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
             system information, Exposure of sensitive information
Released:    2006-12-27

z1ckX has discovered some vulnerabilities in eNdonesia, which can be
exploited by malicious people to disclose sensitive information,
manipulate data and perform cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23502/

--

[SA23489] DB Hub "clear_user_list()" Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-28

Critical Security have discovered a vulnerability in DB Hub, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23489/

--

[SA23478] 3editor "page" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information
Released:    2006-12-26

Dr Max Virus has discovered a vulnerability in 3editor, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/23478/

--

[SA23474] SUSE update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information,
             Privilege escalation, DoS
Released:    2006-12-22

SUSE has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain escalated privileges, expose sensitive information, or cause a DoS
(Denial of Service), and by malicious people to bypass certain security
restrictions and cause a DoS.

Full Advisory:
http://secunia.com/advisories/23474/

--

[SA23467] Debian update for links2

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, Exposure of system information,
             Exposure of sensitive information
Released:    2006-12-22

Debian has issued an update for links2. This fixes some vulnerabilities,
which can be exploited by malicious people to expose sensitive
information and manipulate data.

Full Advisory:
http://secunia.com/advisories/23467/

--

[SA23473] Trustix update for proftpd

Critical:    Not critical
Where:       From remote
Impact:      Privilege escalation
Released:    2006-12-22

Trustix has issued an update for proftpd. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/23473/

Other:

Cross Platform:

--

[SA23528] Cacti "cmd.php" Command Execution and SQL Injection

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2006-12-28

rgod has discovered three vulnerabilities in Cacti, which can be
exploited by malicious people to bypass certain security restrictions,
manipulate data and compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23528/

--

[SA23524] SH-News "news_cfg" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-27

bd0rk has discovered a vulnerability in SH-News, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23524/

--

[SA23519] Fantastic News "CONFIG[script_path]" File Inclusion
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-28

Mr-m07 has reported some vulnerabilities in Fantastic News, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23519/

--

[SA23508] Pagetool "ptconf[src]" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-26

FiSh and godXcel have discovered a vulnerability in Pagetool, which can
be exploited by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23508/

--

[SA23503] MTCMS "ins_file" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-27

nuffsaid has discovered a vulnerability in MTCMS, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23503/

--

[SA23501] Jinzora "include_path" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-27

nuffsaid has discovered some vulnerabilities in Jinzora, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23501/

--

[SA23498] Ciberia Content Federator "path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-27

DeltahackingTEAM reported a vulnerability in Ciberia Content Federator,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/23498/

--

[SA23497] Irokez CMS Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-27

nuffsaid has discovered some vulnerabilities in Irokez CMS, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23497/

--

[SA23496] PhpbbXtra "phpbb_root_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-27

xoron has discovered a vulnerability in PhpbbXtra, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23496/

--

[SA23492] w3m Certificate Handling Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-26

A vulnerability has been reported in w3m, which potentially can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23492/

--

[SA23480] pgmReloaded File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-22

nuffsaid has discovered some vulnerabilities in pgmReloaded, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23480/

--

[SA23479] Newxooper PHP "chemin" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-22

Dr Max Virus has reported a vulnerability in Newxooper PHP, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23479/

--

[SA23477] KISGB Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-26

Some vulnerabilities have been reported in KISGB, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23477/

--

[SA23466] TYPO3 rtehtmlarea Extension "userUid" Command Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-21

Daniel Fabian and J. Greil have reported a vulnerability in the
rtehtmlarea extension for TYPO3, which can be exploited by malicious
people to gain system access.

Full Advisory:
http://secunia.com/advisories/23466/

--

[SA23533] ScriptFrenzy.com Host Directory Pro Database Information
Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-12-28

hack2prison has reported a vulnerability in ScriptFrenzy.com Host
Directory Pro, which can be exploited by malicious people to disclose
certain sensitive information.

Full Advisory:
http://secunia.com/advisories/23533/

--

[SA23526] Knusperleicht Shoutbox shout.php Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-27

IMHOT3B has reported a vulnerability in Knusperleicht Shoutbox, which
can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/23526/

--

[SA23505] HLstats "killLimit" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-27

Michael Brooks has discovered a vulnerability in HLstats, which can be
exploited by malicious people to manipulate data.

Full Advisory:
http://secunia.com/advisories/23505/

--

[SA23500] AlstraSoft Web Host Directory Database Information Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-12-28

hack2prison has reported a vulnerability in AlstraSoft Web Host
Directory, which can be exploited by malicious people to disclose
certain sensitive information.

Full Advisory:
http://secunia.com/advisories/23500/

--

[SA23476] OpenNewsletter Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-12-27

BlackHawk has discovered a vulnerability in OpenNewsletter, which can be
exploited by malicious people to bypass certain security restrictions
and disclose sensitive data.

Full Advisory:
http://secunia.com/advisories/23476/

--

[SA23507] pnamazu Unspecified Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-26

Fukumori has reported a vulnerability in pnamazu, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23507/

--

[SA23499] PHP iCalendar Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-28

Lostmon has discovered some vulnerabilities in PHP iCalendar, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/23499/

--

[SA23494] TimberWolf CMS "nid" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-27

CorryL has discovered a vulnerability in TimberWolf CMS, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23494/

--

[SA23488] PHP Live! Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-26

Doz has reported some vulnerabilities in PHP Live!, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23488/

--

[SA23472] @Mail Webmail Two Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-22

Netragard has reported two vulnerabilities in @Mail, which potentially
can be exploited by malicious people to conduct cross-site scripting
attacks or cross-site request forgery attacks.

Full Advisory:
http://secunia.com/advisories/23472/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@private
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Dec 28 2006 - 22:23:20 PST