[ISN] Secunia Weekly Summary - Issue: 2007-35

From: InfoSec News (alerts@private)
Date: Thu Aug 30 2007 - 23:28:04 PDT


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2007-08-23 - 2007-08-30                        

                       This week: 61 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

BETA test the new Secunia Personal Software Inspector!

The Secunia PSI detects the software installed on your computer and
categorises it as either Insecure, End-of-Life, or Up-To-Date. This
lets you focus your attention on the installations for which more
secure versions are available from the vendors.

Download the free PSI BETA from the Secunia website:
https://psi.secunia.com/

========================================================================
2) This Week in Brief:

Entrust has issued an update for their Entelligence Security
Provider (ESP) to fix a vulnerability, which can lead to untrusted
certificates misleadingly being displayed as trustworthy.

The security issue is caused by an error in the handling of flags and
error states in Security Provider when the Path Building and
Validation modules are installed. This can lead to untrusted
certificates wrongly being displayed as trusted, with users e.g.
connecting to an untrusted SSL server or using an untrusted public key.

For more information refer to:
http://secunia.com/advisories/26630/

 --

This week, both Yahoo! Messenger and MSN Messenger are affected by
critical vulnerabilities that allow malicious people to gain control of
client systems.

The vulnerability in Yahoo! Messenger is caused by a boundary error
within the YVerInfo.dll ActiveX control and can be exploited to cause a
buffer overflow, e.g. when a user is tricked into viewing a malicious
web page.

For more information refer to:
http://secunia.com/advisories/26579/

The vulnerability in MSN Messenger is caused by an error in the
handling of video conversations and can be exploited to cause a
heap-based buffer overflow via specially crafted data sent to a user.

For more information refer to:
http://secunia.com/advisories/26570/

 --

An eavesdropping vulnerability has been reported in the Grandstream 
GXV3000 IP Video Phone.

The vulnerability is caused by an unspecified error in the SIP stack
and can be exploited to put the phone into an inconsistent state by
sending an "INVITE" and a "183 Session Progress" message sequence. This
allows an attacker to eavesdrop through the device and also prevents it
from hanging up.

For more information refer to:
http://secunia.com/advisories/26568/

 --

VIRUS ALERTS:

During the past week Secunia collected 134 virus descriptions from the
antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA26570] MSN Messenger Video Conversation Buffer Overflow
              Vulnerability
2.  [SA26523] Trend Micro ServerProtect Multiple Buffer Overflow
              Vulnerabilities
3.  [SA26591] Media Player Classic FLI File Processing Buffer Overflow
4.  [SA26584] Bugzilla Security Issue and Multiple Vulnerabilities
5.  [SA26555] Novell Identity Manager Client Login Extension
              Information Disclosure
6.  [SA21910] Internet Explorer Multiple Vulnerabilities
7.  [SA26554] Vavoom Multiple Vulnerabilities
8.  [SA24023] PRISM Guard Shield Asura Engine Packet Handling Buffer
              Overflow
9.  [SA26571] Rogue Trooper Asura Engine Packet Handling Buffer
              Overflow
10. [SA26525] eCentrex VOIP Client Component ActiveX Control Buffer
              Overflow

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA26644] Oracle JInitiator "beans.ocx" ActiveX Control Buffer Overflow
Vulnerabilities
[SA26639] PostCast Server EasyMail SMTP ActiveX Control Buffer
Overflow
[SA26622] ACTi NVR Server ActiveX Controls Insecure Methods and Buffer
Overflow
[SA26591] Media Player Classic FLI File Processing Buffer Overflow
[SA26579] Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer
Overflow
[SA26641] Cisco CallManager / CUCM Cross-Site Scripting and SQL
Injection
[SA26632] TortoiseSVN Client Directory Traversal Vulnerability
[SA26625] Subversion Client Directory Traversal Vulnerability
[SA26616] ALPass "Import Site Information" Multiple Vulnerabilities
[SA26630] Entrust ESP Certificate Path Validation Security Issue
[SA26583] Unreal Commander Archive Handling Directory Traversal
Vulnerability
[SA26581] eScan Multiple Products Insecure File Permissions
[SA26608] BufferZone redlight.sys Denial of Service
[SA26606] VMWare Workstation vstor-ws60.sys Denial of Service

UNIX/Linux:
[SA26649] Debian update for postfix-policyd
[SA26635] SUSE update for opera
[SA26602] Debian update for asterisk
[SA26578] BitchX "MODE" Buffer Overflow
[SA26572] Ubuntu update for mozilla-thunderbird
[SA26634] Debian update for rsync
[SA26629] BIND 8 Predictable DNS Query IDs Vulnerability
[SA26627] PDFedit "StreamPredictor" Multiple Vulnerabilities
[SA26620] Mandriva update for kernel
[SA26617] SSHKeychain Unspecified Security Issues
[SA26607] SGI Advanced Linux Environment Multiple Updates
[SA26593] Debian update for lighttpd
[SA26585] 2532|Gigs "language" Local File Inclusion
[SA26575] Mandriva update for gimp
[SA26626] Star Directory Traversal Vulnerability
[SA26623] Python tarfile Module Directory Traversal and Symlink
Vulnerability
[SA26612] Ubuntu update for kdebase and kdelibs
[SA26604] rPath update for tar
[SA26603] Ubuntu update for tar
[SA26601] Asterisk Voicemail IMAP Backend Invalid MIME Denial of
Service
[SA26594] Ubuntu update for vim
[SA26590] Red Hat update for tar
[SA26586] InterWorx-CP Multiple Cross-Site Scripting
[SA26573] GNU tar Directory Traversal Vulnerability
[SA26611] Avaya Products Apache Multi-Processing Module Denial of
Service
[SA26599] HP-UX "get_system_info" Command Configuration Change
Weakness

Other:
[SA26587] Thomson SpeedTouch 2030 Denial of Service Vulnerabilities

Cross Platform:
[SA26631] BEA JRockit Multiple Vulnerabilities
[SA26613] SIDVault LDAP Buffer Overflow Vulnerability
[SA26609] Helix DNA Server RTSP Buffer Overflow
[SA26598] Pakupaku CMS File Upload and Local File Inclusion
[SA26595] SomeryC "skindir" File Inclusion Vulnerability
[SA26588] Motorola Timbuktu Pro Directory Traversal and Buffer
Overflows
[SA26574] Arcadem "loadpage" File Inclusion Vulnerability
[SA26638] Micro CMS "id" SQL Injection
[SA26596] Polipo Aborted POST Request Denial of Service Vulnerability
[SA26580] Sophos Anti-Virus UPX and BZIP Processing Denial of Service
Vulnerabilities
[SA26576] Joomla Nice Talk Component "tagid" SQL Injection
[SA26633] Moon Gallery admin.php File Upload Vulnerability
[SA26628] PhpGedView login.php Cross-Site Scripting Vulnerabilities
[SA26618] Tikiwiki "username" Cross-Site Scripting
[SA26597] Mayaa Character Encoding Cross-Site Scripting Vulnerability
[SA26584] Bugzilla Security Issue and Multiple Vulnerabilities
[SA26582] Dynamic Picture Frame "img_url" Cross-Site Scripting
[SA26577] escafeWeb (Tuigwaa) Cross-Site Scripting Vulnerability
[SA26592] Hitachi DABroker Unspecified Denial of Service Vulnerability
[SA26589] Hitachi Cosminexus Application Server Incorrect Handling of
Group Permissions

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA26644] Oracle JInitiator "beans.ocx" ActiveX Control Buffer Overflow
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

Will Dormann has reported some vulnerabilities in the Oracle JInitiator
"beans.ocx" ActiveX control, which can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26644/

 --

[SA26639] PostCast Server EasyMail SMTP ActiveX Control Buffer
Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

rgod has discovered a vulnerability in PostCast Server, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26639/

 --

[SA26622] ACTi NVR Server ActiveX Controls Insecure Methods and Buffer
Overflow

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2007-08-28

shinnai has discovered some vulnerabilities in the nvUtility.Utility
and the nvUnifiedControl.AUnifiedControl ActiveX controls, which can be
exploited by malicious people to manipulate data or compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/26622/

 --

[SA26591] Media Player Classic FLI File Processing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-24

wushi has discovered a vulnerability in Media Player Classic, which can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26591/

 --

[SA26579] Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer
Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-08-30

A vulnerability has been reported in Yahoo! Messenger, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26579/

 --

[SA26641] Cisco CallManager / CUCM Cross-Site Scripting and SQL
Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2007-08-30

Some vulnerabilities have been reported in Cisco Unified CallManager
and Unified Communications Manager (CUCM), which can be exploited by
malicious people to conduct cross-site scripting and SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/26641/

 --

[SA26632] TortoiseSVN Client Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-08-28

A vulnerability has been reported in TortoiseSVN, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26632/

 --

[SA26625] Subversion Client Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-08-28

A vulnerability has been reported in Subversion, which can be exploited
by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26625/

 --

[SA26616] ALPass "Import Site Information" Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-08-27

Tan Chew Keong has reported some vulnerabilities in ALPass, which can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26616/

 --

[SA26630] Entrust ESP Certificate Path Validation Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Spoofing
Released:    2007-08-28

A security issue has been reported in Entrust Entelligence Security
Provider (ESP), which can lead to untrusted certificates misleadingly
being displayed as trustworthy.

Full Advisory:
http://secunia.com/advisories/26630/

 --

[SA26583] Unreal Commander Archive Handling Directory Traversal
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-24

Gynvael Coldwind has discovered a vulnerability in Unreal Commander,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/26583/

 --

[SA26581] eScan Multiple Products Insecure File Permissions

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2007-08-30

Edi Strosar has discovered a security issue in multiple eScan products,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/26581/

 --

[SA26608] BufferZone redlight.sys Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2007-08-28

seppi has reported a vulnerability in BufferZone, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/26608/

 --

[SA26606] VMWare Workstation vstor-ws60.sys Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2007-08-28

seppi has reported a vulnerability in VMWare Workstation, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/26606/


UNIX/Linux:--

[SA26649] Debian update for postfix-policyd

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-08-30

Debian has issued an update for postfix-policyd. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/26649/

 --

[SA26635] SUSE update for opera

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-30

SUSE has issued an update for opera. This fixes a vulnerability, which
can potentially be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/26635/

 --

[SA26602] Debian update for asterisk

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2007-08-27

Debian has issued an update for asterisk. This fixes some
vulnerabilities, which can be exploited by malicious users to disclose
potentially sensitive information, and by malicious people to cause a
DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26602/

 --

[SA26578] BitchX "MODE" Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-28

bannedit has reported a vulnerability in BitchX, which can potentially
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26578/

 --

[SA26572] Ubuntu update for mozilla-thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2007-08-27

Ubuntu has issued an update for mozilla-thunderbird. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26572/

 --

[SA26634] Debian update for rsync

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-08-29

Debian has issued an update for rsync. This fixes a vulnerability,
which can potentially be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/26634/

 --

[SA26629] BIND 8 Predictable DNS Query IDs Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2007-08-28

Amit Klein has reported a vulnerability in BIND, which can be exploited
by malicious people to poison the DNS cache.

Full Advisory:
http://secunia.com/advisories/26629/

 --

[SA26627] PDFedit "StreamPredictor" Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

Some vulnerabilities have been reported in PDFedit, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26627/

 --

[SA26620] Mandriva update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Brute force, Exposure of sensitive information, DoS
Released:    2007-08-29

Mandriva has issued an update for the kernel. This fixes some security
issues and vulnerabilities, which can be exploited by malicious, local
users to disclose potentially sensitive information or cause a DoS
(Denial of Service), and by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/26620/

 --

[SA26617] SSHKeychain Unspecified Security Issues

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2007-08-30

Some security issues with unknown impact have been reported in
SSHKeychain.

Full Advisory:
http://secunia.com/advisories/26617/

 --

[SA26607] SGI Advanced Linux Environment Multiple Updates

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, System access
Released:    2007-08-27

SGI has issued multiple updates for SGI Advanced Linux Environment.
This fixes some vulnerabilities, which potentially can be exploited by
malicious people to poison the DNS cache or compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/26607/

 --

[SA26593] Debian update for lighttpd

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2007-08-30

Debian has issued an update for lighttpd. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/26593/

 --

[SA26585] 2532|Gigs "language" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2007-08-27

bd0rk has discovered a vulnerability in 2532|Gigs, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/26585/

 --

[SA26575] Mandriva update for gimp

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2007-08-24

Mandriva has issued an update for gimp. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26575/

 --

[SA26626] Star Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

Robert Buchholz has reported a vulnerability in Star, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26626/

 --

[SA26623] Python tarfile Module Directory Traversal and Symlink
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-30

Some vulnerabilities have been reported in the Python tarfile module,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/26623/

 --

[SA26612] Ubuntu update for kdebase and kdelibs

Critical:    Less critical
Where:       From remote
Impact:      Spoofing
Released:    2007-08-27

Ubuntu has issued an update for kdebase and kdelibs. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
spoofing attacks.

Full Advisory:
http://secunia.com/advisories/26612/

 --

[SA26604] rPath update for tar

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-27

rPath has issued an update for tar. This fixes a vulnerability, which
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26604/

 --

[SA26603] Ubuntu update for tar

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

Ubuntu has issued an update for tar. This fixes a vulnerability, which
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26603/

 --

[SA26601] Asterisk Voicemail IMAP Backend Invalid MIME Denial of
Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2007-08-27

A vulnerability has been reported in Asterisk, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/26601/

 --

[SA26594] Ubuntu update for vim

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

Ubuntu has issued an update for vim. This fixes a vulnerability, which
can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/26594/

 --

[SA26590] Red Hat update for tar

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-24

Red Hat has issued an update for tar. This fixes a vulnerability, which
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26590/

 --

[SA26586] InterWorx-CP Multiple Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-08-30

Doz has reported some vulnerabilities in InterWorx-CP, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/26586/

 --

[SA26573] GNU tar Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-24

A vulnerability has been reported in GNU tar, which can be exploited by
malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/26573/

 --

[SA26611] Avaya Products Apache Multi-Processing Module Denial of
Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2007-08-27

Avaya has acknowledged a vulnerability in various Avaya products, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/26611/

 --

[SA26599] HP-UX "get_system_info" Command Configuration Change
Weakness

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-08-27

A weakness has been reported in HP-UX, which can lead to unqualified
configuration changes.

Full Advisory:
http://secunia.com/advisories/26599/


Other:--

[SA26587] Thomson SpeedTouch 2030 Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-08-27

Some vulnerabilities have been reported in the Thomson SpeedTouch 2030
VoIP phone, which can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/26587/


Cross Platform:--

[SA26631] BEA JRockit Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2007-08-29

Some vulnerabilities have been reported in JRockit, which can be
exploited by malicious people to bypass certain security restrictions,
conduct cross-site scripting attacks, cause a DoS (Denial of Service),
or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26631/

 --

[SA26613] SIDVault LDAP Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-27

Joxean Koret has discovered a vulnerability in SIDVault, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26613/

 --

[SA26609] Helix DNA Server RTSP Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-08-27

Mu Security has reported a vulnerability in the Helix DNA Server, which
can potentially be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/26609/

 --

[SA26598] Pakupaku CMS File Upload and Local File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-08-30

GoLd_M has discovered two vulnerabilities in Pakupaku CMS, which can be
exploited by malicious people to disclose sensitive information or to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26598/

 --

[SA26595] SomeryC "skindir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2007-08-29

Katatafish has reported a vulnerability in SomeryC, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26595/

 --

[SA26588] Motorola Timbuktu Pro Directory Traversal and Buffer
Overflows

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2007-08-28

Some vulnerabilities have been reported in Timbuktu Pro, which can be
exploited by malicious users and malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/26588/

 --

[SA26574] Arcadem "loadpage" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2007-08-27

David Sopas Ferreira has reported a vulnerability in Arcadem, which can
be exploited by malicious people to disclose sensitive information or
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26574/

 --

[SA26638] Micro CMS "id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2007-08-29

R00T[ATI] has discovered a vulnerability in Micro CMS, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/26638/

 --

[SA26596] Polipo Aborted POST Request Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-08-27

A vulnerability has been reported in Polipo, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/26596/

 --

[SA26580] Sophos Anti-Virus UPX and BZIP Processing Denial of Service
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2007-08-24

Two vulnerabilities have been reported in Sophos Anti-Virus, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/26580/

 --

[SA26576] Joomla Nice Talk Component "tagid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2007-08-24

ajann has reported a vulnerability in the Nice Talk component for
Joomla, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/26576/

 --

[SA26633] Moon Gallery admin.php File Upload Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2007-08-28

s0cratex has discovered a vulnerability in Moon Gallery, which can be
exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/26633/

 --

[SA26628] PhpGedView login.php Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-08-28

Joshua Morin has discovered two vulnerabilities in PhpGedView, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/26628/

 --

[SA26618] Tikiwiki "username" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-08-27

A vulnerability has been discovered in Tikiwiki, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/26618/

 --

[SA26597] Mayaa Character Encoding Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-08-27

A vulnerability has been reported in Mayaa, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/26597/

 --

[SA26584] Bugzilla Security Issue and Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information,
System access
Released:    2007-08-24

Some vulnerabilities and a security issue have been reported in
Bugzilla, which can be exploited by malicious users to inject shell
commands, and by malicious people to conduct cross-site scripting
attacks and to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/26584/

 --

[SA26582] Dynamic Picture Frame "img_url" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-08-28

Joshua Morin has reported a vulnerability in Dynamic Picture Frame,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/26582/

 --

[SA26577] escafeWeb (Tuigwaa) Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2007-08-27

A vulnerability has been reported in escafeWeb (Tuigwaa), which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/26577/

 --

[SA26592] Hitachi DABroker Unspecified Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2007-08-24

A vulnerability has been reported in Hitachi DABroker, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/26592/

 --

[SA26589] Hitachi Cosminexus Application Server Incorrect Handling of
Group Permissions

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2007-08-24

A weakness has been reported in Cosminexus Application Server, which
can potentially allow a server process to perform actions with
escalated privileges.

Full Advisory:
http://secunia.com/advisories/26589/



========================================================================

Secunia recommends that you verify all advisories you receive
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support@private
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Thu Aug 30 2007 - 23:42:48 PDT