======================================================================== The Secunia Weekly Advisory Summary 2008-07-24 - 2008-07-31 This week: 85 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Try the Secunia Network Software Inspector (NSI) 2.0 for free! The Secunia NSI 2.0 is available as a 7-day trial download and can be used to scan up to 3 hosts within your network. Download the Secunia NSI trial version from: https://psi.secunia.com/NSISetup.exe ======================================================================== 2) This Week in Brief: Secunia Research has discovered some vulnerabilities in K9 Web Protection, which can be exploited by malicious people to compromise a user's system. 1) A boundary error in the filter service (k9filter.exe) when handling "Referer:" headers during access to the web-based K9 Web Protection Administration interface can be exploited to cause a stack-based buffer overflow via an overly long "Referer:" header. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious web site. 2) Two boundary errors in the filter service (k9filter.exe) when handling HTTP version information in responses from a centralised server (sp.cwfservice.net) can be exploited to cause stack-based buffer overflows via a specially crafted response containing overly long HTTP version information. Successful exploitation allows execution of arbitrary code, but requires that the request is intercepted via e.g. DNS poisoning or Man-in-the-Middle attacks. For more information, refer to: http://secunia.com/advisories/25813 -- VIRUS ALERTS: During the past week Secunia collected 184 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA27620] RealNetworks RealPlayer Multiple Vulnerabilities 2. [SA31212] OpenBSD BIND Query Port DNS Cache Poisoning 3. [SA31277] Trend Micro OfficeScan Web-Deployment ObjRemoveCtrl Class Buffer Overflows 4. [SA31172] Linux Kernel LDT Buffer Size Handling Vulnerability 5. [SA31207] Sidewinder and CyberGuard DNS Cache Poisoning 6. [SA31213] BlueCat Networks Adonis DNS Cache Poisoning 7. [SA31177] Blackboard Academic Suite Cross-Site Request Forgery Vulnerabilities 8. [SA31221] Citrix NetScaler DNS Cache Poisoning 9. [SA31198] Red Hat update for kernel 10. [SA31229] Red Hat update for kernel ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA31294] CoolPlayer M3U File Processing Buffer Overflow [SA31277] Trend Micro OfficeScan Web-Deployment ObjRemoveCtrl Class Buffer Overflows [SA31258] BookMine Cross-Site Scripting and SQL Injection [SA31242] ScrewTurn Wiki System Log Script Insertion [SA31239] Pixelpost "language_full" Local File Inclusion [SA31228] cwRsync OpenSSL Denial of Service Vulnerabilities [SA31281] Web Wiz Forum Multiple Vulnerabilities [SA31272] Web Wiz Rich Text Editor "email" Cross-Site Scripting [SA31282] European Performance Systems Probe Builder Arbitrary Process Termination [SA31278] HP OpenView Internet Service Probe Builder Arbitrary Process Termination UNIX/Linux: [SA31308] rPath update for openssl [SA31286] Slackware update for mozillla-thunderbird [SA31270] Ubuntu update for firefox and xulrunner [SA31267] Ubuntu update for poppler [SA31261] rPath update for firefox [SA31256] Debian update for ruby1.9 [SA31253] Debian update for icedove [SA31246] VMware ESX Server update for Samba and vmnix [SA31220] Ubuntu update for thunderbird [SA31311] Fedora update for pdns-recursor [SA31307] Debian update for newsx [SA31289] Slackware update for vim [SA31288] Slackware update for openssl [SA31280] Affinium Campaign Multiple Vulnerabilities [SA31269] Avaya CMS Sun Java JDK / JRE Same Origin Policy Bypass [SA31268] Ubuntu update for ffmpeg [SA31257] rPath update for tshark and wireshark [SA31251] reSIProcate Unspecified Memory Consumption Vulnerabilities [SA31236] NetBSD update for bind [SA31235] PHP Hosting Directory "adm" Security Bypass [SA31224] Red Hat update for rdesktop [SA31223] Red Hat update for vsftpd [SA31222] Red Hat update for rdesktop [SA31314] Fedora update for trac [SA31301] Sun N1 Service Provisioning System Web Server Plugin Vulnerability [SA31287] Slackware update for fetchmail [SA31284] Condor Authorization Policy Wildcard Security Bypass [SA31262] rPath update for fetchmail [SA31255] Debian update for python2.5 [SA31254] Debian update for python-dns [SA31227] Red Hat update for nss_ldap [SA31309] HP-UX System Administration Manager Security Issue [SA31226] Red Hat update for mysql [SA31229] Red Hat update for kernel [SA31312] Fedora update for phpMyAdmin [SA31303] Sun Solaris "picld" Denial of Service [SA31225] Red Hat update for coreutils Other: [SA31221] Citrix NetScaler DNS Cache Poisoning [SA31304] Panasonic Network Cameras Error Page Cross-Site Scripting Vulnerability [SA31285] Axesstel AXW-D800 Authentication Bypass Vulnerabilities Cross Platform: [SA31300] HIOX Random Ad "hm" File Inclusion Vulnerability [SA31299] HIOX Browser Statistics "hm" File Inclusion Vulnerabilities [SA31265] Unreal Tournament 3 Denial of Service and Memory Corruption [SA31297] nzFotolog "action_file" Local File Inclusion [SA31296] ZeeScripts Reviews "ItemID" SQL Injection Vulnerability [SA31292] Article Friendly Two SQL Injection Vulnerabilities [SA31291] PozScripts Classified Ads "cid" SQL Injection Vulnerability [SA31290] AVG Anti-Virus UPX Processing Denial of Service [SA31279] @Mail Multiple Information Disclosure Security Issues [SA31276] TubeGuru Video Sharing Script "UID" SQL Injection Vulnerability [SA31275] ViArt Shop "category_id" SQL Injection Vulnerability [SA31266] Unreal Tournament 2004 Denial of Service [SA31260] Gregarius "rsargs[]" SQL Injection Vulnerability [SA31259] ImpressCMS "modules/admin.php" Unspecified Vulnerability [SA31252] fizzMedia "mid" SQL Injection Vulnerability [SA31250] fipsCMS light "r" SQL Injection Vulnerability [SA31249] Jamroom Authentication Bypass and Multiple Unspecified Vulnerabilities [SA31248] IceBB "username" SQL Injection Vulnerability [SA31247] Mbius for Mimsy XG SQL Injection Vulnerabilities [SA31244] TriO "id" SQL Injection Vulnerability [SA31243] CMScout "bit" Local File Inclusion Vulnerability [SA31241] GC Auction Platinum "cate_id" SQL Injection [SA31240] SiteAdmin "art" SQL Injection Vulnerability [SA31238] Youtuber Clone "UID" SQL Injection Vulnerability [SA31234] Camera Life "id" SQL Injection Vulnerability [SA31218] Cerberus CMS "cerberus_user" Cookie Script Insertion Vulnerability [SA31283] phpFreeChat nickid Hijacking Vulnerability [SA31274] ATutor "type" File Inclusion Vulnerability [SA31264] Owl Intranet Engine "username" Cross-Site Scripting [SA31233] XRMS CRM Information Disclosure and Cross-Site Scripting [SA31231] Trac Wiki Engine Cross-Site Scripting Vulnerability [SA31219] PunBB SMTP Command Injection and Cross-Site Scripting [SA31217] Lore Cross-Site Scripting Vulnerabilities [SA31263] phpMyAdmin Cross-Site Scripting and Spoofing [SA31232] PhpWebGallery E-Mail Address Information Disclosure ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA31294] CoolPlayer M3U File Processing Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2008-07-30 Guido Landi has discovered a vulnerability in CoolPlayer, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31294/ -- [SA31277] Trend Micro OfficeScan Web-Deployment ObjRemoveCtrl Class Buffer Overflows Critical: Highly critical Where: From remote Impact: System access Released: 2008-07-29 Elazar Broad has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31277/ -- [SA31258] BookMine Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2008-07-30 Russ McRee has reported some vulnerabilities in BookMine, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/31258/ -- [SA31242] ScrewTurn Wiki System Log Script Insertion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-30 Ferruh Mavituna has reported a vulnerability in ScrewTurn Wiki, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/31242/ -- [SA31239] Pixelpost "language_full" Local File Inclusion Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-07-29 Digital Security Research Group has reported a vulnerability in Pixelpost, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/31239/ -- [SA31228] cwRsync OpenSSL Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-28 Two vulnerabilities have been reported in cwRsync, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31228/ -- [SA31281] Web Wiz Forum Multiple Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-28 CSDT has reported some vulnerabilities in Web Wiz Forum, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31281/ -- [SA31272] Web Wiz Rich Text Editor "email" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-29 CSDT has discovered a vulnerability in Web Wiz Rich Text Editor, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31272/ -- [SA31282] European Performance Systems Probe Builder Arbitrary Process Termination Critical: Less critical Where: From local network Impact: DoS Released: 2008-07-29 A vulnerability has been reported in European Performance Systems Probe Builder, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31282/ -- [SA31278] HP OpenView Internet Service Probe Builder Arbitrary Process Termination Critical: Less critical Where: From local network Impact: DoS Released: 2008-07-29 A vulnerability has been reported in HP OpenView Internet Service, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31278/ UNIX/Linux:-- [SA31308] rPath update for openssl Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-07-31 rPath has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31308/ -- [SA31286] Slackware update for mozillla-thunderbird Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-07-29 Slackware has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31286/ -- [SA31270] Ubuntu update for firefox and xulrunner Critical: Highly critical Where: From remote Impact: Security Bypass, Spoofing, DoS, System access Released: 2008-07-29 Ubuntu has issued an update for firefox and xulrunner. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, potentially conduct spoofing attacks, or compromise a user's system. Full Advisory: http://secunia.com/advisories/31270/ -- [SA31267] Ubuntu update for poppler Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-07-29 Ubuntu has issued an update for poppler. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library. Full Advisory: http://secunia.com/advisories/31267/ -- [SA31261] rPath update for firefox Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, System access Released: 2008-07-29 rPath has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31261/ -- [SA31256] Debian update for ruby1.9 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-07-28 Debian has issued an update for ruby1.9. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31256/ -- [SA31253] Debian update for icedove Critical: Highly critical Where: From remote Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access Released: 2008-07-28 Debian has issued an update for icedove. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, disclose sensitive information, or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/31253/ -- [SA31246] VMware ESX Server update for Samba and vmnix Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2008-07-29 VMware has issued an update for VMware ESX Server. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, to cause a DoS (Denial of Service), or to gain escalated privileges, and malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31246/ -- [SA31220] Ubuntu update for thunderbird Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-07-25 Ubuntu has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, disclose sensitive information, or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/31220/ -- [SA31311] Fedora update for pdns-recursor Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2008-07-31 Fedora has issued an update for pdns-recursor. This fixes a vulnerability, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/31311/ -- [SA31307] Debian update for newsx Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-07-31 Debian has issued an update for newsx. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31307/ -- [SA31289] Slackware update for vim Critical: Moderately critical Where: From remote Impact: System access Released: 2008-07-29 Slackware has issued an update for vim. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31289/ -- [SA31288] Slackware update for openssl Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-29 Slackware has issued an update for openssl. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31288/ -- [SA31280] Affinium Campaign Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS Released: 2008-07-30 Some vulnerabilities have been reported in Affinium Campaign, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, conduct cross-site scripting and script insertion attacks, or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31280/ -- [SA31269] Avaya CMS Sun Java JDK / JRE Same Origin Policy Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2008-07-28 Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31269/ -- [SA31268] Ubuntu update for ffmpeg Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-07-29 Ubuntu has issued an update for ffmpeg. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31268/ -- [SA31257] rPath update for tshark and wireshark Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-29 rPath has issued an update for tshark and wireshark. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31257/ -- [SA31251] reSIProcate Unspecified Memory Consumption Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-28 Some vulnerabilities have been reported in reSIProcate, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31251/ -- [SA31236] NetBSD update for bind Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2008-07-28 NetBSD has issued an update for bind. This fixes a vulnerability, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/31236/ -- [SA31235] PHP Hosting Directory "adm" Security Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2008-07-31 Stack has discovered a vulnerability in PHP Hosting Directory, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31235/ -- [SA31224] Red Hat update for rdesktop Critical: Moderately critical Where: From remote Impact: System access Released: 2008-07-25 Red Hat has issued an update for rdesktop. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31224/ -- [SA31223] Red Hat update for vsftpd Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-25 Red Hat has issued an update for vsftpd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31223/ -- [SA31222] Red Hat update for rdesktop Critical: Moderately critical Where: From remote Impact: System access Released: 2008-07-25 Red Hat has issued an update for rdesktop. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/31222/ -- [SA31314] Fedora update for trac Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-31 Fedora has issued an update for trac. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31314/ -- [SA31301] Sun N1 Service Provisioning System Web Server Plugin Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2008-07-31 A vulnerability has been reported in Sun N1 Service Provisioning System, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31301/ -- [SA31287] Slackware update for fetchmail Critical: Less critical Where: From remote Impact: DoS Released: 2008-07-29 Slackware has issued an update for fetchmail. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31287/ -- [SA31284] Condor Authorization Policy Wildcard Security Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2008-07-30 A security issue has been reported in Condor, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31284/ -- [SA31262] rPath update for fetchmail Critical: Less critical Where: From remote Impact: DoS Released: 2008-07-29 rPath has issued an update for fetchmail. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31262/ -- [SA31255] Debian update for python2.5 Critical: Less critical Where: From remote Impact: Exposure of sensitive information, DoS, System access Released: 2008-07-28 Debian has issued an update for python2.5. This fixes some security issues, which can potentially be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31255/ -- [SA31254] Debian update for python-dns Critical: Less critical Where: From remote Impact: Spoofing Released: 2008-07-28 Debian has issued an update for python-dns. This fixes a vulnerability, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/31254/ -- [SA31227] Red Hat update for nss_ldap Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2008-07-25 Red Hat has issued an update for nss_ldap. This fixes a security issue, which can be exploited by malicious people to manipulate certain data. Full Advisory: http://secunia.com/advisories/31227/ -- [SA31309] HP-UX System Administration Manager Security Issue Critical: Less critical Where: From local network Impact: Security Bypass Released: 2008-07-31 A security issue has been reported in HP-UX, which can lead to an insecure configuration. Full Advisory: http://secunia.com/advisories/31309/ -- [SA31226] Red Hat update for mysql Critical: Less critical Where: From local network Impact: Security Bypass, DoS Released: 2008-07-25 Red Hat has issued an update for mysql. This fixes some vulnerabilities and security issues, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious users to cause a DoS (Denial of Service) or to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31226/ -- [SA31229] Red Hat update for kernel Critical: Less critical Where: Local system Impact: Privilege escalation, DoS Released: 2008-07-25 Red Hat has issued an update for kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges. Full Advisory: http://secunia.com/advisories/31229/ -- [SA31312] Fedora update for phpMyAdmin Critical: Not critical Where: From remote Impact: Cross Site Scripting, Spoofing Released: 2008-07-31 Fedora has issued an update for phpMyAdmin. This fixes two vulnerabilities, which can be exploited by malicious local users to conduct cross-site scripting attacks, and by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/31312/ -- [SA31303] Sun Solaris "picld" Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2008-07-31 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31303/ -- [SA31225] Red Hat update for coreutils Critical: Not critical Where: Local system Impact: Security Bypass Released: 2008-07-25 Red Hat has issued an update for coreutils. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31225/ Other:-- [SA31221] Citrix NetScaler DNS Cache Poisoning Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2008-07-25 Citrix has acknowledged a vulnerability in NetScaler, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/31221/ -- [SA31304] Panasonic Network Cameras Error Page Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-31 A vulnerability has been reported in various Panasonic network cameras, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31304/ -- [SA31285] Axesstel AXW-D800 Authentication Bypass Vulnerabilities Critical: Less critical Where: From local network Impact: Security Bypass Released: 2008-07-31 Bboyhacks has reported some vulnerabilities in Axesstel AXW-D800, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/31285/ Cross Platform:-- [SA31300] HIOX Random Ad "hm" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2008-07-31 Ghost Hacker has discovered a vulnerability in HIOX Random Ad, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31300/ -- [SA31299] HIOX Browser Statistics "hm" File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2008-07-31 Ghost Hacker has discovered two vulnerabilities in HIOX Browser Statistics, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31299/ -- [SA31265] Unreal Tournament 3 Denial of Service and Memory Corruption Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-07-30 Luigi Auriemma has reported some vulnerabilities in Unreal Tournament, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31265/ -- [SA31297] nzFotolog "action_file" Local File Inclusion Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-07-31 R3d.W0rm has discovered a vulnerability in nzFotolog, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/31297/ -- [SA31296] ZeeScripts Reviews "ItemID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-31 Mr.SQL has reported a vulnerability in ZeeScripts Reviews, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31296/ -- [SA31292] Article Friendly Two SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-31 Mr.SQL has reported two vulnerabilities in Article Friendly, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31292/ -- [SA31291] PozScripts Classified Ads "cid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-31 Hussin X has reported a vulnerability in PozScripts Classified Ads, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31291/ -- [SA31290] AVG Anti-Virus UPX Processing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-29 Sergio shadown Alvarez has reported a vulnerability in AVG Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31290/ -- [SA31279] @Mail Multiple Information Disclosure Security Issues Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-07-30 Some security issues have been discovered in @Mail, which can be exploited by malicious, local users and malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/31279/ -- [SA31276] TubeGuru Video Sharing Script "UID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-31 Hussin X has reported a vulnerability in TubeGuru Video Sharing Script, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31276/ -- [SA31275] ViArt Shop "category_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-07-29 James Bercegay has reported a vulnerability in ViArt Shop, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31275/ -- [SA31266] Unreal Tournament 2004 Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-07-30 Luigi Auriemma has reported a vulnerability in Unreal Tournament 2004, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/31266/ -- [SA31260] Gregarius "rsargs[]" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-29 James Bercegay has discovered a vulnerability in Gregarius, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31260/ -- [SA31259] ImpressCMS "modules/admin.php" Unspecified Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2008-07-31 A vulnerability with an unknown impact has been reported in ImpressCMS. Full Advisory: http://secunia.com/advisories/31259/ -- [SA31252] fizzMedia "mid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-31 Mr.SQL has reported a vulnerability in fizzMedia, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31252/ -- [SA31250] fipsCMS light "r" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-28 U238 has reported a vulnerability in fipsCMS light, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31250/ -- [SA31249] Jamroom Authentication Bypass and Multiple Unspecified Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Security Bypass Released: 2008-07-29 Some vulnerabilities have been reported in Jamroom, one of which can be exploited by malicious people to bypass certain security restrictions, while others have unknown impacts. Full Advisory: http://secunia.com/advisories/31249/ -- [SA31248] IceBB "username" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-28 girex has reported a vulnerability in IceBB, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31248/ -- [SA31247] Mbius for Mimsy XG SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-31 dun has reported two vulnerabilities in Mbius for Mimsy XG, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31247/ -- [SA31244] TriO "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-28 dun has reported a vulnerability in TriO, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31244/ -- [SA31243] CMScout "bit" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-07-28 R3d.W0rm has discovered a vulnerability in CMScout, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/31243/ -- [SA31241] GC Auction Platinum "cate_id" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-07-28 Hussin X has reported a vulnerability in GC Auction Platinum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31241/ -- [SA31240] SiteAdmin "art" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-07-28 Cr_at_zy_King has reported a vulnerability in SiteAdmin, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31240/ -- [SA31238] Youtuber Clone "UID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-28 Hussin X has reported a vulnerability in Youtuber Clone, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31238/ -- [SA31234] Camera Life "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-07-28 nuclear has discovered a vulnerability in Camera Life, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/31234/ -- [SA31218] Cerberus CMS "cerberus_user" Cookie Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-29 A vulnerability has been reported in Cerberus CMS, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/31218/ -- [SA31283] phpFreeChat nickid Hijacking Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2008-07-31 A vulnerability has been reported in phpFreeChat, which can be exploited by malicious users to conduct hijacking attacks. Full Advisory: http://secunia.com/advisories/31283/ -- [SA31274] ATutor "type" File Inclusion Vulnerability Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2008-07-29 R3d.W0rm has discovered a vulnerability in ATutor, which can be exploited by malicious users to disclose sensitive information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/31274/ -- [SA31264] Owl Intranet Engine "username" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-29 Fabian Fingerle has discovered a vulnerability in Owl Intranet Engine, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31264/ -- [SA31233] XRMS CRM Information Disclosure and Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information Released: 2008-07-28 AzzCoder has discovered two vulnerabilities in XRMS CRM, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/31233/ -- [SA31231] Trac Wiki Engine Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-28 A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31231/ -- [SA31219] PunBB SMTP Command Injection and Cross-Site Scripting Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2008-07-28 Some vulnerabilities have been reported in PunBB, which can be exploited by malicious people to bypass certain security restrictions or conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/31219/ -- [SA31217] Lore Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-07-25 Some vulnerabilities have been reported in Lore, which can be exploited by malicious people to conduct cross-site scripting-attacks. Full Advisory: http://secunia.com/advisories/31217/ -- [SA31263] phpMyAdmin Cross-Site Scripting and Spoofing Critical: Not critical Where: From remote Impact: Cross Site Scripting, Spoofing Released: 2008-07-29 Aung Khant has reported two vulnerabilities in phpMyAdmin, which can be exploited by malicious local users to conduct cross-site scripting attacks, and by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/31263/ -- [SA31232] PhpWebGallery E-Mail Address Information Disclosure Critical: Not critical Where: From remote Impact: Exposure of sensitive information Released: 2008-07-30 Pat has reported a vulnerability in PhpWebGallery, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/31232/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support_at_private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.comReceived on Fri Aug 01 2008 - 02:05:44 PDT
This archive was generated by hypermail 2.2.0 : Fri Aug 01 2008 - 02:13:24 PDT