Information Security News mailing list archives

Secunia Weekly Summary - Issue: 2008-8


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 22 Feb 2008 05:27:48 -0600 (CST)

========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2008-02-14 - 2008-02-21                        

                       This week: 60 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3.............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia invites you to join us in the biggest IT Expo event of the year
- the RSA Conference in the Moscone Center, San Francisco, California
from 7 to 11 April 2008. If you are interested in going to the expo
exhibit and meeting us, please contact your Secunia Account Executive
for a FREE EXPO PASS!

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Opera, which can be
exploited by malicious people to conduct cross-site scripting attacks,
disclose sensitive information, or bypass certain security
restrictions.

A security issue is caused by a design error in the handling of input
to file form fields, which can potentially be exploited to trick a user
into uploading arbitrary files. This is related to a previously
reported issue in Mozilla Firefox.

An error within the handling of custom comments in image properties can
be exploited to execute arbitrary script code in the wrong security
context when comments of a malicious image are displayed.

An error in the handling of attribute values when importing XML into a
document can be exploited to bypass filters and conduct cross-site
scripting attacks if these values are used as document content.

The vendor has released Opera version 9.26 to fix these issues. Users
are urged to download the secure version as soon as possible.

For more information, refer to:
http://secunia.com/advisories/29029/

To find out if your home computer is vulnerable to any of these
security problems, scan using the free Personal Software Inspector:
https://psi.secunia.com/

Check if a vulnerable version is installed on computers in your
corporate network, using the Network Software Inspector:
http://secunia.com/network_software_inspector/

 --

Some vulnerabilities, security issues, and a weakness have been
reported in various BEA WebLogic products, which can be exploited by
malicious users to conduct script insertion attacks, and by malicious
people to conduct session fixation, cross-site scripting, or brute
force attacks, disclose sensitive information, or to bypass certain
security restrictions.

Some of the vulnerabilities are related to previously-known issues in
prior versions of various BEA products.

The vulnerabilities are reported in various versions of BEA WebLogic
Express, WebLogic Portal, WebLogic Server, and Workshop for WebLogic.
The vendor has released updates for all issues.

For more information, refer to:
http://secunia.com/advisories/29041/

 --

A highly critical vulnerability has been reported in IBM Lotus Notes,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is due to an issue in Java, and is related to a
vulnerability in Sun Java, which has been known since 2004.

Successful exploitation requires that the "Enable Java access from
JavaScript" option is enabled.

The vulnerability is reported in versions 6.5.6 and 7.0, and has
reportedly been fixed in version 7.0.2.

For more information, refer to:
http://secunia.com/advisories/29035/

 --

VIRUS ALERTS:

During the past week Secunia collected 163 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA28935] Cisco Unified IP Phone Multiple Vulnerabilities
2.  [SA28980] Joomla! Quiz Component "tid" SQL Injection
3.  [SA28940] Joomla! McQuiz Component "tid" SQL Injection
4.  [SA28962] Joomla! mediaslide Component "albumnum" SQL Injection
5.  [SA28972] freePHPgallery "lang" Local File Inclusion
6.  [SA28835] Linux Kernel "vmsplice()" System Call Vulnerabilities
7.  [SA28923] PCRE Character Class Buffer Overflow
8.  [SA28979] FreeBSD update for ipsec
9.  [SA28928] FreeBSD "sendfile" Information Disclosure Security Issue
10. [SA28903] Microsoft Internet Explorer Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA29035] IBM Lotus Notes Java Plug-in Sandbox Security Bypass
[SA29003] Now SMS/MMS Gateway HTTP/SMPP Handling Buffer Overflows
[SA29024] SmarterMail Subject Script Insertion Vulnerability
[SA29021] Kerio MailServer Multiple Vulnerabilities
[SA29007] webcamXP Denial of Service and Information Disclosure
[SA29002] freeSSHd SSH Server Denial of Service Vulnerability
[SA29011] EMC RepliStor Data Decompression Buffer Overflows
[SA29031] IBM Lotus Notes Java Applet Signature Execution Control List
Security Bypass
[SA28984] StatCounteX "admin.asp" Security Bypass
[SA29033] Symantec Veritas Storage Foundation Scheduler Service Denial
of Service
[SA29030] Hitachi EUR Print Manager Unspecified Denial of Service
Vulnerability
[SA29005] DESlock+ DLMFDISK.sys/DLMFENC.sys Privilege Escalation
Vulnerabilities

UNIX/Linux:
[SA29026] Kolab Server ClamAV Multiple Vulnerabilities
[SA29012] SWORD diatheke.pl Shell Command Injection Vulnerability
[SA29001] SUSE update for clamav
[SA28989] Mandriva update for xine-lib
[SA28983] SUSE update for acroread
[SA29017] LightBlog "username" Local File Inclusion
[SA28996] Fedora update for pcre
[SA28993] HP Tru64 UNIX Perl Regular Expressions Vulnerability
[SA28985] GNOME GLib PCRE Character Class Buffer Overflow
[SA28994] CUPS "process_browse_data()" Double Free Vulnerability
[SA29004] Lotus Quickr Unspecified Cross-Site Scripting Vulnerability
[SA28987] Fedora update for moin
[SA28982] Multiple Horde Products Security Bypass
[SA29028] Hitachi SEWB3/PLATFORM Unspecified Denial of Service
[SA29009] wyrd Insecure Temporary File
[SA28995] Linux Kernel Multiple Vulnerabilities
[SA28981] Fedora update for scponly
[SA28997] Avaya CMS Solaris X Window System Information Disclosure
[SA28990] Sun Solaris vuidmice STREAMS Modules Local Denial of Service

Other:


Cross Platform:
[SA29049] Netscape Multiple Vulnerabilities
[SA29047] Globsy "globsy_edit.php" Vulnerability
[SA29042] BEA JRockit Multiple Vulnerabilities
[SA29010] MoinMoin Multiple Vulnerabilities
[SA29044] Joomla hwdVideoShare Component "cat_id" SQL Injection
[SA29041] BEA WebLogic Products Multiple Vulnerabilities
[SA29034] Schoolwires Academic Portal browse.asp Cross-Site Scripting
and SQL Injection
[SA29029] Opera Multiple Vulnerabilities
[SA29022] IBM DB2 Multiple Vulnerabilities
[SA29018] iScripts MultiCart "productid" SQL Injection Vulnerability
[SA29008] Joomla astatsPRO Component "id" SQL Injection Vulnerability
[SA29006] XPWeb "Download.php" Arbitrary File Download
[SA28998] Joomla! jooget Component "id" SQL Injection
[SA28992] BanPro-DMS "action" Local File Inclusion Vulnerability
[SA28991] BEA Products Information Disclosure Vulnerability
[SA28988] WordPress WP Photo Album Plugin "photo" SQL Injection
[SA28986] Joomla! Quran Component "surano" SQL Injection
[SA28980] Joomla! Quiz Component "tid" SQL Injection
[SA29050] Symantec Veritas Storage Foundation Administrator Service
Buffer Overflow
[SA29045] Sybase SQL Anywhere MobiLink Buffer Overflow Vulnerability
[SA29055] Invision Power Board BBCodes Script Insertion Vulnerability
[SA29043] PunBB Password Change and Cross-Site Scripting
[SA29040] BEA Products "name" Cross-Site Scripting Vulnerability
[SA29039] Tor World CGI Scripts Multiple Unspecified Cross-Site
Scripting Vulnerabilities
[SA29023] Jinzora Multiple Vulnerabilities
[SA29020] WoltLab Burning Board "sortOrder" SQL Injection
[SA29019] Lyris ListManager Security Bypass Vulnerabilities
[SA29016] ProjectPier Multiple Vulnerabilities
[SA29015] ATutor Script Insertion Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA29035] IBM Lotus Notes Java Plug-in Sandbox Security Bypass

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-20

A vulnerability has been reported in IBM Lotus Notes, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29035/

 --

[SA29003] Now SMS/MMS Gateway HTTP/SMPP Handling Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-20

Luigi Auriemma has discovered some vulnerabilities in Now SMS/MMS
Gateway, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/29003/

 --

[SA29024] SmarterMail Subject Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-20

Juan Pablo Lopez Yacubian has discovered a vulnerability in
SmarterMail, which can be exploited by malicious people to conduct
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29024/

 --

[SA29021] Kerio MailServer Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-19

Some vulnerabilities have been reported in Kerio MailServer, which
potentially can be exploited by malicious people to cause a DoS (Denial
of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29021/

 --

[SA29007] webcamXP Denial of Service and Information Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2008-02-19

Luigi Auriemma has discovered a vulnerability in webcamXP, which can be
exploited by malicious people to cause a DoS (Denial of Service) or to
disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/29007/

 --

[SA29002] freeSSHd SSH Server Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-02-18

Luigi Auriemma has discovered a vulnerability in freeSSHd, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29002/

 --

[SA29011] EMC RepliStor Data Decompression Buffer Overflows

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2008-02-21

Some vulnerabilities have been reported in EMC RepliStor, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29011/

 --

[SA29031] IBM Lotus Notes Java Applet Signature Execution Control List
Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-02-20

A security issue has been reported in IBM Lotus Notes, which can be
exploited by malicious people to bypass certain security mechanisms.

Full Advisory:
http://secunia.com/advisories/29031/

 --

[SA28984] StatCounteX "admin.asp" Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2008-02-18

SekoMirza has discovered a security issue in StatCounteX, which can be
exploited by malicious people to bypass certain security restrictions
and to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/28984/

 --

[SA29033] Symantec Veritas Storage Foundation Scheduler Service Denial
of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-02-21

A vulnerability has been reported in Symantec Veritas Storage
Foundation, which can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/29033/

 --

[SA29030] Hitachi EUR Print Manager Unspecified Denial of Service
Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-02-20

A vulnerability has been reported in Hitachi EUR Print Manager, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/29030/

 --

[SA29005] DESlock+ DLMFDISK.sys/DLMFENC.sys Privilege Escalation
Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2008-02-19

mu-b has reported some vulnerabilities in DESlock+, which can be
exploited by malicious, local users to cause a DoS (Denial of Service)
or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/29005/


UNIX/Linux:--

[SA29026] Kolab Server ClamAV Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-19

Some vulnerabilities have been reported in Kolab Server, which can be
exploited by malicious people to cause a DoS (Denial of Service) or to
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29026/

 --

[SA29012] SWORD diatheke.pl Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-19

A vulnerability has been discovered in SWORD, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29012/

 --

[SA29001] SUSE update for clamav

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-18

SUSE has issued an update for clamav. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29001/

 --

[SA28989] Mandriva update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-18

Mandriva has issued an update for xine-lib. This fixes a vulnerability,
which can potentially be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/28989/

 --

[SA28983] SUSE update for acroread

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, DoS, System access
Released:    2008-02-19

SUSE has issued an update for acroread. This fixes some
vulnerabilities, some of which have unknown impacts while others can be
exploited by malicious people to cause a DoS (Denial of Service) or
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28983/

 --

[SA29017] LightBlog "username" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-02-19

muuratsalo has discovered a vulnerability in LightBlog, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29017/

 --

[SA28996] Fedora update for pcre

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-19

Fedora has issued an update for pcre. This fixes a vulnerability, which
potentially can be exploited by malicious people to cause a DoS (Denial
of Service) or compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28996/

 --

[SA28993] HP Tru64 UNIX Perl Regular Expressions Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-21

HP has acknowledged a vulnerability in HP Tru64 UNIX, which potentially
can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28993/

 --

[SA28985] GNOME GLib PCRE Character Class Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-18

A vulnerability has been reported in GNOME GLib, which potentially can
be exploited by malicious people to cause a DoS (Denial of Service) or
compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28985/

 --

[SA28994] CUPS "process_browse_data()" Double Free Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-02-20

A vulnerability has been discovered in CUPS, which can be exploited by
malicious people to cause a DoS (Denial of Service) or to potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28994/

 --

[SA29004] Lotus Quickr Unspecified Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-18

A vulnerability has been reported in Lotus Quickr, which can be
exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/29004/

 --

[SA28987] Fedora update for moin

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-21

Fedora has issued an update for moin. This fixes some vulnerabilities,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/28987/

 --

[SA28982] Multiple Horde Products Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-02-18

A security issue has been reported in multiple Horde products, which
can be exploited by malicious users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/28982/

 --

[SA29028] Hitachi SEWB3/PLATFORM Unspecified Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-02-20

A vulnerability has been reported in Hitachi SEWB3/PLATFORM, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29028/

 --

[SA29009] wyrd Insecure Temporary File

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-02-18

A vulnerability has been discovered in wyrd, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/29009/

 --

[SA28995] Linux Kernel Multiple Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2008-02-19

Some vulnerabilities have been reported in the Linux Kernel, which can
be exploited by malicious, local users to cause a DoS (Denial of
Service) and potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/28995/

 --

[SA28981] Fedora update for scponly

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-02-18

Fedora has issued an update for scponly. This fixes a security issue,
which can be exploited by malicious, local users to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/28981/

 --

[SA28997] Avaya CMS Solaris X Window System Information Disclosure

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-02-19

Avaya has acknowledged a vulnerability in Avaya CMS, which can be
exploited by malicious, local users to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/28997/

 --

[SA28990] Sun Solaris vuidmice STREAMS Modules Local Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2008-02-18

A vulnerability has been reported in Sun Solaris, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/28990/


Other:


Cross Platform:--

[SA29049] Netscape Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
of sensitive information, DoS, System access
Released:    2008-02-21

Netscape has acknowledged some weaknesses, a security issue, and some
vulnerabilities in Netscape Navigator, which can be exploited by
malicious people to disclose sensitive information, bypass certain
security restrictions, conduct spoofing attacks, or to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/29049/

 --

[SA29047] Globsy "globsy_edit.php" Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-21

A vulnerability has been discovered in Globsy, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29047/

 --

[SA29042] BEA JRockit Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system
information, Exposure of sensitive information, System access
Released:    2008-02-20

Some vulnerabilities have been reported in BEA JRockit, which can be
exploited by malicious people to bypass certain security restrictions,
manipulate data, disclose sensitive/system information, or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29042/

 --

[SA29010] MoinMoin Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2008-02-20

Some vulnerabilities have been reported in MoinMoin, which can be
exploited by malicious people to conduct cross-site scripting attacks,
to manipulate certain data, or potentially to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/29010/

 --

[SA29044] Joomla hwdVideoShare Component "cat_id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-21

S@BUN has discovered a vulnerability in the hwdVideoShare component for
Joomla, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/29044/

 --

[SA29041] BEA WebLogic Products Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Security Bypass, Cross Site Scripting, Brute
force, Exposure of system information, Exposure of sensitive
information
Released:    2008-02-20

Some vulnerabilities, security issues, and a weakness have been
reported in various BEA WebLogic products, which can be exploited by
malicious users to conduct script insertion attacks, and by malicious
people to conduct session fixation, cross-site scripting, or brute
force attacks, disclose sensitive information, or to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/29041/

 --

[SA29034] Schoolwires Academic Portal browse.asp Cross-Site Scripting
and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-02-20

Russ McRee has reported two vulnerabilities in Schoolwires Academic
Portal, which can be exploited by malicious people to conduct
cross-site scripting or SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29034/

 --

[SA29029] Opera Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of
sensitive information
Released:    2008-02-20

Some vulnerabilities have been reported in Opera, which can be
exploited by malicious people to conduct cross-site scripting attacks,
disclose sensitive information, or to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29029/

 --

[SA29022] IBM DB2 Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS
Released:    2008-02-19

Some vulnerabilities have been reported in IBM DB2, some of which have
unknown impacts, while one can potentially be exploited by malicious
people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29022/

 --

[SA29018] iScripts MultiCart "productid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-21

t0pP8uZz and xprog have reported a vulnerability in iScripts MultiCart,
which can be exploited by malicious users to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/29018/

 --

[SA29008] Joomla astatsPRO Component "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Cross Site Scripting
Released:    2008-02-21

A vulnerability has been reported in the astatsPRO component for
Joomla, which can be exploited by malicious people to conduct
cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29008/

 --

[SA29006] XPWeb "Download.php" Arbitrary File Download

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-02-18

GoLd_M has discovered a vulnerability in XPWeb, which can be exploited
by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29006/

 --

[SA28998] Joomla! jooget Component "id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-02-18

S@BUN has discovered a vulnerability in the jooget component for
Joomla!, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/28998/

 --

[SA28992] BanPro-DMS "action" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-02-18

muuratsalo has discovered a vulnerability in BanPro-DMS, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28992/

 --

[SA28991] BEA Products Information Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2008-02-20

A vulnerability has been reported in some BEA Plumtree Collaboration
and BEA AquaLogic Interaction, which can be exploited by malicious
people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28991/

 --

[SA28988] WordPress WP Photo Album Plugin "photo" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-20

A vulnerability has been reported in the WP Photo Album (WPPA) plugin
for WordPress, which can be exploited by malicious people to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/28988/

 --

[SA28986] Joomla! Quran Component "surano" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-02-18

breaker_unit and Don have discovered a vulnerability in the Quran
component for Joomla!, which can be exploited by malicious people to
conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/28986/

 --

[SA28980] Joomla! Quiz Component "tid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-02-15

S@BUN has discovered a vulnerability in the Quiz component for Joomla!,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/28980/

 --

[SA29050] Symantec Veritas Storage Foundation Administrator Service
Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-02-21

A vulnerability has been reported in Symantec Veritas Storage
Foundation, which can be exploited by malicious people to cause a DoS
(Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29050/

 --

[SA29045] Sybase SQL Anywhere MobiLink Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-02-21

Luigi Auriemma has discovered a vulnerability in Sybase MobiLink, which
can be exploited by malicious people to cause a DoS (Denial of Service)
or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29045/

 --

[SA29055] Invision Power Board BBCodes Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-21

A vulnerability has been reported in Invision Power Board, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29055/

 --

[SA29043] PunBB Password Change and Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Brute force
Released:    2008-02-21

A vulnerability and a weakness have been discovered in PunBB, which can
be exploited by malicious users to manipulate data and by malicious
people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29043/

 --

[SA29040] BEA Products "name" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-20

Jan Fry and Adrian Pastor have reported a vulnerability in BEA
AquaLogic Interaction and BEA Plumtree Foundation, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29040/

 --

[SA29039] Tor World CGI Scripts Multiple Unspecified Cross-Site
Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-21

Some vulnerabilities have been reported in various Tor World CGI
Scripts, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29039/

 --

[SA29023] Jinzora Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-20

Alexandr Polyakov and Stas Svistunovich have discovered some
vulnerabilities in Jinzora, which can be exploited by malicious people
to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29023/

 --

[SA29020] WoltLab Burning Board "sortOrder" SQL Injection

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-20

NBBN has reported a vulnerability in WoltLab Burning Board, which can
be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29020/

 --

[SA29019] Lyris ListManager Security Bypass Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-02-20

Tyler Shields has reported some vulnerabilities in Lyris ListManager,
which can be exploited by malicious users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29019/

 --

[SA29016] ProjectPier Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-19

L4teral has reported some vulnerabilities in ProjectPier, which can be
exploited by malicious people to conduct cross-site scripting and
cross-site request forgery attacks, and by malicious users to conduct
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29016/

 --

[SA29015] ATutor Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-19

L4teral has discovered some vulnerabilities in ATutor, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29015/



========================================================================

Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; use
only those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support () secunia com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 