[ISN] Secunia Weekly Summary - Issue: 2006-26

InfoSec News isn at c4i.org
Fri Jun 30 12:36:20 EDT 2006


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2006-06-22 - 2006-06-29                        

                       This week: 88 advisories                        

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to ensure that you have the
best and most reliable source for vulnerability information. Every
single vulnerability report is validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways, e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Plebo Aesdi Nael has discovered two vulnerabilities in Internet
Explorer, which can be exploited by malicious people to disclose
potentially sensitive information and potentially compromise a user's
system.

Secunia has constructed a test for one of the issues, which is
available at:
http://secunia.com/internet_explorer_information_disclosure_vulnerability_test/

Additional details can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA20825

 --

VigilantMinds has reported a vulnerability in the Opera browser, which
potentially can be exploited by malicious people to compromise a
user's system.

Additionally, a weakness has also been reported, which can be
exploited to display the SSL certificate from a trusted site on an
untrusted site.

Further details are available in the referenced Secunia advisories.

References:
http://secunia.com/SA20787
http://secunia.com/SA19480

 --

Two vulnerabilities have been reported in various F-Secure Antivirus
products, which can be exploited by malware to bypass the scanning
functionality.

The vendor has released patches, which correct these vulnerabilities.
Please refer to the referenced Secunia advisory for additional details.

Reference:
http://secunia.com/SA20858

 --

VIRUS ALERTS:

During the past week Secunia collected 253 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20748] Microsoft Windows Hyperlink Object Library Buffer
              Overflow
2.  [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
3.  [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
4.  [SA20787] Opera JPEG Processing Integer Overflow Vulnerability
5.  [SA20825] Internet Explorer Information Disclosure and HTA
              Application Execution
6.  [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
7.  [SA20773] Yahoo! Messenger Denial of Service Weakness
8.  [SA20789] Cisco CallManager RealVNC Password Authentication Bypass
9.  [SA20723] IBM HMC Sendmail and OpenSSH Vulnerabilities
10. [SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow
[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow
[SA20789] Cisco CallManager RealVNC Password Authentication Bypass
[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability
[SA20855] Lotus Domino Malformed vCal Processing Denial of Service
[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities
[SA20790] MailEnable SMTP Service HELO Denial of Service
[SA20777] Webmin Directory Traversal Vulnerability
[SA20825] Internet Explorer Information Disclosure and HTA Application
Execution
[SA20856] CA Products Scan Job Description Format String Vulnerability
[SA20816] Cisco Secure ACS Session Management Security Issue
[SA20794] Trend Micro Control Manager "Username" Script Insertion
[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness

UNIX/Linux:
[SA20879] Mandriva update for mutt
[SA20866] Mandriva update for tetex
[SA20854] Gentoo update for mutt
[SA20850] Gentoo update for tikiwiki
[SA20846] Gentoo update for hashcash
[SA20844] Gentoo update for wv2
[SA20837] Gentoo update for emech
[SA20836] Ubuntu update for mutt
[SA20831] rPath update for kernel
[SA20829] Mandriva update for gnupg
[SA20828] Mandriva update for xine-lib
[SA20826] Mandriva update for wv2
[SA20824] Mandriva update for libwmf
[SA20811] Slackware update for gnupg
[SA20810] Mutt IMAP Namespace Buffer Overflow Vulnerability
[SA20805] EnergyMech "parse_notice" Denial of Service Vulnerability
[SA20801] Ubuntu update for gnupg
[SA20800] Hashcash "array_push" Buffer Overflow Vulnerability
[SA20792] Debian update for courier
[SA20791] SUSE update for freetype2
[SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability
[SA20782] SGI Advanced Linux Environment Multiple Updates
[SA20853] Mandriva update for gd
[SA20849] Gentoo update for horde
[SA20848] Ubuntu update for OpenLDAP
[SA20840] cPanel "file" Parameter Cross-Site Scripting Vulnerability
[SA20788] phpQLAdmin "domain" Cross-Site Scripting Vulnerability
[SA20871] Ubuntu update for mysql-server
[SA20832] Mandriva update for MySQL
[SA20869] Slackware update for kdebase
[SA20868] Slackware update for arts
[SA20827] Mandriva update for arts
[SA20786] Gentoo update for aRts
[SA20785] Gentoo update for kdebase / KDM
[SA20834] Debian update for pinball
[SA20818] PHP "error_log()" Safe Mode Bypass Weakness
[SA20809] HP-UX Kernel Denial of Service Vulnerability
[SA20778] Emilia Pinball Compiled Plugins Loading Vulnerability

Other:
[SA20860] Cisco Wireless Access Point Web Management Vulnerability

Cross Platform:
[SA20823] Mambo MOD_CBSMS Module File Inclusion Vulnerability
[SA20819] Mambo Pearl For Mambo Module File Inclusion Vulnerabilities
[SA20815] phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion
[SA20814] Bee-hive Lite Multiple File Inclusion Vulnerabilities
[SA20812] PrivateWire Registration Functionality Buffer Overflow
[SA20787] Opera JPEG Processing Integer Overflow Vulnerability
[SA20784] Helix DNA Server Heap Corruption Vulnerabilities
[SA20779] W-Agora Multiple File Inclusion Vulnerabilities
[SA20857] Scout Portal Toolkit "forumid" Parameter SQL Injection
[SA20847] MF Piadas "page" Parameter File Inclusion Vulnerability
[SA20842] Jaws Cross-Site Scripting and SQL Injection
[SA20839] Custom dating biz dating script Multiple Vulnerabilities
[SA20838] Anthill SQL Injection Vulnerabilities
[SA20813] DeluxeBB Cross-Site Scripting and SQL Injection
[SA20806] ICT "post" Parameter SQL Injection Vulnerability
[SA20802] Softbiz Dating Script SQL Injection Vulnerabilities
[SA20796] Open Guestbook Cross-Site Scripting and SQL Injection
[SA20795] MyBB "showcodebuttons" SQL Injection Vulnerability
[SA20793] IBM WebSphere Application Server Two Vulnerabilities
[SA20780] YaBB SE "user" SQL Injection Vulnerability
[SA20872] Metalhead Usenet Script "group" Cross-Site Scripting
[SA20863] Hostflow Help Desk Script Insertion Vulnerability
[SA20843] Phorum Cross-Site Scripting Vulnerability
[SA20841] SiteBar "command" Cross-Site Scripting Vulnerability
[SA20835] Sun Java System Application Server Cross-Site Scripting
[SA20833] Dating Agent PRO Cross-Site Scripting and Information
Exposure
[SA20822] dotProject "login" Parameter Cross-Site Scripting
Vulnerability
[SA20821] Namo DeepSearch "p" Parameter Cross-Site Scripting
[SA20820] aeDating Multiple Cross-Site Scripting Vulnerabilities
[SA20817] Claroline Unspecified Cross-Site Scripting Vulnerability
[SA20808] Qdig Cross-Site Scripting Vulnerabilities
[SA20804] UebiMiau Cross-Site Scripting Vulnerabilities
[SA20803] mvnForum "activatemember" Cross-Site Scripting
[SA20798] H-Sphere Multiple Cross-Site Scripting Vulnerabilities
[SA20797] XennoBB "tid" Cross-Site Scripting Vulnerability
[SA20781] GL-SH Deaf Forum show.php Cross-Site Scripting

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

A vulnerability has been reported in Nokia PC Suite, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20862/

 --

[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

A vulnerability has been reported in GraceNote CDDBControl ActiveX
Control, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/20861/

 --

[SA20789] Cisco CallManager RealVNC Password Authentication Bypass

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-23

Cisco has acknowledged a vulnerability in Cisco CallManager, which can
be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20789/

 --

[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-28

Two vulnerabilities have been reported in various F-Secure Antivirus
products, which can be exploited by malware to bypass the scanning
functionality.

Full Advisory:
http://secunia.com/advisories/20858/

 --

[SA20855] Lotus Domino Malformed vCal Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-28

Ollie Whitehouse has reported a vulnerability in Lotus Domino, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/20855/

 --

[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2006-06-28

Luigi Auriemma has reported two vulnerabilities in Icculus.org Quake3,
which can be exploited by malicious people to bypass certain security
restrictions, cause a DoS (Denial of Service), and potentially to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20851/

 --

[SA20790] MailEnable SMTP Service HELO Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-26

DivisionByZero has reported a vulnerability in MailEnable, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20790/

 --

[SA20777] Webmin Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2006-06-23

Keigo Yamazaki has reported a vulnerability in Webmin, which can be
exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/20777/

 --

[SA20825] Internet Explorer Information Disclosure and HTA Application
Execution

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-06-27

Plebo Aesdi Nael has discovered two vulnerabilities in Internet
Explorer, which can be exploited by malicious people to disclose
potentially sensitive information and potentially compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/20825/

 --

[SA20856] CA Products Scan Job Description Format String Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-06-28

A vulnerability has been reported in some CA products, which can be
exploited by malicious users to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20856/

 --

[SA20816] Cisco Secure ACS Session Management Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-06-26

Darren Bounds has reported a security issue in Cisco Secure ACS, which
can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20816/

 --

[SA20794] Trend Micro Control Manager "Username" Script Insertion

Critical:    Less critical
Where:       From local network
Impact:      Cross Site Scripting
Released:    2006-06-27

Darren Bounds has discovered a vulnerability in Trend Micro Control
Manager, which can be exploited by malicious people to conduct script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/20794/

 --

[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-26

Michael White and Graham Murphy have reported a weakness in Lanap
BotDetect ASP.NET, which can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20830/


UNIX/Linux:--

[SA20879] Mandriva update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-29

Mandriva has issued an update for mutt. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20879/

 --

[SA20866] Mandriva update for tetex

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-28

Mandriva has issued an update for tetex. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to cause a DoS (Denial of Service) and to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20866/

 --

[SA20854] Gentoo update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-29

Gentoo has issued an update for mutt. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20854/

 --

[SA20850] Gentoo update for tikiwiki

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-29

Gentoo has issued an update for tikiwiki. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20850/

 --

[SA20846] Gentoo update for hashcash

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

Gentoo has issued an update for hashcash. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20846/

 --

[SA20844] Gentoo update for wv2

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-26

Gentoo has issued an update for wv2. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise an
application using the library.

Full Advisory:
http://secunia.com/advisories/20844/

 --

[SA20837] Gentoo update for emech

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-27

Gentoo has issued an update for emech. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/20837/

 --

[SA20836] Ubuntu update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-28

Ubuntu has issued an update for mutt. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20836/

 --

[SA20831] rPath update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, DoS
Released:    2006-06-26

rPath has released an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
disclose potentially sensitive information and cause a DoS (Denial of
Service), and by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/20831/

 --

[SA20829] Mandriva update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-26

Mandriva has issued an update for gnupg. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/20829/

 --

[SA20828] Mandriva update for xine-lib

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2006-06-26

Mandriva has issued an update for xine-lib. This fixes a weakness,
which can be exploited by malicious people to crash certain
applications on a user's system.

Full Advisory:
http://secunia.com/advisories/20828/

 --

[SA20826] Mandriva update for wv2

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-26

Mandriva has issued an update for wv2. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise an
application using the library.

Full Advisory:
http://secunia.com/advisories/20826/

 --

[SA20824] Mandriva update for libwmf

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

Mandriva has issued an update for libwmf. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/20824/

 --

[SA20811] Slackware update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-28

Slackware has issued an update for gnupg. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/20811/

 --

[SA20810] Mutt IMAP Namespace Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-26

TAKAHASHI Tamotsu has reported a vulnerability in Mutt, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20810/

 --

[SA20805] EnergyMech "parse_notice" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-27

A vulnerability has been reported in EnergyMech, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20805/

 --

[SA20801] Ubuntu update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-27

Ubuntu has issued an update for gnupg. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/20801/

 --

[SA20800] Hashcash "array_push" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

A vulnerability has been reported in Hashcash, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20800/

 --

[SA20792] Debian update for courier

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-23

Debian has issued an update for courier. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/20792/

 --

[SA20791] SUSE update for freetype2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

SUSE has issued an update for freetype2. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise applications using
the library.

Full Advisory:
http://secunia.com/advisories/20791/

 --

[SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-23

A vulnerability has been reported in GnuPG, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20783/

 --

[SA20782] SGI Advanced Linux Environment Multiple Updates

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system
information, Privilege escalation, DoS
Released:    2006-06-23

SGI has issued a patch for SGI Advanced Linux Environment. This fixes
some vulnerabilities, a weakness, and two security issues, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges, to bypass certain security restrictions, and to
cause a DoS (Denial of Service), and by malicious people to bypass
certain security restrictions, to disclose system information, to cause
a DoS (Denial of Service), and to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20782/

 --

[SA20853] Mandriva update for gd

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-06-28

Mandriva has issued an update for gd. This fixes a vulnerability, which
potentially can be exploited by malicious people to cause a DoS (Denial
of Service) against applications and services using libgd.

Full Advisory:
http://secunia.com/advisories/20853/

 --

[SA20849] Gentoo update for horde

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-29

Gentoo has issued an update for horde. This fixes some vulnerabilities,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20849/

 --

[SA20848] Ubuntu update for OpenLDAP

Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

Ubuntu has issued an update for OpenLDAP. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/20848/

 --

[SA20840] cPanel "file" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-27

Preth00nker has reported a vulnerability in cPanel, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20840/

 --

[SA20788] phpQLAdmin "domain" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

r0t has reported some vulnerabilities in phpQLAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20788/

 --

[SA20871] Ubuntu update for mysql-server

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-06-28

Ubuntu has issued an update for mysql-server. This fixes a
vulnerability, which can be exploited by malicious users to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/20871/

 --

[SA20832] Mandriva update for MySQL

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-06-26

Mandriva has issued an update for MySQL. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/20832/

 --

[SA20869] Slackware update for kdebase

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-06-28

Slackware has issued an update for kdebase. This fixes a vulnerability,
which can be exploited by malicious, local users to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/20869/

 --

[SA20868] Slackware update for arts

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-28

Slackware has issued an update for arts. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20868/

 --

[SA20827] Mandriva update for arts

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-26

Mandriva has issued an update for arts. This fixes a security issue,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20827/

 --

[SA20786] Gentoo update for aRts

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-23

Gentoo has issued an update for aRts. This fixes a security issue,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20786/

 --

[SA20785] Gentoo update for kdebase / KDM

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-06-23

Gentoo has issued an update for kdebase / KDM. This fixes a
vulnerability, which can be exploited by malicious, local users to gain
knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/20785/

 --

[SA20834] Debian update for pinball

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-26

Debian has issued an update for pinball. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/20834/

 --

[SA20818] PHP "error_log()" Safe Mode Bypass Weakness

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-06-26

Maksymilian Arciemowicz has discovered a weakness in PHP, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20818/

 --

[SA20809] HP-UX Kernel Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-06-27

A vulnerability has been reported in HP-UX, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20809/

 --

[SA20778] Emilia Pinball Compiled Plugins Loading Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-26

A vulnerability has been reported in Pinball, which can be exploited by
malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/20778/


Other:--

[SA20860] Cisco Wireless Access Point Web Management Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-06-29

A vulnerability has been reported in Cisco Wireless Access Point, which
can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20860/


Cross Platform:--

[SA20823] Mambo MOD_CBSMS Module File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-27

Kw3[R]Ln has discovered a vulnerability in the MOD_CBSMS module for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/20823/

 --

[SA20819] Mambo Pearl For Mambo Module File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

Kw3[R]Ln has discovered some vulnerabilities in the Pearl For Mambo
module for Mambo, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20819/

 --

[SA20815] phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-26

Kw3[R]Ln has reported a vulnerability in the "THoRCMS" add-on for
phpBB, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/20815/

 --

[SA20814] Bee-hive Lite Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-26

Kw3[R]Ln has discovered some vulnerabilities in Bee-hive Lite, which
can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20814/

 --

[SA20812] PrivateWire Registration Functionality Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

Michael Thumann has reported a vulnerability in PrivateWire, which can
be exploited by malicious people to cause a DoS and potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20812/

 --

[SA20787] Opera JPEG Processing Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-23

VigilantMinds has reported a vulnerability in the Opera browser, which
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20787/

 --

[SA20784] Helix DNA Server Heap Corruption Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-26

Mu Security research team has reported two vulnerabilities in Helix DNA
Server, which can be exploited by malicious people to cause a DoS
(Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20784/

 --

[SA20779] W-Agora Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-23

Dedi Dwianto has discovered some vulnerabilities in W-Agora, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20779/

 --

[SA20857] Scout Portal Toolkit "forumid" Parameter SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-28

Simo64 has discovered a vulnerability in Scout Portal Toolkit, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20857/

 --

[SA20847] MF Piadas "page" Parameter File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

Kurdish Security has discovered a vulnerability in MF Piadas, which can
be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20847/

 --

[SA20842] Jaws Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-27

rgod has discovered some vulnerabilities in Jaws, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20842/

 --

[SA20839] Custom dating biz dating script Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

luny has reported some vulnerabilities in Custom dating biz dating
script, which can be exploited by malicious people to conduct
cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20839/

 --

[SA20838] Anthill SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-26

r0t has discovered two vulnerabilities in Anthill, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20838/

 --

[SA20813] DeluxeBB Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-06-26

Two vulnerabilities have been discovered in DeluxeBB, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/20813/

 --

[SA20806] ICT "post" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-26

r0t has reported a vulnerability in ICT, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20806/

 --

[SA20802] Softbiz Dating Script SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-26

Ellipsis Security has reported some vulnerabilities in Softbiz Dating
Script, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/20802/

 --

[SA20796] Open Guestbook Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-27

Moroccan Security Team has discovered two vulnerabilities in Open
Guestbook, which can be exploited by malicious people to conduct
cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20796/

 --

[SA20795] MyBB "showcodebuttons" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-06-26

imei addmimistrator has reported a vulnerability in MyBB, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20795/

 --

[SA20793] IBM WebSphere Application Server Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Exposure of sensitive information
Released:    2006-06-27

Two vulnerabilities have been reported in IBM WebSphere Application
Server, where one has an unknown impact and the other can be exploited
by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/20793/

 --

[SA20780] YaBB SE "user" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-23

Sam Thomas has discovered a vulnerability in YaBB SE, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20780/

 --

[SA20872] Metalhead Usenet Script "group" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-28

luny has reported a vulnerability in Metalhead Usenet Script, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20872/

 --

[SA20863] Hostflow Help Desk Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-28

r0t has reported a vulnerability in Hostflow, which can be exploited by
malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20863/

 --

[SA20843] Phorum Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-27

A vulnerability has been reported in Phorum, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20843/

 --

[SA20841] SiteBar "command" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-28

Botan has discovered a vulnerability in SiteBar, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20841/

 --

[SA20835] Sun Java System Application Server Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

A vulnerability has been reported in Sun Java System Application
Server, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20835/

 --

[SA20833] Dating Agent PRO Cross-Site Scripting and Information
Exposure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-06-26

Ellipsis Security has reported some vulnerabilities and a weakness in
Dating Agent PRO, which can be exploited by malicious people to
disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20833/

 --

[SA20822] dotProject "login" Parameter Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

A vulnerability has been reported in dotProject, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20822/

 --

[SA20821] Namo DeepSearch "p" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

Kil13r has reported a vulnerability in Namo DeepSearch, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20821/

 --

[SA20820] aeDating Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

Ellipsis Security has reported some vulnerabilities in aeDating, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20820/

 --

[SA20817] Claroline Unspecified Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-27

securitynews has reported a vulnerability in Claroline, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20817/

 --

[SA20808] Qdig Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

Two vulnerabilities have been discovered in Qdig, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20808/

 --

[SA20804] UebiMiau Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

r0t has reported some vulnerabilities in UebiMiau, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20804/

 --

[SA20803] mvnForum "activatemember" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

r0t has reported some vulnerabilities in mvnForum, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20803/

 --

[SA20798] H-Sphere Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-27

r0t has reported some vulnerabilities in H-Sphere, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20798/

 --

[SA20797] XennoBB "tid" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

r0t has discovered a vulnerability in XennoBB, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20797/

 --

[SA20781] GL-SH Deaf Forum show.php Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-26

Some vulnerabilities have been discovered in GL-SH Deaf Forum, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20781/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support at secunia.com
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45




