AOH :: ISN-2686.HTM

Secunia Weekly Summary - Issue: 2006-27




Secunia Weekly Summary - Issue: 2006-27
Secunia Weekly Summary - Issue: 2006-27



=======================================================================
                  The Secunia Weekly Advisory Summary                  
                        2006-06-29 - 2006-07-06                        

                       This week: 68 advisories                        

=======================================================================Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

=======================================================================1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single 
vulnerability report is being validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/ 

=======================================================================2) This Week in Brief:

A vulnerability has been reported in Apple iTunes, which can be
exploited by malicious people to compromise a user's system using
malicious AAC media files.

Additional details can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA20891 

 --

HD Moore has discovered a vulnerability in the HTML Help ActiveX
Control in Internet Explorer, which potentially can be exploited
by malicious people to compromise a user's system.

References:
http://secunia.com/SA20906 

 --

VIRUS ALERTS:

During the past week Secunia collected 142 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

=======================================================================3) This Weeks Top Ten Most Read Advisories:

1.  [SA20906] Internet Explorer HTML Help ActiveX Control Memory
              Corruption
2.  [SA20825] Internet Explorer Information Disclosure and HTA
              Application Execution
3.  [SA20867] OpenOffice Multiple Vulnerabilities
4.  [SA20748] Microsoft Windows Hyperlink Object Library Buffer
              Overflow
5.  [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
6.  [SA20891] Apple iTunes AAC File Parsing Integer Overflow
              Vulnerability
7.  [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
8.  [SA20860] Cisco Wireless Access Point Web Management Vulnerability
9.  [SA20886] Geeklog "connector.php" File Upload Vulnerability
10. [SA20877] Mac OS X Update Fixes Multiple Vulnerabilities

=======================================================================4) Vulnerabilities Summary Listing

Windows:
[SA20938] iMBCContents ActiveX Control "Execute()" Insecure Method
[SA20906] Internet Explorer HTML Help ActiveX Control Memory
Corruption
[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service
[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

UNIX/Linux:
[SA20964] Ubuntu update for libmms
[SA20944] Avaya Products Ethereal Vulnerabilities
[SA20937] Gentoo mpg123 Heap Overflow Vulnerability
[SA20921] libwmf Integer Overflow Vulnerability
[SA20897] SUSE update for Opera
[SA20951] Avaya Products PHP Multiple Vulnerabilities
[SA20931] Red Hat update for Squirrelmail
[SA20925] SUSE update for acroread
[SA20917] Linux Kernel SCTP Denial of Service Vulnerability
[SA20914] Debian update for kernel-source-2.6.8
[SA20913] SUSE update for OpenOffice_org
[SA20910] Red Hat update for OpenOffice.org
[SA20899] SUSE Updates for Multiple Packages
[SA20895] rPath update for mutt
[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability
[SA20893] Debian update for openoffice.org
[SA20900] Gentoo update for kiax
[SA20963] ppp setuid Security Issue
[SA20902] Efone "config.inc" Information Disclosure Security Issue
[SA20967] Ubuntu update for ppp
[SA20966] Ubuntu update for shadow
[SA20950] shadow setuid Vulnerability
[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability
[SA20890] SUSE update for kdebase3-kdm
[SA20939] phpSysInfo "lng" Parameter File Detection Weakness

Other:
[SA20896] Siemens Speedstream 2624 Password Protection Bypass

Cross Platform:
[SA20949] Mambo Galleria Module "mosConfig_absolute_path" File
Inclusion
[SA20923] SiteBuilder-FX "admindir" Parameter File Inclusion
Vulnerability
[SA20922] phpFormGenerator File Upload Vulnerability
[SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability
[SA20961] Icculus.org Quake 3 Engine CS_ITEMS Buffer Overflow
[SA20957] Glendown Shopping Cart Script Insertion Vulnerabilities
[SA20955] BLOG:CMS URL Parameter SQL Injection
[SA20946] Quake 3 Buffer Overflow Vulnerabilities
[SA20945] Foros "inc/config.inc" Information Disclosure Security Issue
[SA20936] Vincent LECLERCQ News Cross-Site Scripting and SQL Injection
[SA20933] Buddy Zone Script Insertion and SQL Injection
[SA20932] mAds Cross-Site Scripting and Script Insertion
[SA20927] DZCP "id" Parameter SQL Injection Vulnerability
[SA20920] Drupal Form_mail Module Mail Header Injection Vulnerability
[SA20915] MyNewsGroups "grp_id" SQL Injection Vulnerability
[SA20911] StarOffice / StarSuite Multiple Vulnerabilities
[SA20908] BXCP "where" Parameter SQL Injection Vulnerability
[SA20901] FineShop Cross-Site Scripting and SQL Injection
[SA20892] Webmin / Usermin Arbitrary File Disclosure Vulnerability
[SA20959] PHPMailList "email" Cross-Site Scripting Vulnerability
[SA20952] TTCalc Multiple Cross-Site Scripting Vulnerabilities
[SA20943] NewsPHP Cross-Site Scripting Vulnerabilities
[SA20941] ATutor Cross-Site Scripting Vulnerabilities
[SA20935] PHPWebGallery "keyword" Cross-Site Scripting Vulnerability
[SA20930] Invision Power Board Cross-Site Scripting and Security
Bypass
[SA20929] AutoRank PHP "Keyword" Cross-Site Scripting Vulnerability
[SA20924] ky2help "Meine Links" SQL Injection Vulnerability
[SA20918] Kamikaze-qscm "config.inc" Information Disclosure Security
Issue
[SA20916] the banner engine Multiple Cross-Site Scripting
Vulnerabilities
[SA20912] Taskjitsu Task Script Insertion Vulnerabilities
[SA20909] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability
[SA20907] phpMyAdmin "table" Parameter Cross-Site Scripting
[SA20905] CommuniGate Pro POP Service Empty Inbox Denial of Service
[SA20904] PHP-Fusion Image Script Insertion Vulnerability
[SA20903] AutoRank Pro "Username" Cross-Site Scripting Vulnerability
[SA20898] Nuked-Klan Blocks Management Cross-Site Request Forgery
[SA20919] Sun Java System Messaging Server Arbitrary File Disclosure
[SA20928] WordPress "paged" Disclosure of Table Prefix Weakness

=======================================================================5) Vulnerabilities Content Listing

Windows:--

[SA20938] iMBCContents ActiveX Control "Execute()" Insecure Method

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-05

Gyu Tae Park has discovered a vulnerability in the iMBCContents ActiveX
control, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/20938/ 

 --

[SA20906] Internet Explorer HTML Help ActiveX Control Memory
Corruption

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

HD Moore has discovered a vulnerability in Internet Explorer, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/20906/ 

 --

[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-07-03

Luigi Auriemma has reported a vulnerability in NASCAR Racing, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20947/ 

 --

[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-05

Some vulnerabilities have been reported in various Hitachi products,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20926/ 


UNIX/Linux:--

[SA20964] Ubuntu update for libmms

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-06

Ubuntu has issued an update for libmms. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20964/ 

 --

[SA20944] Avaya Products Ethereal Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-03

Avaya has acknowledged some vulnerabilities in ethereal included in
various Avaya products, which can be exploited by malicious people to
cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20944/ 

 --

[SA20937] Gentoo mpg123 Heap Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

Horst Schirmeier has reported a vulnerability in Gentoo's mpg123
package, which potentially can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20937/ 

 --

[SA20921] libwmf Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-03

infamous41md has reported a vulnerability in libwmf, which potentially
can be exploited by malicious people to compromise an application using
the vulnerable library.

Full Advisory:
http://secunia.com/advisories/20921/ 

 --

[SA20897] SUSE update for Opera

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2006-07-04

SUSE has issued an update for Opera. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to compromise a
user's system or to display the SSL certificate from a trusted site on
an untrusted site.

Full Advisory:
http://secunia.com/advisories/20897/ 

 --

[SA20951] Avaya Products PHP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data, Exposure of sensitive information, DoS, System access
Released:    2006-07-06

Avaya has acknowledged some vulnerabilities in PHP included in various
Avaya products, which can be exploited by malicious users to cause a
DoS (Denial of Service) or compromise a vulnerable system, and by
malicious people to conduct cross-site scripting attacks, to gain
knowledge of potentially sensitive information, and to use PHP as an
open mail relay.

Full Advisory:
http://secunia.com/advisories/20951/ 

 --

[SA20931] Red Hat update for Squirrelmail

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

Red Hat has issued an update for Squirrelmail. This fixes a
vulnerability, which can be exploited by malicious people to disclose
certain sensitive information.

Full Advisory:
http://secunia.com/advisories/20931/ 

 --

[SA20925] SUSE update for acroread

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-07-05

SUSE has issued an update for acroread. This fixes some vulnerabilities
with unknown impacts.

Full Advisory:
http://secunia.com/advisories/20925/ 

 --

[SA20917] Linux Kernel SCTP Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-07-03

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20917/ 

 --

[SA20914] Debian update for kernel-source-2.6.8

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
of sensitive information, DoS, System access
Released:    2006-07-04

Debian has issued an update for kernel-source-2.6.8. This fixes some
vulnerabilities and weaknesses, which can be exploited to bypass
certain security restrictions, disclose potentially sensitive
information, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20914/ 

 --

[SA20913] SUSE update for OpenOffice_org

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

SUSE has issued an update for OpenOffice_org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20913/ 

 --

[SA20910] Red Hat update for OpenOffice.org

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-07-04

Red Hat has issued an update for OpenOffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20910/ 

 --

[SA20899] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation, DoS, System access
Released:    2006-07-03

SUSE has issued updates for multiple packages. These fix some
vulnerabilities and security issues, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges, and by malicious people to cause a DoS (Denial of Service),
bypass certain security restrictions, or compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20899/ 

 --

[SA20895] rPath update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-30

rPath has released an update for mutt. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20895/ 

 --

[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-30

HP has acknowledged a vulnerability in HP Tru64 UNIX and HP Internet
Express running Perl, which can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a vulnerable
Perl application.

Full Advisory:
http://secunia.com/advisories/20894/ 

 --

[SA20893] Debian update for openoffice.org

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-30

Debian has issued an update for openoffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20893/ 

 --

[SA20900] Gentoo update for kiax

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-07-03

Gentoo has issued an update for kiax. This fixes two vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20900/ 

 --

[SA20963] ppp setuid Security Issue

Critical:    Moderately critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Marcus Meissner discovered a vulnerability in the winbind plugin of
ppp, which potentially can be exploited by malicious, local users to
perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20963/ 

 --

[SA20902] Efone "config.inc" Information Disclosure Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

DarkFig has discovered a security issue in Efone, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20902/ 

 --

[SA20967] Ubuntu update for ppp

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Ubuntu has issued an update for ppp. This fixes a vulnerability, which
potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20967/ 

 --

[SA20966] Ubuntu update for shadow

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Ubuntu has issued an update for shadow. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20966/ 

 --

[SA20950] shadow setuid Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-07-06

Ilja van Sprundel reported a vulnerability in the passwd application of
shadow, which potentially can be exploited by malicious, local users to
perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20950/ 

 --

[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-07-03

A vulnerability has been reported in HP-UX, which can be exploited by
malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20934/ 

 --

[SA20890] SUSE update for kdebase3-kdm

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-07-04

SUSE has issued an update for kdebase3-kdm. This fixes a vulnerability,
which can be exploited by malicious, local users to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/20890/ 

 --

[SA20939] phpSysInfo "lng" Parameter File Detection Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-07-05

Micheal Turner has discovered a weakness in phpSysInfo, which can be
exploited by malicious people to detect files on the server.

Full Advisory:
http://secunia.com/advisories/20939/ 


Other:--

[SA20896] Siemens Speedstream 2624 Password Protection Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-06-30

Jaime Blasco has reported a vulnerability in Siemens Speedstream 2624,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20896/ 


Cross Platform:--

[SA20949] Mambo Galleria Module "mosConfig_absolute_path" File
Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-05

ineal has discovered a vulnerability in the Galleria module for Mambo,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20949/ 

 --

[SA20923] SiteBuilder-FX "admindir" Parameter File Inclusion
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-03

MazaGi has discovered a vulnerability in SiteBuilder-FX, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20923/ 

 --

[SA20922] phpFormGenerator File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-07-03

Donnie Werner has discovered a vulnerability in phpFormGenerator, which
can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20922/ 

 --

[SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-30

A vulnerability has been reported in Apple iTunes, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20891/ 

 --

[SA20961] Icculus.org Quake 3 Engine CS_ITEMS Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-06

A vulnerability has been reported in the Icculus.org Quake 3 Engine,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20961/ 

 --

[SA20957] Glendown Shopping Cart Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

luny has discovered two vulnerabilities in Glendown Shopping Cart,
which can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/20957/ 

 --

[SA20955] BLOG:CMS URL Parameter SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-07-06

Ellipsis Security has discovered a vulnerability and a security issue
in BLOG:CMS, which can be exploited by malicious people to bypass
certain security restrictions and to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20955/ 

 --

[SA20946] Quake 3 Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-07-04

RunningBon has reported two vulnerabilities in the Quake 3 Engine,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20946/ 

 --

[SA20945] Foros "inc/config.inc" Information Disclosure Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

DarkFig has reported a security issue in Foros, which can be exploited
by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20945/ 

 --

[SA20936] Vincent LECLERCQ News Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-07-03

DarkFig has reported some vulnerabilities in Vincent LECLERCQ News,
which can be exploited by malicious people to conduct cross-site
scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20936/ 

 --

[SA20933] Buddy Zone Script Insertion and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-07-03

luny has reported some vulnerabilities in Buddy Zone, which can be
exploited by malicious users to conduct script insertion and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/20933/ 

 --

[SA20932] mAds Cross-Site Scripting and Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Luny has reported two vulnerabilities in mAds, which can be exploited
by malicious people to conduct cross-site scripting and script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/20932/ 

 --

[SA20927] DZCP "id" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-03

x128 has discovered a vulnerability in DZCP, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20927/ 

 --

[SA20920] Drupal Form_mail Module Mail Header Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-07-05

A vulnerability has been reported in the Form_mail module for Drupal,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/20920/ 

 --

[SA20915] MyNewsGroups "grp_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-03

CrAzY CrAcKeR has discovered a vulnerability in MyNewsGroups, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20915/ 

 --

[SA20911] StarOffice / StarSuite Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-07-03

Three vulnerabilities have been reported in StarOffice, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20911/ 

 --

[SA20908] BXCP "where" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-03

x23 has discovered a vulnerability in BXCP, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20908/ 

 --

[SA20901] FineShop Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-30

r0t has reported some vulnerabilities in Fineshop, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20901/ 

 --

[SA20892] Webmin / Usermin Arbitrary File Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2006-06-30

A vulnerability has been reported in Webmin and Usermin, which can be
exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/20892/ 

 --

[SA20959] PHPMailList "email" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

Lostmon has discovered a vulnerability in PHPMailList, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20959/ 

 --

[SA20952] TTCalc Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

luny has discovered some vulnerabilities in TTCalc, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20952/ 

 --

[SA20943] NewsPHP Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Ellipsis Security has reported two vulnerabilities in NewsPHP, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20943/ 

 --

[SA20941] ATutor Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-06

Security News has discovered some vulnerabilities in ATutor, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20941/ 

 --

[SA20935] PHPWebGallery "keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-05

The Moroccan Security Research Team reported a vulnerability in
PHPWebGallery, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20935/ 

 --

[SA20930] Invision Power Board Cross-Site Scripting and Security
Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-07-03

Two vulnerabilities have been reported in Invision Power Board, which
can be exploited by malicious users to bypass certain security
restrictions and by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20930/ 

 --

[SA20929] AutoRank PHP "Keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

David "Aesthetico" Vieira-Kurz has reported a vulnerability in AutoRank
PHP, which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20929/ 

 --

[SA20924] ky2help "Meine Links" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-07-06

Marc Ruef has reported a vulnerability in ky2help, which can be
exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20924/ 

 --

[SA20918] Kamikaze-qscm "config.inc" Information Disclosure Security
Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-07-04

DarkFig has discovered a security issue in Kamikaze-qscm, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20918/ 

 --

[SA20916] the banner engine Multiple Cross-Site Scripting
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

Ellipsis Security has reported some vulnerabilities in the banner
engine, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20916/ 

 --

[SA20912] Taskjitsu Task Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

Two vulnerabilities have been reported in Taskjitsu, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20912/ 

 --

[SA20909] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Kil13r has reported a vulnerability in MoniWiki, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20909/ 

 --

[SA20907] phpMyAdmin "table" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-03

Security News has reported a vulnerability in phpMyAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20907/ 

 --

[SA20905] CommuniGate Pro POP Service Empty Inbox Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-07-03

A vulnerability has been reported in CommuniGate Pro, which can be
exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20905/ 

 --

[SA20904] PHP-Fusion Image Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

ZeberuS and Redworm have reported a vulnerability in PHP-Fusion, which
can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/20904/ 

 --

[SA20903] AutoRank Pro "Username" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-07-04

David "Aesthetico" Vieira-Kurz has reported a vulnerability in AutoRank
Pro, which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20903/ 

 --

[SA20898] Nuked-Klan Blocks Management Cross-Site Request Forgery

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2006-06-30

Blwood has discovered a vulnerability in Nuked-Klan, which can be
exploited by malicious people to conduct cross-site request forgery
attacks.

Full Advisory:
http://secunia.com/advisories/20898/ 

 --

[SA20919] Sun Java System Messaging Server Arbitrary File Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-07-03

php0t has reported a vulnerability in Sun Java System Messaging Server
/ iPlanet Messaging Server, which can be exploited by malicious, local
users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20919/ 

 --

[SA20928] WordPress "paged" Disclosure of Table Prefix Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-07-04

zero has discovered a weakness in WordPress, which can be exploited by
malicious people to disclose system information.

Full Advisory:
http://secunia.com/advisories/20928/ 



=======================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/ 

Subscribe:
http://secunia.com/secunia_weekly_summary/ 

Contact details:
Web	: http://secunia.com/ 
E-mail	: support@secunia.com 
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com 

Site design & layout copyright © 1986-2014 CodeGods