AOH :: IS1338.HTM

Secunia Weekly Summary - Issue: 2008-45




Secunia Weekly Summary - Issue: 2008-45
Secunia Weekly Summary - Issue: 2008-45



=======================================================================
                  The Secunia Weekly Advisory Summary                  
                        2008-10-30 - 2008-11-06                        

                       This week: 77 advisories                        

=======================================================================Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

=======================================================================1) Word From Secunia:

Would you like to be notified when the vendor patch gets issued?

The Secunia Vulnerability Intelligence solutions allow you to be
notified via email & SMS as soon as any major update to the
vulnerability occurs. That could be a change in criticality rating,
exploit-code appeared in the wild, patch is issued by the vendor etc.
With the professional solutions you also get access to more detailed
information for work arounds, deep links and support from Secunia
Research.  This is intelligence not part of the mailing list or weekly
summary.

http://secunia.com/advisories/business_solutions/ 

=======================================================================2) This Week in Brief:

Multiple vulnerabilities have been reported in Adobe Reader/Acrobat,
which can be exploited by malicious, local users to gain escalated
privileges or by malicious people to compromise a user's system.

For more information, refer to:
http://secunia.com/advisories/29773/ 

 --

Two vulnerabilities have been reported in VLC Media Player, which
potentially can be exploited by malicious people to compromise a user's
system.

For more information, refer to:
http://secunia.com/advisories/32569/ 

=======================================================================3) This Weeks Top Ten Most Read Advisories:

1.  [SA29773] Adobe Acrobat/Reader Multiple Vulnerabilities
2.  [SA28083] Adobe Flash Player Multiple Vulnerabilities
3.  [SA31010] Sun Java JDK / JRE Multiple Vulnerabilities
4.  [SA21044] Mambo / Joomla perForms "mosConfig_absolute_path"
              File Inclusion
5.  [SA29106] Joomla! "mosConfig_absolute_path" File Inclusion
6.  [SA32326] Microsoft Windows Path Canonicalisation Vulnerability
7.  [SA32452] Opera Command Execution and Cross-Site Scripting
8.  [SA32361] Snoopy "_httpsrequest()" Shell Command Execution
              Vulnerability
9.  [SA32488] VMware ESX Server update for libxml2
10. [SA32419] OpenOffice Multiple Vulnerabilties and Security Issue

=======================================================================4) Vulnerabilities Summary Listing

Windows:
[SA32546] NOS Microsystems getPlus ActiveX Control Buffer Overflow
[SA32513] Chilkat Crypt ActiveX Component "WriteFile()" Insecure
Method

UNIX/Linux:
[SA32538] Gentoo update for opera
[SA32514] Dns2tcp "dns_decode()" Buffer Overflow Vulnerability
[SA32493] Mahara Multiple Command Execution Vulnerabilities
[SA32489] Fedora update for openoffice.org
[SA32530] Ubuntu update for enscript
[SA32521] Fedora update for enscript
[SA32518] Fedora update for ktorrent
[SA32512] Fedora update for uw-imap
[SA32509] Ubuntu update for kernel
[SA32496] Gentoo update for libspf2
[SA32488] VMware ESX Server update for libxml2
[SA32483] UW-imapd "tmail" and "dmail" Buffer Overflow Vulnerabilities
[SA32545] HP-UX Xserver Multiple Vulnerabilities
[SA32553] PTK Command Execution Vulnerability
[SA32543] Nagios Cross-Site Request Forgery Vulnerability
[SA32482] Fedora update for phpMyAdmin
[SA32560] Net-snmp GETBULK Integer Overflow Denial of Service
[SA32539] Red Hat update for net-snmp
[SA32531] Fedora update for net-snmp
[SA32578] Debian update for mysql-dfsg-5.0
[SA32554] Novell Access Manger Identity Server X509 Session Improper
Termination
[SA32544] HP System Management Homepage Unspecified Privilege
Escalation
[SA32485] Red hat update for kernel
[SA32566] Ubuntu update for system-tools-backends
[SA32510] Linux Kernel "hfsplus_find_cat()" and
"hfsplus_block_allocate()" Denial of Service
[SA32487] CrossFire Map Pack combine.pl Insecure Temporary Files

Other:
[SA32498] SonicWALL Products Content Filtering Service Cross-Site
Scripting
[SA32573] Cisco IOS / CatOS VLAN Trunking Protocol Vulnerability

Cross Platform:
[SA32569] VLC Media Player CUE and RealText Processing Buffer
Overflows
[SA32551] Joomla Dada Mail Manager Component "mosConfig_absolute_path"
File Inclusion
[SA32533] Joomla VirtueMart Google Base Component
"mosConfig_absolute_path" File Inclusion
[SA32520] Joomla Flash Tree Gallery Component "mosConfig_live_site"
File Inclusion
[SA32516] Simple Machines Forum Multiple Vulnerabilities
[SA32515] Way Of The Warrior "plancia" File Inclusion Vulnerabilities
[SA32579] Five Dollar Scripts Drinks Script "recid" SQL Injection
Vulnerability
[SA32564] PHPX "news_id" SQL Injection Vulnerability
[SA32563] Pre Podcast Portal "id" SQL Injection Vulnerability
[SA32559] GeSHi Unspecified Code Execution Vulnerability
[SA32558] SFS Multiple Products "cat_id" SQL Injection
[SA32557] PreProjects Products Cookie Security Bypass Vulnerability
[SA32556] nicLOR Sito Includefile "page_file" Local File Inclusion
[SA32552] SFS EZ BIZ PRO "id" SQL Injection Vulnerability
[SA32550] SFS EZ Webring "cat" SQL Injection Vulnerability
[SA32548] Tribiq CMS "template_path" Cross-Site Scripting and Local
File Inclusion
[SA32547] PHP Auto Listings "itemno" SQL Injection Vulnerability
[SA32542] Logz CMS "art" SQL Injection and Cross-Site Scripting
[SA32540] U-Mail "edit.php" Arbitrary File Creation Vulnerability
[SA32536] SFS EZ Hotscripts-like Site Multiple SQL Injection
Vulnerabilities
[SA32532] SFS EZ Hot ot Not "phid" SQL Injection Vulnerability
[SA32528] SFS EZ Auction "cat" SQL Injection Vulnerability
[SA32527] SFS EZ Career "topic" SQL Injection Vulnerability
[SA32526] SFS EZ Top Sites "ts" SQL Injection Vulnerability
[SA32525] SFS EZ e-store "where" SQL Injection Vulnerability
[SA32524] SFS EZ Pub Site "cat" SQL Injection Vulnerability
[SA32523] Joomla Pro Desk Component "include_file" Local File Inclusion
Vulnerability
[SA32522] SFS EZ Gaming Cheats "id" SQL Injection Vulnerability
[SA32519] Article Publisher Pro SQL Injection Vulnerabilities
[SA32517] Acc Scripts Products "username_cookie" Cookie Security
Bypass
[SA32507] Acc PHP eMail "NEWSLETTERLOGIN" Cookie Security Bypass
Vulnerability
[SA32504] YourFreeWorld Products "id" SQL Injection Vulnerability
[SA32503] ToursManager "cityid" SQL Injection Vulnerability
[SA32502] Simple Document Management System "login" and "pass" SQL
Injection
[SA32500] PHP-Nuke BookCatalog Module "catid" SQL Injection
Vulnerability
[SA32497] Apache Struts Security Bypass and Directory Traversal
[SA32495] XWork "ParameterInterceptor" Security Bypass Vulnerability
[SA32492] YourFreeWorld Shopping Cart Script "c" SQL Injection
Vulnerability
[SA32491] Joovili Multiple Cookie Security Bypass Vulnerability
[SA32484] NetRisk Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA32572] Drupal Content Construction Kit Script Insertion
Vulnerabilities
[SA32555] DHCart "order.php" Two Cross-Site Scripting Vulnerabilities
[SA32549] firmCHANNEL Digital Signage "action" Cross-Site Scripting
Vulnerability
[SA32511] RateMe Cross-Site Scripting and Cross-Site Request Forgery
[SA32506] SignMe "hash" Cross-Site Scripting Vulnerability
[SA32505] MyGallery "mghash" Cross-Site Scripting Vulnerability
[SA32567] Adobe ColdFusion Sandbox Security Bypass Vulnerability

=======================================================================5) Vulnerabilities Content Listing

Windows:--

[SA32546] NOS Microsystems getPlus ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-05

A vulnerability has been reported in the NOS Microsystems getPlus
ActiveX control, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32546/ 

 --

[SA32513] Chilkat Crypt ActiveX Component "WriteFile()" Insecure
Method

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-04

shinnai has discovered a vulnerability in Chilkat Crypt ActiveX
Component, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/32513/ 


UNIX/Linux:--

[SA32538] Gentoo update for opera

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure
of system information, Exposure of sensitive information, DoS, System
access
Released:    2008-11-04

Gentoo has issued an update for opera. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose system and
potentially sensitive information, conduct spoofing and cross-site
scripting attacks,  bypass certain security restrictions, and
potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32538/ 

 --

[SA32514] Dns2tcp "dns_decode()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-03

A vulnerability has been reported in Dns2tcp, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32514/ 

 --

[SA32493] Mahara Multiple Command Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-05

Some vulnerabilities have been reported in Mahara, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32493/ 

 --

[SA32489] Fedora update for openoffice.org

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-10-31

Fedora has issued an update for openoffice.org. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32489/ 

 --

[SA32530] Ubuntu update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-04

Ubuntu has issued an update for enscript. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32530/ 

 --

[SA32521] Fedora update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-06

Fedora has issued an update for enscript. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32521/ 

 --

[SA32518] Fedora update for ktorrent

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2008-11-06

Fedora has issued an update for ktorrent. This fixes some
vulnerabilities, which can be exploited by malicious users to
compromise a vulnerable system and malicious people to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/32518/ 

 --

[SA32512] Fedora update for uw-imap

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2008-11-06

Fedora has issued an update for uw-imap. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
potentially gain escalated privileges, and by malicious people to
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32512/ 

 --

[SA32509] Ubuntu update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-05

Ubuntu has issued an update for the kernel. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32509/ 

 --

[SA32496] Gentoo update for libspf2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-10-31

Gentoo has issued an update for libspf2. This fixes a vulnerability,
which can be exploited by malicious people to potentially compromise an
application using the library.

Full Advisory:
http://secunia.com/advisories/32496/ 

 --

[SA32488] VMware ESX Server update for libxml2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-10-31

VMware has issued an update for VMware ESX Server. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32488/ 

 --

[SA32483] UW-imapd "tmail" and "dmail" Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2008-11-03

Two vulnerabilities have been reported in UW-imapd, which can be
exploited by malicious, local users to potentially gain escalated
privileges, and by malicious people to potentially compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/32483/ 

 --

[SA32545] HP-UX Xserver Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Privilege escalation, DoS, System access
Released:    2008-11-04

HP has acknowledged some vulnerabilities in HP-UX, which can be
exploited by malicious, local users to disclose potentially sensitive
information or gain escalated privileges, and by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32545/ 

 --

[SA32553] PTK Command Execution Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2008-11-06

A vulnerability has been reported in PTK, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32553/ 

 --

[SA32543] Nagios Cross-Site Request Forgery Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-05

A vulnerability has been reported in Nagios, which can be exploited by
malicious people to conduct cross-site request forgery attacks.

Full Advisory:
http://secunia.com/advisories/32543/ 

 --

[SA32482] Fedora update for phpMyAdmin

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-10-31

Fedora has issued an update for phpMyAdmin. This fixes a vulnerability,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/32482/ 

 --

[SA32560] Net-snmp GETBULK Integer Overflow Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-11-03

A vulnerability has been reported in Net-snmp, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32560/ 

 --

[SA32539] Red Hat update for net-snmp

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-11-04

Red Hat has issued an update for net-snmp. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/32539/ 

 --

[SA32531] Fedora update for net-snmp

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-11-06

Fedora has issued an update for net-snmp. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32531/ 

 --

[SA32578] Debian update for mysql-dfsg-5.0

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-11-06

Debian has issued an update for mysql-dfsg-5.0. This fixes a security
issue, which can be exploited by malicious, local users to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/32578/ 

 --

[SA32554] Novell Access Manger Identity Server X509 Session Improper
Termination

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-11-05

A security issue has been reported in Novell Access Manager Identity
Server, which can be exploited by malicious, local users to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/32554/ 

 --

[SA32544] HP System Management Homepage Unspecified Privilege
Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-04

A vulnerability has been reported in HP System Management Homepage
(SMH), which can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/32544/ 

 --

[SA32485] Red hat update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS, Privilege escalation, Exposure of sensitive
information
Released:    2008-11-04

Red Hat has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service), to disclose potentially sensitive
information, or to potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/32485/ 

 --

[SA32566] Ubuntu update for system-tools-backends

Critical:    Not critical
Where:       From remote
Impact:      Brute force
Released:    2008-11-06

Ubuntu has issued an update for system-tools-backend. This fixes a
weakness, which can be exploited by malicious people to conduct brute
force attacks.

Full Advisory:
http://secunia.com/advisories/32566/ 

 --

[SA32510] Linux Kernel "hfsplus_find_cat()" and
"hfsplus_block_allocate()" Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2008-11-04

Some vulnerabilities have been reported in the Linux Kernel, which can
be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/32510/ 

 --

[SA32487] CrossFire Map Pack combine.pl Insecure Temporary Files

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-10-31

A security issue has been reported in CrossFire, which can be exploited
by malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32487/ 


Other:--

[SA32498] SonicWALL Products Content Filtering Service Cross-Site
Scripting

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-10-31

A vulnerability has been reported in various SonicWALL products, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/32498/ 

 --

[SA32573] Cisco IOS / CatOS VLAN Trunking Protocol Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-11-06

A vulnerability has been reported in Cisco IOS/CatOS, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32573/ 


Cross Platform:--

[SA32569] VLC Media Player CUE and RealText Processing Buffer
Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-06

Two vulnerabilities have been reported in VLC Media Player, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/32569/ 

 --

[SA32551] Joomla Dada Mail Manager Component "mosConfig_absolute_path"
File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-06

NoGe has discovered a vulnerability in the Dada Mail Manager component
for Joomla, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/32551/ 

 --

[SA32533] Joomla VirtueMart Google Base Component
"mosConfig_absolute_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-05

NoGe has discovered a vulnerability in the VirtueMart Google Base
component for Joomla, which can be exploited by malicious people to
compromise a vulnerable system

Full Advisory:
http://secunia.com/advisories/32533/ 

 --

[SA32520] Joomla Flash Tree Gallery Component "mosConfig_live_site"
File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-03

NoGe has reported a vulnerability in the Flash Tree Gallery component
for Joomla!, which can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/32520/ 

 --

[SA32516] Simple Machines Forum Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information,
System access
Released:    2008-11-05

Some vulnerabilities have been discovered in Simple Machines Forum,
which can be exploited by malicious people to conduct cross-site
request forgery attacks and by malicious users to disclose potentially
sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32516/ 

 --

[SA32515] Way Of The Warrior "plancia" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2008-11-05

Some vulnerabilities have been discovered in Way Of The Warrior (WOTW),
which can be exploited by malicious people to disclose sensitive
information or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32515/ 

 --

[SA32579] Five Dollar Scripts Drinks Script "recid" SQL Injection
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-06

Ex Tacy has reported a vulnerability in Five Dollar Scripts Drinks
script, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32579/ 

 --

[SA32564] PHPX "news_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-06

StAkeR has discovered a vulnerability in PHPX, which can be exploited
by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32564/ 

 --

[SA32563] Pre Podcast Portal "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-06

G4N0K has reported a vulnerability in Pre Podcast Portal, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32563/ 

 --

[SA32559] GeSHi Unspecified Code Execution Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-03

A vulnerability has been reported in GeSHI, which can potentially be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32559/ 

 --

[SA32558] SFS Multiple Products "cat_id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

A vulnerability has been reported in multiple SFS products, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32558/ 

 --

[SA32557] PreProjects Products Cookie Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-11-06

G4N0K has reported a vulnerability in multiple PreProjects products,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/32557/ 

 --

[SA32556] nicLOR Sito Includefile "page_file" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-11-05

StAkeR has discovered a vulnerability in nicLOR Sito Includefile, which
can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32556/ 

 --

[SA32552] SFS EZ BIZ PRO "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

d3b4g has reported a vulnerability in SFS EZ BIZ PRO, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32552/ 

 --

[SA32550] SFS EZ Webring "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

d3b4g has reported a vulnerability in SFS EZ Webring, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32550/ 

 --

[SA32548] Tribiq CMS "template_path" Cross-Site Scripting and Local
File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information,
Exposure of sensitive information
Released:    2008-11-03

Some vulnerabilities have been discovered in Tribiq CMS, which can be
exploited by malicious people to conduct cross-site scripting attacks
or to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32548/ 

 --

[SA32547] PHP Auto Listings "itemno" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-06

G4N0K has reported a vulnerability in PHP Auto Listings, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32547/ 

 --

[SA32542] Logz CMS "art" SQL Injection and Cross-Site Scripting

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-11-03

Some vulnerabilities have been discovered in Logz CMS, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32542/ 

 --

[SA32540] U-Mail "edit.php" Arbitrary File Creation Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2008-11-05

Shennan Wang has reported a vulnerability in U-Mail, which can be
exploited by malicious users to bypass certain security restrictions
and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32540/ 

 --

[SA32536] SFS EZ Hotscripts-like Site Multiple SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

Some vulnerabilities have been reported in SFS EZ Hotscripts-like Site,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/32536/ 

 --

[SA32532] SFS EZ Hot ot Not "phid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

d3b4g has reported a vulnerability in SFS EZ Hot ot Not, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32532/ 

 --

[SA32528] SFS EZ Auction "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Manipulation of data
Released:    2008-11-03

Mountassif Moad has reported a vulnerability in SFS EZ Auction, which
can be exploited by malicious people to conduct SQL Injection attacks.

Full Advisory:
http://secunia.com/advisories/32528/ 

 --

[SA32527] SFS EZ Career "topic" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

Mountassif Moad has reported a vulnerability in SFS EZ Career, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32527/ 

 --

[SA32526] SFS EZ Top Sites "ts" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

Mountassif Moad has reported a vulnerability in SFS EZ Top Sites, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32526/ 

 --

[SA32525] SFS EZ e-store "where" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

ZoRLu has reported a vulnerability in SFS EZ e-store, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32525/ 

 --

[SA32524] SFS EZ Pub Site "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

Hakxer has reported a vulnerability in SFS EZ Pub Site, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32524/ 

 --

[SA32523] Joomla Pro Desk Component "include_file" Local File Inclusion
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-11-05

d3v1l has reported a vulnerability in the Pro Desk component for
Joomla, which can be exploited by malicious people to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/32523/ 

 --

[SA32522] SFS EZ Gaming Cheats "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-03

ZoRLu has reported a vulnerability in SFS EZ Gaming Cheats, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32522/ 

 --

[SA32519] Article Publisher Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2008-11-03

Some vulnerabilities have been reported in Article Publisher Pro, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32519/ 

 --

[SA32517] Acc Scripts Products "username_cookie" Cookie Security
Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-11-04

Hakxer has reported a vulnerability in multiple Acc Scripts products,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/32517/ 

 --

[SA32507] Acc PHP eMail "NEWSLETTERLOGIN" Cookie Security Bypass
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-11-04

Hakxer has reported a vulnerability in Acc PHP eMail, which can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/32507/ 

 --

[SA32504] YourFreeWorld Products "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-03

Hussin X has reported a vulnerability in various YourFreeWorld
products, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32504/ 

 --

[SA32503] ToursManager "cityid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-05

G4N0K has reported a vulnerability in ToursManager, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32503/ 

 --

[SA32502] Simple Document Management System "login" and "pass" SQL
Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-11-05

Yuri has discovered a vulnerability in Simple Document Management
System (SDMS), which can be exploited by malicious people to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32502/ 

 --

[SA32500] PHP-Nuke BookCatalog Module "catid" SQL Injection
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-10-31

Ehsan_Hp200 has reported a vulnerability in the BookCatalog module for
PHP-Nuke, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32500/ 

 --

[SA32497] Apache Struts Security Bypass and Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
of sensitive information
Released:    2008-11-04

Some vulnerabilities have been reported in Apache Struts, which can be
exploited by malicious people to bypass certain security restrictions
or to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32497/ 

 --

[SA32495] XWork "ParameterInterceptor" Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-11-04

A vulnerability has been reported in XWork, which can be exploited by
malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/32495/ 

 --

[SA32492] YourFreeWorld Shopping Cart Script "c" SQL Injection
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-03

Hussin X has reported a vulnerability in YourFreeWorld Shopping Cart
Script with Affiliate Program, which can be exploited by malicious
people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32492/ 

 --

[SA32491] Joovili Multiple Cookie Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-11-03

ZoRLu has reported a vulnerability in Joovili, which can be exploited
by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/32491/ 

 --

[SA32484] NetRisk Cross-Site Scripting and SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-11-03

StAkeR has discovered some vulnerabilities in NetRisk, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32484/ 

 --

[SA32572] Drupal Content Construction Kit Script Insertion
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-06

Some vulnerabilities have been reported in the Drupal Content
Construction Kit (CCK), which can be exploited by malicious users to
conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/32572/ 

 --

[SA32555] DHCart "order.php" Two Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-05

Lostmon has reported two vulnerabilities in DHCart, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32555/ 

 --

[SA32549] firmCHANNEL Digital Signage "action" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-05

Brad Antoniewicz has reported a vulnerability in firmCHANNEL Digital
Signage, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32549/ 

 --

[SA32511] RateMe Cross-Site Scripting and Cross-Site Request Forgery

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-03

Russ McRee has reported some vulnerabilities in RateMe, which can be
exploited by malicious people to conduct cross-site request forgery and
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32511/ 

 --

[SA32506] SignMe "hash" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-03

Russ McRee has discovered a vulnerability in SignMe, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32506/ 

 --

[SA32505] MyGallery "mghash" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-03

Russ McRee has discovered a vulnerability in MyGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32505/ 

 --

[SA32567] Adobe ColdFusion Sandbox Security Bypass Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-11-06

A vulnerability has been reported in Adobe ColdFusion, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/32567/ 



=======================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/ 

Subscribe:
http://secunia.com/advisories/weekly_summary/ 

Contact details:
Web	: http://secunia.com/ 
E-mail	: support@secunia.com 
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45


______________________________________________      
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods