AOH :: ISNQ5484.HTM

Secunia Weekly Summary - Issue: 2008-15




Secunia Weekly Summary - Issue: 2008-15
Secunia Weekly Summary - Issue: 2008-15



=======================================================================
                  The Secunia Weekly Advisory Summary                  
                        2008-04-03 - 2008-04-10                        

                       This week: 82 advisories                        

=======================================================================Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

=======================================================================1) Word From Secunia:

Secunia has constructed the Secunia Personal Software Inspector, which
you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request for a trial of the Secunia Network Software
Inspector, which you can use to check which systems in your network are
vulnerable:
http://secunia.com/network_software_inspector/ 

=======================================================================2) This Week in Brief:

Microsoft has released their monthly security bulletins April 2008.
Please review the listed Secunia advisories for details.

References:
http://secunia.com/advisories/29720/ 
http://secunia.com/advisories/29714/ 
http://secunia.com/advisories/29712/ 
http://secunia.com/advisories/29704/ 
http://secunia.com/advisories/29696/ 
http://secunia.com/advisories/29691/ 
http://secunia.com/advisories/29690/ 
http://secunia.com/advisories/27707/ 

Secunia has constructed the Secunia Personal Software Inspector, which
you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request for a trial of the Secunia Network Software
Inspector, which you can use to check which systems in your network are
vulnerable:
http://secunia.com/network_software_inspector/ 

 --

Some vulnerabilities have been reported in Adobe Flash Player, which
can be exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to potentially
compromise a user's system.

Reference:
http://secunia.com/advisories/28083/ 

Secunia has constructed the Secunia Personal Software Inspector, which
you can use to check if your personal system is vulnerable:
https://psi.secunia.com/

Corporate users can request for a trial of the Secunia Network Software
Inspector, which you can use to check which systems in your network are
vulnerable:
http://secunia.com/network_software_inspector/ 

 --

VIRUS ALERTS:

During the past week Secunia collected 143 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

=======================================================================3) This Weeks Top Ten Most Read Advisories:

1.  [SA29650] Apple QuickTime Multiple Vulnerabilities
2.  [SA29662] Opera Multiple Vulnerabilities
3.  [SA28083] Adobe Flash Player Multiple Vulnerabilities
4.  [SA29641] HP OpenView Network Node Manager Buffer Overflow
              Vulnerability
5.  [SA29660] Symantec Products AutoFix Support Tool ActiveX Control
              Two Vulnerabilities
6.  [SA29670] Cisco Unified Communications Disaster Recovery Framework
              Command Execution
7.  [SA29633] Drupal Webform Module Unspecified Script Insertion
8.  [SA29639] Novell eDirectory Host Environment HTTP Request
              Processing Denial of Service
9.  [SA29595] gnome-screensaver Information Disclosure and Security
              Bypass
10. [SA29543] Blackboard Academic Suite "searchText" Cross-Site
              Scripting

=======================================================================4) Vulnerabilities Summary Listing

Windows:
[SA29733] Interwoven WorkSite Web TransferCtrl Class ActiveX Control
Double-Free Vulnerability
[SA29717] Tumbleweed SecureTransport FileTransfer ActiveX Control
"TransferFile()" Buffer Overflow
[SA29714] Microsoft Windows hxvz.dll ActiveX Control Memory Corruption
[SA29712] Microsoft VBScript/JScript Script Decoding Buffer Overflow
[SA29704] Microsoft Windows GDI Image Parsing Buffer Overflows
[SA29692] CDNetworks Nefficient Download NeffyLauncher ActiveX Control
Directory Traversal
[SA29691] Microsoft Visio Two File Processing Vulnerabilities
[SA29690] Microsoft Project Unspecified Code Execution Vulnerability
[SA29669] Orbit Downloader URL Processing Buffer Overflow
Vulnerability
[SA29732] SmarterMail Web Server Denial of Service Vulnerability
[SA29696] Microsoft Windows DNS Client Predictable Transaction ID
Vulnerability
[SA29713] HP OpenView Network Node Manager ovspmd.exe Buffer Overflow
[SA29758] IBiz E-Banking Integrator ActiveX Control
"WriteOFXDataFile()" Insecure Method
[SA29720] Microsoft Windows Kernel Privilege Escalation Vulnerability

UNIX/Linux:
[SA29768] Ubuntu update for ghostscript
[SA29766] Debian update for vlc
[SA29756] Fedora update for xine-lib
[SA29740] Fedora update for xine-lib
[SA29731] Fedora update for comix
[SA29680] Debian update for alsaplayer
[SA29767] Debian update for libcairo
[SA29764] Debian update for pdns-recursor
[SA29745] Gentoo update for pecl-apc
[SA29737] Fedora update for pdns-recursor
[SA29736] Fedora update for wireshark
[SA29705] Site Sift Listings "id" SQL Injection
[SA29703] PIGMy-SQL "id" SQL Injection Vulnerability
[SA29695] rPath update for wireshark
[SA29688] Debian update for mapserver
[SA29681] Gentoo update for unzip
[SA29750] Fedora update for cups
[SA29670] Cisco Unified Communications Disaster Recovery Framework
Command Execution
[SA29752] Fedora update for konversation
[SA29729] Slackware update for m4
[SA29706] Gentoo update for mysql
[SA29698] Fedora update for bzip2
[SA29682] Debian update for openldap2.3
[SA29677] Slackware update for bzip2
[SA29671] GNU M4 Format String Vulnerability and Security Issue
[SA29718] HP Integrity Servers iLO-2 Management Processors Denial of
Service
[SA29755] Fedora update for PolicyKit
[SA29754] Fedora update for audit
[SA29721] Globus Toolkit GSI-OpenSSH Information Disclosure
[SA29707] Gentoo update for nxnode and nx
[SA29686] cwRsync OpenSSH Security Bypass and Information Disclosure
[SA29683] Gentoo update for openssh
[SA29676] Slackware update for openssh
[SA29742] Fedora update for gnome-screensaver
[SA29693] rPath update for OpenSSH

Other:
[SA29744] Avaya SIP Enablement Services Multiple Vulnerabilities
[SA29708] WatchGuard Firebox Products User Enumeration Weakness

Cross Platform:
[SA29749] LokiCMS "default" PHP Code Execution Vulnerability
[SA29739] ExBB Italia "modules/threadstop/threadstop.php" File
Inclusion
[SA29684] Blogator-script File Inclusion and SQL Injection
[SA29772] Drupal Simple Access Module Security Bypass
[SA29762] Drupal Menu System Security Bypass Vulnerabilities
[SA29751] Openfire Unspecified Denial of Service
[SA29748] Adobe ColdFusion CFC Methods Access Security Bypass
[SA29746] Gallery Script Lite "path" Information Disclosure
Vulnerability
[SA29727] libfishsound Speex Header Processing Vulnerability
[SA29725] iScripts SocialWare SQL Injection and File Upload
Vulnerabilities
[SA29724] LinPHA "maps_type" Local File Inclusion Vulnerability
[SA29723] Prozilla Freelancers "project" SQL Injection Vulnerability
[SA29716] KnowledgeQuest SQL Injection and Security Bypass
[SA29715] Prozilla Entertainers "cat" SQL Injection Vulnerability
[SA29710] Links Directory "cat_id" SQL Injection Vulnerability
[SA29709] Software Index Script "cid" SQL Injection Vulnerability
[SA29701] Prozilla Cheats "id" SQL Injection Vulnerability
[SA29699] Wikepage "wiki" Information Disclosure Vulnerability
[SA29697] Comdev News Publisher "arcmonth" SQL Injection
[SA29689] Prozilla Topsites Security Bypass Vulnerabilities
[SA29685] Mole "viewsource.php" Information Disclosure Vulnerabilities
[SA29667] PHP Photo Gallery "photo_id" SQL Injection
[SA29775] TIBCO Enterprise Message Service Buffer Overflow
Vulnerabilities
[SA29774] TIBCO Rendezvous Multiple Buffer Overflow Vulnerabilities
[SA29722] Prozilla Reviews "DeleteUser.php" Security Bypass
[SA29719] WoltLab Burning Board WCF Error Printing Vulnerability
[SA29700] Xpoze "reed" SQL Injection Vulnerability
[SA29673] e-Classifieds Corporate Edition "db" Cross-Site Scripting
[SA29674] Webwasher URL Processing Denial of Service Vulnerability

=======================================================================5) Vulnerabilities Content Listing

Windows:--

[SA29733] Interwoven WorkSite Web TransferCtrl Class ActiveX Control
Double-Free Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-08

J Fitzpatrick has reported a vulnerability in Interwoven WorkSite,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/29733/ 

 --

[SA29717] Tumbleweed SecureTransport FileTransfer ActiveX Control
"TransferFile()" Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-10

Patrick Webster has reported a vulnerability in Tumbleweed
SecureTransport, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29717/ 

 --

[SA29714] Microsoft Windows hxvz.dll ActiveX Control Memory Corruption

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-08

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29714/ 

 --

[SA29712] Microsoft VBScript/JScript Script Decoding Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-08

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29712/ 

 --

[SA29704] Microsoft Windows GDI Image Parsing Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-08

Two vulnerabilities have been reported in Microsoft Windows, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29704/ 

 --

[SA29692] CDNetworks Nefficient Download NeffyLauncher ActiveX Control
Directory Traversal

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-10

Simon Ryeo has reported a vulnerability in CDNetworks Nefficient
Download, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/29692/ 

 --

[SA29691] Microsoft Visio Two File Processing Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-08

Two vulnerabilities have been reported in Microsoft Visio, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29691/ 

 --

[SA29690] Microsoft Project Unspecified Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-08

A vulnerability has been reported in Microsoft Project, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29690/ 

 --

[SA29669] Orbit Downloader URL Processing Buffer Overflow
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-04

Diego Juarez has reported a vulnerability in Orbit Downloader, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/29669/ 

 --

[SA29732] SmarterMail Web Server Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-04-08

Matteo Memelli has reported a vulnerability in SmarterMail, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29732/ 

 --

[SA29696] Microsoft Windows DNS Client Predictable Transaction ID
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2008-04-08

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to poison the DNS cache.

Full Advisory:
http://secunia.com/advisories/29696/ 

 --

[SA29713] HP OpenView Network Node Manager ovspmd.exe Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-04-09

Luigi Auriemma has discovered a vulnerability in HP OpenView Network
Node Manager, which can be exploited by malicious people to cause a DoS
(Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29713/ 

 --

[SA29758] IBiz E-Banking Integrator ActiveX Control
"WriteOFXDataFile()" Insecure Method

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-10

shinnai has discovered a vulnerability in IBiz E-Banking Integrator,
which can be exploited by malicious people to overwrite arbitrary
files.

Full Advisory:
http://secunia.com/advisories/29758/ 

 --

[SA29720] Microsoft Windows Kernel Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-04-08

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/29720/ 


UNIX/Linux:--

[SA29768] Ubuntu update for ghostscript

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-10

Ubuntu has issued an update for ghostscript. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a user's system.

Full Advisory:
http://secunia.com/advisories/29768/ 

 --

[SA29766] Debian update for vlc

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-10

Debian has issued an update for vlc. This fixes some vulnerabilities,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/29766/ 

 --

[SA29756] Fedora update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-04-09

Fedora has issued an update for xine-lib. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29756/ 

 --

[SA29740] Fedora update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-09

Fedora has issued an update for xine-lib. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29740/ 

 --

[SA29731] Fedora update for comix

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-09

Fedora has issued an update for comix. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/29731/ 

 --

[SA29680] Debian update for alsaplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-07

Debian has issued an update for alsaplayer. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29680/ 

 --

[SA29767] Debian update for libcairo

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-04-10

Debian has issued an update for libcairo. This fixes a vulnerability,
which can be exploited by malicious people to compromise an application
using the library.

Full Advisory:
http://secunia.com/advisories/29767/ 

 --

[SA29764] Debian update for pdns-recursor

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2008-04-10

Debian has issued an update for pdns-recursor. This fixes a
vulnerability, which can be exploited by malicious people to poison the
DNS cache.

Full Advisory:
http://secunia.com/advisories/29764/ 

 --

[SA29745] Gentoo update for pecl-apc

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2008-04-09

Gentoo has issued an update for pecl-apc. This fixes a vulnerability,
which can be exploited by malicious users to bypass certain security
restrictions and potentially by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/29745/ 

 --

[SA29737] Fedora update for pdns-recursor

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2008-04-09

Fedora has issued an update for pdns-recursor. This fixes a
vulnerability, which can be exploited by malicious people to poison the
DNS cache.

Full Advisory:
http://secunia.com/advisories/29737/ 

 --

[SA29736] Fedora update for wireshark

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-04-09

Fedora has issued an update for wireshark. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29736/ 

 --

[SA29705] Site Sift Listings "id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-07

S@BUN has reported a vulnerability in Site Sift Listings, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29705/ 

 --

[SA29703] PIGMy-SQL "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-07

t0pP8uZz has reported a vulnerability in PIGMy-SQL, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29703/ 

 --

[SA29695] rPath update for wireshark

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-04-07

rPath has issued an update for wireshark. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29695/ 

 --

[SA29688] Debian update for mapserver

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2008-04-07

Debian has issued an update for mapserver. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks or to potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/29688/ 

 --

[SA29681] Gentoo update for unzip

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-04-07

Gentoo has issued an update for unzip. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/29681/ 

 --

[SA29750] Fedora update for cups

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-04-09

Fedora has issued an update for cups. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29750/ 

 --

[SA29670] Cisco Unified Communications Disaster Recovery Framework
Command Execution

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, System access
Released:    2008-04-04

A vulnerability has been reported in various Cisco products, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29670/ 

 --

[SA29752] Fedora update for konversation

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-04-09

Fedora has issued an update for konversation. This fixes a
vulnerability, which can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29752/ 

 --

[SA29729] Slackware update for m4

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2008-04-08

Slackware has issued an update for m4. This fixes a security issue and
a vulnerability, which can be exploited by malicious people to
manipulate certain data or to potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29729/ 

 --

[SA29706] Gentoo update for mysql

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Privilege escalation, DoS
Released:    2008-04-07

Gentoo has issued an update for mysql. This fixes a security issue and
two vulnerabilities, which can be exploited by malicious users to gain
escalated privileges, manipulate certain data, or to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/29706/ 

 --

[SA29698] Fedora update for bzip2

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2008-04-09

Fedora has issued an update for bzip2. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/29698/ 

 --

[SA29682] Debian update for openldap2.3

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2008-04-09

Debian has issued an update for openldap2.3. This fixes some
vulnerabilities, which can be exploited by malicious users to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29682/ 

 --

[SA29677] Slackware update for bzip2

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2008-04-08

Slackware has issued an update for bzip2. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/29677/ 

 --

[SA29671] GNU M4 Format String Vulnerability and Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2008-04-08

A vulnerability and a security issue have been reported in GNU M4,
which can be exploited by malicious people to manipulate certain data
or to potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29671/ 

 --

[SA29718] HP Integrity Servers iLO-2 Management Processors Denial of
Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-04-08

A vulnerability has been reported in HP Integrity Servers, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29718/ 

 --

[SA29755] Fedora update for PolicyKit

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2008-04-09

Fedora has issued an update for PolicyKit. This fixes a vulnerability,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service) or to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29755/ 

 --

[SA29754] Fedora update for audit

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-04-09

Fedora has issued an update for audit. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/29754/ 

 --

[SA29721] Globus Toolkit GSI-OpenSSH Information Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-04-07

Globus has acknowledged a vulnerability in GSI-OpenSSH, which can be
exploited by malicious, local users to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/29721/ 

 --

[SA29707] Gentoo update for nxnode and nx

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation,
DoS
Released:    2008-04-07

Gentoo has issued an update for nxnode and nx. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service), disclose potentially sensitive
information, or to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/29707/ 

 --

[SA29686] cwRsync OpenSSH Security Bypass and Information Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of sensitive information
Released:    2008-04-07

A vulnerability and a weakness have been reported in cwRsync, which can
be exploited by malicious, local users to bypass certain security
restrictions or to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29686/ 

 --

[SA29683] Gentoo update for openssh

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of sensitive information
Released:    2008-04-07

Gentoo has issued an update for openssh. This fixes a weakness and a
vulnerability, which can be exploited by malicious, local users to
bypass certain security restrictions or to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/29683/ 

 --

[SA29676] Slackware update for openssh

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-04-07

Slackware has issued an update for openssh. This fixes a vulnerability,
which can be exploited by malicious, local users to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/29676/ 

 --

[SA29742] Fedora update for gnome-screensaver

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-04-09

Fedora has issued an update for gnome-screensaver. This fixes a
security issue, which can be exploited by malicious people with
physical access to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29742/ 

 --

[SA29693] rPath update for OpenSSH

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-04-07

rPath has issued an update for OpenSSH. This fixes a weakness, which
can be exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29693/ 


Other:--

[SA29744] Avaya SIP Enablement Services Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2008-04-09

Some vulnerabilities have been reported in Avaya SIP Enablement
Services, which can be exploited by malicious users and malicious
people to conduct SQL injection attacks, bypass certain security
restrictions, and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29744/ 

 --

[SA29708] WatchGuard Firebox Products User Enumeration Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2008-04-08

Luke Jennings has reported a weakness in some WatchGuard Firebox
products, which can be exploited by malicious people to determine valid
usernames.

Full Advisory:
http://secunia.com/advisories/29708/ 


Cross Platform:--

[SA29749] LokiCMS "default" PHP Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-04-09

__GiReX__ has discovered a vulnerability in LokiCMS, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29749/ 

 --

[SA29739] ExBB Italia "modules/threadstop/threadstop.php" File
Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information, System access
Released:    2008-04-09

The:Paradox has discovered some vulnerabilities in ExBB Italia, which
can be exploited by malicious people to disclose sensitive information
or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29739/ 

 --

[SA29684] Blogator-script File Inclusion and SQL Injection

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information,
Exposure of sensitive information, System access
Released:    2008-04-07

Some vulnerabilities have been discovered in Blogator-script, which can
be exploited by malicious people to conduct SQL injection attacks, to
disclose sensitive information, or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29684/ 

 --

[SA29772] Drupal Simple Access Module Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-04-10

A security issue has been reported in the Simple Access module for
Drupal, which can be exploited by malicious people to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/29772/ 

 --

[SA29762] Drupal Menu System Security Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-04-10

Some vulnerabilities have been reported in Drupal, which can be
exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29762/ 

 --

[SA29751] Openfire Unspecified Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-04-10

A vulnerability has been reported in Openfire, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29751/ 

 --

[SA29748] Adobe ColdFusion CFC Methods Access Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-04-09

A security issue has been reported in Adobe ColdFusion 8, which can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29748/ 

 --

[SA29746] Gallery Script Lite "path" Information Disclosure
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2008-04-10

jiko has discovered a vulnerability in Gallery Script Lite, which can
be exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/29746/ 

 --

[SA29727] libfishsound Speex Header Processing Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-04-08

A vulnerability has been reported in libfishsound, which can
potentially be exploited by malicious people to compromise an
application using the library.

Full Advisory:
http://secunia.com/advisories/29727/ 

 --

[SA29725] iScripts SocialWare SQL Injection and File Upload
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information,
System access
Released:    2008-04-10

t0pP8uZz has reported two vulnerabilities in iScripts SocialWare, which
can be exploited by malicious users to compromise a vulnerable system,
and by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29725/ 

 --

[SA29724] LinPHA "maps_type" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-04-08

A vulnerability has been discovered in LinPHA, which can be exploited
by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29724/ 

 --

[SA29723] Prozilla Freelancers "project" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-09

t0pP8uZz has reported a vulnerability in Prozilla Freelancers, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29723/ 

 --

[SA29716] KnowledgeQuest SQL Injection and Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of
sensitive information
Released:    2008-04-10

Some vulnerabilities have been discovered in KnowledgeQuest, which can
be exploited by malicious people to conduct SQL injection attacks or to
bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29716/ 

 --

[SA29715] Prozilla Entertainers "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-09

t0pP8uZz and xprog have reported a vulnerability in Prozilla
Entertainers, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/29715/ 

 --

[SA29710] Links Directory "cat_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-07

t0pP8uZz and xprog have reported a vulnerability in Links Directory,
which can be exploited by malicious people to conduct SQL Injection
attacks.

Full Advisory:
http://secunia.com/advisories/29710/ 

 --

[SA29709] Software Index Script "cid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-04-07

t0pP8uZz and xprog have reported a vulnerability in Software Index
Script, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/29709/ 

 --

[SA29701] Prozilla Cheats "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-09

t0pP8uZz has reported a vulnerability in Prozilla Cheats, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29701/ 

 --

[SA29699] Wikepage "wiki" Information Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-04-08

A.Nosrati has discovered a vulnerability in Wikepage, which can be
exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29699/ 

 --

[SA29697] Comdev News Publisher "arcmonth" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-04-07

t0pP8uZz & xprog have discovered a vulnerability in Comdev News
Publisher, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/29697/ 

 --

[SA29689] Prozilla Topsites Security Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-04-09

t0pP8uZz has reported some vulnerabilities in Prozilla Topsites, which
can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29689/ 

 --

[SA29685] Mole "viewsource.php" Information Disclosure Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2008-04-08

GoLd_M has discovered two vulnerabilities in Mole (Make Our Life Easy),
which can be exploited by malicious people to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/29685/ 

 --

[SA29667] PHP Photo Gallery "photo_id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-04-07

t0pP8uZz & xprog have reported a vulnerability in PHP Photo Gallery
(Advanced Web Photo Gallery), which can be exploited by malicious
people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29667/ 

 --

[SA29775] TIBCO Enterprise Message Service Buffer Overflow
Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-04-10

Some vulnerabilities have been reported in TIBCO products, which can be
exploited by malicious people to disclose sensitive information, cause a
DoS (Denial of Service), or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29775/ 

 --

[SA29774] TIBCO Rendezvous Multiple Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access, DoS, Exposure of sensitive information
Released:    2008-04-10

Some vulnerabilities have been reported in multiple TIBCO products,
which can be exploited by malicious people to disclose sensitive
information, cause a DoS (Denial of Service), or to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/29774/ 

 --

[SA29722] Prozilla Reviews "DeleteUser.php" Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-04-09

t0pP8uZz has reported a vulnerability in Prozilla Reviews, which can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29722/ 

 --

[SA29719] WoltLab Burning Board WCF Error Printing Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2008-04-08

Jessica Hope has reported a vulnerability in WoltLab Burning Board,
which can be exploited by malicious people to disclose potentially
sensitive information or to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29719/ 

 --

[SA29700] Xpoze "reed" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-04-07

t0pP8uZz has reported a vulnerability in Xpoze, which can be exploited
by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29700/ 

 --

[SA29673] e-Classifieds Corporate Edition "db" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-04-04

Russ McRee has reported a vulnerability in e-Classifieds, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29673/ 

 --

[SA29674] Webwasher URL Processing Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-04-04

A vulnerability has been reported in Webwasher, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29674/ 



=======================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/ 

Subscribe:
http://secunia.com/secunia_weekly_summary/ 

Contact details:
Web	: http://secunia.com/ 
E-mail	: support@secunia.com 
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 

Site design & layout copyright © 1986-2014 CodeGods