[ISN] Secunia Weekly Summary - Issue: 2006-9

InfoSec News isn at c4i.org
Fri Mar 3 05:30:24 EST 2006


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2006-02-23 - 2006-03-02                        

                       This week : 66 advisories                       

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to provide you with the best
and most reliable source for vulnerability information. Every single
vulnerability report is validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways, e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave
Player, which can be exploited by malicious people to compromise a
user's system.

For additional details please refer to the referenced Secunia advisory
below.

Reference:
http://secunia.com/SA19009


VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18963] Mac OS X File Association Meta Data Shell Script
              Execution
2.  [SA19009] Macromedia ShockWave Player ActiveX Installer Buffer
              Overflow
3.  [SA16280] IBM Lotus Notes Multiple Vulnerabilities
4.  [SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
5.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6.  [SA18989] The Bat! Email Subject Header Buffer Overflow
              Vulnerability
7.  [SA19014] Website Generator PHP Code Injection Vulnerability
8.  [SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
9.  [SA18990] ArGoSoft Mail Server Pro Multiple Vulnerabilities
10. [SA19001] iCal "Calendar Text" Script Insertion Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer
Overflow
[SA19067] Mail Transport System Professional Mail Relay Vulnerability
[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion
[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability
[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities
[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection
[SA19001] iCal "Calendar Text" Script Insertion Vulnerability
[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability
[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability
[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
[SA19006] SpeedProject Products ZIP and JAR Directory Traversal
[SA19059] HP System Management Homepage Directory Traversal
[SA19077] M4 Project enigma-suite Default Account Password Weakness
[SA19057] Internet Explorer Iframe Folder Deletion Weakness

UNIX/Linux:
[SA19000] Mandriva update for metamail
[SA19071] Flex Unspecified Scanner Vulnerabilities
[SA19065] Debian update for gpdf
[SA19041] Sun Solaris update for Perl
[SA19036] iGENUS Webmail File Inclusion Vulnerability
[SA19030] Gentoo update for graphicsmagick
[SA19029] Debian update for bmv
[SA19021] Debian update for pdftohtml
[SA19016] Trustix update for sudo / tar
[SA19012] SUSE Updates for Multiple Packages
[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow
[SA18999] Ubuntu update for tar
[SA19046] NuFW TLS Socket Handling Denial of Service
[SA19038] SUSE update for kernel
[SA19035] Ubuntu update for postgresql
[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service
[SA19015] Trustix update for postgresql
[SA19005] SUSE update for heimdal
[SA19042] Sun Solaris HSFS File System Privilege Escalation
Vulnerability
[SA19027] Gentoo update for noweb

Other:
[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting
[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Cross Platform:
[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability
[SA19055] PeHePe Membership Management System Two Vulnerabilities
[SA19047] ShoutLIVE Multiple Vulnerabilities
[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability
[SA19020] freeForum Multiple Vulnerabilities
[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities
[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability
[SA19056] sendcard Unspecified SQL Injection Vulnerabilities
[SA19053] DirectContact Directory Traversal Vulnerability
[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection
[SA19045] EKINboard Multiple Vulnerabilities
[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability
[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability
[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities
[SA19007] Calcium "EventText" Script Insertion Vulnerability
[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion
[SA19003] iUser Ecommerce Unspecified Vulnerabilities
[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting
Vulnerability
[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities
[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities
[SA19050] WordPress Cross-Site Scripting Vulnerabilities
[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability
[SA19031] JFacets "ProfileID" Profile Change Vulnerability
[SA19026] 4images "template" Parameter File Inclusion Vulnerability
[SA19014] Website Generator PHP Code Injection Vulnerability
[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability
[SA19034] MySQL Query Logging Bypass Security Issue
[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer
Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave
Player, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/19009/

 --

[SA19067] Mail Transport System Professional Mail Relay Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-01

A vulnerability has been reported in Mail Transport System (MTS)
Professional, which can be exploited by malicious people to use it as
an open mail relay.

Full Advisory:
http://secunia.com/advisories/19067/

 --

[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2002
Standard Edition, which can be exploited by malicious people to conduct
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19060/

 --

[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-28

Nemesis Security Audit Group has discovered a vulnerability in SPiD,
which can be exploited by malicious people to disclose potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/19033/

 --

[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-27

Mustafa Can Bjorn has discovered two vulnerabilities in Pentacle In-Out
Board, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19024/

 --

[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2005
Professional Edition, which can be exploited by malicious people to
conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19019/

 --

[SA19001] iCal "Calendar Text" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

KeyShore and Yog have discovered a vulnerability in iCal, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19001/

 --

[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

runvirus has reported a vulnerability in bttlxeForum, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19043/

 --

[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-02-28

KeyShore and Yog have reported a vulnerability in Parodia, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19025/

 --

[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has discovered a vulnerability in WinACE, which potentially
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19013/

 --

[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has reported a vulnerability in StuffIt and ZipMagic, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/19010/

 --

[SA19006] SpeedProject Products ZIP and JAR Directory Traversal

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has reported a vulnerability in various SpeedProject
products, which potentially can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19006/

 --

[SA19059] HP System Management Homepage Directory Traversal

Critical:    Less critical
Where:       From local network
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2006-03-01

A vulnerability has been reported in HP System Management Homepage,
which can be exploited by malicious people to gain knowledge of
potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19059/

 --

[SA19077] M4 Project enigma-suite Default Account Password Weakness

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-03-01

A weakness has been reported in M4 Project enigma-suite, which can be
exploited by malicious, local users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/19077/

 --

[SA19057] Internet Explorer Iframe Folder Deletion Weakness

Critical:    Not critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-28

cyber flash has discovered a weakness in Internet Explorer, which can
be exploited by malicious people to trick users into deleting local
folders.

Full Advisory:
http://secunia.com/advisories/19057/


UNIX/Linux:--

[SA19000] Mandriva update for metamail

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-23

Mandriva has issued an update for metamail. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/19000/

 --

[SA19071] Flex Unspecified Scanner Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-03-01

Some vulnerabilities have been reported in Flex, which have an unknown
impact.

Full Advisory:
http://secunia.com/advisories/19071/

 --

[SA19065] Debian update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-28



Full Advisory:
http://secunia.com/advisories/19065/

 --

[SA19041] Sun Solaris update for Perl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-01

Sun has issued an update for perl. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a vulnerable Perl application.

Full Advisory:
http://secunia.com/advisories/19041/

 --

[SA19036] iGENUS Webmail File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-27

rgod has reported a vulnerability in iGENUS Webmail, which can be
exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/19036/

 --

[SA19030] Gentoo update for graphicsmagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

Gentoo has issued an update for graphicsmagick. This fixes a
vulnerability, which potentially can be exploited by malicious people
to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19030/

 --

[SA19029] Debian update for bmv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-28

Debian has issued an update for bmv. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/19029/

 --

[SA19021] Debian update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-28



Full Advisory:
http://secunia.com/advisories/19021/

 --

[SA19016] Trustix update for sudo / tar

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2006-02-27

Trustix has issued updates for sudo and tar. These fix some
vulnerabilities, which can be exploited by malicious, local users to
gain escalated privileges, and malicious people to cause a DoS (Denial
of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19016/

 --

[SA19012] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2006-02-27

SUSE has issued an update for multiple packages. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and HTTP response splitting attacks, cause a DoS
(Denial of Service), and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19012/

 --

[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-24

Jean-Sébastien Guay-Leroux has discovered a vulnerability in zoo, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19002/

 --

[SA18999] Ubuntu update for tar

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-23

Ubuntu has issued an update for tar. This fixes a vulnerability, which
potentially can be exploited by malicious people to cause a DoS (Denial
of Service) and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18999/

 --

[SA19046] NuFW TLS Socket Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-28

A vulnerability has been reported in NuFW, which can be exploited by
malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19046/

 --

[SA19038] SUSE update for kernel

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2006-02-28

SUSE has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain knowledge of potentially sensitive information, bypass certain
security restrictions and cause a DoS (Denial of Service), and by
malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/19038/

 --

[SA19035] Ubuntu update for postgresql

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-27

Ubuntu has issued an update for PostgreSQL. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/19035/

 --

[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-27

Evgeny Legerov has reported a vulnerability in FreeBSD, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19017/

 --

[SA19015] Trustix update for postgresql

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, DoS
Released:    2006-02-27

Trustix has issued an update for postgresql. This fixes two
vulnerabilities, which can be exploited by malicious users to cause a
DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19015/

 --

[SA19005] SUSE update for heimdal

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, DoS
Released:    2006-02-27

SUSE has issued an update for heimdal. This fixes multiple
vulnerabilities, which can be exploited by malicious, local users to
gain escalated privileges or by malicious people to cause a DoS (Denial
of Service).

Full Advisory:
http://secunia.com/advisories/19005/

 --

[SA19042] Sun Solaris HSFS File System Privilege Escalation
Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-02-27

A vulnerability has been reported in Solaris, which can be exploited by
malicious, local users to cause a DoS (Denial of Service) or gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/19042/

 --

[SA19027] Gentoo update for noweb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-27

Gentoo has issued an update for noweb. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19027/


Other:--

[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-28

Preben Nyløkken has reported a vulnerability in Thomson SpeedTouch 500
Series, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19069/

 --

[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-03-01

/dev/0id has reported a vulnerability in Compex NetPassage WPE54G,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/19037/


Cross Platform:--

[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

James Bercegay has reported a vulnerability in RunCMS, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19058/

 --

[SA19055] PeHePe Membership Management System Two Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-03-01

Yunus Emre Yilmaz has reported two vulnerabilities in PeHePe Membership
Management System, which can be exploited by malicious people to conduct
cross-site scripting attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19055/

 --

[SA19047] ShoutLIVE Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-27

Aliaksandr Hartsuyeu has reported some vulnerabilities in ShoutLIVE,
which can be exploited by malicious people to conduct script insertion
attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19047/

 --

[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

James Bercegay has reported a vulnerability in phpRPC, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19028/

 --

[SA19020] freeForum Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in freeForum,
which can be exploited by malicious people to conduct script insertion
attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19020/

 --

[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-01

Liz0ziM has discovered some vulnerabilities in N8cms, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19068/

 --

[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-28

SAUDI has reported two vulnerabilities in d3jeeb Pro, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19062/

 --

[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-01

D3vil-0x1 has discovered a vulnerability in MyBB, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19061/

 --

[SA19056] sendcard Unspecified SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-01

Sumit Siddharth has reported some vulnerabilities in sendcard, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19056/

 --

[SA19053] DirectContact Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2006-02-28

Donato Ferrante has discovered a vulnerability in DirectContact, which
can be exploited by malicious people to gain knowledge of potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/19053/

 --

[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-27

x128 has discovered a vulnerability in LanSuite LanParty Intranet
System, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/19048/

 --

[SA19045] EKINboard Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in EKINboard,
which can be exploited by malicious people to conduct SQL injection and
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19045/

 --

[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-28

Luigi Auriemma has reported a vulnerability in CrossFire, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19044/

 --

[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2006-02-27

papipsycho has reported a vulnerability in PwsPHP, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19023/

 --

[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-02-23

Matt Van Gundy has reported some vulnerabilities in PEAR Auth, which
can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/19008/

 --

[SA19007] Calcium "EventText" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

KeyShore and KeyYog have discovered a vulnerability in Calcium, which
can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/19007/

 --

[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

Aliaksandr Hartsuyeu has reported a vulnerability in Simple Machines
Forum, which can be exploited by malicious people to conduct script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/19004/

 --

[SA19003] iUser Ecommerce Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-23

Some vulnerabilities with unknown impacts have been reported in iUser
Ecommerce.

Full Advisory:
http://secunia.com/advisories/19003/

 --

[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

Yunus Emre Yilmaz has discovered a vulnerability in TOPo, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19070/

 --

[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-28

Revnic Vasile has discovered some vulnerabilities in CGI Calendar,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/19066/

 --

[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-27

Mustafa Can Bjorn has reported some vulnerabilities in MyPHPNuke, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/19052/

 --

[SA19050] WordPress Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-03-01

K4P0 has discovered two vulnerabilities in WordPress, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19050/

 --

[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

A vulnerability has been reported in PunBB, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19039/

 --

[SA19031] JFacets "ProfileID" Profile Change Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-28

A vulnerability has been reported in JFacets, which can be exploited by
malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19031/

 --

[SA19026] 4images "template" Parameter File Inclusion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-27

rgod has reported a vulnerability in 4images, which can be exploited by
malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19026/

 --

[SA19014] Website Generator PHP Code Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-24

Nemesis Security Audit Group has discovered a vulnerability in Website
Generator, which can be exploited by malicious users to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/19014/

 --

[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has discovered a vulnerability in PEAR Archive_Tar, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/19011/

 --

[SA19034] MySQL Query Logging Bypass Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-02-27

1dt.w0lf has discovered a security issue in MySQL, which can be
exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19034/

 --

[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-28

A weakness has been reported in Issue Dealer, which can be exploited by
malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19018/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support at secunia.com
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45
