[ISN] Secunia Weekly Summary - Issue: 2004-35

InfoSec News isn at c4i.org
Fri Aug 27 06:11:59 EDT 2004


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2004-08-19 - 2004-08-26                        

                       This week : 48 advisories                       

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has implemented new features at Secunia.com


SECUNIA ADVISORIES NOW INCLUDE "Solution Status":
In addition to the extensive information Secunia advisories already
include, Secunia has added a new parameter: "Solution Status". This
simply means that all Secunia advisories, including older advisories,
now include the current "Solution Status" of a advisory, e.g. if the
vendor has released a patch or not.


IMPROVED PRODUCT PAGES:
The improved product pages now include a detailed listing of all
Secunia advisories affecting each product. The listings include a clear
indication of the "Solution Status" each advisory has ("Unpatched",
"Vendor patch", "Vendor workaround", or "Partial fix"). View the
following for examples:

Opera 7:
http://secunia.com/product/761/

Internet Explorer 6:
http://secunia.com/product/11/

Mozilla Firefox:
http://secunia.com/product/3256/


EXTRA STATISTICS:
Each product page also includes a new pie graph, displaying the
"Solution Status" for all Secunia advisories affecting each product in
a given period. View the following for example:

Internet Explorer 6:
http://secunia.com/product/11/#statistics_solution


FEEDBACK SYSTEM:
To make it easier to provide feedback to the Secunia staff, we have
made an online feedback form. Enter your inquiry and it will
immediately be sent to the appropriate Secunia department.

Ideas, suggestions, and other feedback is most welcome

Secunia Feedback Form:
http://secunia.com/contact_form/


========================================================================
2) This Week in Brief:


ADVISORIES:

Yesterday (25-08-2004), K-OTik.COM Security Survey Team reported to
Secunia that a so called "Zero-day" exploit for Winamp is circulating
on the Internet.

After testing the issue, Secunia was able to confirm that the exploit
was working. Using Internet Explorer, this can be exploited to
automatically compromise a user's system.

The vulnerability is caused due to insufficient restrictions on Winamp
skin zip files. This can be exploited to execute arbitrary code on a
user's system.

The exploit is very basic, and allows even less-skilled "Script
Kiddies" to change the exploit to do whatever they would like it to
do.

Currently, the vendor has not issued a patch for this. Therefore, the
only present solution is to uninstall the product and wait for the
vendor to issue a patch.

Reference:
http://secunia.com/SA12381

--

Security researcher "http-equiv", specialised in Internet Explorer,
has demonstrated a new vulnerability in Internet Explorer, which also
affects Internet Explorer with Windows XP Service Pack 2 installed.

The vulnerability allows a malicious website to compromise a user's
system, if the user drags and drop an image on a web page.

However, in several articles issued last week, Microsoft claimed that
this issue is not a "high risk" for users. This is not the case.
The issue is very severe and requires Internet Explorer users to be
very careful, disable Ative Scripting, or use another product.

See also this open letter posted on The Inquirer from Secunia CTO,
Thomas Kristensen:
http://theinq.com/?article=18079

Currently, no solution is available from Microsoft.

Reference:
http://secunia.com/SA12321

--

Chris Evans has discovered a vulnerability in the QT library, which
can be exploited to compromise a vulnerable system. The QT library is
used by many applications on several platforms e.g. Windows,
Linux/Unix, and Mac OS X.

The vulnerability can be exploited through applications that rely
on the QT library to decode or display BMP images.

Please view secunia.com for more information on updated packages and
programs, which address this vulnerability.

Reference:
http://secunia.com/SA12325


VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.


========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
2.  [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
3.  [SA9711]  Microsoft Internet Explorer Multiple Vulnerabilities
4.  [SA11978] Multiple Browsers Frame Injection Vulnerability
5.  [SA12336] PHP-Fusion Public Accessible Database Backups
6.  [SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
7.  [SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure
              Weakness
8.  [SA12303] Adobe Acrobat Reader ActiveX Control Buffer Overflow
              Vulnerability
9.  [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA12305] MySQL "mysql_real_connect" Buffer Overflow Vulnerability


========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
[SA12367] Painkiller Password Processing Buffer Overflow Vulnerability
[SA12334] aGSM Buffer Overflow Vulnerability
[SA12372] Easy File Sharing Web Server Exposure of Sensitive
Information
[SA12347] Nihuo Web Log Analyzer "User-Agent:" Header Script Insertion
Vulnerability
[SA12374] ignitionServer "SERVER" Denial of Service Vulnerability
[SA12365] Bird Chat User Flooding Denial of Service
[SA12346] BadBlue Web Server Multiple Connections Denial of Service
Vulnerability
[SA12386] Cisco Secure Access Control Server Multiple Vulnerabilities
[SA12380] Window Washer "Bleached" Data Exposure Weakness
[SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure
Weakness

UNIX/Linux:
[SA12382] Fedora update for gaim
[SA12377] Sun Solaris Multiple Apache Vulnerabilities
[SA12357] Slackware update for Qt
[SA12356] Fedora update for Qt
[SA12354] Gentoo update for mozilla/firefox/thunderbird
[SA12350] Red Hat update for qt
[SA12348] BNC SARA Buffer Overflow Vulnerabilities
[SA12342] Gentoo update for qt
[SA12333] Mandrake update for qt3
[SA12373] WebAPP Directory Traversal Vulnerability
[SA12361] Debian update for icecast-server
[SA12358] Hastymail Script Insertion Vulnerability
[SA12355] Gentoo update for cacti
[SA12352] xv Multiple Buffer Overflow Vulnerabilities
[SA12344] Icecast "User-Agent:" Header Script Injection Vulnerability
[SA12343] Mandrake update for kdelibs/kdebase
[SA12351] sredird Client Signature Information Processing
Vulnerabilities
[SA12370] PHP Code Snippet Library Cross-Site Scripting Vulnerability
[SA12369] Gentoo update for kdelibs
[SA12341] Konqueror Cross-Domain Cookie Injection Vulnerability
[SA12339] Sympa Create List Script Insertion Vulnerability
[SA12335] Fedora update for rsync
[SA12363] Sun Solaris CDE Mailer dtmail Privilege Escalation
Vulnerability
[SA12349] IMWheel Insecure Temporary File Creation Vulnerability

Other:
[SA12353] Axis Network Camera / Video Server Command Injection and
Directory Traversal

Cross Platform:
[SA12379] Netscape Multiple Products NSS Library Vulnerability
[SA12378] Sun Java System Web Server NSS Library Vulnerability
[SA12362] NSS Library SSLv2 Connection Negotiation Buffer Overflow
Vulnerability
[SA12371] Symantec Multiple Products ISAKMPd Denial of Service
Vulnerability
[SA12359] eGroupWare Cross-Site Scripting and Script Insertion
Vulnerabilities
[SA12340] MyDMS SQL Injection and Directory Traversal Vulnerabilities
[SA12338] Mantis Cross-Site Scripting and Script Insertion
Vulnerabilities
[SA12336] PHP-Fusion Public Accessible Database Backups
[SA12368] Plesk "login_name" Cross-Site Scripting Vulnerability
[SA12360] PvPGN Unspecified Information Leakage
[SA12345] JShop Server "xPage" Parameter Cross-Site Scripting
Vulnerability
[SA12337] Davenport WebDAV-CIFS Gateway XML Denial of Service
Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

A vulnerability has been reported in Winamp, which can be exploited by
malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12381/

 --

[SA12367] Painkiller Password Processing Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

Luigi Auriemma has reported a vulnerability in Painkiller, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12367/

 --

[SA12334] aGSM Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-24

Dmitriy Baranov has reported a vulnerability in aGSM, which potentially
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12334/

 --

[SA12372] Easy File Sharing Web Server Exposure of Sensitive
Information

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2004-08-26

James Bercegay has discovered a vulnerability in Easy File Sharing Web
Server, which can be exploited by malicious people to access sensitive
information.

Full Advisory:
http://secunia.com/advisories/12372/

 --

[SA12347] Nihuo Web Log Analyzer "User-Agent:" Header Script Insertion
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-23

Audun Larsen has reported a vulnerability in Nihuo Web Log Analyzer,
which can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/12347/

 --

[SA12374] ignitionServer "SERVER" Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-25

A vulnerability has been reported in ignitionServer, which can be
exploited by malicious people to cause a DoS (Denial of Service) on
vulnerable systems.

Full Advisory:
http://secunia.com/advisories/12374/

 --

[SA12365] Bird Chat User Flooding Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-24

Donato Ferrante has reported a vulnerability in Bird Chat, which can be
exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12365/

 --

[SA12346] BadBlue Web Server Multiple Connections Denial of Service
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-24

James Bercegay has reported a vulnerability in BadBlue Web Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/12346/

 --

[SA12386] Cisco Secure Access Control Server Multiple Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2004-08-26

Multiple vulnerabilities have been reported in Cisco Secure Access
Control Server (ACS), which can be exploited by malicious people to
cause a DoS (Denial of Service) or bypass user authentication.

Full Advisory:
http://secunia.com/advisories/12386/

 --

[SA12380] Window Washer "Bleached" Data Exposure Weakness

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of sensitive information
Released:    2004-08-26

First Last has reported a weakness in Window Washer, which can be
exploited by malicious people to disclose "securely" deleted data on a
disk.

Full Advisory:
http://secunia.com/advisories/12380/

 --

[SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure
Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-08-25

Juha-Matti Laurio has reported a weakness in Outlook Express 6, which
may disclose email addresses in "BCC:" fields to other recipients.

Full Advisory:
http://secunia.com/advisories/12376/


UNIX/Linux:--

[SA12382] Fedora update for gaim

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-26

Fedora has issued an update for gaim. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12382/

 --

[SA12377] Sun Solaris Multiple Apache Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, DoS, System access
Released:    2004-08-25

Sun has acknowledged multiple vulnerabilities in Apache for Solaris,
which can be exploited to bypass certain security restrictions, cause a
DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12377/

 --

[SA12357] Slackware update for Qt

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-24

Slackware has issued an update for qt. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12357/

 --

[SA12356] Fedora update for Qt

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-08-24

Fedora has issued an update for qt. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12356/

 --

[SA12354] Gentoo update for mozilla/firefox/thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2004-08-23

Gentoo has issued updates for mozilla, firefox, and thunderbird. These
fix multiple vulnerabilities, which can be exploited to abuse other
sites certificates, cause a DoS (Denial of Service), or compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12354/

 --

[SA12350] Red Hat update for qt

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-23

Red Hat has issued an update for qt. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12350/

 --

[SA12348] BNC SARA Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-24

Matthias Bethke has reported some vulnerabilities in SARA from British
National Corpus, which can be exploited by malicious people to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12348/

 --

[SA12342] Gentoo update for qt

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-23

Gentoo has issued an update for qt. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12342/

 --

[SA12333] Mandrake update for qt3

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-19

MandrakeSoft has issued an update for qt3. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12333/

 --

[SA12373] WebAPP Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2004-08-25

A vulnerability has been reported in WebAPP, which can be exploited by
malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12373/

 --

[SA12361] Debian update for icecast-server

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

Debian has issued an update for icecast-server. This fixes a
vulnerability, which can be exploited by malicious people to conduct
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12361/

 --

[SA12358] Hastymail Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

The vendor has reported a vulnerability in Hastymail, allowing
malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12358/

 --

[SA12355] Gentoo update for cacti

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information
Released:    2004-08-23

Gentoo has issued an update for cacti. This fixes a vulnerability,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/12355/

 --

[SA12352] xv Multiple Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-08-24

infamous41md has reported multiple vulnerabilities in xv, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/12352/

 --

[SA12344] Icecast "User-Agent:" Header Script Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

Markus Wörle has reported a vulnerability in Icecast, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12344/

 --

[SA12343] Mandrake update for kdelibs/kdebase

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Spoofing, Privilege escalation
Released:    2004-08-23

MandrakeSoft has issued updates for kdelibs and kdebase. These fix
multiple vulnerabilities, which can be exploited to perform certain
actions on a vulnerable system with escalated privileges, spoof the
content of websites, or hijack sessions.

Full Advisory:
http://secunia.com/advisories/12343/

 --

[SA12351] sredird Client Signature Information Processing
Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-08-23

Max Vozeler has reported two vulnerabilities in sredird, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/12351/

 --

[SA12370] PHP Code Snippet Library Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-25

Nikyt0x has reported a vulnerability in PHP Code Snippet Library, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/12370/

 --

[SA12369] Gentoo update for kdelibs

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2004-08-25

Gentoo has issued an update for kdelibs. This fixes a vulnerability in
Konqueror, which potentially can be exploited by malicious people to
hijack users' sessions via session fixation attacks.

Full Advisory:
http://secunia.com/advisories/12369/

 --

[SA12341] Konqueror Cross-Domain Cookie Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2004-08-23

WESTPOINT has discovered a vulnerability in Konqueror, which
potentially can be exploited by malicious people to conduct session
fixation attacks.

Full Advisory:
http://secunia.com/advisories/12341/

 --

[SA12339] Sympa Create List Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-23

Joxean Koret has reported a vulnerability in Sympa, which can be
exploited by malicious, authenticated users to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/12339/

 --

[SA12335] Fedora update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2004-08-20

Fedora has issued an update for rsync. This fixes a vulnerability,
which potentially can be exploited by malicious users to read or write
arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12335/

 --

[SA12363] Sun Solaris CDE Mailer dtmail Privilege Escalation
Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-08-24

iDEFENSE has discovered a vulnerability in Sun Solaris, which can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12363/

 --

[SA12349] IMWheel Insecure Temporary File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2004-08-23

I)ruid has reported a vulnerability in IMWheel, which can be exploited
by malicious, local users to perform certain actions on a vulnerable
system with escalated privileges or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12349/


Other:--

[SA12353] Axis Network Camera / Video Server Command Injection and
Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, System
access
Released:    2004-08-23

bashis has reported two vulnerabilities in Axis Network Camera / Video
Server, which potentially can be exploited by malicious people to
compromise a vulnerable system and gain knowledge of sensitive
information.

Full Advisory:
http://secunia.com/advisories/12353/


Cross Platform:--

[SA12379] Netscape Multiple Products NSS Library Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

ISS X-Force has reported a vulnerability in the NSS library included
with various Netscape products, which can be exploited by malicious
people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12379/

 --

[SA12378] Sun Java System Web Server NSS Library Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

ISS X-Force has reported a vulnerability in the NSS library included
with Sun Java System Web Server, which can be exploited by malicious
people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12378/

 --

[SA12362] NSS Library SSLv2 Connection Negotiation Buffer Overflow
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

ISS X-Force has reported a vulnerability in the NSS library, which can
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12362/

 --

[SA12371] Symantec Multiple Products ISAKMPd Denial of Service
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-08-25

A vulnerability has been reported in multiple Symantec products, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/12371/

 --

[SA12359] eGroupWare Cross-Site Scripting and Script Insertion
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

Joxean Koret has reported some vulnerabilities in eGroupWare, allowing
malicious people to conduct cross-site scripting and script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/12359/

 --

[SA12340] MyDMS SQL Injection and Directory Traversal Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information,
Exposure of sensitive information
Released:    2004-08-23

Joxean Koret has reported two vulnerabilities in MyDMS, which can be
exploited by malicious people to conduct SQL injection attacks and for
users to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12340/

 --

[SA12338] Mantis Cross-Site Scripting and Script Insertion
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-23

Joxean Koret has reported two vulnerabilities in Mantis, which can be
exploited by malicious people to conduct cross-site scripting and
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12338/

 --

[SA12336] PHP-Fusion Public Accessible Database Backups

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-08-20

y3dips has reported a vulnerability in PHP-Fusion, allowing malicious
people to view sensitive data.

Full Advisory:
http://secunia.com/advisories/12336/

 --

[SA12368] Plesk "login_name" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-25

Sourvivor has reported a vulnerability in Plesk, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12368/

 --

[SA12360] PvPGN Unspecified Information Leakage

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-08-24

The vendor has reported a vulnerability in PvPGN, potentially allowing
malicious people to see sensitive information.

Full Advisory:
http://secunia.com/advisories/12360/

 --

[SA12345] JShop Server "xPage" Parameter Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-23

Dr Ponidi has reported a vulnerability in JShop Server, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12345/

 --

[SA12337] Davenport WebDAV-CIFS Gateway XML Denial of Service
Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-08-23

A vulnerability has been reported in Davenport WebDAV-CIFS Gateway,
which can be exploited by malicious users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/12337/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support at secunia.com
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45

========================================================================





More information about the ISN mailing list