[ISN] Secunia Weekly Summary - Issue: 2005-26

InfoSec News isn at c4i.org
Fri Jul 1 05:35:37 EDT 2005


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2005-06-23 - 2005-06-30                        

                       This week : 51 advisories                       

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single 
vulnerability report is being validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been reported in XML-RPC for PHP, which can be
exploited by malicious people to compromise a vulnerable system.

Additional detail can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA15852

--

Security researcher Ron van Daal has found a vulnerability in phpBB,
which can be exploited by malicious people to compromise a vulnerable
system.

A very similar vulnerability in phpBB was exploited by the "Santy"
worm last year.

Everyone using phpBB are advised to apply patches as soon as possible.

Reference:
http://secunia.com/SA15845

--

Several vulnerabilities have been reported in RealOne Player,
RealPlayer, Helix Player and Rhapsody, which can be exploited by
malicious people to overwrite local files or to compromise a user's
system.

The vendor has released patches, please review the referenced Secunia
advisory for details.

Reference:
http://secunia.com/SA15806


VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA15489] Mozilla / Firefox / Camino Dialog Origin Spoofing
              Vulnerability
2.  [SA15491] Microsoft Internet Explorer Dialog Origin Spoofing
              Vulnerability
3.  [SA15488] Opera Dialog Origin Spoofing Vulnerability
4.  [SA15474] Safari Dialog Origin Spoofing Vulnerability
5.  [SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple
              Vulnerabilities
6.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7.  [SA15411] Opera "javascript:" URL Cross-Site Scripting
              Vulnerability
8.  [SA15845] phpBB "highlight" PHP Code Execution Vulnerability
9.  [SA15492] Internet Explorer for Mac Dialog Origin Spoofing
              Vulnerability
10. [SA15827] Adobe Reader / Acrobat Two Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15837] ActiveBuyandSell Cross-Site Scripting and SQL Injection
[SA15832] Sukru Alatas Guestbook Exposure of User Credentials
[SA15818] Dynamic Biz Website Builder Admin Login SQL Injection
[SA15803] DUware DUclassmate SQL Injection Vulnerabilities
[SA15802] DUware DUforum SQL Injection Vulnerabilities
[SA15801] DUware DUpaypal Pro SQL Injection Vulnerabilities
[SA15800] DUware DUamazon Pro SQL Injection Vulnerabilities
[SA15847] Hosting Controller "error" Cross-Site Scripting
Vulnerability
[SA15838] IA eMailServer LIST Command Denial of Service Vulnerability
[SA15828] Inframail SMTP and FTP Denial of Service Vulnerabilities
[SA15819] NateOn Messenger Directory Listing Disclosure Vulnerability

UNIX/Linux:
[SA15839] SUSE update for realplayer
[SA15825] Fedora update for HelixPlayer
[SA15814] Red Hat update for realplayer/helixplayer
[SA15813] Sun Solaris GNOME libgdk_pixbuf Image Handling
Vulnerabilities
[SA15856] Ubuntu update for ruby
[SA15854] Plans "evt_id" SQL Injection Vulnerability
[SA15848] Mandriva update for imagemagick
[SA15827] Adobe Reader / Acrobat Two Vulnerabilities
[SA15858] Gentoo update for heimdal
[SA15849] Mandriva update for spamassassin
[SA15835] Clam AntiVirus clamav-milter Database Update Denial of
Service
[SA15824] Fedora update for gedit
[SA15823] Gentoo update for clamav
[SA15820] Trustix update for multiple packages
[SA15817] Red Hat update for spamassassin
[SA15815] Red Hat update for FreeRADIUS
[SA15811] ClamAV Quantum Decompressor Denial of Service Vulnerability
[SA15804] SUSE update for razor-agents
[SA15799] SGI Advanced Linux Environment Multiple Updates
[SA15834] Mandriva update for squid
[SA15809] Sun Solaris Samba Wildcard Filename Matching Denial of
Service
[SA15844] Ubuntu update for dbus
[SA15841] Sun Solaris Runtime Linker Privilege Escalation
Vulnerability
[SA15836] Fedora update for kernel
[SA15833] Mandriva update for dbus
[SA15807] SUSE update for sudo
[SA15822] Ubuntu update for kernel
[SA15812] Linux Kernel "syscall()" Argument Handling Denial of Service

Other:
[SA15851] Blue Coat Products TCP Timestamp Denial of Service
[SA15826] Nortel Communication Server FTP Service Denial of Service
[SA15853] Dominion SX Insecure File Permission Security Issues

Cross Platform:
[SA15855] PostNuke XML-RPC Library PHP Code Execution Vulnerability
[SA15852] XML-RPC for PHP Unspecified PHP Code Execution Vulnerability
[SA15845] phpBB "highlight" PHP Code Execution Vulnerability
[SA15842] CSV_DB / i_DB Arbitrary Command Execution Vulnerability
[SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple
Vulnerabilities
[SA15830] PHP-Fusion Two Vulnerabilities
[SA15829] PHP-Nuke "off-site Avatar" Script Insertion Vulnerability
[SA15805] UBB.threads Multiple Vulnerabilities
[SA15808] IBM DB2 Universal Data Authorisation Checking Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA15837] ActiveBuyandSell Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-06-27

Dedi Dwianto has reported some vulnerabilities in ActiveBuyandSell,
which can be exploited by malicious people to conduct cross-site
scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15837/

 --

[SA15832] Sukru Alatas Guestbook Exposure of User Credentials

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-06-28

basher13 has reported a security issue in Sukru Alatas Guestbook, which
can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15832/

 --

[SA15818] Dynamic Biz Website Builder Admin Login SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-28

basher13 has reported a vulnerability in Dynamic Biz Website Builder
(QuickWeb), which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/15818/

 --

[SA15803] DUware DUclassmate SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUclassmate, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15803/

 --

[SA15802] DUware DUforum SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUforum, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15802/

 --

[SA15801] DUware DUpaypal Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUpaypal Pro, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15801/

 --

[SA15800] DUware DUamazon Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUamazon Pro, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15800/

 --

[SA15847] Hosting Controller "error" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-06-29

ActionSpider has reported a vulnerability in Hosting Controller, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/15847/

 --

[SA15838] IA eMailServer LIST Command Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-28

Reed Arvin has reported a vulnerability in IA eMailServer, which can be
exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15838/

 --

[SA15828] Inframail SMTP and FTP Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-28

Reed Arvin has reported two vulnerabilities in Inframail Advantage
Server Edition, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15828/

 --

[SA15819] NateOn Messenger Directory Listing Disclosure Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information
Released:    2005-06-29

Park Gyu Tae has reported a vulnerability in NateOn Messenger, which
can be exploited by malicious users to disclose system information.

Full Advisory:
http://secunia.com/advisories/15819/


UNIX/Linux:--

[SA15839] SUSE update for realplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-27

SUSE has issued an update for realplayer. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/15839/

 --

[SA15825] Fedora update for HelixPlayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-27

Fedora has issued an update for HelixPlayer. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a user's system.

Full Advisory:
http://secunia.com/advisories/15825/

 --

[SA15814] Red Hat update for realplayer/helixplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-24

Red Hat has issued updates for RealPlayer and HelixPlayer. These fix a
vulnerability, which can be exploited by malicious people to compromise
a user's system.

Full Advisory:
http://secunia.com/advisories/15814/

 --

[SA15813] Sun Solaris GNOME libgdk_pixbuf Image Handling
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-24

Sun Microsystems has acknowledged some vulnerabilities in GNOME for
Solaris, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/15813/

 --

[SA15856] Ubuntu update for ruby

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-29

Ubuntu has issued an update for ruby. This fixes a vulnerability, which
potentially can be exploited by malicious people to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/15856/

 --

[SA15854] Plans "evt_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-29

A vulnerability has been reported in Plans, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15854/

 --

[SA15848] Mandriva update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-06-29

Mandriva has issued an update for imagemagick. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15848/

 --

[SA15827] Adobe Reader / Acrobat Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-06-28

Two vulnerabilities have been reported in Adobe Reader and Adobe
Acrobat for Mac OS, which may grant elevated permissions on certain
folders or can be exploited by malicious people to execute arbitrary
local programs on a user's system.

Full Advisory:
http://secunia.com/advisories/15827/

 --

[SA15858] Gentoo update for heimdal

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-06-29

Gentoo has issued an update for heimdal. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/15858/

 --

[SA15849] Mandriva update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-29

Mandriva has issued an update for spamassassin. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15849/

 --

[SA15835] Clam AntiVirus clamav-milter Database Update Denial of
Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-28

Damian Menscher has reported a vulnerability in clamav-milter, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/15835/

 --

[SA15824] Fedora update for gedit

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-06-27

Fedora has issued an update for gedit. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/15824/

 --

[SA15823] Gentoo update for clamav

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-27

Gentoo has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/15823/

 --

[SA15820] Trustix update for multiple packages

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Privilege
escalation, DoS
Released:    2005-06-27

Trustix has issued various updated packages. These fix some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service) or execute commands with escalated
privileges, or by malicious people to cause a DoS (Denial of Service)
or gain knowledge of certain system infomation.

Full Advisory:
http://secunia.com/advisories/15820/

 --

[SA15817] Red Hat update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-24

Red Hat has issued an update for spamassassin. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15817/

 --

[SA15815] Red Hat update for FreeRADIUS

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, DoS
Released:    2005-06-24

Red Hat has issued an update for FreeRADIUS. This fixes some
vulnerabilities, which potentially can be exploited by malicious users
to conduct SQL injection attacks or to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/15815/

 --

[SA15811] ClamAV Quantum Decompressor Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-24

A vulnerability has been reported in ClamAV, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15811/

 --

[SA15804] SUSE update for razor-agents

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-23

SUSE has issued an update for razor-agents. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15804/

 --

[SA15799] SGI Advanced Linux Environment Multiple Updates

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of
sensitive information, System access
Released:    2005-06-23

SGI has issued a patch for SGI Advanced Linux Environment. This fixes
multiple vulnerabilities, which can be exploited by malicious people to
disclose sensitive information, conduct directory traversal attacks,
extract files to arbitrary directories, or potentially compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/15799/

 --

[SA15834] Mandriva update for squid

Critical:    Less critical
Where:       From local network
Impact:      Spoofing
Released:    2005-06-27

Mandriva has issued an update for squid. This fixes a vulnerability,
which can be exploited by malicious people to spoof DNS lookups.

Full Advisory:
http://secunia.com/advisories/15834/

 --

[SA15809] Sun Solaris Samba Wildcard Filename Matching Denial of
Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-06-24

Sun Microsystems has acknowledged a vulnerability in Solaris, which can
be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15809/

 --

[SA15844] Ubuntu update for dbus

Critical:    Less critical
Where:       Local system
Impact:      Hijacking
Released:    2005-06-28

Ubuntu has issued an update for dbus. This fixes a vulnerability, which
can be exploited by malicious, local users to hijack a session bus.

Full Advisory:
http://secunia.com/advisories/15844/

 --

[SA15841] Sun Solaris Runtime Linker Privilege Escalation
Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-06-29

Przemyslaw Frasunek has reported a vulnerability in Solaris, which can
be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15841/

 --

[SA15836] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-06-27

Fedora has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15836/

 --

[SA15833] Mandriva update for dbus

Critical:    Less critical
Where:       Local system
Impact:      Hijacking
Released:    2005-06-27

Mandriva has issued an update for dbus. This fixes a vulnerability,
which can be exploited by malicious, local users to hijack a session
bus.

Full Advisory:
http://secunia.com/advisories/15833/

 --

[SA15807] SUSE update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-06-24

SUSE has issued an update for sudo. This fixes a vulnerability, which
can be exploited by malicious, local users to execute arbitrary
commands with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15807/

 --

[SA15822] Ubuntu update for kernel

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-06-27

Ubuntu has issued an update for the kernel. This fixes two
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15822/

 --

[SA15812] Linux Kernel "syscall()" Argument Handling Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-06-27

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/15812/


Other:--

[SA15851] Blue Coat Products TCP Timestamp Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-29

Blue Coat has acknowledged a vulnerability in some products, which can
be exploited by malicious people to cause a DoS (Denial of Service) on
an active TCP session.

Full Advisory:
http://secunia.com/advisories/15851/

 --

[SA15826] Nortel Communication Server FTP Service Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-06-29

Nortel Networks has acknowledged an old vulnerability in Communication
Server 1000 (CS1000), which can be exploited by malicious people to
cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15826/

 --

[SA15853] Dominion SX Insecure File Permission Security Issues

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-06-29

Dirk Wetter has reported two security issues in Dominion SX, which can
be exploited by malicious, local users to disclose sensitive
information, cause a DoS (Denial of Service), and potentially gain
escalated privileges.

Full Advisory:
http://secunia.com/advisories/15853/


Cross Platform:--

[SA15855] PostNuke XML-RPC Library PHP Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-29

A vulnerability has been reported in PostNuke, which can be exploited
by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15855/

 --

[SA15852] XML-RPC for PHP Unspecified PHP Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-29

A vulnerability has been reported in XML-RPC for PHP, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15852/

 --

[SA15845] phpBB "highlight" PHP Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-28

Ron van Daal has reported a vulnerability in phpBB, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15845/

 --

[SA15842] CSV_DB / i_DB Arbitrary Command Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-28

blahplok has reported a vulnerability in CSV_DB, which can be exploited
by malicious people to execute arbitrary commands.

Full Advisory:
http://secunia.com/advisories/15842/

 --

[SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple
Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-06-24

Several vulnerabilities have been reported in RealOne Player,
RealPlayer, Helix Player and Rhapsody, which can be exploited by
malicious people to overwrite local files or to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/15806/

 --

[SA15830] PHP-Fusion Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-06-27

Easyex has discovered two vulnerabilities in PHP-Fusion, which can be
exploited by malicious people to conduct script insertion attacks or
disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15830/

 --

[SA15829] PHP-Nuke "off-site Avatar" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-06-27

FJLJ has reported a vulnerability in PHP-Nuke, which can be exploited
by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15829/

 --

[SA15805] UBB.threads Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released:    2005-06-24

James Bercegay has reported some vulnerabilities in UBB.threads, which
can be exploited by malicious people to conduct cross-site scripting
and SQL injection attacks, and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15805/

 --

[SA15808] IBM DB2 Universal Data Authorisation Checking Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Privilege escalation
Released:    2005-06-24

A vulnerability has been reported in IBM DB2 Universal Database, which
can be exploited by malicious users to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/15808/



========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support at secunia.com
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45






More information about the ISN mailing list