[ISN] Secunia Weekly Summary - Issue: 2006-8

InfoSec News isn at c4i.org
Fri Feb 24 01:51:16 EST 2006


========================================================================

                  The Secunia Weekly Advisory Summary                  
                        2006-02-16 - 2006-02-23                        

                       This week : 59 advisories                       

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to ensure that you have the best
and most reliable source of vulnerability information. Every single
vulnerability report is validated and verified before a Secunia
advisory is written.

Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Secunia has issued an Extremely Critical advisory regarding a
vulnerability in Mac OS X, which can be exploited by malicious people
to compromise a user's system.

Secunia has constructed a test, which can be used to check if your
system is affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

Please see the referenced Secunia advisory for additional details.

Reference:
http://secunia.com/SA18963


VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18963] Mac OS X File Association Meta Data Shell Script
              Execution
2.  [SA15852] XML-RPC for PHP PHP Code Execution Vulnerability
3.  [SA14337] Mambo "GLOBALS['mosConfig_absolute_path']" File
              Inclusion
4.  [SA17571] Opera Image Control Status Bar Spoofing Weakness
5.  [SA16280] IBM Lotus Notes Multiple Vulnerabilities
6.  [SA18835] Windows Media Player Bitmap File Processing Vulnerability
7.  [SA18931] PHP-Nuke "Your_Account" Module SQL Injection
              Vulnerability
8.  [SA18924] PerlBLOG Multiple Vulnerabilities
9.  [SA18934] Debian update for gnupg
10. [SA18907] Mac OS X Kernel Local Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18945] WPCeasy Admin Logon SQL Injection Vulnerability
[SA18986] IA eMailServer IMAP SEARCH Command Handling Vulnerability

UNIX/Linux:
[SA18963] Mac OS X File Association Meta Data Shell Script Execution
[SA18987] Red Hat update for metamail
[SA18927] Guestex Shell Command Injection and Cross-Site Scripting
[SA18923] Leif M. Wright's Blog Multiple Vulnerabilities
[SA18983] Gentoo update for gpdf
[SA18979] Bugzilla Multiple Vulnerabilities
[SA18976] Mandriva update for tar
[SA18973] GNU Tar PAX Extended Headers Handling Buffer Overflow
[SA18948] Debian update for pdfkit.framework
[SA18944] CherryPy "staticfilter" Directory Traversal Vulnerability
[SA18943] Mandriva update for libtiff
[SA18926] Quirex convert.cgi File Disclosure Vulnerability
[SA18924] PerlBLOG Multiple Vulnerabilities
[SA18918] Ubuntu update for libtasn
[SA18939] Fedora Directory Server Admin Server Password Disclosure
[SA18984] Melange Chat Server Information Disclosure Security Issue
[SA18977] Mandriva update for kernel
[SA18968] SUSE update for gpg / liby2util
[SA18956] Gentoo update for gnupg
[SA18955] Fedora update for gnupg
[SA18942] Mandriva update for gnupg
[SA18934] Debian update for gnupg
[SA18933] Ubuntu update for gnupg
[SA18974] ViRobot Linux Server Authentication Bypass Vulnerability
[SA18961] Ubuntu update for heimdal
[SA18960] Fedora Directory Server LDAP Denial of Service
Vulnerabilities
[SA18988] Red Hat update for tar
[SA18958] UnixWare ptrace Privilege Escalation Vulnerability
[SA18922] Netcool/NeuSecure Configuration File Permissions Weaknesses
[SA18971] Ubuntu update for bluez-hcidump
[SA18970] Ubuntu update for openssh
[SA18969] Gentoo update for openssh / dropbear
[SA18964] Dropbear SSH Server scp Command Line Shell Command Injection

Other:
[SA18952] Xerox ESS/ Network Controller and MicroServer
Vulnerabilities
[SA18932] DWL-G700AP Web Interface Denial of Service

Cross Platform:
[SA18982] Geeklog Media Gallery Module SQL Injection and File
Inclusion
[SA18941] Coppermine Photo Gallery File Inclusion Vulnerabilities
[SA18935] Mambo Unspecified System Compromise Vulnerability
[SA18930] Admbook "X-Forwarded-For" PHP Code Injection
[SA18920] Geeklog SQL Injection and File Inclusion Vulnerabilities
[SA18917] PunkBuster Cvars Monitoring Format String Vulnerability
[SA18972] PHP-Nuke Personal Menu Script Insertion and SQL Injection
[SA18965] Barracuda Directory Multiple Script Insertion
Vulnerabilities
[SA18951] ilchClan "pid" and "login_name" SQL Injection
Vulnerabilities
[SA18946] Guestbox Two Vulnerabilities and One Security Issue
[SA18938] EmuLinker Packet Handling Denial of Service Vulnerability
[SA18937] PostNuke Multiple Vulnerabilities
[SA18931] PHP-Nuke "Your_Account" Module SQL Injection Vulnerability
[SA18929] BXCP "tid" SQL Injection Vulnerability
[SA18925] My Blog BBCode Script Insertion Vulnerability
[SA18985] SquirrelMail Cross-Site Scripting and IMAP Injection
Vulnerabilities
[SA18981] CuteNews "show" Cross-Site Scripting Vulnerability
[SA18949] PHP-Fusion Cross-Site Scripting Vulnerabilities
[SA18928] ADOdb Cross-Site Scripting Vulnerabilities
[SA18919] CPG Dragonfly CMS "linking.php" Cross-Site Scripting
Vulnerability
[SA18967] Ubuntu update for noweb
[SA18936] PHP-Nuke CAPTCHA Bypass Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA18945] WPCeasy Admin Logon SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-20

murfie has reported a vulnerability in WPCeasy, which can be exploited
by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18945/
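The admin logon SQL injection above, and the several other SQL injection
entries later in this issue, are instances of one pattern: client input
spliced into the SQL text of an authentication query. As an added example
(not WPCeasy's code; the advisory does not show its query), the Python
snippet below contrasts a logon check that interpolates the username and
password into the statement with one that binds them as parameters. The
sqlite3 table, the account, the two bypass payloads and the plaintext
password column are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed demo database: one admin account, password stored in
    plaintext only to keep the example short (real systems hash passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """The query as a string-interpolating logon handler would build it.
    Whatever the client typed becomes part of the SQL text."""
    return ("SELECT COUNT(*) FROM admins WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(conn, username, password):
    """Authentication check with the injection flaw: a quote in either
    field lets the client rewrite the WHERE clause."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] > 0


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the SQL text, so quotes and comment markers are data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Classic bypass payloads (constructed for the demonstration).
    tautology = ("nobody", "x' OR '1'='1")      # makes the WHERE clause always true
    comment_out = ("admin'--", "anything")       # comments out the password test
    for user, pw in (("admin", "correct horse"), tautology, comment_out):
        print("%-12r %-16r vulnerable=%-5s safe=%s" % (
            user, pw, login_vulnerable(db, user, pw), login_safe(db, user, pw)))
```

Both payloads authenticate against the interpolating version and fail
against the parameterised one; the only difference between the two
functions is whether the client's bytes ever reach the SQL parser as code.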

 --

[SA18986] IA eMailServer IMAP SEARCH Command Handling Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-22

Joao Antunes has discovered a vulnerability in Internet Anywhere (IA)
eMailServer, which can be exploited by malicious users to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/18986/


UNIX/Linux:--

[SA18963] Mac OS X File Association Meta Data Shell Script Execution

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2006-02-21

Michael Lehn has discovered a vulnerability in Mac OS X, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18963/

 --

[SA18987] Red Hat update for metamail

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-22

Red Hat has issued an update for metamail. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/18987/

 --

[SA18927] Guestex Shell Command Injection and Cross-Site Scripting

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-17

Aliaksandr Hartsuyeu has reported two vulnerabilities in Guestex, which
can be exploited by malicious people to conduct cross-site scripting
attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18927/

 --

[SA18923] Leif M. Wright's Blog Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of
sensitive information, System access
Released:    2006-02-17

Aliaksandr Hartsuyeu has reported some vulnerabilities in Leif M.
Wright's Blog, which can be exploited by malicious people to disclose
potentially sensitive information, bypass certain security
restrictions, conduct script insertion attacks, and potentially to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18923/

 --

[SA18983] Gentoo update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-22

Gentoo has issued an update for gpdf. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18983/

 --

[SA18979] Bugzilla Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released:    2006-02-22

Some vulnerabilities have been reported in Bugzilla, which can be
exploited by malicious users to conduct SQL injection attacks, and by
malicious people to disclose sensitive information and conduct script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/18979/

 --

[SA18976] Mandriva update for tar

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-22

Mandriva has issued an update for tar. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service) and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18976/

 --

[SA18973] GNU Tar PAX Extended Headers Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-22

A vulnerability has been reported in GNU Tar, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service) and to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18973/

 --

[SA18948] Debian update for pdfkit.framework

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-20



Full Advisory:
http://secunia.com/advisories/18948/

 --

[SA18944] CherryPy "staticfilter" Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-21

A vulnerability has been reported in CherryPy, which can be exploited
by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18944/

 --

[SA18943] Mandriva update for libtiff

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-20

Mandriva has issued an update for libtiff. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/18943/

 --

[SA18926] Quirex convert.cgi File Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
information
Released:    2006-02-17

Aliaksandr Hartsuyeu has reported a vulnerability in Quirex, which can
be exploited by malicious people to disclose potentially sensitive
information.

Full Advisory:
http://secunia.com/advisories/18926/

 --

[SA18924] PerlBLOG Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-02-17

Aliaksandr Hartsuyeu has reported some vulnerabilities in PerlBLOG,
which can be exploited by malicious people to conduct script insertion
attacks and to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18924/

 --

[SA18918] Ubuntu update for libtasn

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-17

Ubuntu has issued an update for gnutls. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18918/

 --

[SA18939] Fedora Directory Server Admin Server Password Disclosure

Critical:    Moderately critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-02-20

Frank Reppin has reported a vulnerability in Fedora Directory Server,
which can be exploited by malicious people to gain knowledge of
sensitive information.

Full Advisory:
http://secunia.com/advisories/18939/

 --

[SA18984] Melange Chat Server Information Disclosure Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-22

Nexus has discovered a security issue in Melange Chat Server, which
potentially can be exploited by malicious people to disclose certain
sensitive information.

Full Advisory:
http://secunia.com/advisories/18984/

 --

[SA18977] Mandriva update for kernel

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2006-02-22

Mandriva has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain knowledge of sensitive information and cause a DoS (Denial of
Service), or by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/18977/

 --

[SA18968] SUSE update for gpg / liby2util

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-21

SUSE has issued an update for gpg / liby2util. This fixes a security
issue, which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18968/

 --

[SA18956] Gentoo update for gnupg

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-20

Gentoo has issued an update for gnupg. This fixes a security issue,
which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18956/

 --

[SA18955] Fedora update for gnupg

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-20

Fedora has issued an update for gnupg. This fixes a security issue,
which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18955/

 --

[SA18942] Mandriva update for gnupg

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-20

Mandriva has issued an update for gnupg. This fixes a security issue,
which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18942/

 --

[SA18934] Debian update for gnupg

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-17

Debian has issued an update for gnupg. This fixes a security issue,
which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18934/

 --

[SA18933] Ubuntu update for gnupg

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-20

Ubuntu has issued an update for gnupg. This fixes a security issue,
which potentially can be exploited by malicious people to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18933/

 --

[SA18974] ViRobot Linux Server Authentication Bypass Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-02-22

dong-houn yoU has discovered a vulnerability in ViRobot Linux Server,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/18974/

 --

[SA18961] Ubuntu update for heimdal

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-20

Ubuntu has issued an update for heimdal. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/18961/

 --

[SA18960] Fedora Directory Server LDAP Denial of Service
Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-20

Evgeny Legerov has reported some vulnerabilities in Fedora Directory
Server, which can be exploited by malicious people to cause a DoS
(Denial of Service).

Full Advisory:
http://secunia.com/advisories/18960/

 --

[SA18988] Red Hat update for tar

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-22

Red Hat has issued an update for tar. This fixes a vulnerability, which
can be exploited by malicious people to cause files to be extracted to
arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/18988/
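The tar issue above lets an archive place files outside the directory it
is extracted into, and the CherryPy "staticfilter" entry earlier in this
issue (SA18944) is the same class of flaw in a web static-file handler:
a path built from untrusted input is used without checking that it still
lies under the intended root. The Python below is an added example, not
code from Secunia, GNU tar, Red Hat or CherryPy. It audits a constructed
in-memory archive for members and link targets that would escape the
destination, and applies the same containment test to a request path
before serving a file; the destination /srv/extract and the document root
/srv/www are hypothetical and need not exist.

```python
import io
import os
import posixpath
import tarfile
from urllib.parse import unquote


def is_inside(root, candidate):
    """True if candidate, after resolving '..' and symlinks, stays under root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    prefix = root if root.endswith(os.sep) else root + os.sep
    return candidate == root or candidate.startswith(prefix)


def unsafe_members(tar, dest):
    """Return [(member name, reason)] for archive entries that would land
    outside dest: absolute names, '..' traversal, and links whose target
    points outside the tree. Run this before extracting, not after."""
    bad = []
    for m in tar.getmembers():
        if posixpath.isabs(m.name):
            bad.append((m.name, "absolute path"))
        elif not is_inside(dest, os.path.join(dest, m.name)):
            bad.append((m.name, "path traversal"))
        elif m.issym() or m.islnk():
            # A symlink target is relative to the link's own directory;
            # a hard link target is relative to the archive root.
            base = posixpath.dirname(m.name) if m.issym() else ""
            target = os.path.join(dest, base, m.linkname)
            if not is_inside(dest, target):
                bad.append((m.name, "link escapes destination"))
    return bad


def resolve_static(root, url_path):
    """Map a request path onto the static root; None if it would escape.
    Percent-decoding happens first so '%2e%2e' is seen as '..'."""
    rel = unquote(url_path)
    if "\x00" in rel:
        return None
    full = os.path.join(root, rel.lstrip("/"))
    return os.path.realpath(full) if is_inside(root, full) else None


def build_sample_archive():
    """Constructed in-memory archive with one benign and three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", kind=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = kind, linkname, len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("pkg/README", b"hello\n")
        add("pkg/../../.bashrc", b"evil\n")             # climbs out with '..'
        add("/etc/cron.d/backdoor", b"evil\n")          # absolute member name
        add("pkg/link", kind=tarfile.SYMTYPE, linkname="../../../etc")
    buf.seek(0)
    return buf


def audit_sample(dest="/srv/extract"):
    """Audit the constructed archive against a hypothetical destination."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    for name, reason in audit_sample():
        print("REJECT %-25s %s" % (name, reason))
    for req in ("css/site.css", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print("%-28s -> %s" % (req, resolve_static("/srv/www", req)))
```

The check deliberately canonicalises both sides with realpath and then
compares prefixes, rather than searching the raw string for "..": a
leading-slash name, an encoded dot segment, or a symlink dropped by an
earlier member all defeat substring filters but not a containment test on
the resolved path. Note that the symlink case only covers the link's own
target; an extractor must still refuse to write through a link that an
earlier member in the same archive created.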

 --

[SA18958] UnixWare ptrace Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-22

A vulnerability has been reported in UnixWare, which can be exploited
by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18958/

 --

[SA18922] Netcool/NeuSecure Configuration File Permissions Weaknesses

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-02-17

Dimitry Snezhkov has reported two weaknesses in Netcool/NeuSecure,
which can be exploited by malicious, local users to disclose certain
sensitive information.

Full Advisory:
http://secunia.com/advisories/18922/

 --

[SA18971] Ubuntu update for bluez-hcidump

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-02-22

Ubuntu has issued an update for bluez-hcidump. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18971/

 --

[SA18970] Ubuntu update for openssh

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-22

Ubuntu has issued an update for openssh. This fixes a weakness, which
potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18970/

 --

[SA18969] Gentoo update for openssh / dropbear

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-21

Gentoo has issued an update for openssh / dropbear. This fixes a
weakness, which potentially can be exploited by malicious, local users
to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18969/

 --

[SA18964] Dropbear SSH Server scp Command Line Shell Command Injection

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-21

A weakness has been reported in Dropbear SSH Server, which potentially
can be exploited by malicious, local users to perform certain actions
with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18964/


Other:--

[SA18952] Xerox ESS/ Network Controller and MicroServer
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS
Released:    2006-02-20

Some vulnerabilities have been reported in Xerox WorkCentre Pro and
Xerox WorkCentre, which can be exploited by malicious people to bypass
certain security restrictions, conduct cross-site scripting attacks, or
cause a Denial of Service (DoS).

Full Advisory:
http://secunia.com/advisories/18952/

 --

[SA18932] DWL-G700AP Web Interface Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-17

l0om has reported a vulnerability in D-Link DWL-G700AP, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18932/


Cross Platform:--

[SA18982] Geeklog Media Gallery Module SQL Injection and File
Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information,
System access
Released:    2006-02-22

Some vulnerabilities have been reported in the Media Gallery module for
Geeklog, which can be exploited by malicious people to conduct SQL
injection attacks, disclose potentially sensitive information and
potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18982/

 --

[SA18941] Coppermine Photo Gallery File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-20

rgod has reported two vulnerabilities in Coppermine Photo Gallery,
which can be exploited by malicious people and by malicious users to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18941/

 --

[SA18935] Mambo Unspecified System Compromise Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-22

A vulnerability has been reported in Mambo, which potentially can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18935/

 --

[SA18930] Admbook "X-Forwarded-For" PHP Code Injection

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-20

rgod has reported a vulnerability in Admbook, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18930/

 --

[SA18920] Geeklog SQL Injection and File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information,
System access
Released:    2006-02-20

James Bercegay has reported some vulnerabilities in Geeklog, which can
be exploited by malicious people to conduct SQL injection attacks,
disclose potentially sensitive information and potentially to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18920/

 --

[SA18917] PunkBuster Cvars Monitoring Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-17

Luigi Auriemma has reported a vulnerability in PunkBuster, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18917/

 --

[SA18972] PHP-Nuke Personal Menu Script Insertion and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-22

Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can be
exploited by malicious people to conduct SQL injection and script
insertion attacks.

Full Advisory:
http://secunia.com/advisories/18972/

 --

[SA18965] Barracuda Directory Multiple Script Insertion
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-21

pcps has discovered some vulnerabilities in Barracuda Directory, which
can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/18965/

 --

[SA18951] ilchClan "pid" and "login_name" SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-21

Two vulnerabilities have been discovered in ilchClan, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18951/

 --

[SA18946] Guestbox Two Vulnerabilities and One Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of
sensitive information
Released:    2006-02-21

l0om has discovered two vulnerabilities and a security issue in
Guestbox, which can be exploited by malicious people to disclose
potentially sensitive information, bypass certain security
restrictions, and conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18946/

 --

[SA18938] EmuLinker Packet Handling Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-20

A vulnerability has been reported in EmuLinker, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18938/

 --

[SA18937] PostNuke Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of
data
Released:    2006-02-21

Maksymilian Arciemowicz has reported some vulnerabilities in PostNuke,
which can be exploited by malicious people to conduct cross-site
scripting and SQL injection attacks, and to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/18937/

 --

[SA18931] PHP-Nuke "Your_Account" Module SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-17

sp3x has discovered a vulnerability in PHP-Nuke, which can be exploited
by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18931/

 --

[SA18929] BXCP "tid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-20

x128 has discovered a vulnerability in BXCP, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18929/

 --

[SA18925] My Blog BBCode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-17

Aliaksandr Hartsuyeu has reported a vulnerability in My Blog, which can
be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18925/

 --

[SA18985] SquirrelMail Cross-Site Scripting and IMAP Injection
Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-22

Some vulnerabilities have been reported in SquirrelMail, which can be
exploited by malicious users to manipulate certain information and by
malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18985/

 --

[SA18981] CuteNews "show" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-22

imei addmimistrator has discovered a vulnerability in CuteNews, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/18981/

 --

[SA18949] PHP-Fusion Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Unknown
Released:    2006-02-21

Two vulnerabilities have been reported in PHP-Fusion, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18949/

 --

[SA18928] ADOdb Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-20

James Bercegay has reported some vulnerabilities in ADOdb, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18928/

 --

[SA18919] CPG Dragonfly CMS "linking.php" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-02-22

albanialove has reported a vulnerability in CPG Dragonfly CMS, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/18919/

 --

[SA18967] Ubuntu update for noweb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-22

Ubuntu has issued an update for noweb. This fixes multiple
vulnerabilities, which can be exploited by malicious, local users to
perform certain actions on a vulnerable system with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/18967/

 --

[SA18936] PHP-Nuke CAPTCHA Bypass Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-20

Janek Vind "waraxe" has reported a weakness in PHP-Nuke, which can be
exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18936/



========================================================================

Secunia recommends that you verify all advisories you receive
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web	: http://secunia.com/
E-mail	: support at secunia.com
Tel	: +45 70 20 51 44
Fax	: +45 70 20 51 45




