Secunia staff spends hours every day to assure you the best
and most reliable source for vulnerability information. Every single
vulnerability report is being validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
2) This Week in Brief:
New OpenSSL packages have been released to address 3 different
vulnerabilities, which can be exploited to cause a Denial of Service
on vulnerable systems.
Many vendors have already updated their products. However, many other
vendors will propably also issue updates for their products within a
short time.
regarding updates for your products.
A vulnerability was reported in the popular FTP client WS_FTP Pro,
which could be exploited by a malicious FTP server to compromise a
connected client.
Currently, no solution is available from the vendor.
Security Research Luigi Auriemma has reported a vulnerability in the
Unreal Engine from Epic Games. The Unreal Engine is used in many
multi player games from different vendors, many games may be affected
by this vulnerability. Please refer to referenced Secunia Advisory for
more information about possible affected games.
3) This Weeks Top Ten Most Read Advisories:
1. [SA10395] Internet Explorer URL Spoofing Vulnerability
2. [SA11111] cPanel Password Reset Command Injection Vulnerability
3. [SA11139] OpenSSL SSL/TLS Handshake Denial of Service
Vulnerabilities
4. [SA11046] Norton AntiVirus 2002 Virus Detection Bypass Issue
5. [SA10736] Internet Explorer File Download Extension Spoofing
6. [SA11127] SPIP "forum.php3" PHP Code Injection Vulnerability
7. [SA11119] Novell Groupwise WebAccess Insecure Default Configuration
8. [SA11124] cPanel Login Command Injection Vulnerability
9. [SA11092] Apache mod_ssl HTTP Request Denial of Service
Vulnerability
10. [SA10706] Serv-U FTP Server "SITE CHMOD" Command Buffer Overflow
Vulnerability
4) Vulnerabilities Summary Listing
Windows:
[SA11159] GlobalSCAPE Secure FTP Server "SITE" Command Vulnerability
[SA11136] WS_FTP Pro Directory Listing Buffer Overflow Vulnerability
[SA11132] Macromedia ColdFusion MX / JRun SOAP Request Denial of
Service
[SA11120] AntiGen for Domino Encrypted Zip File Denial of Service
[SA11131] CA Unicenter TNG Daemons Buffer Overflow Vulnerabilities
[SA11143] IBM Lotus Domino Server Quick Console Cross-Site Scripting
UNIX/Linux:
[SA11124] cPanel Login Command Injection Vulnerability
[SA11155] Red Hat update for Mozilla
[SA11154] OpenBSD update for OpenSSL
[SA11153] Gentoo update for OpenSSL
[SA11152] Slackware update for OpenSSL
[SA11151] Debian update for OpenSSL
[SA11150] FreeBSD update for OpenSSL
[SA11149] Mandrake update for OpenSSL
[SA11148] EnGarde update for OpenSSL
[SA11147] Red Hat update for OpenSSL
[SA11146] SuSE update for OpenSSL
[SA11144] Red Hat update for OpenSSL
[SA11125] OpenPKG update for uudeview
[SA11103] Mandrake update for Mozilla
[SA11116] OpenBSD update for httpd
[SA11113] Chaogic Systems vHost Unspecified Cross-Site Scripting
Vulnerability
[SA11123] Macromedia Multiple Products Privilege Escalation
Vulnerability
[SA11117] Debian update for samba
[SA11115] Debian update for xitalk
[SA11114] xitalk Privilege Escalation Vulnerability
[SA11109] Debian update for Calife
[SA11107] Debian update for sysstat
[SA11106] Red Hat update for sysstat
[SA11105] Sysstat Insecure Temporary File Creation Vulnerability
[SA11137] Debian update for gdk-pixbuf
[SA11104] Red Hat update for nfs-utils
Other:
[SA11119] Novell Groupwise WebAccess Insecure Default Configuration
Cross Platform:
[SA11134] 4nAlbum Multiple Vulnerabilities
[SA11127] SPIP "forum.php3" PHP Code Injection Vulnerability
[SA11118] Oracle Web Cache Unspecified Client Request Handling
Vulnerabilities
[SA11111] cPanel Password Reset Command Injection Vulnerability
[SA11108] Unreal Engine Class Name Format String Vulnerability
[SA11145] Cisco Multiple Products OpenSSL Denial of Service
Vulnerability
[SA11141] Fizmez Web Server Connection Denial of Service Vulnerability
[SA11140] Mambo Cross Site Scripting and SQL Injection Vulnerabilities
[SA11139] OpenSSL SSL/TLS Handshake Denial of Service Vulnerabilities
[SA11138] mod_security POST Request Processing Off-By-One
Vulnerability
[SA11133] 4nGuestbook "x" Parameter SQL Injection and Cross-Site
Scripting
[SA11130] Sun Java System Application Server SOAP Request Denial of
Service
[SA11122] Pegasi Web Server Directory Traversal and Cross-Site
Scripting
[SA11121] phpBB SQL Injection and Cross Site Scripting Vulnerabilities
[SA11112] CFWebstore SQL Injection and Cross-Site Scripting
Vulnerabilities
[SA11126] HP Web Based Management Anonymous Certificate Upload
Vulnerability
[SA11142] vBulletin Cross-Site Scripting Vulnerabilities
[SA11135] PHP-Nuke Cross Site Scripting Vulnerabilities
[SA11128] YaBB / YaBB SE Formatting Tag Cross-Site Scripting
Vulnerability
[SA11110] Emumail Webmail Cross Site Scripting Vulnerability
5) Vulnerabilities Content Listing
Windows:--
[SA11159] GlobalSCAPE Secure FTP Server "SITE" Command Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
STORM has reported a vulnerability in GlobalSCAPE Secure FTP Server,
which can be exploited by malicious users to cause a DoS (Denial of
Service).
[SA11136] WS_FTP Pro Directory Listing Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-17
A vulnerability has been reported in WS_FTP Pro, which can be exploited
by malicious people to cause a DoS (Denial-of-Service) on the
application and potentially compromise a user's system.
[SA11132] Macromedia ColdFusion MX / JRun SOAP Request Denial of
Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-16
Amit Klein has discovered a vulnerability in ColdFusion MX and JRun,
which can be exploited by malicious people to cause a DoS
(Denial-of-Service).
[SA11120] AntiGen for Domino Encrypted Zip File Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-15
A vulnerability has been reported in AntiGen for Domino, which can be
exploited by malicious people to cause a DoS (Denial of Service).
[SA11131] CA Unicenter TNG Daemons Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-03-16
Dave Aitel of Immunity has reported some vulnerabilities in CA
Unicenter TNG, which can be exploited by malicious people to compromise
a vulnerable system.
[SA11143] IBM Lotus Domino Server Quick Console Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-17
Dr_insane has reported a vulnerability in IBM Lotus Domino, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
[SA11124] cPanel Login Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-15
Arab VieruZ has reported a vulnerability in cPanel, allowing malicious
people to execute certain system commands on a vulnerable system.
[SA11155] Red Hat update for Mozilla
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Released: 2004-03-18
Red Hat has issued updated packages for mozilla, which fixes various
vulnerabilities.
[SA11154] OpenBSD update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
OpenBSD has issued a patch for OpenSSL. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS
(Denial-of-Service).
[SA11153] Gentoo update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
Gentoo has issued updated packages for OpenSSL. These fix three
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11152] Slackware update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
Slackware has issued updated packages for OpenSSL. These fix two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11151] Debian update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
Debian has issued updated packages for OpenSSL. These fix two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11150] FreeBSD update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
FreeBSD has issued a patch for OpenSSL. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS
(Denial-of-Service).
[SA11149] Mandrake update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
MandrakeSoft has issued updated packages for OpenSSL. These fix two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11148] EnGarde update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
Guardian Digital has issued updated packages for OpenSSL. These fix two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11147] Red Hat update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
Red Hat has issued updated packages for OpenSSL. These fix three
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11146] SuSE update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-18
SuSE has issued updated packages for OpenSSL. These fix two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11144] Red Hat update for OpenSSL
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-17
Red Hat has issued updated packages for OpenSSL. These fix two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial-of-Service).
[SA11125] OpenPKG update for uudeview
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-03-15
OpenPKG has issued updated packages for uudeview. These fix a
vulnerability, which potentially can be exploited by malicious people
to compromise a user's system.
[SA11103] Mandrake update for Mozilla
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS,
System access
Released: 2004-03-11
MandrakeSoft has issued updated packages for Mozilla. These fix various
older vulnerabilities, which can be exploited by malicious people to
disclose users' proxy server credentials, bypass certain cookie path
restrictions, cause a DoS (Denial of Service), and potentially
compromise a user's system.
[SA11116] OpenBSD update for httpd
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-03-15
OpenBSD has issued patches for httpd. These fix a vulnerability, which
can be exploited by malicious people to bypass certain restrictions on
sparc64 systems.
[SA11113] Chaogic Systems vHost Unspecified Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-12
An unspecified vulnerability has been reported in Chaogic Systems
vHost, which can be exploited by malicious people to conduct
cross-site scripting attacks.
[SA11123] Macromedia Multiple Products Privilege Escalation
Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-15
Chris Irvine has discovered a vulnerability in Macromedia MX 2004
products, which can be exploited by malicious, local users to escalate
their privileges.
[SA11117] Debian update for samba
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-15
Debian has issued updated packages for Samba. These fix a
vulnerability, which can be exploited by malicious, local users to gain
escalated privileges.
[SA11115] Debian update for xitalk
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-12
Debian has issued updated packages for xitalk. These fix a
vulnerability, which can be exploited by malicious, local users to gain
group "utmp" privileges on a vulnerable system.
[SA11114] xitalk Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-12
Steve Kemp has reported a vulnerability in xitalk, which can be
exploited by malicious, local users to gain escalated privileges.
[SA11109] Debian update for Calife
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-12
Debian has issued updated packages for Calife. These fix a
vulnerability, which potentially can be exploited by malicious, local
users to escalate their privileges on a vulnerable system.
[SA11107] Debian update for sysstat
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-11
Debian has issued updated packages for sysstat. These fix a
vulnerability, which can be exploited by malicious, local users to gain
escalated privileges.
[SA11106] Red Hat update for sysstat
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-11
Red Hat has issued updated packages for sysstat. These fix a
vulnerability, allowing malicious local users to escalate their
privileges.
[SA11105] Sysstat Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-03-11
A vulnerability has been discovered in sysstat, which can be exploited
by malicious, local users to escalate their privileges.
[SA11137] Debian update for gdk-pixbuf
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2004-03-16
Debian has issued updated packages for gdk-pixbuf. These fix a
vulnerability, which can be exploited by malicious people to crash
certain applications like Evolution on a vulnerable system.
[SA11104] Red Hat update for nfs-utils
Critical: Not critical
Where: From local network
Impact: DoS
Released: 2004-03-11
Red Hat has issued updated packages for nfs-utils. These fix a
vulnerability, which can be exploited by malicious people to crash
rpc.mountd.
[SA11127] SPIP "forum.php3" PHP Code Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-15
SIMON Baptiste has discovered a vulnerability in SPIP, allowing
malicious people to inject arbitrary PHP code.
[SA11118] Oracle Web Cache Unspecified Client Request Handling
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact:
Released: 2004-03-15
Oracle has reported that multiple vulnerabilities have been discovered
in Oracle Web Cache.
[SA11111] cPanel Password Reset Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-12
Arab VieruZ has discovered a vulnerability in cPanel, allowing
malicious people to execute certain system commands on a vulnerable
system.
[SA11108] Unreal Engine Class Name Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-03-11
Luigi Auriemma has reported a vulnerability in the Unreal engine, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a vulnerable server.
[SA11145] Cisco Multiple Products OpenSSL Denial of Service
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-17
Cisco has confirmed a vulnerability in various products, which can be
exploited by malicious people to cause a DoS (Denial of Service).
[SA11141] Fizmez Web Server Connection Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-17
Donato Ferrante has reported a vulnerability in Fizmez Web Server,
which can be exploited by malicious people to cause a DoS
(Denial-of-Service).
[SA11140] Mambo Cross Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, Manipulation of data, Cross Site Scripting
Released: 2004-03-17
JeiAr has discovered some vulnerabilities in Mambo, allowing malicious
people to conduct SQL injection and Cross Site Scripting attacks.
[SA11139] OpenSSL SSL/TLS Handshake Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-17
Three vulnerabilities have been discovered in OpenSSL, which can be
exploited by malicious people to cause a DoS (Denial-of-Service).
[SA11138] mod_security POST Request Processing Off-By-One
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-03-17
Evgeny Legerov has discovered a vulnerability in mod_security, which
can be exploited by malicious people to cause a DoS (Denial-of-Service)
and potentially compromise a vulnerable system.
[SA11133] 4nGuestbook "x" Parameter SQL Injection and Cross-Site
Scripting
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-03-16
Janek Vind "waraxe" has reported a vulnerability in 4nGuestbook,
allowing malicious people to conduct SQL injection and Cross Site
Scripting attacks.
[SA11130] Sun Java System Application Server SOAP Request Denial of
Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-03-16
Amit Klein has discovered a vulnerability in Sun Java System
Application Server, which can be exploited by malicious people to cause
a DoS (Denial-of-Service).
[SA11122] Pegasi Web Server Directory Traversal and Cross-Site
Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information,
Exposure of sensitive information
Released: 2004-03-15
Donato Ferrante has discovered some vulnerabilities in Pegasi Web
Server, which can be exploited to conduct cross-site scripting and
directory traversal attacks.
[SA11121] phpBB SQL Injection and Cross Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-03-15
Some vulnerabilities have been reported in phpBB, allowing malicious
people to conduct Cross Site Scripting and SQL injection attacks.
[SA11112] CFWebstore SQL Injection and Cross-Site Scripting
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of
data, Exposure of system information, Exposure of sensitive
information
Released: 2004-03-12
Nick Gudov has reported some vulnerabilities in CFWebstore, which can
be exploited by malicious people to conduct cross-site scripting and
SQL injection attacks.
[SA11126] HP Web Based Management Anonymous Certificate Upload
Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-03-15
Dave Aitel has discovered a vulnerability in HP HTTP server, allowing
malicious people to gain access to administrative functions.
[SA11142] vBulletin Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-17
JeiAr has reported some vulnerabilities in vBulletin, which can be
exploited by malicious people to conduct cross-site scripting attacks.
[SA11135] PHP-Nuke Cross Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-16
Janek Vind "waraxe" has reported some vulnerabilities in PHP-Nuke,
allowing malicious people to conduct Cross Site Scripting attacks.
[SA11128] YaBB / YaBB SE Formatting Tag Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-03-16
Cheng Peng Su has reported a vulnerability in YaBB and YaBB SE,
allowing malicious people to conduct cross-site scripting attacks.
[SA11110] Emumail Webmail Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2004-03-12
Dr_insane has reported some vulnerabilities in Emumail Webmail,
allowing malicious people to conduct Cross Site Scripting attacks and
see the installation path.
Please verify all advisories you receive.
© 2008; SpywareUninstaller.com Group Project; All Rights Reserved.