samba -- nss_info plugin privilege escalation vulnerability
The Samba development team reports: The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the "winbind nss info" smb.conf...
wordpress -- remote sql injection vulnerability
Alexander Concha reports: While testing WordPress, a SQL Injection vulnerability was discovered that allows an attacker to remotely retrieve any user credentials from a vulnerable site. This bug is caused by early database escaping and the lack of validation in query strings like...
mediawiki -- cross site scripting vulnerability
The MediaWiki development team reports: A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed. The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php:...
lighttpd -- FastCGI header overrun in mod_fastcgi
lighttpd maintainer reports: Lighttpd is prone to a header overflow when using the mod_fastcgi extension; this can lead to arbitrary code execution in the FastCGI application. For a detailed description of the bug see the external reference. This bug was found by Mattias Bengtsson and Philip Olaus...
apache -- multiple vulnerabilities
Apache HTTP server project reports: The following potential security flaws are addressed: CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. CVE-2007-1863: mod_cache: Prevent a segmentation fault if attributes are listed in a Cache-Control header...
php -- multiple vulnerabilities
The PHP development team reports: Security Enhancements and Fixes in PHP 5.2.4: Fixed a floating point exception inside wordwrap, reported by Mattias Bengtsson; fixed several integer overflows inside the GD extension, reported by Mattias Bengtsson; fixed size calculation in chunk_split, reported by...
gallery2 -- multiple vulnerabilities
Gallery project reports: Gallery 2.2.3 addresses the following security vulnerabilities: Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas); unauthorized modification and retrieval of item properties possible with WebDAV; unauthorized locking and replacing of items...
irc/bitchx -- multiple vulnerabilities
bannedit reports: Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC servers to execute arbitrary code via a long string in a MODE command, related to the p_mode variable. Nico Golde reports: There is a security issue in ircii-pana in BitchX's hostname command. The e_hostname function...
tikiwiki -- multiple vulnerabilities
Secunia reports: Some vulnerabilities have been reported in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and disclose potentially sensitive information. Input passed to the username parameter in tiki-remind_password.php when remi...
claws-mail -- POP3 Format String Vulnerability
A Secunia Advisory reports: A format string error in the "inc_put_error" function in src/inc.c when displaying a POP3 server's error response can be exploited via specially crafted POP3 server replies containing format specifiers. Successful exploitation may allow execution of arbitrary code, but...
gtar -- Directory traversal vulnerability
Red Hat reports: A path traversal flaw was discovered in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar had write access. Red Hat credits Dmitry V. Levin for reporting the issue...
bugzilla -- multiple vulnerabilities
A Bugzilla Security Advisory reports: This advisory covers three security issues that have recently been fixed in the Bugzilla code: A possible cross-site scripting (XSS) vulnerability when filing bugs using the guided form. When using email_in.pl, insufficiently escaped data may be passed to...
clamav -- multiple remote Denial of Service vulnerabilities
BugTraq reports: ClamAV is prone to multiple denial-of-service vulnerabilities. A successful attack may allow an attacker to crash the application and deny service to users...
id3lib -- insecure temporary file creation
Debian Bug report log reports: When tagging file $foo, a temporary copy of the file is created, and for some reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally, without any checking. This would silently truncate and overwrite an existing $foo.XXXXXX...
rsync -- off by one stack overflow
BugTraq reports: The rsync utility is prone to an off-by-one buffer-overflow vulnerability. This issue is due to a failure of the application to properly bounds-check user-supplied input. Successfully exploiting this issue may allow arbitrary code-execution in the context of the affected utility...
opera -- Vulnerability in javascript handling
An advisory from Opera reports: A specially crafted JavaScript can make Opera execute arbitrary code...
FreeBSD -- Buffer overflow in tcpdump(1)
Problem Description: An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances. Impact: By crafting malicious BGP packets, an attacke...
xpdf -- stack based buffer overflow
The KDE Team reports: kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a vulnerability that can cause a stack based buffer overflow via a PDF file that exploits an integer overflow in StreamPredictor::StreamPredictor. Remotely supplied pdf files can be used to disrupt the kpdf viewe...
joomla -- multiple vulnerabilities
A Secunia Advisory reports: Joomla can be exploited to conduct session fixation attacks, cross-site scripting attacks or HTTP response splitting attacks. Certain unspecified input passed in com_search, com_content and mod_login is not properly sanitised before being returned to a user. This can be...
fetchmail -- denial of service on reject of local warning message
Matthias Andree reports: fetchmail will generate warning messages in certain circumstances (for instance, when leaving oversized messages on the server, or when login to the upstream fails) and send them to the local postmaster or the user running it. If this warning message is then refused by the SMTP...
phpsysinfo -- url Cross-Site Scripting
Doz reports: Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site...
vim -- Command Format String Vulnerability
A Secunia Advisory reports: A format string error in the "helptags_one" function in src/ex_cmds.c when running the "helptags" command can be exploited to execute arbitrary code via specially crafted help files...
drupal -- Multiple cross-site scripting vulnerabilities
The Drupal Project reports: Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website...
drupal -- Cross site request forgeries
The Drupal Project reports: Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a...
fsplib -- multiple vulnerabilities
A Secunia Advisory reports: fsplib can be exploited to compromise an application using the library. A boundary error exists in the processing of file names in fsp_readdir_native, which can be exploited to cause a stack-based buffer overflow if the defined MAXNAMLEN is bigger than 256. A boundary...
FreeBSD -- Predictable query ids in named(8)
Problem Description: When named(8) is operating as a recursive DNS server or sending NOTIFY requests to slave DNS servers, named(8) uses a predictable query id. Impact: An attacker who can see the query id for some requests sent by named(8) is likely to be able to perform DNS cache poisoning by...
lighttpd -- multiple vulnerabilities
Secunia Advisory reports: Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service)...
opera -- multiple vulnerabilities
Opera Software ASA reports of multiple security fixes in Opera, including an arbitrary code execution vulnerability: Opera for Linux, FreeBSD, and Solaris has a flaw in the createPattern function that leaves old data that was in the memory before Opera allocated it in the new pattern. The pattern c...
mozilla -- multiple vulnerabilities
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2007-25: XPCNativeWrapper pollution; MFSA 2007-24: Unauthorized access to...
mysql -- remote dos via malformed password packet
MySQL reports: A malformed password packet in the connection protocol could cause the server to crash...
linux-flashplugin -- critical vulnerabilities
Adobe reports: Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit...
wireshark -- Multiple problems
Wireshark Team reports: It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file...
p5-Net-DNS -- multiple Vulnerabilities
A Secunia Advisory reports: An error exists in the handling of DNS queries where IDs are incremented with a fixed value and are additionally used for child processes in a forking server. This can be exploited to poison the DNS cache of an application using the module if a valid ID is guessed. An...
dokuwiki -- XSS vulnerability in spellchecker backend
DokuWiki reports: The spellchecker tests the UTF-8 capabilities of the used browser by sending a UTF-8 string to the backend, which will send it back unfiltered. By comparing string length the spellchecker can work around broken implementations. An attacker could construct a form to let users se...
evolution-data-server -- remote execution of arbitrary code vulnerability
Debian project reports: It was discovered that the IMAP code in the Evolution Data Server performs insufficient sanitising of a value later used as an array index, which can lead to the execution of arbitrary code...
gd -- multiple vulnerabilities
Several vulnerabilities have been reported in gd: CVE-2007-3472: Integer overflow in the gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. CVE-2007-3473: The gdImageCreateXbm functi...
p5-Mail-SpamAssassin -- local user symlink-attack DoS vulnerability
SpamAssassin website reports: A local user symlink-attack DoS vulnerability in SpamAssassin has been found, affecting versions 3.1.x, 3.2.0, and SVN trunk...
c-ares -- DNS Cache Poisoning Vulnerability
Secunia reports: The vulnerability is caused due to predictable DNS "Transaction ID" field in DNS queries and can be exploited to poison the DNS cache of an application using the library if a valid ID is guessed...
wordpress -- XMLRPC SQL Injection
Secunia reports: Slappter has discovered a vulnerability in WordPress, which can be exploited by malicious users to conduct SQL injection attacks. Input passed to the "wp.suggestCategories" method in xmlrpc.php is not properly sanitised before being used in SQL queries. This can be exploited to...
mplayer -- cddb stack overflow
Mplayer Team reports: A stack overflow was found in the code used to handle cddb queries. When copying the album title and category, no checking was performed on the size of the strings before storing them in a fixed-size array. A malicious entry in the database could trigger a stack overflow in...
flac123 -- stack overflow in comment parsing
isecpartners reports: flac123, also known as flac-tools, is vulnerable to a buffer overflow in vorbis comment parsing. This allows for the execution of arbitrary code...
libvorbis -- Multiple memory corruption flaws
isecpartners reports: libvorbis contains several vulnerabilities allowing heap overwrite, read violations and a function pointer overwrite. These bugs cause at least a denial of service, and potentially code execution...
vlc -- format string vulnerability and integer overflow
isecpartners reports: VLC is vulnerable to a format string attack in the parsing of Vorbis comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP service discovery messages. Additionally, there are two errors in the handling of wav files, one a denial of service due to an uninitialized...
wordpress -- unmoderated comments disclosure
Blogsecurity reports: An attacker can read comments on posts that have not been moderated. This can be a real security risk if blog admins are using unmoderated comments (comments that have not been made public) to hide sensitive notes regarding posts, future work, passwords etc. So please be caref...
webmin -- cross site scripting vulnerability
Secunia reports: Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site...
findutils -- GNU locate heap buffer overrun
James Youngman reports: When GNU locate reads filenames from an old-format locate database, they are read into a fixed-length buffer allocated on the heap. Filenames longer than the 1026-byte buffer can cause a buffer overrun. The overrunning data can be chosen by any person able to control the...
mutt -- buffer overflow vulnerability
Securityfocus reports: Mutt is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation. An attacker can exploit this issue to execute arbitrary code with the privileges of the victim. Failed...
phppgadmin -- cross site scripting vulnerability
SecurityFocus reports about phppgadmin: Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch...
Pubcookie Login Server -- XSS vulnerability
Nathan Dors, Pubcookie Project reports: A new non-persistent XSS vulnerability was found in the Pubcookie login server's compiled binary "index.cgi" CGI program. The CGI program mishandles untrusted data when printing responses to the browser. This makes the program vulnerable to carefully crafte...
FreeBSD -- heap overflow in file(1)
Problem Description: When writing data into a buffer in the file_printf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files. Impact: An attacker who can cause file(1) to be run on a maliciously constructed...