gzip -- multiple vulnerabilities
Problem Description: Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop. Impact: The insufficient bounds checks in buffe...
opera -- RSA Signature Forgery
Opera reports: A specially crafted digital certificate can bypass Opera's certificate signature verification. Forged certificates can contain any false information the forger chooses, and Opera will still present it as valid. Opera will not present any warning dialogs in this case, and the securi...
mozilla -- multiple vulnerabilities
The Mozilla Foundation reports multiple security issues in Firefox, SeaMonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7); MFSA 2006-63...
punbb -- NULL byte injection vulnerability
CVE Mitre reports: PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to adminoptions.php with an avatarsdir parameter ending in %00. NOTE:...
phpbb -- NULL byte injection vulnerability
Secunia reports: ShAnKaR has discovered a vulnerability in phpBB, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the "avatarpath" parameter in admin/adminboard.php is not properly sanitised before being used as a configuration variable to store avatar...
linux-flashplugin7 -- arbitrary code execution vulnerabilities
Adobe reports: Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, ema...
drupal-pubcookie -- authentication may be bypassed
The Drupal Project reports: It is possible for a malicious user to spoof a user's identity by bypassing the login redirection mechanism in the pubcookie module. The malicious user may gain the privileges of the user they are spoofing, including the administrative user...
gnutls -- RSA Signature Forgery Vulnerability
Secunia reports: A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error in the verification of certain signatures. If a RSA key with exponent 3 is used, it may be possible to forg...
win32-codecs -- multiple vulnerabilities
The Apple Security Team reports that there are multiple vulnerabilities within QuickTime, one of the plugins for win32-codecs. A remote attacker capable of creating a malicious SGI image, FlashPix, FLC movie, or a QuickTime movie can possibly execute arbitrary code or cause a Denial o...
dokuwiki -- multiple vulnerabilities
Secunia reports: rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "TARGETFN" parameter in bin/dwpage.php is not properly sanitised before being used to copy files. This can be exploited via directory...
bind9 -- Denial of Service in named(8)
Problem Description: For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure ca...
dircproxy -- remote denial of service
Securiweb reports: dircproxy allows remote attackers to cause a denial of service (segmentation fault) via an ACTION command without a parameter, which triggers a NULL pointer dereference, as demonstrated using a blank /me message from irssi...
openssl -- Incorrect PKCS#1 v1.5 padding validation in crypto(3)
Problem Description: When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes. Impact: OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is use...
gtetrinet -- remote code execution
The Debian Security Team reports: Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remote server to execute arbitrary code...
hlstats -- multiple cross site scripting vulnerabilities
Kefka reports multiple cross site scripting vulnerabilities within hlstats. The vulnerabilities are caused due to improper checking of variables, allowing an attacker to perform cross site scripting...
joomla -- multiple vulnerabilities
The Joomla development team reports multiple vulnerabilities within the Joomla application. Joomla is vulnerable to the following vulnerabilities: improper validation of the mosMail function; improper validation of the JosIsValidEmail function; remote code execution in PEAR.php; Zend Hash del key o...
mambo -- multiple SQL injection vulnerabilities
James Bercegay reports: Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function. Omid reports: There are several s...
openoffice.org -- multiple vulnerabilities
OpenOffice.org Security Team reports: Fixed in OpenOffice.org 3.2: CVE-2006-4339: Potential vulnerability from 3rd party libxml2 libraries; CVE-2009-0217: Potential vulnerability from 3rd party libxmlsec libraries; CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC...
sppp -- buffer overflow vulnerability
Problem Description: While processing Link Control Protocol (LCP) configuration options received from the remote host, sppp(4) fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer. Impact: An attacker able to send LCP packet...
zope -- restructuredText "csv_table" Information Disclosure
Secunia reports: A vulnerability has been reported in Zope, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the use of the docutils module to parse and render "restructured" text. This can be exploited to...
tikiwiki -- multiple vulnerabilities
Secunia reports: Thomas Pollet has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "highlight" parameter in tiki-searchindex.php is not properly sanitised before being returned to the user. This can be...
cscope -- Buffer Overflow Vulnerabilities
Secunia reports: Will Drewry has reported some vulnerabilities in Cscope, which potentially can be exploited by malicious people to compromise a vulnerable system. Various boundary errors within the parsing of file lists or the expansion of environment variables can be exploited to cause...
php -- multiple vulnerabilities
The PHP development team reports: Added missing safe_mode/open_basedir checks inside the error_log, file_exists, imap_open and imap_reopen functions. Fixed overflows inside str_repeat and wordwrap functions on 64bit systems. Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath...
libmusicbrainz -- multiple buffer overflow vulnerabilities
SecurityFocus reports about libmusicbrainz: The libmusicbrainz library is prone to multiple buffer-overflow vulnerabilities because the application fails to check the size of the data before copying it into a finite-sized internal memory buffer. An attacker can exploit these issues to execute...
horde -- Phishing and Cross-Site Scripting Vulnerabilities
Secunia reports: Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks. Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in ...
python -- buffer overrun in repr() for unicode strings
Benjamin C. Wiley Sittler reports: I discovered a buffer overrun in repr() for unicode strings. This causes an unpatched non-debug wide UTF-32/UCS-4 build of python to abort. Ubuntu security team reports: If an application uses repr() on arbitrary untrusted data, this bug could be exploited to execut...
squirrelmail -- random variable overwrite vulnerability
The SquirrelMail developers report: A logged in user could overwrite random variables in compose.php, which might make it possible to read/write other users' preferences or attachments...
mysql -- database "case-sensitive" privilege escalation
Michal Prokopiuk reports a privilege escalation in MySQL. The vulnerability causes MySQL, when run on case-sensitive filesystems, to allow remote and local authenticated users to create or access a database when the database name differs only in case from a database for which they have permission...
rubygem-rails -- evaluation of ruby code
The Ruby on Rails blog reports: With Rails 1.1.0 through 1.1.5 minus the short-lived 1.1.3, you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like...
alsaplayer -- multiple vulnerabilities
Luigi Auriemma reports three vulnerabilities within alsaplayer: The function which handles the HTTP connections is vulnerable to a buffer-overflow that happens when it uses sscanf for copying the URL in the Location's field received from the server into the redirect buffer of only 1024 bytes...
x11vnc -- authentication bypass vulnerability
Ludwig Nussel reports that x11vnc is vulnerable to an authentication bypass vulnerability. The vulnerability is caused by an error in auth.c. This could allow a remote attacker to gain unauthorized and unauthenticated access to the system...
globus -- Multiple tmpfile races
The Globus Alliance reports: The proxy generation tool grid-proxy-init creates the file, secures the file to provide access only to owner and writes proxy to the file. A race condition exists between the opening of the proxy credentials file, and making sure it is safe file to write to. The check...
clamav -- heap overflow vulnerability
Clamav team reports: A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code. The problem is specifically located in the PE file rebuild function used by the UPX unpacker. Relevant code from libclamav/upx.c: memcpyds...
drupal -- XSS vulnerability
The Drupal project reports: A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link...
gnupg -- 2 more possible memory allocation attacks
Author reports: Fixed 2 more possible memory allocation attacks. They are similar to the problem we fixed with 1.4.4. This bug can easily be exploited for a DoS; remote code execution is not entirely impossible...
elinks -- buffer overflow vulnerability
SecurityFocus reports: ELinks is prone to an off-by-one buffer-overflow vulnerability because the application fails to accurately reference the last element of a buffer. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause...
apache -- mod_rewrite buffer overflow vulnerability
The Apache Software Foundation and The Apache HTTP Server Project report: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. Depending on the manner in which Apache HTTP Server was compiled, this software...
mozilla -- multiple vulnerabilities
A Mozilla Foundation Security Advisory reports multiple issues, several of which can be used to run arbitrary code with the privilege of the user running the program. MFSA 2006-56 chrome: scheme loading remote content; MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5); MFSA...
freeciv -- Denial of Service Vulnerabilities
Secunia reports: Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service). An error in the "generichandleplayerattributechunk" function in common/packets.c can be exploited to crash the service via a specially crafted...
ruby -- multiple vulnerabilities
Secunia reports: Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions. An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted...
samba -- memory exhaustion DoS in smbd
The Samba Team reports: The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests...
freetype -- LWFN Files Buffer Overflow Vulnerability
SecurityTracker reports: A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can create a specially crafted font file that, when loaded by the target user's system, will trigger an integer underflow or integer...
trac -- reStructuredText breach of privacy and denial of service vulnerability
The Trac 0.9.6 Release Notes report: Fixed reStructuredText breach of privacy and denial of service vulnerability found by Felix Wiemann. The discovered vulnerability requires docutils to be installed and enabled. Systems that do not have docutils installed or enabled are not vulnerable. As of...
zope -- information disclosure vulnerability
Zope team reports: Unspecified vulnerability in Zope2 allows local users to obtain sensitive information via unknown attack vectors related to the docutils module and "restructured text"...
twiki -- multiple file extensions file upload vulnerability
A TWiki Security Alert reports: The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allow additional file suffixes, such as .php.en,...
libwmf -- integer overflow vulnerability
Secunia reports: infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library. The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken direct...
webmin, usermin -- arbitrary file disclosure vulnerability
The webmin development team reports: An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin...
phpmyadmin -- cross site scripting vulnerability
phpmyadmin Site reports: It was possible to craft a request that contains XSS by attacking the "table" parameter...
horde -- various problems in dereferrer
Horde 3.1.2 release announcement: Security Fixes: Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen. Removed unused image proxy code from dereferrer...
mysql -- format string vulnerability
Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking of the date_format routine, which causes the MySQL server to crash. The crash is triggered by the following code: "SELECT date_format('%d%s', 1);...