opera -- XMLHttpRequest security bypass
A Secunia Advisory reports: Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to steal content or to perform actions on other web sites with the privileges of the user. Normally, it should not be possible for the XMLHttpRequest object to access...
opera -- "javascript:" URL cross-site scripting vulnerability
A Secunia Advisory reports: Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks and to read local files. The vulnerability is caused due to Opera not properly restricting the privileges of "javascript:" URLs...
squirrelmail -- Several cross site scripting vulnerabilities
A SquirrelMail Security Advisory reports: Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4. The vulnerabilities are in two categories: the majority can be exploited through URL manipulation, and some by sending a specially crafted email ...
p5-Mail-SpamAssassin -- denial of service vulnerability
Apache SpamAssassin Security Team reports: Apache SpamAssassin 3.0.4 was recently released, and fixes a denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The vulnerability allows certain misformatted long message headers to cause spam checking to take a very long time. While th...
acroread -- XML External Entity vulnerability
Sverre H. Huseby discovered a vulnerability in Adobe Acrobat and Adobe Reader. Under certain circumstances, using XML scripts it is possible to discover the existence of local files...
mambo -- multiple vulnerabilities
A Secunia Advisory reports: Some vulnerabilities have been reported in Mambo, where some have unknown impacts and others can be exploited by malicious people to conduct spoofing and SQL injection attacks. Input passed to the "userrating" parameter when voting isn't properly sanitised before being...
gaim -- Yahoo! remote crash vulnerability
Jacopo Ottaviani reports that Gaim can be crashed by being offered files with names containing non-ASCII characters via the Yahoo! protocol...
gaim -- MSN Remote DoS vulnerability
The GAIM team reports: Remote attackers can cause a denial of service crash via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error...
tcpdump -- infinite loops in protocol decoding
Problem Description: Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops. Impact: An attacker can inject specially crafted packets into the network which, when processed by tcpdump, could lead to a denial-of-service. After the attack, tcpdump...
leafnode -- denial of service vulnerability
Matthias Andree reports: A vulnerability was found in the fetchnews program (the NNTP client) that may under some circumstances cause a wait for input that never arrives, i.e. fetchnews "hangs". ... As only one fetchnews program can run at a time, subsequently started fetchnews and texpire programs will...
postnuke -- multiple vulnerabilities
Postnuke Security Announcements reports the following vulnerabilities: missing input validation within /modules/Messages/readpmsg.php; possible path disclosure within /user.php; possible path disclosure within /modules/News/article.php; possible remote code injection within /includes/pnMod.php...
qpopper -- multiple privilege escalation vulnerabilities
Jens Steube reports that qpopper is vulnerable to a privilege escalation vulnerability. qpopper does not properly drop root privileges so that user supplied configuration and trace files can be processed with root privileges. This could allow a local attacker to create or modify arbitrary files...
shtool -- insecure temporary file creation
A Zataz advisory reports that shtool contains a security flaw which could allow a malicious local user to create or overwrite the contents of arbitrary files. The attacker could fool a user into executing the arbitrary file possibly executing arbitrary code...
net-snmp -- fixproc insecure temporary file creation
A Gentoo advisory reports: Net-SNMP creates temporary files in an insecure manner, possibly allowing the execution of arbitrary code. A malicious local attacker could exploit a race condition to change the content of the temporary files before they are executed by fixproc, possibly leading to the...
picasm -- buffer overflow vulnerability
Shaun Colley reports: When generating error and warning messages, picasm copies strings into fixed length buffers without bounds checking. If an attacker could trick a user into assembling a source file with a malformed 'error' directive, arbitrary code could be executed with the privileges of th...
gedit -- format string vulnerability
Yan Feng reports a format string vulnerability in gedit. This vulnerability could cause a denial of service with a binary file that contains format string characters within the filename. It had been reported that web browsers and email clients can be configured to provide a filename as an argumen...
ppxp -- local root exploit
A Debian Advisory reports: Jens Steube discovered that ppxp, yet another PPP program, does not release root privileges when opening potentially user supplied log files. This can be tricked into opening a root shell...
fswiki -- XSS problem in file upload form
A Secunia security advisory reports: A vulnerability has been reported in FreeStyle Wiki and FSWikiLite, which can be exploited by malicious people to conduct script insertion attacks. Input passed in uploaded attachments is not properly sanitised before being used. This can be exploited to injec...
freeradius -- sql injection and denial of service vulnerability
A Gentoo Advisory reports: The FreeRADIUS server is vulnerable to an SQL injection attack and a buffer overflow, possibly resulting in disclosure and modification of data and Denial of Service...
kernel -- information disclosure when using HTT
Problem description and impact: When running on processors supporting Hyper-Threading Technology, it is possible for a malicious thread to monitor the execution of another thread. Information may be disclosed to local users, allowing in many cases for privilege escalation. For example, on a...
cdrdao -- unspecified privilege escalation vulnerability
The developers of cdrdao report that there is a potential root exploit in the software. In order to be able to successfully exploit this vulnerability cdrdao must be installed setuid root. When successfully exploited a local user might get escalated privileges. By default this port is not installed...
mozilla -- "Wrapped" javascript: urls bypass security checks
A Mozilla Foundation Security Advisory reports: Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute...
mozilla -- privilege escalation via non-DOM property overrides
A Mozilla Foundation Security Advisory reports: Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional...
squid -- DNS lookup spoofing vulnerability
The squid patches page notes: Malicious users may spoof DNS lookups if the DNS client UDP port (random, assigned by the OS at startup) is unfiltered and your network is not protected from IP spoofing...
gaim -- remote crash on some protocols
The GAIM team reports that GAIM is vulnerable to a denial-of-service vulnerability which can cause GAIM to crash: It is possible for a remote user to overflow a static buffer by sending an IM containing a very large URL greater than 8192 bytes to the Gaim user. This is not possible on all...
tiff -- buffer overflow vulnerability
A Gentoo Linux Security Advisory reports: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafte...
gaim -- MSN remote DoS vulnerability
The GAIM team reports: Potential remote denial of service bug resulting from not checking a pointer for non-NULL before passing it to strncmp, which results in a crash. This can be triggered by a remote client sending an SLP message with an empty body...
mozilla -- code execution via javascript: IconURL vulnerability
A Mozilla Foundation Security Advisory reports: Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system. The problem is that "IFRAME" JavaScript URLs are not properly protected from bein...
mysql-server -- insecure temporary file creation
A Zataz advisory reports that MySQL contains a security flaw which could allow a malicious local user to inject arbitrary SQL commands during the initial database creation process. The problem lies in the mysqlinstalldb script which creates temporary files based on the PID used by the script...
qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests
Georgi Guninski writes: There are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem, not counting the memory consumption DoS, which just helps. Update: the problem with the signed index is exploitable on FreeBSD 5.4 amd64 wi...
leafnode -- fetchnews denial-of-service triggered by transmission abort/timeout
When an upstream server aborts the transmission or stops sending data after the fetchnews program has requested an article header or body, fetchnews may crash, without querying further servers that are configured. This can prevent articles from being fetched...
ethereal -- multiple protocol dissectors vulnerabilities
An Ethereal Security Advisory reports: An aggressive testing program as well as independent discovery has turned up a multitude of security issues. Please reference the CVE/URL list for details...
postgresql -- character conversion and tsearch2 vulnerabilities
The postgresql development team reports: The more severe of the two errors is that the functions that support client-to-server character set conversion can be called from SQL commands by unprivileged users, but these functions are not designed to be safe against malicious choices of argument...
libtomcrypt -- weak signature scheme with ECC keys
The Secure Science Corporation reports that libtomcrypt is vulnerable to a weak signature scheme. This allows an attacker to create a valid random signature and use that to sign arbitrary messages without requiring the private key...
plans -- multiple vulnerabilities
Secunia reports: A vulnerability has been reported in Plans, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "evtid" parameter in "plans.cgi" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries...
rkhunter -- insecure temporary file creation
Gentoo reports: Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux Security Team have reported that the checkupdate.sh script and the main rkhunter script insecurely create several temporary files with predictable filenames. A local attacker could create symbolic links in the...
ImageMagick -- ReadPNMImage() heap overflow vulnerability
Damian Put reports about ImageMagick: Remote exploitation of a heap overflow vulnerability could allow execution of arbitrary code or cause denial of service. A heap overflow exists in the ReadPNMImage function, which is used to decode PNM image files...
kdelibs -- kimgio input validation errors
A KDE Security Advisory reports: kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to...
egroupware -- multiple cross-site scripting (XSS) and SQL injection vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in eGroupware before 1.0.0.007 allow remote attackers to inject arbitrary web script or HTML via the abid, page, type, or lang parameter to index.php or the categoryid parameter. Multiple SQL injection vulnerabilities in index.php in...
gzip -- directory traversal and permission race vulnerabilities
Problem Description: Two problems related to extraction of files exist in gzip: The first problem is that gzip does not properly sanitize filenames containing "/" when uncompressing files using the -N command line option. The second problem is that gzip does not set permissions on newly extracted...
kdewebdev -- kommander untrusted code execution vulnerability
A KDE Security Advisory reports: Kommander executes without user confirmation data files from possibly untrusted locations. As they contain scripts, the user might accidentally run arbitrary code. Impact: Remotely supplied kommander files from untrusted sources are executed without confirmation...
coppermine -- IP spoofing and XSS vulnerability
GHC team reports about coppermine: The lack of sanitizing of user defined variables may result in undesirable consequences such as IP spoofing or XSS attack. Generally users of Coppermine Gallery can post comments. Remote address & x-forwarded-for variables are logged for admin's eyes...
mplayer & libxine -- MMS and Real RTSP buffer overflow vulnerabilities
A xine security announcement reports: By a user receiving data from a malicious network streaming server, an attacker can overrun a heap buffer, which can, on some systems, lead to or help in executing attacker-chosen malicious code with the permissions of the user running a xine-lib based media...
axel -- remote buffer overflow
A Debian Security Advisory reports: Ulf Härnhammar from the Debian Security Audit Project discovered a buffer overflow in axel, a light download accelerator. When reading remote input the program did not check if a part of the input can overflow a buffer and maybe trigger the execution of arbitra...
mozilla -- privilege escalation via DOM property overrides
A Mozilla Foundation Security Advisory reports: mozbugra4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileg...
oops -- format string vulnerability
A RST/GHC Advisory reports that there is a format string vulnerability in oops. The vulnerability can be found in the MySQL/PgSQL authentication module. Successful exploitation may allow execution of arbitrary code...
junkbuster -- heap corruption vulnerability and configuration modification vulnerability
A Debian advisory reports: James Ranson discovered that an attacker can modify the referrer setting with a carefully crafted URL by accidentally overwriting a global variable. Tavis Ormandy from the Gentoo Security Team discovered several heap corruptions due to inconsistent use of an internal...
wordpress -- multiple vulnerabilities
A Gentoo Linux Security Advisory reports: Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the...