Computer Security

Microsoft Internet Explorer DoS
Published: 09.11.2009
SecurityVulns ID: 10384
Type: client
Threat Level: 4/10
Description: Unremovable dialog produced by a looped setHomePage call.
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
Original documents:
 MustLive, DoS vulnerability in Internet Explorer (09.11.2009)
 MustLive, DoS vulnerability in Internet Explorer 7 (09.11.2009)
 MustLive, DoS vulnerability in Internet Explorer (09.11.2009)

Pidgin DoS
updated since 09.11.2009
Published: 09.11.2009
SecurityVulns ID: 10386
Type: remote
Threat Level: 5/10
Description: Crash on OSCAR protocol contact list parsing (ICQ and AIM).
CVE: CVE-2009-3615 (The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.)
Original documents:
 DEBIAN, [SECURITY] [DSA 1932-1] New pidgin packages fix arbitrary code execution (09.11.2009)

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 09.11.2009
Published: 09.11.2009
SecurityVulns ID: 10385
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: PIGALLE : Pigalle 0.76
 TOUTVIRTUAL : VirtualIQ Professional 3.2
Original documents:
 Claudio Criscione, ToutVirtual VirtualIQ Multiple Vulnerabilities (09.11.2009)
 MustLive, Vulnerabilities in Pigalle (09.11.2009)

Apple Safari buffer overflow
Published: 09.11.2009
SecurityVulns ID: 10387
Type: remote
Threat Level: 7/10
Description: Buffer overflow on oversized CSS background attribute.
Affected: APPLE : Safari 4.0
Original documents:
 Jeremy Brown, Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit (09.11.2009)
Files: Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit

Apache Tomcat for Windows backdoor account
Published: 09.11.2009
SecurityVulns ID: 10389
Type: remote
Threat Level: 6/10
Description: An admin account with an empty password is created during installation.
Affected: APACHE : Tomcat 5.5
 APACHE : Tomcat 6.0
CVE: CVE-2009-3548 (The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.)
Original documents:
 APACHE, [SECURITY] CVE-2009-3548 Apache Tomcat Windows Installer insecure default administrative password (09.11.2009)

SSL data injection
updated since 09.11.2009
Published: 10.02.2010
SecurityVulns ID: 10388
Type: m-i-t-m
Threat Level: 8/10
Description: Plaintext data injection via SSL/TLS in-session renegotiation.
Affected: OPENSSL : OpenSSL 0.9
 PROFTPD : ProFTPD 1.3
 APACHE : Apache 2.2
 ARUBANETWORKS : ArubaOS 2.4
 ARUBANETWORKS : ArubaOS 2.5
 ARUBANETWORKS : ArubaOS 3.1
 ARUBANETWORKS : ArubaOS 3.3
 GNU : GnuTLS 2.8
 ARUBANETWORKS : ArubaOS 3.4
 MOZILLA : Mozilla Network Security Services 3.12
CVE: CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.)
Original documents:
 ARUBANETWORKS, Aruba Advisory ID: AID-020810 TLS Protocol Session Renegotiation Security Vulnerability (10.02.2010)
 RedTeam Pentesting, TLS Renegotiation Vulnerability: Proof of Concept Code (Python) (22.12.2009)
 MANDRIVA, [ MDVSA-2009:337 ] proftpd (22.12.2009)
 Thierry Zoller, TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability) (30.11.2009)
 Thierry Zoller, TLS / SSLv3 vulnerability explained (DRAFT) (18.11.2009)
 CISCO, Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability (11.11.2009)
 MANDRIVA, [ MDVSA-2009:295 ] apache (09.11.2009)
Files: PoC exploit for the TLS renegotiation vulnerability (CVE-2009-3555)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod