Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		10.11.2008
Source:
SecurityVulns ID:		9411
Type:		remote
Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc. CimWebCenter: crossite scripting, informationleakage.

Affected:		GALLERY : Gallery 1.5
		INDISGUISE : Enthusiast 3.1
		MOINMOIN : MoinMoin 1.5
		HMAILSERVER : hMAilServer 4.4
		CIMWEBCENTER : CimWebCenter 4.0
		COLLABTIVE : Collabtive 0.4
		GALLERY : Gallery 2.2
		ARABPORTAL : Arab Portal 2.1
		BOGDUMP : BigDump 0.29
CVE:		CVE-2008-4931 (Cross-site scripting (XSS) vulnerability in the account module in firmCHANNEL Digital Signage 3.24, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the action parameter to index.php.)
		CVE-2008-4130 (Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page.")
		CVE-2008-4129 (Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.)
		CVE-2008-3662 (Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.)
		CVE-2008-3600 (Directory traversal vulnerability in contrib/phpBB2/modules.php in Gallery 1.5.7 and 1.6-alpha3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx parameter within a modload action.)

Original document		XiaShing_(at)_gmail.com, Remote access vulnerability using BigDump ver. 0.29b (10.11.2008)
		r3d.w0rm_(at)_yahoo.com, Arab Portal v2.1 Remote File Disclosure (Win32) (10.11.2008)
		nospam_(at)_email.it, hMAilServer 4.4.2 (PHPWebAdmin) local & remote file inclusion (10.11.2008)
		Brad Antoniewicz, FirmChannel Digital Signage 3.24 Cross-site scripting (10.11.2008)
		beenudel1986_(at)_gmail.com, DriveCMS article.php remote sql injection (10.11.2008)
		admin_(at)_bugreport.ir, Enthusiast 3 Remote Code Execution (10.11.2008)
		f.bianchino_(at)_gmail.com, Metrica Service Assurance Multiple Cross Site Scripting (10.11.2008)
		XiaShing_(at)_gmail.com, Multiple remote vulnerabilities MoinMoin v1.80 (10.11.2008)
		ascii, Collabtive 0.4.8 Multiple Vulnerabilities (10.11.2008)
		MustLive, Vulnerabilities in CimWebCenter (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

Graphviz array index overflow
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9412
Type:		local
Level:		5/10
Description:		Array index overflow on DOT file with large number of Agraph_t elements.

Affected:		GRAPHVIZ : graphviz 2.20
CVE:		CVE-2008-4555 (Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements.)

Original document

GENTOO, [ GLSA 200811-04 ] Graphviz: User-assisted execution of arbitrary code (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

Microsoft Windows UnhookWindowsHookEx() DoS
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9415
Type:		local
Level:		5/10
Description:		Race conditions on UnhookWindowsHookEx() call during active desktop switichin cause system to hang or crash.

Affected:		MICROSOFT : Windows 2003 Server
		MICROSOFT : Windows Vista

Original document

support_(at)_killprog.com, BSOD in Win'2k3, Vista x86 and x64 by nonpriviledged user (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

FAAD2 library buffer overflow
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9413
Type:		library
Level:		6/10
Description:		Buffer overflow on MPEG-4 files parsing.

Affected:		FAAD2 : faad2 2.6
CVE:		CVE-2008-4201 (Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file.)

Original document

GENTOO, [ GLSA 200811-03 ] FAAD2: User-assisted execution of arbitrary code (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

VLC Media Player security vulnerabilities
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9421
Type:		client
Level:		5/10
Description:		Buffer overflows on RealText and .cue files parsing.

Affected:

VIDEOLAN : VLC media player 0.9

Original document		tk_(at)_trapkit.de, [TKADV2008-011] VLC media player RealText Processing Stack Overflow Vulnerability (10.11.2008)
		tk_(at)_trapkit.de, [TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

OpenFire jabber server multiple security vulnerabilities
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9417
Type:		remote
Level:		8/10
Description:		Authentication bypass, SQL injection, crossite scripting.

Affected:

JIVE : Openfire 3.6

Original document

Andreas Kurtz, [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...) (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

Dovecot IMAP server DoS
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9418
Type:		remote
Level:		6/10
Description:		Assertion on message headers parsing.

Affected:		DOVECOT : Dovecot 1.1
CVE:		CVE-2008-4907 (The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug.")

Original document

UBUNTU, [USN-666-1] Dovecot vulnerability (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

VMWare security vulnereabilities
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9419
Type:		local
Level:		6/10
Description:		Privilege escalation in guest OS due to invalid CPU emulation, directory traversal.

Affected:		VMWARE : VMware Workstation 5.5
		VMWARE : VMware Player 1.0
		VMWARE : VMware Server 1.0
		VMWARE : VMware ACE 1.0
		VMWARE : VMWare Workstation 6.0
		VMWARE : VMware Player 2.0
		VMWARE : VMware ESX 3.0
		VMWARE : VMware ESX 2.5
		VMWARE : VMware ESXi 3.5
		VMWARE : VMware ESX 3.5
CVE:		CVE-2008-4915 (The CPU hardware emulation in VMware Workstation 6.0.5 and earlier and 5.5.8 and earlier; Player 2.0.x through 2.0.5 and 1.0.x through 1.0.8; ACE 2.0.x through 2.0.5 and earlier, and 1.0.x through 1.0.7; Server 1.0.x through 1.0.7; ESX 2.5.4 through 3.5; and ESXi 3.5, when running 32-bit and 64-bit guest operating systems, does not properly handle the Trap flag, which allows authenticated guest OS users to gain privileges on the guest OS.)
		CVE-2008-4281 (Directory traversal vulnerability in VMWare ESXi 3.5 before ESXe350-200810401-O-UG and ESX 3.5 before ESX350-200810201-UG allows administrators with the Datastore.FileManagement privilege to gain privileges via unknown vectors.)

Original document		ds.adv.pub_(at)_gmail.com, VMware Emulation Flaw x64 Guest Privilege Escalation (2/2) (10.11.2008)
		VMWARE, VMSA-2008-0018 VMware Hosted products and patches for ESX and ESXi resolve two security issues (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

HP Tru64 Unix showfile privilege escalation
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9420
Type:		local
Level:		5/10

Affected:		HP : Tru64 UNIX 5.1
CVE:		CVE-2008-4414 (Unspecified vulnerability in the AdvFS showfile command in HP Tru64 UNIX 5.1B-3 and 5.1B-4 allows local users to gain privileges via unspecified vectors.)

Original document

HP, [security bulletin] HPSBTU02383 SSRT080098 rev.1 - HP Tru64 UNIX running AdvFS "showfile" command, Local Gain Extended Privileges (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

NOS GetPlus download manager ActiveX buffer overflow / Acrobat Reader
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9422
Type:		client
Level:		5/10

Affected:		ADOBE : Adobe Reader 8.1
		NOS : getPlus 1.2
CVE:		CVE-2008-4817 (The Download Manager in Adobe Acrobat Professional and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a crafted PDF document that calls an AcroJS function with a long string argument, triggering heap corruption.)

Original document

IDEFENSE, iDefense Security Advisory 11.04.08: Multiple Vendor NOS Microsystems getPlus Downloader Stack Buffer Overflow Vulnerability (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

Aruba Mobility Controller informaton leakage
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9423
Type:		remote
Level:		5/10
Description:		Knowing any SNMP community with read access it's possible to learn any SNMP community.

Original document

nnposter_(at)_disclosed.not, Aruba Mobility Controller SNMP Community String Disclosure (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

ClamAV antivirus buffer overflow
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		9416
Type:		remote
Level:		7/10
Description:		Buffer overflowon VBS files parsing.

Affected:

CLAMAV : ClamAV 0.94

Original document

Moritz Jodeit, ClamAV get_unicode_name() off-by-one buffer overflow (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

MySQL privilege escalation updated since 22.07.2008
Published:		10.11.2008
Source:		CVE
SecurityVulns ID:		9164
Type:		local
Level:		5/10
Description:		It's possible to specify file of different database in CREATE TABLE.

Affected:		MYSQL : MySQL 4.1
		ORACLE : MySQL 5.0
		ORACLE : MySQL 5.1
		MYSQL : MySQL 6.0
CVE:		CVE-2008-4098 (MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.)
		CVE-2008-4097 (MySQL 5.0.51a allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are associated with symlinks within pathnames for subdirectories of the MySQL home data directory, which are followed when tables are created in the future. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-2079.)
		CVE-2008-2079 (MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.)

Original document

DEBIAN, [SECURITY] [DSA 1662-1] New mysql-dfsg-5.0 packages fix authorization bypass (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)

Microsoft Windows Explorer buffer overflow updated since 01.06.2006
Published:		10.11.2008
Source:		BUGTRAQ
SecurityVulns ID:		6207
Type:		local
Level:		5/10
Description:		Buffer overflow during right-click on .url file with oversized mhtml://mid: URL. Vulnerability can be used for hidden malware installation.

Affected:		MICROSOFT : Windows XP
		MICROSOFT : Windows 2003 Server

Original document		MustLive, DoS vulnerability in Total Commander (10.11.2008)
		MICROSOFT, Microsoft Security Bulletin MS06-043 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214) (08.08.2006)
		Mr.Niega_(at)_gmail.com, Internet explorer Vulnerbility (01.06.2006)

Files:		Explorer.exe .url file crash PoC
		Microsoft Security Bulletin MS06-043 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
Discuss:		Read or add your comments to this news (0 comments)

net-snmp multiple security vulnerabilities updated since 10.11.2008
Published:		20.07.2009
Source:		BUGTRAQ
SecurityVulns ID:		9414
Type:		remote
Level:		6/10
Description:		Buffer overflow in snmp_get, integer overflow in SNMP agent.

Affected:		NETSNMP : Net-SNMP 5.1
		NETSNMP : Net-SNMP 5.2
		NETSNMP : Net-SNMP 5.4
CVE:		CVE-2009-1887 (agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP GETBULK request that triggers a divide-by-zero error. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-4309.)
		CVE-2008-4309 (Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.)
		CVE-2008-2292 (Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).)

Original document		MANDRIVA, [ MDVSA-2009:156 ] net-snmp (20.07.2009)
		DEBIAN, [SECURITY] [DSA 1663-1] New net-snmp packages fix several vulnerabilities (10.11.2008)

Discuss:

Read or add your comments to this news (0 comments)