Computer Security
[EN] securityvulns.ru no-pyccku


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:17.02.2011
Source:
SecurityVulns ID:11441
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:COPPERMINE : Coppermine 1.5
 DRUPAL : Drupal 6.20
 FLATNUX : flatnux 2011 01.26
 APACHE : Archiva 1.2
Original documentdocumentAPACHE, [SECURITY] CVE-2011-0533: Apache Archiva cross-site scripting vulnerability (17.02.2011)
 documentHigh-Tech Bridge Security Research, HTB22834: Path disclosure in FlatnuX (17.02.2011)
 documentHigh-Tech Bridge Security Research, HTB22835: DoS (Denial of Service) Risk in FlatnuX (17.02.2011)
 documentHigh-Tech Bridge Security Research, HTB22836: Path disclosure in Coppermine (17.02.2011)
 documentMustLive, Уязвимость в reCAPTCHA для Drupal (17.02.2011)
 documentMustLive, Уязвимости в Drupal (17.02.2011)

Tembria Server Monitor security vulnerability
Published:17.02.2011
Source:
SecurityVulns ID:11442
Type:remote
Threat Level:
5/10
Description:Weak cryptography, crossite scripting.
Affected:TEMBRIA : Tembria Server Monitor 6.0
Original documentdocumentrobkraus_(at)_solutionary.com, Tembria Server Monitor Weak Cryptographic Password Storage Vulnerability (17.02.2011)
 documentrobkraus_(at)_solutionary.com, Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities (17.02.2011)

Oracle Java multiple security vulnerabilities / OpenJDK
Published:17.02.2011
Source:
SecurityVulns ID:11443
Type:library
Threat Level:
8/10
Description:Over 20 of different vulnerabilities.
Affected:ORACLE : JDK 5.0
 ORACLE : Jre 6.0
 ORACLE : JDK 6.0
 ORACLE : OpenJDK 6
CVE:CVE-2011-0706 (The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor.")
 CVE-2010-4476 (The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.)
 CVE-2010-4475 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2010-4474 (Unspecified vulnerability in the Java DB component in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows local users to affect confidentiality via unknown vectors related to Security, a similar vulnerability to CVE-2009-4269.)
 CVE-2010-4473 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.)
 CVE-2010-4472 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations.")
 CVE-2010-4471 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.)
 CVE-2010-4470 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator.")
 CVE-2010-4469 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs.")
 CVE-2010-4468 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to JDBC.)
 CVE-2010-4467 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2010-4466 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, Solaris, and, Linux; 5.0 Update 27 and earlier for Windows; and 1.4.2_29 and earlier for Windows allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2010-4465 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or "clipboard access in Applets.")
 CVE-2010-4463 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 21 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2010-4462 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.)
 CVE-2010-4454 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.)
 CVE-2010-4452 (Unspecified vulnerability in the Deployment component in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-4451 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, when using Java Update, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.)
 CVE-2010-4450 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.)
 CVE-2010-4448 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets.")
 CVE-2010-4447 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2010-4422 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
Original documentdocumentZDI, ZDI-11-086: Oracle Java Webstart Trusted JNLP Extension Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-083: Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-085: Oracle Java XGetSamplePtrFromSnd Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-084: Oracle Java Unsigned Applet Applet2ClassLoader Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-082: Oracle Java Runtime NTLM Authentication Information Leakage Vulnerability (17.02.2011)
Files:Oracle Java SE and Java for Business Critical Patch Update Advisory - February 2011

passwd / shadow vulnerabilities
updated since 17.02.2011
Published:18.02.2011
Source:
SecurityVulns ID:11444
Type:local
Threat Level:
5/10
Description:It's possible to inject newlines into /etc/passwd
Affected:DEBIAN : passwd 4.1
CVE:CVE-2011-0721 (Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.)
Original documentdocumentDEBIAN, [SECURITY] [DSA 2164-1] shadow security update (17.02.2011)
 documentUBUNTU, [USN-1065-1] shadow vulnerability (17.02.2011)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod