Secunia Research: Joomla BSQ Sitestats Component Multiple Vulnerabilities
==
Secunia Research 29/09/2006
- Joomla BSQ Sitestats Component Multiple Vulnerabilities -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

BSQ Sitestats (component for Joomla) 1.x

NOTE: Other versions may also be affected.
==
2) Severity

Rating: Highly critical
Impact: System access
        Manipulation of data
        Cross Site Scripting
Where:  From remote
==
3) Vendor's Description of Software

BSQ Sitestats is a site stats module that is lightweight on the front end but offers both tabular and graphical summaries of site visitors' sessions on the backend.

Product Link: http://developer.joomla.org/sf/projects/bsq_sitestats
==
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in the BSQ Sitestats component for Joomla, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and to compromise a vulnerable system.

1) Input passed to the ip form field parameter when performing an IP Address Lookup is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a logged in administrator's browser session in context of an affected site.

2) Input passed to multiple parameters when importing the ip-to-country.csv file is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code when an administrator is tricked into importing a malicious ip-to-country.csv file.

3) Input passed via the HTTP Referer, the HTTP User Agent, and the HTTP Accept Language Header in bsqtemplateinc.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is disabled.

4) Input passed to the baseDir parameter in components/com_bsq_sitestats/external/rssfeeds.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that register_globals is enabled.

The vulnerabilities have been confirmed in version 1.8.0. Other versions may also be affected.
==
5) Solution

The vulnerabilities have been fixed in version 2.2.1.
==
6) Time Table

14/09/2006 - Vendor notified.
14/09/2006 - Vendor response.
17/09/2006 - Vendor releases fixed version 2.2.1.
29/09/2006 - Public disclosure.
==
7) Credits

Discovered by Sven Krewitt, Secunia Research.
==
8) References

None assigned.
==
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories
Secunia Research: Tagger LE PHP eval() Injection Vulnerabilities
==
Secunia Research 14/09/2006
- Tagger LE PHP eval() Injection Vulnerabilities -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerabilities
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

Tagger LE latest version (product has no version information).

Other versions may also be affected.
==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From Remote
==
3) Vendor's Description of Software

Tagger LE is a tagboard (mini message board) that will add visitor interactivity with your website and a form of communication to one and another. Tagger's many features include an Administration panel, IP Banning, Smart Auto Refresh, Smilies, Imposter prevention, and more. A perfect addition to a website lacking interactivity. This solution uses a Flat File Database (MySQL is not required).

Product link: http://www.venturenine.com/
==
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in Tagger LE, which can be exploited by malicious people to compromise a vulnerable system.

Input passed via the query string in tags.php, sign.php, and admin/index.php isn't properly sanitised before being used in an eval() call. This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter name or value.

Examples:
http://[host]/tags.php?foo=%22.[code].%22
http://[host]/sign.php?foo=%22.[code].%22
http://[host]/admin/index.php?foo=%22.[code].%22
http://[host]/taggerLE/tags.php?foo;[code];$foo=foo
http://[host]/taggerLE/sign.php?foo;[code];$foo=foo
http://[host]/admin/index.php?foo;[code];$foo=foo
==
5) Solution

Edit the source code to ensure that input is properly sanitised.
==
6) Time Table

30/08/2006 - Initial vendor notification.
13/09/2006 - Final reminder.
14/09/2006 - Public disclosure.
==
7) Credits

Discovered by Andreas Sandblad, Secunia Research.
==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-4437 for the vulnerabilities.
==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-62/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: PC Tools AntiVirus Insecure Default Directory Permissions
==
Secunia Research 03/08/2006
- PC Tools AntiVirus Insecure Default Directory Permissions -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

PC Tools AntiVirus 2.1.0.51.

Other versions may also be affected.
==
2) Severity

Rating: Less critical
Impact: Privilege Escalation
Where:  Local system
==
3) Vendor's Description of Software

With PC Tools AntiVirus you are protected against the most nefarious cyber-threats attempting to gain access to your PC and personal information.

Product Link: http://www.pctools.com/anti-virus/
==
4) Description of Vulnerability

Secunia Research has discovered a security issue in PC Tools AntiVirus, which can be exploited by malicious, local users to gain escalated privileges.

The problem is caused due to the application setting insecure default permissions (grants Everyone group Full Control) on the PC Tools AntiVirus directory and all child objects. This can be exploited to remove, manipulate, and replace any of the application's files.

Successful exploitation allows execution of arbitrary commands with SYSTEM privileges.
==
5) Solution

Grant only trusted users access to affected systems.

Set proper permissions on the directory and all child objects (this may impact the functionality).
==
6) Time Table

19/07/2006 - Vendor notified.
02/08/2006 - Vendor notified again.
03/08/2006 - Public disclosure.
==
7) Credits

Discovered by Carsten Eiram, Secunia Research.
==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3114 for the vulnerabilities.
==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-51/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: Jetbox Multiple Vulnerabilities
==
Secunia Research 02/08/2006
- Jetbox Multiple Vulnerabilities -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

Jetbox CMS 2.1 SR1

Other versions may also be affected.
==
2) Severity

Rating: Highly critical
Impact: System access
        Exposure of system information
        Manipulation of data
        Cross-Site Scripting
        Hijacking
Where:  From remote
==
3) Vendor's Description of Software

Jetbox content management system is seriously tested on usability and has a professional intuitive interface.

Product Link: http://jetbox.streamedge.com/index.php
==
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Jetbox CMS, which can be exploited by malicious people to conduct session fixation attacks, disclose certain system information, conduct cross-site scripting, script insertion, and SQL injection attacks, and compromise a vulnerable system.

1) An error in the handling of sessions during login to the administration section can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.

2) Input passed via the URL is not properly sanitised before being used in a dynamic variable evaluation in index.php. This can be exploited to overwrite certain configuration variables.

Successful exploitation e.g. leads to disclosure of certain system information via phpinfo or execution of arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed to the login parameter in admin/cms/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) Input passed to formmail.php via the Supply news page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

This is related to: SA13576

5) Input passed via the URL is not properly sanitised before being returned in the Site statistics page in the administration section. This can be exploited to insert arbitrary HTML and script code, which is executed in an administrative user's browser session in context of an affected site when statistics are viewed.

6) Input passed to the query_string form field parameter when performing a search is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in an administrative user's browser session in context of an affected site when search statistics are viewed.

7) Input passed to the frontsession cookie parameter, the view parameter in index.php, and to the login parameter in admin/cms/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation may lead to execution of arbitrary PHP code by including files from external resources, but requires that magic_quotes_gpc is disabled.
==
5) Solution

Use another product.
==
6) Time Table

14/07/2006 - Initial vendor notification.
21/07/2006 - Second vendor notification.
02/08/2006 - Public disclosure.
==
7) Credits

Discovered by Sven Krewitt, Secunia Research.
==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3583 (session fixation), CVE-2006-3584 (overwriting configuration variables), CVE-2006-3585 (cross-site
Secunia Research: Mozilla Firefox XPCOM Event Handling Memory Corruption
==
Secunia Research 27/07/2006
- Mozilla Firefox XPCOM Event Handling Memory Corruption -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

Mozilla Firefox 1.5.0.1, 1.5.0.2, 1.5.0.3, and 1.5.0.4.

NOTE: Other versions may also be affected.
==
2) Severity

Rating: Highly critical
Impact: System access
Where:  Remote
==
3) Vendor's Description of Software

The award-winning, free Web browser is better than ever. Browse the Web with confidence - Firefox protects you from viruses, spyware and pop-ups. Enjoy improvements to performance, ease of use and privacy. It's easy to import your favorites and settings and get started.

Product Link: http://www.mozilla.com/firefox/
==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a memory corruption error within the handling of simultaneously happening XPCOM events resulting in the use of a deleted timer object.

Successful exploitation allows execution of arbitrary code.
==
5) Solution

Update to version 1.5.0.5.
==
6) Time Table

22/06/2006 - Vendor notified.
23/06/2006 - Vendor response.
27/07/2006 - Public disclosure.
==
7) Credits

Discovered by Carsten Eiram, Secunia Research.
==
8) References

Mozilla.org:
http://www.mozilla.org/security/announce/2006/mfsa2006-46.html

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3113 for the vulnerability.
==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-53/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: AutoVue SolidModel Professional Buffer Overflow Vulnerability
==
Secunia Research 26/07/2006
- AutoVue SolidModel Professional Buffer Overflow Vulnerability -
==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification
==
1) Affected Software

* AutoVue SolidModel Professional Desktop Edition version 19.1 Build 5993.

Other versions may also be affected.
==
2) Severity

Rating: Moderately Critical
Impact: System Access
Where:  Remote
==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in AutoVue SolidModel Professional Desktop Edition, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the handling of ARJ, RAR, and ZIP archives. This can be exploited to cause a stack-based buffer overflow when a malicious archive containing a file with an overly long filename is opened.

Successful exploitation allows execution of arbitrary code.
==
4) Solution

Do not open untrusted archives.
==
5) Time Table

07/07/2006 - Initial vendor notification.
12/07/2006 - Second vendor notification.
19/07/2006 - Third vendor notification.
26/07/2006 - Public disclosure.
==
6) Credits

Discovered by Tan Chew Keong, Secunia Research.
==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3350 for the vulnerability.
==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-56/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: FileCOPA Directory Argument Handling Buffer Overflow
==
Secunia Research 25/07/2006
- FileCOPA Directory Argument Handling Buffer Overflow -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

FileCOPA 1.01 released 2006-07-18.

NOTE: Other versions may also be affected.
==
2) Severity

Rating: Moderate (High with anonymous access enabled)
Impact: System compromise
Where:  Remote
==
3) Vendor's Description of Software

FileCOPA takes the hard work out of running an FTP Server. The FileCOPA FTP Server Software installs on any version of the Microsoft Windows operating system with just a few clicks of the mouse and automatically configures itself for anonymous operation.

Product Link: http://www.filecopa.com/
==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in FileCOPA, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an integer underflow error in the FTP service (filecpnt.exe) when processing directory arguments passed to certain FTP commands (e.g. CWD, DELE, MDTM, and MKD). This can be exploited to cause a stack-based buffer overflow by passing a specially crafted, overly long argument to one of the affected FTP commands.

Successful exploitation allows execution of arbitrary code.
==
5) Solution

Update to version 1.01 released 2006-07-21.
==
6) Time Table

21/07/2006 - Vendor notified.
21/07/2006 - Vendor response.
25/07/2006 - Public disclosure.
==
7) Credits

Discovered by Carsten Eiram, Secunia Research.
==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3768 for the vulnerability.
==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-55/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: IceWarp Web Mail Two File Inclusion Vulnerabilities
==
Secunia Research 17/07/2006
- IceWarp Web Mail Two File Inclusion Vulnerabilities -
==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification
==
1) Affected Software

* Merak Mail Server version 8.3.8.r with IceWarp Web Mail 5.6.0.

Other versions may also be affected.
==
2) Severity

Rating: Highly Critical
Impact: System access
        Exposure of sensitive information
Where:  Remote
==
3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in IceWarp Web Mail, which can be exploited by malicious users and by malicious people to disclose potentially sensitive information and compromise a vulnerable system.

1) Input passed to the language and lang_settings parameters in /accounts/inc/include.php and /admin/inc/include.php is not properly sanitised by the securepath() function before being used to include files. This can be exploited to include arbitrary files from local resources on the Windows platform using full pathnames. This can further be exploited to execute arbitrary PHP code by injecting the code into the mail server's log file and including it.

Example:
http://[host]:32000/admin/inc/include.php?
language=0lang_settings[0][1]=c:\[file]%00

The vulnerability is related to #5 in:
SA17046

Successful exploitation allows execution of arbitrary PHP code on a vulnerable server without requiring authentication.

2) Input passed to the language parameter in /mail/settings.html is not properly validated before being saved to the database. This can be exploited in conjunction with overwrite of the lang_settings variable, which is not properly sanitised by the validatefolder() function, to include arbitrary files from local resources using full pathnames and from remote Windows shared folders using UNC pathnames.

Examples:
http://[host]:32000/mail/settings.html?
id=[current_id]Save_x=1language=TEST

http://[host]:32000/mail/index.html?
id=[curent_id]lang_settings[TEST]=test;
lang_settings[TEST]=test;c:\[file]%00;

http://[host]:32000/mail/index.html
?id=[curent_id]lang_settings[TEST]=test;
lang_settings[TEST]=test;\\[host]\[share]\[file]%00;

Successful exploitation allows execution of arbitrary PHP code on a vulnerable server but requires a valid logon.

The vulnerability is related to #7 in:
SA17046
==
4) Solution

Update to version 8.3.8.r with IceWarp Web Mail 5.6.1.
==
5) Time Table

21/02/2006 - Initial vendor notification.
22/02/2006 - Initial vendor reply and fixed version released.
17/07/2006 - Public disclosure.
==
6) Credits

Discovered by Tan Chew Keong, Secunia Research.
==
7) References

SA17046:
http://secunia.com/advisories/17046/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0817 (#1) and CVE-2006-0818 (#2) for the vulnerabilities.
==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-12/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: VisNetic Mail Server Two File Inclusion Vulnerabilities
==
Secunia Research 17/07/2006
- VisNetic Mail Server Two File Inclusion Vulnerabilities -
==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification
==
1) Affected Software

* Visnetic Mail Server version 8.3.5.

Other versions may also be affected.
==
2) Severity

Rating: Highly Critical
Impact: System access
        Exposure of sensitive information
Where:  Remote
==
3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Visnetic Mail Server, which can be exploited by malicious users and by malicious people to disclose potentially sensitive information and to compromise a vulnerable system.

1) Input passed to the language and lang_settings parameters in /accounts/inc/include.php and /admin/inc/include.php isn't properly sanitised by the securepath() function before being used to include files. This can be exploited to include arbitrary files from local resources on the Windows platform using full pathnames. This can further be exploited to execute arbitrary PHP code by injecting the code into the mail server's log file and including it.

Example:
http://[host]:32000/admin/inc/include.php?
language=0lang_settings[0][1]=c:\[file]%00

The vulnerability is related to #1 in:
SA17865

Successful exploitation allows execution of arbitrary PHP code on a vulnerable server without requiring authentication.

2) Input passed to the language parameter in /mail/settings.html isn't properly validated before being saved to the database. This can be exploited in conjunction with overwrite of the lang_settings variable, which isn't properly sanitised by the validatefolder() function, to include arbitrary files from local resources using full pathnames, and from remote Windows shared folders using UNC pathnames.

Examples:
http://[host]:32000/mail/settings.html?
id=[current_id]Save_x=1language=TEST

http://[host]:32000/mail/index.html?
id=[curent_id]lang_settings[TEST]=test;
lang_settings[TEST]=test;c:\[file]%00;

http://[host]:32000/mail/index.html
?id=[curent_id]lang_settings[TEST]=test;
lang_settings[TEST]=test;\\[host]\[share]\[file]%00;

Successful exploitation allows execution of arbitrary PHP code on a vulnerable server but requires a valid logon.

The vulnerability is related to #3 in:
SA17865
==
4) Solution

Update to version 8.5.0.5.
==
5) Time Table

21/02/2006 - Initial vendor notification.
21/02/2006 - Initial vendor reply.
01/06/2006 - Vendor reminder.
20/06/2006 - Vendor reminder.
13/07/2006 - Vendor reminder.
14/07/2006 - Fixed version released.
17/07/2006 - Public disclosure.
==
6) Credits

Discovered by Tan Chew Keong, Secunia Research.
==
7) References

SA17865:
http://secunia.com/advisories/17865/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0817 (#1) and CVE-2006-0818 (#2) for the vulnerabilities.
==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-14/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com
Secunia Research: BitZipper unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 17/07/2006
- BitZipper unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification
==
1) Affected Software

* BitZipper version 4.1 SR-1.

Other versions may also be affected.
==
2) Severity

Rating: Moderately Critical
Impact: System Access
Where:  Remote
==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in BitZipper, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to:
SA16479
==
4) Solution

Do not extract untrusted archives.
==
5) Time Table

02/05/2006 - Initial vendor notification.
16/05/2006 - Second vendor notification.
16/05/2006 - Initial vendor reply.
17/07/2006 - Public disclosure
==
6) Credits

Discovered by Secunia Research.
==
7) References

SA16479:
http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.
==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/
==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-46/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
==
Secunia Research: phpRaid SQL Injection and File Inclusion Vulnerabilities
==
Secunia Research 29/06/2006
- phpRaid SQL Injection and File Inclusion Vulnerabilities -
==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
==
1) Affected Software

phpRaid 3.0.4, 3.0.5, 3.0.6

Other versions may also be affected.
==
2) Severity

Rating: Highly critical
Impact: System access, manipulation of data
Where:  From remote
==
3) Vendor's Description of Software

phpRaid is a raid management tool for World of Warcraft

Product Link: http://www.spiffyjr.com
==
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in phpRaid, which can be exploited by malicious people to conduct SQL injection attacks or to compromise a vulnerable system.

1) Input passed to the raid_id parameter in view.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is disabled.

The vulnerability has been confirmed in version 3.0.4. Prior versions may also be affected.

2) Input passed via the URL is not properly sanitised before being used in a SQL query in the log_hack() function in includes/functions_logging.php. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is disabled.

The vulnerability has been confirmed in version 3.0.5. Other versions may also be affected.

3) Input passed to the phpraid_dir parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Affected files:
configuration.php
guilds.php
index.php
locations.php
login.php
lua_output.php
permissions.php
profile.php
raids.php
register.php
roster.php
view.php
logs.php (included in version 3.0.5)
users.php (included in version 3.0.5)

Successful exploitation requires that register_globals is enabled.

The vulnerabilities have been confirmed in version 3.0.4 and 3.0.5. Prior versions may also be affected.

4) Input passed to the phpraid_dir parameter in announcements.php and rss.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation requires that register_globals is enabled.

The vulnerabilities have been confirmed in version 3.0.6. Other versions may also be affected.

5) Input passed to the username and email form field parameters in register.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Note: This is only vulnerable if the option phpraid is chosen as authorisation type.

Successful exploitation can give an attacker access to the administration section.

Successful exploitation requires that magic_quotes_gpc is enabled.

The vulnerabilities have been confirmed in version 3.0.6. Other versions may also be affected.
==
5) Solution

Vulnerability #1 has been fixed in version 3.0.5, and vulnerabilities #2 and #3 have been fixed in version 3.0.6.

Edit the source code to ensure that input is properly verified and sanitised.
==
6) Time Table

26/05/2006 - Initial vendor notification.
29/05/2006 - Vendor response.
30/05/2006 - Second vendor notification.
08/06/2006 - Third vendor notification.
29/06/2006 - Public disclosure.
==
7) Credits

Discovered by Sven Krewitt, Secunia Research.
==
8) References

The Common Vulnerabilities and Exposures
Secunia Research: DeluxeBB SQL Injection and File Inclusion Vulnerabilities
== Secunia Research 14/06/2006 - DeluxeBB SQL Injection and File Inclusion Vulnerabilities - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerabilities, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

DeluxeBB 1.06
Other versions may also be affected.

Product link: http://www.deluxebb.com/

== 2) Severity

Rating: Highly critical
Impact: System access, manipulation of data
Where: From remote

== 3) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in DeluxeBB, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed to the templatefolder parameter in various scripts isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Examples:
http://[host]/templates/deluxe/postreply.php?templatefolder=[file]
http://[host]/templates/deluxe/posting.php?templatefolder=[file]
http://[host]/templates/deluxe/pm/newpm.php?templatefolder=[file]
http://[host]/templates/default/postreply.php?templatefolder=[file]
http://[host]/templates/default/posting.php?templatefolder=[file]
http://[host]/templates/default/pm/newpm.php?templatefolder=[file]

Successful exploitation requires that register_globals is enabled.

2) Input passed to the hideemail, languagex, xthetimeoffset, and xthetimeformat parameters when registering for an account isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is disabled.

The vulnerabilities have been confirmed in version 1.06. Other versions may also be affected.

== 4) Solution

Edit the source code to ensure that input is properly sanitised and verified.

== 5) Time Table

26/05/2006 - Initial vendor notification.
14/06/2006 - Public disclosure.

== 6) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2914 (file inclusion) and CVE-2006-2915 (SQL injection) for the vulnerabilities.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-44/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: Opera SSL Certificate Stealing Weakness
== Secunia Research 28/06/2006 - Opera SSL Certificate Stealing Weakness - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerabilities, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

Opera 8.54
Prior versions may also be affected.

== 2) Severity

Rating: Not critical
Impact: Spoofing
Where: From remote

== 3) Description of Vulnerabilities

Secunia Research has discovered a weakness in Opera, which can be exploited to display the SSL certificate from a trusted site on an untrusted site.

The weakness is caused due to Opera not resetting the SSL security bar after displaying a download dialog from a SSL enabled web site. This allows an untrusted web site to display yellow SSL security bar from a trusted web site.

NOTE: A more convincing exploit can be done using pop-up windows, which do not have a visible address bar.

== 4) Solution

Upgrade to version 9.0.

== 5) Time Table

31/03/2006 - Initial vendor notification.
28/06/2006 - Public disclosure.

== 6) Credits

Discovered by Jakob Balle, Secunia Research.

== 7) References

No references available.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-49/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: Internet Explorer Exception Handling Memory Corruption Vulnerability
== Secunia Research 14/06/2006 Internet Explorer Exception Handling Memory Corruption Vulnerability ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

Microsoft Internet Explorer 6.0
Prior versions may also be affected.

== 2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a memory corruption error within the handling of certain exceptional conditions. This can e.g. be exploited by registering an exception handler for an object and then trigger a certain condition via e.g. a certain sequence of nested object HTML tags.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious web site.

NOTE: This vulnerability is a variant of a browser crash bug initially reported by Michal Zalewski.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2 (without MS06-021). Prior versions may also be affected.

== 4) Solution

Apply patches. Please see MS06-021 (KB916281): http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx

== 5) Time Table

26/04/2006 - Initial vendor notification.
28/04/2006 - Vendor confirms vulnerability.
14/06/2006 - Public disclosure.

== 6) Credits

Discovered by Andreas Sandblad, Secunia Research.

Initial crash bug discovered by: Michal Zalewski

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2218 for the vulnerability.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-41/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: PicoZip zipinfo.dll Multiple Archives Buffer Overflow
== Secunia Research 14/06/2006 - PicoZip zipinfo.dll Multiple Archives Buffer Overflow - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

* PicoZip version 4.01

Prior versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System Access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in PicoZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the zipinfo.dll info tip shell extension when reading a ACE, RAR, or ZIP archive that contains a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when the user moves the mouse cursor over a malicious archive either in Windows Explorer or from any program that uses the file-open dialog box.

Successful exploitation allows arbitrary code execution.

== 4) Solution

Update to version 4.02.
http://www.picozip.com/downloads.html

== 5) Time Table

06/06/2006 - Initial vendor notification.
07/06/2006 - Initial vendor reply.
14/06/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2909 for the vulnerability.

Acubix: http://www.picozip.com/changelog.html

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-42/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: CMS Mundo SQL Injection and File Upload Vulnerabilities
== Secunia Research 14/06/2006 - CMS Mundo SQL Injection and File Upload Vulnerabilities - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerabilities, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

CMS Mundo 1.0 build 007
Prior versions may also be affected.

Product Link: http://www.hotwebscripts.com/index.php?mod=webshop&function=showDetails&id=76

== 2) Severity

Rating: Highly critical
Impact: System access, manipulation of data
Where: From remote

== 3) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in CMS Mundo, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed to the username parameter in controlpanel/ during login isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This can further be exploited to bypass the authentication process and access the administration section (by e.g. providing admin ' /* as the username together with an empty password).

Successful exploitation requires that magic_quotes_gpc is disabled.

2) An input validation error in the image upload handling in the image gallery can be exploited to upload arbitrary PHP scripts to a predictable location inside the web root.

Successful exploitation requires access to the administration section.

A combination of vulnerabilities #1 and #2 can be exploited by a malicious person to execute arbitrary PHP code on a vulnerable system.

The vulnerabilities have been confirmed in version 1.0 build 007. Prior versions may also be affected.

== 4) Solution

Update to version 1.0 build 008.

== 5) Time Table

30/05/2006 - Initial vendor notification.
30/05/2006 - Vendor confirms vulnerabilities.
14/06/2006 - Public disclosure.

== 6) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2911 (SQL injection) and CVE-2006-2931 (arbitrary file upload) for the vulnerabilities.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-43/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: MyBB domecode() PHP Code Execution Vulnerability
== Secunia Research 12/06/2006 - MyBB domecode() PHP Code Execution Vulnerability - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Vendor's Description of Software, 4) Description of Vulnerability, 5) Solution, 6) Time Table, 7) Credits, 8) References, 9) About Secunia, 10) Verification

== 1) Affected Software

MyBB 1.1.2
Prior versions may also be affected.

== 2) Severity

Rating: Highly critical
Impact: System access
Where: Remote

== 3) Vendor's Description of Software

MyBB is a powerful, efficient and free forum package developed in PHP and MySQL. MyBB has been designed with the end users in mind, you and your subscribers. Full control over your discussion system is presented right at the tip of your fingers, from multiple styles and themes to the ultimate customisation of your forums using the template system.

Product link: http://www.mybboard.com/

== 4) Description of Vulnerability

Secunia Research has discovered a vulnerability in MyBB, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the username field when registering isn't properly sanitised before being used in a preg_replace call with the e modifier in the domecode() function in inc/functions_post.php. This can be exploited to execute arbitrary PHP code by first registering with a specially crafted username and then previewing a post containing the /slap string.

The vulnerability has been confirmed in version 1.1.2. Prior versions may also be affected.

== 5) Solution

Update to version 1.1.3.
http://www.mybboard.com/downloads.php

== 6) Time Table

06/06/2006 - Initial vendor notification.
06/06/2006 - Vendor confirms vulnerability.
12/06/2006 - Public disclosure.

== 7) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2908 for the vulnerability.

== 9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 10) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-40/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities
== Secunia Research 09/06/2006 - SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Vendor's Description of Software, 4) Description of Vulnerabilities, 5) Solution, 6) Time Table, 7) Credits, 8) References, 9) About Secunia, 10) Verification

== 1) Affected Software

* SelectaPix 1.31

Prior versions may also be affected.

== 2) Severity

Rating: Moderately critical
Impact: Manipulation of data and cross-site scripting
Where: Remote

== 3) Vendor's Description of Software

SelectaPix is a free (GPL Licence), highly configurable PHP/MySQL image gallery system which can be integrated into your existing site in minutes. The password-protected admin section allows you to upload up to 10 jpeg images in one go, and arrange them into albums and sub-albums.

Product link: http://www.outofthetrees.co.uk/selectapix/index.php

== 4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in SelectaPix, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Some input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Examples:
http://[host]/view_album.php?albumID=[code]
http://[host]/popup.php?albumID=2&imageID=[code]
http://[host]/index.php?albumID=[code]

* The username and passwd parameters passed in admin/member.php.

This can further be exploited to bypass the authentication process and access the administration section.

Successful exploitation requires that magic_quotes_gpc is disabled (except for the albumID parameter).

2) Input passed to the albumID parameter in popup.php and view_album.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities have been confirmed in version 1.31. Prior versions may also be affected.

== 5) Solution

Update to version 1.4.
http://www.outofthetrees.co.uk/selectapix/index.php

== 6) Time Table

17/05/2006 - Initial vendor notification.
31/05/2006 - Vendor confirms vulnerabilities.
09/06/2006 - Public disclosure.

== 7) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2912 (SQL injection) and CVE-2006-2913 (cross-site scripting) for the vulnerabilities.

== 9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 10) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-39/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: AutoMate unacev2.dll Buffer Overflow Vulnerability
== Secunia Research 07/06/2006 - AutoMate unacev2.dll Buffer Overflow Vulnerability - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

* AutoMate version 6.1.0.0

Other versions may also be affected.

== 2) Severity

Rating: Less Critical
Impact: System Access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in AutoMate, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479

Successful exploitation requires that the user is e.g. tricked into scheduling a task to extract a malicious ACE archive.

== 4) Solution

The vendor reportedly released a fix on 2006-05-29.

Do not extract untrusted ACE archives.

== 5) Time Table

02/05/2006 - Initial vendor notification.
09/05/2006 - Initial vendor reply.
16/05/2006 - Vendor reminder.
16/05/2006 - Vendor reply.
30/05/2006 - Vendor reminder.
07/06/2006 - Public disclosure. (No reply from vendor)

== 6) Credits

Discovered by Secunia Research.

== 7) References

SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-38/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: Eserv/3 IMAP and HTTP Server Multiple Vulnerabilities
== Secunia Research 31/05/2006 - Eserv/3 IMAP and HTTP Server Multiple Vulnerabilities - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

* EServ/3 version 3.25

Prior versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: Security bypass
        Exposure of sensitive information
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Eserv/3, which can be exploited by malicious users to bypass certain security restrictions and to disclose potentially sensitive information, and by malicious people to gain access to potentially sensitive information.

1) Directory traversal errors exist in the CREATE, SELECT, DELETE, RENAME, COPY and APPEND commands of the IMAP service. This can be exploited by an authenticated user to read other users' emails, create/rename arbitrary directories on the system, and delete empty directories.

2) A validation error of the filename extension supplied by the user in the URL can be exploited to retrieve the source code of script files (e.g. PHP, PL) from the HTTP server via specially crafted requests containing dot, space and slash characters.

== 4) Solution

Update to version 3.26 or apply patch.

== 5) Time Table

15/05/2006 - Initial vendor notification.
15/05/2006 - Initial vendor reply.
31/05/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2308 and CVE-2006-2309 for the vulnerabilities.

EServ: http://www.eserv.ru/ru/news/news_detail.php?ID=235

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-37/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: ZipCentral ZIP File Handling Buffer Overflow Vulnerability
== Secunia Research 30/05/2006 - ZipCentral ZIP File Handling Buffer Overflow Vulnerability - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

* ZipCentral 4.01

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System Access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in ZipCentral, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of filenames in a ZIP archive. This can be exploited to cause a stack-based buffer overflow when a malicious ZIP archive containing a file with an overly long filename is extracted.

Successful exploitation allows arbitrary code execution.

== 4) Solution

Do not extract ZIP files from untrusted sources.

== 5) Time Table

25/05/2006 - Initial vendor notification.
30/05/2006 - Second vendor notification.
30/05/2006 - Public disclosure (email bounced).

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2439 for the vulnerability.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-35/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: CAM UnZip ZIP File Handling Buffer Overflow Vulnerability
== Secunia Research 19/05/2006 - CAM UnZip ZIP File Handling Buffer Overflow Vulnerability - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

* CAM UnZip version 4.0 and 4.3

Prior versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System Access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in CAM UnZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when listing the contents of a ZIP archive. This can be exploited to cause a stack-based buffer overflow when a malicious ZIP archive containing a file with an overly long filename is opened.

The vulnerability is related to: SA19945

== 4) Solution

Update to version 4.4.
http://www.camunzip.com/download.htm

== 5) Time Table

03/05/2006 - Initial vendor notification.
03/05/2006 - Initial vendor reply.
19/05/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

SA19945: http://secunia.com/advisories/19945/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2161 for the vulnerability.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-34/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
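Added example (not part of the Secunia advisories, and not code from any affected product): the ZipCentral and CAM UnZip advisories above both describe an overly long filename in a ZIP archive overflowing a stack buffer. The C code below shows the checks a reader of the ZIP local file header needs before copying an entry name into a fixed-size buffer. NAME_BUF_SIZE, the function names and the sample entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Public ZIP local file header layout: 4-byte signature, 22 bytes of fixed
 * fields, 2-byte filename length at offset 26, 2-byte extra-field length at
 * offset 28, filename bytes from offset 30. */
#define ZIP_LFH_SIG   0x04034b50u
#define ZIP_LFH_FIXED 30
#define NAME_BUF_SIZE 260   /* hypothetical fixed destination buffer */

enum zip_name_status {
    ZIP_NAME_OK = 0,
    ZIP_NAME_TRUNCATED_INPUT,  /* archive ends before the header or name does */
    ZIP_NAME_BAD_SIGNATURE,
    ZIP_NAME_TOO_LONG,         /* declared length does not fit the buffer */
    ZIP_NAME_EMBEDDED_NUL      /* name would be silently cut short as a C string */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the entry name of the local file header at `data` into `out`.
 * The attacker-controlled length field is checked against both the bytes
 * actually present and the destination size before any copy happens. */
enum zip_name_status zip_read_entry_name(const uint8_t *data, size_t len,
                                         char *out, size_t out_size)
{
    size_t name_len;

    if (out_size == 0)
        return ZIP_NAME_TOO_LONG;
    out[0] = '\0';
    if (len < ZIP_LFH_FIXED)
        return ZIP_NAME_TRUNCATED_INPUT;
    if (rd32(data) != ZIP_LFH_SIG)
        return ZIP_NAME_BAD_SIGNATURE;

    name_len = rd16(data + 26);
    if (name_len > len - ZIP_LFH_FIXED)   /* would read past the input */
        return ZIP_NAME_TRUNCATED_INPUT;
    if (name_len >= out_size)             /* would write past `out` (name + NUL) */
        return ZIP_NAME_TOO_LONG;
    if (memchr(data + ZIP_LFH_FIXED, 0, name_len) != NULL)
        return ZIP_NAME_EMBEDDED_NUL;

    memcpy(out, data + ZIP_LFH_FIXED, name_len);
    out[name_len] = '\0';
    return ZIP_NAME_OK;
}

/* Constructed sample input: a local file header whose name is `name_len`
 * copies of 'A'. Returns the number of bytes written, or 0 if buf is too small. */
size_t make_sample_entry(uint8_t *buf, size_t buf_size, uint16_t name_len)
{
    size_t total = ZIP_LFH_FIXED + (size_t)name_len;

    if (buf_size < total)
        return 0;
    memset(buf, 0, ZIP_LFH_FIXED);
    buf[0] = 0x50; buf[1] = 0x4b; buf[2] = 0x03; buf[3] = 0x04;  /* "PK\3\4" */
    buf[26] = (uint8_t)(name_len & 0xff);
    buf[27] = (uint8_t)(name_len >> 8);
    memset(buf + ZIP_LFH_FIXED, 'A', name_len);
    return total;
}

int main(void)
{
    static uint8_t archive[ZIP_LFH_FIXED + 4096];
    char name[NAME_BUF_SIZE];
    uint16_t lengths[] = { 8, 259, 260, 4096 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = make_sample_entry(archive, sizeof archive, lengths[i]);
        enum zip_name_status st =
            zip_read_entry_name(archive, n, name, sizeof name);
        printf("declared name length %u -> status %d\n",
               (unsigned)lengths[i], (int)st);
    }
    return 0;
}
```

The same two comparisons apply to any archive format whose header carries a length field for the entry name: check it against the remaining input and against the destination size before copying.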
Secunia Research: IZArc unacev2.dll Buffer Overflow Vulnerability
== Secunia Research 17/05/2006 - IZArc unacev2.dll Buffer Overflow Vulnerability - ==

Table of Contents: 1) Affected Software, 2) Severity, 3) Description of Vulnerability, 4) Solution, 5) Time Table, 6) Credits, 7) References, 8) About Secunia, 9) Verification

== 1) Affected Software

* IZArc version 3.5 beta 3.

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System Access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in IZArc, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479

== 4) Solution

Do not extract untrusted ACE archives.

== 5) Time Table

04/05/2006 - Initial vendor notification.
16/05/2006 - Second vendor notification.
17/05/2006 - Public disclosure. (No reply from vendor)

== 6) Credits

Discovered by Secunia Research.

== 7) References

SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-32/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: Eazel unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 17/05/2006
- Eazel unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Eazel version 1.0.
Other versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Eazel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in ztvunacev2.dll (UNACEV2.DLL) when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479
==
4) Solution
Do not extract untrusted ACE archives.
==
5) Time Table
03/05/2006 - Initial vendor notification.
16/05/2006 - Second vendor notification.
17/05/2006 - Public disclosure. (No reply from vendor)
==
6) Credits
Discovered by Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-33/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: FilZip unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 15/05/2006
- FilZip unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* FilZip version 3.04.
Other versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in FilZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479
==
4) Solution
Do not extract ACE archives from untrusted sources.
==
5) Time Table
26/04/2006 - Initial vendor notification.
27/04/2006 - Second vendor notification.
11/05/2006 - Third vendor notification.
15/05/2006 - Public disclosure. (No reply from vendor)
==
6) Credits
Discovered by Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-30/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Abakt ZIP File Handling Buffer Overflow Vulnerability
==
Secunia Research 15/05/2006
- Abakt ZIP File Handling Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Abakt version 0.9.2 and 0.9.3-beta1
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Abakt, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when listing the contents of a ZIP archive. This can be exploited to cause a stack-based buffer overflow when a malicious ZIP archive containing a file with an overly long filename is opened.

The vulnerability is related to: SA19945

Successful exploitation allows execution of arbitrary code but requires that the user is e.g. tricked into opening a malicious ZIP archive from within the Restore Zip Archive functionality.
==
4) Solution
The vulnerability has been fixed in 0.9.3-RC1.
==
5) Time Table
12/05/2006 - Initial vendor notification.
15/05/2006 - Initial vendor reply.
15/05/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
SA19945: http://secunia.com/advisories/19945/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2161 for the vulnerability.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-31/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: UltimateZip unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 11/05/2006
- UltimateZip unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* UltimateZip version 2.7.1, 3.0.3, and 3.1b.
Other versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in UltimateZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479
==
4) Solution
Do not extract ACE archives from untrusted sources.
==
5) Time Table
26/04/2006 - Initial vendor notification.
27/04/2006 - Second vendor notification.
04/05/2006 - Third vendor notification.
11/05/2006 - Public disclosure. (No reply from vendor)
==
6) Credits
Discovered by Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-29/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Where Is It unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 09/05/2006
- Where Is It unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Where Is It version 3.73.501
Other versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Where Is It (WhereIsIt), which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479
==
4) Solution
Update to version 3.73.505
http://www.whereisit-soft.com/download.html
==
5) Time Table
04/05/2006 - Initial vendor notification.
09/05/2006 - Public disclosure. (No reply from vendor, but silently fixed in latest version)
==
6) Credits
Discovered by Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-28/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: TZipBuilder ZIP File Handling Buffer Overflow Vulnerability
==
Secunia Research 08/05/2006
- TZipBuilder ZIP File Handling Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* TZipBuilder 1.79.03.01.
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in TZipBuilder, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when listing the contents of a ZIP archive that contains a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a specially crafted ZIP archive is opened.

Successful exploitation allows execution of arbitrary code with the privileges of an application that uses the library.
==
4) Solution
Update to version 1.79.04.00.
http://www.drehoeksw.net/ZipBuild2.html
==
5) Time Table
03/05/2006 - Initial vendor notification.
03/05/2006 - Initial vendor reply.
08/05/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2161 for the vulnerability.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-26/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
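The bug class in the Abakt and TZipBuilder advisories above (a filename length taken from the archive and trusted when copying into a fixed-size stack buffer) and the check that prevents it, as an added C illustration that is not code from either product. The 30-byte ZIP local file header with its 16-bit name length at offset 26 is the standard layout and is used here for brevity; the 260-byte buffer, the function names and the status codes are assumptions, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZIP_LOCAL_SIG   0x04034b50u /* local file header signature "PK\3\4" */
#define ZIP_LOCAL_FIXED 30u         /* bytes before the variable-length name */
#define ZIP_NAMELEN_OFF 26u         /* offset of the 16-bit name length field */
#define NAME_BUF_SIZE   260u        /* assumed destination size (MAX_PATH-like) */

enum zip_status { ZIP_OK, ZIP_TRUNCATED, ZIP_BAD_SIG, ZIP_NAME_TOO_LONG, ZIP_BAD_NAME };

/* Read an n-byte little-endian integer (n is 2 or 4 here). */
static uint32_t rd_le(const uint8_t *p, unsigned n)
{
    uint32_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/*
 * The pattern behind this bug class, shown for comparison only (not compiled):
 *
 *     char name[NAME_BUF_SIZE];                       // fixed stack buffer
 *     memcpy(name, hdr + ZIP_LOCAL_FIXED, name_len);  // name_len is 0..65535
 *
 * The length comes straight from the archive, so it must be checked against
 * both the bytes actually present and the destination size before copying.
 */
enum zip_status zip_entry_name(const uint8_t *hdr, size_t hdr_len,
                               char *out, size_t out_size)
{
    size_t name_len;

    if (out == NULL || out_size == 0)
        return ZIP_NAME_TOO_LONG;
    out[0] = '\0';
    if (hdr == NULL || hdr_len < ZIP_LOCAL_FIXED)
        return ZIP_TRUNCATED;
    if (rd_le(hdr, 4) != ZIP_LOCAL_SIG)
        return ZIP_BAD_SIG;

    name_len = rd_le(hdr + ZIP_NAMELEN_OFF, 2);
    if (name_len > hdr_len - ZIP_LOCAL_FIXED)   /* header claims more than exists */
        return ZIP_TRUNCATED;
    if (name_len >= out_size)                   /* no room for name plus NUL */
        return ZIP_NAME_TOO_LONG;
    if (name_len == 0 || memchr(hdr + ZIP_LOCAL_FIXED, '\0', name_len) != NULL)
        return ZIP_BAD_NAME;                    /* empty name or embedded NUL */

    memcpy(out, hdr + ZIP_LOCAL_FIXED, name_len);
    out[name_len] = '\0';
    return ZIP_OK;
}

/* Constructed sample input: a header that claims `claimed` name bytes while only
 * `present` bytes of 'A' follow it. Parses it into a NAME_BUF_SIZE buffer and
 * returns the status; *copied receives the length of the resulting string. */
enum zip_status parse_constructed_entry(uint16_t claimed, size_t present, size_t *copied)
{
    static uint8_t hdr[ZIP_LOCAL_FIXED + 1024];
    char name[NAME_BUF_SIZE];
    enum zip_status st;

    if (present > 1024)
        present = 1024;
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0x50; hdr[1] = 0x4b; hdr[2] = 0x03; hdr[3] = 0x04;
    hdr[ZIP_NAMELEN_OFF]     = (uint8_t)(claimed & 0xff);
    hdr[ZIP_NAMELEN_OFF + 1] = (uint8_t)(claimed >> 8);
    memset(hdr + ZIP_LOCAL_FIXED, 'A', present);

    st = zip_entry_name(hdr, ZIP_LOCAL_FIXED + present, name, sizeof name);
    if (copied != NULL)
        *copied = strlen(name);
    return st;
}

int main(void)
{
    static const struct { uint16_t claimed; size_t present; } cases[] = {
        { 8, 8 }, { 259, 259 }, { 260, 260 }, { 600, 600 }, { 600, 8 },
    };
    size_t i, n = 0;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum zip_status st = parse_constructed_entry(cases[i].claimed, cases[i].present, &n);
        printf("claimed=%u present=%zu -> status=%d copied=%zu\n",
               (unsigned)cases[i].claimed, cases[i].present, (int)st, n);
    }
    return 0;
}
```

The same two comparisons (claimed length against bytes present, claimed length against destination size) apply to any archive format whose header carries a filename length, which is the condition the unacev2.dll advisories on this page describe for ACE archives.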
Secunia Research: Anti-Trojan unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 08/05/2006
- Anti-Trojan unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Anti-Trojan 5.5.421.
Prior versions may also be affected.
==
2) Severity
Rating: Highly Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Anti-Trojan, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user scans a specially crafted ACE archive.

The vulnerability is related to: SA16479

Successful exploitation requires that the Search in archive files option is enabled.
==
4) Solution
Version 5.5 is no longer supported and no fix is available. The vendor recommends existing users to upgrade to the successor product a-squared Anti-Malware.
==
5) Time Table
08/05/2006 - Initial vendor notification.
08/05/2006 - Initial vendor reply.
08/05/2006 - Public disclosure.
==
6) Credits
Discovered by Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-27/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: WinHKI unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 01/05/2006
- WinHKI unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* WinHKI version 1.66 and 1.67.
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in WinHKI, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in ztvunacev2.dll (UNACEV2.DLL) when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479
==
4) Solution
Update to version 1.68.
http://www.winhki.com/en/download.htm
==
5) Time Table
30/03/2006 - Initial vendor notification.
01/04/2006 - Initial vendor reply.
01/05/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-25/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Servant Salamander unacev2.dll Buffer Overflow Vulnerability
==
Secunia Research 28/04/2006
- Servant Salamander unacev2.dll Buffer Overflow Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Servant Salamander 2.0
* Servant Salamander 2.5 Beta 11
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Servant Salamander, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479
==
4) Solution
The vulnerability has been fixed in version 2.5 RC 1.
==
5) Time Table
27/04/2006 - Initial vendor notification.
27/04/2006 - Initial vendor reply.
28/04/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
SA16479: http://secunia.com/advisories/16479/
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-24/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: SpeedProject Products ACE Archive Handling Buffer Overflow
==
Secunia Research 26/04/2006
- SpeedProject Products ACE Archive Handling Buffer Overflow -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Squeez 5.10 Build 4460
* SpeedCommander 10.52 Build 4450
* SpeedCommander 11.01 Build 4450
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: System Access
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in various SpeedProject products, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to boundary errors in CxAce60.dll and CxAce60u.dll within the handling of an ACE archive that contains a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a specially crafted archive is extracted.
==
4) Solution
Update to the fixed versions.
http://www.speedproject.de/enu/download.html

Squeez 5: Update to Squeez 5.20 Build 4600.
SpeedCommander 10: Update to version 10.53 Build 4590 or later.
SpeedCommander 11: Update to version 11.10 Build 4590 or later.
==
5) Time Table
31/03/2006 - Initial vendor notification.
01/04/2006 - Initial vendor reply.
26/04/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
No other references.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-23/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Adobe Document Server for Reader Extensions Multiple Vulnerabilities
==
Secunia Research 13/04/2006
Adobe Document Server for Reader Extensions Multiple Vulnerabilities
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Vendor's Description of Software; 4) Description of Vulnerability; 5) Solution; 6) Time Table; 7) Credits; 8) References; 9) About Secunia; 10) Verification
==
1) Affected Software
Adobe Document Server for Reader Extensions 6.0

Included with:
Adobe Document Server 6.0 (p026)
Adobe Graphics Server 2.1 (d013)

NOTE: Other versions may also be affected.
==
2) Severity
Rating: Less critical
Impact: Exposure of Sensitive Information
        Cross-Site Scripting
        Security Bypass
Where: Remote
==
3) Vendor's Description of Software
Easily share interactive, intelligent Adobe Portable Document Format (PDF) documents with external parties — without requiring respondents to invest in costly software.

Product Link: http://www.adobe.com/products/server/readerextensions/main.html
==
4) Description of Vulnerability
Secunia Research has discovered multiple vulnerabilities in Adobe Document Server for Reader Extensions, which can be exploited by malicious users to bypass certain security restrictions and conduct script insertion attacks, or by malicious people to gain knowledge of sensitive information or conduct cross-site scripting attacks.

1) Missing access control restrictions in the Adobe Document Server for Reader Extensions (ads-readerext) can be exploited by authenticated users to access functionality, which they should not have access to, by manipulating the actionID and pageID parameters.

Successful exploitation e.g. allows a low-privileged user with Draft permissions to create a new administrative user account.

2) Input passed to the ReaderURL variable in the Update Download Site section of ads-readerext is not properly sanitised before being used. This can be exploited to insert arbitrary script code (prefixed with either ftp://; or http://;), which will be executed in an administrative user's browser session when logging in.

Normally, editing this field requires administrative privileges. However, this can be combined with vulnerability #1 and therefore be exploited by any valid user.

3) Input passed to the actionID parameter in ads-readerext and the op parameter in Adobe Server Web Services (AlterCast) is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Examples:
http://[host]:8019/ads-readerext/ads-readerext?actionID=[code]
http://[host]:8019/altercast/AlterCast?op=[code]

4) Different error messages are returned when attempting to log into ads-readerext depending on whether or not the supplied username exists. This can be exploited to enumerate valid accounts.

5) A user's session ID for ads-readerext is passed in the URL (jsessionid parameter) and exposed to other web sites in the Referer: header.
==
5) Solution
Update to the current version of Adobe Document Server for Reader Extensions.

NOTE: Adobe Document Server for Reader Extensions 6.0 is no longer a supported product. Adobe has shipped two subsequent versions (Adobe Document Server for Reader Extensions 6.1 and LiveCycle Reader Extensions 7.0) both of which are not affected.
==
6) Time Table
26/07/2005 - Initial vendor notification.
26/07/2005 - Initial vendor reply.
13/04/2006 - Public disclosure.
==
7) Credits
Discovered by Carsten Eiram and Tan Chew Keong, Secunia Research.
==
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-1627 for the vulnerability.

Adobe:
http://www.adobe.com/support/techdocs/322699.html
http://www.adobe.com/support/techdocs/331915.html
http
Secunia Research: AN HTTPD Script Source Disclosure Vulnerability
==
Secunia Research 03/04/2006
- AN HTTPD Script Source Disclosure Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* AN HTTPD version 1.42n.
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: Exposure of sensitive information
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in AN HTTPD, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to a validation error of the filename extension supplied by the user in the URL. This can be exploited to retrieve the source code of script files (e.g. PL, CGI, and BAT) from the server via specially crafted requests containing dot and space characters.
==
4) Solution
Update to version 1.42p.
==
5) Time Table
22/03/2006 - Initial vendor notification.
01/04/2006 - Initial vendor reply.
03/04/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
No other references.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-21/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Blazix Web Server JSP Source Code Disclosure Vulnerability
==
Secunia Research 28/03/2006
- Blazix Web Server JSP Source Code Disclosure Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Blazix Web Server version 1.2.5 on Windows.
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: Exposure of sensitive information
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Blazix, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to a validation error of the filename extension supplied by the user in the URL. This can be exploited to retrieve the source code of JSP files from the server via specially crafted requests containing dot, space, and slash characters.
==
4) Solution
Update to version 1.2.6.
==
5) Time Table
22/03/2006 - Initial vendor notification.
22/03/2006 - Initial vendor reply.
28/03/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
No other references.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-22/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Quick 'n Easy/Baby Web Server ASP Code Disclosure Vulnerability
==
Secunia Research 24/03/2006
- Quick 'n Easy/Baby Web Server ASP Code Disclosure Vulnerability -
==
Table of Contents: 1) Affected Software; 2) Severity; 3) Description of Vulnerability; 4) Solution; 5) Time Table; 6) Credits; 7) References; 8) About Secunia; 9) Verification
==
1) Affected Software
* Quick 'n Easy Web Server version 3.0.6 and 3.1
* Baby Web Server version 2.7.2
Prior versions may also be affected.
==
2) Severity
Rating: Moderately Critical
Impact: Exposure of sensitive information
Where: Remote
==
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Quick 'n Easy/Baby Web Server, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to a validation error of the filename extension supplied by the user in the URL. This can be exploited to retrieve the source code of ASP files from the server via specially crafted requests containing dot, space and slash characters.
==
4) Solution
Quick 'n Easy Web Server: Update to version 3.1.1
http://www.pablosoftwaresolutions.com/html/quick__n_easy_web_server.html

Baby Web Server: The vendor has reported that Baby Web Server is no longer supported and has been replaced with Quick 'n Easy Web Server.
==
5) Time Table
22/03/2006 - Initial vendor notification.
22/03/2006 - Initial vendor reply.
24/03/2006 - Public disclosure.
==
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
==
7) References
No other references.
==
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/
==
9) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-19/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
==
Secunia Research: Adobe Document/Graphics Server File URI Resource Access
== Secunia Research 15/03/2006 - Adobe Document/Graphics Server File URI Resource Access - ==

== 1) Affected Software

* Adobe Graphics Server 2.x
* Adobe Document Server 5.x
* Adobe Document Server 6.x

Prior versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System access
        Manipulation of data
        Exposure of sensitive information
Where: Local network

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Adobe Document Server and Adobe Graphics Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information, overwrite arbitrary files, or compromise a vulnerable system.

The saveContent and saveOptimized ADS (Adobe Document Server) commands allow graphics or PDF files to be saved with any file extensions to arbitrary locations on the server with SYSTEM privileges (default settings) using File URIs. Similarly, the loadContent command allows retrieval of graphics or PDF files specified using File URIs. These commands are exposed via the AlterCast web service running on port 8019.

This can be exploited by sending a specially crafted SOAP request to the web service to write a graphics file containing malicious JavaScript as metadata to e.g. the server's All Users startup folder. The request can be constructed to save this graphics file with an HTA extension, causing the file to be executed the next time any user logs in.

A request containing loadContent can also be sent to retrieve arbitrary graphics or PDF files from the server, potentially exposing sensitive information.

Successful exploitation requires that the service is configured to run with SYSTEM privileges (default) or with privileges of a normal user that has been granted interactive logon rights.

== 4) Solution

The vendor has published additional hardening steps to prevent exploitation of the vulnerability (see vendor advisory for details).

== 5) Time Table

26/07/2005 - Initial vendor notification.
26/07/2005 - Initial vendor reply.
14/03/2006 - Vendor published additional hardening guidelines.
15/03/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

Adobe:
http://www.adobe.com/support/techdocs/332989.html

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-1182 for the vulnerability.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-28/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: unalz Filename Handling Directory Traversal Vulnerability
== Secunia Research 13/03/2006 - unalz Filename Handling Directory Traversal Vulnerability - ==

== 1) Affected Software

* unalz version 0.53.

Other versions may also be affected.

== 2) Severity

Rating: Less Critical
Impact: System access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in unalz, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input validation error when extracting an ALZ archive. This makes it possible to have files extracted to arbitrary locations outside the specified directory using the ../ directory traversal sequence.

The vulnerability has been confirmed in version 0.53. Other versions may also be affected.

== 4) Solution

Update to version 0.55.

== 5) Time Table

02/03/2006 - Initial vendor notification.
10/03/2006 - Initial vendor reply.
13/03/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0950 for the vulnerability.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-16/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: Lighttpd Script Source Disclosure Vulnerability
== Secunia Research 01/03/2006 - Lighttpd Script Source Disclosure Vulnerability - ==

== 1) Affected Software

* Lighttpd version 1.4.10 for Windows.

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: Exposure of sensitive information
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Lighttpd, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to a validation error of the filename extension supplied by the user in the URL. This can be exploited to retrieve the source code of script files (e.g. PHP) from the server via specially-crafted requests containing dot and space characters.

== 4) Solution

Update to version 1.4.10a for Windows.

== 5) Time Table

15/02/2006 - Initial vendor notification.
16/02/2006 - Initial vendor reply.
01/03/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0814 for the vulnerability.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-9/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: NetworkActiv Web Server Script Source Disclosure Vulnerability
== Secunia Research 01/03/2006 - NetworkActiv Web Server Script Source Disclosure Vulnerability - ==

== 1) Affected Software

* NetworkActiv Web Server 3.5.15.

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: Exposure of sensitive information
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in NetworkActiv Web Server, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to a validation error of the filename extension supplied by the user in the URL. This can be exploited to retrieve the source code of script files (e.g. PHP) from the server via specially-crafted requests containing the forward slash character.

== 4) Solution

Update to version 3.5.16.

== 5) Time Table

21/02/2006 - Initial vendor notification.
21/02/2006 - Initial vendor reply.
01/03/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0815 for the vulnerability.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-10/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: ArGoSoft Mail Server Pro viewheaders Script Insertion
== Secunia Research 27/02/2006 - ArGoSoft Mail Server Pro viewheaders Script Insertion - ==

== 1) Affected Software

ArGoSoft Mail Server Pro 1.8.8.5

NOTE: Prior versions may also be affected.

== 2) Severity

Rating: Moderately critical
Impact: Cross-Site Scripting
Where: Remote

== 3) Vendor's Description of Software

ArGoSoft Mail Server is full SMTP/POP3/Finger/IMAP server for all Windows platforms, which will let you turn your computer into the email system. It is very compact, takes about 1-5 Mb of disk space (depending on the version), does not have any specific memory requirements, and what is the most important - it's very easy to use.

Product Link:
http://www.argosoft.com/rootpages/MailServer/Default.aspx

== 4) Description of Vulnerability

Secunia Research has discovered a vulnerability in ArGoSoft Mail Server Pro, which can be exploited by malicious people to conduct script insertion attacks.

Input passed in various e-mail headers (e.g. subject and from) is not properly sanitised before being displayed by the View Headers functionality. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of a vulnerable site when viewing the headers of a malicious e-mail.

== 5) Solution

Update to version 1.8.8.6 or later.

== 6) Time Table

24/02/2006 - Vendor notified.
24/02/2006 - Vendor response.
27/02/2006 - Public disclosure.

== 7) Credits

Discovered by Secunia Research.

== 8) References

No other references available.

== 10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-6/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: Visnetic AntiVirus Plug-in for MailServer Privilege Escalation
== Secunia Research 23/02/2006 - Visnetic AntiVirus Plug-in for MailServer Privilege Escalation - ==

== 1) Affected Software

Visnetic AntiVirus Plug-in for MailServer 4.6.0.4 and 4.6.1.1.

NOTE: Other versions may also be affected.

== 2) Severity

Rating: Less critical
Impact: Privilege escalation
Where: Local system

== 3) Vendor's Description of Software

The best means of protecting your organization from email-propagated viruses is antivirus protection for your mail server. The VisNetic AntiVirus Plug-in is tightly integrated antivirus protection designed specifically for VisNetic Mail Server.

Product Link:
http://www.deerfield.com/products/visnetic-mailserver/antivirus/

== 4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Visnetic AntiVirus Plug-in for MailServer, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to the Visnetic AntiVirus Plug-in (DKAVUpSch.exe) not dropping its privileges before invoking other programs. This can be exploited to invoke arbitrary programs on the system with SYSTEM privileges.

== 5) Solution

Update to version 4.6.1.2.

== 6) Time Table

07/09/2005 - Vendor notified (1st notice).
07/02/2006 - Vendor notified (2nd notice).
21/02/2006 - Vendor notified (3rd notice).
21/02/2006 - Vendor response.
23/02/2006 - Public disclosure.

== 7) Credits

Discovered by Secunia Research.

== 8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0812 for the vulnerability.

== 10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-65/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: Lotus Notes Multiple Archive Handling Directory Traversal
== Secunia Research 10/02/2006 - Lotus Notes Multiple Archive Handling Directory Traversal - ==

== 1) Affected Software

* Lotus Notes 6.5.4
* Lotus Notes 7.0

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: Security Bypass
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Lotus Notes, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to directory traversal errors in kvarcve.dll when generating the preview of a compressed file from ZIP, UUE and TAR archives. This can be exploited to delete arbitrary files that are accessible to the Notes user.

Successful exploitation requires that the user is e.g. tricked into previewing a compressed file with directory traversal sequences in its filename from within the Notes attachment viewer.

== 4) Solution

Update to version 6.5.5 or 7.0.1.

== 5) Time Table

04/08/2005 - Initial vendor notification.
04/08/2005 - Initial vendor response.
10/02/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong and Carsten Eiram, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2619 for the vulnerability.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-30/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: IBM Lotus Domino iNotes Client Script Insertion Vulnerabilities
== Secunia Research 10/02/2006 - IBM Lotus Domino iNotes Client Script Insertion Vulnerabilities - ==

== 1) Affected Software

* IBM Lotus Domino Web Access 7.x
* IBM Lotus Domino Web Access (iNotes) 6.x
* IBM Lotus Domino 6.x
* IBM Lotus Domino 7.x

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: Cross-Site Scripting
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Lotus Domino iNotes Client, which can be exploited by malicious people to conduct script insertion attacks.

1) Attached files (e.g. .html files) are opened in the context of the site if the user clicks on them. This can be exploited to execute arbitrary JavaScript code in the context of the user's session.

The vulnerability has been confirmed in version 6.5.4. The vulnerability does not affect version 6.5.4 FP1. Prior versions may also be affected.

2) The email subject is not properly sanitised before being displayed to the user as the browser title. This can be exploited to execute arbitrary JavaScript in the context of the user's session when the user views a received email.

Example:
</TITLE><SCRIPT>alert("Vulnerable!");</SCRIPT>

The vulnerability has been confirmed in version 6.5.4 and also reported in version 7.0. Other versions may also be affected.

3) It is possible to bypass certain security checks related to javascript: URLs by inserting &#13; in the middle of the URL. This can be exploited to execute arbitrary JavaScript code in the context of the user's session.

Example:
<a href=java&#13;script:alert('Vulnerable!');>Link</a>

The vulnerability has been confirmed in version 6.5.4 and also reported in version 7.0. Other versions may also be affected.

4) The attachment filename is not properly sanitised before being displayed to the user. This can be exploited to execute arbitrary JavaScript in context of the user's session when the user views a received email.

Successful exploitation requires that the Domino Web Access ActiveX control is not installed on the browser.

The vulnerability has been confirmed in version 6.5.4 and also reported in version 7.0. Other versions may also be affected.

== 4) Solution

Update to version 6.5.5 or 7.0.1.

== 5) Time Table

22/08/2005 - Initial vendor notification.
25/08/2005 - Initial vendor response.
10/02/2006 - Public disclosure.

== 6) Credits

1-3) Jakob Balle, Secunia Research.
4) Tan Chew Keong, Secunia Research.

== 7) References

No other references.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-38/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: Lotus Notes TAR Reader File Extraction Buffer Overflow
== Secunia Research 10/02/2006 - Lotus Notes TAR Reader File Extraction Buffer Overflow - ==

== 1) Affected Software

Lotus Notes 6.5.4 and 7.0.

NOTE: Other versions may also be affected.

== 2) Severity

Rating: Less critical
Impact: System access
Where: From remote

== 3) Vendor's Description of Software

IBM Lotus Notes continues to set the standard for innovation in the messaging and collaboration market Lotus defined over a decade ago. As an integrated collaborative environment, the Lotus Notes client and the IBM Lotus Domino server combine enterprise-class messaging and calendaring scheduling capabilities with a robust platform for collaborative applications.

Product Link:
http://www.lotus.com/products/product4.nsf/wdocs/noteshomepage

== 4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Lotus Notes, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the TAR reader (tarrdr.dll) when extracting files from a TAR archive. This can be exploited to cause a stack-based buffer overflow via a TAR archive containing a file with a long filename.

Successful exploitation allows execution of arbitrary code, but requires that the user views a malicious TAR archive and chooses to extract a compressed file to a directory with a very long path (more than 220 bytes).

== 5) Solution

Update to version 6.5.5 or 7.0.1.

== 6) Time Table

17/08/2005 - Vendor notified.
18/08/2005 - Vendor response.
10/02/2006 - Public disclosure.

== 7) Credits

Discovered by Carsten Eiram, Secunia Research.

== 8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2618 for the vulnerability.

== 10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-34/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
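The unalz advisory earlier on this page (../ sequences in archive member names) and the TAR reader advisory above (a long member name combined with a long destination path) both come down to how an extractor joins the destination directory with a name read from the archive. The C function below is an added example, not code from unalz, IBM or Secunia; safe_join, its result codes, the buffer sizes and the member names in main are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum join_result {
    JOIN_OK        =  0,
    JOIN_EMPTY     = -1,  /* missing argument or no usable name component   */
    JOIN_ABSOLUTE  = -2,  /* entry name is rooted or carries a drive letter */
    JOIN_TRAVERSAL = -3,  /* entry name contains a ".." component           */
    JOIN_TOO_LONG  = -4   /* result does not fit; never truncated silently  */
};

/* Archives written on Windows may use either separator. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Leave no partial path behind for a caller that ignores the return code. */
static int fail(char *out, int code) { out[0] = '\0'; return code; }

/* Build "<dest_dir>/<entry_name>" in out[0..out_size) for one archive member. */
int safe_join(const char *dest_dir, const char *entry_name,
              char *out, size_t out_size)
{
    size_t used, i = 0;
    int components = 0;

    if (out == NULL || out_size == 0)
        return JOIN_TOO_LONG;
    if (dest_dir == NULL || entry_name == NULL ||
        dest_dir[0] == '\0' || entry_name[0] == '\0')
        return fail(out, JOIN_EMPTY);

    /* Rooted names ("/x", "\x") and drive-qualified names ("C:x") would
     * ignore dest_dir. Rejecting any "?:" prefix is deliberately strict. */
    if (is_sep(entry_name[0]) || entry_name[1] == ':')
        return fail(out, JOIN_ABSOLUTE);

    used = strlen(dest_dir);
    if (used >= out_size)
        return fail(out, JOIN_TOO_LONG);
    memcpy(out, dest_dir, used);
    while (used > 0 && is_sep(out[used - 1]))
        used--;                       /* "/tmp/out/" and "/" join cleanly */

    while (entry_name[i] != '\0') {
        size_t start, len, room;

        while (is_sep(entry_name[i]))
            i++;
        start = i;
        while (entry_name[i] != '\0' && !is_sep(entry_name[i]))
            i++;
        len = i - start;

        if (len == 0)
            break;                    /* only trailing separators were left */
        if (len == 1 && entry_name[start] == '.')
            continue;                 /* "." adds nothing */
        /* Any ".." is refused, even one that would stay inside dest_dir. */
        if (len == 2 && entry_name[start] == '.' && entry_name[start + 1] == '.')
            return fail(out, JOIN_TRAVERSAL);

        /* Need room for separator + component + terminating NUL. */
        room = out_size - used;
        if (room < 2 || len > room - 2)
            return fail(out, JOIN_TOO_LONG);
        out[used++] = '/';
        memcpy(out + used, entry_name + start, len);
        used += len;
        components++;
    }

    if (components == 0)
        return fail(out, JOIN_EMPTY);
    out[used] = '\0';
    return JOIN_OK;
}

int main(void)
{
    /* Constructed member names, not taken from any real archive. */
    const char *names[] = { "docs/readme.txt", "../../outside.txt",
                            "sub\\..\\..\\outside.txt", "/abs.txt", "C:\\abs.txt" };
    char path[260];       /* fixed-size buffer, as a native extractor might use */
    char longname[301];
    size_t n;

    for (n = 0; n < sizeof names / sizeof names[0]; n++) {
        int rc = safe_join("/tmp/out", names[n], path, sizeof path);
        printf("%-26s -> %d %s\n", names[n], rc, path);
    }
    memset(longname, 'A', 300);       /* constructed over-long member name */
    longname[300] = '\0';
    printf("300-byte name -> %d\n",
           safe_join("/tmp/out", longname, path, sizeof path));
    return 0;
}
```

A lexical check like this does not account for symbolic links already present under the destination directory; an extractor that must handle those also needs to resolve the final path and compare it against the destination before writing.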
Secunia Research: Lotus Notes UUE File Handling Buffer Overflow
== Secunia Research 10/02/2006 - Lotus Notes UUE File Handling Buffer Overflow - ==

== 1) Affected Software

* Lotus Notes 6.5.4
* Lotus Notes 7.0

Other versions may also be affected.

== 2) Severity

Rating: Highly Critical
Impact: System access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Lotus Notes, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in uudrdr.dll when handling a UUE file containing an encoded file with an overly long filename. This can be exploited to cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code when a malicious UUE file is opened in the Notes attachment viewer.

== 4) Solution

Update to version 6.5.5 or 7.0.1.

== 5) Time Table

05/08/2005 - Initial vendor notification.
05/08/2005 - Initial vendor response.
10/02/2006 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2618 for the vulnerability.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-36/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: Lotus Notes HTML Speed Reader Link Buffer Overflows
== Secunia Research 10/02/2006 - Lotus Notes HTML Speed Reader Link Buffer Overflows - ==

== 1) Affected Software

IBM Lotus Notes 6.5.4 and 7.0.

NOTE: Other versions may also be affected.

== 2) Severity

Rating: Highly critical
Impact: System Compromise
Where: Remote

== 3) Vendor's Description of Software

IBM Lotus Notes continues to set the standard for innovation in the messaging and collaboration market Lotus defined over a decade ago. As an integrated collaborative environment, the Lotus Notes client and the IBM Lotus Domino server combine enterprise-class messaging and calendaring scheduling capabilities with a robust platform for collaborative applications.

Product Link:
http://www.lotus.com/products/product4.nsf/wdocs/noteshomepage

== 4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Lotus Notes, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists in the HTML speed reader (htmsr.dll), which is used for viewing HTML attachments in emails. This can be exploited to cause a stack-based buffer overflow via a malicious email containing an overly long link (about 800 characters) beginning with either http, ftp, or //.

Successful exploitation allows execution of arbitrary code with the privileges of the user running Lotus Notes, but requires that the user follows a link in the HTML document.

2) A boundary error in the HTML speed reader when checking if a link references a local file can be exploited to cause a stack-based buffer overflow via a malicious email containing a specially crafted, overly long link.

Successful exploitation allows execution of arbitrary code with the privileges of the user running Lotus Notes, as soon as the user views the malicious HTML document.

== 5) Solution

Update to version 6.5.5 or 7.0.1.

== 6) Time Table

06/08/2005 - Vendor notified.
07/08/2005 - Vendor response.
10/02/2006 - Public disclosure.

== 7) Credits

Discovered by Carsten Eiram, Secunia Research.

== 8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2618 for the vulnerabilities.

== 10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-32/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: Mozilla Thunderbird Attachment Spoofing Vulnerability
== Secunia Research 17/01/2006 - Mozilla Thunderbird Attachment Spoofing Vulnerability - ==

== 1) Affected Software

Mozilla Thunderbird versions 1.0.2, 1.0.6, and 1.0.7 for Microsoft Windows.

Other versions may also be affected.

== 2) Severity

Rating: Less critical
Impact: Spoofing
        System access
Where: From remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Thunderbird, which can be exploited by malicious people to trick users into executing arbitrary programs.

The vulnerability is caused due to attachments not being displayed correctly in mails. This can be exploited to spoof the file extension and the associated file type icon via a combination of overly long filenames containing whitespaces and Content-Type headers not matching the file extension.

Successful exploitation may lead to malware being saved to e.g. the desktop.

NOTE: Attachments can be saved by dragging the attachment, or using the Save As... or Save All... functionality. For files on the desktop the icon can be spoofed if it e.g. is a .exe or .lnk file.

The vulnerability has been confirmed in versions 1.0.2, 1.0.6, and 1.0.7 for Microsoft Windows. Other versions may also be affected.

== 4) Solution

Update to version 1.5.
http://www.mozilla.com/thunderbird/

== 5) Time Table

01/07/2005 - Initial vendor notification.
10/07/2005 - Vendor confirms the vulnerability.
27/07/2005 - Vulnerability fixed in the CVS repository.
12/01/2006 - Thunderbird 1.5 released.
17/01/2006 - Public disclosure.

== 6) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 7) References

https://bugzilla.mozilla.org/show_bug.cgi?id=300246

== 9) Verification

Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2005-22/advisory/

Complete list of vulnerability reports released by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: TUGZip ARJ Archive Handling Buffer Overflow Vulnerability
== Secunia Research 30/12/2005 - TUGZip ARJ Archive Handling Buffer Overflow Vulnerability - ==

== 1) Affected Software

* TUGZip 3.4.0.0

Other versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in TUGZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when handling an ARJ archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow.

Successful exploitation allows arbitrary code execution when a malicious ARJ file is opened.

The vulnerability has been confirmed in version 3.4.0.0. Other versions may also be affected.

== 4) Solution

Do not open untrusted ARJ archives.

== 5) Time Table

07/10/2005 - Initial vendor notification.
13/10/2005 - Initial vendor reply.
15/11/2005 - Reminder sent.
30/12/2005 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

No other references.

== 9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-63/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Secunia Research: IceWarp Web Mail Multiple File Inclusion Vulnerabilities
== Secunia Research 27/12/2005 - IceWarp Web Mail Multiple File Inclusion Vulnerabilities - ==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 1) Affected Software

* Merak Mail Server version 8.3.0.r.
* VisNetic Mail Server version 8.3.0 build 1.

Other versions may also be affected.

== 2) Severity

Rating: Highly Critical
Impact: System access
        Exposure of sensitive information
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in IceWarp Web Mail, which can be exploited by malicious users and by malicious people to disclose potentially sensitive information and to compromise a vulnerable system.

1) The webmail and webadmin services run with PHP configured with register_global enabled. The language and lang_settings variables in /accounts/inc/include.php and /admin/inc/include.php are not properly initialised when the scripts are accessed directly. This makes it possible to overwrite the variables to cause the scripts to include arbitrary PHP scripts from local and remote sources.

Example:
http://[host]:32000/accounts/inc/include.php?
language=0lang_settings[0][1]=http://[host]/
http://[host]:32000/admin/inc/include.php?
language=0lang_settings[0][1]=http://[host]/

Successful exploitation allows execution of arbitrary PHP code on a vulnerable server with SYSTEM privileges without requiring authentication.

2) Input passed to the lang parameter in /dir/include.html isn't properly validated before being used to include files. This can be exploited to include arbitrary files from local sources.

Example:
http://[host]:32000/dir/include.html?lang=[file]%00

Successful exploitation allows disclosure of arbitrary files on a vulnerable server without requiring authentication.

3) Input passed to the language parameter in /mail/settings.html isn't properly validated before being saved to the database. This can be exploited in conjunction with overwrite of the lang_settings variable, to include arbitrary PHP scripts from local and remote sources.

Example:
http://[host]:32000/mail/settings.html?
id=[current_id]Save_x=1language=TEST
http://[host]:32000/mail/index.html?
id=[current_id]lang_settings[TEST]=test;http://[host]/;

Successful exploitation allows execution of arbitrary PHP scripts on a vulnerable server with SYSTEM privileges but requires a valid logon.

4) The default_layout and layout_settings variables are not properly initialised when /mail/include.html encounters a HTTP_USER_AGENT string that it does not recognise. This can be exploited in conjunction with overwrite of the default_layout and layout_settings variables to disclose the content of local files.

Example (using non-IE/Mozilla/Firefox browser):
http://[host]:32000/mail/index.html?/mail/index.html?
default_layout=OUTLOOK2003layout_settings[OUTLOOK2003]=test;[file]%00;2

Successful exploitation allows disclosure of arbitrary files on a vulnerable server without requiring authentication.

== 4) Solution

Merak Mail Server: Update to version 8.3.5.r.
VisNetic Mail Server: Update to version 8.3.5.

== 5) Time Table

07/12/2005 - Initial vendor notification.
07/12/2005 - Initial vendor reply.
27/12/2005 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

No other references available.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them
Secunia Research: Pegasus Mail Buffer Overflow and Off-by-One Vulnerabilities
== Secunia Research 20/12/2005 - Pegasus Mail Buffer Overflow and Off-by-One Vulnerabilities - ==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 1) Affected Software

* Pegasus Mail version 4.21a, 4.21b, and 4.21c.
* Pegasus Mail version 4.30PB1 (Public Beta 1).

== 2) Severity

Rating: Moderately Critical
Impact: System access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Pegasus Mail, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists when using the reply from a POP3 server to construct trace messages that are displayed to the user if an error occurs when downloading emails. This can be exploited to cause a stack-based buffer overflow via an overly long POP3 reply.

Successful exploitation allows arbitrary code execution but requires that the user is e.g. tricked into connecting to a malicious POP3 server.

2) An off-by-one error exists when displaying the RFC2822 message headers of an email to the user. This can be exploited to overwrite the least significant byte of the saved EBP via an email message header that is 1022 bytes or longer. This allows code execution on a Windows XP system.

Successful exploitation requires that the user is e.g. tricked into viewing the headers of a malicious email via the Message headers... menu item in the context menu of the email message.

The vulnerabilities have been confirmed in version 4.21c and 4.30PB1 (Public Beta 1).

== 4) Solution

Update to version 4.31.

== 5) Time Table

13/12/2005 - Initial vendor notification.
13/12/2005 - Initial vendor reply.
20/12/2005 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

Pegasus Mail: http://www.pmail.com/newsflash.htm#secunia

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-61/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: Microsoft Internet Explorer Keyboard Shortcut Processing Vulnerability
== Secunia Research 13/12/2005 Microsoft Internet Explorer Keyboard Shortcut Processing Vulnerability ==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 1) Affected Software

Microsoft Internet Explorer 6.0

Other versions may also be affected.

== 2) Severity

Rating: Highly critical
Impact: System access and security bypass
Where: From remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to trick users into executing malicious files.

The vulnerability is caused due to a design error in the processing of keyboard shortcuts for certain security dialogs. This can e.g. be exploited to delay the file download dialog and trick users into executing a malicious .bat file after pressing the r key.

A successful attack may be outlined as:

1. Detect that the user is typing on the keyboard.
2. Redirect to a malicious .bat file.
3. In a new thread, force the browser to consume a large amount of CPU resources via a simple loop statement. This causes the upcoming file download dialog to be delayed.
4. The user eventually presses the r key which is a keyboard shortcut for opening the downloaded file. The download dialog has not yet been shown for the user when this event occurs.
5. The loop statement stops causing the download dialog to be visible and the keyboard shortcut event is processed.
6. The malicious .bat file is launched.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

== 4) Solution

Apply patches. Please see MS05-054 (KB905915): http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

== 5) Time Table

21/05/2005 - Vulnerability discovered.
24/05/2005 - Vendor notified.
20/06/2005 - Vendor confirms the vulnerability.
13/12/2005 - Vendor issues patch.
13/12/2005 - Public disclosure.

== 6) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2829 for the vulnerability.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia web site: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia web site: http://secunia.com/secunia_research/2005-7/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: Internet Explorer Suppressed Download Dialog Vulnerability
== Secunia Research 13/12/2005 - Internet Explorer Suppressed Download Dialog Vulnerability - ==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) About Secunia
8) Verification

== 1) Affected Software

Microsoft Internet Explorer 6.0

Prior versions may also be affected.

== 2) Severity

Rating: Highly critical
Impact: System Access
Where: From remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to trick users into downloading and executing arbitrary programs on a user's system.

A design error in the processing of mouse clicks in new browser windows and the predictability of the position of the File Download dialog box can be exploited to trick the user into clicking on the Run button of the dialog box.

This is exploited by first causing a File Download dialog box to be displayed underneath a new browser window, and then tricking the user into double-clicking within a specific area in the new window. This will result in an unintended click of the Run button in the hidden File Download dialog box.

== 4) Solution

Apply patches. Please see MS05-054 (KB905915): http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

== 5) Time Table

26/06/2005 - Vulnerability discovered and reported to vendor.
13/12/2005 - Public disclosure.

== 6) Credits

Discovered by Jakob Balle, Secunia Research.

== 7) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia web site: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 8) Verification

Please verify this advisory by visiting the Secunia web site: http://secunia.com/secunia_research/2005-21/advisory/

Complete list of vulnerability reports released by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: SpeedProject Products ZIP/UUE File Extraction Buffer Overflow
== Secunia Research 24/11/2005 - SpeedProject Products ZIP/UUE File Extraction Buffer Overflow - ==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 1) Affected Software

* ZipStar 5.0 Build 4285
* Squeez 5.0 Build 4285
* SpeedCommander 11.0 Build 4430
* SpeedCommander 10.51 Build 4430

Prior versions may also be affected.

== 2) Severity

Rating: Moderately Critical
Impact: System access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in various SpeedProject products, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists in CxZIP60.dll and CxZIP60u.dll due to the unsafe use of the lstrcat() function when constructing the full pathname of a file that is extracted from a ZIP archive. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a specially crafted archive is extracted.

The vulnerability has been confirmed in the following products.

* ZipStar 5.0 Build 4285
* Squeez 5.0 Build 4285
* SpeedCommander 11.0 Build 4430
* SpeedCommander 10.51 Build 4430

2) A boundary error exists in CxUux60.dll and CxUux60u.dll due to the unsafe use of the lstrcpy() function when constructing the full pathname of the file that is decoded from a UUE file. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a specially crafted UUE file is decoded.

The vulnerability has been confirmed in the following products.

* Squeez 5.0 Build 4285
* SpeedCommander 11.0 Build 4430
* SpeedCommander 10.51 Build 4430

== 4) Solution

Update to the fixed versions.

SpeedCommander 10: Update to version 10.52 Build 4450.
SpeedCommander 11: Update to version 11.01 Build 4450.
Squeez 5.0: Update to Squeez 5.10 Build 4460.
ZipStar 5.0: Update to ZipStar 5.10 Build 4460.

== 5) Time Table

03/11/2005 - Initial vendor notification.
03/11/2005 - Initial vendor reply.
17/11/2005 - Vendor released fixed versions.
24/11/2005 - Public disclosure.

== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

== 7) References

No other references.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-60/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
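Added example, not part of the Secunia advisory and not vendor code: the SpeedProject advisory above attributes both overflows to unchecked lstrcat()/lstrcpy() calls that build an extraction pathname in a fixed stack buffer, and this sketch shows the length checks that have to precede the copy. It uses portable C in place of the Win32 calls; the function names, status codes and the 260-byte buffer size are assumptions, and the header bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EXTRACT_PATH_MAX 260   /* assumed buffer size (Windows MAX_PATH) */
#define ZIP_LFH_FIXED    30    /* fixed part of a ZIP local file header */

enum { PATH_OK = 0, PATH_BAD_INPUT = -1, PATH_TOO_LONG = -2 };

/* Join dest_dir and an untrusted, length-prefixed entry name into out.
 * Every length is checked before any byte is copied, nothing is written
 * past out[out_size - 1], and out is always NUL-terminated on return. */
int join_extract_path(char *out, size_t out_size, const char *dest_dir,
                      const unsigned char *name, size_t name_len)
{
    if (out == NULL || out_size == 0) return PATH_BAD_INPUT;
    out[0] = '\0';
    if (dest_dir == NULL || name == NULL || name_len == 0) return PATH_BAD_INPUT;
    /* An embedded NUL makes the stored length and the C string disagree. */
    if (memchr(name, '\0', name_len) != NULL) return PATH_BAD_INPUT;

    size_t dir_len = strlen(dest_dir);
    size_t sep = (dir_len > 0 && dest_dir[dir_len - 1] != '\\' &&
                  dest_dir[dir_len - 1] != '/') ? 1 : 0;

    /* Subtract step by step so the comparison itself cannot wrap. */
    if (dir_len >= out_size) return PATH_TOO_LONG;
    size_t room = out_size - 1 - dir_len;   /* terminator already reserved */
    if (sep > room || name_len > room - sep) return PATH_TOO_LONG;

    memcpy(out, dest_dir, dir_len);
    if (sep) out[dir_len] = '\\';
    memcpy(out + dir_len + sep, name, name_len);
    out[dir_len + sep + name_len] = '\0';
    return PATH_OK;
}

/* Read the file name from a ZIP local file header and build the path. */
int zip_entry_path(const unsigned char *hdr, size_t hdr_len,
                   const char *dest_dir, char *out, size_t out_size)
{
    if (out != NULL && out_size > 0) out[0] = '\0';
    if (hdr == NULL || hdr_len < ZIP_LFH_FIXED || memcmp(hdr, "PK\x03\x04", 4) != 0)
        return PATH_BAD_INPUT;
    size_t name_len = (size_t)hdr[26] | ((size_t)hdr[27] << 8);  /* LE u16 */
    if (name_len > hdr_len - ZIP_LFH_FIXED) return PATH_BAD_INPUT; /* truncated */
    return join_extract_path(out, out_size, dest_dir, hdr + ZIP_LFH_FIXED, name_len);
}

/* Constructed sample input: a header whose name is name_len copies of fill. */
size_t make_sample_header(unsigned char *buf, size_t buf_size, size_t name_len, char fill)
{
    if (name_len > 0xFFFF || buf_size < ZIP_LFH_FIXED + name_len) return 0;
    memset(buf, 0, ZIP_LFH_FIXED);
    memcpy(buf, "PK\x03\x04", 4);
    buf[26] = (unsigned char)(name_len & 0xFF);
    buf[27] = (unsigned char)(name_len >> 8);
    memset(buf + ZIP_LFH_FIXED, fill, name_len);
    return ZIP_LFH_FIXED + name_len;
}

int main(void)
{
    unsigned char hdr[400];
    char path[EXTRACT_PATH_MAX];
    size_t n = make_sample_header(hdr, sizeof hdr, 300, 'A'); /* overly long name */
    printf("long name  -> %d\n", zip_entry_path(hdr, n, "C:\\out", path, sizeof path));
    n = make_sample_header(hdr, sizeof hdr, 8, 'a');
    printf("short name -> %d (%s)\n", zip_entry_path(hdr, n, "C:\\out", path, sizeof path), path);
    return 0;
}
```

The same join applies to the UUE case in item 2, where the decoded file name takes the place of the ZIP header field.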
Secunia Research: Opera Command Line URL Shell Command Injection
== Secunia Research 22/11/2005 - Opera Command Line URL Shell Command Injection - ==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 1) Affected Software

Opera 8.x on Unix / Linux based environments.

Prior versions may also be affected.

== 2) Severity

Rating: Highly Critical
Impact: System access
Where: Remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Opera parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Opera as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

This vulnerability can only be exploited on Unix / Linux based environments.

This vulnerability is a variant of: http://secunia.com/SA16869

== 4) Solution

Update to version 8.51.
http://www.opera.com/download/

== 5) Time Table

22/09/2005 - Initial vendor notification.
22/09/2005 - Initial vendor reply.
22/11/2005 - Vendor released patches.
22/11/2005 - Public disclosure.

== 6) Credits

Originally discovered by: Peter Zelezny
Discovered in Opera by: Jakob Balle, Secunia Research

== 7) References

Secunia Advisory SA16869: http://secunia.com/advisories/16869/

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-57/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
Secunia Research: cPanel Entropy Chat Script Insertion Vulnerability
== Secunia Research 04/11/2005 - cPanel Entropy Chat Script Insertion Vulnerability - ==

Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) About Secunia
9) Verification

== 1) Affected Software

cPanel 10.2.0-R82 and 10.6.0-R137

Other versions may also be affected.

== 2) Severity

Rating: Moderately critical
Impact: Cross-site scripting
Where: Remote

== 3) Vendor's Description of Software

cPanel WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel and WHM are extremely feature rich as well as include an easy to use web based interface (GUI).

Product link: http://www.cpanel.net/

== 4) Description of Vulnerability

Secunia Research has discovered a vulnerability in cPanel, which can be exploited by malicious people to conduct script insertion attacks.

Input passed to the chat message field in the pre-installed Entropy Chat script isn't properly sanitised before being used. This can be exploited to inject arbitrary script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed with the Microsoft Internet Explorer browser.

Example:
Send message b style=width:expression([code])text/b via http://[host]:2084/

The vulnerability has been confirmed in versions 10.2.0-R82 and 10.6.0-R137. Other versions may also be affected.

== 5) Solution

Edit the source code to ensure that input is properly sanitised.

== 6) Time Table

10/10/2005 - Vulnerability discovered.
14/10/2005 - Vendor notified.
04/11/2005 - Public disclosure.

== 7) Credits

Discovered by Andreas Sandblad, Secunia Research.

== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public.

These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-56/advisory/

==