VARIoT IoT vulnerabilities database

Stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver 3.50.21.10, as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter before 4.100.15.5 and other products, allows remote attackers to execute arbitrary code via an 802.11 response frame containing a long SSID field. A buffer overflow vulnerability exists in the Broadcom BCMWL5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Broadcom Wireless Driver Probe Response SSID Buffer Overflow SECUNIA ADVISORY ID: SA22831 VERIFY ADVISORY: http://secunia.com/advisories/22831/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Broadcom NIDS 5.0 Wireless Driver 3.x http://secunia.com/product/12559/ DESCRIPTION: Johnny Cache has reported a vulnerability in Broadcom Wireless driver, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the BCMWL5.SYS device driver when handling probe response requests with a long SSID. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet. The vulnerability is reported in version 3.50.21.10. Other versions may also be affected. SOLUTION: Update to the latest version. Linksys: http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109934&packedargs=sku%3D1144763513196&pagename=Linksys%2FCommon%2FVisitorWrapper Turn off the wireless card when not in use. PROVIDED AND/OR DISCOVERED BY: Johnny Cache ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-11-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in A5AGU.SYS 1.0.1.41 for the D-Link DWL-G132 wireless adapter allows remote attackers to execute arbitrary code via a 802.11 beacon request with a long Rates information element (IE). D-LINK DWL-G132 is a high performance 802.11g wireless network card.  D-Link DWL-G132 wireless network card A5AGU.SYS driver has a stack overflow vulnerability. A remote attacker may use this vulnerability to execute arbitrary instructions on the user's machine. Because the overflow is triggered by a beacon frame, all network cards in the attack range are affected. The D-Link Wireless Device Driver for DWL-G132 devices is prone to a stack-based buffer-overflow vulnerability because the driver fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. Exploiting this issue allows attackers to execute arbitrary machine code in the context of the kernel hosting the vulnerable driver. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions. The ASAGU.SYS driver is primarily used on the Microsoft Window operating system. Note, however, that Linux and BSD machines using the 'ndiswrapper' tool should determine if they are using a vulnerable instance of the driver. Note also that this vulnerability can be exploited only when an attacker is within the range of broadcast of 802.11 wireless connections. Version 1.0.1.41 of the ASAGU.SYS driver is reported vulnerable; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: D-Link DWL-G132 Wireless Driver Beacon Rates Buffer Overflow SECUNIA ADVISORY ID: SA22860 VERIFY ADVISORY: http://secunia.com/advisories/22860/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: D-Link Wireless USB Network Adapter Driver 1.x http://secunia.com/product/12585/ DESCRIPTION: H D Moore has reported a vulnerability in D-Link DWL-G132 Wireless driver, which can be exploited by malicious people to compromise a vulnerable system. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet. PROVIDED AND/OR DISCOVERED BY: H D Moore ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-13-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. Apple's UserNotificationCenter contains a vulnerability that may allow local users to gain elevated privileges. According to Apple's information, gaining elevated privileges could result in unauthorized overwriting or modification of system files. This issue stems from a flaw in the UserNotificationCenter application that results in arbitrary code-execution with wheel-group privileges. This issue affects Apple Mac OS X version 10.4.8; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability exists due to an error in the "fpathconf()" syscall when it is called with an unsupported file type and can be exploited to cause a system panic. The vulnerability is confirmed in version 10.4.8. Other versions may also be affected. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: Initially discovered in FreeBSD and reported in Mac OS X by Ilja Van Sprundel. ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-09-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (persistent application crash) via a crafted phsh hash attribute in a TXT key. A vulnerability in the way Apple Mac OS X handles corrupted Universal Mach-O Binaries may result in execution of arbitrary code or denial of service. According to Apple information, iChat of Bonjour In message processing NULL Pointer Dereferencing causes the application to crash.Third parties on the local network can cause the application to crash. Apple iChat is prone to multiple remote denial-of-service vulnerabilities. These issues affect the Bonjour functionality. Apple iChat 3.1.6 is reported affected; other versions may be vulnerable as well. Apple iChat is a video chat tool bundled with Apple's family of operating systems. Several denial-of-service vulnerabilities exist in iChat's Bonjour feature, which allows automatic discovery of computers. There are no restrictions on finding available contacts via mDNS queries, iChat will add the broadcasted _presence._tcp record even if the contact does not exist, so a malicious user can broadcast a fake record so that iChat users using Bonjour cannot discover more peers, unable to communicate reliably. In addition, the iChat agent may have an exception when processing a specially crafted TXT key hash, resulting in a crash when sending a SIGTRAP signal to the process. Trying to start iChat Bonjour again will fail because mDNSResponder keeps a specially crafted record. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability exists due to an error in the "fpathconf()" syscall when it is called with an unsupported file type and can be exploited to cause a system panic. The vulnerability is confirmed in version 10.4.8. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: Initially discovered in FreeBSD and reported in Mac OS X by Ilja Van Sprundel. ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-09-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SSL VPN Client in Cisco Secure Desktop before 3.1.1.45, when configured to spawn a web browser after a successful connection, stores sensitive browser session information in a directory outside of the CSD vault and does not restrict the user from saving files outside of the vault, which is not cleared after the VPN connection terminates and allows local users to read unencrypted data. Cisco Secure Desktop is susceptible to multiple vulnerabilities. These issues are due to design flaws in the application. Exploiting these issues allows local attackers to evade application security policies, to access sensitive information, and to gain local system privileges on affected computers. These vulnerabilities affect Cisco Secure Desktop version 3.1.1.33 and prior. Local privilege escalation +------------------------ The default permissions of the directory where the CSD is installed and its parent directory allow any user to modify the contents of the CSD installation, including Reorder, delete and overwrite files. Unprivileged users can exploit this vulnerability to elevate their privileges and obtain localsystem-equivalent privileges by replacing certain CSD executables that run as system services with LocalSystem privileges. CSD is installed to the \\%SystemDrive\\%\Program Files\Cisco Systems\Secure Desktop\ directory by default. Note that some other Cisco products install their files into the \\%SystemDrive\\%\Program Files\Cisco Systems\ directory. So a side effect of this vulnerability in CSD is that if other products are installed after the vulnerable version of CSD is installed, those products will also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Cisco Secure Desktop Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22747 VERIFY ADVISORY: http://secunia.com/advisories/22747/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of sensitive information, Privilege escalation WHERE: Local system SOFTWARE: Cisco Secure Desktop 3.x http://secunia.com/product/7726/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Secure Desktop, which can be exploited by malicious, local users to gain knowledge of sensitive information, bypass certain security restrictions, or gain escalated privileges on a vulnerable system. Successful exploitation requires that Cisco SSL VPN is configured to automatically spawn a browser after a successful connection. 2) Users are able to switch between the Secure Desktop and the Local (non-secure) Desktop when using applications that attempt to switch to the default desktop. 3) When installed on an NTFS file system, insecure default permissions are placed on the installation directory. This can be exploited to remove, manipulate, and replace any of the application's file. Successful exploitation allows execution of arbitrary commands with SYSTEM privileges. SOLUTION: Update to version 3.1.1.45. PROVIDED AND/OR DISCOVERED BY: 1, 2) Reported by the vendor 3) Titon, Bastard Labs. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The installation of Cisco Secure Desktop (CSD) before 3.1.1.45 uses insecure default permissions (all users full control) for the CSD directory and its parent directory, which allow local users to gain privileges by replacing CSD executables, aka "Local Privilege Escalation". Cisco Secure Desktop is susceptible to multiple vulnerabilities. These issues are due to design flaws in the application. Exploiting these issues allows local attackers to evade application security policies, to access sensitive information, and to gain local system privileges on affected computers. These vulnerabilities affect Cisco Secure Desktop version 3.1.1.33 and prior. Cisco Secure Desktop (CSD) uses encryption to reduce the risk of cookies, browser history, temporary files, and downloads being left on the system after a remote user logs off or an SSL VPN session times out. Unprivileged users can exploit this vulnerability to elevate their privileges and obtain localsystem-equivalent privileges by replacing certain CSD executables that run as system services with LocalSystem privileges. Note that some other Cisco products install their files into the \\%SystemDrive\\%\Program Files\Cisco Systems\ directory. So a side effect of this vulnerability in CSD is that if other products are installed after the vulnerable version of CSD is installed, those products will also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Cisco Secure Desktop Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22747 VERIFY ADVISORY: http://secunia.com/advisories/22747/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of sensitive information, Privilege escalation WHERE: Local system SOFTWARE: Cisco Secure Desktop 3.x http://secunia.com/product/7726/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Secure Desktop, which can be exploited by malicious, local users to gain knowledge of sensitive information, bypass certain security restrictions, or gain escalated privileges on a vulnerable system. 1) Internet browsers that are automatically spawned after establishing an SSL VPN connection uses a directory outside of the CSD vault. Users are then able to save files downloaded during the internet browsing session into the said directory, which results in unencrypted files remaining in the system after the SSL VPN session. Successful exploitation requires that Cisco SSL VPN is configured to automatically spawn a browser after a successful connection. 2) Users are able to switch between the Secure Desktop and the Local (non-secure) Desktop when using applications that attempt to switch to the default desktop. 3) When installed on an NTFS file system, insecure default permissions are placed on the installation directory. This can be exploited to remove, manipulate, and replace any of the application's file. Successful exploitation allows execution of arbitrary commands with SYSTEM privileges. SOLUTION: Update to version 3.1.1.45. PROVIDED AND/OR DISCOVERED BY: 1, 2) Reported by the vendor 3) Titon, Bastard Labs. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Secure Desktop (CSD) before 3.1.1.45 allows local users to escape out of the secure desktop environment by using certain applications that switch to the default desktop, aka "System Policy Evasion". These issues are due to design flaws in the application. Exploiting these issues allows local attackers to evade application security policies, to access sensitive information, and to gain local system privileges on affected computers. Cisco Secure Desktop (CSD) uses encryption to reduce the risk of cookies, browser history, temporary files, and downloads being left on the system after a remote user logs off or an SSL VPN session times out. Local privilege escalation +------------------------ The default permissions of the directory where the CSD is installed and its parent directory allow any user to modify the contents of the CSD installation, including Reorder, delete and overwrite files. Unprivileged users can exploit this vulnerability to elevate their privileges and obtain localsystem-equivalent privileges by replacing certain CSD executables that run as system services with LocalSystem privileges. CSD is installed to the \\%SystemDrive\\%\Program Files\Cisco Systems\Secure Desktop\ directory by default. Note that some other Cisco products install their files into the \\%SystemDrive\\%\Program Files\Cisco Systems\ directory. So a side effect of this vulnerability in CSD is that if other products are installed after the vulnerable version of CSD is installed, those products will also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Cisco Secure Desktop Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22747 VERIFY ADVISORY: http://secunia.com/advisories/22747/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of sensitive information, Privilege escalation WHERE: Local system SOFTWARE: Cisco Secure Desktop 3.x http://secunia.com/product/7726/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Secure Desktop, which can be exploited by malicious, local users to gain knowledge of sensitive information, bypass certain security restrictions, or gain escalated privileges on a vulnerable system. 1) Internet browsers that are automatically spawned after establishing an SSL VPN connection uses a directory outside of the CSD vault. Users are then able to save files downloaded during the internet browsing session into the said directory, which results in unencrypted files remaining in the system after the SSL VPN session. Successful exploitation requires that Cisco SSL VPN is configured to automatically spawn a browser after a successful connection. 3) When installed on an NTFS file system, insecure default permissions are placed on the installation directory. This can be exploited to remove, manipulate, and replace any of the application's file. Successful exploitation allows execution of arbitrary commands with SYSTEM privileges. SOLUTION: Update to version 3.1.1.45. PROVIDED AND/OR DISCOVERED BY: 1, 2) Reported by the vendor 3) Titon, Bastard Labs. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

prl_dhcpd in Parallels Desktop for Mac Build 1940 uses insecure permissions (0666) for /Library/Parallels/.dhcpd_configuration, which allows local users to modify DHCP configuration. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Parallels Desktop for Mac Insecure File Permissions SECUNIA ADVISORY ID: SA22634 VERIFY ADVISORY: http://secunia.com/advisories/22634/ CRITICAL: Less critical IMPACT: Unknown WHERE: Local system SOFTWARE: Parallels Desktop for Mac http://secunia.com/product/12498/ DESCRIPTION: Fabio Pietrosanti has reported a security issue with unknown impact in Parallels Desktop for Mac. The security issue is caused due to /Library/StartupItems/Parallels/prl_dhcpd creating the file "/Library/Parallels/.dhcpd_configuration" with insecure file permissions (set to 666). Other versions may also be affected. SOLUTION: Grant only trusted users to affected systems. PROVIDED AND/OR DISCOVERED BY: Fabio Pietrosanti ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

My Firewall Plus 5.0 Build 1119 does not verify if explorer.exe is running before launching iexplore.exe from the "Test Your Firewall" feature, which allows local users to gain SYSTEM privileges. My Firewall Plus is prone to a local privilege-escalation vulnerability. A local attacker could exploit this issue to execute arbitrary machine code with SYSTEM-level privileges. A successful exploit could result in the complete compromise of the affected computer. Failed attempts would cause denial-of-service conditions. Version 5.0 Build 1119 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. PROVIDED AND/OR DISCOVERED BY: Secunia Research ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2006-59/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ====================================================================== Secunia Research 21/11/2006 - My Firewall Plus Privilege Escalation Vulnerability - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software My Firewall Plus 5.0 Build 1119. ====================================================================== 2) Severity Rating: Less critical Impact: Privilege Escalation Where: Local System ====================================================================== 3) Vendor's Description of Software "Corporate strength firewall for your personal PC". The vulnerability is caused due to the application windows running with SYSTEM privileges and the application not checking if explorer.exe is running before performing certain actions. Successful exploitation allows execution of arbitrary commands with SYSTEM privileges. ====================================================================== 5) Solution Enable the password protection to reduce the risk. ====================================================================== 6) Time Table 03/08/2006 - Vendor notified. 03/08/2006 - Vendor response. 16/08/2006 - Vendor reminder sent. 11/10/2006 - Vendor reminder sent. 21/11/2006 - Public disclosure. ====================================================================== 7) Credits Discovered by Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3973 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://corporate.secunia.com/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://corporate.secunia.com/secunia_research/33/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/secunia_vacancies/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-59/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

SQL injection vulnerability in detail.php in DeltaScripts PHP Classifieds 7.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. This issue affects 7.1 and prior versions; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: PHP Classifieds "user_id" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA22704 VERIFY ADVISORY: http://secunia.com/advisories/22704/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: PHP Classifieds 7.x http://secunia.com/product/12226/ DESCRIPTION: ajann has discovered a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "user_id" parameter in detail.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 7.1b. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: ajann ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information. Failed exploit attempts will result in a denial-of-service condition. An attacker could exploit this vulnerability by crafting a specially crafted web page that could allow remote code execution if a user visits the web page or clicks a link in an email message. However, user interaction is required to exploit this vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-318A Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash Original release date: November 14, 2006 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Adobe Flash Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash. I. Description Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash as part of the Microsoft Security Bulletin Summary for November 2006. Microsoft has included updates to Adobe Flash, which is installed with Internet Explorer. Further information is available in the Vulnerability Notes Database. II. An attacker may also be able to cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the November 2006 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Note any known issues described in the Bulletins and test for any potentially adverse affects in your environment. System administrators may wish to consider using Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft November 2006 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms06-nov> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * Microsoft Security Bulletin Summary for November 2006 - <http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx> * Microsoft Update - <https://update.microsoft.com/microsoftupdate/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-318A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-318A Feedback VU#377369" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History November 14, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRVpHwexOF3G+ig+rAQLUEAf9FSKBHOCuPIRuJYJYgY9th7ZRtNdxsWWQ 4ulkdZVv3P682sQEtF6glpLN1h+YHA1oF93uLp6T+7FKlxP1MYrxRPP5p1nH+fCa bRmVxUSATuDrxaTZmJWcJcL8zvaNTqkkDBCpG8GN32OCwgE40xNJRsKiv2UuIAYJ geGl8mK5PGb4Sr0Bjlw2n5fbcKkjoJXYmkxV3CXzvpPrtS1fIq0rZ19sRB4+Jw3I heEM7rKGMo3N4OUEYTpt2yW1Mpj2zVyWo2O8PWJmuMZq1lCsECrvTvfk4/q3s4Yh Z0l6F4Ps6L2D5PkNkg08EgxvbiPHYI8B8VZ1SlitvOcKiVOggyxYrg== =K0Wj -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability SECUNIA ADVISORY ID: SA22687 VERIFY ADVISORY: http://secunia.com/advisories/22687/ CRITICAL: Extremely critical IMPACT: System access WHERE: >From remote OPERATING SYSTEM: Microsoft Windows XP Professional http://secunia.com/product/22/ Microsoft Windows XP Home Edition http://secunia.com/product/16/ Microsoft Windows Server 2003 Web Edition http://secunia.com/product/1176/ Microsoft Windows Server 2003 Standard Edition http://secunia.com/product/1173/ Microsoft Windows Server 2003 Enterprise Edition http://secunia.com/product/1174/ Microsoft Windows Server 2003 Datacenter Edition http://secunia.com/product/1175/ Microsoft Windows 2000 Server http://secunia.com/product/20/ Microsoft Windows 2000 Professional http://secunia.com/product/1/ Microsoft Windows 2000 Datacenter Server http://secunia.com/product/1177/ Microsoft Windows 2000 Advanced Server http://secunia.com/product/21/ SOFTWARE: Microsoft Core XML Services (MSXML) 4.x http://secunia.com/product/6472/ DESCRIPTION: A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a users system. The vulnerability is caused due to an unspecified error in the XMLHTTP 4.0 ActiveX Control. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer. NOTE: The vulnerability is already being actively exploited. SOLUTION: Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control (see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Discovered as a 0-day. ORIGINAL ADVISORY: Microsoft http://www.microsoft.com/technet/security/advisory/927892.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in enserver.exe in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to read arbitrary files via crafted data on a "3200+SYSNR" TCP port, as demonstrated by port 3201. NOTE: this issue can be leveraged by local users to access a named pipe as the SAPServiceJ2E user. SAP Web Application Server is prone to a remote information-disclosure vulnerability. An attacker can leverage this issue to gain access to sensitive data. Information obtained could aid in further attacks. These versions are affected: - 6.40 patch 135 and prior - 7.00 patch 55 and prior. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: SAP Web Application Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22677 VERIFY ADVISORY: http://secunia.com/advisories/22677/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS WHERE: >From remote SOFTWARE: SAP Web Application Server 7.x http://secunia.com/product/6087/ SAP Web Application Server 6.x http://secunia.com/product/3327/ DESCRIPTION: Nicob has reported some vulnerabilities in SAP Web Application Server, which can be exploited by malicious people to disclose sensitive information or to cause a DoS (Denial of Service). 2) An unspecified error allows crashing the enserver.exe process. The vulnerabilities are reported in version 6.40 and 7.00. PROVIDED AND/OR DISCOVERED BY: Nicob ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999. Exploiting this issue allows remote attackers to consume excessive system resources until the software becomes unresponsive to further calls, effectively denying service to legitimate users. These versions are affected: - 6.40 patch 135 and prior - 7.00 patch 55 and prior. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. 1) Due to an unspecified error it is possible to read arbitrary files on the system with privileges of the web server. 2) An unspecified error allows crashing the enserver.exe process. The vulnerabilities are reported in version 6.40 and 7.00. PROVIDED AND/OR DISCOVERED BY: Nicob ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Agent Management Center (CSAMC) 5.1 before 5.1.0.79 does not properly handle certain LDAP error messages, which allows remote attackers to bypass authentication requirements via an empty password when using an external LDAP server. Exploiting this issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. This issue affects Cisco Security Agent Management Center 5.1 prior to 5.1.0.79. This issue is being tracked by Cisco Bug ID CSCsg40822. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. There is a loophole in CSA processing LDAP authentication, and remote attackers may use this loophole to obtain unauthorized management rights. If the administrator has the configuration or deployment role, it is possible to change the policies of the managed CSA clients. This can lead to a reduction in the security posture of the managed system and an attack on the managed system. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability is reported in version 5.1 prior to Hotfix 5.1.0.79. SOLUTION: Apply Hotfix 5.1.0.79 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00807726f7.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The \Device\SandBox driver in Outpost Firewall PRO 4.0 (964.582.059) allows local users to cause a denial of service (system crash) via an invalid argument to the DeviceIoControl function that triggers an invalid memory operation. Outpost Firewall PRO is prone to a local denial-of-service vulnerability because the application fails to properly handle unexpected input. Exploiting this issue allows local attackers to crash affected computers, denying service to legitimate users. Outpost Firewall PRO 4.0 (964.582.059) is vulnerable to this issue; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Outpost Firewall "Sandbox" Driver Denial Of Service Vulnerability SECUNIA ADVISORY ID: SA22673 VERIFY ADVISORY: http://secunia.com/advisories/22673/ CRITICAL: Not critical IMPACT: DoS WHERE: Local system SOFTWARE: Outpost Firewall Pro 4.x http://secunia.com/product/12472/ DESCRIPTION: Matousec has discovered a vulnerability in Outpost Firewall, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of data sent to the "Device\Sandbox" device. This can be exploited to crash a vulnerable system by sending arbitrary data to the said device. The vulnerability is confirmed in version 4.0.964.6926 (582). Other versions may be affected as well. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Matousec Transparent Security ORIGINAL ADVISORY: Matousec Transparent Security: http://www.matousec.com/info/advisories/Outpost-Insufficient-validation-of-SandBox-driver-input-buffer.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in modules/journal/search.php in the Journal module in Francisco Burzi PHP-Nuke 7.9 and earlier allows remote attackers to execute arbitrary SQL commands via the forwhat parameter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. PHP-Nuke 7.9 and prior versions are vulnerable. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: PHP-Nuke "forwhat" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA22617 VERIFY ADVISORY: http://secunia.com/advisories/22617/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Paisterist has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "forwhat" parameter in modules/journal/search.php is not properly sanitised, before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 7.9. SOLUTION: Edit the source code to ensure that input is properly verified. PROVIDED AND/OR DISCOVERED BY: Paisterist ORIGINAL ADVISORY: http://www.neosecurityteam.net/index.php?action=advisories&id=29 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ECI Telecom B-FOCuS Wireless 802.11b/g ADSL2+ Router allows remote attackers to read arbitrary files via a certain HTTP request, as demonstrated by a request for a router configuration file, related to the /html/defs/ URI. ECI Telecom's B-FOCuS ADSL2+ Combo332+ wireless router is prone to an information-disclosure vulnerability. The router's Web-Based Management interface fails to authenticate users before providing access to sensitive information. Exploiting this issue may allow an unauthenticated remote attacker to retrieve sensitive information from the affected device, which may aid in further attacks. B-Focus ADSL2+ does not properly configure the web management interface, attackers can list directories, read routers and configuration files by sending specially crafted requests. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: ECI B-FOCuS Wireless Router Information Disclosure SECUNIA ADVISORY ID: SA22667 VERIFY ADVISORY: http://secunia.com/advisories/22667/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: B-FOCuS Router 332+ http://secunia.com/product/12485/ DESCRIPTION: Tal Argoni has reported a vulnerability in B-FOCuS Wireless router, which can be exploited by malicious people to disclose certain sensitive information. The problem is due to improper authentication in the web-based management, which can be exploited by an unauthenticated person to read the router's configuration files. PROVIDED AND/OR DISCOVERED BY: Tal Argoni ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to list contents of the cgi-bin directory via unspecified vectors, probably a direct request. D-Link DSL-G624T Is cgi-bin A vulnerability exists that lists directory contents.By a third party cgi-bin The contents of the directory may be listed. D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 has an unknown information disclosure vulnerability. Dsl-G624t is prone to a remote security vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allow remote attackers to inject arbitrary web script or HTML via the (1) upnp:settings/state or (2) upnp:settings/connection parameters. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: D-Link DSL-G624T Directory Traversal and Cross-Site Scripting SECUNIA ADVISORY ID: SA22524 VERIFY ADVISORY: http://secunia.com/advisories/22524/ CRITICAL: Less critical IMPACT: Cross Site Scripting, Exposure of sensitive information WHERE: >From local network SOFTWARE: D-Link DSL-G624T http://secunia.com/product/12420/ DESCRIPTION: Jose Ramon Palanco has reported some vulnerabilities in D-Link DSL-G624T, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose certain sensitive information. 1) Input passed to the "upnp%3Asettings%2Fstate" and "upnp%3Asettings%2Fconnection" parameters in cgi-bin/webcm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. This can be exploited to disclose the content of certain files via directory traversal attacks. The vulnerabilities are reported in firmware version V3.00B01T01.YA-C.20060616. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the device and use it only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Jose Ramon Palanco ORIGINAL ADVISORY: http://www.eazel.es/advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Agent (CSA) for Linux 4.5 before 4.5.1.657 and 5.0 before 5.0.0.193, as used by Unified CallManager (CUCM) and Unified Presence Server (CUPS), allows remote attackers to cause a denial of service (resource consumption) via a port scan with certain options. Successfully exploiting this issue allows remote attackers to cause the affected software to enter into an unresponsive state, denying further service to legitimate users. This issue does not affect CSA for Windows or Solaris. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. Vulnerabilities exist when CSA handles special cases such as port scanning, and remote attackers may exploit this vulnerability to degrade service responsiveness. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. The vulnerability is caused due to an error within the detection of port scans. SOLUTION: Apply Hotfixes. http://www.cisco.com/pcgi-bin/tablebuild.pl/cups-10?psrtdcat20e2 CSA version 4.5 for Linux: Apply Hotfix 4.5.1.657 CSA version 5.0 for Linux: Apply Hotfix 5.0.0.193 CUCM 5.0 version including 5.0(4): Apply COS COP upgrade. CUPS 1.0 version including 1.0(2): Apply COS COP upgrade. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00807693c7.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------