VARIoT IoT vulnerabilities database

SQL injection vulnerability in detail.php in DeltaScripts PHP Classifieds 7.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. This issue affects 7.1 and prior versions; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: PHP Classifieds "user_id" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA22704 VERIFY ADVISORY: http://secunia.com/advisories/22704/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: PHP Classifieds 7.x http://secunia.com/product/12226/ DESCRIPTION: ajann has discovered a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "user_id" parameter in detail.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 7.1b. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: ajann ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information. Failed exploit attempts will result in a denial-of-service condition. An attacker could exploit this vulnerability by crafting a specially crafted web page that could allow remote code execution if a user visits the web page or clicks a link in an email message. However, user interaction is required to exploit this vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-318A Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash Original release date: November 14, 2006 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Adobe Flash Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash. I. Description Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash as part of the Microsoft Security Bulletin Summary for November 2006. Microsoft has included updates to Adobe Flash, which is installed with Internet Explorer. Further information is available in the Vulnerability Notes Database. II. An attacker may also be able to cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the November 2006 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Note any known issues described in the Bulletins and test for any potentially adverse affects in your environment. System administrators may wish to consider using Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft November 2006 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms06-nov> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * Microsoft Security Bulletin Summary for November 2006 - <http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx> * Microsoft Update - <https://update.microsoft.com/microsoftupdate/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-318A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-318A Feedback VU#377369" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History November 14, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRVpHwexOF3G+ig+rAQLUEAf9FSKBHOCuPIRuJYJYgY9th7ZRtNdxsWWQ 4ulkdZVv3P682sQEtF6glpLN1h+YHA1oF93uLp6T+7FKlxP1MYrxRPP5p1nH+fCa bRmVxUSATuDrxaTZmJWcJcL8zvaNTqkkDBCpG8GN32OCwgE40xNJRsKiv2UuIAYJ geGl8mK5PGb4Sr0Bjlw2n5fbcKkjoJXYmkxV3CXzvpPrtS1fIq0rZ19sRB4+Jw3I heEM7rKGMo3N4OUEYTpt2yW1Mpj2zVyWo2O8PWJmuMZq1lCsECrvTvfk4/q3s4Yh Z0l6F4Ps6L2D5PkNkg08EgxvbiPHYI8B8VZ1SlitvOcKiVOggyxYrg== =K0Wj -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability SECUNIA ADVISORY ID: SA22687 VERIFY ADVISORY: http://secunia.com/advisories/22687/ CRITICAL: Extremely critical IMPACT: System access WHERE: >From remote OPERATING SYSTEM: Microsoft Windows XP Professional http://secunia.com/product/22/ Microsoft Windows XP Home Edition http://secunia.com/product/16/ Microsoft Windows Server 2003 Web Edition http://secunia.com/product/1176/ Microsoft Windows Server 2003 Standard Edition http://secunia.com/product/1173/ Microsoft Windows Server 2003 Enterprise Edition http://secunia.com/product/1174/ Microsoft Windows Server 2003 Datacenter Edition http://secunia.com/product/1175/ Microsoft Windows 2000 Server http://secunia.com/product/20/ Microsoft Windows 2000 Professional http://secunia.com/product/1/ Microsoft Windows 2000 Datacenter Server http://secunia.com/product/1177/ Microsoft Windows 2000 Advanced Server http://secunia.com/product/21/ SOFTWARE: Microsoft Core XML Services (MSXML) 4.x http://secunia.com/product/6472/ DESCRIPTION: A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a users system. The vulnerability is caused due to an unspecified error in the XMLHTTP 4.0 ActiveX Control. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer. NOTE: The vulnerability is already being actively exploited. SOLUTION: Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control (see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Discovered as a 0-day. ORIGINAL ADVISORY: Microsoft http://www.microsoft.com/technet/security/advisory/927892.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in enserver.exe in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to read arbitrary files via crafted data on a "3200+SYSNR" TCP port, as demonstrated by port 3201. NOTE: this issue can be leveraged by local users to access a named pipe as the SAPServiceJ2E user. SAP Web Application Server is prone to a remote information-disclosure vulnerability. An attacker can leverage this issue to gain access to sensitive data. Information obtained could aid in further attacks. These versions are affected: - 6.40 patch 135 and prior - 7.00 patch 55 and prior. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: SAP Web Application Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22677 VERIFY ADVISORY: http://secunia.com/advisories/22677/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS WHERE: >From remote SOFTWARE: SAP Web Application Server 7.x http://secunia.com/product/6087/ SAP Web Application Server 6.x http://secunia.com/product/3327/ DESCRIPTION: Nicob has reported some vulnerabilities in SAP Web Application Server, which can be exploited by malicious people to disclose sensitive information or to cause a DoS (Denial of Service). 2) An unspecified error allows crashing the enserver.exe process. The vulnerabilities are reported in version 6.40 and 7.00. PROVIDED AND/OR DISCOVERED BY: Nicob ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999. Exploiting this issue allows remote attackers to consume excessive system resources until the software becomes unresponsive to further calls, effectively denying service to legitimate users. These versions are affected: - 6.40 patch 135 and prior - 7.00 patch 55 and prior. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. 1) Due to an unspecified error it is possible to read arbitrary files on the system with privileges of the web server. 2) An unspecified error allows crashing the enserver.exe process. The vulnerabilities are reported in version 6.40 and 7.00. PROVIDED AND/OR DISCOVERED BY: Nicob ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Agent Management Center (CSAMC) 5.1 before 5.1.0.79 does not properly handle certain LDAP error messages, which allows remote attackers to bypass authentication requirements via an empty password when using an external LDAP server. Exploiting this issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. This issue affects Cisco Security Agent Management Center 5.1 prior to 5.1.0.79. This issue is being tracked by Cisco Bug ID CSCsg40822. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. There is a loophole in CSA processing LDAP authentication, and remote attackers may use this loophole to obtain unauthorized management rights. If the administrator has the configuration or deployment role, it is possible to change the policies of the managed CSA clients. This can lead to a reduction in the security posture of the managed system and an attack on the managed system. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability is reported in version 5.1 prior to Hotfix 5.1.0.79. SOLUTION: Apply Hotfix 5.1.0.79 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00807726f7.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The \Device\SandBox driver in Outpost Firewall PRO 4.0 (964.582.059) allows local users to cause a denial of service (system crash) via an invalid argument to the DeviceIoControl function that triggers an invalid memory operation. Outpost Firewall PRO is prone to a local denial-of-service vulnerability because the application fails to properly handle unexpected input. Exploiting this issue allows local attackers to crash affected computers, denying service to legitimate users. Outpost Firewall PRO 4.0 (964.582.059) is vulnerable to this issue; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Outpost Firewall "Sandbox" Driver Denial Of Service Vulnerability SECUNIA ADVISORY ID: SA22673 VERIFY ADVISORY: http://secunia.com/advisories/22673/ CRITICAL: Not critical IMPACT: DoS WHERE: Local system SOFTWARE: Outpost Firewall Pro 4.x http://secunia.com/product/12472/ DESCRIPTION: Matousec has discovered a vulnerability in Outpost Firewall, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of data sent to the "Device\Sandbox" device. This can be exploited to crash a vulnerable system by sending arbitrary data to the said device. The vulnerability is confirmed in version 4.0.964.6926 (582). Other versions may be affected as well. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Matousec Transparent Security ORIGINAL ADVISORY: Matousec Transparent Security: http://www.matousec.com/info/advisories/Outpost-Insufficient-validation-of-SandBox-driver-input-buffer.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in modules/journal/search.php in the Journal module in Francisco Burzi PHP-Nuke 7.9 and earlier allows remote attackers to execute arbitrary SQL commands via the forwhat parameter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. PHP-Nuke 7.9 and prior versions are vulnerable. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: PHP-Nuke "forwhat" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA22617 VERIFY ADVISORY: http://secunia.com/advisories/22617/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Paisterist has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "forwhat" parameter in modules/journal/search.php is not properly sanitised, before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 7.9. SOLUTION: Edit the source code to ensure that input is properly verified. PROVIDED AND/OR DISCOVERED BY: Paisterist ORIGINAL ADVISORY: http://www.neosecurityteam.net/index.php?action=advisories&id=29 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ECI Telecom B-FOCuS Wireless 802.11b/g ADSL2+ Router allows remote attackers to read arbitrary files via a certain HTTP request, as demonstrated by a request for a router configuration file, related to the /html/defs/ URI. ECI Telecom's B-FOCuS ADSL2+ Combo332+ wireless router is prone to an information-disclosure vulnerability. The router's Web-Based Management interface fails to authenticate users before providing access to sensitive information. Exploiting this issue may allow an unauthenticated remote attacker to retrieve sensitive information from the affected device, which may aid in further attacks. B-Focus ADSL2+ does not properly configure the web management interface, attackers can list directories, read routers and configuration files by sending specially crafted requests. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: ECI B-FOCuS Wireless Router Information Disclosure SECUNIA ADVISORY ID: SA22667 VERIFY ADVISORY: http://secunia.com/advisories/22667/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: B-FOCuS Router 332+ http://secunia.com/product/12485/ DESCRIPTION: Tal Argoni has reported a vulnerability in B-FOCuS Wireless router, which can be exploited by malicious people to disclose certain sensitive information. The problem is due to improper authentication in the web-based management, which can be exploited by an unauthenticated person to read the router's configuration files. PROVIDED AND/OR DISCOVERED BY: Tal Argoni ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to list contents of the cgi-bin directory via unspecified vectors, probably a direct request. D-Link DSL-G624T Is cgi-bin A vulnerability exists that lists directory contents.By a third party cgi-bin The contents of the directory may be listed. D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 has an unknown information disclosure vulnerability. Dsl-G624t is prone to a remote security vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allow remote attackers to inject arbitrary web script or HTML via the (1) upnp:settings/state or (2) upnp:settings/connection parameters. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: D-Link DSL-G624T Directory Traversal and Cross-Site Scripting SECUNIA ADVISORY ID: SA22524 VERIFY ADVISORY: http://secunia.com/advisories/22524/ CRITICAL: Less critical IMPACT: Cross Site Scripting, Exposure of sensitive information WHERE: >From local network SOFTWARE: D-Link DSL-G624T http://secunia.com/product/12420/ DESCRIPTION: Jose Ramon Palanco has reported some vulnerabilities in D-Link DSL-G624T, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose certain sensitive information. 1) Input passed to the "upnp%3Asettings%2Fstate" and "upnp%3Asettings%2Fconnection" parameters in cgi-bin/webcm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. This can be exploited to disclose the content of certain files via directory traversal attacks. The vulnerabilities are reported in firmware version V3.00B01T01.YA-C.20060616. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the device and use it only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Jose Ramon Palanco ORIGINAL ADVISORY: http://www.eazel.es/advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Agent (CSA) for Linux 4.5 before 4.5.1.657 and 5.0 before 5.0.0.193, as used by Unified CallManager (CUCM) and Unified Presence Server (CUPS), allows remote attackers to cause a denial of service (resource consumption) via a port scan with certain options. Successfully exploiting this issue allows remote attackers to cause the affected software to enter into an unresponsive state, denying further service to legitimate users. This issue does not affect CSA for Windows or Solaris. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. Vulnerabilities exist when CSA handles special cases such as port scanning, and remote attackers may exploit this vulnerability to degrade service responsiveness. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. The vulnerability is caused due to an error within the detection of port scans. SOLUTION: Apply Hotfixes. http://www.cisco.com/pcgi-bin/tablebuild.pl/cups-10?psrtdcat20e2 CSA version 4.5 for Linux: Apply Hotfix 4.5.1.657 CSA version 5.0 for Linux: Apply Hotfix 5.0.0.193 CUCM 5.0 version including 5.0(4): Apply COS COP upgrade. CUPS 1.0 version including 1.0(2): Apply COS COP upgrade. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00807693c7.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

3Com Switch SS3 4400 switches, firmware 5.11, 6.00 and 6.10 and earlier, allow remote attackers to read the SNMP Read-Write Community string and conduct unauthorized actions via unspecified "normally restricted management packets on the device" that cause the community string to be returned. 3Com SS3 4400 Switch products are prone to an information-disclosure vulnerability. An attacker can exploit this issue to retrieve potentially sensitive information. The impact of successful exploits may allow various operations on the device, including disabling ports and reconfiguring a VLAN. Note that this issue may be exploited only through the management VLAN that the affected device is connected to. Firmware versions 5.11, 6.00, and 6.10 or earlier are vulnerable. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: 3Com SuperStack 3 Switch 4400 Information Disclosure SECUNIA ADVISORY ID: SA22818 VERIFY ADVISORY: http://secunia.com/advisories/22818/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: 3Com SuperStack 3 Switch 4400 Family http://secunia.com/product/450/ DESCRIPTION: A security issue has been reported in the 3Com SuperStack 3 Switch 4400 family, which can be exploited by malicious people to gain knowledge of sensitive information. Successful exploitation requires access to the management VLAN. SOLUTION: An update is reportedly available for customers with a software maintenance agreement or via the 3Com Partner Access site. PROVIDED AND/OR DISCOVERED BY: The vendor credits Andrew Brennan. ORIGINAL ADVISORY: http://www.3com.com/securityalert/alerts/3COM-06-004.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in /cgi-bin/webcm in INCA IM-204 allows remote attackers to read arbitrary files via a "/./." (modified dot dot) sequences in the getpage parameter. INCA IM-204 devices are prone to a remote information-disclosure vulnerability because the devices fail to properly sanitize user-supplied input. Exploiting this issue allows remote, unauthenticated attackers to gain access to potentially sensitive configuration information from affected devices. This may aid them in further attacks. This BID may be related to BID 20689; the issues are very similar in nature. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: INCA IM-204 "getpage" Parameter Information Disclosure SECUNIA ADVISORY ID: SA22557 VERIFY ADVISORY: http://secunia.com/advisories/22557/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: INCA IM-204 http://secunia.com/product/12440/ DESCRIPTION: Crackers_Child has reported a vulnerability in INCA IM-204, which can be exploited by malicious people to disclose potential sensitive information. Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. This can be exploited to disclose the content of certain files via directory traversal attacks. SOLUTION: Use the device only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Crackers_Child ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The SAVRT.SYS device driver, as used in Symantec AntiVirus Corporate Edition 8.1 and 9.0.x up to 9.0.3, and Symantec Client Security 1.1 and 2.0.x up to 2.0.3, allows local users to execute arbitrary code via a modified address for the output buffer argument to the DeviceIOControl function. Symantec AntiVirus and Symantec Client Security are prone to a privilege-escalation vulnerability. Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. The vulnerability is caused due to an improper validation of the output buffer address space of a "DeviceIOControl()" call in the SAVRT.SYS device driver. PROVIDED AND/OR DISCOVERED BY: The vendor credits Boon Seng Lim. ORIGINAL ADVISORY: Symantec: http://www.symantec.com/avcenter/security/Content/2006.10.23.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to read arbitrary files via a .. (dot dot) in the getpage parameter. D-Link DSL-G624T of cgi-bin/webcm Contains a directory traversal vulnerability.By a third party .. A remote attacker can read any file using .. D-Link DSL-G624T devices are prone to a remote information-disclosure vulnerability because the devices fail to properly sanitize user-supplied input. Exploiting this issue allows remote, unauthenticated attackers to gain access to potentially sensitive configuration information from affected devices. This may aid them in further attacks. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: D-Link DSL-G624T Directory Traversal and Cross-Site Scripting SECUNIA ADVISORY ID: SA22524 VERIFY ADVISORY: http://secunia.com/advisories/22524/ CRITICAL: Less critical IMPACT: Cross Site Scripting, Exposure of sensitive information WHERE: >From local network SOFTWARE: D-Link DSL-G624T http://secunia.com/product/12420/ DESCRIPTION: Jose Ramon Palanco has reported some vulnerabilities in D-Link DSL-G624T, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose certain sensitive information. 1) Input passed to the "upnp%3Asettings%2Fstate" and "upnp%3Asettings%2Fconnection" parameters in cgi-bin/webcm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. The vulnerabilities are reported in firmware version V3.00B01T01.YA-C.20060616. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the device and use it only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Jose Ramon Palanco ORIGINAL ADVISORY: http://www.eazel.es/advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

PHP remote file inclusion vulnerability in functions.php in DeltaScripts PHP Classifieds 7.1 allows remote attackers to execute arbitrary PHP code via a URL in the set_path parameter. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. Version 7.1 is vulnerable; other versions may also be affected. This BID is being retired because further information shows that the application is not vulnerable to this issue

Unspecified vulnerability in Toshiba Bluetooth wireless device driver 3.x and 4 through 4.00.35, as used in multiple products, allows physically proximate attackers to cause a denial of service (crash), corrupt memory, and possibly execute arbitrary code via crafted Bluetooth packets. Bluetooth Wireless Device Driver is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Toshiba Bluetooth Stack Memory Corruption Vulnerability SECUNIA ADVISORY ID: SA22402 VERIFY ADVISORY: http://secunia.com/advisories/22402/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Toshiba Bluetooth Stack 4.x http://secunia.com/product/6807/ Toshiba Bluetooth Stack 3.x http://secunia.com/product/6806/ DESCRIPTION: A vulnerability has been reported in Toshiba Bluetooth Stack, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Successful exploitation requires knowledge of the Bluetooth device address. The vulnerability is reported in version 3.x and versions 4 through 4.00.35. Other versions may also be affected. NOTE: Products from other vendors using the Toshiba Bluetooth Stack may also be affected. The Toshiba Bluetooth Stack running on 64-bit platforms is reportedly not affected. SOLUTION: Update to the latest version. PROVIDED AND/OR DISCOVERED BY: David Maynor, SecureWorks and Jon Ellch. ORIGINAL ADVISORY: http://www.secureworks.com/press/20061011-dell.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

XORP (eXtensible Open Router Platform) 1.2 and 1.3 allows remote attackers to cause a denial of service (application crash) via an Open Shortest Path First (OSPF) Link State Advertisement (LSA) with an invalid LSA length field. Exploiting this issue allows remote, unauthenticated attackers to crash the application, denying further service to legitimate users. eXtensible Open Router Platform versions 1.2 and 1.3 are vulnerable to this issue. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: XORP OSPF Link State Advertisements Denial of Service SECUNIA ADVISORY ID: SA22462 VERIFY ADVISORY: http://secunia.com/advisories/22462/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: XORP 1.x http://secunia.com/product/12372/ DESCRIPTION: Mu Security has reported a vulnerability in XORP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an out of bounds read when processing Link State Advertisements (LSA). This can be exploited to crash the OSPF daemon by sending LSAs with invalid length values. The vulnerability is reported in XORP 1.2 and 1.3. Other versions may also be affected. SOLUTION: Follow vendor instructions to apply patches. http://www.xorp.org/advisories/XORP_SA_06:01.ospf.txt PROVIDED AND/OR DISCOVERED BY: Mu Security ORIGINAL ADVISORY: XORP Project Advisory: http://www.xorp.org/advisories/XORP_SA_06:01.ospf.txt Mu Security Advisory: http://labs.musecurity.com/advisories/MU-200610-01.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Kerio WinRoute Firewall 6.2.2 and earlier allows remote attackers to cause a denial of service (crash) via malformed DNS responses. Kerio WinRoute Firewall is prone to a remote denial-of-service vulnerability. Exploiting this issue may permit an attacker to crash affected devices, denying further network services to legitimate users. Kerio WinRoute Firewall 6.2.2 and prior versions are vulnerable; other versions may also be affected. Kerio WinRoute Firewall is a gateway firewall for small and medium businesses. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Kerio WinRoute Firewall DNS Response Denial of Service SECUNIA ADVISORY ID: SA22986 VERIFY ADVISORY: http://secunia.com/advisories/22986/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: Kerio WinRoute Firewall 6.x http://secunia.com/product/3613/ DESCRIPTION: A vulnerability has been reported in Kerio WinRoute Firewall, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error when processing malformed DNS responses. This can be exploited to crash the application. SOLUTION: Update to version 6.2.3. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in my.acctab.php3 in F5 Networks FirePass 1000 SSL VPN 5.5, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the sid parameter. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Version 5.5 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Input passed to the "sid" parameter in my.acctab.php3 is not properly sanitised before being returned to the user. The vulnerability is reported in FirePass 1000 SSL VPN version 5.5. PROVIDED AND/OR DISCOVERED BY: Richard Brain, ProCheckUp ORIGINAL ADVISORY: http://www.procheckup.com/Vulner_PR0603b.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------