VARIoT IoT vulnerabilities database


VAR-200606-0321 CVE-2006-3226 Cisco Secure Access Control Server for Windows authentication bypass vulnerability
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Secure Access Control Server (ACS) 4.x for Windows uses the client's IP address and the server's port number to grant access to an HTTP server port for an administration session, which allows remote attackers to bypass authentication via various methods, aka "ACS Weak Session Management Vulnerability."

This issue is due to the application's failure to properly ensure that remote web-based users are properly authenticated. This issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. Cisco Secure ACS for Windows versions in the 4.x series were identified as vulnerable to this issue; other versions and platforms may also be affected. This issue is being tracked by Cisco Bug IDs CSCse26754 and CSCse26719. This helps attackers to hijack management sessions because port numbers are assigned in a sequential fashion without using strong authentication.

TITLE: Cisco Secure ACS Session Management Security Issue
SECUNIA ADVISORY ID: SA20816
VERIFY ADVISORY: http://secunia.com/advisories/20816/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From local network
SOFTWARE: Cisco Secure ACS 4.x http://secunia.com/product/10635/
DESCRIPTION: Darren Bounds has reported a security issue in Cisco Secure ACS, which can be exploited by malicious people to bypass certain security restrictions. The problem is caused due to the web-based management interface handling session management in an insecure way based on the assigned service port and the client's IP address. Successful exploitation requires that the attacker uses the same IP address as the logged-in administrative user. The security issue has been reported in version 4.0 for Windows. Other versions may also be affected.
SOLUTION: Only connect to the web-based management interface from dedicated management systems.
PROVIDED AND/OR DISCOVERED BY: Darren Bounds
ORIGINAL ADVISORY:
Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml
Darren Bounds: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html
VAR-200606-0317 CVE-2006-3222 Fortinet FortiGate FTP Scanning agent Access control bypass vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The FTP proxy module in Fortinet FortiOS (FortiGate) before 2.80 MR12 and 3.0 MR2 allows remote attackers to bypass anti-virus scanning via the Enhanced Passive (EPSV) FTP mode.

Fortinet FortiGate is prone to a vulnerability that allows an attacker to bypass antivirus protection. This issue occurs when files are transferred using the FTP protocol under certain conditions. Fortinet FortiOS versions prior to 2.80 MR12 and 3.0 MR2 are vulnerable to this issue if the FTP antivirus gateway-scanning service is used.

Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration.

TITLE: FortiGate FTP Anti-Virus Scanning Bypass Vulnerability
SECUNIA ADVISORY ID: SA20720
VERIFY ADVISORY: http://secunia.com/advisories/20720/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/
Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/
DESCRIPTION: A vulnerability has been reported in FortiGate, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within the FortiGate FTP proxy when handling the EPSV command.
SOLUTION: Update to FortiOS 2.80 MR12 release or FortiOS 3.0 MR2 release. Users can contact Fortinet Tech Support to obtain the updated firmware.
PROVIDED AND/OR DISCOVERED BY: The vendor credits a recent magazine test review article.
ORIGINAL ADVISORY: http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-15.html
VAR-200606-0033 CVE-2006-3146 Toshiba Bluetooth protocol stack TOSRFBD.SYS Remote denial of service vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The TOSRFBD.SYS driver for Toshiba Bluetooth Stack 4.00.29 and earlier on Windows allows remote attackers to cause a denial of service (reboot) via a L2CAP echo request that triggers an out-of-bounds memory access, similar to "Ping o' Death" and as demonstrated by BlueSmack. NOTE: this issue was originally reported for 4.00.23.

Toshiba Bluetooth Stack is prone to a remote denial-of-service vulnerability. Reports indicate that a successful attack can corrupt memory and restart a vulnerable computer. Toshiba Bluetooth Stack for Windows versions 4.0.23 and prior are reported to be affected.
VAR-200606-0023 CVE-2006-3109 Cisco CallManager Vulnerable to cross-site scripting
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Cisco CallManager 3.3 before 3.3(5)SR3, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3), and 4.3 before 4.3(1), allows remote attackers to inject arbitrary web script or HTML via the (1) pattern parameter in ccmadmin/phonelist.asp and (2) arbitrary parameters in ccmuser/logon.asp, aka bugid CSCsb68657.

This issue is due to a failure in the web interface to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting administrative user in the context of the affected site. This may help the attacker launch other attacks.
VAR-200607-0007 CVE-2006-0026 Microsoft DHCP Client service contains a buffer overflow
CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP).

Microsoft DHCP Client service contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Microsoft Office applications fail to properly handle PNG images.

To exploit this issue, attackers must be able to place and execute malicious ASP pages on computers running the affected ASP server software. This may be an issue in shared-hosting environments.

National Cyber Alert System
Technical Cyber Security Alert TA06-192A
Microsoft Windows, Office, and IIS Vulnerabilities
Original release date: July 11, 2006
Last revised: --
Source: US-CERT

Systems Affected
* Microsoft Windows
* Microsoft Internet Information Services (IIS)
* Microsoft Office
* Microsoft Office for Mac
* Microsoft Access
* Microsoft Excel and Excel Viewer
* Microsoft FrontPage
* Microsoft InfoPath
* Microsoft OneNote
* Microsoft Outlook
* Microsoft PowerPoint
* Microsoft Project
* Microsoft Publisher
* Microsoft Visio
* Microsoft Word and Word Viewer

Overview
Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, IIS, and Office.

I. Description
Microsoft Security Bulletin Summary for July 2006 addresses vulnerabilities in Microsoft products including Windows, IIS, and Office. (CVE-2006-0007) In MS06-037, Microsoft has released updates for the Excel vulnerability (VU#802324) described in Technical Cyber Security Alert TA06-167A.

II. An attacker may also be able to cause a denial of service.

III. Solution
Apply a patch from your vendor
Microsoft has provided updates for these vulnerabilities in the Security Bulletins. Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Apple Mac OS X users should obtain updates from the Mactopia web site. System administrators may wish to consider using Windows Server Update Services (WSUS).

Workaround
Please see the following Vulnerability Notes for workarounds.

Appendix A. References
* Microsoft Security Bulletin Summary for July 2006 - <http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx>
* Technical Cyber Security Alert TA06-167A - <http://www.us-cert.gov/cas/techalerts/TA06-167A.html>
* US-CERT Vulnerability Notes for Microsoft July 2006 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms06-jul>
* US-CERT Vulnerability Note VU#395588 - <http://www.kb.cert.org/vuls/id/395588>
* US-CERT Vulnerability Note VU#189140 - <http://www.kb.cert.org/vuls/id/189140>
* US-CERT Vulnerability Note VU#257164 - <http://www.kb.cert.org/vuls/id/257164>
* US-CERT Vulnerability Note VU#802324 - <http://www.kb.cert.org/vuls/id/802324>
* US-CERT Vulnerability Note VU#580036 - <http://www.kb.cert.org/vuls/id/580036>
* US-CERT Vulnerability Note VU#609868 - <http://www.kb.cert.org/vuls/id/609868>
* US-CERT Vulnerability Note VU#409316 - <http://www.kb.cert.org/vuls/id/409316>
* US-CERT Vulnerability Note VU#459388 - <http://www.kb.cert.org/vuls/id/459388>
* US-CERT Vulnerability Note VU#668564 - <http://www.kb.cert.org/vuls/id/668564>
* CVE-2006-0026 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0026>
* CVE-2006-1314 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1314>
* CVE-2006-2372 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372>
* CVE-2006-3059 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059>
* CVE-2006-1316 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1316>
* CVE-2006-1540 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1540>
* CVE-2006-2389 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2389>
* CVE-2006-0033 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0033>
* CVE-2006-0007 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0007>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
* Microsoft Office Update - <http://officeupdate.microsoft.com>
* Mactopia - <http://www.microsoft.com/mac>
* Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-192A.html>

Revision History
July 11, 2006: Initial release

Other versions of Excel, and other Office programs may be affected or act as attack vectors. Opening a specially crafted Excel document, including documents hosted on web sites or attached to email messages, could trigger the vulnerability. Office documents can contain embedded objects. For example, a malicious Excel document could be embedded in a Word or PowerPoint document. Office documents other than Excel documents could be used as attack vectors. If the user has administrative privileges, the attacker could gain complete control of the system.

Solution
At the time of writing, there is no complete solution available. Consider the following workarounds:

Do not open untrusted Excel documents
Do not open unfamiliar or unexpected Excel or other Office documents, including those received as email attachments or hosted on a web site. Please see Cyber Security Tip ST04-010 for more information.

Do not rely on file extension filtering
In most cases, Windows will call Excel to open a document even if the document has an unknown file extension. For example, if document.x1s (note the digit "1") contains the correct file header information, Windows will open document.x1s with Excel.

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-167A.html>
VAR-200606-0015 CVE-2006-3101 Cisco Secure ACS LoginProxy.CGI Cross-Site Scripting Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200606-0457
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in LogonProxy.cgi in Cisco Secure ACS for UNIX 2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) error, (2) SSL, and (3) Ok parameters.

This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue affects Cisco Secure ACS version 2.3 for UNIX; other versions may also be vulnerable.

Input passed to specified parameters in LogonProxy.cgi is not properly sanitised before being returned to the user.
SOLUTION: Apply patch. http://www.cisco.com/pcgi-bin/tablebuild.pl/cspatchunix-3des
PROVIDED AND/OR DISCOVERED BY: The vendor credits Thomas Liam Romanis and Fujitsu Services Limited.
ORIGINAL ADVISORY:
Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060615-acs.shtml
VAR-200606-0153 CVE-2006-3073 Cisco VPN3K/ASA WebVPN Clientless mode Multiple Cross-Site Scripting Vulnerabilities
CVSS V2: 2.6
CVSS V3: -
Severity: LOW
Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher.

The issue is due to insufficient sanitization of HTML and script code from error messages that are displayed to users. This vulnerability could result in the execution of attacker-supplied HTML and script code in the session of a victim user. In the worst-case scenario, the attacker could gain unauthorized access to the VPN by stealing the WebVPN session cookie. Cisco tracks this issue as Bug IDs CSCsd81095 and CSCse48193.

Input passed in the URL isn't properly sanitised before being returned to the user in the "dnserror.html" and the "connecterror.html" pages. Successful exploitation requires that clientless mode of the WebVPN feature is enabled.
SOLUTION: Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Zalewski and two other users.
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html
Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml
VAR-200610-0138 CVE-2006-5328 OpenBase SQL Vulnerable to symbolic link attacks
CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 and earlier and possibly other products, allows local users to create arbitrary files via a symlink attack on the simulation.sql file. Used in Apple Xcode and other products.

The OpenBase application shipped with Apple Xcode is prone to multiple privilege-escalation issues because the application fails to handle exceptional conditions when executing setuid programs. A local attacker can exploit these issues to gain superuser privileges. A successful exploit would lead to the complete compromise of affected computers. This issue affects Apple Xcode 2.2 and earlier versions. Xcode is the development tool used on Apple machines.

The vulnerabilities are caused due to the inclusion of vulnerable versions of Binutils and OpenBase SQL.

TITLE: SpamAssassin "spamd" Shell Command Injection Vulnerability
SECUNIA ADVISORY ID: SA20430
VERIFY ADVISORY: http://secunia.com/advisories/20430/
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From local network
SOFTWARE: SpamAssassin 3.x http://secunia.com/product/4506/
DESCRIPTION: A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to compromise a vulnerable system. Some unspecified input is not properly sanitised before being used. This can be exploited to inject arbitrary shell commands. Successful exploitation requires that spamd is used with the "--vpopmail" and "--paranoid" switches. The vulnerability has been reported in version 3.0.3. Other versions may also be affected.
SOLUTION: Update to version 3.0.6 or 3.1.3.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
VAR-200610-0137 CVE-2006-5327 OpenBase SQL Vulnerable to arbitrary code execution
CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Untrusted search path vulnerability in OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 and earlier and possibly other products, allows local users to execute arbitrary code via a modified PATH that references a malicious gzip program, which is executed by gnutar with certain TAR_OPTIONS environment variable settings, when gnutar is invoked by OpenBase. Used in Apple Xcode and other products.

The OpenBase application shipped with Apple Xcode is prone to multiple privilege-escalation issues because the application fails to handle exceptional conditions when executing setuid programs. A local attacker can exploit these issues to gain superuser privileges. A successful exploit would lead to the complete compromise of affected computers. This issue affects Apple Xcode 2.2 and earlier versions. Xcode is the development tool used on Apple machines. By using the TAR_OPTIONS environment variable, gnutar can be forced to call gzip without specifying the path, and the attacker can gain root privileges by controlling the PATH variable.

For more information: SA22390
SOLUTION: Download the latest J2SE 5.0-compliant OpenBase JDBC drivers from http://www.openbase.com. Alternatively, remove the "setuid" flags from the OpenBase binaries.
VAR-200606-0560 CVE-2006-2925 Ingate Firewall/SIParator web interface Cross-site scripting attack (XSS) Vulnerability
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web interface in Ingate Firewall before 4.4.1 and SIParator before 4.4.1 allows remote attackers to inject arbitrary web script or HTML, and steal cookies, via unspecified vectors related to "XSS exploits" in administrator functionality.

TITLE: Ingate Firewall and SIParator Two Vulnerabilities
SECUNIA ADVISORY ID: SA20479
VERIFY ADVISORY: http://secunia.com/advisories/20479/
CRITICAL: Moderately critical
IMPACT: Cross Site Scripting, DoS
WHERE: From remote
OPERATING SYSTEM: Ingate SIParator 4.x http://secunia.com/product/5687/
Ingate Firewall 4.x http://secunia.com/product/4050/
DESCRIPTION: Two vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service).
1) An error exists within the handling of the SSL/TLS handshake in the SIP module and in the web server. This can be exploited to cause the modules to crash via a specially-crafted handshake. Successful exploitation requires that SSL/TLS is enabled.
2) Input passed to unspecified parameters in the web interface isn't properly sanitised before being returned to the user.
SOLUTION: Update to version 4.4.1. http://www.ingate.com/upgrades.php
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.ingate.com/relnote-441.php
VAR-200606-0559 CVE-2006-2924 Ingate Firewall/SIParator SSL/TLS Handshake Denial of service vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Ingate Firewall in the SIP module before 4.4.1 and SIParator before 4.4.1, when TLS is enabled or when SSL/TLS is enabled in the web server, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake.

Ingate Firewall and SIParator products are prone to a remote denial-of-service vulnerability. This vulnerability is exploitable only if SSL/TLS has been enabled in the SIP module or in the webserver. Versions of Ingate Firewall and SIParator prior to 4.4.1 are vulnerable to this issue.

TITLE: Ingate Firewall and SIParator Two Vulnerabilities
SECUNIA ADVISORY ID: SA20479
VERIFY ADVISORY: http://secunia.com/advisories/20479/
CRITICAL: Moderately critical
IMPACT: Cross Site Scripting, DoS
WHERE: From remote
OPERATING SYSTEM: Ingate SIParator 4.x http://secunia.com/product/5687/
Ingate Firewall 4.x http://secunia.com/product/4050/
DESCRIPTION: Two vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service).
1) An error exists within the handling of the SSL/TLS handshake in the SIP module and in the web server. This can be exploited to cause the modules to crash via a specially-crafted handshake. Successful exploitation requires that SSL/TLS is enabled.
2) Input passed to unspecified parameters in the web interface isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in context of the web interface.
SOLUTION: Update to version 4.4.1. http://www.ingate.com/upgrades.php
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.ingate.com/relnote-441.php
VAR-200606-0464 CVE-2006-2900 Mozilla Firefox allows cross-domain iframe access via JavaScript CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Internet Explorer 6 allows user-assisted remote attackers to read arbitrary files by tricking a user into typing the characters of the target filename in a text box and using the OnKeyDown, OnKeyPress, and OnKeyUp Javascript keystroke events to change the focus and cause those characters to be inserted into a file upload input control, which can then upload the file when the user submits the form.

Mozilla Firefox allows cross-domain access to an iframe. This vulnerability could allow an attacker to interact with a web site in a different domain. The attacker could read content and cookies, capture keystrokes, and modify content.

Mozilla Firefox does not filter input when sending certain URIs to registered protocol handlers. This may allow a remote, authenticated attacker to use Firefox as a vector for executing commands on a vulnerable system.

SOLUTION:
Disable Active Scripting support.
Do not enter suspicious text when visiting untrusted web sites.

TITLE: Mozilla Firefox Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA26095
VERIFY ADVISORY: http://secunia.com/advisories/26095/
CRITICAL: Highly critical
IMPACT: Cross Site Scripting, Spoofing, DoS, System access
WHERE: From remote
SOFTWARE:
Mozilla Firefox 2.0.x
http://secunia.com/product/12434/

DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks and potentially to compromise a user's system.

1) Various errors in the browser engine can be exploited to cause memory corruption and potentially to execute arbitrary code.

2) Various errors in the Javascript engine can be exploited to cause memory corruption and potentially to execute arbitrary code.

3) An error in the "addEventListener" and "setTimeout" methods can be exploited to inject script into another site's context, circumventing the browser's same-origin policy.

4) An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site. This is related to vulnerability #5 in: SA21906

5) An unspecified error in the handling of elements outside of documents allows an attacker to call an event handler and execute arbitrary code with chrome privileges.

6) An unspecified error in the handling of "XPCNativeWrapper" can lead to execution of user-supplied code.

SOLUTION:
Update to version 2.0.0.5.

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul Nickerson, and Vladimir Sukhoy.
2) The vendor credits Asaf Romano, Jesse Ruderman, and Igor Bukanov.
3, 5) The vendor credits moz_bug_r_a4
4) Ronen Zilberman and Michal Zalewski
6) The vendor credits shutdown and moz_bug_r_a4.

ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2007/mfsa2007-18.html
http://www.mozilla.org/security/announce/2007/mfsa2007-19.html
http://www.mozilla.org/security/announce/2007/mfsa2007-20.html
http://www.mozilla.org/security/announce/2007/mfsa2007-21.html
http://www.mozilla.org/security/announce/2007/mfsa2007-25.html

OTHER REFERENCES:
SA21906:
http://secunia.com/advisories/21906/

The vulnerability is caused due to an error within the handling of "about:blank" pages loaded by chrome in an addon. This can be exploited to execute script code under chrome privileges by e.g. clicking on a link opened in an "about:blank" window created and populated in certain ways by an addon. Successful exploitation requires that certain addons are installed.
http://www.mozilla.com/en-US/firefox/
Thunderbird: Fixed in the upcoming version 2.0.0.6.
http://www.mozilla.com/en-US/thunderbird/
SeaMonkey: Fixed in the upcoming version 1.1.4.
For more information: SA26201

PROVIDED AND/OR DISCOVERED BY:
moz_bug_r_a4

CHANGELOG:
2007-07-31: Updated "Description". Added link to vendor advisory.

"mailto", "news", "nntp", "snews", "telnet"). using Firefox visits a malicious website with a specially crafted "mailto" URI containing a "%" character and ends in a certain extension (e.g.

The vulnerability is confirmed on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2. Other versions and browsers may also be affected.

SOLUTION:
Do not browse untrusted websites or follow untrusted links.

PROVIDED AND/OR DISCOVERED BY:
Vulnerability discovered by:
* Billy (BK) Rios
Firefox not escaping quotes originally discussed by:
* Jesper Johansson
Additional research by Secunia Research.

National Cyber Alert System
Technical Cyber Security Alert TA07-297B
Adobe Updates for Microsoft Windows URI Vulnerability

Original release date: October 24, 2007
Last revised: --
Source: US-CERT

Systems Affected
Microsoft Windows XP and Windows Server 2003 systems with Internet Explorer 7 and any of the following Adobe products:
* Adobe Reader 8.1 and earlier
* Adobe Acrobat Professional, 3D, and Standard 8.1 and earlier
* Adobe Reader 7.0.9 and earlier
* Adobe Acrobat Professional, 3D, Standard, and Elements 7.0.9 and earlier

Overview
Adobe has released updates for the Adobe Reader and Adobe Acrobat product families. The update addresses a URI handling vulnerability in Microsoft Windows XP and Server 2003 systems with Internet Explorer 7.

I. Description
Installing Microsoft Internet Explorer (IE) 7 on Windows XP or Server 2003 changes the way Windows handles Uniform Resource Identifiers (URIs). This change has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. More information about this vulnerability is available in US-CERT Vulnerability Note VU#403150. Public reports indicate that this vulnerability is being actively exploited with malicious PDF files. Adobe has released Adobe Reader 8.1.1 and Adobe Acrobat 8.1.1, which mitigate this vulnerability.

II.

III. Solution
Apply an update
Adobe has released Adobe Reader 8.1.1 and Adobe Acrobat 8.1.1 to address this issue. These Adobe products handle URIs in a way that mitigates the vulnerability in Microsoft Windows.

Disable the mailto: URI in Adobe Reader and Adobe Acrobat
If you are unable to install an updated version of the software, this vulnerability can be mitigated by disabling the mailto: URI handler in Adobe Reader and Adobe Acrobat. Please see Adobe Security Bulletin APSB07-18 for details.

Appendix A. Vendor Information
Adobe
For information about updating affected Adobe products, see Adobe Security Bulletin APSB07-18.

Appendix B. References
* Adobe Security Bulletin APSB07-18 - <http://www.adobe.com/support/security/bulletins/apsb07-18.htm>
* Microsoft Security Advisory (943521) - <http://www.microsoft.com/technet/security/advisory/943521.mspx>
* US-CERT Vulnerability Note VU#403150 - <http://www.kb.cert.org/vuls/id/403150>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-297B.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-297B Feedback VU#403150" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

Produced 2007 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>

Revision History
October 24, 2007: Initial release
VAR-200606-0465 CVE-2006-2901 D-Link DWL-2100AP Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web server for D-Link Wireless Access-Point (DWL-2100ap) firmware 2.10na and earlier allows remote attackers to obtain sensitive system information via a request to an arbitrary .cfg file, which returns configuration information including passwords.

D-Link DWL-2100ap is a popular wireless access point. Remote attackers can exploit this vulnerability to obtain sensitive information.

Conditions Required for Attack: An attacker must be able to reach the D-Link DWL-2100AP.

Vulnerability Information: D-Link DWL-2100AP is a wireless router device.

Test method: http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg

Vendor solutions: the following third-party patch can be used: http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp

D-Link DWL-2100AP devices are susceptible to a remote information-disclosure vulnerability. The devices fail to properly secure configuration information. This may aid attackers in further attacks.

TITLE: D-Link DWL-2100AP Exposure of Configuration Files
SECUNIA ADVISORY ID: SA20474
VERIFY ADVISORY: http://secunia.com/advisories/20474/
CRITICAL: Less critical
IMPACT: Exposure of sensitive information
WHERE: From local network
OPERATING SYSTEM:
D-Link DWL-2100AP
http://secunia.com/product/4116/

DESCRIPTION:
A security issue has been reported in D-Link DWL-2100AP, which can be exploited by malicious people to disclose sensitive information.

The problem is caused due to configuration files being stored insecurely inside the "cgi-bin" directory.

Example:
http://[host]/cgi-bin/[file].cfg

The security issue has been reported in firmware version 2.10na. Other versions may also be affected.

SOLUTION:
Filter traffic to the web interface of an affected device.

PROVIDED AND/OR DISCOVERED BY:
Wendel Guglielmetti Henrique and Intruders Tiger Team Security.

ORIGINAL ADVISORY:
http://www.intruders.org.br/adv0206en.html
VAR-200606-0512 CVE-2006-2838 F-Secure Anti-Virus and Internet Gatekeeper Vulnerable to buffer overflow CVSS V2: 7.6
CVSS V3: -
Severity: HIGH
Buffer overflow in the web console in F-Secure Anti-Virus for Microsoft Exchange 6.40, and Internet Gatekeeper 6.40 through 6.42 and 6.50 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors. NOTE: By default, the connections are only allowed from the local host.

F-Secure Anti-Virus is prone to a denial-of-service vulnerability.

The vulnerability is caused due to an unspecified boundary error within the web console prior to authentication and can be exploited to cause a buffer overflow. Successful exploitation crashes the web console process and may potentially allow execution of arbitrary code. The criticality of the vulnerability therefore depends on how the web console has been configured to accept connections.

SOLUTION:
Update to a fixed version or apply hotfix.

-- F-Secure Anti-Virus for Microsoft Exchange --
Apply hotfix for version 6.40:
ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-05.zip

-- F-Secure Internet Gatekeeper --
Update to version 6.60 or apply hotfix (for version 6.50):
ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk650-01.zip

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Mikko Korppi.

ORIGINAL ADVISORY:
http://www.f-secure.com/security/fsc-2006-3.shtml
VAR-200703-0528 CVE-2007-1504 Interstage Application Server cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes.

The Servlet Service for Interstage Business Application and the Servlet Service for Interstage Management Console (may be referred to as "Servlet Service for Interstage Operation Management" in certain versions) included in the Interstage product series from Fujitsu contain a cross-site scripting vulnerability. As of March 19, 2007, Fujitsu has announced workarounds for this issue. For more information, refer to the vendor's website. An arbitrary script may be executed on the user's web browser.

iNTERSTAGE Application Server Standard Edition is prone to a cross-site scripting vulnerability.

SOLUTION:
The vendor recommends setting error pages for both HTTP status codes 404 and 500 (see vendor advisory for details). The vendor is reportedly working on patches.

PROVIDED AND/OR DISCOVERED BY:
Daiki Fukumori, Secure Sky Technology.

ORIGINAL ADVISORY:
Fujitsu:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html
http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200701.html
http://software.fujitsu.com/jp/security/vulnerabilities/jvn-83832818.html

OTHER REFERENCES:
JVN:
http://jvn.jp/jp/JVN%2383832818/index.html
VAR-200701-0295 CVE-2007-0537 KDE kdelibs Cross-site scripting vulnerability due to title tag CVSS V2: 2.6
CVSS V3: -
Severity: LOW
The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478. As a result, authentication information may be leaked. Konquerer is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data. Exploiting this issue may help the attacker steal cookie-based authentication credentials and launch other attacks. All versions of KDE up to and including KDE 3.5.6 are vulnerable to this issue. Apple Safari web browser is also vulnerable to this issue. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: KHTML: Cross-site scripting (XSS) vulnerability Date: March 10, 2007 Bugs: #165606 ID: 200703-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== The KHTML component shipped with the KDE libraries is prone to a cross-site scripting (XSS) vulnerability. Background ========== KDE is a feature-rich graphical desktop environment for Linux and Unix-like Operating Systems. KHTML is the HTML interpreter used in Konqueror and other parts of KDE. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 kde-base/kdelibs < 3.5.5-r8 >= 3.5.5-r8 Description =========== The KHTML code allows for the execution of JavaScript code located inside the "Title" HTML element, a related issue to the Safari error found by Jose Avila. 
Impact ====== When viewing a HTML page that renders unsanitized attacker-supplied input in the page title, Konqueror and other parts of KDE will execute arbitrary JavaScript code contained in the page title, allowing for the theft of browser session data or cookies. Workaround ========== There is no known workaround at this time. Resolution ========== All KDElibs users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.5.5-r8" References ========== [ 1 ] CVE-2007-0537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537 [ 2 ] CVE-2007-0478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0478 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-10.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-420-1 February 06, 2007 kdelibs vulnerability CVE-2007-0537 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.10 Ubuntu 6.06 LTS Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. 
The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.10: kdelibs4c2 4:3.4.3-0ubuntu2.2 Ubuntu 6.06 LTS: kdelibs4c2a 4:3.5.2-0ubuntu18.2 Ubuntu 6.10: kdelibs4c2a 4:3.5.5-0ubuntu3.1 After a standard system upgrade you need to restart your session to effect the necessary changes. By tricking a Konqueror user into visiting a malicious website, an attacker could bypass cross-site scripting protections. Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3-0ubuntu2.2.diff.gz Size/MD5: 330443 7bf67340aef75bbafe1bf0f517ad0677 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3-0ubuntu2.2.dsc Size/MD5: 1523 9a013d5dc8f7953036af99dd264f9811 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3.orig.tar.gz Size/MD5: 19981388 36e7a8320bd95760b41c4849da170100 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-data_3.4.3-0ubuntu2.2_all.deb Size/MD5: 6970448 a0a541bd78cb848da8aa97ac4b29d0fe http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-doc_3.4.3-0ubuntu2.2_all.deb Size/MD5: 29298458 f04629ca27bafeaa897a86839fc6e645 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3-0ubuntu2.2_all.deb Size/MD5: 30714 8ec392ba5ba0f78e9b12dd9d025019d6 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.4.3-0ubuntu2.2_amd64.deb Size/MD5: 926668 3e7c767a9eeb80d0a85640d7dbfb53d7 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.4.3-0ubuntu2.2_amd64.deb Size/MD5: 1309046 e73c5de672193ac0385a28dd3accf646 http://security.ubuntu.com/ubuntu/pool/universe/k/kdelibs/kdelibs4c2-dbg_3.4.3-0ubuntu2.2_amd64.deb Size/MD5: 22552842 287114119aee64a256f8fce295e9d034 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2_3.4.3-0ubuntu2.2_amd64.deb Size/MD5: 9109026 aa34fe2f02d9772ad8e25bb36e573505 i386 
architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.4.3-0ubuntu2.2_i386.deb Size/MD5: 814498 1eace86f58caf3f936c77e749a45ffc6 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.4.3-0ubuntu2.2_i386.deb Size/MD5: 1305652 0ce209d9c2c5ed846dbb1edc16fe5606 http://security.ubuntu.com/ubuntu/pool/universe/k/kdelibs/kdelibs4c2-dbg_3.4.3-0ubuntu2.2_i386.deb Size/MD5: 19410566 85751508b7f13b790cbda8d795930a72 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2_3.4.3-0ubuntu2.2_i386.deb Size/MD5: 8072650 9caf6a826bb790e309036555f40b9b8d powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.4.3-0ubuntu2.2_powerpc.deb Size/MD5: 909782 0a1cbec28532ca006c7ddcb6990a6e65 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.4.3-0ubuntu2.2_powerpc.deb Size/MD5: 1310430 f31f57e3c37f8c12e586cfa0084dc203 http://security.ubuntu.com/ubuntu/pool/universe/k/kdelibs/kdelibs4c2-dbg_3.4.3-0ubuntu2.2_powerpc.deb Size/MD5: 22763768 b1aba1f6b9ef2c454f2172d442302b49 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2_3.4.3-0ubuntu2.2_powerpc.deb Size/MD5: 8433768 18b2c898ed6d40844c19635d8b85e8a2 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.4.3-0ubuntu2.2_sparc.deb Size/MD5: 831058 158b90fe780e29e6618cf4b7f9f96bc8 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.4.3-0ubuntu2.2_sparc.deb Size/MD5: 1307028 b1c14bf29a7622ac3844c68a652bf21c http://security.ubuntu.com/ubuntu/pool/universe/k/kdelibs/kdelibs4c2-dbg_3.4.3-0ubuntu2.2_sparc.deb Size/MD5: 20031538 f2778deea8ef14eb9b3e90f5ed97ab50 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2_3.4.3-0ubuntu2.2_sparc.deb Size/MD5: 8241130 26c0145f1abb71b0a3ea5a89214df223 Updated packages for Ubuntu 6.06 LTS: Source archives: 
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.2-0ubuntu18.2.diff.gz Size/MD5: 477706 5d236a3b69a4bae7b81d337e58a2c3fe http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.2-0ubuntu18.2.dsc Size/MD5: 1609 0a27d1f21c1374d8abf8ea0dba0abf79 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.2.orig.tar.gz Size/MD5: 18775353 00c878d449522fb8aa2769a4c5ae1fde Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-data_3.5.2-0ubuntu18.2_all.deb Size/MD5: 7083858 f74b97726f683b5eca3798bd8f7ae2a1 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-doc_3.5.2-0ubuntu18.2_all.deb Size/MD5: 41496444 87e2fc31c4dd95cd7d87aeee51dec330 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.2-0ubuntu18.2_all.deb Size/MD5: 35748 636e14773798c30ddf4c0a87b3d5cd39 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.5.2-0ubuntu18.2_amd64.deb Size/MD5: 925624 1ba9b88fc6456c6dac97693532412fde http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.2-0ubuntu18.2_amd64.deb Size/MD5: 26451886 2eaed22c02f68909ebe219629a774dc6 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.2-0ubuntu18.2_amd64.deb Size/MD5: 1355626 1458250a60303a07ad551ce343ae23ec http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.2-0ubuntu18.2_amd64.deb Size/MD5: 9406898 7f952f591c7345216bfc0bb42277875d i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.5.2-0ubuntu18.2_i386.deb Size/MD5: 814970 cc6ae65176411013a8dea78a77151e25 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.2-0ubuntu18.2_i386.deb Size/MD5: 22925204 60d4c71b837e82da16d2b1ad75cbf628 http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.2-0ubuntu18.2_i386.deb Size/MD5: 1352256 1ceee31122ff0fe680fbdbebbd6c8ced 
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.2-0ubuntu18.2_i386.deb
Size/MD5: 8334452 427cd25652287fc52ba2bdbd028c2f33

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.5.2-0ubuntu18.2_powerpc.deb
Size/MD5: 905950 4b29acb4cc1a8fb52ff9bb7b3715b0d3
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.2-0ubuntu18.2_powerpc.deb
Size/MD5: 26718664 f92f6f62ab9b9bbd0da8cb649dbeb132
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.2-0ubuntu18.2_powerpc.deb
Size/MD5: 1356968 a6e62679f09dbafa54137204af905494
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.2-0ubuntu18.2_powerpc.deb
Size/MD5: 8689506 0b3b6f533712eb6a8143827d2b01b015

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.5.2-0ubuntu18.2_sparc.deb
Size/MD5: 827096 17f46503797d14c6be17c7fd890ac843
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.2-0ubuntu18.2_sparc.deb
Size/MD5: 23623320 36aefb75ec36a60d3308392842556130
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.2-0ubuntu18.2_sparc.deb
Size/MD5: 1353298 9627c92acea5abc671668d0b5ecfd744
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.2-0ubuntu18.2_sparc.deb
Size/MD5: 8491558 dd2fe11d276e78bb16bd42bc34452c20

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.5-0ubuntu3.1.diff.gz
Size/MD5: 734200 8d5db0d6c6070468a32841b75a9e0d83
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.5-0ubuntu3.1.dsc
Size/MD5: 1691 7a23f4f003e66e4a4fb90f620a0de347
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.5.orig.tar.gz
Size/MD5: 18926397 65e455d5814142ee992097230ffe7e80

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-data_3.5.5-0ubuntu3.1_all.deb
Size/MD5: 7210528 1e62a8249a44e98da5ba24c1eaa1d4f0
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-doc_3.5.5-0ubuntu3.1_all.deb
Size/MD5: 39981890 5469fd4b98d68f0e01ddb4bd5ba7d904
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.5.5-0ubuntu3.1_all.deb
Size/MD5: 37742 2b1ebdb5648cbd390ecd1fa8d6b2d7e4

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.5-0ubuntu3.1_amd64.deb
Size/MD5: 27050664 b7884e4a85307416811f755e2ed967aa
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.5-0ubuntu3.1_amd64.deb
Size/MD5: 1345432 c2cd5e2b9433e629ae366965b47c30c6
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.5-0ubuntu3.1_amd64.deb
Size/MD5: 10401586 f02e2f09dfd27d09f2a00daaaa6a7969

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.5-0ubuntu3.1_i386.deb
Size/MD5: 26229446 ae021c2a0a95f237a934962a39e13821
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.5-0ubuntu3.1_i386.deb
Size/MD5: 1343076 5e46eaa9d38a6876671efd18ac052ef5
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.5-0ubuntu3.1_i386.deb
Size/MD5: 9555316 4573d9f461ff2a441a13ac744e8f27e5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.5-0ubuntu3.1_powerpc.deb
Size/MD5: 28018226 74bc9b1b1e11817b33e3027213462fa0
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.5-0ubuntu3.1_powerpc.deb
Size/MD5: 1347170 df48d8bc10826c2805d607f4d52eb738
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.5-0ubuntu3.1_powerpc.deb
Size/MD5: 9782346 4d5986ecf7ace1bd5bf275d101f98e03

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-dbg_3.5.5-0ubuntu3.1_sparc.deb
Size/MD5: 25362410 e80c7336df062cac6690d745d91730fc
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.5.5-0ubuntu3.1_sparc.deb
Size/MD5: 1343134 cc62c0d393cacc36a552c304cee9b2a1
http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2a_3.5.5-0ubuntu3.1_sparc.deb
Size/MD5: 9473018 dfff27cb2bcb323d51d4b16e11453d49

Also affects kdelibs 3.5.6, as per KDE official advisory. Updated packages have been patched to prevent this.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
290249d063eb99aa0267060e28bd3d63 2007.1/i586/kdelibs-common-3.5.6-11.1mdv2007.1.i586.rpm
0392bf166e2b95b8274f67e24066dc8a 2007.1/i586/kdelibs-devel-doc-3.5.6-11.1mdv2007.1.i586.rpm
06107eb81ff8b184812f7a8ae31b52b9 2007.1/i586/libkdecore4-3.5.6-11.1mdv2007.1.i586.rpm
ffb71260989867bcec7d7fae45b86b5a 2007.1/i586/libkdecore4-devel-3.5.6-11.1mdv2007.1.i586.rpm
2f2938b43f88a2a197e6cc90b35c63b8 2007.1/SRPMS/kdelibs-3.5.6-11.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
258cf38cce814a12a44c79c283de7c3d 2007.1/x86_64/kdelibs-common-3.5.6-11.1mdv2007.1.x86_64.rpm
70b9d63ac375ba65fb6c6b526dfe80f0 2007.1/x86_64/kdelibs-devel-doc-3.5.6-11.1mdv2007.1.x86_64.rpm
ee0681c70efd4cebb72a23b773d56f09 2007.1/x86_64/lib64kdecore4-3.5.6-11.1mdv2007.1.x86_64.rpm
664da181e64ab3f343b265cac6de0e87 2007.1/x86_64/lib64kdecore4-devel-3.5.6-11.1mdv2007.1.x86_64.rpm
2f2938b43f88a2a197e6cc90b35c63b8 2007.1/SRPMS/kdelibs-3.5.6-11.1mdv2007.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
VAR-200701-0407 CVE-2007-0478 WebCore, as used in Safari, vulnerable to cross-site scripting attacks CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
WebCore on Apple Mac OS X 10.3.9 and 10.4.10, as used in Safari, does not properly parse HTML comments in TITLE elements, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment.

Konqueror is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data. Exploiting this issue may help the attacker steal cookie-based authentication credentials and launch other attacks. All versions of KDE up to and including KDE 3.5.6 are vulnerable to this issue. The Apple Safari web browser is also vulnerable to this issue.

Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including CFNetwork, CoreAudio, iChat, mDNSResponder, PDFKit, Quartz Composer, Samba, and WebCore. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.

----------------------------------------------------------------------

TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26235

VERIFY ADVISORY:
http://secunia.com/advisories/26235/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error within the handling of FTP URIs in CFNetwork can be exploited to run arbitrary FTP commands in the context of the user's FTP client, when a user is enticed to click on a specially crafted FTP URI.

2) An input validation error can cause applications using CFNetwork to become vulnerable to HTTP response splitting attacks.

3) A design error exists in the Java interface to CoreAudio, which can be exploited to free arbitrary memory, when a user is enticed to visit a web site containing a specially crafted Java applet.

4) An unspecified error exists in the Java interface to CoreAudio, which can be exploited to read or write out of bounds of the allocated heap by enticing a user to visit a web site containing a specially crafted Java applet.

5) An unspecified error exists in the Java interface to CoreAudio, which can be exploited to instantiate or manipulate objects outside the bounds of the allocated heap, when a user is enticed to visit a web site containing a specially crafted Java applet.

Successful exploitation of vulnerabilities #3 to #5 may allow arbitrary code execution.
For more information:
SA13237

7) A boundary error within the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code in iChat can be exploited on the local network to crash the application or to execute arbitrary code, by sending a specially crafted packet.

8) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system.

For more information:
SA25800

9) An error within the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code in mDNSResponder can be exploited on the local network to crash the application or to execute arbitrary code, by sending a specially crafted packet.

10) An integer underflow exists in PDFKit within the handling of PDF files in Preview and may be exploited to execute arbitrary code when a user opens a specially crafted PDF file.

11) Multiple vulnerabilities exist in PHP, which can be exploited to disclose potentially sensitive information, to cause a DoS (Denial of Service), to bypass certain security restrictions, to conduct cross-site scripting attacks, or to compromise a vulnerable system.

For more information:
SA24814
SA24356
SA24440
SA24505
SA24542
SA25123

12) An error exists in Quartz Composer due to an uninitialized object pointer when handling Quartz Composer files and may be exploited to execute arbitrary code when a specially crafted Quartz Composer file is viewed.

13) Some vulnerabilities exist in Samba, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA25232

14) An unspecified error in Samba can be exploited to bypass file system quotas.

15) Some vulnerabilities in Squirrelmail can be exploited by malicious people to disclose and manipulate certain sensitive information or to conduct cross-site scripting, cross-site request forgery, and script insertion attacks.
For more information:
SA16987
SA20406
SA21354
SA23195
SA25200

16) Some vulnerabilities in Apache Tomcat can be exploited by malicious people to conduct cross-site scripting attacks or to bypass certain security restrictions.

For more information:
SA24732
SA25383
SA25721

17) An error in WebCore can be exploited to load Java applets even when Java is disabled in the preferences.

18) An error in WebCore can be exploited to conduct cross-site scripting attacks.

For more information see vulnerability #1 in:
SA23893

19) An error in WebCore can be exploited by malicious people to gain knowledge of sensitive information.

For more information see vulnerability #2 in:
SA23893

20) An error in WebCore when handling properties of certain global objects can be exploited to conduct cross-site scripting attacks when navigating to a new URL with Safari.

21) An error in WebKit within the handling of International Domain Name (IDN) support and Unicode fonts embedded in Safari can be exploited to spoof a URL.

This is similar to:
SA14164

22) A boundary error in the Perl Compatible Regular Expressions (PCRE) library in WebKit, as used by the JavaScript engine in Safari, can be exploited to cause a heap-based buffer overflow when a user visits a malicious web page.

23) Input validation errors exist in bzgrep and zgrep.

For more information:
SA15047

SOLUTION:
Apply Security Update 2007-007.
Security Update 2007-007 (10.4.10 Server Universal):
http://www.apple.com/support/downloads/securityupdate200700710410serveruniversal.html

Security Update 2007-007 (10.4.10 Universal):
http://www.apple.com/support/downloads/securityupdate200700710410universal.html

Security Update 2007-007 (10.4.10 Server PPC):
http://www.apple.com/support/downloads/securityupdate200700710410serverppc.html

Security Update 2007-007 (10.4.10 PPC):
http://www.apple.com/support/downloads/securityupdate200700710410ppc.html

Security Update 2007-007 (10.3.9 Server):
http://www.apple.com/support/downloads/securityupdate20070071039server.html

Security Update 2007-007 (10.3.9):
http://www.apple.com/support/downloads/securityupdate20070071039.html

PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Kramer, sprintteam.nl.
14) The vendor credits Mike Matz, Wyomissing Area School District.
17) The vendor credits Scott Wilde.
19) Secunia Research
22) The vendor credits Charlie Miller and Jake Honoroff of Independent Security Evaluators.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=306172

OTHER REFERENCES:
SA13237:
http://secunia.com/advisories/13237/

SA15047:
http://secunia.com/advisories/15047/

SA16987:
http://secunia.com/advisories/16987/

SA20406:
http://secunia.com/advisories/20406/

SA21354:
http://secunia.com/advisories/21354/

SA22588:
http://secunia.com/advisories/22588/

SA23195:
http://secunia.com/advisories/23195/

SA23893:
http://secunia.com/advisories/23893/

SA24814:
http://secunia.com/advisories/24814/

SA24356:
http://secunia.com/advisories/24356/

SA24440:
http://secunia.com/advisories/24440/

SA24505:
http://secunia.com/advisories/24505/

SA24542:
http://secunia.com/advisories/24542/

SA24732:
http://secunia.com/advisories/24732/

SA25800:
http://secunia.com/advisories/25800/

SA25123:
http://secunia.com/advisories/25123/

SA25200:
http://secunia.com/advisories/25200/

SA25232:
http://secunia.com/advisories/25232/

SA25383:
http://secunia.com/advisories/25383/

SA25721:
http://secunia.com/advisories/25721/

----------------------------------------------------------------------
----------------------------------------------------------------------

TITLE:
Safari HTML Parsing Weakness

SECUNIA ADVISORY ID:
SA23893

VERIFY ADVISORY:
http://secunia.com/advisories/23893/

CRITICAL:
Not critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Safari 2.x
http://secunia.com/product/5289/

DESCRIPTION:
Jose Avila III has discovered a weakness in Safari, which can potentially be exploited by malicious people to conduct cross-site scripting attacks.

The weakness is caused by an error in the parsing of comments within certain tags of an HTML document. Arbitrary HTML and script code in a comment tag is executed in a user's browser session when preceded by the corresponding closing tag (e.g. the title tag).

Successful exploitation is possible on web sites that allow users to insert unsanitised HTML and script code within a comment into such a tag.

The weakness is confirmed in Safari 2.0.4. Other versions may also be affected.

SOLUTION:
Do not browse untrusted sites.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200703-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: KHTML: Cross-site scripting (XSS) vulnerability
      Date: March 10, 2007
      Bugs: #165606
        ID: 200703-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The KHTML component shipped with the KDE libraries is prone to a cross-site scripting (XSS) vulnerability.

Background
==========

KDE is a feature-rich graphical desktop environment for Linux and Unix-like Operating Systems.
KHTML is the HTML interpreter used in Konqueror and other parts of KDE.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  kde-base/kdelibs          < 3.5.5-r8                   >= 3.5.5-r8

Description
===========

The KHTML code allows for the execution of JavaScript code located inside the "Title" HTML element, a related issue to the Safari error found by Jose Avila.

Impact
======

When viewing an HTML page that renders unsanitized attacker-supplied input in the page title, Konqueror and other parts of KDE will execute arbitrary JavaScript code contained in the page title, allowing for the theft of browser session data or cookies.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KDElibs users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.5.5-r8"

References
==========

  [ 1 ] CVE-2007-0537
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
  [ 2 ] CVE-2007-0478
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0478

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
7882590402c82ff347205c176380153e 2007.0/i586/kdelibs-common-3.5.4-19.2mdv2007.0.i586.rpm
01c4eb64ef06a8a8759843be0c07a920 2007.0/i586/kdelibs-devel-doc-3.5.4-19.2mdv2007.0.i586.rpm
e63e9a2d3a07d3f2cfa20e495a5b1010 2007.0/i586/libkdecore4-3.5.4-19.2mdv2007.0.i586.rpm
1ad276143d78de84b08606a815eecda9 2007.0/i586/libkdecore4-devel-3.5.4-19.2mdv2007.0.i586.rpm
34ee09ad1644f5685f6ebb6e7e214939 2007.0/SRPMS/kdelibs-3.5.4-19.2mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
081d768881b4f012e75854738189327d 2007.0/x86_64/kdelibs-common-3.5.4-19.2mdv2007.0.x86_64.rpm
051e3625e87627e52c47590961523b51 2007.0/x86_64/kdelibs-devel-doc-3.5.4-19.2mdv2007.0.x86_64.rpm
6a2b0171144925bd21073553816f33b1 2007.0/x86_64/lib64kdecore4-3.5.4-19.2mdv2007.0.x86_64.rpm
ae2202556fccf0bb820ed3e8401825ec 2007.0/x86_64/lib64kdecore4-devel-3.5.4-19.2mdv2007.0.x86_64.rpm
34ee09ad1644f5685f6ebb6e7e214939 2007.0/SRPMS/kdelibs-3.5.4-19.2mdv2007.0.src.rpm

Corporate 3.0:
6afd1be3e42d77e131e44f9ed969c80e corporate/3.0/i586/kdelibs-common-3.2-36.17.C30mdk.i586.rpm
c00a10231de66159fecb2106e56ec1ca corporate/3.0/i586/libkdecore4-3.2-36.17.C30mdk.i586.rpm
733852a68f994ace4eb35017342443fb corporate/3.0/i586/libkdecore4-devel-3.2-36.17.C30mdk.i586.rpm
4d4c9fee93b93f2c76f5092ff5ef23f3 corporate/3.0/SRPMS/kdelibs-3.2-36.17.C30mdk.src.rpm

Corporate 3.0/X86_64:
418170a92387d41c49f3d32c91c97c9b corporate/3.0/x86_64/kdelibs-common-3.2-36.17.C30mdk.x86_64.rpm
590e047f677eb717c40a9e2fd77590e8 corporate/3.0/x86_64/lib64kdecore4-3.2-36.17.C30mdk.x86_64.rpm
ec04fe80ee4a983e1ad98f54d75681af corporate/3.0/x86_64/lib64kdecore4-devel-3.2-36.17.C30mdk.x86_64.rpm
4d4c9fee93b93f2c76f5092ff5ef23f3 corporate/3.0/SRPMS/kdelibs-3.2-36.17.C30mdk.src.rpm

Corporate 4.0:
2dc94e4e225b74d3f2e283b04c836273 corporate/4.0/i586/kdelibs-arts-3.5.4-2.3.20060mlcs4.i586.rpm
826d76e2f3d50f48513ed18c4360dd67 corporate/4.0/i586/kdelibs-common-3.5.4-2.3.20060mlcs4.i586.rpm
f7dad3711d9406d1123428f2c0cd9453 corporate/4.0/i586/kdelibs-devel-doc-3.5.4-2.3.20060mlcs4.i586.rpm
88f0164705a9d71f21c3c4edfe7822b2 corporate/4.0/i586/libkdecore4-3.5.4-2.3.20060mlcs4.i586.rpm
e00f9222203a3c51a747a694e3ab32c7 corporate/4.0/i586/libkdecore4-devel-3.5.4-2.3.20060mlcs4.i586.rpm
79690e9ab56836b4adc7a4d59bb872db corporate/4.0/SRPMS/kdelibs-3.5.4-2.3.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
88d9b2f945bd62aa89b5f7743320cc0a corporate/4.0/x86_64/kdelibs-arts-3.5.4-2.3.20060mlcs4.x86_64.rpm
c1e462eaeb2127939d0d3775fb7a04a4 corporate/4.0/x86_64/kdelibs-common-3.5.4-2.3.20060mlcs4.x86_64.rpm
a559376fde6f8513904010fc377293e7 corporate/4.0/x86_64/kdelibs-devel-doc-3.5.4-2.3.20060mlcs4.x86_64.rpm
d97e4c4dd9859b6e43f3399e3e2c5fa1 corporate/4.0/x86_64/lib64kdecore4-3.5.4-2.3.20060mlcs4.x86_64.rpm
f3e43bca041aeca542bba33a0bac1d43 corporate/4.0/x86_64/lib64kdecore4-devel-3.5.4-2.3.20060mlcs4.x86_64.rpm
79690e9ab56836b4adc7a4d59bb872db corporate/4.0/SRPMS/kdelibs-3.5.4-2.3.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
VAR-200708-0459 CVE-2007-3747 Arbitrary code execution vulnerability in the Java interface to CoreAudio CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The Java interface to CoreAudio on Apple Mac OS X 10.3.9 and 10.4.10 does not restrict object instantiation and manipulation to valid heap addresses, which allows remote attackers to execute arbitrary code via a crafted applet.

Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including CFNetwork, CoreAudio, iChat, mDNSResponder, PDFKit, Quartz Composer, Samba, and WebCore. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.

Secunia advisory SA26235, "Mac OS X Security Update Fixes Multiple Vulnerabilities" (http://secunia.com/advisories/26235/), lists this issue as item 5 (an unspecified error in the Java interface to CoreAudio that allows objects to be instantiated or manipulated outside the bounds of the allocated heap); the solution is to apply Security Update 2007-007. The full advisory text is reproduced in the CVE-2007-0478 entry above.
VAR-200708-0468 CVE-2007-2410 WebCore Vulnerable to cross-site scripting attacks CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
WebCore on Apple Mac OS X 10.3.9 and 10.4.10 retains properties of certain global objects when a new URL is visited in the same window, which allows remote attackers to conduct cross-site scripting (XSS) attacks.

Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including CFNetwork, CoreAudio, iChat, mDNSResponder, PDFKit, Quartz Composer, Samba, and WebCore. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.

Secunia advisory SA26235, "Mac OS X Security Update Fixes Multiple Vulnerabilities" (http://secunia.com/advisories/26235/), lists this issue as item 20 (an error in WebCore when handling properties of certain global objects, exploitable for cross-site scripting when navigating to a new URL with Safari); the solution is to apply Security Update 2007-007. The full advisory text is reproduced in the CVE-2007-0478 entry above.
ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=306172 OTHER REFERENCES: SA13237: http://secunia.com/advisories/13237/ SA15047: http://secunia.com/advisories/15047/ SA16987: http://secunia.com/advisories/16987/ SA20406: http://secunia.com/advisories/20406/ SA21354: http://secunia.com/advisories/21354/ SA22588: http://secunia.com/advisories/22588/ SA23195: http://secunia.com/advisories/23195/ SA23893: http://secunia.com/advisories/23893/ SA24814: http://secunia.com/advisories/24814/ SA24356: http://secunia.com/advisories/24356/ SA24440: http://secunia.com/advisories/24440/ SA24505: http://secunia.com/advisories/24505/ SA24542: http://secunia.com/advisories/24542/ SA24732: http://secunia.com/advisories/24732/ SA25800: http://secunia.com/advisories/25800/ SA25123: http://secunia.com/advisories/25123/ SA25200: http://secunia.com/advisories/25200/ SA25232: http://secunia.com/advisories/25232/ SA25383: http://secunia.com/advisories/25383/ SA25721: http://secunia.com/advisories/25721/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200708-0464 CVE-2007-2406 Quartz Composer Vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Quartz Composer on Apple Mac OS X 10.4.10 does not initialize a certain object pointer, which might allow user-assisted remote attackers to execute arbitrary code via a crafted Quartz Composer file. Apple Mac OS X is prone to multiple security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.

----------------------------------------------------------------------
TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26235

VERIFY ADVISORY:
http://secunia.com/advisories/26235/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/

DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error within the handling of FTP URIs in CFNetwork can be exploited to run arbitrary FTP commands in the context of the user's FTP client when a user is enticed to click on a specially crafted FTP URI.

2) An input validation error can cause applications using CFNetwork to become vulnerable to HTTP response splitting attacks.

3) A design error exists in the Java interface to CoreAudio, which can be exploited to free arbitrary memory when a user is enticed to visit a web site containing a specially crafted Java applet.

4) An unspecified error exists in the Java interface to CoreAudio, which can be exploited to read or write out of bounds of the allocated heap by enticing a user to visit a web site containing a specially crafted Java applet.

5) An unspecified error exists in the Java interface to CoreAudio, which can be exploited to instantiate or manipulate objects outside the bounds of the allocated heap when a user is enticed to visit a web site containing a specially crafted Java applet.

Successful exploitation of vulnerabilities #3 to #5 may allow arbitrary code execution.

For more information:
SA13237

7) A boundary error within the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code in iChat can be exploited on the local network to crash the application or to execute arbitrary code by sending a specially crafted packet.

8) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system.

For more information:
SA25800

9) An error within the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code in mDNSResponder can be exploited on the local network to crash the application or to execute arbitrary code by sending a specially crafted packet.

10) An integer underflow exists in PDFKit within the handling of PDF files in Preview and may be exploited to execute arbitrary code when a user opens a specially crafted PDF file.

11) Multiple vulnerabilities exist in PHP, which can be exploited to disclose potentially sensitive information, to cause a DoS (Denial of Service), to bypass certain security restrictions, to conduct cross-site scripting attacks, or to compromise a vulnerable system.

For more information:
SA24814
SA24356
SA24440
SA24505
SA24542
SA25123

12) An error exists in Quartz Composer due to an uninitialized object pointer when handling Quartz Composer files and may be exploited to execute arbitrary code when a specially crafted Quartz Composer file is viewed.

13) Some vulnerabilities exist in Samba, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA25232

14) An unspecified error in Samba can be exploited to bypass file system quotas.

15) Some vulnerabilities in SquirrelMail can be exploited by malicious people to disclose and manipulate certain sensitive information or to conduct cross-site scripting, cross-site request forgery, and script insertion attacks.

For more information:
SA16987
SA20406
SA21354
SA23195
SA25200

16) Some vulnerabilities in Apache Tomcat can be exploited by malicious people to conduct cross-site scripting attacks or to bypass certain security restrictions.

For more information:
SA24732
SA25383
SA25721

17) An error in WebCore can be exploited to load Java applets even when Java is disabled in the preferences.

18) An error in WebCore can be exploited to conduct cross-site scripting attacks.

For more information see vulnerability #1 in:
SA23893

19) An error in WebCore can be exploited by malicious people to gain knowledge of sensitive information.

For more information see vulnerability #2 in:
SA23893

20) An error in WebCore when handling properties of certain global objects can be exploited to conduct cross-site scripting attacks when navigating to a new URL with Safari.

21) An error in WebKit within the handling of International Domain Name (IDN) support and Unicode fonts embedded in Safari can be exploited to spoof a URL.

This is similar to:
SA14164

22) A boundary error in the Perl Compatible Regular Expressions (PCRE) library in WebKit, used by the JavaScript engine in Safari, can be exploited to cause a heap-based buffer overflow when a user visits a malicious web page.

23) Input validation errors exist in bzgrep and zgrep.

For more information:
SA15047

SOLUTION:
Apply Security Update 2007-007.

Security Update 2007-007 (10.4.10 Server Universal):
http://www.apple.com/support/downloads/securityupdate200700710410serveruniversal.html

Security Update 2007-007 (10.4.10 Universal):
http://www.apple.com/support/downloads/securityupdate200700710410universal.html

Security Update 2007-007 (10.4.10 Server PPC):
http://www.apple.com/support/downloads/securityupdate200700710410serverppc.html

Security Update 2007-007 (10.4.10 PPC):
http://www.apple.com/support/downloads/securityupdate200700710410ppc.html

Security Update 2007-007 (10.3.9 Server):
http://www.apple.com/support/downloads/securityupdate20070071039server.html

Security Update 2007-007 (10.3.9):
http://www.apple.com/support/downloads/securityupdate20070071039.html

PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Kramer, sprintteam.nl.
14) The vendor credits Mike Matz, Wyomissing Area School District.
17) The vendor credits Scott Wilde.
19) Secunia Research
22) The vendor credits Charlie Miller and Jake Honoroff of Independent Security Evaluators.

ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=306172

OTHER REFERENCES:
SA13237:
http://secunia.com/advisories/13237/

SA15047:
http://secunia.com/advisories/15047/

SA16987:
http://secunia.com/advisories/16987/

SA20406:
http://secunia.com/advisories/20406/

SA21354:
http://secunia.com/advisories/21354/

SA22588:
http://secunia.com/advisories/22588/

SA23195:
http://secunia.com/advisories/23195/

SA23893:
http://secunia.com/advisories/23893/

SA24814:
http://secunia.com/advisories/24814/

SA24356:
http://secunia.com/advisories/24356/

SA24440:
http://secunia.com/advisories/24440/

SA24505:
http://secunia.com/advisories/24505/

SA24542:
http://secunia.com/advisories/24542/

SA24732:
http://secunia.com/advisories/24732/

SA25800:
http://secunia.com/advisories/25800/

SA25123:
http://secunia.com/advisories/25123/

SA25200:
http://secunia.com/advisories/25200/

SA25232:
http://secunia.com/advisories/25232/

SA25383:
http://secunia.com/advisories/25383/

SA25721:
http://secunia.com/advisories/25721/
----------------------------------------------------------------------