VARIoT IoT vulnerabilities database

VAR-200603-0282 CVE-2006-0397 Apple Safari WebKit component vulnerable to buffer overflow CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Apple Safari WebKit component is vulnerable to buffer overflow. This may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Apple Mail contains a vulnerability that may allow an attacker to execute arbitrary commands on OS X Leopard (10.5) systems. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of automatic opening of downloaded files. Safari's default configuration allows files to be automatically opened after downloading a safe file.
TITLE: Apple Mail Command Execution Vulnerability
SECUNIA ADVISORY ID: SA27785
VERIFY ADVISORY: http://secunia.com/advisories/27785/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/
DESCRIPTION: A vulnerability has been reported in Apple Mail, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the handling of unsafe file types in email attachments. This can be exploited via a specially crafted email containing an attachment of an ostensibly safe file type (e.g. ".jpg") to execute arbitrary shell commands when the attachment is double-clicked.
SOLUTION: Do not open attachments from untrusted sources.
ORIGINAL ADVISORY: http://www.heise-security.co.uk/news/99257
OTHER REFERENCES: SA19064: http://secunia.com/advisories/19064/
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
National Cyber Alert System
Technical Cyber Security Alert TA06-062A
Apple Mac Products are Affected by Multiple Vulnerabilities
Original release date: March 3, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 (Panther) and version 10.4.5 (Tiger)
* Apple Mac OS X Server version 10.3.9 and version 10.4.5
* Apple Safari web browser
Previous versions of Mac OS X may also be affected. Please see Apple Security Update 2006-001 for further information.
Impacts of other vulnerabilities include bypassing security restrictions and denial of service.
I. (CVE-2006-0387) Please note that Apple Security Update 2006-001 addresses additional vulnerabilities not described above. As further information becomes available, we will publish individual Vulnerability Notes. In addition, more information about VU#999708 is available in US-CERT Technical Cyber Security Alert TA06-053A.
II. Impact
The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes.
III. Solution
Install an update
Install the update as described in Apple Security Update 2006-001. In addition, this update is available via Apple Update.
Appendix A. References
* US-CERT Vulnerability Note VU#999708 - <http://www.kb.cert.org/vuls/id/999708>
* US-CERT Vulnerability Note VU#351217 - <http://www.kb.cert.org/vuls/id/351217>
* US-CERT Vulnerability Note VU#176732 - <http://www.kb.cert.org/vuls/id/176732>
* US-CERT Technical Cyber Security Alert TA06-053A - <http://www.us-cert.gov/cas/techalerts/TA06-053A.html>
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/#Safari>
* Apple Security Update 2006-001 - <http://docs.info.apple.com/article.html?artnum=303382>
* Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>
The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-062A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-062A Feedback VU#351217" in the subject.
For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
Produced 2006 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>
Revision History
March 3, 2006: Initial release
VAR-200603-0270 CVE-2006-0399 Apple Safari automatically executes arbitrary shell commands or code CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Apple Safari fails to properly determine file safety, allowing a remote unauthenticated attacker to execute arbitrary commands or code. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. There is an issue in Safari's handling of automatic opening of downloaded files. Due to this default configuration and inconsistencies in Safari and OS X's security files, Safari may execute arbitrary shell commands if a specially crafted page is viewed.
TITLE: Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
SECUNIA ADVISORY ID: SA18963
VERIFY ADVISORY: http://secunia.com/advisories/18963/
CRITICAL: Extremely critical
IMPACT: System access
WHERE: From remote
OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/
DESCRIPTION: Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives. This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive. This can also be exploited automatically via the Safari browser when visiting a malicious web site. Secunia has constructed a test, which can be used to check if your system is affected by this issue: http://secunia.com/mac_os_x_command_execution_vulnerability_test/ The vulnerability has been confirmed on a fully patched system with Safari 2.0.3 (417.8) and Mac OS X 10.4.5.
SOLUTION: The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari. Do not open files in ZIP archives originating from untrusted sources.
PROVIDED AND/OR DISCOVERED BY: Michael Lehn
VAR-200602-0446 CVE-2006-0848 Apple Safari WebKit component vulnerable to buffer overflow CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension. Apple Safari WebKit component is vulnerable to buffer overflow. Safari, the Mac OS X web browser, contains an arbitrary code execution vulnerability in its default configuration. In the default settings, Safari refers to the file type defined in the resource fork, and if the file type is an image, video or compressed file, the file is treated as a "safe" file and processed automatically. As a result, a crafted file may be treated as a "safe" file and arbitrary code may be executed. Exploit code that exploits this vulnerability has already been published. A remote third party could execute arbitrary code with the privileges of the logged-in user. If a user is logged in with an account with administrator privileges, the resulting vulnerable system could be completely controlled. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of automatic opening of downloaded files.
TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA19064
VERIFY ADVISORY: http://secunia.com/advisories/19064/
CRITICAL: Extremely critical
IMPACT: Security Bypass, Cross Site Scripting, Privilege escalation, DoS, System access
WHERE: From remote
OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/
DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) Various security issues exist in the PHP Apache module and scripting environment. For more information: SA17371
2) An error in automount makes it possible for malicious file servers to cause a vulnerable system to mount file systems with reserved names, which can cause a DoS (Denial of Service) or potentially allow arbitrary code execution.
3) An input validation error in the BOM framework when unpacking certain archives can be exploited to cause files to be unpacked to arbitrary locations via directory traversal attacks.
4) The "passwd" program creates temporary files insecurely, which can be exploited via symlink attacks to create or overwrite arbitrary files with "root" privileges.
5) User directories are insecurely mounted when a FileVault image is created, which may allow unauthorised access to files.
6) An error in IPSec when handling certain error conditions can be exploited to cause a DoS against VPN connections.
7) An error in the LibSystem component can be exploited by malicious people to cause a heap-based buffer overflow via applications when requesting large amounts of memory.
8) The "Download Validation" in the Mail component fails to warn users about unsafe file types when an e-mail attachment is double-clicked.
9) In certain cases a Perl program may fail to drop privileges. For more information: SA17922
10) A boundary error in rsync can be exploited by authenticated users to cause a heap-based buffer overflow when it's allowed to transfer extended attributes.
11) A boundary error in WebKit's handling of certain HTML can be exploited to cause a heap-based buffer overflow.
12) A boundary error in Safari when parsing JavaScript can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code when a malicious web page including specially crafted JavaScript is viewed.
13) An error in Safari's security model when handling HTTP redirection can be exploited to execute JavaScript in the local domain via a specially crafted web site.
This vulnerability is related to: SA18963
15) An input validation error in the Syndication (Safari RSS) component can be exploited to conduct cross-site scripting attacks when subscribing to malicious RSS content.
SOLUTION: Apply Security Update 2006-001.
4) Vade 79 (the vendor also credits Ilja van Sprundel and iDEFENSE).
6) The vendor credits OUSPG from the University of Oulu, NISCC, and CERT-FI.
7) The vendor credits Neil Archibald, Suresec LTD.
10) The vendor credits Jan-Derk Bakker.
11) The vendor credits Suresec LTD.
ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303382 Vade79: http://fakehalo.us/xosx-passwd.pl
OTHER REFERENCES: SA18963: http://secunia.com/advisories/18963/ SA17922: http://secunia.com/advisories/17922/ SA17371: http://secunia.com/advisories/17371/
VAR-200602-0353 CVE-2006-0805 PHPNuke Security bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters. The CAPTCHA implementation of PHPNuke may be bypassed by remote attackers due to a design error. This may be used to carry out other attacks such as brute-force attempts against the login page.
TITLE: PHP-Nuke CAPTCHA Bypass Weakness
SECUNIA ADVISORY ID: SA18936
VERIFY ADVISORY: http://secunia.com/advisories/18936/
CRITICAL: Not critical
IMPACT: Security Bypass
WHERE: From remote
SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ PHP-Nuke 6.x http://secunia.com/product/329/
DESCRIPTION: Janek Vind "waraxe" has reported a weakness in PHP-Nuke, which can be exploited by malicious people to bypass certain security restrictions. A design error in the CAPTCHA security feature, which relies only on the "sitekey", the User-Agent HTTP header, a random number, and the current date to generate the response code can be exploited to bypass the security feature by replaying any random number and response code pair for the current day. The weakness has been reported in versions 6.0 through 7.9.
SOLUTION: Do not rely on the CAPTCHA feature to prevent automated logons to PHP-Nuke.
PROVIDED AND/OR DISCOVERED BY: Janek Vind "waraxe"
ORIGINAL ADVISORY: http://www.waraxe.us/advisory-45.html
VAR-200602-0404 CVE-2006-0839 Snort Frag3 Processor Packet Fragment Avoidance Detection Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The frag3 preprocessor in Sourcefire Snort 2.4.3 does not properly reassemble certain fragmented packets with IP options, which allows remote attackers to evade detection of certain attacks, possibly related to IP option lengths. Snort is reportedly prone to a vulnerability that may allow malicious packets to bypass detection. Reports indicate that the Frag3 preprocessor fails to properly analyze certain packets. A successful attack can allow attackers to bypass intrusion detection and to carry out attacks against computers protected by Snort. This vulnerability affects Snort 2.4.3. Other versions may be vulnerable as well.
TITLE: Snort frag3 Preprocessor Packet Reassembly Vulnerability
SECUNIA ADVISORY ID: SA18959
VERIFY ADVISORY: http://secunia.com/advisories/18959/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
SOFTWARE: Snort 2.4.x http://secunia.com/product/5691/
DESCRIPTION: siouxsie has reported a vulnerability in Snort, which potentially can be exploited by malicious people to bypass certain security restrictions. The vulnerability has been reported in version 2.4.3.
SOLUTION: Filter potentially malicious fragmented IP packets with a firewall.
PROVIDED AND/OR DISCOVERED BY: siouxsie
VAR-200602-0337 CVE-2006-0789 Kyocera Vulnerability to access management menu in printer CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Certain unspecified Kyocera printers have a default "admin" account with a blank password, which allows remote attackers to access an administrative menu via a telnet session. Kyocera printers contain a vulnerability that allows access to the administration menu. A third party may access the administration menu. FS-3830N is prone to a remote security vulnerability.
TITLE: Kyocera FS-3830N Configuration Modification Security Issue
SECUNIA ADVISORY ID: SA18896
VERIFY ADVISORY: http://secunia.com/advisories/18896/
CRITICAL: Less critical
IMPACT: Manipulation of data, Exposure of system information
WHERE: From local network
OPERATING SYSTEM: Kyocera FS-3830N http://secunia.com/product/8101/
DESCRIPTION: evader has reported a security issue in Kyocera FS-3830N Printer, which can be exploited by malicious people to gain knowledge of or potentially to modify certain system information. The security issue is caused due to the printer allowing access to certain configuration settings without requiring prior authentication via a request sent to port 9100/tcp. This may be exploited to disclose and modify the configured settings.
SOLUTION: Restrict access to the printer.
PROVIDED AND/OR DISCOVERED BY: evader
ORIGINAL ADVISORY: http://evader.wordpress.com/2006/02/16/kyocera-printers/
VAR-200602-0272 CVE-2006-0788 Kyocera 3830 Printer Unauthorized Access Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Kyocera 3830 (aka FS-3830N) printers have a back door that allows remote attackers to read and alter configuration settings via strings that begin with "!R!SIOP0", as demonstrated using (1) a connection to TCP port 9100 or (2) the UNIX lp command. Kyocera 3830 printer is prone to an unauthorized access vulnerability. This issue is due to a failure in the application to perform proper authentication before granting access to printer functions. An attacker can exploit this issue to set arbitrary printer configuration settings. The impact of successful exploitation will vary depending on the settings reconfigured.
TITLE: Kyocera FS-3830N Configuration Modification Security Issue
SECUNIA ADVISORY ID: SA18896
VERIFY ADVISORY: http://secunia.com/advisories/18896/
CRITICAL: Less critical
IMPACT: Manipulation of data, Exposure of system information
WHERE: From local network
OPERATING SYSTEM: Kyocera FS-3830N http://secunia.com/product/8101/
DESCRIPTION: evader has reported a security issue in Kyocera FS-3830N Printer, which can be exploited by malicious people to gain knowledge of or potentially to modify certain system information. This may be exploited to disclose and modify the configured settings. Note: It has also been reported that other network-enabled Kyocera printers have a default username "admin" and blank password for the telnet configuration port.
PROVIDED AND/OR DISCOVERED BY: evader
ORIGINAL ADVISORY: http://evader.wordpress.com/2006/02/16/kyocera-printers/
VAR-200602-0268 CVE-2006-0784 D-Link DWL-G700AP httpd Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
D-Link DWL-G700AP with firmware 2.00 and 2.01 allows remote attackers to cause a denial of service (CAMEO HTTP service crash) via a request composed of "GET" followed by a space and two newlines, possibly triggering the crash due to missing arguments. D-Link DWL-G700AP is a wireless access router. D-Link DWL-G700AP's HTTP management interface implementation has a vulnerability. A remote attacker could use this vulnerability to cause the HTTP server to become unresponsive. To configure the DWL-G700AP, you must go through the HTTP service, which is provided by an httpd named CAMEO. A denial of service vulnerability exists in this webserver. An attacker can crash the service just by sending a "GET \n\n" string. D-Link DWL-G700AP HTTPD is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the 'httpd' service to properly handle malformed data. An attacker can exploit this issue to crash the affected webserver, effectively denying service to legitimate users. The affected device must be manually reset to restart the affected service. This issue is reported to affect firmware versions 2.00 and 2.01; other firmware versions may also be vulnerable.
TITLE: DWL-G700AP Web Interface Denial of Service
SECUNIA ADVISORY ID: SA18932
VERIFY ADVISORY: http://secunia.com/advisories/18932/
CRITICAL: Less critical
IMPACT: DoS
WHERE: From local network
OPERATING SYSTEM: D-Link DWL-G700AP http://secunia.com/product/8121/
DESCRIPTION: l0om has reported a vulnerability in D-Link DWL-G700AP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the web-based management interface and can be exploited to crash the service via a malformed HTTP request with no resource specified.
SOLUTION: Restrict access to the web interface.
PROVIDED AND/OR DISCOVERED BY: l0om
VAR-200602-0274 CVE-2006-0679 PHP-Nuke Your_Account Module remote SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in index.php in the Your_Account module in PHP-Nuke 7.8 and earlier allows remote attackers to execute arbitrary SQL commands via the username variable (Nickname field). PHPNuke is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. Successful exploitation could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. PHP-Nuke is a popular website creation and management tool that can use many database systems as a backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. There is an input validation vulnerability in the implementation of the Your_Account module of PHP-Nuke. The Your_Account module of PHP-Nuke does not fully filter and check the username parameter. A remote attacker may insert malicious SQL commands into this parameter and thereby perform unauthorized operations on the backend database.
TITLE: PHP-Nuke "Your_Account" Module SQL Injection Vulnerability
SECUNIA ADVISORY ID: SA18931
VERIFY ADVISORY: http://secunia.com/advisories/18931/
CRITICAL: Moderately critical
IMPACT: Manipulation of data
WHERE: From remote
SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ PHP-Nuke 6.x http://secunia.com/product/329/
DESCRIPTION: sp3x has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability has been confirmed in version 7.8. Other versions may also be affected.
SOLUTION: The vulnerability has reportedly been fixed in version 7.9 with patch 3.1.
PROVIDED AND/OR DISCOVERED BY: sp3x
ORIGINAL ADVISORY: http://securityreason.com/securityalert/440
VAR-200602-0183 CVE-2006-0764 Cisco Multiple products TACACS+ Access authentication bypass vulnerability CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
The Authentication, Authorization, and Accounting (AAA) capability in versions 5.0(1) and 5.0(3) of the software used by multiple Cisco Anomaly Detection and Mitigation products, when running with an incomplete TACACS+ configuration without a "tacacs-server host" command, allows remote attackers to bypass authentication and gain privileges, aka Bug ID CSCsd21455. Cisco Anomaly Detection and Mitigation appliances and service modules are prone to an authentication-bypass vulnerability. This issue can allow attackers to gain unauthorized access to devices or gain elevated privileges. This vulnerability presents itself when the devices have been configured to authenticate users against an external TACACS+ server, but an external TACACS+ server isn't specified in the configuration using the 'tacacs-server host' command. Note that a device is vulnerable only if the 'tacacs-server host' command isn't present in the configuration. Depending on the privileges gained, the attacker may obtain sensitive information about a network by sniffing traffic and inspecting configuration policies. Denial-of-service attacks are also possible. Both Cisco Guard and Cisco Traffic Anomaly Detector appliances are Distributed Denial of Service (DDoS) attack mitigation appliances that detect potential DDoS attacks and divert attack traffic to the monitored network without affecting legitimate traffic. The permissions available to a user who bypasses authentication depend on the type of account used to log in and whether there is an account on the device.
The situation is as follows: * Using a non-existing account: the user can only execute the show command Obtain the same permissions normally given to this account * Using an existing Linux account: the user can access the base Linux shell. Additionally, if the enable authentication is performed on the TACACS+ server via the aaa authentication enable tacacs+ command and the actual TACACS+ server is not specified via the tacacs-server host command, the user can also bypass the authentication of the enable command. TITLE: Cisco Products TACACS+ Authentication Bypass SECUNIA ADVISORY ID: SA18904 VERIFY ADVISORY: http://secunia.com/advisories/18904/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: From remote OPERATING SYSTEM: Cisco Guard 5.x http://secunia.com/product/8097/ Cisco Traffic Anomaly Detector 5.x http://secunia.com/product/8095/ SOFTWARE: Cisco Catalyst 6500/Cisco 7600 Router Anomaly Guard Module http://secunia.com/product/8098/ Cisco Catalyst 6500/Cisco 7600 Router Traffic Anomaly Detector Module http://secunia.com/product/8099/ DESCRIPTION: A security issue has been reported in various Cisco products, which can be exploited by malicious people to bypass certain security restrictions. Successful exploitation requires that TACACS+ authentication is incompletely configured (i.e. The security issue affects the following products: * Cisco Guard versions 5.0(1) and 5.0(3) * Cisco Traffic Anomaly Detector versions 5.0(1) and 5.0(3) * Anomaly Guard Module for the Cisco Catalyst 6500 switches/Cisco 7600 routers * Traffic Anomaly Detector Module for the Cisco Catalyst 6500 switches/Cisco 7600 routers NOTE: Versions prior to 5.0 and versions later than 5.0(3) are unaffected. SOLUTION: Update to version 5.1(4) or later. Software for the Cisco Guard appliance: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ga-crypto. Software for the Cisco Traffic Anomaly Detector appliance: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ad-crypto.
Software for the Cisco Anomaly Guard Module: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-agm-crypto. Software for the Cisco Anomaly Traffic Detector Module: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-adm-crypto Configure TACACS+ authentication properly. PROVIDED AND/OR DISCOVERED BY: The vendor credits Gerrit Wenig. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060215-guard.shtml
VAR-200602-0338 CVE-2006-0790 Rockliffe MailSite Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite. Rockliffe MailSite is prone to multiple unspecified vulnerabilities. These issues may be triggered by malformed LDAP data. The exact impact of these vulnerabilities is not known at this time. Although the issues are known to crash the server, the possibility of remote code execution is unconfirmed. This BID will be updated as further information is made available. TITLE: MailSite LDAP Service Denial of Service Vulnerability SECUNIA ADVISORY ID: SA18888 VERIFY ADVISORY: http://secunia.com/advisories/18888/ CRITICAL: Less critical IMPACT: DoS WHERE: From local network SOFTWARE: MailSite 5.x http://secunia.com/product/1698/ MailSite 6.x http://secunia.com/product/5898/ MailSite 7.x http://secunia.com/product/6895/ DESCRIPTION: Evgeny Legerov has reported a vulnerability in MailSite, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the LDAP server within the handling of certain requests. SOLUTION: Restrict access to the LDAP service. PROVIDED AND/OR DISCOVERED BY: Evgeny Legerov, GLEG Ltd. ORIGINAL ADVISORY: http://lists.immunitysec.com/pipermail/dailydave/2006-February/002926.html
VAR-200602-0209 CVE-2006-0719 DeltaScripts PHP Classifieds Member_Login.PHP SQL Injection Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in member_login.php in PHP Classifieds 6.18 through 6.20 allows remote attackers to execute arbitrary SQL commands via the (1) username parameter, which is used by the E-mail address field, and (2) password parameter. A SQL injection vulnerability exists in PHP Classifieds 6.18 to 6.20 member_login.php. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. Successful exploitation could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. An attacker can exploit this issue to bypass the authentication mechanism and gain access as an arbitrary user. TITLE: PHP Classifieds "member_login.php" SQL Injection SECUNIA ADVISORY ID: SA18881 VERIFY ADVISORY: http://secunia.com/advisories/18881/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: From remote SOFTWARE: PHP Classifieds 6.x http://secunia.com/product/8084/ DESCRIPTION: Audun Larsen has reported a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows bypassing of login authentication but requires that the username is known and "magic_quotes_gpc" is disabled. The vulnerability has been reported in version 6.20 with member_login.php dated before 2006-02-14. Prior versions may also be affected. SOLUTION: Apply patch. http://www.deltascripts.com/download/ PROVIDED AND/OR DISCOVERED BY: Audun Larsen
VAR-200602-0303 CVE-2006-0382 Apple Mac OS X Service disruption in (DoS) Vulnerabilities CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Apple Mac OS X 10.4.5 and allows local users to cause a denial of service (crash) via an undocumented system call. This issue is due to the kernel's failure to properly handle the execution of an undocumented system call. The vulnerability is caused due to an unspecified error in an undocumented system call and can be exploited to crash the system. SOLUTION: Update to version 10.4.5. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303290
VAR-200602-0345 CVE-2006-0797 Nokia N70 L2CAP Packet Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Nokia N70 cell phone allows remote attackers to cause a denial of service (reboot or shutdown) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet whose length field is less than the actual length of the packet, possibly triggering a buffer overflow, as demonstrated using the Bluetooth Stack Smasher (BSS). Nokia N70 is reportedly prone to a remote denial-of-service vulnerability. A successful attack can allow an attacker to corrupt memory and to trigger a denial-of-service condition. Arbitrary code execution may be possible as well, but this has not been confirmed. Nokia model N70 is reported vulnerable to this issue; the specific firmware is currently unknown. This issue is reported to be a separate issue from 16513 (Nokia N70 Remote Denial of Service Vulnerability), also discovered using the BSS Stack Smasher. TITLE: Nokia Cell Phones Bluetooth Denial of Service Vulnerability SECUNIA ADVISORY ID: SA18724 VERIFY ADVISORY: http://secunia.com/advisories/18724/ CRITICAL: Not critical IMPACT: DoS WHERE: From remote OPERATING SYSTEM: Nokia N70 http://secunia.com/product/8012/ DESCRIPTION: Pierre Betouin has reported a vulnerability in Nokia cell phones, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the Bluetooth stack within the handling of certain requests. This can be exploited to cause the device to stop responding or to display a "System error" message. Other Nokia cell phones with Bluetooth functionality may also be affected. SOLUTION: Disable Bluetooth. PROVIDED AND/OR DISCOVERED BY: Pierre Betouin ORIGINAL ADVISORY: http://www.secuobs.com/news/10022006-nokia_n70.shtml#english
VAR-200602-0205 CVE-2006-0676 PHPNuke Header.PHP Pagetitle Parametric Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter. PHPNuke is prone to a cross-site scripting vulnerability. This issue affects the 'header.php' script. PHPNuke 7.8 and prior versions are reportedly vulnerable. TITLE: PHP-Nuke "pagetitle" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA18820 VERIFY ADVISORY: http://secunia.com/advisories/18820/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ PHP-Nuke 6.x http://secunia.com/product/329/ DESCRIPTION: Janek Vind "waraxe" has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "pagetitle" parameter in "header.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Example: http://[host]/?pagetitle=title</title></head><script+src=http://[host]/script.js? The vulnerability has been confirmed in version 7.8. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Janek Vind "waraxe" ORIGINAL ADVISORY: http://www.waraxe.us/advisory-44.html
VAR-200602-0089 CVE-2006-0592 Lexmark Printer Sharing LexBce Server Service Unknown vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Lexmark Printer Sharing LexBce Server Service (LexPPS), possibly 8.29 and 9.41, allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based on a vague initial disclosure; details will be updated after the grace period has ended. TITLE: Lexmark Printers LexBce Server Arbitrary Code Execution SECUNIA ADVISORY ID: SA18744 VERIFY ADVISORY: http://secunia.com/advisories/18744/ CRITICAL: Moderately critical IMPACT: System access WHERE: From local network OPERATING SYSTEM: Lexmark X1100 Series http://secunia.com/product/7842/ SOFTWARE: Lexmark LexBce Server (LexPPS) 8.x http://secunia.com/product/7856/ Lexmark LexBce Server (LexPPS) 9.x http://secunia.com/product/7847/ DESCRIPTION: Peter Winter-Smith of NGSSoftware has reported a vulnerability in the LexBce Server Service included with various Lexmark printers, which can be exploited by malicious people to compromise a user's system. This can be exploited to execute arbitrary code on a system with a Lexmark printer installed. NOTE: The service is installed with the printer drivers of Lexmark X1100 series (LexPPS version 8.29), and X2200 series (LexPPS version 9.41). Other Lexmark printers may also have the service installed. SOLUTION: Disable the service if printer sharing is not required. PROVIDED AND/OR DISCOVERED BY: Peter Winter-Smith, NGSSoftware.
VAR-200602-0449 No CVE Nortel Networks Multiple IPSec Product Remote Denial of Service Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Nortel Networks is the industry's leading provider of communications equipment, offering a wide range of network communications equipment. A remote denial of service vulnerability exists in multiple VPN products from Nortel Networks. The vulnerability is triggered when the IPSec software handles a special network communication, after which it fails to process ESP traffic, resulting in a denial of service. The specific content and type of network traffic sufficient to trigger this issue are currently unknown. This issue is reportedly being tracked by Nortel as support case 060110-04843. Nortel IPSec client software version v04_60.51 and newer is reportedly susceptible to this issue. Further reports indicate this issue is exploitable only through an existing IPSec tunnel and only via a valid remote access account. NOTE: Further analysis and reports have indicated that this issue is limited to the VPN Client. Therefore, we have determined that this does not present a security threat. This BID is being retired.
VAR-200602-0026 CVE-2006-0487 Tumbleweed MailGate Email Firewall Multiple unspecified vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple unspecified vulnerabilities in Tumbleweed MailGate Email Firewall (EMF) 6.x allow remote attackers to (1) trigger temporarily incorrect processing of an e-mail message under "extremely heavy loads" and (2) cause an "increased number of missed spam" during "spam outbreaks." MailGate Email Firewall is prone to a remote security vulnerability.
VAR-200601-0023 CVE-2006-0483 Cisco VPN 3000 series concentrator Service disruption in software (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco VPN 3000 series concentrators running software 4.7.0 through 4.7.2.A allow remote attackers to cause a denial of service (device reload or user disconnect) via a crafted HTTP packet. A successful attack can cause the device to hang, completely denying further service to legitimate users. Cisco has documented this issue as Bug IDs CSCsb77324 and CSCsd26340. The vulnerability is caused due to an error when processing HTTP packets. Successful exploitation requires that the HTTP service is enabled (default setting). The vulnerability has been reported in software versions 4.7.0 through 4.7.2.A (including version 4.7REL). Software versions prior to 4.7.x are not affected. SOLUTION: Update to software version 4.7.2.B or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/vpn3000-3des Disable the HTTP service. PROVIDED AND/OR DISCOVERED BY: Discussed at the ShmooCon security conference. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060126-vpn.shtml
VAR-200602-0024 CVE-2006-0485 Cisco IOS of TCL shell Vulnerable to arbitrary command execution CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The TCL shell in Cisco IOS 12.2(14)S before 12.2(14)S16, 12.2(18)S before 12.2(18)S11, and certain other releases before 25 January 2006 does not perform Authentication, Authorization, and Accounting (AAA) command authorization checks, which may allow local users to execute IOS EXEC commands that were prohibited via the AAA configuration, aka Bug ID CSCeh73049. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ AAA (authentication, authorization, and accounting) is a mechanism for managing authentication, authorization, and billing (access management) for network usage. Cisco IOS is prone to a remote AAA command authorization-bypass vulnerability. This issue allows remote attackers to bypass AAA command authorization checks and to gain elevated access to affected devices. This issue is documented by Cisco bug ID CSCeh73049 http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeh73049. Cisco Internet Operating System (IOS) is an operating system used on Cisco routers. In some configurations, a logged-in user can execute arbitrary commands through the TCL Shell without authentication, resulting in privilege escalation. Devices that do not have the AAA service function and do not support TCL are not affected by this vulnerability. TITLE: Cisco IOS AAA Command Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA18613 VERIFY ADVISORY: http://secunia.com/advisories/18613/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: Local system OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS 12.x http://secunia.com/product/182/ DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability has been reported in IOS Version 12.0T or later.
Note: It has also been reported that an authenticated user is automatically placed into the Tcl Shell mode if a previous user goes into Tcl Shell mode and terminates the session before leaving the Tcl Shell mode. This may help to exacerbate the vulnerability. SOLUTION: Fixes are available (see patch matrix in vendor advisory). http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml PROVIDED AND/OR DISCOVERED BY: The vendor credits Nicolas Fischbach of COLT Telecom. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml