VARIoT IoT vulnerabilities database


VAR-200510-0181 CVE-2005-3198 Webroot Software Desktop Firewall Firewall disable vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Webroot Desktop Firewall before 1.3.0build52 allows local users to disable the firewall, even when password protection is enabled, via certain DeviceIoControl commands. The first issue is a buffer overflow vulnerability, due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. Local attackers may exploit this first issue to execute arbitrary machine code with SYSTEM privileges. Attackers require the ability to modify the firewall's list of allowed applications. The second issue is an authentication bypass vulnerability. Local attackers may exploit the second issue to disable the firewall, aiding them in further attacks. These issues may only be exploited by local attackers with privileges allowing them to utilize 'DeviceIoControl()' to send commands to the firewall driver. These issues are reported to exist in version 1.3.0.43. Other versions may also be affected.

1) A boundary error in PWIWrapper.dll when deleting a program from the list of "allowed" programs can cause a stack-based buffer overflow in FirewallNTService.exe. Successful exploitation allows non-privileged users to execute arbitrary code with SYSTEM privileges, but requires the ability to add and remove programs from the firewall's permitted application list.

SOLUTION: Update to version 1.3.0 build 52.
PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong, Secunia Research.
ORIGINAL ADVISORY:
Webroot: http://support.webroot.com/ics/support/KBAnswer.asp?questionID=2332
Secunia Research: http://secunia.com/secunia_research/2005-10/advisory/
----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200510-0403 CVE-2006-1458 Ruby safe-level security model bypass CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Integer overflow in Apple QuickTime Player before 7.1 allows remote attackers to execute arbitrary code via a crafted JPEG image. Apple QuickTime fails to properly handle JPEG images. Apple QuickTime has multiple vulnerabilities. For more information, see the information provided by the vendor. These issues affect both Mac OS X and Microsoft Windows releases of the software. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. CVE-2006-1461: An attacker can create a specially crafted Flash movie to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1462, CVE-2006-1463: An attacker can create a specially crafted H.264 movie to trigger an integer overflow or buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1464: An attacker can create a specially crafted MPEG4 movie to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1465: An attacker can create a specially crafted AVI movie to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1453, CVE-2006-1454: QuickDraw has two vulnerabilities when processing malformed PICT files. Malformed font information may cause a stack overflow, and malformed graphics data may cause a heap overflow. An attacker can create specially crafted PICT graphics. CVE-2006-2238: An attacker can create a specially crafted BMP graphic to trigger a buffer overflow, causing arbitrary commands to be executed with user privileges or denial of service.
National Cyber Alert System
Technical Cyber Security Alert TA06-132A
Apple Mac Products Affected by Multiple Vulnerabilities
Original release date: May 12, 2006
Last revised: --
Source: US-CERT

Systems Affected
* Apple Mac OS X version 10.3.9 (Panther) and version 10.4.6 (Tiger)
* Apple Mac OS X Server version 10.3.9 and version 10.4.6
* Apple Safari web browser
* Apple Mail
Previous versions of Mac OS X may also be affected. Please see Apple Security Update 2006-003 for further information.

Impacts of other vulnerabilities include bypassing security restrictions and denial of service.

I. Further details are available in the individual Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes.
III. Solution
Install an update
Install Apple Security Update 2006-003. This and other updates are available via Apple Update.
Disable "Open 'safe' files after downloading"
For additional protection, disable the option to "Open 'safe' files after downloading," as specified in "Securing Your Web Browser."

Appendix A. References
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/#Safari>
* Apple Security Update 2006-003 - <http://docs.info.apple.com/article.html?artnum=303737>
* Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>

These vulnerabilities were reported in Apple Security Update 2006-003. Please see the Vulnerability Notes for individual reporter acknowledgements.
The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the subject.
For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html>
Revision History
May 12, 2006: Initial release
VAR-200509-0284 CVE-2005-3084 Sony PSP firmware TIFF Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the TIFF library in the Photo Viewer for Sony PSP 2.0 firmware allows remote attackers to cause a denial of service via a crafted TIFF image. PSP is prone to a denial-of-service vulnerability. The full name of PSP is PlayStation Portable, a handheld game console developed by Sony.
----------------------------------------------------------------------
Are you interested in a new job in IT security? Secunia has two open positions as Junior and Senior Specialist in IT Security: http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE: Sony PSP Photo Viewer TIFF File Handling Buffer Overflow
SECUNIA ADVISORY ID: SA16922
VERIFY ADVISORY: http://secunia.com/advisories/16922/
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From remote
OPERATING SYSTEM: Sony PSP (PlayStation Portable) http://secunia.com/product/5764/
DESCRIPTION: A vulnerability has been reported in Sony PSP, which potentially can be exploited by malicious people to compromise a user's system. This may be related to: SA15320
The vulnerability has been reported in firmware version 2.0. Other versions may also be affected.
SOLUTION: Do not open untrusted TIFF files.
ORIGINAL ADVISORY: http://pspupdates.qj.net/2005/09/20-overflow-found-and-working.html
OTHER REFERENCES: SA15320 http://secunia.com/advisories/15320/
VAR-200512-0322 CVE-2005-4827 Microsoft Internet Explorer XmlHttpRequest Parameter validation vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Internet Explorer 6.0, and possibly other versions, allows remote attackers to bypass the same origin security policy and make requests outside of the intended domain by calling open on an XMLHttpRequest object (Microsoft.XMLHTTP) and using tab, newline, and carriage return characters within the first argument (method name), which is supported by some proxy servers that convert tabs to spaces. NOTE: this issue can be leveraged to conduct referer spoofing, HTTP Request Smuggling, and other attacks. Microsoft Internet Explorer is prone to a weakness that permits the injection of arbitrary HTTP requests due to improper verification of parameters passed to XmlHttpRequest. An attacker may craft a website that instantiates the affected control and forces the browser to request a site on the same host (or another host in case a forwarding proxy is employed). The attacker would then intercept the response and steal sensitive data to aid in further attacks.
VAR-200509-0144 CVE-2005-3027 Sybari Antigen Filter rule bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Sybari Antigen 8.0 SR2 does not properly filter SMTP messages, which allows remote attackers to bypass custom filter rules and send file attachments of arbitrary file types via a message with a subject of "Antigen forwarded attachment". Sybari Antigen for Exchange/SMTP products are vulnerable to an attachment rule bypass vulnerability. A successful attack may result in arbitrary attachments and unwanted content being delivered to users. It should be noted that this issue does not disable or bypass antivirus scanning of attachments. Sybari Antigen v8.0 SR2 for Exchange and Sybari Antigen v8.0 SR2 for SMTP Gateways are reportedly vulnerable. Other versions may be affected as well. Sybari Antigen is a multi-scanning engine solution that integrates eight different scanning engines from detection to execution in a single product, providing a higher level of security protection against today's malicious code attacks.
----------------------------------------------------------------------
TITLE: Antigen for Exchange "Antigen forwarded attachment" Filter Bypass
SECUNIA ADVISORY ID: SA16759
VERIFY ADVISORY: http://secunia.com/advisories/16759/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From remote
SOFTWARE: Antigen 8.x http://secunia.com/product/5731/
DESCRIPTION: Alan G. The vulnerability is caused due to a design error in the processing of mails with the subject "Antigen forwarded attachment". This can be exploited to bypass certain custom filters for file attachments.
The vulnerability has been reported in version 8.0 SR2. Some other issues which may be security related have also been reported by the vendor.
SOLUTION: Update to version 8.0 SR3 for Exchange (Build 1517).
http://www.sybari.com/portal/alias__Rainbow/lang__en-US/tabID__3359/DesktopDefault.aspx
PROVIDED AND/OR DISCOVERED BY: Alan G. Monaghan, Gardner Publications, Inc
VAR-200509-0369 No CVE Cisco IOS EIGRP Goodbye Message Denial Of Service and Unauthorized Access Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Cisco IOS is vulnerable to a denial-of-service and unauthorized-access vulnerability. An attacker can exploit this issue to cause denial-of-service conditions in the EIGRP implementation of selective neighbors and potentially intercept, modify, and redirect messages. Cisco is tracking this vulnerability as bug id CSCsc13698.
VAR-200509-0135 CVE-2005-3018 Apple Safari Remote denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Safari allows remote attackers to cause a denial of service (application crash) via a crafted data:// URL. Apple Safari is prone to a memory corruption vulnerability. This issue is exposed when the browser opens specific 'data:' URIs, causing the browser to crash. Though unconfirmed, this vulnerability could be exploitable to execute arbitrary code. Apple Safari is a web browser developed by Apple, and is the default browser included with the Mac OS X and iOS operating systems.
----------------------------------------------------------------------
TITLE: Safari "data:" URI Handler Denial of Service Weakness
SECUNIA ADVISORY ID: SA16875
VERIFY ADVISORY: http://secunia.com/advisories/16875/
CRITICAL: Not critical
IMPACT: DoS
WHERE: From remote
SOFTWARE: Safari 2.x http://secunia.com/product/5289/
DESCRIPTION: Jonathan Rockway has discovered a weakness in Safari, which can be exploited by malicious people to cause a DoS (Denial of Service). The weakness is caused due to an error in the processing of URLs in the "data:" URI handler. This can be exploited to crash a vulnerable browser via e.g. an image tag referencing a specially crafted "data:" URL.
Example: data://<h1>crash</h1>
The weakness has been confirmed in version 2.0 (412.2). Other versions may also be affected.
SOLUTION: Do not browse untrusted web sites.
PROVIDED AND/OR DISCOVERED BY: Jonathan Rockway
VAR-200509-0133 CVE-2005-3016 PHP-Nuke WYSIWYG Multiple unspecified vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple unspecified vulnerabilities in the WYSIWYG editor in PHP-Nuke before 7.9 Final have unknown impact and attack vectors. PHP-Nuke is prone to a remote security vulnerability. PHP-Nuke is a professional content management system (CMS). The complete solution of PHP-Nuke is suitable for anyone who wants to build their own portal website. It includes news management, advertisement management, a forum system, a voting system, an FAQ system, an IP shielding system, a knowledge encyclopedia, e-newsletters, etc.
----------------------------------------------------------------------
TITLE: PHP-Nuke Unspecified wysiwyg Editor Vulnerabilities
SECUNIA ADVISORY ID: SA16843
VERIFY ADVISORY: http://secunia.com/advisories/16843/
CRITICAL: Moderately critical
IMPACT: Unknown
WHERE: From remote
SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/
DESCRIPTION: Some potential vulnerabilities have been reported in PHP-Nuke with unknown impacts.
SOLUTION: Update to version 7.9. http://www.phpnuke.org/modules.php?name=Release
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.phpnuke.org/modules.php?name=News&file=article&sid=7435
VAR-200509-0051 CVE-2005-2984 Avocent CCM Port Access Restriction Bypass Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Avocent CCM console server running firmware 2.1 CCM4850 allows remote authenticated attackers to bypass port restrictions by connecting to the server via SSH and using the connect command to access the serial port. Avocent CCM is prone to a vulnerability that permits the bypass of access control to privileged ports. This issue is due to a failure in the application to perform proper authorization before granting access to internal functions. An attacker can exploit this vulnerability to bypass access control and gain privileged access to ports and devices connected to the vulnerable appliance. Avocent CCM is a multi-computer controller.
----------------------------------------------------------------------
TITLE: Avocent CCM Port Access Control Bypass Vulnerability
SECUNIA ADVISORY ID: SA16836
VERIFY ADVISORY: http://secunia.com/advisories/16836/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM: Avocent CCM XX50 http://secunia.com/product/5714/
DESCRIPTION: Dirk Wetter has reported a vulnerability in Avocent CCM, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability has been reported in CCM4850 with firmware 2.1.
SOLUTION: Update to firmware version 2.3. ftp://ftp.avocent.com/public/product-upgrades/$ds1800/CCMx50%20Series/CCMx50%27s_AV_2.3/
PROVIDED AND/OR DISCOVERED BY: Dirk Wetter
ORIGINAL ADVISORY: http://drwetter.org/cs-probs/avocent-sshbug.txt
VAR-200509-0223 CVE-2005-2799 Linksys WRT54G apply.cgi Buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request. WRT54G v1.0 is prone to a remote security vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may cause a denial-of-service condition.

Linksys WRT54G Router Remote Administration apply.cgi Buffer Overflow Vulnerability
iDEFENSE Security Advisory 09.13.05
www.idefense.com/application/poi/display?id=305&type=vulnerabilities
September 13, 2005

I. BACKGROUND
The Linksys WRT54G is a combination wireless access point, switch and router. More information is available at the following URL: http://www.linksys.com/products/product.asp?prid=508

II.
The vulnerability specifically exists in the 'apply.cgi' handler of the httpd running on the internal interfaces, including, by default, the wireless interface. This handler is used by many of the configuration pages to perform the configuration management of the router.

III.
This could allow any operation to be performed on the router, including changing passwords and firewall configuration, installation of new firmware with other features, or denial of service. Exploitation of this vulnerability requires that an attacker can connect to the web management port of the router. The httpd is running by default but is only accessible via the LAN ports or the WLAN (wireless LAN). An attacker who can associate via the wireless interface to the network running a vulnerable httpd could send an exploit from a wireless device, and so not require direct physical access to an affected network. Additionally, if the httpd is configured to listen on the WAN (internet) interface, this vulnerability would be exploitable remotely over the internet.
On some versions of the WRT54G firmware the buffer used to store the POST input, 'post_buf', is before a structure in memory containing pointers to the 'mime_handlers' structure, which contains function pointers for handling the various types of input. By overwriting this structure so some function pointers point into post_buf, it is possible to execute arbitrary commands. Overwriting these values with nulls will prevent access to the httpd on the system until the router is restarted. Overwriting these values with 'garbage' values will cause the httpd to crash, but it will be restarted by a system monitoring process within 2 minutes, allowing multiple exploitation attempts. Although authentication checks are performed on access to this page, the code which reads in the buffer is executed even if authentication fails, so as to clear the input buffer from the client before returning an error message. This may allow an unauthenticated user to exploit the vulnerability.

IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in version 3.01.03 of the firmware of the Linksys WRT54G, and has identified that the same code is present in version 3.03.6. All versions prior to 4.20.7 may be affected. As this firmware is Open Source, and based on a reference implementation supplied by the original hardware maker, there may be other affected 3rd party firmware which use the same or similar code, and are thus also affected.

V. WORKAROUND
In order to mitigate exposure of the internal network to outside attackers, ensure encryption is enabled on the wireless interface. The exact settings to use are dependent on your wireless deployment policies.

VI. VENDOR RESPONSE
This vulnerability is addressed in firmware version 4.20.7 available for download at: http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Download_C2%26cid%3D1115417109974%26sku%3D1124916802645&pagename=Linksys%2FCommon%2FVisitorWrapper

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2799 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
06/07/2005 Initial vendor notification
06/07/2005 Initial vendor response
09/13/2005 Coordinated public disclosure

IX. CREDIT
This vulnerability was discovered by Greg MacManus of iDEFENSE Labs.
Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events http://labs.idefense.com

X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
VAR-200512-0910 CVE-2005-4715 PHP-Nuke modules.php Multiple SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) sid, and (3) pid parameters in a POST request, which bypasses security checks that are performed for GET requests. PHP-Nuke is prone to a SQL-injection vulnerability. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. There are multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8. When magic_quotes_gpc is disabled, a remote attacker can execute arbitrary SQL commands. Such requests bypass the security checks performed for GET requests.
----------------------------------------------------------------------
TITLE: PHP-Nuke SQL Injection Vulnerabilities
SECUNIA ADVISORY ID: SA16801
VERIFY ADVISORY: http://secunia.com/advisories/16801/
CRITICAL: Moderately critical
IMPACT: Manipulation of data
WHERE: From remote
SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/
DESCRIPTION: Robin Verton has discovered some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities have been confirmed in version 7.7. Version 7.8 and prior are reportedly also affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY: Robin Verton
VAR-200509-0093 CVE-2005-2912 Linksys WRT54G Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Linksys WRT54G router allows remote attackers to cause a denial of service (CPU consumption and server hang) via an HTTP POST request with a negative Content-Length value. WRT54G v1.0 is prone to a denial-of-service vulnerability. Linksys WRT54G is a Cisco wireless router.
VAR-200509-0095 CVE-2005-2914 Linksys WRT54G Configuration Information Disclosure Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, does not use an authentication initialization function, which allows remote attackers to obtain encrypted configuration information and, if the key is known, modify the configuration. WRT54G v1.0 is prone to a remote security vulnerability. Linksys WRT54G is a Cisco wireless router.
VAR-200509-0096 CVE-2005-2915 Linksys WRT54G ezconfig.asp Weak coding vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, uses weak encryption (XOR encoding with a fixed byte mask) for configuration information, which could allow attackers to decrypt the information and possibly re-encrypt it in conjunction with CVE-2005-2914. WRT54G v1.0 is prone to a remote security vulnerability. Linksys WRT54G is a Cisco wireless router.
VAR-200509-0097 CVE-2005-2916 Linksys WRT54G User authentication bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Linksys WRT54G 3.01.03, 3.03.6, 4.00.7, and possibly other versions before 4.20.7, does not verify user authentication until after an HTTP POST request has been processed, which allows remote attackers to (1) modify configuration using restore.cgi or (2) upload new firmware using upgrade.cgi. WRT54G v1.0 is prone to a remote security vulnerability. Linksys WRT54G is a Cisco wireless router.
VAR-200509-0380 No CVE Linksys WRT54G Wireless Router Multiple Remote Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
Multiple vulnerabilities have been identified in Linksys WRT54G routers. These issues all require that an attacker have access to either the wireless or the internal LAN network segment of the affected device. Exploitation from the WAN interface is only possible if the affected device has remote management enabled. These issues allow attackers to: - Download and replace the configuration of affected routers. - Execute arbitrary machine code in the context of the affected device. - Utilize HTTP POST requests to upload router configuration and firmware files without proper authentication. - Degrade the performance of affected devices and cause the Web server to become unresponsive, potentially denying service to legitimate users.
VAR-200509-0184 CVE-2005-2862 Annex Modem blank password vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
ADSL Road Runner modem in the Annex A family has a service running on port 224, which allows remote attackers to login to the modem with a blank password and gain unauthorized access. Annex is a modem specification.
VAR-200509-0171 CVE-2005-2849 Barracuda Spam Firewall Parameter Injection Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Argument injection vulnerability in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to (1) read portions of source code via the -f option to Dig (dig_device.cgi), (2) determine file existence via the -r argument to Tcpdump (tcpdump_device.cgi), or (3) modify files in the cgi-bin directory via the -w argument to Tcpdump. Barracuda Spam Firewall is prone to a remote security vulnerability. Barracuda Spam Firewall is the main product of Barracuda Networks, which provides users with a safe, efficient and comprehensive overall solution for spam and virus email protection.
VAR-200509-0077 CVE-2005-2889 Check Point Firewall rules may improperly handle network traffic CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Check Point NGX R60 does not properly verify packets against the predefined service group "CIFS" rule, which allows remote attackers to bypass intended restrictions. A vulnerability exists in how the CIFS service group rule is interpreted; as a result, restrictions enforced by Check Point VPN-1/FireWall-1 may be bypassed and connections made to computers in the protected network. This issue is due to a failure of the software to properly implement expected firewall rules. This vulnerability allows attackers to bypass firewall rules, letting them attack protected services and computers without expected restriction. This issue also leads to a false sense of security for firewall administrators. ---------------------------------------------------------------------- TITLE: Check Point Firewall CIFS Service Group Rule Bypass SECUNIA ADVISORY ID: SA16770 VERIFY ADVISORY: http://secunia.com/advisories/16770/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: From remote SOFTWARE: Check Point VPN-1/Firewall-1 NG http://secunia.com/product/89/ Check Point VPN-1 Server 4.x http://secunia.com/product/2965/ Check Point Provider-1 http://secunia.com/product/3262/ Check Point FireWall-1 GX 2.x http://secunia.com/product/3263/ Check Point Firewall-1 4.x http://secunia.com/product/88/ Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI) http://secunia.com/product/2542/ Check Point VPN-1/FireWall-1 VSX NG http://secunia.com/product/3264/ DESCRIPTION: fitz has reported a security issue in Check Point Firewall, which potentially can be exploited by malicious people to bypass certain security restrictions. The security issue has been reported in the following products: * VPN-1/FireWall-1 * VPN-1 VSX * Provider-1 SOLUTION: The vendor suggests renaming the CIFS service group.
Refer to the vendor's advisory for instructions. PROVIDED AND/OR DISCOVERED BY: fitz ORIGINAL ADVISORY: Check Point: http://secureknowledge.us.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk31196 OTHER REFERENCES: US-CERT VU#508209: http://www.kb.cert.org/vuls/id/508209
VAR-200509-0218 CVE-2005-2841 Cisco IOS Firewall Authentication Proxy Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-200509-0195
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Firewall Authentication Proxy for FTP and/or Telnet Sessions for Cisco IOS 12.2ZH and 12.2ZL, 12.3 and 12.3T, and 12.4 and 12.4T allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted user authentication credentials. IOS is prone to a denial-of-service vulnerability. Successful exploitation of this issue could cause a denial of service or potentially allow execution of arbitrary code. This issue affects the FTP and Telnet protocols, but not HTTP. Cisco's Internetwork Operating System (IOS) is a complex operating system optimized for internetworking, much as a Network Operating System (NOS) such as Novell's NetWare is optimized for LANs. The vulnerability is caused by a boundary error when the Authentication Proxy for FTP/Telnet processes user authentication credentials. This can be exploited to cause a buffer overflow. The vulnerability is reported in the following versions: * 12.2ZH and 12.2ZL based trains * 12.3 based trains * 12.3T based trains * 12.4 based trains * 12.4T based trains SOLUTION: Fixes are available (see the patch matrix in the vendor advisory). http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml#software PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml OTHER REFERENCES: US-CERT VU#236045: http://www.kb.cert.org/vuls/id/236045