Kazdych par dnu me prijde email s informacemi jake jsou nove obevene bezpecnostni problemy. Posila nam to firma, ktera zajistuje bezpecnost placeni kreditnimi kartami. Vetsine veci nerozumim takze to detailne to nectu. Jen me desi ten rozsah. Kolik toho je. Kdyz si predstavim velkou firmu, ve ktere lide pouzivaji stovky ruznych softwaru a systemu, tak to musi byt docela napor to vse uhlidat. To je i duvod, proc treba radeji ani neukladame cisla kreditnich karet. Cim mene citlivych informaci se uklada tim lepe. Ale i tak je to hruza. Porad nejake viry a podobne problemy. Clovek si uz ani nemuze v klidu pripojit na FTP nebo si vymyslet jednoduse zapamatovatelne heslo:-).
SecurityMetrics, Inc.
Security Bulletin
******************************
We gladly provide this Security Bulletin as a free service.
See the bottom of this message to unsubscribe.
******************************
Evaluating external vulnerability assessment solutions? Try our free
server/firewall test at:
http://www.securitymetrics.
******************************
May 08, 2009
2009-05-08: Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Successful exploits can result in the complete compromise of affected computers. Failed attacks will likely result in denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Microsoft .Net Framework Multiple Null Byte Injection Vulnerabilities
An attacker can exploit these issues to access sensitive information that may aid in further attacks; other attacks are also possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Multiple Symantec Products Intel Common Base Agent Remote Command Execution Vulnerability
Successfully exploiting this issue will allow an attacker to execute arbitrary commands with SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will result in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Sorinara Streaming Audio Player ‘.pla’ File Remote Stack Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘ptrace_attach()’ Local Privilege Escalation Vulnerability
A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Microsoft .NET Framework JIT Compiler Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Successful exploits can result in the complete compromise of affected computers. Failed attacks will likely result in denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Mozilla Firefox ‘nsTextFrame::ClearTextRun()’ Remote Memory Corruption Vulnerability
Successful exploits will allow remote attackers to execute arbitrary code within the context of the affected browser or crash the browser, denying service to legitimate users.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: HP-UX ‘useradd’ Local Unauthorized Access Vulnerability
HP-UX is prone to a local unauthorized-access vulnerability because the software fails to properly restrict access to certain directories and files.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Pango ‘pango_glyph_string_set_size()
Successful exploits may allow attackers to crash the application that uses the library, denying service to legitimate users. Due to the nature of this issue arbitrary code-execution may be possible, however this has not been confirmed.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: GNU screen Insecure Temporary File Creation Vulnerability
An attacker with local access could disclose sensitive information or perform symbolic-link attacks to overwrite arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Chinagames ActiveX Control ‘CreateChinagames()’ Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: TCPDB ‘user/index.php’ Authentication Bypass Vulnerability
This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Techno Dreams Job Career Package Cookie Authentication Bypass Vulnerability
Attackers can exploit this vulnerability to gain unauthorized access to the affected application, which may aid in further attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Sorinara Soritong MP3 Player ‘.m3u’ File Remote Stack Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: webSPELL ‘getlang.php’ SQL Injection Vulnerability
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: PHP ‘mb_ereg_replace()’ String Evaluation Vulnerability
Exploiting this issue may allow attackers to execute arbitrary PHP commands in the context of the affected application.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Multiple Mini-stream Software Products ‘.asx’ File Remote Stack Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: libwmf WMF Image File Remote Code Execution Vulnerability
Successfully exploiting this issue would allow an attacker to corrupt memory and execute arbitrary code in the context of the currently logged-in user.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: HP OpenView Network Node Manager ‘ovalarmsrv.exe’ Remote Code Execution Vulnerability
Successfully exploiting this issue allows an attacker to execute arbitrary code with the privileges of the user running the affected application.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Multiple Mini-stream Software Products ‘.ram’ File Remote Stack Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of an affected application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: MPFR Library ‘printf.c’ Multiple Buffer Overflow Vulnerabilities
An attacker can exploit these issues to execute arbitrary code in the context of applications using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: libmodplug ‘load_pat.c’ Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: libmodplug ‘s3m’ Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Grabit ‘NZB’ File Remote Stack Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: BaoFeng Storm ActiveX Control ‘SetAttributeValue()’ Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: BaoFeng Storm ActiveX Control ‘OnBeforeVideoDownload()’ Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Aladdin eSafe Unspecified Archive File Scan Evasion Vulnerability
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: acpid Local Denial of Service Vulnerability
Successful exploits will allow attackers to make the daemon unresponsive, resulting in denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Memcached and MemcacheDB ASLR Information Disclosure Weakness
Attackers can exploit this weakness to gain access to sensitive information such as stack, heap, and shared-library memory locations. Information obtained may aid in other attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘exit_notify()’ CAP_KILL Verification Local Privilege Escalation Vulnerability
A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘locks_remove_flock()’ Local Race Condition Vulnerability
A local attacker may exploit this issue to crash the computer or gain elevated privileges.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘ecryptfs_write_metadata_to_
Successful exploits will allow attackers to view portions of kernel memory. Information harvested may be used in further attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel Audit System ‘audit_syscall_entry()’ System Call Security Bypass Vulnerability
A local attacker may be able to exploit this issue to bypass audit mechanisms imposed on system calls. This may allow malicious behavior to escape notice.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘NFS filename’ Local Denial of Service Vulnerability
Attackers can exploit this issue to trigger a kernel oops, resulting in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘sock.c’ SO_BSDCOMPAT Option Information Disclosure Vulnerability
Successful exploits will allow attackers to view portions of kernel memory. Information harvested may be used in further attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘dell_rbu’ Local Denial of Service Vulnerabilities
A local unprivileged attacker can exploit these issues to cause a vulnerable system to crash, resulting in denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel Cloned Process ‘CLONE_PARENT’ Local Origin Validation Weakness
A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘keyctl_join_session_keyring()
Attackers can exploit this issue to cause a crash by exhausting memory resources.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘parisc_show_stack()’ Local Denial of Service Vulnerability
Local attackers can exploit this issue to crash the affected computer, denying service to legitimate users.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel Frame Size Integer Overflow Remote Information Disclosure Vulnerability
Remote attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘FWD-TSN’ Chunk Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘ib700wdt.c’ Buffer Underflow Vulnerability
A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges or crash the affected computer, denying service to legitimate users.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘/ipc/shm.c’ Local Denial of Service Vulnerability
Attackers can exploit this issue to cause the Linux kernel to lock up, resulting in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel MIPS Untrusted User Application Local Denial of Service Vulnerability
Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel CIFS Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel 64 Bit ABI System Call Parameter Privilege Escalation Vulnerability
A local attacker may be able to exploit this issue to read or write to unintended address spaces. This may result in denial-of-service conditions, the disclosure of sensitive information, or privilege escalation.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘drivers/char/agp/generic.c’ Local Information Disclosure Vulnerability
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Linux Kernel ‘qdisc_run()’ Local Denial of Service Vulnerability
Local attackers can exploit this issue to cause a soft lockup, denying service to legitimate users.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: razorCMS ‘Create New Page’ Form HTML Injection Vulnerability
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: ldns ‘rr.c’ Remote Buffer Overflow Vulnerability
An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in denial-of-service conditions.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Kayako SupportSuite Ticket Notes HTML Injection Vulnerability
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: FreePBX Multiple Cross Site Scripting and Information Disclosure Vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The attacker may also exploit these issues to obtain sensitive information.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2009 -14 through -22 Multiple Remote Vulnerabilities
Attackers can exploit these issues to bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elevated privileges; other attacks are also possible.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Verlihub Control Panel Multiple Cross-Site Scripting Vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: 32bit FTP ‘CWD’ Response Remote Buffer Overflow Vulnerability
An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: Claroline ‘claroline/linker/notfound.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.securityfocus.com/
May 08, 2009
2009-05-08: URUWorks ViPlay3 ‘.vpl’ File Remote Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 07, 2009
2009-05-07: ST-Gallery ‘example.php’ Multiple SQL Injection Vulnerabilities
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 07, 2009
2009-05-07: JobScript ‘changepassword.php’ Remote Password Change Vulnerability
Exploiting this issue may allow the attacker to gain unauthorized access to the affected application. Successful exploits will completely compromise victims’ accounts.
http://www.securityfocus.com/
May 07, 2009
2009-05-07: Simple Customer ‘profile.php’ Remote Password Change Vulnerability
Exploiting this issue may allow the attacker to gain unauthorized access to the affected application. Successful exploits will completely compromise victims’ accounts.
http://www.securityfocus.com/
May 07, 2009
2009-05-07: VideoScript.us YouTube Video Script ‘admin/index.php’ Multiple SQL Injection Vulnerabilities
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 07, 2009
2009-05-07: Microsoft May 2009 Advance Notification Multiple Vulnerabilities
Successfully exploiting these issues may allow remote or local attackers to compromise affected computers.
http://www.securityfocus.com/
May 07, 2009
2009-05-07: Garmin Communicator Plugin ‘npGarmin.dll’ Security Bypass Vulnerability
Attackers may exploit the issue to bypass certain security restrictions and perform unauthorized actions.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Cscope ‘find.c’ Stack Based Buffer Overflow Vulnerability
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: SilverStripe ‘AjaxUniqueTextField’ Parameter SQL Injection Vulnerability
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: ReVou ‘adminlogin/password.php’ Remote Password Change Vulnerability
Exploiting this issue may allow the attacker to gain unauthorized access to the affected application. Successful exploits will completely compromise victims’ accounts.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Multiple F-Secure Products RAR/ZIP Files Scan Evasion Vulnerability
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: FunGamez Local File Include and SQL Injection Vulnerabilities
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process. Information harvested may aid in further attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Flatchat ‘pmscript.php’ Local File Include Vulnerability
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Sun Solaris DTrace Handler IOCTL Request Multiple Local Denial of Service Vulnerabilities
An attacker can exploit these issues to cause a system panic, denying service to legitimate users. Very few technical details are currently available. We will update this BID as more information emerges.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Coccinelle Insecure Temporary File Creation Vulnerability
An attacker with local access could potentially exploit this issue to perform symbolic link attacks to overwrite arbitrary attacker-specified files.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: SMA-DB Cross Site Scripting and Remote File Include Vulnerabilities
An attacker can exploit these issues to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Attackers may also execute script code in an unsuspecting user’s browser or steal cookie-based authentication credentials; other attacks are also possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Sun Solaris ip(7P) Kernel Module Minor Number Allocation Local Denial Of Service Vulnerability
Local attackers may exploit this issue to exhaust certain system resources, denying service to legitimate users.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Drupal HTML Injection and Information Disclosure Vulnerabilities
An attacker may leverage these issues to obtain potentially sensitive information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: CUPS and Xpdf JBIG2 Symbol Dictionary Processing Heap Buffer Overflow Vulnerability
Exploiting this issue may allow remote attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: CUPS Insufficient ‘Host’ Header Validation Weakness
An attacker can use this weakness to carry out certain attacks such as DNS rebinding against the vulnerable server.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: SunGard Banner Student ‘twbkwbis.P_SecurityQuestion’ HTML Injection Vulnerability
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: MIT Kerberos ‘asn1_decode_generaltime()’ Uninitialized Pointer Memory Corruption Vulnerability
Successful exploits may allow remote attackers to crash Kerberos servers, including the ‘kadmind’ administration daemon. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level or superuser privileges, but this has not been confirmed.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Google Chrome ‘chromehtml:’ Protocol Handler Same Origin Policy Bypass Vulnerability
Google Chrome is prone to a vulnerability that allows attackers to bypass the same-origin policy and obtain sensitive information, including the existence of local files and authentication credentials for web applications. Other attacks are also possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Nucleus Kernel Recovery for Mac and Novell Multiple Buffer Overflow Vulnerabilities
Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: VerliAdmin ‘index.php’ Multiple Cross-Site Scripting Vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: LinkBase Users Menu HTML Injection Vulnerability
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Cisco Subscriber Edge Services Manager Cross Site Scripting And HTML Injection Vulnerabilities
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Almond Classifieds for Joomla! ‘id’ Parameter SQL Injection Vulnerability
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: TemaTres SQL Injection and Cross Site Scripting Vulnerabilities
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Xpdf JBIG2 Processing Multiple Security Vulnerabilities
Exploiting these issues may allow remote attackers to execute arbitrary code in the context of an affected application. Failed exploit attempts will likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: CUPS ‘_cupsImageReadTIFF()’ Integer Overflow Vulnerability
Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts likely cause denial-of-service conditions.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: xvfb-run Insecure Magic Cookie Local Information Disclosure Vulnerability
Exploiting this issue may allow a local attacker to obtain sensitive information that may lead to further attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Woodstock 404 Error Page Cross Site Scripting Vulnerability
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: 32bit FTP ‘banner’ Remote Buffer Overflow Vulnerability
An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: GlassFish Enterprise Server Multiple Cross Site Scripting Vulnerabilities
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: IceWarp Merak Mail Server ‘item.php’ Cross-Site Scripting Vulnerability
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: IceWarp Merak Mail Server ‘Forgot Password’ Input Validation Vulnerability
Attackers can exploit this issue via social-engineering techniques to obtain valid users’ login credentials; other attacks may also be possible.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: IceWarp Merak Mail Server ‘cleanHTML()’ Function Cross-Site Scripting Vulnerability
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: IceWarp Merak Mail Server Groupware Component Multiple SQL Injection Vulnerabilities
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Mitel NuPoint Messenger Authentication Credentials Information Disclosure Vulnerability
Exploiting this issue can allow a remote attacker to harvest sensitive information that can aid in further attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: MoinMoin ‘AttachFile.py’ Multiple Cross Site Scripting Vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Nagios External Commands and Adaptive Commands Unspecified Vulnerability
Very little information is known about this issue. We will update this BID as soon as more information becomes available.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Nagios Web Interface Privilege Escalation Vulnerability
An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Adobe Flash Player Unspecified Remote Denial of Service Vulnerability
Exploiting this issue allows remote attackers to crash the application and possibly to execute code, but this has not been confirmed.
http://www.securityfocus.com/
May 06, 2009
2009-05-06: Adobe Flash Player Invalid Object Reference Remote Code Execution Vulnerability
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.
http://www.securityfocus.com/
******************************
This service is provided by SecurityMetrics, Inc.
Chyby byly, jsou a budou, tomu se nevyhnete. Ale:
1) Pokud tomu nerozumíte, proč si to necháváte posílat?
2) Mícháte dost nesouvisející produkty – co jsem zběžně nakouknul, tak třeba .NET framework, Firefox,
ActiveX, HP-UX, screen, Linux, PHP, nějaké CMS, Flash, Glassfish,
nějaký modul do jádra Solarisu – to nepředpokládám, že se o tohle
všechno staráte/používáte najednou, tak nevím, proč by vás to všechno mělo trápit. A admin se najednou o nějaké ActiveX a HP-UX taky
starat nebude.
3) "Kdyz si predstavim velkou firmu, ve ktere lide pouzivaji stovky
ruznych softwaru a systemu, tak to musi byt docela napor to vse
uhlidat." – od toho má operační systém nějakou dobu podpory a
bezpečnostních aktualizací. Rozumné operační systémy mi zajistí
patchování téměr všech aplikací tím co za mě opraví distributor, takže
na mně toho zbyde minimum. Pokud nemáte rozumný operační systém, váš
problém.
4) "Porad nejake virusy." Virusy … auuuu, ten češtin! 🙂
5) "Clovek si uz ani nemuze v klidu pripojit na FTP" člověk se nemohl
v klidu na FTP připojit nikdy, protože se jedná nezabezpečený protokol. Pokud nevíte takovéhle základní věci a používáte FTP na citlivá data, pak vám žádný security bulletin nepomůže.
6) "nebo si vymyslet jednoduse zapamatovatelne heslo" jednoduše
zapamatovatelné heslo si vymyslet může. Jednoduše zapamatovatelné !=
snadno prolomitelné. Navíc odolnost hesla proti prolomení s těma zranitelnostma které uvádíte souvisí jak?
No ja si to nenechavam posilat. Zacli me to posilat sami.
Jinak fakt jsem do nedavna netusil ze FTP je nebezpecny protokol a v klidu jsem jej poslednich 10-15 let pouzival.
FTP nie je nebezpecny protokol ale nezabezpeceny protokol. Data ktore idu cez FTP spojenie su v plain texte a nie su teda sifrovane. To znamena ze v tom najjednoduchsom pripade ak niekto ma zaujem zistit vase heslo a sedi na rovnakej sieti (kaviaren, skola..) tak je to jednoduche.
FTP by bolo na mieste nechat umriet a pouzivat nahrady ako je napr. SCP.
Vas webhoster by hol mal podporovat ak teda za nieco stoji.
J.
Korekcia: v pripade ze utocnik sedi na rovnakej sieti je jednoduche toto heslo zachytit (pomocou volne stiahnutelnych nastrojov).
Usla mi cast vety pri pisani. pardon 😉
Johne, kolega psal, ze FTP je nezabezpeceny protokol, coz neni totez jako nebezpecny.
A chtel tim zrejme rict, ze bys mel radeji pouzivat sifrovany SFTP (Secure FTP).
O top FTPéčku jsem měl taky jiné přesvědčení…
FTP je sice z principu nezabezpeceny protokol, ktery posila hesla jen tak po siti(daji se snadno odchytit). Na druhou stranu je fakt, ze minimalne 99% utoku nevyuziva toho ze ftp je nezabezpeceny protokol, ale hesla krade primo s klientskych PC(a proti tomu sifrovani po ceste nepomuze).
Odchyceni hesla po ceste sice nevyzaduje zadne specialni znalosti, problem je ze pokud nemate pristup na nejaky router pres ktery jde dostatecne mnozstvi dat(hranicni router u ISP…), je odchytavani docela neefektivni.
Kdysi jsem si přihlásil něco obdobného, ale omezené jen na mnou používané technologie (měl jsem to v náplni práce). Bral jsem to jako takový další level v porovnání s běžnou aktualizací distribuce. Např. tam bylo info o chybě v kernelu, a jak jí lze neutralizovat, než vyjde aktualizace v rámci distribuce.
Ale proč by to měl odebírat manager, navíc nefiltrovaně? Nevidím žádný důvod. Leda pro odesílatele, který si tak zvyšuje šance mu prodat nějaký předražený nesmysl.
"FTP je nebezpecny protokol" – ne, neni nebezpecny, ale nezabezpeceny, to je trochu rozdil 🙂
Tzn. podobne jako ostatni sluzby a protokoly, navrzene v letech 1970-1990 zkratka posilaji login a heslo v plaintextu a to je cele.
V dnesni dobe existuje (a kazdy rozumny hosting, nekdy i free hosting, ma povolene) SFTP a tedy nevidim vetsi problem…
Snazsi, nez odchytit plaintext heslo (lovec musi sedet mezi vasim kompem a serverem, coz na ADSL pripojce dost dobre nejde, pokud se nehackne do vaseho kompu nebo routeru nekde mezi), je vyndat heslo z pocitace, kde je ulozene v nejakem obskurnim scamblovani, typicky z Total Commander apod. Na to byl ted jeden trojan.
Takze ja bych se bal u beznych vefi plain-hesla jen pokud bych se pripojoval z wifi anebo komunitnich siti, ne od komercniho prowidera…
Co se tyka autoupdateu, to je kapitola sama pro sebe… Nic neni 100%nti
za "100%nti" a podobne paslataniny bych vesel do pruvanu.
Nejsem zadny hnidopich ani pravopisna policie, sam delam chyb dost, ale na neco takoveho se uz proste reagovat musi.
Tohle mi vždycky připadalo zvláštní.
Řekněme, že je firma, jejíž podnikání závisí na 10 dodávkách, které rozváží zboží. Bude vedení firmy osobně kontrolovat, jestli mají v pořádku brzdy, opravovat startér, když se rozbije, nebo zjišťovat, jaké těsnění se má dát do motoru? Ne, někoho si na to najmou, nebo mají přímo člověka, mechanika, který se o ty auta bude starat.
Ale když v tom textu auto nahradíme počítačem, tak řada, hlavně menších firem, si myslí, že to není potřeba a že si to nějak zařídí sami. Přitom v řadě případů je jejich podnikání na těch počítačích plně závislé a počítač je mnohem složitější než auto a to hlavně po softwarové stránce.
Jak to Johne tenkrát dopadlo s tím tvým hacknutým gmailem? Už máš pokoj? Zjistils nějaké informace o tom, jak se k tobě dostali?
k tomu gmailu:
casto sa objavuje scenar ze pouzivatel ma starsiu verziu prehliadaca (firefox dostal palbu posledne) a pride na stranku kde je chyba vo webovej aplikacii (napriklad XSS). Cez toto XSS sa pokusi utocnik napadnut prehliadac (nacita exploit pomocou javascriptu) a zoberie si napriklad ulozene hesla. Prehliadac vacsinou bezi pod pouzivatelom a nie v sandboxe a tym ma vsetky prava ktore ma pouzivatel (vratane citania jeho suborov).
Toto je imho najpravdepodobnejsi scenar. Webov s XSS su kvanta a diery v prehliadacoch sa objavuju co den.
Ono to je aktuálnější a aktuálnější téma. Nemám rád zabezpečovací paranoiky ze školy 🙂 ale taky sedlám na aspon základní bezpečnostní principy, v pátek mi byl hijacknut ICQ account 😀 tak jsem si ho hijackl zpátky a radši změnil heslo (ze starého 123456 :D; uznávám, že to byla moje chyba )
Ale viděl jsem stovky webů napadených přes TC v posledních 2 měsících..