Section: .. / 0807-advisories /
| /// File Name: |
07.08.08-1.txt |
Description:
|
iDefense Security Advisory 07.08.08 - Remote exploitation of an integer underflow vulnerability within Microsoft Corp.'s SQL Server could allow a remote attacker to execute arbitrary code with the privileges of the SQL Server. The vulnerability exists within the code responsible for parsing a stored backup file. A 32-bit integer value, representing the size of a record, is taken from the file and used to calculate the number of bytes to read into a heap buffer. This calculation can underflow, which leads to insufficient memory being allocated. The buffer is subsequently overfilled leading to an exploitable condition. iDefense confirmed the existence of this vulnerability in Microsoft SQL Server 2005 Service Pack 2 Hot Fix 4. Additional tests against SQL Server 2005 without any updates suggest it is also vulnerable. Previous versions are also suspected to be vulnerable.
| | Author: | Brett Moore | | Homepage: | http://www.idefense.com/ | | File Size: | 3784 | | Related CVE(s): | CVE-2008-0107, CVE-2008-0106, CVE-2008-0086 | | Last Modified: | Jul 10 03:13:55 2008 |
| MD5 Checksum: | 8b9cc4e45c191c51974cb00c251a4d03 |
|
| /// File Name: |
07.09.08-1.txt |
Description:
|
iDefense Security Advisory 07.09.08 - Remote exploitation of a heap buffer overflow vulnerability in Novell Inc.'s eDirectory could allow an attacker to execute arbitrary code with the privileges of the affected service. The vulnerability exists due to an incorrect calculation when allocating a heap buffer to store the search parameters. By passing NULL search parameters, it is possible to overflow a heap based buffer with the string "(null)". This can result in the corruption of heap management structures, and depending on the layout of the heap, possibly function pointers. iDefense has confirmed the existence of this vulnerability in eDirectory version 8.8 SP2 for Linux. Other versions may also be affected.
| | Homepage: | http://www.idefense.com/ | | File Size: | 3583 | | Related CVE(s): | CVE-2008-1809 | | Last Modified: | Jul 10 18:52:18 2008 |
| MD5 Checksum: | 394dfb4afcb412feb3f9e7d2d0495f4e |
|
| /// File Name: |
07.15.08-1.txt |
Description:
|
iDefense Security Advisory 07.15.08 - Remote exploitation of a pre-authentication input validation vulnerability in Oracle Corp.'s Oracle Internet Directory allows an attacker to conduct a denial of service attack on a vulnerable host. Internet Directory consists of two processes. One process acts as a listener. It handles incoming connections and passes them off to the second process. The second process, which handles requests, contains the vulnerability. When processing a malformed LDAP request, it is possible to cause the handler to dereference a NULL pointer. This results in the process crashing. Future connection requests will be accepted by the listener process, and then immediately closed when it finds that there is no handler process running. iDefense confirmed the existence of this vulnerability in Oracle Internet Directory for Windows version 10.1.4.0.1 with the April 2007 CPU installed. Previous versions may also be affected.
| | Author: | Joxean Koret | | Homepage: | http://www.idefense.com/ | | File Size: | 3843 | | Related CVE(s): | CVE-2008-2595 | | Last Modified: | Jul 15 20:20:55 2008 |
| MD5 Checksum: | e8fd9c9196beac5c66e3d1a2dbceb960 |
|
| /// File Name: |
07.15.08-2.txt |
Description:
|
iDefense Security Advisory 07.15.08 - Remote exploitation of a buffer overflow vulnerability in the DBMS_AQELM package in Oracle Corp.'s Oracle Database product allows attackers to execute arbitrary code with the privileges of the database user. This vulnerability exists due to improper input validation when handling a parameter passed to a procedure within the DBMS_AQELM package. Since the parameter is not properly validated, providing a long string can cause a buffer overflow to occur. This results in corruption of the database and could allow for the execution of arbitrary code as the database user. iDefense confirmed the existence of this vulnerability in Oracle Database version 10.2.0.3 and 11.1.0.6 with the October 2007 CPU applied. Previous versions may also be affected.
| | Author: | Joxean Koret | | Homepage: | http://www.idefense.com/ | | File Size: | 3635 | | Related CVE(s): | CVE-2008-2607 | | Last Modified: | Jul 15 20:22:23 2008 |
| MD5 Checksum: | ce82ad21bbe158ccfb4fd2c80da488bc |
|
| /// File Name: |
07.15.08-3.txt |
Description:
|
iDefense Security Advisory 07.15.08 - Local exploitation of an untrusted library path vulnerability in Oracle Corp.'s Oracle Database product allows attackers to gain elevated privileges. This vulnerability specifically exists in a set-uid root program distributed with Oracle Database for Linux and Unix platforms. By replacing a module owned by the oracle user, which is loaded by this program, an attacker can execute arbitrary code as root. iDefense confirmed the existence of this vulnerability in Oracle 11g R1 version 11.1.0.6.0 on 32-bit Linux platform. Previous versions may also be affected.
| | Author: | Joxean Koret | | Homepage: | http://www.idefense.com/ | | File Size: | 3311 | | Related CVE(s): | CVE-2008-2613 | | Last Modified: | Jul 15 20:23:19 2008 |
| MD5 Checksum: | e8ee1e493dada84f07feb39294a4a5f6 |
|
| /// File Name: |
07.28.08-1.txt |
Description:
|
iDefense Security Advisory 07.28.08 - Remote exploitation of a denial of service vulnerability in Hewlett-Packard's Internet Services Probe Builder product allows an unauthenticated attacker the ability to terminate any process. The Probe Builder Service, PBOVISServer.exe, listens by default on TCP port 32968. This process has a specific opcode that allows a remote unauthenticated user to terminate any process on the system by supplying a process ID number. iDefense has confirmed this vulnerability in HP's Internet Services Probe Builder 2.2 for Windows with all updates applied.
| | Homepage: | http://www.idefense.com/ | | File Size: | 3399 | | Related CVE(s): | CVE-2008-1667 | | Last Modified: | Jul 28 21:01:45 2008 |
| MD5 Checksum: | e1f231d11f934f575cca5ec80537f348 |
|
| /// File Name: |
07.30.08-1.txt |
Description:
|
iDefense Security Advisory 07.30.08 - Local exploitation of an untrusted path vulnerability in the "dbmsrv" program, as distributed with SAP AG's MaxDB, allow attackers to elevate privileges to that of the "sdb" user. When a local user runs the "dbmcli" program, the MaxDB executes a "dbmsrv" process on the user's behalf. The "dbmsrv" process, which is responsible for executing user commands, runs as the user "sdb" with group "sdba". This vulnerability exists due to improper sanitization of the "PATH" environment variable. By prefixing the "PATH" environment variable with a path under the attacker control, one is able to execute arbitrary code iDefense has confirmed the existence of this vulnerability in SAP MaxDB version 7.6.03.15 on Linux. Other versions may also be vulnerable. with "sdb:sdba" privileges.
| | Homepage: | http://www.idefense.com/ | | File Size: | 3377 | | Related CVE(s): | CVE-2008-1810 | | Last Modified: | Jul 31 18:25:13 2008 |
| MD5 Checksum: | d187db4d824398f4405de6519303b02f |
|
| /// File Name: |
Advisory-DWR.pdf |
Description:
|
Direct Web Rendering (DWR) version 2.0.1 suffers from a cross site scripting vulnerability.
| | Author: | Peter Osterberg | | Homepage: | http://www.fortconsult.net/ | | File Size: | 194548 | | Related CVE(s): | CVE-2008-2740 | | Last Modified: | Jul 10 00:24:48 2008 |
| MD5 Checksum: | 377d17490f5fdf8a4323108cbce18fa9 |
|
| /// File Name: |
afstatuslogxss-08_004.txt |
Description:
|
Affinium Campaign version 7.2.1.0.55 suffers from a log related cross site scripting vulnerability.
| | Author: | Tim Brown | | Homepage: | http://www.portcullis-security.com/ | | File Size: | 4612 | | Last Modified: | Jul 30 23:44:53 2008 |
| MD5 Checksum: | a6846d1eedb931298117ea2e910ddef3 |
|
| /// File Name: |
aftemplatesxss-08_003.txt |
Description:
|
Affinium Campaign version 7.2.1.0.55 suffers from a javascript injection vulnerability in the templates web page.
| | Author: | Tim Brown | | Homepage: | http://www.portcullis-security.com/ | | File Size: | 2980 | | Last Modified: | Jul 30 23:45:53 2008 |
| MD5 Checksum: | cfdee28ecdff8ffe90e63ceef77086a7 |
|
| /// File Name: |
assurent-caarcserve.txt |
Description:
|
There exists a buffer overflow vulnerability in the way CA ARCserve Backup for Laptops and Desktops handles incoming messages. The vulnerability is due to an integer underflow in the LGServer service. Affected includes CA ARCserve Backup for Laptops and Desktops version r11.0 through r11.5, CA Desktop Management Suite version 11.1 through 11.2, and CA Protection Suites versions r2, 3.0, and 3.1.
| | Homepage: | http://www.assurent.com/ | | File Size: | 2977 | | Related CVE(s): | CVE-2008-3175 | | Last Modified: | Jul 31 18:22:36 2008 |
| MD5 Checksum: | f4eb71f630c2db5a88849787cf146e08 |
|
| /// File Name: |
AST-2008-010.txt |
Description:
|
Asterisk Project Security Advisory - By flooding an Asterisk server with IAX2 'POKE' requests, an attacker may eat up all call numbers associated with the IAX2 protocol on an Asterisk server and prevent other IAX2 calls from getting through. Due to the nature of the protocol, IAX2 POKE calls will expect an ACK packet in response to the PONG packet sent in response to the POKE. While waiting for this ACK packet, this dialog consumes an IAX2 call number, as the ACK packet must contain the same call number as was allocated and sent in the PONG.
| | Author: | Jeremy McNamara | | Homepage: | http://www.asterisk.org/security | | File Size: | 10633 | | Related CVE(s): | CVE-2008-3263 | | Last Modified: | Jul 23 19:41:47 2008 |
| MD5 Checksum: | c3e6feb71c399d84d8dc74877ffc992c |
|
| /// File Name: |
AST-2008-011.txt |
Description:
|
Asterisk Project Security Advisory - An attacker may request an Asterisk server to send part of a firmware image. However, as this firmware download protocol does not initiate a handshake, the source address may be spoofed. Therefore, an IAX2 FWDOWNL request for a firmware file may consume as little as 40 bytes, yet produces a 1040 byte response. Coupled with multiple geographically diverse Asterisk servers, an attacker may flood an victim site with unwanted firmware packets.
| | Author: | Tilghman Lesher | | Homepage: | http://www.asterisk.org/security | | File Size: | 10634 | | Related CVE(s): | CVE-2008-3264 | | Last Modified: | Jul 23 19:43:03 2008 |
| MD5 Checksum: | 2185fd4b6b919de751e6fe7c8aab32a1 |
|
| /// File Name: |
cisco-sa-20080708-dns.txt |
Description:
|
Cisco Security Advisory - Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
| | Homepage: | http://www.cisco.com/ | | File Size: | 70464 | | Related CVE(s): | CVE-2008-1447 | | Last Modified: | Jul 10 02:26:35 2008 |
| MD5 Checksum: | cb637e8f1582226fc0c36ad581d49c46 |
|
| /// File Name: |
citrix-escalate.txt |
Description:
|
The icabar.exe file which is designed to startup the Citrix MetaFrame administration toolbar allows an attacker to escalate privileges in Windows 2000 and below in the default configuration and in Windows 2003 in some special circumstances.
| | Author: | Wendel Guglielmetti Henrique | | Homepage: | http://www.intruders.com.br/ | | File Size: | 6420 | | Last Modified: | Jul 30 23:05:52 2008 |
| MD5 Checksum: | ef81b53ce66ce55562cabce992bfbde2 |
|
| /// File Name: |
CS-2008-2.txt |
Description:
|
SocialEngine versions below 2.83 suffer from an input validation vulnerability that allows for client take over.
| | Author: | Tim Loshak | | File Size: | 1341 | | Last Modified: | Jul 23 19:16:38 2008 |
| MD5 Checksum: | cd06e8756e37818b845ccfa76907f968 |
|
| /// File Name: |
dsa-1540-3.txt |
Description:
|
Debian Security Advisory 1540-3 - This update fixes a regression in lighttpd introduced in DSA-1540, causing SSL failures.
| | Homepage: | http://www.debian.org/security | | File Size: | 14614 | | Related CVE(s): | CVE-2008-1531 | | Last Modified: | Jul 23 19:48:43 2008 |
| MD5 Checksum: | cccf48a06495b899a26c83ab12130eb3 |
|
| /// File Name: |
dsa-1544-2.txt |
Description:
|
Debian Security Advisory 1544-2 - Thomas Biege discovered that the upstream fix for the weak random number randomization did still not use difficult-to-predict random numbers. This is corrected in this security update.
| | Homepage: | http://www.debian.org/security | | File Size: | 5057 | | Related CVE(s): | CVE-2008-1637 | | Last Modified: | Jul 16 15:45:43 2008 |
| MD5 Checksum: | 82e55904d542f28198d9499d43db9a50 |
|
| /// File Name: |
dsa-1569-3.txt |
Description:
|
Debian Security Advisory 1569-3 - Since the previous security update, the cacti package could no longer be rebuilt from the source package. This update corrects that problem. Note that this problem does not affect regular use of the provided binary packages (.deb).
| | Homepage: | http://www.debian.org/security | | File Size: | 3425 | | Related CVE(s): | CVE-2008-0783, CVE-2008-0785 | | Last Modified: | Jul 15 20:02:17 2008 |
| MD5 Checksum: | 17dce37d3f17988c79c9c5f1d1a8a226 |
|
| /// File Name: |
dsa-1600-1.txt |
Description:
|
Debian Security Advisory 1600-1 - It was discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages.
| | Homepage: | http://www.debian.org/security | | File Size: | 4408 | | Related CVE(s): | CVE-2008-1648 | | Last Modified: | Jul 9 20:07:34 2008 |
| MD5 Checksum: | 3444d8e2715f032aebd7f53583395d08 |
|
| /// File Name: |
dsa-1601-1.txt |
Description:
|
Debian Security Advisory 1601-1 - Several remote vulnerabilities have been discovered in Wordpress, the weblog manager. WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information. The XML-RPC implementation, when registration is enabled, allows remote attackers to edit posts of other blog users.
| | Homepage: | http://www.debian.org/security | | File Size: | 3426 | | Related CVE(s): | CVE-2007-1599, CVE-2008-0664 | | Last Modified: | Jul 9 21:48:18 2008 |
| MD5 Checksum: | 520c976f621764641612c3d459289c62 |
|
| /// File Name: |
dsa-1602-1.txt |
Description:
|
Debian Security Advisory 1602-1 - Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular Expression library, may encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading to arbitrary code execution.
| | Homepage: | http://www.debian.org/security | | File Size: | 9947 | | Related CVE(s): | CVE-2008-2371 | | Last Modified: | Jul 10 00:52:30 2008 |
| MD5 Checksum: | 2910b17782ff11e4d41b819e101b0c08 |
|
| /// File Name: |
dsa-1603-1.txt |
Description:
|
Debian Security Advisory 1603-1 - Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
| | Homepage: | http://www.debian.org/security | | File Size: | 25029 | | Related CVE(s): | CVE-2008-1447 | | Last Modified: | Jul 10 02:16:23 2008 |
| MD5 Checksum: | 97eb7a844baa184fbb006f4c445c6ac4 |
|
| /// File Name: |
dsa-1604-1.txt |
Description:
|
Debian Security Advisory 1604-1 - Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
| | Homepage: | http://www.debian.org/security | | File Size: | 2554 | | Related CVE(s): | CVE-2008-1447 | | Last Modified: | Jul 10 02:23:57 2008 |
| MD5 Checksum: | 45361bf0c543432f0fd3cc3fbcd57d68 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
