Packet Storm - Information Security News, Files, Tools, Exploits, Advisories and Whitepapers http://packetstormsecurity.org/ en-us Thu, 17 May 2012 05:15:59 GMT 144400 http://packetstormsecurity.org/ http://www.google-analytics.com/__utm.gif?utmwv=1.3&utmn=2217059977&utmcs=ISO-8859-1&utmsr=31337x31337&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmcn=1&utmdt=Files%u2248%20Packet%20Storm&utmhn=packetstormsecurity.org&utmr=-&utmp=%2Ffiles%2F&utmac=UA-18885198-1&utmcc=__utma%3D32867617.2217059977.1337231759.1337231759.1337231759.1%3B%2B__utmz%3D32867617.1337231759.1.1.utmccn%3D(direct)%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none) http://packetstormsecurity.org/files/112806/ZSL-2012-5091.txt http://packetstormsecurity.org/files/112806/ZSL-2012-5091.txt http://packetstormsecurity.org/files/112806/Artiphp-CMS-5.5.0-Database-Backup-Disclosure.html Thu, 17 May 2012 00:19:18 GMT Artiphp CMS version 5.5.0 suffers from a database backup disclosure vulnerability. http://packetstormsecurity.org/files/112804/ZSL-2012-5090.txt http://packetstormsecurity.org/files/112804/ZSL-2012-5090.txt http://packetstormsecurity.org/files/112804/Artiphp-CMS-5.5.0-Cross-Site-Scripting.html Thu, 17 May 2012 00:17:58 GMT Artiphp CMS version 5.5.0 suffers from multiple POST cross site scripting vulnerabilities. http://packetstormsecurity.org/files/112803/CVE-2012-2334.txt http://packetstormsecurity.org/files/112803/CVE-2012-2334.txt http://packetstormsecurity.org/files/112803/OpenOffice.org-3.3.0-Powerpoint-Denial-Of-Service.html Thu, 17 May 2012 00:16:10 GMT A review of the code in filter/source/msfilter msdffimp.cxx in OpenOffice.org versions 3.3 and 3.4 Beta revealed some unchecked memory allocations, which could be exploited via malformed Powerpoint graphics records ("escher") to cause bad_alloc exceptions. From this vulnerability a denial of service attack is possible. http://packetstormsecurity.org/files/112802/DRUPAL-SA-CONTRIB-2012-082.txt http://packetstormsecurity.org/files/112802/DRUPAL-SA-CONTRIB-2012-082.txt http://packetstormsecurity.org/files/112802/Drupal-Zen-6.x-Cross-Site-Scripting.html Thu, 17 May 2012 00:15:08 GMT Drupal Zen third party module version 6.x suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/files/112801/ZSL-2012-5089.txt http://packetstormsecurity.org/files/112801/ZSL-2012-5089.txt http://packetstormsecurity.org/files/112801/SiliSoftware-backupDB-1.2.7a-Cross-Site-Scripting.html Thu, 17 May 2012 00:10:11 GMT SiliSoftware backupDB() version 1.2.7a suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/files/112800/CVE-2012-2149.txt http://packetstormsecurity.org/files/112800/CVE-2012-2149.txt http://packetstormsecurity.org/files/112800/OpenOffice.org-Memory-Overwrite.html Wed, 16 May 2012 23:54:12 GMT OpenOffice.org versions 3.3 and 3.4 Beta suffer from a memory overwrite vulnerability. http://packetstormsecurity.org/files/112799/dsa-2473-1.txt http://packetstormsecurity.org/files/112799/dsa-2473-1.txt http://packetstormsecurity.org/files/112799/Debian-Security-Advisory-2473-1.html Wed, 16 May 2012 23:53:38 GMT Debian Linux Security Advisory 2473-1 - Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution. http://packetstormsecurity.org/files/112797/ZSL-2012-5088.txt http://packetstormsecurity.org/files/112797/ZSL-2012-5088.txt http://packetstormsecurity.org/files/112797/SiliSoftware-phpThumb-1.7.11-Cross-Site-Scripting.html Wed, 16 May 2012 23:42:52 GMT SiliSoftware phpThumb() version 1.7.11 suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/files/112796/flashpeak-dos.txt http://packetstormsecurity.org/files/112796/flashpeak-dos.txt http://packetstormsecurity.org/files/112796/FlashPeak-SlimBrowser-6.0.1.38-Denial-Of-Service.html Wed, 16 May 2012 23:41:14 GMT FlashPeak SlimBrowser version 6.0.1.38 suffers from a denial of service vulnerability. http://packetstormsecurity.org/files/112795/DRUPAL-SA-CONTRIB-2012-081.txt http://packetstormsecurity.org/files/112795/DRUPAL-SA-CONTRIB-2012-081.txt http://packetstormsecurity.org/files/112795/Drupal-Aberdeen-6.x-Cross-Site-Scripting.html Wed, 16 May 2012 23:37:19 GMT Drupal Aberdeen third party module version 6.x suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/files/112794/DRUPAL-SA-CONTRIB-2012-080.txt http://packetstormsecurity.org/files/112794/DRUPAL-SA-CONTRIB-2012-080.txt http://packetstormsecurity.org/files/112794/Drupal-Hostmaster-6.x-Cross-Site-Scripting-Access-Bypass.html Wed, 16 May 2012 23:32:53 GMT Drupal Hostmaster third party module version 6.x suffers from access bypass and cross site scripting vulnerabilities. http://packetstormsecurity.org/files/112793/DRUPAL-SA-CONTRIB-2012-079.txt http://packetstormsecurity.org/files/112793/DRUPAL-SA-CONTRIB-2012-079.txt http://packetstormsecurity.org/files/112793/Drupal-Post-Affiliate-Pro-6.x-Cross-Site-Scripting-Access-Bypass.html Wed, 16 May 2012 23:30:19 GMT Drupal Post Affiliate Pro third party module version 6.x suffers from access bypass and cross site scripting vulnerabilities. http://packetstormsecurity.org/files/112792/CVE-2012-1149.txt http://packetstormsecurity.org/files/112792/CVE-2012-1149.txt http://packetstormsecurity.org/files/112792/OpenOffice.org-vclmi.dll-Integer-Overflow.html Wed, 16 May 2012 23:27:40 GMT A vulnerability is caused due to an integer overflow error in the vclmi.dll module when allocating memory for an embedded image object. This can be exploited to cause a heap-based buffer overflow via, for example using a specially crafted JPEG object within a DOC file. OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to Apache OpenOffice 3.4. Users who are unable to upgrade immediately should be cautious when opening untrusted documents. http://packetstormsecurity.org/files/112791/PRE-SA-2012-03.txt http://packetstormsecurity.org/files/112791/PRE-SA-2012-03.txt http://packetstormsecurity.org/files/112791/Linux-Kernel-HFS-Plus-Buffer-Overflow.html Wed, 16 May 2012 23:25:02 GMT PRE-CERT Security Advisory - The Linux kernel contains a vulnerability in the driver for HFS plus file systems that may be exploited for code execution or privilege escalation. A specially-crafted HFS plus filesystem can cause a buffer overflow via the memcpy() call of hfs_bnode_read() (in fs/hfsplus/bnode.c). http://packetstormsecurity.org/files/112790/sect2012-cfp.txt http://packetstormsecurity.org/files/112790/sect2012-cfp.txt http://packetstormsecurity.org/files/112790/SEC-T-2012-Call-For-Papers.html Wed, 16 May 2012 23:19:19 GMT The SEC-T 2012 Call For Papers has been announced. It will be held from September 13th through the 14th in Stockholm, Sweden. http://packetstormsecurity.org/files/112789/APPLE-SA-2012-05-15-1.txt http://packetstormsecurity.org/files/112789/APPLE-SA-2012-05-15-1.txt http://packetstormsecurity.org/files/112789/Apple-Security-Advisory-2012-05-15-1.html Wed, 16 May 2012 23:16:27 GMT Apple Security Advisory 2012-05-15-1 - QuickTime 7.7.2 is now available and addresses multiple security issues. Multiple stack overflows existed in QuickTime's handling of TeXML files. A heap overflow existed in QuickTime's handling of text tracks. A heap buffer overflow existed in the handling of H.264 encoded movie files. An uninitialized memory access issue existed in the handling of MP4 encoded files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.3. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2012-001. Various other issues were also addressed. http://packetstormsecurity.org/files/112785/captchaunijimpe-xss.txt http://packetstormsecurity.org/files/112785/captchaunijimpe-xss.txt http://packetstormsecurity.org/files/112785/Unijimpe-Captcha-Cross-Site-Scripting.html Wed, 16 May 2012 23:14:53 GMT Unijimpe Captcha suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/files/112784/DRUPAL-SA-CONTRIB-2012-078.txt http://packetstormsecurity.org/files/112784/DRUPAL-SA-CONTRIB-2012-078.txt http://packetstormsecurity.org/files/112784/Drupal-Smart-Breadcrumb-6.x-Cross-Site-Scripting.html Wed, 16 May 2012 23:13:21 GMT Drupal Smart Breadcrumb third party module version 6.x suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/files/112783/DRUPAL-SA-CONTRIB-2012-077.txt http://packetstormsecurity.org/files/112783/DRUPAL-SA-CONTRIB-2012-077.txt http://packetstormsecurity.org/files/112783/Drupal-Advertisement-6.x-Cross-Site-Scripting.html Wed, 16 May 2012 23:11:48 GMT Drupal Advertisement third party module version 6.x suffers from cross site scripting and information disclosure vulnerabilities. http://packetstormsecurity.org/files/112782/DRUPAL-SA-CONTRIB-2012-076.txt http://packetstormsecurity.org/files/112782/DRUPAL-SA-CONTRIB-2012-076.txt http://packetstormsecurity.org/files/112782/Drupal-Ubercart-Product-Keys-6.x-Access-Bypass.html Wed, 16 May 2012 23:10:12 GMT Drupal Ubercart Product Keys third party module version 6.x suffers from an access bypass vulnerability. http://packetstormsecurity.org/files/112781/dsa-2472-1.txt http://packetstormsecurity.org/files/112781/dsa-2472-1.txt http://packetstormsecurity.org/files/112781/Debian-Security-Advisory-2472-1.html Wed, 16 May 2012 22:46:40 GMT Debian Linux Security Advisory 2472-1 - Dave Love discovered that users who are allowed to submit jobs to a Grid Engine installation can escalate their privileges to root because the environment is not properly sanitized before creating processes. http://packetstormsecurity.org/files/112780/USN-1442-1.txt http://packetstormsecurity.org/files/112780/USN-1442-1.txt http://packetstormsecurity.org/files/112780/Ubuntu-Security-Notice-USN-1442-1.html Wed, 16 May 2012 22:46:27 GMT Ubuntu Security Notice 1442-1 - It was discovered that sudo incorrectly handled network masks when using Host and Host_List. A local user who is listed in sudoers may be allowed to run commands on unintended hosts when IPv4 network masks are used to grant access. A local attacker could exploit this to bypass intended access restrictions. Host and Host_List are not used in the default installation of Ubuntu. http://packetstormsecurity.org/files/112779/glsa-201205-02.txt http://packetstormsecurity.org/files/112779/glsa-201205-02.txt http://packetstormsecurity.org/files/112779/Gentoo-Linux-Security-Advisory-201205-02.html Wed, 16 May 2012 22:02:22 GMT Gentoo Linux Security Advisory 201205-2 - Multiple vulnerabilities have been found in ConnMan, allowing attackers to execute arbitrary code or cause Denial of Service. Versions less than 1.0-r1 are affected. http://packetstormsecurity.org/files/112748/axous-csrf.txt http://packetstormsecurity.org/files/112748/axous-csrf.txt http://packetstormsecurity.org/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html Tue, 15 May 2012 22:42:51 GMT Axous version 1.1.1 suffers from cross site request forgery and cross site scripting vulnerabilities. http://packetstormsecurity.org/files/112747/VMRL-applequicktime.txt http://packetstormsecurity.org/files/112747/VMRL-applequicktime.txt http://packetstormsecurity.org/files/112747/Apple-Quicktime-.pct-Parsing-Memory-Corruption.html Tue, 15 May 2012 22:38:03 GMT Apple Quicktime does not properly parse .pct media files, which causes a corruption in module DllMain by opening a malformed file with an invalid value located in PoC repro01.pct at offset 0x20E. Quicktime Player version 7.7.1 (1680.42) on Windows XP SP 3 - PT_BR is confirmed affected. Other versions may also be affected.