You are encouraged to read the timeline and draw your own conclusions.
Desktop Protection
* avast! 4 Professional (impact low, reason real-time protection)
* avast! 4 Home Edition (impact low, reason real-time protection)
* avast! Pro Family pack (impact low, reason real-time protection)
* avast! WHS Edition (impact low, reason real-time protection)
* avast! Mac Edition (impact unknown)
* avast! Linux Home Edition (impact unknown)
* avast! U3 Edition (impact unknown)
The reported issue DOES NOT AFFECT ANY CURRENT ENOMALY PRODUCT. Our current products are Enomaly ECP Service Provider Edition and Enomaly ECP High Assurance Edition, and neither utilizes the "vmfeed" module.
Specifically, the "vmfeed" module has not been utilized in any version of our products released since the initial release of Enomaly ECP Service Provider Edition in June 2009. The "vmfeed" module was utilized only in our previous-generation "Community Edition" product, which has been deprecated and withdrawn from distribution. Enomaly ECP Service Provider Edition is a completely different product from the old Community Edition.
As a result, since the Community Edition product is deprecated and has been withdrawn, Enomaly has not investigated this reported issue.
Further information on the differences between the deprecated Community Edition technology and our current Service Provider Edition technology can be found at http://src.enomaly.com.
Lars-Erik Forsberg, VP Delivery
Enomaly Inc.
arbitrary code execution upon opening a crafted file.
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
-- VIM 7.1 README.txt
Parts of Vim are written in the Vim script language. A feature of this
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02652463
Version: 1
HPSBMA02615 SSRT100228 rev.1 - HP Insight Diagnostics Online Edition Running on Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-12-14
Last Updated: 2010-12-14
In addition, Bkis found XSS and CSRF vulnerabilities in the following
OpenBlog functions:
XSS holes are found in the following modules:
- Create a new post
- Edit a post
- Create a new page
Because these modules do not adequately check and filter their input
variables, an attacker can insert code into the links. If a user logs in
to his blog and clicks the link, the attacker's malicious code (JavaScript)
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02492472
Version: 1
HPSBMA02571 SSRT100034 rev.1 - HP Insight Diagnostics Online Edition, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-08-30
Last Updated: 2010-08-30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
2. attacker must have blog editing privileges
Registered users with blog keeping privileges can access personal gallery
functionality, example URL:
http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal
- Quick statistics function (server status, game server status, online players)
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)
Administrator Features:
- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01697543
Version: 2
Overview
========
A stored XSS vulnerability exists in Microsoft Windows SharePoint
Services 2.0 where a malicious user can bypass sanitization and inject
JavaScript into a web page they are editing. Under normal circumstances,
SharePoint does not permit users to include JavaScript in any submitted
content.
Impact
Avast! Multiple Vulnerabilities
BACKGROUND
Avast! antivirus software represents complete virus protection, offering full desktop security including a resident shield. Daily automatic updates ensure continuous data protection against all types of malware and spyware. Avast! antivirus is certified by both ICSA Labs and West Coast Labs Checkmark.
Avast! Professional Edition 4.8 is a collection of award winning, high-end technologies that work in perfect synergy, having one common goal: to protect your system and valuable data against computer viruses, spyware and rootkits. It represents a best-in-class antivirus solution for any Windows-based workstation.
Source: http://www.avast.com
VULNERABLE PRODUCTS
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.6.0.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.6.1.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.9 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | C.2.x | All versions prior to |
Ref : [TZO-20-2009] - AVG generic ZIP bypass / evasion
WWW : http://blog.zoller.lu/2009/04/avg-zip-evasion-bypass.html
Vendor : http://www.AVG.com
Status : Patched (with engine build 8.5 323)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : +-28 days
Comment:
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.6.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.8 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | C.1.x.x | All versions prior to |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to B.2.5.7 |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.1.x.x | All versions prior to C.1.10.4 |
|----------------------------+---------+---------------------------------|
CALL FOR PAPERS - Hackers 2 Hackers Conference 7th edition
The call for papers for H2HC 7th edition is now open. H2HC is a hacker
conference taking place in Sao Paulo, Brazil, from 27 to 28 November
2010 and, this year for the first time, also in Cancun on 3 December 2010.
[ - Introduction - ]
Building on the success of the past years, the annual Hackers 2 Hackers
Conference will be held for the seventh consecutive year in Sao Paulo,
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01697543
Version: 1
HPSBMA02417 SSRT090031 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-05-13
Last Updated: 2009-05-12
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02067559
Version: 1
HPSBMA02516 SSRT090232 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02498535
Version: 1
HPSBMA02576 SSRT090231 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-08
Last Updated: 2010-09-08
1. Vulnerability information
2. Vulnerability description
3. Vulnerable systems
4. Vendor information, solutions and workarounds
5. Credits
6. Technical description
6.1. NTLMv1 authentication protocol
6.2. The flaws
6.3. Detecting if the SMB service generates duplicate 8-byte challenges
6.4. Exploiting duplicate challenges
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to B.2.5.12 |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to C.2.4.5 |
| | | and C.3.2.2 |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to B.2.5.12 |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to C.2.4.5 |
| | | and C.3.2.2 |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.4 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | C.x.x | All versions prior to |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x.x | All versions prior to |
| | | B.2.5.4 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | C.x.x.x | All versions prior to |
-------- Z o r p S e c u r i t y A d v i s o r y ( Z S A ) ------------
PACKAGE : syslog-ng, syslog-ng-premium-edition
AFFECTED VERSION : <= 2.0.6, 2.1.8
FIXED : 2.0.6, 2.1.8
SUMMARY : Denial of Service
TYPE : remote
AFFECTED : all platforms
ZSA-ID : ZSA-2007-029
DATE : Dec 14, 2007
language, Xalan-Java supports the creation and use of extension
elements and extension functions... Extensions written in Java are
directly supported by Xalan-Java."
Because Cascade Server does not restrict the kind of XSLT code users
are able to enter, any user with access to edit XSLT stylesheets can
cause Cascade Server to execute arbitrary Java code. Using the
java.lang.Runtime class, Java can run shell commands.
While the privilege level of the Cascade Server process may prevent
an attacker from gaining complete control of the host system, that
2. Vulnerabilities:
####################
2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can change the admin password.
2.1.1. Exploit:
Check the exploit section.
2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can edit all the site info, such as the admin email address.
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can edit the whole site design. (All the site settings can also be changed via other parameters.)
2.3.1. Exploit:
Check the exploit section.
those systems, which changed the filename of CaptchaSecurityImages.php.
So I did additional research on vulnerable systems previously reported by
me, and found many projects which are also affected. Here is a list of them
as an addition to my two previous advisories. I already combined information
about vulnerabilities in GunCMS and PhoenixCMS PHP Edition into one
advisory, and in this advisory I'm using the same approach, where I combine
multiple vulnerable systems into one advisory not just because they use the
same script, but because they use code from other systems.
Concerning vulnerabilities in MiniManager for Project MANGOS
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Business Edition | B.x.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Business Edition | C.x.x | All versions |
|----------------------------------+----------------+--------------------|
| s800i (Asterisk Appliance) | 1.3.x | All versions |
+------------------------------------------------------------------------+