Archive for January, 2008

UNIFIED COMMUNICATIONS TECH TIP – What’s the value of unified communications?

January 30th, 2008 No Comments »

What’s the value of unified communications?
Gary Audin
01.21.2008
Rating: -3.00- (out of 5)

RSS FEEDS:  VoIP news and advice channel
Add to Google

Unified communications — everyone seems to see great value in its implementation, but how does the enterprise evaluate the move to unified communications (UC)? Since UC is sold on human productivity improvements, who within which parts of an organization will benefit? UC is of greatest value when both ends of the communication functions have access to the same features. One end will limit the productivity enhancements if it does not have access to UC.In this tip, you will find a list of important questions that should be asked of you and your organization when you are considering a unified communications implementation. The entire process of creating a product or service — from a rough idea to delivery — involves many people, organizations and internal/external information, all of which will benefit from better communications. Collaboration, mobility and presence mechanisms will be important tools. The following seven phases are explored for the analysis of the value of UC in each.

Internal enterprise support
The internal operations of an enterprise have to be effective before that enterprise should offer any product or service. UC can make company executives more efficient and benefit internal organizations such as finance, human resources, facilities and IT. Collaboration, mobility and presence as used in UC will improve the enterprise efficiency, reduce the staff’s stress levels and improve productivity.

  • Can UC mobility provide seamless information for decision support?
  • Will client access be improved with UC?
  • There will always be business issues to resolve. Will UC reduce the time to issue/problem resolution?
  • Executives need to collaborate on policy development and business direction. Will UC improve these processes?

Product or service development
The developers of a product or service will always be working with a time constraint. Competition will drive the schedule for the development.

  • Will UC reduce the time to market? Developer collaboration that is fast and efficient will be the goal (whether working with internal staff, consultants or potential vendors) and will thereby accelerate the time to market.
  • Development groups do not always have the expertise necessary to complete the development of a product or service. Does the UC function provide an effective method for locating and accessing the expertise required?
  • Will UC enhance the ability of geographically scattered people and resources to work as a real-time team?

Marketing the product or service
Marketing needs to prepare a number of tools (advertising, brochures, press releases, meetings, etc.) to bring the product or service to the attention of the customers.

  • Does UC benefit the exchange of information, schedules and tools with external resources such as the press, PR firms and potential first customers? Contact management and the associated linkages are important during the product or service introduction as is the continuing marketing effort after the release of the product or service.
  • A marketing campaign will need continuous fast and effective communications. Can UC be used to keep the campaign on schedule and be useful in responding to market changes?
  • Will UC help ensure that the time-to-market schedule is met? Collaboration and mobility will be the key values of UC during the marketing effort.

Producing the product or service
This phase will include external part delivery, service providers, packaging and shipping companies and other organizations that need to be coordinated — especially if just-in-time scheduling is the goal. Accurate communications, delivered in a timely manner in whatever form is most productive, are the key value of UC.

  • Will the collaboration features of UC benefit the production process design?
  • Will UC reduce the time for problem/issue resolution?
  • Will UC be useful for identifying the resources needed to resolve a problem/issue?
  • Once the production process has begun, how will UC help in the management of the process?
  • Will UC enhance the ability of geographically scattered people and resources to work as a real-time team?

Selling the product or service
Increasing sales productivity and market penetration are the primary goals of the sales organization. Sales may be made directly through agents, retail stores or VARs. The different methods all have common needs — consistent and reliable product/service information and delivery.

  • Can UC reduce the sales cycle time? Analysis has demonstrated that up to a 30% reduction in the sales cycle duration can be accomplished through the use of UC.
  • Can UC reduce the telephone tag by providing and controlling the presence information and providing immediate alternate means of communications such as IM and email?
  • Will a smaller sales staff be able to sell more product/service by employing UC?

Delivering the product or service
The delivery of a product/service is a logistics issue. Delivery issues will be similar to the issues encountered in the production environment.

  • Will the collaboration features of UC benefit the delivery process design?
  • Will UC reduce the time for delivery problem/issue resolution?
  • Will UC be useful for identifying the resources needed to resolve a problem/issue?
  • Once the delivery process has been implemented, how will UC help in the management of the process?
  • Will UC enhance the ability of geographically scattered resources such as production facilities, warehouses and delivery service providers to work as a real-time team?

Customer service
Keeping the customer satisfied — even happy — should be the goal of any organization. This is not always the case, however, and bad customer service will always come back to haunt the negligent enterprise, causing the reduction of market share and profitability.

  • Will UC provide rapid access to the correct enterprise resource to make the sale?
  • Will UC provide rapid access to the correct enterprise resource to resolve an issue or problem?
  • Can UC reduce the customer service time and thereby reduce the customer service staff size?
  • Will UC provide alternative communications methods for a wide variety of customers to access?
  • Will UC tools be able to give the service managers better visibility into their service operation?

Implementing unified communications may not address all of the questions and considerations. Demonstrating the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue — and increased productivity eventually translates into financial benefits.

Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.

US-Cert: Vulnerability Summary for the Week of January 21, 2008

January 28th, 2008 No Comments »
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities
Primary
Vendor — Product		 Description
Discovered
Published
CVSS Score Source & Patch Info
360 Web Manager — 360 Web Manager SQL injection vulnerability in form.php in 360 Web Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the IDFM parameter.
unknown
2008-01-23
7.5 CVE-2008-0430
MILW0RM
BID
FRSIRT
XF
Agares Media — phpAutoVideo PHP remote file inclusion vulnerability in theme/phpAutoVideo/LightTwoOh/sidebar.php in Agares phpAutoVideo 2.21 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the loadpage parameter, a different vector than CVE-2007-6614.
unknown
2008-01-23
7.5 CVE-2008-0433
BUGTRAQ
BID
FRSIRT
SECUNIA
XF
AlilG — aliTalk inc/elementz.php in aliTalk 1.9.1.1 does not properly verify authentication, which allows remote attackers to add an arbitrary user account via a modified lilil parameter, in conjunction with the ubild and pa parameters.
unknown
2008-01-22
7.5 CVE-2008-0391
MILW0RM
BID
AlstraSoft — Forum Pay Per Post Exchange SQL injection vulnerability in index.php in AlstraSoft Forum Pay Per Post Exchange 2.0 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a forum_catview action.
unknown
2008-01-23
7.5 CVE-2008-0429
MILW0RM
BID
FRSIRT
SECUNIA
auraCMS — Mod Block Statistik
auraCMS — AuraCMS		 stat.php in AuraCMS 1.62, and Mod Block Statistik for AuraCMS, allows remote attackers to inject arbitrary PHP code into online.db.txt via the X-Forwarded-For HTTP header in a stat action to index.php, and execute online.db.txt via a certain request to index.php.
unknown
2008-01-22
7.5 CVE-2008-0390
MILW0RM
BID
BitDefender — Update Server Directory traversal vulnerability in BitDefender Update Server (http.exe), as used in BitDefender products including Security for Fileservers and Enterprise Manager (BDEM), allows remote attackers to read arbitrary files via .. (dot dot) sequences in an HTTP request.
unknown
2008-01-23
7.8 CVE-2008-0396
BUGTRAQ
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Blog CMS — Blog CMS Multiple PHP remote file inclusion vulnerabilities in BLOG:CMS 4.2.1.c allow remote attackers to execute arbitrary PHP code via a URL in the (1) DIR_PLUGINS parameter to (a) index.php, and the (2) DIR_LIBS parameter to (b) media.php and (c) xmlrpc/server.php in admin/.
unknown
2008-01-24
7.5 CVE-2008-0450
BUGTRAQ
Bloo — bloofoxCMS Directory traversal vulnerability in file.php in bloofoxCMS 0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
unknown
2008-01-23
7.8 CVE-2008-0427
BUGTRAQ
OTHER-REF
FRSIRT
SECUNIA
XF
BloofoxCMS — BloofoxCMS Multiple SQL injection vulnerabilities in the login function in system/class_permissions.php in bloofoxCMS 0.3 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/index.php.
unknown
2008-01-23
7.5 CVE-2008-0428
BUGTRAQ
OTHER-REF
FRSIRT
SECUNIA
XF
BoastMachine — BoastMachine SQL injection vulnerability in mail.php in boastMachine (aka bMachine) 3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2008-01-23
7.5 CVE-2008-0422
BID
FRSIRT
businessobjects — Crystal Reports
Microsoft — ActiveX		 Race condition in the Enterprise Tree ActiveX control (EnterpriseControls.dll 11.5.0.313) in Crystal Reports XI Release 2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SelectedSession method, which triggers a buffer overflow.
unknown
2008-01-22
9.3 CVE-2008-0379
MILW0RM
BID
SECTRACK
XF
Cisco — 5500 Series Adaptive Security Appliance
Cisco — PIX 500 Series Security Appliance		 Unspecified vulnerability in Cisco PIX 500 Series Security Appliance (PIX) and 5500 Series Adaptive Security Appliance (ASA) before 7.2(3)6 and 8.0(3), when the Time-to-Live (TTL) decrement feature is enabled, allows remote attackers to cause a denial of service (device reload) via a crafted IP packet.
unknown
2008-01-23
7.1 CVE-2008-0028
CISCO
BID
Cisco — AVS Cisco Application Velocity System (AVS) before 5.1.0 is installed with default passwords for some system accounts, which allows remote attackers to gain privileges.
unknown
2008-01-23
10.0 CVE-2008-0029
CISCO
Citadel — Citadel_SMTP Buffer overflow in Citadel SMTP server 7.10 and earlier allows remote attackers to execute arbitrary code via a long RCPT TO command, which is not properly handled by the makeuserkey function. NOTE: some of these details were obtained from third party information.
unknown
2008-01-23
9.4 CVE-2008-0394
MILW0RM
OTHER-REF
SECUNIA
XF
Core Security Technologies — CORE FORCE Multiple buffer overflows in CORE FORCE before 0.95.172 allow local users to cause a denial of service (system crash) and possibly execute arbitrary code in the kernel context via crafted arguments to (1) IOCTL functions in the Firewall module or (2) SSDT hook handler functions in the Registry module.
unknown
2008-01-18
7.2 CVE-2008-0365
BUGTRAQ
OTHER-REF
BID
Core Security Technologies — CORE FORCE CORE FORCE before 0.95.172 does not properly validate arguments to SSDT hook handler functions in the Registry module, which allows local users to cause a denial of service (system crash) and possibly execute arbitrary code in the kernel context via crafted arguments.
unknown
2008-01-18
7.2 CVE-2008-0366
BUGTRAQ
OTHER-REF
BID
CyberGL Dev Team — phpSearch PHP remote file inclusion vulnerability in utils/class_HTTPRetriever.php in phpSearch allows remote attackers to execute arbitrary PHP code via a URL in the libcurlemuinc parameter.
unknown
2008-01-24
7.5 CVE-2008-0448
BUGTRAQ
XF
Debian — Debian Linux Argument injection vulnerability in scponly 4.6 and earlier allows remote authenticated users to modify commands when scponly invokes (1) unison, (2) rsync, (3) svn, and (4) svnserve, which can be leveraged to execute arbitrary code, as demonstrated by the –diff3-cmd option to svn, a different vulnerability than CVE-2007-6350.
unknown
2008-01-24
8.5 CVE-2007-6415
OTHER-REF
SECUNIA
Digital Data Communications — RtspVapgDecoder.dll Buffer overflow in the Digital Data Communications RtspVaPgCtrl ActiveX control (RtspVapgDecoder.dll 1.1.0.29) allows remote attackers to execute arbitrary code via a long MP4Prefix property.
unknown
2008-01-22
10.0 CVE-2008-0380
MILW0RM
BID
FRSIRT
Foojan — PHP Weblog SQL injection vulnerability in index.php in Foojan WMS PHP Weblog 1.0 allows remote attackers to execute arbitrary SQL commands via the story parameter.
unknown
2008-01-24
7.5 CVE-2008-0447
MILW0RM
Gecad Technologies — Axigen Mail Server Format string vulnerability in the AXIMilter module in AXIGEN Mail Server 5.0.2 allows remote attackers to execute arbitrary code via format string specifiers in the CNHO command.
unknown
2008-01-23
7.5 CVE-2008-0434
BUGTRAQ
FULLDISC
MILW0RM
BID
SECUNIA
XF
HP — HP-UX Unspecified vulnerability in HP-UX B.11.31, when running ARPA Transport, allows remote attackers to cause a denial of service via unknown vectors.
unknown
2008-01-23
10.0 CVE-2007-6425
HP
HP — HP Virtual Rooms
Microsoft — ActiveX		 Multiple buffer overflows in the WebHPVCInstall.HPVirtualRooms14 ActiveX control in HPVirtualRooms14.dll 1.0.0.100, as used in the installation process for HP Virtual Rooms, allow remote attackers to execute arbitrary code via a long (1) AuthenticationURL, (2) PortalAPIURL, or (3) cabroot property value. NOTE: some of these details are obtained from third party information.
unknown
2008-01-23
10.0 CVE-2008-0437
FULLDISC
BID
FRSIRT
SECUNIA
IBM — AIX Buffer overflow in the pioout program in printers.rte in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via a long command line option.
unknown
2008-01-24
7.2 CVE-2007-5764
IDEFENSE
OTHER-REF
AIXAPAR
AIXAPAR
AIXAPAR
AIXAPAR
IBM — Informix Dynamic Server Unspecified vulnerability in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allows attackers to create files via unspecified vectors involving the onedcu program.
unknown
2008-01-18
10.0 CVE-2008-0368
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
SECTRACK
XF
IBM — Informix Dynamic Server Unspecified vulnerability in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allows attackers to create files via unspecified vectors involving the SQLIDEBUG environment variable.
unknown
2008-01-18
10.0 CVE-2008-0369
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
SECTRACK
XF
IBM — WebSphere Application Server Unspecified vulnerability in the serveServletsByClassnameEnabled feature in IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.25 and 6.1 through 6.1.0.14 has unknown impact and attack vectors.
unknown
2008-01-22
10.0 CVE-2008-0389
OTHER-REF
BID
FRSIRT
SECUNIA
IBM — Tivoli Provisioning Manager OS Deployment Unspecified vulnerability in the HTTP server in IBM Tivoli Provisioning Manager for OS Deployment before 5.1.0.3 Interim Fix 3 allows attackers to cause a denial of service via unknown vectors.
unknown
2008-01-23
10.0 CVE-2008-0401
OTHER-REF
BID
FRSIRT
SECTRACK
SECUNIA
XF
Invision Power Services — Invision Gallery SQL injection vulnerability in Invision Gallery 2.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the album parameter in a rate command.
unknown
2008-01-23
7.5 CVE-2008-0421
Julian Pawlowski — LulieBlog SQL injection vulnerability in voircom.php in LulieBlog 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2008-01-24
7.5 CVE-2008-0446
MILW0RM
Lycos — FileUploader.dll Heap-based buffer overflow in the FileUploader.FUploadCtl.1 ActiveX control in FileUploader.dll 2.0.0.2 in Lycos FileUploader Module allows remote attackers to execute arbitrary code via a long HandwriterFilename property value. NOTE: some of these details are obtained from third party information.
unknown
2008-01-24
10.0 CVE-2008-0443
MILW0RM
BID
FRSIRT
SECUNIA
Microsoft — Visual Basic Enterprise Edition Multiple buffer overflows in Microsoft Visual Basic Enterprise Edition 6.0 SP6 allow user-assisted remote attackers to execute arbitrary code via a .dsr file with a long (1) ConnectionName or (2) CommandName line.
unknown
2008-01-22
9.3 CVE-2008-0392
MILW0RM
BID
XF
Microsoft — ie
Skype Technologies — Skype		 Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the “Add video to chat” dialog, aka “videomood XSS.”
unknown
2008-01-24
9.3 CVE-2008-0454
BUGTRAQ
FULLDISC
FULLDISC
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
CERT-VN
FRSIRT
Mooseguy Blog System — MGBS SQL injection vulnerability in blog.php in Mooseguy Blog System (MGBS) 1.0 allows remote attackers to execute arbitrary SQL commands via the month parameter.
unknown
2008-01-23
7.5 CVE-2008-0424
MILW0RM
BID
FRSIRT
MyBB — MyBB Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php.
unknown
2008-01-22
7.5 CVE-2008-0383
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
XF
XF
MyBulletinBoard — MyBulletinBoard Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.
unknown
2008-01-22
7.5 CVE-2008-0382
BUGTRAQ
MILW0RM
MILW0RM
BID
SECUNIA
News — MicroNews MicroNews allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin.php.
unknown
2008-01-22
10.0 CVE-2008-0377
BUGTRAQ
XF
OKI Printing Solutions — C5510 MFP Printer OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password by connecting to TCP port 5548 or 7777.
unknown
2008-01-22
10.0 CVE-2008-0374
BUGTRAQ
OTHER-REF
BID
SECUNIA
OKI Printing Solutions — C5510 MFP Printer Unspecified vulnerability in OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 allows remote attackers to set the password and obtain administrative access via unspecified vectors.
unknown
2008-01-22
10.0 CVE-2008-0375
BUGTRAQ
OTHER-REF
BID
SECUNIA
PacerCMS — PacerCMS Multiple SQL injection vulnerabilities in PacerCMS 0.6 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) siteadmin/article-edit.php; and unspecified parameters to (2) submitted-edit.php, (3) page-edit.php, (4) section-edit.php, (5) staff-edit.php, and (6) staff-access.php in siteadmin/.
unknown
2008-01-24
7.5 CVE-2008-0451
BUGTRAQ
OTHER-REF
BID
XF
PHP — F1 Maxs File Uploader Unrestricted file upload vulnerability in PHP F1 Max’s File Uploader allows remote attackers to upload and execute arbitrary PHP files.
unknown
2008-01-22
7.5 CVE-2008-0373
BUGTRAQ
BID
XF
Rocksalt International — VP_ASP SQL injection vulnerability in paypalresult.asp in VP-ASP Shopping Cart 6.50 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2008-01-24
7.5 CVE-2008-0449
BID
XF
Small Axe Solutions — Weblog PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the ffile parameter, a different vector than CVE-2008-0376. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2008-01-24
7.5 CVE-2008-0442
BID
SECUNIA
Winamp — Nullsoft Winamp Multiple stack-based buffer overflows in in_mp3.dll in Winamp 5.21, 5.5, and 5.51 allow remote attackers to execute arbitrary code via a long (1) artist or (2) name tag in Ultravox streaming metadata, related to construction of stream titles.
unknown
2008-01-22
10.0 CVE-2008-0065
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA

Back to top

Medium Vulnerabilities
Primary
Vendor — Product		 Description
Discovered
Published
CVSS Score Source & Patch Info
8e6 — R3000 Internet Filter 8e6 R3000 Internet Filter 2.0.05.33, and other versions before 2.0.11, allows remote attackers to bypass intended restrictions via a fragmented HTTP request.
unknown
2008-01-22
5.0 CVE-2008-0372
BUGTRAQ
BID
SECUNIA
XF
BUGTRAQ
absofort — aconon Mail Enterprise SQL Directory traversal vulnerability in archiv.cgi in absofort aconon Mail 2007 Enterprise SQL 11.7.0 and Mail 2004 Enterprise SQL 11.5.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter.
unknown
2008-01-25
5.0 CVE-2008-0464
FULLDISC
MILW0RM
OTHER-REF
BID
SECUNIA
Aflog — Aflog Cross-site scripting (XSS) vulnerability in aflog 1.01, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment form.
unknown
2008-01-23
4.3 CVE-2008-0398
MILW0RM
BID
aflog.org — aflog Multiple SQL injection vulnerabilities in aflog 1.01, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to comments.php and (2) an unspecified parameter to view.php.
unknown
2008-01-23
6.8 CVE-2008-0397
MILW0RM
BID
Agares Media — phpAutoVideo Cross-site scripting (XSS) vulnerability in index.php in phpAutoVideo 2.21 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat parameter.
unknown
2008-01-23
4.3 CVE-2008-0432
BUGTRAQ
BID
FRSIRT
SECUNIA
XF
AlilG — aliTalk Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) the mohit parameter to (a) inc/receivertwo.php; and allow remote attackers to execute arbitrary SQL commands via (2) the id parameter to (b) inc/usercp.php, related to functionz/usercp.php; or (3) the username parameter to (c) admin/index.php, related to functionz/first_process.php, or (d) index.php. NOTE: some of these details are obtained from third party information.
unknown
2008-01-22
6.8 CVE-2008-0371
MILW0RM
BID
SECUNIA
XF
XF
XF
XF
AlstraSoft — Forum Pay Per Post Exchange AlstraSoft Forum Pay Per Post Exchange 2.0 stores passwords in cleartext, which makes it easier for attackers to access user accounts.
unknown
2008-01-23
5.0 CVE-2008-0440
MILW0RM
Apache Software Foundation — Tomcat The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests, making it easier for remote attackers to capture this cookie.
unknown
2008-01-22
5.0 CVE-2008-0128
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
SECUNIA
XF
Apache Software Foundation — Apache HTTP Server Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) “406 Not Acceptable” or (2) “300 Multiple Choices” HTTP response when the extension is omitted in a request for the file.
unknown
2008-01-24
4.3 CVE-2008-0455
BUGTRAQ
OTHER-REF
BID
SECTRACK
Belkin — F5D9230-4 The web server in Belkin Wireless G Plus MIMO Router F5D9230-4 does not require authentication for SaveCfgFile.cgi, which allows remote attackers to read and modify configuration via a direct request to SaveCfgFile.cgi.
unknown
2008-01-23
5.5 CVE-2008-0403
BUGTRAQ
MILW0RM
BID
FRSIRT
XF
cPanel — cPanel Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
unknown
2008-01-22
4.3 CVE-2008-0370
BUGTRAQ
OTHER-REF
BID
SECUNIA
DeluxeBB — DeluxeBB Cross-site scripting (XSS) vulnerability in templates/default/admincp/attachments_header.php in DeluxeBB 1.1 allows remote attackers to inject arbitrary web script or HTML via the lang_listofmatches parameter.
unknown
2008-01-23
4.3 CVE-2008-0439
BUGTRAQ
Drupal — Archive Module Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
unknown
2008-01-25
4.3 CVE-2008-0462
OTHER-REF
BID
SECUNIA
Drupal — Workflow Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties.
unknown
2008-01-25
4.3 CVE-2008-0463
OTHER-REF
SECUNIA
EasySiteNetwork — Recipe Website Script SQL injection vulnerability in list.php in Easysitenetwork Recipe allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
unknown
2008-01-24
6.8 CVE-2008-0453
MILW0RM
BID
ELOG — ELOG Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components.
unknown
2008-01-24
4.3 CVE-2008-0444
OTHER-REF
BID
SECUNIA
XF
ELOG — ELOG The replace_inline_img function in elogd in Electronic Logbook (ELOG) before 2.7.1 allows remote attackers to cause a denial of service (infinite loop) via crafted logbook entries. NOTE: some of these details are obtained from third party information.
unknown
2008-01-24
5.0 CVE-2008-0445
BID
SECUNIA
XF
Francisco Burzi — PHP-Nuke SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information.
unknown
2008-01-25
6.8 CVE-2008-0461
MILW0RM
BID
FRSIRT
SECUNIA
Frimousse — Frimousse Absolute path traversal vulnerability in explorerdir.php in Frimousse 0.0.2 allows remote attackers to read arbitrary files and list arbitrary directories via a full pathname in the name parameter.
unknown
2008-01-23
5.0 CVE-2008-0425
MILW0RM
BID
FRSIRT
XF
GradMan — GradMan Directory traversal vulnerability in info.php in GradMan 0.1.3 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tabla parameter, a different vector than CVE-2008-0361.
unknown
2008-01-22
5.8 CVE-2008-0393
MILW0RM
BID
SECUNIA
XF
IBM — Websphere Business Modeler Basic
IBM — Websphere Business Modeler Advanced		 Unspecified vulnerability in IBM WebSphere Business Modeler Basic and Advanced 6.0.2.1 before Interim Fix 11 allows remote authenticated users to bypass intended access restrictions and delete unspecified repository resources via unknown vectors, even when they are not administrators or members of the repository’s owning group.
unknown
2008-01-23
6.0 CVE-2008-0402
OTHER-REF
OTHER-REF
AIXAPAR
BID
SECTRACK
SECUNIA
IDMOS — IDMOS CMS Directory traversal vulnerability in administrator/download.php in IDMOS (aka Phoenix) 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter.
unknown
2008-01-23
5.0 CVE-2008-0431
MILW0RM
BID
FRSIRT
SECUNIA
Kayako — SupportSuite Kayako SupportSuite 3.11.01 allows remote attackers to obtain server configuration information via a direct request to syncml/index.php, which prints the contents of the $_SERVER superglobal.
unknown
2008-01-23
5.0 CVE-2008-0395
BUGTRAQ
OTHER-REF
SECUNIA
Lama — Lama Software Multiple PHP remote file inclusion vulnerabilities in Lama Software allow remote attackers to execute arbitrary PHP code via a URL in the MY_CONF[classRoot] parameter to (1) inc.steps.access_error.php, (2) inc.steps.check_login.php, or (3) inc.steps.init_system.php in admin/functions/.
unknown
2008-01-23
6.8 CVE-2008-0423
BID
FRSIRT
SECUNIA
LiquidSilverCMS — LiquidSilverCMS Directory traversal vulnerability in update/index.php in Liquid-Silver CMS 0.35, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the update parameter.
unknown
2008-01-25
6.8 CVE-2008-0459
MILW0RM
BID
SECUNIA
Mahara — Mahara Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files.
unknown
2008-01-22
4.3 CVE-2008-0381
OTHER-REF
BID
SECUNIA
Mantis — Mantis Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the “Most active bugs” summary.
unknown
2008-01-23
4.3 CVE-2008-0404
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Microsoft — ie
MediaWiki — MediaWiki BotQuery Ext
MediaWiki — MediaWiki		 Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
unknown
2008-01-25
4.3 CVE-2008-0460
MLIST
SECUNIA
Modern — Modern
singapore — singapore		 Cross-site scripting (XSS) vulnerability in header.tpl.php in the modern template for Singapore 0.10.1 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter to default.php.
unknown
2008-01-23
4.3 CVE-2008-0400
OTHER-REF
BID
FRSIRT
SECUNIA
Mozilla — Firefox Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when prompting for HTTP Basic Authentication, displays the site requesting the authentication after the Realm text, which might make it easier for remote HTTP servers to conduct phishing and spoofing attacks.
unknown
2008-01-18
5.0 CVE-2008-0367
BUGTRAQ
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
NEC — SocksCap Stack-based buffer overflow in SocksCap 2.40-051231 and earlier, when “Resolve all names remotely” is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hostname.
unknown
2008-01-22
6.8 CVE-2008-0378
BUGTRAQ
BID
Novemberborn — sIFR Cross-site scripting (XSS) vulnerability in the font rendering functionality in Novemberborn sIFR 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the txt parameter to a Flash (SWF) file, as demonstrated by fonts/FuturaLt.swf.
unknown
2008-01-23
4.3 CVE-2008-0438
BUGTRAQ
OTHER-REF
BID
OpenBSD — Open_BSD OpenBSD 4.2 allows local users to cause a denial of service (kernel panic) by calling the SIOCGIFRTLABEL IOCTL on an interface that does not have a route label, which triggers a NULL pointer dereference when the return value from the rtlabel_id2name function is not checked.
unknown
2008-01-22
4.9 CVE-2008-0384
MILW0RM
MLIST
OPENBSD
BID
SECTRACK
SECUNIA
OZJournals — OZJournals Directory traversal vulnerability in index.php in OZJournals 2.1.1 allows remote attackers to read portions of arbitrary files via a .. (dot dot) in the id parameter in a printpreview action.
unknown
2008-01-23
5.0 CVE-2008-0435
MILW0RM
BID
FRSIRT
SECUNIA
PacerCMS — PacerCMS Cross-site scripting (XSS) vulnerability in submit.php in PacerCMS before 0.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
unknown
2008-01-23
4.3 CVE-2008-0426
OTHER-REF
BID
SECUNIA
PD9 Software — MegaBBS Cross-site scripting (XSS) vulnerability in profile-upload/upload.asp in PD9 Software MegaBBS 1.5.14b allows remote attackers to inject arbitrary web script or HTML via the target parameter.
unknown
2008-01-23
4.3 CVE-2008-0436
BUGTRAQ
BID
PHP — PHP curl/interface.c in the cURL library (aka libcurl) in PHP 5.2.4 and 5.2.5 allows context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files via a file:// request containing a \x00 sequence, a different vulnerability than CVE-2006-2563.
unknown
2008-01-24
5.0 CVE-2007-4850
SREASONRES
BUGTRAQ
FULLDISC
OTHER-REF
BID
XF
Seagull PHP Framework — Seagull PHP Framework Directory traversal vulnerability in optimizer.php in Seagull PHP Framework 0.6.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the files parameter.
unknown
2008-01-25
5.0 CVE-2008-0465
MILW0RM
BID
Siteman — Siteman Directory traversal vulnerability in articles.php in Siteman 1.1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the cat parameter in a viewart action.
unknown
2008-01-24
5.0 CVE-2008-0452
MILW0RM
SLAED — SLAED CMS Directory traversal vulnerability in function/sources.php in SLAED CMS 2.5 Lite allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the newlang parameter to index.php.
unknown
2008-01-25
6.8 CVE-2008-0458
MILW0RM
BID
Softpedia — Small Axe Weblog PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the cfile parameter.
unknown
2008-01-22
6.8 CVE-2008-0376
MILW0RM
Toshiba — Surveillix RecordSend Class Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods.
unknown
2008-01-23
6.8 CVE-2008-0399
MILW0RM
OTHER-REF
BID
FRSIRT
SECUNIA
XF
WordPress — WP_Forum SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI.
unknown
2008-01-22
6.8 CVE-2008-0388
MILW0RM
BID
FRSIRT
SECUNIA
XF

Back to top

Low Vulnerabilities
Primary
Vendor — Product		 Description
Discovered
Published
CVSS Score Source & Patch Info
Apache Software Foundation — Apache HTTP Server CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) “406 Not Acceptable” or (2) “300 Multiple Choices” HTTP response when the extension is omitted in a request for the file.
unknown
2008-01-24
3.5 CVE-2008-0456
BUGTRAQ
OTHER-REF
BID
SECTRACK
IBM — Tivoli Business Service Manager IBM Tivoli Business Service Manager (TBSM) 4.1.1 stores passwords in cleartext (1) after external authentication, which triggers writing the password to SM_server.log; and (2) after a reconfig action; which allows local users to obtain sensitive information.
unknown
2008-01-24
2.1 CVE-2008-0441
OTHER-REF
BID
FRSIRT
SECTRACK
SECUNIA
XF

Back to top
Last updated January 28, 2008

Symantec Anti Virus Threat Center Update – 1/29/08

January 28th, 2008 No Comments »


Blackberry Enterprise Server v4.0 SP7 Maintenance Release 3

January 26th, 2008 No Comments »

Hello,

  • BlackBerry Enterprise Server v4.0 Service Pack 7 Maintenance Release 3 for Novell GroupWise and 

  • BlackBerry Enterprise Server v4.0 Service Pack 7 Maintenance Release 3 for Lotus Domino are now available for download.

Please visit http://www.blackberry.com/go/serverdownloads to access the service pack and a list of fixed issues, software updates, and additional information.

Thank you,

BlackBerry Software Releases
Research In Motion Limited
Telephone: 1-877-255-2377 | (+1) 519-888-6181
Email: help@blackberry.net
Web: http://www.blackberry.com


You are currently subscribed to BlackBerry Software Notifications as luke...@mtginfo.com.
To unsubscribe, email leav...@lyrislist.rim.com.
To subscribe with another email address, email join-softwarenotifications@lyrislist.rim.com.
For all other support inquiries, please contact help@blackberry.net.


Microsoft 2-2008 Volume LIcensing Subscription Updates

January 26th, 2008 No Comments »

WSUS – Windows Server Update Services Manuals

January 25th, 2008 No Comments »

The following WSUS manuals are avaiable to download:

  • WSUS – Deploying Microsoft Windows Server Update Services.doc
  • WSUS – WSUSStepbyStep.doc

    • ORK – Microsoft Office 2003 Group Policy User Interface Option Settings

    January 25th, 2008 No Comments »

    Microsoft Office 2003 User Interface Option Settings, with group policies (Office Resource Kit)


    Websense

    January 25th, 2008 No Comments »

    The following Websense manuals are available for download:

  • Websense – CPM_Admin.pdf
  • Websense – CPM_Explorer_Admin.pdf
  • Websense – CPM_Install.pdf
  • Websense – CPM_Reporter_Admin.pdf

    • Packeteer

    January 25th, 2008 No Comments »

    Packeteer packet shaper manual:

    Packeteer – Getting_Started_Guide_v71.pdf


    Netcheck Patch Pro

    January 25th, 2008 No Comments »

    Netcheck Patch Pro Manuals for ver 5:

    Net Check – Patch pro – NetChkPatch5AdminGd.pdf


    SEO Powered by Platinum SEO from Techblissonline