Monthly Archive: September 2008

PyDNS (aka python-dns) before 2.3.1-5 in Debian GNU/Linux does not use random source ports for DNS requests and does not use random transaction IDs for DNS retries, which makes it easier for remote attackers...

The search function in phpBB 2.x provides a search_id value that leaks the state of PHP’s PRNG, which allows remote attackers to obtain potentially sensitive information, as demonstrated by a cross-application attack against WordPress,...

Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file. NOTE: there may not be common...

The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as...

WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space characters when comparing usernames,...

JRequest in Joomla! 1.5 before 1.5.7 does not sanitize variables that were set with JRequest::setVar, which allows remote attackers to conduct "variable injection" attacks and have unspecified other impact. Date published : 2008-09-18 http://developer.joomla.org/security/news/271-20080901-core-jrequest-variable-injection.html...

Multiple open redirect vulnerabilities in Joomla! 1.5 before 1.5.7 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a "passed in" URL. Date published : 2008-09-18 http://developer.joomla.org/security/news/274-20080904-core-redirect-spam.html http://marc.info/?l=oss-security&m=122118210029084&w=2

The mailto (aka com_mailto) component in Joomla! 1.5 before 1.5.7 sends e-mail messages without validating the URL, which allows remote attackers to transmit spam. Date published : 2008-09-18 http://developer.joomla.org/security/news/273-20080903-core-commailto-spam.html http://marc.info/?l=oss-security&m=122118210029084&w=2

Joomla! 1.5 before 1.5.7 initializes PHP’s PRNG with a weak seed, which makes it easier for attackers to guess the pseudo-random values produced by PHP’s mt_rand function, as demonstrated by guessing password reset tokens,...

Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon)...

GNU adns 1.4 and earlier uses a fixed source port and sequential transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. NOTE:...

PyDNS (aka python-dns) before 2.3.1-4 in Debian GNU/Linux does not use random source ports or transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability...

Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make...

The InstallShield Update Service Agent ActiveX control in isusweb.dll allows remote attackers to cause a denial of service (memory corruption and browser crash) and possibly execute arbitrary code via a call to ExecuteRemote with...