Ravens PHP Scripts: Bugs and Alerts



 

 

Adobe Reader / Acrobat AcroPDF ActiveX Control Bugs

Posted on Thursday, November 30, 2006 @ 11:57:34 CST in Bugs and Alerts
by Raven

SECUNIA ADVISORY ID: SA23138

VERIFY ADVISORY: http://secunia.com/advisories/23138/

CRITICAL: Not critical

IMPACT: DoS

SOFTWARE:
Adobe Reader 7.x - http://secunia.com/product/4546/
Adobe Acrobat 7.x - http://secunia.com/product/4594/

DESCRIPTION: Some bugs have been discovered in Adobe Reader and Adobe Acrobat, which may cause an included ActiveX control to crash. The bugs are caused due to errors in the AcroPDF ActiveX control (AcroPDF.dll) when processing arbitrary arguments passed to the "setPageMode()", "setLayoutMode()", "setNamedDest()", and "LoadFile()" methods.

NOTE: Secunia has currently decided to treat these issues as crash bugs as further internal research and dialogue with the vendor indicates that no risk of potential remote code execution has been proven. Currently, only crashes have been confirmed by locally executing a WSF file (Windows Script File), which is considered an untrusted file type.

The bugs are confirmed in Adobe Reader 7.0.5 and 7.0.8 for Windows. They have also been reported in Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform. Prior versions may also be affected.

SOLUTION: The vendor recommends deleting AcroPDF.dll (this workaround will prevent PDF documents from opening in Internet Explorer). The vendor is currently working on an update for version 7.0.8 for Adobe Reader and Adobe Acrobat.

PROVIDED AND/OR DISCOVERED BY: Originally reported in the "LoadFile()" method by Michal Bucko (sapheal), hack.pl. Other bugs reported by FrSIRT.

ORIGINAL ADVISORY: Adobe Systems: http://www.adobe.com/support/security/advisories/apsa06-02.html
 

 

PHP-Nuke 7.9 FINAL Released

Posted on Thursday, September 15, 2005 @ 02:34:22 CDT in Bugs and Alerts
by Raven

Posted at phpnuke.org

FB Writes: "Hello Nukers! PHP-Nuke 7.9 Final version is out now and available from here. This version includes a new variables validation and filtering system more effective and more secure, potential security vulnerabilities generated from the wysiwyg editor have been fixed, BBtoNuke 2.0.17, added banned IP edit function, improved search module internals, quotes and double quotes are now supported on all parts of the system, wysiwyg editor can be totally deactivated from config.php file, users groups fixes to properly load the members modules, several fixes in the advertising system and many more.

Also, there is already a road map for the future version 8.0. Since it's a totally new branch I planned lot of new features for that version. A new and redesigned administration system, more functional, more easy to use and more organization over its sections, new reorganization of Downloads module, more use of CSS style and many new features that all you'll love for sure.

The work of coding for the next version 8.0 will start in a couple of weeks since it requires lot of design first since the urgent need of a new administration system is one of the priorities for that release. You can expect improvements on almost all modules."

Note: 
I now have a copy - Thanks to a generous donor :). I and a few others will test it before making it available.
 

 

IMPORTANT cPanel User Guide Update

Posted on Monday, August 15, 2005 @ 22:24:12 CDT in Bugs and Alerts
by Raven

Nukeum66 writes:  
If you or anyone you know has downloaded the cpanel user guide before August 14, 2005 please be advised it has a major security hole. I have applied the fix to the available download and you should either re-download it or download the patched index.php file. Thanks, Scott Johnson

Get PATCH Only

(full) Download cPanel User Guide
 

 

phpnuke attachmod 2.3.14 released - Or Stolen?

Posted on Thursday, August 04, 2005 @ 01:13:31 CDT in Bugs and Alerts
by Raven

perfect-games writes:  
Anyone looking for phpbb ports over to phpnuke? Even if never been ported our friendly staff will be there to help. We have a number of mods released this week and more to follow from knowledgebase, shockwave arcade, v3 arcade ported as nuke module etc. If there are any ports you would like us to help you with, either forum or other cms ports, pop over www.portedmods.com and let us know. portedmods dev team

Note: 
From Mighty_Y: This gets me mad huh! He is just releasing the Attachment Mod v2.3.14 but he didn't even port it himself! I did the port and released it to http://support.code-area51.com. You can see he just took my package by reading the readme.txt included in the root of his package. He just made little changes to update my files to 2.3.14 but he forgot a zillion places which can definitely mess up your site! Please stay away from this release and use the package I will release later today, one that is tested like it should!
 

 

My GuestBook IMPORTANT READ THIS!!!!

Posted on Tuesday, March 08, 2005 @ 12:11:51 CST in Bugs and Alerts
by Raven

spcdata writes:  
Some serious bugs have been found in My GuestBook that have shown to be a big security risk!!

If you have downloaded and installed My GuestBook you should remove it as soon as possible!!! until I make a fix for it!!!!!

I'm terribly sorry and I apologize for this!!
 

 

Calendar bugs

Posted on Thursday, November 18, 2004 @ 03:16:47 CST in Bugs and Alerts
by Raven

southern writes:  
Category: Application (Calendar) > Event Calendar (PHP-Nuke Module) Vendors: holbrookau.net
Event Calendar Input Validation Holes Let Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1012245
SecurityTracker URL: http://securitytracker.com/id?1012245
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 16 2004

Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information


Note: 
From the author: "NOTICE Due to numerous security issues found recently, the PHP-Nuke Event Calendar module formally found on this site is no longer available. Sorry, but as I don't have the time nor expertise to try and patch up the code, I suggest to those using it to delete it from their sites and seek a more secure and up-to-date alternative. - Holbrookau"
 


