NOTE: This only affects the Microsoft Windows platform.

TITLE: Apache "mod_alias" URL Validation Canonicalization Vulnerability

SECUNIA ADVISORY ID: SA21490

VERIFY ADVISORY: http://secunia.com/advisories/21490/

CRITICAL: Less critical

IMPACT: Security Bypass, Exposure of sensitive information

WHERE: >From remote

SOFTWARE:
Apache 2.2.x -- http://secunia.com/product/9633/
Apache 2.0.x -- http://secunia.com/product/73/

DESCRIPTION: Susam Pal has discovered a vulnerability in Apache, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to an canonicalization error in the "mod_alias" module in the handling of case-sensitive alias directive arguments on file systems supporting case-insensitive directory names. This can e.g. be exploited to disclose the source code of applications placed in the "cgi-bin" directory on certain non-default configurations where the ScriptAlias directive references a directory inside the document root by accessing an URL with a capital directory name (e.g. "CGI-BIN"). The vulnerability has been confirmed in versions 2.0.59 and 2.2.3, and has also been reported in version 2.2.2. Other versions may also be affected.

Example of a vulnerable configuration: DocumentRoot "[path]/docroot/" ScriptAlias /cgi-bin/ "/[path]/docroot/cgi-bin"

SOLUTION: Edit the configuration to ensure that alias directives (e.g. ScriptAlias) references directories outside of the document root.

PROVIDED AND/OR DISCOVERED BY: Susam Pal, Infosys Technologies Ltd.

Follow the links to read the full reports.

TITLE: Microsoft Visual Basic for Applications Buffer Overflow
SECUNIA ADVISORY ID: SA21408
VERIFY ADVISORY: http://secunia.com/advisories/21408/
CRITICAL: Extremely critical
IMPACT: System access

TITLE: Windows Kernel Privilege Escalation Vulnerability
SECUNIA ADVISORY ID: SA21415
VERIFY ADVISORY: http://secunia.com/advisories/21415/
CRITICAL: Less critical
IMPACT: Privilege escalation

TITLE: Microsoft Windows Two Vulnerabilities
SECUNIA ADVISORY ID: SA21417
VERIFY ADVISORY: http://secunia.com/advisories/21417/
CRITICAL: Highly critical
IMPACT: Privilege escalation, System access

TITLE: Microsoft Management Console Cross-Site Scripting
SECUNIA ADVISORY ID: SA21401
VERIFY ADVISORY: http://secunia.com/advisories/21401/
CRITICAL: Highly critical
IMPACT: Cross Site Scripting, System access

TITLE: Windows DNS Resolution Code Execution Vulnerabilities
SECUNIA ADVISORY ID: SA21394
VERIFY ADVISORY: http://secunia.com/advisories/21394/
CRITICAL: Highly critical
IMPACT: System access

TITLE: Windows Server Service Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA21388
VERIFY ADVISORY: http://secunia.com/advisories/21388/
CRITICAL: Moderately critical
IMPACT: System access

TITLE: Internet Explorer Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA21396

VERIFY ADVISORY: http://secunia.com/advisories/21396/

CRITICAL: Highly critical

IMPACT: Exposure of sensitive information, System access

WHERE: >From remote

SOFTWARE:
Microsoft Internet Explorer 6.x -- http://secunia.com/product/11/
Microsoft Internet Explorer 5.01 -- http://secunia.com/product/9/

DESCRIPTION: Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to gain knowledge of certain information or compromise a user's system.

1) An error in the interpretation of HTML with certain layout positioning combinations can be exploited to corrupt memory and execute arbitrary code via a specially crafted web page.

2) An error in the way chained Cascading Style Sheets (CSS) are handled can be exploited to corrupt memory and execute arbitrary code via a specially crafted web page.

3) Another error in the HTML rendering can be exploited to corrupt memory and execute arbitrary code via a specially crafted web page.

4) Errors in the way Internet Explorer instantiates COM objects not intended to be instantiated in the browser can be exploited to execute arbitrary code via a specially crafted web page.

5) An error in the way the origin of a script is determined can be exploited to run a script in another domain or security zone than intended via a specially crafted web page.

6) Script may persist across navigations making it possible to use the script to access the window location of a web page in another domain or security zone.

ORIGINAL ADVISORY: MS06-042 (KB918899): http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

SOLUTION: Apply patches. (Read more) Read More...

TITLE: PHP "sscanf()" Code Execution Safe Mode Bypass

SECUNIA ADVISORY ID: SA21403

VERIFY ADVISORY: http://secunia.com/advisories/21403/

CRITICAL: Less critical

IMPACT: Security Bypass

WHERE: Local system

SOFTWARE:
PHP 4.4.x -- http://secunia.com/product/5768/
PHP 5.1.x -- http://secunia.com/product/6796/

DESCRIPTION: Heintz has discovered a vulnerability in PHP, which potentially can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to an array boundary error in the "sscanf()" PHP function in the processing of the "$1s" format specifier. This can be exploited to reference freed memory by passing an variable as argument which has been unset. Successful exploitation may e.g. allow bypass of the safe mode protection by executing arbitrary code. The vulnerability has been confirmed in versions 5.1.4 and 4.4.3. Other versions may also be affected.

SOLUTION: The vulnerability has been fixed in the CVS repository. Grant only trusted users access to affected systems.

PROVIDED AND/OR DISCOVERED BY: Heintz

ORIGINAL ADVISORY: http://bugs.php.net/bug.php?id=38322

TITLE: PHP Two Unspecified Vulnerabilities

SECUNIA ADVISORY ID: SA21328

VERIFY ADVISORY: http://secunia.com/advisories/21328/

CRITICAL: Moderately critical

IMPACT: Unknown

WHERE: >From remote

SOFTWARE: PHP 4.4.x -- http://secunia.com/product/5768/

DESCRIPTION: Two unspecified vulnerabilities with unknown impacts have been reported in PHP.

1) An offset/length parameter validation error exists in the "substr_compare()" function.

2) An unspecified error exists in the handling of certain characters in session names.

Many other issues, where some may be security related, have also been reported.

SOLUTION: Update to version 4.4.3. -- http://www.php.net/downloads.php

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: PHP Group: http://www.php.net/release_4_4_3.php

The security issues resolved include the following:

* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
* Improved safe_mode check for the error_log() function.
* Fixed cross-site scripting inside the phpinfo() function.
* Fixed offset/length parameter validation inside the substr_compare() function.

The release also includes about 20 bug fixes and an upgraded PCRE library (version 6.6).

For a full list of changes in PHP 4.4.3, read more...... Read More...

TITLE: McAfee Products Unspecified Code Execution Vulnerability

SECUNIA ADVISORY ID: SA21264

VERIFY ADVISORY: http://secunia.com/advisories/21264/

CRITICAL: Highly critical

IMPACT: System access

WHERE: >From remote

SOFTWARE: McAfee AntiSpyware 6.x - http://secunia.com/product/6439/
McAfee Internet Security Suite 2006 - http://secunia.com/product/11210/
McAfee Personal Firewall Plus 7.x - http://secunia.com/product/267/
McAfee Privacy Service 6.x - http://secunia.com/product/6481/
McAfee SpamKiller 7.x - http://secunia.com/product/7790/
McAfee VirusScan 10.x - http://secunia.com/product/9052/
McAfee Wireless Home Network Security 2006 - http://secunia.com/product/11211/

DESCRIPTION: eEye Digital Security has reported a vulnerability in various McAfee products, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an unspecified error and allows execution of arbitrary code. No more information is currently available.

SOLUTION: Sufficient information about the vulnerability is not available to suggest a proper workaround.

PROVIDED AND/OR DISCOVERED BY: eEye Digital Security

ORIGINAL ADVISORY: eEye Digital Security: http://www.eeye.com/html/research/upcoming/20060719.html