Ravens PHP Scripts: Security



 

 
 

 

NukeSentinel[tm] Patch Re-Released For Version 2.4.2 SQL Injection

Posted on Sunday, December 18, 2005 @ 00:20:55 CST in Security
by Raven

I have re-released a patch (v2.4.2pl2) for the SQL injection exploit that was recently discovered by Feloci and reported by Technocrat. Even though it is powerless against RavenNuke76, I recommend that everyone who uses NukeSentinel(tm) download and apply this patch ASAP!

Read about the issue and fix NukeSentinel(tm) Patch Level 2.4.2pl2. Download NukeSentinel(tm) Patch Level 2.4.2pl2
 

 

NukeSentinel[tm] Patch Released For Version 2.4.2 SQL Injection

Posted on Friday, December 16, 2005 @ 00:28:11 CST in Security
by Raven

I have released a patch (v2.4.2pl1) for the SQL injection exploit that was recently discovered by Feloci and reported by Technocrat. Even though it is powerless against RavenNuke76, I recommend that everyone who uses NukeSentinel(tm) download and apply this patch ASAP!

Download NukeSentinel(tm) Patch Level 2.4.2pl1
 

 

NukeSentinel[tm] Security Alert And Fix

Posted on Tuesday, December 13, 2005 @ 23:39:15 CST in Security
by Raven

There have been a series of recent attacks on sites that are not patched current with Chatserv's 3.x series. This specially crafted URL was also able to bypass the filters in NukeSentinel(tm). There's more to the story, but read the thread Recent UNION exploit with unpatched sites and NukeSentinel for the fix. The download will be corrected shortly.

Thanks to Technocrat for first making me aware of this and for also being persistent to get a good fix!
 

 

Attack code released for IE hole

Posted on Tuesday, November 22, 2005 @ 06:55:02 CST in Security
by Raven

"Exploit code for a new flaw in Internet Explorer could put systems at risk of remote attack, security experts warned Monday."

The exploit code, made public Monday, aims to take advantage of the "extremely critical" vulnerabilities in IE 5.5 and IE 6 running on XP Service Pack 2 (SP2), and IE 6 running on Windows 2000 SP4, security researcher Secunia said in an advisory.

Once a PC user is tricked into visiting a malicious Web site, the exploit can be triggered automatically, without the user doing anything.

"An attacker could use the exploit to run any code they want to on a person's system," said Thomas Kristensen, Secunia's chief technology officer. "It could be they want to launch some really nasty code on a user's system."

The flaw lies in a Javascript component of IE used for loading Web pages onto a computer, according to an advisory from SANS Internet Storm Center.

Microsoft has not released a patch for the hole exploited by the code. People can attempt to work around the problem by either shutting off Javascript or using another type of browser, security companies advised.

Security researchers said the IE vulnerability has been known for the past six months, ...



 

 

phpMyAdmin HTTP Response Splitting Vulnerability

Posted on Wednesday, November 16, 2005 @ 09:24:13 CST in Security
by Raven

qfk writes:  
TITLE: phpMyAdmin HTTP Response Splitting Vulnerability
SECUNIA ADVISORY ID: SA17578
VERIFY ADVISORY: http://secunia.com/advisories/17578/
CRITICAL: Less critical
IMPACT: Exposure of system information, Cross Site Scripting
WHERE: From remote
SOFTWARE: phpMyAdmin 2.x
http://secunia.com/product/1720/
phpMyAdmin 1.x
http://secunia.com/product/1719/

DESCRIPTION: Toni Koivunen has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct HTTP response splitting attacks. Some input passed to "libraries/header_http.inc.php" isn't properly sanitised before being returned to the user. This can be exploited to include arbitrary HTTP headers in a response sent to the user. Successful exploitation requires that "register_globals" is enabled. It is also possible to disclose the full path to certain scripts by accessing them directly. The vulnerability has been reported in versions prior to 2.6.4-pl4 and in version 2.7.0-beta1.

SOLUTION: Update to version 2.6.4-pl4.
http://www.phpmyadmin.net/home_page/downloads.php
PROVIDED AND/OR DISCOVERED BY: Toni Koivunen
ORIGINAL ADVISORY: Toni Koivunen: http://www.fitsec.com/advisories/FS-05-02.txt
phpMyAdmin: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
 


