[Full-disclosure] VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

2010-04-09 Thread VMware Security team
VMware Security Advisory Advisory ID: VMSA-2010-0007 Synopsis: VMware hosted products, vCenter Server and ESX patches

[Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters

2010-04-09 Thread Tavis Ormandy
Java Deployment Toolkit Performs Insufficient Validation of Parameters - Java Web Start (henceforth, jws) provides java developers with a way to let users launch and install their applications using a URL to a Java Networking

Re: [Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters

2010-04-09 Thread Larry Seltzer
jws seems to be one of those gifts that keeps on giving. I don't have actual numbers, but it seems to me I see it mentioned regularly in their vulnerability reports.

[Full-disclosure] Secunia Research: Pulse CMS Arbitrary File Upload Vulnerability

2010-04-09 Thread Secunia Research
Secunia Research 08/04/2010 - Pulse CMS Arbitrary File Upload Vulnerability - Table of Contents Affected

[Full-disclosure] Secunia Research: Pulse CMS Cross-Site Request Forgery

2010-04-09 Thread Secunia Research
Secunia Research 08/04/2010 - Pulse CMS Cross-Site Request Forgery - Table of Contents Affected

[Full-disclosure] List Charter

2010-04-09 Thread John Cartwright
[Full-Disclosure] Mailing List Charter John Cartwright jo...@grok.org.uk - Introduction Purpose - This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk. The list was created on 9th July 2002 by Len Rose, and is primarily concerned with

[Full-disclosure] Vulnerabilities in phpCOIN

2010-04-09 Thread MustLive
Hello Full-Disclosure! I want to warn you about security vulnerabilities in system phpCOIN. - Advisory: Vulnerabilities in phpCOIN - URL: http://websecurity.com.ua/4090/ - Affected products: phpCOIN 1.6.5 and

Re: [Full-disclosure] Vulnerabilities in phpCOIN

2010-04-09 Thread Jan G.B.
2010/4/9 MustLive mustl...@websecurity.com.ua: Hello Full-Disclosure! Quoting the list charter: Gratuitous advertisement, product placement, or self-promotion is forbidden. And where's the point in reporting several projects that use a -say- library which has a reported problem? (I mean,

Re: [Full-disclosure] Vulnerabilities in phpCOIN

2010-04-09 Thread Valdis . Kletnieks
On Fri, 09 Apr 2010 15:49:58 +0200, Jan G.B. said: And where's the point in reporting several projects that use a -say- library which has a reported problem? (I mean, you've sent quite the same mail with a different software to bugtraq, today.) A few years ago, a rather nasty vulnerability

Re: [Full-disclosure] Vulnerabilities in phpCOIN

2010-04-09 Thread Jan G.B.
2010/4/9 valdis.kletni...@vt.edu: On Fri, 09 Apr 2010 15:49:58 +0200, Jan G.B. said: And where's the point in reporting several projects that use a -say- library which has a reported problem? (I mean, you've sent quite the same mail with a different software to bugtraq, today.) A few years

[Full-disclosure] LFI In Multi Profit Websites

2010-04-09 Thread rockey killer
Local File Inclusion (LFI) in Multi Profit Websites Multi Profit Websites is a commercial script that is running on multiple domains and they claim that this script earns money for the owner. Vulnerability Local File Inclusion Via URL which can be reproduced by

Re: [Full-disclosure] Vulnerabilities in phpCOIN

2010-04-09 Thread Christian Sciberras
I think Universities should rethink their Software Development courses... Valdis has got a very strong point. Here's my own. I got Safari to test websites I develop. Apple seems to think that during a recommended/critical Safari update, I should be installing iTunes. Oh, and surprise, with iTunes

Re: [Full-disclosure] Vulnerabilities in phpCOIN

2010-04-09 Thread Jeff Kell
Amen to that. Everything seems to be delivered for installation and even increasingly with *each* update, carrying various hitch hiker applications... toolbars, trial software, etc. Sun Java updates installing toolbars, Adobe doing toolbars, even FoxIT installed some toolbars (even after I

[Full-disclosure] ZDI-10-068: Apple QuickTime H.263 Array Index Parsing Remote Code Execution Vulnerability

2010-04-09 Thread ZDI Disclosures
ZDI-10-068: Apple QuickTime H.263 Array Index Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-068 April 9, 2010 -- CVE ID: CVE-2010-0062 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection:

[Full-disclosure] Vulnerability in Tembria Server Monitor

2010-04-09 Thread Security
Hi, Please find the advisory in attachment. Regards, Sébastien Duquette Corelan Team Advisory CORELAN-10-022 Reference : CVE-2010-1316 Disclosure date : April 8th, 2010 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-022 00 : Vulnerability information Product : Tembria

[Full-disclosure] [USN-927-1] NSS vulnerability

2010-04-09 Thread Jamie Strandboge
Ubuntu Security Notice USN-927-1 April 09, 2010 nss vulnerability CVE-2009-3555 A security issue affects the following Ubuntu releases: Ubuntu 9.10 This advisory

[Full-disclosure] iDefense Security Advisory 04.09.10: VMware VMnc Codec Heap Overflow Vulnerability

2010-04-09 Thread iDefense Labs
iDefense Security Advisory 04.09.10 http://labs.idefense.com/intelligence/vulnerabilities/ Apr 09, 2010 I. BACKGROUND VMware Inc. markets several virtualization products such as ACE, Player, Server, and Workstation. These products include a video coder-decoder (codec) called 'vmnc.dll', or

[Full-disclosure] [USN-920-1] Firefox 3.0 and Xulrunner vulnerabilities

2010-04-09 Thread Jamie Strandboge
Ubuntu Security Notice USN-920-1 April 09, 2010 firefox-3.0, xulrunner-1.9 vulnerabilities CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177, CVE-2010-0178, CVE-2010-0179

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-09 Thread Tracy Reed
On Wed, Apr 07, 2010 at 03:52:00PM -0600, Digital X spake thusly: Having just gone through a PCI audit I can safely say a few things: Not the fault of PCI. Perhaps you should consider a better auditor. -- Tracy Reed http://tracyreed.org

[Full-disclosure] CVE-2009-4510: TANDBERG VCS Static SSH Host Keys

2010-04-09 Thread VSR Advisories
: Firmware version x5.1.1 released [2]. CVE Candidate: CVE-2009-4510 Reference: http://www.vsecurity.com/resources/advisory/20100409-2/ Product Description - From [1]: The Video Communication

[Full-disclosure] CVE-2009-4511: TANDBERG VCS Arbitrary File Retrieval

2010-04-09 Thread VSR Advisories
Status: Firmware update released [2] CVE Candidate: CVE-2009-4511 Reference: http://www.vsecurity.com/resources/advisory/20100409-3/ Product Description - From [1]: The Video Communication

[Full-disclosure] CVE-2009-4509: TANDBERG VCS Authentication Bypass

2010-04-09 Thread VSR Advisories
Vendor Status: Update released (without security advisory) on October 9, 2009 CVE Candidate: CVE-2009-4509 Reference: http://www.vsecurity.com/resources/advisory/20100409-1/ Product Description