Information Security


DoS against OpenSSH
Published: August 5, 2011
Source:
SecurityVulns ID: 11833
Type: remote
Severity level: 6/10
Description: Memory exhaustion during GSSAPI authentication.
Original text: pi3_(at)_itsec.pl, Useless OpenSSH resources exhausion bug via GSSAPI (05.08.2011)

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: August 5, 2011
Source:
SecurityVulns ID: 11835
Type: remote
Severity level: 5/10
Description: PHP injections, SQL injections, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: VBULLETIN : Vbulletin 4.1
 TELLIGENT : Community Server 2007
 WORDPRESS : WP E-Commerce 3.8
Original text: haroon_(at)_live.it, Cross Site Scription Vulnerability in vBulletin 4.1.3, 4.1.4 and 4.1.5 (05.08.2011)
 High-Tech Bridge Security Research, XSS in WP e-Commerce (05.08.2011)
 Advisories PontoSec, Community Server - Stored Cross-Site Scripting in User's Signature (05.08.2011)

Cross-application scripting in Android
Published: August 5, 2011
Source:
SecurityVulns ID: 11836
Type: local
Severity level: 4/10
Description: An application can execute a script in the browser in the context of any domain.
Affected products: GOOGLE : Android 2.3
 ANDROID : Android 3.1
CVE:CVE-2011-2357 (Cross-application scripting vulnerability in the Browser URL loading functionality in Android 2.3.4 and 3.1 allows local applications to bypass the sandbox and execute arbitrary Javascript in arbitrary domains by (1) causing the MAX_TAB number of tabs to be opened, then loading a URI to the targeted domain into the current tab, or (2) making two startActivity function calls beginning with the targeted domain's URI followed by the malicious Javascript while the UI focus is still associated with the targeted domain.)
Original text: Roee Hay, Android Browser Cross-Application Scripting (CVE-2011-2357) (05.08.2011)

Security vulnerabilities in the ThreeDify Designer ActiveX control
Published: August 5, 2011
Source:
SecurityVulns ID: 11837
Type: client
Severity level: 5/10
Description: Insecure methods, buffer overflow.
Affected products: THREEDIFY : ThreeDify Designer 5.0
Original text: High-Tech Bridge Security Research, ThreeDify Designer ActiveX control multiple buffer overflow vulnerabilities (05.08.2011)
 High-Tech Bridge Security Research, ThreeDify Designer ActiveX control Insecure Method (05.08.2011)

Multiple security vulnerabilities in Apple QuickTime
Updated since August 5, 2011
Published: September 5, 2011
Source:
SecurityVulns ID: 11834
Type: remote
Severity level: 7/10
Description: Memory corruption when parsing PICT, JPEG2000, WAV, JPEG, GIF and various video formats, cross-site scripting.
Affected products: QUICKTIME : QuickTime 7.6
CVE:CVE-2011-0258 (Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file.)
 CVE-2011-0257 (Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow.)
 CVE-2011-0256 (Integer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted track run atoms in a QuickTime movie file.)
 CVE-2011-0252 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STTS atoms in a QuickTime movie file.)
 CVE-2011-0251 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSZ atoms in a QuickTime movie file.)
 CVE-2011-0250 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSS atoms in a QuickTime movie file.)
 CVE-2011-0249 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted STSC atoms in a QuickTime movie file.)
 CVE-2011-0248 (Stack-based buffer overflow in the QuickTime ActiveX control in Apple QuickTime before 7.7 on Windows, when Internet Explorer is used, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted QTL file.)
 CVE-2011-0247 (Multiple stack-based buffer overflows in Apple QuickTime before 7.7 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted H.264 movie.)
 CVE-2011-0246 (Heap-based buffer overflow in Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.)
 CVE-2011-0245 (Buffer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted pict file.)
 CVE-2011-0213 (Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG file.)
 CVE-2011-0211 (Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file.)
 CVE-2011-0210 (QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted sample tables in a movie file.)
 CVE-2011-0209 (Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RIFF WAV file.)
 CVE-2011-0187 (The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via vectors involving a cross-site redirect.)
 CVE-2011-0186 (QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG2000 image.)
Original text: ZDI, ZDI-11-277: Apple QuickTime 3g2 'mp4v' atom size Remote Code Execution Vulnerability (05.09.2011)
 ZDI, ZDI-11-259: Apple QuickTime STSZ atom Parsing Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-258: Apple QuickTime STSC atom Parsing Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-257: Apple QuickTime Player H.264 Slice Header Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-256: Apple QuickTime Media Link src Parameter Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-255: Apple QuickTime Player H.264 Reference Picture List Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-254: Apple QuickTime 'trun' atom sampleCount Integer Overflow Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-252: Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability (17.08.2011)
 ZDI, ZDI-11-251: Apple QuickTime STSS atom Parsing Remote Code Execution Vulnerability (10.08.2011)
 ZDI, ZDI-11-250: Apple QuickTime STTS atom Remote Code Execution Vulnerability (10.08.2011)
 APPLE, APPLE-SA-2011-08-03-1 QuickTime 7.7 (05.08.2011)
Files: About the security content of QuickTime 7.7

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod