HPSBMA02489-SSRT090065.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

HP Security Bulletin – A potential vulnerability has been identified with HP Performance Insight. The vulnerability could be exploited remotely to execute arbitrary commands.

ZDI-10-026.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

Zero Day Initiative Advisory 10-026 – This vulnerability allows remote attackers to execute arbitrary commands on vulnerable installations of Hewlett-Packard Performance Insight. Authentication is not required to exploit this vulnerability. The specific flaw exists in the handling of requests to the helpmanager servlet running on the Performance Insight web server. Insufficient input validation and authentication allow arbitrary JSP pages to be uploaded, which can be leveraged to execute arbitrary OS commands. Exploitation of this vulnerability allows an attacker to gain control of the affected system under SYSTEM credentials.

MDVSA-2010-058.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

Mandriva Linux Security Advisory 2010-058 – Multiple vulnerabilities have been found and corrected in PHP. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues.

CORE-2009-0813.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

Core Security Technologies Advisory – A vulnerability was found in Windows Movie Maker and Microsoft Producer, which can be triggered by a remote attacker by sending a specially crafted file and enticing the user to open it. This vulnerability results in a write access violation and can lead to remote code execution.

CORE-2009-1103.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

Core Security Technologies Advisory – A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.

TA10-068A.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

Technical Cyber Security Alert 2010-68A – Microsoft has released updates to address vulnerabilities in Microsoft Windows and Microsoft Office.

Vuln: Microsoft Excel Object Type Confusion Remote Code Execution Vulnerability

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

Microsoft Excel Object Type Confusion Remote Code Execution Vulnerability

Vuln: Microsoft Excel MDXSET Record Remote Heap Buffer Overflow Vulnerability

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

Microsoft Excel MDXSET Record Remote Heap Buffer Overflow Vulnerability

ZDI-10-025.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 09-03-2010

Zero Day Initiative Advisory 10-025 – This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists in the decompression of XLSX files. The XLSX file is a ZIP archive of the associated content making up the new Open XML Document. Due to the lack of validation on the ZIP header when decompressing certain XML elements, it is possible to execute uninitialized memory. Successful exploitation can lead to remote code execution under the credentials of the currently logged in user.

Bugtraq: ZDI-10-025: Microsoft Office Excel XLSX File Parsing Remote Code Execution Vulnerability

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

ZDI-10-025: Microsoft Office Excel XLSX File Parsing Remote Code Execution Vulnerability

Bugtraq: Re: Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

Re: Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass

Bugtraq: [security bulletin] HPSBMA02489 SSRT090065 rev.1 – HP Performance Insight, Remote Execution of Arbitrary Commands

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

[security bulletin] HPSBMA02489 SSRT090065 rev.1 – HP Performance Insight, Remote Execution of Arbitrary Commands

Bugtraq: IBM ENOVIA SmarTeam v5 Cross Site Scripting Vulnerability

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

IBM ENOVIA SmarTeam v5 Cross Site Scripting Vulnerability

Bugtraq: SQL injection vulnerability in wILD CMS

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 09-03-2010

SQL injection vulnerability in wILD CMS

Debian: 2009-1: tdiary: insufficient input sanitisi

Posted by LinuxSecurity.com - Security Advisories | Posted in Advisories | Posted on 09-03-2010

LinuxSecurity.com: It was discovered that tdiary, a communication-friendly weblog system, is prone to a cross-site scripting vulnerability due to insufficient input sanitising in the TrackBack transmission plugin.

Mandriva: 2010:058: php

Posted by LinuxSecurity.com - Security Advisories | Posted in Advisories | Posted on 09-03-2010

LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in php:
* Improved LCG entropy. (Rasmus, Samy Kamkar)
* Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)

dsa-2008-1.txt

Posted by Packet Storm Security Advisories | Posted in Advisories | Posted on 08-03-2010

Debian Linux Security Advisory 2008-1 – Several remote vulnerabilities have been discovered in the TYPO3 web content management framework: Cross-site scripting vulnerabilities have been discovered in both the frontend and the backend. Also, user data could be leaked.

Pardus: 2010-39: Firefox: Multiple Vulnerabilities

Posted by LinuxSecurity.com - Security Advisories | Posted in Advisories | Posted on 08-03-2010

LinuxSecurity.com: Multiple vulnerabilities have been fixed in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks or compromise a user’s system.

Pardus: 2010-38: Sudo: Privilege Escalation

Posted by LinuxSecurity.com - Security Advisories | Posted in Advisories | Posted on 08-03-2010

LinuxSecurity.com: A security issue has been fixed in sudo, which can be exploited by malicious, local users to gain escalated privileges.

Bugtraq: Re: phpinfo() XSS Vulnerability

Posted by SecurityFocus Vulnerabilities | Posted in Advisories | Posted on 08-03-2010

Re: phpinfo() XSS Vulnerability