Spyware, Viruses, & Security forum

General discussion

VULNERABILITIES \ FIXES - January 27, 2009

by Marianna Schmudlach / January 26, 2009 11:48 PM PST

Fedora update for dia

Release Date: 2009-01-27

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


OS: Fedora 9

Description:
Fedora has issued an update for dia. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

For more information:
SA33672

Solution:
Apply updated packages via the yum utility ("yum update dia").

Original Advisory:
FEDORA-2009-1057:
https://www.redhat.com/archives/fedor...e-announce/2009-January/msg01065.html

Other References:
SA33672:
http://secunia.com/advisories/33672/

WB News "config[installdir]" Multiple File Inclusion Vulnera
by Marianna Schmudlach / January 26, 2009 11:49 PM PST

Release Date: 2009-01-27

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


Software: WB News 2.x

Description:
HACKERS PAL has discovered some vulnerabilities in WB News, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "config[installdir]" parameter in search.php, archive.php, comments.php, news.php, base/News.php, base/SendFriend.php, base/Archive.php, and base/Comments.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local and external resources.

Successful exploitation of these vulnerabilities requires that "register_globals" is enabled.

These vulnerabilities are confirmed in version 2.0.1. Other versions may also be affected.

Solution:
Update to version 2.1.0.

Provided and/or discovered by:
HACKERS PAL
http://secunia.com/advisories/33691/

Fedora update for vnc
by Marianna Schmudlach / January 26, 2009 11:51 PM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Fedora 9

Description:
Fedora has issued an update for vnc. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a user's system.

Solution:
Apply updated packages using the yum utility ("yum update vnc").

Original Advisory:
FEDORA-2009-1001:
https://www.redhat.com/archives/fedor...e-announce/2009-January/msg01025.html

Other References:
SA32317:
http://secunia.com/advisories/32317/

SAP NetWeaver Cross-Site Scripting Vulnerability
by Marianna Schmudlach / January 26, 2009 11:52 PM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: SAP NetWeaver 4.x

Description:
A vulnerability has been reported in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation may require that the victim uses a browser which executes JavaScript statements in documents of the content type "text/plain" (e.g. Internet Explorer).

Solution:
The vendor has reportedly issued a patch via SAP Note 1235253.
http://service.sap.com/sap/support/notes/1235253

Provided and/or discovered by:
Martin Suess, Compass Security

Original Advisory:
SAP:
http://service.sap.com/sap/support/notes/1235253

Compass Security:
http://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt

ConPresso CMS Session Fixation and Cross-Site Scripting
by Marianna Schmudlach / January 26, 2009 11:55 PM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Hijacking
Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: ConPresso CMS 4.x

Description:
David Vieira-Kurz has discovered some vulnerabilities in ConPresso, which can be exploited by malicious people to conduct session fixation and script insertion attacks.

Solution:
Edit the source code to ensure that input is properly sanitised. Do not follow links from untrusted sources.

Provided and/or discovered by:
David Vieira-Kurz

GLPI SQL Injection Vulnerabilities
by Marianna Schmudlach / January 26, 2009 11:56 PM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Manipulation of data

Where: From remote
Solution Status: Vendor Patch


Software: GLPI 0.x

Description:
Some vulnerabilities have been reported in GLPI, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed via unspecified parameters is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are reported in versions prior to 0.71.4.

Solution:
Update to version 0.71.4 or later.

Provided and/or discovered by:
moyo

Original Advisory:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=161&lang=en
https://dev.indepnet.net/glpi/ticket/1224

Debian update for typo3-src
by Marianna Schmudlach / January 26, 2009 11:57 PM PST

Release Date: 2009-01-27

Critical:
Highly critical
Impact: Hijacking
Security Bypass
Cross Site Scripting
System access

Where: From remote
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for typo3-src. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and compromise a vulnerable system.

Solution:
Apply updated packages and regenerate the encryption key.

Original Advisory:
DSA-1711-1:
http://lists.debian.org/debian-security-announce/2009/msg00019.html

Other References:
SA33617:
http://secunia.com/advisories/33617/

Ubuntu update for xine-lib
by Marianna Schmudlach / January 26, 2009 11:59 PM PST

Release Date: 2009-01-27

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10
Ubuntu Linux 8.04
Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for xine-lib. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Apply updated packages.

Original Advisory:
USN-710-1:
https://lists.ubuntu.com/archives/ubu...ity-announce/2009-January/000829.html

Other References:
SA31502:
http://secunia.com/advisories/31502/

SA31567:
http://secunia.com/advisories/31567/

Ubuntu update for ktorrent
by Marianna Schmudlach / January 27, 2009 12:01 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Security Bypass
System access

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 7.10
Ubuntu Linux 8.04
Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for ktorrent. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system and malicious people to bypass certain security restrictions.

Solution:
Apply updated packages.

Original Advisory:
USN-711-1:
https://lists.ubuntu.com/archives/ubu...ity-announce/2009-January/000830.html

Other References:
SA32442:
http://secunia.com/advisories/32442/

Fedora update for kernel
by Marianna Schmudlach / January 27, 2009 12:02 AM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Privilege escalation
DoS

Where: From remote
Solution Status: Vendor Patch


OS: Fedora 9

Description:
Fedora has issued an update for the kernel. This fixes a security issue, which can be exploited by malicious, local users to potentially cause a DoS (Denial of Service) or gain escalated privileges.

Solution:
Apply updated packages using the yum utility ("yum update kernel").

Original Advisory:
FEDORA-2009-0816:
https://www.redhat.com/archives/fedor...e-announce/2009-January/msg01045.html

Other References:
SA33477:
http://secunia.com/advisories/33477/

Dia Insecure Python Module Search Path Vulnerability
by Marianna Schmudlach / January 27, 2009 12:03 AM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


Software: Dia 0.x

Description:
A vulnerability has been reported in Dia, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to Dia using the current working directory as part of the module search path. This can be exploited to e.g. execute arbitrary Python code with the privileges of another user by tricking the user into executing Dia in a directory containing a Python file named like one of the modules Dia uses.

Solution:
Do not execute Dia in untrusted directories.

Provided and/or discovered by:
James Vega

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251
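
A way to check for the condition this advisory describes, as an added example that is not part of the original post or of Dia's code: it flags module search path entries that depend on the current working directory and lists the files there that an import would pick up. The function names, the module list and the sample directory are assumptions constructed for illustration; the advisory does not name the modules involved.

```python
import os
import tempfile

# Hypothetical module names an embedding application might import (assumption).
ASSUMED_MODULES = ("gettext", "string", "math")


def risky_entries(search_path, cwd):
    """Return search path entries that resolve against, or equal, cwd."""
    cwd_real = os.path.realpath(cwd)
    risky = []
    for entry in search_path:
        if not os.path.isabs(entry):
            # '', '.' and any other relative entry are resolved against the
            # working directory at import time.
            risky.append(entry)
        elif os.path.realpath(entry) == cwd_real:
            risky.append(entry)
    return risky


def hardened_path(search_path, cwd):
    """Return search_path with every cwd-dependent entry removed."""
    risky = set(risky_entries(search_path, cwd))
    return [entry for entry in search_path if entry not in risky]


def shadowing_files(directory, module_names):
    """List files and packages in directory that an import of one of
    module_names would load if directory were on the search path."""
    suffixes = (".py", ".pyc", ".so", ".pyd")
    wanted = set(module_names)
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        stem = name.split(".", 1)[0]
        if os.path.isfile(full) and name.endswith(suffixes) and stem in wanted:
            hits.append(name)
        elif (os.path.isdir(full) and name in wanted
              and os.path.isfile(os.path.join(full, "__init__.py"))):
            hits.append(name + "/")
    return hits


def demo():
    """Constructed scenario: a scratch directory that holds a diagram next to
    files named like modules, and a search path that includes that directory."""
    with tempfile.TemporaryDirectory() as workdir:
        for fname in ("gettext.py", "notes.txt", "diagram.dia"):
            open(os.path.join(workdir, fname), "w").close()
        os.mkdir(os.path.join(workdir, "string"))
        open(os.path.join(workdir, "string", "__init__.py"), "w").close()

        # Constructed search path; the absolute entries are sample values.
        path = ["", "/usr/lib/python2.5", ".", workdir,
                "/usr/lib/python2.5/site-packages"]
        risky = risky_entries(path, workdir)
        shadows = shadowing_files(workdir, ASSUMED_MODULES)
        return risky, shadows, hardened_path(path, workdir)


if __name__ == "__main__":
    risky, shadows, safe = demo()
    print("cwd-dependent entries:", risky)
    print("files that would shadow modules:", shadows)
    print("search path without them:", safe)
```
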

VirtueMart Multiple SQL Injection Vulnerabilities
by Marianna Schmudlach / January 27, 2009 12:04 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Vendor Patch


Software: VirtueMart 1.x
VirtueMart Joomla! eCommerce Edition 1.x

Description:
Some vulnerabilities have been discovered in VirtueMart, which can be exploited by malicious people and users to conduct SQL injection attacks.

These vulnerabilities are confirmed in version 1.1.2. Other versions may also be affected.

Solution:
Update to version 1.1.3.

Provided and/or discovered by:
Janek Vind

Original Advisory:
Janek Vind:
http://www.waraxe.us/advisory-71.html

VirtueMart:
https://dev.virtuemart.net/cb/wiki/2878

ITLPoll "id" SQL Injection Vulnerability
by Marianna Schmudlach / January 27, 2009 12:05 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: ITLPoll 2.x

Description:
fuzion has discovered a vulnerability in ITLPoll, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in index.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 2.7 Stable2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Set "magic_quotes_gpc" to "On".

Provided and/or discovered by:
fuzion

Original Advisory:
http://milw0rm.com/exploits/7867

FlexCell Grid ActiveX Control "SaveFile()" and "ExportToXML(
by Marianna Schmudlach / January 27, 2009 12:06 AM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: FlexCell Grid ActiveX Control 5.x



Description:
Houssamix has discovered two vulnerabilities in the FlexCell Grid ActiveX control, which can be exploited by malicious people to overwrite arbitrary files.

The vulnerability is caused due to the FlexCell.Grid ActiveX control (FlexCell.ocx) providing the insecure "SaveFile()" and "ExportToXML()" methods. This can be exploited to corrupt arbitrary files in the context of the currently logged-on user.

The vulnerabilities are confirmed in FlexCell.ocx version 5.7.0.2. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Houssamix

Original Advisory:
http://milw0rm.com/exploits/7868

MW6 Technologies Barcode ActiveX "Supplement" Buffer Overflo
by Marianna Schmudlach / January 27, 2009 12:07 AM PST

Release Date: 2009-01-27

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: MW6 Technologies 1D Barcode ActiveX Control 3.x



Description:
Houssamix has discovered a vulnerability in the MW6 Technologies Barcode ActiveX control, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the Barcode.MW6Barcode.1 ActiveX control (Barcode.dll). This can be exploited to cause a heap-based buffer overflow via an overly long string assigned to the "Supplement" property.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in Barcode.dll version 3.0.0.1. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Houssamix

Original Advisory:
http://milw0rm.com/exploits/7869

Script Toko Online "cat_id" SQL Injection Vulnerability
by Marianna Schmudlach / January 27, 2009 12:08 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Script Toko Online 5.x

Description:
k1n9k0ng has reported a vulnerability in Script Toko Online, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat_id" parameter in shop_display_products.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 5.01. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
k1n9k0ng

Original Advisory:
http://milw0rm.com/exploits/7873

SHOP-INET "grid" SQL Injection Vulnerability
by Marianna Schmudlach / January 27, 2009 12:09 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: SHOP-INET 4.x

Description:
A vulnerability has been reported in SHOP-INET, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "grid" parameter in show_cat2.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences using a proxy.

Provided and/or discovered by:
FeDeReR

Original Advisory:
http://milw0rm.com/exploits/7874

Piggydb Cross-Site Scripting Vulnerability
by Marianna Schmudlach / January 27, 2009 12:10 AM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: Piggydb 3.x

Description:
A vulnerability has been reported in Piggydb, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 3.3.

Solution:
Update to version 3.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://piggydb.devjavu.com/wiki/changelog

Wazzum Dating Software "userid" SQL Injection Vulnerability
by Marianna Schmudlach / January 27, 2009 12:11 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Wazzum Dating Software 2.x

Description:
nuclear has reported a vulnerability in Wazzum Dating Software, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "userid" parameter in profile_view.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
nuclear

Original Advisory:
http://milw0rm.com/exploits/7877

GLinks "cat" SQL Injection Vulnerability
by Marianna Schmudlach / January 27, 2009 12:13 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: GLinks 2.x

Description:
nuclear has discovered a vulnerability in GLinks, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat" parameter in index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in version 2.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
nuclear

Original Advisory:
http://milw0rm.com/exploits/7878

ClickAuction "txtEmail" and "txtPassword" SQL Injection Vuln
by Marianna Schmudlach / January 27, 2009 12:14 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Security Bypass
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: ClickAuction

Description:
R3d D3v!L has reported some vulnerabilities in ClickAuction, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "txtEmail" and "txtPassword" parameters in login_check.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

These vulnerabilities can be exploited to bypass the authentication mechanism.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
R3d D3v!L

Original Advisory:
http://milw0rm.com/exploits/7880

Joomla Flash Magazine Deluxe Component "mag_id" SQL Injectio
by Marianna Schmudlach / January 27, 2009 12:15 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Flash Magazine Deluxe (component for Joomla!)

Description:
TurkGuvenligi has reported a vulnerability in the Flash Magazine Deluxe component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "mag_id" parameter in index.php (when "option" is set to "com_flashmagazinedeluxe") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
TurkGuvenligi

Original Advisory:
http://milw0rm.com/exploits/7881

Ubuntu update for vim
by Marianna Schmudlach / January 27, 2009 12:17 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10
Ubuntu Linux 8.04
Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for vim. This fixes a weakness and a vulnerability, which can be exploited by malicious people to compromise a user's system.

Original Advisory:
USN-712-1:
https://lists.ubuntu.com/archives/ubu...ity-announce/2009-January/000831.html

Other References:
SA30731:
http://secunia.com/advisories/30731/

SA31592:
http://secunia.com/advisories/31592/

Microsoft Windows Mobile Bluetooth Stack OBEX Directory Trav
by Marianna Schmudlach / January 27, 2009 12:18 AM PST

Release Date: 2009-01-27

Critical:
Less critical
Impact: Security Bypass
Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


OS: Microsoft Windows Mobile 6.x

Description:
Alberto Moreno Tablado has reported a vulnerability in Microsoft Windows Mobile, which can be exploited by malicious users to disclose sensitive information and bypass certain security restrictions.

The vulnerability is caused due to an input validation error in the Bluetooth OBEX FTP server. This can be exploited to download or upload arbitrary files outside the root directory via directory traversal attacks.

Successful exploitation requires OBEX read or write access.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Alberto Moreno Tablado

Original Advisory:
http://www.seguridadmobile.com/window...etooth-Stack-Directory-Traversal.html

OpenX Multiple Vulnerabilities
by Marianna Schmudlach / January 27, 2009 12:19 AM PST

Release Date: 2009-01-27

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data
Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: OpenX (formerly Openads and phpAdsNew) 2.x

Description:
Multiple vulnerabilities have been discovered in OpenX, which can be exploited by malicious people to conduct cross-site scripting, cross-site request forgery, and file inclusion attacks and by malicious users to conduct script insertion and SQL injection attacks.

NOTE: Other vulnerabilities may also exist.

The vulnerabilities are confirmed in version 2.6.3. Other versions may also be affected.

Solution:
Use another product.

Provided and/or discovered by:
Sarid Harper, Secunia.

The local file inclusion vulnerability via the "MAX_type" parameter (#22) was also independently discovered and publicly reported by Charlie.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2009-4/

Charlie:
http://milw0rm.com/exploits/7883

First release candidate of Internet Explorer 8 available
by Marianna Schmudlach / January 27, 2009 12:24 AM PST

27 January 2009

Microsoft has made the first release candidate of Internet Explorer 8 available for public download. The latest pre-release version of IE8 is reportedly feature complete. Microsoft already gave the release candidate to some of its partners for testing in December. The candidate works with Windows XP and Vista (32 and 64 bit), but not with Windows 7, although this is bound to change soon, as IE8 will ship with Windows 7.

More: http://www.heise-online.co.uk/security/First-release-candidate-of-Internet-Explorer-8-available--/news/112497

Linux Kernel - eCryptfs vulnerability
by Marianna Schmudlach / January 27, 2009 12:27 AM PST

27 January 2009

Due to a vulnerability in the Linux kernel, a local attacker on a system with Linux kernel series 2.6 could crash the system to deny service to legitimate users or possibly obtain root privileges.

Security Lab say the vulnerability in fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), and possibly have some other unspecified impact, by making a readlink call that results in an error. The error leads to the call returning a -1 value as an array index. For those who compile their own kernel builds: there is a three-line patch. The issue is fixed in the recently released version 2.6.28.1 of the Linux kernel. According to an advisory on Security Focus, how an exploit might be developed is apparently still unclear and to date there are no known exploits.

More: http://www.heise-online.co.uk/security/Linux-Kernel-eCryptfs-vulnerability--/news/112500

DoS vulnerability in Sun Solaris 10
by Marianna Schmudlach / January 27, 2009 12:28 AM PST

27 January 2009

An exploit has been reported on the Full Disclosure security mailing list for Sun Solaris 10 on x86 based systems. The exploit can cause a kernel panic via an IPv6 vulnerability. It only takes a single crafted IPv6 packet to be sent to a system to cause the kernel panic.

The exact cause of the problem is still unknown. The author of the post on the exploit, who goes by the pseudonym of 'Kingcope', has said that the crash dump entries show that there is a problem in connection to the IPSec. A patch is not yet available and the only current solution may be to switch off IPv6 support.

More: http://www.heise-online.co.uk/security/DoS-vulnerability-in-Sun-Solaris-10--/news/112499
