The file watch implementation in the audit subsystem (auditctl -w) in the Red Hat Enterprise Linux (RHEL) 4 kernel 2.6.9 allows local users to cause a denial of service (kernel panic) by replacing a watched file, which does not cause the watch on the old inode to be dropped.Successful exploitation requires that the attacker previously created a watch for a file.RHSA-2007:008524300227371017705Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.This vulnerability has been addressed by the vendor through a product update: http://sourceforge.net/projects/libwpd/ ADV-2007-09762450720070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities20070316 rPSA-2007-0057-1 libwpdDSA-1268DSA-1270FEDORA-2007-350MDKSA-2007:063MDKSA-2007:064RHSA-2007:0055SUSE-SA:2007:023USN-437-123006ADV-2007-1032101778924557245722458024573245812459324465GLSA-200704-0724794102863ADV-2007-133924856GLSA-200704-1224906MDKSA-2007:063MDKSA-2007:064SSA-2007-085-02245882461324591pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters.[fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes[fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes[pam-list] 20070123 Linux-PAM 0.99.7.1 released SUSE-SR:2007:003 22204 ADV-2007-0323 23858 linuxpam-pamunix-security-bypass(31739)The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL) 3, when a filesystem is mounted with the noacl option, checks permissions for the open system call via vfs_permission (mode bits) data rather than an NFS ACCESS call to the server, which allows local client processes to obtain a false success status from open calls that the server would deny, and possibly obtain sensitive information about file permissions on the server, as demonstrated in a root_squash environment. NOTE: it is uncertain whether any scenarios involving this issue cross privilege boundaries.Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.20070309 Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005)FEDORA-2007-335FEDORA-2007-336RHSA-2007:009922870ADV-2007-0872330232443624518kernel-cardman4040drivers-bo(32880) MDKSA-2007:078 24777 24901 DSA-1286 2507820070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:078USN-486-1USN-489-1256912613326139The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion."The scheme for selecting serial numbers was changed from incrementing a counter to random number selection, increasing the likelihood of a serial number collision.MDKSA-2007:060RHSA-2007:0085RHSA-2007:0099SUSE-SA:2007:02122539241092425924300244292448224547USN-451-12475220070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:047MDKSA-2007:06025691MDKSA-2007:047gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files.24225 FEDORA-2007-256 MDKSA-2007:046 22610 ADV-2007-0653 24226 24317 gnucash-symlink(32558)Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.SSA:2007-066-03SSA:2007-066-04SSA:2007-066-05102945SUSE-SA:2007:022ADV-2007-21412559724406244552445624457243422558820070223 Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-278FEDORA-2007-279FEDORA-2007-281FEDORA-2007-293GLSA-200703-18GLSA-200703-22MDKSA-2007:050MDKSA-2007:052RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1USN-431-1VU#37781222694ADV-2007-0719ADV-2007-0718321051017696242382425224253242772428724290242052432824333243432432024293243952438424389244102452224562nss-mastersecret-bo(32666)102856ADV-2007-1165 24703 20070301-01-P 24650DSA-1336FEDORA-2007-308FEDORA-2007-309MDKSA-2007:05020070202-01-PHPSBUX02153Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.SSA:2007-066-03SSA:2007-066-04SSA:2007-066-05102945SUSE-SA:2007:022ADV-2007-21412559724406244552445624457243422558820070223 Mozilla Network Security Services SSLv2 Server Stack Overflow Vulnerability20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-278FEDORA-2007-279GLSA-200703-18GLSA-200703-22MDKSA-2007:050MDKSA-2007:052RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1USN-431-1VU#592796ADV-2007-0719ADV-2007-071832106101769624253242772428724290243332434324293243952438424389244102452224562nss-clientmasterkey-bo(32663)102856ADV-2007-11652470320070301-01-P24650DSA-1336FEDORA-2007-308FEDORA-2007-309MDKSA-2007:05020070202-01-PHPSBUX02153The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.RHSA-2007:0019 DSA-1256 MDKSA-2007:039 SUSE-SR:2007:002 USN-415-1 22209 ADV-2007-0331 1017552 23884 23933 23935 24010 24006 24095 23984MDKSA-2007:039The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including the a referer log, browser history, or browser cache.20071022 Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue24975ADV-2007-2583101843526143citrix-access-unspeci-information-disclosure(35510)Sun JRE 5.0 before update 14 allows remote attackers to cause a denial of service (Internet Explorer crash) via an object tag with an encoded applet and an undefined name attribute, which triggers a NULL pointer dereference in jpiexp32.dll when the applet is decoded and passed to the JVM.20080108 Corsaire Security Advisory: Sun J2RE DoS issue27185sun-java-jpiexp32-dos(39549)3527ChainKey Java Code Protection allows attackers to decompile Java class files via a Java class loader with a modified defineClass method that saves the bytecode to a file before it is passed to the JVM.20070112 Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue20070112 Re: Corsaire Security Advisory: ChainKey Java Code Protection Bypass issueBuffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.Exploit 3064218291017461VU#442497ADV-2007-000123540quicktime-rtsp-url-bo(31203) 3064 APPLE-SA-2007-01-23 TA07-005A 31023Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers to execute arbitrary code via a long filename in a LST file.21840229594051Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.23592[vlc-devel] 20070102 Security hole in VLC media player for Mac...ADV-2007-00261017464vlcmediaplayer-udp-format-string(31226)21852 DSA-1252 GLSA-200701-24 SUSE-SA:2007:013 23829 23910 23971Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Makerand Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; (28) MP3 WAV Converter; (29) BearShare 6.0.2.26789; and (30) Oracle Siebel SimBuilder and CRM 7.x. 23534 23535 23536 23541 23542 23544 23546 23548 23550 23554 23558 23560 23561 23562 23565 23745 23753 23795 nctaudiofile2-multiple-bo(31707) 22196 23892 2292220070124 Re: Secunia Research: NCTsoft Products NCTAudioFile2 ActiveXControl Buffer Overflow20070124 Secunia Research: NCTsoft Products NCTAudioFile2 ActiveX ControlBuffer Overflow20070124 Secunia Research: Sienzo Digital Music Mentor NCTAudioFile2ActiveX Control Buffer Overflow2599326046261002610128407ADV-2007-0310234752349323532235432355123552235532355723568VU#2927132348523495235112351623530Multiple heap-based buffer overflows in rumpusd in Rumpus 5.1 and earlier (1) allow remote authenticated users to execute arbitrary code via a long LIST command and other unspecified requests to the FTP service, and (2) allow remote attackers to execute arbitrary code via unspecified requests to the HTTP service. 23842 rumpus-ftp-service-bo(31594)Heap-based buffer overflow in the SFTP protocol handler for Panic Transmit (Transmit.app) up to 3.5.5 allows remote attackers to execute arbitrary code via a long ftps:// URL.ADV-2007-027323861 3160 transmit-url-handler-bo(31673)Format string vulnerability in Apple iChat 3.1.6 allows remote attackers to cause a denial of service (null pointer dereference and application crash) and possibly execute arbitrary code via format string specifiers in an aim:// URI.ADV-2007-0274 APPLE-SA-2007-02-15 TA07-047A VU#794752 22146 1017661 24198 ichat-aim-format-string(31679)Untrusted search path vulnerability in writeconfig in Apple Mac OS X 10.4.8 allows local users to gain privileges via a modified PATH that points to a malicious launchctl program.3160523793macos-writeconfig-privilege-escalation(31677)APPLE-SA-2007-04-1922148ADV-2007-1470101794124966TA07-109AADV-2007-0074The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. APPLE-SA-2007-02-15 TA07-047A VU#315856 22188 32695 1017542 23846 24198 macos-inputmanager-privilege-escalation(31676)ADV-2007-0074Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability."20070109 Microsoft Windows VML Element Integer Overflow VulnerabilityMS07-004929969VU#12208421930ADV-2007-010531250101748923677ie-vml-record-bo(31287)ADV-2007-0129TA07-009A20070116 MS07-004 VML Integer Overflow Exploit20070117 Re: MS07-004 VML Integer Overflow ExploitHPSBST02184oval:org.mitre.oval:def:1058The MFC component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 and Visual Studio .NET 2000, 2002 SP1, 2003, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. NOTE: this might be due to a stack-based buffer overflow in the the AfxOleSetEditMenu function in MFC42u.dll.MS07-012VU#93204122476ADV-2007-058131887101763824150TA07-044Aoval:org.mitre.oval:def:157The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption.MS07-011 VU#497756 22483 ADV-2007-0580 31885 1017637 24147TA07-044Aoval:org.mitre.oval:def:540Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption.MS07-002VU#74996421856ADV-2007-01031017487TA07-009AHPSBST0218431255oval:org.mitre.oval:def:119Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used.MS07-002VU#493185ADV-2007-01032195223676TA07-009AHPSBST02184312491017485oval:org.mitre.oval:def:768Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability."MS07-00221877ADV-2007-01031017487TA07-009AHPSBST0218431256oval:org.mitre.oval:def:1102Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory.20070109 Microsoft Excel Invalid Column Heap Corruption VulnerabilityMS07-002VU#30283621925ADV-2007-01031017487TA07-009AHPSBST0218431257oval:org.mitre.oval:def:323Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries.20070109 Microsoft Excel Long Palette Heap Overflow VulnerabilityMS07-002VU#62553221922ADV-2007-01031017487TA07-009AHPSBST0218431258oval:org.mitre.oval:def:753Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file.MS07-003VU#47690021931ADV-2007-0104101748823674TA07-009AHPSBST0218431252oval:org.mitre.oval:def:516Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability."MS07-003VU#27186021936ADV-2007-010410174882367420070111 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook VulnerabilityTA07-009AHPSBST0218431254oval:org.mitre.oval:def:153Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly handle data in a certain array, which allows user-assisted remote attackers to execute arbitrary code, aka the "Word Array Overflow Vulnerability."MS07-024VU#26077723804ADV-2007-1709101801334387HPSBST02214TA07-128Aoval:org.mitre.oval:def:1737Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)TA07-089AVU#1916092465920070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)20070330 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)20070331 RE: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038)20070331 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)3634windows-ani-code-execution(33301)MS07-017TA07-093AADV-2007-121520070402 More information on ZERT patch for ANI 0day HPSBST0220620070402 MS announces out-of-band patch for ANI 0dayTA07-100A33629oval:org.mitre.oval:def:18542542The Exchange Collaboration Data Objects (EXCDO) functionality in Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 allows remote attackers to cause a denial of service (crash) via an Internet Calendar (iCal) file containing multiple X-MICROSOFT-CDO-MODPROPS (MODPROPS) properties in which the second MODPROPS is longer than the first, which triggers a NULL pointer dereference and an unhandled exception.MS07-02623808ADV-2007-171110180152518320070508 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039)20070509 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039)HPSBST02214TA07-128A34390oval:org.mitre.oval:def:1593exchange-ical-dos(33888)The LDAP service in Windows Active Directory in Microsoft Windows 2000 Server SP4, Server 2003 SP1 and SP2, Server 2003 x64 Edition and SP2, and Server 2003 for Itanium-based Systems SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted LDAP request with an unspecified number of "convertible attributes."MS07-03920070710 Microsoft Windows Active Directory Remote Code ExecutionSSRT071446TA07-191AVU#48790524800ADV-2007-2481oval:org.mitre.oval:def:2012101835526002The PE Loader service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer" and unvalidated message lengths, probably a buffer overflow.MS07-040SSRT071446TA07-191A24778ADV-2007-2482oval:org.mitre.oval:def:2093101835626003ms-dotnet-pe-loader-bo(34637)Interpretation conflict in ASP.NET in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to access configuration files and obtain sensitive information, and possibly bypass security mechanisms that try to constrain the final substring of a string, via %00 characters, related to use of %00 as a string terminator within POSIX functions but a data character within .NET strings, aka "Null Byte Termination Vulnerability."MS07-040SSRT071446TA07-191AADV-2007-2482oval:org.mitre.oval:def:2070101835626003The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer," probably a buffer overflow, aka ".NET JIT Compiler Vulnerability".MS07-040SSRT071446TA07-191A24811ADV-2007-2482oval:org.mitre.oval:def:1873101835626003ms-dotnet-jit-bo(34639)Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."20070103 Adobe Acrobat Reader Plugin - Multiple VulnerabilitiesADV-2007-00321017469adobe-acrobat-pdf-csrf(31266)21858GLSA-200701-16SUSE-SA:2007:01123812238822090RHSA-2008:014429065Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0 for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."244572090HPSBUX0215320070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities20070103 RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous20070103 Re: Universal XSS with PDF files: highly dangerous20070103 Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous20070103 Universal XSS with PDF files: highly dangerousVU#815960ADV-2007-0032101746923483adobe-acrobat-pdf-xss(31271)RHSA-2007:0017218582369120070104 Universal PDF XSS After PartyGLSA-200701-16RHSA-2007:0021102847SUSE-SA:2007:011ADV-2007-095723812238772388224533SSA:2007-066-05Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.20070103 Adobe Acrobat Reader Plugin - Multiple VulnerabilitiesADV-2007-00321017469adobe-acrobat-msvcrt-code-execution(31272)RHSA-2007:001723691 GLSA-200701-16 RHSA-2007:0021 102847 SUSE-SA:2007:011 ADV-2007-0957 23812 23877 23882 245332090CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.ADV-2007-00321017469adobe-acrobat-xmlhttp-response-splitting(31291)SUSE-SA:2007:01123882Adobe Acrobat Reader Plugin before 8.0.0, when used with Internet Explorer, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL.20070103 Adobe Acrobat Reader Plugin - Multiple VulnerabilitiesADV-2007-00321017469adobe-acrobat-character-dos(31273)GLSA-200701-16SUSE-SA:2007:01123812238822090Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp.2184723564tasktrackerpro-customize-auth-bypass(31235)** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete.20070103 OpenPinboard <= Remote File Include20070103 Re: OpenPinboard <= Remote File IncludeFormat string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed.20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'21871ADV-2007-005723615iphoto-xmltitle-format-string(31281)3080APPLE-SA-2007-03-13SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows remote attackers to execute arbitrary SQL commands via the id parameter.21836ADV-2007-001523576vicayn-haberdetay-sql-injection(31213)SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the iPro parameter.21833ADV-2007-001623572autodealer-detail-sql-injection(31219)Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter.20070101 vBulletin vCard PRO XSS21844vcard-gbrowse-xss(31182)Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Formbankserver 1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-001223539formbankserver-name-directory-traversal(31214) 3063Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cart-path/admin/salesadmin.php.20070101 AShop Shopping Cart Multiple XSS Vulnerabilities21845ADV-2007-002823547ashop-multiple-scripts-xss(31178)2091Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared sercet and allows remote attackers to gain unauthorized access.20070103 Multiple Vulnerabilities in Cisco Clean AccessADV-2007-0030101746523617Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file.20070103 Multiple Vulnerabilities in Cisco Clean AccessADV-2007-003010174652355632579Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm.VU#304064 APPLE-SA-2007-03-05Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in CA (formerly Computer Associates) Message Queuing (CAM / CAFT) software before 1.11 Build 54_4 on Windows and NetWare, as used in CA Advantage Data Transport, eTrust Admin, certain BrightStor products, certain CleverPath products, and certain Unicenter products, allows remote attackers to execute arbitrary code via a crafted message to TCP port 3104.20070724 CA Message Queuing Server (Cam.exe) Overflow25051ADV-2007-263826190systems-management-bo(32234)20070725 [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability1018449The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory."20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities25729dhcp-malformed-packet-bo(33101)20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23USN-543-1ADV-2007-32291018717268902769427706Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients.20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities25729dhcp-param-overflow(33102)20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23USN-543-1ADV-2007-32291018717268902769427706GLSA-200808-0531396Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities25729dhcp-param-underflow(33103)20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23USN-543-1ADV-2007-32291018717268902769427706Heap-based buffer overflow in Windows Media Format Runtime 7.1, 9, 9.5, 9.5 x64 Edition, 11, and Windows Media Services 9.1 for Microsoft Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file.MS07-068HPSBST0229926776ADV-2007-4183101907428034TA07-345AVU#319385oval:org.mitre.oval:def:3622Heap-based buffer overflow in Object Linking and Embedding (OLE) Automation in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, Office 2004 for Mac, and Visual basic 6.0 SP6 allows remote attackers to execute arbitrary code via a crafted script request.MS08-008TA08-043C27661ADV-2008-0510101937328902HPSBST02314oval:org.mitre.oval:def:5388The kernel in Microsoft Windows 2000 SP4, XP SP2, and Server 2003, when ICMP Router Discovery Protocol (RDP) is enabled, allows remote attackers to cause a denial of service via fragmented router advertisement ICMP packets that trigger an out-of-bounds read, aka "Windows Kernel TCP/IP/ICMP Vulnerability."MS08-00128297TA08-008A20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS VulnerabilitiesHPSBST0230427139ADV-2008-00691019166win-tcpip-icmp-dos(39254)oval:org.mitre.oval:def:5271Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files.24307ADV-2007-204625542domino-unspecified-dos(34689)1018189IBM Lotus Domino 7.0.x before 7.0.3 does not revalidate the signature on a signed scheduled agent after the agent is modified, which allows remote authenticated users to gain privileges via a modified agent in a server database.24322ADV-2007-206325520domino-signature-privilege-escalation(34718)Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability."MS08-00128297TA08-008A20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS VulnerabilitiesVU#11508327100win-ssm-igmp-bo(39452)win-ssm-mld-bo(39453)HPSBST02304ADV-2008-00691019166oval:org.mitre.oval:def:5370Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is used as an offset of a NULL pointer, and triggers a buffer overflow.RHSA-2008:0221TA08-100A1019811SUSE-SA:2008:0222976320080408 Adobe Flash Player Invalid Pointer VulnerabilityGLSA-200804-2144282multimedia-file-integer-overflow(37277)VU#1595232869529865APPLE-SA-2008-05-28238305TA08-150ATA08-149AVU#39547329386ADV-2008-1662ADV-2008-1697ADV-2008-17241020114304043043030507AspBB stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for db/aspbb.mdb.20070102 AspBB Remote Password Disclosureaspbb-aspbb-info-disclosure(31230)2100Openforum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for openforum.mdb.20070102 Openforum Remote password Disclosureopenforum-openforum-password-disclosure(31209)2099lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/.20070102 lblog Remote Password Disclosure1017462lblog-newfolder-information-disclosure(31229)2098BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb.20070101 BattleBlog Database Download Vulnerabilitybattleblog-blankmaster-info-disclosure(31224)2097rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb.20070101 rblog Database Download Vulnerability23538rblog-database-info-disclosure(31200)2102** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the vendor, who states that exploitation is limited "only to local administrators who have write access to the server configuration files." CVE concurs with the dispute.-- Official Vendor Statement from the FreeRADIUS Server project This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS. -- Official Vendor Statement from the FreeRADIUS Server project 20070102 FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution20070103 Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution1017463freeradius-smbconnectserver-bo(31248)20070211 FreeRADIUS dispute of CVE-2007-0080Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory.20070101 Kerio Fake 'iphlpapi' DLL injection Vulnerability21828kerio-directory-code-execution(31232)333562095users_adm/start1.php in IMGallery 2.5 and earlier does not properly handle files with multiple extensions, which allows remote authenticated users to upload and execute arbitrary PHP scripts.21827ADV-2007-0010imgallery-start1-file-upload(31237) 3049Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Klan.20070102 Nuked Klan <= 1.7 Remote Cookie Disclosure Exploit218502101** DISPUTED ** Buffer overflow in the Windows NT Message Compiler (MC) 1.00.5239 on Microsoft Windows XP allows local users to gain privileges via a long MC-filename. NOTE: this issue has been disputed by a reliable third party who states that the compiler is not a privileged program, so privilege boundaries cannot be crossed.20070102 Windows NT Message Compiler 1.00.5239 arbitrary code execution20070103 Re: Windows NT Message Compiler 1.00.5239 arbitrary code executionUnspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference.[openbsd-cvs] 20070103 Re: CVS: cvs.openbsd.org: src[3.9] 017: SECURITY FIX: January 3, 2007[4.0] 007: SECURITY FIX: January 3, 2007101746823608[openbsd-cvs] 20070103 CVS: cvs.openbsd.org: wwwADV-2007-0043openbsd-vga-privilege-escalation(31276)32574** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.20070103 a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)** DISPUTED ** Microsoft Internet Information Services (IIS), when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.20070103 a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) src parameter to page.php or the (2) format parameter to search_form.php.20070102 openmedia local read fileopenmedia-page-directory-traversal(31258)2103jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb.20070103 jgbbsjgbbs-bbs-information-disclosure(31274)WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb.20070103 WineGlass ADV-2007-003723594newsCMSlite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for newsCMS.mdb.newscmslite-newscms-info-disclosure(31222) 3066SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter.23610ADV-2007-0036esmartcart-productdetail-sql-injection(31243) 3074SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter.20070103 Simple Web Content Management System SQL Injection ExploitADV-2007-004023590swcms-page-sql-injection(31261)30762106Sven Moderow GuestBook 0.3a stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for (1) gbook97.mdb or (2) gbook.mdb in ~db/.20070103 GuestBook v0.3a Remote Password Disclosureguestbook-gbook-information-disclosure(31245)2105phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.20070102 Inforamtion Discloser Vulnerabilities in phpMyAdminphpmyadmin-darkblueorange-path-disclosure(31223)MDKSA-2007:1992104CarbonCommunities stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for DataBase/Carbon2.4d.mdb.ADV-2007-0038carboncommunities-carbon2-info-disclosure(31253)Multiple stack-based buffer overflows in the (1) LoadTree and (2) ReadHeader functions in PAISO.DLL 1.7.3.0 (1.7.3 beta) in ConeXware PowerArchiver 2006 9.64.02 allow user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories.20070104 PowerArchiver PAISO.DLL Buffer OverflowADV-2007-00412355920070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow Vulnerabilitypowerarchiver-loadtree-readheader-bo(31263)Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by language.php.ADV-2007-0035verliadmin-language-file-include(31241) 3075Race condition in the msxml3 module in Microsoft Internet Explorer 6 allows remote attackers to cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger null pointer dereferences or memory corruption.20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)218722365520070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)The Perforce client does not restrict the set of files that it overwrites upon receiving a request from the server, which allows remote attackers to overwrite arbitrary files by modifying the client config file on the server, or by operating a malicious server.20070104 Perforce client: security hole by designCross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information.ADV-2007-004223537spine-unspecified-csrf(31283)The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node.21910multiple-vendor-pdf-code-execution(31364)ADV-2007-0930101774924479TA07-072AThe Adobe PDF specification 1.3, as implemented by Adobe Acrobat before 8.0.0, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node.21910multiple-vendor-pdf-code-execution(31364)ADV-2007-0930101774924479TA07-072AThe Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patch 2, (b) kpdf in KDE before 3.5.5, (c) poppler before 0.5.4, and other products, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node.21910multiple-vendor-pdf-code-execution(31364)20070116 [KDE Security Advisory] kpdf/kword/xpdf denial of service vulnerabilityMDKSA-2007:018MDKSA-2007:020MDKSA-2007:022MDKSA-2007:019MDKSA-2007:021MDKSA-2007:024SUSE-SR:2007:003USN-410-1USN-410-2ADV-2007-0203ADV-2007-0212ADV-2007-0244ADV-2007-09301017514101774923799237912380823813238152384423839238762420424479MDKSA-2007:019MDKSA-2007:021MDKSA-2007:024TA07-072AStack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request.20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server21900ADV-2007-0068101747523629cisco-acs-csadmin-bo(31323)VU#74424932642Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request.20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability21893ADV-2007-0061235952114WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.Successful exploitation requires that the "mbstring" extension be enabled. This vulnerability is addressed in the following product release: WordPress, WordPress, 2.0.620070105 Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability21907ADV-2007-006123595OpenPKG-SA-2007.005wordpress-mbstring-security-bypass(31297)GLSA-200701-10237412112nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles.21886ADV-2007-0064101747123619novell-profile-security-bypass(31343)wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks.20070103 Wordpress <= 2.x dictionnary & Bruteforce attackADV-2007-006223621wordpress-account-enumeration(31262)GLSA-200701-10237412113Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message.21921ADV-2007-0073236541017483Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as used in mobile devices running Windows Mobile 5.0, 2003, and 2003SE, allows remote attackers to execute arbitrary code via a crafted PNG image.21920ADV-2007-007223658SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter.20070107 createauction (cats.asp) Remote SQL Injection Vulnerability21929createauction-cats-sql-injection(31356)2111Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm.20070108 Packeteer PacketWise CLI overflow DoS21933ADV-2007-009823685packetshaper-argument-dos(31357)2110Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote attackers to obtain sensitive information regarding "content details" via unspecified vectors.10276421908ADV-2007-007623630sun-java-cds-info-disclosure(31345)Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php.20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit20070108 Source verify - Coppermine Photo Gallery <= 1.4.10 code injection2107Digger Solutions Intranet Open Source (IOS) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for data/intranet.mdb.20070105 Intranet Open Source Remote Password Disclosure intranet-intranet-info-disclosure(31308)2109DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation.21899ADV-2007-007423653Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow remote attackers to read arbitrary files via an absolute pathname in the file parameter to (1) edittag.cgi, (2) edittag.pl, (3) edittag_mp.cgi, or (4) edittag_mp.pl.20070105 Multiple bugs in EditTag218907950Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) mkpw.pl, or (3) mkpw.cgi.20070105 Multiple bugs in EditTag218917950Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlier allows remote attackers to cause a denial of service (application crash) via multiple HTTP requests containing invalid Content-Length values.21898acunetix-content-length-dos(31279) 3078Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter.20070105 RI Blog 1.3 XSS Vuln.21880ADV-2007-008323657riblog-search-xss(31317)2108Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4.10 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via (1) the cat parameter to albmgr.php, and possibly (2) the gid parameter to usermgr.php; (3) the start parameter to db_ecard.php; and the albumid parameter to unspecified files, related to the (4) filename_to_title and (5) del_titles functions.20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit218943085258462123Unrestricted file upload vulnerability in Uber Uploader 4.2 allows remote attackers to upload and execute arbitrary PHP scripts by naming them with a .phtml extension, which bypasses the .php extension check but is still executable on some server configurations.20070105 Uber Uploader 4.2 Arbitrary File Upload Vulnerabilityuber-uploader-phtml-file-upload(31303)2116Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.20070105 [DRUPAL-SA-2007-002] Drupal 4.6.11 / 4.7.5 fixes DoS issue21895ADV-2007-0051235862115Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux before 20070102 enter an infinite loop upon encountering an invalid NumberOfRvaAndSizes value in the Optional Windows Header of a portable executable (PE) file, which allows remote attackers to cause a denial of service (CPU consumption) by scanning a crafted PE file.20070105 Kaspersky Antivirus Scan Engine PE File Denial of Service Vulnerability2357521901ADV-2007-00671017476kaspersky-antivirus-pe-dos(31315)Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker.20070105 Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption VulnerabilityADV-2007-0060236131017473opera-jpeg-dht-bo(31305)GLSA-200701-08SUSE-SA:2007:0092373923771The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call.20070105 Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting VulnerabilityADV-2007-0060236131017473GLSA-200701-08SUSE-SA:2007:0092373923771SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the book_id parameter.ADV-2007-005323606SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatID parameter.locazolist-main-sql-injection(31242)ADV-2007-0052 3073SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.21873ADV-2007-00552360220070105 IG Calendar SQL Injectionigcalendar-user-sql-injection(31300) 3082JAMWiki before 0.5.0 does not properly check permissions during moves of "read-only or admin-only topics," which allows remote attackers to make unauthorized changes to the wiki.2363421879jamwiki-permission-security-bypass(31296)SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.ADV-2007-00562360420070105 IG Shop remote code execution21874igshop-compareproduct-sql-injection(31299) 3083Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter.ADV-2007-0056Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the vulnerability is present in 1.4.ADV-2007-00562360420070105 IG Shop remote code execution21875igshop-cartpage-code-execution(31301)308320070619 iG Shop 1.4 eval Inclusion Vulnerability20070618 Dup: iG Shop 1.4 (page.php) Remote Code Execution ExploitPHP remote file inclusion vulnerability in inc/init.inc.php in Aratix 0.2.2 beta 11 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the current_path parameter.20070108 Source verify of Aratix RFIADV-2007-0054aratix-init-file-include(31282) 3079Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixesADV-2007-005020070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes XSS issuedrupal-core-unspecified-xss(31311)Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2362321884ADV-2007-00651017470serene-bach-unspecified-xss(31302)formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begins with (1) AbfrageForm or (2) EingabeForm, allows remote attackers to cause a denial of service (daemon crash) via multiple requests containing many /../ sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23539formbankserver-formbank-dos(31216)Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/OSI 7.3-2 for OpenVMS ALPHA, and the DECnet-Plus 7.3 feature in DECnet/OSI 7.3 for OpenVMS VAX, allows attackers to obtain "unintended privileged access to data and system resources" via unspecified vectors, related to (1) [SYSEXE]CTF$UI.EXE, (2) [SYSMSG]CTF$MESSAGES.EXE, (3) [SYSHLP]CTF$HELP.HLB, and (4) [SYSMGR]CTF$STARTUP.COM.23636ADV-2007-0063SQL injection vulnerability in down.asp in Kolayindir Download (Yenionline) allows remote attackers to execute arbitrary SQL commands via the id parameter.20070105 Kolayindir Download (Yenionline) (tr) SqL Injection Vuln.21889ADV-2007-007923645kolayindirdownload-down-sql-injection(31320)2122Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter.20070106 Yet Another Link Directory v1.021904ADV-2007-008223646yald-yald-xss(31322)2121SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the CatID parameter.20070106 shopstorenow (orange.asp) sql injection21905ADV-2007-008023642shopstorenow-orange-sql-injection(31313)2120Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php.ADV-2007-00782363520070107 NUNE News Script (custom_admin_path) Remote File Include Vulnerablitynune-index-archives-file-include(31312)Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the ordernum parameter.23652qos-search-xss(31321) 3089PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP News (BP News) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the bnrep parameter, a different vector than CVE-2006-4648 and CVE-2006-4649.1017477bingo-bnsmrep1-file-include(31328)Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php.20070106 Fix & Chips CMS v1.0ADV-2007-008123625fixandchips-multiple-scripts-xss(31319)32646326473264832649326502119Cuyahoga before 1.0.1 installs the FCKEditor component with an incorrect deny statement in a Web.config file, which allows remote attackers to upload files when these privileges were intended only for the Administrator and Editor roles.2366221927Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in the Javascript alert function.ADV-2007-00752362421911omniweb-alert-format-string(31324)20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS 3098EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb.20070107 EMembersPro 1.0 Remote Password Disclosure Vulnerabilityememberspro-users-info-disclosure(31329)2118Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters.20070107 Dayfox Blog Remote File Include Vuln.ADV-2007-009923661dayfoxblog-index-file-include(31336)2117MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb.20070107 MitiSoft Remote Password Disclosure Vulnerabilitymitisoft-mitisoft-info-disclosure(31341)OhhASP stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/OhhASP.mdb.20070106 ohhASP Remote Password Disclosureohhasp-ohhasp-info-disclosure(31342)AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb.20070107 AJLogin v3.5 Remote Password Disclosure Vulnerabilityajlogin-ajlogin-info-disclosure(31331)2127Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb.20070107 Webulas Remote Password Disclosure Vulnerabilitywebulas-db-info-disclosure(31338)2126HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb.20070107 HarikaOnline v2.0 Remote Password Disclosure Vulnerabilityharikaonline-harikaonline-info-disclosure(31339)2125M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb.20070107 M-Core Remote Password Disclosure Vulnerabilitymcore-uyelik-info-disclosure(31340)2124Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index.[neon] 20070107 invalid chars cause sigserv in neonMDKSA-2007:01322035ADV-2007-01722376323751 [cadaver] 20070123 release 0.22.5 SUSE-SR:2007:002 ADV-2007-0362 23984Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename.MDKSA-2007:00421959ADV-2007-0117ADV-2007-0118geoip-geoipupdate-directory-traversal(31383) USN-412-1 23880 23906MDKSA-2007:004Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.cc) in CenterICQ 4.9.11 through 4.21.0, when using unofficial LiveJournal servers, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by adding the victim as a friend and using long (1) username and (2) real name strings.Failed exploitation attempts will likely result in a denial-of-service condition.20070107 TK53 Advisory #1: CenterICQ remote DoS buffer overflow in LiveJournal handling21932centericq-username-bo(31330)GLSA-200701-20ADV-2007-030610175452129The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023.20070108 HP Multiple Products PML Driver Local Privilege Escalation21935ADV-2007-009423663pml-driver-config-privilege-escalation(31361)2128Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permissions for the (1) ApplicationEnhancer binary and the (2) /Library/Frameworks/ApplicationEnhancer.framework directory, which allows local users to gain privileges by modifying or replacing the binary or library files.2195123649ape-appenhancer-privilege-escalation(31349)SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information.20070106 Cracking Steganography Application in less than ONE minute2363920070107 A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)steganography-password-security-bypass(31378)Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information.219392357820070107 A Major design Bug in Camouflage 1.2.1 (latest)camouflage-password-security-bypass(31375)Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind.10271321964ADV-2007-011023700solaris-rpcbind-dos(31366)1017492 24056oval:org.mitre.oval:def:2210The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack.FreeBSD-SA-07:0122011237301017505Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/.20070109 ppc engine Multiple file inclusion20070109 21961demoppc-inc-file-include(31355) 3104 33444 33445 33446 33447 33448 33449 33450 33451 33452 33453 334542134The Tape Engine service in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allows remote attackers to execute arbitrary code via certain data in opnum 0xBF in an RPC request, which is directly executed.VU#662400ADV-2007-015423648brightstor-tapeengine-code-execution(31442)20070111 ZDI-07-002: CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability101750620070111 LS-20061002 - Computer Associates BrightStor ARCserve Backup Remote Code Execution Vulnerability20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities22010Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service.20070111 Computer Associates BrightStor ARCserve Backup RPC Engine PFC Request Buffer Overflow Vulnerability20070111 ZDI-07-003: CA BrightStor ARCserve Backup Message Engine Buffer Overflow VulnerabilityVU#180336ADV-2007-01542364820070111 ZDI-07-004: CA BrightStor ARCserve Backup Tape Engine Buffer Overflow VulnerabilityVU#15103222005220061017506brightstor-messageengine-rpc-bo(31443)brightstor-tapeengine-rpc-bo(31433)20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow VulnerabilitiesPHP remote file inclusion vulnerability in index.php in AllMyVisitors 0.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the AMV_serverpath parameter.21917allmyvisitors-index-file-include(31316) 3097PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AML_opensite parameter.21916allmylinks-index-file-include(31314) 3096Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the AMG_serverpath parameter to (1) comments.php and (2) signin.php; and possibly via a URL in unspecified parameters to (3) include/submit.inc.php, (4) admin/index.php, (5) include/cm_submit.inc.php, and (6) index.php.21918allmyguests-multiple-file-include(31310) 3093Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.21914l2j-statistik-index-file-include(31309)ADV-2007-0097 3091Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function.20070109 Sina UC ActiveX Multiple Remote Stack OverflowADV-2007-00932363820070109 Sina UC ActiveX Multiple Remote Stack Overflow21958sinauc-sendchatroomopt-bo(31348)sinauc-senddownloadfile-bo(31350)Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter.2365621953b2evolution-login-xss(31368)DSA-156830093Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter.20070108 GForge Cross Site Scripting vulnerability21946101748223675gforge-words-xss(31346)2133DSA-147528598Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.21956ADV-2007-009623647mediawiki-ajax-unspecified-xss(31359) SUSE-SR:2007:006 24889PHP remote file inclusion vulnerability in info.php in Easy Banner Pro 2.8 allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter.20070108 Easy Banner Pro Version 2.8 <= Remote File Inclusion21967easybannerpro-info-file-include(31374)2132SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter.20070109 Re: PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit219622131Stack-based buffer overflow in EF Commander 5.75 allows user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories, which produces a large filename that triggers the overflow.2365921969efcommander-iso-pathname-bo(31365)PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter.20070108 magic photo storage website Remote File Inclusion21965ADV-2007-013623687magicphotostorage-config-file-include(31347)Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date.20070108 magic photo storage website Multiple Remote File Inclusion21965 32668 33411 33412 33413 33414 33415 33416 33417 33418 33419 33420 33421 33422 33423 33425 33426 33427 33428 33429 33430 33431 33433 33435 33436 33437 33438 33439 33432 334342136Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.2197723605Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks.21955ADV-2007-009523641dwr-include-exclude-security-bypass(31377)Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch.21955ADV-2007-009523641dwr-servlet-engine-dos(31382)Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory236272364332740327413274232743327393273732738F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory2362623640F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory2364032734** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value.20070107 GeoBB Georgian Bulletin Board Remote File Include Vuln.20070110 Dispute of GeoBB RFIgeobb-index-file-include(31335)2141PHP remote file inclusion vulnerability in edit_address.php in edit-x ecommerce allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter.20070109 edit-x ecommerce (include_dir) Remote File include21974ADV-2007-0158editx-editaddress-file-include(31384)2139Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section.20070105 MkPortal Admin XSSmkportal-admin-xss(31304)2138Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack.20070104 MkPortal 2137FON La Fonera routers do not properly limit DNS service access by unauthenticated clients, which allows remote attackers to tunnel traffic via DNS requests for hosts that should not be accessible before authentication.20070106 FON Router allows anonymous web access20070107 Re: FON Router allows anonymous web accessadmin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message.20070108 MKPortal Full Path Disclosuremkportal-admin-path-disclosure(31333)my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory2362732736SQL injection vulnerability in admin_check_user.asp in Motionborg Web Real Estate 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (txtUserName parameter) and possibly other parameters. NOTE: some details were obtained from third party information.21963motionborg-admincheckuser-sql-injection(31360)ADV-2007-014323531 3105Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption.20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS21980ADV-2007-0140macos-finder-dos(31410)APPLE-SA-2007-02-15TA07-047AVU#24088010176622419832714The JTapi Gateway process in Cisco Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise, and Cisco IP Contact Center Hosted 5.0 through 7.1 allows remote attackers to cause a denial of service (repeated process restart) via a certain TCP session on the JTapi server port.20070110 Cisco Unified Contact Center and IP Contact Center JTapi Gateway Vulnerability21988ADV-2007-0138101749923710The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange."20070110 DLSw Vulnerability21990ADV-2007-0139101749823697PHP remote file inclusion vulnerability in template.php in Geoffrey Golliher Axiom Photo/News Gallery (axiompng) 0.8.6 allows remote attackers to execute arbitrary PHP code via a URL in the baseAxiomPath parameter.20070110 source verify - Axiom RFIADV-2007-01072197223715axiom-template-file-include(31372) 3108Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Firewall Toolkit (FWTK) allows remote attackers to execute arbitrary code via a long destination hostname (dest).219601017481tisfwtk-ftpgw-bo(31363)SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter.20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit2192623637ADV-2007-0137 31032135Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors.2370221987MDKSA-2007:199Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information,ADV-2007-01252370221987phpmyadmin-unspecified-xss(31387)MDKSA-2007:199Directory traversal vulnerability in admin/skins.php for @lex Guestbook 4.0.2 and earlier allows remote attackers to create files in arbitrary directories via ".." sequences in the (1) aj_skin and (2) skin_edit parameters. NOTE: this can be leveraged for file inclusion by creating a skin file in the lang directory, then referencing that file via the lang parameter to index.php, which passes a sanity check in livre_include.php.20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit2192631032135Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to read arbitrary files via unknown vectors.HPSBMA02175220091017503 ADV-2007-01532140Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac does not correctly check the properties of certain documents and warn the user of macro content, which allows user-assisted remote attackers to execute arbitrary code.MS07-01422477ADV-2007-05831017639TA07-044A34385oval:org.mitre.oval:def:700Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a Word file with a malformed drawing object, which leads to memory corruption.MS07-01422482ADV-2007-05831017639TA07-044Aoval:org.mitre.oval:def:187The Window Image Acquisition (WIA) Service in Microsoft Windows XP SP2 allows local users to gain privileges via unspecified vectors involving an "unchecked buffer," probably a buffer overflow.MS07-007 22499 ADV-2007-0576 31889 1017634 24132TA07-044Aoval:org.mitre.oval:def:186The hardware detection functionality in the Windows Shell in Microsoft Windows XP SP2 and Professional, and Server 2003 SP1 allows local users to gain privileges via an unvalidated parameter to a function related to the "detection and registration of new hardware."MS07-006 VU#240796 22481 ADV-2007-0575 31890 1017633 24126TA07-044Aoval:org.mitre.oval:def:224Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails, which allows remote attackers to execute arbitrary code via a crafted base64-encoded MIME e-mail message.MS07-026 VU#343145 23809 ADV-2007-1711 1018015 25183HPSBST02214TA07-128A34391oval:org.mitre.oval:def:1890exchange-mime-base64-code-execution(33889)The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 SP3, XP SP2 and Professional, 2003 SP1 allows remote attackers to execute arbitrary code via unspecified functions, related to uninitialized parameters.MS07-008VU#56375622478ADV-2007-057731884101763524136TA07-044Aoval:org.mitre.oval:def:125Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption.MS07-023 20070508 ZDI-07-026: Microsoft Excel BIFF File Format Named Graph Record Parsing Stack Overflow Vulnerability 23760 ADV-2007-1708 1018012 25150HPSBST02214TA07-128A34393oval:org.mitre.oval:def:1971excel-biff-file-bo(33913)wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section length headers, aka "Microsoft Works File Converter Input Validation Vulnerability."MS08-011TA08-043C27657ADV-2008-051310193862890420080208 Microsoft Office Works Converter Heap Overflow VulnerabilityHPSBST02314oval:org.mitre.oval:def:5309The wininet.dll FTP client code in Microsoft Internet Explorer 5.01 and 6 might allow remote attackers to execute arbitrary code via an FTP server response of a specific length that causes a terminating null byte to be written outside of a buffer, which causes heap corruption.MS07-01620070213 Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption VulnerabilityVU#61356422489ADV-2007-05843189210176422415620070309 MS07-016 FTP Response DOS PoCTA07-044Aoval:org.mitre.oval:def:1141Microsoft Internet Explorer 5.01 and 6 allows remote attackers to execute arbitrary code by instantiating certain COM objects from Urlmon.dll, which triggers memory corruption during a call to the IObjectSafety function.MS07-03320070612 Microsoft License Manager and urlmon.dll COM Object Interaction Invalid Memory Access VulnerabilityHPSBST02231TA07-163A24372ADV-2007-2153oval:org.mitre.oval:def:1084101823525627webbrowser-object-code-execution(32106)Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects from (1) Msb1fren.dll, (2) Htmlmm.ocx, and (3) Blnmgrps.dll as ActiveX controls, which allows remote attackers to execute arbitrary code via unspecified vectors, a different issue than CVE-2006-4697.MS07-016VU#77178822504ADV-2007-0584318933189431895101764324156ie-com-activex-code-execution(32427)TA07-044Aoval:org.mitre.oval:def:257Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2000 SP3, and 2003 SP1 and SP2 allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments, involving an "incorrectly handled UTF character set label".MS07-026 VU#124113 23806 ADV-2007-1711 1018015 25183HPSBST02214TA07-128A34389oval:org.mitre.oval:def:1371exchange-utf-xss(33887)Integer overflow in the IMAP (IMAP4) support in Microsoft Exchange Server 2000 SP3 allows remote attackers to cause a denial of service (service hang) via crafted literals in an IMAP command, aka the "IMAP Literal Processing Vulnerability."MS07-02623810ADV-2007-171110180152518320070508 Microsoft Exchange Server 2000 IMAP Literal Processing DoS VulnerabilityHPSBST02214TA07-128A34392oval:org.mitre.oval:def:2054exchange-imap-command-dos(33890)Directory traversal vulnerability in the EmChartBean server side component for Oracle Application Server 10g allows remote attackers to read arbitrary files via unknown vectors, probably "\.." sequences in the beanId parameter. NOTE: this is likely a duplicate of another CVE that Oracle addressed in CPU Jan 2007, but due to lack of details by Oracle, it is unclear which BugID this issue is associated with, so the other CVE cannot be determined. Possibilities include EM02 (CVE-2007-0292) or EM05 (CVE-2007-0293).20070115 SYMSA-2007-001: Oracle Application Server 10g - Directory Traversal220272379420070131 Oracle 10g R2 Enterprise Manager Directory Traversal101752222083SQL injection vulnerability in shared/code/cp_functions_downloads.php in Nicola Asuni All In One Control Panel (AIOCP) before 1.3.009 allows remote attackers to execute arbitrary SQL commands via the download_category parameter.23726SQL injection vulnerability in shopgiftregsearch.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginLastname parameter.23699vpasp-shopgift-sql-injection(31447) 3115Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.23699vpasp-shopcustadmin-xss(31449) 3115SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier allows remote attackers to execute arbitrary SQL commands via the "by User" field (aka the TXbyuser parameter).21966uniforum-wbsearch-sql-injection(31362) 20070125 uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability 3106 23827slocate 3.1 does not properly manage database entries that specify names of files in protected directories, which allows local users to obtain the names of private files. NOTE: another researcher reports that the issue is not present in slocate 2.7.20070110 Re: slocate leaks filenames of protected directories20070110 slocate leaks filenames of protected directories20070111 Re: slocate leaks filenames of protected directories2198920070112 Re: slocate leaks filenames of protected directories USN-425-1The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) &LOGPATH& (6) &FWADELTA& (7) &FWALOG& (8) &SETSYNCHRONOUS& (9) &SETPRGFILE&, or (10) &SETREPLYPORT& string to TCP port 10618, which triggers a NULL pointer dereference.20070110 EIQ Networks Network Security Analyzer DoS Vulnerability21994ADV-2007-014723693eiq-datacollector-dos(31428)Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8 and FreeBSD 6.1 allows local users to cause a denial of service (panic) and possibly gain privileges via a crafted DMG image that causes "allocation of a negative size buffer" leading to a heap-based buffer overflow, a related issue to CVE-2006-5679. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem.21993ADV-2007-014123703[freebsd-security] 20070114 MOAB advisoriesmacos-ffsmountfs-bo(31409) ADV-2007-0930 32684 1017751 24479APPLE-SA-2007-03-13TA07-072A** DISPUTED ** PHP remote file inclusion vulnerability in install.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the install_dir parameter. NOTE: CVE and third parties dispute this vulnerability because install_dir is defined before use.20070109 CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability20070110 [bogus] [ahmed_labib_hilmy at yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd)cscart-install-file-include(31408)Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments field.23669ADV-2007-0142PHP remote file inclusion vulnerability in routines/fieldValidation.php in Jshop Server 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the jssShopFileSystem parameter.2199520070110 Jshop Server 1.3jshop-fieldvalidation-file-include(31425) 31132146wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.21983wordpress-tbid-sql-injection(31385) 3109** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0243. Reason: This candidate is a duplicate of CVE-2007-0243. Notes: All CVE users should reference CVE-2007-0243 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.20070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption VulnerabilityVU#38828922085Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor.USN-407-1ADV-2007-0185ADV-2007-01872373623777DSA-1255GLSA-200701-17MDKSA-2007:0232205423814238402387224015libgtop2-glibtopbo(31522)RHSA-2007:0765101852626367Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow.22041ADV-2007-01911017513237083130ADV-2007-093032687101775124479APPLE-SA-2007-03-13TA07-072AThe ndeb-binary feature in Lookup (lookup-el) allows local users to overwrite arbitrary files via a symlink attack on temporary files.DSA-12692437724590 23026 1017792 lookup-ndebbinary-symlink(33052)GLSA-200712-0728023Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note.DSA-1270ADV-2007-10321017799RHSA-2007:0033RHSA-2007:0069102794SUSE-SA:2007:023USN-444-1ADV-2007-111724465245502464624647openoffice-starcalc-bo(33112)MDKSA-2007:0732467620070404 High Risk Vulnerability in OpenOffice 24810 GLSA-200704-12 24906230672458824613OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document.DSA-1270ADV-2007-10321017799 RHSA-2007:0033 RHSA-2007:0069 102807 SUSE-SA:2007:023 USN-444-1 22812 ADV-2007-1117 24465 24550 24646 24647 openoffice-shell-command-execution(33113) MDKSA-2007:073 24676 24810 GLSA-200704-12 249062458824613Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request.ADV-2007-1041 23084 24017 zope-unspecifiedget-xss(33187) DSA-1275 24713 SUSE-SR:2007:011 25239The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. MDKSA-2007:074 MDKSA-2007:075 MDKSA-2007:076 23269 ADV-2007-1212 24727 24699 24705 SSA:2007-093-03 USN-452-1 24726 24847 qt-utf8-xss(33397) SUSE-SR:2007:006 24797 24889 24759 DSA-1292 25263FEDORA-2007-703MDKSA-2007:074MDKSA-2007:075MDKSA-2007:076RHSA-2007:0909RHSA-2007:088320070901-01-P26857268042710827275Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption.10276020070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption VulnerabilityVU#388289ADV-2007-02112375720070121 Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept ExploitGLSA-200702-07GLSA-200702-08HPSBUX0219622085ADV-2007-09361017520242022418924468jre-gif-bo(31537)RHSA-2007:0166RHSA-2007:016724993BEA07-172.00ADV-2007-181425283RHSA-2007:0956SUSE-SA:2007:045TA07-022A260492611927203266452158APPLE-SA-2007-12-14ADV-2007-422428115RHSA-2008:0261pptpgre.c in PoPToP Point to Point Tunneling Server (pptpd) before 1.3.4 allows remote attackers to cause a denial of service (PPTP connection tear-down) via (1) GRE packets with out-of-order sequence numbers or (2) certain GRE packets that are processed using a wrong pointer and improperly dequeued.DSA-128823886ADV-2007-1743 SUSE-SR:2007:010 25220 GLSA-200705-18 2007-0017 USN-459-1 1018064 25255SUSE-SR:2007:019USN-459-226987Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten.DSA-130720070613 High risk vulnerability in OpenOffice RTF parserGLSA-200707-02MDKSA-2007:144RHSA-2007:040620070602-01-P102917SUSE-SA:2007:037USN-482-124450ADV-2007-2166ADV-2007-2229101823925648256502567325705258622589425905260102602226476openoffice-rtf-bo(34843)plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 before 20070524, aka gforge-plugin-scmcvs, allows remote attackers to execute arbitrary commands via shell metacharacters in the PATH_INFO.DSA-129724141ADV-2007-19422539525416gforge-cvsweb-code-execution(34510)squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers to cause a denial of service (core dump) via crafted FTP directory listing responses, possibly related to the (1) ftpListingFinish and (2) ftpHtmlifyListEntry functions.23767FEDORA-2007-092GLSA-200701-22MDKSA-2007:026SUSE-SA:2007:0122007-0003USN-414-122079ADV-2007-0199238102380523837238892392123946squid-multiple-dos(31523)MDKSA-2007:026The aclMatchExternal function in Squid before 2.6.STABLE7 allows remote attackers to cause a denial of service (crash) by causing an external_acl queue overload, which triggers an infinite loop.23767 GLSA-200701-22 MDKSA-2007:026 SUSE-SA:2007:012 USN-414-1 22203 ADV-2007-0199 23805 23889 23921 23946 squid-externalacl-dos(31525)MDKSA-2007:026Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML via the o parameter.20070111 Nwom topsites v3.0220122149index.php in Nwom topsites 3.0 allows remote attackers to obtain potentially sensitive information via a ' (quote) character in the o parameter, which forces a SQL error.20070111 Nwom topsites v3.0220122149Integer underflow in the DecodeGRE function in src/decode.c in Snort 2.6.1.2 allows remote attackers to trigger dereferencing of certain memory locations via crafted GRE packets, which may cause corruption of log files or writing of sensitive information into log files.20070111 Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability22004 ADV-2007-0152 10175072165Unspecified vulnerability in easy-content filemanager allows remote attackers to upload or modify arbitrary files via unspecified vectors.20070111 easy-content filemanager** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven.Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors.20070111 Xine-ui format string Vulnerabilties.2200223709xineui-errorscreatewindow-format-string(31505) GLSA-200701-18 MDKSA-2007:027 23891MDKSA-2007:027MDKSA-2007:15423931XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017.20070110 VLC Format String Vulnerability also in XINE MDKSA-2007:027MDKSA-2007:027MDKSA-2007:1542225223931VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of service (application crash) via a crafted .wmv file.22003 vlcmediaplayer-wmv-dos(31515)** DISPUTED ** Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code.20070111 Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability22014ADV-2007-01552371320070112 Lies? [Was: Re: Digital Armaments Security Pre-Advisory11.01.2007: Grsecurity Kernel PaX - Local root vulnerability]101750920070120 Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability20070309 Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX VulnerabilityCross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information.220072373323738 21971 ADV-2007-0156 ADV-2007-0157 quickcart-p-xss(31475)Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to obtain sensitive information via a invalid cat parameter to boxx/knowledgebase.asp, which reveals the path in an error message.20070111 Ezboxx multiple vulnerabilities.ADV-2007-0208** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Naig 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the this_path parameter. NOTE: a reliable third party disputes this vulnerability because this_path is defined before use.20070112 Naig <= 0.5.2 (this_path) Remote File Include Vulnerability20070112 Fwd: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 20070113 Re: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability2145snews.php in sNews 1.5.30 and earlier does not properly exit when authentication fails, which allows remote attackers to perform unauthorized administrative actions, as demonstrated by changing an administrative password via the changeup task, and by uploading PHP code via the imagefile parameter.2202523746 3116 snews-image-file-upload(31535)WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix.20070112 Wordpress disclosure of Table Prefix WeaknessUnspecified vulnerability in Total Commander before 6.5.6 allows user-assisted remote attackers to delete arbitrary files and corrupt a filesystem via a crafted RAR file. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.22033Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.This vulnerability is addressed in the following product release: WinZip, WinZip, 9.0 SR122020Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to indexes/newscomments.asp.20070111 Ezboxx multiple vulnerabilities. ADV-2007-0208 23759SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the iid parameter.20070111 Ezboxx multiple vulnerabilities. ADV-2007-0208 23759The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries.[freebsd-security] 20070114 MOAB advisories22036ADV-2007-0171ADV-2007-09303268610177512372124479APPLE-SA-2007-03-13TA07-072AMultiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) the Advanced Queuing component and sys.dbms_aqsys.dbms_aq privileges (DB01), (2) Advanced Replication and sys.dbms_repcat_untrusted (DB07), and (3) Oracle Text and ctxload (DB15). NOTE: Oracle has not publicly claims by reliable researchers that DB01 is for SQL injection in the SYS.DBMS_AQ_INV package, and DB07 is for a buffer overflow in the UNREGISTER_SNAPSHOT procedure in the DBMS_REPCAT_UNTRUSTED package.TA07-017AVU#2217882379420070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070124 Oracle Buffer Overflow in DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT1017522oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to the Change Data Capture and sys.dbms_cdc_subscribe privileges, aka DB02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03.TA07-017A2379420070124 Oracle Buffer Overflow in DBMS_DRS.GET_PROPERTY1017522oracle-cpu-jan2007(31541)20070718 Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03)22083Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors related to the Log Miner component and sys.dbms_log_mnr privileges, aka DB04. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the ADD_LOGFILE procedure for the SYS.DBMS_LOGMNR package that allows code execution.TA07-017A2379420070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070124 Oracle Buffer Overflow in DBMS_LOGMNR.ADD_LOGFILE1017522oracle-cpu-jan2007(31541)22083Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via unspecified vectors involving certain public procedures, aka DB05.TA07-017A2379420070124 Oracle Multiple Buffer Overflows and DoS attacks in public procedures of MDSYS.MD1017522oracle-cpu-jan2007(31541)20070718 Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12)22083Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities.TA07-017A237941017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL.TA07-017A2379420070125 Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME20070125 Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070124 Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME20070124 Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL1017522oracle-cpu-jan2007(31541)22083Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01.TA07-017A2379420070117 [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS1017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9.0.1.5 have unknown impact and attack vectors related to (1) Advanced Security Option and oklist or okdstry (DB10), (2) Oracle Net Services (DB13), and (3) Recovery Manager and oklist (DB16).TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has unknown impact and attack vectors related to the Export component and expdp or impdp, aka DB11.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) NLS Runtime and lmsgen (DB12), and (2) Oracle Text and ctxkbtc (DB14).TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka (1) OHS01, (2) OHS02, (3) OHS05, (4) OHS06, and (5) OHS07.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN01. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that OPMN01 is for a buffer overflow in Oracle Notification Service (ONS).TA07-017A237941017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle HTTP Server 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1, and 10.1.3.0; and Collaboration Suite 9.0.4.2 and 10.1.2; have unknown impact and attack vectors related to the Oracle HTTP Server, aka (1) OHS03 and (2) OHS04.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.2 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 9.0.4.3 and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to Oracle Containers for J2EE, aka OC4J02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.3 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2, have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J03 and (2) OC4J04.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 9.0.4.2 and 10.1.2; and E-Business Suite and Applications 11.5.10CU2 has unknown impact and attack vectors related to Oracle Reports Developer, aka REP01.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 10.1.2.0.2 and 10.1.3.0, and Collaboration Suite 10.1.2, has unknown impact and attack vectors related to Containers for J2EE, aka OC4J07.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.0, and 10.1.2.0.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to Containers for J2EE, aka OC4J08.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 10.1.4.0 has unknown impact and attack vectors related to Oracle Internet Directory, aka OID01.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0.4.2 have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J01, (2) OC4J05, and (3) OC4J06.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors related to (1) Application Object Library (APPS01), (2) Human Resources (APPS03), (3) Payables (APPS04), (4) Trading Community Architecture (APPS05), and (5) Web Applications Desktop Integrator (APPS06).TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle E-Business Suite and Applications 6.2.3 has unknown impact and attack vectors related to Oracle Exchange, aka APPS02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 have unknown impact and attack vectors related to Oracle Agent, aka (1) EM01 and (2) EM02. NOTE: EM05 might be related to CVE-2007-0222.TA07-017A237941017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors related to (1) Oracle Agent (EM03) and (2) EM04 and (3) EM05 in Enterprise Manager Console. NOTE: EM05 might be related to CVE-2007-0222.TA07-017A237941017522oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Enterprise Manager 10.2.0.1 has unknown impact and attack vectors related to Database Cloning & Data Guard Management, aka EM06.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13 and 8.47.11 has unknown impact and attack vectors in PeopleTools, aka PSE01.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13, 8.47.11, and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.47.11 and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE03.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083PHP remote file inclusion vulnerability in show.php in LunarPoll, when register_globals is enabled, allows remote attackers execute arbitrary PHP code via a URL in the PollDir parameter.20070112 LunarPoll (PollDir) Remote File Include Vulnerabilities20070112 Source Verify of LunarPoll PollDir RFI22024 3117 ADV-2007-0177 1017510 23760 lunarpoll-show-file-include(31472)2152Integer overflow in the byte_swap_sbin function in bsd/ufs/ufs/ufs_byte_order.c in Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service (kernel panic) by mounting a crafted Unix File System (UFS) DMG image, which triggers an invalid pointer dereference.23725VU#515792ADV-2007-093031653101775124479APPLE-SA-2007-03-13TA07-072APHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter.Successful exploitation requires that "register_globals" is enabled.Exploit 311822021ADV-2007-017623722PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.Successful exploitation requires that "register_globals" is enabled.Exploit 312322040ADV-2007-017823743Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx.20070115 InstantForum.NET Multiple Cross-Site Scripting Vulnerability2205223787 ADV-2007-0227 instantforum-multiple-scripts-xss(31521)2164Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have unknown impact and attack vectors related to "Potential security bugs."22049ADV-2007-0181SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 allows remote attackers to execute arbitrary SQL commands via the id parameter.ADV-2007-0175237563120SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon Sistemi 4.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.20070115 Okul Web Otomasyon Sistemi (etkinlikbak.asp) SQL Injection Vulnerability2206023755 3135 ADV-2007-02062151