Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts. TA06-255A VU#406236 19951 20060912 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability MS06-054 http://www.computerterrorism.com/research/ct12-09-2006-2.htm 21863 publisher-pub-code-execution(28648) ADV-2006-3565 SSRT061187 HPSBST02134 1016825 1548 oval:org.mitre.oval:def:590 Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. TA06-010A VU#252146 16197 20060110 Microsoft Outlook Critical Vulnerability 20060110 Microsoft Exchange Critical Vulnerability MS06-003 1015461 1015460 18368 win-tnef-overflow(22878) ADV-2006-0119 http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm 331 330 oval:org.mitre.oval:def:624 oval:org.mitre.oval:def:1485 oval:org.mitre.oval:def:1456 oval:org.mitre.oval:def:1316 oval:org.mitre.oval:def:1165 oval:org.mitre.oval:def:1082 Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. TA06-101A VU#234812 MS06-014 ie-wscriptshell-command-execution(29915) mdac-rdsdataspace-execute-code(25006) ADV-2006-2452 ADV-2006-1319 http://www.securityfocus.com/data/vulnerabilities/exploits/0day_ie.pdf 20797 17462 20080128 Re: Exploit in IE6,7 20080128 Exploit in IE6,7 20070731 Re: Exploit In Internet Explorer 20070730 RE: Exploit In Internet Explorer 20070730 Re: Exploit In Internet Explorer 20070729 Exploit In Internet Explorer 24517 2164 2052 http://www.hitachi-support.com/security_e/vuls_e/HS06-013_e/index-e.html http://www.hitachi-support.com/security_e/vuls_e/HS06-013_e/01-e.html 1015894 20719 19583 oval:org.mitre.oval:def:1778 oval:org.mitre.oval:def:1742 oval:org.mitre.oval:def:1511 oval:org.mitre.oval:def:1323 oval:org.mitre.oval:def:1204 Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF). VU#963628 MS06-010 ADV-2006-0579 powerpoint-tiff-information-disclosure(24490) 16634 1015632 18865 oval:org.mitre.oval:def:1555 Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute. TA06-045A VU#692060 win-mediaplayer-plugin-embed-bo(24493) ADV-2006-0575 16644 MS06-006 20060214 Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability 1015628 18852 oval:org.mitre.oval:def:1559 Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. TA06-045A VU#291396 16633 MS06-005 http://www.eeye.com/html/research/advisories/AD20060214.html 1015627 18835 win-media-player-bmp-bo(24488) ADV-2006-0574 20060215 Windows Media Player BMP Heap Overflow (MS06-005) 20060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow 423 oval:org.mitre.oval:def:1661 oval:org.mitre.oval:def:1598 oval:org.mitre.oval:def:1578 oval:org.mitre.oval:def:1256 Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF image that triggers memory corruption when it is parsed. TA06-192A VU#668564 MS06-039 ADV-2006-2757 18915 20060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability 27146 1016470 21013 20060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability oval:org.mitre.oval:def:21 The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. VU#739844 16643 MS06-009 1015631 18859 win-korean-ime-privilege-elevation(24492) ADV-2006-0578 20060215 Security advisory: Windows IME Vulnerability (MS06-009) http://www.ryanstyle.com/alert/my/5/ms06_009_eng.html oval:org.mitre.oval:def:727 oval:org.mitre.oval:def:1688 oval:org.mitre.oval:def:1664 oval:org.mitre.oval:def:1650 oval:org.mitre.oval:def:1595 Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint. TA06-073A VU#682820 17000 20060314 SYMSA-2006-001: Buffer overflow in Microsoft Office 2000, Office XP (2002), and Office 2003 Routing Slip Metadata MS06-012 1015766 19138 powerpoint-presentation-code-execution(29009) office-routing-slip-bo(25009) ADV-2006-3678 ADV-2006-0950 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EBH http://www.symantec.com/security_response/writeup.jsp?docid=2006-091810-5028-99 http://www.symantec.com/enterprise/research/SYMSA-2006-001.txt 20059 20060919 Microsoft PowerPoint 0-day Vulnerability FAQ - September written 20060919 New PowerPoint 0-day Trojan in the wild 20060822 Major updates in PowerPoint FAQ document - not a 0-day issue 20060819 New PowerPoint 0-day and Trojan - FAQ document ready 20060422 PowerPoint Phishing Trojan 23903 http://www.darkreading.com/document.asp?doc_id=101970 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 1016886 1016720 19238 20060919 New PowerPoint 0-day Trojan in the wild http://isc.sans.org/diary.php?storyid=1618 http://blogs.securiteam.com/?p=559 http://blogs.securiteam.com/?p=557 http://blogs.securiteam.com/?author=28 20060822 Major updates in PowerPoint FAQ document - not a 0-day issue oval:org.mitre.oval:def:798 oval:org.mitre.oval:def:1653 oval:org.mitre.oval:def:1553 oval:org.mitre.oval:def:1504 Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. TA06-010A VU#915930 16194 MS06-002 18365 win-embedded-fonts-bo(23922) http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375525 ADV-2006-0118 20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability 18829 EEYEB20050801 http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm 1015459 18391 18311 oval:org.mitre.oval:def:714 oval:org.mitre.oval:def:698 oval:org.mitre.oval:def:1491 oval:org.mitre.oval:def:1462 oval:org.mitre.oval:def:1185 oval:org.mitre.oval:def:1126 Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." TA06-101A VU#641460 MS06-015 19606 win-explorer-com-code-execution(25554) ADV-2006-1320 17464 24516 1015897 oval:org.mitre.oval:def:1764 oval:org.mitre.oval:def:1743 oval:org.mitre.oval:def:1679 oval:org.mitre.oval:def:1448 oval:org.mitre.oval:def:1191 Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. VU#388900 16636 MS06-008 1015630 18857 msrpc-webclient-message-bo(24491) ADV-2006-0577 oval:org.mitre.oval:def:716 oval:org.mitre.oval:def:683 oval:org.mitre.oval:def:1602 oval:org.mitre.oval:def:1547 oval:org.mitre.oval:def:1220 Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. MS06-016 19617 http://www.zerodayinitiative.com/advisories/ZDI-06-007.html ADV-2006-1321 17459 20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing Vulnerability outlook-express-wab-bo(25535) 1015898 691 20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing Vulnerability oval:org.mitre.oval:def:812 oval:org.mitre.oval:def:1791 oval:org.mitre.oval:def:1780 oval:org.mitre.oval:def:1771 oval:org.mitre.oval:def:1769 oval:org.mitre.oval:def:1682 oval:org.mitre.oval:def:1611 Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. 17452 MS06-017 http://www.argeniss.com/research/ARGENISS-ADV-040602.txt 1015896 1015895 19623 ADV-2006-1322 20060412 Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting fpse-html-xss(25537) 704 oval:org.mitre.oval:def:1748 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3899. Reason: This candidate is a duplicate of CVE-2005-3899. Notes: All CVE users should reference CVE-2005-3899 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in the encodeURI and decodeURI functions in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute arbitrary code via a crafted, UTF-8 encoded URI. 20060119 [KDE Security Advisory] kjs encodeuri/decodeuri heap overflow http://www.kde.org/info/security/advisory-20060119-1.txt 18500 ftp://ftp.kde.org/pub/kde/security_patches/post-3.4.3-kdelibs-kjs.diff ADV-2006-0265 USN-245-1 SUSE-SA:2006:003 RHSA-2006:0184 GLSA-200601-11 DSA-948 18570 18561 18559 18552 18540 oval:org.mitre.oval:def:11858 kde-kjs-bo(24242) 16325 FLSA:178606 22659 MDKSA-2006:019 SSA:2006-045-05 1015512 364 18899 18583 An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability." VU#312956 TA06-045A 16516 MS06-004 18729 ADV-2006-0469 22976 http://www.microsoft.com/technet/security/advisory/913333.mspx 18912 [funsec] 20060110 Another WMF flaw without a Microsoft patch oval:org.mitre.oval:def:1638 Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability." TA06-045A VU#839284 16645 MS06-007 18853 win-igmpv3-dos(24489) ADV-2006-0576 20071023 SYMSA-2007-012: Microsoft Windows CE IGMP Denial of Service http://www.securiteam.com/exploits/5PP0T0KI0O.html 1599 1015629 oval:org.mitre.oval:def:678 oval:org.mitre.oval:def:1662 oval:org.mitre.oval:def:1647 oval:org.mitre.oval:def:1425 oval:org.mitre.oval:def:1310 Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption. TA06-164A VU#190089 18382 MS06-028 powerpoint-record-bo(26784) ADV-2006-2325 26435 1016287 20633 oval:org.mitre.oval:def:1984 oval:org.mitre.oval:def:1836 oval:org.mitre.oval:def:1069 Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit. VU#953860 MS06-011 18756 win-auth-users-insecure-permissions(24463) http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=391523&RenditionID= ADV-2006-0417 20060131 Windows Access Control Demystified http://www.microsoft.com/technet/security/advisory/914457.mspx http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 1015765 1015595 19313 19238 oval:org.mitre.oval:def:1696 oval:org.mitre.oval:def:1671 Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file. TA07-352A TA06-132A TA06-129A TA06-075A VU#945060 http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html 19218 macromedia-swf-code-execution(25005) ADV-2007-4238 ADV-2006-1779 ADV-2006-1744 ADV-2006-1262 ADV-2006-0952 17106 RHSA-2006:0268 23908 17951 http://www.opera.com/docs/changelogs/windows/854/ SUSE-SA:2006:015 MS06-020 GLSA-200603-20 1015770 28136 20077 20045 19328 19259 19198 APPLE-SA-2007-12-17 APPLE-SA-2006-05-11 http://docs.info.apple.com/article.html?artnum=307179 oval:org.mitre.oval:def:1922 oval:org.mitre.oval:def:1894 Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size. TA06-164A VU#608020 18385 MS06-024 20060613 Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow 20626 win-media-player-png-bo(26788) ADV-2006-2322 26430 1016284 oval:org.mitre.oval:def:1974 oval:org.mitre.oval:def:1820 oval:org.mitre.oval:def:1807 oval:org.mitre.oval:def:1805 oval:org.mitre.oval:def:1729 oval:org.mitre.oval:def:1230 Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP). VU#395588 TA06-192A iis-asp-bo(26796) 18858 MS06-034 1016466 21006 ADV-2006-2752 27152 20060718 ASP.DLL Include File Buffer Overflow oval:org.mitre.oval:def:435 Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties. TA06-129A VU#303452 MS06-019 exchange-calendar-code-execution(25556) ADV-2006-1743 17908 25338 1016048 20029 oval:org.mitre.oval:def:2035 oval:org.mitre.oval:def:1996 oval:org.mitre.oval:def:1818 Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers. TA06-073A VU#339878 MS06-012 1015766 19138 excel-parsing-format-file-bo(25225) http://www.zerodayinitiative.com/advisories/ZDI-06-004.html ADV-2006-0950 20060314 ZDI-06-004: Microsoft Excel File Format Parsing Vulnerability 23899 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 583 19238 oval:org.mitre.oval:def:1635 oval:org.mitre.oval:def:1509 oval:org.mitre.oval:def:1411 oval:org.mitre.oval:def:1158 Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption. TA06-073A VU#235774 MS06-012 1015766 19138 excel-description-bo(25227) ADV-2006-0950 23900 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 586 585 19238 oval:org.mitre.oval:def:1633 oval:org.mitre.oval:def:1579 oval:org.mitre.oval:def:1570 oval:org.mitre.oval:def:1522 Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption. TA06-073A VU#123222 MS06-012 1015766 19138 excel-graphic-bo(25229) ADV-2006-0950 16181 23901 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 19238 oval:org.mitre.oval:def:1666 oval:org.mitre.oval:def:1630 oval:org.mitre.oval:def:1510 oval:org.mitre.oval:def:1401 Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. TA06-073A VU#104302 17101 MS06-012 1015766 19138 excel-record-bo(25228) ADV-2006-0950 20060315 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability 23902 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 589 19238 20060314 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability oval:org.mitre.oval:def:763 oval:org.mitre.oval:def:1750 oval:org.mitre.oval:def:1525 oval:org.mitre.oval:def:1327 Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7. Successful exploitation requires that the Indexing service is accessible through IIS. TA06-255A VU#108884 19927 MS06-053 21861 ms-indexing-service-xss(28651) ADV-2006-3564 20061001 Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053] 20061002 IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053]) SSRT061187 HPSBST02134 http://www.geocities.jp/ptrs_sec/advisory09e.html 1016826 oval:org.mitre.oval:def:535 Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG image that triggers memory corruption when it is parsed. TA06-192A VU#459388 18913 MS06-039 ADV-2006-2757 27147 http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-22.html 1016470 21013 oval:org.mitre.oval:def:163 Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, which triggers a bug in the NdrAllocate function, aka the MSDTC Invalid Memory Access Vulnerability. 17906 20060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap Overflow MS06-018 http://www.eeye.com/html/research/advisories/AD20060509a.html 20000 msdtc-network-message-dos(25559) ADV-2006-1742 20060511 Microsoft MSDTC NdrAllocate Validation Vulnerability 25335 1016047 863 20060510 Microsoft MSDTC NdrAllocate Validation Vulnerability 20060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap Overflow oval:org.mitre.oval:def:1908 oval:org.mitre.oval:def:1477 oval:org.mitre.oval:def:1222 The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0. 2006-0004 18482 kernel-afnetlink-dos(24202) ADV-2006-0220 16414 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ad8e4b75c8a7bed475d72ce09bf5267188621961 388 ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation. ADV-2006-0220 http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e497502ab kernel-pptpincallrequest-dos(24203) 2006-0004 16414 388 18482 ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used. ADV-2006-0220 http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710 kernel-pptpnathelper-dos(24204) 2006-0004 16414 388 18482 Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function. Linux kernel version 2.6.16 has been released to address this issue. 17178 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186295 linux-netfilter-doreplace-overflow(25400) ADV-2006-2554 ADV-2006-1046 USN-302-1 RHSA-2006:0575 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21465 20914 20716 20671 19330 oval:org.mitre.oval:def:10945 Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE. http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2722971cbe831117686039d5c334f2c0f560be13 http://bugs.gentoo.org/show_bug.cgi?id=133465 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698 linux-doaddcounters-race-condition(26583) ADV-2006-2554 ADV-2006-1893 USN-311-1 18113 RHSA-2006:0689 25697 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-249.htm 22945 22292 21476 20991 20914 20671 20185 oval:org.mitre.oval:def:10309 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.17 GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a text e-mail with a large number of URLs, possibly due to unknown problems in gtkhtml. ADV-2006-0801 20060301 Evolution Emailer DoS evolution-email-dos(25050) 16899 19094 Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computational complexity. 16710 DSA-1000 19139 18846 libapreq2-parsing-dos(24917) ADV-2006-0645 GLSA-200604-08 http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup 737 19658 Buffer overflow in the realpath function in nfs-server rpc.mountd, as used in SUSE Linux 9.1 through 10.0, allows local users to execute arbitrary code via unspecified vectors involving mount requests and symlinks. 18638 SUSE-SA:2006:005 nfs-rpcmountd-realpath-bo(24347) ADV-2006-0348 16388 18614 DSA-975 18889 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350020 Unspecified vulnerability in context.py in Albatross web application toolkit before 1.33 allows remote attackers to execute arbitrary commands via unspecified vectors involving template files and the "handling of submitted form fields". DSA-942 18457 ADV-2006-0196 16252 http://www.object-craft.com.au/projects/albatross/news.html http://security.debian.org/pool/updates/main/a/albatross/albatross_1.20-2.diff.gz albatross-context-command-execution(24130) 22451 18496 crawl before 4.0.0 does not securely call programs when saving and loading games, which allows local users to gain privileges. DSA-949 ADV-2006-0303 16337 18545 crawl-insecure-command-execution(24262) 22690 18573 squid_redirect script in adzapper before 2006-01-29 allows remote attackers to cause a denial of service (CPU consumption) via a URL with a large number of trailing / (forward slashes), which might produce inefficient regular expressions. DSA-966 18777 18771 ADV-2006-0491 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350308 http://bugs.debian.org/cgi-bin/bugreport.cgi/squid_redirect.diff?bug=350308;msg=5;att=1 http://adzapper.sourceforge.net/cvslog.html adzapper-squid-redirect-dos(24640) 16558 22900 packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause a denial of service (server crash) via crafted packets with negative compressed size values. 16975 20060306 Out of memory crash in Freeciv 2.0.7 19120 freeciv-packets-dos(25166) ADV-2006-0838 MDKSA-2006:053 GLSA-200603-11 DSA-994 19253 19227 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355211 Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a denial of service (segmentation fault) via certain fragmented packets, possibly involving invalid headers and an attacker-controlled payload length. NOTE: this issue might be a buffer overflow or overread. ADV-2006-1466 17665 http://sourceforge.net/mailarchive/forum.php?thread_id=9989610&forum_id=37151 tcpick-writec-dos(26090) gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455. 17058 20060309 GnuPG does not detect injection of unsigned data 23790 GLSA-200603-08 DSA-993 1015749 19173 [gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned data ADV-2006-0915 USN-264-1 oval:org.mitre.oval:def:10063 gnupg-nondetached-sig-verification(25184) 2006-0014 SSA:2006-072-02 FLSA-2006:185355 RHSA-2006:0266 FEDORA-2006-147 MDKSA-2006:055 568 450 19532 19287 19249 19244 19234 19232 19231 19203 19197 SUSE-SA:2006:014 20060401-01-U snmptrapfmt in Debian 3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary log file. DSA-1013 19318 17182 snmptrapfmt-log-temprary-file(25442) Buffer overflow in playlistimport.cpp in Kaffeine Player 0.4.2 through 0.7.1 allows user-assisted attackers to execute arbitrary code via long HTTP request headers when Kaffeine is "fetching remote playlists", which triggers the overflow in the http_peek function. http://www.kde.org/info/security/advisory-20060404-1.txt 19525 kaffeine-http-peek-bo(25631) ADV-2006-1229 USN-268-1 17372 20060405 [Kaffeine Security Advisory] Heap based buffer overflow in http_peek() SUSE-SR:2006:008 GLSA-200604-04 DSA-1023 1015863 19571 19557 19549 19542 19540 MDKSA-2006:065 The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote attackers to cause a denial of service (mailing list delivery failure) via a multipart MIME message with a single part that has two blank lines between the first boundary and the end boundary. 17311 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358892 oval:org.mitre.oval:def:9475 USN-267-1 RHSA-2006:0486 24367 SUSE-SR:2006:008 MDKSA-2006:061 DSA-1027 1015851 20782 20624 19571 19545 19522 20060602-01-U Imager (libimager-perl) before 0.50 allows user-assisted attackers to cause a denial of service (segmentation fault) by writing a 2- or 4-channel JPEG image (or a 2-channel TGA image) to a scalar, which triggers a NULL pointer dereference. 17415 DSA-1028 19577 19575 imager-jpeg-tga-dos(25717) ADV-2006-1294 http://rt.cpan.org/Public/Bug/Display.html?id=18397 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359661 The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer. 16209 18378 FreeBSD-SA-06:04 ipfw-icmp-fragment-dos(24073) 22319 1015477 The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell. 16207 18404 FreeBSD-SA-06:02 ee-ispell-op-symlink(24074) 22320 1015469 Double free vulnerability in the authentication and authentication token alteration code in PAM-MySQL 0.6.x before 0.6.2 and 0.7.x before 0.7pre3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted passwords, which lead to a double free of a pointer that was created by the pam_get_item function. NOTE: this issue only occurs in certain configurations in which there are multiple PAM modules, PAM-MySQL is not evaluated first, and there are no requisite modules before PAM-MySQL. VU#693909 16564 1015603 18598 ADV-2006-0490 22995 22994 GLSA-200606-18 http://sourceforge.net/forum/forum.php?forum_id=499394 20690 http://jvn.jp/cert/JVNVU%23693909/index.html Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to bypass the Kill bit settings for dangerous ActiveX controls via unknown vectors involving crafted HTML, which can expose the browser to attacks that would otherwise be prevented by the Kill bit setting. NOTE: CERT/CC claims that MS05-054 fixes this issue, but it is not described in MS05-054. VU#998297 http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx ie-activex-killbit-bypass(24379) 16409 23657 Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations. TA06-081A VU#834865 RHSA-2006:0265 RHSA-2006:0264 ADV-2006-2490 ADV-2006-2189 ADV-2006-1529 ADV-2006-1157 ADV-2006-1139 ADV-2006-1072 ADV-2006-1068 ADV-2006-1051 ADV-2006-1049 http://www.sendmail.com/company/advisory/index.shtml 20060322 sendmail vuln advisories (CVE-2006-0058) OpenPKG-SA-2006.007 20060322 Sendmail Remote Signal Handling Vulnerability GLSA-200603-21 DSA-1015 200494 19367 19363 19342 oval:org.mitre.oval:def:11074 HPSBTU02116 HPSBUX02108 smtp-timeout-bo(24584) http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751 http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688 17192 FLSA:186277 FEDORA-2006-193 FEDORA-2006-194 24037 [3.8] 006: SECURITY FIX: March 25, 2006 SUSE-SA:2006:017 MDKSA-2006:058 http://www.f-secure.com/security/fsc-2006-2.shtml Q-151 IY82994 IY82993 IY82992 http://support.avaya.com/elmodocs2/security/ASA-2006-078.htm http://support.avaya.com/elmodocs2/security/ASA-2006-074.htm 102324 102262 SSA:2006-081-01 1015801 743 612 20723 20243 19774 19676 19533 19532 19466 19450 19407 19404 19394 19368 19361 19360 19356 19349 19346 19345 HPSBTU02116 HPSBUX02108 20060401-01-U 20060302-01-P SCOSA-2006.24 NetBSD-SA2006-010 FreeBSD-SA-06:13 oval:org.mitre.oval:def:1689 Heap-based buffer overflow in the ISO Transport Service over TCP (RFC 1006) implementation of LiveData ICCP Server before 5.00.035 allows remote attackers to cause a denial of service or execute arbitrary code via malformed packets. This vulnerability is addressed in the following product release: LiveData, ICCP Server, 5.00.035 VU#190617 ADV-2006-1830 http://www.kb.cert.org/vuls/id/JGEI-6MMS9T livedata-iccp-rfc1006-bo(26490) 18010 http://www.digitalbond.com/SCADA_Blog/2006/05/us-cert-livedata-iccp-vulnerability.html 1016113 20146 Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357. ADV-2006-0051 22672 313 http://securityreason.com/securityalert/313 20060105 phpBB 2.0.19 XSS PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter. ADV-2006-0016 1398 SQL injection vulnerability in (1) functions.php, (2) functions_update.php, and (3) functions_display.php in VEGO Web Forum 1.26 and earlier allows remote attackers to execute arbitrary SQL commands via the theme_id parameter in index.php. ADV-2006-0003 20060101 [eVuln] VEGO Web Forum SQL Injection Vulnerability 18273 http://evuln.com/vulns/1/summary.html 16107 22140 315 SQL injection vulnerability in index.php in PHPjournaler 1.0 allows remote attackers to execute arbitrary SQL commands via the readold parameter. ADV-2006-0006 16111 20060101 [eVuln] PHPjournaler SQL Injection Vulnerability 22149 18265 http://evuln.com/vulns/9/summary.html SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. ADV-2006-0004 18272 http://evuln.com/vulns/2/summary.html 16108 22139 SQL injection vulnerability in Primo Cart 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) q parameter to search.php and (2) email parameter to user.php. ADV-2006-0008 18264 16125 22147 22146 http://pridels0.blogspot.com/2006/01/primo-cart-sql-inj.html Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk Guestbook 1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the homepage parameter. 19087 16112 20060101 [eVuln] Chipmunk Guestbook XSS Vulnerability 18270 http://evuln.com/vulns/4/summary.html ** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE. 20060103 Re: Drupal all versiyon xss cehennem.org 20060102 Drupal all versiyon xss cehennem.org The ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0. 16120 GLSA-200601-01 22211 18284 Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument. NOTE: this is probably a different vulnerability than CVE-2005-0351 since it involves a distinct attack vector. 16122 20060102 SCO Openserver 5.0.x exploit http://downloads.securityfocus.com/vulnerabilities/exploits/Openserver_bof.c Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16119 22153 18283 SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter. NOTE: it was later reported that 1.1 and earlier are affected. ADV-2006-0005 16109 20060101 [eVuln] PHPenpals SQL Injection Vulnerabilit 22150 8706 18269 http://evuln.com/vulns/5/summary.html Direct static code injection vulnerability in phpBook 1.3.2 and earlier allows remote attackers to execute arbitrary PHP code via the e-mail field (mail variable) in a new message, which is written to a PHP file. 16106 20060101 [eVuln] phpBook PHP Code Execution http://evuln.com/vulns/6/summary.html ADV-2006-0002 18268 PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. 16105 20060531 Re: OaBoard 1.0 Remote File inclusion 20060530 OaBoard 1.0 Remote File inclusion 20060101 [eVuln] oaBoard PHP Code Execution 1016211 http://evuln.com/vulns/3/summary.html Off-by-one error in the getfattr function in File::ExtAttr before 0.03 allows attackers to trigger a buffer overflow via unspecified attack vectors. 16118 http://sourceforge.net/project/shownotes.php?release_id=382199&group_id=153116 18253 ADV-2006-0013 22160 Multiple cross-site scripting (XSS) vulnerabilities in B-net Software 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) shout variables to (a) shout.php, or the (3) title and (4) message variables to (b) guestbook.php. ADV-2006-0018 16114 20060102 [eVuln] B-net Software Multiple XSS Vulnerabilities 18271 http://evuln.com/vulns/10/summary.html 20060825 Re: [eVuln] B-net Software Multiple XSS Vulnerabilities 22191 22190 http://sourceforge.net/project/shownotes.php?release_id=442067&group_id=117067 316 SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 allows remote attackers to execute arbitrary SQL commands via the username field (adminname variable). ADV-2006-0027 16115 20060102 [eVuln] ScozBook "adminname" Authentication Bypass http://evuln.com/vulns/11/summary.html 22221 318 8476 Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php. ADV-2006-0033 16116 20060108 Html_Injection in vBulletin 3.5.2 20060101 [KAPDA::#19] - Html Injection in vBulletin 3.5.2 22220 22210 18299 http://kapda.ir/advisory-177.html ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title. ADV-2006-0017 16127 22196 18286 20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] 20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] 20060102 Buffer Overflow vulnerability in Windows Display Manager [Suspected] Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. 12717 GLSA-200602-13.xml GLSA-200602-06 SSA:2006-045-03 19183 19030 18851 18607 20060301-01-U https://issues.rpath.com/browse/RPL-389 ADV-2008-0412 USN-246-1 20061127 rPSA-2006-0218-1 ImageMagick SUSE-SR:2006:006 MDKSA-2006:024 DSA-1213 231321 1015623 500 28800 23090 22998 19408 18871 18261 RHSA-2006:0178 oval:org.mitre.oval:def:10717 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876 Format string vulnerability in the logging code of SMS Server Tools (smstools) 1.14.8 and earlier allows local users to execute arbitrary code via unspecified attack vectors. 18357 smstools-logging-format-string(24034) 16188 22287 DSA-930 18343 Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the $_SERVER[HTTP_USER_AGENT] variable (User-Agent header). ADV-2006-0030 16138 22198 18292 http://evuln.com/vulns/13/summary.html 1015432 20060116 vendor ack/fix: 22198: raSMP index.php User-Agent Field XSS (fwd) SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attackers to execute arbitrary SQL commands via the (1) usuario_nkads_admin or (2) password_nkads_admin parameters. ADV-2006-0040 http://www.soulblack.com.ar/repo/papers/advisory/nkads_advisory.txt 18302 22206 Cross-site scripting vulnerability in index.php in Next Generation Image Gallery 0.0.1 Lite Edition allows remote attackers to inject arbitrary web script or HTML via the page parameter. ADV-2006-0037 18309 22202 http://osvdb.org/ref/22/22202-nextgen.txt SQL injection vulnerability in (1) pages.php and (2) detail.php in Lizard Cart CMS 1.04 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2006-0029 16140 20060104 [eVuln] Lizard Cart CMS SQL Injection Vulnerability 18297 22200 22199 http://www.evuln.com/vulns/12/summary.html 1015435 314 SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter. ADV-2006-0026 16110 20060101 [eVuln] inTouch Authentication Bypass http://evuln.com/vulns/8/summary.html intouch-intouch-sql-injection(23954) 22382 Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute. ADV-2006-0032 16136 http://users.pandora.be/bratax/advisories/b007.html 18294 22208 Directory traversal vulnerability in index.php in IDV Directory Viewer before 2005.1 allows remote attackers to view arbitrary directory contents via a .. (dot dot) in the dir parameter. http://sourceforge.net/project/shownotes.php?release_id=382593&group_id=152499 ADV-2006-0031 18298 16137 Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0.8.1-6 and earlier, with "Inline HTML" enabled, allows remote attackers to inject arbitrary web script or HTML via e-mail attachments, which are rendered inline. ADV-2006-0034 18285 20060103 Open Xchange XSS 1015431 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0992, CVE-2006-0158. Reason: this candidate was intended for one issue, but a typo caused it to be associated with a Novell/Groupwise issue. In addition, this issue was a duplicate of a SiteSuite issue that was also assigned CVE-2006-0158. Notes: All CVE users should consult CVE-2006-0992 and CVE-2006-0158 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP allows remote attackers to inject arbitrary web script or HTML via the cat parameter. ADV-2006-0039 22203 18306 http://osvdb.org/ref/22/22203-ecardmax.txt PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0028 17373 dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key. [linux-kernel] 20060104 [Patch 2.6] dm-crypt: zero key before freeing it ADV-2006-0235 oval:org.mitre.oval:def:11192 [linux-kernel] 20060104 [Patch 2.6] dm-crypt: Zero key material before free to avoid information leak kernel-dmcrypt-information-disclosure(24189) USN-244-1 2006-0004 16301 FLSA:157459-4 RHSA-2006:0132 FEDORA-2006-102 22418 SUSE-SA:2006:028 MDKSA-2006:040 DSA-1017 1015740 388 20398 19374 19160 18774 18527 18487 wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels. MDKSA-2006:044 USN-244-1 16304 http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=0f1d4813a4a65296e1131f320a60741732bc068f DSA-1017 19374 18977 18527 http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.91.23?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wan|related/drivers/net/wan/sdla.c Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function. ADV-2006-0046 16145 20060105 Windows PHP 4.x http://www.php.net/ChangeLog-4.php#4.4.3 22232 18275 20060105 Windows PHP 4.x 20060108 RE: Windows PHP 4.x The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/. 16144 [3.7] 20060105 008: SECURITY FIX: January 5, 2006 18296 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/008_fd.patch 22231 1015437 PHP remote file include vulnerability in (1) include/templates/categories/default.php and (2) certain other include/templates/categories/ PHP scripts in Valdersoft Shopping Cart 3.0 allows remote attackers to execute arbitrary code via a URL in the catalogDocumentRoot parameter. 16126 http://downloads.securityfocus.com/vulnerabilities/exploits/cijfer-vscxpl.pl 1401 Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Name of site" field of an FTP account. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to create or modify FTP accounts in this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 20060102 NicoFTP Stack Overflow 317 Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Beta 20051202 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p and (2) keyword parameters in (a) index.php and (b) search.php. sblog-multiple-scripts-xss(23979) ADV-2006-0041 22374 22373 http://osvdb.org/ref/22/22373-sblog.txt Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and earlier allows remote attackers to inject arbitrary web script via a javascript: scheme in an "[a]" bbcode tag, possibly the txt parameter to action.php. ADV-2006-0054 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 22256 1015436 18293 http://evuln.com/vulns/14/summary.html 320 TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information. tinyphpforum-users-information-disclosure(24016) ADV-2006-0054 20060417 Tiny PHP forum - vulns 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 22257 1015436 320 18293 http://evuln.com/vulns/14/summary.html Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allows remote attackers to create a new user account, create a new topic, or view the profile of a user account, as demonstrated via a .. (dot dot) in the uname parameter to profile.php. ADV-2006-0054 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 18293 http://evuln.com/vulns/14/summary.html http://evuln.com/vulns/14/exploit.html 16163 22258 1015436 320 PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of service (postmaster exit and no new connections) via a large number of simultaneous connection requests. [pgsql-announce] 20060109 CRITICAL RELEASE: Minor Releases to Fix DoS Vulnerability ADV-2006-0114 postgresql-connection-request-dos(24049) 16201 20060111 PostgreSQL security releases 8.0.6 and 8.1.2 http://www.postgresql.org/about/news.456 1015482 327 18419 gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase. 18323 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346197 ADV-2006-0098 [Dailydave] 20060105 WMF goes away :< win-wmf-execute-code(23846) 20060117 ERRATA: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability SUSE-SR:2006:002 MDKSA-2006:014 GLSA-200601-09 DSA-954 18578 18549 18451 SQL injection vulnerability in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the viewID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0108. 16159 22252 18324 timecancms-sql-injection(24014) SQL injection vulnerability in mcl_login.asp in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0107. ADV-2006-0078 22253 22252 timecancms-sql-injection(24014) Cross-site scripting vulnerability in category.php in Modular Merchant Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 18320 ADV-2006-0076 16160 22243 http://www.modularmerchant.com/forums/viewtopic.php?t=46 http://osvdb.org/ref/22/22243-modular.txt 20060214 vendor ack/fix 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS (fwd) Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to inject arbitrary web script via the email parameter. ADV-2006-0073 16154 20060106 [eVuln] Proyecto Domus 'email' XSS Vulnerability 22263 18327 http://evuln.com/vulns/16/summary.html domus-escribir-xss(24020) Cross-site scripting vulnerability in index.php in Boxcar Media Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) parent or (2) pg parameter. boxcar-index-xss(24019) ADV-2006-0080 22360 http://osvdb.org/ref/22/22360-boxcar.txt Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simple PHP Gallery 1.7 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. ADV-2006-0036 22201 18310 http://osvdb.org/ref/22/22201-espg.txt Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the full path of the application via a direct request to sp_helper_functions.php, which leaks the pathname in an error message. 18310 http://osvdb.org/ref/22/22201-espg.txt 22417 The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows remote attackers to obtain valid e-mail addresses to conduct spam attacks by modifying the contact_id parameter to index2.php. joomla-vcard-information-disclosure(24042) ADV-2006-0097 16185 18361 http://forum.joomla.org/index.php/topic,29031.0.html http://forge.joomla.org/sf/go/artf2950 Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp. ADV-2006-0079 16155 22250 22249 22248 18325 http://osvdb.org/ref/22/22248-oneplug.txt Cross-site scripting vulnerability search.inetstore in iNETstore Ebusiness Software 2.0 allows remote attackers to inject arbitrary web script or HTML via the searchterm parameter. ADV-2006-0075 16156 20060126 Re: [OSVDB Mods] iNETstore E Commerce Solution - Cross Site Scripting 22251 20060127 vendor confirms versions: iNETstore E Commerce Solution - Cross Site Scripting (fwd) 18322 http://osvdb.org/ref/22/22251-inetstore.txt Buffer overflow in IBM Lotus Notes and Domino Server before 6.5.5 allows attackers to cause a denial of service (router crash or hang) via unspecified vectors involving "CD to MIME Conversion". 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/21d8fd7989fdf78d852570e4001bae68?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/50c634bfe193efa5852570e4001baace?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-cdtomime-dos(24205) Unspecified vulnerability in IBM Lotus Notes and Domino Server before 6.5.5, when running on AIX, allows attackers to cause a denial of service (deep recursion leading to stack overflow and crash) via long formulas. 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/21d8fd7989fdf78d852570e4001bae68?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/50c634bfe193efa5852570e4001baace?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-long-formula-bo(24206) Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 have unknown impact and attack vectors, due to "potential security issues" as identified by SPR numbers (1) GPKS6C9J67 in Agents, (2) JGAN6B6TZ3 and (3) KSPR699NBP in the Router, (4) GPKS5YQGPT in Security, or (5) HSAO6BNL6Y in the Web Server. NOTE: vector 3 is related to an issue in NROUTER in IBM Lotus Notes and Domino Server before 6.5.4 FP1, 6.5.5, and 7.0, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted vCal meeting request sent via SMTP (aka SPR# KSPR699NBP). 16158 18328 domino-smtp-nrouter-dos(27413) lotus-web-unspecified-xss(24211) lotus-multiple-unspecified(24207) ADV-2006-2564 ADV-2006-0081 18020 20060626 SYMSA-2006-006: Lotus Domino SMTP Based Denial of Service http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/f97fe7cfd9a8113b8525709200001db4?OpenDocument&Highlight=0,GPKS6C9J67 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/e4deb1cbb011c747852570e4001ba9bb?OpenDocument&Highlight=0,GPKS5YQGPT http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/de2ab57a5b9547848525701b00420c2c?OpenDocument&Highlight=0,KSPR699NBP http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/d1150fc9c5dec8b18525709200001da6?OpenDocument&Highlight=0,GPKS6C9J67 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/9a1650d1a771f3078525702a00420def?OpenDocument&Highlight=0,HSAO6BNL6Y http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/94a77eb898843aca8525709200001de1?OpenDocument&Highlight=0,JGAN6B6TZ3 http://www-1.ibm.com/support/docview.wss?uid=swg27007054 1016390 20855 Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (application crash) via multiple vectors, involving (1) a malformed message sent to an "Out Of Office" agent (SPR LPEE6DMQWJ), (2) the compact command (RTIN5U2SAJ), (3) malformed bitmap images (MYAA6FH5HW), (4) the "Delete Attachment" action (YPHG6844LD), (5) parsing certificates from a remote Certificate Table (AELE6DZFJW), and (6) creating a SSL key ring with the Domino Administration client (NSUA4FQPTN). 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/ced5f873baea4e8b852570e4001baa6d?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/ad0dd14aa109f96b852570e4001bb08c?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/5f166a44ee743b2c852570e4001baf31?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/4118a1f266afb26c852570e4001baf5e?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/2bb4f466a9e986ae852570e4001babbb?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/040482aeb1416bb7852570e4001badd6?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/258394eaa824f2c08525708a004209d3?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-ssl-keyring-dos(24217) lotus-certificate-parsing-dos(24216) lotus-delete-attachment-dos(24215) lotus-bmp-dos(24214) lotus-compact-dos(24213) lotus-outofoffice-dos(24212) Multiple memory leaks in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (memory consumption and crash) via unknown vectors related to (1) unspecified vectors during the SSL handshake (SPR# MKIN67MQVW), (2) the stash file during the SSL handshake (SPR# MKIN693QUT), and possibly other vectors. NOTE: due to insufficient information in the original vendor advisory, it is not clear whether there is an attacker role in other memory leaks that are specified in the advisory. 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/2221243535d88a2b8525701b00420cd6?OpenDocument&Highlight=0,MKIN693QUT http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/20f66e356a76c90f8525702a00420e08?OpenDocument&Highlight=0,MKIN67MQVW http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-ssl-handshake-dos(24223) Cross-site scripting (XSS) vulnerability in Public/Index.asp in Aquifer CMS allows remote attackers to inject arbitrary web script or HTML via the Keyword parameter. Vendor provided solution: "Liquid Development has identified this vulnerability in all shipping versions of AquiferCMS and coded a software fix. The fix will be included in all releases of AquiferCMS built on or after January 24, 2006. Customers should contact Liquid Development to obtain the fix for this vulnerability. For more information visit www.aquifercms.com." 22247 ADV-2006-0074 16162 18326 http://osvdb.org/ref/22/22247-aquifer.txt 20060124 vendor ack/fix: Aquifer CMS Index.asp Keyword Variable XSS (fwd) Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors. ADV-2006-0077 16157 20060105 [eVuln] ADNForum Multiple Vulnerabilities 22241 22240 1015445 18300 http://evuln.com/vulns/15/summary.html Cross-site scripting (XSS) vulnerability in crear.php in ADN Forum 1.0b allows remote attackers to inject arbitrary web script or HTML via the titulo parameter, which is used by the "Topic name" field. ADV-2006-0077 16157 20060105 [eVuln] ADNForum Multiple Vulnerabilities 18300 http://evuln.com/vulns/15/summary.html 22242 1015445 Unspecified vulnerability in appserv/main.php in AppServ 2.4.5 allows remote attackers to include arbitrary files via the appserv_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. There is not enough detail from these third party sources to know whether this is directory traversal, remote file include, or another issue. ADV-2006-0053 22228 18163 16166 rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices. 22223 18301 ADV-2006-0052 http://dist.schmorp.de/rxvt-unicode/Changes Directory traversal vulnerability in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote authenticated users to rename the folders of other users via a .. (dot dot) in the RENAME command. http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt 22229 18318 20060104 Rockliffe Directory Transversal Vulnerability ADV-2006-0055 20060105 Re: Rockliffe Directory Transversal Vulnerability Buffer overflow in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote attackers to have an unknown impact via unknown attack vectors. http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt 20060104 Rockliffe Directory Transversal Vulnerability rockliffe-imap-unspecified-bo(39991) Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106. 18318 http://zur.homelinux.com/Advisories/RockliffeMailsiteUserEnum.txt ADV-2006-0055 22230 20060104 Rockliffe Mailsite User Enumeration Flaw Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier allows remote attackers to attempt authentication with an unlimited number of user account names and passwords without denying connections, limiting the rate of connections, or locking out an account. http://zur.homelinux.com/Advisories/RockliffeMailsiteUserEnum.txt 20060104 Rockliffe Mailsite User Enumeration Flaw boastMachine 3.1 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php and (2) side_menu.php, which reveals the path in an error message. 20060105 [ECHO_ADV_25$2006] Full path disclosure on boastMachine v3.1 http://echo.or.id/adv/adv26-K-159-2006.txt Directory traversal vulnerability in webftp.php in SysCP WebFTP 1.2.6 and possibly earlier allows remote attackers to include and execute arbitrary local PHP scripts, and possibly read other types of files, via a .. (dot dot) and a trailing null in the webftp_language parameter. 18355 ADV-2006-0090 16175 20060104 SysCP WebFTP local file inclusion vulnerability webftp-language-file-include(24018) Multiple directory traversal vulnerabilities in AIX 5.3 ML03 allow local users to determine the existence of files and read partial contents of certain files via a .. (dot dot) in the argument to (1) getCommand.new (aka getCommand) and (2) getShell, a different vulnerability than CVE-2005-4273. 16103 16102 20060101 [xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities 1015429 Cross-site scripting (XSS) vulnerability in register.php in TheWebForum (twf) 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the www parameter. ADV-2006-0093 16161 20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass 1015450 18392 http://evuln.com/vulns/17/summary.html http://evuln.com/vulns/17/exploit.html thewebforum-register-xss(24007) 22295 SQL injection vulnerability in login.php in TheWebForum (twf) 1.2.1 allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the username parameter (aka the u variable). ADV-2006-0093 16161 20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass 1015450 18392 http://evuln.com/vulns/17/summary.html http://evuln.com/vulns/17/exploit.html thewebforum-login-sql-injection(24027) 22294 321 Multiple cross-site scripting (XSS) vulnerabilities in the guestbook module in modules.php in Phanatic Softwares Chimera Web Portal System 0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) comment_poster, (2) comment_poster_email, (3) comment_poster_homepage, and (4) comment_text parameters. ADV-2006-0025 16113 20060101 [eVuln] Chimera Web Portal System Multiple Vulnerabilities http://evuln.com/vulns/7/summary.html http://evuln.com/vulns/7/exploit.html SQL injection vulnerability in linkcategory.php in Phanatic Softwares Chimera Web Portal System 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2006-0025 16113 20060101 [eVuln] Chimera Web Portal System Multiple Vulnerabilities http://evuln.com/vulns/7/summary.html http://evuln.com/vulns/7/exploit.html chimera-linkcategory-sql-injection(23963) 22420 aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891). http://www.securiteam.com/exploits/5JP090KHFQ.html 22186 The send-private-message functionality (send-private-message.asp) in PD9 Software MegaBBS 2.1 allows remote attackers to read private messages of other users via a modified replyid parameter. 16168 http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924 http://www.hamid.ir/security/megabbs.txt 18342 ADV-2006-0095 megabbs-sendprivatemessage-disclosure(24050) 1015452 Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 Stable(2.6.0) and V17beta2 allows remote attackers to inject arbitrary web script or HTML via the (1) b, (2) textlarge, and (3) url bbcode tags. navboard-post-xss(24021) ADV-2006-0092 16165 20060107 [eVuln] NavBoard BBcode XSS Vulnerability 22277 18345 http://evuln.com/vulns/19/summary.html Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote attackers to cause a denial of service (crash) via (1) malformed NTLM authentication requests, or a malformed (2) Incoming Mail X or (3) Temporary Mail file. http://www.eudora.co.nz/updates.html 18356 ADV-2006-0099 16179 eims-corrupted-mail-dos(24033) eims-ntlm-auth-dos(24032) Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda 1.9.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0096 16183 18359 andromeda-script-xss(24031) Microsoft Windows Graphics Rendering Engine (GRE) allows remote attackers to corrupt memory and cause a denial of service (crash) via a WMF file containing (1) ExtCreateRegion or (2) ExtEscape function calls with arguments with inconsistent lengths. 1015453 win-gre-wmf-dos(24044) ADV-2006-0115 16167 20060109 [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities 20060107 Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function. 18390 gopear-proxy-redirection(24076) ADV-2006-0148 16174 20060109 New PEAR / Apache2Triad Exploit http://apache2triad.net/forums/viewtopic.php?p=14670 The kernfs_xread function in kernfs in NetBSD 1.6 through 2.1, and OpenBSD 3.8, does not properly validate file offsets against negative 32-bit values that occur as a result of truncation, which allows local users to read arbitrary kernel memory and gain privileges via the lseek system call. 16173 http://www.securitylab.net/research/2006/02/advisory_netbsd_openbsd_kernfs.html 20060202 [SLAB] NetBSD / OpenBSD kernfs_xread patch evasion 22293 18712 18388 NetBSD-SA2006-001 netbsd-kernfs-memory-disclosure(24035) 405 The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. http://www.xaraya.com/index.php/news/569 16187 20060202 Bug for libs in php link directory 2.0 22290 GLSA-200604-07 DSA-1031 DSA-1030 DSA-1029 http://secunia.com/secunia_research/2005-64/advisory/ 19699 19591 19590 19563 19555 18720 18276 18260 18233 17418 adodb-server-command-execution(24051) ADV-2006-1419 ADV-2006-1305 ADV-2006-1304 ADV-2006-0447 ADV-2006-0370 ADV-2006-0105 ADV-2006-0104 ADV-2006-0103 ADV-2006-0102 ADV-2006-0101 20070418 MediaBeez Sql query Execution .. Wear isn't ?? :) 20060409 PhpOpenChat 3.0.x ADODB Server.php http://www.maxdev.com/Article550.phtml 713 24954 19691 19600 18267 18254 http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo. 22291 GLSA-200604-07 DSA-1030 DSA-1029 http://secunia.com/secunia_research/2005-64/advisory/ 19628 19591 19590 19555 18276 18260 18254 18233 17418 ADV-2006-1332 ADV-2006-1305 ADV-2006-0104 ADV-2006-0103 ADV-2006-0102 ADV-2006-0101 20060412 Simplog <=0.9.2 multiple vulnerabilities 20060409 PhpOpenChat 3.0.x ADODB Server.php "sql" SQL injection DSA-1031 19600 18267 http://retrogod.altervista.org/simplog_092_incl_xpl.html http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html 1663 adodb-tmssql-command-execution(24052) 19691 NetSarang Xlpd 2.1 allows remote attackers to cause a denial of service (crash) via a large number of connections from the same IP address. 16164 http://www.ipomonis.com/advisories/xlpd.txt 1015444 xlpd-connection-dos(24041) Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field. 1015451 20060106 SimpBook "message" Remote Cross-Site Scripting Vulnerability Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username. MDKSA-2006:017 16177 RHSA-2006:0179 DSA-952 18568 18412 18405 18382 apache-authldap-format-string(24030) ADV-2006-0117 20060109 Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap module Multiple Format Strings Vulnerability http://www.rudedog.org/auth_ldap/Changes.html http://www.digitalarmaments.com/2006090173928420.html 1015456 sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158. 18363 USN-235-2 16184 18358 2006-0010 SUSE-SR:2006:002 MDKSA-2006:159 DSA-946 SSA:2006-045-08 21692 19016 18906 18558 18549 Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the needle parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0094 16180 18360 phpchamber-searchresult-xss(24029) 22282 427BB 2.2 and 2.2.1 verifies authentication credentials based on the username, authenticated, and usertype cookies, which allows remote attackers to bypass authentication by using a valid username and usertype and setting the authenticated cookie. ADV-2006-0091 16178 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) 18354 http://evuln.com/vulns/18/summary.html 427bb-scripts-security-bypass(24038) 22274 SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via the ForumID parameter. ADV-2006-0091 16169 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) 18354 http://evuln.com/vulns/18/summary.html 427bb-showthread-sql-injection(24039) 22275 Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary Javascript via a new message with a url bbcode tag containing a javascript URI. ADV-2006-0091 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) 18354 http://evuln.com/vulns/18/summary.html 427bb-posts-xss(24040) 22276 Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows remote attackers to inject arbitrary Javascript via the javascript URI in bbcode url tags in (1) addpost1.php and (2) addtopic1.php. ADV-2006-0121 16172 20060109 [eVuln] Foxrum BBCode XSS Vulnerabilty 18386 http://evuln.com/vulns/20 foxrum-bbcode-xss(24043) 325 settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows remote attackers to change the administrator password via a change action that specifies identical values for the passwd and admin_password parameters, then declares the new password string in the new_passwd and confirm_passwd parameters. 16182 http://downloads.securityfocus.com/vulnerabilities/exploits/MagicNewsPlus-pw-change.pl 18601 SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS allows remote attackers to execute arbitrary SQL commands via the page parameter. ADV-2006-0038 22205 18305 http://osvdb.org/ref/22/22205-sitesuite.txt SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information. domus-escribir-sql-injection(24017) ADV-2006-0073 22264 18327 SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3. venomboard-addpost-sql-injection(24046) ADV-2006-0122 16176 22297 326 18383 20060109 [eVuln] Venom Board SQL Injection Vulnerability http://evuln.com/vulns/21/summary.html Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780. 101933 ADV-2006-0113 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015455 19087 18371 oval:org.mitre.oval:def:1534 Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamAV) before 0.88 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted UPX files. VU#385908 16191 18379 ADV-2006-0116 http://www.clamav.net/doc/0.88/ChangeLog clamav-libclamav-upx-bo(24047) http://www.zerodayinitiative.com/advisories/ZDI-06-001.html 2006-0002 22318 MDKSA-2006:016 GLSA-200601-07 DSA-947 1015457 342 18548 18478 18463 18453 20060112 ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution Vulnerability SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792. phpnukeev-search-sql-injection(44978) ADV-2006-0120 16186 22316 18394 http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html phgstats.inc.php in phgstats before 0.5.1, if register_globals is enabled, allows remote attackers to include arbitrary files and execute arbitrary PHP code by modifying the PHGDIR variable. http://sourceforge.net/project/shownotes.php?release_id=384232 18346 ADV-2006-0123 phgstats-php-file-include(24062) 17469 22302 Cross-site scripting (XSS) vulnerability in the DataForm Entries functionality in Plain Black WebGUI before 6.8.4 (gamma) allows remote attackers to inject arbitrary Javascript via the (1) url and (2) name field of the default email form. http://sourceforge.net/project/shownotes.php?release_id=384153&group_id=51417 18372 ADV-2006-0126 http://sourceforge.net/tracker/index.php?func=detail&aid=1395371&group_id=51417&atid=463213 webgui-forms-xss(24053) Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products. 1015462 http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html 18402 systemworks-nprotect-hidden(24061) ADV-2006-0143 SQL injection vulnerability in MyPhPim 01.05 allows remote attackers to execute arbitrary SQL commands via the (1) cal_id parameter in calendar.php3 and the (2) password field on the login page. myphpim-login-sql-injection(24075) myphpim-calendar-sql-injection(24066) ADV-2006-0147 16210 20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities 22325 22324 18399 http://evuln.com/vulns/22/summary.html Cross-site scripting (XSS) vulnerability in MyPhPim 01.05 allows remote attackers to inject arbitrary web script or HTML via the description field on the "Create New todo" page. myphpim-todo-xss(24071) ADV-2006-0147 16210 20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities 22326 18399 http://evuln.com/vulns/22/summary.html addresses.php3 in MyPhPim 01.05 does not restrict uploaded files, which allows remote attackers to execute arbitrary PHP code via the pdbfile variable, then directly accessing those files from the uploads directory. myphpim-addresses-file-upload(24070) ADV-2006-0147 16208 20060111 [eVuln] MyPhPim Arbitrary File Upload 18399 http://evuln.com/vulns/23/summary.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0035. Reason: This candidate is a duplicate of CVE-2006-0035. Notes: All CVE users should reference CVE-2006-0035 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PHP remote file include vulnerability in index.php in OrjinWeb E-commerce allows remote attackers to execute arbitrary code via a URL in the page parameter. NOTE: it is not clear, but OrjinWeb might be an application service, in which case it should not be included in CVE. 16199 20060106 Orjinweb E-commerce orjinweb-url-file-include(24097) 22387 Cross-site scripting (XSS) vulnerability in the file manager utility in Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML in an uploaded page, which is published without a check for hostile scripting. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-xss(24067) Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to misrepresent the type and name of a file via modified doc_ext and id parameters, which might trick a user into downloading dangerous or unexpected content. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-file-download(24068) Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to obtain sensitive information (intranet IP addresses and enumerations of valid parameter values) via a direct request to hc, which reveals the information in an error message or a cookie. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-information-disclosure(24069) 328 Cross-site scripting (XSS) vulnerability in search_form.asp in Web Wiz Forums 6.34 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 16196 webwizforums-searchform-xss(24048) 20060111 Advisory:XSS vulnerability on WebWiz Forums <= 6.34(search_form.asp) 22398 20060109 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp) Buffer overflow in certain functions in src/fileio.c and src/unix/fileio.c in xmame before 11 January 2006 may allow local users to gain privileges via a long (1) -lang, (2) -ctrlr, (3) -pb, or (4) -rec argument on many operating systems, and via a long (5) -jdev argument on Ubuntu Linux. 16203 20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation 20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation. xmame-multiple-parameters-bo(24102) http://x.mame.net/changes-unix.html Multiple buffer overflows in Cray UNICOS 9.0.2.2 might allow local users to gain privileges by (1) invoking /usr/bin/script with a long command line argument or (2) setting the -c option of /etc/nu to the name of a file containing a long line. 16205 20060110 SUID root overflows in UNICOS and partial shellcode unicos-command-line-bo(24276) Format string vulnerability in /bin/ftp in UNICOS 9.0.2.2 allows local users to have an unknown impact via format string specifiers in the quote command. NOTE: because the program is not setuid and not normally called from remote programs, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 16205 20060110 SUID root overflows in UNICOS and partial shellcode unicos-ftp-format-string(24277) The Cisco IP Phone 7940 allows remote attackers to cause a denial of service (reboot) via a large amount of TCP SYN packets (syn flood) to arbitrary ports, as demonstrated to port 80. 1015488 18479 cisco-ipphone-synflood-dos(24117) ADV-2006-0202 16200 22469 20060113 Response to Cisco IP Phone 7940 DoS Exploit posted on milw0rm.com http://downloads.securityfocus.com/vulnerabilities/exploits/cisco_ip7940_dos.pl Cross-site scripting (XSS) vulnerability in CaLogic Calendars 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the Title field on the "Adding New Event" page, and possibly other vectors, involving iframe tags. ADV-2006-0149 16206 18417 http://evuln.com/vulns/24/summary.html calogic-newevent-xss(24077) 20060116 [eVuln] CaLogic Calendars Multiple XSS Vulnerabilities 22322 Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.1.3 has an undocumented administrative account with a default password, which allows local users to gain privileges via the expert command. 16211 20060111 Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS) ADV-2006-0154 cisco-csmars-default-password(24065) 22346 1015471 335 18424 login.php in ACal Calendar Project 2.2.5 allows remote attackers to bypass authentication by setting the ACalAuthenticate cookie variable to "inside". ADV-2006-0152 http://evuln.com/vulns/25/summary.html acal-login-auth-bypass(24104) 20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion 22344 343 18432 Direct static code injection vulnerability in edit.php in ACal Calendar Project 2.2.5 allows authenticated users to execute arbitrary PHP code via (1) the edit=header value, which modifies header.php, or (2) the edit=footer value, which modifies footer.php. NOTE: this issue might be resultant from the poor authentication as identified by CVE-2006-0182. Since the design of the product allows the administrator to edit the code, perhaps this issue should not be included in CVE, except as a consequence of CVE-2006-0182. ADV-2006-0152 http://evuln.com/vulns/25/summary.html acal-header-footer-code-execute(24107) 20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion 22345 343 18432 Multiple SQL injection vulnerabilities in AspTopSites allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to goto.asp or (2) password parameter to includeloginuser.asp. ADV-2006-0146 http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt 18408 asptopsites-goto-sql-injection(24072) 22330 20060110 AspTopSites SQL injection Multiple cross-site scripting vulnerabilities in the (1) Pool or (2) News Modules in Php-Nuke allow remote attackers to inject arbitrary web script or HTML via javascript in the SRC attribute of an IMG tag. ADV-2006-0125 16192 20060107 Php-Nuke Pool and News Module IMG Tag Cross Site 18374 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4500. Reason: This candidate is a duplicate of CVE-2005-4500. Notes: All CVE users should reference CVE-2005-4500 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. By design, Microsoft Visual Studio 2005 automatically executes code in the Load event of a user-defined control (UserControl1_Load function), which allows user-assisted attackers to execute arbitrary code by tricking the user into opening a malicious Visual Studio project file. ADV-2006-0151 16225 20060113 Visual Studio Remote Code Execution 18409 visualstudio-usercontrol-code-execution(24116) webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. squirrelmail-webmail-xss(24847) ADV-2006-0689 http://www.squirrelmail.org/security/issue/2006-02-01 16756 1015662 18985 oval:org.mitre.oval:def:10419 RHSA-2006:0283 FEDORA-2006-133 SUSE-SR:2006:005 MDKSA-2006:049 GLSA-200603-09 DSA-988 20210 19960 19205 19176 19131 19130 20060501-01-U Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows remote attackers to execute arbitrary code via a long attribute (aka "a") field in the SDP data of a SIP packet on UDP port 5060. This is the vendor provided solution: "eStara has released Softphone version 3.0.1.47 to resolve the buffer overflow demonstrated in parsing SDP with long "a=" lines. Licensed customers can download a new version via the email sent to them with purchase, customers testing may go back to http://www.estara.com/softphone/ to obtain a new free trial. Version information can be gathered by going to Help->About. eStara highly recommends all customers upgrade to avoid this issue. If there's further questions please email us: softphone@estara.com. eStara would like to thank ZwelL for bringing the issue to our attention." estara-sip-sdp-bo(24090) ADV-2006-0167 16213 20060111 eStara Softphone SIP stack Buffer Overflow Vulnerability 1015481 18410 22348 Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. 102066 18421 ADV-2006-0165 solaris-unspecified-root-access(24084) 16224 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015478 19087 oval:org.mitre.oval:def:702 Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250. 102108 18420 ADV-2006-0166 solaris-find-proc-dos(24085) 16222 22347 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015479 19087 oval:org.mitre.oval:def:1608 SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp. aspsurvey-loginvalidate-sql-injection(24087) ADV-2006-0164 16496 20060204 sql injection in ASP Survey 22342 414 18422 Cross-site scripting (XSS) vulnerability in the Hosting Control Panel (psoft.hsphere.CP) in Positive Software H-Sphere 2.4.3 Patch 8 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter in a login action. 20060112 H-Sphere Security Vulnerability ADV-2006-0172 http://www.psoft.net/HSdocumentation/versions/?v=all&p=r hsphere-login-xss(24096) http://www.psoft.net/HSdocumentation/versions/index.php?v=243p9&p=r 22372 18447 Cross-site scripting (XSS) vulnerability in default.asp in FogBugz 4.029, and other versions before 4.0.33, allows remote attackers to inject arbitrary web script or HTML via the dest parameter in the pgLogon page. 16216 ADV-2006-0174 20060112 FogBugz Cross Site Scripting Vulnerability http://www.fogcreek.com/FogBugz/KB/releaseNotes/WhatsNewInFogBugz4.0.33.html fogbugz-login-xss(24103) 22370 18443 Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. squirrelmail-magichtml-xss(24848) ADV-2006-0689 http://www.squirrelmail.org/security/issue/2006-02-10 16756 1015662 18985 oval:org.mitre.oval:def:9548 RHSA-2006:0283 FEDORA-2006-133 SUSE-SR:2006:005 MDKSA-2006:049 GLSA-200603-09 DSA-988 20210 19960 19205 19176 19131 19130 20060501-01-U Unspecified vulnerability in Serial line sniffer (aka slsnif) 0.4.4 allows local users to gain privileges via a long value of the HOME environment variable, possibly because of a buffer overflow. slsnif-home-bo(24082) ADV-2006-0212 20060111 Serial Line Sniffer 0.4.4 Buffer Overflow http://shellcoders.com/sintigan/slsnif-ploit.pl 18497 The XClientMessageEvent struct used in certain components of X.Org 6.8.2 and earlier, possibly including (1) the X server and (2) Xlib, uses a "long" specifier for elements of the l array, which results in inconsistent sizes in the struct on 32-bit versus 64-bit platforms, and might allow attackers to cause a denial of service (application crash) and possibly conduct other attacks. 20060108 xorg server 6.8.2 and below on 64bit arch Cross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment. http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=45637&forum=2&post_id=200481 16189 20060107 Xoops Pool Module IMG Tag Cross Site Scripting xoops-pool-imagetag-xss(24091) SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter. mininuke-news-sql-injection(24098) ADV-2006-0173 20060113 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injectionvulnerability 22384 http://www.nukedx.com/?viewdoc=7 340 18439 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages. php-extmysqli-format-string(24095) 16219 http://www.php.net/release_5_1_2.php 18431 ADV-2006-0369 ADV-2006-0177 20060112 Advisory 02/2006: PHP ext/mysqli Format String Vulnerability http://www.hardened-php.net/advisory_022006.113.html 1015485 337 Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. ADV-2006-0183 http://www.uinc.ru/articles/vuln/ptpaypal050.shtml 16218 20060112 Multiple PHP Toolkit for PayPal Vulnerabilities 18444 22378 Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data. ADV-2006-0183 http://www.uinc.ru/articles/vuln/ptpaypal050.shtml 16218 20060112 Multiple PHP Toolkit for PayPal Vulnerabilities 18444 22379 membership.asp in Mini-Nuke CMS System 1.8.2 and earlier does not verify the old password when changing a password, which allows remote attackers to change the passwords of other members via a lostpassnew action with a modified x parameter. mininuke-membership-change-password(24101) ADV-2006-0173 20060113 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remoteuser password change exploit 22385 344 18439 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote user password change exploit 20060129 [xpl#2] MiniNuke 1.8.2 - change member's passwrod < Perl > Multiple cross-site scripting (XSS) vulnerabilities in Wordcircle 2.17 allow remote attackers to inject arbitrary web script or HTML via (1) the "Course name" field in index.php when the frm parameter has the value "mine" and (2) possibly certain other fields in unspecified scripts. wordcircle-index-xss(24106) ADV-2006-0185 16227 20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities 22359 18440 http://evuln.com/vulns/28/summary.html 345 Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via certain other fields in unspecified scripts. wordcircle-login-security-bypass(24108) wordcircle-sql-injection(24105) ADV-2006-0185 16227 20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities 20060112 [eVuln] Wordcircle Authentication Bypass 22358 346 345 18440 http://evuln.com/vulns/28/summary.html http://evuln.com/vulns/27/summary.html Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php. 16229 18450 http://evuln.com/vulns/29/summary.html http://evuln.com/vulns/29/exploit.html lwc-cal-execute-code(24110) 22376 20060318 Source VERIFY - Light Weight Calendar issue is eval injection Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. php-session-response-splitting(24094) 16220 GLSA-200603-22 1015484 19355 19179 18697 18431 ADV-2006-0369 ADV-2006-0177 USN-261-1 http://www.php.net/release_5_1_2.php MDKSA-2006:028 http://www.hardened-php.net/advisory_012006.112.html DSA-1331 25945 19012 SUSE-SR:2006:004 Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message. 16803 http://www.php.net/release_5_1_2.php GLSA-200603-22 19355 19179 18697 18431 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178028 ADV-2006-2685 ADV-2006-0369 ADV-2006-0177 USN-261-1 RHSA-2006:0501 http://www.php.net/ChangeLog-4.php#4.4.2 MDKSA-2006:028 http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm 21564 21252 20951 20222 20210 19832 19012 RHSA-2006:0549 RHSA-2006:0276 oval:org.mitre.oval:def:10064 SUSE-SR:2006:004 20060501-01-U SQL injection vulnerability in general_functions.php in TankLogger 2.4 allows remote attackers to execute arbitrary SQL commands via the (1) livestock_id parameter to showInfo.php and (2) tank_id parameter, possibly to livestock.php. ADV-2006-0153 http://evuln.com/vulns/26/summary.html tanklogger-generalfunctions-sql-injection(24080) 16228 20060112 [eVuln] TankLogger SQL Injection Vulnerability 22369 22368 341 18441 20060113 Verified TankLogger SQl inject by source inspection Cross-site scripting (XSS) vulnerability in index.php in Interspire TrackPoint NX before 0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter when using the Login page. ADV-2006-0175 16214 http://www.interspire.com/forum/showthread.php?p=29606 trackpointnx-login-xss(24112) 20060112 Interspire TrackPoint NX XSS Vulnerability 22377 18445 Cross-site scripting (XSS) vulnerability in forgotPassword.asp in Helm Hosting Control Panel 3.2.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the txtEmailAddress parameter. ADV-2006-0203 20060112 Helm XSS Vulnerability helm-forgotpassword-xss(24139) http://www.webhostautomation.com/webhost-301 16234 22454 18492 Directory traversal vulnerability in OBEX Push services in Toshiba Bluetooth Stack 4.00.23(T) and earlier allows remote attackers to upload arbitrary files to arbitrary remote locations specified by .. (dot dot) sequences, as demonstrated by ..\\ sequences in the RFILE argument of ussp-push. ADV-2006-0184 16236 http://www.digitalmunition.com/DMA%5B2006-0112a%5D.txt 18437 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 22380 1015486 http://aps.toshiba-tro.de/bluetooth/pages/driverinfo.php?txt=sp2 Kolab Server 2.0.1, 2.0.2 and development versions pre-2.1-20051215 and earlier, when authenticating users via secure SMTP, stores authentication credentials in plaintext in the postfix.log file, which allows local users to gain privileges. 18438 http://kolab.org/security/kolab-vendor-notice-08.txt ADV-2006-0186 kolab-smtp-logging(24123) 22381 Eval injection vulnerability in ezDatabase 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the db_id parameter to visitorupload.php, as demonstrated using phpinfo and include function calls. ezdatabase-visitorupload-file-include(24136) 16237 351 18043 http://pridels0.blogspot.com/2006/01/ezdatabase-20-and-below.html Cross-site scripting (XSS) vulnerability in admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. NOTE: this issue might be resultant from CVE-2006-0216. 22352 http://osvdb.org/ref/22/22352-qualityppc.txt admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to obtain sensitive information, possibly the installation path of the application, via unspecified "meta characters" to the cpage parameter. 22353 http://osvdb.org/ref/22/22353-qualityppc.txt http://osvdb.org/ref/22/22352-qualityppc.txt Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auction 3.67 allow remote attackers to inject arbitrary web script or HTML via the (1) item parameter in item.pl and (2) category parameter in itemlist.pl, which reflects the XSS in an error message. NOTE: the affected version might be wrong since the current version as of 20060116 is 3.6.1. ADV-2006-0187 16239 22444 22443 18477 20060115 Ultimate Auction <=3.67 ultimate-auction-item-xss(24138) 16254 Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603. http://community.mybboard.net/showthread.php?tid=5852 The original distribution of MyBulletinBoard (MyBB) to update from older versions to 1.0.2 omits or includes older versions of certain critical files, which allows attackers to conduct (1) SQL injection attacks via an attachment name that is not properly handled by inc/functions_upload.php (CVE-2005-4602), and possibly (2) other attacks related to threadmode in usercp.php. http://community.mybboard.net/showthread.php?tid=5960 16230 http://community.mybboard.net/showthread.php?tid=5853&pid=35151#pid35151 http://community.mybboard.net/showthread.php?tid=5853&pid=35088#pid35088 mybb-usercp-script-sql-injection(24115) Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3 through 6.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the day parameter in calendar.php and (2) the input form in search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. It is possible that this issue is resultant from an SQL injection problem in CVE-2005-4227.3 and CVE-2005-4227.13. 16232 20060113 DCP Portal Cross-Site Scripting Vulnerability dcpportal-calendar-search-xss(24153) SQL injection vulnerability in index.asp in the Admin Panel in Dragon Design Services Network (DDSN) cm3 content manager (CM3CMS) allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password. cm3-login-sql-injection(24266) 16231 20060113 DDSN CMS Admin Panel SQL Injection Vulnerability 22696 Cross-site scripting (XSS) vulnerability in fullview.php in AlstraSoft Template Seller Pro allows remote attackers to inject arbitrary web script or HTML via the tempid parameter. template-seller-fullview-xss(24235) 16233 20060113 AlstraSoft Template Seller Pro Cross-Site Scripting Vulnerability 22746 Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Server Software 5.1 allows attackers to create or overwrite arbitrary files on the server via ".." (dot dot) sequences in the username field. 16235 http://www.123flashchat.com/flash-chat-server-v512.html 123flashchat-user-directory-traversal(24137) ADV-2006-0198 22440 18455 Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X command line argument (alternative configuration file name). 20060123 [ Rosiello Security ] Eterm-LibAST Advisory 20060125 Rosiello Security - Eterm-LibAST Advisory http://www.rosiello.org/en/read_bugs.php?id=25 ADV-2006-0314 16350 20060123 LibAST 0.7 Release Fixes Security Vulnerability http://freshmeat.net/projects/libast/?branch_id=17907&release_id=217840 eterm-libast-filename-bo(24303) 22735 MDKSA-2006:029 GLSA-200601-14 DSA-976 373 18916 18632 18586 scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. TA07-072A 18595 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026 openssh-scp-command-execution(24305) ADV-2007-2120 ADV-2007-0930 ADV-2006-4869 ADV-2006-2490 ADV-2006-0306 USN-255-1 2006-0004 16369 FLSA-2006:168935 RHSA-2006:0044 22692 OpenPKG-SA-2006.003 SUSE-SA:2006:008 GLSA-200602-11 SSA:2006-045-06 1015540 19159 18970 18969 18964 18910 18850 18798 18736 18650 18579 oval:org.mitre.oval:def:9962 HPSBUX02178 20060212 [3.8] 005: SECURITY FIX: February 12, 2006 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751 http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688 http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html RHSA-2006:0698 RHSA-2006:0298 MDKSA-2006:034 http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm http://support.avaya.com/elmodocs2/security/ASA-2006-158.htm 102961 462 25936 25607 24479 23680 23340 23241 22196 21724 21492 21262 21129 20723 APPLE-SA-2007-03-13 HPSBUX02178 http://docs.info.apple.com/article.html?artnum=305214 http://blogs.sun.com/security/entry/sun_alert_102961_security_vulnerability 20060703-01-P oval:org.mitre.oval:def:1138 Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) in FreeBSD before 6.0-STABLE, while scanning for wireless networks, allows remote attackers to execute arbitrary code by broadcasting crafted (1) beacon or (2) probe response frames. 16296 18353 http://www.signedness.org/advisories/sps-0x1.txt FreeBSD-SA-06:05 bsd-ieee80211-bo(24192) 22537 http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson 1015518 http://kernelwars.blogspot.com/2007/01/alive.html Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. 102033 1015492 18498 ADV-2006-0200 solaris-lpsched-dos(24127) 16245 22442 22441 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 19087 oval:org.mitre.oval:def:662 The RBAC functionality in grsecurity before 2.1.8 does not properly handle when the admin role creates a service and then exits the shell without unauthenticating, which causes the service to be restarted with the admin role still active. 16261 18458 ADV-2006-0199 http://www.grsecurity.org/news.php#grsec218 grsecurity-rbac-admin-privileges(24156) Unquoted Windows search path vulnerability in Wehntrust might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when Wehntrust creates the autostart key. 20060116 Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust 16268 20060116 WehnTrust - When you have to trust Wehntrust wehntrust-service-start-file-execution(24315) http://www.wehnus.com/downloads.pl Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses a client-side check to verify a password, which allows remote attackers to gain administrator privileges via a modified client that sends certain XML requests. VU#118388 20060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error ADV-2006-1464 sse-unauth-admin-access(25972) http://www.symantec.com/avcenter/security/Content/2006.04.21.html 17637 20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities 20060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error 19734 Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications. 20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key ADV-2006-1464 sse-insecure-private-key(25973) http://www.symantec.com/avcenter/security/Content/2006.04.21.html 17637 20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities 20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key 1015974 19734 Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, stores sensitive log and virus definition files under the web root with insufficient access control, which allows remote attackers to obtain the information via direct requests. 20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability ADV-2006-1464 sse-unauth-file-access(25974) http://www.symantec.com/avcenter/security/Content/2006.04.21.html 17637 20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities 20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability 1015974 759 758 19734 Cross-site scripting (XSS) vulnerability in functions.php in microBlog 2.0 RC-10 allows remote attackers to inject arbitrary web script and HTML via a javascript: URI in a [url] BBcode tag. microblog-functions-xss(24140) 16272 20060117 [eVuln] microBlog BBCode XSS Vulnerability 1015496 http://evuln.com/vulns/36/summary.html SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters. ADV-2006-0239 16270 20060117 [eVuln] microBlog SQL Injection Vulnerability microblog-index-sql-injection(24132) 22512 1015496 18442 http://evuln.com/vulns/35/summary.html SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers to execute arbitrary SQL commands via the dir parameter to pictures.php. ADV-2006-0241 16247 20060116 White Album Sql &#304;njection biyosecurity.be whitealbum-pictures-sql-injection(24271) 22520 http://www.biyosecurity.be/bugs/whitealbum.txt 18460 GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. 16271 20060117 Secunia Research: Mozilla Thunderbird Attachment SpoofingVulnerability http://secunia.com/secunia_research/2005-22/advisory 15907 https://bugzilla.mozilla.org/show_bug.cgi?id=300246 thunderbird-attachment-ext-spoofing(24164) ADV-2006-0230 MDKSA-2006:021 Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce allows remote attackers to inject arbitrary web script or HTML via the (1) cat and (2) subcat parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0214 16255 18470 gtpicommerce-index-xss(24150) SQL injection vulnerability in wp-stats.php in GaMerZ WP-Stats 2.0 allows remote attackers to execute arbitrary SQL commands via the author parameter. http://www.lesterchan.net/blogs/ 18471 ADV-2006-0192 16241 wpstats-script-sql-injection(24163) 22450 http://www.lesterchan.net/blogs/archives/2006/01/18/wp-stats-sql-injection-vulnerability http://osvdb.org/ref/22/22450-wpstats.txt Multiple cross-site scripting (XSS) vulnerabilities in Simple Blog 2.1 allow remote attackers to inject arbitrary web script or HTML via (1) a comment to comments.asp and (2) possibly certain other fields in unspecified scripts. ADV-2006-0194 16243 20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.1 18488 simpleblog-comment-xss(24154) 22448 http://www.hackerscenter.com/archive/view.asp?id=21926 Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts. simpleblog-month-sql-injection(24155) ADV-2006-0194 16243 20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.1 22447 http://www.hackerscenter.com/archive/view.asp?id=21926 18488 Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Name field. ADV-2006-0237 16277 20060117 XSS in WBNews < = v1.1.0 18499 Cross-site scripting vulnerability in index.php in PHP Fusebox 4.0.6 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter. 20060117 IndonesiaHack Advisory HTML injection in PHP Fusebox 16274 355 Cross-site scripting (XSS) vulnerability in SMBCMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the text parameter, which is used by the "Search Site" field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0229 16281 18454 smbcms-sitesearch-xss(24187) 22494 ** DISPUTED ** Directory traversal vulnerability in workspaces.php in phpXplorer 0.9.33 allows remote attackers to include arbitrary files via a .. (dot dot) and trailing null byte (%00) in the sShare parameter. NOTE: a followup post claims that this is not a vulnerability since the functionality of phpXplorer supports the upload of PHP files, which would not cross privilege boundaries since the PHP functionality would support read access outside the web root. ADV-2006-0232 16263 20060116 Re: Directory traversal in phpXplorer 20060116 Directory traversal in phpXplorer http://www.arrelnet.com/advisories/adv20060116.html 18518 phpxplorer-sshare-directory-traversal(39982) 353 Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in index.php. NOTE: the cart.php/redir and index.php/searchStr vectors are already covered by CVE-2005-3152. ADV-2006-0227 16259 22471 18519 http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html http://bugs.cubecart.com/?do=details&id=459 cubecart-index-script-xss(24177) Cross-site scripting (XSS) vulnerability in down.pl in Widexl Download Tracker 1.06 allows remote attackers to inject arbitrary web script or HTML via the ID parameter. ADV-2006-0213 16265 22462 18472 http://osvdb.org/ref/22/22462-widexl.txt downloadtracker-down-xss(24161) Cross-site scripting (XSS) vulnerability in anyboard.cgi in Netbula Anyboard 9.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the tK parameter in a find command. ADV-2006-0188 16264 22461 18469 http://osvdb.org/ref/22/22461-anyboard.txt netbula-anyboard-script-xss(24167) Virata-EmWeb web server 6_1_0, as used in (1) Intracom JetSpeed 500 and 520 and (2) Allied Data Technologies CopperJet 811 RouterPlus, allows remote attackers to access privileged information, such as user lists and configuration settings, via direct HTTP requests. ADV-2006-0218 18483 http://blog.globalnetworks.gr/?p=4 virata-emweb-unauth-access(24304) SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable). geoBlog-viewcat-sql-injection(24146) ADV-2006-0191 16249 22463 1015493 18504 http://evuln.com/vulns/33/summary.html Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162. ADV-2006-0234 16267 20060116 Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability http://www.digitalarmaments.com/2006040164883273.html 18525 cmusnmp-snmpinput-format-string(24178) 22493 Cross-site scripting (XSS) vulnerability in fom.cgi in Faq-O-Matic 2.711 allows remote attackers to inject arbitrary web script or HTML via the (1) _duration, (2) file, and (3) cmd parameters. ADV-2006-0189 16251 22439 18468 http://osvdb.org/ref/22/22439-faqomatic.txt faqomatic-fom-xss(24165) SQL injection vulnerability in Benders Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via multiple parameters, as demonstrated by the (1) year, (2) month, and (3) day parameters. ADV-2006-0190 16242 20060115 [eVuln] Benders Calendar SQL Injection 22449 1015491 18462 http://evuln.com/vulns/30/summary.html benderscalendar-sql-injection(24120) Buffer overflow in the Bluetooth OBEX Object Push service in "Blue Neighbors.EXE" in AmbiCom Blue Neighbors 2.50 Build 2500 and earlier allows remote attackers to execute arbitrary code via a long file name, as demonstrated via a long RFILE argument to ussp-push. ADV-2006-0219 20060120 DMA[2006-0115a] - 'AmbiCom Bluetooth Object Push Overflow' http://www.digitalmunition.com/DMA%5B2006-0115a%5D.txt 18466 ambicom-bluetooth-objectpush-bo(24179) 16258 366 Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer. https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&styleName=Html&projectId=10220&Create=Create ADV-2006-0217 16260 20060115 Apache Geronimo 1.0 - CSS and persistent HTML-Injectionvulnerabilities http://www.oliverkarow.de/research/geronimo_css.txt 18485 http://issues.apache.org/jira/browse/GERONIMO-1474 geronimo-webaccesslog-viewer-xss(24159) geronimo-jspexamples-xss(24158) RHSA-2008:0261 31493 RHSA-2008:0630 Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program. ADV-2006-0258 16290 20060117 [ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess() http://secdev.zoller.lu/research/checkpoint.txt Unspecified vulnerability in the Advanced Queuing component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB01. VU#545804 ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Change Data Capture component of Oracle Database server 9.2.0.7, 10.1.0.5, and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB02. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the CDC_ALLOCATE_LOCK function of the DBMS_CDC_UTILITY package. VU#545804 1015499 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 22540 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 18608 18493 Unspecified vulnerability in the Connection Manager component of Oracle Database server 8.1.7.4 and 9.0.1.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB03. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database server 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB04 and (2) DB06 in the (a) Data Pump component; (3) DB10 in the (b) Net Listener component; and (4) DB16 in the (c) Oracle Text component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB06 is SQL injection in the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT functions in DBMS_DATAPUMP. VU#545804 16287 18493 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 22544 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB05 in the (a) Data Pump component; (2) DB15 in the (b) Oracle Text component; (3) DB22 in the (c) Streams Apply component; (4) DB23 and (5) DB24 in the (d) Streams Capture component; and (6) DB26 in the (e) Streams Subcomponent. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB05 involves SQL injection in the (f) LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB functions in the DBMS_METADATA_UTIL package; (g) MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, and MAKE_FILTER_TEXT functions in the DBMS_METADATA_INT package; and (h) GET_PREPOST_TABLE_ACT function in the DBMS_METADATA package. VU#545804 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 22643 22637 22543 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 18493 Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB07 in the Dictionary component and (2) DB14 in the Oracle Label Security component. NOTE: Oracle has not disputed reliable researcher claims that DB07 involves plaintext storage of the TDE wallet password in a trace file by event 10053. VU#545804 oracle-january2006-update(24321) oracle-masterkey-plaintext(24168) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartext http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Net Foundation Layer component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB08. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB09 in the (a) Net Listener component; and (2) DB12 and (3) DB13 in the Network Communications (RPC) component. TA06-018A VU#870172 VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 22551 22550 22547 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0259. Reason: This candidate is subsumed by CVE-2006-0259. An error during initial CVE analysis used the wrong set of affected versions for "DB10". Notes: All CVE users should reference CVE-2006-0259 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB17 in the Oracle Text component and (2) DB18 in the Program Interface Network component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB17 involves SQL injection in the (a) VALIDATE_STATEMENT and BUILD_DML functions in CTXSYS.DRILOAD; (b) CLEAN_DML function in CTXSYS.DRIDML; (c) GET_ROWID function in CTXSYS.CTX_DOC; (d) BROWSE_WORDS function in CTXSYS.CTX_QUERY; and (e) ODCIINDEXTRUNCATE, ODCIINDEXDROP, and ODCIINDEXDELETE functions in CATINDEXMETHODS. VU#545804 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22642 22641 22640 22639 22555 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 18493 Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB19. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.2.0.6 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB20. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Security component of Oracle Database server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB21. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the SET_DIRECTORY_ROOT function in the DBMS_CDC_PUBLISH package. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22563 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27. NOTE: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA. VU#545804 oracle-january2006-update(24321) oracle-sga-masterkey-plaintext(24186) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Upgrade & Downgrade component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB28. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the DBMS_REGISTRY package in certain parameters to the (1) IS_COMPONENT, (2) GET_COMP_OPTION, (3) DISABLE_DDL_TRIGGERS, (4) SCRIPT_EXISTS, (5) COMP_PATH, (6) GATHER_STATS, (7) NOTHING_SCRIPT, and (8) VALIDATE_COMPONENTS functions. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22566 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the XML Database component of Oracle Database server 9.2.0.7 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB29. NOTE: based on mutual credits by the relevant sources, it is highly likely that this issue is a buffer overflow in the (a) DBMS_XMLSCHEMA and (b) DBMS_XMLSCHEMA_INT packages, as exploitable via long arguments to (1) XDB.DBMS_XMLSCHEMA.GENERATESCHEMA or (2) XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS. TA06-018A VU#891644 VU#545804 oracle-xdbdbmx-xmlschema-bo(24376) oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf http://www.argeniss.com/research/ARGENISS-ADV-010601.txt 1015499 18608 18493 20060126 [Argeniss] Oracle Database Buffer overflows vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT} Unspecified vulnerability in the Portal component of Oracle Application Server 9.0.4.2 and 10.1.2.0 has unspecified impact and attack vectors, as identified by Oracle Vuln# AS01. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 and 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP03. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Reports - Read parts of files via customize(fixed after 875 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) OCS01, 2) OCS02, 3) OCS03, 4) OCS04, 5) OCS05, 6) OCS06, 7) OCS07, (8) OCS08, and (9) OCS09 in the (a) Email Server component; 10) OCS10 (and (11) OCS11 in the (b) Oracle Collaboration Suite Wireless & Voice (component; 12) OCS12 and (13) OCS13 in the (c) Oracle Content (Management SDK component; 14) OCS14 and (15) OCS15 in the (d) Oracle (Content Services component. VU#545804 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS07 in the (b) Oracle Applications Framework component; (3) APPS08, (4) APPS09, (5) APPS10, and (6) APPS11 in the (c) Oracle Applications Technology Stack component; (7) APPS12 in the (d) Oracle Human Resources component; (8) APPS15 and (9) APPS16 in the (e) Oracle Marketing component; (10) APPS17 in the (f) Marketing Encyclopedia System component; (11) APPS18 in the (g) Oracle Trade Management component; and (12) APPS19 in the (h) Oracle Web Applications Desktop Integration component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS02 in the (a) CRM Technical Foundation component; (2) APPS03 in the (b) iProcurement component; and (3) APPS04, (4) APPS05, and (5) APPS06 in the Oracle Application Object Library component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 4.3 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS13 and (2) APPS14 in the Oracle iLearning component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2 has unspecified impact and attack vectors, as identified by Oracle Vuln# PSE01. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP23_L1 has unspecified impact and attack vectors, as identified by Oracle Vuln# JDE01. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC01 in the Protocol Support component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component. VU#545804 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 18493 Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.2 and 10.1.2.0.2, and E-Business Suite and Applications 11.5.10, have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) FORM01 and (2) FORM02 in the Oracle Forms component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Java Net component of Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.4, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# JN01. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS01. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 10.1.0.5 and Application Server 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS02. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in the Oracle Reports Developer component of Oracle Application Server 9.0.4.1 and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP01 and (2) REP02. VU#545804 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 18493 Multiple unspecified vulnerabilities in Oracle Application Server 6.0.8.26(PS17) and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP05 and (2) REP06 in the Oracle Reports Developer component. NOTE: Oracle has not disputed reliable researcher claims that REP05 is the same as CVE-2005-2378 and REP06 is the same as CVE-2005-2371, both of which involve directory traversal. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Reports - Overwrite any application server file via desname (fixed after 889 days) 20060117 Oracle Reports - Read parts of files via desname (fixed after 874 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 9.2.0.7, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 has unspecified impact and attack vectors, as identified by Oracle Vuln# WF01 in the Oracle Workflow Cartridge component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database Server 10.2.0.1, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) WF02 and (2) WF03 in the Oracle Workflow Cartridge component. VU#545804 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html 1015499 18608 18493 The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. https://bugzilla.mozilla.org/show_bug.cgi?id=316885 ADV-2006-3749 ADV-2006-3391 ADV-2006-0413 HPSBUX02156 SSRT061158 RHSA-2006:0200 RHSA-2006:0199 SUSE-SA:2006:004 228526 oval:org.mitre.oval:def:10016 mozilla-javascript-memory-corruption(24430) USN-276-1 USN-275-1 USN-271-1 16476 HPSBUX02156 HPSBUX02122 FLSA-2006:180036-2 FLSA:180036-1 RHSA-2006:0330 FEDORA-2006-076 FEDORA-2006-075 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-01.html MDKSA-2006:078 MDKSA-2006:037 MDKSA-2006:036 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015570 22065 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19821 19780 19759 19746 19230 18709 18708 18706 18705 18704 18703 18700 20060201-01-U SCOSA-2006.26 oval:org.mitre.oval:def:670 The function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects. https://bugzilla.mozilla.org/show_bug.cgi?id=322045 ADV-2006-3749 ADV-2006-3391 ADV-2006-0413 SSRT061236 SSRT061158 228526 firefox-function-allocation-code-execution(42654) mozilla-javascript-memory-corruption(24430) 16476 SSRT061236 SSRT061158 http://www.mozilla.org/security/announce/2006/mfsa2006-01.html GLSA-200604-18 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015570 22065 21622 19941 19902 19863 19862 18704 18700 oval:org.mitre.oval:def:1494 Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory. https://bugzilla.mozilla.org/show_bug.cgi?id=317934 ADV-2006-3749 ADV-2006-0413 SSRT061236 mozilla-element-change-memory-corruption(24431) 16476 HPSBUX02156 http://www.mozilla.org/security/announce/2006/mfsa2006-02.html 1015570 22065 18704 18700 oval:org.mitre.oval:def:1514 Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption. TA06-038A VU#759273 https://bugzilla.mozilla.org/show_bug.cgi?id=319296 ADV-2006-3749 ADV-2006-0413 SSRT061236 mozilla-queryinterface-memory-corruption(24433) 16476 HPSBUX02156 http://www.mozilla.org/security/announce/2006/mfsa2006-04.html 1015570 22065 18704 18700 oval:org.mitre.oval:def:1562 The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. TA06-038A VU#592425 https://bugzilla.mozilla.org/show_bug.cgi?id=319847 ADV-2006-3749 ADV-2006-3391 ADV-2006-0413 SSRT061236 SSRT061158 RHSA-2006:0200 RHSA-2006:0199 SUSE-SA:2006:004 228526 oval:org.mitre.oval:def:11803 mozilla-xuldocument-command-execution(24434) USN-276-1 USN-275-1 USN-271-1 16476 HPSBUX02156 SSRT061158 FLSA-2006:180036-2 FLSA:180036-1 RHSA-2006:0330 FEDORA-2006-076 FEDORA-2006-075 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-05.html MDKSA-2006:078 MDKSA-2006:037 MDKSA-2006:036 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015570 22065 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19821 19780 19759 19746 19230 18709 18708 18706 18705 18704 18703 18700 20060201-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1493 Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the (1) EscapeAttributeValue in jsxml.c for E4X, (2) nsSVGCairoSurface::Init in SVG, and (3) nsCanvasRenderingContext2D.cpp in Canvas. https://bugzilla.mozilla.org/show_bug.cgi?id=322215 https://bugzilla.mozilla.org/show_bug.cgi?id=319872 mozilla-component-integer-overflow(24435) ADV-2006-3749 ADV-2006-0413 16476 SSRT061236 1015570 18704 18700 HPSBUX02156 http://www.mozilla.org/security/announce/2006/mfsa2006-06.html 22065 oval:org.mitre.oval:def:1339 The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. mozilla-xml-parser-dos(24436) 16476 1015570 18704 18700 ADV-2006-3749 ADV-2006-0413 SSRT061236 SSRT061236 http://www.mozilla.org/security/announce/2006/mfsa2006-07.html 22065 oval:org.mitre.oval:def:677 The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions. https://bugzilla.mozilla.org/show_bug.cgi?id=322312 ADV-2006-3749 ADV-2006-0413 SSRT061236 mozilla-e4x-security-bypass(24437) 16476 SSRT061236 http://www.mozilla.org/security/announce/2006/mfsa2006-08.html 1015570 22065 18704 18700 oval:org.mitre.oval:def:1625 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. TA07-109A TA07-072A MDKSA-2006:046 23371 18999 18976 gnu-tar-pax-headers-bo(24855) ADV-2008-2518 ADV-2007-1470 ADV-2007-0930 ADV-2006-0684 USN-257-1 2006-0010 16764 FLSA:183571-2 RHSA-2006:0232 OpenPKG-SA-2006.006 SUSE-SR:2006:005 GLSA-200603-06 DSA-987 241646 1015705 19236 19152 19130 19093 19016 18973 oval:org.mitre.oval:def:9295 oval:org.mitre.oval:def:6094 oval:org.mitre.oval:def:5993 oval:org.mitre.oval:def:5978 oval:org.mitre.oval:def:5252 [Bug-tar] 20060220 tar 1.15.90 released 543 480 24966 24479 20042 APPLE-SA-2007-03-13 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 http://docs.info.apple.com/article.html?artnum=305214 Heap-based buffer overflow in Splash.cc in xpdf, as used in other products such as (1) poppler, (2) kdegraphics, (3) gpdf, (4) pdfkit.framework, and others, allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. xpdf-splash-bo(24391) USN-249-1 FLSA:175404 20060202 [KDE Security Advisory] kpdf/xpdf heap based buffer overflow RHSA-2006:0201 FEDORA-2006-103 http://www.kde.org/info/security/advisory-20060202-1.txt GLSA-200602-12 GLSA-200602-05 GLSA-200602-04 DSA-974 DSA-972 DSA-971 SSA:2006-045-04 SSA:2006-045-09 1015576 19377 18983 18913 18908 18882 18864 18862 18860 18839 18838 18837 18834 18826 18825 18707 18677 RHSA-2006:0206 SCOSA-2006.15 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179046 https://bugzilla.novell.com/show_bug.cgi?id=141242 ADV-2006-0422 ADV-2006-0389 MDKSA-2006:032 MDKSA-2006:031 MDKSA-2006:030 470 18875 18274 oval:org.mitre.oval:def:10850 ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 allows remote attackers to obtain sensitive information, such as MAC address and software version, by directly accessing UDP port 9090. 16285 18511 20060116 ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/9090 zyxel-p2000w-default-port(24145) 22516 Multiple unspecified vulnerabilities in the (1) publishing component, (2) Contact Component, (3) TinyMCE Compressor, and (4) other components in Joomla! 1.0.5 and earlier have unknown impact and attack vectors. 18513 http://www.joomla.org/content/view/738/66/ Buffer overflow in Dual DHCP DNS Server 1.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the DHCP options field. 18486 http://aluigi.altervista.org/adv/dualsbof-adv.txt ADV-2006-0245 dualdhcpdns-options-field-bo(24191) 16298 1015495 Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware 1.1.12 (051129) and CP-100E VoIP 802.11b Wireless Phone running firmware 1.1.60 allows remote attackers to gain unauthorized access via the debug service on TCP port 60023. 16289 18505 20060116 Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023 20060116 Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023 clipcomm-cp100e-default-port(24144) The DM Primer (dmprimer.exe) in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption or application hang) via a large network packet, which causes a WSAEMESGSIZE error code that is not handled, leading to a thread exit. http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756 ADV-2006-0236 16276 20060118 CAID 33756 - DM Deployment Common Component Vulnerabilities 22529 http://www.designfolks.com.au/karma/DMPrimer/ http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp 1015504 18531 The DM Primer in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption and log file consumption) via unspecified "unrecognized network messages" that are not properly handled. 1015504 http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756 ADV-2006-0236 16276 20060118 CAID 33756 - DM Deployment Common Component Vulnerabilities 22529 http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp 18531 PHP remote file inclusion vulnerability in htmltonuke.php in the htmltonuke 2.0 alpha, and possibly other versions, module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the filnavn parameter. htmltonuke-htmltonuke-file-include(33092) 16282 3524 Linksys BEFVP41 VPN Router 2.0 with firmware 1.01.04 allows remote attackers on the local network, to cause a denial of service via IP packets with a null IP option length. ADV-2006-0238 20060116 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability 20060113 Linksys VPN Router (BEFVP41) DoS Vulnerability 1015490 18461 linksys-null-length-dos(24125) 16307 20060117 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability Cross-site scripting (XSS) vulnerability in aoblogger 2.3 allows remote attackers to inject arbitrary Javascript via a javascript URI in the BBcode url tag. ADV-2006-0240 16286 16889 http://evuln.com/vulns/37/summary.html aoblogger-url-xss(24141) 22526 http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities SQL injection vulnerability in login.php in aoblogger 2.3 allows remote attackers to execute arbitrary SQL commands via the username parameter. ADV-2006-0240 16286 16889 http://evuln.com/vulns/37/summary.html aoblogger-login-sql-injection(24142) 22527 http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities create.php in aoblogger 2.3 allows remote attackers to bypass authentication and create new blog entries by setting the uza parameter to 1. ADV-2006-0240 16286 16889 http://evuln.com/vulns/37/summary.html aoblogger-create-security-bypass(24143) http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities Multiple SQL injection vulnerabilities in PDFdirectory before 1.0 allow remote attackers to execute arbitrary SQL commands via multiple unspecified vectors involving (1) util.php, (2) userpref.php, (3) user.php, (4) uploadfrm.php, (5) title.php, (6) team.php, (7) stats.php, (8) page.php, (9) org.php, (10) member.php, (11) index.php, (12) group.php, or (13) anniv.php. 16273 22415 22414 22413 22412 22411 22410 22409 22408 22407 22406 22405 22404 22403 http://sourceforge.net/project/shownotes.php?release_id=382411&group_id=122682 18459 ADV-2006-0231 PDFdirectory before 1.0 stores sensitive data in plaintext, which allows remote attackers to obtain arbitrary users' passwords by direct queries to the database, possibly via one of the SQL injection vulnerabilities. 22402 http://sourceforge.net/project/shownotes.php?release_id=382411&group_id=122682 index.php in EZDatabase before 2.1.2 does not properly cleanse the p parameter before constructing and including a .php filename, which allows remote attackers to conduct directory traversal attacks, and produces resultant cross-site scripting (XSS) and path disclosure. http://zur.homelinux.com/Advisories/ezdatabase_dir_trans.txt 16257 20060115 EZDatabase Directory Transversal, XSS and Path Disclosure Vulnerability 18043 20060115 EZDatabase Directory Transversal, XSS and Path Disclosure Vulnerability ezdatabase-index-p-path-disclosure(24135) ezdatabase-index-p-xss(24134) 22684 Buffer overflow in YGPPicFinder.DLL in AOL You've Got Pictures (YGP) Picture Finder Tool ActiveX Control, as used in AOL 8.0, 8.0 Plus, and 9.0 Classic, allows remote attackers to execute arbitrary code via unspecified vectors. VU#715730 16262 18521 aol-youvegotpictures-activex-bo(24160) ADV-2006-0221 22486 http://www.kb.cert.org/vuls/id/MIMG-6KRSQP 1015494 http://news.com.com/2061-10789_3-6027865.html?part=rss&tag=6027865&subj=news Cross-site scripting (XSS) vulnerability in rkrt_stats.php in RedKernel Referrer Tracker 1.1.0-3 allows remote attackers to inject arbitrary web script or HTML via a query string value as a GET, which is stored in the $QUERY_STRING variable. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information. ADV-2006-0197 16266 18473 referertracker-rkrtstats-xss(24151) SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action. blogphp-index-bypass-security(24131) ADV-2006-0204 16269 20060117 [eVuln] BlogPHP Authentication Bypass 22495 18467 http://evuln.com/vulns/34/summary Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via ".." (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands. 22496 http://www.lort.dk/DSR-farmerswife44sp1.pl 18508 20060113 Farmers wife 4.4 sp1 remote SYSTEM access farmerswife-ftp-directory-traversal(24190) 16321 SQL injection vulnerability in admin/processlogin.php in Bit 5 Blog 8.01 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameter. ADV-2006-0195 16244 20060115 [eVuln] Bit 5 Blog SQL Injection & Authentication Bypass Vulnerability 18464 http://evuln.com/vulns/31/summary bit5blog-processlogin-sql-injection(24124) 22445 fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster. TA06-214A http://fetchmail.berlios.de/fetchmail-SA-2006-01.txt fetchmail-message-bounce-dos(24265) ADV-2006-3101 ADV-2006-0300 19289 16365 20060122 fetchmail security announcement fetchmail-SA-2006-01 (CVE-2006-0321) 22691 SSA:2006-045-01 1015527 21253 18895 18571 APPLE-SA-2006-08-01 http://developer.berlios.de/project/shownotes.php?release_id=8784 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348747 Unspecified vulnerability the edit comment formatting functionality in MediaWiki 1.5.x before 1.5.6 and 1.4.x before 1.4.14 allows attackers to cause a denial of service (infinite loop) via "certain malformed links." http://sourceforge.net/project/shownotes.php?release_id=386609 ADV-2006-0392 mediawiki-comment-format-dos(24478) 18717 18711 SUSE-SR:2006:003 Buffer overflow in swfformat.dll in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, Rhapsody 3, and Helix Player allows remote attackers to execute arbitrary code via a crafted SWF (Flash) file with (1) a a size value that is less than the actual size, or (2) other unspecified manipulations. VU#231028 http://www.service.real.com/realplayer/security/03162006_player/en/ RHSA-2006:0257 SUSE-SA:2006:018 GLSA-200603-24 19365 19362 realnetworks-swf-bo(25408) ADV-2006-1057 17202 20060411 Realplayer .SWF Multiple Remote Memory Corruption Vulnerabilities 1015806 690 19390 19358 SQL injection vulnerability in WebspotBlogging 3.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter to login.php. ADV-2006-0268 16319 20060119 [eVuln] WebspotBlogging Authentication Bypass Vulnerability http://evuln.com/vulns/41/summary.html https://sourceforge.net/project/shownotes.php?release_id=387180&group_id=156586 https://sourceforge.net/forum/forum.php?forum_id=532233 webspotblogging-login-sql-injection(24222) 22670 1015522 356 18560 Etomite Content Management System 0.6, and possibly earlier versions, when downloaded from the web site in January 2006 after January 10, contains a back door in manager/includes/todo.inc.php, which allows remote attackers to execute arbitrary commands via the "cij" parameter. etomite-default-backdoor(24254) 18556 ADV-2006-0283 16336 20060130 Etomite followup information 20060127 Etomite CMS 22693 http://www.lucaercoli.it/advs/etomite.txt http://www.etomite.org/forums/index.php?showtopic=4291 http://www.etomite.org/forums/index.php?showtopic=4185 TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails. 20060119 IRM 015: File system path disclosure on TYPO3 Web Content Manager ADV-2006-0269 20060119 Re: IRM 015: File system path disclosure on TYPO3 Web Content Manager 20060119 Re: IRM 015: File system path disclosure on TYPO3 Web Content Manage http://www.irmplc.com/advisory015.htm 18546 http://bugs.typo3.org/view.php?id=2248 typo3-multiple-path-disclosure(24244) 22667 22666 22665 361 Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request. VU#632633 ADV-2006-0263 20060119 Critical security advisory #006 tftpd32 Format string http://www.critical.lt/research/tftpd32_281_dos.txt http://www.critical.lt/?vulnerabilities/200 18539 tftpd32-request-format-string(24250) 16333 22661 362 SQL injection vulnerability in HITSENSER Data Mart Server BS, BS-S, BS-M, BS-L, and EX allows remote attackers to execute arbitrary SQL commands via unknown attack vectors. 18553 ADV-2006-0266 16326 22669 http://www.hitachi-support.com/security_e/vuls_e/HS05-026_e/index-e.html 1015519 hitachi-hitsenser-sql-injection(24240) Cross-site scripting (XSS) vulnerability in Gallery before 1.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving the user name (fullname). gallery-unknown-xss(24247) 16334 22660 GLSA-200601-13 18627 18557 ADV-2006-0282 http://gallery.menalto.com/page/gallery_1_5_2_release DSA-1148 21502 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325285 Buffer overflow in Change passwd 3.1 (chpasswd) SquirrelMail plugin allows local users to execute arbitrary code via long command line arguments. http://www.squirrelmail.org/plugin_view.php?id=117 20060119 Change passwd 3.1 (SquirrelMail plugin ) changepassword-changepasswd-bo(24258) 363 Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments in a publicly accessible directory, which may allow remote attackers to upload arbitrary files. 16317 18524 ecartis-pantomime-bypass-security(24220) ADV-2006-0260 [listar-dev] 20060119 [EDev] Re: Potential vulnerability -- who to contact? [listar-dev] 20060115 [EDev] Re: Potential vulnerability -- who to contact? Cross-site scripting (XSS) vulnerability in ar-blog 5.2 allows remote attackers to inject arbitrary web script or HTML via the (1) month or (2) year parameter to index.php. 20060118 -2- [XSS] in ar-blog v 5.2 arblog-index-xss(24246) 20060527 Multiple Xss exploits in ar-blog v 5.2 Cross-site scripting (XSS) vulnerability in search.php in My Amazon Store Manager 1.0 allows remote attackers to inject arbitrary web script or HTML via the Keywords parameter. NOTE: some sources claim that the affected parameter is "q", but the only public archive of the original researcher notification shows an XSS manipulation in "Keywords". masm-search-xss(24230) ADV-2006-0252 16312 22626 18535 http://osvdb.org/ref/22/22626-my_amazon.txt Multiple unspecified vulnerabilities in Kerio WinRoute Firewall before 6.1.4 Patch 1 allow remote attackers to cause a denial of service via multiple unspecified vectors involving (1) long strings received from Active Directory and (2) the filtering of HTML. 16314 22631 18542 kerio-winroute-activedirectory-dos(24233) kerio-winroute-html-dos(24232) ADV-2006-0247 http://www.kerio.com/kwf_history.html Kerio WinRoute Firewall before 6.1.4 Patch 2 allows attackers to cause a denial of service (CPU consumption and hang) via unknown vectors involving "browsing the web". ADV-2006-0324 http://www.kerio.com/kwf_history.html kerio-winroute-browsing-dos(24317) 16385 22631 18589 Buffer overflow in multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allows remote attackers to execute arbitrary code via crafted ZIP archives. http://www.f-secure.com/security/fsc-2006-1.shtml 18529 ADV-2006-0257 16309 fsecure-zip-bo(24198) 22632 Q-103 1015510 1015509 1015508 1015507 Multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allow remote attackers to hide arbitrary files and data via malformed (1) RAR and (2) ZIP archives, which are not properly scanned. 16309 http://www.f-secure.com/security/fsc-2006-1.shtml 18529 ADV-2006-0257 22633 Q-103 1015510 1015509 1015508 1015507 fsecure-rar-zip-scan-bypass(24199) Buffer overflow in BitComet Client 0.60 allows remote attackers to execute arbitrary code, when the publisher's name link is clicked, via a long publisher URI in a torrent file. 16311 18522 ADV-2006-0251 20060118 Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability http://www.fortinet.com/FortiGuardCenter/FSA-2006-07.html http://www.bitcomet.com/doc/changelog.htm bitcomet-torrent-publisher-bo(24229) 22625 357 20060118 Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability 20060122 BitComet URI Proof of Concept Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) support in Cisco IOS 12.0 through 12.4 running on various Cisco products, when SGBP is enabled, allows remote attackers on the local network to cause a denial of service (device hang and network traffic loss) via a crafted UDP packet to port 9900. 1015501 18490 cisco-ios-sgbp-dos(24182) ADV-2006-0248 16303 22624 20060118 IOS Stack Group Bidding Protocol Crafted Packet DoS 358 Cross-site scripting (XSS) vulnerability in WCONSOLE.DLL in Rockliffe MailSite 5.x and 6.1.22 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string. 18551 20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability ADV-2006-0284 mailsite-wconsole-xss(24256) 16330 22677 RockLiffe MailSite HTTP Mail management agent (httpma) 7.0.3.1 allows remote attackers to cause a denial of service (CPU consumption and crash) via a malformed query string containing special characters such as "|". 18551 20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability mailsite-wconsole-dos(24255) ADV-2006-0284 16331 22678 Unspecified vulnerability in the Port Discovery Standard and Advanced features in Hitachi JP1/NetInsight II allows attackers to stop the Port Discovery service via unknown vectors involving "invalid format data". 18538 ADV-2006-0267 16327 22676 http://www.hitachi-support.com/security_e/vuls_e/HS05-027_e/index-e.html 1015520 hitachi-jp1netinsight-port-dos(24243) Directory traversal vulnerability in Intervations FileCOPA FTP Server 1.01 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the (1) STOR and (2) RETR commands. http://www.nii.co.in/vuln/filecopa.html 18550 filecopa-ftp-directory-traversal(24257) ADV-2006-0285 16335 22694 Multiple SQL injection vulnerabilities in SaralBlog 1.0 allow remote attackers to execute arbitrary SQL commands via the search parameter to search.php. NOTE: the id/viewprofile.php issue is already covered by CVE-2005-4058. 16306 http://evuln.com/vulns/40/summary.html saralblog-search-sql-injection(24218) 22740 1015517 20060118 [eVuln] SaralBlog XSS & Multiple SQL Injection Vulnerabilities Cross-site scripting (XSS) vulnerability in SaralBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via a website field in a new comment to view.php, which is not properly handled in the comment function in functions.php. 16306 http://evuln.com/vulns/40/summary.html saralblog-view-xss(24219) 27907 1015517 20060118 [eVuln] SaralBlog XSS & Multiple SQL Injection Vulnerabilities Directory traversal vulnerability in ELOG before 2.6.1 allows remote attackers to access arbitrary files outside of the elog directory via "../" (dot dot) sequences in the URL. 16315 18533 elog-dotdot-directory-traversal(24224) ADV-2006-0262 http://midas.psi.ch/elog/download/ChangeLog 22647 DSA-967 18783 Format string vulnerability in the write_logfile function in ELOG before 2.6.1 allows remote attackers to cause a denial of service (server crash) via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16315 18533 ADV-2006-0262 http://midas.psi.ch/elog/download/ChangeLog elog-elogd-format-string(24221) 22646 DSA-967 18783 SQL injection vulnerability in eggblog 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to blog.php. 16305 1015505 18212 http://evuln.com/vulns/39/summary.html eggblog-blog-sql-injection(24210) 22751 20060118 [eVuln] eggblog Multiple SQL Injection & XSS Vulnerabilities Cross-site scripting (XSS) vulnerability in eggblog 2.0 allow remote attackers to inject arbitrary web script or HTML via the message field to topic.php. 16305 1015505 18212 http://evuln.com/vulns/39/summary.html eggblog-topic-xss(24209) 22752 20060118 [eVuln] eggblog Multiple SQL Injection & XSS Vulnerabilities Unspecified "critical denial-of-service vulnerability" in MyDNS before 1.1.0 has unknown impact and attack vectors. 22636 18532 ADV-2006-0256 http://mydns.bboy.net/download/changelog.html mydns-query-dos(24228) 16431 GLSA-200601-16 DSA-963 1015521 18653 18641 The default configuration of Fluffington FLog 1.01 installs users.0.dat under the web document root with insufficient access control, which might allow remote attackers to obtain sensitive information (login credentials) via a direct request. NOTE: It was later reported that 1.1.2 is also affected. 20070105 Flog 1.1.2 Remote Admin Password Disclosure 20060117 [eVuln] Flog Information Disclosure Vulnerability http://evuln.com/vulns/38/summary/bt/ flog-admin-info-disclosure(31307) flog-data-directory-insecure(24193) unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to the randomness generator, which allows local users to cause a denial of service by truncating the seed file, which prevents the server from starting, or obtain sensitive seed information that could be used to crack keys. 16357 DSA-956 18623 18564 lsh-file-descriptor-leak(24263) ADV-2006-0301 22695 [lsh-bugs] SECURITY: lshd leaks fd:s to user shells Cisco IOS before 12.3-7-JA2 on Aironet Wireless Access Points (WAP) allows remote authenticated users to cause a denial of service (termination of packet passing or termination of client connections) by sending the management interface a large number of spoofed ARP packets, which creates a large ARP table that exhausts memory, aka Bug ID CSCsc16644. 1015483 18430 cisco-aironet-arp-dos(24086) ADV-2006-0176 16217 22375 20060112 Access Point Memory Exhaustion from ARP Attacks 339 oval:org.mitre.oval:def:5680 Helmsman Research (aka CoolUtils) HomeFtp 1.1 allows remote attackers to cause an unspecified denial of service via a long USER command combined with a long PASS command and an NLST command. 20060114 [KAPDA::#21] - HomeFtp v1.1 Denial of Service http://www.kapda.ir/advisory-202.html homeftp-long-command-dos(24152) 16238 350 Ari Pikivirta Home Ftp Server 1.0.7 allows remote attackers to cause an unspecified denial of service via a long USER command combined with a long PASS command. 20060115 Homeftp r1.0.7 Denial of Service http://www.kapda.ir/advisory-211.html homeftpserver-long-command-dos(24227) Grant Averett Cerberus FTP Server 2.32, and possibly earlier versions, allows remote attackers to cause an unspecified denial of service via a long string that does not contain a valid FTP command. 20060115 Cerberus FTP Server 2.32 Denial of Service http://www.kapda.ir/advisory-210.html http://www.cerberusftp.com/cerberus-releasenotes.htm cerberus-long-command-dos(24226) Multiple SQL injection vulnerabilities in PowerPortal, possibly 1.1 beta through 1.3, allow remote attackers to execute arbitrary SQL commands via the search parameter in (1) index.php and (2) search.php. NOTE: This issue might overlap CVE-2004-0663.2. 16279 20060117 PowerPortal Cross-Site Scripting Vulnerability http://web.archive.org/web/20050303003128/http://powerportal.sourceforge.net/ powerportal-search-index-xss(24196) 27958 27957 10172 Buffer overflow in CounterPath eyeBeam SIP Softphone allows remote attackers to (1) cause a denial of service (device crash) via SIP INVITE commands with a long header field name sent during startup and (2) cause a denial of service (device hang or crash) via SIP INVITE commands with a long header field name sent during a call. eyebeam-sip-header-bo(24181) ADV-2006-0259 16253 20060921 Re: CounterPath eyeBeam Handing SIP header Vulnerabilities 20060116 CounterPath eyeBeam Handing SIP header Vulnerabilities 354 18516 http://blog.donews.com/zwell/archive/2006/01/17/698810.aspx MPM SIP HP-180W Wireless IP Phone WE.00.17 allows remote attackers to obtain sensitive information and possibly cause a denial of service via a direct connection to UDP port 9090, which is undocumented and does not require authentication. 16285 18512 20060116 MPM HP-180W VoIP wireless desktop phone undocumented port UDP/9090 mpn-hp180w-default-port(24147) Cross-site scripting (XSS) vulnerability in addcomment.php in Bit 5 Blog 8.01 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in an <a> tag in the comment parameter, which strips most tags but not <a>. ADV-2006-0195 16246 20060115 [eVuln] Bit 5 Blog JavaScript Insertion Vulnerability 22446 18464 http://evuln.com/vulns/32/summary/ http://evuln.com/vulns/32/exploit bit5blog-addcomment-xss(24129) TippingPoint Intrusion Prevention System (IPS) TOS before 2.1.4.6324, and TOS 2.2.x before 2.2.1.6506, allow remote attackers to cause a denial of service (CPU consumption) via an unknown vector, probably involving an HTTP request with a negative number in the Content-Length header. 22504 http://www.eweek.com/article2/0,1759,1912048,00.asp http://isc.sans.org/diary.php?storyid=1042 tippingpoint-ips-http-traffic-dos(24200) 16299 1015511 18515 The "Remember my Password" feature in MSN Messenger 7.5 stores passwords in an encrypted format under the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key, which might allow local users to obtain the original passwords via a program that calls CryptUnprotectData, as demonstrated by the "MSN Password Recovery.exe" program. NOTE: it could be argued that local-only password recovery is inherently insecure because the decryption methods and keys must be stored somewhere on the local system, and are thus inherently accessible with varying degrees of effort. Perhaps this issue should not be included in CVE. 20060117 Re: MSN Messenger Password Decrypter for WinXP/2003 20060113 Re: MSN Messenger Password Decrypter for WinXP/2003 http://www.msn-password-recovery.com/ Cross-site scripting (XSS) vulnerability in MyBulletinBoard (MyBB) allows remote attackers to inject arbitrary web script or HTML via a signature containing a JavaScript URI in the SRC attribute of an IMG element, in which the URI uses SGML numeric character references without trailing semicolons, as demonstrated by "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116". 18544 mybb-html-signature-xss(24225) ADV-2006-0255 16308 22628 20060118 MyBB Signature HTML Code Injection Cross-site scripting (XSS) vulnerability in XMB (aka extreme message board) allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element. 20060118 XMB Forum HTML Code Injection xmbforum-imgsrc-xss(24208) 27920 Cross-site scripting (XSS) vulnerability in Phpclanwebsite (aka PCW) allows remote attackers to inject arbitrary web script or HTML via a javascript URI in a BBCode img tag. A simple fix has been released on the Main PCW site available directly at <a href="http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1">http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1 </a>Please download and install imediately. 16300 18541 ADV-2006-0254 20060117 Phpclanwebsite BBCode IMG Tag XSS Vulnerability Unspecified vulnerability in Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4.0(2a)SR2c, and 4.1 before 4.1(3)SR2 allows remote authenticated users with read-only administrative privileges to obtain full administrative privileges via a "crafted URL on the CCMAdmin web page." 22621 20060118 Cisco Call Manager Privilege Escalation 1015502 18501 cisco-callmanager-ccmadmin-gain-priv(24172) ADV-2006-0250 16293 Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4.0(2a)SR2c, and 4.1 before 4.1(3)SR2 allow remote attackers to (1) cause a denial of service (CPU and memory consumption) via a large number of open TCP connections to port 2000 and (2) cause a denial of service (fill the Windows Service Manager communication queue) via a large number of TCP connections to port 2001, 2002, or 7727. 18494 ADV-2006-0249 16295 20060118 Cisco Call Manager Denial of Service cisco-callmanager-port-connection-dos(24180) 22623 22622 1015503 359 ** DISPUTED ** MySQL 5.0.18 allows local users with access to a VIEW to obtain sensitive information via the "SELECT * FROM information_schema.views;" query, which returns the query that created the VIEW. NOTE: this issue has been disputed by third parties, saying that the availability of the schema is a normal and sometimes desired aspect of database access. 20060128 Re: MySQL 5.0 information leak? 20060123 RE: MySQL 5.0 information leak? 20060124 Re: MySQL 5.0 information leak? 20060122 Re: MySQL 5.0 information leak? 20060120 MySQL 5.0 information leak? 20060121 Re: MySQL 5.0 information leak? 20060121 RE: MySQL 5.0 information leak? Noah Medling RCBlog 1.03 stores the data and config directories under the web root with insufficient access control, which allows remote attackers to view account names and MD5 password hashes. 20060120 [eVuln] RCBlog Directory Traversal & Sensitive Information Disclosure http://www.fluffington.com/index.php?page=rcblog 18547 http://evuln.com/vulns/42/summary.html rcblog-data-config-insecure-directories(24249) 22679 1015523 Directory traversal vulnerability in index.php in Noah Medling RCBlog 1.03 allows remote attackers to read arbitrary .txt files, possibly including one that stores the administrator's account name and password, via a .. (dot dot) in the post parameter. 16342 20060120 [eVuln] RCBlog Directory Traversal & Sensitive Information Disclosure http://www.fluffington.com/index.php?page=rcblog 18547 http://evuln.com/vulns/42/summary.html rcblog-index-file-include(27042) rcblog-index-directory-traversal(24248) 20060611 RCblog 1.03 Directory Traversal [index.php] 20060218 RCblog exploit [fun] 22680 1015523 Multiple SQL injection vulnerabilities in config.php in Insane Visions BlogPHP, possibly 1.0, allow remote attackers to execute arbitrary SQL commands via the (1) blogphp_username or (2) blogphp_password parameter in a cookie. BlogPHP version 2.0 was released to fix the config.php exploit and is available for download at <a href="http://sourceforge.net/project/showfiles.php?group_id=156043">http://sourceforge.net/project/showfiles.php?group_id=156043</a>. 16340 20060121 BlogPHP config.php SQL injection login bypassed 20060120 BlogPHP config.php SQL injection login bypass 20060120 BlogPHP config.php SQL injection login bypass 22738 blogphp-index-bypass-security(24131) 365 Cross-site scripting (XSS) vulnerability in register.aspx in Douran FollowWeb allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16302 27918 Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 has multiple undocumented ports available, which (1) might allow remote attackers to obtain sensitive information, such as memory contents and internal operating-system data, by directly accessing the VxWorks WDB remote debugging ONCRPC (aka wdbrpc) on UDP 17185, (2) reflect network data using echo (TCP 7), or (3) gain access without authentication using rlogin (TCP 513). act-p202s-default-port(24149) 16288 18514 20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 on VxWorks uses a hardcoded Network Time Protocol (NTP) server in Taiwan, which could allow remote attackers to provide false time information, block access to time information, or conduct other attacks. 18514 20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services act-p202s-default-port(24149) 16288 The 802.11 wireless client in certain operating systems including Windows 2000, Windows XP, and Windows Server 2003 does not warn the user when (1) it establishes an association with a station in ad hoc (aka peer-to-peer) mode or (2) a station in ad hoc mode establishes an association with it, which allows remote attackers to put unexpected wireless communication into place. http://www.theta44.org/karma/ 20060114 [NMRC Advisory] Microsoft Windows Wireless Exposure on Laptops http://www.securiteam.com/windowsntfocus/5YP0D2KHHO.html http://www.nmrc.org/pub/advise/20060114.txt 1015489 windows-wireless-adhoc-unauth-access(24157) 349 CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." http://www.squirrelmail.org/security/issue/2006-02-15 1015662 squirrelmail-mailbox-imap-injection(24849) ADV-2006-0689 16756 18985 oval:org.mitre.oval:def:11470 RHSA-2006:0283 FEDORA-2006-133 SUSE-SR:2006:005 MDKSA-2006:049 GLSA-200603-09 DSA-988 20210 19960 19205 19176 19131 19130 20060501-01-U Cross-site scripting (XSS) vulnerability in Netrix X-Site Manager allows remote attackers to inject arbitrary web script or HTML via the product_id parameter, as originally demonstrated for a custom mp3players_details.php program. NOTE: the name of the affected program might be installation-dependent, but it has been identified as "product_details.php" by some sources. ADV-2006-0253 16313 22634 18537 http://osvdb.org/ref/22/22634-x-site.txt xsitemanager-productdetails-xss(24234) FreeBSD kernel 5.4-STABLE and 6.0 does not completely initialize a buffer before making it available to userland, which could allow local users to read portions of kernel memory. 18599 16373 FreeBSD-SA-06:06 bsd-buffer-initialization-disclosure(24338) 22730 1015541 A logic error in FreeBSD kernel 5.4-STABLE and 6.0 causes the kernel to calculate an incorrect buffer length, which causes more data to be copied to userland than intended, which could allow local users to read portions of kernel memory. 18599 16373 FreeBSD-SA-06:06 bsd-buffer-length-disclosure(24340) 22731 1015541 A logic error in the IP fragment cache functionality in pf in FreeBSD 5.3, 5.4, and 6.0, and OpenBSD, when a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule is being used, allows remote attackers to cause a denial of service (crash) via crafted packets that cause a packet fragment to be inserted twice. 18609 FreeBSD-SA-06:07 16375 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c.diff?r1=1.103&r2=1.104 bsd-pf-fragment-dos(24337) 22732 1015542 NetBSD-SA2006-004 Apple Mac OS X 10.4.5 and allows local users to cause a denial of service (crash) via an undocumented system call. ADV-2006-0597 APPLE-SA-2006-02-14 macosx-system-call-dos(24682) 16654 23190 1015634 18907 IPSec when used with VPN networks in Mac OS X 10.4 through 10.4.5 allows remote attackers to cause a denial of service (application crash) via unspecified vectors involving the "incorrect handling of error conditions". TA06-062A 16907 19064 ADV-2006-0791 APPLE-SA-2006-03-01 macosx-vpn-dos(25025) 23643 http://docs.info.apple.com/article.html?artnum=303382 automount in Mac OS X 10.4.5 and earlier allows remote file servers to cause a denial of service (unresponsiveness) or execute arbitrary code via unspecified vectors that cause automount to "mount file systems with reserved names". TA06-062A 16907 19064 ADV-2006-0791 APPLE-SA-2006-03-01 macosx-automount-execute-code(25021) 23640 1015709 http://docs.info.apple.com/article.html?artnum=303382 FileVault in Mac OS X 10.4.5 and earlier does not properly mount user directories when creating a FileVault image, which allows local users to access protected files when FileVault is enabled. TA06-062A 16907 19064 APPLE-SA-2006-03-01 ADV-2006-0791 macosx-filevault-file-access(25024) 23642 http://docs.info.apple.com/article.html?artnum=303382 Stack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, and 10.3.9 and earlier, allows remote attackers to execute arbitrary code via unspecified vectors involving a web page with crafted JavaScript, a different vulnerability than CVE-2005-4504. TA06-062A VU#176732 16907 19064 APPLE-SA-2006-03-01 ADV-2006-0791 macosx-safari-bo(25032) 1015713 http://docs.info.apple.com/article.html?artnum=303382 Safari in Mac OS X 10.3 before 10.3.9 and 10.4 before 10.4.5 allows remote attackers to redirect users to local files and execute arbitrary JavaScript via unspecified vectors involving HTTP redirection to local resources. TA06-062A 16907 1015713 19064 APPLE-SA-2006-03-01 macosx-safari-http-redirect(25038) ADV-2006-0791 http://docs.info.apple.com/article.html?artnum=303382 Cross-site scripting (XSS) vulnerability in Syndication (Safari RSS) in Mac OS X 10.4 through 10.4.5 allows remote attackers to execute arbitrary JavaScript via unspecified vectors involving RSS feeds. TA06-062A 16907 19064 APPLE-SA-2006-03-01 ADV-2006-0791 macosx-syndication-xss(25040) 23649 http://docs.info.apple.com/article.html?artnum=303382 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4504. Reason: This candidate is a duplicate of CVE-2005-4504. Notes: All CVE users should reference CVE-2005-4504 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Directory traversal vulnerability in the BOM framework in Mac OS X 10.x before 10.3.9 and 10.4 before 10.4.5 allows user-assisted attackers to overwrite or create arbitrary files via an archive that is handled by BOMArchiveHelper. TA06-062A 20060302 Apple MacOS X BOMArchiveHelper Directory Traversal Vulnerability APPLE-SA-2006-03-01 ADV-2006-0791 16907 23641 19064 macosx-bom-directory-traversal(25023) http://docs.info.apple.com/article.html?artnum=303382 Buffer overflow in Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Canon RAW image. VU#527236 TA06-214A macosx-raw-image-bo(28142) ADV-2006-3101 19289 27739 21253 APPLE-SA-2006-08-01 OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang. TA06-214A macosx-openssh-nonexistent-user-dos(28147) ADV-2006-3101 19289 27745 1016672 21253 APPLE-SA-2006-08-01 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0848. Reason: This candidate is a duplicate of CVE-2006-0848. Notes: All CVE users should reference CVE-2006-0848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types. TA06-062A ADV-2006-0791 APPLE-SA-2006-03-01 http://docs.info.apple.com/article.html?artnum=303382 macosx-mail-bypass-security(25027) 16907 23645 19064 Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. VU#980084 17081 1015762 19129 ADV-2006-0949 20060314 DMA[2006-0313a] - 'Apple OSX Mail.app RFC1740 Real Name Buffer Overflow' http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 macosx-mail-attachment-bo(25209) 23872 Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Per Hyperlink 894663: Vendor description specifies that the file is automatically opened by the application: Safari could automatically open a file which appears to be a safe file type. 19129 macosx-safefiletype-command-execution(25269) ADV-2006-0949 23869 1015760 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Hyperlink Record 894667 specifies: Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. 19129 macosx-safefiletype-command-execution(25269) ADV-2006-0949 23870 1015760 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Per Hyperlink Record 894671: Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. 19129 macosx-safefiletype-command-execution(25269) ADV-2006-0949 23871 1015760 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to bypass the same-origin policy and execute Javascript in other domains via unknown vectors involving "crafted archives." 17082 19129 ADV-2006-0949 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 macosx-sameorigin-policy-bypass(25208) 23873 1015763 Unspecified vulnerability in Mac OS X before 10.4.6, when running on an Intel-based computer, allows attackers with physical access to bypass the firmware password and log on in Single User Mode via unspecified vectors. 19462 ADV-2006-1215 17364 http://docs.info.apple.com/article.html?artnum=303567 macosx-firmware-password-bypass(25620) 24399 1015859 SQL injection vulnerability in Zoph before 0.5pre1 allows remote attackers to execute arbitrary SQL commands. zoph-sql-injection(24264) http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=387320 18563 ADV-2006-0297 16347 22743 DSA-989 19153 Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but this is incorrect. emoblog-index-sql-injection(24245) ADV-2006-0296 16344 20060122 [eVuln] e-moBLOG SQL Injection Vulnerability 22701 22700 1015524 370 18567 http://evuln.com/vulns/43/summary.html 20060125 The parameter in e-moBLOG is Note-A-Day Weblog 2.2 stores sensitive data under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to archive/.phpass-admin, which contains encrypted passwords. noteaday-archive-directory-insecure(24270) noteaday-archive-information-disclosure(24270) ADV-2006-0299 18566 http://evuln.com/vulns/44/summary.html 22699 1015539 371 20060122 [eVuln] Note-A-Day Weblog Sensitive Information Disclosure The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' libtiff-tiffvsetfield-dos(24275) ADV-2006-0302 18172 GLSA-200605-17 20345 18587 http://bugzilla.remotesensing.org/show_bug.cgi?id=1034 http://bugzilla.remotesensing.org/show_bug.cgi?id=1029 search.php in MyBB 1.0.2 allows remote attackers to obtain sensitive information via a certain search request that reveals the table prefix in a SQL error message, possibly due to invalid parameters. mybb-search-information-disclosure(24272) 20060114 MyBB 1.0.2 Sniffing table perfix bug in search.php 22736 18577 Cross-site scripting (XSS) vulnerability in post.php in AZ Bulletin Board (AZbb) 1.1.00 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) nickname parameter and (2) an iframe tag in the topic parameter. NOTE: the original disclosure specified the name parameter, but a correction was later provided. NOTE: followup posts have both disputed and confirmed the original claim. azbulletinboard-post-xss(24274) ADV-2006-0298 16351 20060309 Re: Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060308 Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060128 [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060123 Azbb v1.1.00 Cross-Site Scripting 18565 http://kapda.ir/advisory-236.html 20060308 Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting rsh utility in Sun Grid Engine (SGE) before 6.0u7_1 allows local users to gain privileges and execute arbitrary code via unspecified vectors, possibly involving command line arguments. 18580 ADV-2006-0308 http://gridengine.sunsource.net/project/gridengine/60patches.txt sge-rsh-gain-privileges(24281) 16366 1015531 Cross-site scripting (XSS) vulnerability in index.php in Pixelpost Photoblog 1.4.3 allows remote attackers to inject arbitrary web script or HTML via the "Add Comment" field in a comment popup. pixelpost-index-xss(24261) ADV-2006-0309 16362 18572 http://evuln.com/vulns/45/summary.html 20060123 [eVuln] Pixelpost Photoblog XSS Vulnerability 1015529 SQL injection vulnerability in ADOdb before 4.71, when using PostgreSQL, allows remote attackers to execute arbitrary SQL commands via unspecified attack vectors involving binary strings. http://sourceforge.net/project/shownotes.php?release_id=387862&group_id=42718 18575 adodb-postgresql-sql-injection(24314) ADV-2006-0448 ADV-2006-0315 16364 22705 GLSA-200604-07 GLSA-200602-02 DSA-1031 DSA-1030 DSA-1029 19591 19590 19555 18745 18732 19691 claro_init_local.inc.php in Claroline 1.7.2 uses guessable session cookies (MD5 hash of connection time), which allows remote attackers to hijack sessions and possibly gain administrative privileges. ADV-2006-0320 16341 20060120 Claroline 1.7.2, sso identification vulnerability claroline-cookie-bypass-security(24326) 18588 SQL injection vulnerability in CyberShop allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action. cybershop-login-sql-injection(24005) 22365 20060105 CyberShop User Login Sql Injection Multiple SQL injection vulnerabilities in index.php in NewsPHP allow remote attackers to execute arbitrary SQL commands via the (1) discuss, (2) tim, (3) id, (4) last, and (5) limit parameter. newsphp-index-sql-injection(24320) ADV-2006-0341 16339 20060122 Newsphp Multiple SQL Injection Vulnerabilities 22717 18624 Tor before 0.1.1.20 allows remote attackers to identify hidden services via a malicious Tor server that attempts a large number of accesses of the hidden service, which eventually causes a circuit to be built through the malicious server. 18576 http://archives.seul.org/or/announce/Jan-2006/msg00001.html tor-service-information-disclosure(24285) 18323 22689 http://tor.eff.org/cvs/tor/ChangeLog GLSA-200606-04 20514 19795 Cross-site scripting (XSS) vulnerability in index.php in SleeperChat 0.3f and earlier allows remote attackers to inject arbitrary web script or HTML via the pseudo parameter. 16363 1015525 sleeperchat-index-xss(24300) 22784 SleeperChat 0.3f and earlier allows remote attackers to bypass authentication and create new entries via the txt parameter to (1) chat_no.php and (2) chat_if.php. sleeperchat-txt-security-bypass(24357) 1015525 SQL injection vulnerability in login.php in miniBloggie 1.0 and earlier, when gpc_magic_quotes is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameters. ADV-2006-0310 http://evuln.com/vulns/47/summary.html minibloggie-login-sql-injection(24280) 16367 20060124 [eVuln] miniBloggie Authentication Bypass 22729 1015534 18604 Eval injection vulnerability in 123 Flash Chat Server 5.0 and 5.1 allows attackers to execute arbitrary code via a crafted username. 16360 20060124 [ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchat BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6 allows anonymous binds to the embedded LDAP server, which allows remote attackers to read user entries or cause a denial of service (unspecified) via a large number of connections. 1015528 BEA06-81.01 BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow errors." 1015528 BEA06-106.01 By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended. 1015528 18581 BEA06-108.00 weblogic-cross-domain-management(24286) ADV-2006-0313 16358 Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote attackers to access MBean attributes or cause an unspecified denial of service via unknown attack vectors. 1015528 18592 BEA06-109.00 weblogic-java-mbean-access(24294) ADV-2006-0313 16358 BEA WebLogic Portal 8.1 through SP3 stores the password for the RDBMS Authentication provider in cleartext in the config.xml file, which allows attackers to gain privileges. 1015528 BEA06-110.00 weblogic-portal-config-info-disclosure(40705) weblogicportal-config-info-disclosure(24284) ADV-2008-0613 ADV-2006-0312 16358 18593 BEA08-110.01 BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information. 1015528 18592 BEA06-111.00 weblogic-server-log-disclosure(24295) ADV-2006-0313 16358 22776 BEA WebLogic Portal 8.1 through SP4 allows remote attackers to obtain the source for a deployment descriptor file via unknown vectors. 1015528 BEA06-112.00 weblogic-deployment-descriptor-disclosure(24297) ADV-2006-0312 16358 18593 BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and a password change occurs, stores the old and new passwords in cleartext in the DefaultAuditRecorder.log file, which could allow attackers to gain privileges. 1015528 18592 BEA06-113.00 weblogic-password-information-disclosure(24290) ADV-2006-0313 16358 22775 Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0 and 8.1 through SP5 allows malicious EJBs or servlet applications to decrypt system passwords, possibly by accessing functionality that should have been restricted. 1015528 18592 BEA06-114.00 weblogic-servlets-obtain-information(24291) ADV-2006-0313 16358 22774 Unspecified vulnerability in BEA WebLogic Portal 8.1 SP3 through SP5, when using Web Services Remote Portlets (WSRP), allows remote attackers to access restricted web resources via crafted URLs. 1015528 BEA06-115.00 weblogic-wsrp-gain-access(24293) ADV-2006-0312 16358 22767 18593 BEA WebLogic Server and WebLogic Express 9.0 causes new security providers to appear active even if they have not been activated by a server reboot, which could cause an administrator to perform inappropriate, security-relevant actions. 1015528 18592 BEA06-116.00 weblogic-security-provider-weakness(24298) ADV-2006-0313 16358 22773 Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown). 1015528 18592 BEA06-117.00 ADV-2006-0313 16358 weblogic-connection-filter-dos(24301) Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP5 allows untrusted applications to obtain the server's SSL identity via unknown attack vectors. 1015528 18592 BEA06-118.00 ADV-2006-0313 16358 weblogic-ssl-identity-exposure(24302) Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0, when an Administrator uses the WebLogic Administration Console to add custom security policies, causes incorrect policies to be created, which prevents the server from properly protecting JNDI resources. 1015528 18592 BEA06-119.00 weblogic-jdni-security-weakness(24299) ADV-2006-0313 16358 Selective Acknowledgement (SACK) in FreeBSD 5.3 and 5.4 does not properly handle an incoming selective acknowledgement when there is insufficient memory, which might allow remote attackers to cause a denial of service (infinite loop). 22861 ADV-2006-0409 16466 FreeBSD-SA-06:08 bsd-sack-handling-dos(24453) 1015566 399 18696 Directory traversal vulnerability in action.php in phpXplorer allows remote attackers to read arbitrary files via ".." (dot dot) sequences and null bytes in the sAction parameter, a different vulnerability than CVE-2006-0244. NOTE: if the functionality of phpXplorer supports the upload of PHP files, then this issue would not cross privilege boundaries and would not be a vulnerability. phpxplorer-sshare-directory-traversal(39982) 16292 20060118 phpXplorer file inclusion biyosecurity.be Unspecified vulnerability in Oracle PL/SQL (PLSQL), as used in Database Server DS 9.2.0.7 and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, and 10.1.3.0.0, E-Business Suite and Applications 11.5.10, and Collaboration Suite 10.1.1, 10.1.2.0, 10.1.2.1, and 9.0.4.2, allows attackers to bypass the PLSQLExclusion list and access excluded packages and procedures, aka Vuln# PLSQL01. VU#169164 20060125 Workaround for unpatched Oracle PLSQL Gateway flaw 1015961 oracle-plsql-command-execution(24363) ADV-2006-1571 ADV-2006-1397 ADV-2006-0338 16384 HPSBMA02113 HPSBMA02113 20060208 Re: Workaround for unpatched Oracle PLSQL Gateway flaw 20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw 20060202 The History of the Oracle PLSQL Gateway Flaw 20060131 Re: Workaround for unpatched Oracle PLSQL Gateway flaw 22719 http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html http://www.oracle.com/technetwork/topics/security/cpuapr2006-090826.html 1015544 403 402 19859 19712 18621 20060125 Workaround for unpatched Oracle PLSQL Gateway flaw 20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw 20060202 The History of the Oracle PLSQL Gateway Flaw Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. 1015530 HPSBUX02091 SSRT061099 ADV-2006-0322 hpux-unspecified-privilege-escalation(24318) http://support.avaya.com/elmodocs2/security/ASA-2006-025.htm 18600 18596 oval:org.mitre.oval:def:1586 oval:org.mitre.oval:def:1577 oval:org.mitre.oval:def:1453 Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">" characters. phpbb-referer-header-http-xss(24497) ADV-2006-0445 22928 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin 18693 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin 406 Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php. ADV-2006-0445 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin 18693 phpbb-referer-header-http-xss(24497) 22929 406 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin Text Rider 2.4 stores sensitive data in the data directory under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing data/userlist.txt. textrider-data-information-disclosure(24279) ADV-2006-0321 18605 http://evuln.com/vulns/46/summary.html 20060124 [eVuln] Text Rider Sensitive Information Disclosure 1015533 Text Rider 2.4 allows attackers to bypass authentication and upload files without providing a valid password by obtaining the MD5 hash of the password (possibly via another vulnerability that reads it from a data file), then including the hash in a cookie. http://evuln.com/vulns/46/summary.html 20060124 [eVuln] Text Rider Sensitive Information Disclosure 1015533 Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed. ADV-2006-0317 16370 http://www.critical.lt/?vulnerabilities/208 18574 samiftpserver-user-bo(24325) 20060124 SamiFTPd buffer overflow http://www.karjasoft.com/samiftp/news http://downloads.securityfocus.com/vulnerabilities/exploits/sami_ftp_poc.pl Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in a editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219. ADV-2006-0316 16361 20060124 [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting 1015535 18603 http://kapda.ir/advisory-241.html Cross-site scripting (XSS) vulnerability in archive.php in CheesyBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) realname and (2) comment parameters, or (3) via a javascript URI in the url parameter, when adding a comment. ADV-2006-0326 16376 20060125 [eVuln] CheesyBlog XSS Vulnerability http://evuln.com/vulns/49/summary.html cheesyblog-archive-xss(24292) 22716 369 18610 SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1.23.1 allows remote attackers to execute arbitrary SQL commands via the (1) par parameter in the post function on the forum page and possibly the (2) poll_id parameter on the poll page. NOTE: the poll_id vector can also allow resultant cross-site scripting (XSS) from an unquoted error message for invalid SQL syntax. A simple fix has been released on the Main PCW site available directly at <a href="http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1">http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1</a> Please download and install imediately. Tech note: Filters id number (par) to contain numbers only. 16391 18597 ADV-2006-0342 20060125 HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple Vulnerabilities 22722 22720 http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt phpclanwebsite-index-sql-injection(24355) index.php in Phpclanwebsite 1.23.1 allows remote authenticated users to obtain the installation path by specifying an invalid file name to the uploader page, as demonstrated by "\", which will display the full path of uploader.php. NOTE: this might be the result of a file inclusion vulnerability. Please add the following to the config.php file to avoid all such exploits. ini_set('display_errors', false); 16391 20060125 HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple Vulnerabilities 22721 http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt Unspecified vulnerability in WeBWorK 2.1.3 and 2.2-pre1 allows remote privilged attackers to execute arbitrary commands as the web server via unknown attack vectors. 18594 http://devel.webwork.rochester.edu/twiki/bin/view/Webwork/WeBWorKRelease2pt1pt4 ADV-2006-0319 webwork-unknown-command-execution(24322) 16371 Multiple buffer overflows in E-Post Mail Server 4.10 and SPA-PRO Mail @Solomon 4.00 allow remote attackers to execute arbitrary code via a long username to the (1) AUTH PLAIN or (2) AUTH LOGIN SMTP commands, which is not properly handled by (a) EPSTRS.EXE or (b) SPA-RS.EXE; (3) a long username in the APOP POP3 command, which is not properly handled by (c) EPSTPOP4S.EXE or (d) SPA-POP3S.EXE; (4) a long IMAP DELETE command, which is not properly handled by (e) EPSTIMAP4S.EXE or (f) SPA-IMAP4S.EXE. http://secunia.com/secunia_research/2006-1/advisory/ 18480 ADV-2006-0318 epost-imap-mailbox-dos(24334) epost-pop3-username-bo(24333) epost-smtp-username-bo(24331) 16379 22763 22762 22761 Multiple directory traversal vulnerabilities in (1) EPSTIMAP4S.EXE and (2) SPA-IMAP4S.EXE in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allow remote attackers to (a) list arbitrary directories or cause a denial of service via the LIST command; or create arbitrary files via the (b) APPEND, (c) COPY, or (d) RENAME commands. http://secunia.com/secunia_research/2006-1/advisory/ 18480 epost--append-copy-rename-file-creation(24336) ADV-2006-0318 epost--append-copy-rename-file-creation(24336) epost-imap-list-directory-traversal(24335) 16379 22765 22764 Early termination vulnerability in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allows remote attackers to cause a denial of service (infinite loop) by sending an APPEND command and disconnecting before the expected amount of data is sent. http://secunia.com/secunia_research/2006-1/advisory/ 18480 ADV-2006-0318 epost-imap-append-dos(24341) 16379 22766 phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database. 20060125 HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt http://h4cky0u.org/viewtopic.php?t=637 phpbb-search-profile-dos(24327) 368 Multiple memory leaks in the LDAP component in Fedora Directory Server 1.0 allow remote attackers to cause a denial of service (memory consumption) via invalid BER packets that trigger an error, which might prevent memory from being freed if it was allocated during the ber_scanf call, as demonstrated using the ProtoVer LDAP test suite. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 fedora-ber-memory-leak-dos(24794) 16677 18960 dn2ancestor in the LDAP component in Fedora Directory Server 1.0 allows remote attackers to cause a denial of service (CPU and memory consumption) via a ModDN operation with a DN that contains a large number of "," (comma) characters, which results in a large amount of recursion, as demonstrated using the ProtoVer LDAP test suite. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179137 fedora-dn2ancestor-dos(24796) 16677 18960 The LDAP component in Fedora Directory Server 1.0 allow remote attackers to cause a denial of service (crash) via a certain "bad BER sequence" that results in a free of uninitialized memory, as demonstrated using the ProtoVer LDAP test suite. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 fedora-ber-bad-sequence-dos(24795) 16677 18960 Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value. 16532 FLSA:157459-4 FEDORA-2006-102 SUSE-SA:2006:006 18861 18788 18784 18774 18766 [dailydave] 20060207 Fun with Linux (2.6.12 -> 2.6.15.2) kernel-icmp-ipoptionsecho-dos(24575) ADV-2006-0464 USN-250-1 2006-0006 MDKSA-2006:040 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3 [linux-kernel] 20060207 Re: Linux 2.6.15.3 [linux-kernel] 20060207 Linux 2.6.15.3 gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. Note: this also occurs when running the equivalent command "gpg --verify". DSA-978 SSA:2006-072-02 16663 SUSE-SA:2006:009 GLSA-200602-10 18968 18956 18955 18942 18934 18933 [gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPG gnupg-gpgv-improper-verification(24744) ADV-2006-0610 USN-252-1 2006-0008 FLSA-2006:185355 20060215 False positive signature verification in GnuPG RHSA-2006:0266 23221 OpenPKG-SA-2006.001 SUSE-SA:2006:013 SUSE-SR:2006:005 MDKSA-2006:043 19532 19249 19130 18845 oval:org.mitre.oval:def:10084 [gnupg-announce] 20060215 False positive signature verification in GnuPG FEDORA-2006-116 20060401-01-U The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors. ADV-2006-2554 http://www.mail-archive.com/kernel-svn-changes@lists.alioth.debian.org/msg01631.html http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.16-rc6 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=331c46591414f7f92b1cec048009abe89892ee79 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=331c46591414f7f92b1cec048009abe89892ee79 DSA-1103 oval:org.mitre.oval:def:9909 18687 RHSA-2006:0575 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21465 20914 Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory. USN-263-1 oval:org.mitre.oval:def:9566 kernel-addkey-dos(25354) 17084 RHSA-2006:0575 23894 SUSE-SA:2006:028 MDKSA-2006:059 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21465 20398 19220 The DCC ACCEPT command handler in irssi before 0.8.9+0.8.10rc5-0ubuntu4.1 in Ubuntu Linux, and possibly other distributions, allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command. 19090 USN-259-1 16913 irssi-dcc-accept-dos(25147) flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code. flex-bypass-security(24995) DSA-1020 16896 23440 19424 19071 ADV-2006-0770 USN-260-1 GLSA-200603-07 [flex-announce] 20060222 flex 2.5.33 released 570 19228 19126 http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.bz2?download Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages. GLSA-200602-09 ADV-2006-0643 bomberclone-error-message-bo(24764) 16697 23263 DSA-997 19210 18915 18914 Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer). http://evuln.com/vulns/48/summary.html ADV-2006-0325 expressionengine-coreinput-xss(24296) 16377 20060125 [eVuln] ExpressionEngine 'Referer' XSS Vulnerability 372 18602 SQL injection vulnerability in comentarios.php in AndoNET Blog 2004.09.02 allows remote attackers to execute arbitrary SQL commands via the entrada parameter. ADV-2006-0327 http://evuln.com/vulns/50/summary.html andonetblog-index-sql-injection(24309) 16393 20060126 [eVuln] AndoNET Blog SQL Injection Vulnerability 22755 377 18633 Cross-site scripting (XSS) vulnerability in IdeoContent Manager allows remote attackers to inject arbitrary web script or HTML via the (1) goto_id parameter to index.php or (2) page parameter to news_full.php. 22713 22712 http://osvdb.org/ref/22/22712-ideocontent.txt Multiple SQL injection vulnerabilities in index.php in IdeoContent Manager allow remote attackers to execute arbitrary SQL commands via the (1) goto_id or (2) mid parameter. 22714 http://osvdb.org/ref/22/22712-ideocontent.txt Cross-site scripting (XSS) vulnerability in risultati_ricerca.php in active121 Site Manager allows remote attackers to inject arbitrary web script or HTML via the cerca parameter. 22715 http://osvdb.org/ref/22/22715-active121.txt Cross-site scripting (XSS) vulnerability in search.asp in Goldstag Content Management System allows remote attackers to inject arbitrary web script or HTML via the text parameter. 22711 http://osvdb.org/ref/22/22711-goldstag.txt goldstag-search-xss(25198) Unspecified vulnerability in Pioneers (formerly gnocatan) before 0.9.49 allows remote attackers to cause a denial of service (application crash) via long chat messages. pioneers-chat-message-dos(24383) DSA-964 18692 18647 ADV-2006-0376 16429 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350237 CommuniGate Pro Core Server before 5.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via LDAP messages with negative BER lengths, and possibly other vectors, as demonstrated by the ProtoVer LDAP test suite. 16407 20060128 Multiple vulnerabilities in CommuniGate Pro Server http://www.gleg.net/advisory_cg.shtml 18640 ADV-2006-0364 http://www.stalker.com/CommuniGatePro/History.html communigate-ldap-bo(24409) Cross-site scripting (XSS) vulnerability in UebiMiau 2.7.9, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag. uebimiau-html-xss(24375) ADV-2006-0388 http://www.uebimiau.org/news.php 16413 20060129 UebiMiau Webmail System Security Vulnerability 18655 387 Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBoard (MyBB) 1.02 allows remote attackers to inject arbitrary web script or HTML via the (1) sortby and (2) sortordr parameters, which are not properly handled in a redirection. ADV-2006-0350 16387 22750 18617 20060125 MyBB 1.0.2 XSS attack in search.php redirection http://community.mybboard.net/showthread.php?tid=6418 http://community.mybboard.net/attachment.php?aid=2181 mybb-search-xss(24466) 374 Cross-site scripting (XSS) vulnerability in the bbcode function in functions.php in my little homepage my little forum, as last modified in June 2005, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags. mylittlehomepage-link-tag-xss(24310) ADV-2006-0349 16395 20060126 [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability 18628 http://evuln.com/vulns/51/summary.html 22856 http://evuln.com/vulns/51/ 20060130 My Little Homepage - source verify of different products Cross-site scripting (XSS) vulnerability in guestbook.php in my little homepage my little guestbook, as last modified in March 2004, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags. mylittlehomepage-link-tag-xss(24310) ADV-2006-0349 16395 20060126 [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability 18628 http://evuln.com/vulns/51/summary.html 22855 http://evuln.com/vulns/51/ 20060130 My Little Homepage - source verify of different products Cross-site scripting (XSS) vulnerability in the bbcode function in weblog.php in my little homepage my little weblog, as last modified in April 2004, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags. mylittlehomepage-link-tag-xss(24310) ADV-2006-0349 16395 20060126 [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability 18628 http://evuln.com/vulns/51/summary.html 22753 378 http://evuln.com/vulns/51/ 20060130 My Little Homepage - source verify of different products Multiple integer overflows in Shareaza 2.2.1.0 allow remote attackers to execute arbitrary code via (1) a large packet length field, which causes an overflow in the ReadBuffer function in (a) BTPacket.cpp and (b) EDPacket.cpp, or (2) a large packet, which causes a heap-based overflow in the Write function in (c) Packet.h. 16399 20060127 Shareaza P2P Remote Vulnerability http://www.hustlelabs.com/shareaza_advisory.pdf http://cvs.sourceforge.net/viewcvs.py/shareaza/shareaza/EDPacket.cpp?r1=1.15&r2=1.15.2.1 http://cvs.sourceforge.net/viewcvs.py/shareaza/shareaza/BTPacket.cpp?r1=1.5&r2=1.5.4.1 shareaza-cpacket-bo(24344) shareaza-cedpacket-bo(24343) shareaza-btpacket-bo(24342) 382 20060126 Shareaza Remote Vulnerability PHP-Ping 1.3 does not properly validate ping counts, which allows remote attackers to cause a denial of service (ping flood) via a negative count parameter. ADV-2006-0368 http://www.kapda.ir/advisory-231.html 18645 phpping-negative-count-dos(24382) Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field). TA06-032A VU#604745 18649 winamp-playlist-filename-bo(24361) winamp-playlist-filename-bo(24361) http://www.winamp.com/player/version_history.php ADV-2006-0361 16410 20060131 Re: Re: Winamp 5.12 - 0day exploit - code execution through playlist 20060130 Winamp 5.12 - 0day exploit - code execution through playlist 22789 http://www.heise.de/newsticker/meldung/68981 1015552 3422 398 386 1458 oval:org.mitre.oval:def:1402 Buffer overflow in git-checkout-index in GIT before 1.1.5 allows remote attackers to execute arbitrary code via an index file with a long symbolic link. 18643 http://lwn.net/Articles/169623/ ADV-2006-0367 git-gitcheckoutindex-bo(24360) 16417 CRE Loaded 6.15 allows remote attackers to perform privileged actions, including uploading and creating arbitrary files, via a direct request to files.php. NOTE: the vendor states "The initial announcement of this risk was made on our website... and it included a patch which will close the vulnerability on all known 6.0x and 6.1x releases. We strongly encourage users of CRE Loaded 6.x, osCMax, and other users of osCommerce who have installed HTMLArea based WYSIWYG editors and Admin Access with Levels to modify thier installations at the earliest possible moment." 16415 18648 creloaded-files-auth-bypass(24377) ADV-2006-0373 22793 20060203 vendor ack/fix: 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd) pmwiki.php in PmWiki 2.1 beta 20, with register_globals enabled, allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GPC variable and a GLOBALS[] variable with the same name, which causes PmWiki to unset the GLOBALS[] variable but not the GPC variable, which creates resultant vulnerabilities such as remote file inclusion and cross-site scripting (XSS). pmwiki-multiple-xss(24368) pmwiki-file-include(24367) pmwiki-path-