** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3899. Reason: This candidate is a duplicate of CVE-2005-3899. Notes: All CVE users should reference CVE-2005-3899 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter. ADV-2006-0016 1398 SQL injection vulnerability in (1) functions.php, (2) functions_update.php, and (3) functions_display.php in VEGO Web Forum 1.26 and earlier allows remote attackers to execute arbitrary SQL commands via the theme_id parameter in index.php. 20060101 [eVuln] VEGO Web Forum SQL Injection Vulnerability ADV-2006-0003 18273 http://evuln.com/vulns/1/summary.html 16107 22140 315 SQL injection vulnerability in index.php in PHPjournaler 1.0 allows remote attackers to execute arbitrary SQL commands via the readold parameter. 16111 20060101 [eVuln] PHPjournaler SQL Injection Vulnerability 22149 ADV-2006-0006 18265 http://evuln.com/vulns/9/summary.html SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. ADV-2006-0004 18272 http://evuln.com/vulns/2/summary.html 16108 22139 SQL injection vulnerability in Primo Cart 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) q parameter to search.php and (2) email parameter to user.php. ADV-2006-0008 18264 16125 22147 22146 http://pridels0.blogspot.com/2006/01/primo-cart-sql-inj.html Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk Guestbook 1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the homepage parameter. 19087 16112 20060101 [eVuln] Chipmunk Guestbook XSS Vulnerability 18270 http://evuln.com/vulns/4/summary.html ** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE. 20060103 Re: Drupal all versiyon xss cehennem.org 20060102 Drupal all versiyon xss cehennem.org The ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0. 16120 GLSA-200601-01 22211 18284 Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument. NOTE: this is probably a different vulnerability than CVE-2005-0351 since it involves a distinct attack vector. 16122 20060102 SCO Openserver 5.0.x exploit http://downloads.securityfocus.com/vulnerabilities/exploits/Openserver_bof.c Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16119 22153 18283 SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter. NOTE: it was later reported that 1.1 and earlier are affected. 16109 20060101 [eVuln] PHPenpals SQL Injection Vulnerabilit 22150 8706 ADV-2006-0005 18269 http://evuln.com/vulns/5/summary.html Direct static code injection vulnerability in phpBook 1.3.2 and earlier allows remote attackers to execute arbitrary PHP code via the e-mail field (mail variable) in a new message, which is written to a PHP file. 16106 20060101 [eVuln] phpBook PHP Code Execution ADV-2006-0002 http://evuln.com/vulns/6/summary.html 18268 PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. 16105 20060531 Re: OaBoard 1.0 Remote File inclusion 20060530 OaBoard 1.0 Remote File inclusion 20060101 [eVuln] oaBoard PHP Code Execution 1016211 http://evuln.com/vulns/3/summary.html Off-by-one error in the getfattr function in File::ExtAttr before 0.03 allows attackers to trigger a buffer overflow via unspecified attack vectors. 16118 ADV-2006-0013 http://sourceforge.net/project/shownotes.php?release_id=382199&group_id=153116 18253 22160 Multiple cross-site scripting (XSS) vulnerabilities in B-net Software 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) shout variables to (a) shout.php, or the (3) title and (4) message variables to (b) guestbook.php. 16114 20060102 [eVuln] B-net Software Multiple XSS Vulnerabilities 18271 http://evuln.com/vulns/10/summary.html 20060825 Re: [eVuln] B-net Software Multiple XSS Vulnerabilities 22191 22190 ADV-2006-0018 http://sourceforge.net/project/shownotes.php?release_id=442067&group_id=117067 316 SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 allows remote attackers to execute arbitrary SQL commands via the username field (adminname variable). 16115 20060102 [eVuln] ScozBook "adminname" Authentication Bypass http://evuln.com/vulns/11/summary.html 22221 ADV-2006-0027 318 8476 Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php. 16116 20060108 Html_Injection in vBulletin 3.5.2 20060101 [KAPDA::#19] - Html Injection in vBulletin 3.5.2 22220 22210 ADV-2006-0033 18299 http://kapda.ir/advisory-177.html ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title. 16127 22196 ADV-2006-0017 18286 20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] 20060102 Buffer Overflow vulnerability in Windows Display Manager [Suspected] Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. 12717 GLSA-200602-13.xml GLSA-200602-06 SSA:2006-045-03 19183 19030 18851 18607 MDKSA-2006:024 20060301-01-U USN-246-1 SUSE-SR:2006:006 1015623 19408 18871 18261 RHSA-2006:0178 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876 https://issues.rpath.com/browse/RPL-389 20061127 rPSA-2006-0218-1 ImageMagick MDKSA-2006:024 ADV-2008-0412 DSA-1213 231321 500 28800 23090 22998 Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the $_SERVER[HTTP_USER_AGENT] variable (User-Agent header). 16138 22198 ADV-2006-0030 18292 http://evuln.com/vulns/13/summary.html 1015432 20060116 vendor ack/fix: 22198: raSMP index.php User-Agent Field XSS (fwd) SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attackers to execute arbitrary SQL commands via the (1) usuario_nkads_admin or (2) password_nkads_admin parameters. http://www.soulblack.com.ar/repo/papers/advisory/nkads_advisory.txt ADV-2006-0040 18302 22206 Cross-site scripting vulnerability in index.php in Next Generation Image Gallery 0.0.1 Lite Edition allows remote attackers to inject arbitrary web script or HTML via the page parameter. ADV-2006-0037 18309 22202 http://osvdb.org/ref/22/22202-nextgen.txt SQL injection vulnerability in (1) pages.php and (2) detail.php in Lizard Cart CMS 1.04 allows remote attackers to execute arbitrary SQL commands via the id parameter. 16140 20060104 [eVuln] Lizard Cart CMS SQL Injection Vulnerability ADV-2006-0029 18297 22200 22199 http://www.evuln.com/vulns/12/summary.html 1015435 314 SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter. 16110 20060101 [eVuln] inTouch Authentication Bypass ADV-2006-0026 http://evuln.com/vulns/8/summary.html intouch-intouch-sql-injection(23954) 22382 Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute. 16136 ADV-2006-0032 http://users.pandora.be/bratax/advisories/b007.html 18294 22208 Directory traversal vulnerability in index.php in IDV Directory Viewer before 2005.1 allows remote attackers to view arbitrary directory contents via a .. (dot dot) in the dir parameter. http://sourceforge.net/project/shownotes.php?release_id=382593&group_id=152499 ADV-2006-0031 18298 16137 Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0.8.1-6 and earlier, with "Inline HTML" enabled, allows remote attackers to inject arbitrary web script or HTML via e-mail attachments, which are rendered inline. ADV-2006-0034 18285 20060103 Open Xchange XSS 1015431 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0992, CVE-2006-0158. Reason: this candidate was intended for one issue, but a typo caused it to be associated with a Novell/Groupwise issue. In addition, this issue was a duplicate of a SiteSuite issue that was also assigned CVE-2006-0158. Notes: All CVE users should consult CVE-2006-0992 and CVE-2006-0158 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 22203 ADV-2006-0039 18306 http://osvdb.org/ref/22/22203-ecardmax.txt PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0028 17373 Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357. 313 20060105 phpBB 2.0.19 XSS 22672 ADV-2006-0051 Cross-site scripting (XSS) vulnerability in WCONSOLE.DLL in Rockliffe MailSite 5.x and 6.1.22 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string. ADV-2006-0284 18551 20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability mailsite-wconsole-xss(24256) 16330 22677 dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key. [linux-kernel] 20060104 [Patch 2.6] dm-crypt: zero key before freeing it [linux-kernel] 20060104 [Patch 2.6] dm-crypt: Zero key material before free to avoid information leak kernel-dmcrypt-information-disclosure(24189) USN-244-1 2006-0004 16301 FLSA:157459-4 RHSA-2006:0132 FEDORA-2006-102 22418 SUSE-SA:2006:028 MDKSA-2006:040 ADV-2006-0235 DSA-1017 1015740 388 20398 19374 19160 18774 18527 18487 MDKSA-2006:040 wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels. MDKSA-2006:044 USN-244-1 16304 http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=0f1d4813a4a65296e1131f320a60741732bc068f DSA-1017 19374 18977 18527 http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.91.23?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wan|related/drivers/net/wan/sdla.c Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function. 16145 20060105 Windows PHP 4.x "0-day" buffer overflow http://www.php.net/ChangeLog-4.php#4.4.3 22232 ADV-2006-0046 18275 20060105 Windows PHP 4.x "0-day" buffer overflow 20060108 RE: Windows PHP 4.x "0-day" buffer overflow The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/. 16144 [3.7] 20060105 008: SECURITY FIX: January 5, 2006 18296 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/008_fd.patch 22231 1015437 PHP remote file include vulnerability in (1) include/templates/categories/default.php and (2) certain other include/templates/categories/ PHP scripts in Valdersoft Shopping Cart 3.0 allows remote attackers to execute arbitrary code via a URL in the catalogDocumentRoot parameter. 16126 http://downloads.securityfocus.com/vulnerabilities/exploits/cijfer-vscxpl.pl 1401 Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Name of site" field of an FTP account. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to create or modify FTP accounts in this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 20060102 NicoFTP Stack Overflow 317 Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Beta 20051202 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p and (2) keyword parameters in (a) index.php and (b) search.php. sblog-multiple-scripts-xss(23979) 22374 22373 ADV-2006-0041 http://osvdb.org/ref/22/22373-sblog.txt Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and earlier allows remote attackers to inject arbitrary web script via a javascript: scheme in an "[a]" bbcode tag, possibly the txt parameter to action.php. 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 22256 ADV-2006-0054 1015436 18293 http://evuln.com/vulns/14/summary.html 320 TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information. 20060417 Tiny PHP forum - vulns 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 22257 ADV-2006-0054 1015436 18293 http://evuln.com/vulns/14/summary.html tinyphpforum-users-information-disclosure(24016) 320 Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allows remote attackers to create a new user account, create a new topic, or view the profile of a user account, as demonstrated via a .. (dot dot) in the uname parameter to profile.php. 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities ADV-2006-0054 18293 http://evuln.com/vulns/14/summary.html http://evuln.com/vulns/14/exploit.html 16163 22258 1015436 320 gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase. ADV-2006-0098 18323 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346197 [Dailydave] 20060105 WMF goes away :< win-wmf-execute-code(23846) 20060117 ERRATA: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability SUSE-SR:2006:002 MDKSA-2006:014 GLSA-200601-09 DSA-954 18578 18549 18451 MDKSA-2006:014 SQL injection vulnerability in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the viewID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0108. 16159 22252 18324 timecancms-sql-injection(24014) SQL injection vulnerability in mcl_login.asp in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0107. 22253 22252 ADV-2006-0078 timecancms-sql-injection(24014) Cross-site scripting vulnerability in category.php in Modular Merchant Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 18320 16160 22243 http://www.modularmerchant.com/forums/viewtopic.php?t=46 ADV-2006-0076 http://osvdb.org/ref/22/22243-modular.txt 20060214 vendor ack/fix 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS (fwd) Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to inject arbitrary web script via the email parameter. 16154 20060106 [eVuln] Proyecto Domus 'email' XSS Vulnerability 22263 ADV-2006-0073 18327 http://evuln.com/vulns/16/summary.html domus-escribir-xss(24020) Cross-site scripting vulnerability in index.php in Boxcar Media Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) parent or (2) pg parameter. boxcar-index-xss(24019) 22360 ADV-2006-0080 http://osvdb.org/ref/22/22360-boxcar.txt Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simple PHP Gallery 1.7 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. 22201 ADV-2006-0036 18310 http://osvdb.org/ref/22/22201-espg.txt Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the full path of the application via a direct request to sp_helper_functions.php, which leaks the pathname in an error message. 18310 http://osvdb.org/ref/22/22201-espg.txt 22417 The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows remote attackers to obtain valid e-mail addresses to conduct spam attacks by modifying the contact_id parameter to index2.php. 16185 ADV-2006-0097 18361 http://forum.joomla.org/index.php/topic,29031.0.html http://forge.joomla.org/sf/go/artf2950 joomla-vcard-information-disclosure(24042) Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp. 16155 22250 22249 22248 ADV-2006-0079 18325 http://osvdb.org/ref/22/22248-oneplug.txt Cross-site scripting vulnerability search.inetstore in iNETstore Ebusiness Software 2.0 allows remote attackers to inject arbitrary web script or HTML via the searchterm parameter. 16156 20060126 Re: [OSVDB Mods] iNETstore E Commerce Solution - Cross Site Scripting 22251 ADV-2006-0075 20060127 vendor confirms versions: iNETstore E Commerce Solution - Cross Site Scripting (fwd) 18322 http://osvdb.org/ref/22/22251-inetstore.txt Buffer overflow in IBM Lotus Notes and Domino Server before 6.5.5 allows attackers to cause a denial of service (router crash or hang) via unspecified vectors involving "CD to MIME Conversion". 16158 18328 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/21d8fd7989fdf78d852570e4001bae68?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/50c634bfe193efa5852570e4001baace?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-cdtomime-dos(24205) ADV-2006-0081 Unspecified vulnerability in IBM Lotus Notes and Domino Server before 6.5.5, when running on AIX, allows attackers to cause a denial of service (deep recursion leading to stack overflow and crash) via long formulas. 16158 18328 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/21d8fd7989fdf78d852570e4001bae68?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/50c634bfe193efa5852570e4001baace?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-long-formula-bo(24206) ADV-2006-0081 Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 have unknown impact and attack vectors, due to "potential security issues" as identified by SPR numbers (1) GPKS6C9J67 in Agents, (2) JGAN6B6TZ3 and (3) KSPR699NBP in the Router, (4) GPKS5YQGPT in Security, or (5) HSAO6BNL6Y in the Web Server. NOTE: vector 3 is related to an issue in NROUTER in IBM Lotus Notes and Domino Server before 6.5.4 FP1, 6.5.5, and 7.0, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted vCal meeting request sent via SMTP (aka SPR# KSPR699NBP). 16158 18328 18020 20060626 SYMSA-2006-006: Lotus Domino SMTP Based Denial of Service ADV-2006-2564 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/f97fe7cfd9a8113b8525709200001db4?OpenDocument&Highlight=0,GPKS6C9J67 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/e4deb1cbb011c747852570e4001ba9bb?OpenDocument&Highlight=0,GPKS5YQGPT http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/de2ab57a5b9547848525701b00420c2c?OpenDocument&Highlight=0,KSPR699NBP http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/d1150fc9c5dec8b18525709200001da6?OpenDocument&Highlight=0,GPKS6C9J67 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/9a1650d1a771f3078525702a00420def?OpenDocument&Highlight=0,HSAO6BNL6Y http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/94a77eb898843aca8525709200001de1?OpenDocument&Highlight=0,JGAN6B6TZ3 http://www-1.ibm.com/support/docview.wss?uid=swg27007054 1016390 20855 domino-smtp-nrouter-dos(27413) lotus-web-unspecified-xss(24211) lotus-multiple-unspecified(24207) Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (application crash) via multiple vectors, involving (1) a malformed message sent to an "Out Of Office" agent (SPR LPEE6DMQWJ), (2) the compact command (RTIN5U2SAJ), (3) malformed bitmap images (MYAA6FH5HW), (4) the "Delete Attachment" action (YPHG6844LD), (5) parsing certificates from a remote Certificate Table (AELE6DZFJW), and (6) creating a SSL key ring with the Domino Administration client (NSUA4FQPTN). 16158 18328 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/ced5f873baea4e8b852570e4001baa6d?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/ad0dd14aa109f96b852570e4001bb08c?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/5f166a44ee743b2c852570e4001baf31?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/4118a1f266afb26c852570e4001baf5e?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/2bb4f466a9e986ae852570e4001babbb?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/040482aeb1416bb7852570e4001badd6?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/258394eaa824f2c08525708a004209d3?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-ssl-keyring-dos(24217) lotus-certificate-parsing-dos(24216) lotus-delete-attachment-dos(24215) lotus-bmp-dos(24214) lotus-compact-dos(24213) lotus-outofoffice-dos(24212) ADV-2006-0081 Multiple memory leaks in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (memory consumption and crash) via unknown vectors related to (1) unspecified vectors during the SSL handshake (SPR# MKIN67MQVW), (2) the stash file during the SSL handshake (SPR# MKIN693QUT), and possibly other vectors. NOTE: due to insufficient information in the original vendor advisory, it is not clear whether there is an attacker role in other memory leaks that are specified in the advisory. 16158 18328 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/2221243535d88a2b8525701b00420cd6?OpenDocument&Highlight=0,MKIN693QUT http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/20f66e356a76c90f8525702a00420e08?OpenDocument&Highlight=0,MKIN67MQVW http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-ssl-handshake-dos(24223) ADV-2006-0081 Cross-site scripting (XSS) vulnerability in Public/Index.asp in Aquifer CMS allows remote attackers to inject arbitrary web script or HTML via the Keyword parameter. Vendor provided solution: "Liquid Development has identified this vulnerability in all shipping versions of AquiferCMS and coded a software fix. The fix will be included in all releases of AquiferCMS built on or after January 24, 2006. Customers should contact Liquid Development to obtain the fix for this vulnerability. For more information visit www.aquifercms.com." 22247 16162 ADV-2006-0074 18326 http://osvdb.org/ref/22/22247-aquifer.txt 20060124 vendor ack/fix: Aquifer CMS Index.asp Keyword Variable XSS (fwd) Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors. 16157 20060105 [eVuln] ADNForum Multiple Vulnerabilities 22241 22240 ADV-2006-0077 1015445 18300 http://evuln.com/vulns/15/summary.html Cross-site scripting (XSS) vulnerability in crear.php in ADN Forum 1.0b allows remote attackers to inject arbitrary web script or HTML via the titulo parameter, which is used by the "Topic name" field. 16157 20060105 [eVuln] ADNForum Multiple Vulnerabilities ADV-2006-0077 18300 http://evuln.com/vulns/15/summary.html 22242 1015445 Unspecified vulnerability in appserv/main.php in AppServ 2.4.5 allows remote attackers to include arbitrary files via the appserv_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. There is not enough detail from these third party sources to know whether this is directory traversal, remote file include, or another issue. 22228 ADV-2006-0053 18163 16166 rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices. 22223 ADV-2006-0052 18301 http://dist.schmorp.de/rxvt-unicode/Changes Directory traversal vulnerability in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote authenticated users to rename the folders of other users via a .. (dot dot) in the RENAME command. http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt 22229 ADV-2006-0055 18318 20060104 Rockliffe Directory Transversal Vulnerability 20060105 Re: Rockliffe Directory Transversal Vulnerability Buffer overflow in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote attackers to have an unknown impact via unknown attack vectors. http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt 20060104 Rockliffe Directory Transversal Vulnerability rockliffe-imap-unspecified-bo(39991) Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106. ADV-2006-0055 18318 http://zur.homelinux.com/Advisories/RockliffeMailsiteUserEnum.txt 22230 20060104 Rockliffe Mailsite User Enumeration Flaw Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier allows remote attackers to attempt authentication with an unlimited number of user account names and passwords without denying connections, limiting the rate of connections, or locking out an account. http://zur.homelinux.com/Advisories/RockliffeMailsiteUserEnum.txt 20060104 Rockliffe Mailsite User Enumeration Flaw boastMachine 3.1 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php and (2) side_menu.php, which reveals the path in an error message. 20060105 [ECHO_ADV_25$2006] Full path disclosure on boastMachine v3.1 http://echo.or.id/adv/adv26-K-159-2006.txt Directory traversal vulnerability in webftp.php in SysCP WebFTP 1.2.6 and possibly earlier allows remote attackers to include and execute arbitrary local PHP scripts, and possibly read other types of files, via a .. (dot dot) and a trailing null in the webftp_language parameter. ADV-2006-0090 18355 16175 20060104 SysCP WebFTP local file inclusion vulnerability webftp-language-file-include(24018) Multiple directory traversal vulnerabilities in AIX 5.3 ML03 allow local users to determine the existence of files and read partial contents of certain files via a .. (dot dot) in the argument to (1) getCommand.new (aka getCommand) and (2) getShell, a different vulnerability than CVE-2005-4273. 16103 16102 20060101 [xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities 1015429 Cross-site scripting (XSS) vulnerability in register.php in TheWebForum (twf) 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the www parameter. 16161 20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass ADV-2006-0093 1015450 18392 http://evuln.com/vulns/17/summary.html http://evuln.com/vulns/17/exploit.html thewebforum-register-xss(24007) 22295 SQL injection vulnerability in login.php in TheWebForum (twf) 1.2.1 allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the username parameter (aka the u variable). 16161 20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass ADV-2006-0093 1015450 18392 http://evuln.com/vulns/17/summary.html http://evuln.com/vulns/17/exploit.html thewebforum-login-sql-injection(24027) 22294 321 Multiple cross-site scripting (XSS) vulnerabilities in the guestbook module in modules.php in Phanatic Softwares Chimera Web Portal System 0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) comment_poster, (2) comment_poster_email, (3) comment_poster_homepage, and (4) comment_text parameters. 16113 20060101 [eVuln] Chimera Web Portal System Multiple Vulnerabilities ADV-2006-0025 http://evuln.com/vulns/7/summary.html http://evuln.com/vulns/7/exploit.html SQL injection vulnerability in linkcategory.php in Phanatic Softwares Chimera Web Portal System 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. 16113 20060101 [eVuln] Chimera Web Portal System Multiple Vulnerabilities ADV-2006-0025 http://evuln.com/vulns/7/summary.html http://evuln.com/vulns/7/exploit.html chimera-linkcategory-sql-injection(23963) 22420 aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891). http://www.securiteam.com/exploits/5JP090KHFQ.html 22186 The send-private-message functionality (send-private-message.asp) in PD9 Software MegaBBS 2.1 allows remote attackers to read private messages of other users via a modified replyid parameter. 16168 http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924 http://www.hamid.ir/security/megabbs.txt ADV-2006-0095 18342 megabbs-sendprivatemessage-disclosure(24050) 1015452 Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 Stable(2.6.0) and V17beta2 allows remote attackers to inject arbitrary web script or HTML via the (1) b, (2) textlarge, and (3) url bbcode tags. navboard-post-xss(24021) 16165 20060107 [eVuln] NavBoard BBcode XSS Vulnerability 22277 ADV-2006-0092 18345 http://evuln.com/vulns/19/summary.html Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote attackers to cause a denial of service (crash) via (1) malformed NTLM authentication requests, or a malformed (2) Incoming Mail X or (3) Temporary Mail file. ADV-2006-0099 http://www.eudora.co.nz/updates.html 18356 16179 eims-corrupted-mail-dos(24033) eims-ntlm-auth-dos(24032) Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda 1.9.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16183 ADV-2006-0096 18359 andromeda-script-xss(24031) Microsoft Windows Graphics Rendering Engine (GRE) allows remote attackers to corrupt memory and cause a denial of service (crash) via a WMF file containing (1) ExtCreateRegion or (2) ExtEscape function calls with arguments with inconsistent lengths. 1015453 16167 20060109 [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities 20060107 Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities ADV-2006-0115 http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx win-gre-wmf-dos(24044) http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html Format string vulnerability in the logging code of SMS Server Tools (smstools) 1.14.8 and earlier allows local users to execute arbitrary code via unspecified attack vectors. 18357 smstools-logging-format-string(24034) 16188 22287 DSA-930 18343 The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function. ADV-2006-0148 18390 gopear-proxy-redirection(24076) 16174 20060109 New PEAR / Apache2Triad Exploit http://apache2triad.net/forums/viewtopic.php?p=14670 The kernfs_xread function in kernfs in NetBSD 1.6 through 2.1, and OpenBSD 3.8, does not properly validate file offsets against negative 32-bit values that occur as a result of truncation, which allows local users to read arbitrary kernel memory and gain privileges via the lseek system call. 16173 http://www.securitylab.net/research/2006/02/advisory_netbsd_openbsd_kernfs.html 20060202 [SLAB] NetBSD / OpenBSD kernfs_xread patch evasion 22293 18712 18388 NetBSD-SA2006-001 netbsd-kernfs-memory-disclosure(24035) 405 The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. http://www.xaraya.com/index.php/news/569 16187 20060202 Bug for libs in php link directory 2.0 22290 GLSA-200604-07 ADV-2006-1419 ADV-2006-1304 ADV-2006-0447 ADV-2006-0370 ADV-2006-0105 ADV-2006-0104 ADV-2006-0103 ADV-2006-0101 DSA-1031 DSA-1030 DSA-1029 http://secunia.com/secunia_research/2005-64/advisory/ 19699 19591 19590 19563 19555 18720 18276 18260 18233 17418 adodb-server-command-execution(24051) 20070418 MediaBeez Sql query Execution .. Wear isn't ?? :) 20060409 PhpOpenChat 3.0.x ADODB Server.php "sql" SQL injection http://www.maxdev.com/Article550.phtml ADV-2006-1305 ADV-2006-0102 713 24954 19691 19600 18267 18254 http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo. 22291 GLSA-200604-07 ADV-2006-1332 ADV-2006-0104 ADV-2006-0103 ADV-2006-0102 ADV-2006-0101 DSA-1030 DSA-1029 http://secunia.com/secunia_research/2005-64/advisory/ 19628 19591 19590 19555 18276 18260 18254 18233 17418 20060412 Simplog <=0.9.2 multiple vulnerabilities 20060409 PhpOpenChat 3.0.x ADODB Server.php "sql" SQL injection ADV-2006-1305 DSA-1031 19600 18267 http://retrogod.altervista.org/simplog_092_incl_xpl.html http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html 1663 adodb-tmssql-command-execution(24052) 19691 NetSarang Xlpd 2.1 allows remote attackers to cause a denial of service (crash) via a large number of connections from the same IP address. 16164 http://www.ipomonis.com/advisories/xlpd.txt 1015444 xlpd-connection-dos(24041) Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field. 1015451 20060106 SimpBook "message" Remote Cross-Site Scripting Vulnerability Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username. MDKSA-2006:017 16177 RHSA-2006:0179 ADV-2006-0117 DSA-952 18568 18412 18405 18382 20060109 Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap module Multiple Format Strings Vulnerability http://www.rudedog.org/auth_ldap/Changes.html http://www.digitalarmaments.com/2006090173928420.html 1015456 apache-authldap-format-string(24030) sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158. 18363 USN-235-2 16184 18358 2006-0010 SUSE-SR:2006:002 MDKSA-2006:159 DSA-946 SSA:2006-045-08 21692 19016 18906 18558 18549 MDKSA-2006:159 Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the needle parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16180 ADV-2006-0094 18360 phpchamber-searchresult-xss(24029) 22282 427BB 2.2 and 2.2.1 verifies authentication credentials based on the username, authenticated, and usertype cookies, which allows remote attackers to bypass authentication by using a valid username and usertype and setting the authenticated cookie. 16178 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) ADV-2006-0091 18354 http://evuln.com/vulns/18/summary.html 427bb-scripts-security-bypass(24038) 22274 SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via the ForumID parameter. 16169 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) ADV-2006-0091 18354 http://evuln.com/vulns/18/summary.html 427bb-showthread-sql-injection(24039) 22275 Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary Javascript via a new message with a url bbcode tag containing a javascript URI. 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) ADV-2006-0091 18354 http://evuln.com/vulns/18/summary.html 427bb-posts-xss(24040) 22276 Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows remote attackers to inject arbitrary Javascript via the javascript URI in bbcode url tags in (1) addpost1.php and (2) addtopic1.php. 16172 20060109 [eVuln] Foxrum BBCode XSS Vulnerabilty ADV-2006-0121 18386 http://evuln.com/vulns/20 foxrum-bbcode-xss(24043) 325 settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows remote attackers to change the administrator password via a change action that specifies identical values for the passwd and admin_password parameters, then declares the new password string in the new_passwd and confirm_passwd parameters. 16182 http://downloads.securityfocus.com/vulnerabilities/exploits/MagicNewsPlus-pw-change.pl 18601 SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS allows remote attackers to execute arbitrary SQL commands via the page parameter. 22205 ADV-2006-0038 18305 http://osvdb.org/ref/22/22205-sitesuite.txt SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information. 22264 ADV-2006-0073 18327 domus-escribir-sql-injection(24017) SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3. venomboard-addpost-sql-injection(24046) 16176 22297 ADV-2006-0122 18383 20060109 [eVuln] Venom Board SQL Injection Vulnerability 20060109 [eVuln] Venom Board SQL Injection Vulnerability http://evuln.com/vulns/21/summary.html 326 Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780. 101933 ADV-2006-0113 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015455 19087 18371 oval:org.mitre.oval:def:1534 Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamAV) before 0.88 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted UPX files. VU#385908 16191 ADV-2006-0116 18379 http://www.clamav.net/doc/0.88/ChangeLog clamav-libclamav-upx-bo(24047) http://www.zerodayinitiative.com/advisories/ZDI-06-001.html 2006-0002 22318 MDKSA-2006:016 GLSA-200601-07 DSA-947 1015457 342 18548 18478 18463 18453 20060112 ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution Vulnerability MDKSA-2006:016 PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of service (postmaster exit and no new connections) via a large number of simultaneous connection requests. [pgsql-announce] 20060109 CRITICAL RELEASE: Minor Releases to Fix DoS Vulnerability postgresql-connection-request-dos(24049) 16201 20060111 PostgreSQL security releases 8.0.6 and 8.1.2 http://www.postgresql.org/about/news.456 ADV-2006-0114 1015482 327 18419 An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability." VU#312956 TA06-045A 16516 MS06-004 ADV-2006-0469 18729 22976 http://www.microsoft.com/technet/security/advisory/913333.mspx 18912 [funsec] 20060110 Another WMF flaw without a Microsoft patch oval:org.mitre.oval:def:1638 Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. TA06-010A VU#915930 16194 MS06-002 ADV-2006-0118 18365 win-embedded-fonts-bo(23922) http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375525 20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability 18829 EEYEB20050801 http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm 1015459 18391 18311 oval:org.mitre.oval:def:714 oval:org.mitre.oval:def:698 oval:org.mitre.oval:def:1491 oval:org.mitre.oval:def:1462 oval:org.mitre.oval:def:1185 oval:org.mitre.oval:def:1126 Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. TA06-010A VU#252146 16197 20060110 Microsoft Outlook Critical Vulnerability 20060110 Microsoft Exchange Critical Vulnerability MS06-003 ADV-2006-0119 1015461 1015460 18368 http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm win-tnef-overflow(22878) 331 330 oval:org.mitre.oval:def:624 oval:org.mitre.oval:def:1485 oval:org.mitre.oval:def:1456 oval:org.mitre.oval:def:1316 oval:org.mitre.oval:def:1165 oval:org.mitre.oval:def:1082 The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0. 2006-0004 18482 16414 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ad8e4b75c8a7bed475d72ce09bf5267188621961 kernel-afnetlink-dos(24202) ADV-2006-0220 388 The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer. 16209 18378 FreeBSD-SA-06:04 ipfw-icmp-fragment-dos(24073) 22319 1015477 The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell. 16207 18404 FreeBSD-SA-06:02 ee-ispell-op-symlink(24074) 22320 1015469 SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792. phpnukeev-search-sql-injection(44978) 16186 22316 ADV-2006-0120 18394 http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html phgstats.inc.php in phgstats before 0.5.1, if register_globals is enabled, allows remote attackers to include arbitrary files and execute arbitrary PHP code by modifying the PHGDIR variable. ADV-2006-0123 http://sourceforge.net/project/shownotes.php?release_id=384232 18346 phgstats-php-file-include(24062) 17469 22302 Cross-site scripting (XSS) vulnerability in the DataForm Entries functionality in Plain Black WebGUI before 6.8.4 (gamma) allows remote attackers to inject arbitrary Javascript via the (1) url and (2) name field of the default email form. ADV-2006-0126 http://sourceforge.net/project/shownotes.php?release_id=384153&group_id=51417 18372 http://sourceforge.net/tracker/index.php?func=detail&aid=1395371&group_id=51417&atid=463213 webgui-forms-xss(24053) Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products. ADV-2006-0143 1015462 http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html 18402 systemworks-nprotect-hidden(24061) SQL injection vulnerability in MyPhPim 01.05 allows remote attackers to execute arbitrary SQL commands via the (1) cal_id parameter in calendar.php3 and the (2) password field on the login page. myphpim-login-sql-injection(24075) myphpim-calendar-sql-injection(24066) 16210 20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities 22325 22324 ADV-2006-0147 18399 http://evuln.com/vulns/22/summary.html Cross-site scripting (XSS) vulnerability in MyPhPim 01.05 allows remote attackers to inject arbitrary web script or HTML via the description field on the "Create New todo" page. myphpim-todo-xss(24071) 16210 20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities 22326 ADV-2006-0147 18399 http://evuln.com/vulns/22/summary.html addresses.php3 in MyPhPim 01.05 does not restrict uploaded files, which allows remote attackers to execute arbitrary PHP code via the pdbfile variable, then directly accessing those files from the uploads directory. myphpim-addresses-file-upload(24070) 16208 20060111 [eVuln] MyPhPim Arbitrary File Upload ADV-2006-0147 18399 http://evuln.com/vulns/23/summary.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0035. Reason: This candidate is a duplicate of CVE-2006-0035. Notes: All CVE users should reference CVE-2006-0035 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PHP remote file include vulnerability in index.php in OrjinWeb E-commerce allows remote attackers to execute arbitrary code via a URL in the page parameter. NOTE: it is not clear, but OrjinWeb might be an application service, in which case it should not be included in CVE. 16199 20060106 Orjinweb E-commerce orjinweb-url-file-include(24097) 22387 Cross-site scripting (XSS) vulnerability in the file manager utility in Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML in an uploaded page, which is published without a check for hostile scripting. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-xss(24067) Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to misrepresent the type and name of a file via modified doc_ext and id parameters, which might trick a user into downloading dangerous or unexpected content. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-file-download(24068) Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to obtain sensitive information (intranet IP addresses and enumerations of valid parameter values) via a direct request to hc, which reveals the information in an error message or a cookie. 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html ADV-2006-0145 18411 hummingbird-enterprise-information-disclosure(24069) 328 Cross-site scripting (XSS) vulnerability in search_form.asp in Web Wiz Forums 6.34 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 16196 20060111 Advisory:XSS vulnerability on WebWiz Forums <= 6.34(search_form.asp) 20060109 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp) webwizforums-searchform-xss(24048) 22398 Buffer overflow in certain functions in src/fileio.c and src/unix/fileio.c in xmame before 11 January 2006 may allow local users to gain privileges via a long (1) -lang, (2) -ctrlr, (3) -pb, or (4) -rec argument on many operating systems, and via a long (5) -jdev argument on Ubuntu Linux. 16203 20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation 20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation. xmame-multiple-parameters-bo(24102) http://x.mame.net/changes-unix.html Multiple buffer overflows in Cray UNICOS 9.0.2.2 might allow local users to gain privileges by (1) invoking /usr/bin/script with a long command line argument or (2) setting the -c option of /etc/nu to the name of a file containing a long line. 16205 20060110 SUID root overflows in UNICOS and partial shellcode unicos-command-line-bo(24276) Format string vulnerability in /bin/ftp in UNICOS 9.0.2.2 allows local users to have an unknown impact via format string specifiers in the quote command. NOTE: because the program is not setuid and not normally called from remote programs, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 16205 20060110 SUID root overflows in UNICOS and partial shellcode unicos-ftp-format-string(24277) The Cisco IP Phone 7940 allows remote attackers to cause a denial of service (reboot) via a large amount of TCP SYN packets (syn flood) to arbitrary ports, as demonstrated to port 80. ADV-2006-0202 1015488 18479 cisco-ipphone-synflood-dos(24117) 16200 22469 20060113 Response to Cisco IP Phone 7940 DoS Exploit posted on milw0rm.com http://downloads.securityfocus.com/vulnerabilities/exploits/cisco_ip7940_dos.pl Cross-site scripting (XSS) vulnerability in CaLogic Calendars 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the Title field on the "Adding New Event" page, and possibly other vectors, involving iframe tags. 16206 ADV-2006-0149 18417 http://evuln.com/vulns/24/summary.html calogic-newevent-xss(24077) 20060116 [eVuln] CaLogic Calendars Multiple XSS Vulnerabilities 22322 Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.1.3 has an undocumented administrative account with a default password, which allows local users to gain privileges via the expert command. 16211 20060111 Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS) cisco-csmars-default-password(24065) 22346 ADV-2006-0154 1015471 335 18424 login.php in ACal Calendar Project 2.2.5 allows remote attackers to bypass authentication by setting the ACalAuthenticate cookie variable to "inside". ADV-2006-0152 http://evuln.com/vulns/25/summary.html acal-login-auth-bypass(24104) 20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion 22344 343 18432 Direct static code injection vulnerability in edit.php in ACal Calendar Project 2.2.5 allows authenticated users to execute arbitrary PHP code via (1) the edit=header value, which modifies header.php, or (2) the edit=footer value, which modifies footer.php. NOTE: this issue might be resultant from the poor authentication as identified by CVE-2006-0182. Since the design of the product allows the administrator to edit the code, perhaps this issue should not be included in CVE, except as a consequence of CVE-2006-0182. ADV-2006-0152 http://evuln.com/vulns/25/summary.html acal-header-footer-code-execute(24107) 20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion 22345 343 18432 Multiple SQL injection vulnerabilities in AspTopSites allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to goto.asp or (2) password parameter to includeloginuser.asp. ADV-2006-0146 http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt 18408 asptopsites-goto-sql-injection(24072) 22330 20060110 AspTopSites SQL injection Multiple cross-site scripting vulnerabilities in the (1) Pool or (2) News Modules in Php-Nuke allow remote attackers to inject arbitrary web script or HTML via javascript in the SRC attribute of an IMG tag. 16192 20060107 Php-Nuke Pool and News Module IMG Tag Cross Site ADV-2006-0125 18374 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4500. Reason: This candidate is a duplicate of CVE-2005-4500. Notes: All CVE users should reference CVE-2005-4500 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. By design, Microsoft Visual Studio 2005 automatically executes code in the Load event of a user-defined control (UserControl1_Load function), which allows user-assisted attackers to execute arbitrary code by tricking the user into opening a malicious Visual Studio project file. 16225 20060113 Visual Studio Remote Code Execution ADV-2006-0151 18409 visualstudio-usercontrol-code-execution(24116) Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows remote attackers to execute arbitrary code via a long attribute (aka "a") field in the SDP data of a SIP packet on UDP port 5060. This is the vendor provided solution: "eStara has released Softphone version 3.0.1.47 to resolve the buffer overflow demonstrated in parsing SDP with long "a=" lines. Licensed customers can download a new version via the email sent to them with purchase, customers testing may go back to http://www.estara.com/softphone/ to obtain a new free trial. Version information can be gathered by going to Help->About. eStara highly recommends all customers upgrade to avoid this issue. If there's further questions please email us: softphone@estara.com. eStara would like to thank ZwelL for bringing the issue to our attention." estara-sip-sdp-bo(24090) 16213 20060111 eStara Softphone SIP stack Buffer Overflow Vulnerability ADV-2006-0167 1015481 18410 22348 Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. ADV-2006-0165 102066 18421 solaris-unspecified-root-access(24084) 16224 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015478 19087 oval:org.mitre.oval:def:702 Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250. ADV-2006-0166 102108 18420 solaris-find-proc-dos(24085) 16222 22347 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015479 19087 oval:org.mitre.oval:def:1608 SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp. aspsurvey-loginvalidate-sql-injection(24087) 16496 20060204 sql injection in ASP Survey 22342 ADV-2006-0164 18422 414 Cross-site scripting (XSS) vulnerability in the Hosting Control Panel (psoft.hsphere.CP) in Positive Software H-Sphere 2.4.3 Patch 8 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter in a login action. 20060112 H-Sphere Security Vulnerability http://www.psoft.net/HSdocumentation/versions/?v=all&p=r hsphere-login-xss(24096) http://www.psoft.net/HSdocumentation/versions/index.php?v=243p9&p=r 22372 ADV-2006-0172 18447 Cross-site scripting (XSS) vulnerability in default.asp in FogBugz 4.029, and other versions before 4.0.33, allows remote attackers to inject arbitrary web script or HTML via the dest parameter in the pgLogon page. 16216 20060112 FogBugz Cross Site Scripting Vulnerability http://www.fogcreek.com/FogBugz/KB/releaseNotes/WhatsNewInFogBugz4.0.33.html fogbugz-login-xss(24103) 22370 ADV-2006-0174 18443 Unspecified vulnerability in Serial line sniffer (aka slsnif) 0.4.4 allows local users to gain privileges via a long value of the HOME environment variable, possibly because of a buffer overflow. slsnif-home-bo(24082) 20060111 Serial Line Sniffer 0.4.4 Buffer Overflow http://shellcoders.com/sintigan/slsnif-ploit.pl ADV-2006-0212 18497 The XClientMessageEvent struct used in certain components of X.Org 6.8.2 and earlier, possibly including (1) the X server and (2) Xlib, uses a "long" specifier for elements of the l array, which results in inconsistent sizes in the struct on 32-bit versus 64-bit platforms, and might allow attackers to cause a denial of service (application crash) and possibly conduct other attacks. 20060108 xorg server 6.8.2 and below on 64bit arch Cross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment. http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=45637&forum=2&post_id=200481 16189 20060107 Xoops Pool Module IMG Tag Cross Site Scripting xoops-pool-imagetag-xss(24091) SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter. mininuke-news-sql-injection(24098) 20060113 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injectionvulnerability 22384 http://www.nukedx.com/?viewdoc=7 ADV-2006-0173 18439 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability 340 Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages. php-extmysqli-format-string(24095) 16219 http://www.php.net/release_5_1_2.php ADV-2006-0177 18431 20060112 Advisory 02/2006: PHP ext/mysqli Format String Vulnerability http://www.hardened-php.net/advisory_022006.113.html ADV-2006-0369 1015485 337 Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. ADV-2006-0183 http://www.uinc.ru/articles/vuln/ptpaypal050.shtml 16218 20060112 Multiple PHP Toolkit for PayPal Vulnerabilities 18444 22378 Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data. ADV-2006-0183 http://www.uinc.ru/articles/vuln/ptpaypal050.shtml 16218 20060112 Multiple PHP Toolkit for PayPal Vulnerabilities 18444 22379 membership.asp in Mini-Nuke CMS System 1.8.2 and earlier does not verify the old password when changing a password, which allows remote attackers to change the passwords of other members via a lostpassnew action with a modified x parameter. mininuke-membership-change-password(24101) 20060113 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remoteuser password change exploit 22385 ADV-2006-0173 18439 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote user password change exploit 20060129 [xpl#2] MiniNuke 1.8.2 - change member's passwrod < Perl > 344 Multiple cross-site scripting (XSS) vulnerabilities in Wordcircle 2.17 allow remote attackers to inject arbitrary web script or HTML via (1) the "Course name" field in index.php when the frm parameter has the value "mine" and (2) possibly certain other fields in unspecified scripts. wordcircle-index-xss(24106) 16227 20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities 22359 ADV-2006-0185 18440 http://evuln.com/vulns/28/summary.html 345 Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via certain other fields in unspecified scripts. wordcircle-login-security-bypass(24108) wordcircle-sql-injection(24105) 16227 20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities 20060112 [eVuln] Wordcircle Authentication Bypass 22358 ADV-2006-0185 18440 http://evuln.com/vulns/28/summary.html http://evuln.com/vulns/27/summary.html 346 345 Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php. 16229 18450 http://evuln.com/vulns/29/summary.html http://evuln.com/vulns/29/exploit.html lwc-cal-execute-code(24110) 22376 20060318 Source VERIFY - Light Weight Calendar issue is eval injection Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. php-session-response-splitting(24094) 16220 GLSA-200603-22 ADV-2006-0369 ADV-2006-0177 1015484 19355 19179 18697 18431 MDKSA-2006:028 USN-261-1 http://www.php.net/release_5_1_2.php http://www.hardened-php.net/advisory_012006.112.html 19012 SUSE-SR:2006:004 MDKSA-2006:028 DSA-1331 25945 Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message. 16803 http://www.php.net/release_5_1_2.php GLSA-200603-22 ADV-2006-0369 ADV-2006-0177 19355 19179 18697 18431 MDKSA-2006:028 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178028 USN-261-1 http://www.php.net/ChangeLog-4.php#4.4.2 19012 SUSE-SR:2006:004 RHSA-2006:0501 MDKSA-2006:028 ADV-2006-2685 http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm 21564 21252 20951 20222 20210 19832 RHSA-2006:0549 RHSA-2006:0276 20060501-01-U SQL injection vulnerability in general_functions.php in TankLogger 2.4 allows remote attackers to execute arbitrary SQL commands via the (1) livestock_id parameter to showInfo.php and (2) tank_id parameter, possibly to livestock.php. ADV-2006-0153 http://evuln.com/vulns/26/summary.html tanklogger-generalfunctions-sql-injection(24080) 16228 20060112 [eVuln] TankLogger SQL Injection Vulnerability 22369 22368 341 18441 20060113 Verified TankLogger SQl inject by source inspection Cross-site scripting (XSS) vulnerability in index.php in Interspire TrackPoint NX before 0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter when using the Login page. 16214 http://www.interspire.com/forum/showthread.php?p=29606 trackpointnx-login-xss(24112) 20060112 Interspire TrackPoint NX XSS Vulnerability 22377 ADV-2006-0175 18445 Cross-site scripting (XSS) vulnerability in forgotPassword.asp in Helm Hosting Control Panel 3.2.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the txtEmailAddress parameter. 20060112 Helm XSS Vulnerability helm-forgotpassword-xss(24139) http://www.webhostautomation.com/webhost-301 16234 22454 ADV-2006-0203 18492 Directory traversal vulnerability in OBEX Push services in Toshiba Bluetooth Stack 4.00.23(T) and earlier allows remote attackers to upload arbitrary files to arbitrary remote locations specified by .. (dot dot) sequences, as demonstrated by ..\\ sequences in the RFILE argument of ussp-push. 16236 ADV-2006-0184 http://www.digitalmunition.com/DMA%5B2006-0112a%5D.txt 18437 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 22380 1015486 http://aps.toshiba-tro.de/bluetooth/pages/driverinfo.php?txt=sp2 Kolab Server 2.0.1, 2.0.2 and development versions pre-2.1-20051215 and earlier, when authenticating users via secure SMTP, stores authentication credentials in plaintext in the postfix.log file, which allows local users to gain privileges. ADV-2006-0186 18438 http://kolab.org/security/kolab-vendor-notice-08.txt kolab-smtp-logging(24123) 22381 Eval injection vulnerability in ezDatabase 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the db_id parameter to visitorupload.php, as demonstrated using phpinfo and include function calls. ezdatabase-visitorupload-file-include(24136) 16237 351 18043 http://pridels0.blogspot.com/2006/01/ezdatabase-20-and-below.html Cross-site scripting (XSS) vulnerability in admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. NOTE: this issue might be resultant from CVE-2006-0216. 22352 http://osvdb.org/ref/22/22352-qualityppc.txt admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to obtain sensitive information, possibly the installation path of the application, via unspecified "meta characters" to the cpage parameter. 22353 http://osvdb.org/ref/22/22353-qualityppc.txt http://osvdb.org/ref/22/22352-qualityppc.txt Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auction 3.67 allow remote attackers to inject arbitrary web script or HTML via the (1) item parameter in item.pl and (2) category parameter in itemlist.pl, which reflects the XSS in an error message. NOTE: the affected version might be wrong since the current version as of 20060116 is 3.6.1. 16239 22444 22443 ADV-2006-0187 18477 20060115 Ultimate Auction <=3.67 ultimate-auction-item-xss(24138) 16254 Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603. http://community.mybboard.net/showthread.php?tid=5852 The original distribution of MyBulletinBoard (MyBB) to update from older versions to 1.0.2 omits or includes older versions of certain critical files, which allows attackers to conduct (1) SQL injection attacks via an attachment name that is not properly handled by inc/functions_upload.php (CVE-2005-4602), and possibly (2) other attacks related to threadmode in usercp.php. http://community.mybboard.net/showthread.php?tid=5960 16230 http://community.mybboard.net/showthread.php?tid=5853&pid=35151#pid35151 http://community.mybboard.net/showthread.php?tid=5853&pid=35088#pid35088 mybb-usercp-script-sql-injection(24115) Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3 through 6.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the day parameter in calendar.php and (2) the input form in search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. It is possible that this issue is resultant from an SQL injection problem in CVE-2005-4227.3 and CVE-2005-4227.13. 16232 20060113 DCP Portal Cross-Site Scripting Vulnerability dcpportal-calendar-search-xss(24153) SQL injection vulnerability in index.asp in the Admin Panel in Dragon Design Services Network (DDSN) cm3 content manager (CM3CMS) allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password. cm3-login-sql-injection(24266) 16231 20060113 DDSN CMS Admin Panel SQL Injection Vulnerability 22696 Cross-site scripting (XSS) vulnerability in fullview.php in AlstraSoft Template Seller Pro allows remote attackers to inject arbitrary web script or HTML via the tempid parameter. template-seller-fullview-xss(24235) 16233 20060113 AlstraSoft Template Seller Pro Cross-Site Scripting Vulnerability 22746 Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Server Software 5.1 allows attackers to create or overwrite arbitrary files on the server via ".." (dot dot) sequences in the username field. 16235 http://www.123flashchat.com/flash-chat-server-v512.html 22440 ADV-2006-0198 18455 123flashchat-user-directory-traversal(24137) Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. ADV-2006-0200 102033 1015492 18498 solaris-lpsched-dos(24127) 16245 22442 22441 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 19087 oval:org.mitre.oval:def:662 The RBAC functionality in grsecurity before 2.1.8 does not properly handle when the admin role creates a service and then exits the shell without unauthenticating, which causes the service to be restarted with the admin role still active. 16261 ADV-2006-0199 18458 http://www.grsecurity.org/news.php#grsec218 grsecurity-rbac-admin-privileges(24156) Unquoted Windows search path vulnerability in Wehntrust might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when Wehntrust creates the autostart key. 20060116 Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust 16268 20060116 WehnTrust - When you have to trust Wehntrust wehntrust-service-start-file-execution(24315) http://www.wehnus.com/downloads.pl Cross-site scripting (XSS) vulnerability in functions.php in microBlog 2.0 RC-10 allows remote attackers to inject arbitrary web script and HTML via a javascript: URI in a [url] BBcode tag. microblog-functions-xss(24140) 16272 20060117 [eVuln] microBlog BBCode XSS Vulnerability 1015496 http://evuln.com/vulns/36/summary.html SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters. 16270 20060117 [eVuln] microBlog SQL Injection Vulnerability microblog-index-sql-injection(24132) 22512 ADV-2006-0239 1015496 18442 http://evuln.com/vulns/35/summary.html SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers to execute arbitrary SQL commands via the dir parameter to pictures.php. 16247 20060116 White Album Sql &#304;njection biyosecurity.be whitealbum-pictures-sql-injection(24271) 22520 ADV-2006-0241 http://www.biyosecurity.be/bugs/whitealbum.txt 18460 GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. 16271 20060117 Secunia Research: Mozilla Thunderbird Attachment SpoofingVulnerability ADV-2006-0230 http://secunia.com/secunia_research/2005-22/advisory 15907 https://bugzilla.mozilla.org/show_bug.cgi?id=300246 MDKSA-2006:021 thunderbird-attachment-ext-spoofing(24164) MDKSA-2006:021 Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce allows remote attackers to inject arbitrary web script or HTML via the (1) cat and (2) subcat parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16255 ADV-2006-0214 18470 gtpicommerce-index-xss(24150) SQL injection vulnerability in wp-stats.php in GaMerZ WP-Stats 2.0 allows remote attackers to execute arbitrary SQL commands via the author parameter. http://www.lesterchan.net/blogs/ 18471 16241 ADV-2006-0192 wpstats-script-sql-injection(24163) 22450 http://www.lesterchan.net/blogs/archives/2006/01/18/wp-stats-sql-injection-vulnerability http://osvdb.org/ref/22/22450-wpstats.txt Multiple cross-site scripting (XSS) vulnerabilities in Simple Blog 2.1 allow remote attackers to inject arbitrary web script or HTML via (1) a comment to comments.asp and (2) possibly certain other fields in unspecified scripts. 16243 20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.1 ADV-2006-0194 18488 simpleblog-comment-xss(24154) 22448 http://www.hackerscenter.com/archive/view.asp?id=21926 Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts. simpleblog-month-sql-injection(24155) 16243 20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.1 22447 http://www.hackerscenter.com/archive/view.asp?id=21926 ADV-2006-0194 18488 Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Name field. 16277 20060117 XSS in WBNews < = v1.1.0 ADV-2006-0237 18499 Cross-site scripting vulnerability in index.php in PHP Fusebox 4.0.6 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter. 20060117 IndonesiaHack Advisory HTML injection in PHP Fusebox 16274 355 Cross-site scripting (XSS) vulnerability in SMBCMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the text parameter, which is used by the "Search Site" field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16281 ADV-2006-0229 18454 smbcms-sitesearch-xss(24187) 22494 ** DISPUTED ** Directory traversal vulnerability in workspaces.php in phpXplorer 0.9.33 allows remote attackers to include arbitrary files via a .. (dot dot) and trailing null byte (%00) in the sShare parameter. NOTE: a followup post claims that this is not a vulnerability since the functionality of phpXplorer supports the upload of PHP files, which would not cross privilege boundaries since the PHP functionality would support read access outside the web root. 16263 20060116 Re: Directory traversal in phpXplorer 20060116 Directory traversal in phpXplorer ADV-2006-0232 http://www.arrelnet.com/advisories/adv20060116.html 18518 phpxplorer-sshare-directory-traversal(39982) 353 Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in index.php. NOTE: the cart.php/redir and index.php/searchStr vectors are already covered by CVE-2005-3152. 16259 22471 ADV-2006-0227 18519 http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html http://bugs.cubecart.com/?do=details&id=459 cubecart-index-script-xss(24177) Cross-site scripting (XSS) vulnerability in down.pl in Widexl Download Tracker 1.06 allows remote attackers to inject arbitrary web script or HTML via the ID parameter. 16265 22462 ADV-2006-0213 18472 http://osvdb.org/ref/22/22462-widexl.txt downloadtracker-down-xss(24161) Cross-site scripting (XSS) vulnerability in anyboard.cgi in Netbula Anyboard 9.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the tK parameter in a find command. 16264 22461 ADV-2006-0188 18469 http://osvdb.org/ref/22/22461-anyboard.txt netbula-anyboard-script-xss(24167) Virata-EmWeb web server 6_1_0, as used in (1) Intracom JetSpeed 500 and 520 and (2) Allied Data Technologies CopperJet 811 RouterPlus, allows remote attackers to access privileged information, such as user lists and configuration settings, via direct HTTP requests. ADV-2006-0218 18483 http://blog.globalnetworks.gr/?p=4 virata-emweb-unauth-access(24304) SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable). 16249 22463 ADV-2006-0191 1015493 18504 http://evuln.com/vulns/33/summary.html geoBlog-viewcat-sql-injection(24146) Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162. 16267 20060116 Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability ADV-2006-0234 http://www.digitalarmaments.com/2006040164883273.html 18525 cmusnmp-snmpinput-format-string(24178) 22493 Cross-site scripting (XSS) vulnerability in fom.cgi in Faq-O-Matic 2.711 allows remote attackers to inject arbitrary web script or HTML via the (1) _duration, (2) file, and (3) cmd parameters. 16251 22439 ADV-2006-0189 18468 http://osvdb.org/ref/22/22439-faqomatic.txt faqomatic-fom-xss(24165) SQL injection vulnerability in Benders Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via multiple parameters, as demonstrated by the (1) year, (2) month, and (3) day parameters. 16242 20060115 [eVuln] Benders Calendar SQL Injection 22449 ADV-2006-0190 1015491 18462 http://evuln.com/vulns/30/summary.html benderscalendar-sql-injection(24120) Buffer overflow in the Bluetooth OBEX Object Push service in "Blue Neighbors.EXE" in AmbiCom Blue Neighbors 2.50 Build 2500 and earlier allows remote attackers to execute arbitrary code via a long file name, as demonstrated via a long RFILE argument to ussp-push. 20060120 DMA[2006-0115a] - 'AmbiCom Bluetooth Object Push Overflow' ADV-2006-0219 http://www.digitalmunition.com/DMA%5B2006-0115a%5D.txt 18466 ambicom-bluetooth-objectpush-bo(24179) 16258 366 Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer. https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&styleName=Html&projectId=10220&Create=Create https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&styleName=Html&projectId=10220&Create=Create 16260 20060115 Apache Geronimo 1.0 - CSS and persistent HTML-Injectionvulnerabilities http://www.oliverkarow.de/research/geronimo_css.txt ADV-2006-0217 18485 http://issues.apache.org/jira/browse/GERONIMO-1474 geronimo-webaccesslog-viewer-xss(24159) geronimo-jspexamples-xss(24158) RHSA-2008:0261 31493 RHSA-2008:0630 Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program. 16290 20060117 [ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess() ADV-2006-0258 http://secdev.zoller.lu/research/checkpoint.txt Unspecified vulnerability in context.py in Albatross web application toolkit before 1.33 allows remote attackers to execute arbitrary commands via unspecified vectors involving template files and the "handling of submitted form fields". ADV-2006-0196 DSA-942 18457 16252 http://www.object-craft.com.au/projects/albatross/news.html http://security.debian.org/pool/updates/main/a/albatross/albatross_1.20-2.diff.gz albatross-context-command-execution(24130) 22451 18496 Unspecified vulnerability in the Advanced Queuing component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Change Data Capture component of Oracle Database server 9.2.0.7, 10.1.0.5, and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB02. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the CDC_ALLOCATE_LOCK function of the DBMS_CDC_UTILITY package. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 1015499 oracle-january2006-update(24321) 16287 22540 18608 18493 Unspecified vulnerability in the Connection Manager component of Oracle Database server 8.1.7.4 and 9.0.1.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB03. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database server 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB04 and (2) DB06 in the (a) Data Pump component; (3) DB10 in the (b) Net Listener component; and (4) DB16 in the (c) Oracle Text component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB06 is SQL injection in the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT functions in DBMS_DATAPUMP. VU#545804 16287 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0243 18493 oracle-january2006-update(24321) 22544 ADV-2006-0323 1015499 18608 Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB05 in the (a) Data Pump component; (2) DB15 in the (b) Oracle Text component; (3) DB22 in the (c) Streams Apply component; (4) DB23 and (5) DB24 in the (d) Streams Capture component; and (6) DB26 in the (e) Streams Subcomponent. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB05 involves SQL injection in the (f) LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB functions in the DBMS_METADATA_UTIL package; (g) MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, and MAKE_FILTER_TEXT functions in the DBMS_METADATA_INT package; and (h) GET_PREPOST_TABLE_ACT function in the DBMS_METADATA package. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 1015499 18608 oracle-january2006-update(24321) 16287 22643 22637 22543 18493 Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB07 in the Dictionary component and (2) DB14 in the Oracle Label Security component. NOTE: Oracle has not disputed reliable researcher claims that DB07 involves plaintext storage of the TDE wallet password in a trace file by event 10053. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) oracle-masterkey-plaintext(24168) 16287 20060117 Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartext http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Net Foundation Layer component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB08. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB09 in the (a) Net Listener component; and (2) DB12 and (3) DB13 in the Network Communications (RPC) component. TA06-018A VU#870172 VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 22551 22550 22547 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0259. Reason: This candidate is subsumed by CVE-2006-0259. An error during initial CVE analysis used the wrong set of affected versions for "DB10". Notes: All CVE users should reference CVE-2006-0259 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB17 in the Oracle Text component and (2) DB18 in the Program Interface Network component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB17 involves SQL injection in the (a) VALIDATE_STATEMENT and BUILD_DML functions in CTXSYS.DRILOAD; (b) CLEAN_DML function in CTXSYS.DRIDML; (c) GET_ROWID function in CTXSYS.CTX_DOC; (d) BROWSE_WORDS function in CTXSYS.CTX_QUERY; and (e) ODCIINDEXTRUNCATE, ODCIINDEXDROP, and ODCIINDEXDELETE functions in CATINDEXMETHODS. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 1015499 18608 oracle-january2006-update(24321) 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22642 22641 22640 22639 22555 18493 Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB19. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.2.0.6 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB20. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Security component of Oracle Database server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB21. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the SET_DIRECTORY_ROOT function in the DBMS_CDC_PUBLISH package. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22563 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27. NOTE: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) oracle-sga-masterkey-plaintext(24186) 16287 20060117 Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Upgrade & Downgrade component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB28. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the DBMS_REGISTRY package in certain parameters to the (1) IS_COMPONENT, (2) GET_COMP_OPTION, (3) DISABLE_DDL_TRIGGERS, (4) SCRIPT_EXISTS, (5) COMP_PATH, (6) GATHER_STATS, (7) NOTHING_SCRIPT, and (8) VALIDATE_COMPONENTS functions. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22566 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the XML Database component of Oracle Database server 9.2.0.7 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB29. NOTE: based on mutual credits by the relevant sources, it is highly likely that this issue is a buffer overflow in the (a) DBMS_XMLSCHEMA and (b) DBMS_XMLSCHEMA_INT packages, as exploitable via long arguments to (1) XDB.DBMS_XMLSCHEMA.GENERATESCHEMA or (2) XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS. TA06-018A VU#891644 VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-xdbdbmx-xmlschema-bo(24376) oracle-january2006-update(24321) 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf ADV-2006-0323 ADV-2006-0243 http://www.argeniss.com/research/ARGENISS-ADV-010601.txt 1015499 18608 18493 20060126 [Argeniss] Oracle Database Buffer overflows vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT} Unspecified vulnerability in the Portal component of Oracle Application Server 9.0.4.2 and 10.1.2.0 has unspecified impact and attack vectors, as identified by Oracle Vuln# AS01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 and 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP03. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 20060117 Oracle Reports - Read parts of files via customize(fixed after 875 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) OCS01, 2) OCS02, 3) OCS03, 4) OCS04, 5) OCS05, 6) OCS06, 7) OCS07, (8) OCS08, and (9) OCS09 in the (a) Email Server component; 10) OCS10 (and (11) OCS11 in the (b) Oracle Collaboration Suite Wireless & Voice (component; 12) OCS12 and (13) OCS13 in the (c) Oracle Content (Management SDK component; 14) OCS14 and (15) OCS15 in the (d) Oracle (Content Services component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 1015499 18608 oracle-january2006-update(24321) 16287 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS07 in the (b) Oracle Applications Framework component; (3) APPS08, (4) APPS09, (5) APPS10, and (6) APPS11 in the (c) Oracle Applications Technology Stack component; (7) APPS12 in the (d) Oracle Human Resources component; (8) APPS15 and (9) APPS16 in the (e) Oracle Marketing component; (10) APPS17 in the (f) Marketing Encyclopedia System component; (11) APPS18 in the (g) Oracle Trade Management component; and (12) APPS19 in the (h) Oracle Web Applications Desktop Integration component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS02 in the (a) CRM Technical Foundation component; (2) APPS03 in the (b) iProcurement component; and (3) APPS04, (4) APPS05, and (5) APPS06 in the Oracle Application Object Library component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 4.3 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS13 and (2) APPS14 in the Oracle iLearning component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2 has unspecified impact and attack vectors, as identified by Oracle Vuln# PSE01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP23_L1 has unspecified impact and attack vectors, as identified by Oracle Vuln# JDE01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC01 in the Protocol Support component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 1015499 18608 oracle-january2006-update(24321) 16287 18493 Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.2 and 10.1.2.0.2, and E-Business Suite and Applications 11.5.10, have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) FORM01 and (2) FORM02 in the Oracle Forms component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Java Net component of Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.4, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# JN01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 10.1.0.5 and Application Server 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS02. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in the Oracle Reports Developer component of Oracle Application Server 9.0.4.1 and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP01 and (2) REP02. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 1015499 18608 oracle-january2006-update(24321) 16287 18493 Multiple unspecified vulnerabilities in Oracle Application Server 6.0.8.26(PS17) and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP05 and (2) REP06 in the Oracle Reports Developer component. NOTE: Oracle has not disputed reliable researcher claims that REP05 is the same as CVE-2005-2378 and REP06 is the same as CVE-2005-2371, both of which involve directory traversal. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 20060117 Oracle Reports - Overwrite any application server file via desname (fixed after 889 days) 20060117 Oracle Reports - Read parts of files via desname (fixed after 874 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 9.2.0.7, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 has unspecified impact and attack vectors, as identified by Oracle Vuln# WF01 in the Oracle Workflow Cartridge component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database Server 10.2.0.1, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) WF02 and (2) WF03 in the Oracle Workflow Cartridge component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) 16287 ADV-2006-0323 ADV-2006-0243 1015499 18608 18493 ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 allows remote attackers to obtain sensitive information, such as MAC address and software version, by directly accessing UDP port 9090. 16285 18511 20060116 ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/9090 zyxel-p2000w-default-port(24145) 22516 Multiple unspecified vulnerabilities in the (1) publishing component, (2) Contact Component, (3) TinyMCE Compressor, and (4) other components in Joomla! 1.0.5 and earlier have unknown impact and attack vectors. 18513 http://www.joomla.org/content/view/738/66/ Buffer overflow in Dual DHCP DNS Server 1.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the DHCP options field. 18486 http://aluigi.altervista.org/adv/dualsbof-adv.txt dualdhcpdns-options-field-bo(24191) 16298 ADV-2006-0245 1015495 Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware 1.1.12 (051129) and CP-100E VoIP 802.11b Wireless Phone running firmware 1.1.60 allows remote attackers to gain unauthorized access via the debug service on TCP port 60023. 16289 18505 20060116 Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023 20060116 Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023 clipcomm-cp100e-default-port(24144) The DM Primer (dmprimer.exe) in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption or application hang) via a large network packet, which causes a WSAEMESGSIZE error code that is not handled, leading to a thread exit. http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756 16276 20060118 CAID 33756 - DM Deployment Common Component Vulnerabilities 22529 ADV-2006-0236 http://www.designfolks.com.au/karma/DMPrimer/ http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp 1015504 18531 The DM Primer in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption and log file consumption) via unspecified "unrecognized network messages" that are not properly handled. 1015504 http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756 16276 20060118 CAID 33756 - DM Deployment Common Component Vulnerabilities 22529 ADV-2006-0236 http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp 18531 PHP remote file inclusion vulnerability in htmltonuke.php in the htmltonuke 2.0 alpha, and possibly other versions, module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the filnavn parameter. htmltonuke-htmltonuke-file-include(33092) 16282 3524 Linksys BEFVP41 VPN Router 2.0 with firmware 1.01.04 allows remote attackers on the local network, to cause a denial of service via IP packets with a null IP option length. 20060116 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability 20060113 Linksys VPN Router (BEFVP41) DoS Vulnerability ADV-2006-0238 1015490 18461 linksys-null-length-dos(24125) 16307 20060117 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability Cross-site scripting (XSS) vulnerability in aoblogger 2.3 allows remote attackers to inject arbitrary Javascript via a javascript URI in the BBcode url tag. 16286 ADV-2006-0240 16889 http://evuln.com/vulns/37/summary.html aoblogger-url-xss(24141) 22526 http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities SQL injection vulnerability in login.php in aoblogger 2.3 allows remote attackers to execute arbitrary SQL commands via the username parameter. 16286 ADV-2006-0240 16889 http://evuln.com/vulns/37/summary.html aoblogger-login-sql-injection(24142) 22527 http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities create.php in aoblogger 2.3 allows remote attackers to bypass authentication and create new blog entries by setting the uza parameter to 1. 16286 ADV-2006-0240 16889 http://evuln.com/vulns/37/summary.html aoblogger-create-security-bypass(24143) http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities