Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts. TA06-255A VU#406236 19951 20060912 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability MS06-054 http://www.computerterrorism.com/research/ct12-09-2006-2.htm 21863 publisher-pub-code-execution(28648) ADV-2006-3565 SSRT061187 HPSBST02134 1016825 1548 oval:org.mitre.oval:def:590 Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. TA06-010A VU#252146 16197 20060110 Microsoft Outlook Critical Vulnerability 20060110 Microsoft Exchange Critical Vulnerability MS06-003 1015461 1015460 18368 win-tnef-overflow(22878) ADV-2006-0119 http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm 331 330 oval:org.mitre.oval:def:624 oval:org.mitre.oval:def:1485 oval:org.mitre.oval:def:1456 oval:org.mitre.oval:def:1316 oval:org.mitre.oval:def:1165 oval:org.mitre.oval:def:1082 Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. TA06-101A VU#234812 MS06-014 ie-wscriptshell-command-execution(29915) mdac-rdsdataspace-execute-code(25006) ADV-2006-2452 ADV-2006-1319 http://www.securityfocus.com/data/vulnerabilities/exploits/0day_ie.pdf 20797 17462 20080128 Re: Exploit in IE6,7 20080128 Exploit in IE6,7 20070731 Re: Exploit In Internet Explorer 20070730 RE: Exploit In Internet Explorer 20070730 Re: Exploit In Internet Explorer 20070729 Exploit In Internet Explorer 24517 2164 2052 http://www.hitachi-support.com/security_e/vuls_e/HS06-013_e/index-e.html http://www.hitachi-support.com/security_e/vuls_e/HS06-013_e/01-e.html 1015894 20719 19583 oval:org.mitre.oval:def:1778 oval:org.mitre.oval:def:1742 oval:org.mitre.oval:def:1511 oval:org.mitre.oval:def:1323 oval:org.mitre.oval:def:1204 Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF). VU#963628 MS06-010 ADV-2006-0579 powerpoint-tiff-information-disclosure(24490) 16634 1015632 18865 oval:org.mitre.oval:def:1555 Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute. TA06-045A VU#692060 win-mediaplayer-plugin-embed-bo(24493) ADV-2006-0575 16644 MS06-006 20060214 Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability 1015628 18852 oval:org.mitre.oval:def:1559 Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. TA06-045A VU#291396 16633 MS06-005 http://www.eeye.com/html/research/advisories/AD20060214.html 1015627 18835 win-media-player-bmp-bo(24488) ADV-2006-0574 20060215 Windows Media Player BMP Heap Overflow (MS06-005) 20060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow 423 oval:org.mitre.oval:def:1661 oval:org.mitre.oval:def:1598 oval:org.mitre.oval:def:1578 oval:org.mitre.oval:def:1256 Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF image that triggers memory corruption when it is parsed. TA06-192A VU#668564 MS06-039 ADV-2006-2757 18915 20060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability 27146 1016470 21013 20060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability oval:org.mitre.oval:def:21 The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. VU#739844 16643 MS06-009 1015631 18859 win-korean-ime-privilege-elevation(24492) ADV-2006-0578 20060215 Security advisory: Windows IME Vulnerability (MS06-009) http://www.ryanstyle.com/alert/my/5/ms06_009_eng.html oval:org.mitre.oval:def:727 oval:org.mitre.oval:def:1688 oval:org.mitre.oval:def:1664 oval:org.mitre.oval:def:1650 oval:org.mitre.oval:def:1595 Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint. TA06-073A VU#682820 17000 20060314 SYMSA-2006-001: Buffer overflow in Microsoft Office 2000, Office XP (2002), and Office 2003 Routing Slip Metadata MS06-012 1015766 19138 powerpoint-presentation-code-execution(29009) office-routing-slip-bo(25009) ADV-2006-3678 ADV-2006-0950 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EBH http://www.symantec.com/security_response/writeup.jsp?docid=2006-091810-5028-99 http://www.symantec.com/enterprise/research/SYMSA-2006-001.txt 20059 20060919 Microsoft PowerPoint 0-day Vulnerability FAQ - September written 20060919 New PowerPoint 0-day Trojan in the wild 20060822 Major updates in PowerPoint FAQ document - not a 0-day issue 20060819 New PowerPoint 0-day and Trojan - FAQ document ready 20060422 PowerPoint Phishing Trojan 23903 http://www.darkreading.com/document.asp?doc_id=101970 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 1016886 1016720 19238 20060919 New PowerPoint 0-day Trojan in the wild http://isc.sans.org/diary.php?storyid=1618 http://blogs.securiteam.com/?p=559 http://blogs.securiteam.com/?p=557 http://blogs.securiteam.com/?author=28 20060822 Major updates in PowerPoint FAQ document - not a 0-day issue oval:org.mitre.oval:def:798 oval:org.mitre.oval:def:1653 oval:org.mitre.oval:def:1553 oval:org.mitre.oval:def:1504 Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. TA06-010A VU#915930 16194 MS06-002 18365 win-embedded-fonts-bo(23922) http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375525 ADV-2006-0118 20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability 18829 EEYEB20050801 http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm 1015459 18391 18311 oval:org.mitre.oval:def:714 oval:org.mitre.oval:def:698 oval:org.mitre.oval:def:1491 oval:org.mitre.oval:def:1462 oval:org.mitre.oval:def:1185 oval:org.mitre.oval:def:1126 Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." TA06-101A VU#641460 MS06-015 19606 win-explorer-com-code-execution(25554) ADV-2006-1320 17464 24516 1015897 oval:org.mitre.oval:def:1764 oval:org.mitre.oval:def:1743 oval:org.mitre.oval:def:1679 oval:org.mitre.oval:def:1448 oval:org.mitre.oval:def:1191 Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. VU#388900 16636 MS06-008 1015630 18857 msrpc-webclient-message-bo(24491) ADV-2006-0577 oval:org.mitre.oval:def:716 oval:org.mitre.oval:def:683 oval:org.mitre.oval:def:1602 oval:org.mitre.oval:def:1547 oval:org.mitre.oval:def:1220 Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. MS06-016 19617 http://www.zerodayinitiative.com/advisories/ZDI-06-007.html ADV-2006-1321 17459 20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing Vulnerability outlook-express-wab-bo(25535) 1015898 691 20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing Vulnerability oval:org.mitre.oval:def:812 oval:org.mitre.oval:def:1791 oval:org.mitre.oval:def:1780 oval:org.mitre.oval:def:1771 oval:org.mitre.oval:def:1769 oval:org.mitre.oval:def:1682 oval:org.mitre.oval:def:1611 Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. 17452 MS06-017 http://www.argeniss.com/research/ARGENISS-ADV-040602.txt 1015896 1015895 19623 ADV-2006-1322 20060412 Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting fpse-html-xss(25537) 704 oval:org.mitre.oval:def:1748 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3899. Reason: This candidate is a duplicate of CVE-2005-3899. Notes: All CVE users should reference CVE-2005-3899 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in the encodeURI and decodeURI functions in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute arbitrary code via a crafted, UTF-8 encoded URI. 20060119 [KDE Security Advisory] kjs encodeuri/decodeuri heap overflow http://www.kde.org/info/security/advisory-20060119-1.txt 18500 ftp://ftp.kde.org/pub/kde/security_patches/post-3.4.3-kdelibs-kjs.diff ADV-2006-0265 USN-245-1 SUSE-SA:2006:003 RHSA-2006:0184 GLSA-200601-11 DSA-948 18570 18561 18559 18552 18540 oval:org.mitre.oval:def:11858 kde-kjs-bo(24242) 16325 FLSA:178606 22659 MDKSA-2006:019 SSA:2006-045-05 1015512 364 18899 18583 An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability." VU#312956 TA06-045A 16516 MS06-004 18729 ADV-2006-0469 22976 http://www.microsoft.com/technet/security/advisory/913333.mspx 18912 [funsec] 20060110 Another WMF flaw without a Microsoft patch oval:org.mitre.oval:def:1638 Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability." TA06-045A VU#839284 16645 MS06-007 18853 win-igmpv3-dos(24489) ADV-2006-0576 20071023 SYMSA-2007-012: Microsoft Windows CE IGMP Denial of Service http://www.securiteam.com/exploits/5PP0T0KI0O.html 1599 1015629 oval:org.mitre.oval:def:678 oval:org.mitre.oval:def:1662 oval:org.mitre.oval:def:1647 oval:org.mitre.oval:def:1425 oval:org.mitre.oval:def:1310 Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption. TA06-164A VU#190089 18382 MS06-028 powerpoint-record-bo(26784) ADV-2006-2325 26435 1016287 20633 oval:org.mitre.oval:def:1984 oval:org.mitre.oval:def:1836 oval:org.mitre.oval:def:1069 Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit. VU#953860 MS06-011 18756 win-auth-users-insecure-permissions(24463) http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=391523&RenditionID= ADV-2006-0417 20060131 Windows Access Control Demystified http://www.microsoft.com/technet/security/advisory/914457.mspx http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 1015765 1015595 19313 19238 oval:org.mitre.oval:def:1696 oval:org.mitre.oval:def:1671 Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file. TA07-352A TA06-132A TA06-129A TA06-075A VU#945060 http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html 19218 macromedia-swf-code-execution(25005) ADV-2007-4238 ADV-2006-1779 ADV-2006-1744 ADV-2006-1262 ADV-2006-0952 17106 RHSA-2006:0268 23908 17951 http://www.opera.com/docs/changelogs/windows/854/ SUSE-SA:2006:015 MS06-020 GLSA-200603-20 1015770 28136 20077 20045 19328 19259 19198 APPLE-SA-2007-12-17 APPLE-SA-2006-05-11 http://docs.info.apple.com/article.html?artnum=307179 oval:org.mitre.oval:def:1922 oval:org.mitre.oval:def:1894 Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size. TA06-164A VU#608020 18385 MS06-024 20060613 Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow 20626 win-media-player-png-bo(26788) ADV-2006-2322 26430 1016284 oval:org.mitre.oval:def:1974 oval:org.mitre.oval:def:1820 oval:org.mitre.oval:def:1807 oval:org.mitre.oval:def:1805 oval:org.mitre.oval:def:1729 oval:org.mitre.oval:def:1230 Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP). VU#395588 TA06-192A iis-asp-bo(26796) 18858 MS06-034 1016466 21006 ADV-2006-2752 27152 20060718 ASP.DLL Include File Buffer Overflow oval:org.mitre.oval:def:435 Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties. TA06-129A VU#303452 MS06-019 exchange-calendar-code-execution(25556) ADV-2006-1743 17908 25338 1016048 20029 oval:org.mitre.oval:def:2035 oval:org.mitre.oval:def:1996 oval:org.mitre.oval:def:1818 Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers. TA06-073A VU#339878 MS06-012 1015766 19138 excel-parsing-format-file-bo(25225) http://www.zerodayinitiative.com/advisories/ZDI-06-004.html ADV-2006-0950 20060314 ZDI-06-004: Microsoft Excel File Format Parsing Vulnerability 23899 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 583 19238 oval:org.mitre.oval:def:1635 oval:org.mitre.oval:def:1509 oval:org.mitre.oval:def:1411 oval:org.mitre.oval:def:1158 Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption. TA06-073A VU#235774 MS06-012 1015766 19138 excel-description-bo(25227) ADV-2006-0950 23900 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 586 585 19238 oval:org.mitre.oval:def:1633 oval:org.mitre.oval:def:1579 oval:org.mitre.oval:def:1570 oval:org.mitre.oval:def:1522 Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption. TA06-073A VU#123222 MS06-012 1015766 19138 excel-graphic-bo(25229) ADV-2006-0950 16181 23901 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 19238 oval:org.mitre.oval:def:1666 oval:org.mitre.oval:def:1630 oval:org.mitre.oval:def:1510 oval:org.mitre.oval:def:1401 Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. TA06-073A VU#104302 17101 MS06-012 1015766 19138 excel-record-bo(25228) ADV-2006-0950 20060315 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability 23902 http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm 589 19238 20060314 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability oval:org.mitre.oval:def:763 oval:org.mitre.oval:def:1750 oval:org.mitre.oval:def:1525 oval:org.mitre.oval:def:1327 Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7. Successful exploitation requires that the Indexing service is accessible through IIS. TA06-255A VU#108884 19927 MS06-053 21861 ms-indexing-service-xss(28651) ADV-2006-3564 20061001 Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053] 20061002 IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053]) SSRT061187 HPSBST02134 http://www.geocities.jp/ptrs_sec/advisory09e.html 1016826 oval:org.mitre.oval:def:535 Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG image that triggers memory corruption when it is parsed. TA06-192A VU#459388 18913 MS06-039 ADV-2006-2757 27147 http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-22.html 1016470 21013 oval:org.mitre.oval:def:163 Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, which triggers a bug in the NdrAllocate function, aka the MSDTC Invalid Memory Access Vulnerability. 17906 20060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap Overflow MS06-018 http://www.eeye.com/html/research/advisories/AD20060509a.html 20000 msdtc-network-message-dos(25559) ADV-2006-1742 20060511 Microsoft MSDTC NdrAllocate Validation Vulnerability 25335 1016047 863 20060510 Microsoft MSDTC NdrAllocate Validation Vulnerability 20060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap Overflow oval:org.mitre.oval:def:1908 oval:org.mitre.oval:def:1477 oval:org.mitre.oval:def:1222 The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0. 2006-0004 18482 kernel-afnetlink-dos(24202) ADV-2006-0220 16414 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ad8e4b75c8a7bed475d72ce09bf5267188621961 388 ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation. ADV-2006-0220 http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e497502ab kernel-pptpincallrequest-dos(24203) 2006-0004 16414 388 18482 ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used. ADV-2006-0220 http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710 kernel-pptpnathelper-dos(24204) 2006-0004 16414 388 18482 Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function. Linux kernel version 2.6.16 has been released to address this issue. 17178 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186295 linux-netfilter-doreplace-overflow(25400) ADV-2006-2554 ADV-2006-1046 USN-302-1 RHSA-2006:0575 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21465 20914 20716 20671 19330 oval:org.mitre.oval:def:10945 Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE. http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2722971cbe831117686039d5c334f2c0f560be13 http://bugs.gentoo.org/show_bug.cgi?id=133465 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698 linux-doaddcounters-race-condition(26583) ADV-2006-2554 ADV-2006-1893 USN-311-1 18113 RHSA-2006:0689 25697 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-249.htm 22945 22292 21476 20991 20914 20671 20185 oval:org.mitre.oval:def:10309 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.17 GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a text e-mail with a large number of URLs, possibly due to unknown problems in gtkhtml. ADV-2006-0801 20060301 Evolution Emailer DoS evolution-email-dos(25050) 16899 19094 Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computational complexity. 16710 DSA-1000 19139 18846 libapreq2-parsing-dos(24917) ADV-2006-0645 GLSA-200604-08 http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup 737 19658 Buffer overflow in the realpath function in nfs-server rpc.mountd, as used in SUSE Linux 9.1 through 10.0, allows local users to execute arbitrary code via unspecified vectors involving mount requests and symlinks. 18638 SUSE-SA:2006:005 nfs-rpcmountd-realpath-bo(24347) ADV-2006-0348 16388 18614 DSA-975 18889 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350020 Unspecified vulnerability in context.py in Albatross web application toolkit before 1.33 allows remote attackers to execute arbitrary commands via unspecified vectors involving template files and the "handling of submitted form fields". DSA-942 18457 ADV-2006-0196 16252 http://www.object-craft.com.au/projects/albatross/news.html http://security.debian.org/pool/updates/main/a/albatross/albatross_1.20-2.diff.gz albatross-context-command-execution(24130) 22451 18496 crawl before 4.0.0 does not securely call programs when saving and loading games, which allows local users to gain privileges. DSA-949 ADV-2006-0303 16337 18545 crawl-insecure-command-execution(24262) 22690 18573 squid_redirect script in adzapper before 2006-01-29 allows remote attackers to cause a denial of service (CPU consumption) via a URL with a large number of trailing / (forward slashes), which might produce inefficient regular expressions. DSA-966 18777 18771 ADV-2006-0491 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350308 http://bugs.debian.org/cgi-bin/bugreport.cgi/squid_redirect.diff?bug=350308;msg=5;att=1 http://adzapper.sourceforge.net/cvslog.html adzapper-squid-redirect-dos(24640) 16558 22900 packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause a denial of service (server crash) via crafted packets with negative compressed size values. 16975 20060306 Out of memory crash in Freeciv 2.0.7 19120 freeciv-packets-dos(25166) ADV-2006-0838 MDKSA-2006:053 GLSA-200603-11 DSA-994 19253 19227 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355211 Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a denial of service (segmentation fault) via certain fragmented packets, possibly involving invalid headers and an attacker-controlled payload length. NOTE: this issue might be a buffer overflow or overread. ADV-2006-1466 17665 http://sourceforge.net/mailarchive/forum.php?thread_id=9989610&forum_id=37151 tcpick-writec-dos(26090) gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455. 17058 20060309 GnuPG does not detect injection of unsigned data 23790 GLSA-200603-08 DSA-993 1015749 19173 [gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned data ADV-2006-0915 USN-264-1 oval:org.mitre.oval:def:10063 gnupg-nondetached-sig-verification(25184) 2006-0014 SSA:2006-072-02 FLSA-2006:185355 RHSA-2006:0266 FEDORA-2006-147 MDKSA-2006:055 568 450 19532 19287 19249 19244 19234 19232 19231 19203 19197 SUSE-SA:2006:014 20060401-01-U snmptrapfmt in Debian 3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary log file. DSA-1013 19318 17182 snmptrapfmt-log-temprary-file(25442) Buffer overflow in playlistimport.cpp in Kaffeine Player 0.4.2 through 0.7.1 allows user-assisted attackers to execute arbitrary code via long HTTP request headers when Kaffeine is "fetching remote playlists", which triggers the overflow in the http_peek function. http://www.kde.org/info/security/advisory-20060404-1.txt 19525 kaffeine-http-peek-bo(25631) ADV-2006-1229 USN-268-1 17372 20060405 [Kaffeine Security Advisory] Heap based buffer overflow in http_peek() SUSE-SR:2006:008 GLSA-200604-04 DSA-1023 1015863 19571 19557 19549 19542 19540 MDKSA-2006:065 The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote attackers to cause a denial of service (mailing list delivery failure) via a multipart MIME message with a single part that has two blank lines between the first boundary and the end boundary. 17311 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358892 oval:org.mitre.oval:def:9475 USN-267-1 RHSA-2006:0486 24367 SUSE-SR:2006:008 MDKSA-2006:061 DSA-1027 1015851 20782 20624 19571 19545 19522 20060602-01-U Imager (libimager-perl) before 0.50 allows user-assisted attackers to cause a denial of service (segmentation fault) by writing a 2- or 4-channel JPEG image (or a 2-channel TGA image) to a scalar, which triggers a NULL pointer dereference. 17415 DSA-1028 19577 19575 imager-jpeg-tga-dos(25717) ADV-2006-1294 http://rt.cpan.org/Public/Bug/Display.html?id=18397 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359661 The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer. 16209 18378 FreeBSD-SA-06:04 ipfw-icmp-fragment-dos(24073) 22319 1015477 The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell. 16207 18404 FreeBSD-SA-06:02 ee-ispell-op-symlink(24074) 22320 1015469 Double free vulnerability in the authentication and authentication token alteration code in PAM-MySQL 0.6.x before 0.6.2 and 0.7.x before 0.7pre3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted passwords, which lead to a double free of a pointer that was created by the pam_get_item function. NOTE: this issue only occurs in certain configurations in which there are multiple PAM modules, PAM-MySQL is not evaluated first, and there are no requisite modules before PAM-MySQL. VU#693909 16564 1015603 18598 ADV-2006-0490 22995 22994 GLSA-200606-18 http://sourceforge.net/forum/forum.php?forum_id=499394 20690 http://jvn.jp/cert/JVNVU%23693909/index.html Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to bypass the Kill bit settings for dangerous ActiveX controls via unknown vectors involving crafted HTML, which can expose the browser to attacks that would otherwise be prevented by the Kill bit setting. NOTE: CERT/CC claims that MS05-054 fixes this issue, but it is not described in MS05-054. VU#998297 http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx ie-activex-killbit-bypass(24379) 16409 23657 Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations. TA06-081A VU#834865 RHSA-2006:0265 RHSA-2006:0264 ADV-2006-2490 ADV-2006-2189 ADV-2006-1529 ADV-2006-1157 ADV-2006-1139 ADV-2006-1072 ADV-2006-1068 ADV-2006-1051 ADV-2006-1049 http://www.sendmail.com/company/advisory/index.shtml 20060322 sendmail vuln advisories (CVE-2006-0058) OpenPKG-SA-2006.007 20060322 Sendmail Remote Signal Handling Vulnerability GLSA-200603-21 DSA-1015 200494 19367 19363 19342 oval:org.mitre.oval:def:11074 HPSBTU02116 HPSBUX02108 smtp-timeout-bo(24584) http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751 http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688 17192 FLSA:186277 FEDORA-2006-193 FEDORA-2006-194 24037 [3.8] 006: SECURITY FIX: March 25, 2006 SUSE-SA:2006:017 MDKSA-2006:058 http://www.f-secure.com/security/fsc-2006-2.shtml Q-151 IY82994 IY82993 IY82992 http://support.avaya.com/elmodocs2/security/ASA-2006-078.htm http://support.avaya.com/elmodocs2/security/ASA-2006-074.htm 102324 102262 SSA:2006-081-01 1015801 743 612 20723 20243 19774 19676 19533 19532 19466 19450 19407 19404 19394 19368 19361 19360 19356 19349 19346 19345 HPSBTU02116 HPSBUX02108 20060401-01-U 20060302-01-P SCOSA-2006.24 NetBSD-SA2006-010 FreeBSD-SA-06:13 oval:org.mitre.oval:def:1689 Heap-based buffer overflow in the ISO Transport Service over TCP (RFC 1006) implementation of LiveData ICCP Server before 5.00.035 allows remote attackers to cause a denial of service or execute arbitrary code via malformed packets. This vulnerability is addressed in the following product release: LiveData, ICCP Server, 5.00.035 VU#190617 ADV-2006-1830 http://www.kb.cert.org/vuls/id/JGEI-6MMS9T livedata-iccp-rfc1006-bo(26490) 18010 http://www.digitalbond.com/SCADA_Blog/2006/05/us-cert-livedata-iccp-vulnerability.html 1016113 20146 Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357. ADV-2006-0051 313 http://securityreason.com/securityalert/313 20060105 phpBB 2.0.19 XSS 22672 PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter. ADV-2006-0016 1398 SQL injection vulnerability in (1) functions.php, (2) functions_update.php, and (3) functions_display.php in VEGO Web Forum 1.26 and earlier allows remote attackers to execute arbitrary SQL commands via the theme_id parameter in index.php. ADV-2006-0003 20060101 [eVuln] VEGO Web Forum SQL Injection Vulnerability 18273 http://evuln.com/vulns/1/summary.html 16107 22140 315 SQL injection vulnerability in index.php in PHPjournaler 1.0 allows remote attackers to execute arbitrary SQL commands via the readold parameter. ADV-2006-0006 16111 20060101 [eVuln] PHPjournaler SQL Injection Vulnerability 22149 18265 http://evuln.com/vulns/9/summary.html SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. ADV-2006-0004 18272 http://evuln.com/vulns/2/summary.html 16108 22139 SQL injection vulnerability in Primo Cart 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) q parameter to search.php and (2) email parameter to user.php. ADV-2006-0008 18264 16125 22147 22146 http://pridels0.blogspot.com/2006/01/primo-cart-sql-inj.html Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk Guestbook 1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the homepage parameter. 19087 16112 20060101 [eVuln] Chipmunk Guestbook XSS Vulnerability 18270 http://evuln.com/vulns/4/summary.html ** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE. 20060103 Re: Drupal all versiyon xss cehennem.org 20060102 Drupal all versiyon xss cehennem.org The ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0. 16120 GLSA-200601-01 22211 18284 Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument. NOTE: this is probably a different vulnerability than CVE-2005-0351 since it involves a distinct attack vector. 16122 20060102 SCO Openserver 5.0.x exploit http://downloads.securityfocus.com/vulnerabilities/exploits/Openserver_bof.c Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16119 22153 18283 SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter. NOTE: it was later reported that 1.1 and earlier are affected. ADV-2006-0005 16109 20060101 [eVuln] PHPenpals SQL Injection Vulnerabilit 22150 8706 18269 http://evuln.com/vulns/5/summary.html Direct static code injection vulnerability in phpBook 1.3.2 and earlier allows remote attackers to execute arbitrary PHP code via the e-mail field (mail variable) in a new message, which is written to a PHP file. 16106 20060101 [eVuln] phpBook PHP Code Execution http://evuln.com/vulns/6/summary.html ADV-2006-0002 18268 PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. 16105 20060531 Re: OaBoard 1.0 Remote File inclusion 20060530 OaBoard 1.0 Remote File inclusion 20060101 [eVuln] oaBoard PHP Code Execution 1016211 http://evuln.com/vulns/3/summary.html Off-by-one error in the getfattr function in File::ExtAttr before 0.03 allows attackers to trigger a buffer overflow via unspecified attack vectors. 16118 http://sourceforge.net/project/shownotes.php?release_id=382199&group_id=153116 18253 ADV-2006-0013 22160 Multiple cross-site scripting (XSS) vulnerabilities in B-net Software 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) shout variables to (a) shout.php, or the (3) title and (4) message variables to (b) guestbook.php. ADV-2006-0018 16114 20060102 [eVuln] B-net Software Multiple XSS Vulnerabilities 18271 http://evuln.com/vulns/10/summary.html 20060825 Re: [eVuln] B-net Software Multiple XSS Vulnerabilities 22191 22190 http://sourceforge.net/project/shownotes.php?release_id=442067&group_id=117067 316 SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 allows remote attackers to execute arbitrary SQL commands via the username field (adminname variable). ADV-2006-0027 16115 20060102 [eVuln] ScozBook "adminname" Authentication Bypass http://evuln.com/vulns/11/summary.html 22221 318 8476 Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php. ADV-2006-0033 16116 20060108 Html_Injection in vBulletin 3.5.2 20060101 [KAPDA::#19] - Html Injection in vBulletin 3.5.2 22220 22210 18299 http://kapda.ir/advisory-177.html ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title. ADV-2006-0017 16127 22196 18286 20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] 20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] 20060102 Buffer Overflow vulnerability in Windows Display Manager [Suspected] Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. 12717 GLSA-200602-13.xml GLSA-200602-06 SSA:2006-045-03 19183 19030 18851 18607 20060301-01-U https://issues.rpath.com/browse/RPL-389 ADV-2008-0412 USN-246-1 20061127 rPSA-2006-0218-1 ImageMagick SUSE-SR:2006:006 MDKSA-2006:024 DSA-1213 231321 1015623 500 28800 23090 22998 19408 18871 18261 RHSA-2006:0178 oval:org.mitre.oval:def:10717 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876 Format string vulnerability in the logging code of SMS Server Tools (smstools) 1.14.8 and earlier allows local users to execute arbitrary code via unspecified attack vectors. 18357 smstools-logging-format-string(24034) 16188 22287 DSA-930 18343 Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the $_SERVER[HTTP_USER_AGENT] variable (User-Agent header). ADV-2006-0030 16138 22198 18292 http://evuln.com/vulns/13/summary.html 1015432 20060116 vendor ack/fix: 22198: raSMP index.php User-Agent Field XSS (fwd) SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attackers to execute arbitrary SQL commands via the (1) usuario_nkads_admin or (2) password_nkads_admin parameters. ADV-2006-0040 http://www.soulblack.com.ar/repo/papers/advisory/nkads_advisory.txt 18302 22206 Cross-site scripting vulnerability in index.php in Next Generation Image Gallery 0.0.1 Lite Edition allows remote attackers to inject arbitrary web script or HTML via the page parameter. ADV-2006-0037 18309 22202 http://osvdb.org/ref/22/22202-nextgen.txt SQL injection vulnerability in (1) pages.php and (2) detail.php in Lizard Cart CMS 1.04 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2006-0029 16140 20060104 [eVuln] Lizard Cart CMS SQL Injection Vulnerability 18297 22200 22199 http://www.evuln.com/vulns/12/summary.html 1015435 314 SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter. ADV-2006-0026 16110 20060101 [eVuln] inTouch Authentication Bypass http://evuln.com/vulns/8/summary.html intouch-intouch-sql-injection(23954) 22382 Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute. ADV-2006-0032 16136 http://users.pandora.be/bratax/advisories/b007.html 18294 22208 Directory traversal vulnerability in index.php in IDV Directory Viewer before 2005.1 allows remote attackers to view arbitrary directory contents via a .. (dot dot) in the dir parameter. http://sourceforge.net/project/shownotes.php?release_id=382593&group_id=152499 ADV-2006-0031 18298 16137 Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0.8.1-6 and earlier, with "Inline HTML" enabled, allows remote attackers to inject arbitrary web script or HTML via e-mail attachments, which are rendered inline. ADV-2006-0034 18285 20060103 Open Xchange XSS 1015431 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0992, CVE-2006-0158. Reason: this candidate was intended for one issue, but a typo caused it to be associated with a Novell/Groupwise issue. In addition, this issue was a duplicate of a SiteSuite issue that was also assigned CVE-2006-0158. Notes: All CVE users should consult CVE-2006-0992 and CVE-2006-0158 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP allows remote attackers to inject arbitrary web script or HTML via the cat parameter. ADV-2006-0039 22203 18306 http://osvdb.org/ref/22/22203-ecardmax.txt PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0028 17373 dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key. [linux-kernel] 20060104 [Patch 2.6] dm-crypt: zero key before freeing it ADV-2006-0235 oval:org.mitre.oval:def:11192 [linux-kernel] 20060104 [Patch 2.6] dm-crypt: Zero key material before free to avoid information leak kernel-dmcrypt-information-disclosure(24189) USN-244-1 2006-0004 16301 FLSA:157459-4 RHSA-2006:0132 FEDORA-2006-102 22418 SUSE-SA:2006:028 MDKSA-2006:040 DSA-1017 1015740 388 20398 19374 19160 18774 18527 18487 wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels. MDKSA-2006:044 USN-244-1 16304 http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=0f1d4813a4a65296e1131f320a60741732bc068f DSA-1017 19374 18977 18527 http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.91.23?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wan|related/drivers/net/wan/sdla.c Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function. ADV-2006-0046 16145 20060105 Windows PHP 4.x http://www.php.net/ChangeLog-4.php#4.4.3 22232 18275 20060105 Windows PHP 4.x 20060108 RE: Windows PHP 4.x The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/. 16144 [3.7] 20060105 008: SECURITY FIX: January 5, 2006 18296 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/008_fd.patch 22231 1015437 PHP remote file include vulnerability in (1) include/templates/categories/default.php and (2) certain other include/templates/categories/ PHP scripts in Valdersoft Shopping Cart 3.0 allows remote attackers to execute arbitrary code via a URL in the catalogDocumentRoot parameter. 16126 http://downloads.securityfocus.com/vulnerabilities/exploits/cijfer-vscxpl.pl 1401 Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Name of site" field of an FTP account. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to create or modify FTP accounts in this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 20060102 NicoFTP Stack Overflow 317 Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Beta 20051202 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p and (2) keyword parameters in (a) index.php and (b) search.php. sblog-multiple-scripts-xss(23979) ADV-2006-0041 22374 22373 http://osvdb.org/ref/22/22373-sblog.txt Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and earlier allows remote attackers to inject arbitrary web script via a javascript: scheme in an "[a]" bbcode tag, possibly the txt parameter to action.php. ADV-2006-0054 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 22256 1015436 18293 http://evuln.com/vulns/14/summary.html 320 TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information. tinyphpforum-users-information-disclosure(24016) ADV-2006-0054 20060417 Tiny PHP forum - vulns 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 22257 1015436 320 18293 http://evuln.com/vulns/14/summary.html Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allows remote attackers to create a new user account, create a new topic, or view the profile of a user account, as demonstrated via a .. (dot dot) in the uname parameter to profile.php. ADV-2006-0054 20060105 [eVuln] TinyPHPForum Multiple Vulnerabilities 18293 http://evuln.com/vulns/14/summary.html http://evuln.com/vulns/14/exploit.html 16163 22258 1015436 320 PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of service (postmaster exit and no new connections) via a large number of simultaneous connection requests. [pgsql-announce] 20060109 CRITICAL RELEASE: Minor Releases to Fix DoS Vulnerability ADV-2006-0114 postgresql-connection-request-dos(24049) 16201 20060111 PostgreSQL security releases 8.0.6 and 8.1.2 http://www.postgresql.org/about/news.456 1015482 327 18419 gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase. 18323 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346197 ADV-2006-0098 [Dailydave] 20060105 WMF goes away :< win-wmf-execute-code(23846) 20060117 ERRATA: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability SUSE-SR:2006:002 MDKSA-2006:014 GLSA-200601-09 DSA-954 18578 18549 18451 SQL injection vulnerability in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the viewID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0108. 16159 22252 18324 timecancms-sql-injection(24014) SQL injection vulnerability in mcl_login.asp in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0107. ADV-2006-0078 22253 22252 timecancms-sql-injection(24014) Cross-site scripting vulnerability in category.php in Modular Merchant Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 18320 ADV-2006-0076 16160 22243 http://www.modularmerchant.com/forums/viewtopic.php?t=46 http://osvdb.org/ref/22/22243-modular.txt 20060214 vendor ack/fix 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS (fwd) Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to inject arbitrary web script via the email parameter. ADV-2006-0073 16154 20060106 [eVuln] Proyecto Domus 'email' XSS Vulnerability 22263 18327 http://evuln.com/vulns/16/summary.html domus-escribir-xss(24020) Cross-site scripting vulnerability in index.php in Boxcar Media Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) parent or (2) pg parameter. boxcar-index-xss(24019) ADV-2006-0080 22360 http://osvdb.org/ref/22/22360-boxcar.txt Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simple PHP Gallery 1.7 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. ADV-2006-0036 22201 18310 http://osvdb.org/ref/22/22201-espg.txt Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the full path of the application via a direct request to sp_helper_functions.php, which leaks the pathname in an error message. 18310 http://osvdb.org/ref/22/22201-espg.txt 22417 The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows remote attackers to obtain valid e-mail addresses to conduct spam attacks by modifying the contact_id parameter to index2.php. joomla-vcard-information-disclosure(24042) ADV-2006-0097 16185 18361 http://forum.joomla.org/index.php/topic,29031.0.html http://forge.joomla.org/sf/go/artf2950 Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp. ADV-2006-0079 16155 22250 22249 22248 18325 http://osvdb.org/ref/22/22248-oneplug.txt Cross-site scripting vulnerability search.inetstore in iNETstore Ebusiness Software 2.0 allows remote attackers to inject arbitrary web script or HTML via the searchterm parameter. ADV-2006-0075 16156 20060126 Re: [OSVDB Mods] iNETstore E Commerce Solution - Cross Site Scripting 22251 20060127 vendor confirms versions: iNETstore E Commerce Solution - Cross Site Scripting (fwd) 18322 http://osvdb.org/ref/22/22251-inetstore.txt Buffer overflow in IBM Lotus Notes and Domino Server before 6.5.5 allows attackers to cause a denial of service (router crash or hang) via unspecified vectors involving "CD to MIME Conversion". 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/21d8fd7989fdf78d852570e4001bae68?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/50c634bfe193efa5852570e4001baace?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-cdtomime-dos(24205) Unspecified vulnerability in IBM Lotus Notes and Domino Server before 6.5.5, when running on AIX, allows attackers to cause a denial of service (deep recursion leading to stack overflow and crash) via long formulas. 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/21d8fd7989fdf78d852570e4001bae68?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/50c634bfe193efa5852570e4001baace?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-long-formula-bo(24206) Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 have unknown impact and attack vectors, due to "potential security issues" as identified by SPR numbers (1) GPKS6C9J67 in Agents, (2) JGAN6B6TZ3 and (3) KSPR699NBP in the Router, (4) GPKS5YQGPT in Security, or (5) HSAO6BNL6Y in the Web Server. NOTE: vector 3 is related to an issue in NROUTER in IBM Lotus Notes and Domino Server before 6.5.4 FP1, 6.5.5, and 7.0, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted vCal meeting request sent via SMTP (aka SPR# KSPR699NBP). 16158 18328 domino-smtp-nrouter-dos(27413) lotus-web-unspecified-xss(24211) lotus-multiple-unspecified(24207) ADV-2006-2564 ADV-2006-0081 18020 20060626 SYMSA-2006-006: Lotus Domino SMTP Based Denial of Service http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/f97fe7cfd9a8113b8525709200001db4?OpenDocument&Highlight=0,GPKS6C9J67 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/e4deb1cbb011c747852570e4001ba9bb?OpenDocument&Highlight=0,GPKS5YQGPT http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/de2ab57a5b9547848525701b00420c2c?OpenDocument&Highlight=0,KSPR699NBP http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/d1150fc9c5dec8b18525709200001da6?OpenDocument&Highlight=0,GPKS6C9J67 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/9a1650d1a771f3078525702a00420def?OpenDocument&Highlight=0,HSAO6BNL6Y http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/94a77eb898843aca8525709200001de1?OpenDocument&Highlight=0,JGAN6B6TZ3 http://www-1.ibm.com/support/docview.wss?uid=swg27007054 1016390 20855 Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (application crash) via multiple vectors, involving (1) a malformed message sent to an "Out Of Office" agent (SPR LPEE6DMQWJ), (2) the compact command (RTIN5U2SAJ), (3) malformed bitmap images (MYAA6FH5HW), (4) the "Delete Attachment" action (YPHG6844LD), (5) parsing certificates from a remote Certificate Table (AELE6DZFJW), and (6) creating a SSL key ring with the Domino Administration client (NSUA4FQPTN). 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/ced5f873baea4e8b852570e4001baa6d?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/ad0dd14aa109f96b852570e4001bb08c?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/5f166a44ee743b2c852570e4001baf31?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/4118a1f266afb26c852570e4001baf5e?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/2bb4f466a9e986ae852570e4001babbb?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/e7dbb5aee9a94c56852570c90056a95d/040482aeb1416bb7852570e4001badd6?OpenDocument http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/258394eaa824f2c08525708a004209d3?OpenDocument http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-ssl-keyring-dos(24217) lotus-certificate-parsing-dos(24216) lotus-delete-attachment-dos(24215) lotus-bmp-dos(24214) lotus-compact-dos(24213) lotus-outofoffice-dos(24212) Multiple memory leaks in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (memory consumption and crash) via unknown vectors related to (1) unspecified vectors during the SSL handshake (SPR# MKIN67MQVW), (2) the stash file during the SSL handshake (SPR# MKIN693QUT), and possibly other vectors. NOTE: due to insufficient information in the original vendor advisory, it is not clear whether there is an attacker role in other memory leaks that are specified in the advisory. 16158 18328 ADV-2006-0081 http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/2221243535d88a2b8525701b00420cd6?OpenDocument&Highlight=0,MKIN693QUT http://www-10.lotus.com/ldd/r5fixlist.nsf/5c087391999d06e7852569280062619d/20f66e356a76c90f8525702a00420e08?OpenDocument&Highlight=0,MKIN67MQVW http://www-1.ibm.com/support/docview.wss?uid=swg27007054 lotus-ssl-handshake-dos(24223) Cross-site scripting (XSS) vulnerability in Public/Index.asp in Aquifer CMS allows remote attackers to inject arbitrary web script or HTML via the Keyword parameter. Vendor provided solution: "Liquid Development has identified this vulnerability in all shipping versions of AquiferCMS and coded a software fix. The fix will be included in all releases of AquiferCMS built on or after January 24, 2006. Customers should contact Liquid Development to obtain the fix for this vulnerability. For more information visit www.aquifercms.com." 22247 ADV-2006-0074 16162 18326 http://osvdb.org/ref/22/22247-aquifer.txt 20060124 vendor ack/fix: Aquifer CMS Index.asp Keyword Variable XSS (fwd) Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors. ADV-2006-0077 16157 20060105 [eVuln] ADNForum Multiple Vulnerabilities 22241 22240 1015445 18300 http://evuln.com/vulns/15/summary.html Cross-site scripting (XSS) vulnerability in crear.php in ADN Forum 1.0b allows remote attackers to inject arbitrary web script or HTML via the titulo parameter, which is used by the "Topic name" field. ADV-2006-0077 16157 20060105 [eVuln] ADNForum Multiple Vulnerabilities 18300 http://evuln.com/vulns/15/summary.html 22242 1015445 Unspecified vulnerability in appserv/main.php in AppServ 2.4.5 allows remote attackers to include arbitrary files via the appserv_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. There is not enough detail from these third party sources to know whether this is directory traversal, remote file include, or another issue. ADV-2006-0053 22228 18163 16166 rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices. 22223 18301 ADV-2006-0052 http://dist.schmorp.de/rxvt-unicode/Changes Directory traversal vulnerability in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote authenticated users to rename the folders of other users via a .. (dot dot) in the RENAME command. http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt 22229 18318 20060104 Rockliffe Directory Transversal Vulnerability ADV-2006-0055 20060105 Re: Rockliffe Directory Transversal Vulnerability Buffer overflow in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote attackers to have an unknown impact via unknown attack vectors. http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt 20060104 Rockliffe Directory Transversal Vulnerability rockliffe-imap-unspecified-bo(39991) Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106. 18318 http://zur.homelinux.com/Advisories/RockliffeMailsiteUserEnum.txt ADV-2006-0055 22230 20060104 Rockliffe Mailsite User Enumeration Flaw Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier allows remote attackers to attempt authentication with an unlimited number of user account names and passwords without denying connections, limiting the rate of connections, or locking out an account. http://zur.homelinux.com/Advisories/RockliffeMailsiteUserEnum.txt 20060104 Rockliffe Mailsite User Enumeration Flaw boastMachine 3.1 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php and (2) side_menu.php, which reveals the path in an error message. 20060105 [ECHO_ADV_25$2006] Full path disclosure on boastMachine v3.1 http://echo.or.id/adv/adv26-K-159-2006.txt Directory traversal vulnerability in webftp.php in SysCP WebFTP 1.2.6 and possibly earlier allows remote attackers to include and execute arbitrary local PHP scripts, and possibly read other types of files, via a .. (dot dot) and a trailing null in the webftp_language parameter. 18355 ADV-2006-0090 16175 20060104 SysCP WebFTP local file inclusion vulnerability webftp-language-file-include(24018) Multiple directory traversal vulnerabilities in AIX 5.3 ML03 allow local users to determine the existence of files and read partial contents of certain files via a .. (dot dot) in the argument to (1) getCommand.new (aka getCommand) and (2) getShell, a different vulnerability than CVE-2005-4273. 16103 16102 20060101 [xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities 1015429 Cross-site scripting (XSS) vulnerability in register.php in TheWebForum (twf) 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the www parameter. ADV-2006-0093 16161 20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass 1015450 18392 http://evuln.com/vulns/17/summary.html http://evuln.com/vulns/17/exploit.html thewebforum-register-xss(24007) 22295 SQL injection vulnerability in login.php in TheWebForum (twf) 1.2.1 allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the username parameter (aka the u variable). ADV-2006-0093 16161 20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass 1015450 18392 http://evuln.com/vulns/17/summary.html http://evuln.com/vulns/17/exploit.html thewebforum-login-sql-injection(24027) 22294 321 Multiple cross-site scripting (XSS) vulnerabilities in the guestbook module in modules.php in Phanatic Softwares Chimera Web Portal System 0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) comment_poster, (2) comment_poster_email, (3) comment_poster_homepage, and (4) comment_text parameters. ADV-2006-0025 16113 20060101 [eVuln] Chimera Web Portal System Multiple Vulnerabilities http://evuln.com/vulns/7/summary.html http://evuln.com/vulns/7/exploit.html SQL injection vulnerability in linkcategory.php in Phanatic Softwares Chimera Web Portal System 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2006-0025 16113 20060101 [eVuln] Chimera Web Portal System Multiple Vulnerabilities http://evuln.com/vulns/7/summary.html http://evuln.com/vulns/7/exploit.html chimera-linkcategory-sql-injection(23963) 22420 aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891). http://www.securiteam.com/exploits/5JP090KHFQ.html 22186 The send-private-message functionality (send-private-message.asp) in PD9 Software MegaBBS 2.1 allows remote attackers to read private messages of other users via a modified replyid parameter. 16168 http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924 http://www.hamid.ir/security/megabbs.txt 18342 ADV-2006-0095 megabbs-sendprivatemessage-disclosure(24050) 1015452 Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 Stable(2.6.0) and V17beta2 allows remote attackers to inject arbitrary web script or HTML via the (1) b, (2) textlarge, and (3) url bbcode tags. navboard-post-xss(24021) ADV-2006-0092 16165 20060107 [eVuln] NavBoard BBcode XSS Vulnerability 22277 18345 http://evuln.com/vulns/19/summary.html Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote attackers to cause a denial of service (crash) via (1) malformed NTLM authentication requests, or a malformed (2) Incoming Mail X or (3) Temporary Mail file. http://www.eudora.co.nz/updates.html 18356 ADV-2006-0099 16179 eims-corrupted-mail-dos(24033) eims-ntlm-auth-dos(24032) Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda 1.9.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0096 16183 18359 andromeda-script-xss(24031) Microsoft Windows Graphics Rendering Engine (GRE) allows remote attackers to corrupt memory and cause a denial of service (crash) via a WMF file containing (1) ExtCreateRegion or (2) ExtEscape function calls with arguments with inconsistent lengths. 1015453 win-gre-wmf-dos(24044) ADV-2006-0115 16167 20060109 [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities 20060107 Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function. 18390 gopear-proxy-redirection(24076) ADV-2006-0148 16174 20060109 New PEAR / Apache2Triad Exploit http://apache2triad.net/forums/viewtopic.php?p=14670 The kernfs_xread function in kernfs in NetBSD 1.6 through 2.1, and OpenBSD 3.8, does not properly validate file offsets against negative 32-bit values that occur as a result of truncation, which allows local users to read arbitrary kernel memory and gain privileges via the lseek system call. 16173 http://www.securitylab.net/research/2006/02/advisory_netbsd_openbsd_kernfs.html 20060202 [SLAB] NetBSD / OpenBSD kernfs_xread patch evasion 22293 18712 18388 NetBSD-SA2006-001 netbsd-kernfs-memory-disclosure(24035) 405 The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. http://www.xaraya.com/index.php/news/569 16187 20060202 Bug for libs in php link directory 2.0 22290 GLSA-200604-07 DSA-1031 DSA-1030 DSA-1029 http://secunia.com/secunia_research/2005-64/advisory/ 19699 19591 19590 19563 19555 18720 18276 18260 18233 17418 adodb-server-command-execution(24051) ADV-2006-1419 ADV-2006-1305 ADV-2006-1304 ADV-2006-0447 ADV-2006-0370 ADV-2006-0105 ADV-2006-0104 ADV-2006-0103 ADV-2006-0102 ADV-2006-0101 20070418 MediaBeez Sql query Execution .. Wear isn't ?? :) 20060409 PhpOpenChat 3.0.x ADODB Server.php http://www.maxdev.com/Article550.phtml 713 24954 19691 19600 18267 18254 http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo. 22291 GLSA-200604-07 DSA-1030 DSA-1029 http://secunia.com/secunia_research/2005-64/advisory/ 19628 19591 19590 19555 18276 18260 18254 18233 17418 ADV-2006-1332 ADV-2006-1305 ADV-2006-0104 ADV-2006-0103 ADV-2006-0102 ADV-2006-0101 20060412 Simplog <=0.9.2 multiple vulnerabilities 20060409 PhpOpenChat 3.0.x ADODB Server.php "sql" SQL injection DSA-1031 19600 18267 http://retrogod.altervista.org/simplog_092_incl_xpl.html http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html 1663 adodb-tmssql-command-execution(24052) 19691 NetSarang Xlpd 2.1 allows remote attackers to cause a denial of service (crash) via a large number of connections from the same IP address. 16164 http://www.ipomonis.com/advisories/xlpd.txt 1015444 xlpd-connection-dos(24041) Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field. 1015451 20060106 SimpBook "message" Remote Cross-Site Scripting Vulnerability Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username. MDKSA-2006:017 16177 RHSA-2006:0179 DSA-952 18568 18412 18405 18382 apache-authldap-format-string(24030) ADV-2006-0117 20060109 Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap module Multiple Format Strings Vulnerability http://www.rudedog.org/auth_ldap/Changes.html http://www.digitalarmaments.com/2006090173928420.html 1015456 sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158. 18363 USN-235-2 16184 18358 2006-0010 SUSE-SR:2006:002 MDKSA-2006:159 DSA-946 SSA:2006-045-08 21692 19016 18906 18558 18549 Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the needle parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0094 16180 18360 phpchamber-searchresult-xss(24029) 22282 427BB 2.2 and 2.2.1 verifies authentication credentials based on the username, authenticated, and usertype cookies, which allows remote attackers to bypass authentication by using a valid username and usertype and setting the authenticated cookie. ADV-2006-0091 16178 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) 18354 http://evuln.com/vulns/18/summary.html 427bb-scripts-security-bypass(24038) 22274 SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via the ForumID parameter. ADV-2006-0091 16169 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) 18354 http://evuln.com/vulns/18/summary.html 427bb-showthread-sql-injection(24039) 22275 Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary Javascript via a new message with a url bbcode tag containing a javascript URI. ADV-2006-0091 20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) 18354 http://evuln.com/vulns/18/summary.html 427bb-posts-xss(24040) 22276 Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows remote attackers to inject arbitrary Javascript via the javascript URI in bbcode url tags in (1) addpost1.php and (2) addtopic1.php. ADV-2006-0121 16172 20060109 [eVuln] Foxrum BBCode XSS Vulnerabilty 18386 http://evuln.com/vulns/20 foxrum-bbcode-xss(24043) 325 settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows remote attackers to change the administrator password via a change action that specifies identical values for the passwd and admin_password parameters, then declares the new password string in the new_passwd and confirm_passwd parameters. 16182 http://downloads.securityfocus.com/vulnerabilities/exploits/MagicNewsPlus-pw-change.pl 18601 SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS allows remote attackers to execute arbitrary SQL commands via the page parameter. ADV-2006-0038 22205 18305 http://osvdb.org/ref/22/22205-sitesuite.txt SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information. ADV-2006-0073 22264 18327 domus-escribir-sql-injection(24017) SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3. venomboard-addpost-sql-injection(24046) ADV-2006-0122 16176 22297 326 18383 20060109 [eVuln] Venom Board SQL Injection Vulnerability http://evuln.com/vulns/21/summary.html Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780. 101933 ADV-2006-0113 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015455 19087 18371 oval:org.mitre.oval:def:1534 Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamAV) before 0.88 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted UPX files. VU#385908 16191 18379 ADV-2006-0116 http://www.clamav.net/doc/0.88/ChangeLog clamav-libclamav-upx-bo(24047) http://www.zerodayinitiative.com/advisories/ZDI-06-001.html 2006-0002 22318 MDKSA-2006:016 GLSA-200601-07 DSA-947 1015457 342 18548 18478 18463 18453 20060112 ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution Vulnerability SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792. phpnukeev-search-sql-injection(44978) ADV-2006-0120 16186 22316 18394 http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html phgstats.inc.php in phgstats before 0.5.1, if register_globals is enabled, allows remote attackers to include arbitrary files and execute arbitrary PHP code by modifying the PHGDIR variable. http://sourceforge.net/project/shownotes.php?release_id=384232 18346 ADV-2006-0123 phgstats-php-file-include(24062) 17469 22302 Cross-site scripting (XSS) vulnerability in the DataForm Entries functionality in Plain Black WebGUI before 6.8.4 (gamma) allows remote attackers to inject arbitrary Javascript via the (1) url and (2) name field of the default email form. http://sourceforge.net/project/shownotes.php?release_id=384153&group_id=51417 18372 ADV-2006-0126 http://sourceforge.net/tracker/index.php?func=detail&aid=1395371&group_id=51417&atid=463213 webgui-forms-xss(24053) Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products. 1015462 http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html 18402 systemworks-nprotect-hidden(24061) ADV-2006-0143 SQL injection vulnerability in MyPhPim 01.05 allows remote attackers to execute arbitrary SQL commands via the (1) cal_id parameter in calendar.php3 and the (2) password field on the login page. myphpim-login-sql-injection(24075) myphpim-calendar-sql-injection(24066) ADV-2006-0147 16210 20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities 22325 22324 18399 http://evuln.com/vulns/22/summary.html Cross-site scripting (XSS) vulnerability in MyPhPim 01.05 allows remote attackers to inject arbitrary web script or HTML via the description field on the "Create New todo" page. myphpim-todo-xss(24071) ADV-2006-0147 16210 20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities 22326 18399 http://evuln.com/vulns/22/summary.html addresses.php3 in MyPhPim 01.05 does not restrict uploaded files, which allows remote attackers to execute arbitrary PHP code via the pdbfile variable, then directly accessing those files from the uploads directory. myphpim-addresses-file-upload(24070) ADV-2006-0147 16208 20060111 [eVuln] MyPhPim Arbitrary File Upload 18399 http://evuln.com/vulns/23/summary.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0035. Reason: This candidate is a duplicate of CVE-2006-0035. Notes: All CVE users should reference CVE-2006-0035 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PHP remote file include vulnerability in index.php in OrjinWeb E-commerce allows remote attackers to execute arbitrary code via a URL in the page parameter. NOTE: it is not clear, but OrjinWeb might be an application service, in which case it should not be included in CVE. 16199 20060106 Orjinweb E-commerce orjinweb-url-file-include(24097) 22387 Cross-site scripting (XSS) vulnerability in the file manager utility in Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML in an uploaded page, which is published without a check for hostile scripting. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-xss(24067) Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to misrepresent the type and name of a file via modified doc_ext and id parameters, which might trick a user into downloading dangerous or unexpected content. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-file-download(24068) Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to obtain sensitive information (intranet IP addresses and enumerations of valid parameter values) via a direct request to hc, which reveals the information in an error message or a cookie. ADV-2006-0145 16195 20060110 Multiple Vulnerabilities in Hummingbird Collaboration http://www.securenetwork.it/advisories/sn-2006-01.html 18411 hummingbird-enterprise-information-disclosure(24069) 328 Cross-site scripting (XSS) vulnerability in search_form.asp in Web Wiz Forums 6.34 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 16196 20060111 Advisory:XSS vulnerability on WebWiz Forums <= 6.34(search_form.asp) 20060109 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp) webwizforums-searchform-xss(24048) 22398 Buffer overflow in certain functions in src/fileio.c and src/unix/fileio.c in xmame before 11 January 2006 may allow local users to gain privileges via a long (1) -lang, (2) -ctrlr, (3) -pb, or (4) -rec argument on many operating systems, and via a long (5) -jdev argument on Ubuntu Linux. 16203 20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation 20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation. xmame-multiple-parameters-bo(24102) http://x.mame.net/changes-unix.html Multiple buffer overflows in Cray UNICOS 9.0.2.2 might allow local users to gain privileges by (1) invoking /usr/bin/script with a long command line argument or (2) setting the -c option of /etc/nu to the name of a file containing a long line. 16205 20060110 SUID root overflows in UNICOS and partial shellcode unicos-command-line-bo(24276) Format string vulnerability in /bin/ftp in UNICOS 9.0.2.2 allows local users to have an unknown impact via format string specifiers in the quote command. NOTE: because the program is not setuid and not normally called from remote programs, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 16205 20060110 SUID root overflows in UNICOS and partial shellcode unicos-ftp-format-string(24277) The Cisco IP Phone 7940 allows remote attackers to cause a denial of service (reboot) via a large amount of TCP SYN packets (syn flood) to arbitrary ports, as demonstrated to port 80. 1015488 18479 cisco-ipphone-synflood-dos(24117) ADV-2006-0202 16200 22469 20060113 Response to Cisco IP Phone 7940 DoS Exploit posted on milw0rm.com http://downloads.securityfocus.com/vulnerabilities/exploits/cisco_ip7940_dos.pl Cross-site scripting (XSS) vulnerability in CaLogic Calendars 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the Title field on the "Adding New Event" page, and possibly other vectors, involving iframe tags. ADV-2006-0149 16206 18417 http://evuln.com/vulns/24/summary.html calogic-newevent-xss(24077) 20060116 [eVuln] CaLogic Calendars Multiple XSS Vulnerabilities 22322 Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.1.3 has an undocumented administrative account with a default password, which allows local users to gain privileges via the expert command. 16211 20060111 Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS) ADV-2006-0154 cisco-csmars-default-password(24065) 22346 1015471 335 18424 login.php in ACal Calendar Project 2.2.5 allows remote attackers to bypass authentication by setting the ACalAuthenticate cookie variable to "inside". ADV-2006-0152 http://evuln.com/vulns/25/summary.html acal-login-auth-bypass(24104) 20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion 22344 343 18432 Direct static code injection vulnerability in edit.php in ACal Calendar Project 2.2.5 allows authenticated users to execute arbitrary PHP code via (1) the edit=header value, which modifies header.php, or (2) the edit=footer value, which modifies footer.php. NOTE: this issue might be resultant from the poor authentication as identified by CVE-2006-0182. Since the design of the product allows the administrator to edit the code, perhaps this issue should not be included in CVE, except as a consequence of CVE-2006-0182. ADV-2006-0152 http://evuln.com/vulns/25/summary.html acal-header-footer-code-execute(24107) 20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion 22345 343 18432 Multiple SQL injection vulnerabilities in AspTopSites allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to goto.asp or (2) password parameter to includeloginuser.asp. ADV-2006-0146 http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt 18408 asptopsites-goto-sql-injection(24072) 22330 20060110 AspTopSites SQL injection Multiple cross-site scripting vulnerabilities in the (1) Pool or (2) News Modules in Php-Nuke allow remote attackers to inject arbitrary web script or HTML via javascript in the SRC attribute of an IMG tag. ADV-2006-0125 16192 20060107 Php-Nuke Pool and News Module IMG Tag Cross Site 18374 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4500. Reason: This candidate is a duplicate of CVE-2005-4500. Notes: All CVE users should reference CVE-2005-4500 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. By design, Microsoft Visual Studio 2005 automatically executes code in the Load event of a user-defined control (UserControl1_Load function), which allows user-assisted attackers to execute arbitrary code by tricking the user into opening a malicious Visual Studio project file. ADV-2006-0151 16225 20060113 Visual Studio Remote Code Execution 18409 visualstudio-usercontrol-code-execution(24116) webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. squirrelmail-webmail-xss(24847) ADV-2006-0689 http://www.squirrelmail.org/security/issue/2006-02-01 16756 1015662 18985 oval:org.mitre.oval:def:10419 RHSA-2006:0283 FEDORA-2006-133 SUSE-SR:2006:005 MDKSA-2006:049 GLSA-200603-09 DSA-988 20210 19960 19205 19176 19131 19130 20060501-01-U Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows remote attackers to execute arbitrary code via a long attribute (aka "a") field in the SDP data of a SIP packet on UDP port 5060. This is the vendor provided solution: "eStara has released Softphone version 3.0.1.47 to resolve the buffer overflow demonstrated in parsing SDP with long "a=" lines. Licensed customers can download a new version via the email sent to them with purchase, customers testing may go back to http://www.estara.com/softphone/ to obtain a new free trial. Version information can be gathered by going to Help->About. eStara highly recommends all customers upgrade to avoid this issue. If there's further questions please email us: softphone@estara.com. eStara would like to thank ZwelL for bringing the issue to our attention." estara-sip-sdp-bo(24090) ADV-2006-0167 16213 20060111 eStara Softphone SIP stack Buffer Overflow Vulnerability 1015481 18410 22348 Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. 102066 18421 ADV-2006-0165 solaris-unspecified-root-access(24084) 16224 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015478 19087 oval:org.mitre.oval:def:702 Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250. 102108 18420 ADV-2006-0166 solaris-find-proc-dos(24085) 16222 22347 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015479 19087 oval:org.mitre.oval:def:1608 SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp. aspsurvey-loginvalidate-sql-injection(24087) ADV-2006-0164 16496 20060204 sql injection in ASP Survey 22342 414 18422 Cross-site scripting (XSS) vulnerability in the Hosting Control Panel (psoft.hsphere.CP) in Positive Software H-Sphere 2.4.3 Patch 8 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter in a login action. 20060112 H-Sphere Security Vulnerability ADV-2006-0172 http://www.psoft.net/HSdocumentation/versions/?v=all&p=r hsphere-login-xss(24096) http://www.psoft.net/HSdocumentation/versions/index.php?v=243p9&p=r 22372 18447 Cross-site scripting (XSS) vulnerability in default.asp in FogBugz 4.029, and other versions before 4.0.33, allows remote attackers to inject arbitrary web script or HTML via the dest parameter in the pgLogon page. 16216 ADV-2006-0174 20060112 FogBugz Cross Site Scripting Vulnerability http://www.fogcreek.com/FogBugz/KB/releaseNotes/WhatsNewInFogBugz4.0.33.html fogbugz-login-xss(24103) 22370 18443 Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. squirrelmail-magichtml-xss(24848) ADV-2006-0689 http://www.squirrelmail.org/security/issue/2006-02-10 16756 1015662 18985 oval:org.mitre.oval:def:9548 RHSA-2006:0283 FEDORA-2006-133 SUSE-SR:2006:005 MDKSA-2006:049 GLSA-200603-09 DSA-988 20210 19960 19205 19176 19131 19130 20060501-01-U Unspecified vulnerability in Serial line sniffer (aka slsnif) 0.4.4 allows local users to gain privileges via a long value of the HOME environment variable, possibly because of a buffer overflow. slsnif-home-bo(24082) ADV-2006-0212 20060111 Serial Line Sniffer 0.4.4 Buffer Overflow http://shellcoders.com/sintigan/slsnif-ploit.pl 18497 The XClientMessageEvent struct used in certain components of X.Org 6.8.2 and earlier, possibly including (1) the X server and (2) Xlib, uses a "long" specifier for elements of the l array, which results in inconsistent sizes in the struct on 32-bit versus 64-bit platforms, and might allow attackers to cause a denial of service (application crash) and possibly conduct other attacks. 20060108 xorg server 6.8.2 and below on 64bit arch Cross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment. http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=45637&forum=2&post_id=200481 16189 20060107 Xoops Pool Module IMG Tag Cross Site Scripting xoops-pool-imagetag-xss(24091) SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter. mininuke-news-sql-injection(24098) ADV-2006-0173 20060113 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injectionvulnerability 22384 http://www.nukedx.com/?viewdoc=7 340 18439 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages. php-extmysqli-format-string(24095) 16219 http://www.php.net/release_5_1_2.php 18431 ADV-2006-0369 ADV-2006-0177 20060112 Advisory 02/2006: PHP ext/mysqli Format String Vulnerability http://www.hardened-php.net/advisory_022006.113.html 1015485 337 Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. ADV-2006-0183 http://www.uinc.ru/articles/vuln/ptpaypal050.shtml 16218 20060112 Multiple PHP Toolkit for PayPal Vulnerabilities 18444 22378 Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data. ADV-2006-0183 http://www.uinc.ru/articles/vuln/ptpaypal050.shtml 16218 20060112 Multiple PHP Toolkit for PayPal Vulnerabilities 18444 22379 membership.asp in Mini-Nuke CMS System 1.8.2 and earlier does not verify the old password when changing a password, which allows remote attackers to change the passwords of other members via a lostpassnew action with a modified x parameter. mininuke-membership-change-password(24101) ADV-2006-0173 20060113 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remoteuser password change exploit 22385 344 18439 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability 20060112 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote user password change exploit 20060129 [xpl#2] MiniNuke 1.8.2 - change member's passwrod < Perl > Multiple cross-site scripting (XSS) vulnerabilities in Wordcircle 2.17 allow remote attackers to inject arbitrary web script or HTML via (1) the "Course name" field in index.php when the frm parameter has the value "mine" and (2) possibly certain other fields in unspecified scripts. wordcircle-index-xss(24106) ADV-2006-0185 16227 20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities 22359 18440 http://evuln.com/vulns/28/summary.html 345 Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via certain other fields in unspecified scripts. wordcircle-login-security-bypass(24108) wordcircle-sql-injection(24105) ADV-2006-0185 16227 20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities 20060112 [eVuln] Wordcircle Authentication Bypass 22358 346 345 18440 http://evuln.com/vulns/28/summary.html http://evuln.com/vulns/27/summary.html Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php. 16229 18450 http://evuln.com/vulns/29/summary.html http://evuln.com/vulns/29/exploit.html lwc-cal-execute-code(24110) 22376 20060318 Source VERIFY - Light Weight Calendar issue is eval injection Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. php-session-response-splitting(24094) 16220 GLSA-200603-22 1015484 19355 19179 18697 18431 ADV-2006-0369 ADV-2006-0177 USN-261-1 http://www.php.net/release_5_1_2.php MDKSA-2006:028 http://www.hardened-php.net/advisory_012006.112.html DSA-1331 25945 19012 SUSE-SR:2006:004 Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message. 16803 http://www.php.net/release_5_1_2.php GLSA-200603-22 19355 19179 18697 18431 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178028 ADV-2006-2685 ADV-2006-0369 ADV-2006-0177 USN-261-1 RHSA-2006:0501 http://www.php.net/ChangeLog-4.php#4.4.2 MDKSA-2006:028 http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm 21564 21252 20951 20222 20210 19832 19012 RHSA-2006:0549 RHSA-2006:0276 oval:org.mitre.oval:def:10064 SUSE-SR:2006:004 20060501-01-U SQL injection vulnerability in general_functions.php in TankLogger 2.4 allows remote attackers to execute arbitrary SQL commands via the (1) livestock_id parameter to showInfo.php and (2) tank_id parameter, possibly to livestock.php. ADV-2006-0153 http://evuln.com/vulns/26/summary.html tanklogger-generalfunctions-sql-injection(24080) 16228 20060112 [eVuln] TankLogger SQL Injection Vulnerability 22369 22368 341 18441 20060113 Verified TankLogger SQl inject by source inspection Cross-site scripting (XSS) vulnerability in index.php in Interspire TrackPoint NX before 0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter when using the Login page. ADV-2006-0175 16214 http://www.interspire.com/forum/showthread.php?p=29606 trackpointnx-login-xss(24112) 20060112 Interspire TrackPoint NX XSS Vulnerability 22377 18445 Cross-site scripting (XSS) vulnerability in forgotPassword.asp in Helm Hosting Control Panel 3.2.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the txtEmailAddress parameter. ADV-2006-0203 20060112 Helm XSS Vulnerability helm-forgotpassword-xss(24139) http://www.webhostautomation.com/webhost-301 16234 22454 18492 Directory traversal vulnerability in OBEX Push services in Toshiba Bluetooth Stack 4.00.23(T) and earlier allows remote attackers to upload arbitrary files to arbitrary remote locations specified by .. (dot dot) sequences, as demonstrated by ..\\ sequences in the RFILE argument of ussp-push. ADV-2006-0184 16236 http://www.digitalmunition.com/DMA%5B2006-0112a%5D.txt 18437 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal' 22380 1015486 http://aps.toshiba-tro.de/bluetooth/pages/driverinfo.php?txt=sp2 Kolab Server 2.0.1, 2.0.2 and development versions pre-2.1-20051215 and earlier, when authenticating users via secure SMTP, stores authentication credentials in plaintext in the postfix.log file, which allows local users to gain privileges. 18438 http://kolab.org/security/kolab-vendor-notice-08.txt ADV-2006-0186 kolab-smtp-logging(24123) 22381 Eval injection vulnerability in ezDatabase 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the db_id parameter to visitorupload.php, as demonstrated using phpinfo and include function calls. ezdatabase-visitorupload-file-include(24136) 16237 351 18043 http://pridels0.blogspot.com/2006/01/ezdatabase-20-and-below.html Cross-site scripting (XSS) vulnerability in admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. NOTE: this issue might be resultant from CVE-2006-0216. 22352 http://osvdb.org/ref/22/22352-qualityppc.txt admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to obtain sensitive information, possibly the installation path of the application, via unspecified "meta characters" to the cpage parameter. 22353 http://osvdb.org/ref/22/22353-qualityppc.txt http://osvdb.org/ref/22/22352-qualityppc.txt Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auction 3.67 allow remote attackers to inject arbitrary web script or HTML via the (1) item parameter in item.pl and (2) category parameter in itemlist.pl, which reflects the XSS in an error message. NOTE: the affected version might be wrong since the current version as of 20060116 is 3.6.1. ADV-2006-0187 16239 22444 22443 18477 20060115 Ultimate Auction <=3.67 ultimate-auction-item-xss(24138) 16254 Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603. http://community.mybboard.net/showthread.php?tid=5852 The original distribution of MyBulletinBoard (MyBB) to update from older versions to 1.0.2 omits or includes older versions of certain critical files, which allows attackers to conduct (1) SQL injection attacks via an attachment name that is not properly handled by inc/functions_upload.php (CVE-2005-4602), and possibly (2) other attacks related to threadmode in usercp.php. http://community.mybboard.net/showthread.php?tid=5960 16230 http://community.mybboard.net/showthread.php?tid=5853&pid=35151#pid35151 http://community.mybboard.net/showthread.php?tid=5853&pid=35088#pid35088 mybb-usercp-script-sql-injection(24115) Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3 through 6.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the day parameter in calendar.php and (2) the input form in search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. It is possible that this issue is resultant from an SQL injection problem in CVE-2005-4227.3 and CVE-2005-4227.13. 16232 20060113 DCP Portal Cross-Site Scripting Vulnerability dcpportal-calendar-search-xss(24153) SQL injection vulnerability in index.asp in the Admin Panel in Dragon Design Services Network (DDSN) cm3 content manager (CM3CMS) allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password. cm3-login-sql-injection(24266) 16231 20060113 DDSN CMS Admin Panel SQL Injection Vulnerability 22696 Cross-site scripting (XSS) vulnerability in fullview.php in AlstraSoft Template Seller Pro allows remote attackers to inject arbitrary web script or HTML via the tempid parameter. template-seller-fullview-xss(24235) 16233 20060113 AlstraSoft Template Seller Pro Cross-Site Scripting Vulnerability 22746 Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Server Software 5.1 allows attackers to create or overwrite arbitrary files on the server via ".." (dot dot) sequences in the username field. 16235 http://www.123flashchat.com/flash-chat-server-v512.html 123flashchat-user-directory-traversal(24137) ADV-2006-0198 22440 18455 Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X command line argument (alternative configuration file name). 20060123 [ Rosiello Security ] Eterm-LibAST Advisory 20060125 Rosiello Security - Eterm-LibAST Advisory http://www.rosiello.org/en/read_bugs.php?id=25 ADV-2006-0314 16350 20060123 LibAST 0.7 Release Fixes Security Vulnerability http://freshmeat.net/projects/libast/?branch_id=17907&release_id=217840 eterm-libast-filename-bo(24303) 22735 MDKSA-2006:029 GLSA-200601-14 DSA-976 373 18916 18632 18586 scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. TA07-072A 18595 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026 openssh-scp-command-execution(24305) ADV-2007-2120 ADV-2007-0930 ADV-2006-4869 ADV-2006-2490 ADV-2006-0306 USN-255-1 2006-0004 16369 FLSA-2006:168935 RHSA-2006:0044 22692 OpenPKG-SA-2006.003 SUSE-SA:2006:008 GLSA-200602-11 SSA:2006-045-06 1015540 19159 18970 18969 18964 18910 18850 18798 18736 18650 18579 oval:org.mitre.oval:def:9962 HPSBUX02178 20060212 [3.8] 005: SECURITY FIX: February 12, 2006 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751 http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688 http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html RHSA-2006:0698 RHSA-2006:0298 MDKSA-2006:034 http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm http://support.avaya.com/elmodocs2/security/ASA-2006-158.htm 102961 462 25936 25607 24479 23680 23340 23241 22196 21724 21492 21262 21129 20723 APPLE-SA-2007-03-13 HPSBUX02178 http://docs.info.apple.com/article.html?artnum=305214 http://blogs.sun.com/security/entry/sun_alert_102961_security_vulnerability 20060703-01-P oval:org.mitre.oval:def:1138 Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) in FreeBSD before 6.0-STABLE, while scanning for wireless networks, allows remote attackers to execute arbitrary code by broadcasting crafted (1) beacon or (2) probe response frames. 16296 18353 http://www.signedness.org/advisories/sps-0x1.txt FreeBSD-SA-06:05 bsd-ieee80211-bo(24192) 22537 http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson 1015518 http://kernelwars.blogspot.com/2007/01/alive.html Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. 102033 1015492 18498 ADV-2006-0200 solaris-lpsched-dos(24127) 16245 22442 22441 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 19087 oval:org.mitre.oval:def:662 The RBAC functionality in grsecurity before 2.1.8 does not properly handle when the admin role creates a service and then exits the shell without unauthenticating, which causes the service to be restarted with the admin role still active. 16261 18458 ADV-2006-0199 http://www.grsecurity.org/news.php#grsec218 grsecurity-rbac-admin-privileges(24156) Unquoted Windows search path vulnerability in Wehntrust might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when Wehntrust creates the autostart key. 20060116 Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust 16268 20060116 WehnTrust - When you have to trust Wehntrust wehntrust-service-start-file-execution(24315) http://www.wehnus.com/downloads.pl Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses a client-side check to verify a password, which allows remote attackers to gain administrator privileges via a modified client that sends certain XML requests. VU#118388 20060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error ADV-2006-1464 sse-unauth-admin-access(25972) http://www.symantec.com/avcenter/security/Content/2006.04.21.html 17637 20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities 20060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error 19734 Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications. 20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key ADV-2006-1464 sse-insecure-private-key(25973) http://www.symantec.com/avcenter/security/Content/2006.04.21.html 17637 20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities 20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key 1015974 19734 Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, stores sensitive log and virus definition files under the web root with insufficient access control, which allows remote attackers to obtain the information via direct requests. 20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability ADV-2006-1464 sse-unauth-file-access(25974) http://www.symantec.com/avcenter/security/Content/2006.04.21.html 17637 20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities 20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability 1015974 759 758 19734 Cross-site scripting (XSS) vulnerability in functions.php in microBlog 2.0 RC-10 allows remote attackers to inject arbitrary web script and HTML via a javascript: URI in a [url] BBcode tag. microblog-functions-xss(24140) 16272 20060117 [eVuln] microBlog BBCode XSS Vulnerability 1015496 http://evuln.com/vulns/36/summary.html SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters. ADV-2006-0239 16270 20060117 [eVuln] microBlog SQL Injection Vulnerability microblog-index-sql-injection(24132) 22512 1015496 18442 http://evuln.com/vulns/35/summary.html SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers to execute arbitrary SQL commands via the dir parameter to pictures.php. ADV-2006-0241 16247 20060116 White Album Sql &#304;njection biyosecurity.be whitealbum-pictures-sql-injection(24271) 22520 http://www.biyosecurity.be/bugs/whitealbum.txt 18460 GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. 16271 20060117 Secunia Research: Mozilla Thunderbird Attachment SpoofingVulnerability http://secunia.com/secunia_research/2005-22/advisory 15907 https://bugzilla.mozilla.org/show_bug.cgi?id=300246 thunderbird-attachment-ext-spoofing(24164) ADV-2006-0230 MDKSA-2006:021 Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce allows remote attackers to inject arbitrary web script or HTML via the (1) cat and (2) subcat parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0214 16255 18470 gtpicommerce-index-xss(24150) SQL injection vulnerability in wp-stats.php in GaMerZ WP-Stats 2.0 allows remote attackers to execute arbitrary SQL commands via the author parameter. http://www.lesterchan.net/blogs/ 18471 ADV-2006-0192 16241 wpstats-script-sql-injection(24163) 22450 http://www.lesterchan.net/blogs/archives/2006/01/18/wp-stats-sql-injection-vulnerability http://osvdb.org/ref/22/22450-wpstats.txt Multiple cross-site scripting (XSS) vulnerabilities in Simple Blog 2.1 allow remote attackers to inject arbitrary web script or HTML via (1) a comment to comments.asp and (2) possibly certain other fields in unspecified scripts. ADV-2006-0194 16243 20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.1 18488 simpleblog-comment-xss(24154) 22448 http://www.hackerscenter.com/archive/view.asp?id=21926 Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts. simpleblog-month-sql-injection(24155) ADV-2006-0194 16243 20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.1 22447 http://www.hackerscenter.com/archive/view.asp?id=21926 18488 Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Name field. ADV-2006-0237 16277 20060117 XSS in WBNews < = v1.1.0 18499 Cross-site scripting vulnerability in index.php in PHP Fusebox 4.0.6 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter. 20060117 IndonesiaHack Advisory HTML injection in PHP Fusebox 16274 355 Cross-site scripting (XSS) vulnerability in SMBCMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the text parameter, which is used by the "Search Site" field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0229 16281 18454 smbcms-sitesearch-xss(24187) 22494 ** DISPUTED ** Directory traversal vulnerability in workspaces.php in phpXplorer 0.9.33 allows remote attackers to include arbitrary files via a .. (dot dot) and trailing null byte (%00) in the sShare parameter. NOTE: a followup post claims that this is not a vulnerability since the functionality of phpXplorer supports the upload of PHP files, which would not cross privilege boundaries since the PHP functionality would support read access outside the web root. ADV-2006-0232 16263 20060116 Re: Directory traversal in phpXplorer 20060116 Directory traversal in phpXplorer http://www.arrelnet.com/advisories/adv20060116.html 18518 phpxplorer-sshare-directory-traversal(39982) 353 Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in index.php. NOTE: the cart.php/redir and index.php/searchStr vectors are already covered by CVE-2005-3152. ADV-2006-0227 16259 22471 18519 http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html http://bugs.cubecart.com/?do=details&id=459 cubecart-index-script-xss(24177) Cross-site scripting (XSS) vulnerability in down.pl in Widexl Download Tracker 1.06 allows remote attackers to inject arbitrary web script or HTML via the ID parameter. ADV-2006-0213 16265 22462 18472 http://osvdb.org/ref/22/22462-widexl.txt downloadtracker-down-xss(24161) Cross-site scripting (XSS) vulnerability in anyboard.cgi in Netbula Anyboard 9.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the tK parameter in a find command. ADV-2006-0188 16264 22461 18469 http://osvdb.org/ref/22/22461-anyboard.txt netbula-anyboard-script-xss(24167) Virata-EmWeb web server 6_1_0, as used in (1) Intracom JetSpeed 500 and 520 and (2) Allied Data Technologies CopperJet 811 RouterPlus, allows remote attackers to access privileged information, such as user lists and configuration settings, via direct HTTP requests. ADV-2006-0218 18483 http://blog.globalnetworks.gr/?p=4 virata-emweb-unauth-access(24304) SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable). geoBlog-viewcat-sql-injection(24146) ADV-2006-0191 16249 22463 1015493 18504 http://evuln.com/vulns/33/summary.html Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162. ADV-2006-0234 16267 20060116 Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability http://www.digitalarmaments.com/2006040164883273.html 18525 cmusnmp-snmpinput-format-string(24178) 22493 Cross-site scripting (XSS) vulnerability in fom.cgi in Faq-O-Matic 2.711 allows remote attackers to inject arbitrary web script or HTML via the (1) _duration, (2) file, and (3) cmd parameters. ADV-2006-0189 16251 22439 18468 http://osvdb.org/ref/22/22439-faqomatic.txt faqomatic-fom-xss(24165) SQL injection vulnerability in Benders Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via multiple parameters, as demonstrated by the (1) year, (2) month, and (3) day parameters. ADV-2006-0190 16242 20060115 [eVuln] Benders Calendar SQL Injection 22449 1015491 18462 http://evuln.com/vulns/30/summary.html benderscalendar-sql-injection(24120) Buffer overflow in the Bluetooth OBEX Object Push service in "Blue Neighbors.EXE" in AmbiCom Blue Neighbors 2.50 Build 2500 and earlier allows remote attackers to execute arbitrary code via a long file name, as demonstrated via a long RFILE argument to ussp-push. ADV-2006-0219 20060120 DMA[2006-0115a] - 'AmbiCom Bluetooth Object Push Overflow' http://www.digitalmunition.com/DMA%5B2006-0115a%5D.txt 18466 ambicom-bluetooth-objectpush-bo(24179) 16258 366 Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer. https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&styleName=Html&projectId=10220&Create=Create ADV-2006-0217 16260 20060115 Apache Geronimo 1.0 - CSS and persistent HTML-Injectionvulnerabilities http://www.oliverkarow.de/research/geronimo_css.txt 18485 http://issues.apache.org/jira/browse/GERONIMO-1474 geronimo-webaccesslog-viewer-xss(24159) geronimo-jspexamples-xss(24158) RHSA-2008:0261 31493 RHSA-2008:0630 Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program. ADV-2006-0258 16290 20060117 [ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess() http://secdev.zoller.lu/research/checkpoint.txt Unspecified vulnerability in the Advanced Queuing component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Change Data Capture component of Oracle Database server 9.2.0.7, 10.1.0.5, and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB02. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the CDC_ALLOCATE_LOCK function of the DBMS_CDC_UTILITY package. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1015499 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 22540 18608 18493 Unspecified vulnerability in the Connection Manager component of Oracle Database server 8.1.7.4 and 9.0.1.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB03. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database server 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB04 and (2) DB06 in the (a) Data Pump component; (3) DB10 in the (b) Net Listener component; and (4) DB16 in the (c) Oracle Text component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB06 is SQL injection in the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT functions in DBMS_DATAPUMP. VU#545804 16287 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 18493 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 22544 1015499 18608 Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB05 in the (a) Data Pump component; (2) DB15 in the (b) Oracle Text component; (3) DB22 in the (c) Streams Apply component; (4) DB23 and (5) DB24 in the (d) Streams Capture component; and (6) DB26 in the (e) Streams Subcomponent. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB05 involves SQL injection in the (f) LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB functions in the DBMS_METADATA_UTIL package; (g) MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, and MAKE_FILTER_TEXT functions in the DBMS_METADATA_INT package; and (h) GET_PREPOST_TABLE_ACT function in the DBMS_METADATA package. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 22643 22637 22543 18493 Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB07 in the Dictionary component and (2) DB14 in the Oracle Label Security component. NOTE: Oracle has not disputed reliable researcher claims that DB07 involves plaintext storage of the TDE wallet password in a trace file by event 10053. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) oracle-masterkey-plaintext(24168) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartext http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html 1015499 18608 18493 Unspecified vulnerability in the Net Foundation Layer component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB08. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB09 in the (a) Net Listener component; and (2) DB12 and (3) DB13 in the Network Communications (RPC) component. TA06-018A VU#870172 VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 22551 22550 22547 1015499 18608 18493 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0259. Reason: This candidate is subsumed by CVE-2006-0259. An error during initial CVE analysis used the wrong set of affected versions for "DB10". Notes: All CVE users should reference CVE-2006-0259 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB17 in the Oracle Text component and (2) DB18 in the Program Interface Network component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB17 involves SQL injection in the (a) VALIDATE_STATEMENT and BUILD_DML functions in CTXSYS.DRILOAD; (b) CLEAN_DML function in CTXSYS.DRIDML; (c) GET_ROWID function in CTXSYS.CTX_DOC; (d) BROWSE_WORDS function in CTXSYS.CTX_QUERY; and (e) ODCIINDEXTRUNCATE, ODCIINDEXDROP, and ODCIINDEXDELETE functions in CATINDEXMETHODS. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22642 22641 22640 22639 22555 18493 Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB19. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.2.0.6 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB20. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Security component of Oracle Database server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB21. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the SET_DIRECTORY_ROOT function in the DBMS_CDC_PUBLISH package. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22563 1015499 18608 18493 Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27. NOTE: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) oracle-sga-masterkey-plaintext(24186) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html 1015499 18608 18493 Unspecified vulnerability in the Upgrade & Downgrade component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB28. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the DBMS_REGISTRY package in certain parameters to the (1) IS_COMPONENT, (2) GET_COMP_OPTION, (3) DISABLE_DDL_TRIGGERS, (4) SCRIPT_EXISTS, (5) COMP_PATH, (6) GATHER_STATS, (7) NOTHING_SCRIPT, and (8) VALIDATE_COMPONENTS functions. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22566 1015499 18608 18493 Unspecified vulnerability in the XML Database component of Oracle Database server 9.2.0.7 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB29. NOTE: based on mutual credits by the relevant sources, it is highly likely that this issue is a buffer overflow in the (a) DBMS_XMLSCHEMA and (b) DBMS_XMLSCHEMA_INT packages, as exploitable via long arguments to (1) XDB.DBMS_XMLSCHEMA.GENERATESCHEMA or (2) XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS. TA06-018A VU#891644 VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-xdbdbmx-xmlschema-bo(24376) oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf http://www.argeniss.com/research/ARGENISS-ADV-010601.txt 1015499 18608 18493 20060126 [Argeniss] Oracle Database Buffer overflows vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT} Unspecified vulnerability in the Portal component of Oracle Application Server 9.0.4.2 and 10.1.2.0 has unspecified impact and attack vectors, as identified by Oracle Vuln# AS01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 and 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP03. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Reports - Read parts of files via customize(fixed after 875 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) OCS01, 2) OCS02, 3) OCS03, 4) OCS04, 5) OCS05, 6) OCS06, 7) OCS07, (8) OCS08, and (9) OCS09 in the (a) Email Server component; 10) OCS10 (and (11) OCS11 in the (b) Oracle Collaboration Suite Wireless & Voice (component; 12) OCS12 and (13) OCS13 in the (c) Oracle Content (Management SDK component; 14) OCS14 and (15) OCS15 in the (d) Oracle (Content Services component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS07 in the (b) Oracle Applications Framework component; (3) APPS08, (4) APPS09, (5) APPS10, and (6) APPS11 in the (c) Oracle Applications Technology Stack component; (7) APPS12 in the (d) Oracle Human Resources component; (8) APPS15 and (9) APPS16 in the (e) Oracle Marketing component; (10) APPS17 in the (f) Marketing Encyclopedia System component; (11) APPS18 in the (g) Oracle Trade Management component; and (12) APPS19 in the (h) Oracle Web Applications Desktop Integration component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS02 in the (a) CRM Technical Foundation component; (2) APPS03 in the (b) iProcurement component; and (3) APPS04, (4) APPS05, and (5) APPS06 in the Oracle Application Object Library component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 4.3 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS13 and (2) APPS14 in the Oracle iLearning component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2 has unspecified impact and attack vectors, as identified by Oracle Vuln# PSE01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP23_L1 has unspecified impact and attack vectors, as identified by Oracle Vuln# JDE01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC01 in the Protocol Support component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 18493 Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.2 and 10.1.2.0.2, and E-Business Suite and Applications 11.5.10, have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) FORM01 and (2) FORM02 in the Oracle Forms component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Java Net component of Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.4, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# JN01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS01. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 10.1.0.5 and Application Server 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS02. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Multiple unspecified vulnerabilities in the Oracle Reports Developer component of Oracle Application Server 9.0.4.1 and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP01 and (2) REP02. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1015499 18608 oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 18493 Multiple unspecified vulnerabilities in Oracle Application Server 6.0.8.26(PS17) and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP05 and (2) REP06 in the Oracle Reports Developer component. NOTE: Oracle has not disputed reliable researcher claims that REP05 is the same as CVE-2005-2378 and REP06 is the same as CVE-2005-2371, both of which involve directory traversal. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 20060117 Oracle Reports - Overwrite any application server file via desname (fixed after 889 days) 20060117 Oracle Reports - Read parts of files via desname (fixed after 874 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html 1015499 18608 18493 Unspecified vulnerability in Oracle Database Server 9.2.0.7, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 has unspecified impact and attack vectors, as identified by Oracle Vuln# WF01 in the Oracle Workflow Cartridge component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 Multiple unspecified vulnerabilities in Oracle Database Server 10.2.0.1, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) WF02 and (2) WF03 in the Oracle Workflow Cartridge component. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html oracle-january2006-update(24321) ADV-2006-0323 ADV-2006-0243 16287 1015499 18608 18493 The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. https://bugzilla.mozilla.org/show_bug.cgi?id=316885 ADV-2006-3749 ADV-2006-3391 ADV-2006-0413 HPSBUX02156 SSRT061158 RHSA-2006:0200 RHSA-2006:0199 SUSE-SA:2006:004 228526 oval:org.mitre.oval:def:10016 mozilla-javascript-memory-corruption(24430) USN-276-1 USN-275-1 USN-271-1 16476 HPSBUX02156 HPSBUX02122 FLSA-2006:180036-2 FLSA:180036-1 RHSA-2006:0330 FEDORA-2006-076 FEDORA-2006-075 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-01.html MDKSA-2006:078 MDKSA-2006:037 MDKSA-2006:036 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015570 22065 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19821 19780 19759 19746 19230 18709 18708 18706 18705 18704 18703 18700 20060201-01-U SCOSA-2006.26 oval:org.mitre.oval:def:670 The function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects. https://bugzilla.mozilla.org/show_bug.cgi?id=322045 ADV-2006-3749 ADV-2006-3391 ADV-2006-0413 SSRT061236 SSRT061158 228526 firefox-function-allocation-code-execution(42654) mozilla-javascript-memory-corruption(24430) 16476 SSRT061236 SSRT061158 http://www.mozilla.org/security/announce/2006/mfsa2006-01.html GLSA-200604-18 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015570 22065 21622 19941 19902 19863 19862 18704 18700 oval:org.mitre.oval:def:1494 Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory. https://bugzilla.mozilla.org/show_bug.cgi?id=317934 ADV-2006-3749 ADV-2006-0413 SSRT061236 mozilla-element-change-memory-corruption(24431) 16476 HPSBUX02156 http://www.mozilla.org/security/announce/2006/mfsa2006-02.html 1015570 22065 18704 18700 oval:org.mitre.oval:def:1514 Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption. TA06-038A VU#759273 https://bugzilla.mozilla.org/show_bug.cgi?id=319296 ADV-2006-3749 ADV-2006-0413 SSRT061236 mozilla-queryinterface-memory-corruption(24433) 16476 HPSBUX02156 http://www.mozilla.org/security/announce/2006/mfsa2006-04.html 1015570 22065 18704 18700 oval:org.mitre.oval:def:1562 The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. TA06-038A VU#592425 https://bugzilla.mozilla.org/show_bug.cgi?id=319847 ADV-2006-3749 ADV-2006-3391 ADV-2006-0413 SSRT061236 SSRT061158 RHSA-2006:0200 RHSA-2006:0199 SUSE-SA:2006:004 228526 oval:org.mitre.oval:def:11803 mozilla-xuldocument-command-execution(24434) USN-276-1 USN-275-1 USN-271-1 16476 HPSBUX02156 SSRT061158 FLSA-2006:180036-2 FLSA:180036-1 RHSA-2006:0330 FEDORA-2006-076 FEDORA-2006-075 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-05.html MDKSA-2006:078 MDKSA-2006:037 MDKSA-2006:036 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015570 22065 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19821 19780 19759 19746 19230 18709 18708 18706 18705 18704 18703 18700 20060201-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1493 Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the (1) EscapeAttributeValue in jsxml.c for E4X, (2) nsSVGCairoSurface::Init in SVG, and (3) nsCanvasRenderingContext2D.cpp in Canvas. https://bugzilla.mozilla.org/show_bug.cgi?id=322215 https://bugzilla.mozilla.org/show_bug.cgi?id=319872 mozilla-component-integer-overflow(24435) ADV-2006-3749 ADV-2006-0413 16476 SSRT061236 1015570 18704 18700 HPSBUX02156 http://www.mozilla.org/security/announce/2006/mfsa2006-06.html 22065 oval:org.mitre.oval:def:1339 The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. mozilla-xml-parser-dos(24436) 16476 1015570 18704 18700 ADV-2006-3749 ADV-2006-0413 SSRT061236 SSRT061236 http://www.mozilla.org/security/announce/2006/mfsa2006-07.html 22065 oval:org.mitre.oval:def:677 The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions. https://bugzilla.mozilla.org/show_bug.cgi?id=322312 ADV-2006-3749 ADV-2006-0413 SSRT061236 mozilla-e4x-security-bypass(24437) 16476 SSRT061236 http://www.mozilla.org/security/announce/2006/mfsa2006-08.html 1015570 22065 18704 18700 oval:org.mitre.oval:def:1625 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. TA07-109A TA07-072A MDKSA-2006:046 23371 18999 18976 gnu-tar-pax-headers-bo(24855) ADV-2008-2518 ADV-2007-1470 ADV-2007-0930 ADV-2006-0684 USN-257-1 2006-0010 16764 FLSA:183571-2 RHSA-2006:0232 OpenPKG-SA-2006.006 SUSE-SR:2006:005 GLSA-200603-06 DSA-987 241646 1015705 19236 19152 19130 19093 19016 18973 oval:org.mitre.oval:def:9295 oval:org.mitre.oval:def:6094 oval:org.mitre.oval:def:5993 oval:org.mitre.oval:def:5978 oval:org.mitre.oval:def:5252 [Bug-tar] 20060220 tar 1.15.90 released 543 480 24966 24479 20042 APPLE-SA-2007-03-13 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 http://docs.info.apple.com/article.html?artnum=305214 Heap-based buffer overflow in Splash.cc in xpdf, as used in other products such as (1) poppler, (2) kdegraphics, (3) gpdf, (4) pdfkit.framework, and others, allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. xpdf-splash-bo(24391) USN-249-1 FLSA:175404 20060202 [KDE Security Advisory] kpdf/xpdf heap based buffer overflow RHSA-2006:0201 FEDORA-2006-103 http://www.kde.org/info/security/advisory-20060202-1.txt GLSA-200602-12 GLSA-200602-05 GLSA-200602-04 DSA-974 DSA-972 DSA-971 SSA:2006-045-04 SSA:2006-045-09 1015576 19377 18983 18913 18908 18882 18864 18862 18860 18839 18838 18837 18834 18826 18825 18707 18677 RHSA-2006:0206 SCOSA-2006.15 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179046 https://bugzilla.novell.com/show_bug.cgi?id=141242 ADV-2006-0422 ADV-2006-0389 MDKSA-2006:032 MDKSA-2006:031 MDKSA-2006:030 470 18875 18274 oval:org.mitre.oval:def:10850 ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 allows remote attackers to obtain sensitive information, such as MAC address and software version, by directly accessing UDP port 9090. 16285 18511 20060116 ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/9090 zyxel-p2000w-default-port(24145) 22516 Multiple unspecified vulnerabilities in the (1) publishing component, (2) Contact Component, (3) TinyMCE Compressor, and (4) other components in Joomla! 1.0.5 and earlier have unknown impact and attack vectors. 18513 http://www.joomla.org/content/view/738/66/ Buffer overflow in Dual DHCP DNS Server 1.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the DHCP options field. 18486 http://aluigi.altervista.org/adv/dualsbof-adv.txt ADV-2006-0245 dualdhcpdns-options-field-bo(24191) 16298 1015495 Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware 1.1.12 (051129) and CP-100E VoIP 802.11b Wireless Phone running firmware 1.1.60 allows remote attackers to gain unauthorized access via the debug service on TCP port 60023. 16289 18505 20060116 Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023 20060116 Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023 clipcomm-cp100e-default-port(24144) The DM Primer (dmprimer.exe) in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption or application hang) via a large network packet, which causes a WSAEMESGSIZE error code that is not handled, leading to a thread exit. http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756 ADV-2006-0236 16276 20060118 CAID 33756 - DM Deployment Common Component Vulnerabilities 22529 http://www.designfolks.com.au/karma/DMPrimer/ http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp 1015504 18531 The DM Primer in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption and log file consumption) via unspecified "unrecognized network messages" that are not properly handled. 1015504 http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756 ADV-2006-0236 16276 20060118 CAID 33756 - DM Deployment Common Component Vulnerabilities 22529 http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp 18531 PHP remote file inclusion vulnerability in htmltonuke.php in the htmltonuke 2.0 alpha, and possibly other versions, module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the filnavn parameter. htmltonuke-htmltonuke-file-include(33092) 16282 3524 Linksys BEFVP41 VPN Router 2.0 with firmware 1.01.04 allows remote attackers on the local network, to cause a denial of service via IP packets with a null IP option length. ADV-2006-0238 20060116 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability 20060113 Linksys VPN Router (BEFVP41) DoS Vulnerability 1015490 18461 linksys-null-length-dos(24125) 16307 20060117 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability Cross-site scripting (XSS) vulnerability in aoblogger 2.3 allows remote attackers to inject arbitrary Javascript via a javascript URI in the BBcode url tag. ADV-2006-0240 16286 16889 http://evuln.com/vulns/37/summary.html aoblogger-url-xss(24141) 22526 http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities SQL injection vulnerability in login.php in aoblogger 2.3 allows remote attackers to execute arbitrary SQL commands via the username parameter. ADV-2006-0240 16286 16889 http://evuln.com/vulns/37/summary.html aoblogger-login-sql-injection(24142) 22527 http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities create.php in aoblogger 2.3 allows remote attackers to bypass authentication and create new blog entries by setting the uza parameter to 1. ADV-2006-0240 16286 16889 http://evuln.com/vulns/37/summary.html aoblogger-create-security-bypass(24143) http://mikeheltonisawesome.com/viewcomments.php?idd=46 20060117 [eVuln] aoblogger Multiple Vulnerabilities Multiple SQL injection vulnerabilities in PDFdirectory before 1.0 allow remote attackers to execute arbitrary SQL commands via multiple unspecified vectors involving (1) util.php, (2) userpref.php, (3) user.php, (4) uploadfrm.php, (5) title.php, (6) team.php, (7) stats.php, (8) page.php, (9) org.php, (10) member.php, (11) index.php, (12) group.php, or (13) anniv.php. 16273 22415 22414 22413 22412 22411 22410 22409 22408 22407 22406 22405 22404 22403 http://sourceforge.net/project/shownotes.php?release_id=382411&group_id=122682 18459 ADV-2006-0231 PDFdirectory before 1.0 stores sensitive data in plaintext, which allows remote attackers to obtain arbitrary users' passwords by direct queries to the database, possibly via one of the SQL injection vulnerabilities. 22402 http://sourceforge.net/project/shownotes.php?release_id=382411&group_id=122682 index.php in EZDatabase before 2.1.2 does not properly cleanse the p parameter before constructing and including a .php filename, which allows remote attackers to conduct directory traversal attacks, and produces resultant cross-site scripting (XSS) and path disclosure. http://zur.homelinux.com/Advisories/ezdatabase_dir_trans.txt 16257 20060115 EZDatabase Directory Transversal, XSS and Path Disclosure Vulnerability 18043 20060115 EZDatabase Directory Transversal, XSS and Path Disclosure Vulnerability ezdatabase-index-p-path-disclosure(24135) ezdatabase-index-p-xss(24134) 22684 Buffer overflow in YGPPicFinder.DLL in AOL You've Got Pictures (YGP) Picture Finder Tool ActiveX Control, as used in AOL 8.0, 8.0 Plus, and 9.0 Classic, allows remote attackers to execute arbitrary code via unspecified vectors. VU#715730 16262 18521 aol-youvegotpictures-activex-bo(24160) ADV-2006-0221 22486 http://www.kb.cert.org/vuls/id/MIMG-6KRSQP 1015494 http://news.com.com/2061-10789_3-6027865.html?part=rss&tag=6027865&subj=news Cross-site scripting (XSS) vulnerability in rkrt_stats.php in RedKernel Referrer Tracker 1.1.0-3 allows remote attackers to inject arbitrary web script or HTML via a query string value as a GET, which is stored in the $QUERY_STRING variable. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information. ADV-2006-0197 16266 18473 referertracker-rkrtstats-xss(24151) SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action. blogphp-index-bypass-security(24131) ADV-2006-0204 16269 20060117 [eVuln] BlogPHP Authentication Bypass 22495 18467 http://evuln.com/vulns/34/summary Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via ".." (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands. 22496 http://www.lort.dk/DSR-farmerswife44sp1.pl 18508 20060113 Farmers wife 4.4 sp1 remote SYSTEM access farmerswife-ftp-directory-traversal(24190) 16321 SQL injection vulnerability in admin/processlogin.php in Bit 5 Blog 8.01 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameter. ADV-2006-0195 16244 20060115 [eVuln] Bit 5 Blog SQL Injection & Authentication Bypass Vulnerability 18464 http://evuln.com/vulns/31/summary bit5blog-processlogin-sql-injection(24124) 22445 fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster. TA06-214A http://fetchmail.berlios.de/fetchmail-SA-2006-01.txt fetchmail-message-bounce-dos(24265) ADV-2006-3101 ADV-2006-0300 19289 16365 20060122 fetchmail security announcement fetchmail-SA-2006-01 (CVE-2006-0321) 22691 SSA:2006-045-01 1015527 21253 18895 18571 APPLE-SA-2006-08-01 http://developer.berlios.de/project/shownotes.php?release_id=8784 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348747 Unspecified vulnerability the edit comment formatting functionality in MediaWiki 1.5.x before 1.5.6 and 1.4.x before 1.4.14 allows attackers to cause a denial of service (infinite loop) via "certain malformed links." http://sourceforge.net/project/shownotes.php?release_id=386609 ADV-2006-0392 mediawiki-comment-format-dos(24478) 18717 18711 SUSE-SR:2006:003 Buffer overflow in swfformat.dll in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, Rhapsody 3, and Helix Player allows remote attackers to execute arbitrary code via a crafted SWF (Flash) file with (1) a a size value that is less than the actual size, or (2) other unspecified manipulations. VU#231028 http://www.service.real.com/realplayer/security/03162006_player/en/ RHSA-2006:0257 SUSE-SA:2006:018 GLSA-200603-24 19365 19362 realnetworks-swf-bo(25408) ADV-2006-1057 17202 20060411 Realplayer .SWF Multiple Remote Memory Corruption Vulnerabilities 1015806 690 19390 19358 SQL injection vulnerability in WebspotBlogging 3.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter to login.php. ADV-2006-0268 16319 20060119 [eVuln] WebspotBlogging Authentication Bypass Vulnerability http://evuln.com/vulns/41/summary.html https://sourceforge.net/project/shownotes.php?release_id=387180&group_id=156586 https://sourceforge.net/forum/forum.php?forum_id=532233 webspotblogging-login-sql-injection(24222) 22670 1015522 356 18560 Etomite Content Management System 0.6, and possibly earlier versions, when downloaded from the web site in January 2006 after January 10, contains a back door in manager/includes/todo.inc.php, which allows remote attackers to execute arbitrary commands via the "cij" parameter. etomite-default-backdoor(24254) 18556 ADV-2006-0283 16336 20060130 Etomite followup information 20060127 Etomite CMS 22693 http://www.lucaercoli.it/advs/etomite.txt http://www.etomite.org/forums/index.php?showtopic=4291 http://www.etomite.org/forums/index.php?showtopic=4185 TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails. 20060119 IRM 015: File system path disclosure on TYPO3 Web Content Manager ADV-2006-0269 20060119 Re: IRM 015: File system path disclosure on TYPO3 Web Content Manager 20060119 Re: IRM 015: File system path disclosure on TYPO3 Web Content Manage http://www.irmplc.com/advisory015.htm 18546 http://bugs.typo3.org/view.php?id=2248 typo3-multiple-path-disclosure(24244) 22667 22666 22665 361 Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request. VU#632633 ADV-2006-0263 20060119 Critical security advisory #006 tftpd32 Format string http://www.critical.lt/research/tftpd32_281_dos.txt http://www.critical.lt/?vulnerabilities/200 18539 tftpd32-request-format-string(24250) 16333 22661 362 SQL injection vulnerability in HITSENSER Data Mart Server BS, BS-S, BS-M, BS-L, and EX allows remote attackers to execute arbitrary SQL commands via unknown attack vectors. 18553 ADV-2006-0266 16326 22669 http://www.hitachi-support.com/security_e/vuls_e/HS05-026_e/index-e.html 1015519 hitachi-hitsenser-sql-injection(24240) Cross-site scripting (XSS) vulnerability in Gallery before 1.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving the user name (fullname). gallery-unknown-xss(24247) 16334 22660 GLSA-200601-13 18627 18557 ADV-2006-0282 http://gallery.menalto.com/page/gallery_1_5_2_release DSA-1148 21502 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325285 Buffer overflow in Change passwd 3.1 (chpasswd) SquirrelMail plugin allows local users to execute arbitrary code via long command line arguments. http://www.squirrelmail.org/plugin_view.php?id=117 20060119 Change passwd 3.1 (SquirrelMail plugin ) changepassword-changepasswd-bo(24258) 363 Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments in a publicly accessible directory, which may allow remote attackers to upload arbitrary files. 16317 18524 ecartis-pantomime-bypass-security(24220) ADV-2006-0260 [listar-dev] 20060119 [EDev] Re: Potential vulnerability -- who to contact? [listar-dev] 20060115 [EDev] Re: Potential vulnerability -- who to contact? Cross-site scripting (XSS) vulnerability in ar-blog 5.2 allows remote attackers to inject arbitrary web script or HTML via the (1) month or (2) year parameter to index.php. 20060118 -2- [XSS] in ar-blog v 5.2 arblog-index-xss(24246) 20060527 Multiple Xss exploits in ar-blog v 5.2 Cross-site scripting (XSS) vulnerability in search.php in My Amazon Store Manager 1.0 allows remote attackers to inject arbitrary web script or HTML via the Keywords parameter. NOTE: some sources claim that the affected parameter is "q", but the only public archive of the original researcher notification shows an XSS manipulation in "Keywords". masm-search-xss(24230) ADV-2006-0252 16312 22626 18535 http://osvdb.org/ref/22/22626-my_amazon.txt Multiple unspecified vulnerabilities in Kerio WinRoute Firewall before 6.1.4 Patch 1 allow remote attackers to cause a denial of service via multiple unspecified vectors involving (1) long strings received from Active Directory and (2) the filtering of HTML. 16314 22631 18542 kerio-winroute-activedirectory-dos(24233) kerio-winroute-html-dos(24232) ADV-2006-0247 http://www.kerio.com/kwf_history.html Kerio WinRoute Firewall before 6.1.4 Patch 2 allows attackers to cause a denial of service (CPU consumption and hang) via unknown vectors involving "browsing the web". ADV-2006-0324 http://www.kerio.com/kwf_history.html kerio-winroute-browsing-dos(24317) 16385 22631 18589 Buffer overflow in multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allows remote attackers to execute arbitrary code via crafted ZIP archives. http://www.f-secure.com/security/fsc-2006-1.shtml 18529 ADV-2006-0257 16309 fsecure-zip-bo(24198) 22632 Q-103 1015510 1015509 1015508 1015507 Multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allow remote attackers to hide arbitrary files and data via malformed (1) RAR and (2) ZIP archives, which are not properly scanned. 16309 http://www.f-secure.com/security/fsc-2006-1.shtml 18529 ADV-2006-0257 22633 Q-103 1015510 1015509 1015508 1015507 fsecure-rar-zip-scan-bypass(24199) Buffer overflow in BitComet Client 0.60 allows remote attackers to execute arbitrary code, when the publisher's name link is clicked, via a long publisher URI in a torrent file. 16311 18522 ADV-2006-0251 20060118 Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability http://www.fortinet.com/FortiGuardCenter/FSA-2006-07.html http://www.bitcomet.com/doc/changelog.htm bitcomet-torrent-publisher-bo(24229) 22625 357 20060118 Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability 20060122 BitComet URI Proof of Concept Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) support in Cisco IOS 12.0 through 12.4 running on various Cisco products, when SGBP is enabled, allows remote attackers on the local network to cause a denial of service (device hang and network traffic loss) via a crafted UDP packet to port 9900. 1015501 18490 cisco-ios-sgbp-dos(24182) ADV-2006-0248 16303 22624 20060118 IOS Stack Group Bidding Protocol Crafted Packet DoS 358 Cross-site scripting (XSS) vulnerability in WCONSOLE.DLL in Rockliffe MailSite 5.x and 6.1.22 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string. 18551 20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability ADV-2006-0284 mailsite-wconsole-xss(24256) 16330 22677 RockLiffe MailSite HTTP Mail management agent (httpma) 7.0.3.1 allows remote attackers to cause a denial of service (CPU consumption and crash) via a malformed query string containing special characters such as "|". 18551 20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability mailsite-wconsole-dos(24255) ADV-2006-0284 16331 22678 Unspecified vulnerability in the Port Discovery Standard and Advanced features in Hitachi JP1/NetInsight II allows attackers to stop the Port Discovery service via unknown vectors involving "invalid format data". 18538 ADV-2006-0267 16327 22676 http://www.hitachi-support.com/security_e/vuls_e/HS05-027_e/index-e.html 1015520 hitachi-jp1netinsight-port-dos(24243) Directory traversal vulnerability in Intervations FileCOPA FTP Server 1.01 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the (1) STOR and (2) RETR commands. http://www.nii.co.in/vuln/filecopa.html 18550 filecopa-ftp-directory-traversal(24257) ADV-2006-0285 16335 22694 Multiple SQL injection vulnerabilities in SaralBlog 1.0 allow remote attackers to execute arbitrary SQL commands via the search parameter to search.php. NOTE: the id/viewprofile.php issue is already covered by CVE-2005-4058. 16306 http://evuln.com/vulns/40/summary.html saralblog-search-sql-injection(24218) 22740 1015517 20060118 [eVuln] SaralBlog XSS & Multiple SQL Injection Vulnerabilities Cross-site scripting (XSS) vulnerability in SaralBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via a website field in a new comment to view.php, which is not properly handled in the comment function in functions.php. 16306 http://evuln.com/vulns/40/summary.html saralblog-view-xss(24219) 27907 1015517 20060118 [eVuln] SaralBlog XSS & Multiple SQL Injection Vulnerabilities Directory traversal vulnerability in ELOG before 2.6.1 allows remote attackers to access arbitrary files outside of the elog directory via "../" (dot dot) sequences in the URL. 16315 18533 elog-dotdot-directory-traversal(24224) ADV-2006-0262 http://midas.psi.ch/elog/download/ChangeLog 22647 DSA-967 18783 Format string vulnerability in the write_logfile function in ELOG before 2.6.1 allows remote attackers to cause a denial of service (server crash) via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16315 18533 ADV-2006-0262 http://midas.psi.ch/elog/download/ChangeLog elog-elogd-format-string(24221) 22646 DSA-967 18783 SQL injection vulnerability in eggblog 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to blog.php. 16305 1015505 18212 http://evuln.com/vulns/39/summary.html eggblog-blog-sql-injection(24210) 22751 20060118 [eVuln] eggblog Multiple SQL Injection & XSS Vulnerabilities Cross-site scripting (XSS) vulnerability in eggblog 2.0 allow remote attackers to inject arbitrary web script or HTML via the message field to topic.php. 16305 1015505 18212 http://evuln.com/vulns/39/summary.html eggblog-topic-xss(24209) 22752 20060118 [eVuln] eggblog Multiple SQL Injection & XSS Vulnerabilities Unspecified "critical denial-of-service vulnerability" in MyDNS before 1.1.0 has unknown impact and attack vectors. 22636 18532 ADV-2006-0256 http://mydns.bboy.net/download/changelog.html mydns-query-dos(24228) 16431 GLSA-200601-16 DSA-963 1015521 18653 18641 The default configuration of Fluffington FLog 1.01 installs users.0.dat under the web document root with insufficient access control, which might allow remote attackers to obtain sensitive information (login credentials) via a direct request. NOTE: It was later reported that 1.1.2 is also affected. 20070105 Flog 1.1.2 Remote Admin Password Disclosure 20060117 [eVuln] Flog Information Disclosure Vulnerability http://evuln.com/vulns/38/summary/bt/ flog-admin-info-disclosure(31307) flog-data-directory-insecure(24193) unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to the randomness generator, which allows local users to cause a denial of service by truncating the seed file, which prevents the server from starting, or obtain sensitive seed information that could be used to crack keys. 16357 DSA-956 18623 18564 lsh-file-descriptor-leak(24263) ADV-2006-0301 22695 [lsh-bugs] SECURITY: lshd leaks fd:s to user shells Cisco IOS before 12.3-7-JA2 on Aironet Wireless Access Points (WAP) allows remote authenticated users to cause a denial of service (termination of packet passing or termination of client connections) by sending the management interface a large number of spoofed ARP packets, which creates a large ARP table that exhausts memory, aka Bug ID CSCsc16644. 1015483 18430 cisco-aironet-arp-dos(24086) ADV-2006-0176 16217 22375 20060112 Access Point Memory Exhaustion from ARP Attacks 339 oval:org.mitre.oval:def:5680 Helmsman Research (aka CoolUtils) HomeFtp 1.1 allows remote attackers to cause an unspecified denial of service via a long USER command combined with a long PASS command and an NLST command. 20060114 [KAPDA::#21] - HomeFtp v1.1 Denial of Service http://www.kapda.ir/advisory-202.html homeftp-long-command-dos(24152) 16238 350 Ari Pikivirta Home Ftp Server 1.0.7 allows remote attackers to cause an unspecified denial of service via a long USER command combined with a long PASS command. 20060115 Homeftp r1.0.7 Denial of Service http://www.kapda.ir/advisory-211.html homeftpserver-long-command-dos(24227) Grant Averett Cerberus FTP Server 2.32, and possibly earlier versions, allows remote attackers to cause an unspecified denial of service via a long string that does not contain a valid FTP command. 20060115 Cerberus FTP Server 2.32 Denial of Service http://www.kapda.ir/advisory-210.html http://www.cerberusftp.com/cerberus-releasenotes.htm cerberus-long-command-dos(24226) Multiple SQL injection vulnerabilities in PowerPortal, possibly 1.1 beta through 1.3, allow remote attackers to execute arbitrary SQL commands via the search parameter in (1) index.php and (2) search.php. NOTE: This issue might overlap CVE-2004-0663.2. 16279 20060117 PowerPortal Cross-Site Scripting Vulnerability http://web.archive.org/web/20050303003128/http://powerportal.sourceforge.net/ powerportal-search-index-xss(24196) 27958 27957 10172 Buffer overflow in CounterPath eyeBeam SIP Softphone allows remote attackers to (1) cause a denial of service (device crash) via SIP INVITE commands with a long header field name sent during startup and (2) cause a denial of service (device hang or crash) via SIP INVITE commands with a long header field name sent during a call. eyebeam-sip-header-bo(24181) ADV-2006-0259 16253 20060921 Re: CounterPath eyeBeam Handing SIP header Vulnerabilities 20060116 CounterPath eyeBeam Handing SIP header Vulnerabilities 354 18516 http://blog.donews.com/zwell/archive/2006/01/17/698810.aspx MPM SIP HP-180W Wireless IP Phone WE.00.17 allows remote attackers to obtain sensitive information and possibly cause a denial of service via a direct connection to UDP port 9090, which is undocumented and does not require authentication. 16285 18512 20060116 MPM HP-180W VoIP wireless desktop phone undocumented port UDP/9090 mpn-hp180w-default-port(24147) Cross-site scripting (XSS) vulnerability in addcomment.php in Bit 5 Blog 8.01 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in an <a> tag in the comment parameter, which strips most tags but not <a>. ADV-2006-0195 16246 20060115 [eVuln] Bit 5 Blog JavaScript Insertion Vulnerability 22446 18464 http://evuln.com/vulns/32/summary/ http://evuln.com/vulns/32/exploit bit5blog-addcomment-xss(24129) TippingPoint Intrusion Prevention System (IPS) TOS before 2.1.4.6324, and TOS 2.2.x before 2.2.1.6506, allow remote attackers to cause a denial of service (CPU consumption) via an unknown vector, probably involving an HTTP request with a negative number in the Content-Length header. 22504 http://www.eweek.com/article2/0,1759,1912048,00.asp http://isc.sans.org/diary.php?storyid=1042 tippingpoint-ips-http-traffic-dos(24200) 16299 1015511 18515 The "Remember my Password" feature in MSN Messenger 7.5 stores passwords in an encrypted format under the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key, which might allow local users to obtain the original passwords via a program that calls CryptUnprotectData, as demonstrated by the "MSN Password Recovery.exe" program. NOTE: it could be argued that local-only password recovery is inherently insecure because the decryption methods and keys must be stored somewhere on the local system, and are thus inherently accessible with varying degrees of effort. Perhaps this issue should not be included in CVE. 20060117 Re: MSN Messenger Password Decrypter for WinXP/2003 20060113 Re: MSN Messenger Password Decrypter for WinXP/2003 http://www.msn-password-recovery.com/ Cross-site scripting (XSS) vulnerability in MyBulletinBoard (MyBB) allows remote attackers to inject arbitrary web script or HTML via a signature containing a JavaScript URI in the SRC attribute of an IMG element, in which the URI uses SGML numeric character references without trailing semicolons, as demonstrated by "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116". 18544 mybb-html-signature-xss(24225) ADV-2006-0255 16308 22628 20060118 MyBB Signature HTML Code Injection Cross-site scripting (XSS) vulnerability in XMB (aka extreme message board) allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element. 20060118 XMB Forum HTML Code Injection xmbforum-imgsrc-xss(24208) 27920 Cross-site scripting (XSS) vulnerability in Phpclanwebsite (aka PCW) allows remote attackers to inject arbitrary web script or HTML via a javascript URI in a BBCode img tag. A simple fix has been released on the Main PCW site available directly at <a href="http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1">http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1 </a>Please download and install imediately. 16300 18541 ADV-2006-0254 20060117 Phpclanwebsite BBCode IMG Tag XSS Vulnerability Unspecified vulnerability in Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4.0(2a)SR2c, and 4.1 before 4.1(3)SR2 allows remote authenticated users with read-only administrative privileges to obtain full administrative privileges via a "crafted URL on the CCMAdmin web page." 22621 20060118 Cisco Call Manager Privilege Escalation 1015502 18501 cisco-callmanager-ccmadmin-gain-priv(24172) ADV-2006-0250 16293 Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4.0(2a)SR2c, and 4.1 before 4.1(3)SR2 allow remote attackers to (1) cause a denial of service (CPU and memory consumption) via a large number of open TCP connections to port 2000 and (2) cause a denial of service (fill the Windows Service Manager communication queue) via a large number of TCP connections to port 2001, 2002, or 7727. 18494 ADV-2006-0249 16295 20060118 Cisco Call Manager Denial of Service cisco-callmanager-port-connection-dos(24180) 22623 22622 1015503 359 ** DISPUTED ** MySQL 5.0.18 allows local users with access to a VIEW to obtain sensitive information via the "SELECT * FROM information_schema.views;" query, which returns the query that created the VIEW. NOTE: this issue has been disputed by third parties, saying that the availability of the schema is a normal and sometimes desired aspect of database access. 20060128 Re: MySQL 5.0 information leak? 20060123 RE: MySQL 5.0 information leak? 20060124 Re: MySQL 5.0 information leak? 20060122 Re: MySQL 5.0 information leak? 20060120 MySQL 5.0 information leak? 20060121 Re: MySQL 5.0 information leak? 20060121 RE: MySQL 5.0 information leak? Noah Medling RCBlog 1.03 stores the data and config directories under the web root with insufficient access control, which allows remote attackers to view account names and MD5 password hashes. 20060120 [eVuln] RCBlog Directory Traversal & Sensitive Information Disclosure http://www.fluffington.com/index.php?page=rcblog 18547 http://evuln.com/vulns/42/summary.html rcblog-data-config-insecure-directories(24249) 22679 1015523 Directory traversal vulnerability in index.php in Noah Medling RCBlog 1.03 allows remote attackers to read arbitrary .txt files, possibly including one that stores the administrator's account name and password, via a .. (dot dot) in the post parameter. 16342 20060120 [eVuln] RCBlog Directory Traversal & Sensitive Information Disclosure http://www.fluffington.com/index.php?page=rcblog 18547 http://evuln.com/vulns/42/summary.html rcblog-index-file-include(27042) rcblog-index-directory-traversal(24248) 20060611 RCblog 1.03 Directory Traversal [index.php] 20060218 RCblog exploit [fun] 22680 1015523 Multiple SQL injection vulnerabilities in config.php in Insane Visions BlogPHP, possibly 1.0, allow remote attackers to execute arbitrary SQL commands via the (1) blogphp_username or (2) blogphp_password parameter in a cookie. BlogPHP version 2.0 was released to fix the config.php exploit and is available for download at <a href="http://sourceforge.net/project/showfiles.php?group_id=156043">http://sourceforge.net/project/showfiles.php?group_id=156043</a>. 16340 20060121 BlogPHP config.php SQL injection login bypassed 20060120 BlogPHP config.php SQL injection login bypass 20060120 BlogPHP config.php SQL injection login bypass 22738 blogphp-index-bypass-security(24131) 365 Cross-site scripting (XSS) vulnerability in register.aspx in Douran FollowWeb allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16302 27918 Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 has multiple undocumented ports available, which (1) might allow remote attackers to obtain sensitive information, such as memory contents and internal operating-system data, by directly accessing the VxWorks WDB remote debugging ONCRPC (aka wdbrpc) on UDP 17185, (2) reflect network data using echo (TCP 7), or (3) gain access without authentication using rlogin (TCP 513). act-p202s-default-port(24149) 16288 18514 20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 on VxWorks uses a hardcoded Network Time Protocol (NTP) server in Taiwan, which could allow remote attackers to provide false time information, block access to time information, or conduct other attacks. 18514 20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services act-p202s-default-port(24149) 16288 The 802.11 wireless client in certain operating systems including Windows 2000, Windows XP, and Windows Server 2003 does not warn the user when (1) it establishes an association with a station in ad hoc (aka peer-to-peer) mode or (2) a station in ad hoc mode establishes an association with it, which allows remote attackers to put unexpected wireless communication into place. http://www.theta44.org/karma/ 20060114 [NMRC Advisory] Microsoft Windows Wireless Exposure on Laptops http://www.securiteam.com/windowsntfocus/5YP0D2KHHO.html http://www.nmrc.org/pub/advise/20060114.txt 1015489 windows-wireless-adhoc-unauth-access(24157) 349 CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." http://www.squirrelmail.org/security/issue/2006-02-15 1015662 squirrelmail-mailbox-imap-injection(24849) ADV-2006-0689 16756 18985 oval:org.mitre.oval:def:11470 RHSA-2006:0283 FEDORA-2006-133 SUSE-SR:2006:005 MDKSA-2006:049 GLSA-200603-09 DSA-988 20210 19960 19205 19176 19131 19130 20060501-01-U Cross-site scripting (XSS) vulnerability in Netrix X-Site Manager allows remote attackers to inject arbitrary web script or HTML via the product_id parameter, as originally demonstrated for a custom mp3players_details.php program. NOTE: the name of the affected program might be installation-dependent, but it has been identified as "product_details.php" by some sources. ADV-2006-0253 16313 22634 18537 http://osvdb.org/ref/22/22634-x-site.txt xsitemanager-productdetails-xss(24234) FreeBSD kernel 5.4-STABLE and 6.0 does not completely initialize a buffer before making it available to userland, which could allow local users to read portions of kernel memory. 18599 16373 FreeBSD-SA-06:06 bsd-buffer-initialization-disclosure(24338) 22730 1015541 A logic error in FreeBSD kernel 5.4-STABLE and 6.0 causes the kernel to calculate an incorrect buffer length, which causes more data to be copied to userland than intended, which could allow local users to read portions of kernel memory. 18599 16373 FreeBSD-SA-06:06 bsd-buffer-length-disclosure(24340) 22731 1015541 A logic error in the IP fragment cache functionality in pf in FreeBSD 5.3, 5.4, and 6.0, and OpenBSD, when a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule is being used, allows remote attackers to cause a denial of service (crash) via crafted packets that cause a packet fragment to be inserted twice. 18609 FreeBSD-SA-06:07 16375 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c.diff?r1=1.103&r2=1.104 bsd-pf-fragment-dos(24337) 22732 1015542 NetBSD-SA2006-004 Apple Mac OS X 10.4.5 and allows local users to cause a denial of service (crash) via an undocumented system call. ADV-2006-0597 APPLE-SA-2006-02-14 macosx-system-call-dos(24682) 16654 23190 1015634 18907 IPSec when used with VPN networks in Mac OS X 10.4 through 10.4.5 allows remote attackers to cause a denial of service (application crash) via unspecified vectors involving the "incorrect handling of error conditions". TA06-062A 16907 19064 ADV-2006-0791 APPLE-SA-2006-03-01 macosx-vpn-dos(25025) 23643 http://docs.info.apple.com/article.html?artnum=303382 automount in Mac OS X 10.4.5 and earlier allows remote file servers to cause a denial of service (unresponsiveness) or execute arbitrary code via unspecified vectors that cause automount to "mount file systems with reserved names". TA06-062A 16907 19064 ADV-2006-0791 APPLE-SA-2006-03-01 macosx-automount-execute-code(25021) 23640 1015709 http://docs.info.apple.com/article.html?artnum=303382 FileVault in Mac OS X 10.4.5 and earlier does not properly mount user directories when creating a FileVault image, which allows local users to access protected files when FileVault is enabled. TA06-062A 16907 19064 APPLE-SA-2006-03-01 ADV-2006-0791 macosx-filevault-file-access(25024) 23642 http://docs.info.apple.com/article.html?artnum=303382 Stack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, and 10.3.9 and earlier, allows remote attackers to execute arbitrary code via unspecified vectors involving a web page with crafted JavaScript, a different vulnerability than CVE-2005-4504. TA06-062A VU#176732 16907 19064 APPLE-SA-2006-03-01 ADV-2006-0791 macosx-safari-bo(25032) 1015713 http://docs.info.apple.com/article.html?artnum=303382 Safari in Mac OS X 10.3 before 10.3.9 and 10.4 before 10.4.5 allows remote attackers to redirect users to local files and execute arbitrary JavaScript via unspecified vectors involving HTTP redirection to local resources. TA06-062A 16907 1015713 19064 APPLE-SA-2006-03-01 macosx-safari-http-redirect(25038) ADV-2006-0791 http://docs.info.apple.com/article.html?artnum=303382 Cross-site scripting (XSS) vulnerability in Syndication (Safari RSS) in Mac OS X 10.4 through 10.4.5 allows remote attackers to execute arbitrary JavaScript via unspecified vectors involving RSS feeds. TA06-062A 16907 19064 APPLE-SA-2006-03-01 ADV-2006-0791 macosx-syndication-xss(25040) 23649 http://docs.info.apple.com/article.html?artnum=303382 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4504. Reason: This candidate is a duplicate of CVE-2005-4504. Notes: All CVE users should reference CVE-2005-4504 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Directory traversal vulnerability in the BOM framework in Mac OS X 10.x before 10.3.9 and 10.4 before 10.4.5 allows user-assisted attackers to overwrite or create arbitrary files via an archive that is handled by BOMArchiveHelper. TA06-062A 20060302 Apple MacOS X BOMArchiveHelper Directory Traversal Vulnerability APPLE-SA-2006-03-01 ADV-2006-0791 16907 23641 19064 macosx-bom-directory-traversal(25023) http://docs.info.apple.com/article.html?artnum=303382 Buffer overflow in Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Canon RAW image. VU#527236 TA06-214A macosx-raw-image-bo(28142) ADV-2006-3101 19289 27739 21253 APPLE-SA-2006-08-01 OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang. TA06-214A macosx-openssh-nonexistent-user-dos(28147) ADV-2006-3101 19289 27745 1016672 21253 APPLE-SA-2006-08-01 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0848. Reason: This candidate is a duplicate of CVE-2006-0848. Notes: All CVE users should reference CVE-2006-0848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types. TA06-062A ADV-2006-0791 APPLE-SA-2006-03-01 http://docs.info.apple.com/article.html?artnum=303382 macosx-mail-bypass-security(25027) 16907 23645 19064 Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. VU#980084 17081 1015762 19129 ADV-2006-0949 20060314 DMA[2006-0313a] - 'Apple OSX Mail.app RFC1740 Real Name Buffer Overflow' http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 macosx-mail-attachment-bo(25209) 23872 Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Per Hyperlink 894663: Vendor description specifies that the file is automatically opened by the application: Safari could automatically open a file which appears to be a safe file type. 19129 macosx-safefiletype-command-execution(25269) ADV-2006-0949 23869 1015760 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Hyperlink Record 894667 specifies: Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. 19129 macosx-safefiletype-command-execution(25269) ADV-2006-0949 23870 1015760 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Per Hyperlink Record 894671: Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. 19129 macosx-safefiletype-command-execution(25269) ADV-2006-0949 23871 1015760 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to bypass the same-origin policy and execute Javascript in other domains via unknown vectors involving "crafted archives." 17082 19129 ADV-2006-0949 APPLE-SA-2006-03-13 http://docs.info.apple.com/article.html?artnum=303453 macosx-sameorigin-policy-bypass(25208) 23873 1015763 Unspecified vulnerability in Mac OS X before 10.4.6, when running on an Intel-based computer, allows attackers with physical access to bypass the firmware password and log on in Single User Mode via unspecified vectors. 19462 ADV-2006-1215 17364 http://docs.info.apple.com/article.html?artnum=303567 macosx-firmware-password-bypass(25620) 24399 1015859 SQL injection vulnerability in Zoph before 0.5pre1 allows remote attackers to execute arbitrary SQL commands. zoph-sql-injection(24264) http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=387320 18563 ADV-2006-0297 16347 22743 DSA-989 19153 Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but this is incorrect. emoblog-index-sql-injection(24245) ADV-2006-0296 16344 20060122 [eVuln] e-moBLOG SQL Injection Vulnerability 22701 22700 1015524 370 18567 http://evuln.com/vulns/43/summary.html 20060125 The parameter in e-moBLOG is Note-A-Day Weblog 2.2 stores sensitive data under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to archive/.phpass-admin, which contains encrypted passwords. noteaday-archive-directory-insecure(24270) noteaday-archive-information-disclosure(24270) ADV-2006-0299 18566 http://evuln.com/vulns/44/summary.html 22699 1015539 371 20060122 [eVuln] Note-A-Day Weblog Sensitive Information Disclosure The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' libtiff-tiffvsetfield-dos(24275) ADV-2006-0302 18172 GLSA-200605-17 20345 18587 http://bugzilla.remotesensing.org/show_bug.cgi?id=1034 http://bugzilla.remotesensing.org/show_bug.cgi?id=1029 search.php in MyBB 1.0.2 allows remote attackers to obtain sensitive information via a certain search request that reveals the table prefix in a SQL error message, possibly due to invalid parameters. mybb-search-information-disclosure(24272) 20060114 MyBB 1.0.2 Sniffing table perfix bug in search.php 22736 18577 Cross-site scripting (XSS) vulnerability in post.php in AZ Bulletin Board (AZbb) 1.1.00 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) nickname parameter and (2) an iframe tag in the topic parameter. NOTE: the original disclosure specified the name parameter, but a correction was later provided. NOTE: followup posts have both disputed and confirmed the original claim. azbulletinboard-post-xss(24274) ADV-2006-0298 16351 20060309 Re: Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060308 Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060128 [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060123 Azbb v1.1.00 Cross-Site Scripting 18565 http://kapda.ir/advisory-236.html 20060308 Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting rsh utility in Sun Grid Engine (SGE) before 6.0u7_1 allows local users to gain privileges and execute arbitrary code via unspecified vectors, possibly involving command line arguments. 18580 ADV-2006-0308 http://gridengine.sunsource.net/project/gridengine/60patches.txt sge-rsh-gain-privileges(24281) 16366 1015531 Cross-site scripting (XSS) vulnerability in index.php in Pixelpost Photoblog 1.4.3 allows remote attackers to inject arbitrary web script or HTML via the "Add Comment" field in a comment popup. pixelpost-index-xss(24261) ADV-2006-0309 16362 18572 http://evuln.com/vulns/45/summary.html 20060123 [eVuln] Pixelpost Photoblog XSS Vulnerability 1015529 SQL injection vulnerability in ADOdb before 4.71, when using PostgreSQL, allows remote attackers to execute arbitrary SQL commands via unspecified attack vectors involving binary strings. http://sourceforge.net/project/shownotes.php?release_id=387862&group_id=42718 18575 adodb-postgresql-sql-injection(24314) ADV-2006-0448 ADV-2006-0315 16364 22705 GLSA-200604-07 GLSA-200602-02 DSA-1031 DSA-1030 DSA-1029 19591 19590 19555 18745 18732 19691 claro_init_local.inc.php in Claroline 1.7.2 uses guessable session cookies (MD5 hash of connection time), which allows remote attackers to hijack sessions and possibly gain administrative privileges. ADV-2006-0320 16341 20060120 Claroline 1.7.2, sso identification vulnerability claroline-cookie-bypass-security(24326) 18588 SQL injection vulnerability in CyberShop allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action. cybershop-login-sql-injection(24005) 22365 20060105 CyberShop User Login Sql Injection Multiple SQL injection vulnerabilities in index.php in NewsPHP allow remote attackers to execute arbitrary SQL commands via the (1) discuss, (2) tim, (3) id, (4) last, and (5) limit parameter. newsphp-index-sql-injection(24320) ADV-2006-0341 16339 20060122 Newsphp Multiple SQL Injection Vulnerabilities 22717 18624 Tor before 0.1.1.20 allows remote attackers to identify hidden services via a malicious Tor server that attempts a large number of accesses of the hidden service, which eventually causes a circuit to be built through the malicious server. 18576 http://archives.seul.org/or/announce/Jan-2006/msg00001.html tor-service-information-disclosure(24285) 18323 22689 http://tor.eff.org/cvs/tor/ChangeLog GLSA-200606-04 20514 19795 Cross-site scripting (XSS) vulnerability in index.php in SleeperChat 0.3f and earlier allows remote attackers to inject arbitrary web script or HTML via the pseudo parameter. 16363 1015525 sleeperchat-index-xss(24300) 22784 SleeperChat 0.3f and earlier allows remote attackers to bypass authentication and create new entries via the txt parameter to (1) chat_no.php and (2) chat_if.php. sleeperchat-txt-security-bypass(24357) 1015525 SQL injection vulnerability in login.php in miniBloggie 1.0 and earlier, when gpc_magic_quotes is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameters. ADV-2006-0310 http://evuln.com/vulns/47/summary.html minibloggie-login-sql-injection(24280) 16367 20060124 [eVuln] miniBloggie Authentication Bypass 22729 1015534 18604 Eval injection vulnerability in 123 Flash Chat Server 5.0 and 5.1 allows attackers to execute arbitrary code via a crafted username. 16360 20060124 [ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchat BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6 allows anonymous binds to the embedded LDAP server, which allows remote attackers to read user entries or cause a denial of service (unspecified) via a large number of connections. 1015528 BEA06-81.01 BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow errors." 1015528 BEA06-106.01 By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended. 1015528 18581 BEA06-108.00 weblogic-cross-domain-management(24286) ADV-2006-0313 16358 Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote attackers to access MBean attributes or cause an unspecified denial of service via unknown attack vectors. 1015528 18592 BEA06-109.00 weblogic-java-mbean-access(24294) ADV-2006-0313 16358 BEA WebLogic Portal 8.1 through SP3 stores the password for the RDBMS Authentication provider in cleartext in the config.xml file, which allows attackers to gain privileges. 1015528 BEA06-110.00 weblogic-portal-config-info-disclosure(40705) weblogicportal-config-info-disclosure(24284) ADV-2008-0613 ADV-2006-0312 16358 18593 BEA08-110.01 BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information. 1015528 18592 BEA06-111.00 weblogic-server-log-disclosure(24295) ADV-2006-0313 16358 22776 BEA WebLogic Portal 8.1 through SP4 allows remote attackers to obtain the source for a deployment descriptor file via unknown vectors. 1015528 BEA06-112.00 weblogic-deployment-descriptor-disclosure(24297) ADV-2006-0312 16358 18593 BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and a password change occurs, stores the old and new passwords in cleartext in the DefaultAuditRecorder.log file, which could allow attackers to gain privileges. 1015528 18592 BEA06-113.00 weblogic-password-information-disclosure(24290) ADV-2006-0313 16358 22775 Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0 and 8.1 through SP5 allows malicious EJBs or servlet applications to decrypt system passwords, possibly by accessing functionality that should have been restricted. 1015528 18592 BEA06-114.00 weblogic-servlets-obtain-information(24291) ADV-2006-0313 16358 22774 Unspecified vulnerability in BEA WebLogic Portal 8.1 SP3 through SP5, when using Web Services Remote Portlets (WSRP), allows remote attackers to access restricted web resources via crafted URLs. 1015528 BEA06-115.00 weblogic-wsrp-gain-access(24293) ADV-2006-0312 16358 22767 18593 BEA WebLogic Server and WebLogic Express 9.0 causes new security providers to appear active even if they have not been activated by a server reboot, which could cause an administrator to perform inappropriate, security-relevant actions. 1015528 18592 BEA06-116.00 weblogic-security-provider-weakness(24298) ADV-2006-0313 16358 22773 Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown). 1015528 18592 BEA06-117.00 ADV-2006-0313 16358 weblogic-connection-filter-dos(24301) Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP5 allows untrusted applications to obtain the server's SSL identity via unknown attack vectors. 1015528 18592 BEA06-118.00 ADV-2006-0313 16358 weblogic-ssl-identity-exposure(24302) Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0, when an Administrator uses the WebLogic Administration Console to add custom security policies, causes incorrect policies to be created, which prevents the server from properly protecting JNDI resources. 1015528 18592 BEA06-119.00 weblogic-jdni-security-weakness(24299) ADV-2006-0313 16358 Selective Acknowledgement (SACK) in FreeBSD 5.3 and 5.4 does not properly handle an incoming selective acknowledgement when there is insufficient memory, which might allow remote attackers to cause a denial of service (infinite loop). 22861 ADV-2006-0409 16466 FreeBSD-SA-06:08 bsd-sack-handling-dos(24453) 1015566 399 18696 Directory traversal vulnerability in action.php in phpXplorer allows remote attackers to read arbitrary files via ".." (dot dot) sequences and null bytes in the sAction parameter, a different vulnerability than CVE-2006-0244. NOTE: if the functionality of phpXplorer supports the upload of PHP files, then this issue would not cross privilege boundaries and would not be a vulnerability. 20060118 phpXplorer file inclusion biyosecurity.be phpxplorer-sshare-directory-traversal(39982) 16292 Unspecified vulnerability in Oracle PL/SQL (PLSQL), as used in Database Server DS 9.2.0.7 and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, and 10.1.3.0.0, E-Business Suite and Applications 11.5.10, and Collaboration Suite 10.1.1, 10.1.2.0, 10.1.2.1, and 9.0.4.2, allows attackers to bypass the PLSQLExclusion list and access excluded packages and procedures, aka Vuln# PLSQL01. VU#169164 20060125 Workaround for unpatched Oracle PLSQL Gateway flaw 1015961 oracle-plsql-command-execution(24363) ADV-2006-1571 ADV-2006-1397 ADV-2006-0338 16384 HPSBMA02113 HPSBMA02113 20060208 Re: Workaround for unpatched Oracle PLSQL Gateway flaw 20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw 20060202 The History of the Oracle PLSQL Gateway Flaw 20060131 Re: Workaround for unpatched Oracle PLSQL Gateway flaw 22719 http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015544 403 402 19859 19712 18621 20060125 Workaround for unpatched Oracle PLSQL Gateway flaw 20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw 20060202 The History of the Oracle PLSQL Gateway Flaw Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. 1015530 HPSBUX02091 SSRT061099 ADV-2006-0322 hpux-unspecified-privilege-escalation(24318) http://support.avaya.com/elmodocs2/security/ASA-2006-025.htm 18600 18596 oval:org.mitre.oval:def:1586 oval:org.mitre.oval:def:1577 oval:org.mitre.oval:def:1453 Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">" characters. phpbb-referer-header-http-xss(24497) ADV-2006-0445 22928 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin 18693 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin 406 Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php. ADV-2006-0445 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin 18693 phpbb-referer-header-http-xss(24497) 22929 406 20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin Text Rider 2.4 stores sensitive data in the data directory under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing data/userlist.txt. textrider-data-information-disclosure(24279) ADV-2006-0321 18605 http://evuln.com/vulns/46/summary.html 20060124 [eVuln] Text Rider Sensitive Information Disclosure 1015533 Text Rider 2.4 allows attackers to bypass authentication and upload files without providing a valid password by obtaining the MD5 hash of the password (possibly via another vulnerability that reads it from a data file), then including the hash in a cookie. http://evuln.com/vulns/46/summary.html 20060124 [eVuln] Text Rider Sensitive Information Disclosure 1015533 Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed. ADV-2006-0317 16370 http://www.critical.lt/?vulnerabilities/208 18574 samiftpserver-user-bo(24325) 20060124 SamiFTPd buffer overflow http://www.karjasoft.com/samiftp/news http://downloads.securityfocus.com/vulnerabilities/exploits/sami_ftp_poc.pl Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in a editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219. ADV-2006-0316 16361 20060124 [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting 1015535 18603 http://kapda.ir/advisory-241.html Cross-site scripting (XSS) vulnerability in archive.php in CheesyBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) realname and (2) comment parameters, or (3) via a javascript URI in the url parameter, when adding a comment. ADV-2006-0326 16376 20060125 [eVuln] CheesyBlog XSS Vulnerability http://evuln.com/vulns/49/summary.html cheesyblog-archive-xss(24292) 22716 369 18610 SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1.23.1 allows remote attackers to execute arbitrary SQL commands via the (1) par parameter in the post function on the forum page and possibly the (2) poll_id parameter on the poll page. NOTE: the poll_id vector can also allow resultant cross-site scripting (XSS) from an unquoted error message for invalid SQL syntax. A simple fix has been released on the Main PCW site available directly at <a href="http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1">http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1</a> Please download and install imediately. Tech note: Filters id number (par) to contain numbers only. 16391 18597 ADV-2006-0342 20060125 HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple Vulnerabilities 22722 22720 http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt phpclanwebsite-index-sql-injection(24355) index.php in Phpclanwebsite 1.23.1 allows remote authenticated users to obtain the installation path by specifying an invalid file name to the uploader page, as demonstrated by "\", which will display the full path of uploader.php. NOTE: this might be the result of a file inclusion vulnerability. Please add the following to the config.php file to avoid all such exploits. ini_set('display_errors', false); 16391 20060125 HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple Vulnerabilities 22721 http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt Unspecified vulnerability in WeBWorK 2.1.3 and 2.2-pre1 allows remote privilged attackers to execute arbitrary commands as the web server via unknown attack vectors. 18594 http://devel.webwork.rochester.edu/twiki/bin/view/Webwork/WeBWorKRelease2pt1pt4 ADV-2006-0319 webwork-unknown-command-execution(24322) 16371 Multiple buffer overflows in E-Post Mail Server 4.10 and SPA-PRO Mail @Solomon 4.00 allow remote attackers to execute arbitrary code via a long username to the (1) AUTH PLAIN or (2) AUTH LOGIN SMTP commands, which is not properly handled by (a) EPSTRS.EXE or (b) SPA-RS.EXE; (3) a long username in the APOP POP3 command, which is not properly handled by (c) EPSTPOP4S.EXE or (d) SPA-POP3S.EXE; (4) a long IMAP DELETE command, which is not properly handled by (e) EPSTIMAP4S.EXE or (f) SPA-IMAP4S.EXE. http://secunia.com/secunia_research/2006-1/advisory/ 18480 ADV-2006-0318 epost-imap-mailbox-dos(24334) epost-pop3-username-bo(24333) epost-smtp-username-bo(24331) 16379 22763 22762 22761 Multiple directory traversal vulnerabilities in (1) EPSTIMAP4S.EXE and (2) SPA-IMAP4S.EXE in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allow remote attackers to (a) list arbitrary directories or cause a denial of service via the LIST command; or create arbitrary files via the (b) APPEND, (c) COPY, or (d) RENAME commands. http://secunia.com/secunia_research/2006-1/advisory/ 18480 epost--append-copy-rename-file-creation(24336) ADV-2006-0318 epost--append-copy-rename-file-creation(24336) epost-imap-list-directory-traversal(24335) 16379 22765 22764 Early termination vulnerability in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allows remote attackers to cause a denial of service (infinite loop) by sending an APPEND command and disconnecting before the expected amount of data is sent. http://secunia.com/secunia_research/2006-1/advisory/ 18480 ADV-2006-0318 epost-imap-append-dos(24341) 16379 22766 phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database. 20060125 HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt http://h4cky0u.org/viewtopic.php?t=637 phpbb-search-profile-dos(24327) 368 Multiple memory leaks in the LDAP component in Fedora Directory Server 1.0 allow remote attackers to cause a denial of service (memory consumption) via invalid BER packets that trigger an error, which might prevent memory from being freed if it was allocated during the ber_scanf call, as demonstrated using the ProtoVer LDAP test suite. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 fedora-ber-memory-leak-dos(24794) 16677 18960 dn2ancestor in the LDAP component in Fedora Directory Server 1.0 allows remote attackers to cause a denial of service (CPU and memory consumption) via a ModDN operation with a DN that contains a large number of "," (comma) characters, which results in a large amount of recursion, as demonstrated using the ProtoVer LDAP test suite. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179137 fedora-dn2ancestor-dos(24796) 16677 18960 The LDAP component in Fedora Directory Server 1.0 allow remote attackers to cause a denial of service (crash) via a certain "bad BER sequence" that results in a free of uninitialized memory, as demonstrated using the ProtoVer LDAP test suite. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 fedora-ber-bad-sequence-dos(24795) 16677 18960 Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value. 16532 FLSA:157459-4 FEDORA-2006-102 SUSE-SA:2006:006 18861 18788 18784 18774 18766 [dailydave] 20060207 Fun with Linux (2.6.12 -> 2.6.15.2) kernel-icmp-ipoptionsecho-dos(24575) ADV-2006-0464 USN-250-1 2006-0006 MDKSA-2006:040 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3 [linux-kernel] 20060207 Re: Linux 2.6.15.3 [linux-kernel] 20060207 Linux 2.6.15.3 gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. Note: this also occurs when running the equivalent command "gpg --verify". DSA-978 SSA:2006-072-02 16663 SUSE-SA:2006:009 GLSA-200602-10 18968 18956 18955 18942 18934 18933 [gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPG gnupg-gpgv-improper-verification(24744) ADV-2006-0610 USN-252-1 2006-0008 FLSA-2006:185355 20060215 False positive signature verification in GnuPG RHSA-2006:0266 23221 OpenPKG-SA-2006.001 SUSE-SA:2006:013 SUSE-SR:2006:005 MDKSA-2006:043 19532 19249 19130 18845 oval:org.mitre.oval:def:10084 [gnupg-announce] 20060215 False positive signature verification in GnuPG FEDORA-2006-116 20060401-01-U The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors. ADV-2006-2554 http://www.mail-archive.com/kernel-svn-changes@lists.alioth.debian.org/msg01631.html http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.16-rc6 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=331c46591414f7f92b1cec048009abe89892ee79 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=331c46591414f7f92b1cec048009abe89892ee79 DSA-1103 oval:org.mitre.oval:def:9909 18687 RHSA-2006:0575 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21465 20914 Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory. USN-263-1 oval:org.mitre.oval:def:9566 kernel-addkey-dos(25354) 17084 RHSA-2006:0575 23894 SUSE-SA:2006:028 MDKSA-2006:059 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21465 20398 19220 The DCC ACCEPT command handler in irssi before 0.8.9+0.8.10rc5-0ubuntu4.1 in Ubuntu Linux, and possibly other distributions, allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command. 19090 USN-259-1 16913 irssi-dcc-accept-dos(25147) flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code. flex-bypass-security(24995) DSA-1020 16896 23440 19424 19071 ADV-2006-0770 USN-260-1 GLSA-200603-07 [flex-announce] 20060222 flex 2.5.33 released 570 19228 19126 http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.bz2?download Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages. GLSA-200602-09 ADV-2006-0643 bomberclone-error-message-bo(24764) 16697 23263 DSA-997 19210 18915 18914 Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer). http://evuln.com/vulns/48/summary.html ADV-2006-0325 expressionengine-coreinput-xss(24296) 16377 20060125 [eVuln] ExpressionEngine 'Referer' XSS Vulnerability 372 18602 SQL injection vulnerability in comentarios.php in AndoNET Blog 2004.09.02 allows remote attackers to execute arbitrary SQL commands via the entrada parameter. ADV-2006-0327 http://evuln.com/vulns/50/summary.html andonetblog-index-sql-injection(24309) 16393 20060126 [eVuln] AndoNET Blog SQL Injection Vulnerability 22755 377 18633 Cross-site scripting (XSS) vulnerability in IdeoContent Manager allows remote attackers to inject arbitrary web script or HTML via the (1) goto_id parameter to index.php or (2) page parameter to news_full.php. 22713 22712 http://osvdb.org/ref/22/22712-ideocontent.txt Multiple SQL injection vulnerabilities in index.php in IdeoContent Manager allow remote attackers to execute arbitrary SQL commands via the (1) goto_id or (2) mid parameter. 22714 http://osvdb.org/ref/22/22712-ideocontent.txt Cross-site scripting (XSS) vulnerability in risultati_ricerca.php in active121 Site Manager allows remote attackers to inject arbitrary web script or HTML via the cerca parameter. 22715 http://osvdb.org/ref/22/22715-active121.txt Cross-site scripting (XSS) vulnerability in search.asp in Goldstag Content Management System allows remote attackers to inject arbitrary web script or HTML via the text parameter. 22711 http://osvdb.org/ref/22/22711-goldstag.txt goldstag-search-xss(25198) Unspecified vulnerability in Pioneers (formerly gnocatan) before 0.9.49 allows remote attackers to cause a denial of service (application crash) via long chat messages. pioneers-chat-message-dos(24383) DSA-964 18692 18647 ADV-2006-0376 16429 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350237 CommuniGate Pro Core Server before 5.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via LDAP messages with negative BER lengths, and possibly other vectors, as demonstrated by the ProtoVer LDAP test suite. 16407 20060128 Multiple vulnerabilities in CommuniGate Pro Server http://www.gleg.net/advisory_cg.shtml 18640 ADV-2006-0364 http://www.stalker.com/CommuniGatePro/History.html communigate-ldap-bo(24409) Cross-site scripting (XSS) vulnerability in UebiMiau 2.7.9, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag. uebimiau-html-xss(24375) ADV-2006-0388 http://www.uebimiau.org/news.php 16413 20060129 UebiMiau Webmail System Security Vulnerability 18655 387 Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBoard (MyBB) 1.02 allows remote attackers to inject arbitrary web script or HTML via the (1) sortby and (2) sortordr parameters, which are not properly handled in a redirection. ADV-2006-0350 16387 22750 18617 20060125 MyBB 1.0.2 XSS attack in search.php redirection http://community.mybboard.net/showthread.php?tid=6418 http://community.mybboard.net/attachment.php?aid=2181 mybb-search-xss(24466) 374 Cross-site scripting (XSS) vulnerability in the bbcode function in functions.php in my little homepage my little forum, as last modified in June 2005, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags. mylittlehomepage-link-tag-xss(24310) ADV-2006-0349 16395 20060126 [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability 18628 http://evuln.com/vulns/51/summary.html 22856 http://evuln.com/vulns/51/ 20060130 My Little Homepage - source verify of different products Cross-site scripting (XSS) vulnerability in guestbook.php in my little homepage my little guestbook, as last modified in March 2004, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags. mylittlehomepage-link-tag-xss(24310) ADV-2006-0349 16395 20060126 [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability 18628 http://evuln.com/vulns/51/summary.html 22855 http://evuln.com/vulns/51/ 20060130 My Little Homepage - source verify of different products Cross-site scripting (XSS) vulnerability in the bbcode function in weblog.php in my little homepage my little weblog, as last modified in April 2004, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags. mylittlehomepage-link-tag-xss(24310) ADV-2006-0349 16395 20060126 [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability 18628 http://evuln.com/vulns/51/summary.html 22753 378 http://evuln.com/vulns/51/ 20060130 My Little Homepage - source verify of different products Multiple integer overflows in Shareaza 2.2.1.0 allow remote attackers to execute arbitrary code via (1) a large packet length field, which causes an overflow in the ReadBuffer function in (a) BTPacket.cpp and (b) EDPacket.cpp, or (2) a large packet, which causes a heap-based overflow in the Write function in (c) Packet.h. 16399 20060127 Shareaza P2P Remote Vulnerability http://www.hustlelabs.com/shareaza_advisory.pdf http://cvs.sourceforge.net/viewcvs.py/shareaza/shareaza/EDPacket.cpp?r1=1.15&r2=1.15.2.1 http://cvs.sourceforge.net/viewcvs.py/shareaza/shareaza/BTPacket.cpp?r1=1.5&r2=1.5.4.1 shareaza-cpacket-bo(24344) shareaza-cedpacket-bo(24343) shareaza-btpacket-bo(24342) 382 20060126 Shareaza Remote Vulnerability PHP-Ping 1.3 does not properly validate ping counts, which allows remote attackers to cause a denial of service (ping flood) via a negative count parameter. ADV-2006-0368 http://www.kapda.ir/advisory-231.html 18645 phpping-negative-count-dos(24382) Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field). TA06-032A VU#604745 18649 winamp-playlist-filename-bo(24361) winamp-playlist-filename-bo(24361) http://www.winamp.com/player/version_history.php ADV-2006-0361 16410 20060131 Re: Re: Winamp 5.12 - 0day exploit - code execution through playlist 20060130 Winamp 5.12 - 0day exploit - code execution through playlist 22789 http://www.heise.de/newsticker/meldung/68981 1015552 3422 398 386 1458 oval:org.mitre.oval:def:1402 Buffer overflow in git-checkout-index in GIT before 1.1.5 allows remote attackers to execute arbitrary code via an index file with a long symbolic link. 18643 http://lwn.net/Articles/169623/ ADV-2006-0367 git-gitcheckoutindex-bo(24360) 16417 CRE Loaded 6.15 allows remote attackers to perform privileged actions, including uploading and creating arbitrary files, via a direct request to files.php. NOTE: the vendor states "The initial announcement of this risk was made on our website... and it included a patch which will close the vulnerability on all known 6.0x and 6.1x releases. We strongly encourage users of CRE Loaded 6.x, osCMax, and other users of osCommerce who have installed HTMLArea based WYSIWYG editors and Admin Access with Levels to modify thier installations at the earliest possible moment." 16415 18648 creloaded-files-auth-bypass(24377) ADV-2006-0373 22793 20060203 vendor ack/fix: 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd) pmwiki.php in PmWiki 2.1 beta 20, with register_globals enabled, allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GPC variable and a GLOBALS[] variable with the same name, which causes PmWiki to unset the GLOBALS[] variable but not the GPC variable, which creates resultant vulnerabilities such as remote file inclusion and cross-site scripting (XSS). pmwiki-multiple-xss(24368) pmwiki-file-include(24367) pmwiki-path-disclosure(24366) ADV-2006-0375 http://www.ush.it/2006/01/24/pmwiki-multiple-vulnerabilities/ 16421 1015550 18634 20060128 PmWiki Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in the Articles module in sPaiz-Nuke allows remote attackers to inject arbitrary web script or HTML via the query parameter in the search file. ADV-2006-0386 16412 20060129 sPaiz-Nuke Cross-Site Scripting Vulnerability spaiznuke-modules-xss(24389) 384 18672 Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image. 16626 RHSA-2006:0205 1015617 1015615 18863 18654 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179455 libpng-pngsetstripalpha-bo(24396) ADV-2006-0393 GLSA-200812-15 33137 oval:org.mitre.oval:def:10780 ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.2.8-README.txt Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures, allows local users to cause a denial of service (hang) via a "date -s" command, which causes invalid sign extended arguments to be provided to the get_compat_timespec function call. ADV-2006-0418 [linux-sparc] 20060130 Re: Attempts to set date with 'date -s' hang the machine [linux-sparc] 20060130 Attempts to set date with 'date -s' hang the machine [debian-sparc] 20060128 `date -s' on sparc64 kernel-date-s-dos(24475) 17216 DSA-1017 19374 Cisco VPN 3000 series concentrators running software 4.7.0 through 4.7.2.A allow remote attackers to cause a denial of service (device reload or user disconnect) via a crafted HTTP packet. 20060126 Cisco VPN 3000 Concentrator Vulnerable to Crafted HTTP Attack 18629 cisco-vpn-http-dos(24330) ADV-2006-0346 16394 22754 1015546 375 Directory traversal vulnerability in Vis.pl, as part of the FACE CONTROL product, allows remote attackers to read arbitrary files via a .. (dot dot) in any parameter that opens a file, such as (1) s or (2) p. 1015547 facecontrol-vis-directory-traversal(24374) 16401 20060126 [HSC] Multiple transversal bug in vis http://www.hackerscenter.com/archive/view.asp?id=22236 376 The TCL shell in Cisco IOS 12.2(14)S before 12.2(14)S16, 12.2(18)S before 12.2(18)S11, and certain other releases before 25 January 2006 does not perform Authentication, Authorization, and Accounting (AAA) command authorization checks, which may allow local users to execute IOS EXEC commands that were prohibited via the AAA configuration, aka Bug ID CSCeh73049. ADV-2006-0337 16383 20060125 Response to AAA Command Authorization by-pass oval:org.mitre.oval:def:5836 cisco-aaa-tcl-auth-bypass(24308) 34892 1015543 18613 Certain Cisco IOS releases in 12.2S based trains with maintenance release number 25 and later, 12.3T based trains, and 12.4 based trains reuse a Tcl Shell process across login sessions of different local users on the same terminal if the first user does not use tclquit before exiting, which may cause subsequent local users to execute unintended commands or bypass AAA command authorization checks, aka Bug ID CSCef77770. 20060125 Response to AAA Command Authorization by-pass oval:org.mitre.oval:def:4905 cisco-aaa-tcl-auth-bypass(24308) 22723 1015543 18613 Multiple unspecified vulnerabilities in Tumbleweed MailGate Email Firewall (EMF) 6.x allow remote attackers to (1) trigger temporarily incorrect processing of an e-mail message under "extremely heavy loads" and (2) cause an "increased number of missed spam" during "spam outbreaks." 20060121 Tumbleweed EMF 6.x Processing Issues The VDM (Virtual DOS Machine) emulation environment for MS-DOS applications in Windows 2000, Windows XP SP2, and Windows Server 2003 allows local users to read the first megabyte of memory and possibly obtain sensitive information, as demonstrated by dumper.asm. 20060124 Windows mem leakage windows-vdm-obtain-information(24471) ** DISPUTED ** Buffer overflow in the font command of mIRC, probably 6.16, allows local users to execute arbitrary code via a long string. NOTE: the original researcher claims that issue has been disputed by the vendor, and that the vendor stated "as far as I can tell, this is neither an exploit nor a vulnerability. The above report describes a local bug in mIRC." It could be that this is only exploitable by the user of the application, and thus would not cross privilege boundaries unless under an otherwise restrictive environment such as a kiosk. 20060124 Buffer Overflow /Font on mIRC 20060201 Re: Buffer Overflow /Font on mIRC http://www.securiteam.com/windowsntfocus/5IP080AHPQ.html 22942 http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Board=bugreports&Number=118751 383 SQL injection vulnerability in login.asp in ASPThai.Net ASPThai Forums 8.0 and earlier allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the password field. ADV-2006-0372 aspthai-login-sql-injection(24359) 16404 22790 1015548 381 18636 20060127 hello SQL injection vulnerability in SZUserMgnt.class.php in SZUserMgnt 1.4 allows remote attackers to execute arbitrary SQL commands via the username parameter. szusermgnt-username-sql-injection(24339) ADV-2006-0366 http://www.evuln.com/vulns/53/summary.html 16454 20060201 [eVuln] SZUserMgnt Authentication Bypass 22809 1015569 396 18666 Multiple SQL injection vulnerabilities in Calendarix allow remote attackers to execute arbitrary SQL commands via (1) the catview parameter in cal_functions.inc.php and (2) the login parameter in cal_login.php. NOTE: the catview vector might overlap CVE-2005-1865. ADV-2006-0365 http://www.evuln.com/vulns/52/summary.html calendarix-multiple-sql-injection(24332) 16456 20060201 [eVuln] Calendarix SQL Injection & Authorization Bypass Vulnerabilities 22811 22810 1015560 394 18667 Cross-site scripting (XSS) vulnerability in MG2 (formerly known as Minigal) 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field in a comment associated with a picture. 16428 20060130 XSS flaw in MG2 Image Gallery (v.0.5.1) mg2-name-xss(24378) 389 17374 Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.02 allows local users with MyBB administrative privileges to include and possibly execute arbitrary local files via directory traversal sequences and a nul (%00) character in the plugin parameter. 20060130 MyBB 1.2 Local File Incusion mybb-plugins-file-include(24461) Cross-site scripting (XSS) vulnerability in the Add Thread to Favorites feature in usercp2.php in MyBB (aka MyBulletinBoard) 1.02 allows remote attackers to inject arbitrary web script or HTML via an HTTP Referer header ($url variable). mybb-usercp2-xss(24392) 16419 20060129 MyBB 1.2 usercp2.php [ $url ] CrossSiteScripting ( XSS ) Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibly earlier, Mozilla Firefox 1.0.7 and possibly earlier, and Netscape 8.1 and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the -moz-binding (Cascading Style Sheets) CSS property, which does not require that the style sheet have the same origin as the web page, as demonstrated by the compromise of a large number of LiveJournal accounts. https://bugzilla.mozilla.org/show_bug.cgi?id=324253 mozilla-mozbinding-xss(24427) ADV-2006-0403 16427 22924 http://www.davidpashley.com/cgi/pyblosxom.cgi/computing/livejournal-mozilla-bug.html 1015563 1015553 20060128 -moz-binding CSS property: more XSS fun http://community.livejournal.com/lj_dev/708069.html Multiple SQL injection vulnerabilities in PHP GEN before 1.4 allow remote attackers to inject arbitrary SQL commands via unknown attack vectors. ADV-2006-0408 http://www.eyce.be/php_gen/NEWS phpgen-multiple-sql-injection(24441) 15458 22885 18715 Multiple cross-site scripting (XSS) vulnerabilities in PHP GEN before 1.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. ADV-2006-0408 http://www.eyce.be/php_gen/NEWS phpgen-parameters-xss(24443) 22884 18715 Cross-site scripting (XSS) vulnerability in rlink.php in Rlink 1.0.0 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the url parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0390 16448 18620 phpbb-rlink-xss(24410) 22818 MyCO Guestbook 1.0 stores the admin directory under the web document root with insufficient access control, which allows remote attackers to perform unspecified privileged actions by directly accessing files via a URL. myco-admin-information-disclosure(24438) 20060131 MyCO multiple vulnerabilities Cross-site scripting (XSS) vulnerability in MyCO Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via the Name field, when registering a user. 20060131 MyCO multiple vulnerabilities myco-name-xss(24439) 16444 20060201 Re: MyCO multiple vulnerabilities PHP remote file inclusion vulnerability in loginout.php in FarsiNews 2.1 Beta 2 and earlier, with register_globals enabled, allows remote attackers to include arbitrary files via a URL in the cutepath parameter. ADV-2006-0411 16440 20060131 FarsiNews 2.1 PHP Remote File Inclusion http://www.hamid.ir/security/farsinews.txt farsinews-loginout-file-include(24419) 22878 1015554 390 18637 IMAP service in MailEnable Professional Edition before 1.72 allows remote attackers to cause a denial of service (service crash) via unspecified vectors involving the EXAMINE command. http://www.mailenable.com/professionalhistory.asp mailenable-imap-examine-dos(24424) ADV-2006-0397 16457 1015558 18668 Unspecified vulnerability in MailEnable Enterprise Edition before 1.2 allows remote attackers to cause a denial of service (CPU utilization) by viewing "formatted quoted-printable emails" via webmail. mailenable-webmail-dos(24517) http://www.mailenable.com/enterprisehistory.asp 18716 zbattle.net Zbattle client 1.09 SR-1 beta allows remote attackers to cause an unspecified denial of service by rapidly creating and closing a game. zbattle-command-dos(24369) 20060128 zbattle.net Cross-site scripting (XSS) vulnerability in index.php in Nuked-klaN 1.7 allows remote attackers to inject arbitrary web script or HTML via the letter parameter. ADV-2006-0387 20060130 Nuked-klaN Cross-Site Scripting Vulnerability nukedklan-index-xss(24387) 16424 22805 385 18670 Multiple cross-site scripting (XSS) vulnerabilities in Easy CMS allow remote attackers to inject arbitrary web script or HTML via (1) unknown attack vectors in the administrative interface and (2) input fields of the contact form. easycms-xss(24371) ADV-2006-0385 16430 20060131 Re: EasyCMS vulnerable to XSS injection. 20060129 EasyCMS vulnerable to XSS injection. 18673 20060208 Re: Re: EasyCMS vulnerable to XSS injection. Easy CMS stores the images directory under the web document root with insufficient access control and browsing enabled, which allows remote attackers to list and possibly read images that are stored in that directory. easycms-insecure-directories(24373) 20060129 EasyCMS vulnerable to XSS injection. 18673 20060208 Re: Re: EasyCMS vulnerable to XSS injection. Multiple cross-site scripting (XSS) vulnerabilities in clients.php in Cerberus Helpdesk, possibly 2.7, allow remote attackers to inject arbitrary web script or HTML via (1) the contact_search parameter and (2) unspecified url fields. cerberus-clients-xss(24388) ADV-2006-0395 16439 20060130 Cerberus Helpdesk vulnerable to XSS 22843 18657 391 SQL injection vulnerability in userlogin.jsp in Daffodil CRM 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified parameters in a login action. daffodilcrm-userlogin-sql-injection(24450) ADV-2006-0412 16433 20060130 Daffodil CRM - vulnerable to SQL-injection. 22879 18685 ** DISPUTED ** Blackboard Academic Suite 6.0 and earlier does not properly clear session information when de-authenticating a user who is idle, which allows subsequent users to log in as the previous user and gain privileges. NOTE: the vendor has disputed this issue, saying that "This is a customer specific issue related to their Kerberos authentication single sign-on application and not a vulnerability in the Blackboard product." 16438 20060202 Re: Blackboard Authentication Error 20060201 Blackboard Authentication Error 20060201 Re: Blackboard Authentication Error 28023 PADL MigrationTools 46 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink attack on the temporary files, which are not properly created by (1) migrate_all_online.sh, (2) migrate_all_offline.sh, (3) migrate_all_netinfo_online.sh, (4) migrate_all_netinfo_offline.sh, (5) migrate_all_nis_online.sh, (6) migrate_all_nis_offline.sh, (7) migrate_all_nisplus_online.sh, and (8) migrate_all_nisplus_offline.sh. ADV-2005-2427 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338920 22243 DSA-1187 Directory traversal vulnerability in pkmslogout in Tivoli Web Server Plug-in 5.1.0.10 in Tivoli Access Manager (TAM) 5.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt 20060203 VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability IY79724 1015582 18725 ADV-2006-0442 tivoli-pkmslogout-directory-traversal(24485) 16494 412 20060203 VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability Cisco PIX/ASA 7.1.x before 7.1(2) and 7.0.x before 7.0(5), PIX 6.3.x before 6.3.5(112), and FWSM 2.3.x before 2.3(4) and 3.x before 3.1(7), when used with Websense/N2H2, allows remote attackers to bypass HTTP access restrictions by splitting the GET method of an HTTP request into multiple packets, which prevents the request from being sent to Websense for inspection, aka bugs CSCsc67612, CSCsc68472, and CSCsd81734. http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt 20060508 VSR Advisory: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices ADV-2006-1738 17883 1016040 1016039 20044 cisco-websense-content-filtering-bypass(26308) 25453 20060508 PIX/ASA/FWSM Websense/N2H2 Content Filter Bypass 20060508 VSR Advisory: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices Unspecified vulnerability in the kernel processing in Solaris 10 64 bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors. ADV-2006-0394 102149 18671 solaris-x64-kernel-dos(24395) 16460 1015557 oval:org.mitre.oval:def:219 oval:org.mitre.oval:def:1163 Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3; (4) unspecified vectors related to "session handling"; and (5) when posting "petitions". http://www.zone-h.org/en/advisories/read/id=8650/ ADV-2006-0398 18676 spip-forum-sql-injection(24397) 24397 16458 20060131 ZRCSA-200601: SPIP - Multiple Vulnerabilities 22848 22845 22844 1015556 395 20060131 ZRCSA-200601: SPIP - Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in index.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter. http://www.zone-h.org/en/advisories/read/id=8650/ ADV-2006-0398 18676 spip-index-xss(24401) 16461 22849 SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message. http://www.zone-h.org/en/advisories/read/id=8650/ ADV-2006-0398 18676 spip-incmessforum-path-disclosure(24399) SQL injection vulnerability index.php in Dragoran Portal module 1.3 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the site parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. portal-index-sql-injection(24404) ADV-2006-0396 18664 16447 22851 Cross-site scripting (XSS) vulnerability in results.php in BrowserCRM allows remote attackers to inject arbitrary web script or HTML via certain manipulations of the query parameter, as demonstrated using an IMG SRC tag. ADV-2006-0391 20060131 BrowserCRM vulnerable for XSS 18658 browsercrm-results-xss(24390) 16435 22841 393 SQL injection vulnerability in the Authentication Servlet in Symantec Sygate Management Server (SMS) version 4.1 build 1417 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via unknown attack vectors related to a URL. http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html ADV-2006-0402 symantec-sms-sql-injection(24413) 16452 22883 1015561 18689 SQL injection vulnerability in global.php in MyBB before 1.03 allows remote attackers to execute arbitrary SQL commands via the templatelist variable. 18678 mybb-global-sql-injection(24416) ADV-2006-0400 22903 http://community.mybboard.net/showthread.php?tid=6418 Cross-site scripting (XSS) vulnerability in ashnews.php in Derek Ashauer ashNews 0.83 allows remote attackers to inject arbitrary web script or HTML via the id parameter. ashnews-ashnews-xss(24365) 16426 22934 9331 20060131 Re: ashnews Cross-Site Scripting Vulnerability 20060130 Re: ashnews Cross-Site Scripting Vulnerability 20060130 ashnews Cross-Site Scripting Vulnerability Multiple Adobe products, including (1) Photoshop CS2, (2) Illustrator CS2, and (3) Adobe Help Center, install a large number of .EXE and .DLL files with write-access permission for the Everyone group, which allows local users to gain privileges via Trojan horse programs. VU#953860 adobe-insecure-default-permissions(24464) ADV-2006-0431 16451 20060131 Windows Access Control Demystified 22908 http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf http://www.adobe.com/support/techdocs/332644.html 1015579 1015578 1015577 18698 The default configuration of the America Online (AOL) client software allows all users to modify a certain registry value that specifies a DLL file name, which might allow local users to gain privileges via a Trojan horse program. VU#953860 16453 20060131 Windows Access Control Demystified http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf aol-insecure-default-permissions(24498) BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, allows remote attackers to gain privileged access via a "Kashpureff-style DNS cache corruption" attack. HPSBUX02097 1015606 1015551 18690 tru64-dns-bind-unauth-access(24414) HPSBTU02095 SSRT051007 ADV-2006-0399 16455 HPSBUX02097 22888 748 438 http://computerworld.com/networkingtopics/networking/story/0,10801,103744,00.html 20060216 Recent HP advisories outline BIND problems The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment. USN-265-1 16408 SUSE-SR:2006:007 19504 20060128 gnome evolution mail client inline text file DoS issue MDKSA-2006:057 610 Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via a crafted message to TCP port 4105. http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33581 20060202 CAID 33581 - CA Message Queuing Denial of Service Vulnerabilities 18681 ADV-2006-0414 ca-cam-port4105-dos(24448) 16475 21146 http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_notice.asp 1015571 Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via spoofed CAM control messages. 20060202 CAID 33581 - CA Message Queuing Denial of Service Vulnerabilities 18681 http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33581 ADV-2006-0414 ca-cam-spoofed-message-dos(24449) 16475 1015571 404 Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool. 18699 sun-jsam-admin-access(24423) ADV-2006-0430 16474 102140 1015567 oval:org.mitre.oval:def:755 oval:org.mitre.oval:def:360 Cross-site scripting (XSS) vulnerability in resultat.asp in SoftMaker Shop allows remote attackers to inject arbitrary web script or HTML via a strSok parameter containing a javascript: URI in an IMG SRC attribute. softmakershop-image-xss(24451) ADV-2006-0434 16471 20060201 SoftMaker Shop is vulnerable to XSS 22911 18683 400 Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter. cpanel-scripts-xss(24468) ADV-2006-0433 22906 18691 20060203 Re: cPanel Multiple Cross Site Scripting Multiple cross-site scripting (XSS) vulnerabilities in default.asp in CyberShop Ultimate E-commerce allow remote attackers to inject arbitrary web script or HTML via the (1) ortak or (2) kat parameter. 16473 20060202 CyberShop Ultimate E-commerce Script Cross Site Scripting cybershop-xss(24454) 401 18730 Multiple cross-site scripting (XSS) vulnerabilities in Community Server allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: this candidate does not contain any actionable or distinguishing information. Perhaps it should not be included in CVE. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16478 Cross-site scripting (XSS) vulnerability in neomail.pl in NeoMail 1.27 allows remote attackers to inject arbitrary web script or HTML via the sort parameter. NOTE: some sources say that the affected parameter is "date," but the demonstration URL shows that it is "sort". neomail-neomail-script-xss(24470) ADV-2006-0449 20060203 Neomail Cross Site Scripting Vulnerability 22978 1015581 Buffer overflow in the POP3 server in Kinesphere Corporation eXchange before 5.0.060125 allows remote attackers to execute arbitrary code via a long RCPT TO argument. exchangepop3-rcptto-bo(24477) ADV-2006-0437 16485 22907 1466 1015580 18687 http://downloads.securityfocus.com/vulnerabilities/exploits/exchangepop3.pl 20060203 Exchangepop3 rcpt buffer overflow vulnerability 408 CipherTrust IronMail 5.0.1, when "Denial of Service Protection" is enabled, allows remote attackers to cause a denial of service (possibly CPU consumption) via a SYN flood with malformed TCP packets from multiple connections. 16465 20060203 IronMail-5.0.1-Denial of-Service-Protection-Lets-Remote-Users-Deny-Service 1015555 ironmail-tcpsyn-flood-dos(24445) 407 The convert-fcrontab program in fcron 3.0.0 might allow local users to gain privileges via a long command-line argument, which causes Linux glibc to report heap memory corruption, possibly because a strcpy in the strdup2 function can "overwrite some data." ADV-2006-0435 16467 20060201 Fcrontab - memory corruption on heap. 18719 https://bugs.trustix.org/show_bug.cgi?id=1754 fcron-syslog-bo(24444) 2006-0036 http://fcron.free.fr/news.php#a20060206a.xml http://fcron.free.fr/doc/en/changes.html 20060201 Fcrontab - memory corruption on heap. Multiple SQL injection vulnerabilities in Tachyon Vanilla Guestbook 1.0 beta allow remote attackers to execute arbitrary SQL commands via unspecified vectors. 16464 http://www.evuln.com/vulns/54/summary.html vanillaguestbook-messages-sql-injection(24412) 20060201 [eVuln] Vanilla Guestbook Multiple XSS & SQL Injection Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in Tachyon Vanilla Guestbook 1.0 beta allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "posting new messages." 16464 http://www.evuln.com/vulns/54/summary.html vanillaguestbook-name-xss(24411) 20060227 Re: [eVuln] Vanilla Guestbook Multiple XSS & SQL Injection Vulnerabilities 20060201 [eVuln] Vanilla Guestbook Multiple XSS & SQL Injection Vulnerabilities Multiple SQL injection vulnerabilities in config.php in NukedWeb GuestBookHost 2005.04.25 allow remote attackers to execute arbitrary SQL commands via the (1) email and (2) password parameters. guestbookhost-login-sql-injection(24406) ADV-2006-0465 http://www.evuln.com/vulns/56/summary.html 16545 20060209 [eVuln] GuestBookHost Authentication Bypass 18761 Cerulean Trillian 3.1.0.120 allows remote attackers to cause a denial of service (client crash) via an AIM message containing the Mac encoded Rich Text Format (RTF) escape sequences (1) \'d1, (2) \'d2, (3) \'d3, (4) \'d4, and (5) \'d5. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22877 urlmon.dll in Microsoft Internet Explorer 7.0 beta 2 (aka 7.0.5296.0) allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a BGSOUND element with its SRC attribute set to "file://" followed by a large number of "-" (dash of hyphen) characters. 16463 http://www.security-protocols.com/advisory/sp-x23-advisory.txt SQL injection vulnerability in showflat.php in Groupee (formerly known as Infopop) UBB.threads 6.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Number parameter. ubbthreads-showflat-sql-injection(24381) 16520 22808 http://www.cyberlords.net/advisories/cl_ubb.txt 1015549 20060325 UBBThreads<=5.5.1+6.0.2+6.0 br5+6.0.1 SQL injection Unspecified vulnerability in index.php in a certain application available from /v1/tr/portfoy.php on www.egeinternet.com allows remote attackers to execute arbitrary code via "evilcode" in the key parameter, possibly a PHP remote file include vulnerability in which the attack vector is a URL in the key parameter. NOTE: it is not clear whether this vulnerability is associated with an online service or application service provider. If so, then it should not be included in CVE. 20060128 Ege Internet Web Desing Remote Command Exucetion Oracle Database 8i, 9i, and 10g allow remote authenticated users to execute arbitrary SQL statements in the context of the SYS user and bypass audit logging, including statements to create new privileged database accounts, via a modified AUTH_ALTER_SESSION attribute in the authentication phase of the Transparent Network Substrate (TNS) protocol. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB18 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0265. TA06-018A VU#871756 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf http://www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html oracle-login-command-execute(24184) 20060117 Oracle DBMS - Access Control Bypass in Login SQL injection vulnerability in the Oracle Text component of Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB15 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. TA06-018A VU#150332 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf oracle-january2006-update(24321) SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB05 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. However, there are some inconsistencies that make this unclear, and there is also a possibility that this is related to DB06, which is subsumed by CVE-2006-0259. TA06-018A VU#629316 http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_metadata_util.html http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf oracle-january2006-update(24321) Buffer overflow in an unspecified Oracle Client utility might allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DBC02 from the January 2006 CPU, in which case this would be a duplicate of CVE-2006-0283. However, there are enough inconsistencies that the mapping can not be made authoritatively. TA06-018A VU#999268 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf oracle-january2006-update(24321) SQL injection vulnerability in the Data Pump Metadata API in Oracle Database 10g and possibly earlier might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB06 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0259 or, if it is DB05, subsumed by CVE-2006-0260. TA06-018A VU#983340 http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf oracle-january2006-update(24321) Unspecified vulnerability in the Net Listener component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, and 9.2.0.7 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB11. VU#545804 http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 18493 ADV-2006-0323 ADV-2006-0243 16287 22549 1015499 18608 oracle-january2006-update(24321) PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend protocol" using a crafted SET ROLE to other database users, a different vulnerability than CVE-2006-0678. VU#567452 18890 postgresql-setrole-privilege-elevation(24718) ADV-2006-0605 16649 20060215 PostgreSQL security releases 8.1.3, 8.0.7, 7.4.12, 7.3.14 http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-3 OpenPKG-SA-2006.004 1015636 [pgsql-announce] 20060214 Minor Releases 7.3 thru 8.1 Available to Fix Security Issue Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data. http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5 ADV-2006-2554 ADV-2006-0804 kernel-ftruncate-information-disclosure(24999) USN-263-1 16921 SUSE-SA:2006:028 MDKSA-2006:150 MDKSA-2006:059 DSA-1103 20914 20398 19220 19083 The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O). ADV-2006-2554 ADV-2006-0804 oval:org.mitre.oval:def:9932 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5 kernel-odirect-dos(25000) USN-263-1 16922 RHSA-2006:0493 FEDORA-2006-131 SUSE-SA:2006:028 MDKSA-2006:059 DSA-1103 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 21745 20914 20398 20237 19220 19108 19083 sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors. 16924 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=636f13c174dd7c84a437d3c3e8fa66f03f7fda63 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=636f13c174dd7c84a437d3c3e8fa66f03f7fda63 1015752 http://lkml.org/lkml/2006/2/27/355 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184510 linux-get-nodes-dos(25204) ADV-2006-2554 USN-281-1 23895 SUSE-SA:2006:028 MDKSA-2006:059 DSA-1103 20914 20398 19955 RHBA-2007-0304 oval:org.mitre.oval:def:9674 perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users to cause a denial of service (crash) by interrupting a task while another process is accessing the mm_struct, which triggers a BUG_ON action in the put_page_testzero function. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082 ADV-2006-2554 ADV-2006-1444 17482 oval:org.mitre.oval:def:10177 [linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero RHSA-2007:0774 DSA-1103 26709 20914 19737 Format string vulnerability in the SMTP server for McAfee WebShield 4.5 MR2 and earlier allows remote attackers to execute arbitrary code via format strings in the domain name portion of a destination address, which are not properly handled when a bounce message is constructed. The vendor has released a patch (P0803), along with version 4.5 MR2 to address this issue. 16742 19491 ADV-2006-1219 20060404 SYMSA-2006-002: McAfee WebShield SMTP Format String Vulnerability webshield-smtp-format-string(25621) 24366 1015861 671 Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key. This vulnerability is addressed in the following product release: Cisco, Secure Access Control Server, 4.0.1 http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt 16743 20060508 Re: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure 20060508 Response to Symantec SYMSA-2006-003 Cisco Secure ACS for Windows - Administrator Password Disclosure 1016042 ADV-2006-1741 20060508 SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure cisco-acs-admin-password-disclosure(26307) 25892 Cross-site scripting (XSS) vulnerability in problem.php in PluggedOut Blog 1.9.9c allows remote attackers to inject arbitrary web script or HTML via the data parameter. pluggedoutblog-problem-xss(24482) ADV-2006-0440 20060204 PluggedOut Blog SQL injection and XSS 1015586 18726 http://hamid.ir/security/pluggedoutblog.txt 22927 20060206 VERIFY Pluggedout Blog 1.9.9c problem.php XSS SQL injection vulnerability in exec.php in PluggedOut Blog 1.9.9c allows remote attackers to execute arbitrary SQL commands via the entryid parameter in a comment_add action. pluggedoutblog-exec-sql-injection(24480) ADV-2006-0440 20060204 PluggedOut Blog SQL injection and XSS 1015586 18726 http://hamid.ir/security/pluggedoutblog.txt 22926 415 20060206 VERIFY Pluggedout Blog 1.9.9c exec.php SQL injection Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field. VU#124460 ADV-2006-0446 http://users.pandora.be/bratax/advisories/b008.html 1015585 18740 mshtmlhelp-workshop-hhp-bo(24481) 22941 PHP remote file include vulnerability in inc/backend_settings.php in Loudblog 0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the $GLOBALS[path] parameter. louadblog-backendsettings-file-include(24479) louadblog-backendsettings-file-include(24479) ADV-2006-0441 16495 20060204 LoudBlog <= 0.4 arbitrary remote inclusion 22921 1015583 556 410 18722 http://retrogod.altervista.org/loudblog_04_incl_xpl.html The LDAP component in CommuniGate Pro Core Server 5.0.7 allows remote attackers to cause a denial of service (application crash) via LDAP messages that contain Distinguished Names (DN) fields with a large number of elements. ADV-2006-0444 http://www.stalker.com/CommuniGatePro/History.html 20060204 ProtoVer LDAP vs CommuniGate Pro 5.0.7 http://www.gleg.net/advisory_cg2.shtml 1015587 18701 communigate-ldap-bo(24409) 22932 416 Directory traversal vulnerability in Files Xaraya module before 0.5.1, when the Archive Directory field on the Modify Config page is blank, allows remote attackers to access files outside of the web root via ".." (dot dot) sequences. files-archive-directory-directory-traversal(24393) http://xaraya.curtisfarnham.com/articles/Files_0.5.1_-_Security_Fix_and_other_things ADV-2006-0371 Cross-site scripting (XSS) vulnerability in throw.main in Outblaze allows remote attackers to inject arbitrary web script or HTML via the file parameter. outblaze-email-thrownmain-xss(24476) ADV-2006-0439 20060203 Outblaze Cross Site Scripting Vulnerability 22909 http://www.morx.org/outblazeXSS.txt 18710 20060202 Outblaze Cross Site Scripting Vulnerability 411 Cross-site scripting (XSS) vulnerability in user_class.php in Papoo 2.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the username field during the registration of a new account. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 18721 ADV-2006-0438 22913 papoo-username-xss(24500) Multiple SQL injection vulnerabilities in phpstatus 1.0, when gpc_magic_quotes is disabled, allow remote attackers to execute arbitrary SQL commands and bypass authentication via (1) the username parameter in check.php and (2) unknown attack vectors in the administrative interface. ADV-2006-0450 http://evuln.com/vulns/61/summary.html 16587 20060212 [eVuln] phpstatus Authentication Bypass 427 18791 Multiple cross-site scripting (XSS) vulnerabilities in phpstatus 1.0 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in the administrative interface. ADV-2006-0450 http://evuln.com/vulns/61/summary.html 16587 20060212 [eVuln] phpstatus Authentication Bypass 427 18791 phpstatus 1.0 does not require passwords when using cookies to identify a user, which allows remote attackers to bypass authentication. http://evuln.com/vulns/61/summary.html 16587 20060212 [eVuln] phpstatus Authentication Bypass 427 18791 Multiple cross-site scripting (XSS) vulnerabilies in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6) domain parameter to (d) stats/detailbw.html. cpanel-scripts-xss(24468) ADV-2006-0433 18695 20060203 cPanel Multiple Cross Site Scripting Vulnerability 20060202 cPanel Multiple Cross Site Scripting Vulnerability 22939 22938 22937 22936 Cross-site scripting (XSS) vulnerability in mime/handle.html in cPanel 10 allows remote attackers to inject arbitrary web script or HTML via the (1) file extension or (2) mime-type. ADV-2006-0433 20060205 cPanel 10 handle.html XSS Vulnerability 18695 20060204 cPanel 10 mime/handle.html XSS Vulnerability 22940 1015589 convert-fcrontab in Fcron 2.9.5 and 3.0.0 allows remote attackers to create or overwrite arbitrary files via ".." sequences and a symlink attack on the temporary file that is used during conversion. fcron-dotdot-directory-traversal(24504) ADV-2006-0435 2006-0006 22905 18719 20060202 Re: Fcrontab - memory corruption on heap. 25693 Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and earlier allows local users to execute arbitrary commands via a modified PATH that references malicious (1) which or (2) dirname programs. NOTE: while opcontrol normally is not run setuid, a common configuration suggests accessing opcontrol using sudo. In such a context, this is a vulnerability. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' 16536 20060207 Arbitrary code execution via OProfile http://www.redhat.com/magazine/012oct05/features/oprofile/ oval:org.mitre.oval:def:10890 Lexmark X1185 printer allows local users to gain SYSTEM privileges by navigating to the "Appearance" dialog and selecting the "Additional styles (skins) are available on the Lexmark web site" option, which launches a web browser that is running with SYSTEM privileges. ADV-2006-0482 20060207 Re: High Risk Vulnerability in Lexmark Printer Sharing Service lexmark-x1185-privilege-elevation(24596) 16534 18728 Blue Coat Proxy Security Gateway OS (SGOS) 4.1.2.1 does not enforce CONNECT rules when using Deep Content Inspection, which allows remote attackers to bypass connection filters. ADV-2006-0401 http://www.secumind.net/content/french/modules/news/article.php?storyid=8 18622 proxysg-connect-bypass-security(24446) 22853 http://www.bluecoat.com/support/knowledge/advisory_connect_denial_ignore.html 1015644 Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information. ADV-2006-0457 18718 mplayer-asf-integer-overflow(24531) MDKSA-2006:048 GLSA-200603-03 19114 IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted packet to the LDAP port (389/TCP). ADV-2006-0458 18738 [Dailydave] 20060203 ProtoVer vs Lotus Domino Server 7.0 lotus-domino-ldap-dos(24518) 16523 1015592 SQL injection vulnerability in Hosting Controller 6.1 Hotfix 2.8 allows remote authenticated users to execute arbitrary SQL commands via the (1) GatewayID parameter in an add action in AddGatewaySettings.asp and (2) IP parameter in IPManager.asp. ADV-2006-0460 1015584 18731 hosting-controller-sql-injection(24537) 22983 22982 Unspecified vulnerability in rshd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2, when storing forwarded credentials, allows attackers to overwrite arbitrary files and change file ownership via unknown vectors. heimdal-rshd-privilege-elevation(24532) 16524 SUSE-SA:2006:011 http://www.pdc.kth.se/heimdal/advisory/2006-02-06/ GLSA-200603-14 DSA-977 19302 19005 18894 18806 18733 ADV-2006-0628 ADV-2006-0456 USN-247-1 USN-253-1 [heimdal-discuss] 20060206 Heimdal 0.7.2 and 0.6.6 22986 1015591 SQL injection vulnerability in mailarticle.php in Clever Copy 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. clevercopy-mailarticle-sql-injection(24545) ADV-2006-0462 22984 1015590 18749 http://retrogod.altervista.org/Clever_Copy_V3_sql_xpl.html The PSCipher function in PeopleSoft People Tools 8.4x uses PKCS #5 with a fixed DES key to store user passwords, which makes it easier for local users to guess passwords using a dictionary attack that compares output strings. 16507 20060204 PeopleSoft (Oracle) PSCipher Encryption Weakness 22952 jscript.dll in Microsoft Internet Explorer 6.0 SP1 and earlier allows remote attackers to cause a denial of service (application crash) via a Shockwave Flash object that contains ActionScript code that calls VBScript, which in turn calls the Javascript document.write function, which triggers a null dereference. 16441 20060131 Internet Explorer remotely exploitable vulnerability in JScript's document.write() method 1015559 20060217 Re: Internet Explorer remotely exploitable vulnerability in JScript's document.write() method Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues. oracle-syskupvftint-sql-injection(24197) oracle-syskupv$ftint-sql-injection(24197) 16294 20060117 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT 20060117 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html 22840 22839 20060118 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT 20060118 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT Unspecified vulnerability in util.php in Gallery before 1.5.2-pl2 allows remote authenticated users with trick an owner into modifying stored album data and possibly executing arbitrary code via unspecified vectors involving a crafted link to a crafted file. gallery-util-file-include(24768) 16533 22944 1015641 18735 http://gallery.menalto.com/gallery_1_5_2_pl2_security_release gallery-album-data-modification(24538) 23256 http://www.digitalarmaments.com/2006140293402395.html 20060216 Re: Digital Armaments Security Advisory 02.14.2006: Gallery web-based photo gallery remote file execution 20060214 Digital Armaments Security Advisory 02.14.2006: Gallery web-based photo gallery remote file execution SQL injection vulnerability in search.php in MyTopix 1.2.3 allows remote attackers to execute arbitrary SQL commands via the (1) mid and (2) keywords parameters. 20060204 [KAPDA::#26] - MyTopix Sql Injection & Path Disclosure http://kapda.ir/advisory-249.html mytopix-search-sql-injection(24502) 413 MyTopix 1.2.3 allows remote attackers to obtain the installation path via a direct request to logon.mod.php, which leaks the path in an error message. 20060204 [KAPDA::#26] - MyTopix Sql Injection & Path Disclosure http://kapda.ir/advisory-249.html 413 MyTopix 1.2.3 allows remote attackers to obtain the installation path via an invalid hl parameter to index.php, which leads to path disclosure, possibly related to invalid SQL syntax. 20060204 [KAPDA::#26] - MyTopix Sql Injection & Path Disclosure http://kapda.ir/advisory-249.html 413 The crypt_gensalt functions for BSDI-style extended DES-based and FreeBSD-sytle MD5-based password hashes in crypt_blowfish 0.4.7 and earlier do not evenly and randomly distribute salts, which makes it easier for attackers to guess passwords from a stolen password file due to the increased number of collisions. This vulnerability may only be exploited in conjunction with another vulnerability. The password file (normally shadowed) must first be stolen. cryptblowfish-salt-information-disclosure(24590) 18772 ADV-2006-0477 20060207 crypt_blowfish 1.0 RHSA-2006:0526 23005 http://support.avaya.com/elmodocs2/security/ASA-2006-113.htm 20782 20653 20232 oval:org.mitre.oval:def:11502 http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_gensalt.c?only_with_tag=CRYPT_BLOWFISH_1_0 20060602-01-U Unspecified vulnerability in the Lexmark Printer Sharing LexBce Server Service (LexPPS), possibly 8.29 and 9.41, allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based on a vague initial disclosure; details will be updated after the grace period has ended. lexmark-lexpps-code-execution(24581) ADV-2006-0481 20060207 High Risk Vulnerability in Lexmark Printer Sharing Service 1015593 18744 Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php. ADV-2006-0463 http://www.php-fusion.co.uk/news.php?readmore=307 phpfusion-multiple-xss(24548) 16548 http://www.php-fusion.co.uk/downloads.php?cat_id=3 22981 22980 18949 Multiple stack-based buffer overflows in elogd.c in elog before 2.5.7 r1558-4 allow attackers to cause a denial of service (application crash) and possibly execute code via long "revision attributes". DSA-967 18783 16579 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349528 http://bugs.debian.org/cgi-bin/bugreport.cgi/0001-r1333-Fixed-crashes-with-very-long-revisions-attributes.txt?bug=349528;msg=15;att=1 elog-elogd-bo(24704) Buffer overflow in elogd.c in elog before 2.5.7 r1558-4 allows attackers to execute code via unspecified variables, when writing to the log file. 16579 DSA-967 18783 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349528 http://bugs.debian.org/cgi-bin/bugreport.cgi/0002-r1335-Applied-patch-from-Emiliano-to-fix-possible-buffer-overflow.txt?bug=349528;msg=15;att=2 elog-elogd-log-bo(24705) The (1) elog.c and (2) elogd.c components in elog before 2.5.7 r1558-4 generate different responses depending on whether or not a username is valid, which allows remote attackers to determine valid usernames. DSA-967 18783 16579 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349528 http://bugs.debian.org/cgi-bin/bugreport.cgi/0003-r1472-Do-not-distinguish-between-invalid-user-name-and-invalid-password.txt?bug=349528;msg=15;att=3 elog-elog-elogd-user-enumeration(24706) elog before 2.5.7 r1558-4 allows remote attackers to cause a denial of service (infinite redirection) via a request with the fail parameter set to 1, which redirects to the same request. DSA-967 18783 16579 http://savannah.psi.ch/viewcvs/trunk/src/elogd.c?root=elog&rev=1487&view=diff&r1=1487&r2=1486&p1=trunk/src/elogd.c&p2=/trunk/src/elogd.c http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349528 elog-fail-redirect-dos(24707) Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to (2) admin/edit_smilie.php, (3) admin/add_theme.php, (4) admin/ban_ip.php, (5) admin/add_lang.php, or (6) admin/edit_filter.php. ADV-2006-0480 16541 20060211 [eVuln] phphg Guestbook Multiple Vulnerabilities 1015620 18758 http://evuln.com/vulns/58/summary.html Multiple cross-site scripting vulnerabilities in signed.php in Hinton Design phphg Guestbook 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) location, (2) website, or (3) message parameter. 18758 ADV-2006-0480 16541 20060211 [eVuln] phphg Guestbook Multiple Vulnerabilities 1015620 http://evuln.com/vulns/58/summary.html check.php in Hinton Design phphg Guestbook 1.2 does not check the user password when authenticating via cookies, which allows remote attackers to gain unauthorized access. ADV-2006-0480 16541 20060211 [eVuln] phphg Guestbook Multiple Vulnerabilities 1015620 18758 http://evuln.com/vulns/58/description.html Multiple cross-site scripting (XSS) vulnerabilities in Unknown Domain Shoutbox 2005.07.21 allow remote attackers to inject arbitrary web script or HTML, possibly via the (1) Handle or (2) Message fields. ADV-2006-0476 18759 http://evuln.com/vulns/55/summary.html shoutbox-multiple-xss(24440) 16543 20060209 [eVuln] Unknown Domain Shoutbox multiple XSS & SQL Injection Vulnerabilities SQL injection vulnerability in Unknown Domain Shoutbox 2005.07.21 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors. ADV-2006-0476 18759 http://evuln.com/vulns/55/summary.html 16543 20060209 [eVuln] Unknown Domain Shoutbox multiple XSS & SQL Injection Vulnerabilities check.php in Hinton Design phphd 1.0 does not check passwords when certain cookies are provided, which allows remote attackers to bypass authentication. phphd-check-security-bypass(24510) http://www.evuln.com/vulns/60/summary.html 16586 20060212 [eVuln] phphd Multiple Vulnerabilities 23026 18793 Multiple SQL injection vulnerabilities in Hinton Design phphd 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the username parameter to check.php or (2) unknown attack vectors to scripts that display information from the database. phphd-multiple-sql-injection(24515) phphd-check-sql-injection(24508) http://www.evuln.com/vulns/60/summary.html 16586 20060212 [eVuln] phphd Multiple Vulnerabilities 23028 23025 18793 Cross-site scripting (XSS) vulnerability in add.php in Hinton Design phphd 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. phphd-add-xss(24513) http://www.evuln.com/vulns/60/summary.html 16586 20060212 [eVuln] phphd Multiple Vulnerabilities 23027 18793 Multiple SQL injection vulnerabilities in 2200net Calendar system 1.2, with gpc_magic_quotes disabled, allow remote attackers to execute arbitrary SQL commands and bypass authentication via (1) the fm_data[id] parameter to calendar.php and (2) the $ad['acc'] variable in adminlogin.php. 2200net-adminlogin-sql-injection(24484) 2200net-calendar-sql-injection(24483) ADV-2006-0486 http://www.evuln.com/vulns/62/summary.html 16569 20060215 [eVuln] 2200net Calendar system SQL Injection and Authentication Bypass Vulnerabilities 23038 23037 18781 20060215 [eVuln] 2200net Calendar system SQL Injection and Authentication Directory traversal vulnerability in compose.pl in @Mail 4.3 and earlier for Windows allows remote attackers to upload arbitrary files to arbitrary locations via a .. (dot dot) in the unique parameter. 18646 http://kb.atmail.com/view_article.php?num=374 ADV-2006-0415 16470 22882 Powersave daemon before 0.10.15.2 allows local users to gain privileges (unauthorized access to an X session) via unspecified vectors. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information. http://sourceforge.net/project/shownotes.php?release_id=379792&group_id=124576 18651 powersave-daemon-gain-privileges(24458) ADV-2006-0416 16469 Unspecified vulnerability in Java Web Start after 1.0.1_02, as used in J2SE 5.0 Update 5 and earlier, allows remote attackers to obtain privileges via unspecified vectors involving untrusted applications. VU#652636 102170 18762 ADV-2006-1398 ADV-2006-0468 javawebstart-jnlp-privilege-elevation(24568) 16540 1015597 http://docs.info.apple.com/article.html?artnum=303658 Unspecified vulnerability in Sun Java JDK and JRE 5.0 Update 3 and earlier, SDK and JRE 1.3.x through 1.3.1_16 and 1.4.x through 1.4.2_08 allows remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "first issue." VU#759996 102171 18760 ADV-2006-1398 ADV-2006-0828 ADV-2006-0467 sun-jre-reflection-privilege-elevation(24561) GLSA-200602-07 1015596 18884 http://docs.info.apple.com/article.html?artnum=303658 Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Update 4 and earlier, SDK and JRE 1.4.x through 1.4.2_09 allow remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "second and third issues." VU#759996 102171 18760 ADV-2006-1398 ADV-2006-0828 ADV-2006-0467 sun-jre-reflection-privilege-elevation(24561) GLSA-200602-07 1015596 18884 http://docs.info.apple.com/article.html?artnum=303658 Unspecified vulnerability in Sun Java JDK and JRE 5.0 Update 4 and earlier allows remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "fourth issue." VU#759996 102171 18760 ADV-2006-1398 ADV-2006-0828 ADV-2006-0467 sun-jre-reflection-privilege-elevation(24561) GLSA-200602-07 1015596 18884 http://docs.info.apple.com/article.html?artnum=303658 Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Update 5 and earlier allow remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "fifth, sixth, and seventh issues." VU#759996 102171 18760 ADV-2006-1398 ADV-2006-0828 ADV-2006-0467 sun-jre-reflection-privilege-elevation(24561) GLSA-200602-07 1015596 18884 http://docs.info.apple.com/article.html?artnum=303658 Format string vulnerability in fontsleuth in QNX Neutrino RTOS 6.3.0 allows local users to execute arbitrary code via format string specifiers in the zeroth argument (program name). ADV-2006-0474 20060207 QNX Neutrino RTOS fontsleuth Command Format String Vulnerability 18750 qnx-fontsleuth-format-string(24559) 16539 22966 1015599 Multiple stack-based buffer overflows in QNX Neutrino RTOS 6.3.0 allow local users to execute arbitrary code via long (1) ABLPATH or (2) ABLANG environment variables in the libAP library (libAp.so.2) or (3) a long PHOTON_PATH environment variable to the setitem function in the libph library. qnx-libap-bo(24558) qnx-libph-bo(24557) ADV-2006-0474 16539 22965 22964 20060207 QNX Neutrino RTOS libph PHOTON_PATH Buffer Overflow Vulnerability 20060207 QNX Neutrino RTOS libAp ABLPATH Buffer Overflow Vulnerability 1015599 18750 Race condition in phfont in QNX Neutrino RTOS 6.2.1 allows local users to execute arbitrary code via unspecified manipulations of the PHFONT and PHOTON2_PATH environment variables. ADV-2006-0474 20060207 QNX Neutrino RTOS phfont Race Condition Vulnerability 18750 qnx-phfont-race-condition(24555) 16539 22963 1015599 Multiple buffer overflows in QNX Neutrino RTOS 6.2.0 allow local users to execute arbitrary code via a long first argument to the (1) su or (2) passwd commands. ADV-2006-0474 20060207 QNX Neutrino RTOS passwd Command Buffer Overflow 20060207 QNX Neutrino RTOS su Command Buffer Overflow 18750 qnx-su-bo(24554) qnx-passwd-bo(24551) 16539 22961 22959 1015599 QNX Neutrino RTOS 6.3.0 allows local users to cause a denial of service (hang) by supplying a "break *0xb032d59f" command to gdb. qnx-gdb-dos(24553) ADV-2006-0474 16539 22960 20060207 QNX RTOS 6.3.0 Local Denial of Service Vulnerability 1015598 18750 QNX Neutrino RTOS 6.3.0 ships /etc/rc.d/rc.local with world-writable permissions, which allows local users to modify the file and execute arbitrary code at system startup. ADV-2006-0474 20060207 QNX RTOS 6.3.0 rc.local Insecure File Permissions Vulnerability 18750 qnx-rclocal-root-privileges(24552) 16539 22958 1015598 SQL injection vulnerability in check.asp in Whomp Real Estate Manager XP 2005 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. ADV-2006-0489 16544 20060208 Whomp Real Estate Manager XP 2005 Sql Injection whomp-login-sql-injection(24592) 22969 418 18780 Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and earlier allows remote attackers to read or include arbitrary files via ".." sequences in the GLOBALS[type_urls] parameter, which could then be used to execute arbitrary code via resultant direct static code injection in the file parameter to spip_acces_doc.php3. ADV-2006-0483 16556 http://retrogod.altervista.org/spip_182g_shell_inj_xpl.html spip-rss-file-include(24600) 23086 1015602 18676 SQL injection vulnerability in spip_acces_doc.php3 in SPIP 1.8.2g and earlier allows remote attackers to execute arbitrary SQL commands via the file parameter. ADV-2006-0483 16551 http://retrogod.altervista.org/spip_182g_shell_inj_xpl.html spip-access-doc-sql-injection(24599) 23087 1015602 18676 Cross-site scripting (XSS) vulnerability in Clever Copy 2.0, 2.0a, and 3.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Referer or (2) X-Forwarded-For headers in an HTTP request, which are not properly handled when the administrator accesses Site Stats. clevercopy-script-xss(24524) ADV-2006-0495 16607 20060212 [eVuln] Clever Copy 'Referer' & 'X-Forwarded-For' XSS Vulnerabilities http://www.evuln.com/vulns/64/summary.html 18790 myquiz.pl in Dale Ray MyQuiz 1.01 allows remote attackers to execute arbitrary commands via shell metacharacters in the URL, which are not properly handled as part of the PATH_INFO environment variable. http://www.evuln.com/vulns/57/summary.html http://www.corantodemo.net/coranto/viewnews.cgi?id=EpApAAAVkyirPGThSf&style=dldetails ADV-2006-0443 20060203 [eVuln] MyQuiz Arbitrary Command Execution Vulnerability myquiz-pathinfo-command-execution(24501) 20060207 MyQuiz Arbitrary Command Execution Exploit (perl) 22925 409 18737 20060209 Vendor ACK for MyQuiz Unspecified vulnerability in AOL Instant Messenger (AIM) 5.9.3861 allows user-assisted remote attackers to cause a denial of service (client crash) and possibly execute arbitrary code by tricking the user into requesting Buddy Info about a long screen name, which might cause a buffer overflow. aim-buddy-info-bo(24362) 20060203 Re: AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability 20060203 AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability 20060129 AOL Instant Messenger 5.9.3861 Local Buffer Overrun Vulnerability RITLabs The Bat! before 3.0.0.15 displays certain important headers from encapsulated data in message/partial MIME messages, instead of the real headers, which is in violation of RFC2046 header merging rules and allows remote attackers to spoof the origin of e-mail by sending a fragmented message, as demonstrated using spoofed Received: and Message-ID: headers. https://www.ritlabs.com/bt/bug_view_advanced_page.php?bug_id=0003029 20060206 SECURITY.NNOV: The Bat! 2.x message headers spoofing http://www.security.nnov.ru/advisories/thebatspoof.asp thebat-message-header-spoofing(24535) 16515 18713 20060206 SECURITY.NNOV: The Bat! 2.x message headers spoofing CRLF injection vulnerability in mailback.pl in Erik C. Thauvin mailback allows remote attackers to use mailback as a "spam proxy" by modifying mail headers, including recipient e-mail addresses, via newline characters in the Subject field. 22955 18748 mailback-mail-relay(24540) ADV-2006-0459 http://vc.thauvin.net/cvs/cgi/mailback/mailback.pl?view=log 20060210 Re: mailback script exploit 20060205 mailback script exploit The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords for existing accounts or create new accounts. ADV-2006-0461 20060205 Easily exploitable Pseudo Random Number generator in phpbb version 2.0.19 and under. http://www.r-security.net/tutorials/view/readtutorial.php?id=4 phpbb-weak-rnd(24573) 22949 18727 The make_password function in ipsclass.php in Invision Power Board (IPB) 2.1.4 uses random data generated from partially predictable seeds to create the authentication code that is sent by e-mail to a user with a lost password, which might make it easier for remote attackers to guess the code and change the password for an IPB account, possibly involving millions of requests. http://www.r-security.net/tutorials/view/readtutorial.php?id=4 http://forums.invisionpower.com/lofiversion/index.php/t200085.html Borland C++Builder 6 (BCB6) with Update Pack 4 Enterprise edition (ent_upd4) evaluates the "i>sizeof(int)" expression to false when i equals -1, which might introduce integer overflow vulnerabilities into applications that could be exploited by context-dependent attackers. bcb-compiler-integer-overflow(24514) http://www.xfocus.net/releases/200602/a849.html 20060206 [xfocus-SD-060206]BCB compiler incorrect deal sizeof operator vulnerability 22953 1015588 Tiny C Compiler (TCC) 0.9.23 (aka TinyCC) evaluates the "i>sizeof(int)" expression to false when i equals -1, which might introduce integer overflow vulnerabilities into applications that could be exploited by context-dependent attackers. 20060207 Re: [xfocus-SD-060206]BCB compiler incorrect deal sizeof operator vulnerability 22956 desktop.php in eyeOS 0.8.9 and earlier tests for the existence of the _SESSION variable before calling the session_start function, which allows remote attackers to execute arbitrary PHP code and possibly conduct other attacks by modifying critical assumed-immutable variables, as demonstrated using PHP code in the _SESSION[apps][eyeOptions.eyeapp][wrapup] variable. 20060207 eyeOS <= 0.8.9 Remote Code Execution http://www.gulftech.org/?node=research&article_id=00096-02072006 ADV-2006-0466 eyeos-desktop-file-include(24569) 16537 1015609 419 18757 Buffer overflow in cram.dll in QUALCOMM Eudora WorldMail 3.0 allows remote attackers to execute arbitrary code via an IMAP APPEND command with a long message literal argument, as demonstrated by Worldmail.pl. NOTE: this is a different vector and a different manipulation than CVE-2005-4267, so it might be a different vulnerability than CVE-2005-4267. 20060204 (OLD) Eudora WorldMail 3.0 Windows 2000 Remote System Exploit SQL injection vulnerability in moderation.php in MyBB (aka MyBulletinBoard) 1.0.3 allows remote authenticated users, with certain privileges for moderating and merging posts, to execute arbitrary SQL commands via the posts parameter. ADV-2006-0475 16538 20060207 [myimei]MyBB1.0.3~moderation.php~SqlInject while merging posts 22957 18754 http://myimei.com/security/2006-02-07/mybb103moderationphpsqlinject-while-merging-posts.html Cross-site scripting (XSS) vulnerability in search.php in MyBB (aka MyBulletinBoard) 1.0.2 allows remote attackers with knowledge of the table prefix to inject arbitrary web script or HTML via a URL encoded value of the keywords parameter, as demonstrated by %3Cscript%3E. http://myimei.com/security/2006-01-14/mybb-102searchphpxss-attackandmore.html 20060208 Re: [myimei]MyBB 1.0.2 XSS attack in search.php 20060207 [myimei]MyBB 1.0.2 XSS attack in search.php mybb-search-xss(24466) Orbicule Undercover allows attackers with physical or root access to disable the protection by using the chmod command to change the permissions of the /private/etc/uc.app/Contents/MacOS/uc file, which prevents the service from being started in LaunchDaemon. 20060202 Issues with security software: orbicule.com "Undercover" Orbicule Undercover uses a third-party web server to determine the IP address through which the computer is accessing the Internet, but does not document this third-party disclosure, which leads to a potential privacy leak that might allow transmission of sensitive information to an unintended remote destination. 20060202 Issues with security software: orbicule.com "Undercover" Trend Micro ServerProtect 5.58, and possibly InterScan Messaging Security Suite and InterScan Web Security Suite, have a default configuration setting of "Do not scan compressed files when Extracted file count exceeds 500 files," which may be too low in certain circumstances, which allows remote attackers to bypass anti-virus checks by sending compressed archives containing many small files. NOTE: since this is related to a configuration setting that has an operational impact that might vary depending on the environment, and the product is claimed to report a message when the compressed file exceeds specified limits, perhaps this should not be included in CVE. 20060205 RE: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan. 20060203 Re: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan. 20060203 Re: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan. 20060203 Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan. http://www.packetstormsecurity.org/filedesc/Bypass.pdf.html http://www.packetstormsecurity.org/0602-advisories/Bypass.pdf serverprotect-file-scanning-bypass(24658) 16483 20060206 Fwd: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan. Cross-site scripting (XSS) vulnerability in WiredRed e/pop Web Conferencing 4.1.0.755 allows remote authenticated users to inject arbitrary web script or HTML via the topic name of a conference. ADV-2006-0505 16542 20060208 WiredRed EPOP XSS Vulnerability epop-topic-xss(24609) 22997 421 18753 Multiple directory traversal vulnerabilities in install.php in CPG-Nuke Dragonfly CMS (aka CPG Dragonfly CMS) 9.0.6.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in (1) the newlang parameter and (2) the installlang parameter in a cookie, as demonstrated by using error.php to insert malicious code into a log file, or uploading a malicious .png file, which is then included using install.php. 16546 20060208 CPGNuke Dragonfly 9.0.6.1 remote commands execution through arbitrary local inclusion 23058 1015601 http://retrogod.altervista.org/dragonfly9.0.6.1_incl_xpl.html http://dragonflycms.org/Forums/viewtopic/p=98034.html#98034 http://dragonflycms.org/Forums/viewtopic/p=98034.html cpg-dragonfly-file-include(24660) Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite. ADV-2006-0496 20060209 ProtoVer SSL: GnuTLS http://www.gleg.net/protover_ssl.shtml oval:org.mitre.oval:def:10540 [gnutls-dev] 20060209 GnuTLS 1.3.4 - Experimental - Security release [gnutls-dev] 20060209 GnuTLS 1.2.10 - Security release [gnutls-dev] 20060209 Libtasn1 0.2.18 - Tiny ASN.1 Library - Security release http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.18-from-0.2.17.patch http://josefsson.org/cgi-bin/viewcvs.cgi/libtasn1/NEWS?root=gnupg-mirror&view=markup http://josefsson.org/cgi-bin/viewcvs.cgi/gnutls/tests/certder.c?view=markup gnutls-libtasn1-der-dos(24606) USN-251-1 2006-0008 16568 FEDORA-2006-107 23054 MDKSA-2006:039 GLSA-200602-08 DSA-986 DSA-985 1015612 446 19092 19080 18918 18898 18832 18830 18815 18794 RHSA-2006:0207 ld in SUSE Linux 9.1 through 10.0, and SLES 9, in certain circumstances when linking binaries, can leave an empty RPATH or RUNPATH, which allows local attackers to execute arbitrary code as other users via by running an ld-linked application from the current directory, which could contain an attacker-controlled library file. SUSE-SA:2006:007 16581 18811 LDAP service in Sun Java System Directory Server 5.2, running on Linux and possibly other platforms, allows remote attackers to cause a denial of service (memory allocation error) via an LDAP packet with a crafted subtree search request, as demonstrated using the ProtoVer LDAP test suite. ADV-2006-0492 18769 [Dailydave] 20060210 ??? Sun Directory Server 5.2 fun ??? [Dailydave] 20060208 Sun Directory Server 5.2 fun sun-java-ldap-dos(24605) 16550 102294 1015604 Multiple directory traversal vulnerabilities in PHP iCalendar 2.0.1, 2.1, and 2.2 allow remote attackers to include arbitrary files via the (1) getdate and possibly other parameters used in the replace_files function in search.php and (2) $file variable as used in the parse function in functions/template.php. 20060208 [eVuln] PHP iCalendar File Inclusion Vulnerability 18778 http://evuln.com/vulns/70/summary.html ADV-2006-0493 16557 http://phpicalendar.net/forums/viewtopic.php?t=396 phpicalendar-template-search-file-include(24591) 420 Cross-site scripting (XSS) vulnerability in DataparkSearch before 4.37 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 18751 ADV-2006-0488 http://www.dataparksearch.org/ChangeLog dataparksearch-scripts-xss(24627) 16572 Cross-site scripting (XSS) vulnerability in cpaint2.inc.php in the CPAINT library before 2.0.3, as used in multiple scripts, allows remote attackers to inject arbitrary web script or HTML via the cpaint_response_type parameter, which is displayed in a resulting error message, as demonstrated using a hex-encoded IFRAME tag. cpaint-response-type-xss(24594) 20060210 CPAINT AJAX Library Cross Site Scripting http://www.gulftech.org/?node=research&article_id=00097-02092006 18765 ADV-2006-0487 http://cpaint.booleansystems.com/forums/viewtopic.php?t=98 16559 1015608 SQL injection vulnerability in index.php in vwdev allows remote attackers to execute arbitrary SQL commands via the UID parameter in the definition Page. 16547 1015594 vwdev-uid-sql-injection(24583) 22991 WHMCompleteSolution (WHMCS) before 2.3 assigns incorrect permissions to "resellers", which allows remote authenticated users to perform privileged actions or obtain sensitive information. NOTE: this report is based on a vendor bug report that identified "incorrect permissions." However, the vendor did not label it a security issue, and there was no statement regarding whether or not the permissions were actually more permissive than intended. If in fact the permissions were more restrictive than intended, then this would be a functional problem but not a vulnerability. 16560 http://www.whmcs.com/changelog.php ADV-2006-0484 whmcs-resellers-insecure-permissions(24597) Multiple SQL injection vulnerabilities in Hinton Design phpht Topsites 1.3 allow remote attackers to execute arbitrary SQL commands via multiple vectors including the username parameter. 18782 http://evuln.com/vulns/59/summary.html 16562 20060211 [eVuln] phpht Topsites Multiple Vulnerabilities check.php in Hinton Design phpht Topsites 1.3 does not validate passwords when using cookies, which allows remote attackers to bypass authentication via unspecified cookies. 18782 http://evuln.com/vulns/59/summary.html 16562 20060211 [eVuln] phpht Topsites Multiple Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in (1) link_edited.php and (2) link_added.php in Hinton Design phpht Topsites 1.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 18782 http://evuln.com/vulns/59/summary.html 16562 20060211 [eVuln] phpht Topsites Multiple Vulnerabilities Directory traversal vulnerability in HP Systems Insight Manager 4.2 through 5.0 SP3 for Windows allows remote attackers to access arbitrary files via unspecified vectors, a different vulnerability than CVE-2005-2006. HPSBMA02096 SSRT061108 ADV-2006-0497 16571 18789 1015605 Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authenticated users to inject arbitrary web script or HTML, and corrupt data, via the (1) username and (2) password parameters, which are not sanitized before being written to users.php. NOTE: while this issue was originally reported as XSS, the primary issue might be direct static code injection with resultant XSS. ADV-2006-0507 18792 http://evuln.com/vulns/63/summary.html phpeventcalendar-users-xss(24523) 16588 23072 23071 442 Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt. Per: http://cwe.mitre.org/data/definitions/184.html 'CWE-184: Incomplete Blacklist' ADV-2006-0502 20060209 runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package 3702 18767 http://retrogod.altervista.org/fckeditor_22_xpl.html Multiple PHP remote file include vulnerabilities in RunCMS 1.2 and earlier, with register_globals and allow_url_fopen enabled, allow remote attackers to execute arbitrary code via the bbPath[path] parameter in (1) class.forumposts.php and (2) forumpollrenderer.php. Successful exploitation requires that both "register_globals" and "allow_url_fopen" are enabled. 16578 18800 ADV-2006-0503 20060209 runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package http://retrogod.altervista.org/runcms_13a_xpl.html Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allows remote attackers to (1) read arbitrary files or trigger an error message path disclosure via ".." or invalid names in the archive parameter to index.php, or (2) include arbitrary files via the template parameter to show_archives.php. 18768 ADV-2006-0506 16580 http://www.hamid.ir/security/farsinews2-5.txt http://forum.farsinewsteam.com/index.php?showtopic=76 http://forum.farsinewsteam.com/index.php?showtopic=71 farsinews-index-directory-traversal(24602) farsinews-showarchives-file-include(24598) 20060210 FarsiNews 2.5 Multiple Vulnerabilities 23022 23021 23020 Cross-site scripting (XSS) vulnerability in Scriptme SmE GB Host 1.21 and SmE Blog Host allows remote attackers to inject arbitrary web script or HTML via the BBcode url tag. ADV-2006-0504 16585 18786 http://evuln.com/vulns/65/summary.html sme-bbcode-xss(24543) 447 Cross-site scripting (XSS) vulnerability in Lotus Domino iNotes Client 6.5.4 allows remote attackers to inject arbitrary web script or HTML via email with attached html files, which are directly rendered in the browser. http://secunia.com/secunia_research/2005-38/advisory/ 16340 ADV-2006-0499 domino-webaccess-subject-xss(24612) 16577 23077 http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229919 1015610 Multiple cross-site scripting (XSS) vulnerabilities in Lotus Domino iNotes Client 6.5.4 and 7.0 allow remote attackers to inject arbitrary web script or HTML via (1) an email subject; (2) an encoded javascript URI, as demonstrated using "java&#13;script:"; or (3) when the Domino Web Access ActiveX control is not installed, via an email attachment filename. This vulnerability is addressed in the following product releases: IBM, Lotus Domino iNotes Client, 6.5.5 IBM, Lotus Domino iNotes Client, 7.0.1 domino-webaccess-filename-xss(24614) domino-webaccess-javascript-xss(24613) domino-webaccess-attachment-xss(24611) 16577 23079 23078 23077 http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229919 1015610 http://secunia.com/secunia_research/2005-38/advisory/ 16340 ADV-2006-0499 Cross-site scripting (XSS) vulnerability in config_defaults_inc.php in Mantis before 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. An original vendor bug report is referenced, but not accessible to the general public. 16561 ADV-2006-0485 mantis-configdefaultsinc-xss(24585) DSA-1133 21400 Unspecified vulnerability in (1) query_store.php and (2) manage_proj_create.php in Mantis before 1.0.0 has unknown impact and attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. An original vendor bug report is referenced, but not accessible to the general public. 16561 ADV-2006-0485 DSA-1133 21400 Unspecified vulnerability in the (1) unix_mp and (2) unix_64 kernels in IBM AIX 5.3 VRMF 5.3.0.30 through 5.3.0.33 allows local users to cause a denial of service (system crash) via unknown vectors related to EMULATE_VMX. 16624 18795 ADV-2006-0573 23127 IY79595 aix-kernel-dos(24711) lscfg in IBM AIX 5.2 and 5.3 allows local users to modify arbitrary files via a symlink attack. 1015622 ADV-2005-2096 IY77638 IY77624 SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in message.php in the espace_membre module. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 19023 http://www.securityfocus.com/bid/16567/exploit 16567 ** DISPUTED ** Multiple SQL injection vulnerabilities in archive.asp in GA's Forum Light allow remote attackers to execute arbitrary SQL commands via the (1) Forum and (2) pages parameter. NOTE: SecurityTracker says that the vendor has disputed this issue, saying that GA Forum Light does not use an SQL database. SecurityTracker's research indicates that the original problem could be due to a vbscript parsing error based on invalid arguments. 16563 20060220 vendor dispute for CVE-2006-0669 1015600 gasforumlight-archive-sql-injection(24616) 23509 Buffer overflow in l2cap.c in hcidump 1.29 allows remote attackers to caues a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet. hcidump-bluetooth-dos(24533) ADV-2006-0479 20060206 [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC http://www.secuobs.com/news/05022006-bluetooth9.shtml#english 18741 20060206 [ Secuobs - Advisory ] Bluetooth : DoS on hcidump USN-256-1 23056 MDKSA-2006:041 DSA-990 465 19122 18971 Buffer overflow in Sony Ericsson K600i, V600i, W800i, and T68i cell phone allows remote attackers to caues a denial of service (reboot or shutdown) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet whose length field is less than the actual length of the packet. sony-bluetooth-dos(24534) ADV-2006-0478 http://www.secuobs.com/news/05022006-bluetooth7.shtml#english 18747 20060206 [Full-disclosure] [ Secuobs - Advisory ] Bluetooth : DoS on 20060206 [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones 16512 Unspecified vulnerability in HP PSC 1210 All-in-One Drivers before 1.0.06 has unknown impact and attack vectors. 16583 18770 http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?dlc=en&lc=en&os=228%20&product=90764&lang=en&cc=us&softwareitem=oj-37641-1 ADV-2006-0498 Multiple SQL injection vulnerabilities in cms/index.php in Magic Calendar Lite 1.02, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) $total_login and (2) $total_password parameter. magiccalendar-index-sql-injection(24588) ADV-2006-0525 http://evuln.com/vulns/71/summary.html 16734 16646 20060220 [eVuln] Magic Calendar Lite Authentication Bypass 1015650 459 18855 Buffer overflow in the arp command of IBM AIX 5.3 L, 5.3, 5.2.2, 5.2 L, and 5.2 allows local users to cause a denial of service (crash) via a long iftype argument. 16584 ADV-2006-0531 IY81476 IY81424 aix-arp-iftype-bo(24628) 18773 Cross-site scripting (XSS) vulnerability in search.php in Siteframe 5.0.1 allows remote attackers to inject arbitrary web script or HTML via the q parameter. ADV-2006-0533 http://siteframe.org/p/xss_vulnerability_in_siteframe_501 18804 http://kiki91.altervista.org/exploit/siteframe5.0.1a_xss.txt siteframe-search-request-xss(24649) 16596 20060212 Siteframe Beaumont 5.0.1a <== Cross-Site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter. http://www.waraxe.us/advisory-44.html ADV-2006-0542 18820 phpnuke-header-xss(24650) 16608 20060214 [waraxe-2006-SA#044] - XSS in phpNuke 7.8 and older versions 425 telnetd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2 allows remote unauthenticated attackers to cause a denial of service (server crash) via unknown vectors that trigger a null dereference. [heimdal-discuss] 20060206 Heimdal 0.7.2 and 0.6.6 ADV-2006-0653 ADV-2006-0628 ADV-2006-0456 heimdal-telnetd-dos(24763) USN-253-1 16676 SUSE-SA:2006:011 23244 DSA-977 449 19005 18961 18894 PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553. 18890 postgresql-setsessionauth-dos(24719) ADV-2006-0605 USN-258-1 2006-0008 16650 1015636 http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-3 OpenPKG-SA-2006.004 498 19035 19015 SQL injection vulnerability in index.php in the Your_Account module in PHP-Nuke 7.8 and earlier allows remote attackers to execute arbitrary SQL commands via the username variable (Nickname field). ADV-2006-0636 440 440 20060216 Critical SQL Injection PHPNuke <= 7.8 - Your_Account module 20060216 Critical SQL Injection PHPNuke <= 7.8 - Your_Account module phpnuke-youraccount-sql-injection(24769) 16691 20060216 Critical SQL Injection PHPNuke <= 7.8 - Your_Account module 23259 18931 Unspecified vulnerability in WebGUI before 6.8.6-gamma allows remote attackers to create an account, when anonymous registration is disabled, via a certain URL. 18819 ADV-2006-0541 http://www.plainblack.com/getwebgui/advisories/webgui-6.8.6-gamma-released webgui-anonymous-bypass-security(24695) 16612 Format string vulnerability in powerd.c in Power Daemon (powerd) 2.0.2 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the WHATIDO variable. ADV-2006-0545 18841 http://gotfault.net/research/advisory/gadv-powerd.txt powerdaemon-syslog-format-string(24713) 16582 Multiple cross-site scripting (XSS) vulnerabilities in bbcodes system in e107 before 0.7.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. 18816 ADV-2006-0540 http://e107.org/comment.php?comment.news.776 e107-bbcode-xss(24625) 16614 Cross-site scripting (XSS) vulnerability in Virtual Hosting Control System (VHCS) 2.4.7.1 with v.1 patch and earlier allows remote attackers to inject arbitrary web script or HTML via the username, which is recorded in a log file but not properly handled when the administrator uses the admin log utility to read the log file. 18799 ADV-2006-0534 16600 20060211 RS-2006-1: Multiple flaws in VHCS 2.x http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt vhcs-admin-xss(24664) change_password.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not verify the old password when a user changes the password, which may allow remote attackers to gain unauthorized access. 18799 ADV-2006-0534 16600 20060211 RS-2006-1: Multiple flaws in VHCS 2.x http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt vhcs-change-password-weakness(24665) The check_login function in login.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not exit when authentication fails, which allows remote attackers to gain unauthorized access. 18799 ADV-2006-0534 16600 20060211 RS-2006-1: Multiple flaws in VHCS 2.x http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt vhcs-checklogin-auth-bypass(24666) add_user.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not check user privileges when adding a new administrative user, which allows remote attackers to gain unauthorized access. 18799 ADV-2006-0534 16600 20060211 RS-2006-1: Multiple flaws in VHCS 2.x http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt vhcs-adduser-privilege-escalation(24667) 430 process.php in DocMGR 0.54.2 does not initialize the $siteModInfo variable when a direct request is made, which allows remote attackers to include arbitrary local files or possibly remote files via a modified includeModule and siteModInfo variable. ADV-2006-0544 18803 http://retrogod.altervista.org/docmgr_0542_incl_xpl.html docmgr-process-file-include(24694) 16601 20060212 DocMGR <= 0.54.2 arbitrary remote inclusion 428 PHP remote file include vulnerability in application.php in nicecoder.com indexu 5.0.0 and 5.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter. indexu-application-file-include(24603) ADV-2006-0494 16565 20060209 [ECHO_ADV_27$2006] Indexu <= 5.0.1 Remote File Inclusion 22989 1015607 18752 http://echo.or.id/adv/adv27-K-159-2006.txt http://echo.or.id/adv/adv26-K-159-2006.txt Cross-site scripting (XSS) vulnerability in the Registration Form in TTS Time Tracking Software 3.0 allows remote attackers to inject arbitrary web script or HTML via the UserName parameter. timetracking-registration-xss(24572) ADV-2006-0524 http://www.evuln.com/vulns/69/summary.html 16630 20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities 18854 Multiple SQL injection vulnerabilities in TTS Time Tracking Software 3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. timetracking-multiple-sql-injection(24571) ADV-2006-0524 http://www.evuln.com/vulns/69/summary.html 16630 20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities 18854 edituser.php in TTS Time Tracking Software 3.0 does not verify that the name and password are correct, which allows remote attackers to overwrite arbitrary data belonging to any account. timetracking-edituser-auth-bypass(24570) ADV-2006-0524 http://www.evuln.com/vulns/69/summary.html 16731 16630 20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities 18854 Multiple SQL injection vulnerabilities in Carey Briggs PHP/MYSQL Timesheet 1 and 2 allow remote attackers to execute arbitrary SQL commands via the (1) yr, (2) month, (3) day, and (4) job parameters in (a) index.php and (b) changehrs.php. The vendor has supplied a patch which is available at: http://www.hotscripts.com/Detailed/51138.html phpmysqltimesheet-multiple-sql-injection(24567) ADV-2006-0522 16620 20060217 [eVuln] PHP/MYSQL Timesheet Multiple SQL Injection Vulnerabilities http://www.evuln.com/vulns/67/summary.html 18822 451 Multiple SQL injection vulnerabilities in rb_auth.php in Roberto Butti CALimba 0.99.2 beta and earlier allow remote attackers to execute arbitrary SQL commands and bypass login authentication via the (1) login and (2) password parameters. calimba-rbauth-sql-injection(24578) ADV-2006-0523 http://www.evuln.com/vulns/68/summary.html 16632 20060217 [eVuln] CALimba Authentication Bypass Vulnerability 453 18856 Unspecified vulnerability in the loaders (load_*.php) in Ansilove before 1.03 allows remote attackers to read arbitrary files via unspecified vectors involving "converting files accessible by the webserver". http://sourceforge.net/project/shownotes.php?release_id=392826 18810 ADV-2006-0536 ansilove-load-information-disclosure(24681) 16603 Ansilove before 1.03 does not filter uploaded file extensions, which allows remote attackers to execute arbitrary code by uploading arbitrary files with dangerous extensions, then accessing them directly in the upload directory. http://sourceforge.net/project/shownotes.php?release_id=392826 18810 ADV-2006-0536 ansilove-filename-code-execution(24684) 16603 SQL injection vulnerability in Zen Cart before 1.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://sourceforge.net/project/shownotes.php?release_id=392886 18801 ADV-2006-0546 zencart-multiple-sql-injection(24701) 23110 Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified vectors, probably direct requests. http://sourceforge.net/project/shownotes.php?release_id=392886 18801 ADV-2006-0546 Unspecified vulnerabilities in Zen Cart before 1.2.7 allow remote attackers to cause unknown impact via unspecified vectors related to "other attempted exploits" other than SQL injection. 18801 ADV-2006-0546 http://sourceforge.net/project/shownotes.php?release_id=392886 zencart-multiple-sql-injection(24701) Cross-site scripting (XSS) vulnerability in search.php in QWikiWiki 1.5, and possibly 1.5.1 and other versions, allows remote attackers to inject arbitrary web script or HTML via the query parameter. qwikiwiki-search-xss(24669) ADV-2006-0562 16638 18814 http://insecurity.altervista.org/index.php?m=02&y=06&entry=entry060213-221217 imageVue 16.1 allows remote attackers to obtain folder permission settings via a direct request to dir.php, which returns an XML document that lists folders and their permissions. imagevue-multiple-information-disclosure(24641) ADV-2006-0570 16594 20060211 imageVue16.1 upload vulnerability 18802 readfolder.php in imageVue 16.1 allows remote attackers to list directories via modified path and ext parameters. ADV-2006-0570 16594 20060211 imageVue16.1 upload vulnerability 18802 imagevue-multiple-information-disclosure(24641) admin/upload.php in imageVue 16.1 allows remote attackers to upload arbitrary files to certain allowed folders via .. (dot dot) sequences in the path parameter. NOTE: due to the lack of details, the specific vulnerability type cannot be determined, although it might be due to directory traversal. ADV-2006-0570 16594 20060211 imageVue16.1 upload vulnerability 18802 imagevue-upload-file-upload(24633) Unspecified vulnerability in index.php in imageVue 16.1 has unknown impact, probably a cross-site scripting (XSS) vulnerability involving the query string that is not quoted when inserted into style and body tags, as demonstrated using a bgcol parameter. ADV-2006-0570 16594 20060211 imageVue16.1 upload vulnerability 18802 imagevue-index-sql-injection(24642) 20061029 Re: imageVue16.1 upload vulnerability 20060719 Re: imageVue16.1 upload vulnerability 429 iE Integrator 4.4.220114, when configured without a "bespoke error page" in acm.ini, allows remote attackers to obtain sensitive information via a URL that calls a non-existent .aspx script in the integrator/apps directory, which results in an error message that displays the installation path, web server name, IP, and port, session cookie information, and the IIS system username. ADV-2006-0568 http://www.irmplc.com/advisory016.htm 18813 ieintegrator-error-information-disclosure(24714) Format string vulnerability in a logging function as used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier, allows remote authenticated users to execute arbitrary commands via unspecified vectors, involving crafted filenames and the stat command. VU#419241 16625 http://support.wrq.com/techdocs/1882.html 1015619 18843 18828 sftp-logging-format-string(24651) ADV-2008-1008 ADV-2006-0555 ADV-2006-0554 16640 GLSA-200703-13 29552 24516 SSRT080011 SSRT080011 Cross-site scripting vulnerability in eintrag.php in Gästebuch (Gastebuch) before 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the URL, which is used in the homepage parameter. This vulnerability is addressed in the following product release: Gastebuch, Gastebuch, 1.3.3 gastebuch-homepage-xss(24670) 16615 18849 20060213 XSS vulnerability in guestbook-php-script ADV-2006-0566 http://www.php4scripte.de/index.php PyBlosxom before 1.3.2, when running on certain webservers, allows remote attackers to read arbitrary files via an HTTP request with multiple leading / (slash) characters, which is accessed using the PATH_INFO variable. http://sourceforge.net/project/shownotes.php?release_id=391800 18858 ADV-2006-0571 pyblosxom-pathinfo-information-disclosure(24730) 16641 Multiple buffer overflows in NullSoft Winamp 5.13 and earlier allow remote attackers to execute arbitrary code via (1) an m3u file containing a long URL ending in .wma, (2) a pls file containing a File1 field with a long URL ending in .wma, or (3) an m3u file with a long filename, variants of CVE-2005-3188 and CVE-2006-0476. ADV-2006-0613 16623 20060213 New winamp m3u/pls .WMA & .M3U Extension overflows 1015621 winamp-m3u-filename-bo(24741) winamp-m3u-wma-bo(24740) winamp-pls-file1-bo(24739) 492 444 http://forums.winamp.com/showthread.php?s=&threadid=238648 Buffer overflow in Metamail 2.7-50 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via e-mail messages with a long boundary attribute, a different vulnerability than CVE-2004-0105. MDKSA-2006:047 16611 RHSA-2006:0217 19000 18987 ADV-2006-0565 1015654 18796 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=352482 metamail-boundary-bo(24702) SUSE-SR:2006:005 GLSA-200603-16 DSA-995 19304 19226 19130 Double free vulnerability in isode.eddy in Isode M-Vault Server 11.3 allows remote attackers to execute arbitrary code via a crafted LDAP request, as demonstrated by ProtoVer Sample LDAP. isode-mvault-ldap-dos(24700) ADV-2006-0567 16635 18818 [Dailydave] 20060213 eddy 0day The (1) addfolder and (2) deletefolder functions in neomail-prefs.pl in NeoMail 1.28 do not validate the Session ID, which allows remote attackers to add and delete arbitrary files, when configured with homedirfolders and homedirspools disabled. http://sourceforge.net/project/shownotes.php?release_id=392562&group_id=2874 18785 ADV-2006-0564 http://secunia.com/secunia_research/2006-3/advisory/ neomail-neomailprefs-bypass-security(24737) 16651 mail_html template in Squishdot 1.5.0 and earlier does not properly validate the (1) email and (2) title variables, which allows remote attackers to bypass spam filters by injecting SMTP headers, probably due to a CRLF injection vulnerability. ADV-2006-0551 http://www.squishdot.org/1139510883 squishdot-mailhtml-header-injection(24659) 16667 18868 Directory traversal vulnerability in LinPHA 1.0 allows remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) lang parameter in docs/index.php and the language parameter in (2) install/install.php, (3) install/sec_stage_install.php, (4) install/third_stage_install.php, and (5) install/forth_stage_install.php. NOTE: direct static code injection is resultant from this issue, as demonstrated by inserting PHP code into the username, which is inserted into linpha.log, which is accessible from the directory traversal. ADV-2006-0535 16592 20060211 Linpha <= 1.0 multiple arbitrary local inclusion 18808 http://retrogod.altervista.org/linpha_10_local.html linpha-index-file-include(24663) 426 Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the adodbpath parameter. 18847 ADV-2006-0569 16618 20060213 EGS Enterprise Groupware System 1.0 rc4 remote commands execution & FlySpray 0.9.7 remote commands execution http://retrogod.altervista.org/egs_10rc4_php5_incl_xpl.html flyspray-adodbpath-file-include(24735) 432 Cross-site scripting (XSS) vulnerability in sNews 1.3 allows remote attackers to inject arbitrary web script or HTML via the comment field. 16647 20060214 XSS bugs and SQL injection in sNews snews-comment-xss(24674) 20060214 XSS and SQL injection in sNews SQL injection vulnerability in index.php in sNews 1.3 allows remote attackers to execute arbitrary SQL commands via the (1) category and (2) id parameters. 16647 20060214 XSS bugs and SQL injection in sNews snews-index-sql-injection(24675) 431 20060214 XSS and SQL injection in sNews IBM Tivoli Directory Server 6.0 allows remote attackers to cause a denial of service (crash) via a crafted LDAP request, as demonstrated by test 2532 in the ProtoVer Sample LDAP test suite. tivoli-directory-ldap-dos(24619) ADV-2006-0537 16593 18779 [Dailydave] 20060211 IBM Tivoli Directory Server 0day http://www-1.ibm.com/support/docview.wss?uid=swg21230820 1015653 The Internet Key Exchange version 1 (IKEv1) implementation in Avaya VSU 100, 2000, 7500, 10000, and CSU 5000, when running IPSec, allows remote attackers to cause a denial of service (crash) via certain IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of details in the advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to. VU#226364 http://support.avaya.com/elmodocs2/security/ASA-2006-043.htm 16613 18836 SQL injection vulnerability in member_login.php in PHP Classifieds 6.18 through 6.20 allows remote attackers to execute arbitrary SQL commands via the (1) username parameter, which is used by the E-mail address field, and (2) password parameter. ADV-2006-0600 16642 20060214 SQL injection in PHP Classifieds 6.20 http://www.deltascripts.com/board/viewtopic.php?id=7234 424 18881 Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted .m3u file that causes an incorrect strncpy function call when the player pauses or stops the file. 16785 1015675 20060223 NSFOCUS SA2006-01 : Winamp m3u File Processing Buffer Overflow Vulnerability http://www.nsfocus.com/english/homepage/research/0601.htm http://forums.winamp.com/showthread.php?threadid=238648 winamp-m3u-wma-bo(24740) 476 SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allows remote attackers to execute arbitrary SQL commands via the to_userid parameter. 18831 runcms-pmlite-sql-injection(24676) ADV-2006-0572 16652 http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18 http://hamid.ir/security/runcms.txt runcms-pmlite-sql-injection(24676) 20060216 RUNCMS 1.3a SQL injection 1015626 settings.php in Reamday Enterprises Magic Downloads 1.1.3, when register_globals is enabled, allows remote attackers to modify program behavior, potentially bypassing authentication controls, via modified (1) action, (2) passwd, (3) admin_password, (4) new_passwd, and (5) confirm_passwd variables, which are not initialized. ADV-2006-0602 18877 http://evuln.com/vulns/73/summary.html magicdownloads-settings-access(24615) 16665 20060221 [eVuln] Magic Downloads Unauthorized Data Modification 468 PHP remote file inclusion vulnerability in preview.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the php_script_path parameter. magicnewslite-preview-file-include(24608) ADV-2006-0603 16665 16660 18878 http://evuln.com/vulns/72/summary.html profile.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to modify program behavior, potentially bypassing authentication controls, via modified (1) action, (2) passwd, (3) admin_password, (4) new_passwd, and (5) confirm_passwd variables, which are not initialized. ADV-2006-0603 18878 http://evuln.com/vulns/72/summary.html magicnewslite-profile-access(24610) 16665 PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-2645. plumecms-frontinc-prepend-file-include(27699) plumecms-prepend-file-include(24697) ADV-2006-0599 16662 23204 1015624 18883 http://plume-cms.net/news/77-Security-Notice-Please-Update-Your-Prependphp-File Cross-site scripting (XSS) vulnerability in linking.php in CPG-Nuke Dragonfly CMS 9.0.6.1 allows remote attackers to inject arbitrary web script or HTML via a URI that is generated when creating a list of online users. ADV-2006-0688 16781 23060 18919 http://dragonflycms.org/Forums/viewtopic/t=14877/postdays=0/postorder=asc/start=15.html http://dragonflycms.org/Forums/viewtopic/t=14751.html http://dragonflycms.org/cvs/html/includes/functions/linking.php?d=9.23-9.22 http://dragonflycms.org/cvs/html/includes/functions/linking.php?b=9.19.2 cpg-dragonfly-linking-xss(24842) SQL injection vulnerability in mstrack.php in MusOX DF MSAnalysis (DFMSA), as used in some environments that use CPG-Nuke Dragonfly CMS, allows remote attackers to trigger path disclosure from a SQL syntax error, and possibly execute arbitrary SQL commands, via certain query data, probably involving the profile name. ADV-2006-0688 23060 http://dragonflycms.org/Forums/viewtopic/t=14877/postdays=0/postorder=asc/start=15.html http://dragonflycms.org/Forums/viewtopic/t=14751.html http://dragonflycms.org/cvs/html/includes/functions/linking.php?d=9.23-9.22 http://dragonflycms.org/cvs/html/includes/functions/linking.php?b=9.19.2 16783 23250 SQL injection vulnerability in search.php in webSPELL 4.01.00 and earlier allows remote attackers to inject arbitrary SQL commands via the title_op parameter. http://www.webspell.org/index.php?site=news_comments&newsID=49&lang=en 18885 ADV-2006-0606 webspell-search-sql-injection(24708) 16673 SQL injection vulnerability in functions.php in Teca Diary PE 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) yy, (2) mm, and (3) dd parameters. tecadiary-functions-sql-injection(24643) ADV-2006-0615 http://www.evuln.com/vulns/75/summary.html 1015674 18876 16686 20060223 [eVuln] Teca Diary PE SQL Injection Vulnerability 477 Multiple unspecified vulnerabilities in Dovecot before 1.0beta3 allow remote attackers to cause a denial of service (application crash or hang) via unspecified vectors involving (1) "potential hangs" in the APPEND command and "potential crashes" in (2) dovecot-auth and (3) imap/pop3-login. NOTE: vector 2 might be related to a double free vulnerability. dovecot-append-dos(24709) ADV-2006-0549 16672 [Dovecot] 20060208 1.0beta3 released 18870 WmRoot/adapter-index.dsp in SAP Business Connector Core Fix 7 and earlier allows remote attackers to conduct spoofing (phishing) attacks via an absolute URL in the url parameter, which loads the URL inside a frame. sapbc-admin-spoofing(24751) ADV-2006-0611 16671 20060515 CYBSEC - Security Advisory: Phishing Vector in SAP BC (BusinessConnector) 20060215 CYBSEC - Security Pre-Advisory: Phishing Vector in SAP BC http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Phishing_Vector_in_SAP_BC.pdf 1015639 18880 Directory traversal vulnerability in SAP Business Connector (BC) 4.6 and 4.7 allows remote attackers to read or delete arbitrary files via the fullName parameter to (1) sapbc/SAP/chopSAPLog.dsp or (2) invoke/sap.monitor.rfcTrace/deleteSingle. Details will be updated after the grace period has ended. NOTE: SAP Business Connector is an OEM version of webMethods Integration Server. webMethods states that this issue can only occur when the product is installed as root/admin, and if the attacker has access to a general purpose port; however, both are discouraged in the documentation. In addition, the attacker must already have acquired administrative privileges through other means. Apply patches (see SAP note 906401 and 908349). ADV-2006-0611 16668 20060215 CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAPBC http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf 1016122 1015639 18880 20060515 CYBSEC - Security Advisory: Arbitrary File Read/Delete in SAP BC(Business Connector) 1016090 ** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vulnerability. 16656 20060214 [myimei]WordPress2.0.0~autors?website~XSS attack http://myimei.com/security/2006-02-15/wordpress200autors-websitexss-attack.html wordpress-authorswebsite-xss(24736) The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.6 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a backslash character at the end of a connection string to UDP port 27015. halflife-svcheckforduplicatenames-dos(33505) 16619 http://aluigi.altervista.org/adv/csdos.txt Cross-site scripting (XSS) vulnerability in BBcode.pm in M. Blom HTML::BBCode 1.04 and earlier, as used in products such as My Blog before 1.65, allows remote attackers to inject arbitrary Javascript via a javascript URI in an (1) img or (2) url BBcode tag. 16659 20060215 [eVuln] M. Blom HTML::BBCode perl module XSS Vulnerabilities 20060215 [eVuln] My Blog BBCode XSS Vulnerabilities http://www.evuln.com/vulns/80/summary.html 18905 http://fuzzymonkey.net/forum/viewtopic.php?t=856 http://www.evuln.com/vulns/80/summary.html http://evuln.com/vulns/79/summary.html myblog-bbcode-xss(24668) ADV-2006-0642 ADV-2006-0614 18925 http://menno.b10m.net/perl/HTML-BBCode/Changes http://menno.b10m.net/perl/HTML-BBCode/Changes http://menno.b10m.net/perl/dists/HTML-BBCode-1.05.tar.gz Stack-based buffer overflow in the pam_micasa PAM authentication module in CASA on Novell Linux Desktop 9 and Open Enterprise Server 1 allows remote attackers to execute arbitrary code via unspecified vectors. ADV-2006-0693 SUSE-SA:2006:010 16779 18995 eStara SIP softphone allows remote attackers to cause a denial of service (crash) via a SIP OPTIONS request with a negative Expires field. ADV-2006-0607 20060214 eStara SIP softphone several message-processing vulnerabilities 18872 estara-neg-integer-dos(24677) 16629 Multiple format string vulnerabilities in eStara SIP softphone allow remote attackers to cause a denial of service (hang) via SIP INVITE requests with format string specifiers in the SDP session description, as demonstrated using (1) the field name, (2) the o field (owner/creator and session identifier), or (3) the m field (media name and transport address). ADV-2006-0607 20060214 eStara SIP softphone several message-processing vulnerabilities 18872 estara-sdp-format-string(24678) 16629 eStara SIP softphone allows remote attackers to cause a denial of service (crash) via an INVITE request with a Content-Length field that has more than 9 digits. estara-content-length-dos(24679) ADV-2006-0607 20060214 eStara SIP softphone several message-processing vulnerabilities 18872 16629 Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address." ADV-2006-2554 ADV-2006-0804 oval:org.mitre.oval:def:10518 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5 kernel-elf-dos(25001) USN-263-1 16925 RHSA-2006:0493 RHSA-2006:0437 FEDORA-2006-131 23607 SUSE-SA:2006:028 MDKSA-2007:025 MDKSA-2006:059 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 1015724 21983 21745 21136 20914 20671 20398 20237 19220 19108 19083 The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the "noreturn" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems. This vulnerability affects all verison of Linux kernel 2.6.x before 2.6.15.6, and may be exclusive to Itanium systems. 19078 ADV-2006-2554 ADV-2006-0856 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.6 oval:org.mitre.oval:def:10742 kernel-dieifkernel-dos(25068) USN-263-1 16993 RHSA-2006:0575 RHSA-2006:0437 23660 SUSE-SA:2006:028 MDKSA-2006:059 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm 22417 21983 21465 21136 20914 20671 20398 19607 19220 20060402-01-U Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors. 19241 http://issues.apache.org/jira/browse/LOG4NET-67 log4net-localsyslogappender-dos(25196) ADV-2006-0955 17095 23905 SUSE-SR:2006:026 22932 Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS. linux-uncanonical-addr-dos(25869) ADV-2006-2554 ADV-2006-1475 ADV-2006-1390 USN-302-1 17541 RHSA-2006:0493 RHSA-2006:0437 24639 SUSE-SA:2006:047 SUSE-SA:2006:042 SUSE-SA:2006:028 MDKSA-2006:150 MDKSA-2006:086 DSA-1103 http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 21983 21745 21498 21179 21136 20914 20716 20398 20237 20157 19735 19639 oval:org.mitre.oval:def:9732 FEDORA-2006-423 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.5 X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile. 17169 20060320 [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 ADV-2006-1028 ADV-2006-1017 20060320 Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 xorg-geteuid-privilege-escalation(25341) FEDORA-2006-172 24001 24000 SUSE-SA:2006:016 MDKSA-2006:056 http://support.avaya.com/elmodocs2/security/ASA-2006-078.htm 102252 1015793 606 19676 19316 19311 19307 19256 oval:org.mitre.oval:def:1697 Certain patches for kpdf do not include all relevant patches from xpdf that were associated with CVE-2005-3627, which allows context-dependent attackers to exploit vulnerabilities that were present in CVE-2005-3627. kde-kpdf-patch-bo(25146) 17039 20060310 [KDE Security Advisory] kpdf of KDE 3.3.x heap based buffer overflow RHSA-2006:0262 MDKSA-2006:054 http://www.kde.org/info/security/advisory-20060202-1.txt DSA-1008 1015751 566 19264 19190 19189 oval:org.mitre.oval:def:11441 Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. TA09-133A https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183676 https://issues.rpath.com/browse/RPL-429 ADV-2009-1297 ADV-2007-0381 USN-291-1 18326 20060612 rPSA-2006-0100-1 freetype RHSA-2006:0500 MDKSA-2006:099 DSA-1095 http://support.avaya.com/elmodocs2/security/ASA-2006-176.htm http://support.apple.com/kb/HT3549 102705 1016522 35074 23939 21701 21385 21135 21062 20791 20638 20591 20525 oval:org.mitre.oval:def:9508 SUSE-SA:2006:037 APPLE-SA-2009-05-12 20060701-01-U Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via "an invalid and non-sensical ordering of table-related tags" that results in a negative array index. This vulnerability also affects Mozilla Suite before 1.7.13 mozilla-table-rebuilding-code-execution(25985) http://www.zerodayinitiative.com/advisories/ZDI-06-011/ ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-3391 ADV-2006-1356 USN-276-1 USN-275-1 17516 SSRT061181 SSRT061181 SSRT061236 SSRT061236 HPSBUX02122 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 20060426 ZDI-06-011: Mozilla Firefox Table Rebuilding Code Execution Vulnerability RHSA-2006:0330 RHSA-2006:0329 SUSE-SA:2006:004 SUSE-SA:2006:004 MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 22065 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 oval:org.mitre.oval:def:11164 20060404-01-U SCOSA-2006.26 22066 oval:org.mitre.oval:def:1189 nsHTMLContentSink.cpp in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors involving a "particular sequence of HTML tags" that leads to memory corruption. TA06-107A VU#736934 http://www.zerodayinitiative.com/advisories/ZDI-06-009.html ADV-2006-3391 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 HPSBTU02118 HPSBTU02118 20060417 ZDI-06-009: Mozilla Firefox Tag Parsing Code Execution Vulnerability RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-18.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19729 19721 19714 19696 19631 oval:org.mitre.oval:def:11704 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-nshtmlcontentsink-memory-corruption(25819) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 729 20051 19780 oval:org.mitre.oval:def:1848 SQL injection vulnerability in army.php in supersmashbrothers (SSB) Army System 2.1.0 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the userstat parameter in an army action to index.php. ipb-armysystem-sql-injection(24654) ADV-2006-0561 16606 20060212 Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit 18840 http://secubox.shadock.net/Invision_Power_Board_Army_System_Mod_2.1_and_prior_SQL_Injection_Exploit.html Multiple unspecified vulnerabilities in the (1) Filesystem in USErspace (FUSE) client and (2) NOOFS daemon in in Network Object Oriented File System (NOOFS) before 0.9.0 have unspecified impact and attack vectors. 23053 23052 http://freshmeat.net/projects/noofs/?branch_id=60557&release_id=218852 [fm-news] 20060204 Newsletter for Friday, February 03rd 2006 Niels Provos Honeyd before 1.5 replies to certain illegal IP packet fragments that other IP stack implementations would drop, which allows remote attackers to identify IP addresses that are being simulated using honeyd. 16595 ADV-2006-0552 20060212 honeyd security advisory: remote detection http://www.honeyd.org/phpBB2/viewtopic.php?t=106 http://www.honeyd.org/adv.2006-01 18867 honeyd-ipfrag-obtain-information(24728) Memory leak in Microsoft Internet Explorer 6 for Windows XP Service Pack 2 allows remote attackers to cause a denial of service (memory consumption) via JavaScript that uses setInterval to repeatedly call a function to set the value of window.status. ie-windowstatus-dos(24846) 20060214 memory leak in IE? ie-windowsstatus-dos(24846) 23307 ** DISPUTED ** dotProject 2.0.1 and earlier allows remote attackers to obtain sensitive information via direct requests with an invalid baseDir to certain PHP scripts in the db directory, which reveal the path in an error message. NOTE: the vendor disputes this issue, saying that it could only occur if the administrator ignores the installation instructions as well as warnings generated by check.php. ADV-2006-0604 16648 20060214 dotproject <= 2.0.1 remote code execution 20060215 Re: dotproject <= 2.0.1 remote code execution 23206 18879 dotproject-phpinfo-check-obtain-info(24745) ** DISPUTED ** Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php, (2) db_connect.php, (3) session.php, (4) vw_usr_roles.php, (5) calendar.php, (6) date_format.php, and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php, (9) gantt2.php, and (10) vw_files.php. NOTE: the vendor disputes this issue, stating that the product documentation clearly recommends that the system administrator disable register_globals, and that the check.php script warns against this setting. Also, the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product. dotproject-multiple-basedir-file-include(24738) ADV-2006-0604 16648 20060214 dotproject <= 2.0.1 remote code execution 20060215 Re: dotproject <= 2.0.1 remote code execution 23219 23218 23217 23216 23215 23214 23213 23212 23211 23210 23209 18879 ** DISPUTED ** dotProject 2.0.1 and earlier leaves (1) phpinfo.php and (2) check.php accessible under the /docs/ directory after installation, which allows remote attackers to obtain sensitive configuration information. NOTE: the vendor disputes this issue, saying that it could only occur if the administrator ignores the installation instructions as well as warnings generated by check.php. ADV-2006-0604 16648 20060214 dotproject <= 2.0.1 remote code execution 20060215 Re: dotproject <= 2.0.1 remote code execution 23208 23207 18879 dotproject-phpinfo-check-obtain-info(24745) 434 Multiple eval injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary PHP code via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts, as demonstrated by an addressbook.update.php request with a contactgroupid value of phpinfo() preceded by facilitators. hivemail-multiple-file-include(24618) ADV-2006-0527 http://www.gulftech.org/?node=research&article_id=00098-02102006 http://forum.hivemail.com/showthread.php?p=26745 20060210 HiveMail <= 1.3 Multiple Vulnerabilities 16591 18807 Multiple cross-site scripting (XSS) vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to inject arbitrary web script or HTML via a URL encoded expression in the query string in (1) index.php and (2) possibly certain other scripts, which is not properly cleansed when accessed from the $_SERVER['PHP_SELF'] variable. hivemail-index-xss(24622) ADV-2006-0527 http://www.gulftech.org/?node=research&article_id=00098-02102006 http://forum.hivemail.com/showthread.php?p=26745 20060210 HiveMail <= 1.3 Multiple Vulnerabilities 16591 18807 Multiple SQL injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts; and allow remote authenticated users to execute arbitrary SQL commands via (11) the folderid parameter in index.php and (12) possibly other parameters in certain other scripts, because $_SERVER['PHP_SELF'] is improperly handled. hivemail-index-sql-injection(24623) ADV-2006-0527 http://www.gulftech.org/?node=research&article_id=00098-02102006 http://forum.hivemail.com/showthread.php?p=26745 20060210 HiveMail <= 1.3 Multiple Vulnerabilities 16591 422 18807 LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names. 18869 ADV-2006-0550 http://lighttpd.net/news/ http://lighttpd.net/news/ lighttpd-ext-source-disclosure(24699) 23229 Buffer overflow in BlackBerry Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server 2.2 and 4.0 before SP3 Hotfix 4 for IBM Lotus Domino, 3.6 before SP7 and 5.0 before SP3 Hotfix 3 for Microsoft Exchangem, and 4.0 for Novell GroupWise before SP3 Hotfix 1 might allow user-assisted remote attackers to execute arbitrary code on the server via a crafted Microsoft Word document that is opened on a wireless device. blackberry-attachment-word-bo(24629) ADV-2006-0530 16590 20060210 Corrupt Word file may cause buffer overflow in the Blackberry Attachment Service http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/8149/8052/Support_-_Corrupt_Word_file_may_cause_buffer_overflow_in_the_BlackBerry_Attachment_Service.html?nodeid=1181753&vernum=2 WinAbility Folder Guard 4.11 allows local users to gain unauthorized access to certain capabilities of the application by renaming or moving the password file (FGuard.FGP), which disables the password requirement. 20060213 Re: Folder Guard password protection bypass 20060213 Folder Guard password protection bypass folderguard-fguard-bypass-authentication(24725) Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via a URL encoded value in the fwd parameter. 22971 20060207 Re: cPanel Multiple Cross Site Scripting Vulnerability cpanel-dowebmailforward-xss(24839) The Authentication, Authorization, and Accounting (AAA) capability in versions 5.0(1) and 5.0(3) of the software used by multiple Cisco Anomaly Detection and Mitigation products, when running with an incomplete TACACS+ configuration without a "tacacs-server host" command, allows remote attackers to bypass authentication and gain privileges, aka Bug ID CSCsd21455. cisco-tacacs-auth-bypass(24689) ADV-2006-0612 16661 20060215 TACACS+ Authentication Bypass in Cisco Anomaly Detection and Mitigation Products 23237 1015638 1015637 435 18904 GUI display truncation vulnerability in ICQ Inc. (formerly Mirabilis) ICQ 2003a, 2003b, Lite 4.0, Lite 4.1, and possibly other Windows versions allows user-assisted remote attackers to hide malicious file extensions, bypass Windows security warnings via a filename that is all uppercase and of a specific length, which truncates the malicious extension from the display and could trick a user into executing arbitrary programs. 16655 20060215 Mirabiliz ICQ 2002/2003/ LITE 4.0/4.1 LONG (DIRECTORY + FILENAME) EXPLOIT ICQ Inc. (formerly Mirabilis) ICQ 2003a, 2003b, Lite 4.0, Lite 4.1, and possibly other Windows versions allows user-assisted remote attackers to hide malicious file extensions and bypass Windows security warnings via a filename that ends in an assumed-safe extension such as JPG, and possibly containing other modified properties such as company name, icon, and description, which could trick a user into executing arbitrary programs. 16655 20060215 Mirabiliz ICQ 2002/2003/ LITE 4.0/4.1 LONG (DIRECTORY + FILENAME) EXPLOIT CGIWrap before 3.10 allows remote attackers to obtain sensitive information via unknown attack vectors that cause errors in scripts that reveal system information. http://sourceforge.net/project/shownotes.php?release_id=393274&group_id=8209 18797 ADV-2006-0601 http://sourceforge.net/project/showfiles.php?group_id=8209 cgiwrap-error-information-disclosure(24717) 16669 Kadu 0.4.3 allows remote attackers to cause a denial of service (application crash) via a large number of image send requests. ADV-2006-0609 http://www.piotrbania.com/all/adv/kadu-fun.txt 18824 20060215 Kadu Remote Denial Of Service Fun kadu-image-request-dos(24720) 20060215 Kadu Remote Denial Of Service Fun Unspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors. 18891 ADV-2006-0608 102186 1015635 solaris-kerberos-command-execution(24680) 16658 Q-126 oval:org.mitre.oval:def:1580 Cross-site scripting (XSS) vulnerability in calendar.php in MyBulletinBoard (MyBB) 1.0.4 allows remote attackers to inject arbitrary web script or HTML via a URL that is not sanitized before being returned as a link in "advanced details". NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. mybb-advanceddetails-xss(24748) ADV-2006-0635 23264 18866 Format string vulnerability in PunkBuster 1.180 and earlier, as used by Soldier of Fortune II and possibly other games, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in invalid cvar values, which are not properly handled when the server kicks the player and records the reason. punkbuster-cvars-format-string(24792) 16703 20060216 Soldier of Fortune II format string through PunkBuster 1.180 448 18917 20060216 Soldier of Fortune II format string through PunkBuster 1.180 http://aluigi.altervista.org/adv/sof2pbfs-adv.txt SQL injection vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to execute arbitrary SQL commands via unspecified vectors in the extended receiving box function. 18817 hitachi-businesslogic-recbox-sql-injection(24621) hitachi-businesslogic-input-sql-injection(23877) ADV-2006-0532 16602 23099 http://www.hitachi-support.com/security_e/vuls_e/HS06-002_e/index-e.html Cross-site scripting (XSS) vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the extended receiving box function. 18817 hitachi-businesslogic-recbox-xss(24620) ADV-2006-0532 16602 http://www.hitachi-support.com/security_e/vuls_e/HS06-002_e/index-e.html SQL injection vulnerability in deleteSession() in DB_eSession library 1.0.2 and earlier, as used in multiple products, allows remote attackers to execute arbitrary SQL commands via the $_sess_id_set variable, which is usually derived from PHPSESSID. ADV-2006-0528 16598 20060211 DB_eSession deleteSession() SQL injection 23104 http://www.gulftech.org/?node=research&article_id=00099-02112006 18805 dbesession-deletesession-sql-injection(24673) 20060501 Re: DB_eSession deleteSession() SQL injection Multiple SQL injection vulnerabilities in show.php in BirthSys 3.1 allow remote attackers to execute arbitrary SQL commands via the $month variable. NOTE: a vector regarding the $date parameter and data.php (date.php) was originally reported, but this appears to be in error. birthsys-show-date-sql-injection(24617) ADV-2006-0621 http://www.evuln.com/vulns/74/summary.html 20060215 EV0074 BirthSys 3.1 SQL injection (fwd) 16684 23185 467 18893 Cross-site scripting (XSS) vulnerability in guestex.pl in Teca Scripts Guestex 1.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter. guestex-script-xss(24644) ADV-2006-0640 23182 http://www.evuln.com/vulns/77/summary.html 16711 20060224 [eVuln] Guestex XSS Vulnerability 1015678 490 18927 Unspecified vulnerability in guestex.pl in Teca Scripts Guestex 1.0 allows remote attackers to execute arbitrary shell commands via the email parameter, possibly involving shell metacharacters. guestex-script-execute-code(24645) ADV-2006-0640 23183 http://www.evuln.com/vulns/76/summary.html 16711 20060224 [eVuln] Guestex Shell Command Execution Vulnerability 489 18927 Multiple SQL injection vulnerabilities in XMB Forums 1.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) $u2u_select array parameter to u2u.inc.php and (2) $val variable (fidpw0 cookie value) in today.php. http://www.xmbforum.com/ ADV-2006-0529 20060212 XMB Forums Multiple Vulnerabilities 23118 23117 http://www.gulftech.org/?node=research&article_id=00100-02122006 18821 xmbforum-multiple-sql-injection(24646) 16604 Cross-site scripting (XSS) vulnerability in u2u.php in XMB Forums 1.9.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter, as demonstrated using a URL-encoded iframe tag. xmbforum-u2u-xss(24647) http://www.xmbforum.com/ ADV-2006-0529 16604 20060212 XMB Forums Multiple Vulnerabilities 23119 http://www.gulftech.org/?node=research&article_id=00100-02122006 Multiple cross-site scripting (XSS) vulnerabilities in weblog.pl in PerlBlog 1.09b and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) email parameters. perlblog-weblog-xss(24691) http://evuln.com/vulns/81/summary.html 16707 20060227 [eVuln] PerlBlog Multiple Vulnerabilities 508 18924 Directory traversal vulnerability in weblog.pl in PerlBlog 1.09b and earlier allows remote attackers to read certain files via the month parameter. perlblog-weblog-directory-traversal(24690) http://evuln.com/vulns/81/summary.html 16707 20060227 [eVuln] PerlBlog Multiple Vulnerabilities 508 18924 Unspecified vulnerability in weblog.pl in PerlBlog 1.09b and earlier allows remote attackers to create arbitrary files and possibly execute arbitrary code via unspecified attack vectors related to improper handling of (1) the reply parameter, possibly involving injection of (2) the name parameter and (3) the body parameter. perlblog-weblog-command-execution(24692) http://evuln.com/vulns/81/summary.html 16707 20060227 [eVuln] PerlBlog Multiple Vulnerabilities 508 18924 Cross-site scripting (XSS) vulnerability in page.php in in Siteframe Beaumont, possibly 5.0.2 or 5.0.1a, allows remote attackers to inject arbitrary web script or HTML via the comment_text parameter to the user comment page (/edit/Comment). 16695 20060216 Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability siteframe-comment-xss(24836) 23267 443 18892 D-Link DWL-G700AP with firmware 2.00 and 2.01 allows remote attackers to cause a denial of service (CAMEO HTTP service crash) via a request composed of "GET" followed by a space and two newlines, possibly triggering the crash due to missing arguments. ADV-2006-0637 16690 20060216 D-Link DWL-G700AP httpd DoS dlink-admin-interface-dos(24762) 441 18932 Absolute path traversal vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to include and execute arbitrary local files via a direct request with a path parameter with a null character and beginning with (1) '/' (slash) for an absolute pathname or (2) a drive letter (such as "C:"), which bypasses checks for ".." sequences and trailing ".php" extensions. 20060216 PHPKIT >= 1.6.1r2 arbitrary local/remote inclusion (unproperly patched in previous versions) http://retrogod.altervista.org/phpkit_161r2_incl_xpl.html 1015640 Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier, with allow_url_fopen enabled, allows remote attackers to conduct PHP remote file include attacks via a path parameter that specifies a (1) UNC share or (2) ftps URL, which bypasses the check for "http://", "ftp://", and "https://" URLs. 20060216 PHPKIT >= 1.6.1r2 arbitrary local/remote inclusion (unproperly patched in previous versions) http://retrogod.altervista.org/phpkit_161r2_incl_xpl.html 1015640 445 wimpy_trackplays.php in Plaino Wimpy MP3 Player, possibly 5.2 and earlier, allows remote attackers to insert arbitrary strings into trackme.txt via the (1) trackFile, (2) trackArtist, and (3) trackTitle parameters, which can result in providing false information about songs, occupying excessive disk space with very long parameter values, and storing executable code that might be invoked through a different vulnerability. NOTE: since this issue, as described by the original researcher, is entirely dependent on the presence of another vulnerability, it could be argued that Wimpy cannot be responsible for how its data file is processed by applications outside of its control. Since this issue might only be useful as a facilitator manipulation in another vulnerability, perhaps it should not be included in CVE. http://www.xorcrew.net/xpa/XPA-WimpyMP3Player.txt 16696 18900 wimpy-wimpytrackplays-no-auth(24770) Kyocera 3830 (aka FS-3830N) printers have a back door that allows remote attackers to read and alter configuration settings via strings that begin with "!R!SIOP0", as demonstrated using (1) a connection to to TCP port 9100 or (2) the UNIX lp command. ADV-2006-0620 16685 18896 http://evader.wordpress.com/2006/02/16/kyocera-printers/ kyocera-fs3830n-no-auth(24772) 23245 20060215 Kyocera Network Printers Certain unspecified Kyocera printers have a default "admin" account with a blank password, which allows remote attackers to access an administrative menu via a telnet session. ADV-2006-0620 18896 http://evader.wordpress.com/2006/02/16/kyocera-printers/ kyocera-fs3830n-blank-password(24774) 23246 20060215 Kyocera Network Printers Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite. mailsite-ldap-dos(24686) ADV-2006-0598 16675 18888 [Dailydave] 20060214 MailSite (WorldMail) fun PHP remote file inclusion vulnerability in index.php in DreamCost HostAdmin allows remote attackers to include arbitrary files via the $path variable, which is not initialized before use. http://www.xorcrew.net/xpa/XPA-HostAdmin.txt ADV-2006-0618 16682 20081007 Re: HostAdmin 3.* Remote File Include Vulnerabilities 20081007 HostAdmin 3.* Remote File Include Vulnerabilities 18901 hostadmin-path-file-include(24723) 20060605 [MajorSecurity #9]HostAdmin <= 3.1 - Remote File Include Vulnerability 23241 1016273 20060215 HostAdmin - Remote Command Execution Vulnerability Cross-site scripting (XSS) vulnerability in preferences.personal.php in V-webmail 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the newid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0639 18776 vwebmail-preferencespersonal-xss(24749) 16706 23260 frameset.php in V-webmail 1.6.2 allows remote attackers to conduct phishing attacks by referencing arbitrary websites in the rframe parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0639 18776 vwebmail-frameset-spoofing(24753) 16706 23261 help.php in V-webmail 1.6.2 allows remote attackers to obtain the installation path via unspecified invalid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0639 18776 vwebmail-help-path-disclosure(24754) 23262 Absolute path traversal vulnerability in convert.cgi in Quirex 2.0.2 and earlier allows remote attackers to read arbitrary files, and possibly execute arbitrary code, via the (1) quiz_head, (2) quiz_foot, and (3) template variables. quirex-convert-information-disclosure(24672) ADV-2006-0641 16709 20060226 [eVuln] Quirex Arbitrary File Disclosure Vulnerability 18926 http://evuln.com/vulns/78/summary.html Cross-site scripting (XSS) vulnerability in default.php in Clever Copy 3.0 allows remote attackers to inject arbitrary web script or HTML via the Subject field when sending private messages (privatemessages.php). NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0616 16681 23235 18873 clevercopy-subject-xss(24747) Nokia N70 cell phone allows remote attackers to caues a denial of service (reboot or shutdown) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet whose length field is less than the actual length of the packet, possibly triggering a buffer overflow, as demonstrated using the Bluetooth Stack Smasher (BSS). nokia-bluetooth-l2cap-dos(24688) ADV-2006-0538 16666 http://www.secuobs.com/news/15022006-nokia_n70.shtml#english 23061 20060215 [ Secuobs - Advisory ] Another kind of DoS on Nokia cell phones 18724 Multiple directory traversal vulnerabilities in the IMAP service in Macallan Mail Solution before 4.8.05.004 allow remote authenticated users to read e-mails of other users or create, modify, or delete directories via a .. (dot dot) in the argument to the (1) CREATE, (2) SELECT, (3) DELETE, or (4) RENAME commands. 16704 ADV-2006-0644 http://secunia.com/secunia_research/2006-4/advisory/ 18775 http://macallan.club.fr/MMS/index.html macallan-imap-directory-traversal(24761) 23269 1015647 Microsoft Internet Explorer allows remote attackers to spoof a legitimate URL in the status bar and conduct a phishing attack via a web page with an anchor element with a legitimate "href" attribute, a form whose action points to a malicious URL, and an INPUT submit element that is modified to look like a legitimate URL. NOTE: this issue is very similar to CVE-2004-1104, although the manipulations are slightly different. 20060223 Re: Internet Explorer Phishing mouseover issue 20060218 Re: Internet Explorer Phishing mouseover issue 20060216 Internet Explorer Phishing mouseover issue ie-ahref-status-spoofing(17938) 23609 Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in (1) the pnVarCleanFromInput function in pnAPI.php, (2) the pnSecureInput function in pnAntiCracker.php, and (3) the htmltext parameter in an edituser operation to user.php. postnuke-user-nslanguages-xss(24823) 16752 18937 http://news.postnuke.com/index.php?name=News&file=article&sid=2754 ADV-2006-0673 454 http://securityreason.com/securityalert/454 20060219 Multiple vulnerabilities in PostNuke <= 0.761 SQL injection vulnerability in the NS-Languages module for PostNuke 0.761 and earlier, when magic_quotes_gpc is off, allows remote attackers to execute arbitrary SQL commands via the language parameter to admin.php. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. 16752 18937 postnuke-nslanguages-sql-injection(24827) ADV-2006-0673 454 454 http://news.postnuke.com/index.php?name=News&file=article&sid=2754 20060219 Multiple vulnerabilities in PostNuke <= 0.761 Cross-site scripting (XSS) vulnerability in the NS-Languages module for PostNuke 0.761 and earlier, when magic_quotes_gpc is enabled, allows remote attackers to inject arbitrary web script or HTML via the language parameter in a missing or translation operation. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. postnuke-user-nslanguages-xss(24823) ADV-2006-0673 16752 454 454 18937 http://news.postnuke.com/index.php?name=News&file=article&sid=2754 20060219 Multiple vulnerabilities in PostNuke <= 0.761 The signature verification functionality in the YaST Online Update (YOU) script handling relies on a gpg feature that is not intended for signature verification, which prevents YOU from detecting malicious scripts or code that do not pass the signature check when gpg 1.4.x is being used. SUSE-SA:2006:009 16889 SUSE-SA:2006:013 Off-by-one error in TIN 1.8.0 and earlier might allow attackers to execute arbitrary code via unknown vectors that trigger a buffer overflow. ADV-2006-0702 16728 OpenPKG-SA-2006.005 tin-offbyone-bo(24841) SUSE-SR:2006:005 GLSA-200611-18 19130 The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters. http://www.waraxe.us/advisory-45.html 16722 20060218 [waraxe-2006-SA#045] - Bypassing CAPTCHA in phpNuke 6.x-7.9 455 18936 Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to inject arbitrary web script or HTML via (1) the next_page parameter in adodb-pager.inc.php and (2) other unspecified vectors related to PHP_SELF. ADV-2006-2021 ADV-2006-0664 16720 20060218 ADOdb Library Cross Site Scripting 23362 http://www.gulftech.org/?node=research&article_id=00101-02182006 GLSA-200604-07 DSA-1031 DSA-1030 DSA-1029 http://sourceforge.net/project/shownotes.php?release_id=419843&group_id=8956 452 19691 19591 19590 19555 18928 http://phpesp.cvs.sourceforge.net/phpesp/phpESP/admin/include/lib/adodb/adodb-pager.inc.php?r1=1.1&r2=1.2 Stack-based buffer overflow in NJStar Chinese and Japanese Word Processor 4.x and 5.x before 5.10 allows user-assisted attackers to execute arbitrary code via font names in NJStar (.njx) documents. 20060220 Secunia Research: NJStar Word Processor Font Name Buffer Overflow http://secunia.com/secunia_research/2006-5/advisory/ 18702 njstar-font-name-bo(24773) ADV-2006-0670 16737 23354 http://www.njstar.com/njstar/japanese/ http://www.njstar.com/njstar/chinese/ 1015649 461 MUTE 0.4 allows remote attackers to cause a denial of service (messages not forwarded) and obtain sensitive information about a target by filling a client's mWebCache cache with malicious "zombie" nodes. 23336 18980 http://cvs.sourceforge.net/viewcvs.py/mute-net/MUTE/doc/notes/notes.txt?view=markup mute-mwebcache-security-bypass(24931) Multiple SQL injection vulnerabilities in Skate Board 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) usern parameter in (a) sendpass.php, and the (2) usern and (3) passwd parameters and (4) sf_cookie cookie in (b) login.php and (c) logged.php. 23303 23302 23301 http://evuln.com/vulns/84/summary.html skateboard-authentication-bypass(24779) skateboard-sendpass-sql-injection(24778) 16936 20060303 [eVuln] Skate Board Multimple Vulnerabilities 540 18978 Unspecified vulnerability in config.php in Skate Board 0.9 allows remote authenticated administrators to execute arbitrary PHP code by causing certain variables in config.php to be modified, possibly due to XSS or direct static code injection. skateboard-config-file-include(24780) 16936 20060303 [eVuln] Skate Board Multimple Vulnerabilities 23304 18978 http://evuln.com/vulns/84/summary.html 540 Cross-site scripting (XSS) vulnerability in reguser.php in Skate Board 0.9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters involved with the registration form. 23305 http://evuln.com/vulns/84/summary.html skateboard-registration-xss(24781) 16936 20060303 [eVuln] Skate Board Multimple Vulnerabilities 540 18978 The VisNetic AntiVirus Plug-in (DKAVUpSch.exe) for Mail Server 4.6.0.4, 4.6.1.1, and possibly other versions before 4.6.1.2, does not drop privileges before executing other programs, which allows local users to gain privileges. 16583 ADV-2006-0701 16788 20060223 Secunia Research: Visnetic AntiVirus Plug-in for MailServerPrivilege Escalation 1015670 http://secunia.com/secunia_research/2005-65/advisory/ visnetic-av-plugin-privilege-elevation(24928) Heap-based buffer overflow in WinACE 2.60 allows user-assisted attackers to execute arbitrary code via a large header block in an ARJ archive. winace-arj-header-bo(24872) ADV-2006-0709 16786 20060223 Secunia Research: WinACE ARJ Archive Handling Buffer Overflow 23383 1015672 479 http://secunia.com/secunia_research/2005-67/advisory/ 17251 response.c in Lighttpd 1.4.10 and possibly previous versions, when run on Windows, allows remote attackers to read arbitrary source code via requests that contain trailing (1) "." (dot) and (2) space characters, which are ignored by Windows, as demonstrated by PHP files. 20060301 Secunia Research: Lighttpd Script Source Disclosure Vulnerability http://secunia.com/secunia_research/2006-9/advisory/ 18886 lighttpd-source-code-disclosure(24976) ADV-2006-0782 23542 http://trac.lighttpd.net/trac/changeset/1005 16893 1015703 523 NetworkActiv Web Server 3.5.15 allows remote attackers to read script source code via a crafted URL with a "/" (forward slash) after the file extension. 20060301 Secunia Research: NetworkActiv Web Server Script Source DisclosureVulnerability http://secunia.com/secunia_research/2006-10/advisory 18947 networkactiv-script-source-disclosure(24979) ADV-2006-0783 16895 http://www.networkactiv.com/WebServer.html Orion Application Server before 2.0.7, when running on Windows, allows remote attackers to obtain the source code of JSP files via (1) . (dot) and (2) space characters in the extension of a URL. Update to version 2.0.7 or contact the vendor for a patch. ADV-2006-1055 http://secunia.com/secunia_research/2006-11/advisory/ 18950 orion-jsp-source-disclosure(25405) 17204 20060323 Secunia Research: Orion Application Server JSP Source DisclosureVulnerability 24053 1015823 20060323 Secunia Research: Orion Application Server JSP Source Disclosure Vulnerability Absolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (b) VisNetic MailServer before 8.5.0.5 allows remote attackers to include arbitrary files via a full Windows path and drive letter in the (1) language parameter in accounts/inc/include.php and (2) lang_settings parameter in admin/inc/include.php, which is not properly sanitized by the securepath function, a related issue to CVE-2005-4556. 19002 18966 18953 ADV-2006-2825 http://secunia.com/secunia_research/2006-14/advisory/ http://secunia.com/secunia_research/2006-12/advisory/ visnetic-include-file-include(27773) 20060717 Secunia Research: VisNetic Mail Server Two File InclusionVulnerabilities 20060717 Secunia Research: IceWarp Web Mail Two File InclusionVulnerabilities 27328 1016514 1016513 Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (2) VisNetic MailServer before 8.5.0.5 allows remote authenticated users to include arbitrary files via a modified language parameter and a full Windows or UNC pathname in the lang_settings parameter to mail/index.html, which is not properly sanitized by the validatefolder PHP function, possibly due to an incomplete fix for CVE-2005-4558. 19002 http://secunia.com/secunia_research/2006-14/advisory/ http://secunia.com/secunia_research/2006-12/advisory/ 18966 18953 ADV-2006-2825 visnetic-language-file-include(27780) 20060717 Secunia Research: VisNetic Mail Server Two File InclusionVulnerabilities 20060717 Secunia Research: IceWarp Web Mail Two File InclusionVulnerabilities 1016514 1016513 Dwarf HTTP Server 1.3.2 allows remote attackers to obtain the source code of JSP files via (1) dot, (2) space, (3) slash, or (4) NULL characters in the filename extension of an HTTP request. 20060313 Secunia Research: Dwarf HTTP Server Source Disclosure andCross-Site Scripting http://secunia.com/secunia_research/2006-13/advisory 18962 ADV-2006-0937 dwarfhttp-extension-information-disclosure(25178) 17123 23836 1015779 576 Cross-site scripting (XSS) vulnerability in Dwarf HTTP Server 1.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified error messages. 20060313 Secunia Research: Dwarf HTTP Server Source Disclosure andCross-Site Scripting http://secunia.com/secunia_research/2006-13/advisory 18962 ADV-2006-0937 dwarfhttp-url-xss(25179) 17123 23837 1015779 SQL injection vulnerability in index.php in BXCP 0.299 allows remote attackers to execute arbitrary SQL commands via the tid parameter. ADV-2006-0660 18929 bxcp-tid-sql-injection(24783) 1513 Unspecified vulnerability in EmuLinker Kaillera Server before 0.99.17 allows remote attackers to cause a denial of service (probably resource consumption) via a crafted packet that causes a "ghost game" to be left on the server. http://sourceforge.net/project/shownotes.php?release_id=394690&group_id=127754 18938 ADV-2006-0665 emulinker-packet-handling-dos(24784) 16733 Multiple SQL injection vulnerabilities in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to inject arbitrary SQL commands via the (1) userid variable to users.php or (2) sessid variable to lib-sessions.php. 18920 ADV-2006-0661 http://www.gulftech.org/?node=research&article_id=00102-02192006 http://www.geeklog.net/article.php/geeklog-1.4.0sr1 geeklog-users-sessions-sql-injection(24775) 16755 20060219 Geeklog Remote Code Execution 23348 Multiple unspecified vulnerabilities in lib-common.php in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to include arbitrary local files and execute arbitrary code via (1) absolute paths in unspecified parameters and (2) the language cookie, as demonstrated for code execution using error.log. http://www.geeklog.net/article.php/geeklog-1.4.0sr1 18920 ADV-2006-0661 http://www.gulftech.org/?node=research&article_id=00102-02192006 16755 20060219 Geeklog Remote Code Execution 23349 Multiple unspecified vulnerabilities in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allow remote attackers to bypass authentication or gain "unauthorized network access" via unknown attack vectors. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_001.pdf xerox-workcentre-auth-bypass(24804) ADV-2006-0668 16726 23359 1015648 18952 Unspecified vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to cause a denial of service via a crafted Postscript request. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_001.pdf xerox-workcentre-postscript-dos(24805) ADV-2006-0668 16723 1015648 18952 Cross-site scripting vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_001.pdf xerox-workcentre-xss(24806) ADV-2006-0668 16727 18952 Unspecified vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to "reduce effectiveness of security features" via unknown attack vectors. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_001.pdf ADV-2006-0668 1015648 18952 Cross-site scripting vulnerability in E-Blah Platinum 9.7 allows remote attackers to inject arbitrary web script or HTML via the referer (HTTP_REFERER), which is not sanitized when the log file is viewed by the administrator using "Click Log". http://www.eblah.com/forum/m-1140116897/ http://evuln.com/vulns/83/summary.html ADV-2006-0638 16713 eblah-httpreferer-xss(24777) 20060302 [eVuln] E-Blah Platinum 'Referer' XSS Vulnerability 23299 528 18992 The scripting engine in Internet Explorer allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary code via a web page that contains a recurrent call to an infinite loop in Javascript or VBscript, which consumes the stack, as demonstrated by resetting the "location" variable within the loop. 20060216 Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines. 20060218 Re: Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines. ie-script-engine-stack-dos(24788) 16687 PHP remote file include vulnerability in index.php in Tasarim Rehberi allows remote attackers to execute arbitrary PHP code via a URL in the (1) sayfaadi or (2) sayfa parameter. NOTE: this might be a site-specific issue. If so, it should not be included in CVE. 20060218 Tasarim Rehberi Index.PHP Remote Command Exucetion Multiple SQL injection vulnerabilities in admin.asp in WPC.easy allow remote attackers to execute arbitrary SQL commands via the (1) uid and (2) pwd parameter. ADV-2006-0662 20060218 SLQ Injection vulnerability in WPCeasy 18945 16721 456 Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Directory 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) Add URL and (2) Suggest Category module. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information. ADV-2006-0674 18965 barracuda-multiple-xss(24807) 16746 23372 Uniden UIP1868P VoIP Telephone and Router has a default password of admin for the web-based configuration utility, which allows remote attackers to obtain sensitive information on the device such as telephone numbers called, and possibly connect to other hosts. NOTE: it is possible that this password was configured by a reseller, not the original vendor; if so, then this is not a vulnerability in the product. 20060216 Uniden UIP1868P (VoIP phone/gateway) default easy-to-guess password vulnerability uniden-uip1868p-default-account(24786) SQL injection vulnerability in dropbase.php in MitriDAT Web Calendar Pro allows remote attackers to modify internal SQL queries and cause a denial of service (inaccessible database) via the tabls parameter. webcalendarpro-dropbase-sql-injection(24729) ADV-2006-0700 20060215 Web Calendar Pro - Denial of Service SQL Injection Vulnerability http://www.xorcrew.net/xpa/XPA-WebCalendarPro.txt 16789 18902 Mozilla Thunderbird 1.5 allows user-assisted attackers to cause an unspecified denial of service by tricking the user into importing an LDIF file with a long field into the address book, as demonstrated by a long homePhone field. 16716 20060221 Mozila Thunderbird 1.5 Address Book DoS 20060217 Mozila Thunderbird 1.5 Address Book DoS thunderbird-address-book-dos(24810) 469 IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 has world-readable permissions for (1) /etc/neusecure.conf, (2) /opt/NeuSecure/etc/cms-3.0.236.buildconf, and (3) /opt/NeuSecure/bin/ns_archiver.log, which allows local users to read sensitive information such as passwords. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues. 16700 20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform 23270 1015642 18922 20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform netcool-neosecure-config-weak-permission(24785) 16693 23914 23271 IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 stores cleartext passwords in the (1) CMS_DBPASS, (2) CMSM_DBPASS, and (3) RPT_DBPASS fields in /etc/neusecure.conf, and in (4) /opt/NeuSecure/bin/ns_archiver.log, which allows local users to gain privileges. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues. 16698 20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform 23271 23270 1015642 18922 20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform netcool-neosecure-plaintext-password(24787) netcool-neosecure-config-weak-permission(24785) 16693 The frag3 preprocessor in Sourcefire Snort 2.4.3 does not properly reassemble certain fragmented packets with IP options, which allows remote attackers to evade detection of certain attacks, possibly related to IP option lengths. 16705 20060217 SNORT Incorrect fragmented packet reassembly 18959 snort-frag3-detection-bypass(24811) manage_user_page.php in Mantis 1.00rc4 and earlier does not properly handle a sort parameter containing a ' (quote) character, which allows remote attackers to trigger a SQL error that may be repeatedly reported to a user who makes subsequent web accesses with the MANTIS_MANAGE_COOKIE cookie. NOTE: this issue might be the same as vector 2 in CVE-2005-4519. 20060215 [BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4 http://sourceforge.net/project/shownotes.php?release_id=386059&group_id=14963 http://sourceforge.net/project/showfiles.php?group_id=14963&package_id=12175&release_id=386059 http://morph3us.org/advisories/20060214-mantis-100rc4.txt mantis-manageuserpagesql-injection(24726) 16657 Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) hide_status, (2) handler_id, (3) user_monitor, (4) reporter_id, (5) view_type, (6) show_severity, (7) show_category, (8) show_status, (9) show_resolution, (10) show_build, (11) show_profile, (12) show_priority, (13) highlight_changed, (14) relationship_type, and (15) relationship_bug parameters in (a) view_all_set.php; the (16) sort parameter in (b) manage_user_page.php; the (17) view_type parameter in (c) view_filters_page.php; and the (18) title parameter in (d) proj_doc_delete.php. NOTE: item 17 might be subsumed by CVE-2005-4522. 20060215 [BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4 http://sourceforge.net/project/shownotes.php?release_id=386059&group_id=14963 http://morph3us.org/advisories/20060214-mantis-100rc4.txt 23248 http://sourceforge.net/project/showfiles.php?group_id=14963&package_id=12175&release_id=386059 16657 22487 DSA-1133 21400 Cross-site scripting (XSS) vulnerability in Calacode @Mail 4.3 allows remote attackers to inject arbitrary web script or HTML via a modified javascript: string in the SRC attribute of an IMG element in an e-mail message, as demonstrated by "java&#09;script:." NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Successful exploitation of this issue requires a victim user has @Mail configured to display images in email messages. @mail-html-image-xss(24742) ADV-2006-0617 16683 23236 18874 Leif M. Wright's Blog 3.5 stores the config file and other txt files under the web root with insufficient access control, which allows remote attackers to read the administrator's password. 16712 http://www.evuln.com/vulns/82/summary.html 18923 webblog-txt-obtain-information(24752) 522 Leif M. Wright's Blog 3.5 does not make a password comparison when authenticating an administrator via a cookie, which allows remote attackers to bypass login authentication, probably by setting the blogAdmin cookie. 16714 http://www.evuln.com/vulns/82/summary.html 18923 webblog-cookie-auth-bypass(24755) 522 Leif M. Wright's Blog 3.5 allows remote authenticated users with administrative privileges to execute arbitrary programs, including shell commands, by configuring the sendmail path to a malicious pathname. http://www.evuln.com/vulns/82/summary.html 18923 webblog-sendmail-command-execution(24757) 522 Multiple cross-site scripting (XSS) vulnerabilities in Leif M. Wright's Blog 3.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Referer and (2) User-Agent HTTP headers, which are stored in a log file and not sanitized when the administrator views the "Log" page, possibly using the ViewCommentsLog function. 16715 http://www.evuln.com/vulns/82/summary.html 18923 webblog-headers-xss(24758) 522 Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via ".." sequences in unspecified vectors. cherrypy-staticfilter-directory-traversal(24809) 16760 http://groups.google.com/group/cherrypy-announce/browse_thread/thread/92b2972f774fe6df/2f63afc9433dc306#2f63afc9433dc306 ADV-2006-0677 http://sourceforge.net/project/shownotes.php?release_id=384316&group_id=56099 GLSA-200605-16 http://www.cherrypy.org/ 20344 18944 The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension. TA06-062A TA06-053A VU#999708 macosx-zip-command-execution(24808) ADV-2006-0671 16736 23510 http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html http://www.heise.de/english/newsticker/news/69862 http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php 1015652 18963 http://docs.info.apple.com/article.html?artnum=303382 SQL injection vulnerability in include/includes/user/login.php in ilchClan before 1.05g allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0676 http://www.ilch.de/news-134.html 18951 ilchclan-login-sql-injection(24830) 23370 SQL injection vulnerability in the forum module of ilchClan 1.05g and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter, when creating a newpost. ADV-2006-0672 18951 ilchclan-index-sql-injection(24829) 16735 23369 1516 Direct static code injection vulnerability in write.php in Admbook 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via the X-Forwarded-For HTTP header field, which is inserted into content-data.php. admbook-index-command-execution(24771) ADV-2006-0663 18930 16753 1512 Buffer overflow in the IMAP service of TrueNorth Internet Anywhere (IA) eMailserver 5.3.4 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long SEARCH argument. ia-emailserver-imap-bo(24812) ADV-2006-0686 16744 20060220 [AJECT] TrueNorth IA eMailserver 5.3.4 buffer overflow vulnerability 23377 1015664 18986 PHP remote file inclusion vulnerability in common.php in Intensive Point iUser Ecommerce allows remote attackers to include arbitrary files via a URL in the include_path variable, which is not initialized before being used. iuser-ecommerce-file-include(24724) http://www.xorcrew.net/xpa/XPA-iUser.txt ADV-2006-0699 16787 23429 18903 20060215 iUser Ecommerce - Remote Command Execution Vulnerability Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10 and earlier, as used in products such as Barracuda Spam Firewall, allows user-assisted attackers to execute arbitrary code via a crafted ZOO file that causes the combine function to return a longer string than expected. GLSA-200603-05 DSA-991 1015866 19514 19166 zoo-misc-bo(24904) ADV-2006-1220 ADV-2006-0705 16790 20060223 zoo contains exploitable buffer overflows SUSE-SR:2006:006 SUSE-SR:2006:005 http://www.guay-leroux.com/projects/zoo-advisory.txt http://www.guay-leroux.com/projects/barracuda-advisory-ZOO.txt 1015668 546 19408 19148 19130 19002 20060403 Barracuda ZOO archiver security bug leads to remote compromise SQL injection vulnerability in login.php in Scriptme SmE GB Host 1.21 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the Username parameter. ADV-2006-0543 16609 20060216 [eVuln] SmE GB Host Authentication Bypass Vulnerability http://www.evuln.com/vulns/66/summary.html smegbhost-login-sql-injection(24544) 18823 Cross-site scripting (XSS) vulnerability in Chatbox Plugin 1.0 in e107 0.7.2 allows remote attackers to inject arbitrary HTML or web script via a Chatbox, as demonstrated using a SCRIPT element. 20060218 e107 CMS 0.7.2 Chatbox plugin XSS vulnerability e107-chatbox-xss(24815) 16719 Unquoted Windows search path vulnerability in (1) snsmcon.exe, (2) the autostartup mechanism, and (3) an unspecified installation component in StarForce Safe'n'Sec Personal + Anti-Spyware 2.0 and earlier, and possibly other StarForce Safe'n'Sec products, might allow local users to gain privileges via a malicious "program" file in the C: folder. 16762 20060219 [TZO-062006] Safe'nVulnerable http://secdev.zoller.lu/research/safnsec.htm Michael Salzer Guestbox 0.6, and other versions before 0.8, allows remote attackers to post an admin comment to a guestbook entry via a certain modified form, possibly related to the nummer parameter. 18946 guestbox-admin-access(24797) ADV-2006-0675 20060302 Re: Guestbox XSS/an admin bypass 20060220 Guestbox XSS/an admin bypass 23374 Multiple cross-site scripting (XSS) vulnerabilities in Michael Salzer Guestbox 0.6, and other versions before 0.8, allow remote attackers to inject arbitrary web script or HTML via (1) HTML tags that follow a "http://" string, which bypasses a regular expression check, and (2) other unspecified attack vectors. 16751 18946 guestbox-gbshow-xss(24798) ADV-2006-0675 20060302 Re: Guestbox XSS/an admin bypass 20060220 Guestbox XSS/an admin bypass 23375 Michael Salzer Guestbox 0.6, and other versoins before 0.8, allows remote attackers to obtain the source IP addresses of guestbook entries via a direct request to /gb/gblog. 23376 18946 guestbox-gblog-obtain-information(24799) ADV-2006-0675 20060302 Re: Guestbox XSS/an admin bypass 20060220 Guestbox XSS/an admin bypass 460 Unspecified vulnerability in InfoVista PortalSE 2.0 Build 20087 on Solaris 8 without the IV00038969 hotfix allows remote attackers to read arbitrary files via a crafted URL. ADV-2006-0695 16776 20060222 IRM 017: Multiple Vulnerabilities in Infovista Portal SE http://www.irmplc.com/advisory017.htm vistaportal-parameter-directory-traversal(24893) 1015669 18994 InfoVista PortalSE 2.0 Build 20087 on Solaris 8 allows remote attackers to obtain sensitive information by specifying a nonexistent server in the server field, which reveals the path in an error message. ADV-2006-0695 16776 20060222 IRM 017: Multiple Vulnerabilities in Infovista Portal SE http://www.irmplc.com/advisory017.htm vistaportal-server-path-disclosure(24894) 1015669 473 18994 filescan in Global Hauri ViRobot 2.0 20050817 does not verify the Cookie HTTP header, which allows remote attackers to gain administrative privileges via an arbitrary cookie value. http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2006-0x82-028-VIROBOT.txt ADV-2006-0691 16768 20060222 [INetCop Security Advisory] Global Hauri Virobot cookie exploit 18974 virobot-filescan-auth-bypass(24850) 1015658 PunBB 1.2.10 and earlier allows remote attackers to cause a denial of service (resource consumption) by registering many user accounts quickly. 20060219 PunBB 1.2.10 Multiple DoS Vulnerabilities http://www.neosecurityteam.net/advisories/Advisory-15.txt punbb-register-ip-dos(24837) PunBB 1.2.10 and earlier allows remote attackers to conduct brute force guessing attacks for an account's password, which may be as short as 4 characters. 20060219 PunBB 1.2.10 Multiple DoS Vulnerabilities http://www.neosecurityteam.net/advisories/Advisory-15.txt punbb-login-bruteforce(24838) Buffer overflow in certain versions of South River (aka SRT) WebDrive, possibly version 6.08 build 1131 and version 8, allows remote attackers to cause a denial of service (application crash and persistent erratic behavior) via a long string in the name entry field. 20060222 South River WebDrive Buffer Overflow Vulnerability webdrive-name-bo(24903) Multiple unspecified injection vulnerabilities in unspecified Auth Container back ends for PEAR::Auth before 1.2.4, and 1.3.x before 1.3.0r4, allow remote attackers to "falsify authentication credentials," related to the "underlying storage containers." 16758 http://pear.php.net/package/Auth/download/1.3.0r4 http://pear.php.net/package/Auth/download/1.2.4 ADV-2006-0696 20060222 Multiple Injection Vulnerabilities in PHP PEAR::Auth Module auth-multiple-injections(24854) GLSA-200603-13 1015666 19301 19008 Directory traversal vulnerability in the "remember me" feature in liveuser.php in PHP Extension and Application Repository (PEAR) LiveUser 0.16.8 and earlier allows remote attackers to determine file existence, and possibly delete arbitrary files with short pathnames or possibly read arbitrary files, via a .. (dot dot) in the store_id value of a cookie. 1015659 http://pear.php.net/package/LiveUser/download/ liveuser-liveuser-file-deletion(24853) liveuser-liveuser-file-access(24852) ADV-2006-0697 16761 20060221 PEAR LiveUser File Access Vulnerabilities http://www.gulftech.org/?node=research&article_id=00103-02212006 466 SQL injection vulnerability in pages.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: version 2.3 was later reported to be vulnerable as well. mininuke-pages-sql-injection(24803) 17636 16730 20060420 Mini-NUKE v2.3<<--- SQL Injection 20060321 Mini-Nuke<=1.8.2 SQL injection (6) 20060220 MiniNuke CMS System all versions (pages.asp) SQL Injection 23438 http://www.nukedx.com/?viewdoc=9 18439 20060421 Re: Mini-NUKE v2.3<<--- SQL Injection Directory traversal vulnerability in the _setTemplate function in Mambo 4.5.3, 4.5.3h, and possibly earlier versions allows remote attackers to read and include arbitrary files via the mos_change_template parameter. NOTE: CVE-2006-1794 has been assigned to the SQL injection vector. http://source.mambo-foundation.org/view/news/Announcements/Security_Patch_Released/ 18935 ADV-2006-0719 23505 http://www.gulftech.org/?node=research&article_id=00104-02242006 493 20060224 Mambo Multiple Vulnerabilities Directory traversal vulnerability in init.inc.php in Coppermine Photo Gallery 1.4.3 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the lang parameter. http://coppermine-gallery.net/forum/index.php?topic=28062.0 ADV-2006-0669 1015646 18941 http://retrogod.altervista.org/cpg_143_incl_xpl.html http://retrogod.altervista.org/cpg_143_adv.html coppermine-init-file-include(24814) 16718 20060218 Coppermine Photo Gallery <=1.4.3 remote code execution Absolute path traversal vulnerability in docs/showdocs.php in Coppermine Photo Gallery 1.4.3 and earlier allows remote attackers to include arbitrary files via the f parameter, and possibly remote files using UNC share pathnames. http://coppermine-gallery.net/forum/index.php?topic=28062.0 ADV-2006-0669 1015646 18941 http://retrogod.altervista.org/cpg_143_adv.html coppermine-showdoc-file-include(24816) 16718 20060218 Coppermine Photo Gallery <=1.4.3 remote code execution Multiple unspecified vulnerabilities in Intensive Point iUser Ecommerce before 2.2 have unspecified vectors and impact, as addressed by "Urgent secure fixes". NOTE: this might be a duplicate of CVE-2006-0854, but the vendor announcement for this issue (from January 8, 2005) is too vague to be sure, and CVE-2006-0854 does not provide version information. 16787 19003 iuser-ecommerce-undisclosed(24906) http://www.intensivepoint.com/iuser-document.shtml Cross-site scripting vulnerability in ratefile.php in RunCMS 1.3a5 allows remote attackers to inject arbitrary web script or HTML via the lid parameter. ADV-2006-0694 16769 20060222 [KAPDA::#27] - Runcms 1.x Cross_Site_Scripting vulnerability 1015663 18997 http://kapda.ir/advisory-267.html runcms-ratefile-xss(24871) 23388 POPFile before 0.22.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors involving character sets within e-mail messages. 18975 ADV-2006-0698 http://popfile.sourceforge.net/cgi-bin/wiki.pl?ReleaseNotes/0.22.4 16792 DSA-1061 20205 Cross-site scripting vulnerability in Easy Forum 2.5 allows remote attackers to inject arbitrary web script or HTML via the image variable. easyforum-join-xss(24831) ADV-2006-0706 18996 http://evuln.com/vulns/85/summary.html 16958 20060304 [eVuln] Easy Forum XSS Vulnerability 23430 http://hot-things.net/forum/show.php?f=2&topic=20060224080919 Noah's Classifieds 1.3 allows remote attackers to obtain the installation path via a direct request to include files, as demonstrated by classifieds/gorum/category.php. ADV-2006-0703 20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities http://www.kapda.ir/advisory-268.html noahs-category-path-disclosure(24898) 1015667 SQL injection vulnerability in the search tool in Noah's Classifieds 1.3 allows remote attackers to execute arbitrary SQL commands via unspecified attack vectors. ADV-2006-0703 16773 20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities http://www.kapda.ir/advisory-268.html noahs-search-sql-injection(24896) 1015667 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Noah's Classifieds 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) inf parameter; or, when register_globals is enabled, the (2) upperTemplate and (3) lowerTemplate parameters. ADV-2006-0703 16772 20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities http://www.kapda.ir/advisory-268.html noahs-indexphp-xss(24895) 1015667 Multiple PHP remote file include vulnerabilities in gorum/gorumlib.php in Noah's Classifieds 1.3, when register_globals is enabled, allow remote attackers to include arbitrary PHP files via the (1) upperTemplate and (2) lowerTemplate parameters, as demonstrated using the lowerTemplate parameter to index.php. ADV-2006-0703 16780 20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities http://www.kapda.ir/advisory-268.html noahs-gorumlib-file-include(24899) 1015667 Directory traversal vulnerability in include.php in Noah's Classifieds 1.3 allows remote attackers to include arbitrary local files via the otherTemplate parameter to index.php. ADV-2006-0703 16778 20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities http://www.kapda.ir/advisory-268.html noahs-include-directory-traversal(24900) 1015667 OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting. 16892 1015706 openssh-openpam-dos(25116) ADV-2006-0805 23797 520 http://bugzilla.mindrot.org/show_bug.cgi?id=839 FreeBSD-SA-06:09 The WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail. 16770 DSA-1051 DSA-1046 mozilla-inline-fwd-code-execution(25983) ADV-2006-3749 USN-276-1 HPSBUX02156 HPSBUX02156 SSRT061158 SSRT061158 FLSA:189137-1 20060222 Mozilla Thunderbird : Remote Code Execution & Denial of Service RHSA-2006:0330 RHSA-2006:0329 23653 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-21.html MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:052 GLSA-200605-09 GLSA-200604-18 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 1015665 22065 21622 21033 20051 19950 19941 19902 19863 19823 19821 19811 19721 oval:org.mitre.oval:def:10782 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:2024 Cross-site scripting (XSS) vulnerability in show_news.php in CuteNews 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the show parameter. ADV-2006-0685 23400 18981 http://myimei.com/security/2006-02-20/cutenews141addcommentforprotectedusernamesxss-attack.html cutenews-shownews-xss(24835) 16740 20060221 [myimei]CuteNews1.4.1~ Add Comment For Protected UserNames~ XSS Attack Cross-site scripting (XSS) vulnerability in register.php in DEV web management system 1.5 allows remote attackers to inject arbitrary web script or HTML via the "City/Region" field (mesto variable). NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0723 18714 dev-cityregion-xss(24875) 16812 23468 Eval injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a, when index.php3 from the PHPLib distribution is available on the server, allows remote attackers to execute arbitrary PHP code by including a base64-encoded representation of the code in a cookie. NOTE: this description was significantly updated on 20060605 to reflect new details after an initial vague advisory. http://sourceforge.net/project/shownotes.php?group_id=31885&release_id=396091 16902 phplib-code-execution(24873) ADV-2006-0720 16801 23466 http://www.gulftech.org/?node=research&article_id=00107-03052006 1016123 index.php in Invision Power Board (IPB) 2.0.1, with Code Confirmation disabled, allows remote attackers to cause an unspecified denial of service by registering a large number of users. 16616 1489 Cross-site scripting (XSS) vulnerability in Calcium 3.10.1 allows remote attackers to inject arbitrary web script or HTML via the EventText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0724 19007 calcium-eventtext-xss(24907) 16851 23471 Directory traversal vulnerability in SpeedProject Squeez 5.1, as used in (1) ZipStar 5.1 and (2) SpeedCommander 11.01.4450, allows remote attackers to overwrite arbitrary files via unspecified manipulations in a (1) JAR or (2) ZIP archive. ADV-2006-0731 20060224 SpeedCommander 11.0 & ZipStar 5.1 & Squeez 5.1 Directory traversal speedproject-zip-jar-directory-traversal(24909) 16807 23465 19006 Multiple directory traversal vulnerabilities in NOCC Webmail 1.0 allow remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing NULL (%00) byte in (1) the _SESSION['nocc_theme'] parameter in (a) html/footer.php; and (2) the lang and (3) theme parameters and the (4) Accept-Language HTTP header field, when force_default_lang is disabled, in (b) index.php, as demonstrated by injecting PHP code into a profile and accessing it using the lang parameter in index.php. 16921 20060223 NOCC Webmail <= 1.0 multiple vulnerabilities nocc-index-file-include(24934) 16793 23419 23418 23417 23416 1015671 http://retrogod.altervista.org/noccw_10_incl_xpl.html NOCC Webmail 1.0 stores e-mail attachments in temporary files with predictable filenames, which makes it easier for remote attackers to execute arbitrary code by accessing the e-mail attachment via directory traversal vulnerabilities. 16921 20060223 NOCC Webmail <= 1.0 multiple vulnerabilities 16793 23420 1015671 http://retrogod.altervista.org/noccw_10_incl_xpl.html NOCC Webmail 1.0 allows remote attackers to obtain sensitive information via a direct request to (1) the profiles directory, which leaks e-mail addresses contained in filenames of profiles, and (2) the tmp directory, which lists names of uploaded attachments. 16921 20060223 NOCC Webmail <= 1.0 multiple vulnerabilities 16793 23422 23420 1015671 http://retrogod.altervista.org/noccw_10_incl_xpl.html Multiple cross-site scripting (XSS) vulnerabilities in NOCC Webmail 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the html_error_occurred parameter in error.php, (2) html_filter_select parameter in filter_prefs.php, (3) html_no_mail parameter in no_mail.php, the (4) page_line, (5) prev, and (6) next parameters in html_bottom_table.php, and the (7) _SESSION['nocc_theme'] parameter in footer.php. 16921 20060223 NOCC Webmail <= 1.0 multiple vulnerabilities 16793 23427 23426 23425 23424 23423 1015671 http://retrogod.altervista.org/noccw_10_incl_xpl.html NOCC Webmail 1.0 allows remote attackers to obtain the installation path via a direct request to html/header.php. 16921 20060223 NOCC Webmail <= 1.0 multiple vulnerabilities 16793 1015671 478 http://retrogod.altervista.org/noccw_10_incl_xpl.html Cross-site scripting (XSS) vulnerability in Sources/Register.php in Simple Machine Forum (SMF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For HTTP header field. smf-register-xss(24915) ADV-2006-0726 http://www.simplemachines.org/community/index.php?topic=78841.0 16841 20060306 [eVuln] Simple Machines Forum - SMF 'X-Forwarded-For' XSS Vulnerability 23480 545 19004 http://evuln.com/vulns/86/summary.html 20060410 VEndor ACK: Simple Machines Forum Register.php X-Forwarded-For XSS ** DISPUTED ** SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this issue, saying that "[we] have a behind the scenes complex state management system that uses a combination of keys placed in JavaScript and Session State (server side) that protects against the type of SQL injection you describe. We have tested for many of the cases and have not found it to be an issue." Further investigation suggests that the original researcher might have triggered errors using invalid field values, which is not proof of SQL injection; however, the vendor did not receive a response from the original researcher. vpmi-servicerequests-sql-injection(24885) ADV-2006-0725 16798 23479 20060310 Re: vendor dispute: VCS 20060310 vendor dispute: VCS 18842 Crypt::CBC Perl module 2.16 and earlier, when running in RandomIV mode, uses an initialization vector (IV) of 8 bytes, which results in weaker encryption when used with a cipher that requires a larger block size than 8 bytes, such as Rijndael. 16802 20060223 Vulnerability in Crypt::CBC Perl module, versions <= 2.16 31493 RHSA-2008:0630 crypt-cbc-header-weak-encryption(24954) RHSA-2008:0261 SUSE-SR:2006:015 GLSA-200603-15 DSA-996 488 20899 19303 19187 18755 Directory traversal vulnerability in index.php in 4Images 1.7.1 and earlier allows remote attackers to read and include arbitrary files via ".." (dot dot) sequences in the template parameter. 4images-template-file-include(24938) ADV-2006-0754 16855 20060301 4images <=1.7.1 remote code execution 23529 19026 http://retrogod.altervista.org/4images_171_adv.html 1533 518 nfsd in FreeBSD 6.0 kernel allows remote attackers to cause a denial of service via a crafted NFS mount request, as demonstrated by the ProtoVer NFS test suite. 19017 [Dailydave] 20060226 fun with FreeBSD kernel freebsd-nfsd-kernel-dos(24918) 16838 23511 521 FreeBSD-SA-06:10 Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code. 16826 102161 19042 ADV-2006-0756 solaris-hsfs-privilege-elevation(24911) 1015680 oval:org.mitre.oval:def:1628 MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. ADV-2006-0752 16850 RHSA-2008:0364 1015693 30351 19034 http://rst.void.ru/papers/advisory39.txt oval:org.mitre.oval:def:9915 mysql-query-log-bypass-security(24966) USN-274-1 USN-274-2 RHSA-2007:0083 RHSA-2006:0544 MDKSA-2006:064 DSA-1079 DSA-1073 DSA-1071 20625 20333 20253 20241 19814 19502 http://bugs.mysql.com/bug.php?id=17667 20060225 mysql <= 5.0.18 A "programming error" in fast_ipsec in FreeBSD 4.8-RELEASE through 6.1-STABLE and NetBSD 2 through 3 does not properly update the sequence number associated with a Security Association, which allows packets to pass sequence number checks and allows remote attackers to capture IPSec packets and conduct replay attacks. 17191 19366 FreeBSD-SA-06:11 bsd-ipsec-replay(25398) 24068 1015809 NetBSD-SA2006-011 SQL injection vulnerability in D3Jeeb Pro 3 allows remote attackers to execute arbitrary SQL commands via the catid parameter in (1) fastlinks.php and (2) catogary.php. ADV-2006-0757 20060226 2 SQL Injection in d3jeeb d3jeeb-catid-sql-injection(24941) 16853 1015687 19062 SQL injection vulnerability in PHP-Nuke before 7.8 Patched 3.2 allows remote attackers to execute arbitrary SQL commands via encoded /%2a (/*) sequences in the query string, which bypasses regular expressions that are intended to protect against SQL injection, as demonstrated via the kala parameter. http://www.waraxe.us/advisory-47.html 20060225 [waraxe-2006-SA#047] - Evading sql-injection filters in phpNuke 7.8 PHP-Nuke 7.8 Patched 3.2 allows remote attackers to bypass SQL injection protection mechanisms via /%2a (/*) sequences with the "ad_click" word in the query string, as demonstrated via the kala parameter. http://www.waraxe.us/advisory-47.html 20060225 [waraxe-2006-SA#047] - Evading sql-injection filters in phpNuke 7.8 497 Invision Power Board (IPB) 2.1.4 and earlier allows remote attackers to view sensitive information via a direct request to multiple PHP scripts that include the full path in error messages, including (1) PEAR/Text/Diff/Renderer/inline.php, (2) PEAR/Text/Diff/Renderer/unified.php, (3) PEAR/Text/Diff3.php, (4) class_db.php, (5) class_db_mysql.php, and (6) class_xml.php in the ips_kernel/ directory; (7) mysql_admin_queries.php, (8) mysql_extra_queries.php, (9) mysql_queries.php, and (10) mysql_subsm_queries.php in the sources/sql directory; (11) sources/acp_loaders/acp_pages_components.php; (12) sources/action_admin/member.php and (13) sources/action_admin/paysubscriptions.php; (14) login.php, (15) messenger.php, (16) moderate.php, (17) paysubscriptions.php, (18) register.php, (19) search.php, (20) topics.php, (21) and usercp.php in the sources/action_public directory; (22) bbcode/class_bbcode.php, (23) bbcode/class_bbcode_legacy.php, (24) editor/class_editor_rte.php, (25) editor/class_editor_std.php, (26) post/class_post.php, (27) post/class_post_edit.php, (28) post/class_post_new.php, (29) and post/class_post_reply.php in the sources/classes directory; (30) sources/components_acp/registration_DEPR.php; (31) sources/handlers/han_paysubscriptions.php; (32) func_usercp.php; (33) search_mysql_ftext.php, and (34) search_mysql_man.php in the sources/lib/ directory; and (35) convert/auth.php.bak, (36) external/auth.php, and (37) ldap/auth.php in the sources/loginauth directory. invisionpowerboard-multiple-info-disclosure(24840) 20060221 Invision Power Board 2.1.4 Multiple Vulnerabilities http://neosecurityteam.net/index.php?action=advisories&id=16 http://neosecurityteam.net/advisories/Advisory-16.txt 20070419 IPB (Invision Power Board) Full Path Disclusure Invision Power Board (IPB) 2.1.4 and earlier allows remote attackers to list directory contents via a direct request to multiple directories, including (1) sources/loginauth/convert/, (2) sources/portal_plugins/, (3) cache/skin_cache/cacheid_2/, (4) ips_kernel/PEAR/, (5) ips_kernel/PEAR/Text/, (6) ips_kernel/PEAR/Text/Diff/, (7) ips_kernel/PEAR/Text/Diff/Renderer/, (8) style_images/1/folder_rte_files/, (9) style_images/1/folder_js_skin/, (10) style_images/1/folder_rte_images/, and (11) upgrade/ and its subdirectories. invisionpowerboard-multiple-info-disclosure(24840) 20060221 Invision Power Board 2.1.4 Multiple Vulnerabilities http://neosecurityteam.net/index.php?action=advisories&id=16 http://neosecurityteam.net/advisories/Advisory-16.txt NmService.exe in Ipswitch WhatsUp Professional 2006 allows remote attackers to cause a denial of service (CPU consumption) via crafted requests to Login.asp, possibly involving the (1) "In]" and (2) "b;tnLogIn" parameters, or (3) malformed btnLogIn parameters, possibly involving missing "[" (open bracket) or "[" (closing bracket) characters, as demonstrated by "&btnLogIn=[Log&In]=&" or "&b;tnLogIn=[Log&In]=&" in the URL. NOTE: due to the lack of diagnosis by the original researcher, the precise nature of the vulnerability is unclear. http://zur.homelinux.com/Advisories/ipswitch_dos.txt whatsup-nmservice-dos(24864) ADV-2006-0704 16771 20060222 IpSwitch WhatsUp Professional 2006 DoS 23494 472 Oreka before 0.5 allows remote attackers to cause a denial of service (application crash) via a "certain RTP sequence." ADV-2006-0812 23300 http://oreka.sourceforge.net/ 16937 19095 SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through 2.18.4 and 2.20 allows remote authenticated users with administrative privileges to execute arbitrary SQL commands via the whinedays parameter, as accessible from editparams.cgi. https://bugzilla.mozilla.org/show_bug.cgi?id=312498 bugzilla-editparams-sql-injection(24819) ADV-2006-0692 16738 20060221 [BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4 18979 23378 Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 does not properly handle certain characters in the mostfreqthreshold parameter in duplicates.cgi, which allows remote attackers to trigger a SQL error. https://bugzilla.mozilla.org/show_bug.cgi?id=312498 bugzilla-duplicates-sql-injection(42802) ADV-2006-0692 20060221 [BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4 Bugzilla 2.16.10 does not properly handle certain characters in the (1) maxpatchsize and (2) maxattachmentsize parameters in attachment.cgi, which allows remote attackers to trigger a SQL error. https://bugzilla.mozilla.org/show_bug.cgi?id=313441 ADV-2006-0692 Bugzilla 2.19.3 through 2.20 does not properly handle "//" sequences in URLs when redirecting a user from the login form, which could cause it to generate a partial URL in a form action that causes the user's browser to send the form data to another domain. https://bugzilla.mozilla.org/show_bug.cgi?id=325079 bugzilla-login-data-redirection(24821) ADV-2006-0692 16745 20060221 [BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4 18979 464 Melange Chat Server (aka M-Chat), when accessed via a web browser, automatically sends cookies and other sensitive information for a server to any port specified in the associated link, which allows local users on that server to read the cookies from HTTP headers and possibly gain sensitive information, such as credentials, by setting up a listening port and reading the credentials when the victim clicks on the link. melange-chat-command-information-disclosure(24868) 16747 20060221 grab cookie information with Melange Chat Server 1.10 http://www.oh2600.com/forum/viewtopic.php?t=43 18984 463 Buffer overflow in RITLabs The Bat! 3.60.07 allows remote attackers to execute arbitrary code via a long Subject field. 18989 ADV-2006-0717 16797 20060223 NSA Group Security Advisory NSAG-&sup1;198-23.02.2006 Vulnerability The Bat v. 3.60.07 http://www.nsag.ru/vuln/953.html thebat-subject-bo(24882) 485 SQL injection vulnerability in index.php (aka the login page) in Oi! Email Marketing System 3.0 (aka Oi! 3) allows remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields. ADV-2006-0718 20060223 HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection http://www.h4cky0u.org/advisories/HYSA-2006-003-oi-email.txt 23462 18993 Oi! Email Marketing System 3.0 (aka Oi! 3) stores the server's FTP password in cleartext on a Configuration web page, which allows local users with superadministrator privileges, or attackers who have obtained access to the web page, to view the password. 20060223 HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection http://www.h4cky0u.org/advisories/HYSA-2006-003-oi-email.txt 16794 483 Multiple directory traversal vulnerabilities in connector.php in FCKeditor 2.0 FC, as used in products such as RunCMS, allow remote attackers to list and create arbitrary directories via a .. (dot dot) in the CurrentFolder parameter to (1) GetFoldersAndFiles and (2) CreateFolder. 20060223 NSA Group Security Advisory NSAG-&sup1;195-23.02.2006 Vulnerability FCKeditor 2.0 FC http://www.nsag.ru/vuln/952.html fckeditor-connector-obtain-information(24878) 20060519 Re: NSA Group Security Advisory NSAG-&sup1;195-23.02.2006 Vulnerability FCKeditor 2.0 FC 484 CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php include, which results in an absolute path traversal vulnerability in FileUpload in connector.php (aka upload.php) that allows remote attackers to upload arbitrary files via a modified CurrentFolder parameter in a direct request to admin/filemanager/upload.php. http://www.cubecart.com/site/forums/index.php?showtopic=14972 http://www.cubecart.com/site/forums/index.php?showtopic=14825 cubecart-connector-file-include(24883) 16796 20060223 NSA Group Security Advisory NSAG-&sup1;197-23.02.2006 Vulnerability CubeCart 3.0.0 ? 3.0.6 http://www.nsag.ru/vuln/892.html http://www.cubecart.com/site/forums/index.php?showtopic=14960 http://www.cubecart.com/site/forums/index.php?showtopic=14817 http://www.cubecart.com/site/forums/index.php?showtopic=14704 482 Multiple cross-site scripting (XSS) vulnerabilities in MyPHPNuke (MPN) 1.88 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the letter parameter in reviews.php and (2) the dcategory parameter in download.php. ADV-2006-0750 20060224 Advisory: MyPHPNuke <= 1.8.8 multiple XSS vulnerabilities http://www.nukedx.com/?viewdoc=12 myphpnuke-reviews-download-xss(24887) 16815 http://www.myphpnuke.com/article.php?sid=1035&mode=thread&order=0 491 19052 Cross-site scripting (XSS) vulnerability in Brown Bear iCal 3.10 allows remote attackers to inject arbitrary web script or HTML via the Calendar Text field when a new event is added. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. This vulnerability affects Brown Bear iCal version 3.10 and previous. ADV-2006-0727 16845 23472 19001 ical-calendartext-xss(24919) Format string vulnerability in the IMAP4rev1 server in Alt-N MDaemon 8.1.1 and possibly 8.1.4 allows remote attackers to cause a denial of service (CPU consumption) by creating and then listing folders whose names contain format string specifiers. ADV-2006-0729 http://www.nsag.ru/vuln/888.html 18921 mdaemon-imap-foldername-dos(24916) 16854 Multiple directory traversal vulnerabilities in Allume StuffIt Standard and Deluxe 9.0, ZipMagic Deluxe 9.0, and StuffIt Expander 9.0.0.21 Engine 9.0.0.21 allow remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a (1) zip or (2) tar archive. ADV-2006-0732 16806 20060224 StuffIt and ZipMagic Family of products Directory traversal http://www.hamid.ir/security/stuffit.txt 19010 stuffit-zipmagic-archive-directory-traversal(24886) 23463 Multiple cross-site scripting (XSS) vulnerabilities in the JGS-XA JGS-Gallery Addon 4.0.0 and earlier for Woltlab Burning Board (wBB) 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) userid parameter in (a) jgs_galerie_slideshow.php and (b) jgs_galerie_scroll.php, and the (2) katid parameter in (c) jgs_galerie_slideshow.php. Vulnerability affects JGS-XA, JGS-Gallery Addon versions 4.0.0 and previous. 16810 20060224 Advisory: Woltlab Burning Board 2.x (JGS-Gallery MOD <= 4.0)multiple XSS vulnerabilities http://www.nukedx.com/?viewdoc=11 wbb-jgsgallerymod-xss(24888) 16843 20060224 Advisory: Woltlab Burning Board 2.x (JGS-Gallery MOD <= 4.0) multiple XSS vulnerabilities The POP3 Server in ArGoSoft Mail Server Pro 1.8 allows remote attackers to obtain sensitive information via the _DUMP command, which reveals the operating system, registered user, and registration code. ADV-2006-0733 16808 20060224 NSA Group Security Advisory NSAG-&sup1;198-23.02.2006 Vulnerability ArGoSoft Mail Server Pro http://www.nsag.ru/vuln/879.html 18990 Directory traversal vulnerability in the IMAP server in ArGoSoft Mail Server Pro 1.8.8.1 allows remote authenticated users to create arbitrary folders via a .. (dot dot) in the RENAME command. ADV-2006-0733 16809 20060224 NSA Group Security Advisory NSAG-&sup1;200-24.02.2006 Vulnerability ArGoSoft Mail Server Pro IMAP http://www.nsag.ru/vuln/878.html 18990 Directory traversal vulnerability in Webmail in ArGoSoft Mail Server Pro 1.8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the UIDL parameter. ADV-2006-0733 http://www.nsag.ru/vuln/877.html 18990 487 Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive. ADV-2006-0728 16805 20060224 Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal 23481 http://www.hamid.ir/security/phptar.txt 19011 http://pear.php.net/package/Archive_Tar/download/ http://pear.php.net/bugs/bug.php?id=6933 Directory traversal vulnerability in zip.lib.php 0.1.1 in PEAR::Archive_Zip allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a ZIP archive. 20060224 Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal http://www.hamid.ir/security/phpzip.txt ziplib-directory-traversal(24972) 20060225 Archive_Zip (Zip file management class) Directory traversal 486 Cross-site scripting (XSS) vulnerability in PHPX 3.5.9 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in a url XCode tag in a posted message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. phpx-xcode-tag-xss(24874) ADV-2006-0722 16799 18688 Cross-site scripting (XSS) vulnerability in webinsta Limbo 1.0.4.2 allows remote attackers to inject arbitrary web script or HTML via the message field in the Contact Form. webinsta-limbo-contact-form-xss(24877) ADV-2006-0721 16811 23469 18723 http://osvdb.org/ref/23/23469-limbo.txt Microsoft Word 2003 allows remote attackers to cause a denial of service (application crash) via a crafted file, as demonstrated by 101_filefuzz. 16782 [Dailydave] 20060221 word dos 4fun Free Host Shop Website Generator 3.3 allows remote authenticated users with administrative privileges to upload and execute arbitrary files via a formname parameter with a filename containing a dangerous file extension and a trailing %00. 19014 http://nsag.ru/vuln/894.html 16823 20060225 NSA Group Security Advisory NSAG-&sup1;202-25.02.2006 Vulnerability WEBSITE GENERATOR 3.3 U.N.U. Mailgust 1.9 allows remote attackers to obtain sensitive information via a direct request to index.php with method=showfullcsv, which reveals the POP3 server configuration, including account name and password. 18998 http://nsag.ru/vuln/890.html mailgust-index-info-disclosure(24890) Cross-site scripting (XSS) vulnerability in eZ publish 3.7.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the RefererURL parameter. 16817 20060225 Advisory: eZ publish <= 3.7.3 (imagecatalogue module) XSSvulnerability http://www.nukedx.com/?viewdoc=16 ezpublish-referrerurl-xss(24956) 1015683 SQL injection vulnerability in DCI-Taskeen 1.03 allows remote attackers to execute arbitrary SQL commands via the (1) id or (2) action parameter to (a) basket.php, or (3) id or (4) page parameter to (b) cat.php. 16828 20060225 SQL Injection in DCI-Taskeen 1015685 dci-taskeen-multiple-scripts-sql-injection(24963) 495 Multiple direct static code injection vulnerabilities in savesettings.php in ShoutLIVE 1.1.0 allow remote attackers to execute arbitrary PHP code via variables that are written to settings.php. ADV-2006-0755 23482 19047 http://evuln.com/vulns/87/summary.html shoutlive-savesettings-file-include(24897) 16857 20060307 [eVuln] ShoutLIVE PHP Code Execution & Multiple XSS Vulnerabilities 557 Multiple cross-site scripting (XSS) vulnerabilities in post.php in ShoutLIVE 1.1.0 allow remote attackers to inject arbitrary web script or HTML via certain variables when posting new messages. ADV-2006-0755 23483 19047 http://evuln.com/vulns/87/summary.html shoutlive-post-xss(24901) 16857 20060307 [eVuln] ShoutLIVE PHP Code Execution & Multiple XSS Vulnerabilities 557 SQL injection vulnerability in profil.php in PwsPHP 1.2.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the aff_news_form parameter, a different vulnerability than CVE-2005-1509. 16567 http://downloads.securityfocus.com/vulnerabilities/exploits/PwsPHP_SQL_Inj.php 28444 SQL injection vulnerability in the sondages module in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. ADV-2006-0748 20060226 Re: PwsPHP Injection SQL on Index.php 20060225 PwsPHP Injection SQL on Index.php http://www.pwsphp.com/index.php?mod=news&ac=commentaires&id=278 1015684 496 Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. archangel-admin-auth-bypass(24984) 20060226 Archangel Weblog 0.90.02 Admin Authentication Bypass & Remote File Inclusion archangel-admin-auth-bypass(24984) 16848 23620 3859 1015689 PHP remote file include vulnerability in admin/index.php in Archangel Weblog 0.90.02 allows remote authenticated administrators to execute arbitrary PHP code via a URL ending in a NULL (%00) in the index parameter. archangel-index-file-include(25142) archangel-admin-auth-bypass(24984) archangel-admin-auth-bypass(24984) 16848 20060226 Archangel Weblog 0.90.02 Admin Authentication Bypass & Remote File Inclusion 23621 1015689 Cross-site scripting (XSS) vulnerability in Thomson SpeedTouch modems running firmware 5.3.2.6.0 allows remote attackers to inject arbitrary web script or HTML via the name parameter to the LocalNetwork page. ADV-2006-0765 16839 20060226 Thomson SpeedTouch 500 modems vulnerable to XSS speedtouch-localnetwork-xss(24977) 23527 1015688 19069 Thomson SpeedTouch modem running firmware 5.3.2.6.0 allows remote attackers to create users that cannot be deleted via scripting code in the "31" parameter in a NewUser function, which is not filtered by the modem when creating the account, but cannot be deleted by the administrator, possibly due to cleansing that occurs in the administrator interface. ADV-2006-0765 16839 20060226 Thomson SpeedTouch 500 modems vulnerable to XSS 1015688 19069 AOL 9.0 Security Edition revision 4184.2340, and probably other versions, uses insecure permissions (Everyone/Full Control) for the "America Online 9.0" directory, which allows local users to gain privileges by replacing critical files. AOL has released fixes to address this issue. These fixes can be automatically applied by logging in to the service. aol-default-insecure-permissions(28445) 19583 1016717 18734 ADV-2006-3317 20060818 Secunia Research: AOL Insecure Default Directory Permissions 27995 1416 http://secunia.com/secunia_research/2006-08 RaidenHTTPD 1.1.47 allows remote attackers to obtain source code of script files, including PHP, via crafted requests involving (1) "." (dot), (2) space, and (3) "/" (slash) characters. This vulnerability affects RaidenHTTPD, RaidenHTTPD version 1.1.47 and may affect all previous versions. 23616 http://secunia.com/secunia_research/2006-15/advisory/ 19032 ADV-2006-0807 raidenhttpd-extension-obtain-information(25037) 16934 unalz 0.53 allows user-assisted attackers to overwrite arbitrary files via an ALZ archive with ".." (dot dot) sequences in a filename. 20060313 Secunia Research: unalz Filename Handling Directory TraversalVulnerability 19063 unalz-archive-directory-traversal(25171) ADV-2006-0938 17105 23835 1015780 575 http://secunia.com/secunia_research/2006-16/ 20060313 Secunia Research: unalz Filename Handling The GUI (nod32.exe) in NOD32 2.5 runs with SYSTEM privileges when the scheduler runs a scheduled on-demand scan, which allows local users to execute arbitrary code during a scheduled scan via unspecified attack vectors. 19054 ADV-2006-1242 http://secunia.com/secunia_research/2006-17/advisory/ 24394 nuauth in NuFW before 1.0.21 does not properly handle blocking TLS sockets, which allows remote authenticated users to cause a denial of service (service hang) by flooding packets at the authentication server. This vulnerability affects NuFW, NuFW Firewall versions 1.0.20 and previous. http://www.nufw.org/+NuFW-1-21-minor-security-fix+.html 19046 ADV-2006-0762 16868 Direct static code injection vulnerability in func.inc.php in ZoneO-Soft freeForum before 1.2.1 allows remote attackers to execute arbitrary PHP code via the (1) X-Forwarded-For and (2) Client-Ip HTTP headers, which are stored in Data/flood.db.php. 19020 http://evuln.com/vulns/89/summary.html ADV-2006-0759 http://soft.zoneo.net/freeForum/changes.php 16871 20060310 [eVuln] FreeForum PHP Code Execution & Multiple XSS Vulnerabilities Cross-site scripting (XSS) vulnerability in func.inc.php in ZoneO-Soft freeForum before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the (1) name and (2) subject parameters. 19020 http://evuln.com/vulns/89/summary.html ADV-2006-0759 http://soft.zoneo.net/freeForum/changes.php freeforum-func-xss(24925) 16877 20060310 [eVuln] FreeForum PHP Code Execution & Multiple XSS Vulnerabilities SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 has also been reported to be affected. mybb-misc-sql-injection(24953) ADV-2006-0774 16631 20060303 MyBB 1.04 Perl Exploit 20060228 MyBB 1.3 NewSQL Injection 23554 512 19061 1539 uConfig agent in Compex NetPassage WPE54G router allows remote attackers to cause a denial of service (unresposiveness) via crafted datagrams to UDP port 7778. ADV-2006-0780 16894 http://www.security.nnov.ru/Ldocument605.html 1015690 19037 netpassage-udp-dos(24968) SQL injection vulnerability in yazdir.asp in Cilem Hiber 1.1 allows remote attackers to execute arbitrary SQL commands via the haber_id parameter. NOTE: this product has also been referred to as "Cilem News," although that does not appear to be the proper name. cilemnews-sql-injection(24920) ADV-2006-0881 16813 23618 http://www.nukedx.com/?viewdoc=10 1015677 19157 1562 20060224 Advisory: CilemNews System <= 1.1 Remote SQL 20060224 Advisory: CilemNews System <= 1.1 Remote SQL Injection Vulnerability SQL injection vulnerability in vuBB 0.2 allows remote attackers to execute arbitrary SQL commands via the pass parameter in a cookie. ADV-2006-0799 19084 vubb-index-sql-injection(25019) 16930 1543 Multiple buffer overflows in STLport 5.0.2 might allow local users to execute arbitrary code via (1) long locale environment variables to a strcpy function call in c_locale_glibc2.c and (2) long arguments to unspecified functions in num_put_float.cpp. 19051 ADV-2006-0800 http://sourceforge.net/project/shownotes.php?release_id=397543 stlport-strcpy-local-bo(25159) 16928 Client Firewall in NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users to bypass firewall program execution rules by replacing an allowed program with an arbitrary program. 16906 20060301 NCP VPN/PKI Client - various Bugs ncp-client-firewall-bypass-security(25242) 19082 20060301 NCP VPN/PKI Client - various Bugs NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users to bypass security protections and configure privileged options via a long argument to ncpmon.exe, which provides access to alternate privileged menus, possibly due to a buffer overflow. 16906 20060301 NCP VPN/PKI Client - various Bugs ncp-ncpmon-bo(25243) 19082 20060301 NCP VPN/PKI Client - various Bugs NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users cause a denial of service (CPU consumption) via a large number of arguments to ncprwsnt.exe, possibly due to a buffer overflow. 16906 20060301 NCP VPN/PKI Client - various Bugs ncp-ncprwsnt-dos(25248) 19082 20060301 NCP VPN/PKI Client - various Bugs NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users cause a denial of service (memory usage and cpu utilization) via a flood of arbitrary UDP datagrams to ports 0 to 65000. NOTE: this issue was reported as a buffer overflow, but that term usually does not apply in flooding attacks. 16906 20060301 NCP VPN/PKI Client - various Bugs ncp-udp-dos(25249) 19082 20060301 NCP VPN/PKI Client - various Bugs The ncprwsnt service in NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users to execute arbitrary code by modifying the connect.bat script, which is automatically executed by the service after a connection is established. 16906 20060301 NCP VPN/PKI Client - various Bugs ncp-connect-command-execution(25251) 524 19082 20060301 NCP VPN/PKI Client - various Bugs PHP remote file inclusion vulnerability in index.php in Top sites de PixelArtKingdom allows remote attackers to include and execute arbitrary files via the page parameter. 20060227 PixelArtKingdom TopSites Remote Command Exucetion 507 PHP remote file inclusion vulnerability in index.php in one or more ActiveCampaign products, possibly SupportTrio, allows remote attackers to include and execute arbitrary files via the page parameter. 20060227 Knowledgebases Remote Command Exucetion activecampaign-index-command-execution(24989) 3228 505 Directory traversal vulnerability in Lionel Reyero DirectContact 0.3b allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. ADV-2006-0761 20060227 directory traversal in DirectContact 0.3b directcontact-dotdot-dir-traversal(24930) http://www3.autistici.org/fdonato/advisory/DirectContact0.3b-adv.txt 16849 20060312 directory traversal Fixed in DirectContact 0.3c 23519 1015686 506 19053 20060227 directory traversal in DirectContact 0.3b SQL injection vulnerability in news.php in Tony Baird Fantastic News 2.1.1 allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: the category vector is already covered by CVE-2005-3846. 20060226 2 SQL Injection in Fantastic News fantasticnews-news-sql-injection(24943) 16842 501 SQL injection vulnerability in topics.php in Appalachian State University phpWebSite 0.10.2 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter. http://www.securityfocus.com/data/vulnerabilities/exploits/phpWebSite-topic-sql-inj.pl 16825 phpwebsite-topics-sql-injection(25799) 20060523 sql injection in phpWebSite 0.8.3 20060412 phpWebSite 0.10.? (topics.php) Remote SQL Injection Exploit 1525 Cross-site scripting (XSS) vulnerability in failure.asp in Battleaxe bttlxeForum 2.0 allows remote attackers to inject arbitrary web script or HTML via the err_txt parameter. This vulnerability affects Battleaxe Software, bttlxeForum versions 2.0 and previous bttlxeforum-failure-xss(24981) ADV-2006-0776 16821 23540 19043 20060226 bttlxeForum 2.* XSS Vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0459. Reason: This candidate is a reservation duplicate of CVE-2006-0459. Notes: All CVE users should reference CVE-2006-0459 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Directory traversal vulnerability in scan_lang_insert.php in Boris Herbiniere-Seve SPiD 1.3.1 allows remote attackers to read arbitrary files via the lang parameter. spid-scanlanginsert-file-include(24955) ADV-2006-0766 16822 20060225 NSA Group Security Advisory NSAG-&sup1;201-25.02.2006 Vulnerability SPiD v1.3.1 http://www.nsag.ru/vuln/955.html 19033 Craig Morrison Mail Transport System Professional (aka MTS Pro) acts as an open relay when configured to relay all mail through an external SMTP server, which allows remote attackers to relay mail by connecting to the MTS Pro server, then sending a MAIL FROM that specifies a domain that is local to the server. ADV-2006-0786 20060225 Mail Transport System Professional--Open Relay Hole mts-mail-relay(24985) 16840 19067 Multiple cross-site scripting (XSS) vulnerabilities in the View Headers (aka viewheaders) functionality in ArGoSoft Mail Server Pro 1.8.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the Subject header, (2) the From header, and (3) certain other unspecified headers. This vulnerability affects ArGoSoft, Mail Server Pro version 1.8.8.5, and may affect all previous versions. ADV-2006-0751 16834 20060227 Secunia Research: ArGoSoft Mail Server Pro viewheaders ScriptInsertion 23512 http://secunia.com/secunia_research/2006-6/advisory/ 18991 argosoft-mailserverpro-viewheaders-xss(24945) 504 Unspecified vulnerability in the local weblog publisher in Nidelven IT Issue Dealer before 0.9.96 has unknown impact and attack vectors. This vulnerability affects Nidelven IT, Issue Dealer versions 0.9.95 and previous. 23502 http://issuedealer.com/changes/ issuedealer-unpublished-issue-disclosure(24929) 16884 19018 Multiple cross-site scripting (XSS) vulnerabilities in Jay Eckles CGI Calendar 2.7 allow remote attackers to inject arbitrary web script or HTML via the year parameter in (1) index.cgi and (2) viewday.cgi. ADV-2006-0764 20060226 CGI Calendar XSS Vulnerability cgicalendar-index-viewday-xss(24946) 19066 Directory traversal vulnerability in e-merge WinAce 2.6 and earlier allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a (1) zip or (2) tar archive. This vulnerability affects e-merge, WinAce versions 2.6 and previous. winace-rar-tar-directory-traversal(24902) ADV-2006-0730 16800 20060224 WinAce Archiver v2.6 Directory traversal 23464 http://www.hamid.ir/security/winace.txt 19013 The on-access scanner for McAfee Virex 7.7 for Macintosh, in some circumstances, might not activate when malicious content is accessed from the web browser, and might not prevent the content from being saved, which allows remote attackers to bypass virus protection, as demonstrated using the EICAR test file. 20060228 Virex on-access scanning unreliable Cross-site scripting (XSS) vulnerability in index.php in QwikiWiki 1.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter. http://sourceforge.net/forum/forum.php?forum_id=438526 16874 20060228 QwikiWiki v1.4 XSS Vulnerability qwikiwiki-index-xss(24950) 23700 510 Cross-site scripting (XSS) vulnerability in inc_header.php in EJ3 TOPo 2.2.178 allows remote attackers to inject arbitrary web script or HTML via the gTopNombre parameter. This vulnerability affects EJ3, TOPo version 2.2.178, and possibly all previous versions. ADV-2006-0775 16879 20060228 EJ3 TOPo - Cross Site Scripting Vulnerability topo-incheader-xss(24980) 23541 511 19070 Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters. 20060227 WordPress 2.0.1 Multiple Vulnerabilities http://NeoSecurityTeam.net/advisories/Advisory-17.txt ADV-2006-0777 wordpress-wpcommentspost-xss(24957) 20060302 Re: FW: WordPress 2.0.1 Multiple Vulnerabilities 20060228 FW: WordPress 2.0.1 Multiple Vulnerabilities 19050 WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-footer.php, and (12) menu.php in the wp-admin directory; and possibly (13) list directory contents of the wp-includes directory. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110. Other vectors might be covered by CVE-2005-1688. NOTE: if the typical installation of WordPress does not list any site-specific files to wp-includes, then vector [13] is not an exposure. 20060227 WordPress 2.0.1 Multiple Vulnerabilities http://NeoSecurityTeam.net/advisories/Advisory-17.txt ADV-2006-0777 20060302 Re: FW: WordPress 2.0.1 Multiple Vulnerabilities 20060228 FW: WordPress 2.0.1 Multiple Vulnerabilities 19050 The default configuration of ISC BIND, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses. This vulnerability affects ISC, BIND versions 9.3.2 and previous. http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf 20060228 recursive DNS servers DDoS as a growing DDoS problem http://dns.measurement-factory.com/surveys/sum1.html The default configuration of the DNS Server service on Windows Server 2003 and Windows 2000, and the Microsoft DNS Server service on Windows NT 4.0, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses. This vulnerability affects all versions of Windows 2000 -and- Windows Server 2003. http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf 20060228 recursive DNS servers DDoS as a growing DDoS problem http://dns.measurement-factory.com/surveys/sum1.html Stack-based buffer overflow in the volume manager daemon (vmd) in Veritas NetBackup Enterprise Server 5.0 through 6.0 and DataCenter and BusinesServer 4.5FP and 4.5MP allows attackers to execute arbitrary code via unknown vectors. VU#880801 http://www.zerodayinitiative.com/advisories/ZDI-06-005.html ADV-2006-1124 http://seer.support.veritas.com/docs/281521.htm http://securityresponse.symantec.com/avcenter/security/Content/2006.03.27.html netbackup-vmd-sscanf-bo(25471) 17264 20060327 ZDI-06-005: Symantec VERITAS NetBackup Volume Manager Buffer Overflow 24172 1015832 639 Stack-based buffer overflow in the NetBackup Catalog daemon (bpdbm) in Veritas NetBackup Enterprise Server 5.0 through 6.0 and DataCenter and BusinesServer 4.5FP and 4.5MP allows attackers to execute arbitrary code via unknown vectors. VU#744137 http://securityresponse.symantec.com/avcenter/security/Content/2006.03.27.html http://www.zerodayinitiative.com/advisories/ZDI-06-006.html ADV-2006-1124 http://seer.support.veritas.com/docs/281521.htm netbackup-bpdbm-sprintf-bo(25472) 17264 20060327 SYM06-006, Veritas NetBackup: Multiple Overflow Vulnerabilities in NetBackup Daemons 20060327 ZDI-06-006: Symantec VERITAS NetBackup Database Manager Buffer Overflow 1015832 642 19417 Buffer overflow in the NetBackup Sharepoint Services server daemon (bpspsserver) on NetBackup 6.0 for Windows allows remote attackers to execute arbitrary code via crafted "Request Service" packets to the vnetd service (TCP port 13724). VU#377441 http://securityresponse.symantec.com/avcenter/security/Content/2006.03.27.html netbackup-vnetd-bo(25473) ADV-2006-1124 http://www.tippingpoint.com/security/advisories/TSRT-06-01.html 17264 20060327 TSRT-06-01: Symantec VERITAS NetBackup vnetd Buffer Overflow Vulnerability http://seer.support.veritas.com/docs/281521.htm 1015832 19417 Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092. This is the correct identifier. Upgrade to GroupWise Messenger, 2.0 Public Beta 2 to fix this issue. http://www.zerodayinitiative.com/advisories/ZDI-06-008.html 17503 http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm ADV-2006-1355 20060413 ZDI-06-008: Novell GroupWise Messenger Accept-Language Buffer Overflow groupwise-accept-language-bo(25828) 24617 1679 1015911 19663 http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html http://cirt.dk/advisories/cirt-42-advisory.txt The web management interface in 3Com TippingPoint SMS Server before 2.2.1.4478 does not restrict access to certain directories, which might allow remote attackers to obtain potentially sensitive information such as configuration settings. Upgrade to 3Com TippingPoint SMS Server version 2.2.1.4478 http://www.zerodayinitiative.com/advisories/ZDI-06-013.html ADV-2006-1752 20060509 ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure Vulnerability tippingpoint-sms-information-disclosure(26338) 17935 25360 http://www.3com.com/securityalert/alerts/3COM-06-002.html 1016051 870 20058 Multiple Sophos Anti-Virus products, including Anti-Virus for Windows 5.x before 5.2.1 and 4.x before 4.05, when cabinet file inspection is enabled, allows remote attackers to execute arbitrary code via a CAB file with "invalid folder count values," which leads to heap corruption. The vendor has issued a fixed version http://www.zerodayinitiative.com/advisories/ZDI-06-012.html ADV-2006-1730 17876 20060508 ZDI-06-012: Sophos Anti-Virus CAB Unpacking Code Execution Vulnerability 1016041 20028 sophos-cab-parsing-bo(26305) 869 20060508 ZDI-06-012: Sophos Anti-Virus CAB Unpacking Code Execution Vulnerability EMC Dantz Retrospect 7 backup client 7.0.107, and other versions before 7.0.109, and 6.5 before 6.5.138 allows remote attackers to cause a denial of service (client termination and loss of backup service) via a malformed packet to TCP port 497, which triggers an assert error. This vulnerability affects EMC Dantz, Retrospect versions 7.0.x (all 7.0.x versions previous to 7.0.109) as well as versions 6.5.x (all 6.5.x versions previous to 6.5.138) 20060302 EMC Dantz Retrospect 7 Backup client DoS Vulnerability http://kb.dantz.com/article.asp?article=8361&p=2 ADV-2006-0811 retrospect-backup-packet-dos(25143) 16933 1015714 19097 Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed. [php-cvs] 20060330 cvs: php-src /ext/standard info.c http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c?r1=1.260&r2=1.261 php-phpinfo-long-array-xss(25702) ADV-2006-2685 ADV-2006-1290 USN-320-1 17362 RHSA-2006:0501 http://www.php.net/ChangeLog-4.php#4.4.3 24484 SUSE-SA:2006:024 MDKSA-2006:074 http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm 1015879 675 20060408 phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2 GLSA-200605-08 21564 21252 21125 20951 20222 20210 20052 19979 19832 19775 19599 RHSA-2006:0549 RHSA-2006:0276 oval:org.mitre.oval:def:10997 http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c 20060501-01-U The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) permits encryption with a NULL key, which results in cleartext communication that allows remote attackers to read an SSL protected session by sniffing network traffic. ADV-2006-1043 17176 http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm netware-nile-ssl-cleartext(25380) 24046 1015799 19324 The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) sometimes selects a weak cipher instead of an available stronger cipher, which makes it easier for remote attackers to sniff and decrypt an SSL protected session. ADV-2006-1043 http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm netware-nile-weak-encryption(25381) 24047 1015799 19324 The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) allows a client to force the server to use weak encryption by stating that a weak cipher is required for client compatibility, which might allow remote attackers to decrypt contents of an SSL protected session. ADV-2006-1043 http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm netware-nile-forced-weak-encryption(25382) 24048 1015799 19324 Multiple SQL injection vulnerabilities in Pentacle In-Out Board 3.0 and earlier allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) newsid parameter to newsdetailsview.asp and (2) password parameter to login.asp. ADV-2006-0749 16818 20060225 Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.aspnewsid) Remote SQL Injection Vulnerability 20060225 Advisory: Pentacle In-Out Board <= 6.03 (login.asp) AuthencationByPass Vulnerability http://www.nukedx.com/?viewdoc=14 http://www.nukedx.com/?viewdoc=13 1015682 19024 20060225 Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.asp newsid) Remote SQL Injection Vulnerability 20060225 Advisory: Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability SQL injection vulnerability in the board module in LanSuite LanParty Intranet System 2.0.6 and 2.1.0 beta allows remote attackers to execute arbitrary SQL commands via the fid parameter. This vulnerability affects Lansuite, LanParty Intranet System version 2.1 (Beta) & LanSuite, LanParty Intranet System versions 2.0.6 and previous. ADV-2006-0747 16836 19048 lansuite-fid-sql-injection(24940) 23533 1526 NETGEAR WGT624 Wireless DSL router has a default account of super_username "Gearguy" and super_passwd "Geardog", which allows remote attackers to modify the configuration. NOTE: followup posts have suggested that this might not occur with all WGT624 routers. netgear-wgt624-default-account(24926) 16835 20071220 Re: Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability 20060413 Re: Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability 20060227 Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability 20060226 NETGEAR WGT624 ? Wireless DSL router default user name/password vulnerability The backup configuration option in NETGEAR WGT624 Wireless Firewall Router stores sensitive information in cleartext, which allows remote attackers to obtain passwords and gain privileges. 16837 20060227 NETGEAR WGT624 ? Wireless DSL Firewall/Router vulnerability netgear-wgt624-cleartext-config(24927) Cross-site scripting (XSS) vulnerability in agencyprofile.asp in Parodia 6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the AG_ID parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. ADV-2006-0763 19025 parodia-agencyprofile-xss(24971) 16865 23548 agencyprofile.asp in Parodia 6.2 and earlier might allow remote attackers to obtain sensitive information by triggering an SQL error via an invalid AG_ID parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. This vulnerability affects CactuSoft, Parodia version 6.2, and may affect all previous versions as well. 19025 Multiple SQL injection vulnerabilities in sendcard.php in sendcard before 3.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. sendcard-unspecified-sql-injection(24978) 16900 http://sourceforge.net/forum/forum.php?forum_id=544749 19056 ADV-2006-0778 Multiple SQL injection vulnerabilities in N8cms 1.1 and 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) dir and (2) page_id parameter to index.php. n8cms-index-sql-injection(24974) ADV-2006-0779 20060309 n8cms 1.1 & 1.2 version Sql &#304;njection And XSS 19068 http://biyosecurity.be/bugs/n8cms.txt 16858 Multiple cross-site scripting (XSS) vulnerabilities in N8cms 1.1 and 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) dir and (2) page_id parameter to (a) index.php and (3) userid parameter to (b) mailto.php. NOTE: it is possible that issues 1 and 2 are resultant from SQL injection. This vulnerability may affect all versions of Nathan Landry, n8cms. n8cms--xss(25126) n8cms-mailto-xss(24975) ADV-2006-0779 20060309 n8cms 1.1 & 1.2 version Sql &#304;njection And XSS 19068 http://biyosecurity.be/bugs/n8cms.txt 16858 562 M4 Project enigma-suite before 0.73.3 (Windows) has a default password of "nominal" for the "enigma-client" account, which allows local users to gain access. ADV-2006-0787 23572 http://www.bytereef.org/m4-project-blog.html 19077 enigma-suite-default-acoount(24993) Buffer overflow in socket/request.c in CrossFire before 1.9.0, when oldsocketmode is enabled, allows remote attackers to cause a denial of service (segmentation fault) and possibly execute code by sending the server a large request. This vulnerability affects CrossFire versions 1.8.0 and previous. crossfire-oldsocketmode-bo(24932) 19044 http://cvs.sourceforge.net/viewcvs.py/crossfire/crossfire/socket/request.c?r1=1.80&r2=1.81 ADV-2006-0760 http://aluigi.altervista.org/poc/crossfirebof.zip 16883 23549 GLSA-200604-11 DSA-1001 19785 19194 LetterMerger 1.2 stores user information in Access database files with insecure permissions, which allows local users to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. lettermerger-files-disclose-information(25020) 16917 23599 19074 SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. GLSA-200603-01 19109 16950 wordpress-comment-sql-injection(25321) 19123 PHP remote file include vulnerability in index.php in SMartBlog (aka SMBlog) 1.2 allows remote attackers to include and execute arbitrary PHP files via (1) the pg parameter and (2) a query string without a parameter. 20060301 SMBlog Remote Command Exucetion smartblog-index-file-include(25220) 16905 Argument injection vulnerability in certain PHP 4.x and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, allows context-dependent attackers to read and create arbitrary files by providing extra -C and -X arguments to sendmail. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE. This vulnerability affects all versions of PHP from 4.0.x through 5.1.x 20060228 (PHP) mb_send_mail security bypass 18694 ADV-2006-0772 16878 23534 SUSE-SA:2006:024 19979 Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mail function, allows remote attackers to read and create arbitrary files via the sendmail -C and -X arguments. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE. 20060301 Re: (PHP) mb_send_mail security bypass 16878 SUSE-SA:2006:024 517 19979 Buffer overflow in the IsComponentInstalled method in Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument. ie-iscomponentinstalled-bo(24923) http://www.metasploit.com/projects/Framework/modules/exploits/ie_iscomponentinstalled.pm http://metasploit.com/projects/Framework/exploits.html#ie_iscomponentinstalled 16870 The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. php-imap-restriction-bypass(24964) ADV-2006-0772 20060228 (PHP) imap functions bypass safemode and open_basedir restrictions http://www.php.net/release_5_1_5.php http://www.php.net/ChangeLog-5.php#5.1.5 23535 MDKSA-2006:122 516 21546 21050 18694 http://bugs.php.net/bug.php?id=37265 SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 allows remote attackers to execute arbitrary SQL commands via the id parameter in a diwan view action. dawaween-poems-sql-injection(25163) 16909 20060302 sql in Dawaween V 1.03 23827 Cross-site scripting (XSS) vulnerability in fce.php in UKiBoard 3.0.1 allows remote attackers to inject arbitrary web script or HTML via a BBCode url tag when using the show_post function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, some of which reference a source URL that appears to be for an unrelated issue. ukiboard-fce-xss(24990) 16912 SQL injection vulnerability in forumlib.php in Johnny_Vegas Vegas Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter. ADV-2006-0790 http://evuln.com/vulns/90/summary.html vegasforum-forumlib-sql-injection(25167) 17079 20060313 [eVuln] Vegas Forum SQL Injection Vulnerability 574 19219 Cross-site scripting (XSS) vulnerability in sol_menu.php in PeHePe Uyelik Sistemi (aka PeHePe MemberShip Management System) 3 allows remote attackers to inject arbitrary web script or HTML via the kuladi parameter ($kul_adi variable). http://yns.zaxaz.com/2006/02/28/pehepe-membership-management-system-multiple-vulnerabilities/ ADV-2006-0781 20060228 PEHEPE Membership Management System Multiple Vulnerabilities 19055 16885 PHP remote file include vulnerability in sol_menu.php in PeHePe Uyelik Sistemi (aka PeHePe MemberShip Management System) 3 allows remote attackers to include and execute arbitrary PHP code via a URL in the uye_klasor parameter, along with a misafir[] parameter that is set to UYE_SEVIYE. This vulnerability affects PeHePe, Membership Management System (a.k.a Uyelik Sistemi) versions 3.0 and previous. http://yns.zaxaz.com/2006/02/28/pehepe-membership-management-system-multiple-vulnerabilities/ ADV-2006-0781 20060228 PEHEPE Membership Management System Multiple Vulnerabilities 19055 pehepe-uyeklasor-command-execution(24970) 16887 23567 515 Directory traversal vulnerability in HP System Management Homepage (SMH) 2.0.0 through 2.1.4 on Windows allows remote attackers to access certain files via unspecified vectors. This vulnerability affects all versions of HP, System Management Homepage from 2.0.0 through 2.1.4. This vulnarebility is only present in the following Windows OS environments: Microsoft Windows 2000, 2003, 2003 for x64, 2003 for Itanium and also Windows XP. HPSBMA02099 SSRT061118 1015692 19059 ADV-2006-0769 hp-system-managemenet-homepage-dir-traversal(24996) 16876 SQL injection vulnerability in MgrLogin.asp in Addsoft StoreBot 2005 Professional allows remote attackers to execute arbitrary SQL commands via the Pwd parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. This vulnerability affects all versions of AddSoft, StoreBot 2005 Professional Edition. storebot-mgrlogin-sql-injection(24987) ADV-2006-0784 16897 23575 19019 Cross-site scripting (XSS) vulnerability in manage.asp in Addsoft StoreBot 2002 Standard allows remote attackers to inject arbitrary web script or HTML via the ShipMethod parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. storebot-manage-xss(24986) ADV-2006-0785 16898 23574 19060 JFacets before 0.2 allows remote attackers to gain privileges as any account via a GET request with a modified account profileID. This vulnerability affects JFacets versions prior to 0.2. jfacets-auth-authentication-bypass(24958) http://sourceforge.net/project/shownotes.php?group_id=154666&release_id=396824 19031 ADV-2006-0767 http://sourceforge.net/tracker/index.php?func=detail&aid=1439037&group_id=154666&atid=792697 feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via a "/" (slash) in the feed parameter to index.php, which reveals the path in an error message. http://www.joomla.org/content/view/938/78/ 20060302 JOOMLA CMS 1.0.7 DoS & path disclosing joomla-multiple-disclose-path(25028) 23815 527 feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to cause a denial of service (stressed file cache) by creating many files via filenames in the feed parameter to index.php. http://www.joomla.org/content/view/938/78/ 20060302 JOOMLA CMS 1.0.7 DoS & path disclosing 23817 527 19105 The cross-site scripting (XSS) countermeasures in class.inputfilter.php in Joomla! 1.0.7 allow remote attackers to cause a denial of service via a crafted mosmsg parameter to index.php with a malformed sequence of multiple tags, as demonstrated using "<<>AAA<><>", possibly due to nested or empty tags. 20060302 JOOMLA CMS 1.0.7 DoS & path disclosing 23816 http://www.joomla.org/content/view/938/78/ Unspecified vulnerability in mod_templatechooser in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via an unspecified attack vector that reveals the path. http://www.joomla.org/content/view/938/78/ ADV-2006-0818 joomla-multiple-disclose-path(25028) 23818 19105 config/config_inc.php in iGENUS Webmail 2.02 and earlier allows remote attackers to include arbitrary local files via the SG_HOME parameter. igenus-sg-home-file-include(24935) ADV-2006-0753 16829 23530 19036 http://retrogod.altervista.org/igenus_202_xpl_pl.html Eval injection vulnerability in the decode function in rpc_decoder.php for phpRPC 0.7 and earlier, as used by runcms, exoops, and possibly other programs, allows remote attackers to execute arbitrary PHP code via the base64 tag. ADV-2006-0745 16833 20060226 phpRPC Library Remote Code Execution http://www.gulftech.org/?node=research&article_id=00105-02262006 1015691 502 19058 19028 Multiple cross-site scripting (XSS) vulnerabilities in Dragonfly CMS before 9.0.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) uname, (2) error, (3) profile or (4) the username filed parameter to the (a) Your_Account module, (5) catid, (6) sid, (7) Story Text or (8) Extended text text fields in the (b) News module, (9) month, (10) year or (11) sa parameter to the (c) Stories_Archive module, (12) show, (13) cid, (14) ratetype, or (15) orderby parameter to the (d) Web_Links module, (16) op, or (17) pollid parameter to the (e) Surveys module, (18) c parameter to the (f) Downloads module, (19) meta, or (20) album parameter to the (g) coppermine module, or the search box in the (21) Search, (22) Stories_Archive, (23) Downloads, and (24) Topics module. ADV-2006-0688 16784 1015661 18940 http://lostmon.blogspot.com/2006/02/multiple-cross-site-scripting-in.html cpg-dragonfly-multiple-xss(24843) Multiple cross-site scripting (XSS) vulnerabilities in Woltlab Burning Board (wBB) allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to galerie_index.php and possibly (2) galerie_onfly.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. The second vector might not be XSS. 16843 Unspecified vulnerability in the Oracle Diagnostics module 2.2 and earlier allows remote attackers to access diagnostics tests via unknown attack vectors. VU#298958 16844 http://www.integrigy.com/info/IntegrigySecurityAnalysis-OracleDiag0206.pdf 19076 Multiple unspecified vulnerabilities in the Oracle Diagnostics module 2.2 and earlier have unknown impact and attack vectors, related to "permissions." 16844 http://www.integrigy.com/info/IntegrigySecurityAnalysis-OracleDiag0206.pdf 19076 SQL injection vulnerability in the Oracle Diagnostics module 2.2 and earlier allows remote attackers to execute arbitrary SQL commands via uknown attack vectors. 16844 http://www.integrigy.com/info/IntegrigySecurityAnalysis-OracleDiag0206.pdf oracle-diagnostics-sql-injection(25259) 19076 Buffer overflow in SecureCRT 5.0.4 and earlier and SecureFX 3.0.4 and earlier allows remote attackers to have an unknown impact when a Unicode string is converted to a "narrow" string. 19040 ADV-2006-0806 http://www.vandyke.com/products/securecrt/history.txt securecrt-securefx-string-bo(25092) http://www.vandyke.com/products/securefx/history.txt 16935 SAP Web Application Server (WebAS) Kernel before 7.0 allows remote attackers to inject arbitrary bytes into the HTTP response and obtain sensitive authentication information, or have other impacts, via a ";%20" followed by encoded HTTP headers. sap-was-url-obtain-information(25003) ADV-2006-0810 18006 20060301 SAP Web Application Server http request url parsing vulnerability 1015702 19085 Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or HTML via the email field, which is injected in profile.php but not sanitized in sendmsg.php. This vulnerability affects all versions of Jelsoft, vBulletin between 3.0.12 and 3.5.3 http://www.kapda.ir/advisory-266.html ADV-2006-0808 http://www.vbulletin.com/forum/showthread.php?postid=1079030 20060302 vBulletin3.0.12&3.5.3~is_valid_email()~XSS Attack 20060301 [KAPDA::#26]vBulletin.3.5.3~3.0.12-XSS 23614 19100 16919 Multiple cross-site scripting (XSS) vulnerabilities in Gregarius 0.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) rss_query parameter to search.php or (2) tag parameter to tags.php. 20060303 Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities ADV-2006-0819 gregarius-multiple-xss(25058) 16939 23679 23678 19102 Multiple SQL injection vulnerabilities in Gregarius 0.5.2 allow remote attackers to execute arbitrary SQL commands via the (1) folder parameter to feed.php or (2) rss_query parameter to search.php. 20060303 Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities ADV-2006-0819 gregarius-feed-sql-injection(25059) 16939 23681 23680 537 19102 Stack-based buffer overflow in Microsoft Visual Studio 6.0 and Microsoft Visual InterDev 6.0 allows user-assisted attackers to execute arbitrary code via a long DataProject field in a (1) Visual Studio Database Project File (.dbp) or (2) Visual Studio Solution (.sln). visualstudio-dataproject-bo(25148) ADV-2006-0825 16953 20060305 Microsoft Visual Studio 6.0 Sp6 Malformed .dbp File BoF Exploit 20060304 Visual Studio 6.0 Buffer Overflow Vulnerability 23711 http://www.frsirt.com/exploits/20060305.ms-visual-dbp.c.php 1015721 19081 Multiple buffer overflows in LISTSERV 14.3 and 14.4, including LISTSERV Lite and HPO, with the web archive interface enabled, allow remote attackers to execute arbitrary code via unknown attack vectors related to the WA CGI. NOTE: technical details will be released after the grace period has ended on 20060603. This vulnerability affects L-Soft, Listserv (LITE and HPO) 14.4 and all prior versions that are installed with the web archive interface. VU#841132 16951 20060304 Critical Risk Vulnerability in L-Soft Listserv http://www.lsoft.com/manuals/1.8e/relnotes/LISTSERV14.5-Release-Notes.html#wasecurityalert 1015722 ADV-2006-0824 listserv-wa-cgi-bo(25168) http://www.ngssoftware.com/advisories/listserv_3.txt 19106 The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed. ADV-2006-3749 ADV-2006-1356 16881 SSRT061236 20060228 Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities SUSE-SA:2006:004 oval:org.mitre.oval:def:10254 thunderbird-inline-information-disclosure(24959) USN-276-1 17516 SSRT061236 RHSA-2006:0330 SUSE-SA:2006:022 http://www.mozilla.org/security/announce/2006/mfsa2006-26.html MDKSA-2006:078 GLSA-200605-09 GLSA-200604-18 DSA-1051 DSA-1046 514 22065 20051 19950 19941 19902 19863 19823 19821 oval:org.mitre.oval:def:1975 server.cpp in Monopd 0.9.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via a string containing a large number of characters that are escaped when Monopd produces XML output. 19133 http://aluigi.altervista.org/adv/monopdx-adv.txt ADV-2006-0844 16981 http://www.robertjohnkaper.com/downloads/atlantik/monopd-0.9.3-dosfix.diff monopd-string-dos(25161) Unspecified vulnerability in the "Remember Me login functionality" in Joomla! 1.0.7 and earlier has unknown impact and attack vectors. http://www.joomla.org/content/view/938/78/ Joomla! 1.0.7 and earlier allows attackers to bypass intended access restrictions and gain certain privileges via certain attack vectors related to the (1) Weblink, (2) Polls, (3) Newsfeeds, (4) Weblinks, (5) Content, (6) Content Section, (7) Content Category, (8) Contact items, or (9) Contact Search, (10) Content Search, (11) Newsfeed Search, or (12) Weblink Search. This vulnerability affects Joomla! versions 1.0.7 and previous. joomla-multiple-bypass-security(25033) http://www.joomla.org/content/view/938/78/ 19105 ADV-2006-0818 23822 Multiple SQL injection vulnerabilities in the Admin functionality in Joomla! 1.0.7 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via unknown attack vectors. 19105 ADV-2006-0818 23819 http://www.joomla.org/content/view/938/78/ ** DISPUTED ** Kwik-Pay Payroll 4.2.20, and possibly other versions, stores the KwikPay.mdb database file with insecure permissions, which allows local users to obtain sensitive information such as employment and payment data. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this vulnerability, stating that "The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. When a user payroll database is opened, the encryption of the database is checked and if the database is not encrypted, the user is prompted to encrypt the database, but the choice is the customers." kwikpay-payroll-insecure-permissions(25114) 23617 19075 SQL injection vulnerability in Akarru Social BookMarking Engine before 0.4.3.4 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors, possibly involving the username parameter to akarru.lib/users.php. 16989 19112 ADV-2006-0841 http://sourceforge.net/project/shownotes.php?release_id=398713&group_id=155783 akarru-users-sql-injection(25115) The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process. 17830 19955 [selinux] 20060313 [SECURITY] SELinux ptrace bug (CVE-2006-1052) USN-281-1 http://selinuxnews.org/wp/index.php/2006/03/13/security-ptrace-bug-cve-2006-1052/ oval:org.mitre.oval:def:10102 [git-commits-head] 20060311 [PATCH] selinux: tracer SID fix RHSA-2006:0575 25232 MDKSA-2006:086 DSA-1184 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 22093 21465 20157 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1861. Reason: This candidate is a reservation duplicate of CVE-2006-1861. Notes: All CVE users should reference CVE-2006-1861 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 up to versions before 2.6.17-rc1 does not zero terminate a buffer when a length of PAGE_SIZE or more is requested, which might allow local users to cause a denial of service (crash) by causing an out-of-bounds read. http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6e0dd741a89be35defa05bd79f4211c5a2762825;hp=597a7679dd83691be2f3a53e1f3f915b4a7f6eba http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6e0dd741a89be35defa05bd79f4211c5a2762825 ADV-2006-1475 ADV-2006-1273 linux-fillwritebuffer-dos(25693) USN-281-1 USN-302-1 2006-0020 17402 24443 SUSE-SA:2006:028 20716 20398 19955 19735 19495 FEDORA-2006-423 The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processers in a security-relevant fashion that was not addressed by the kernels. Upgrade to Linux Kernel version 2.6.16.9 : http://www.kernel.org/ 17600 19724 19715 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187911 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187910 amd-fpu-information-disclosure(25871) ADV-2006-4502 ADV-2006-4353 ADV-2006-2554 ADV-2006-1475 ADV-2006-1426 http://www.vmware.com/download/esx/esx-254-200610-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html USN-302-1 20061113 VMSA-2006-0009 - VMware ESX Server 3.0.0 AMD fxsave/restore issue 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 RHSA-2006:0579 RHSA-2006:0575 RHSA-2006:0437 24807 24746 SUSE-SA:2006:028 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm 1015966 http://security.freebsd.org/advisories/FreeBSD-SA-06:14-amd.txt 22876 22875 22417 21983 21465 21136 21035 20914 20716 20671 20398 19735 oval:org.mitre.oval:def:9995 [linux-kernel] 20060419 RE: Linux 2.6.16.9 FEDORA-2006-423 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.9 http://kb.vmware.com/kb/2533126 FreeBSD-SA-06:14 Race condition in daemon/slave.c in gdm before 2.14.1 allows local users to gain privileges via a symlink attack when gdm performs chown and chgrp operations on the .ICEauthority file. FEDORA-2006-338 DSA-1040 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188303 gdm-slavec-symlink(26092) ADV-2006-1465 USN-278-1 17635 RHSA-2007:0286 MDKSA-2006:083 oval:org.mitre.oval:def:10092 http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?r1=1.260&r2=1.261 BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. busybox-passwd-weak-security(25569) 17330 19477 oval:org.mitre.oval:def:9483 http://bugs.busybox.net/view.php?id=604 RHSA-2007:0244 http://support.avaya.com/elmodocs2/security/ASA-2007-250.htm 25848 25098 The winbindd daemon in Samba 3.0.21 to 3.0.21c writes the machine trust account password in cleartext in log files, which allows local users to obtain the password and spoof the server in the domain. 20060330 [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account credentials in winbindd log files http://us1.samba.org/samba/security/CAN-2006-1059.html 19455 samba-logfile-account-cleartext(25575) ADV-2006-1179 2006-0018 17314 FEDORA-2006-259 24263 1015850 19539 19468 Heap-based buffer overflow in zgv before 5.8 and xzgv before 0.8 might allow user-assisted attackers to execute arbitrary code via a JPEG image with more than 3 output components, such as a CMYK or YCCK color space, which causes less memory to be allocated than required. 19779 19757 xzgv-jpeg-bo(25718) ADV-2006-1288 17409 SUSE-SR:2006:008 DSA-1038 DSA-1037 756 19790 19731 19572 19571 Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. Update to version 7.15.3. 19271 ADV-2006-1008 http://curl.haxx.se/docs/adv_20060320.html curl-tftp-bo(25318) 2006-0016 17154 FEDORA-2006-189 23982 GLSA-200603-19 19371 19344 19335 20060320 [SSAG#001] :: cURL tftp:// URL Buffer Overflow Unspecified vulnerability in lurker.cgi for Lurker 2.0 and earlier allows attackers to read arbitrary files via unknown vectors. This vulnerability affects all versions of Lurker from 0.1a through 0.2 http://sourceforge.net/project/shownotes.php?release_id=399034&group_id=8168 19136 ADV-2006-0850 [Lurker-users] 20060302 Serious security vulnerabilities found lurker-lurker-information-disclosure(25149) 17003 23694 DSA-999 19145 Unspecified vulnerability in Lurker 2.0 and earlier allows remote attackers to create or overwrite files in any writable directory that is named "mbox". This vulnarability affects all verions of Lurker from 0.1a through 0.2 http://sourceforge.net/project/shownotes.php?release_id=399034&group_id=8168 19136 ADV-2006-0850 [Lurker-users] 20060302 Serious security vulnerabilities found lurker-mbox-error(25153) 17003 23695 DSA-999 19145 Multiple cross-site scripting (XSS) vulnerabilities in Lurker 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. This vulnerability affects all verions of Lurker from 0.1a through 2.0 http://sourceforge.net/project/shownotes.php?release_id=399034&group_id=8168 19136 ADV-2006-0850 [Lurker-users] 20060302 Serious security vulnerabilities found lurker-unspecified-xss(25154) 17003 23696 DSA-999 19145 SQL injection vulnerability in search.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to execute arbitrary SQL commands via the forums[] parameter. mybb-search-sql-injection(25018) 20060302 MyBB 1.0.4 New SQL Injection 19061 Linux kernel 2.6.16-rc2 and earlier, when running on x86_64 systems with preemption enabled, allows local users to cause a denial of service (oops) via multiple ptrace tasks that perform single steps, which can cause corruption of the DEBUG_STACK stack during the do_debug function call. 17216 24098 19374 DSA-1017 [linux-kernel] 20060207 [PATCH] arch/x86_64/kernel/traps.c PTRACE_SINGLESTEP oops USN-281-1 MDKSA-2006:151 21614 19955 Linksys WRT54G routers version 5 (running VXWorks) allow remote attackers to cause a denial of service by sending a malformed DCC SEND string to an IRC channel, which causes an IRC connection reset, possibly related to the masquerading code for NAT environments, and as demonstrated via (1) a DCC SEND with a single long argument, or (2) a DCC SEND with IP, port, and filesize arguments with a 0 value. 20060306 RE: linksys router + irc DoS 20060303 linksys router + irc DoS 20060304 Various router DoS 20060306 Re: linksys router + irc DoS http://www.hm2k.org/news/1141413208.html multiple-vendor-dccsend-dos(25230) 16954 Netgear 614 and 624 routers, possibly running VXWorks, allow remote attackers to cause a denial of service by sending a malformed DCC SEND string to an IRC channel, which causes an IRC connection reset, possibly related to the masquerading code for NAT environments, and as demonstrated via (1) a DCC SEND with a single long argument, or (2) a DCC SEND with IP, port, and filesize arguments with a 0 value. This vulnerability may affects NetGear Router models 614 and 624 (including WGR614, WGT624, WGT624SC, WGU624, and possibly others) and is most likely related to VXWorks. 20060306 RE: linksys router + irc DoS 20060303 linksys router + irc DoS 20060304 Various router DoS 20060306 Re: linksys router + irc DoS http://www.hm2k.org/news/1141413208.html multiple-vendor-dccsend-dos(25230) 16954 Unspecified vulnerability in the session handling for Geeklog 1.4.x before 1.4.0sr2, 1.3.11 before 1.3.11sr5, 1.3.9 before 1.3.9sr5, and possibly earlier versions allows attackers to gain privileges as arbitrary users via unknown vectors. http://www.geeklog.net/article.php/geeklog-1.4.0sr2 ADV-2006-0851 17010 Cross-site scripting (XSS) vulnerability in dv_gbook.php in DVguestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via the f parameter. ADV-2006-0842 16968 19098 http://biyosecurity.be/bugs/dvguestbook.txt dvguestbook-index-dvgbook-xss(25049) 20060309 DVguestbook 1.0 And 1.2.2 Cross Site Scripting Cross-site scripting (XSS) vulnerability in index.php in DVguestbook 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the page parameter. ADV-2006-0843 16968 http://biyosecurity.be/bugs/dvguestbook.txt dvguestbook-index-dvgbook-xss(25049) 20060309 DVguestbook 1.0 And 1.2.2 Cross Site Scripting 19099 Cross-site scripting (XSS) vulnerability in Daverave Simplog 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via a blog post. 16965 20060304 Simplog <= 1.0.2 Vulnerabilities http://notlegal.ws/simplogsploit.txt simplog-post-xss(25066) Directory traversal vulnerability in index.php in Daverave Simplog 1.0.2 and earlier allows remote attackers to include or read arbitrary .txt files via the (1) act and (2) blogid parameters. ADV-2006-0839 16965 20060304 Simplog <= 1.0.2 Vulnerabilities 19115 http://notlegal.ws/simplogsploit.txt simplog-index-traverse-directories(25067) 542 Jason Boettcher Liero Xtreme 0.62b and earlier allow remote attackers to cause a denial of service (application crash or hang) via a long argument to the connect command. ADV-2006-0849 20060306 Multiple vulnerabilities in Liero Xtreme 0.62b http://aluigi.altervista.org/adv/lieroxxx-adv.txt liero-connect-dos(25185) 16992 19079 Format string vulnerability in the visualization function in Jason Boettcher Liero Xtreme 0.62b and earlier allows remote attackers to execute arbitrary code via format string specifiers in (1) a nickname, (2) a dedicated server name, or (3) a mapname in a level (aka .lxl) file. ADV-2006-0849 20060306 Multiple vulnerabilities in Liero Xtreme 0.62b http://aluigi.altervista.org/adv/lieroxxx-adv.txt liero-visualization-format-string(25187) 16990 549 19079 SQL injection vulnerability in index.php, possibly during a showtopic operation, in Invision Power Board (IPB) 2.1.5 allows remote attackers to execute arbitrary SQL commands via the st parameter. 16971 20060306 SQL injection in Invision Power Board v2.1.5 invision-index-sql-injection(25254) 20060405 Re: SQL injection in Invision Power Board v2.1.5 Multiple cross-site scripting (XSS) vulnerabilities in the commentary in Evo-Dev evoBlog allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter and (2) other unspecified parameters. 16983 20060306 evoBlog Remote Name tag Script injection 20060423 Re: evoBlog Remote Name tag Script injection 23826 544 Multiple buffer overflows in htpasswd, as used in Acme thttpd 2.25b, and possibly other products such as Apache, might allow local users to gain privileges via (1) a long command line argument and (2) a long line in a file. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included. 16972 20060305 htpasswd bufferoverflow and command execution in thttpd-2.25b. [thttpd] 20060305 Re: htpasswd.c security issues [thttpd] 20060305 htpasswd.c security issues apache-htpasswd-strcpy-bo(31236) thttpd-command-file-bo(25216) 20041029 Apache 1.3.33 local buffer overflow in apache 1.3.31 not fixed in .33? 20041029 Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? 20070102 Apache 1.3.37 htpasswd buffer overflow vulnerability http://issues.apache.org/bugzilla/show_bug.cgi?id=41279 http://issues.apache.org/bugzilla/show_bug.cgi?id=31975 20040916 FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advsory. htpasswd, as used in Acme thttpd 2.25b and possibly other products such as Apache, might allow local users to gain privileges via shell metacharacters in a command line argument, which is used in a call to the system function. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included. 16972 20060305 htpasswd bufferoverflow and command execution in thttpd-2.25b. 23828 [thttpd] 20060305 Re: htpasswd.c security issues [thttpd] 20060305 htpasswd.c security issues thttpd-command-line-bo(25217) Cross-site scripting (XSS) vulnerability in login.php in Game-Panel 2.6.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the message parameter, possibly requiring a URL encoded value. ADV-2006-0864 16979 20060304 Game-Panel <= 2.1.6 XSS http://notlegal.ws/gamepanel.txt gamepanel-login-xss(25144) 19143 SQL injection vulnerability in forgotten_password.php in Jonathan Beckett PluggedOut Nexus 0.1 allows remote attackers to execute arbitrary SQL commands via the email parameter. nexus-forgottenpassword-sql-injection(25017) ADV-2006-0809 20060302 PluggedOut Nexus SQL injection 19089 http://hamid.ir/security/nexus.txt 16915 1015715 536 Multiple cross-site scripting (XSS) vulnerabilities in phpArcadeScript 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the gamename parameter in tellafriend.php, (2) the login_status parameter in loginbox.php, (3) the submissionstatus parameter in index.php, the (4) cell_title_background_color and (5) browse_cat_name parameters in browse.php, the (6) gamefile parameter in displaygame.php, and (7) possibly other parameters in unspecified PHP scripts. ADV-2006-0821 16957 20060304 phpArcadeScript XSS Injections 19124 533 Multiple directory traversal vulnerabilities in PHP-Stats 0.1.9.1 and earlier allow remote attackers to read and possibly execute arbitrary files via a .. (dot dot) in the (1) option[language] and (2) option[template] parameters, and (3) possibly other parameters, to (a) admin.php and (b) other unspecified scripts. NOTE: the admin.php/option[language] vector can be used by remote unauthenticated attackers to include arbitrary files in conjunction with CVE-2006-1085. ADV-2006-0822 16963 20060304 PHP-Stats <= 0.1.9.1 remote commands execution http://www.phpstats.net/forum/viewtopic.php?t=140 19116 http://retrogod.altervista.org/php_stats_0191_adv.html 20060327 Re: PHP-Stats <= 0.1.9.1 remote commands execution 20060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution Multiple SQL injection vulnerabilities in PHP-Stats 0.1.9.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the option[prefix] parameter in admin.php and other unspecified PHP scripts, and (2) the PC_REMOTE_ADDR HTTP header to click.php. ADV-2006-0822 16963 20060304 PHP-Stats <= 0.1.9.1 remote commands execution http://www.phpstats.net/forum/viewtopic.php?t=140 19116 http://retrogod.altervista.org/php_stats_0191_adv.html 20060327 Re: PHP-Stats <= 0.1.9.1 remote commands execution 20060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution admin.php in PHP-Stats 0.1.9.1 and earlier allows remote attackers to bypass authentication, gain administrator privileges, and execute arbitrary PHP code by modifying the option[admin_pass] parameter and setting the pass_cookie to the MD5 hash of the specified password. ADV-2006-0822 16963 20060304 PHP-Stats <= 0.1.9.1 remote commands execution http://www.phpstats.net/forum/viewtopic.php?t=140 19116 http://retrogod.altervista.org/php_stats_0191_adv.html 20060327 Re: PHP-Stats <= 0.1.9.1 remote commands execution 20060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1083. Reason: This candidate is a duplicate of CVE-2006-1083. Notes: All CVE users should reference CVE-2006-1083 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Direct static code injection vulnerability in the modify_config action in admin.php for PHP-Stats 0.1.9.1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the option_new[compatibility_mode] parameter, which is not filtered before being stored in config.php. NOTE: this vulnerability can be exploited by remote unauthenticated attackers in conjunction with the option[admin_pass] authentication bypass vulnerability. ADV-2006-0822 16963 20060304 PHP-Stats <= 0.1.9.1 remote commands execution http://www.phpstats.net/forum/viewtopic.php?t=140 19116 http://retrogod.altervista.org/php_stats_0191_adv.html 20060327 Re: PHP-Stats <= 0.1.9.1 remote commands execution 20060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution PHP-Stats 0.1.9.1 and earlier allows remote attackers to obtain potentially sensitive information via a direct request to checktables.php, which lists the database table_prefix. ADV-2006-0822 16963 20060304 PHP-Stats <= 0.1.9.1 remote commands execution http://www.phpstats.net/forum/viewtopic.php?t=140 19116 http://retrogod.altervista.org/php_stats_0191_adv.html 20060327 Re: PHP-Stats <= 0.1.9.1 remote commands execution 20060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution Cross-site scripting (XSS) vulnerability in header.php in PunBB 1.2.10 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly handled when the PHP_SELF variable is used to handle a pun_page tag. http://www.punbb.org/download/patch/punbb-1.2.10_to_1.2.11.patch 19039 ADV-2006-0773 http://www.punbb.org/changelogs/1.2.10_to_1.2.11.txt punbb-header-xss(24982) 16891 register.php in PunBB 1.2.10 allows remote attackers to cause an unspecified denial of service via a flood of new user registrations. This vulnerability affects PunBB version 1.2.10, and may affect all previous versions. http://www.punbb.org/download/patch/punbb-1.2.10_to_1.2.11.patch ADV-2006-0773 http://www.punbb.org/changelogs/1.2.10_to_1.2.11.txt punbb-register-ip-dos(24837) Kaspersky Antivirus 5.0.5 and 5.5.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via unknown attack vectors. 16942 20060303 Kaspersky Memory/CPU Usage Leak by design kaspersky-unspecified-dos(25221) 535 Unspecified vulnerability in the pagedata subsystem of the process file system (/proc) in Solaris 8 through 10 allows local users to cause a denial of service (system hang or panic) via unknown attack vectors that cause cause the kmem_oversize arena to allocate a large amount of system memory that does not get freed. This vulnerability affects all versions of Sun, Solaris 8.x through 10.x ADV-2006-0829 102159 solaris-proc-pagedata-dos(25152) 16966 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 1015723 19716 19128 oval:org.mitre.oval:def:1618 Unspecified vulnerability in IBM WebSphere 5.0.2.10 through 5.0.2.15 and 5.1.1.4 through 5.1.1.9 allows remote attackers to obtain sensitive information via unknown attack vectors, which causes JSP source code to be revealed. ADV-2006-0788 1015716 16908 SQL injection vulnerability in Datenbank MOD 2.7 and earlier for Woltlab Burning Board allows remote attackers to execute arbitrary SQL commands via the fileid parameter to (1) info_db.php or (2) database.php. 16914 20060301 Woltlab Burning Board 2.x (Datenbank MOD fileid) MultipleVulnerabilities http://www.nukedx.com/?viewdoc=17 23810 23808 Directory traversal vulnerability in the FileSession object in Mod_python module 3.2.7 for Apache allows local users to execute arbitrary code via a crafted session cookie. 16916 http://www.cgisecurity.com/2006/02/07 1015764 19239 modpython-filesession-command-execution(24965) ADV-2006-0768 http://www.modpython.org/fs_sec_warn.html http://svn.apache.org/viewcvs.cgi/httpd/mod_python/branches/3.2.x/NEWS?rev=378945 ** DISPUTED ** Cross-site scripting (XSS) vulnerability in index.php in NZ Ecommerce allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor has disputed this issue in a comment on the researcher's blog, but research by CVE suggests that this might be a legitimate problem. This vulnerability most likely affects all versions of Digital Builder, NZ Ecommerce. ADV-2006-0803 16931 23600 19088 http://pridels0.blogspot.com/2006/03/nz-ecommerce-sqlxss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in Datenbank MOD 2.7 and earlier for Woltlab Burning Board allow remote attackers to inject arbitrary web script or HTML via the fileid parameter to (1) info_db.php or (2) database.php. This vulnerability may only affect Datenbank MOD 2.7 and earlier versions in a Woltlab Burning Board environment. 20060301 Woltlab Burning Board 2.x (Datenbank MOD fileid) MultipleVulnerabilities http://www.nukedx.com/?viewdoc=17 wbb-multiple-xss(25004) 23811 23809 20060301 Woltlab Burning Board 2.x (Datenbank MOD fileid) MultipleVulnerabilities ** DISPUTED ** Multiple SQL injection vulnerabilities in NZ Ecommerce allow remote attackers execute arbitrary SQL commands via the (1) informationID or (2) ParentCategory parameter to index.php. NOTE: the vendor has disputed this issue in a comment on the researcher's blog, but research by CVE suggests that this might be a legitimate problem. ADV-2006-0803 16931 23601 19088 http://pridels0.blogspot.com/2006/03/nz-ecommerce-sqlxss-vuln.html PHP remote file include vulnerability in logIT 1.3 and 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the pg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 16932 Buffer overflow in the sgetstr function in shared/cube.h in Sauerbraten 2006_02_28 and earlier, as derived from the Cube engine, allows remote attackers to execute arbitrary code via long streams of input data. sauerbraten-sgetstr-bo(25083) ADV-2006-0848 ADV-2006-0847 16986 20060306 Multiple vulnerabilities in Cube engine 2005_08_29 20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_28 19111 19110 http://cvs.sourceforge.net/viewcvs.py/sauerbraten/sauerbraten/src/shared/cube.h?r1=1.7&r2=1.8 http://aluigi.altervista.org/adv/evilcube-adv.txt GLSA-200603-10 19199 The (1) sgetstr and (2) getint functions in Sauerbraten 2006_02_28, as derived from the Cube engine, allow remote attackers to cause a denial of service (segmentation fault) via long streams of input data that trigger an out-of-bounds read, as demonstrated using SV_EXT tag data in the Cube engine, which is not properly handled by getint. sauerbraten-multiple-dos(25085) ADV-2006-0848 ADV-2006-0847 16986 20060306 Multiple vulnerabilities in Cube engine 2005_08_29 20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_28 19111 19110 http://aluigi.altervista.org/adv/evilcube-adv.txt GLSA-200603-10 19199 Sauerbraten 2006_02_28, as derived from the Cube engine, allows remote attackers to cause a denial of service (client exit) by forcing the server to change to a map (ogz) file whose name contains ".." sequences and has a certain length that prevents the addition of the ".ogz" extension. ADV-2006-0848 ADV-2006-0847 16986 20060306 Multiple vulnerabilities in Cube engine 2005_08_29 20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_28 19111 19110 http://aluigi.altervista.org/adv/evilcube-adv.txt sauerbraten-sprintf-dos(25086) GLSA-200603-10 548 19199 engine/server.cpp in Sauerbraten 2006_02_28, as derived from the Cube engine, allows remote attackers to cause a denial of service (segmentation fault) via a client that does not completely join the game and times out, which results in a null pointer dereference. sauerbraten-engineserver-dos(25087) ADV-2006-0848 16986 20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_28 550 Multiple SQL injection vulnerabilities in Pixelpost 1.5 beta 1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the showimage parameter in index.php; and the (2) USER_AGENT, (3) HTTP_REFERER, and (4) HTTP_HOST HTTP header fields as used in the book_vistor function in includes/functions.php. NOTE: the vendor has disputed some issues from the original disclosure, but due to the vagueness of the dispute, it is not clear whether the vendor is disputing this particular issue. These vulnerabilities may affect all versions of Pixelpost. pixelpost-functions-sql-injection(25046) pixelpost-index-sql-injection(25044) ADV-2006-0823 16964 20060304 Pixel Post Multiple Vulnerabilities http://www.neosecurityteam.net/index.php?action=advisories&id=19 http://forum.pixelpost.org/showthread.php?t=3535 Pixelpost 1.5 beta 1 and earlier allows remote attackers to obtain configuration information via a direct request to includes/phpinfo.php, which calls the phpinfo function. NOTE: the vendor has disputed some issues from the original disclosure, but due to the vagueness of the dispute, it is not clear whether the vendor is disputing this particular issue. This vulnerability may affect all versions of Pixelpost. pixelpost-phpinfo-obtain-information(25048) ADV-2006-0823 16964 20060304 Pixel Post Multiple Vulnerabilities http://www.neosecurityteam.net/index.php?action=advisories&id=19 http://forum.pixelpost.org/showthread.php?t=3535 Cross-site scripting (XSS) vulnerability in Pixelpost 1.5 beta 1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) message, (2) name, (3) url, and (4) email parameters when commenting on a post. NOTE: the vendor has disputed some issues from the original disclosure, but due to the vagueness of the dispute, it is not clear whether the vendor is disputing this particular issue. pixelpost-functions-xss(25047) ADV-2006-0823 16964 20060304 Pixel Post Multiple Vulnerabilities http://www.neosecurityteam.net/index.php?action=advisories&id=19 http://forum.pixelpost.org/showthread.php?t=3535 Cross-site scripting (XSS) vulnerability in news.php in NMDeluxe before 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the nick parameter. This vulnerability affects NMDeluxe versions 1.0 and previous. nmdeluxe-news-xss(25069) 19117 http://nmdeluxe.com/index.php http://evuln.com/vulns/93/summary.html ADV-2006-0860 17017 20060317 [eVuln] NMDeluxe XSS & SQL Injection Vulnerabilities 595 SQL injection vulnerability in news.php in NMDeluxe before 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. This vulnerability affcts NMDeluxe versions 1.0 and previous. nmdeluxe-news-sql-injection(25070) 19117 http://nmdeluxe.com/index.php http://evuln.com/vulns/93/summary.html ADV-2006-0860 17017 20060317 [eVuln] NMDeluxe XSS & SQL Injection Vulnerabilities 595 SQL injection vulnerability in index.asp in Total Ecommerce 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: it is not clear whether this report is associated with a specific product. If not, then it should not be included in CVE. totalecommerce-index-sql-injection(25045) ADV-2006-0840 16960 20060304 Advisory: TotalECommerce (index.asp id) Remote SQL InjectionVulnerability. http://www.nukedx.com/?viewdoc=18 19103 530 Cross-site scripting (XSS) vulnerability in Aztek Forum 4.0 allows remote attackers to inject arbitrary web script or HTML via the message body in a new message. 16938 20060302 AZTEK forums 4.0 multiple vulnerabilities (PoC) 23610 19096 aztekforum-multiple-xss(25035) 1547 Aztek Forum 4.0 allows remote attackers to obtain sensitive information via a "*/*" in the msg parameter to index.php, which reveals usernames and passwords in a MySQL error message, possibly due to a forced SQL error or SQL injection. 16938 20060302 AZTEK forums 4.0 multiple vulnerabilities (PoC) 23611 aztekforum-info-disclosure(25036) 1547 Aztek Forum 4.0 allows remote attackers to obtain sensitive information via a long login value in a register form, which displays the installation path in a MySQL error message. 16938 20060302 AZTEK forums 4.0 multiple vulnerabilities (PoC) 23612 539 1547 SQL injection vulnerability in podcast.php in Loudblog before 0.42 allows remote attackers to execute arbitrary SQL commands via the id parameter. This vulnerability affects Loudblog versions 0.41 and previous. 19172 ADV-2006-0878 17023 20060307 Loudblog 0.41 SQL Injection, Local file read/include http://loudblog.de/forum/viewtopic.php?id=590 loudblog-podcast-sql-injection(25101) Multiple directory traversal vulnerabilities in Loudblog before 0.42 allow remote attackers to read or include arbitrary files via a .. (dot dot) and trailing %00 (NULL) byte in the (1) template and (2) page parameters in (a) index.php, and the (3) language parameter in (b) inc/backend_settings.php. This vulnerability affects Loudblog versions 0.41 and previous. 19172 ADV-2006-0878 17023 20060307 Loudblog 0.41 SQL Injection, Local file read/include http://loudblog.de/forum/viewtopic.php?id=590 loudblog-index-directory-traversal(25103) nCipher HSM before 2.22.6, when generating a Diffie-Hellman public/private key pair without any specified DiscreteLogGroup parameters, chooses random parameters that could allow an attacker to crack the private key in significantly less time than a brute force attack. ncipher-hsm-weak-key(25060) 17006 http://www.ncipher.com/resources/95/sa12_insecure_generation_of_diffiehellman_keys 1015719 19137 ADV-2006-0862 20060308 nCipher Advisory #12: Insecure Generation of Diffie-Hellman keys The CBC-MAC integrity functions in the nCipher nCore API before 2.18 transmit the initialization vector IV as part of a message when the implementation uses a non-zero IV, which allows remote attackers to bypass integrity checks and modify messages without being detected. 17011 http://www.ncipher.com/resources/96/sa13_cbcmac_iv_misleading_programming_interface 1015718 19137 ADV-2006-0862 ncipher-ncore-bypass-security(25062) 20060308 nCipher Advisory #13: CBC-MAC IV misleading programming interface nCipher firmware before V10, as used by (1) nShield, (2) nForce, (3) netHSM, (4) payShield, (5) SecureDB, (6) DSE200 Document Sealing Engine, (7) Time Source Master Clock (TSMC), and possibly other products, contains certain options that were only intended for testing and not production, which might allow remote attackers to obtain information about encryption keys and crack those keys with less effort than brute force. 17012 http://www.ncipher.com/resources/97/sa14_presence_of_flaws_in_firmware_security 1015718 19137 ADV-2006-0862 ncipher-firmware-weak-security(25063) 20060309 nCipher Advisory #14: Presence of flaws in firmware security SQL injection vulnerability in bmail before Aardvark PR9.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving GBK character sets. bmail-gbkcharacterset-sql-injection(25073) http://sourceforge.net/project/shownotes.php?group_id=144412&release_id=399256 19147 ADV-2006-0863 fantastico in Cpanel does not properly handle when it has insufficient permissions to perform certain file operations, which allows remote authenticated users to obtain the full pathname, which is leaked in a PHP error message. cpanel-fantastico-path-disclosure(25277) 20060307 Cpanel Path Disclosure Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q parameters for calendar.php are already subsumed by CVE-2004-2511. 20060309 DCP Portal: Multiple XSS Vulnerabilities http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt dcpportal-multiple-scripts-xss(25279) 17050 23981 23980 23979 23978 23977 23976 392 Cross-site scripting (XSS) vulnerability in CuteNews 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the query string to index.php. 16961 20060304 [KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability 1015726 http://kapda.ir/advisory-277.html cutenews-index-script-xss(25052) 531 Cross-site scripting (XSS) vulnerability in Default.asp in D2KBlog 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. d2kblog-default-msg-xss(25214) ADV-2006-0896 17035 20060308 [KAPDA::#32] - d2kBlog 1.0.3 Multiple Vulnerabilities 23771 19177 559 SQL injection vulnerability in D2KBlog 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the memName parameter in a cookie. ADV-2006-0896 20060308 [KAPDA::#32] - d2kBlog 1.0.3 Multiple Vulnerabilities 19177 d2kblog-memname-sql-injection(25215) 17035 23770 559 Buffer overflow in RevilloC MailServer and Proxy 1.21 allows remote attackers to execute arbitrary code via a long USER command. revilloc-user-bo(25072) ADV-2006-0867 16997 20060309 RevilloC MailServer 1.x "USER" Command Handling Remote Buffer Overflow Exploit 23735 http://www.morx.org/rev.txt 1015739 19119 20060307 RevilloC mail server USER command heap overflow Grisoft AVG Free 7.1, and other versions including 7.0.308, sets Everyone/Full Control permissions for certain update files including (1) upd_vers.cfg, (2) incavi.avm, and (3) unspecified drivers, which might allow local users to gain privileges. 16952 19118 ADV-2006-0845 http://www.dslreports.com/forum/remark,15601404 1015728 avg-update-gain-privilieges(25139) 20060303 AVG 7 granting Everyone Full Control to updated files... even its drivers Gallery 2 up to 2.0.2 allows remote attackers to spoof their IP address via a modified X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is checked by Gallery before other more reliable sources of IP address information, such as REMOTE_ADDR. http://www.gulftech.org/?node=research&article_id=00106-03022006 1015717 19104 20060303 Gallery 2 Multiple Vulnerabilities ADV-2006-0813 gallery-header-spoofing(25120) http://gallery.menalto.com/gallery_2.0.3_released Cross-site scripting (XSS) vulnerability in Gallery 2 up to 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is not properly handled when adding a comment to an album. 16940 1015717 19104 ADV-2006-0813 23596 http://www.gulftech.org/?node=research&article_id=00106-03022006 20060303 Gallery 2 Multiple Vulnerabilities gallery-getremotehostaddress-xss(25117) http://gallery.menalto.com/gallery_2.0.3_released Directory traversal vulnerability in the session handling class (GallerySession.class) in Gallery 2 up to 2.0.2 allows remote attackers to access and delete files by specifying the session in a cookie, which is used in constructing file paths before the session value is sanitized. 1015717 19104 ADV-2006-0813 23597 http://www.gulftech.org/?node=research&article_id=00106-03022006 20060303 Gallery 2 Multiple Vulnerabilities gallery-sessionid-bypass-security(25118) 16948 http://gallery.menalto.com/gallery_2.0.3_released SQL injection vulnerability in config.php in EKINboard 1.0.3 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username cookie. 16861 http://www.ekinboard.com/patch_for_1.0.3.txt 19045 http://evuln.com/vulns/88/summary.html ekinboard-config-sql-injection(24922) ADV-2006-0758 23547 http://www.ekinboard.com/forums/v1/viewtopic.php?id=469 20060308 [eVuln] EKINboard 'img' BBCode XSS & Cookie 'username' SQL Injection Vulnerabilities Cross-site scripting (XSS) vulnerability in EKINboard 1.0.3 allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in a BBCode img tag. 16861 http://www.ekinboard.com/patch_for_1.0.3.txt http://www.ekinboard.com/forums/v1/viewtopic.php?id=469 19045 http://evuln.com/vulns/88/summary.html ekinboard-bbcode-xss(24921) ADV-2006-0758 23546 20060308 [eVuln] EKINboard 'img' BBCode XSS & Cookie 'username' SQL Injection Vulnerabilities 558 Cross-site scripting (XSS) vulnerability in read.php in bitweaver CMS 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the comment_title parameter. ADV-2006-0837 19101 http://kiki91.altervista.org/exploit/bitweaver_1.2.1_XSS.txt bitweaver-titlefield-xss(25053) 16973 SQL injection vulnerability in show.php in vbzoom 1.11 allow remote attackers to execute arbitrary SQL commands via the MainID parameter. NOTE: the SubjectID vector is already covered by CVE-2005-4729. 16955 20060306 SQL injection & XSS IN vbzoom v1.11 552 Multiple cross-site scripting (XSS) vulnerabilities in vbzoom 1.11 allow remote attackers to inject arbitrary web script or HTML via the UserID parameter to (1) comment.php or (2) contact.php. NOTE: the profile.php/UserName vector is already covered by CVE-2005-2441. 20060306 SQL injection & XSS IN vbzoom v1.11 vbzoom-comment-contact-xss(25090) 16969 16956 23813 23812 552 SQL injection vulnerability in CyBoards PHP Lite 1.25, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the parent parameter to (1) post.php and possibly (2) process_post.php. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. ADV-2006-0820 17107 20060314 [eVuln] CyBoards PHP Lite SQL Injection Vulnerability 23692 http://www.gold-sonata.com/forums/read.php?board=1&id=17271 19135 http://evuln.com/vulns/91/description.html cyboards-processpost-sql-injection(25061) 16987 582 Multiple cross-site scripting (XSS) vulnerabilities in sBlog 0.7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to search.php or (2) username parameter to comments_do.php. ADV-2006-0883 19151 http://kiki91.altervista.org/exploit/sBlog_0.72_xss.txt sblog-username-xss(25111) 17044 23760 23759 Buffer overflow in the PostScript file interpreter code for Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows attackers to cause a denial of service via unknown vectors. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_002.pdf ADV-2006-0857 23724 1015738 19146 xerox-postscript-interpreter-dos(25172) 17014 Multiple unspecified vulnerabilities in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allow remote attackers to cause an unspecified denial of service via a crafted PostScript file that will (1) "navigate through the directory" or (2) a "file sent to expose TCP/IP ports". http://www.xerox.com/downloads/usa/en/c/cert_XRX06_002.pdf ADV-2006-0857 23726 23725 1015738 19146 xerox-postscript-tcpip-dos(25174) xerox-postscript-navigate-dos(25173) 17014 Unspecified vulnerability in the web server code in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows remote attackers to cause a denial of service (memory corruption) via unknown vectors. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_002.pdf ADV-2006-0857 23727 1015738 19146 xerox-web-corruption-dos(25175) 17014 Unspecified vulnerability in the ESS/ Network Controller in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, causes the Immediate Image Overwrite feature to fail after a power loss, which could leave data exposed to attack. http://www.xerox.com/downloads/usa/en/c/cert_XRX06_002.pdf ADV-2006-0857 23728 1015738 19146 xerox-image-overwrite-dos(25176) SQL injection vulnerability in rss.php in RedBLoG 0.5 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. http://www.x128.net/redblog-05-remote-sql-injection.txt ADV-2006-0894 19181 redblog-catid-sql-injection(25122) 17041 Buffer overflow in qmailadmin.c in QmailAdmin before 1.2.10 allows remote attackers to execute arbitrary code via a long PATH_INFO environment variable. qmialadmin-qmailadmin-bo(25065) 16994 http://sourceforge.net/project/shownotes.php?group_id=6691&release_id=395211 ADV-2006-0852 http://cvs.sourceforge.net/viewcvs.py/qmailadmin/qmailadmin/qmailadmin.c?r1=1.6.2.10&r2=1.6.2.11 23705 GLSA-200611-15 23019 19262 Unspecified vulnerability in Ravenous Web Server before 0.7.1 allows remote attackers to access arbitrary rvplg files, with unknown impact. http://sourceforge.net/project/shownotes.php?group_id=131871&release_id=399092 ADV-2006-0859 ravenous-rvplg-unauth-access(25191) 17013 23706 Cross-site scripting (XSS) vulnerability in FTPoed Blog Engine 1.1 allows remote attackers to inject arbitrary web script or HTML via the comment_body parameter, as used by the comment field, when posting a comment. 20060305 FTPoed Blog Engine =>v1.1 HTML Injection Vulnerability 1015725 ftpoed-comment-xss(25138) Cross-site scripting (XSS) vulnerability in HitHost 1.0.0 allows remote attackers to inject arbitrary web script or HTML via (1) the user parameter in deleteuser.php and (2) the hits parameter in viewuser.php. ADV-2006-0886 20060306 histhost v1.0.0 xss and possible rmdir 19155 hithost-viewuser-deleteuser-xss(25105) 17025 23758 23757 Format string vulnerability in the safe_cprintf function in acebot_cmds.c in Alien Arena 2006 Gold Edition 5.00 allows remote attackers (possibly authenticated) to execute arbitrary code via unspecified vectors when the server sends crafted messages to the clients. ADV-2006-0882 17028 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 23747 19144 http://aluigi.altervista.org/adv/aa2k6x-adv.txt alien-safe-cprintf-format-string(25199) 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 Stack-based buffer overflow in the Cmd_Say_f function in g_cmds.c in Alien Arena 2006 Gold Edition 5.00 allows remote attackers (possibly authenticated) to execute arbitrary code by sending a long message to the server. ADV-2006-0882 17028 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 23748 19144 http://aluigi.altervista.org/adv/aa2k6x-adv.txt alien-cmd-sa-f-bo(25200) 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 The Com_sprintf function in q_shared.c in Alien Arena 2006 Gold Edition 5.00 does not properly NULL terminate certain long strings, which allows remote attackers (possibly authenticated) to cause a denial of service (application crash) via a long skin, weapon, or model name. ADV-2006-0882 17028 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 23749 19144 http://aluigi.altervista.org/adv/aa2k6x-adv.txt alien-com-sprintf-dos(25201) 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp. 17040 20060309 INFIGO-2006-03-01: PeerCast streaming server remote buffer overflow http://www.infigo.hr/in_focus/INFIGO-2006-03-01 peercast-url-bo(25113) ADV-2006-0900 http://www.peercast.org/forum/viewtopic.php?t=3346 23777 GLSA-200603-17 19291 19169 PHP remote file inclusion vulnerability in lib/OWL_API.php in OWL Intranet Engine 0.82, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the xrms_file_root parameter, which is not initialized before use. owl-intranet-owlapi-file-include(25082) ADV-2006-0868 23734 19142 1561 17021 Buffer overflow in Tenes Empanadas Graciela (TEG) 0.11.1, automatically appends an _ (underscore) to the end of duplicate nicknames, which allows remote attackers to cause a denial of service (application crash) by creating multiple users with long, identical nicknames, which triggers an off-by-one error. ADV-2006-0846 16982 19134 http://aluigi.altervista.org/adv/tegob1-adv.txt teg-nickname-offbyone-dos(25165) Cross-site scripting vulnerability in index.php in M-Phorum 0.2 allows remote attackers to inject arbitrary web script or HTML via the go parameter. 20060309 M-Phorum Cross Site Scripting 19121 http://biyosecurity.be/bugs/mphorum.txt mphorum-index-xss(25312) 25394 20070821 Vulnerabilities digest 23951 http://securityvulns.com/source13951.html http://securityvulns.com/Ldocument750.html PHP remote file inclusion vulnerability in index.php in M-Phorum 0.2 allows remote attackers to include arbitrary files via the go parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-0827 16977 19121 mphorum-index-file-include(25102) 23740 SQL injection vulnerability in D2-Shoutbox 4.2 allows remote attackers to execute arbitrary SQL commands via the load parameter, when performing a Shoutbox action through Invision Power Board (IPB). d2shoutbox-index-sql-injection(25074) ADV-2006-0865 16984 19132 1556 PHP remote file inclusion vulnerability in archive.php in Fantastic News 2.1.2 allows remote attackers to include arbitrary files via the CONFIG[script_path] variable. NOTE: 2.1.4 was also reported to be vulnerable. fantasticnews-configscriptpath-file-include(31121) fantasticnews-archive-file-include(25064) ADV-2006-3513 ADV-2006-0826 21796 16985 3027 http://sx02.coresec.de/advisories/152.txt 23519 21807 Cross-site scripting (XSS) vulnerability in manas tungare Site Membership Script before 8 March, 2006 allows remote attackers to inject arbitrary web script or HTML via the Error parameter in (1) login.asp and (2) default.asp. http://www.manastungare.com/projects/site-membership/ ADV-2006-0884 19156 manas-tungare-login-default-xss(25109) 17045 23754 23753 SQL injection vulnerability in manas tungare Site Membership Script before 8 March, 2006 allows remote attackers to execute arbitrary SQL commands via the Username parameter in login.asp. http://www.manastungare.com/projects/site-membership/ ADV-2006-0884 19156 manas-tungare-login-sql-injection(25110) 17045 23755 Cross-site scripting (XSS) vulnerability in Vz Scripts ADP Forum 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the Subject field (possibly messaggio parameter) when posting a new message in post.php. ADV-2006-0901 20060309 ADP Forum 2.0,* script &#304;njection http://biyosecurity.be/bugs/adpforum2.txt adp-forum-subject-xss(25189) 17047 23961 Kerio MailServer before 6.1.3 Patch 1 allows remote attackers to cause a denial of service (application crash) via a crafted IMAP LOGIN command. http://www.kerio.com/kms_history.html 19150 kerio-mailserver-imap-dos(25150) ADV-2006-0898 17043 20060313 Kerio MailServer bugfun 23772 1015748 Format string vulnerability in Easy File Sharing (EFS) Web Server 3.2 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in the query string argument in an HTTP GET request. easyfilesharing-logging-dos(25135) ADV-2006-0912 17046 20060309 Easy File Sharing Web Server Multiple Vulnerablilities 23792 19178 Cross-site scripting (XSS) vulnerability in Easy File Sharing (EFS) Web Server 3.2 allows remote attackers to inject arbitrary web script or HTML via the Description field in creating a folder or uploading a file. easyfilesharing-description-xss(25136) ADV-2006-0912 17046 20060309 Easy File Sharing Web Server Multiple Vulnerablilities 23793 19178 Absolute path traversal vulnerability in Easy File Sharing (EFS) Web Server 3.2 allows remote registered users to execute arbitrary code by uploading a malicious file to the Windows startup folder. 17046 20060309 Easy File Sharing Web Server Multiple Vulnerablilities 23791 easyfilesharing-startup-file-upload(39994) Directory traversal vulnerability in Nodez 4.6.1.1 and earlier allows remote attackers to read or include arbitrary PHP files via a .. (dot dot) in the op parameter, as demonstrated by inserting malicious Email parameters into list.gtdat, then accessing list.gtdat using the op parameter. ADV-2006-0899 19165 http://hamid.ir/security/nodez.txt nodez-op-file-include(25119) 17066 23774 1015747 Cross-site scripting (XSS) vulnerability in Nodez 4.6.1.1 allows remote attackers to inject arbitrary web script or HTML via the op parameter. NOTE: it is possible that this issue is resultant from the directory traversal vulnerability. ADV-2006-0899 19165 http://hamid.ir/security/nodez.txt nodez-op-xss(25121) 17066 23776 1015747 Nodez 4.6.1.1 and earlier stores sensitive data in the list.gtdat file under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing list.gtdat. http://hamid.ir/security/nodez.txt 17066 23775 Cross-site scripting (XSS) vulnerability in the mediamanager module in DokuWiki before 2006-03-05 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors relating to "handling EXIF data." 19186 ADV-2006-0909 http://wiki.splitbrain.org/wiki%3Achanges dokuwiki-mediamanger-xss(25137) 17065 Monotone 0.25 and earlier, when a user creates a file in a directory called "mt", and when checking out that file on a case-insensitive file system such as Windows or Mac OS X, places the file into the "MT" bookkeeping directory, which could allow context-dependent attackers to execute arbitrary Lua programs as the user running monotone. [Monotone-devel] 20060308 [ANNOUNCE] Monotone 0.25.2 -- security fix release ADV-2006-0990 monotone-mt-lua-code-execution(25294) 17139 19260 SGI ProPack 3 SP6 kernel displays the frame buffer contents of the last session after a reboot, which might allow local users to obtain sensitive information. The attacker must read the contents of the screen after a reboot and before the screen contents can be cleared by anything. 20060402-01-U 24571 19607 The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow. DSA-1149 21437 21434 ADV-2006-3234 21427 oval:org.mitre.oval:def:9373 http://bugs.gentoo.org/show_bug.cgi?id=141728 ncompress-decompress-underflow(28315) 19455 RHSA-2006:0663 SUSE-SR:2006:020 MDKSA-2006:140 http://support.avaya.com/elmodocs2/security/ASA-2006-226.htm 1016836 GLSA-200610-03 22377 22296 22036 21880 21467 20060901-01-P Stack-based buffer overflow in the createPKCS10 function in Cryptomathic Cenroll ActiveX Control 1.1.0.0 allows remote attackers to execute arbitrary code via vectors related to the TDC Digital signature. 25282 1016034 19968 ADV-2006-1675 17852 20060505 Cryptomathic ActiveX Buffer Overflow (TDC Digital signature) http://cirt.dk/advisories/cirt-43-advisory.pdf cryptomathic-primeink-createpkcs10-bo(26255) Sendmail before 8.13.7 allows remote attackers to cause a denial of service via deeply nested, malformed multipart MIME messages that exhaust the stack during the recursive mime8to7 function for performing 8-bit to 7-bit conversion, which prevents Sendmail from delivering queued messages and might lead to disk consumption by core dump files. VU#146718 http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc 18433 102460 20473 15779 https://issues.rpath.com/browse/RPL-526 sendmail-multipart-mime-dos(27128) ADV-2006-3135 ADV-2006-2798 ADV-2006-2390 ADV-2006-2389 ADV-2006-2388 ADV-2006-2351 ADV-2006-2189 HPSBUX02124 SSRT061159 20060721 rPSA-2006-0134-1 sendmail sendmail-cf 20060624 Re: Sendmail MIME DoS vulnerability 20060621 Re: Sendmail MIME DoS vulnerability 20060620 Sendmail MIME DoS vulnerability RHSA-2006:0515 26197 [3.8] 008: SECURITY FIX: June 15, 2006 MDKSA-2006:104 GLSA-200606-19 http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-18.html http://www.f-secure.com/security/fsc-2006-5.shtml DSA-1155 IY85930 IY85415 http://support.avaya.com/elmodocs2/security/ASA-2006-148.htm SSA:2006-166-01 1016295 21647 21612 21327 21160 21042 20782 20726 20694 20684 20683 20679 20675 20673 20654 20651 20650 20641 oval:org.mitre.oval:def:11253 SUSE-SA:2006:032 SSRT061135 HPSBTU02116 20060602-01-U 20060601-01-P FreeBSD-SA-06:17.sendmail useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox. VU#312692 18111 20370 https://issues.rpath.com/browse/RPL-1357 shadow-utils-useradd-file-permission(26958) ADV-2007-3229 ADV-2006-2006 1018221 20070511 rPSA-2007-0096-1 shadow RHSA-2007:0431 RHSA-2007:0276 MDKSA-2006:090 GLSA-200606-02 http://support.avaya.com/elmodocs2/security/ASA-2007-249.htm 27706 26909 25896 25894 25629 25267 25098 20506 oval:org.mitre.oval:def:10807 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player http://cvs.pld.org.pl/shadow/NEWS?rev=1.109 20070602-01-P The WeOnlyDo! SFTP (wodSFTP) ActiveX control is marked as safe for scripting, which allows remote attackers to read and write files in arbitrary locations by accessing the control from a web page. VU#378604 ADV-2006-2064 wodsftp-activex-unauth-access(26752) 18192 20361 Buffer overflow in eBay Enhanced Picture Services (aka EPUImageControl Class) in EUPWALcontrol.dll before 1.0.3.48, as used in Sell Your Item (SYI), Setup & Test eBay Enhanced Picture Services, Picture Manager Enhanced Uploader, and CARad.com Add Vehicle, allows remote attackers to execute arbitrary code via a crafted HTML document. VU#597721 ebay-epuimagecontrol-bo(27631) ADV-2006-2698 18921 http://www.kb.cert.org/vuls/id/MIMG-6QKPVH 1016445 20969 Tamarack MMSd before 7.992 allows remote attackers to cause a denial of service (crash) via malformed RFC1006 (OSI over TCP/IP) packets. VU#372878 tamarack-mmsd-packet-dos(28053) ADV-2006-3080 http://www.kb.cert.org/vuls/id/JGEI-6RZPUT 19202 1016734 Adobe Graphics Server 2.0 and 2.1 (formerly AlterCast) and Adobe Document Server (ADS) 5.0 and 6.0 allows local users to read files with certain extensions or overwrite arbitrary files and execute code via a crafted SOAP request to the AlterCast web service in which the request uses the (1) saveContent or (2) saveOptimized ADS commands, or the (3) loadContent command. 17113 20060315 Secunia Research: Adobe Document/Graphics Server File URI ResourceAccess http://www.adobe.com/support/techdocs/332989.html 1015769 19229 adobe-unauth-command-access(25247) ADV-2006-0956 23924 1015768 588 The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges. USN-262-1 https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606 ADV-2006-0927 ubuntu-installer-password-disclosure(25170) 17086 23868 1015761 19200 Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119. 17905 20060509 [EEYEB20051011B] - Microsoft Distributed Transaction Coordinator Denial of Service MS06-018 http://www.eeye.com/html/research/advisories/AD20060509b.html 20000 ADV-2006-1742 msdtc-message-dos(25558) 25336 1016047 864 oval:org.mitre.oval:def:1990 oval:org.mitre.oval:def:1912 oval:org.mitre.oval:def:1779 oval:org.mitre.oval:def:1295 Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption. VU#503124 TA06-101A MS06-013 ADV-2006-1318 ie-html-execute-code(25542) 17450 1015900 18957 oval:org.mitre.oval:def:787 oval:org.mitre.oval:def:1711 oval:org.mitre.oval:def:1677 Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. TA06-101A VU#959049 18957 ADV-2006-1318 17453 MS06-013 ie-com-activex-execute-code(25545) 1015900 oval:org.mitre.oval:def:791 oval:org.mitre.oval:def:1704 oval:org.mitre.oval:def:1651 oval:org.mitre.oval:def:1589 oval:org.mitre.oval:def:1446 Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption. VU#824324 TA06-101A MS06-013 ADV-2006-1318 20060525 [BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2 1015900 18957 oval:org.mitre.oval:def:1773 oval:org.mitre.oval:def:1296 oval:org.mitre.oval:def:1290 oval:org.mitre.oval:def:1144 Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with an International Domain Name (IDN) using double-byte character sets (DBCS), aka the "Double Byte Character Parsing Memory Corruption Vulnerability." Customers should apply the update immediately. TA06-101A VU#341028 ie-double-byte-execute-code(25551) ADV-2006-1318 17454 MS06-013 1015900 18957 20060411 Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerability oval:org.mitre.oval:def:792 oval:org.mitre.oval:def:1484 oval:org.mitre.oval:def:1020 Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. VU#959649 ADV-2006-1318 MS06-013 ie-ioleclientsite-execute-code(25552) 17455 1015900 18957 oval:org.mitre.oval:def:965 oval:org.mitre.oval:def:1783 oval:org.mitre.oval:def:1735 oval:org.mitre.oval:def:1541 Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site. ADV-2006-1318 MS06-013 ie-popup-zone-bypass(25555) 17457 1015892 18957 oval:org.mitre.oval:def:1710 oval:org.mitre.oval:def:1251 Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. 17460 MS06-013 1015899 18957 ie-browser-window-spoofing(25557) ADV-2006-1318 670 oval:org.mitre.oval:def:1740 oval:org.mitre.oval:def:1725 oval:org.mitre.oval:def:1645 oval:org.mitre.oval:def:1498 oval:org.mitre.oval:def:1336 Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing." TA06-164A VU#138188 18381 MS06-029 1016280 20634 ADV-2006-2326 http://www.sec-consult.com/fileadmin/Advisories/20060613-0_owa_xss_noexploit.txt 26441 exchange-owa-xss(25550) 20060614 SEC Consult SA-20060613-0 :: Outlook Web Access Cross Site Scripting Vulnerability oval:org.mitre.oval:def:1315 oval:org.mitre.oval:def:1161 oval:org.mitre.oval:def:1070 Integer signedness error in the enet_protocol_handle_incoming_commands function in protocol.c for ENet library CVS version Jul 2005 and earlier, as used in products including (1) Cube, (2) Sauerbraten, and (3) Duke3d_w32, allows remote attackers to cause a denial of service (application crash) via a packet with a large command length value, which leads to an invalid memory access. ADV-2006-0940 20060312 Multiple vulnerabilities in ENet library (Jul 2005) 19208 http://aluigi.altervista.org/adv/enetx-adv.txt enet-signedness-dos(25157) 17087 23844 1015767 20060312 Multiple vulnerabilities in ENet library (Jul 2005) The enet_protocol_handle_send_fragment function in protocol.c for ENet library CVS version Jul 2005 and earlier, as used in products including (1) Cube, (2) Sauerbraten, and (3) Duke3d_w32, allows remote attackers to cause a denial of service (application crash) via a packet fragment with a large total data size, which triggers an application abort when memory allocation fails. ADV-2006-0940 20060312 Multiple vulnerabilities in ENet library (Jul 2005) 19208 http://aluigi.altervista.org/adv/enetx-adv.txt enet-packet-dos(25158) 17087 23845 1015767 20060312 Multiple vulnerabilities in ENet library (Jul 2005) Multiple cross-site scripting (XSS) vulnerabilities in QwikiWiki 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) from and (2) help parameters to (a) index.php; (3) action, (4) page, (5) debug, (6) help, (7) username, or (8) password parameters to (b) login.php; the (7) help parameter to (c) pageindex.php; or (8) help parameter to (d) recentchanges.php. qwikiwiki-multiple-scripts-xss(25128) ADV-2006-0910 17064 19182 http://kiki91.altervista.org/exploit/qwikiwiki_1.0.5_xss.txt 23789 23788 23787 23786 SafeDisc installs the driver service for the secdrv.sys driver with insecure permissions, which allows local users to gain privileges by changing the configuration to reference a malicious program. 17070 20060311 Copy protection scheme SafeDisc allows privilege escalation safedisk-secdrv-gain-privileges(25162) Comvigo IM Lock 2006 uses a simple substitution cipher to encrypt a password stored in the msnvs\prc registry value, for which all users have Read permission, which allows local users to bypass the product's blocking functionality by decrypting the password. ADV-2006-0866 20060306 IM Lock 2006 - Insecure Registry Permission Vulnerability 19140 imlock-password-weak-encryption(25219) 16988 Cross-site scripting (XSS) vulnerability in iframe.php in daverave Link Bank allows remote attackers to inject arbitrary web script or HTML via the site parameter. ADV-2006-0885 20060306 link bank code execution and xss 19154 linkbank-iframe-xss(25107) 17001 23751 Direct static code injection vulnerability in add_link.txt in daverave Link Bank allows remote attackers to execute arbitrary PHP code via the url_name parameter, which is not sanitized before being stored in links.txt, which is later used in an include statement. ADV-2006-0885 20060306 link bank code execution and xss 19154 17004 23750 553 Directory traversal vulnerability in resetpw.php in eschew.net phpBannerExchange 2.0 and earlier, and other versions before 2.0 Update 5, allows remote attackers to read arbitrary files via a .. (dot dot) in the email parameter during a "Recover password" operation (recoverpw.php). phpbannerexchange-recoverpw-dir-traversal(25080) phpbannerexchange-resetpw-dir-traversal(25071) ADV-2006-0869 16996 20060307 phpBannerExchange 2.0 Directory Traversal Vulnerability 23720 http://www.h4cky0u.org/advisories/HYSA-2006-004-phpbanner.txt http://www.eschew.net/scripts/phpbe/2.0/releasenotes.php 19127 20060307 phpBannerExchange 2.0 Directory Traversal Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in textfileBB 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mess and (2) user parameters in messanger.php, possibly requiring a URL encoded value. ADV-2006-0897 20060308 textfileBB <= 1.0 Multiple XSS 19149 http://notlegal.ws/textfilebbmessanger.txt textbb-messanger-xss(25091) 17029 1015744 PHP remote file include vulnerability in common.php in txtForum 1.0.4-dev and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the skin parameter to login.php, and possibly other parameters to other PHP scripts, related to include statements in common.php. 20060309 txtForum: Script Injection Vulnerability http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt txtforum-login-file-include(25131) 17061 23952 Multiple cross-site scripting (XSS) vulnerabilities in txtForum 1.0.4-dev and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prev, (2) next, and (3) rand5 parameters in (a) index.php; the (4) r_username and (5) r_loc parameters in (b) new_topic.php; the (6) r_num, (7) r_family_name, (8) r_icq, (9) r_yahoo, (10) r_aim, (11) r_homepage, (12) r_interests, (13) r_about, (14) selected1, (15) selected0, (16) signature_selected1, (17) signature_selected0, (18) smile_selected1, (19) smile_selected0, (20) ubb_selected1, and (21) ubb_selected0 parameters in (c) profile.php; the (22) quote and (23) tid parameters in (d) reply.php; and the (24) tid, (25) sticked, and (26) mid parameters in (e) view_topic.php. 20060309 txtForum: Multiple XSS Vulnerabilities http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-003.txt txtforum-multiple-xss(25132) 17054 23957 23956 23955 23954 23953 Multiple cross-site scripting (XSS) vulnerabilities in myWebland myBloggie 2.1.3 beta and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) confirmredirect and (2) post_id parameters in (a) delcomment.php, as reachable when mode=delcom from index.php; and the (3) del and (4) message parameters in (b) upload.php, the (5) errormsg parameter in (c) addcat.php, (d) edituser.php, (e) adduser.php, and (f) editcat.php, the (6) trackback_url parameter in (g) add.php, (7) id parameter in (h) deluser.php, (8) cat_id parameter in (i) delcat.php, and (9) post_id parameter in (j) del.php, as reachable from admin.php. mybloggie-index-admin-xss(25134) 17048 20060309 MyBloggie: Multiple XSS Vulnerabilities http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-002.txt 23992 23991 23990 23989 23988 23987 23986 23975 23974 23973 Matt Johnston Dropbear SSH server 0.47 and earlier, as used in embedded Linux devices and on general-purpose operating systems, allows remote attackers to cause a denial of service (connection slot exhaustion) via a large number of connection attempts that exceeds the MAX_UNAUTH_CLIENTS defined value of 30. 17024 dropbear-connection-dos(25075) 20060307 Dropbear SSH server Denial of Service 1015742 PHP Upload Center stores password hashes under the web root with insufficient access control, which allows remote attackers to download each password hash via a direct request for the upload/users/[USERNAME] file. 20060309 PHP Upload Center Download users password hashes And phpshell Upload http://www.scripts-by.net/PHP/File-Manipulation/php-upload-center.html http://www.blogcu.com/Liz0ziM/317250/ http://biyosecurity.be/bugs/phpuploadcenter2.txt 23627 Sergey Korostel PHP Upload Center allows remote attackers to execute arbitrary PHP code by uploading a file whose name ends in a .php.li extension, which can be accessed from the upload directory. ADV-2006-0817 20060309 PHP Upload Center Download users password hashes And phpshell Upload http://www.scripts-by.net/PHP/File-Manipulation/php-upload-center.html 23626 http://www.blogcu.com/Liz0ziM/317250/ 19107 http://biyosecurity.be/bugs/phpuploadcenter2.txt 564 PHP Advanced Transfer Manager 1.00 through 1.30 stores sensitive information, including password hashes, under the web root with insufficient access control, which allows remote attackers to download each password hash via a direct request for a users/[USERNAME] file. 20060309 PHP Advanced Transfer Manager Download users password hashes http://www.blogcu.com/Liz0ziM/316652/ http://biyosecurity.be/bugs/patm.txt phpatm-password-hash-disclosure(25127) 20060613 Re: PHP Advanced Transfer Manager Download users password hashes 565 17134 The web interface for IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 includes the MySQL database username and password in cleartext in body.phtml, which allows remote attackers to gain privileges by reading the source. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues. 20060308 Remote access to NeuSecure/Netcool backend database via web interface credentials leakage netcool-neusecure-ns-unauth-access(25270) 17032 IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 configures a MySQL database to allow connections from any source IP address with the ns database account, which allows remote attackers to bypass the Netcool/NeuSecure application layer and perform unauthorized database actions. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues. 20060308 Remote access to NeuSecure/Netcool backend database via web interface credentials leakage netcool-neusecure-ns-unauth-access(25270) Unspecified vulnerability in index.php in Core CoreNews 2.0.1 allows remote attackers to execute arbitrary commands via the page parameter, possibly due to a PHP remote file include vulnerability. NOTE: this vulnerability could not be confirmed by source code inspection of CoreNews 2.0.1, which does not appear to use a "page" parameter or variable. corenews-index-command-execution(25180) 17067 20060309 CoreNews 2.0.1 Remote Command Exucetion http://web.archive.org/web/20050323212004/www.coreslawn.de/?show=downloads&cat_id=1 24080 754 20060313 Oddness - CoreNews 2.0.1 Remote Command Exucetion JiRo's Banner System Experience and Professional 1.0 and earlier allows remote attackers to bypass access restrictions and gain privileges via a direct request to certain scripts in the files directory, as demonstrated by using addadmin.asp to create a new administrator account. ADV-2006-0911 20060309 Advisory: Jiros Banner Experience Pro Remote Privilege Escalation. http://www.nukedx.com/?viewdoc=19 19184 jbspro-security-bypass(25169) 17060 23780 20060309 Advisory: Jiros Banner Experience Pro Remote Privilege Escalation. UnrealIRCd 3.2.3 allows remote attackers to cause an unspecified denial of service by causing a linked server to send malformed TKL Q:Line commands, as demonstrated by "TKL - q\x08Q *\x08PoC." 23778 19188 http://forums.unrealircd.com/viewtopic.php?t=2985 unrealircd-server-link-dos(25130) ADV-2006-0908 20060309 UnrealIRCd3.2.3 Server-Link Denial of Service 17057 Cross-site scripting (XSS) vulnerability in misc.php in Woltlab Burning Board (wBB) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the percent parameter. NOTE: this issue has been disputed in a followup post, although the original disclosure might be related to reflected XSS. 16959 20060304 Re: Wbb 2.3. xss 20060304 Wbb 2.3. xss wbb-misc-xss(25156) Cross-site scripting (XSS) vulnerability in bigshow.php in Runcms 1.x allows remote attackers to inject arbitrary web script or HTML via the id parameter. 18997 16970 20060304 [KAPDA::#31] - Runcms 1.x Cross_Site_Scripting vulnerability in bigshow.php http://www.kapda.ir/advisory-280.html 23823 474 SQL injection vulnerability in DSPoll 1.1 allows remote attackers to execute arbitrary SQL commands via the pollid parameter to (1) results.php, (2) topolls.php, (3) pollit.php. ADV-2006-0932 19209 http://evuln.com/vulns/96/summary.html dspoll-pollid-sql-injection(25192) 17103 20060324 [eVuln] DSPoll Multiple SQL Injection Vulnerabilities 23881 23880 23879 1015758 622 620 Unspecified vulnerability in the HTTP proxy in Novell BorderManager 3.8 and earlier allows remote attackers to cause a denial of service (CPU consumption and ABEND) via unknown attack vectors related to "media streaming over HTTP 1.1". 17031 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972993.htm 19163 ADV-2006-0879 23752 Directory traversal vulnerability in Gallery 2.0.3 and earlier, and 2.1 before RC-2a, allows remote attackers to include arbitrary PHP files via ".." (dot dot) sequences in the stepOrder parameter to (1) upgrade/index.php or (2) install/index.php. 19175 gallery-multiple-index-file-include(25129) ADV-2006-0895 1566 http://gallery.menalto.com/2.0.4_and_2.1_rc_2a_update 17051 Integer overflow in the mach_msg_send function in the kernel for Mac OS X might allow local users to execute arbitrary code via unknown attack vectors related to a large message header size, which leads to a heap-based buffer overflow. 17056 http://www.felinemenace.org/~nemo/ 28453 Untrusted search path vulnerability in the TrueVector service (VSMON.exe) in Zone Labs ZoneAlarm 6.x and Integrity does not search ZoneAlarm's own folders before other folders that are specified in a user's PATH, which might allow local users to execute code as SYSTEM by placing malicious DLLs into a folder that has insecure permissions, but is searched before ZoneAlarm's folder. NOTE: since this issue is dependent on the existence of a vulnerability in a separate product (weak permissions of executables or libraries, or the execution of malicious code), perhaps it should not be included in CVE. ADV-2006-0947 20060309 Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarm 20060309 Re: 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.000 20060308 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.000 1015743 http://reedarvin.thearvins.com/20060308-01.html zonealarm-path-gain-privileges(25097) 17037 Multiple cross-site scripting (XSS) vulnerabilities in zeroboard 4.1 pl7 allows allow remote attackers to inject arbitrary web script or HTML via the (1) memo box title, (2) user email, and (3) homepage fields. 17075 20060312 [INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability 19214 20060312 [INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability ADV-2006-0944 http://www.nzeo.com/bbs/zboard.php?id=cgi_bugreport2&no=5406 http://www.inetcop.org/upfiles/33INCSA.2006-0x82-029-zeroboard.pdf zeroboard-multiple-fields-xss(25212) 23847 Cross-site scripting (XSS) vulnerability in Jupiter Content Manager 1.1.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in the image BBcode tag. ADV-2006-0942 17072 20060311 Jupiter CMS <= 1.1.5 multiple XSS attack vectors. 19215 jupitercm-bbcodetag-xss(25241) 20060412 Re: Jupiter CMS <= 1.1.5 multiple XSS attack vectors. 23839 http://www.jupiterportal.com/index.php?n=modules/forum&a=3&d=11&o=5&q=313 572 Directory traversal vulnerability in dwnld.php in GuppY 4.5.11 allows remote attackers to overwrite arbitrary files via a "%2E." (mixed encoding) in the pg parameter. guppy-dwnld-file-deletion(25141) 17068 20060310 [KAPDA::#33] - GuppY <= 4.5.11 Remote DoS vulnerability http://www.kapda.ir/advisory-291.html http://www.freeguppy.org/?lng=en 1015753 19222 ADV-2006-0936 23993 23846 569 CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy. 20060314 [DRUPAL-SA-2006-004] Drupal 4.6.6 / 4.5.8 fixes mail header injection issue 19245 http://drupal.org/node/53806 drupal-header-data-manipulation(25206) 17104 23912 DSA-1007 579 19257 Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. 20060314 [DRUPAL-SA-2006-002] Drupal 4.6.6 / 4.5.8 fixes XSS issue 19245 http://drupal.org/node/53803 drupal-undisclosed-xss(25202) 17104 23910 DSA-1007 581 19257 Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages. drupal-menumodule-bypass-security(25197) 20060314 [DRUPAL-SA-2006-001] Drupal 4.6.6 / 4.5.8 fixes access control issue 23909 DSA-1007 19257 19245 http://drupal.org/node/53796 17104 578 Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier. This vulnerability affects Drupal versions 4.6.x before 4.6.6, as well as versions 4.5.x before 4.5.8 20060314 [DRUPAL-SA-2006-003] Drupal 4.6.6 / 4.5.8 fixes session fixation issue 19245 http://drupal.org/node/53805 drupal-login-session-hijacking(25205) 17104 23911 DSA-1007 580 19257 SQL injection vulnerability in search.asp in Hosting Controller 6.1 (Hotfix 2.9) allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. This vulnerability may affect all versions of Hosting Controller previous to 6.1 Hotfix 2.9 as well. hosting-controller-search-sql-injection(25140) ADV-2006-0914 23802 19191 Multiple cross-site scripting (XSS) vulnerabilities in create.php in vCard 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) card_id, (2) uploaded, (3) card_fontsize, or (4) card_color parameter. NOTE: the card_id vector was later reported to affect vCard 2.9, and the uploaded vector for 2.6. vcard-create-xss(25181) ADV-2006-0945 22819 17073 20070304 XSS Remote In vCard 2.6 (c)2002 20060527 multiple Xss exploits in : vCard 2.9 20060311 XSS in vCard 23838 1016183 19216 CAPI4HylaFAX 1.3, when compiled with GENERATE_DEBUGSFFDATAFILE set, allows local users to modify arbitrary files via a symlink attack on the c2faxrecv_dbgdatafile.sff temporary file. 17034 20060307 capi4hylafax insecure manipulation with tmp files 20060307 capi4hylafax insecure manipulation with tmp files capi4hylafax-c2faxrecvdbgdatafile-symlink(25262) Multiple SQL injection vulnerabilities in DSDownload 1.0, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) key and (2) category parameters to (a) search.php and (b) downloads.php. "magic_quotes_gpc" parameter must be disabled in order for this vulnerability to be exploited. This vulnerability may affect DSPortal, DSDownload versions previous to 1.0 as well. ADV-2006-0934 19202 http://evuln.com/vulns/99/summary.html dsdownload-multiple-sql-injection(25193) 17116 20060325 [eVuln] DSDownload Multiple SQL Injection Vulnerabilities 23887 23886 1015755 626 Multiple cross-site scripting (XSS) vulnerabilities in WMNews allow remote attackers to inject arbitrary web script or HTML via the (1) ArtCat parameter to wmview.php, (2) ctrrowcol parameter to footer.php, or (3) ArtID parameter to wmcomments.php. ADV-2006-0939 17076 20060312 WMNews Cross Site Scripting 19204 http://biyosecurity.be/bugs/wmnews.txt wmnews-multiple-scripts-xss(25210) 23842 23841 23840 SQL injection vulnerability in index.php in DSCounter 1.2, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For field (HTTP_X_FORWARDED_FOR environment variable) in an HTTP header. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. dscounter-index-sql-injection(25190) ADV-2006-0933 17112 20060325 [eVuln] DSCounter 'X-Forwarded-For' SQL Injection Vulnerability 1015756 19206 http://evuln.com/vulns/98/summary.html 23882 627 Directory traversal vulnerability in admin/deleteuser.php in HitHost 1.0.0 might allow remote attackers to delete directories (possibly only empty directories) via the $deleteuser variable. NOTE: the initial disclosure for this issue indicated that the researcher was unable to prove this issue; however, this might have been due to certain behaviors of rmdir. hithost-deleteuser-directory-deletion(25106) 20060314 Re: histhost v1.0.0 xss and possible rmdir 20060306 histhost v1.0.0 xss and possible rmdir 19155 Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010. ADV-2006-0951 17093 1582 19237 http://cvs.sourceforge.net/viewcvs.py/crossfire/crossfire/socket/request.c?rev=1.86&view=log crossfire-setup-bo(25252) 23904 DSA-1009 19276 Multiple SQL injection vulnerabilities in DSNewsletter 1.0, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the email parameter to (1) include/sub.php, (2) include/confirm.php, or (3) include/unconfirm.php. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. dsnewsletter-email-sql-injection(25188) ADV-2006-0931 17111 20060324 [eVuln] DSNewsletter SQL Injection Vulnerability 1015757 19207 http://evuln.com/vulns/97/summary.html 23885 23884 23883 623 SQL injection vulnerability in DSLogin 1.0, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the $log_userid variable in (1) index.php and (2) admin/index.php. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. dslogin-index-sql-injection(25194) dslogin-index-bypass-authentication(25194) ADV-2006-0953 17262 20060327 [eVuln] DSLogin Authentication Bypass Vulnerability 1015754 19201 http://evuln.com/vulns/100/summary.html 23896 637 Cross-site scripting (XSS) vulnerability in issue/createissue.aspx in Gemini 2.0 allows remote attackers to inject arbitrary web script or HTML via the rtcDescription$RadEditor1 field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. gemini-createissue-xss(25195) ADV-2006-0954 23907 19049 17092 Buffer overflow in inet_server.cpp in (1) fb_inet_server and (2) fbserver in Firebird 1.5.2.4731 allows local users to gain privileges via a long value of the -p argument. 17077 20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.3 firebird-fbinetserver-fbserver-bo(25282) 20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.3 Firebird 1.5.2.4731 installs (1) fb_lock_mgr, (2) gds_drop, and (3) fb_inet_server with setuid firebird permissions, which might allow local users to gain privileges via a buffer overflow as identified by CVE-2006-1240, or possibly other vulnerabilities. The problems are fixed in the current 1.5.3 version of the Firebird binary distribution. 17077 20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.3 firebird-fbinetserver-fbserver-bo(25282) 20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.3 The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks. 19402 ADV-2006-2554 ADV-2006-1140 17109 20060316 Re: Linux zero IP ID vulnerability? 20060315 Re: Linux zero IP ID vulnerability? 20060314 Linux zero IP ID vulnerability? http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.1 oval:org.mitre.oval:def:10317 USN-281-1 20060323 Re: Linux zero IP ID vulnerability? RHSA-2006:0575 RHSA-2006:0437 SUSE-SA:2006:028 MDKSA-2006:086 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm 22417 21983 21465 21136 20914 20671 20398 20157 19955 Directory traversal vulnerability in install05.php in Simple PHP Blog (SPB) 0.4.7.1 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the blog_language parameter, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included using install05.php. simplephpblog-install05-file-include(25322) ADV-2006-1007 17102 19270 1581 Vendor ACK for CVE-2006-1243 (older Simple PHP Blog) http://sourceforge.net/forum/forum.php?forum_id=564904 Unspecified vulnerability in certain versions of xpdf after 3.00, as used in various products including (a) pdfkit.framework, (b) gpdf, (c) pdftohtml, and (d) libextractor, has unknown impact and user-assisted attack vectors, possibly involving errors in (1) gmem.c, (2) SplashXPathScanner.cc, (3) JBIG2Stream.cc, (4) JPXStream.cc, and/or (5) Stream.cc. NOTE: this description is based on Debian advisory DSA 979, which is based on changes that were made after other vulnerabilities such as CVE-2006-0301 and CVE-2005-3624 through CVE-2005-3628 were fixed. Some of these newer fixes appear to be security-relevant, although it is not clear if they fix specific issues or are defensive in nature. DSA-998 DSA-984 DSA-983 DSA-982 DSA-979 DSA-1019 http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge3.diff.gz 19644 19364 19164 19091 19065 19021 18948 USN-270-1 16748 23834 Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." TA06-101A VU#984473 17131 MS06-013 1015794 19269 18957 ie-mshtml-bo(25292) ADV-2006-1318 20060325 Re: [optimized PoC] Remote overflow in MSIE script action handlers (mshtml.dll) 23964 20060316 Remote overflow in MSIE script action handlers (mshtml.dll) 20061205 Re: MS Internet Explorer 6.0 (mshtml.dll) Denial of Service Exploit 20061203 MS Internet Explorer 6.0 (mshtml.dll) Denial of Service Exploit oval:org.mitre.oval:def:1766 oval:org.mitre.oval:def:1632 oval:org.mitre.oval:def:1599 oval:org.mitre.oval:def:1569 oval:org.mitre.oval:def:1451 Unspecified vulnerability in mklvcopy in BOS.RTE.LVM in IBM AIX 5.3 allows local users to execute arbitrary commands when mklvcopy calls external commands, possibly due to an untrusted search path vulnerability. http://www.nsfocus.com/english/homepage/research/0602.htm 19235 aix-mklvcopy-code-execution(25849) aix-bosrtelvm-gain-privileges(25299) ADV-2006-0957 17115 23921 IY82739 1015786 20060323 IBM changing significant details? rm_mlcache_file in bos.rte.install in AIX 5.1.0 through 5.3.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files. 17576 http://www.nsfocus.com/english/homepage/research/0603.htm IY82357 19656 aix-rm-mlcache-file-overwrite(25848) ADV-2006-1389 20060424 NSFOCUS SA2006-02 : IBM AIX mklvcopy Local Privilege Escalation Vulnerability 20060424 NSFOCUS SA2006-03 : IBM AIX rm_mlcache_file Local Race Condition Vulnerability 24706 1015952 Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. ADV-2006-0997 HPSBUX02102 hpux-usermod-unauthorized-access(25311) 17143 1015834 1015782 19305 SSRT051078 oval:org.mitre.oval:def:785 oval:org.mitre.oval:def:772 oval:org.mitre.oval:def:1098 Integer overflow in Apple QuickTime Player 7.0.3 and 7.0.4 and iTunes 6.0.1 and 6.0.2 allows remote attackers to execute arbitrary code via a FlashPix (FPX) image that contains a field that specifies a large number of blocks. TA06-132B VU#570689 quicktime-flashpix-overflow(26398) ADV-2006-1778 17074 20060511 [EEYEB-20060307] Apple QuickTime FPX Integer Overflow 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities http://www.eeye.com/html/research/upcoming/20060307b.html 1016067 20069 APPLE-SA-2006-05-11 Unspecified vulnerability in the Webmail module in Winmail before 4.3 has unknown impact and unknown remote attack vectors. ADV-2006-0858 http://www.magicwinmail.net/changelog.asp 17009 Argument injection vulnerability in greylistclean.cron in sa-exim 4.2 allows remote attackers to delete arbitrary files via an email with a To field that contains a filename separated by whitespace, which is not quoted when greylistclean.cron provides the argument to the rm command. 17110 http://marc.merlins.org/linux/exim/files/sa-exim-cvs/Changelog.html saexim-greylistclean-file-deletion(25286) ADV-2006-0941 19225 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345071 Eval injection vulnerability in cal.php in Light Weight Calendar (LWC) 1.0 allows remote attackers to execute arbitrary PHP code via the date parameter to index.php. 17059 1570 Unspecified vulnerability in glFTPd before 2.01 RC5 allows remote attackers to bypass IP checks via a crafted DNS hostname, possibly a hostname that appears to be an IP address. 19221 http://www.glftpd.com/files/docs/changelog 17118 Unspecified vulnerability in BorderWare MXtreme 5.0 and 6.0 allows remote attackers to have an unknown impact via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 19223 borderware-mxtreme-web-admin(25325) ADV-2006-0972 17140 23939 1015787 Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177. mercur-imap-bo(25290) ADV-2006-0977 17138 23950 19267 20060316 Re: Mercur IMAPD 5.0 SP3 DoS Exploit or more? 20060316 Re: Mercur IMAPD 5.0 SP3 DoS Exploit or more? Cross-site scripting (XSS) vulnerability in guestbook.php in Soren Boysen (SkullSplitter) PHP Guestbook 2.6 allows remote attackers to inject arbitrary web script or HTML via the url parameter. This vulnerability can only be exploited if the "magic_quotes_gpc" parameter is set to 'off'. 17136 http://www.boysen.be/en/ 19268 http://evuln.com/vulns/104/summary.html ADV-2006-0974 skullsplitter-guestbook-xss(25293) 20060329 [eVuln] Skull-Splitter's PHP Guestbook XSS Vulnerability 23941 650 20060318 Vendor ACK for Skull-Splitter Guestbook XSS The sample files in the authfiles directory in Microsoft Commerce Server 2002 before SP2 allow remote attackers to bypass authentication by logging in to authfiles/login.asp with a valid username and any password, then going to the main site twice. 17134 20060316 Microsoft Commerce Server 2002: Logon as known user with a false password mscs-authfiles-authentication-bypass(25330) 24121 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csvr2002/htm/cs_se_securityconcepts_cbgw.asp 594 Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 19277 ADV-2006-0991 17142 phpmyadmin-settheme-xss(25305) 23943 1015776 Multiple SQL injection vulnerabilities in Maian Support 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) email or (2) pass parameter to admin/index.php. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. This vulnerability may affect earlier versions of Maian, Support as well. ADV-2006-0992 19275 http://evuln.com/vulns/103/summary.html maiansupport-adminindex-sql-injection(25300) 20060328 [eVuln] Maian Support Authentication Bypass 23944 645 Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check. horde-servicesgo-information-disclosure(25239) 17117 23918 1015771 19246 20060315 CodeScan Advisory: Unauthenticated Arbitrary File Read in Horde v3.09 and prior ADV-2006-0959 20060315 CodeScan Advisory: Unauthenticated Arbitrary File Read in Horde v3.09 and prior SUSE-SR:2006:009 GLSA-200604-02 DSA-1034 DSA-1033 590 19897 19692 19619 19528 Multiple cross-site scripting (XSS) vulnerabilities in ASPPortal 3.00 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. aspportal-multiple-xss(25235) 19247 20060315 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net 20060314 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net 17114 23920 http://www.aspportal.net/content/news/News_Item.asp?content_ID=32 1015772 Multiple SQL injection vulnerabilities in ASPPortal 3.00 have unknown impact and attack vectors. aspportal-multiple-scripts-sql-injection(25234) 19247 20060315 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net 20060314 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net 17114 23919 http://www.aspportal.net/content/news/News_Item.asp?content_ID=32 1015772 592 Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. 17069 http://wordpress.org/development/2006/03/security-202/ Cross-site scripting (XSS) vulnerability in xhawk.net discussion 2.0 beta2 allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in a BBCode img tag. 17119 20060315 [eVuln] discussion - xhawk.net BBCode 'img' XSS & SQL Injection Vulnerabilities http://evuln.com/vulns/92/summary.html discussion-bbcode-xss(25236) 23970 SQL injection vulnerability in discussion.class.php in xhawk.net discussion 2.0 beta2 allows remote attackers to execute arbitrary SQL commands via the view parameter. 20060315 [eVuln] discussion - xhawk.net BBCode 'img' XSS & SQL Injection Vulnerabilities http://evuln.com/vulns/92/summary.html discussion-class-sql-injection(25237) 17121 23971 Cross-site scripting (XSS) vulnerability in Service_Requests.asp in VPMi Enterprise 3.3 allows remote attackers to inject arbitrary web script or HTML via the Request_Name_Display parameter. 23916 20060314 vendor dispute: VCS vpmi-servicerequests-xss(25339) 17172 19297 Invision Power Board 2.1.4 allows remote attackers to hijack sessions and possibly gain administrative privileges by obtaining the session ID from the s parameter, then replaying it in another request. 20060314 Invision Power Board v2.1.4 - session hijacking 20060316 Re: Invision Power Board v2.1.4 - session hijacking The Internet Key Exchange implementation in Funkwerk X2300 7.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite. NOTE: due to the lack of details in the advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to. 19233 ADV-2006-0958 http://www.funkwerk-ec.com/portal/downloadcenter/dateien/x2300/r7201p09/readme_721p9.pdf 17124 Buffer overflow in the parse function in parse.c in zoo 2.10 might allow local users to execute arbitrary code via long filename command line arguments, which are not properly handled during archive creation. NOTE: since this issue is local and not setuid, the set of attack scenarios is limited, although is reasonable to expect that there are some situations in which the zoo user might automatically list attacker-controlled filenames to add to the zoo archive. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183426 GLSA-200603-12 19250 ADV-2006-0969 zoo-parse-bo(25264) 17126 19254 Multiple cross-site scripting (XSS) vulnerabilities in zones.php in Inprotect 0.21 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Description field. NOTE: the provenance of this information is unknown; the details are obtained from third party information. A remote attacker must have "Manage Zones and Server" permissions on Inprotect to exploit this vulnerability. inprotect-zones-xss(25280) ADV-2006-0970 17141 19248 23936 SQL injection vulnerability in index.php in OxyNews allows remote attackers to execute arbitrary SQL commands via the oxynews_comment_id parameter. ADV-2006-0976 17132 19255 http://biyosecurity.be/bugs/oxynews.txt oxynews-index-sql-injection(25301) 20060316 Oxynews Sql &#304;njection 23940 Multiple cross-site scripting (XSS) vulnerabilities in member.php in MyBulletin Board (MyBB) 1.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) aim, (2) yahoo, (3) msn, or (4) website field. 17097 20060314 [[KAPDA::#35] MyBB 1.0.3~member.php~XSS Attack in contact details 23935 http://kapda.ir/advisory-297.html http://community.mybboard.net/showthread.php?tid=7368 mybb-member-xss(25263) ** DISPUTED ** Mozilla Firefox 1.0.7 and 1.5.0.1 allows remote attackers to cause a denial of service (crash) via an HTML tag with a large number of script action handlers such as onload and onmouseover, which triggers the crash when the user views the page source. NOTE: Red Hat has disputed this issue, suggesting that "It is likely the reporter was running the IE Tab extension," and Mozilla also confirmed that this is not an issue in Firefox itself. 20060318 Re: Re: Remote overflow in MSIE script action handlers (mshtml.dll) 20060317 Re: Re: Remote overflow in MSIE script action handlers (mshtml.dll) 593 31833 Classic Planer in AntiVir PersonalEdition Classic 7 does not drop privileges before executing external programs, which allows local users to gain privileges via notepad.exe, which is used to display scan reports. 17071 ADV-2006-0948 20060311 AntiVir PersonalEdition Classic: Local Privilige Escalation 19217 20060311 AntiVir PersonalEdition Classic: Local Privilige Escalation antivir-notepad-gain-privilege(25244) 23843 573 GGZ Gaming Zone 0.0.12 allows remote attackers to cause a denial of service (client disconnect) via inputs that produce malformed XML, including (1) trailing ' (apostrophe) character on the ID attribute in a PLAYER XML tag, (2) joining with a long ID attribute or non-trailing ' characters, which causes a <none> name to be assigned, and then disconnecting, or (3) a long CDATA message attribute, which prevents closing tags from being added to the string. ggzgaminzone-xml-dos(25164) ADV-2006-0935 17094 23848 19212 http://aluigi.altervista.org/adv/ggzcdos-adv.txt admin.php in Himpfen Consulting Company PHP SimpleNEWS 1.0.0 allows remote attackers to bypass authentication by setting the admin parameter in a cookie. ADV-2006-0913 19195 http://evuln.com/vulns/94/summary.html simplenews-admin-bypass-security(25177) 17186 20060322 [eVuln] PHP SimpleNEWS, PHP SimpleNEWS MySQL - Authentication Bypass Vulnerability 23803 613 Cross-site scripting (XSS) vulnerability in signup.php in @1 File Store 2006.03.07 allows remote attackers to inject arbitrary web script or HTML via the (1) real_name, (2) email, and (3) login parameters. ADV-2006-0943 17090 20060324 [eVuln] @1 File Store Multiple XSS and SQL Injection Vulnerabilities 23850 1015826 19224 http://evuln.com/vulns/95/summary.html filestore-signup-xss(25182) SQL injection vulnerability in @1 File Store 2006.03.07 allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) functions.php and (2) user.php in the libs directory, (3) edit.php and (4) delete.php in control/files/, (5) edit.php and (6) delete.php in control/users/, (7) edit.php, (8) access.php, and (9) in control/folders/, (10) access.php and (11) delete.php in control/groups/, (12) confirm.php, and (13) download.php; (14) the email parameter in password.php, and (15) the id parameter in folder.php. NOTE: it was later reported that vectors 12 and 13 also affect @1 File Store PRO 3.2. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. filestorepro-download-file-include(43724) filestorepro-id-sql-injection(43718) filestore-multiple-sql-injection(25183) ADV-2006-0943 30182 17090 20060324 [eVuln] @1 File Store Multiple XSS and SQL Injection Vulnerabilities 24106 23864 23863 23862 23861 23860 23859 23858 23857 23856 23855 23854 23853 23852 23851 6040 20090825 @1 File Store PRO SQL injection - the old gray dupe 1015826 619 31063 19224 47018 47017 http://evuln.com/vulns/95/summary.html CGI::Session 4.03-1 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by (1) Driver::File, (2) Driver::db_file, and possibly (3) Driver::sqlite. ADV-2006-0946 17177 23865 19211 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 cgisession-cgisess-information-disclosure(25285) CGI::Session 4.03-1 does not set proper permissions on temporary files created in (1) Driver::File and (2) Driver::db_file, which allows local users to obtain privileged information, such as session keys, by viewing the files. ADV-2006-0946 23867 23866 19211 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 cgisession-driver-files-insecure-permissions(25283) 17099 Cross-site scripting (XSS) vulnerability in member.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vulnerability than CVE-2006-1272. NOTE: 1.10 was later reported to be vulnerable. 19213 http://community.mybboard.net/showthread.php?tid=7368 mybb-member-url-xss(25266) ADV-2006-0971 17492 17097 20060314 [KAPDA::#35] - MyBB1.0.4~member.php~XSS after login 23935 http://myimei.com/security/2006-03-09/mybb104memberphpxss-after-login.html http://kapda.ir/advisory-296.html CRLF injection vulnerability in inc/function.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to conduct cross-site scripting (XSS), poison caches, or hijack pages via CRLF (%0A%0D) sequences in the Referrer HTTP header field, possibly when redirecting to other web pages. http://kapda.ir/advisory-295.html http://community.mybboard.net/showthread.php?tid=7368 17097 20060314 [KAPDA::#34] - MyBB1.0.4~redirectfunction()~HeaderInjection http://myimei.com/security/2006-03-10/mybb104redirectfunctionheaderinjection.html mybb-crlf-header-injection(25267) opiepasswd in One-Time Passwords in Everything (OPIE) in FreeBSD 4.10-RELEASE-p22 through 6.1-STABLE before 20060322 uses the getlogin function to determine the invoking user account, which might allow local users to configure OPIE access to the root account and possibly gain root privileges if a root shell is permitted by the configuration of the wheel group or sshd. 17194 FreeBSD-SA-06:12 bsd-opie-unauthorized-privileges(25397) ADV-2006-1074 24067 1015817 19347 The installation of SQLAnywhere in Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost Solutions Suite (SGSS) 1.0, includes a default administrator login account and password, which allows local users to gain privileges or modify tasks. ADV-2006-0870 17018 http://securityresponse.symantec.com/avcenter/security/Content/2006.03.07.html 19171 1015733 SQLAnywhere in Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost Solutions Suite (SGSS) 1.0, gives read and write permissions to all users for database shared memory sections, which allows local users to access and possibly modify certain information. Update to Symantec Ghost 8.3 that is shipped as a part of Symantec Ghost Solutions Suite 1.1. ADV-2006-0870 http://securityresponse.symantec.com/avcenter/security/Content/2006.03.07.html 19171 17019 1015733 Buffer overflow in the login dialog in dbisqlc.exe in SQLAnywhere for Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost Solutions Suite (SGSS) 1.0, might allow local users to read certain sensitive information from the database. Update to Symantec Ghost 8.3 that is shipped as a part of Symantec Ghost Solutions Suite 1.1. ADV-2006-0870 http://securityresponse.symantec.com/avcenter/security/Content/2006.03.07.html 19171 ghost-dbisqlc-bo(25089) 1015733 Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) 2.0.4 and 2.1.4 before 20060130 allows remote attackers to steal cookies and probably conduct other activities when the victim is using Internet Explorer. http://forums.invisionpower.com/index.php?showtopic=206790 ADV-2006-0861 19141 Multiple SQL injection vulnerabilities in Invision Power Board (IPB) 2.0.4 and 2.1.4 before 20060105 allow remote attackers to execute arbitrary SQL commands via cookies, related to (1) arrays of id/stamp pairs and (2) the keys in arrays of key/value pairs in ipsclass.php; (3) the topics variable in usercp.php; and the topicsread cookie in (4) topics.php, (5) search.php, and (6) forums.php. http://forums.invisionpower.com/index.php?showtopic=204627 http://forums.invisionpower.com/index.php?act=Attach&type=post&id=9642 ADV-2006-0861 invision-multiple-sql-injection(25100) 19141 Multiple SQL injection vulnerabilities in Milkeyway Captive Portal 0.1 and 0.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) password, (3) team, (4) level, (5) status, (6) teamname, and (7) teamlead parameters in (a) auth.php; the (8) username, (9) action, and (10) filter parameters in (b) authuser.php; the (11) username parameter in (c) utils.php; the (12) id and (13) date parameters in (d) traffic.php; the (14) username parameter in (e) userstatistics.php; and the (15) USERNAME and (16) PASSWORD parameters in a cookie to (f) chgpwd.php. ADV-2006-0968 http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt 17127 20060316 Milkeyway Multiple Vulnerabilities milkeyway-admin-sql-injection(25287) milkeyway-multiple-sql-injection(25281) http://www.ush.it/team/ascii/hack-milkeway/advisory.txt 23931 23929 23928 23927 23925 1015778 19258 Multiple cross-site scripting (XSS) vulnerabilities in Milkeyway Captive Portal 0.1 and 0.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) ipAddress, (2) act, (3) username, and (4) unspecified other parameters in (a) authuser.php; and the (5) username and (6) unspecified other parameters in (b) userstatistics.php. ADV-2006-0968 http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt 17127 20060316 Milkeyway Multiple Vulnerabilities milkeyway-multiple-xss(25288) http://www.ush.it/team/ascii/hack-milkeway/advisory.txt 23933 23932 1015778 19258 publish.ical.php in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier does not require authentication for write access to the calendars directory, which allows remote attackers to upload and execute arbitrary PHP scripts via a WebDAV PUT request with a filename containing a .php extension and a trailing null character. ADV-2006-1019 17129 1586 http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php 19285 Directory traversal vulnerability in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by day.php. ADV-2006-1019 1585 17125 19285 Cross-site scripting (XSS) vulnerability in index.php in Contrexx CMS 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF). ADV-2006-1013 17128 20060318 Contrexx CMS Xss Vuln http://www.contrexx.com/?section=news&cmd=details&newsid=54 http://www.contrexx.com/?section=media1&act=download&path=/media/archive1/Opensource/Bugfixes/contrexx_1.0.8/&file=contrexx_v1.0.8_bugfix_27-02-06.zip http://soot.shabgard.org/Contrexx-CMS.txt 19294 contrexx-index-xss(25332) 599 PHP remote file include vulnerability in PageController.php in KnowledgebasePublisher 1.2 allows remote attackers to include and execute arbitrary PHP code via a URL in the dir parameter. ADV-2006-1020 17120 1587 knowledgebasepublisher-dir-file-include(25338) 24002 http://sourceforge.net/project/shownotes.php?release_id=402179&group_id=144153 19298 Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter. http://zone.spip.org/trac/spip-zone/changeset/1672 http://www.zone-h.fr/advisories/read/id=1105 http://www.silitix.com/spip-xss.html 17130 spip-research-xss(25389) Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local users to gain privileges via a malicious beagle-info program in the current working directory, or possibly directories specified in the PATH. beagle-beagle-status-privilege-escalation(25303) 17195 FEDORA-2006-188 23942 19336 19278 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357392 Unspecified vulnerability in Veritas Backup Exec for Windows Server Remote Agent 9.1 through 10.1, for Netware Servers and Remote Agent 9.1 and 9.2, and Remote Agent for Linux Servers 10.0 and 10.1 allow attackers to cause a denial of service (application crash or unavailability) due to "memory errors." http://www.symantec.com/avcenter/security/Content/2006.03.17a.html backupexec-app-memory-dos(25309) ADV-2006-0995 17098 20060317 Symantec Security Advisory SYM06-004 1015784 19242 597 Format string vulnerability in the Job Engine service (bengine.exe) in the Media Server in Veritas Backup Exec 10d (10.1) for Windows Servers rev. 5629, Backup Exec 10.0 for Windows Servers rev. 5520, Backup Exec 10.0 for Windows Servers rev. 5484, and Backup Exec 9.1 for Windows Servers rev. 4691, when the job log mode is Full Detailed (aka Full Details), allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted filename on a machine that is backed up by Backup Exec. This vulnerability can only be exploited if the 'job log' mode is set to "Full Detailed" (aka Full Details). Other older versions of Windows Server (those that have been End-Of-Life'd) should be upgraded to the latest patch of one of the current versions listed above. 17096 http://support.veritas.com/docs/282254 backupexec-bengine-format-string(25310) ADV-2006-0996 http://www.symantec.com/avcenter/security/Content/2006.03.17b.html 20060320 Symantec Security Advisory, SYM06-005 1015785 19242 Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1 allows remote attackers to bypass access restrictions via unspecified "URL paths" that can access Application Folder objects "explicitly by name." 18920 MS06-033 1016465 ADV-2006-2751 ms-aspnet-appcode-information-disclosure(26802) 27153 20999 oval:org.mitre.oval:def:419 Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted SELECTION record that triggers memory corruption, a different vulnerability than CVE-2006-1302. MS06-037 ADV-2006-2755 18853 1016472 oval:org.mitre.oval:def:557 Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with certain crafted fields in a SELECTION record, which triggers memory corruption, aka "Malformed SELECTION record Vulnerability." 18885 MS06-037 ADV-2006-2755 20060712 NSFOCUS SA2006-05 : Microsoft Excel SELECTION Record Memory Corruption Vulnerability http://www.nsfocus.com/english/homepage/research/0605.htm 1016472 1238 oval:org.mitre.oval:def:379 Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection. VU#959049 18328 MS06-021 ie-wmm2fxadll-execute-code(26774) http://www.zerodayinitiative.com/advisories/ZDI-06-018.html ADV-2006-2319 20060613 ZDI-06-018: Microsoft Internet Explorer DXImageTransform ActiveX Memory Corruption Vulnerability 26442 1016291 20595 oval:org.mitre.oval:def:2017 oval:org.mitre.oval:def:1973 oval:org.mitre.oval:def:1928 oval:org.mitre.oval:def:1830 oval:org.mitre.oval:def:1767 oval:org.mitre.oval:def:1135 Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted COLINFO record, which triggers the overflow during a "data filling operation." 18888 MS06-037 ADV-2006-2755 20060712 NSFOCUS SA2006-06 : Microsoft Excel COLINFO Record Buffer Overflow Vulnerability http://www.nsfocus.com/english/homepage/research/0606.htm 1016472 oval:org.mitre.oval:def:545 Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to cause a denial of service (memory exhaustion and interrupted mail recovery) via malformed e-mail header information, possibly related to (1) long subject lines or (2) large numbers of recipients in To or CC headers. TA07-009A VU#617436 21937 MS07-003 1017488 23674 ADV-2007-0104 HPSBST02184 SSRT071296 31253 http://osvdb.org/ref/24/24081-outlook1.txt [funsec] 20060308 DOSing Outlook 2003 http://blogs.securiteam.com/index.php/archives/347 oval:org.mitre.oval:def:122 Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability." 18886 MS06-037 ADV-2006-2755 20060712 Microsoft Excel Array Index Error Remote Code Execution http://secway.org/advisory/AD20060711.txt 1016472 oval:org.mitre.oval:def:950 Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted FNGROUPCOUNT value. 18890 MS06-037 excel-fngroupcount-bo(27464) ADV-2006-2755 1016472 20060712 Microsoft Excel Could Allow Remote Code Execution by Malformed FNGROUPCOUNT value Vulnerability oval:org.mitre.oval:def:243 Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted LABEL record that triggers memory corruption. MS06-037 ADV-2006-2755 18910 1016472 oval:org.mitre.oval:def:752 The RichEdit component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1; Office 2000 SP3, XP SP3, 2003 SP2, and Office 2004 for Mac; and Learning Essentials for Microsoft Office 1.0, 1.1, and 1.5 allows user-assisted remote attackers to execute arbitrary code via a malformed OLE object in an RTF file, which triggers memory corruption. TA07-044A VU#368132 MS07-013 ADV-2007-0582 ms-richedit-code-execution(30592) 1017641 1017640 21876 31886 24152 oval:org.mitre.oval:def:1090 Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code. TA06-164A VU#390044 18359 MS06-023 20620 ms-jscript-code-execution(26805) ADV-2006-2321 26434 1016283 oval:org.mitre.oval:def:2003 oval:org.mitre.oval:def:1785 oval:org.mitre.oval:def:1644 oval:org.mitre.oval:def:1067 Heap-based buffer overflow in the Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to execute arbitrary code via crafted first-class Mailslot messages that triggers memory corruption and bypasses size restrictions on second-class Mailslot messages. TA06-192A VU#189140 http://www.tippingpoint.com/security/advisories/TSRT-06-02.html MS06-035 ADV-2006-2753 win-mailslot-bo(26818) 18863 20060711 TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability 27154 1212 21007 oval:org.mitre.oval:def:600 The Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to obtain sensitive information via crafted requests that leak information in SMB buffers, which are not properly initialized, aka "SMB Information Disclosure Vulnerability." VU#333636 MS06-035 ADV-2006-2753 win-smb-information-disclosure(26820) 18891 20060711 SMB Information Disclosure Vulnerability 27155 1016467 21007 oval:org.mitre.oval:def:3 Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389. TA06-192A VU#580036 MS06-038 office-string-parse-bo(27607) ADV-2006-2756 18912 27148 1016469 21012 oval:org.mitre.oval:def:918 chpst in runit 1.3.3-1 for Debian GNU/Linux, when compiled on little endian i386 machines against dietlibc, does not properly handle when multiple groups are specified in the -u option, which causes chpst to assign permissions for the root group due to inconsistent bit sizes for the gid_t type. This vulnerability may be relevant only to Debian GNU/Linux implementations on little endian i386 machines. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356016 runit-chpst-gain-privileges(25419) 17179 19323 util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a block, which causes a check for CVS to always succeed and allows rsync and rdist to bypass intended access restrictions in rssh.conf. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346322 debian-rssh-rsync-rdist-bypass-security(25424) 18999 DSA-1109 21087 Cross-site scripting (XSS) vulnerability in webcheck before 1.9.6 allows remote attackers to inject arbitrary web script or HTML via the (1) url, (2) title, or (3) author name in a crawled page, which is not properly sanitized in the tooltips of a report. Versions before 1.0 are named "linbot" instead of "webcheck". http://ch.tudelft.nl/~arthur/webcheck/news.html#20060130 webcheck-content-xss(25428) 17212 19309 Novell Netware NWFTPD 5.06.05 allows remote attackers to cause a denial of service (ABEND) via an MDTM command that uses a long path for the target file, possibly due to a buffer overflow. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973435.htm netware-nwftpd-mdtm-dos(25289) ADV-2006-0975 17137 23949 1015781 19265 Directory traversal vulnerability in WinHKI 1.6 and earlier allows user-assisted attackers to overwrite arbitrary files via a (1) RAR, (2) TAR, (3) ZIP, or (4) TAR.GZ archive with a file whose file name contains ".." sequences. winhki-extract-directory-traversal(25335) ADV-2006-1010 17153 20060322 WinHKI 1.6x Archive Extraction Directory traversal 19296 http://hamid.ir/security/winhki.txt Cross-site scripting (XSS) vulnerability in acp/lib/class_db_mysql.php in Woltlab Burning Board (wBB) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the errormsg parameter when a SQL error is generated. ADV-2006-1003 17147 20060318 Xss in Wbb 2.3.4 19293 wbb-classdbmysql-xss(25313) 1015789 598 529 Cross-site scripting (XSS) vulnerability in Streber 0.055 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. The vulnerability has been fixed in version 0.055 (development release). ADV-2006-1005 http://www.streber-pm.org/phpBB2/viewtopic.php?p=491#491 19263 streber-xss(25317) 17157 Multiple cross-site scripting (XSS) vulnerabilities in Invision Power Board 2.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) result_type, (2) search_in, (3) nav, (4) forums, and (5) s parameters in the Search action to index.php; (6) st parameter to index.php with showtopics set to 1; (7) m, (8) y, and (9) d parameters in a calendar action; (10) t parameter in a Print action; (11) MID parameter in a Mail action; (12) HID parameter in a Help action; (13) active parameter in a search action; (14) sort_order, (15) max_results, or (16) sort_key parameter in a Members action. 17144 20060317 XSS IN Invision Power Board 25015 25014 25013 25012 25011 25010 25009 SQL injection vulnerability in reg.php in SoftBB 0.1 allows remote attackers to execute arbitrary SQL commands via the mail parameter. ADV-2006-1002 19283 1594 softbb-reg-sql-injection(25320) 17160 23999 SQL injection vulnerability in count.php in Skull-Splitter PHP Downloadcounter for Wallpapers 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) count_fieldname, (2) url_fieldname, or (3) url parameter. ADV-2006-1004 19314 http://evuln.com/vulns/105/summary.html downloadcounter-count-sql-injection(25316) 17156 20060329 [eVuln] Skull-Splitter's PHP Downloadcounter for Wallpapers SQL Injection 23972 649 The SASL negotiation in Jabber Studio jabberd before 2.0s11 allows remote attackers to cause a denial of service ("c2s segfault") by sending a "response stanza before an auth stanza". http://article.gmane.org/gmane.network.jabber.admin/27372 jabberd-sasl-dos(25334) ADV-2006-1009 17155 RHSA-2008:0261 http://support.apple.com/kb/HT4077 19281 APPLE-SA-2010-03-29-1 Multiple SQL injection vulnerabilities in phpWebsite 0.83 and earlier allow remote attackers to execute arbitrary SQL commands via the sid parameter to (1) friend.php or (2) article.php. phpwebsite-multiple-sql-injection(25328) ADV-2006-1039 17150 20060413 Re: phpWebsite <= SQL Injection (friend.php) & (article.php) 20060318 phpWebsite <= SQL Injection (friend.php) & (article.php) 19315 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Noah's Classifieds 1.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) method or (2) list parameter. http://zone14.free.fr/advisories/1 17151 20060320 Noah's Classifieds Multiple Path Disclosure and Cross Site Scripting Vulnerabilities noahs-index-path-disclosure(25331) noahs-index-xss(25099) 20060308 Noah's Classifieds Multiple Cross-Site Scripting Vulnerabilities Noah's Classifieds 1.3 and earlier allows remote attackers to obtain sensitive information via an invalid list parameter in the showdetails method to index.php, which reveals the path in an error message. 20060320 Noah's Classifieds Multiple Path Disclosure and Cross Site Scripting Vulnerabilities noahs-index-path-disclosure(25331) 605 471 Multpile SQL injection vulnerabilities in BetaParticle Blog 6.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to template_permalink.asp or (2) fldGalleryID parameter to template_gallery_detail.asp. Update to version 6.02. 19292 ADV-2006-1000 17148 20060318 Advisory: BetaParticle Blog <= 6.0 Multiple Remote SQL InjectionVulnerabilities http://www.nukedx.com/?viewdoc=20 http://blog.betaparticle.com/UserFiles/File/6fix.txt bpblog-multiple-sql-injection(25327) 23966 23965 1015788 600 Multiple SQL injection vulnerabilities in Maian Weblog 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) entry and (2) email parameters to (a) print.php and (b) mail.php. maianweblog-printmail-sql-injection(25295) ADV-2006-0994 23946 19273 http://evuln.com/vulns/101/summary.html 17247 17159 20060327 [eVuln] Maian Weblog Multiple SQL Injection Vulnerabilities 23945 1015818 638 gnome screensaver before 2.14, when running on an X server with AllowDeactivateGrabs and AllowClosedownGrabs enabled, allows attackers with physical access to cause the screensaver to crash and access the session via the Ctl+Alt+Keypad-Multiply keyboard sequence, which removes the grab from gnome. The vulnerability has reportedly been fixed in version 2.14. gnomescreensaver-security-bypass(25340) 24015 19280 http://bugzilla.gnome.org/show_bug.cgi?id=326663 Cross-site scripting vulnerability in calendar.php in ExtCalendar 1.0 and possibly other versions before 2.0 allows remote attackers to inject arbitrary web script or HTML via the (1) year, (2) month, (3) next, and (4) prev parameters. This issue is reportedly addressed in ExtCalendar 2.0. Symantec has not confirmed this fix. Affected users are advised to contact the vendor for further information. ADV-2006-1012 17146 20060319 ExtCalendar v1.0 Multiple Xss Vuln extcalendar-calendar-xss(25350) 23969 601 19321 Buffer overflow in the POP 3 (POP3) service in MailEnable Standard Edition before 1.93, Professional Edition before 1.73, and Enterprise Edition before 1.21 allows remote attackers to execute arbitrary code via unknown vectors before authentication. 19288 mailenable-pop-authentication(25314) ADV-2006-1006 17162 24012 http://www.mailenable.com/standardhistory.asp http://www.mailenable.com/professionalhistory.asp http://www.mailenable.com/enterprisehistory.asp 1015797 20060320 [MU-200603-01] MailEnable POP3 Pre-Authentication Buffer Overflow Webmail in MailEnable Professional Edition before 1.73 and Enterprise Edition before 1.21 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors involving "incorrectly encoded quoted-printable emails". 19288 mailenable-webmail-component-dos(25315) ADV-2006-1006 17161 24014 http://www.mailenable.com/professionalhistory.asp http://www.mailenable.com/enterprisehistory.asp Directory traversal vulnerability in inc/functions.inc.php in CuteNews 1.4.1 and possibly other versions, when register_globals is enabled, allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the archive parameter in an HTTP POST or COOKIE request, which bypasses a sanity check that is only applied to a GET request. 17152 19289 http://hamid.ir/security/cutenews.txt cutenews-incfunction-directory-traversal(25324) 20060322 cutenews 1.4.1 Arbitrary File Access CuteNews 1.4.1 and possibly other versions allows remote attackers to obtain the installation path via unspecified vectors involving an invalid file path. Successful exploitation requires that the "register_globals" parameter is enabled. 17152 19289 http://hamid.ir/security/cutenews.txt 20060322 cutenews 1.4.1 Arbitrary File Access SQL injection vulnerability in events.php in Maian Events 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters. maianevents-events-sql-injection(25298) ADV-2006-0993 19274 http://evuln.com/vulns/102/description.html 20060328 [eVuln] Maian Events SQL Injection Vulnerability 23947 646 net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the (1) getsockname, (2) getpeername, and (3) accept functions, which allows local users to obtain portions of potentially sensitive memory. http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=09d3b3dcfa80c9094f1748c1be064b9326c9ef2b ADV-2006-4502 [linux-netdev] 20060304 BUG: Small information leak in SO_ORIGINAL_DST (2.4 and 2.6) and http://www.vmware.com/download/esx/esx-254-200610-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html http://www.vmware.com/download/esx/esx-202-200610-patch.html 17203 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 RHSA-2006:0580 RHSA-2006:0579 SUSE-SA:2006:028 22875 21035 20398 19357 net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory. [linux-netdev] 20060304 BUG: Small information leak in SO_ORIGINAL_DST (2.4 and 2.6) and ADV-2006-4502 ADV-2006-2071 oval:org.mitre.oval:def:10875 linux-sockaddr-memory-leak(25425) http://www.vmware.com/download/esx/esx-254-200610-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html http://www.vmware.com/download/esx/esx-202-200610-patch.html USN-281-1 2006-0032 17203 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 20060531 rPSA-2006-0087-1 kernel RHSA-2006:0580 RHSA-2006:0579 RHSA-2006:0575 RHSA-2006:0437 29841 MDKSA-2006:150 MDKSA-2006:123 DSA-1184 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm http://support.avaya.com/elmodocs2/security/ASA-2006-180.htm 22875 22417 22093 21983 21465 21136 21045 20671 19955 19357 Cross-site scripting (XSS) vulnerability in VeriSign haydn.exe, as used in Managed PKI (MPKI) 6.0, allows remote attackers to inject arbitrary web script or HTML via a javascript URI in the VHTML_FILE parameter. ADV-2006-1084 17170 20060320 CORE-2006-0124: Cross-Site Scripting in Verisign?s haydn.exe CGI script http://www.coresecurity.com/common/showdoc.php?idx=522&idxseccion=10 verisign-haydn-xss(25349) 1015813 614 polls.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to obtain sensitive information via a vote action with an "option[]=null" parameter value, which reveals the path in an error message. mybb-polls-path-disclosure(25337) 20060317 MyBB 1.10 Full Path Disclosure Directory traversal vulnerability in inc/setLang.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a lang[*][file] parameter, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by index.php. ADV-2006-1015 17165 1595 24016 19322 20060414 Provable vendor ACK for gcards issues SQL injection vulnerability in loginfunction.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. Vulnerability can only be exploited if the "magic_quotes_gpc" parameter is set to Off. ADV-2006-1015 17165 1595 gcards-loginfunction-sql-injection(25344) 24017 19322 20060414 Provable vendor ACK for gcards issues Cross-site scripting (XSS) vulnerability in index.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to inject arbitrary web script or HTML via the lang[*][file] parameter, which is injected into an error message. NOTE: this issue might be resultant from CVE-2006-1346. gcards-incsetlang-xss(25343) ADV-2006-1015 17165 24018 1595 19322 20060414 Provable vendor ACK for gcards issues Multiple cross-site scripting (XSS) vulnerabilities in Musicbox 2.3 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) id and (2) type and (3) show parameters in a top action in (a) index.php; and the (4) message1 parameter in (b) cart.php. musicbox-multiple-xss(27925) musicbox-index-cart-xss(25525) 17149 20060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerability 20060324 XSS & SQL Injection in Music Box v2.3 23968 23967 PHP remote file include vulnerability in index.php in 99Articles.com (aka ArticlesOne.com) Free articles directory allows remote attackers to include and execute arbitrary PHP code via a URL in the page parameter. ADV-2006-1037 20060321 Free Articles Directory Remote Command Exucetion freearticlesdirectory-index-file-include(25378) 17183 24024 616 19320 20060322 Free Articles Directory - file inclusion, code execution? BEA WebLogic Server 6.1 SP7 and earlier allows remote attackers to read arbitrary files via unknown attack vectors related to a "default internal servlet" accessed through HTTP. 17166 19310 BEA06-120.00 ADV-2006-1021 weblogic-server-default-servlet(25347) 1015792 BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and WebLogic Server 6.1 SP7 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via crafted non-canonicalized XML documents. BEA06-123.00 ADV-2006-1021 17167 19310 weblogic-xml-parser-dos(25348) 1015790 Multiple SQL injection vulnerabilities in ASPPortal 3.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the downloadid parameter in download_click.asp and (2) content_ID parameter in news/News_Item.asp; authenticated administrators can also conduct attacks via (3) user_id parameter to users/add_edit_user.asp, (4) bannerid parameter to banner_adds/banner_add_edit.asp, (5) cat_id parameter to categories/add_edit_cat.asp, (6) Content_ID parameter to News/add_edit_news.asp, (7) download_id parameter to downloads/add_edit_download.asp, (8) Poll_ID parameter to poll/add_edit_poll.asp, (9) contactid parameter to contactus/contactus_add_edit.asp, (10) sortby parameter to poll/poll_list.asp, and (11) unspecified inputs to downloads/add_edit_download.asp. ADV-2006-1014 http://www.nukedx.com/?viewdoc=21 1597 19286 aspportal-multiple-aspscripts-sql-injection(25346) 17174 20060322 Re: [SPAM:] - ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities - Email has different SMTP TO: and MIME TO: fields in the email addresses 20060321 ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities 24092 24091 24090 24089 24088 24087 24086 24085 24084 24020 608 20060322 Re: [SPAM:] - ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities - Email has different SMTP TO: and MIME TO: fields in the email addresses 20060321 ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. 19300 ADV-2006-1016 http://www.freeradius.org/security.html oval:org.mitre.oval:def:10156 freeradius-eap-mschapv2-auth-bypass(25352) 2006-0020 17171 MDKSA-2006:060 GLSA-200604-03 DSA-1089 1015795 20461 19811 19527 19518 19405 RHSA-2006:0271 SUSE-SA:2006:019 20060404-01-U avast! Antivirus 4.6.763 and earlier sets "BUILTIN\Everyone" permissions to critical system files in the installation folder, which allows local users to gain privileges or disable protection by modifying those files. ADV-2006-1011 http://www.dslreports.com/forum/remark,15601404~days=9999~start=20 19284 http://forum.avast.com/index.php?topic=19862.0 avast-default-insecure-permissions(25336) 17158 Stack-based buffer overflow in the count_vcards function in LibVC 3, as used in Rolo, allows user-assisted attackers to execute arbitrary code via a vCard file (e.g. contacts.vcf) containing a long line. libvc-vc-bo(25430) 17237 23985 19295 http://osvdb.org/ref/23/23985-libvc.txt Cross-site scripting (XSS) vulnerability in my.support.php3 in F5 Firepass 4100 SSL VPN 5.4.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter. ADV-2006-1036 17175 20060321 XSS in Firepass 4100 SSL VPN v.5.4.2 (and probably others) firepass-mysupport-xss(25393) 1015798 611 19337 Unspecified vulnerability in BEA WebLogic Portal 8.1 up to SP5 causes a JSR-168 Portlet to be retrieved from the cache for the wrong session, which might allow one user to see a Portlet of another user. 19308 BEA06-122.00 ftp://ftpna.beasys.com/pub/releases/security/patch_CR259534_81SP5.zip ADV-2006-1022 weblogic-portal-portlet-disclosure(25345) 17164 1015791 Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. TA06-101A VU#876678 ie-createtextrange-command-execution(25379) ADV-2006-1318 ADV-2006-1050 17196 20060328 Determina Fix for CVE-2006-1359 (Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution) 20060328 EEYE: Temporary workaround for IE createTextRange vulnerability 20060323 Secunia Research: Microsoft Internet Explorer "createTextRange()"Code Execution 20060322 Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution 20060322 IE crash 24050 MS06-013 http://www.microsoft.com/technet/security/advisory/917077.mspx http://www.computerterrorism.com/research/ct22-03-2006 Q-154 1015812 http://secunia.com/secunia_research/2006-7/advisory/ 18680 20060327 Determina Fix for the IE createTextRange() bug 20060322 FW: [Full-disclosure] IE crash 20060322 Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution 20060322 IE crash oval:org.mitre.oval:def:985 oval:org.mitre.oval:def:1702 oval:org.mitre.oval:def:1678 oval:org.mitre.oval:def:1657 oval:org.mitre.oval:def:1178 Multiple SQL injection vulnerabilities in MusicBox 2.3 Beta 2 allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) type, or (3) show parameter to (a) index.php; or the (4) message1 or (5) message parameter to (b) cart.php. musicbox-multiple-sql-injection(27926) 17149 20060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerability 20060324 XSS & SQL Injection in Music Box v2.3 Cross-site scripting (XSS) vulnerability in OSWiki before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the username field to (1) list.rhtml or (2) show.rhtml. This vulnerability is addressed in the following product release: OSWiki, OSWiki, 0.3.1 19290 oswiki-username-xss(25410) ADV-2006-1035 17189 http://svn.sourceforge.net/viewcvs.cgi/opensourcewiki/branches/0.3/oswiki/app/views/user/list.rhtml?view=log Multiple SQL injection vulnerabilities in Mini-Nuke CMS System 1.8.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter in (a) members.asp, the (2) catid parameter in (b) articles.asp and (c) programs.asp, and the (3) id parameter in (d) hpages.asp and (e) forum.asp. NOTE: The pages.asp/id vector is already covered by CVE-2006-0870. 20060321 Mini-Nuke<=1.8.2 SQL injection (6) mininuke-multiple-sql-injection(25372) 617 18439 images.php in Justin White (aka YTZ) Free Web Publishing System (FreeWPS) 2.11 allows remote attackers to execute arbitrary PHP code by uploading a .php file into the /upload directory as specified in the dirPath parameter, then performing a direct request to that file. ADV-2006-1038 1600 freewps-images-file-include(25377) 19343 Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or are restricted documents located under the ASP.NET application path. 17188 http://www.securiteam.com/windowsntfocus/5KP0O0KI0Y.html 1601 http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zip ms-aspnet-w3wp-dos(25392) 20060322 w3wp remote DoS 1015825 20060322 w3wp remote DoS 20060322 w3wp remote DoS due to improper reference of STA COM components in ASP.NET The Motorola PEBL U6, the Motorola V600, and possibly the Motorola E398 and other Motorola phones allow remote attackers to add an entry for their own Bluetooth device to a target device's list of trusted devices (aka Device History), and possibly obtain AT level access to the target device, by initiating and interrupting an OBEX Push Profile that pretends to send a vCard, aka a "HeloMoto" attack. 20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack' http://www.digitalmunition.com/DMA[2006-0321a].txt http://trifinite.org/trifinite_stuff_helomoto.html Buffer overflow in the Motorola PEBL U6 08.83.76R, and possibly other Motorola P2K-based phones, allows remote attackers to cause a denial of service (device shutdown), and possibly execute arbitrary code, via a long OBEX setpath to the OBEX File Transfer (aka FTP) service on Bluetooth channel 9. Arbitrary code execution may also be possible, but has not been confirmed. This vulnerability may affect other versions of Motorola P2K-based phones. ADV-2006-1045 17185 20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack' http://www.digitalmunition.com/DMA[2006-0321a].txt 19319 motorola-peblu6-v600-obex-bo(25401) 20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack' The Motorola PEBL U6 08.83.76R, the Motorola V600, and possibly the Motorola E398 and other Motorola P2K-based phones does not require pairing for a connection related to the Headset Audio Gateway service, which allows user-assisted remote attackers to obtain AT level access and view phonebook entries and saved SMS messages by connecting on Bluetooth channel 3 and tricking the user into pressing Grant, aka a "Blueline" attack. NOTE: while user-assisted, the attack is made more feasible because of a GUI misrepresentation issue that allows a default message to be replaced by an attacker-specified one. motorola-peblu6-v600-name-spoofing(25402) ADV-2006-1045 17190 20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack' http://www.digitalmunition.com/DMA[2006-0321a].txt 19319 20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack' Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes memory to be allocated for the reply data but not the reply structure. Update to version 2.6.16. ADV-2006-2554 ADV-2006-1046 USN-281-1 17831 MDKSA-2006:123 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8763716bfe4d8a16bef28c9947cf9d799b1796a5 DSA-1103 DSA-1097 21045 20914 20671 19955 19330 Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) 2.1.5 and earlier before 20060308 allows remote attackers to inject arbitrary web script or HTML via a Private Message (PM) in certain circumstances. Update to version 2.1.5 (2006-03-08 or later). ADV-2006-1044 17187 19299 http://forums.invisionpower.com/index.php?showtopic=209178 invision-privatemessage-xss(25384) Buffer overflow in RealNetworks RealPlayer 10.5 6.0.12.1040 through 6.0.12.1348, RealPlayer 10, RealOne Player v2, RealOne Player v1, RealPlayer 8, and RealPlayer Enterprise before 20060322 allows remote attackers to have an unknown impact via a malicious Mimio boardCast (mbc) file. This vulnerability affects all versions of RealNetworks, RealPlayer from 10.5 v6.0.12.1040 through 10.5 v6.0.12.1348. VU#451556 http://www.service.real.com/realplayer/security/03162006_player/en/ realnetworks-mbc-bo(25411) ADV-2006-1057 17202 1015810 19358 Laurentiu Matei eXpandable Home Page (XHP) CMS 0.5 and earlier allows remote authenticated users to use the HTMLArea FileManager plugin to upload and execute arbitrary PHP files using (1) manager.php, (2) standalonemanager.php, and (3) images.php. 19353 http://xhp.targetit.ro/index.php?page=3&box_id=34&action=show_single_entry&post_id=10 xhpcms-filemanager-file-upload(25399) xhpcms-filemanager-file-upload(25399) ADV-2006-1052 17209 24059 24058 1605 20060324 XHP vendor ack/fix Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm. ADV-2006-1040 19329 1webcalendar-multiple-sql-injection(25373) 17193 24023 24022 24021 http://pridels0.blogspot.com/2006/03/1webcalendar-v-4x-vuln.html Cross-site scripting (XSS) vulnerability in status_image.php in PHP Live! 3.0 allows remote attackers to inject arbitrary web script or HTML via the base_url parameter. ADV-2006-1054 17184 20060322 PHP Live! XSS status_image.php 19340 phplive-statusimage-xss(25386) SQL injection vulnerability in viewStatement.php in AdMan 1.0.20051221 and earlier allows remote attackers to execute arbitrary SQL commands via the transactions_offset parameter. ADV-2006-1071 19351 adman-viewstatement-sql-injection(25403) 17208 24064 http://pridels0.blogspot.com/2006/03/adman-v10x-sql-vuln.html AdMan 1.0.20051221 and earlier allows remote attackers to obtain the full path via (1) a blank campaignId parameter to editCampaign.php and (2) a blank schemeId parameter to viewPricingScheme.php. ADV-2006-1071 19351 adman-multiple-path-disclosure(25404) 24066 24065 http://pridels0.blogspot.com/2006/03/adman-v10x-sql-vuln.html The installation of Debian GNU/Linux 3.1r1 from the network install CD creates /var/log/debian-installer/cdebconf with world writable permissions, which allows local users to cause a denial of service (disk consumption). 19331 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358210 debian-cdebconf-world-writable(25526) Cross-site scripting (XSS) vulnerability in img.php in (1) EasyMoblog 0.5.1 and (2) CoMoblog 1.1 allows remote attackers to inject arbitrary web script or HTML via the i parameter. ADV-2006-1087 ADV-2006-1086 17201 17199 20060323 [KAPDA::#37] - CoMoblog XSS http://www.kapda.ir/advisory-301.html easymoblog-img-xss(25420) comoblog-img-xss(25416) 24094 24093 1015824 19379 19370 PasswordSafe 3.0 beta, when running on Windows before XP, uses a weak random number generator (C++ rand function) during generation of the database encryption key, which makes it easier for attackers to decrypt the database and steal passwords by generating keys for all possible rand() seed values and conducting a known plaintext attack. This vulnerability exists only in Windows OS environments before XP. For some reason it would not let me notate that in the "vulnerable software" section. passwordsafe-key-brute-force(25429) 17200 20060323 PasswordSafe 3.0 weak random number generator allows key recovery attack 20060907 Re: PasswordSafe 3.0 weak random number generator allows key recovery attack 618 Trend Micro PC-cillin Internet Security 2006 14.00.1485 and 14.10.0.1023, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying executable programs such as (1) tmntsrv.exe and (2) tmproxy.exe. 19282 ADV-2006-1042 http://www.secumind.net/content/french/modules/news/article.php?storyid=9&sel_lang=english ISNTSmtp directory in Trend Micro InterScan Messaging Security Suite (IMSS) 5.5 build 1183 and possibly other versions before 5.7.0.1121, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying ISNTSysMonitor.exe. 19022 ADV-2006-1041 http://www.secumind.net/content/french/modules/news/article.php?storyid=9&sel_lang=english imss-isntsmtp-directory-permissions(25415) Trend Micro OfficeScan 5.5, and probably other versions before 6.5, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying tmlisten.exe. ADV-2006-1041 http://www.secumind.net/content/french/modules/news/article.php?storyid=9&sel_lang=english 11576 imss-isntsmtp-directory-permissions(25415) PHP remote file inclusion vulnerability in impex/ImpExData.php in vBulletin ImpEx module 1.74, when register_globals is disabled, allows remote attackers to include arbitrary files via the systempath parameter. ADV-2006-1056 19352 20060323 XOR Crew :: vBulletin ImpEx <= 1.74 - Remote Command Execution Vulnerability impex-systempath-file-include(34095) impex-impexdata-file-include(25391) 17206 20070504 Remote File Include In Script impex 24070 Directory traversal vulnerability in Baby FTP Server (BabyFTP) 1.24 allows remote authenticated users to determine existence of files outside the intended document root via unspecified manipulations, which generate different error messages depending on whether a file exists or not. ADV-2006-1069 17205 24057 19338 baby-ftp-information-disclosure(25413) Cross-site scripting (XSS) vulnerability in apwc_win_main.jsp in the web console in IBM Tivoli Business Systems Manager (TBSM) before 3.1.0.1 allows remote attackers to inject arbitrary web script or HTML via the skin parameter. OA14904 19332 ADV-2006-1073 tivoli-bsm-skin-xss(25412) 17210 24069 1015822 Stack-based buffer overflow in the parseTaggedData function in WavePacket.mm in KisMAC R54 through R73p allows remote attackers to execute arbitrary code via multiple SSIDs in a Cisco vendor tag in a 802.11 management frame. Update to version R73p. kismac-80211-parsing-bo(25422) ADV-2006-1070 17198 20060323 Advisory 03/2006: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow http://www.hardened-php.net/advisory_032006.115.html 19354 http://kismac.de/_trac/changeset/113 kismac-80211-parsing-bo(25422) 24072 609 20060323 Advisory 03/2006: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore access control settings, which allows remote attackers to read restricted areas and access restricted content in TWiki topics. ADV-2006-1116 http://twiki.org/cgi-bin/view/Codev/SecurityAlertTWiki4RdiffPreviewAccess twiki-restricted-content-access(25444) 17268 1015843 19410 TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenticated users with edit rights to cause a denial of service (infinite recursion leading to CPU and memory consumption) via INCLUDE by URL statements that form a loop, such as a page that includes itself. ADV-2006-1116 http://twiki.org/cgi-bin/view/Codev/SecurityAdvisoryDosAttackWithInclude twiki-include-edit-dos(25445) 17267 19410 Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors. TA06-101A VU#434641 ie-hta-file-execution(25394) ADV-2006-1318 17181 1015800 http://news.zdnet.com/2100-1009_22-6052396.html?tag=zdfd.newsfeed http://jeffrey.vanderstad.net/grasshopper/ 24095 MS06-013 19378 20060321 IE .hta vulnerability reported oval:org.mitre.oval:def:1774 oval:org.mitre.oval:def:1724 oval:org.mitre.oval:def:1676 oval:org.mitre.oval:def:1642 oval:org.mitre.oval:def:1591 Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B.11.11 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. HPSBUX02105 17215 1015819 19373 SSRT061134 ADV-2006-1089 hpux-swagentd-dos(25421) 24097 http://support.avaya.com/elmodocs2/security/ASA-2006-076.htm 19395 oval:org.mitre.oval:def:616 oval:org.mitre.oval:def:312 oval:org.mitre.oval:def:1031 The configuration of NetHack 3.4.3-r1 and earlier, Falcon's Eye 1.9.4a and earlier, and Slash'EM 0.0.760 and earlier on Gentoo Linux allows local users in the games group to modify saved games files to execute arbitrary code via buffer overflows and overwrite arbitrary files via symlink attacks. This vulnerability applies only to the following games/versions: 1) NetHack 3.4.3-r1 and previous 2) Falcon's Eye 1.9.4a and previous 3) Slash'EM 0.0.760 and previous GLSA-200603-23 17217 19376 http://bugs.gentoo.org/show_bug.cgi?id=127319 http://bugs.gentoo.org/show_bug.cgi?id=127167 http://bugs.gentoo.org/show_bug.cgi?id=125902 http://bugs.gentoo.org/show_bug.cgi?id=122376 gentoo-multiple-games-privilege-escalation(25528) 20060324 Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local privilege escalation 20060324 Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Localprivilege escalation 24104 The (a) Quick 'n Easy Web Server before 3.1.1 and (b) Baby ASP Web Server 2.7.2 allows remote attackers to obtain the source code of ASP files via (1) . (dot) and (2) space characters in the extension of a URL. 17222 20060324 Secunia Research: Quick 'n Easy/Baby Web Server ASP CodeDisclosure Vulnerability 24100 http://secunia.com/secunia_research/2006-19/advisory/ 19306 ADV-2006-1088 ADV-2006-1085 19312 quickneasy-web-asp-disclosure(25418) baby-web-asp-disclosure(25417) 24099 624 Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in the login server in University of Washington Pubcookie 3.0.0, 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified inputs. VU#337585 pubcookie-login-server-xss(25427) 19348 http://pubcookie.org/news/20060306-login-secadv.html 17221 24521 Multiple cross-site scripting (XSS) vulnerabilities in the mod_pubcookie Apache application server module in University of Washington Pubcookie 1.x, 3.0.0, 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified attack vectors. VU#314540 pubcookie-appserver-module-xss(25426) 19348 http://pubcookie.org/news/20060306-apps-secadv.html 17221 24103 Multiple cross-site scripting (XSS) vulnerabilities in the Microsoft IIS ISAPI filter (aka application server module) in University of Washington Pubcookie 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified attack vectors. VU#314540 http://pubcookie.org/news/20060306-apps-secadv.html 17221 24520 19348 SQL injection vulnerability in mb.cgi in Cholod MySQL Based Message Board allows remote attackers to execute arbitrary SQL commands via unspecified vectors in a showmessage action, possibly the username parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. ADV-2006-1153 17224 cholod-mb-sql-injection(25520) 19439 Multiple cross-site scripting (XSS) vulnerabilities in Cholod MySQL Based Message Board allow remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information. ADV-2006-1153 17223 cholod-mb-xss(25518) 19439 Multiple cross-site scripting (XSS) vulnerabilities in (a) phpAdsNew and (b) phpPgAds before 2.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) certain parameters to the banner delivery module, which is not properly handled in the administrator interface, or (2) certain parameters to the login form. 17251 20060327 [PHPADSNEW-SA-2006-001] phpAdsNew and phpPgAds 2.0.8 fix multiple vulnerabilities http://sourceforge.net/project/shownotes.php?release_id=404964 http://sourceforge.net/project/shownotes.php?release_id=404963 1015829 1015828 19384 ADV-2006-1107 http://phpadsnew.com/two/nucleus/index.php?itemid=46 phpadsnew-login-banner-xss(25458) 24206 24205 633 Cross-site scripting (XSS) vulnerability in guestbook.php in G-Book 1.0 allows remote attackers to inject arbitrary web script or HTML via the g_message parameter. ADV-2006-1100 17253 20060327 HYSA-2006-006 G-Book 1.0 XSS And Other Vulnerabilities http://www.h4cky0u.org/advisories/HYSA-2006-006-g-book.txt 19414 gbook-guestbook-xss(25475) 24141 1015830 634 Cross-site scripting (XSS) vulnerability in searchresult.php in Meeting Reserve 1.0 beta allows remote attackers to inject arbitrary web script or HTML via the search_term parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. meeting-reserve-searchresult-xss(25432) ADV-2006-1110 17256 19372 24162 Cross-site scripting (XSS) vulnerability in MyTasks/PersonalTaskEdit.asp in Metisware Instructor 1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the Task parameter. ADV-2006-1112 17234 19385 metisware-instructor-personaltaskcreate-xss(25490) 24139 http://pridels0.blogspot.com/2006/03/metisware-instructor-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in search.php in Calendar Express 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) allwords or (2) oneword parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. ADV-2006-1109 17240 19393 calendarexpress-search-xss(25467) 24161 Buffer overflow in client/server Doom (csDoom) 0.7 and earlier allows remote attackers to (1) cause a denial of service via a long nickname or teamname to the SV_SetupUserInfo function or (2) execute arbitrary code via a long string sent when joining a match or a long chat message to the SV_BroadcastPrintf function. 17248 http://aluigi.altervista.org/adv/csdoombof-adv.txt ADV-2006-1105 http://voxelsoft.com/csdoom/ 19389 csdoom-sv-setupuserinfo-bo(25449) csdoom-sv-broadcastprintf-bo(25448) Format string vulnerability in the PrintString function in c_console.cpp in client/server Doom (csDoom) 0.7 and earlier allows remote attackers cause a denial of service and possibly execute arbitrary commands via format string specifiers in strings passed to the console. 17248 http://voxelsoft.com/csdoom/ 19389 http://aluigi.altervista.org/adv/csdoombof-adv.txt ADV-2006-1105 csdoom-printf-format-string(25450) Multiple cross-site scripting (XSS) vulnerabilities in bol.cgi in BlankOL 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) file or (2) function parameter. ADV-2006-1111 19387 blankol-bol-xss(25488) 17265 24124 http://pridels0.blogspot.com/2006/03/blankol-xss-vuln.html Cross-site scripting (XSS) vulnerability in search.aspx in SweetSuite.NET Content Management System (ssCMS) 2.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. sscms-search-xss(25452) ADV-2006-1097 17254 24120 19399 http://pridels0.blogspot.com/2006/03/sweetsuitenet-sscms-21x-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in wbadmlog.aspx in uniForum 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) txtuser or (2) txtpassword parameters. ADV-2006-1101 17245 24123 19397 uniforum-wbadmlog-xss(25433) http://pridels0.blogspot.com/2006/03/uniforum-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) txtDomainName parameter to domains.asp or (2) SearchText or (3) UserLevel parameters to default.asp. These issues are reportedly fixed by the vendor. Version 3.2.10-stable will contain these fixes when it is released. Contact the vendor for further information on obtaining fixes. ADV-2006-1093 17263 19375 helm-domainsusersdefaault-xss(30309) helm-domainsdefault-xss(25470) 24126 24125 http://pridels0.blogspot.com/2006/03/helm-web-hosting-control-panel-xss.html 20060327 Helm Control Panel followup Vavoom 1.19.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via (1) a packet with no data or (2) a large packet, which prevents Vavoom from discarding the packet from the socket. ADV-2006-1104 17261 19388 http://aluigi.altervista.org/adv/vaboom-adv.txt vavoom-fionread-dos(25454) Buffer overflow in Vavoom 1.19.1 and earlier allows remote attackers to cause a denial of service (application crash) via an invalid comprLength value in a compressed packet. ADV-2006-1104 17261 19388 http://aluigi.altervista.org/adv/vaboom-adv.txt vavoom-comprlength-bo(25455) Multiple cross-site scripting (XSS) vulnerabilities in XIGLA Absolute Live Support XE 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Screen name or (2) Session Topic field. ADV-2006-1099 17258 19415 absolutelivesupport-register-xss(25434) 24131 http://pridels0.blogspot.com/2006/03/absolute-live-support-xe-v20-xss-vuln.html Cross-site scripting (XSS) vulnerability in Absolute Image Gallery XE 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) the shownew parameter in gallery.asp and (2) unspecified search module parameters. ADV-2006-1103 absolute-gallery-xss(25466) 18712 24214 http://pridels0.blogspot.com/2006/03/absolute-image-gallery-xe-20-xss-vuln.html TFT Gallery 0.10 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the admin password file and obtain password hashes via a direct request to admin/passwd. ADV-2006-1115 19411 1611 tftgallery-passwd-disclosure(25465) 17250 20061204 Re: Multiple bugs in TFT-Gallery 20061204 Multiple bugs in TFT-Gallery Multiple cross-site scripting (XSS) vulnerabilities in EZHomepagePro 1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) adid or (2) aname parameter in (a) common/email.asp, (b) users/users_search.asp, or (c) users/users_profiles.asp; (3) page parameter in (d) users/users_calendar.asp; (4) usid parameter in (e) users/users_mgallery.asp; or (5) m parameter in (f) users/users_search.asp. ADV-2006-1094 17236 24136 24135 24134 24133 24132 19386 ezhomepagepro-multiple-xss(25468) http://pridels0.blogspot.com/2006/03/ezhomepagepro-multiple-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in toast.asp in Toast Forums 1.6 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) author, (2) subject, (3) message, or (4) dayprune parameter. ADV-2006-1092 17249 24119 19401 toastforums-toast-xss(25440) http://pridels0.blogspot.com/2006/03/xss-in-toast-forums-16.html Cross-site scripting (XSS) vulnerability in iforget.aspx in dotNetBB 2.42EC SP 3 and earlier allows remote attackers to inject arbitrary web script or HTML via the em parameter. ADV-2006-1098 17246 24122 19398 dotnetbb-iforget-xss(25462) http://pridels0.blogspot.com/2006/03/xss-vuln-in-dotnetbb-v24.html Cross-site scripting (XSS) vulnerability in afmsearch.aspx in Absolute FAQ Manager .NET 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search module parameters, possibly the question parameter. ADV-2006-1096 19396 absolutefaqmanager-search-xss(25463) 17242 24127 http://pridels0.blogspot.com/2006/03/absolute-faq-manager-net-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in Caloris Planitia Online Quiz System (aka Web Quiz pro), possibly 1.0, allow remote attackers to inject arbitrary web script or HTML via the (1) exam parameter in prequiz.asp or (2) msg parameter in student.asp. webquiz-multiple-xss(25431) ADV-2006-1091 17255 24130 24129 19416 http://pridels0.blogspot.com/2006/03/web-quiz-pro-xss-vuln.html Cross-site scripting (XSS) vulnerability in default.asp in Caloris Planitia E-School Management System 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. A new version of School Management System was released on May 28, 2006. eschoolmanagementsystem-default-xss(25469) ADV-2006-1095 17257 24128 19381 http://pridels0.blogspot.com/2006/03/e-school-management-system-xss-vuln.html SQL injection vulnerability in the Calendar module in nuked-klan 1.7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the m parameter to index.php. ADV-2006-1134 20060326 nuked-klan<=1.7.5 SQL Injection nuked-klan-calendar-sql-injection(25446) 17233 24204 632 19382 SQL injection vulnerability in print.php in SaphpLesson 2.0 allows remote attackers to execute arbitrary SQL commands via the lessid parameter. 17239 20060325 SQL Injection in SaphpLesson2.0 saphplesson-print-sql-injection(25453) 24254 629 Multiple SQL injection vulnerabilities in akocomment.php in AkoComment 2.0 module for Mambo, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) acname or (2) contentid parameter. In order to exploit this vulnerability, the 'magic_quotes_gpc' parameter must be disabled. 17241 20060326 AkoComment SQL injection vulnerability akocomment-akocomment-sql-injection(25451) ADV-2006-1136 19392 24209 631 SQL injection vulnerability in details_view.php in PHP Booking Calendar 1.0c and earlier allows remote attackers to execute arbitrary SQL commands via the event_id parameter. 17230 1610 phpbookingcal-detailsview-sql-injection(25580) SQL injection vulnerability in showflat.php in UBB.threads 5.5.1, 6.0 br5, 6.0.1, 6.0.2, and earlier, allows remote attackers to execute arbitrary SQL commands via the Number parameter. 20060325 UBBThreads<=5.5.1+6.0.2+6.0 br5+6.0.1 SQL injection 628 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1482. Reason: This candidate is a duplicate of CVE-2006-1482. Notes: All CVE users should reference CVE-2006-1482 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in track.php in phpmyfamily 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the name parameter. ADV-2006-1130 20060327 HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection & XSS 20060327 HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection & XSS phpmyfamily-track-xss(25476) 17278 24166 636 19409 Multiple SQL injection vulnerabilities in Pixel Motion Blog allow remote attackers to execute arbitrary SQL commands via the (1) date parameter in index.php or bypass authentication via the (2) password parameter in admin/index.php. ADV-2006-1135 17260 20060327 Blog Pixel Motion<=1.xx Authentication Bypass Vulnerability & SQL injection 19421 pixelmotionblog-index-sql-injection(25481) pixelmotionblog-adminindex-security-bypass(25478) 24169 24168 Multiple cross-site scripting (XSS) vulnerabilities in WebAPP 0.9.9.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) action, (2) id, (3) num, (4) board, (5) cat, (6) real, (7) viewcat, (8) img, or (9) curcatname parameter in cgi-bin/index.cgi, or (10) vsSD parameter in /mods/calendar/index.cgi. ADV-2006-1102 webapp-index-xss(25435) http://www.web-app.net/cgi-bin/index.cgi?action=redirectd&cat=pastversions&id=1 http://www.web-app.net/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=1 17359 24279 24278 19506 http://pridels0.blogspot.com/2006/03/webapp-multiple-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in phpCOIN 1.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the fs parameter to (1) mod.php or (2) mod_print.php. ADV-2006-1129 19419 phpcoin-multiple-xss(25492) 17279 24189 24188 http://pridels0.blogspot.com/2006/03/phpcoin-v122-xss-vuln.html Cross-site scripting (XSS) vulnerability in accountlogon.cfm in classifiedZONE 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rtn parameter. ADV-2006-1132 17273 19427 classifiedzone-accountlogon-xss(25494) 24187 http://pridels0.blogspot.com/2006/03/classifiedzone-v12-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in CONTROLzx HMS (formerly DRZES) 3.3.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dedicatedPlanID parameter to dedicated_order.php, (2) sharedPlanID parameter to shared_order.php, (3) plan_id parameter to customers/server_management.php, and (4) email field to customers/forgotpass.php. ADV-2006-1131 17282 24176 24175 24174 24173 19432 controlzshms-multiple-scripts-xss(25491) http://pridels0.blogspot.com/2006/03/controlzx-hms-hosting-management.html Cross-site scripting (XSS) vulnerability in local.cfm in fusionZONE couponZONE 4.2 allows remote attackers to inject arbitrary web script or HTML via URL-encoded (1) srchfor and (2) srchby parameters. ADV-2006-1127 17272 19430 couponzone-local-xss(25484) 24180 http://pridels0.blogspot.com/2006/03/couponzone-v42-multiple-vuln.html fusionZONE couponZONE 4.2 allows remote attackers to obtain the full path of the web server, and other sensitive information, via invalid values, as demonstrated using manipulations associated with SQL. couponzone-local-path-disclosure(25486) http://pridels0.blogspot.com/2006/03/couponzone-v42-multiple-vuln.html Annuaire (Directory) 1.0 allows remote attackers to obtain sensitive information via a direct request to include/lang-en.php, which reveals the full installation path. 24302 http://osvdb.org/ref/24/24302-annuaire_directory.txt annuaire-includelangen-path-disclosure(25668) 19548 Cross-site scripting (XSS) vulnerability in inscription.php in Annuaire (Directory) 1.0 allows remote attackers to inject arbitrary web script or HTML via the Comment Field (COMMENTAIRE parameter). 24303 http://osvdb.org/ref/24/24302-annuaire_directory.txt annuaire-inscription-xss(25669) 17393 19548 Cross-site scripting (XSS) vulnerability in genmessage.php in Accounting Receiving and Inventory Administration (ARIA) 0.99-6 allows remote attackers to inject arbitrary web script or HTML via the Message Field (message parameter). 24255 http://osvdb.org/ref/24/24255-aria.txt aria-genmessage-xss(25688) 17411 19551 Multiple cross-site scripting (XSS) vulnerabilities in UPOINT @1 Event Publisher allow remote attackers to inject arbitrary web script or HTML via the (1) Event, (2) Description, (3) Time, (4) Website, and (5) Public Remarks fields to (a) eventpublisher_admin.htm and (b) eventpublisher_usersubmit.htm. 24236 24235 http://osvdb.org/ref/24/24236-upoint.txt 17646 19727 UPOINT @1 Event Publisher stores sensitive information under the web document root with insufifcient access control, which allows remote attackers to read private comments via a direct request to eventpublisher.txt. 24237 http://osvdb.org/ref/24/24236-upoint.txt 17647 19727 Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Knowledgebase (aphpkb) 0.57 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword_list parameter to (a) index.php; (2) title, (3) article, (4) author, and (5) keywords parameters to (b) submit_article.php; and (6) Question, (7) Name, and (8) Email parameters to (c) submit_question.php. 24312 24311 24310 http://osvdb.org/ref/24/24310-aphpkb.txt aphpkb-multiple-scripts-xss(25666) 17377 19554 NSSecureTextField in AppKit in Apple Mac OS X 10.4.6 does not re-enable secure event input under certain circumstances, which could allow other applications in the window session to monitor input characters and keyboard events. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 macos-appkit-nssecuretext-weak-security(26404) ADV-2006-1779 17951 25583 20077 BOM in Apple Mac OS X 10.3.9 and 10.4.6 allows attackers to overwrite arbitrary files via an archive that contains symbolic links. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-bom-archive-file-overwrite(26405) 17951 25584 1016082 20077 Integer overflow in CFNetwork in Apple Mac OS X 10.4.6 allows remote attackers to execute arbitrary code via crafted chunked transfer encoding. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-cfnetwork-chunked-overlow(26406) 17951 25585 1016082 20077 The bundle API in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 loads dynamic libraries even if the client application has not directly requested it, which allows attackers to execute arbitrary code from an untrusted bundle. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-corefoundation-bundle-code-execution(26407) 17951 25586 1016080 20077 Integer underflow in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving conversions from string to file system representation within (1) CFStringGetFileSystemRepresentation or (2) getFileSystemRepresentation:maxLength:withPath in NSFileManager, and possibly other similar API functions. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-corefoundation-integer-underflow(26408) 17951 25587 1016080 20077 CoreGraphics in Apple Mac OS X 10.4.6, when "Enable access for assistive devices" is on, allows an application to bypass restrictions for secure event input and read certain events from other applications in the same window session by using Quartz Event Services. Successful exploitation requires that "Enable access for assistive devices" is on. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-coregraphics-quartz-security-bypass(26409) 17951 25588 1016079 20077 Buffer overflow in the FTP server (FTPServer) in Apple Mac OS X 10.3.9 and 10.4.6 allows remote authenticated users to execute arbitrary code via vectors related to "FTP server path name handling." This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-ftpserver-code-execution(26411) 17951 25589 1016084 20077 Keychain in Apple Mac OS X 10.3.9 and 10.4.6 might allow an application to bypass a locked Keychain by first obtaining a reference to the Keychain when it is unlocked, then reusing that reference after the Keychain has been locked. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-keychain-security-bypass(26413) 17951 25590 1016072 20077 LaunchServices in Apple Mac OS X 10.4.6 allows remote attackers to cause Safari to launch unsafe content via long file name extensions, which prevents Download Validation from determining which application will be used to open the file. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-launchservices-security-bypass(26416) 17951 25591 1016081 20077 Finder in Apple Mac OS X 10.3.9 and 10.4.6 allows user-assisted attackers to execute arbitrary code by tricking a user into launching an Internet Location item that appears to use a safe URL scheme, but which actually has a different and more risky scheme. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 17951 25592 1016082 20077 macos-finder-url-type-spoofing(26410) Integer overflow in Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted MacMIME encapsulated attachment. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-mail-macmime-bo(26417) 17951 25593 1016078 20077 Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via an enriched text e-mail message with "invalid color information" that causes Mail to allocate and initialize arbitrary classes. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-mail-color-code-execution(26419) 17951 25594 1016078 20077 MySQL Manager in Apple Mac OS X 10.3.9 and 10.4.6, when setting up a new MySQL database server, does not use the "New MySQL root password" that is provided, which causes the MySQL root password to be blank and allows local users to gain full privileges to that database. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-mysql-manager-blank-password(26420) 17951 25595 1016077 20077 Stack-based buffer overflow in Preview in Apple Mac OS 10.4 up to 10.4.6 allows local users to execute arbitrary code via a deep directory hierarchy. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003) TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 macos-preview-directory-bo(26422) 17951 25596 1016076 20077 Stack-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file containing malformed font information. TA06-132A TA06-132B 17953 17951 1016075 1016067 20077 20069 APPLE-SA-2006-05-11 APPLE-SA-2006-05-11 quicktime-pict-font-bo(26400) ADV-2006-1779 ADV-2006-1778 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 887 Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file with malformed image data. TA06-132A TA06-132B 17953 17951 1016075 1016067 20077 20069 APPLE-SA-2006-05-11 APPLE-SA-2006-05-11 quicktime-pict-image-bo(26401) ADV-2006-1779 ADV-2006-1778 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 887 QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to cause a denial of service (crash and connection interruption) via a QuickTime movie with a missing track, which triggers a null dereference. TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 quicktime-missing-track-dos(26423) 17951 25599 1016070 20077 Buffer overflow in QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted RTSP request, which is not properly handled during message logging. TA06-132A APPLE-SA-2006-05-11 ADV-2006-1779 quicktime-rtsp-bo(26424) 17951 25600 1016070 20077 Safari on Apple Mac OS X 10.4.6, when "Open `safe' files after downloading" is enabled, will automatically expand archives, which could allow remote attackers to overwrite arbitrary files via an archive that contains a symlink. TA06-132A VU#519473 APPLE-SA-2006-05-11 ADV-2006-1779 safari-archive-code-execution(26427) 17951 25598 1016069 20077 Integer overflow in Apple QuickTime Player before 7.1 allows remote attackers to execute arbitrary code via a crafted JPEG image. VU#289705 TA06-132B 17953 1016067 20069 APPLE-SA-2006-05-11 quicktime-jpeg-overflow(26391) ADV-2006-1778 Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to cause a denial of service or execute arbitrary code via a crafted QuickTime movie (.MOV). TA06-132B 17953 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 1016067 20069 APPLE-SA-2006-05-11 quicktime-mov-overflow(26392) ADV-2006-1778 887 Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime movie (.MOV), as demonstrated via a large size for a udta Atom. TA06-132B 17953 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 1016067 20069 APPLE-SA-2006-05-11 quicktime-mov-bo(26393) ADV-2006-1778 20060512 Apple QuickTime udta ATOM Heap Overflow http://secway.org/advisory/AD20060512.txt 887 20060512 Apple QuickTime udta ATOM Heap Overflow Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime Flash (SWF) file. TA06-132B 17953 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 1016067 20069 APPLE-SA-2006-05-11 quicktime-flash-bo(26394) ADV-2006-1778 887 Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime H.264 (M4V) video format file. TA06-132B 17953 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 1016067 20069 APPLE-SA-2006-05-11 quicktime-h264-overflow(26395) ADV-2006-1778 887 Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a H.264 (M4V) video format file with a certain modified size value. TA06-132B http://www.zerodayinitiative.com/advisories/ZDI-06-015.html 17953 20060511 ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow Vulnerability 1016067 20069 APPLE-SA-2006-05-11 quicktime-h264-bo(26396) ADV-2006-1778 888 Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime MPEG4 (M4P) video format file. VU#587937 TA06-132B 17953 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 1016067 20069 APPLE-SA-2006-05-11 ADV-2006-1778 quicktime-mpeg4-bo(26397) 887 Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime AVI video format file. TA06-132B 17953 20060512 Apple QuickDraw/QuickTime Multiple Vulnerabilities 1016067 20069 APPLE-SA-2006-05-11 ADV-2006-1778 quicktime-avi-bo(26399) 887 Xcode Tools before 2.3 for Mac OS X 10.4, when running the WebObjects plugin, allows remote attackers to access or modify WebObjects projects through a network service. ADV-2006-1950 xcode-webobjects-unauth-access(26634) 18091 25889 1016143 20267 APPLE-SA-2006-05-23 Integer overflow in the AAC file parsing code in Apple iTunes before 6.0.5 on Mac OS X 10.2.8 or later, and Windows XP and 2000, allows remote user-assisted attackers to execute arbitrary code via an AAC (M4P, M4A, or M4B) file with a sample table size (STSZ) atom with a "malformed" sample_size_table value. VU#907836 20891 APPLE-SA-2006-06-29 itunes-aac-file-overflow(27481) http://www.zerodayinitiative.com/advisories/ZDI-06-020.html ADV-2006-2601 18730 20060630 ZDI-06-020: Apple iTunes AAC File Parsing Integer Overflow Vulnerability 1016413 Unspecified vulnerability in Apple File Protocol (AFP) server in Apple Mac OS X 10.4 up to 10.4.6 includes the names of restricted files and folders within search results, which might allow remote attackers to obtain sensitive information. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.7 APPLE-SA-2006-06-27 macosx-afp-information-disclosure(27477) ADV-2006-2566 18733 18686 26930 1016395 20877 Stack-based buffer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.6 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image. VU#988356 macosx-imageio-tiff-bo(27478) ADV-2006-2566 18731 18686 26931 1016394 20877 APPLE-SA-2006-06-27 OpenLDAP in Apple Mac OS X 10.4 up to 10.4.6 allows remote attackers to cause a denial of service (crash) via an invalid LDAP request that triggers an assert error. VU#652196 18728 18686 1016396 macosx-openldap-directory-dos(27480) ADV-2006-2566 26932 20877 APPLE-SA-2006-06-27 Format string vulnerability in the CF_syslog function launchd in Apple Mac OS X 10.4 up to 10.4.6 allows local users to execute arbitrary code via format string specifiers that are not properly handled in a syslog call in the logging facility, as demonstrated by using a crafted plist file. macosx-launchd-format-string(27479) ADV-2006-2566 18724 18686 20060629 DMA[2006-0628a] - 'Apple OSX launchd unformatted syslog() vulnerability' 26933 1016397 20877 APPLE-SA-2006-06-27 Unspecified vulnerability in AFP Server in Apple Mac OS X 10.3.9 allows remote attackers to determing names of unauthorized files and folders via unknown vectors related to the search results. TA06-214A macosx-afp-file-disclosure(28134) ADV-2006-3101 19289 1016620 21253 APPLE-SA-2006-08-01 Integer overflow in AFP Server for Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors. VU#575372 TA06-214A macosx-afp-overflow(28135) ADV-2006-3101 19289 27731 1016620 21253 APPLE-SA-2006-08-01 Cross-site scripting (XSS) vulnerability in the "failed" functionality in Raindance Web Conferencing Pro allows remote attackers to inject arbitrary web script or HTML via the browser parameter. 20060324 [DDSi-SA] XSS in Raindance Communications Web Conferencing Pro Windows Firewall in Microsoft Windows XP SP2 does not produce application alerts when an application is executed using the NTFS Alternate Data Streams (ADS) filename:stream syntax, which might allow local users to launch a Trojan horse attack in which the victim does not obtain the alert that Windows Firewall would have produced for a non-ADS file. 20060324 Microsoft Windows XP SP2 Firewall issue winxp-firewall-ads-bypass(25597) 20060327 Re: Microsoft Windows XP SP2 Firewall issue Windows Firewall in Microsoft Windows XP SP2 produces incorrect application block alerts when the application filename is ".exe" (with no characters before the "."), which might allow local user-assisted users to trick a user into unblocking a Trojan horse program, as demonstrated by a malicious ".exe" program in a folder named "Internet Explorer," which triggers a question about whether to unblock the "Internet Explorer" program. 20060327 Re: Microsoft Windows XP SP2 Firewall issue 20060324 Microsoft Windows XP SP2 Firewall issue winxp-firewall-exe-bypass(25598) Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools PHP Live Helper 1.8 allow remote attackers to include and execute arbitrary PHP code via the abs_path parameter in (1) initiate.php, (2) waiting.php, (3) welcome.php, (4) admin/index.php, (5) javascript.php, (6) checkchat.php, and (7) blank.php. This vulnerability may affect all versions prior to 1.8 as well. http://www.turnkeywebtools.com/forum/showthread.php?p=10415 http://www.worlddefacers.de/Public/WD-TMPLH.txt ADV-2006-1137 20060327 PHPLiveHelper 1.8 remote command execution (include) Xploit (perl) 19428 phplivehelper-abspath-file-include(25489) 18509 20060619 Re: PHP Live Helper <=([abs_path]) Remote File Include Vulnerabilities 20060619 PHP Live Helper <=([abs_path]) Remote File Include Vulnerabilities 24199 24198 24197 24196 24195 24194 24193 Directory traversal vulnerability in (1) initiate.php and (2) possibly other PHP scripts in Turnkey Web Tools PHP Live Helper 1.8, and possibly later versions, allows remote authenticated users to include and execute arbitrary local files via directory traversal sequences in the language cookie, as demonstrated by uploading PHP code in a gl_session cookie to users.php, which causes the code to be stored in error.log, which is then included by initiate.php. This vulnerability may affect all other versions of Turnkey Web Tools, PHP Live Helper. http://www.turnkeywebtools.com/forum/showthread.php?p=10415 http://www.worlddefacers.de/Public/WD-TMPLH.txt 20060327 PHPLiveHelper 1.8 remote command execution (include) Xploit (perl) phplivehelper-abspath-file-include(25489) 641 19428 Multiple cross-site scripting (XSS) vulnerabilities in Serge Rey gtd-php (aka Getting Things Done) 0.5 allow remote attackers to inject arbitrary web script or HTML via the Description field in (1) newProject.php, (2) newList.php, and (3) newWaitingOn.php; the Title field in (4) newProject.php, (5) newList.php, (6) newWaitingOn.php, (7) newChecklist.php, (8) newContext.php, and (9) newGoal.php; the (10) Category Name field in newCategory.php; the (11) listTitle field in listReport.php; the (12) projectName field in projectReport.php; and the (13) checklistTitle field in checklistReport.php. ADV-2006-1203 24158 24157 24156 24155 24154 24153 24152 24151 24150 24149 http://osvdb.org/ref/24/24149-gtd-php.txt gtdphp-multiple-scripts-xss(25553) 17366 19512 Directory traversal vulnerability in start.php in WebAlbum 2.02 allows remote attackers to include arbitrary files and execute commands by (1) injecting code into local log files via GET commands, then (2) accessing that log via a .. (dot dot) sequence and a trailing null (%00) byte in the skin2 COOKIE parameter. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. ADV-2006-1108 17228 19400 1608 webalbum-skin2-parameter-file-include(25443) 24160 SQL injection vulnerability in search.php in PHP Ticket 0.71 allows remote authenticated users to execute arbitrary SQL commands and obtain usernames and passwords via the frm_search_in parameter. ADV-2006-1106 17229 19412 1609 phpticket-search-sql-injection(25436) Cross-site scripting (XSS) vulnerability in index.php in ConfTool 1.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter. 20060327 CanfTool v1.1 Cross Site Scripting Attack canftool-index-xss(25437) 17231 24264 635 20060328 Conftool, not Canftool; appears to be distributable Blazix Web Server before 1.2.6, when running on Windows, allows remote attackers to obtain the source code of JSP files via (1) . (dot), (2) space, and (3) slash characters in the extension of a URL. 17270 20060328 Secunia Research: Blazix Web Server JSP Source Code DisclosureVulnerability http://secunia.com/secunia_research/2006-22/advisory/ 19341 ADV-2006-1133 blazix-jsp-source-disclosure(25485) 24178 1015837 643 Genius VideoCAM NB Driver does not drop privileges when saving files, which allows local users to gain privileges by opening arbitrary files via the "save as" dialog. genius-videocam-saveas-gain-privileges(25501) 17284 20060328 Genius VideoCAM NB Local Privilege Escalation genius-videocam-saveas-gain-privileges(25501) 1015839 19437 gm-upload.cgi in Greymatter 1.3.1 allows remote authenticated users with upload privileges to execute arbitrary programs by uploading files to locations within the web root. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1138 17271 19423 greymatter-gmupload-file-upload(25496) 24210 Multiple cross-site scripting (XSS) vulnerabilities in index.cfm in realestateZONE 4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) bamin, (2) bemin, (3) pmin, and (4) state parameters. ADV-2006-1128 17277 19429 realestatezone-index-xss(25487) 24186 http://pridels0.blogspot.com/2006/03/realestatezone-42-multiple-xss-vuln.html Cross-site scripting (XSS) vulnerability in ActiveCampaign SupportTrio 2.50.2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the KnowledgeBase search module. supporttrio-search-xss(25495) ADV-2006-1126 17276 24192 19431 http://pridels0.blogspot.com/2006/03/activecampaign-supporttrio-25-vuln.html ActiveCampaign SupportTrio 2.5 allows remote attackers to obtain the full path of the server via invalid (1) article or (2) print parameters in a kb action to index.php, or (3) an invalid category parameter to modules/KB/pdf.php, which leaks the path in an error message. ADV-2006-1126 19431 supporttrio-index-pdf-path-disclosure(25517) 24191 24190 http://pridels0.blogspot.com/2006/03/activecampaign-supporttrio-25-vuln.html Multiple SQL injection vulnerabilities in FusionZONE CouponZONE local.cfm in 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) companyid, (2) scat, and (3) coid parameters. 17274 24179 couponzone-local-sql-injection(25576) http://pridels0.blogspot.com/2006/03/couponzone-v42-multiple-vuln.html PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents. TA06-333A http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?r1=1.112&r2=1.113 ADV-2006-4750 ADV-2006-2685 ADV-2006-1149 20060328 Critical PHP bug - act ASAP if you are running web with sensitive data 20060328 Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data oval:org.mitre.oval:def:11084 http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?view=log http://bugs.gentoo.org/show_bug.cgi?id=127939 php-htmlentitydecode-information-disclosure(25508) USN-320-1 2006-0020 17296 SUSE-SA:2006:024 MDKSA-2006:063 http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm GLSA-200605-08 23155 21125 20951 20210 20052 19979 19832 19570 19499 19383 RHSA-2006:0276 APPLE-SA-2006-11-28 http://docs.info.apple.com/article.html?artnum=304829 20060501-01-U Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer. horde-help-viewer-command-execution(25516) 17292 1015841 http://lists.horde.org/archives/announce/2006/000271.html ADV-2006-1154 SUSE-SR:2006:007 GLSA-200604-02 DSA-1034 DSA-1033 20060330 Recent unspecified Horde vuln is eval injection 19692 19619 19528 19504 19485 http://lists.horde.org/archives/announce/2006/000272.html http://cvs.horde.org/diff.php?f=horde%2Fservices%2Fhelp%2Findex.php&r1=2.85&r2=2.86 Directory traversal vulnerability in dir.php in Explorer XP allows remote attackers to read arbitrary files via the chemin parameter. http://www.zataz.com/news/10871/Probleme-de-securite-decouvert-dans-le-logiciel-ExploreXP.html ADV-2006-1165 http://www.silitix.com/explorerxp.php explorerxp-dir-directory-traversal(25523) 17303 24259 1015840 19460 20060329 ExplorerXP : Directory Traversal and Cross Site Scripting Cross-site scripting (XSS) vulnerability in dir.php in Explorer XP allows remote attackers to inject arbitrary web script or HTML via the chemin parameter. NOTE: it is possible that this issue is resultant from CVE-2006-1492. http://www.zataz.com/news/10871/Probleme-de-securite-decouvert-dans-le-logiciel-ExploreXP.html ADV-2006-1165 http://www.silitix.com/explorerxp.php explorerxp-dir-xss(25524) 17303 24260 1015840 19460 20060329 ExplorerXP : Directory Traversal and Cross Site Scripting Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function. 20060408 tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2 19599 ADV-2006-1290 oval:org.mitre.oval:def:10196 https://issues.rpath.com/browse/RPL-683 php-tempnam-directory-traversal(25705) USN-320-1 17439 20061005 rPSA-2006-0182-1 php php-mysql php-pgsql RHSA-2006:0568 RHSA-2006:0567 SUSE-SA:2006:024 MDKSA-2006:074 http://support.avaya.com/elmodocs2/security/ASA-2006-175.htm 1015881 677 22225 21723 21252 21202 21135 21125 21031 19979 19775 RHSA-2006:0549 20060701-01-U SQL injection vulnerability in general/sendpassword.php in (1) PHPCollab 2.4 and 2.5.rc3, and (2) NetOffice 2.5.3-pl1 and 2.6.0b2 allows remote attackers to execute arbitrary SQL commands via the loginForm parameter in the "forgotten password" option. netoffice-sendpassword-sql-injection(25503) ADV-2006-1142 ADV-2006-1141 17283 1617 GLSA-200812-20 33258 19449 http://downloads.securityfocus.com/vulnerabilities/exploits/PHPCollab_NetOffice_SQLINJ.php phpcollab-sendpassword-sql-injection(25505) netoffice-sendpassword-bypass-security(25503) 17286 24230 24226 19452 Multiple cross-site scripting (XSS) vulnerabilities in index.php in ViHor Design allow remote attackers to inject arbitrary web script or HTML via (1) a remote URL in the page parameter, which is processed by an fopen call, or (2) HTML or script in the page parameter, which is returned to the client in an error message for the failed fopen call. 17226 20060324 VihorDesing Script Remote Command Exucetion And Cross Scripting Attack 20060326 clarification of "VihorDesign" (not VihorDesing) issues 20060326 clarification of "VihorDesign" (not VihorDesing) issues vihordesign-index-xss(25483) 19403 Directory traversal vulnerability in index.php in ViHor Design allows remote attackers to read arbitrary files via the page parameter. 19403 ADV-2006-1114 17226 20060324 VihorDesing Script Remote Command Exucetion And Cross Scripting Attack 20060327 clarification of "VihorDesign" (not VihorDesing) issues 17227 20060326 clarification of "VihorDesign" (not VihorDesing) issues 625 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and 1.4.15 allows remote attackers to inject arbitrary web script or HTML via crafted encoded links. 17269 [MediaWiki-announce] 20060327 MediaWiki 1.5.8, 1.4.15 released [SECURITY] ADV-2006-1194 http://www.mediawiki.org/wiki/MediaWiki mediawiki-unspecified-xss(25588) SUSE-SR:2006:007 GLSA-200604-01 19517 19508 19504 SQL injection vulnerability in vCounter.php in vCounter 1.0 allows remote attackers to execute arbitrary SQL commands via the URI (_SERVER[REQUEST_URI] variable). ADV-2006-1147 19422 http://evuln.com/vulns/108/summary.html vcounter-url-sql-injection(25500) 17302 20060407 [eVuln] vCounter - sourceworkshop SQL Injection Vulnerability 24234 SQL injection vulnerability in index.php in Tilde CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. tildecms-index-sql-injection(25510) ADV-2006-1145 17299 24233 19447 http://osvdb.org/ref/24/24233-tilde.txt SQL injection vulnerability in index.php in OneOrZero 1.6.3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in the kans action. oneorzero-helpdesk-index-sql-injection(25511) ADV-2006-1146 17298 24228 19446 http://osvdb.org/ref/24/24228-oneorzero.txt Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attackers to cause a denial of service and trigger heap-based buffer overflows via (1) a certain ASF file handled by asfheader.c that causes the asf_descrambling function to be passed a negative integer after the conversion from a char to an int or (2) an AVI file with a crafted wLongsPerEntry or nEntriesInUse value in the indx chunk, which is handled in aviheader.c. http://www.xfocus.org/advisories/200603/11.html ADV-2006-1156 17295 20060329 [xfocus-SD-060329]MPlayer: Multiple integer overflows 19418 20060329 [xfocus-SD-060329]MPlayer: Multiple integer overflows mplayer-aviheader-integer-overflow(25514) mplayer-asfheader-integer-overflow(25513) 24247 24246 MDKSA-2006:068 GLSA-200605-01 1015842 647 532 19919 19565 PHP remote file inclusion vulnerability in includes/functions_install.php in Virtual War (VWar) 1.5.0 R11 and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1636. Successful exploitation requires that the "register_globals" parameter is enabled. virtual-war-functionsinstall-file-include(25497) ADV-2006-1144 17290 20060328 VWar <= 1.5.0 R11 Remote Code Execution Exploit 24239 19438 20060403 Vendor ACK for VWar issue - VWar used by PhpNuke Clan Multiple cross-site scripting (XSS) vulnerabilities in Arab Portal 2.0 (aka Arab Dynamic Portal or ADP) stable allow remote attackers to inject arbitrary web script or HTML via the title parameter in (1) online.php and (2) download.php. Successful exploitation requires that the "register_globals" parameter is enabled. ADV-2006-1150 20060328 ArabPortal 2.0 Stable CrossSiteScripting 19445 arabportal-online-download-xss(25515) 17285 24221 24220 673 base_maintenance.php in Basic Analysis and Security Engine (BASE) before 1.2.4 (melissa), when running in standalone mode, allows remote attackers to bypass authentication, possibly by setting the standalone parameter to "yes". Succesful exploitation requires that the product is running in standalone mode. 24101 ADV-2006-1192 http://cvs.sourceforge.net/viewcvs.py/secureideas/base-php4/docs/CHANGELOG?rev=1.233&view=markup 17354 19510 Unspecified vulnerability in rsh in Sun Microsystems Sun Grid Engine 5.3 before 20060327 and N1 Grid Engine 6.0 before 20060327 allows local users to gain root privileges. This vulnerability affects Sun Microsystems, Sun Grid Engine 5.3 before 20060327 & N1 Grid Engine 6.0 before 20060327. 102268 1015835 ADV-2006-1155 Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the error parameter to include.php, possibly due to a problem in login/login.php. 17291 20060328 XSS in PHPKIT Version 1.6.03 phpkit-error-xss(25594) Multiple cross-site scripting (XSS) vulnerabilities in MH Software Connect Daily Web Calendar Software 3.2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) calendar_id, (2) style_sheet, and (3) start parameters in (a) ViewDay.html; the (4) txtSearch and (5) opgSearch parameters in (b) ViewSearch.html; the (6) calendar_id and (7) approved parameters in (c) ViewYear.html; the (8) item_type_id parameter in (d) ViewCal.html; and the (9) week parameter in (e) ViewWeek.html. ADV-2006-1125 17287 19434 connectdailywebcalendar-multiple-xss(25474) 24185 24184 24183 24182 24181 http://pridels0.blogspot.com/2006/03/connect-daily-multiple-xss-vuln.html /sbin/passwd in HP-UX B.11.00, B.11.11, and B.11.23 before 20060326 "does not recover gracefully from some error conditions," which allows local users to cause a denial of service. This vulnerability affects all versions of HP-UX B.11.00, B.11.11, and B.11.23 before 20060326. SSRT5953 17280 HPSBUX02103 ADV-2006-1208 hpux-passwd-dos(25596) 19490 oval:org.mitre.oval:def:1690 oval:org.mitre.oval:def:1660 oval:org.mitre.oval:def:1412 Buffer overflow in calloc.c in the Microsoft Windows XP SP2 ntdll.dll system library, when used by the ILDASM disassembler in the Microsoft .NET 1.0 and 1.1 SDK, might allow user-assisted attackers to execute arbitrary code via a crafted .dll file with a large static method. Succesful exploitation can only occur when ntdll.dll system library is used by the ILDASM disassembler in the Microsoft .NET 1.0 and 1.1 SDK packages. 17243 19406 http://owasp.net/forums/234/showpost.aspx 20060327 Buffer OverFlow in ILASM and ILDASM ms-dotnet-ildasm-bo(25439) ADV-2006-1113 http://owasp.net/forums/257/showpost.aspx Buffer overflow in the ILASM assembler in the Microsoft .NET 1.0 and 1.1 Framework might allow user-assisted attackers to execute arbitrary code via a .il file that calls a function with a long name. ms-dotnet-ilasm-bo(25438) ADV-2006-1113 17243 19406 http://owasp.net/forums/257/showpost.aspx http://owasp.net/forums/234/showpost.aspx 20060327 Buffer OverFlow in ILASM and ILDASM ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1712. Reason: This candidate is a reservation duplicate of CVE-2006-1712. Notes: All CVE users should reference CVE-2006-1712 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple buffer overflows in abc2ps before 1.3.3 allow user-assisted attackers to execute arbitrary code via crafted ABC music files. DSA-1041 abc2ps-abc-bo(26043) ADV-2006-1511 17689 19807 19787 Multiple buffer overflows in the abcmidi-yaps translator in abcmidi 20050101, and other versions, allow remote attackers to execute arbitrary code via crafted ABC music files that trigger the overflows during translation into PostScript. 24974 DSA-1043 19829 19826 ADV-2006-1531 17704 Buffer overflow in the addnewword function in typespeed 0.4.4 and earlier might allow remote attackers to execute arbitrary code via unknown vectors. DSA-1084 20393 ADV-2006-2087 18194 20379 GLSA-200606-20 20708 The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read. TA07-072A http://www.wisec.it/vulns.php?page=7 1016017 19929 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html ADV-2008-1326 ADV-2007-0930 ADV-2006-1633 20060502 MySQL Anonymous Login Handshake - Information Leakage. oval:org.mitre.oval:def:9918 http://bugs.debian.org/365938 mysql-login-packet-info-disclosure(26236) USN-283-1 2006-0028 17780 20060516 UPDATE: [ GLSA 200605-13 ] MySQL: Information leakage RHSA-2006:0544 SUSE-SR:2006:012 MDKSA-2006:084 GLSA-200605-13 DSA-1079 DSA-1073 DSA-1071 236703 SSA:2006-155-01 840 29847 24479 20762 20625 20457 20424 20333 20253 20241 20223 20076 20073 20002 SUSE-SA:2006:036 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to obtain sensitive information via a COM_TABLE_DUMP request with an incorrect packet length, which includes portions of memory in an error message. TA07-072A http://www.wisec.it/vulns.php?page=8 1016016 19929 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365939 ADV-2008-1326 ADV-2007-0930 ADV-2006-1633 20060502 MySQL COM_TABLE_DUMP Information Leakage and Arbitrary commandexecution. oval:org.mitre.oval:def:11036 mysql-sqlparcecc-information-disclosure(26228) USN-283-1 2006-0028 17780 20060516 UPDATE: [ GLSA 200605-13 ] MySQL: Information leakage RHSA-2006:0544 25228 SUSE-SR:2006:012 MDKSA-2006:084 GLSA-200605-13 DSA-1079 DSA-1073 DSA-1071 236703 SSA:2006-155-01 839 29847 24479 20762 20625 20457 20424 20333 20253 20241 20223 20076 20073 20002 SUSE-SA:2006:036 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 Buffer overflow in the open_table function in sql_base.cc in MySQL 5.0.x up to 5.0.20 might allow remote attackers to execute arbitrary code via crafted COM_TABLE_DUMP packets with invalid length values. VU#602457 http://www.wisec.it/vulns.php?page=8 1016016 19929 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365939 ADV-2006-1633 20060502 MySQL COM_TABLE_DUMP Information Leakage and Arbitrary commandexecution. mysql-comtabledump-bo(26232) 17780 SUSE-SR:2006:012 DSA-1079 DSA-1073 DSA-1071 839 20762 20457 20333 20253 20241 SUSE-SA:2006:036 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-2224. Reason: This candidate is a duplicate of CVE-2006-2224. Notes: All CVE users should reference CVE-2006-2224 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Format string vulnerability in ANSI C Sender Policy Framework library (libspf) before 1.0.0-p5, when debugging is enabled, allows remote attackers to execute arbitrary code via format string specifiers, possibly in an e-mail address. http://www.libspf.org/index.html http://www.gossamer-threads.com/lists/spf/devel/27053?page=last http://permalink.gmane.org/gmane.mail.spam.spf.devel/849 ADV-2006-1846 libspf-debugging-format-string(26535) The sys_add_key function in the keyring code in Linux kernel 2.6.16.1 and 2.6.17-rc1, and possibly earlier versions, allows local users to cause a denial of service (OOPS) via keyctl requests that add a key to a user key instead of a keyring key, which causes an invalid dereference in the __keyring_search_one function. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188466 17451 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c3a9d6541f84ac3ff566982d08389b87c1c36b4e 19573 linux-keyringsearchone-dos(25722) ADV-2006-1475 ADV-2006-1307 USN-302-1 RHSA-2006:0493 24507 MDKSA-2006:086 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 21745 20716 20237 20157 19735 oval:org.mitre.oval:def:9325 FEDORA-2006-423 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.3 The __group_complete_signal function in the RCU signal handling (signal.c) in Linux kernel 2.6.16, and possibly other versions, has unknown impact and attack vectors related to improper use of BUG_ON. [linux-kernel] 20060411 [PATCH] __group_complete_signal: remove bogus BUG_ON https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188604 ADV-2006-2554 17640 SUSE-SA:2006:028 DSA-1103 20914 20398 madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow file and mmap restrictions, which allows local users to bypass IPC permissions and replace portions of readonly tmpfs files with zeroes, aka the MADV_REMOVE vulnerability. NOTE: this description was originally written in a way that combined two separate issues. The mprotect issue now has a separate name, CVE-2006-2071. 17587 19657 linux-madvise-security-bypass(25870) ADV-2006-2554 ADV-2006-1475 ADV-2006-1391 24714 SUSE-SA:2006:028 DSA-1103 DSA-1097 20914 20671 20398 19735 19664 FEDORA-2006-423 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6 ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference. 17593 19709 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189346 linux-ip-route-input-dos(25872) ADV-2006-2554 ADV-2006-1475 ADV-2006-1399 USN-281-1 RHSA-2006:0493 24715 SUSE-SA:2006:028 MDKSA-2006:086 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 21745 21476 20914 20671 20398 20237 20157 19955 19735 oval:org.mitre.oval:def:10146 FEDORA-2006-423 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8 Buffer overflow in the X render (Xrender) extension in X.org X server 6.8.0 up to allows attackers to cause a denial of service (crash), as demonstrated by the (1) XRenderCompositeTriStrip and (2) XRenderCompositeTriFan requests in the rendertest from XCB xcb/xcb-demo, which leads to an incorrect memory allocation due to a typo in an expression that uses a "&" instead of a "*" operator. NOTE: the subject line of the original announcement used an incorrect CVE number for this issue. VU#633257 RHSA-2006:0451 SUSE-SA:2006:023 GLSA-200605-02 19956 19951 19943 19921 19916 19915 19900 [xorg] 20060502 [CVE-2006-1525] X.Org security advisory: Buffer overflow in the Xrender extension https://bugs.freedesktop.org/show_bug.cgi?id=6642 ADV-2006-1617 USN-280-1 [3.8] 007: SECURITY FIX: May 2, 2006 1016018 oval:org.mitre.oval:def:9929 xorg-xrender-bo(26200) 2006-0024 17795 FLSA:190777 MDKSA-2006:081 102339 19983 The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the for_each_sctp_chunk function. Upgrade to Linux Kernel version 2.6.16.13 : http://www.kernel.org/ ADV-2006-1632 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.13 oval:org.mitre.oval:def:10373 linux-sctp-netfilter-dos(26194) USN-302-1 2006-0024 17806 RHSA-2006:0493 25229 SUSE-SA:2006:028 MDKSA-2006:086 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 21745 20716 20398 20237 20157 19926 Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168791 kernel-sg-dos(28510) ADV-2006-3330 USN-302-1 18101 RHSA-2006:0493 SUSE-SA:2006:047 SUSE-SA:2006:042 MDKSA-2006:123 DSA-1184 DSA-1183 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 22093 22082 21745 21555 21498 21179 21045 20716 20237 oval:org.mitre.oval:def:11037 http://marc.theaimsgroup.com/?l=linux-scsi&m=112540053711489&w=2 http://linux.bkbits.net:8080/linux-2.6/cset@43220081yu9ClBQNuqSSnW_9amW7iQ http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.33.1 Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 VU#350262 http://www.mozilla.org/security/announce/2006/mfsa2006-20.html https://bugzilla.mozilla.org/show_bug.cgi?id=315254 ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-1356 SSRT061181 SSRT061181 SSRT061236 17516 SSRT061236 DSA-1051 DSA-1046 1015921 1015920 1015919 22066 22065 21033 19941 19863 19649 19631 SCOSA-2006.26 oval:org.mitre.oval:def:1947 Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. This vulnerability is addresses in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 VU#350262 http://www.mozilla.org/security/announce/2006/mfsa2006-20.html https://bugzilla.mozilla.org/show_bug.cgi?id=326615 ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-1356 HPSBUX02153 SSRT061236 17516 HPSBUX02153 HPSBUX02156 DSA-1051 DSA-1046 1015921 1015920 1015919 22066 22065 21033 19941 19863 19649 19631 SCOSA-2006.26 oval:org.mitre.oval:def:1903 Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. VU#350262 ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 HPSBUX02153 SSRT061236 http://www.mozilla.org/security/announce/2006/mfsa2006-20.html 17516 HPSBUX02153 HPSBUX02156 DSA-1051 DSA-1046 1015921 1015920 1015919 22066 22065 21033 19941 19863 19649 19631 SCOSA-2006.26 oval:org.mitre.oval:def:2023 Cross-site scripting (XSS) vulnerability in search.php in PHP Classifieds 6.18, 6.20, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the searchword parameter. phpclassifieds-search-xss(25507) ADV-2006-1143 17305 24232 19440 http://osvdb.org/ref/24/24232-php_classifieds.txt SQL injection vulnerability in newsletter.php in Sourceworkshop newsletter 1.0 allows remote attackers to execute arbitrary SQL commands via the newsletteremail parameter. ADV-2006-1148 19425 http://evuln.com/vulns/107/summary.html newsletter-script-sql-injection(25498) 17304 20060407 [eVuln] newsletter - sourceworkshop SQL Injection Vulnerability 24229 Multiple SQL injection vulnerabilities in Null news allow remote attackers to execute arbitrary SQL commands via (1) the user_email parameter in (a) lostpass.php, and the (2) user_email and (3) user_username parameters in (b) sub.php and (c) unsub.php. Succesful exploitation of this vulnerability requires the "magic_quotes_gpc" parameter to be disabled. ADV-2006-1151 19413 http://evuln.com/vulns/109/summary.html nullnews-multiple-sql-injection(25502) 17300 20060408 [eVuln] Null news SQL Injection Vulnerability 24242 24241 24240 682 Cross-site scripting (XSS) vulnerability in login.php in Phoetux.net PhxContacts 0.93.1 beta and earlier allows remote attackers to inject arbitrary web script or HTML via the m parameter. 17307 20060328 PhxContacts <= 0.93.1 beta Multiple SQL injection & xss Multiple SQL injection vulnerabilities in Phoetux.net PhxContacts 0.93.1 beta and earlier allow remote attackers to execute arbitrary SQL commands via the (1) motclef and (2) nbr_line_view parameters in (a) carnet.php, and the (3) id_contact parameter in (b) contact_view.php. 17306 20060328 PhxContacts <= 0.93.1 beta Multiple SQL injection & xss Craig Knudsen WebCalendar 1.1.0-CVS allows remote attackers to obtain sensitive information via a direct request to (1) includes/index.php, (2) tests/add_duration_test.php, (3) tests/all_tests.php, (4) groups.php, (5) nonusers.php, (6) includes/settings.php, (7) includes/init.php, (8) includes/settings.php.orig, (9) includes/js/admin.php, (10) includes/js/edit_entry.php, (11) includes/js/edit_layer.php, (12) includes/js/export_import.php, (13) includes/js/popups.php, (14) includes/js/pref.php, or (15) includes/menu/index.php, which reveal the path in various error messages. 20060329 Full path disclosure in Webcalendar 1.1.0-CVS webcalendar-multiple-path-disclosure(25539) 24536 24535 24534 24533 24532 24531 24530 24529 24528 24527 24526 24525 24524 24523 24522 651 The Enova X-Wall ASIC encrypts with a key obtained via Microwire from a serial EEPROM that stores the key in cleartext, which allows local users with physical access to obtain the key by reading and duplicating an EEPROM that is located on a hardware token, or by sniffing the Microwire bus. Physical access to the device or hardware token is required to perform the attack. 20060329 [HV-INFO] Enova hardware encryption: false sense of security http://www.hexview.com/docs/20060328-1.txt enova-xwall-insecure-encryption-key(25527) 648 Multiple buffer overflows in the checkscores function in scores.c in tetris-bsd in bsd-games before 2.17-r1 in Gentoo Linux might allow local users with games group membership to gain privileges by modifying tetris-bsd.scores to contain crafted executable content, which is executed when another user launches tetris-bsd. 17308 GLSA-200603-26 http://bugs.gentoo.org/show_bug.cgi?id=122399 bsdgames-tetrisbsd-checkscores-bo(25611) 24261 19442 MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string. TA06-192A VU#609868 office-property-string-bo(27609) office-string-parse-bo(27607) ADV-2006-2756 18889 17252 20060710 SYMSA-2006-007: Microsoft Office Malformed String Parsing Vulnerability 27150 1615 MS06-038 1015855 21012 oval:org.mitre.oval:def:639 SQL injection vulnerability in Default.asp in EzASPSite 2.0 RC3 and earlier allows remote attackers to execute arbitrary SQL commands and obtain the SHA1 hash of the admin password via the Scheme parameter. ADV-2006-1164 http://www.nukedx.com/?viewdoc=22 1623 ezaspsite-default-sql-injection(25544) 17309 20060329 EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit Vulnerability. 24256 19441 20060329 EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit Vulnerability. Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a "stack overflow," and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected. Successful exploitation requires that the Python is running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5 RHSA-2008:0629 http://www.gotfault.net/research/exploit/gexp-python.py 31492 1591 Multiple SQL injection vulnerabilities in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) loginvar parameter in (a) admin/admin.php, and the (2) news and (3) nom parameters in (b) news.php. ADV-2006-1173 http://www.evuln.com/vulns/112 vnews-adminnews-sql-injection(25529) 17316 20060411 [eVuln] VNews Multiple Vulnerabilities 24274 24273 19435 Multiple cross-site scripting (XSS) vulnerabilities in news.php in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) autorkomentarza and (2) tresckomentarza parameters. ADV-2006-1173 http://www.evuln.com/vulns/112 vnews-news-xss(25530) 17317 20060411 [eVuln] VNews Multiple Vulnerabilities 24275 19435 Direct static code injection vulnerability in admin/config.php in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allows remote authenticated administrators to execute code by inserting the code into variables that are stored in admin/config.php. ADV-2006-1173 http://www.evuln.com/vulns/112 vnews-config-file-include(25531) 20060411 [eVuln] VNews Multiple Vulnerabilities 24276 19435 Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check. ADV-2006-1205 http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html [struts-user] 20060121 Validation Security Hole? [struts-devel] 20060122 Re: Validation Security Hole? http://issues.apache.org/bugzilla/show_bug.cgi?id=38374 struts-iscancelled-security-bypass(25612) 17342 1015856 20117 19493 SUSE-SR:2006:010 ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html ADV-2006-1205 http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 struts-actionform-dos(25613) 17342 1015856 20117 19493 SUSE-SR:2006:010 Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message. https://issues.apache.org/struts/browse/STR-2781 ADV-2006-1205 http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html http://issues.apache.org/bugzilla/show_bug.cgi?id=38749 struts-lookupmap-xss(25614) 17342 1015856 20117 19493 SUSE-SR:2006:010 PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation fault) by defining and executing a recursive function. NOTE: it has been reported by a reliable third party that some later versions are also affected. Upgrade to PHP 5.1.3-RC3 php-function-dos(25704) ADV-2006-1290 22766 20060414 Re: Re: function *() php/apache Crash PHP 4.4.2 and 5.1.2 20060412 Re: function *() php/apache Crash PHP 4.4.2 and 5.1.2 20060410 Re: function *() php/apache Crash PHP 4.4.2 and 5.1.2 20060409 function *() php/apache Crash PHP 4.4.2 and 5.1.2 http://www.php-security.org/MOPB/MOPB-02-2007.html 24485 1015880 676 2312 20060408 function *() php/apache Crash PHP 4.4.2 and 5.1.2 Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia 0.87 and later before 0.95-pre6 allow user-assisted attackers to have an unknown impact via a crafted xfig file, possibly involving an invalid (1) color index, (2) number of points, or (3) depth. 17310 diaxfig-xfig-import-bo(25566) USN-266-1 20060329 Buffer overflows in Dia XFig import RHSA-2006:0280 FEDORA-2006-261 SUSE-SR:2006:009 MDKSA-2006:062 GLSA-200604-14 DSA-1025 1015853 19959 19897 19765 19546 19543 19507 19505 19469 oval:org.mitre.oval:def:10361 [dia-list] 20060329 Vulnerability in xfig import code Eval injection vulnerability in pajax_call_dispatcher.php in PAJAX 0.5.1 and earlier allows remote attackers to execute arbitrary code via the (1) $method and (2) $args parameters. ADV-2006-1353 http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php pajax-pajaxcalldispatcher-code-execution(25859) 17519 20060413 PAJAX Remote Code Injection and File Inclusion Vulnerability 24618 19653 20060413 PAJAX Remote file inclusion and File Inclusion Vulnerability Integer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to cause a denial of service (crash) via a crafted JPEG image with malformed JPEG metadata, as demonstrated using Safari, aka "Deja-Doom". TA06-132A 20077 APPLE-SA-2006-05-11 macos-imageio-jpeg-bo(26412) ADV-2006-1779 17951 17321 25597 http://drunkenblog.com/drunkenblog-archives/000760.html SQL injection vulnerability in functions/final_functions.php in VSNS Lemon 3.2.0, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. 17281 1015836 19420 http://evuln.com/vulns/106/description.html vsns-lemon-finalfunctions-sql-injection(25456) 20060406 [eVuln] VSNS Lemon Multiple Vulnerabilities 24211 Cross-site scripting (XSS) vulnerability in VSNS Lemon 3.2.0 allows remote attackers to inject arbitrary web script or HTML via the name parameter while adding a comment. Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. 19420 http://evuln.com/vulns/106/description.html vsns-lemon-name-xss(25457) 17395 20060406 [eVuln] VSNS Lemon Multiple Vulnerabilities 24212 1015836 VSNS Lemon 3.2.0 allows remote attackers to bypass authentication and access password-protected articles by setting the vsns[topic_id] cookie to the targeted topic. 17396 20060406 [eVuln] VSNS Lemon Multiple Vulnerabilities 24213 1015836 19420 http://evuln.com/vulns/106/description.html vsns-lemon-cookie-auth-bypass(25459) Multiple cross-site scripting (XSS) vulnerabilities in view_caricatier.php in AL-Caricatier 2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) CatName, (2) CaricatierID, or (3) CatID parameter. 17289 20060328 XSS in AL-Caricatier 17292 alcaricatier-viewcaricatier-xss(25493) Multiple SQL injection vulnerabilities in X-Changer 0.2 allow remote attackers to execute arbitrary SQL commands via the (1) from and (2) into parameters in a calculate action, and the (3) id parameter in an edit action to index.php. ADV-2006-1188 17322 20060330 X-Changer <=v0.2 Demo SQL injection xchanger-index-sql-injection(25549) 24288 654 19459 Cross-site scripting (XSS) vulnerability in search.php in PHP Script Index allows remote attackers to inject arbitrary web script or HTML via the search parameter. ADV-2006-1158 17297 24243 19443 http://osvdb.org/ref/24/24243-script_index.txt SQL injection vulnerability in PHP Script Index allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1158 Multiple SQL injection vulnerabilities in SkinTech phpNewsManager 1.48 allow remote attackers to execute arbitrary SQL commands via unspecified parameters, possibly (1) id and (2) topicid, in (a) browse.php, (b) category.php, (c) gallery.php, (d) poll.php, and (e) possibly other unspecified scripts. NOTE: portions of the description details are obtained from third party information. phpnewsmanager-multiple-sql-injection(25512) ADV-2006-1152 17301 http://evuln.com/vulns/110 20060410 [eVuln] phpNewsManager Multiple SQL Injections 20060408 [eVuln] phpNewsManager Multiple SQL Injections 24268 24267 24266 24265 680 19391 SQL injection vulnerability in index.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allows remote attackers to execute arbitrary SQL commands via the x parameter. Successful exploitation requires that "magic_quotes_gpc" is set to off. ADV-2006-1174 http://evuln.com/vulns/111 vbook-index-sql-injection(25519) 17320 20060411 [eVuln] [V]Book Multiple Vulnerabilities 24270 696 19448 Multiple cross-site scripting (XSS) vulnerabilities in index.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) autor, (2) www, (3) temat, and (4) tresc parameters. ADV-2006-1174 http://evuln.com/vulns/111 vbook-index-xss(25521) 17319 20060411 [eVuln] [V]Book Multiple Vulnerabilities 24271 19448 Direct static code injection vulnerability in config.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allows remote administrators to execute arbitrary PHP code into the config file, which is included other [V]Book scripts. Successful exploitation requires that "magic_quotes_gpc" is set to off. ADV-2006-1174 http://evuln.com/vulns/111 vbook-config-file-include(25522) 20060411 [eVuln] [V]Book Multiple Vulnerabilities 24272 19448 Untrusted search path vulnerability in libapache2-svn 1.3.0-4 for Subversion in Debian GNU/Linux includes RPATH values under the /tmp/svn directory for the (1) mod_authz_svn.so and (2) mod_dav_svn.so modules, which might allow local users to gain privileges by installing malicious libraries in that directory. 17288 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359234 libapache2-svn-file-upload(25680) Untrusted search path vulnerability in libgpib-perl 3.2.06-2 in Debian GNU/Linux includes an RPATH value under the /tmp/buildd directory for the LinuxGpib.so module, which might allow local users to gain privileges by installing malicious libraries in that directory. 17288 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359239 libgpib-perl-buildd-file-upload(25681) Untrusted search path vulnerability in libtunepimp-perl 0.4.2-1 in Debian GNU/Linux includes an RPATH value under the /tmp/buildd directory for the tunepimp.so module, which might allow local users to gain privileges by installing malicious libraries in that directory. 17288 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359241 libtunepimp-perl-buildd-file-upload(25682) Cross-site scripting (XSS) vulnerability in searchresults.asp in SiteSearch Indexer 3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchField parameter. ADV-2006-1185 19467 sitesearch-indexer-searchfield-xss(25564) 17332 24289 http://pridels0.blogspot.com/2006/03/sitesearch-indexer-35-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in register.php in RedCMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) email, (2) location, or (3) website parameters. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2006-1186 19475 http://evuln.com/vulns/115/summary.html redcms-register-xss(25577) 17336 20060413 [eVuln] RedCMS Multiple XSS and SQL Injection Vulnerabilities 24296 708 Multiple SQL injection vulnerabilities in RedCMS 0.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters to (a) login.php or (b) register.php; or (3) u parameter to (c) profile.php. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2006-1186 19475 http://evuln.com/vulns/115/summary.html redcms-multiple-sql-injection(25578) 17336 20060413 [eVuln] RedCMS Multiple XSS and SQL Injection Vulnerabilities 24299 24298 24297 Cross-site scripting (XSS) vulnerability in Esqlanelapse 2.0 and 2.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. http://sourceforge.net/project/shownotes.php?release_id=406021 19474 ADV-2006-1183 esqlanelapse-xss(25568) 17331 24300 Multiple SQL injection vulnerabilities in loginprocess.php in qliteNews 2005.07.01 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters. Successful exploitation requires "magic_quotes_gpc" to be disabled. ADV-2006-1182 19476 http://evuln.com/vulns/114/summary.html qlitenews-loginprocess-sql-injection(25565) 17333 20060413 [eVuln] qliteNews SQL Injection Vulnerability 24301 701 SQL injection vulnerability in post.php in Oxygen 1.1.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter in a newthread action. ADV-2006-1181 17324 20060330 Oxygen<=1.x.x SQL injection 19481 oxygen-post-sql-injection(25570) 24287 658 PHP remote file inclusion vulnerability in index.php in MediaSlash Gallery allows remote attackers to execute arbitrary PHP code via a URL in the rub parameter (part of the $page_menu variable). 17323 20060330 MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability mediaslash-index-file-include(25583) 20060516 Re: MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability 24313 657 Cross-site scripting (XSS) vulnerability in Groupmax World Wide Web, World Wide Web Desktop, World Wide Web for Scheduler, and Desktop for Scheduler, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. Apply patch : http://www.hitachi-support.com/security_e/vuls_e/HS06-005_e/index-e.html http://www.hitachi-support.com/security_e/vuls_e/HS06-005_e/index-e.html ADV-2006-1180 19483 groupmax-www-xss(25574) 17337 24295 Multiple cross-site scripting (XSS) vulnerabilities in news.php in QLnews 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) autorx and (2) newsx parameters. 17335 19479 http://evuln.com/vulns/113/description.html qlnews-news-xss(25546) 20060412 [eVuln] QLnews XSS and PHP Code Insertion Vulnerabilities 24290 699 Direct static code injection vulnerability in QLnews 1.2 allows remote authenticated administrators to execute arbitrary PHP code by modifying config.php. 17335 19479 http://evuln.com/vulns/113/description.html qlnews-config-file-include(25548) 20060412 [eVuln] QLnews XSS and PHP Code Insertion Vulnerabilities 24291 Multiple cross-site scripting (XSS) vulnerabilities in view_all_set.php in Mantis 1.0.1, 1.0.0rc5, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) start_day, (2) start_year, and (3) start_month parameters. ADV-2006-1184 17326 19471 mantis-viewallset-script-xss(25579) 24292 DSA-1133 21400 http://pridels0.blogspot.com/2006/03/mantis-xss-vuln.html Multiple SQL injection vulnerabilities in Keystone Digital Library Suite (DLS) 1.5.4 and earlier allow remote attackers to execute arbitrary SQL commands via the subject_type_id parameter in (1) the index page and (2) the search module. keystonedls-subjecttypeid-sql-injection(25571) http://pridels0.blogspot.com/2006/03/keystone-dls-sql-vuln.html SQL injection vulnerability in topics.php in Dynamic Bulletin Board System (DbbS) 2.0-alpha and earlier allows remote attackers to execute arbitrary SQL commands via the limite parameter. dbbs-topics-sql-injection(25584) 17338 20060331 DbbS<=2.0-alpha SQL injection Multiple cross-site scripting (XSS) vulnerabilities in Bugzero 4.3.1 and other versions allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter in query.jsp and (2) entryId parameter in edit.jsp. ADV-2006-1195 bugzero-query-edit-xss(25601) 17351 24329 24328 19492 http://pridels0.blogspot.com/2006/04/bugzero-xss-vuln.html Directory traversal vulnerability in index.php in Blank'N'Berg 0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the _path parameter. http://www.silitix.com/bnb.php 17345 1015854 blanknberg-index-directory-traversal(25617) 24373 19520 Cross-site scripting (XSS) vulnerability in index.php in Blank'N'Berg 0.2 allows remote attackers to inject arbitrary web script or HTML via the _path parameter. NOTE: this might be resultant from the directory traversal issue. http://www.silitix.com/bnb.php 17346 1015854 blanknberg-index-xss(25618) 24374 19520 Cross-site scripting (XSS) vulnerability in index.php in Warcraft III Replay Parser for PHP 1.8c allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: post-disclosure analysis by CVE suggests that the "page" parameter is not used in this product, and "id" might be the affected parameter. 17334 20060331 Warcraft III Replay Parser Script Remote Command Exucetion Vulnerability And Cross-Site Scripting Attacking warcraft3-replay-parser-index-xss(25685) Unspecified vulnerability in index.php in Warcraft III Replay Parser for PHP 1.8c allows remote attackers to inject arbitrary web script or HTML via the page parameter, possibly related to fopen function calls or file uploads. NOTE: post-disclosure analysis by CVE suggests that the "page" parameter is not used in this product, and "id" might be the affected parameter. 17334 20060331 Warcraft III Replay Parser Script Remote Command Exucetion Vulnerability And Cross-Site Scripting Attacking warcraft3-replay-parser-index-file-include(25686) Multiple SQL injection vulnerabilities in MonAlbum 0.8.7 allow remote attackers to execute arbitrary SQL commands via (1) the pc parameter in (a) index.php and (2) pnom, (3) pcourriel, and (4) pcommentaire parameters in (b) image_agrandir.php. monalbum-image-imageagrandir-sql-injection(25572) ADV-2006-1206 20060331 MonAlbum 0.8.7 SQL Injection 17327 http://www.bash-x.net/undef/adv/monalbum.html 660 19503 SQL injection vulnerability in admin_login.asp in ISP of Egypt SiteMan allows remote attackers to execute arbitrary SQL commands via the pass parameter. ADV-2006-1190 17347 20060401 SiteMan <= All version SQL injection in admin_login.asp siteman-adminlogin-sql-injection(25595) 24362 19500 NetBSD 1.6 up to 3.0, when a user has "set record" in .mailrc with the default umask set, creates the record file with 0644 permissions, which allows local users to read the record file. 1015847 19465 bsd-mailrc-insecure-permissions(25581) 24258 The bridge ioctl (if_bridge code) in NetBSD 1.6 through 3.0 does not clear sensitive memory before copying ioctl results to the requesting process, which allows local users to obtain portions of kernel memory. 17312 1015846 19464 NetBSD-SA2006-005 bsd-ifbridge-information-disclosure(25582) 24262 The elf_load_file function in NetBSD 2.0 through 3.0 allows local users to cause a denial of service (kernel crash) via an ELF interpreter that does not have a PT_LOAD section in its header, which triggers a null dereference. The NetBSD 2.x versions are only affected if the kernel is compiled with the USE_TOPDOWN_VM option (not default in generic kernels). 1015848 NetBSD-SA2006-008 netbsd-elfloadfile-dos(25690) 24576 Cross-site scripting (XSS) vulnerability in the PrintFreshPage function in (1) Basic Analysis and Security Engine (BASE) 1.2.4 and (2) Analysis Console for Intrusion Databases (ACID) 0.9.6b23 allows remote attackers to inject arbitrary web script or HTML via the (a) back parameter to base_graph_main.php, (b) netmask parameter to base_stat_ipaddr.php, or (c) submit parameter to base_qry_alert.php within BASE, or (d) query string to acid_main.php in ACID, which causes the request URI ($_SERVER['REQUEST_URI']) to be inserted into a refresh operation. Analysis Console for Intrusion Databases - The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. Basic Analysis and Security Engine - Upgrade to cvs version or version 1.2.5 (daiga) or higher, as it has been reported to fix this vulnerability. ADV-2006-1264 24307 20835 [secureideas-base-devel] 20060328 3 XSS in BASE 1.2.4 base-multiple-scripts-xss(25671) 17391 19544 Heap-based buffer overflow in Microsoft Windows Help winhlp32.exe allows user-assisted attackers to execute arbitrary code via crafted embedded image data in a .hlp file. win-winhlp32-hlp-bo(25573) 17325 20060413 Windows Help Heap Overflow http://www.open-security.org/advisories/15 20060331 Windows Help Heap Overflow 700 Buffer overflow in the is_client_wad_ok function in w_wad.cpp for (1) Zdaemon 1.08.01 and (2) X-Doom allows remote attackers to execute arbitrary code via a long filename argument. ADV-2006-1199 ADV-2006-1198 20060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01 19509 http://aluigi.altervista.org/adv/zdaebof-adv.txt zdaemon-isclientwadok-bo(25592) 17340 19496 20060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01 The (1) ZD_MissingPlayer, (2) ZD_UseItem, and (3) ZD_LoadNewClientLevel functions in sv_main.cpp for (a) Zdaemon 1.08.01 and (b) X-Doom allows remote attackers to cause a denial of service (crash) via an invalid player slot or item number, which causes an invalid memory access, possibly due to an invalid array index. zdaemon-memory-access-dos(25593) ADV-2006-1199 ADV-2006-1198 17340 20060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01 662 19509 19496 20060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01 http://aluigi.altervista.org/adv/zdaebof-adv.txt Multiple directory traversal vulnerabilities in document/rqmkhtml.php in Claroline 1.7.4 and earlier allow remote attackers to use ".." (dot dot) sequences to (1) read arbitrary files via the file parameter in a rqEditHtml command to document/rqmkhtml.php or (2) execute arbitrary code via the includePath parameter to learnPath/include/scormExport.inc.php. Successful exploitation requires that "register_globals" is enabled. ADV-2006-1187 1627 19461 http://retrogod.altervista.org/claroline_174_incl_xpl.html claroline-rqmkhtml-directory-traversal(25561) 17343 Cross-site scripting (XSS) vulnerability in document/rqmkhtml.php in Claroline 1.7.4 and earlier allows remote attackers to read arbitrary files via ".." sequences in the file parameter in a rqEditHtml command. Successful exploitation requires that "register_globals" is enabled. claroline-rqmkhtml-xss(25562) ADV-2006-1187 17344 24285 19461 http://retrogod.altervista.org/claroline_174_incl_xpl.html 20060331 Re: [Full-disclosure] Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod 24284 1627 PHP remote file inclusion vulnerability in learnPath/include/scormExport.inc.php in Claroline 1.7.4 and earlier allows remote attackers to execute arbitrary PHP code via the includePath parameter. claroline-scormexportinc-file-include(25563) ADV-2006-1187 17341 19461 http://retrogod.altervista.org/claroline_174_incl_xpl.html 20060331 Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod 24286 1627 AN HTTPD 1.42n, and possibly other versions before 1.42p, allows remote attackers to obtain source code of scripts via crafted requests with (1) dot and (2) space characters in the file extension. 17350 19326 ADV-2006-1200 20060403 Secunia Research: AN HTTPD Script Source Disclosure Vulnerability http://secunia.com/secunia_research/2006-21/advisory anhttpd-script-source-disclosure(25591) 24323 1015858 Unspecified vulnerability in VCEngine.php in v-creator before 1.3-pre3, when the VC_CRYPTO_METHOD option is OPENSSL, allows remote attackers to execute arbitrary commands, possibly due to problems in the (1) enrypt and (2) decrypt functions. vcreator-vcengine-command-execution(25560) 19453 ADV-2006-1189 17328 http://sourceforge.net/forum/forum.php?forum_id=557129 24304 SQL injection vulnerability in category.php in PhpWebGallery 1.4.1 allows remote attackers to execute arbitrary SQL commands via the search parameter. 20060403 Phpwebgallery <= 1.4.1 SQL injection Vulnerability 669 Unspecified vulnerability in SunPlex Manager in Sun Cluster 3.1 4/04 allows local users with solaris.cluster.gui authorization to view arbitrary files via unspecified vectors. 19444 ADV-2006-1175 17313 102278 1015849 suncluster-sunplex-information-disclosure(25543) PHP remote file inclusion vulnerability in includes/functions_common.php in the VWar Account module (vWar_Account) in PHPNuke Clan 3.0.1 allows remote attackers to include arbitrary files via a URL in the vwar_root2 parameter. NOTE: it is possible that this issue stems from a problem in VWar itself, but this is not clear. ADV-2006-1202 17356 20060401 PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit 19501 phpnukeclan-functionscommon-file-include(25609) 24481 Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via the cur_password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1191 17355 19494 phpbb-profile-script-xss(25599) 24353 http://osvdb.org/ref/24/24353-phpbb.txt Unspecified vulnerability in Exponent CMS before 0.96.5 RC 1 has unknown impact and remote attack vectors related to variables that are not "typecasted." 17357 http://sourceforge.net/project/shownotes.php?release_id=406474&group_id=118524 19498 ADV-2006-1201 Unspecified vulnerability in the image module in Exponent CMS before 0.96.5 RC 1 allows remote attackers to execute arbitrary code via unknown vectors involving "parsed PHP." 17357 http://sourceforge.net/project/shownotes.php?release_id=406474&group_id=118524 19498 ADV-2006-1201 24358 Unspecified vulnerability in the image module in Exponent CMS before 0.96.5 RC 1 allows "directory disclosure" with unknown attack vectors. 17357 http://sourceforge.net/project/shownotes.php?release_id=406474&group_id=118524 19498 ADV-2006-1201 Unspecified vulnerability in the banner module in Exponent CMS before 0.96.5 RC 1 allows "php injection" via unknown attack vectors. 17357 http://sourceforge.net/project/shownotes.php?release_id=406474&group_id=118524 19498 ADV-2006-1201 exponent-banner-php-command-execution(25610) 24358 The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI. 20060408 copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2 19599 ADV-2006-1290 php-copy-safemode-bypass(25706) USN-320-1 17439 20060723 Re: new shell bypass safe mode 20060718 new shell bypass safe mode 20060409 copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2 24487 MDKSA-2006:074 http://us.php.net/releases/5_1_3.php 1015882 678 21125 19775 Unspecified vulnerability in Hitachi XFIT/S, XFIT/S/JCA, XFIT/S/ZGN, and XFIT/S ZENGIN TCP/IP Procedure allows remote attackers to cause a denial of service (server process and transfer control process stop) when the products "receive data unexpectedly". 17329 http://www.hitachi-support.com/security_e/vuls_e/HS06-004_e/index-e.html 19472 xfits-data-dos(25567) 24309 PHP remote file inclusion vulnerability in lib/armygame.php in SQuery 4.5 and earlier, as used in products such as Autonomous LAN party (ALP), allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. NOTE: this only occurs when register_globals is disabled. squery-file-include(25605) ADV-2006-1204 17434 20060401 SQuery <= 4.5 Remote File Inclusion Exploit 24400 19482 1629 Directory traversal vulnerability in KGB Archiver before 1.1.5.22 allows remote attackers to overwrite arbitrary files wile decompressing an archive, possibly due to directory traversal sequences in a filename. This vulnerability affects all versions of KGB, Archiver before 1.1.5.22 http://sourceforge.net/project/shownotes.php?group_id=162546&release_id=406411 ADV-2006-1207 19511 kgb-archiver-archive-directory-traversal(25606) 17363 Multiple cross-site scripting (XSS) vulnerabilities in visview.php in aWebNews 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) yname, (2) emailadd, (3) subject, and (4) comment parameters. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2006-1196 19487 http://evuln.com/vulns/116/summary.html awebnews-visview-xss(25589) 20060414 [eVuln] aWebNews Multiple XSS and SQL Injection Vulnerabilities 24333 707 Multiple SQL injection vulnerabilities in aWebNews 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user123 variable in (a) login.php or (b) fpass.php; or (2) cid parameter to (c) visview.php. Condition: magic_quotes_gpc = off ADV-2006-1196 19487 http://evuln.com/vulns/116/summary.html awebnews-multiple-sql-injection(25590) 20060414 [eVuln] aWebNews Multiple XSS and SQL Injection Vulnerabilities 24336 24335 24334 Integer overflow in the cli_scanpe function in the PE header parser (libclamav/pe.c) in Clam AntiVirus (ClamAV) before 0.88.1, when ArchiveMaxFileSize is disabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code. TA06-132A DSA-1024 http://sourceforge.net/project/shownotes.php?release_id=407078&group_id=86638 19536 19534 ADV-2006-1779 ADV-2006-1258 2006-0020 17388 20060406 [Overflow.pl] Clam AntiVirus Win32-UPX Heap Overflow (not default configuration) http://www.overflow.pl/adv/clamavupxinteger.txt GLSA-200604-06 19570 clamav-pe-overflow(25660) 17951 24457 MDKSA-2006:067 http://up2date.astaro.com/2006/05/low_up2date_6202.html 1015887 23719 20077 19608 19567 19564 SUSE-SA:2006:020 APPLE-SA-2006-05-11 Multiple format string vulnerabilities in the logging code in Clam AntiVirus (ClamAV) before 0.88.1 might allow remote attackers to execute arbitrary code. NOTE: as of 20060410, it is unclear whether this is a vulnerability, as there is some evidence that the arguments are actually being sanitized properly. TA06-132A 17388 GLSA-200604-06 DSA-1024 http://sourceforge.net/project/shownotes.php?release_id=407078&group_id=86638 19608 19570 19564 19536 19534 SUSE-SA:2006:020 clamav-output-format-string(25661) ADV-2006-1779 ADV-2006-1258 2006-0020 17951 24458 MDKSA-2006:067 http://up2date.astaro.com/2006/05/low_up2date_6202.html 23719 20077 19567 APPLE-SA-2006-05-11 Multiple SQL injection vulnerabilities in Advanced Poll 2.02 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to comments.php or (2) poll_id parameter to page.php. http://ns79.hosteur.com/~secuti/advancedpoll.txt advancedpoll-comments-page-sql-injection(25676) Multiple cross-site scripting (XSS) vulnerabilities in Advanced Poll 2.02 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to comments.php or (2) poll_id parameter to page.php. NOTE: it is possible that this issue is resultant from CVE-2006-1616. http://ns79.hosteur.com/~secuti/advancedpoll.txt advancedpoll-comments-page-xss(25677) Format string vulnerability in the (1) Con_message and (2) conPrintf functions in con_main.c in Doomsday engine 1.8.6 allows remote attackers to execute arbitrary code via format string specifiers in an argument to the JOIN command, and possibly other command arguments. ADV-2006-1221 19515 http://aluigi.altervista.org/adv/doomsdayfs-adv.txt doomsday-conmessage-conprintf-format-string(25622) 17369 20060403 Format string in Doomsday 1.8.6 GLSA-200604-05 1015860 19519 20060403 Format string in Doomsday 1.8.6 IBM WebSphere Application Server 4.0.1 through 4.0.3 allows remote attackers to cause a denial of service (application crash) via an HTTP request with a large header. ADV-2006-1214 PQ62144 1015857 websphere-http-header-dos(25619) admin/accounts/AccountActions.asp in Hosting Controller 2002 RC 1 allows remote attackers to modify passwords of other users, probably via an "Update User" ActionType with a modified UserName parameter and the PassCheck parameter set to TRUE. It was later reported that the vulnerability is present in 6.1 Hotfix 3.3 and earlier. hostingcontroller-multiple-security-bypass(39038) hosting-controller-accountactions-password(25673) 26862 20071213 Hosting Controller - Multiple Security Bugs (Extremely Critical) 20060402 Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC) 24773 4730 28973 http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html Directory traversal vulnerability in admin/folders/saveuploadfiles.asp in Hosting Controller 2002 RC 1 allows remote authenticated users to overwrite arbitrary files via an absolute path in the OpenPath parameter. 20060402 Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC) hosting-controller-Saveupload-file-upload(25675) 24772 Cross-site scripting (XSS) vulnerability in PHPSelect linksubmit allows remote attackers to inject arbitrary web script or HTML via (1) the description parameter to linklist.php and possibly other vectors involving (2) index.php and (3) linksubmit.php. 20060401 linksubmit <= All version Html Tag Injector in index.php linksubmit-linksubmit-xss(25607) Unspecified vulnerability in main.php in an unspecified "file created by Andries Bruinsma," possibly a FleXiBle Development (FXB) application, allows remote attackers to include and execute arbitrary PHP code. NOTE: this disclosure is extremely vague and has very little information about the specific vulnerability type. In addition, there is little public information on the named product. Finally, an XSS vector is implied in the subject line, but because there is no other information and evidence of a cut-and-paste error, it will not be assigned a separate CVE identifier unless additional information is provided. flexible-development-main-xss(25603) flexible-development-main-command-execution(25600) 20060405 Re: FleXiBle Development Script Remote Command Exucetion And XSS Attacking 20060401 FleXiBle Development Script Remote Command Exucetion And XSS Attacking 20060404 FleXiBle Development Script Remote Command Exucetion And XSS Attacking The default configuration of syslogd in the Linux sysklogd package does not enable the -x (disable name lookups) option, which allows remote attackers to cause a denial of service (traffic amplification) via messages with spoofed source IP addresses. 20060402 RE: DoS-ing sysklogd? 20060331 DoS-ing sysklogd? sysklogd-sourceip-dos(25672) Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode email tag, as demonstrated using the onmousemove event. mybb-email-bbcode-xss(25615) mybb-email-bbcode-xss(25615) ADV-2006-1216 17368 20060402 MyBB 1.10 New CrossSiteScripting 24375 19516 Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192. This vulnerability affects any version of Windows OS previous to XP SP2 that is using Internet Explorer 6.0 ie-swf-addressbar-spoofing(25634) ADV-2006-2319 ADV-2006-1218 17404 20060721 about bid 17404 20060404 Another way to spoof Internet Explorer Address Bar 20060403 Another Internet Explorer Address Bar Spoofing Vulnerability MS06-021 1016291 http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/ 19521 oval:org.mitre.oval:def:1918 oval:org.mitre.oval:def:1881 oval:org.mitre.oval:def:1842 oval:org.mitre.oval:def:1806 oval:org.mitre.oval:def:1604 oval:org.mitre.oval:def:1600 Adobe Document Server for Reader Extensions 6.0 does not provide proper access control, which allows remote authenticated users to perform privileged actions by modifying the (1) actionID and (2) pageID parameters. NOTE: due to an error during reservation, this identifier was inadvertently associated with multiple issues. Other CVE identifiers have been assigned to handle other problems that are covered by the same disclosure. ADV-2006-1342 http://www.adobe.com/support/techdocs/322699.html http://secunia.com/secunia_research/2005-68/advisory/ 15924 adobe-access-control-bypass(25769) 17500 20060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities 1015905 Adobe LiveCycle Workflow 7.01 and LiveCycle Forum Manager 7.01 allows users to authenticate and perform privileged actions when their account is marked "OBSOLETE" but the account is also active, within the authentication system. http://www.adobe.com/support/techdocs/333036.html 19620 ADV-2006-1343 adobe-livecycle-information-disclosure(25779) 17511 1015906 OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable. OpenVPN version 2.0.6 fixes this vulnerability. 17392 19531 http://openvpn.net/changelog.html ADV-2006-1261 http://www.osreviews.net/reviews/security/openvpn-print http://sourceforge.net/mailarchive/forum.php?thread_id=10093825&forum_id=8482 openvpn-ldpreload-code-execution(25667) 24444 SUSE-SR:2006:009 MDKSA-2006:069 DSA-1045 19897 19837 19598 The cli_bitset_set function in libclamav/others.c in Clam AntiVirus (ClamAV) before 0.88.1 allows remote attackers to cause a denial of service via unspecified vectors that trigger an "invalid memory access." TA06-132A DSA-1024 http://sourceforge.net/project/shownotes.php?release_id=407078&group_id=86638 19536 19534 ADV-2006-1779 ADV-2006-1258 17388 clamav-others-dos(25662) 2006-0020 17951 24459 MDKSA-2006:067 GLSA-200604-06 http://up2date.astaro.com/2006/05/low_up2date_6202.html 23719 20077 19608 19570 19567 19564 SUSE-SA:2006:020 APPLE-SA-2006-05-11 Unspecified vulnerability in the HTTP compression functionality in Cisco CSS 11500 Series Content Services switches allows remote attackers to cause a denial of service (device reload) via (1) "valid, but obsolete" or (2) "specially crafted" HTTP requests. 20060405 Cisco 11500 Content Services Switch HTTP Request Vulnerability ADV-2006-1257 cisco-css-http-comp-dos(25642) 17383 24433 1015870 19552 Cross-site scripting (XSS) vulnerability in index.php in LucidCMS 2.0.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the command parameter. 17360 20060402 Multiple Vulnerabilities in LucidCMS lucidcms-index-login-panel-xss(25632) LucidCMS 2.0.0 RC4 allows remote attackers to obtain sensitive information via a direct request to /lucid_phplib/translator.php, which reveals the path in an error message. 20060402 Multiple Vulnerabilities in LucidCMS lucidcms-translator-path-disclosure(25633) PHP remote file inclusion vulnerability in get_header.php in VWar 1.5.0 R12 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1503. 19524 ADV-2006-1228 17358 20060402 VWar <= 1.5.0 R12 Remote File Inclusion Exploit 24480 http://downloads.securityfocus.com/vulnerabilities/exploits/VWar_1.5.0_R12.pl Multiple cross-site scripting (XSS) vulnerabilities in aWebBB 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) tname or (2) fpost parameters to (a) post.php; (3) fullname, (4) emailadd, (5) country, (6) sig, or (7) otherav parameters to (b) editac.php; or (8) fullname, (9) emailadd, or (10) country parameters to (c) register.php. awebbb-multiple-xss(25585) ADV-2006-1197 17352 20060415 [eVuln] aWebBB Multiple XSS and SQL Injection Vulnerabilities 24339 24338 24337 19486 http://evuln.com/vulns/117/summary.html Multiple SQL injection vulnerabilities in aWebBB 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter to (a) accounts.php, (b) changep.php, (c) editac.php, (d) feedback.php, (e) fpass.php, (f) login.php, (g) post.php, (h) reply.php, or (i) reply_log.php; (2) p parameter to (j) dpost.php; (3) c parameter to (k) list.php or (l) ndis.php; or (12) q parameter to (m) search.php. Successful exploitation requires "magic_quotes_gpc" to be disabled. ADV-2006-1197 19486 http://evuln.com/vulns/117/summary.html awebbb-multiple-sql-injection(25587) 17352 20060415 [eVuln] aWebBB Multiple XSS and SQL Injection Vulnerabilities 24352 24351 24350 24349 24348 24347 24346 24345 24344 24343 24342 24341 24340 SQL injection vulnerability in index.php in wpBlog 0.4 allows remote attackers to execute arbitrary SQL commands via the postid parameter. Successful exploitation requires that "magic_quotes_gpc" is disabled. This vulnerability may affect all previous versions of Wire Plastik Design, wpBlog before 0.4 ADV-2006-1238 19538 http://evuln.com/vulns/119/summary.html wpblog-index-sql-injection(25628) 17381 20060417 [eVuln] Wire Plastik wpBlog SQL Injection Vulnerability 24385 1015951 734 Cross-site scripting (XSS) vulnerability in news.php in CzarNews 1.14 allows remote attackers to inject arbitrary web script or HTML via the email parameter. ADV-2006-1237 19541 http://evuln.com/vulns/118/summary.html czarnews-news-xss(25623) 17380 20060417 [eVuln] CzarNews XSS and Multiple SQL Injection Vulnerabilities 24381 1015957 732 Multiple SQL injection vulnerabilities in CzarNews 1.14 allow remote attackers to execute arbitrary SQL commands via the (1) usern or (2) passw parameters to (a) cn_auth.php, (3) s parameter to (b) news.php, or (4) a parameter to (c) dpost.php. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2006-1237 19541 http://evuln.com/vulns/118/summary.html czarnews-multiple-sql-injection(25624) 17380 20060417 [eVuln] CzarNews XSS and Multiple SQL Injection Vulnerabilities 24384 24383 24382 1015957 Cross-site scripting (XSS) vulnerability in Interact 2.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) the search_terms parameter to (a) search.php, and (2) the first_name, (3) last_name, (4) email, (5) password, and (6) confirm_password parameters to (b) userinput.php. NOTE: the provenance of this information is unknown; the details are obtained from third party. In addition, the lack of precision in the third party descriptions makes it unclear whether the named vectors are correct. ADV-2006-1244 19488 interact-search-xss(25652) 24461 24389 SQL injection vulnerability in login.php in Interact 2.1.1 allows remote attackers to execute arbitrary SQL commands via the user_name parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party. ADV-2006-1244 19488 interact-login-sql-injection(25653) 17385 24390 login.php in Interact 2.1.1 generates different responses depending on whether or not a username is valid, which allows remote attackers to determine valid usernames. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1244 19488 interact-login-error-info-disclosure(25651) 24388 Cross-site scripting (XSS) vulnerability in Anton Vlasov and Rostislav Gaitkuloff ReloadCMS 1.2.5 and earlier allows remote attackers to inject arbitrary web script or HTML and gain leverage to execute arbitrary PHP code via the User-Agent HTTP header, which is displayed by admin/modules/general/statistic.php in the administration panel. ADV-2006-1193 17353 20060402 ReloadCMS <= 1.2.5stable Cross site scripting / remote command execution 19470 reloadcms-useragent-xss(25604) 24327 The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in the Shoichi Sakane KAME Project racoon, as used by NetBSD 1.6, 2.x before 20060119, certain FreeBSD releases, and possibly other distributions of BSD or Linux operating systems, when running in aggressive mode, allows remote attackers to cause a denial of service (daemon crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/ 19463 http://mail-index.netbsd.org/source-changes/2006/01/19/0017.html An unspecified "logical programming mistake" in SMART SynchronEyes Student and Teacher 6.0, and possibly earlier versions, allows remote attackers to cause a denial of service via a large packet to the Teacher discovery port (UDP port 5496), which causes a thread to terminate and prevents communications on that port. ADV-2006-1241 17373 20060404 SMART Technologies SynchronEyes Remote Denial of Services synchroneyes-datagram-dos(25659) 1015869 19535 SMART SynchronEyes Student and Teacher 6.0, and possibly earlier versions, allows remote attackers to cause a denial of service (memory consumption) via a certain packet to the Teacher discovery port that causes SynchronEyes to connect to the attacker's machine and read a value that is used as a parameter to malloc. ADV-2006-1241 17373 20060404 SMART Technologies SynchronEyes Remote Denial of Services synchroneyes-packet-dos(25663) 24392 1015869 19535 The "restore to" selection in the "quarantine a file" capability of ESET NOD32 before 2.51.26 allows a restore to any directory that permits read access by the invoking user, which allows local users to create new files despite write-access directory permissions. ESET NOD32 Antivirus version 2.51.26 fixes this vulnerability. All versions of this product prior to 2.51.26 are vulnerable. 17374 20060404 NOD32 local privilege escalation vulnerability nod32-restoreto-file-upload(25640) ADV-2006-1242 24393 1015867 19054 672 Firefox 1.5.0.1 allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: a followup was unable to replicate this issue. ie-swf-addressbar-spoofing(25634) 20060406 Re: Re: Another Internet Explorer Address Bar Spoofing Vulnerability 20060404 Re: Another Internet Explorer Address Bar Spoofing Vulnerability ** DISPUTED ** Microsoft ISA Server 2004 allows remote attackers to bypass certain filtering rules, including ones for (1) ICMP and (2) TCP, via IPv6 packets. NOTE: An established researcher has disputed this issue, saying that "Neither ISA Server 2004 nor Windows 2003 Basic Firewall support IPv6 filtering ... This is different network protocol." This vulnerability has been disputed. 20060404 Re: Bypassing ISA Server 2004 with IPv6 20060403 Bypassing ISA Server 2004 with IPv6 20060410 Re: Bypassing ISA Server 2004 with IPv6 20060405 Re: Re: Bypassing ISA Server 2004 with IPv6 Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and earlier and (b) tabbed_viewer 1.29 (1) allow user-assisted remote attackers to execute arbitrary code via a malicious server that sends a long string to a client that connects on TCP port 5900, which triggers an overflow in Log::ReallyPrint; and (2) allow remote attackers to cause a denial of service (server crash) via a long HTTP GET request to TCP port 5800, which triggers an overflow in VNCLog::ReallyPrint. There are two seperate vulnerabilities here; One allows escalated priveleges to authenticated users, the other allows remote unauthenticated users to cause a Denial of Service (DoS). ultr@vnc-vnclogreallyprint-bo(25650) untr@vnc-error-bo(25648) ADV-2006-1240 17378 20060411 Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer POC 20060405 Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer and server 20060404 Buffer-overflow in Ultr@VNC 1.0.1 viewer and server 674 19513 1643 1642 20060404 Buffer-overflow in Ultr@VNC 1.0.1 viewer and server PHP remote file inclusion vulnerability in loadkernel.php in AngelineCMS 0.8.1 allows remote attackers to execute arbitrary PHP code via a URL in the installPath parameter. 17371 http://advisories.echo.or.id/adv/adv27-K-159-2006.txt angelinecms-loadkernel-file-include(25658) 20060404 [ECHO_ADV_27$2006] AngelineCMS 0.8.1 Installpath Remote File Inclusion 24610 Directory traversal vulnerability in the HP Color LaserJet 2500 Toolbox and Color LaserJet 4600 Toolbox on Microsoft Windows before 20060402 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request to TCP port 5225. SSRT061141 1015862 20060404 [SEC-1 LTD] HP Colour LaserJet 2500 and 4600 Toolbox Directory Traversal Vulnerability ADV-2006-1230 17367 HPSBPI2109 hp-laserjet-toolbox-directory-traversal(25627) 20060404 [SEC-1 LTD] HP Colour LaserJet 2500 and 4600 Toolbox Directory Traversal Vulnerability 24396 19529 Multiple buffer overflows in mpg123 0.59r allow user-assisted attackers to trigger a segmentation fault and possibly have other impacts via a certain MP3 file, as demonstrated by mpg1DoS3. NOTE: this issue might be related to CVE-2004-0991, but it is not clear. 17365 DSA-1074 20281 20275 20240 http://downloads.securityfocus.com/vulnerabilities/exploits/mpg1DoS3.pl MDKSA-2006:092 vserver in util-vserver 0.30.209 executes a command as root when the suexec userid parameter is invalid and non-numeric, which might cause local users to inadvertently execute dangerous commands as root. 17361 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360438 https://savannah.nongnu.org/patch/?func=detailitem&item_id=4966 https://savannah.nongnu.org/bugs/?func=detailitem&item_id=15996 Cross-site scripting (XSS) vulnerability in index.php in Chucky A. Ivey N.T. 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not filtered when the administrator views the "Login Log" page. ADV-2006-1243 19526 http://evuln.com/vulns/121/summary.html nt-index-xss(25638) 17387 20060419 [eVuln] N.T. Version 1.1.0 XSS and PHP Code Insertion Vulnerabilities 24397 741 Direct static code injection vulnerability in ticker.db.php in Chucky A. Ivey N.T. 1.1.0 allows remote administrators to insert arbitrary PHP code into the config file, which is included other N.T. scripts. ADV-2006-1243 19526 http://evuln.com/vulns/121/summary.html nt-ticker-file-include(25639) 17387 20060419 [eVuln] N.T. Version 1.1.0 XSS and PHP Code Insertion Vulnerabilities 24398 Multiple SQL injection vulnerabilities in Softbiz Image Gallery allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in image_desc.php, (2) provided parameter in template.php, (3) cid parameter in suggest_image.php, (4) img_id parameter in insert_rating.php, and (5) cid parameter in images.php. This vulnerability most likely affects all versions of Softbiz, Image Gallery. ADV-2006-1217 17339 20060331 SQL Injection in Softbiz Image Gallery 24372 24371 24370 24369 24368 19523 softbizimagegallery-multiple-sql-injection(25616) Cross-site scripting (XSS) vulnerability in image_desc.php in Softbiz Image Gallery allows remote attackers to inject arbitrary web script or HTML via msg parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. This vulnerability most likely affects all versions of Softbiz, Image Gallery. ADV-2006-1217 19523 Multiple cross-site scripting (XSS) vulnerabilities in SKForum 1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) areaID parameter in area.View.action, (2) time parameter in planning.View.action, and (3) userID parameter in user.View.action. skforum-multiple-xss(25641) ADV-2006-1260 17389 24432 24431 24430 19484 http://pridels0.blogspot.com/2006/04/skforum-xss-vuln.html The frontpage option in Limbo CMS 1.0.4.2 and 1.0.4.1 allows remote attackers to execute arbitrary PHP commands via the Itemid parameter in index.php. 20060404 Re: Limbo CMS code execution 16902 20060228 Limbo CMS code execution limbocms-index-code-execution(24992) 519 20060228 Limbo CMS code execution ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0996. Reason: This candidate is a reservation duplicate of CVE-2006-0996. Notes: All CVE users should reference CVE-2006-0996 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in xine_list_delete_current in libxine 1.14 and earlier, as distributed in xine-lib 1.1.1 and earlier, allows remote attackers to execute arbitrary code via a crafted MPEG stream. http://www.securityfocus.com/data/vulnerabilities/exploits/xinelib_poc.pl 17370 FEDORA-2008-1047 FEDORA-2008-1043 xinelib-mpeg-bo(25670) GLSA-200604-16 http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=571608 1015868 28666 19856 19853 1641 http://bugs.gentoo.org/show_bug.cgi?id=128838 Multiple cross-site scripting (XSS) vulnerabilities in Arab Portal 2.0.1 stable allow remote attackers to inject arbitrary web script or HTML via the (1) adminJump and (2) forum_middle parameters in (a) forum.php, and the (3) form parameter in (b) members.php, (c) pm.php, and (d) mail.php. arabportal-multiple-xss(25657) 17375 20060404 ArabPortal 2.0.1 Stable [ 9 CrossSiteScripting & 1 SQL Injection ] MultBugz SQL injection vulnerability in forum.php in Arab Portal 2.0.1 stable allows remote attackers to execute arbitrary SQL commands via the mineID parameter. arabportal-forum-sql-injection(25656) 17375 20060404 ArabPortal 2.0.1 Stable [ 9 CrossSiteScripting & 1 SQL Injection ] MultBugz 644 SQL injection vulnerability in slides.php in Eric Gerdes Crafty Syntax Image Gallery (CSIG) (aka PHP thumbnail Photo Gallery) 3.1g and earlier allows remote authenticated users to execute arbitrary SQL commands via the limitquery_s parameter when the $projectid variable is less than 1, which prevents the $limitquery_s from being set within slides.php. ADV-2006-1239 17379 19478 1645 http://bash-x.net/undef/exploits/crappy_syntax.txt http://bash-x.net/undef/adv/craftygallery.html crafty-slides-sql-injection(25654) 24386 newimage.php in Eric Gerdes Crafty Syntax Image Gallery (CSIG) (aka PHP thumbnail Photo Gallery) 3.1g and earlier allows remote authenticated users to upload and execute arbitrary PHP code via a multipart/form-data POST with a .jpg filename in the fullimage parameter and the ext parameter set to .php. Successful exploitation requires privileges to upload images. This product is also known as PHP thumbnail Photo Gallery. ADV-2006-1239 17379 19478 1645 http://bash-x.net/undef/exploits/crappy_syntax.txt http://bash-x.net/undef/adv/craftygallery.html crafty-http-post-code-execution(25655) 24387 SQL injection vulnerability in chat/messagesL.php3 in phpHeaven Team PHPMyChat 0.14.5 and earlier allows remote attackers to execute arbitrary SQL commands via the T parameter. NOTE: this issue can be leveraged to execute arbitrary shell commands since the username is later processed in an eval() call, but since the username originated from the SQL injection, it could be a resultant issue. 17382 20060405 PHPMyChat <= 0.14.5 remote commands execution 1015873 1646 phpmychat-messagesl-sql-injection(25687) Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (memory exhaustion and possibly card reset) by sending an invalid response when the final ACK is expected, aka bug ID CSCei45910. 17384 20060405 Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities ADV-2006-1256 cisco-ons-iplan-ack-dos(25643) 24434 1015872 19553 Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (card reset) via (1) a "crafted" IP packet to a device with secure mode EMS-to-network-element access, aka bug ID CSCsc51390; (2) a "crafted" IP packet to a device with IP on the LAN interface, aka bug ID CSCsd04168; and (3) a "malformed" OSPF packet, aka bug ID CSCsc54558. The vendor has released fixes to address these issues. ADV-2006-1256 17384 20060405 Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities cisco-ons-ospf-dos(25646) cisco-ons-cc-ip-dos(25645) cisco-ons-cc-ems-dos(25644) 24437 24436 24435 1015872 19553 The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a wildcard that grants the java.security.AllPermission permission to any http URL containing "fs/LAUNCHER.jar", which allows remote attackers to execute arbitrary code on a CTC workstation, aka bug ID CSCea25049. ADV-2006-1256 17384 20060405 Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities cisco-ons-ctc-code-execution(25647) 24438 1015871 19553 Cross-site scripting (XSS) vulnerability in vbugs.php in Dark_Wizard vBug Tracker 3.5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the sortorder parameter. ADV-2006-1267 vbulletin-vbugtracker-vbugs-xss(25649) 17407 24448 19562 http://pridels0.blogspot.com/2006/04/vbug-tracker-for-vbulletin-35x-xss.html Cross-site scripting (XSS) vulnerability in search.php in PHPWebGallery 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a different vulnerability than CVE-2006-1675. http://www.Silitix.com/phpwebgallery Multiple cross-site scripting (XSS) vulnerabilities in PHPWebGallery 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) num, and (3) search parameters to (a) category.php, and the (4) slideshow, (5) show_metadata, and (6) start parameters to (b) picture.php, a different vulnerability than CVE-2006-1674. ADV-2006-1301 17421 phpwebgallery-category-picture-xss(25733) 20060410 PHPWebGallery Multiple Cross Site Scripting Vulnerabilities 19610 SQL injection vulnerability in the display function in the Topics module for MAXdev MDPro (MD-Pro) 1.0.73 and 1.0.72, and possibly other versions before 1.076, allows remote attackers to execute arbitrary SQL commands via the topicid parameter in a display action, which is not properly handled in PNuserapi.PHP. mdpro-index-sql-injection(25710) ADV-2006-1282 17399 20060620 Re: MAXDEV CMS Multiple vulnerabilities 20060406 MAXDEV CMS Multiple vulnerabilities http://www.maxdev.com/Article592.phtml 19578 MAXdev MDPro 1.0.73 and 1.0.72, and possibly other versions before 1.076, allows remote attackers to obtain the full path of the server via a direct request to includes/legacy.php. mdpro-legacy-path-disclosure(25714) ADV-2006-1282 20060620 Re: MAXDEV CMS Multiple vulnerabilities 20060406 MAXDEV CMS Multiple vulnerabilities http://www.maxdev.com/Article592.phtml 19578 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.8.0.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors in unspecified scripts in the themes directory. http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1 19556 ADV-2006-1263 17390 phpmyadmin-themes-xss(25689) 24450 SUSE-SR:2006:009 DSA-1207 22781 19897 Cross-site scripting (XSS) vulnerability in modules/online.php in Jupiter CMS 1.1.5 allows remote attackers to inject arbitrary web script or HTML via the layout parameter to index.php. ADV-2006-1302 17405 20060407 Multiple vulnerability in jupiter CMS 19582 jupitercm-index-xss(25700) Jupiter CMS 1.1.5, when display_errors is enabled, allows remote attackers to obtain the full server path via a direct request to modules/online.php. ADV-2006-1302 20060407 Multiple vulnerability in jupiter CMS jupitercm-online-path-disclosure(25703) 19582 Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated. 19587 ADV-2006-1292 17408 20060406 XSS Bug in Cherokee Webserver cherokee-handlererror-xss(25698) 24469 Cross-site scripting (XSS) vulnerability in webplus.exe in TalentSoft Web+Shop 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the deptname parameter, possibly involving the webpshop/ department.wml script. ADV-2006-1289 17418 19594 webshop-deptname-xss(25721) http://pridels0.blogspot.com/2006/04/web-shop-50-xss.html SQL injection vulnerability in admin/login.php in Chipmunk Guestbook allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the User name. ADV-2006-1323 20060407 SQL Injection in Chipmunk Guestbook chipmunk-guestbook-login-sql-injection(25695) 17483 19584 Unspecified vulnerability in ecotwo Shopsystem 1.0-192 and earlier allows remote attackers to include arbitrary local files via (1) the lang parameter in news.php and (2) other unspecified vectors. http://pridels0.blogspot.com/2006/04/ecotwo-shopsystem-vuln.html Multiple SQL injection vulnerabilities in modules.php in APT-webshop-system 4.0 PRO, 3.0 BASIC, and 3.0 LIGHT allow remote attackers to execute arbitrary SQL commands via the (1) group, (2) seite, and (3) id parameter, possibly involving the artikel functionality. NOTE: this vulnerability also allows resultant path disclosure when the SQL queries are invalid. ADV-2006-1293 19592 apt-webshop-sql-injection(25731) 17425 http://pridels0.blogspot.com/2006/04/apt-webshop-system-vuln.html Unspecified vulnerability in modules.php in APT-webshop-system 4.0 PRO, 3.0 BASIC, and 3.0 LIGHT allows remote attackers to access unspecified files via a modified warp parameter. http://pridels0.blogspot.com/2006/04/apt-webshop-system-vuln.html Cross-site scripting (XSS) vulnerability in APT-webshop-system 4.0 PRO, 3.0 BASIC, and 3.0 LIGHT allows remote attackers to inject arbitrary web script or HTML via the message parameter, probably involving the basket functionality. ADV-2006-1293 19592 http://pridels0.blogspot.com/2006/04/apt-webshop-system-vuln.html Multiple PHP remote file inclusion vulnerabilities in SQuery 4.5 and earlier, as used in products such as Autonomous LAN party (ALP), allow remote attackers to execute arbitrary PHP code via a URL in the libpath parameter to scripts in the lib directory including (1) ase.php, (2) devi.php, (3) doom3.php, (4) et.php, (5) flashpoint.php, (6) gameSpy.php, (7) gameSpy2.php, (8) gore.php, (9) gsvari.php, (10) halo.php, (11) hlife.php, (12) hlife2.php, (13) igi2.php, (14) main.lib.php, (15) netpanzer.php, (16) old_hlife.php, (17) pkill.php, (18) q2a.php, (19) q3a.php, (20) qworld.php, (21) rene.php, (22) rvbshld.php, (23) savage.php, (24) simracer.php, (25) sof1.php, (26) sof2.php, (27) unreal.php, (28) ut2004.php, and (29) vietcong.php. NOTE: the lib/armygame.php vector is already covered by CVE-2006-1610. The provenance of most of these additional vectors is unknown, although likely from post-disclosure analysis. NOTE: this only occurs when register_globals is disabled. ADV-2006-1284 17434 20060724 SQuery v.x (devi.php) (armygame.php) Remote File Inclusion 20060710 SQuery <= 4.5(libpath) Remote File Inclusion Exploit 20060408 Autonomous LAN party File iNclusion 24429 24428 24427 24426 24425 24424 24423 24422 24421 24420 24419 24418 24417 24416 24415 24414 24413 24412 24411 24410 24409 24408 24407 24406 24405 24404 24403 24402 24401 http://www.blogcu.com/Liz0ziM/431845/ 1015884 679 19588 19482 http://liz0zim.no-ip.org/alp.txt Unspecified vulnerability in su in HP HP-UX B.11.11, when using the LDAP netgroup feature, allows local users to gain unspecified access. HP-UX B.11.11: Install PHCO_34545 or later. ADV-2006-1272 SSRT061132 SSRT061132 24449 1015874 19560 hpux-su-ldap-privilege-escalation(25691) 17400 oval:org.mitre.oval:def:1754 Cross-site scripting (XSS) vulnerability in subscribe.php in MWNewsletter 1.0.0b allows remote attackers to inject arbitrary web script or HTML via the user_name parameter. ADV-2006-1270 19568 http://evuln.com/vulns/123/summary.html mwnewsletter-subscribe-xss(25684) 17412 24446 752 20060421 [eVuln] MWNewsletter SQL Injection and XSS Vulnerabilities SQL injection vulnerability in MWNewsletter 1.0.0b allows remote attackers to execute arbitrary SQL commands via the user_name parameter to unsubscribe.php. ADV-2006-1270 19568 http://evuln.com/vulns/123/summary.html mwnewsletter-unsubscribe-sql-injection(25683) 17412 24905 24445 20060421 [eVuln] MWNewsletter SQL Injection and XSS Vulnerabilities Multiple SQL injection vulnerabilities in MWNewsletter 1.0.0b allow remote attackers to execute arbitrary SQL commands via the (1) user_email parameter to (a) unsubscribe.php or (b) subscribe.php; or the (2) user_name parameter to subscribe.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, although it is likely that this was discovered during post-disclosure analysis. ADV-2006-1270 19568 24905 24445 Unspecified vulnerability in GlobalSCAPE Secure FTP Server before 3.1.4 Build 01.10.2006 allows attackers to cause a denial of service (application crash) via a "custom command" with a long argument. This issue is addressed in Secure FTP Server 3.1.4 Build 01.10.2006. 17398 19547 http://www.globalscape.com/gsftps/history.asp globalscape-custom-commands-dos(25665) 24451 SQL injection vulnerability in members.php in XBrite Members 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2006-1283 17424 19602 1655 xbritemembers-id-sql-injection(25708) The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID]. ADV-2006-1281 19559 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361370 fbida-fbgs-tmpdir-symlink(25729) 17436 SUSE-SR:2006:019 GLSA-200604-13 DSA-1068 21459 20166 19766 Cross-site scripting (XSS) vulnerability in Gallery before 1.5.3 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. http://sourceforge.net/project/shownotes.php?release_id=408602&group_id=7130 19580 ADV-2006-1285 gallery-unspecified-xss(25707) 17437 24466 Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3.1 allows remote attackers to execute arbitrary web script or HTML via the (1) Your Name, (2) E-Mail, or (3) Comments fields when posting a message. ADV-2006-1287 17438 20060408 Matt Wright Guestbook Xss Script &#304;njection 24479 19586 http://liz0zim.no-ip.org/mattguestbook.html guestbook-guestbook-parameters-xss(25697) 681 Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3.1 allows remote attackers to execute arbitrary web script or HTML via the (1) url, (2) city, (3) state, or (4) country parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, although it is likely that they are the result of post-disclosure analysis. ADV-2006-1287 19586 guestbook-guestbook-parameters-xss(25697) Cross-site scripting (XSS) vulnerability in index.php in Aweb Banner Generator 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the banner parameter in view mode. ADV-2006-1348 17416 1015877 awebbannergenerator-index-xss(25782) 19621 Buy.php in Aweb Scripts Seller uses predictable cookies for authentication based on the time and the script number, which allows remote attackers to bypass authentication. 17417 1015878 19626 Cross-site scripting (XSS) vulnerability in the Pages module in Shadowed Portal allows remote attackers to inject arbitrary web script or HTML via the page parameter to load.php. ADV-2006-1286 20060408 Shadowed Portal Cross Site Scripting 19595 http://liz0zim.no-ip.org/shad0w.txt shadowedportal-load-xss(25716) 17430 685 PHP remote file inclusion vulnerability in spip_login.php3 in SPIP 1.8.3 allows remote attackers to execute arbitrary PHP code via a URL in the url parameter. 17423 20060409 Vulnerabilities in SPIP spip-spiplogin-file-include(25711) PHP remote file inclusion vulnerability in lire.php in Sire 2.0 nws allows remote attackers to execute arbitrary PHP code via a URL in the rub parameter. 17428 20060407 Sire 2.0 Nws Remote File inclusion & Arbitary Files Upload sire-lire-file-include(25726) 1015885 Sire 2.0 nws allows remote attackers to upload arbitrary image files without authentication via a direct request to upload.php. 17431 20060407 Sire 2.0 Nws Remote File inclusion & Arbitary Files Upload sire-upload-auth-bypass(25727) 1015885 Oracle Database 9.2.0.0 to 10.2.0.3 allows local users with "SELECT" privileges for a base table to insert, update, or delete data by creating a crafted view then performing the operations on that view. VU#805737 ADV-2006-1297 17426 20060410 Oracle read-only user can insert/update/delete data via specially crafted views http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html 1015886 19574 oracle-base-table-data-manipulation(25696) 20060410 Oracle read-only user can insert/update/delete data via specially crafted views Multiple SQL injection vulnerabilities in Shopweezle 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) itemID parameter to (a) login.php and (b) memo.php; and the (2) itemgr, (3) brandID, and (4) album parameters to (c) index.php. NOTE: this issue also produces resultant full path disclosure from invalid SQL queries. ADV-2006-1291 17441 19593 shopweezle-multiple-path-disclosure(25724) shopweezle-multiple-sql-injection(25723) 24473 24472 24471 24470 http://pridels0.blogspot.com/2006/04/shopweezle-20-multiple-vuln.html index.php in Shopweezle 2.0 allows remote attackers to include arbitrary local files via the url parameter. shopweezle-index-file-include(25725) 24474 http://pridels0.blogspot.com/2006/04/shopweezle-20-multiple-vuln.html SQL injection vulnerability in member.php in Clansys 1.1 allows remote attackers to execute arbitrary SQL commands via the showid parameter in the member page to index.php. ADV-2006-1295 19609 clansys-index-sql-injection(25746) 17456 1015935 1662 Cross-site scripting (XSS) vulnerability in shop_main.cgi in interaktiv.shop 5 allows remote attackers to inject arbitrary web script or HTML via the (1) pn and (2) sbeg parameters. ADV-2006-1326 17485 24557 19622 interaktiv-shopmain-xss(25739) http://pridels0.blogspot.com/2006/04/interaktivshop-v5-xss-vuln.html SQL injection vulnerability in admin.php in Design Nation DNGuestbook 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) email and (2) id parameters. Successful exploitation requires that "magic_quotes_gpc" is disabled. dnguestbook-admin-sql-injection(25699) ADV-2006-1299 17435 19601 1653 Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits. https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt ADV-2006-1340 http://dev.plone.org/plone/ticket/5432 plone-memberid-data-manipulation(25781) 17484 DSA-1032 19640 19633 Cross-site scripting (XSS) vulnerability in the private archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers to inject arbitrary web script or HTML via the action argument. 17403 1015876 19558 ADV-2006-1269 24442 [Mailman-Announce] 20060407 Released: Mailman 2.1.8 release candidate http://bugs.gentoo.org/show_bug.cgi?id=129136 http://www.mail-archive.com/mailman-checkins@python.org/msg06273.html Cross-site scripting (XSS) vulnerability in index.php in Christoph Roeder phpMyForum 4.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter. 17420 20060410 phpMyForum Cross Site Scripting & CRLF injection phpmyforum-index-xss(25742) 20060425 Re: phpMyForum Cross Site Scripting & CRLF injection CRLF injection vulnerability in index.php in Christoph Roeder phpMyForum 4.0 allows remote attackers to inject HTTP headers via hex-encoded CRLF sequences in the type parameter. 17420 20060410 phpMyForum Cross Site Scripting & CRLF injection phpmyforum-index-crlf-injection(25750) 20060425 Re: phpMyForum Cross Site Scripting & CRLF injection Multiple directory traversal vulnerabilities in Christian Kindahl TUGZip 3.4.0.0, 3.3.0.0, and 3.1.0.2 allow user-assisted attackers to create files in arbitrary directories via a .. (dot dot) in an archive pack with a crafted (1) .gz, (2) .jar, (3) .rar, or (4) .zip file. tugzip-archive-directory-traversal(25713) 17432 20060410 TUGZip Archive Extraction Directory traversal http://www.hamid.ir/security/tugzip.txt 686 Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode img tag. NOTE: the email vector is already covered by CVE-2006-1625, although it might stem from the same core issue. Successful exploitation requires that unauthenticated users are allowed to post new threads (not the default setting). mybb-email-img-bbcode-xss(25615) mybb-email-bbcode-xss(25615) 17413 20060407 [KAPDA::#38] - MyBB 1.1.0~functions_post.php~XSS Attack 24375 19516 http://myimei.com/security/2006-03-12/mybb-110functions_postphpxss-attack.html http://kapda.ir/advisory-305.html Cross-site scripting (XSS) vulnerability in newthread.php in MyBB (aka MyBulletinBoard) 1.10, when configured to permit new threads by unregistered users, allows remote attackers to inject arbitrary web script or HTML via the username. Successful exploitation requires that unauthenticated users are allowed to post new threads (not the default setting). 17427 20060409 MyBB 1.10 'newthread.php' < CrossSiteScripting > 19516 mybb-newthread-xss(25730) Magus Perde Clever Copy 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to view the database username and password via a direct request for connect.inc. ADV-2006-1316 17461 20060407 [ECHO_ADV_28$2006] Clever Copy <= 3.0 Connect.inc Critical Information Disclosure 19579 http://advisories.echo.or.id/adv/adv28-K-159-2006.txt clevercopy-connect-disclose-information(25720) Internet Explorer 6 allows remote attackers to cause a denial of service (application crash) via any scrollbar Cascading Style Sheets (CSS) property. 20060410 Re: IE6 Crash 20060407 IE6 Crash ie-css-scrollbar-dos(25852) Cross-site scripting (XSS) vulnerability in search.php in SaphpLesson 3.0 allows remote attackers to inject arbitrary web script or HTML via the Word parameter. NOTE: it is possible that this issue is resultant from SQL injection. ADV-2006-1317 20060407 Xss In SaphpLesson3.0 saphplesson-search-xss(25719) 17414 1015883 683 digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer (SASL) library 2.1.18, and possibly other versions before 2.1.21, allows remote unauthenticated attackers to cause a denial of service (segmentation fault) via malformed inputs in DIGEST-MD5 negotiation. 17446 19618 http://labs.musecurity.com/advisories/MU-200604-01.txt cyrus-sasl-digest-dos(25738) ADV-2008-1744 ADV-2006-3852 ADV-2006-1306 http://www.vmware.com/security/advisories/VMSA-2008-0009.html USN-272-1 2006-0024 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues RHSA-2007:0878 RHSA-2007:0795 SUSE-SA:2006:025 MDKSA-2006:073 GLSA-200604-09 DSA-1042 http://support.avaya.com/elmodocs2/security/ASA-2007-426.htm 1016960 30535 27237 26857 26708 22187 20014 19964 19825 19809 19753 oval:org.mitre.oval:def:9861 20060410 [MU-200604-01] Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service APPLE-SA-2006-09-29 http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=7775 20070901-01-P Cross-site scripting (XSS) vulnerability in suche.htm in ShopXS 4.0 allows remote attackers to inject arbitrary web script or HTML via the Suchstring1 (aka search) parameter. shopxs-search-xss(25715) http://pridels0.blogspot.com/2006/04/shopxs-v40-xss-vuln_10.html Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 VU#350262 http://www.mozilla.org/security/announce/2006/mfsa2006-20.html ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-1356 HPSBUX02153 SSRT061236 17516 SSRT061181 SSRT061236 DSA-1051 DSA-1046 1015921 1015920 1015919 22066 22065 21033 19941 19863 19649 19631 SCOSA-2006.26 oval:org.mitre.oval:def:1574 Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to DHTML. Fixed in: Firefox 1.5.0.2 Thunderbird 1.5.0.2 SeaMonkey 1.0.1 TA06-107A VU#350262 https://bugzilla.mozilla.org/show_bug.cgi?id=282105 ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-1356 HPSBUX02153 SSRT061236 SSRT061145 http://www.mozilla.org/security/announce/2006/mfsa2006-20.html 228526 oval:org.mitre.oval:def:10243 17516 HPSBUX02153 HPSBUX02156 FLSA:189137-2 HPSBTU02118 RHSA-2006:0330 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 DSA-1051 DSA-1046 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 1015921 1015920 1015919 22066 22065 21622 21033 19941 19863 19780 19714 19696 19649 19631 SCOSA-2006.26 oval:org.mitre.oval:def:1901 Mozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes certain windows to become translucent due to an interaction between XUL content windows and the history mechanism, which might allow user-assisted remote attackers to trick users into executing arbitrary code. Fixed in: Firefox 1.5.0.2 SeaMonkey 1.0.1 https://bugzilla.mozilla.org/show_bug.cgi?id=327014 mozilla-xul-window-spoofing(25827) ADV-2008-0083 ADV-2006-3748 ADV-2006-1356 17516 SSRT061181 SSRT061181 http://www.mozilla.org/security/announce/2006/mfsa2006-29.html 22066 19649 19631 oval:org.mitre.oval:def:1471 Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method. This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 TA06-107A VU#968814 http://www.mozilla.org/security/announce/2006/mfsa2006-28.html mozilla-valuetofunctionobject-sec-bypass(25825) ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-1356 17516 SSRT061181 HPSBUX02153 SSRT061236 SSRT061236 SSRT061145 HPSBTU02118 1015933 1015932 1015931 22066 22065 19649 19631 oval:org.mitre.oval:def:1968 Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to gain chrome privileges via multiple attack vectors related to the use of XBL scripts with "Print Preview". Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 Thunderbird 1.5.0.2 Thunderbird 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13 ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-3391 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 HPSBUX02153 HPSBUX02153 SSRT061236 HPSBUX02122 SSRT061158 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-25.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 228526 102550 1015929 1015928 1015927 1015926 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19759 19746 19721 19714 19649 19631 oval:org.mitre.oval:def:10364 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-printpreview-privilege-escalation(25824) SSRT061236 MDKSA-2006:078 MDKSA-2006:076 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 22066 22065 20051 19780 19729 19696 oval:org.mitre.oval:def:1649 Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via unknown vectors related to the crypto.generateCRMFRequest method. Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 Thunderbird 1.5.0.2 Thunderbird 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13 TA06-107A VU#932734 ADV-2008-0083 ADV-2007-0058 ADV-2006-3749 ADV-2006-3748 ADV-2006-3391 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 HPSBUX02153 SSRT061236 SSRT061158 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 SSRT061145 SSRT061145 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-24.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 1015925 1015924 1015923 1015922 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19721 19714 19649 19631 oval:org.mitre.oval:def:10508 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-generatecrmfrequest-code-execution(25812) SSRT061181 SSRT061236 MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102763 102550 22066 22065 21622 21033 20051 19780 19729 19696 oval:org.mitre.oval:def:1698 Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to read arbitrary files by (1) inserting the target filename into a text box, then turning that box into a file upload control, or (2) changing the type of the input control that is associated with an event handler. Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13 mozilla-textbox-file-access(25823) ADV-2008-0083 ADV-2006-3748 ADV-2006-3391 ADV-2006-1356 USN-275-1 USN-271-1 17516 HPSBUX02153 HPSBUX02153 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:035 http://www.mozilla.org/security/announce/2006/mfsa2006-23.html MDKSA-2006:076 MDKSA-2006:075 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 22066 21622 21033 19941 19902 19863 19862 19852 19811 19794 19759 19746 19729 19721 19714 19696 19649 19631 oval:org.mitre.oval:def:10922 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1929 Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via a large number in the CSS letter-spacing property that leads to a heap-based buffer overflow. Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 Thunderbird 1.5.0.2 Thunderbird 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13 TA06-107A VU#179014 1015918 1015917 1015916 1015915 19649 19631 http://www.zerodayinitiative.com/advisories/ZDI-06-010.html ADV-2008-0083 ADV-2006-3749 ADV-2006-3748 ADV-2006-3391 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 HPSBUX02153 SSRT061236 SSRT061158 SSRT061158 FLSA:189137-2 FLSA:189137-1 SSRT061145 SSRT061145 20060415 ZDI-06-010: Mozilla Firefox CSS Letter-Spacing Heap Overflow Vulnerability RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-22.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 228526 102550 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19721 19714 oval:org.mitre.oval:def:10055 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-css-letterspacing-overflow(25826) SSRT061181 HPSBUX02156 MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 720 22066 22065 21622 20051 19780 19729 19696 oval:org.mitre.oval:def:1614 Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks. Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 ADV-2006-3391 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-19.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19729 19721 19714 19696 19631 oval:org.mitre.oval:def:9604 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-valueof-xss(25820) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 20051 19780 oval:org.mitre.oval:def:1955 Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to bypass same-origin protections and conduct cross-site scripting (XSS) attacks via unspecified vectors involving the window.controllers array. This vulnerability also affects Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5 Mozilla, Firefox, 1.0.8 Mozilla, Thunderbird, 1.5 Mozilla, Thunderbird, 1.0.8 Mozilla, SeaMonkey, 1.0 Mozilla, Suite, 1.7.13 https://bugzilla.mozilla.org/show_bug.cgi?id=313373 http://www.mozilla.org/security/announce/2006/mfsa2006-17.html ADV-2006-3391 ADV-2006-1356 SSRT061158 SUSE-SA:2006:004 228526 oval:org.mitre.oval:def:10232 mozilla-windows-controllers-xss(25818) USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 21622 21033 20051 19950 19902 19862 19852 19823 19821 19811 19794 19780 19759 19746 19729 19721 19714 19696 19631 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1887 Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain." This vulnerability also affects Mozilla, SeaMonkey, 1.0 and Mozilla, Suite, 1.7.13 This vulnerabiloity is addressed in the following product releases: Mozilla, Firefox, 1.5 Mozilla, Firefox, 1.0.8 Mozilla, Thunderbird, 1.5 Mozilla, Thunderbird, 1.0.8 Mozilla, SeaMonkey, 1.0 Mozilla, Suite, 1.7.13 TA06-107A VU#488774 http://www.mozilla.org/security/announce/2006/mfsa2006-16.html 20060404-01-U ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 SSRT061158 FLSA:189137-2 FLSA:189137-1 SSRT061145 HPSBTU02118 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 SUSE-SA:2006:004 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19721 19714 19631 oval:org.mitre.oval:def:10815 SUSE-SA:2006:021 SCOSA-2006.26 mozilla-valueof-code-execution(25817) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 20051 19780 19729 19696 oval:org.mitre.oval:def:2020 Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using the Object.watch method to access the "clone parent" internal function. Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 TA06-107A VU#842094 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 SSRT061145 HPSBTU02118 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-15.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19721 19714 19631 oval:org.mitre.oval:def:10755 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-cloneparent-code-execution(25816) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 20051 19780 19729 19696 oval:org.mitre.oval:def:1247 Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using an eval in an XBL method binding (XBL.method.eval) to create Javascript functions that are compiled with extra privileges. Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 TA06-107A VU#813230 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 HPSBTU02118 HPSBTU02118 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-14.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19721 19714 19631 oval:org.mitre.oval:def:10930 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-xbl-code-execution(25815) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 20051 19780 19729 19696 oval:org.mitre.oval:def:1037 Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to trick users into downloading and saving an executable file via an image that is overlaid by a transparent image link that points to the executable, which causes the executable to be saved when the user clicks the "Save image as..." option. NOTE: this attack is made easier due to a GUI truncation issue that prevents the user from seeing the malicious extension when there is extra whitespace in the filename. Fixed in: Firefox 1.5 Firefox 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 https://bugzilla.mozilla.org/show_bug.cgi?id=293527 ADV-2006-1356 SSRT061158 http://www.mozilla.org/security/announce/2006/mfsa2006-13.html 228526 mozilla-saveimageas-ext-spoofing(25814) USN-275-1 USN-271-1 17516 HPSBUX02122 MDKSA-2006:076 MDKSA-2006:075 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 21622 21033 19941 19902 19863 19862 19852 19794 19759 19746 19721 19631 SUSE-SA:2006:021 SCOSA-2006.26 oval:org.mitre.oval:def:1548 Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary bytecode via JavaScript with a large regular expression. TA06-107A VU#329500 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 SSRT061145 SSRT061145 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-11.html GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19759 19746 19721 19714 19631 oval:org.mitre.oval:def:10817 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-javascript-regexpr-memory-corruption(25808) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 20051 19780 19729 19696 oval:org.mitre.oval:def:1829 Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) by changing the (1) -moz-grid and (2) -moz-grid-group display styles. TA06-107A VU#252324 ADV-2006-1356 SSRT061158 SSRT061145 http://www.mozilla.org/security/announce/2006/mfsa2006-11.html 228526 oval:org.mitre.oval:def:9405 mozilla-mozgrid-memory-corruption(25811) USN-276-1 USN-275-1 USN-271-1 17516 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 SSRT061145 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 21622 21033 20051 19950 19941 19902 19863 19862 19852 19821 19811 19794 19780 19759 19746 19729 19721 19714 19696 19631 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1687 The CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain Cascading Style Sheets (CSS) that causes an out-of-bounds array write and buffer overflow. Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 TA06-107A VU#935556 17516 http://www.mozilla.org/security/announce/2006/mfsa2006-11.html 19631 https://bugzilla.mozilla.org/show_bug.cgi?id=265736 ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 SSRT061158 SSRT061158 FLSA:189137-2 FLSA:189137-1 SSRT061145 HPSBTU02118 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 SUSE-SA:2006:004 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 19950 19941 19902 19863 19862 19852 19823 19821 19811 19794 19780 19759 19746 19729 19721 19714 19696 oval:org.mitre.oval:def:9817 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 mozilla-css-memory-corruption(25810) MDKSA-2006:078 MDKSA-2006:076 MDKSA-2006:075 20051 oval:org.mitre.oval:def:1667 Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to spoof secure site indicators such as the locked icon by opening the trusted site in a popup window, then changing the location to a malicious site. Fixed in: Firefox 1.5 Firefox 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 https://bugzilla.mozilla.org/show_bug.cgi?id=271194 ADV-2006-1356 SSRT061158 http://www.mozilla.org/security/announce/2006/mfsa2006-12.html 228526 oval:org.mitre.oval:def:10424 mozilla-secure-site-spoofing(25813) USN-275-1 USN-271-1 17516 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 MDKSA-2006:076 MDKSA-2006:075 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 21622 21033 19941 19902 19863 19862 19852 19811 19794 19759 19746 19729 19721 19714 19696 19631 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1811 Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded", (2) using eval(), and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval, aka "cross-site JavaScript injection". Fixed in: Firefox 1.5 Firefox 1.0.8 Mozilla Suite 1.7.13 SeaMonkey 1.0 mozilla-eventhandler-xss(25806) ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 SSRT061158 SSRT061158 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-09.html MDKSA-2006:076 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19821 19811 19780 19759 19746 19729 19721 19714 19696 19631 oval:org.mitre.oval:def:9167 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 MDKSA-2006:078 oval:org.mitre.oval:def:1855 The JavaScript engine in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly handle temporary variables that are not garbage collected, which might allow remote attackers to trigger operations on freed memory and cause memory corruption. Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 VU#492382 ADV-2006-1356 SSRT061158 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/2006/mfsa2006-10.html 228526 oval:org.mitre.oval:def:11808 mozilla-garbage-memory-corruption(25807) USN-276-1 USN-275-1 USN-271-1 HPSBUX02122 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 SUSE-SA:2006:004 MDKSA-2006:076 MDKSA-2006:075 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 102550 21622 21033 20051 19950 19941 19902 19863 19862 19852 19823 19811 19794 19780 19759 19746 19729 19721 19714 19696 19631 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1087 Multiple SQL injection vulnerabilities in form.php in JBook 1.4 allow remote attackers to execute arbitrary SQL commands via the (1) nom or (2) mail parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1315 17458 19613 jbook-form-sql-injection(25735) Buffer overflow in pl_main.c in sail in BSDgames before 2.17-7 allows local users to execute arbitrary code via a long player name that is used in a scanf function call. 24634 DSA-1036 19687 17401 http://www.pulltheplug.org/fu/?q=node/56 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360989 736 Cross-site scripting (XSS) vulnerability in login.php in Bitweaver 1.3 allows remote attackers to inject arbitrary web script or HTML via the error parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1370 17406 19673 Directory traversal vulnerability in PHPList 2.10.2 and earlier allows remote attackers include arbitrary local files via the (1) GLOBALS[database_module] or (2) GLOBALS[language_module] parameters, which overwrite the underlying $GLOBALS variable. 20060411 Re: PHPList <= 2.10.2 remote commands execution ADV-2006-1296 17429 20061012 new version of phplist fix XSS vulnerability 20060410 PHPList <= 2.10.2 remote commands execution http://tincan.co.uk/?lid=851 1015889 http://downloads.securityfocus.com/vulnerabilities/exploits/PHPList-lfi.php phplist-index-file-include(25701) PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter to (1) admin/admin.php, (2) war.php, (3) stats.php, (4) news.php, (5) joinus.php, (6) challenge.php, (7) calendar.php, (8) member.php, (9) popup.php, and other unspecified scripts in the admin folder. NOTE: these are different attack vectors than CVE-2006-1636 and CVE-2006-1503. 17443 http://www.blogcu.com/Liz0ziM/431925/ http://liz0zim.no-ip.org/vwar.txt virtualwar-member-file-include(28265) 19387 20060408 Virtual War File &#304;nclusion 1658 20060807 Virtual War v1.5.0 Remote File Include (vwar_root) Cross-site scripting (XSS) vulnerability in XMB Forum 1.9.5 allows remote attackers to inject arbitrary web script or HTML by uploading a Flash (.SWF) video that contains a getURL function call, which causes the video to be rendered without disabling ActionScript. 17445 20060409 XMB Forum 1.9.5-Final XSS xmb-swf-geturl-xss(25737) PHP remote file inclusion vulnerability in config.php in phpListPro 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the returnpath parameter. NOTE: this issue was later reported to affect 2.01 as well. phplistpro-config-file-include(25760) ADV-2006-1325 17448 20060508 PhpListPro 2.01 Remote File Include Vulnerability 20060411 phpListPro <= 2.0 - Remote File Include Vulnerability 24540 19625 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Autogallery 0.41 allow remote attackers to inject arbitrary web script or HTML via the (1) pic or (2) show parameters. autogallery-index-xss(25756) ADV-2006-1328 17480 http://www.elitemexico.org/12.txt 19629 20060411 Autogallery Multiple Cross-Site Scripting Vulnerabilitie Multiple SQL injection vulnerabilities in MvBlog before 1.6 allow remote attackers to execute arbitrary SQL commands via unknown vectors. 17481 19634 mvblog-multiple-sql-injection(25765) ADV-2006-1330 http://dev.mvblog.org/cgi-bin/trac.cgi/ticket/54 Multiple cross-site scripting (XSS) vulnerabilities in the backend in MvBlog before 1.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) body fields in a comment. 19634 ADV-2006-1330 17481 http://dev.mvblog.org/cgi-bin/trac.cgi/ticket/55 mvblog-comment-xss(25767) A cron job in fcheck before 2.7.59 allows local users to overwrite arbitrary files via a symlink attack on a temporary file. This vulnerability is addressed in the following product releases: Fcheck, 2.7.59-7sarge1 Fcheck, 2.7.59-8 DSA-1035 19675 17524 fcheck-tmpfile-symlink(25830) SQL injection vulnerability in index.php in SWSoft Confixx 3.0.6, 3.0.8, and 3.1.2 allows remote attackers to execute arbitrary SQL commands via the SID parameter. 19611 ADV-2006-1331 17476 20060411 Confixx 3.1.2 <= SQL Injection confixx-index-sql-injection(25749) 20060419 Confixx SQL Injection exploit (confixx_exploit.pl) 20060413 Re: Confixx 3.1.2 <= SQL Injection http://download1.swsoft.com/Confixx/security_hotfix/release_notes.txt SQL injection vulnerability in admin.php in MD News 1 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2006-1259 17394 19530 http://evuln.com/vulns/120/summary.html mdnews-admin-sql-injection(25635) 20060418 [eVuln] MD News Authentication Bypass and SQL Injection Vulnerabilities 24454 MD News 1 allows remote attackers to bypass authentication via a direct request to a script in the Administration Area. ADV-2006-1259 17394 19530 http://evuln.com/vulns/120/summary.html mdnews-admin-security-bypass(25636) 20060418 [eVuln] MD News Authentication Bypass and SQL Injection Vulnerabilities 24455 Cross-site scripting (XSS) vulnerability in index.php in Vegadns 0.99 allows remote attackers to inject arbitrary web script or HTML via the message parameter. 17433 20060410 Vegadns blind sql injection and cross site scripting SQL injection vulnerability in index.php in Vegadns 0.99 allows remote attackers to execute arbitrary SQL commands via the cid parameter. ADV-2006-1298 17433 20060410 Vegadns blind sql injection and cross site scripting 19614 vegadns-index-sql-injection(25741) Cross-site scripting (XSS) vulnerability in allgemein_transfer.php in SWSoft Confixx 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the jahr parameter. 19611 ADV-2006-1331 17466 20060410 Confixx 3.1.2 <= Cross Site Scripting Vuln 1015890 confixx-transfer-xss(25748) Multiple cross-site scripting (XSS) vulnerabilities in JetPhoto allow remote attackers to inject arbitrary web script or HTML via the page parameter in (1) Classic.view/thumbnail.php, (2) Classic.view/gallery.php, (3) Classic.view/detail.php, or (4) Orange.view/detail.php; or (5) the name parameter in Orange.view/slideshow.php. jetphoto-name-page-xss(25745) ADV-2006-1300 17449 24494 24493 24492 24491 19603 20060411 JetPhoto Multiple Cross-Site Scripting Vulnerabilitie Cross-site scripting vulnerability in index.php in blur6ex 0.3.452 allows remote attackers to inject arbitrary web script or HTML via the errormsg parameter, which is not sanitized in the error message. NOTE: the vector in the shard parameter is not XSS and has been assigned a separate name. 17465 20060411 Multiple vulnerabilities in Blur6ex 20060412 Multiple vulnerabilities in Blur6ex (fwd) blur6ex-index-xss(25757) 20060413 Re: Multiple vulnerabilities in Blur6ex Directory traversal vulnerability in index.php in blur6ex 0.3.452 allows remote attackers to include arbitrary files via the shard parameter. NOTE: this issue can be exploited to produce resultant XSS when the parameter has XSS manipulations, and path disclosure with other invalid values. 17465 20080502 blur6ex-0.3.462 LOCAL FILE INCLUSION Vulnerbility 20060411 Multiple vulnerabilities in Blur6ex 20060412 Multiple vulnerabilities in Blur6ex (fwd) blur6ex-index-path-disclosure(25758) 20060413 Re: Multiple vulnerabilities in Blur6ex Multiple SQL injection vulnerabilities in index.php in blur6ex 0.3.452 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a (1) g_reply or (2) g_permaPost action to the blog shard (engine/shards/blog.php), or a (3) g_viewContent action to the content shard (engine/shards/content.php). 17465 20060411 Multiple vulnerabilities in Blur6ex blur6ex-index-sql-injection(25759) 689 Hosting Controller 6.1 stores forum/db/forum.mdb under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as user name and password credentials. NOTE: the provenance of this information is unknown; the details are obtained from third party information. ADV-2006-1268 24447 19569 Cross-site scripting (XSS) vulnerability in index.php in JBook 1.3 allows remote attackers to inject arbitrary web script or HTML via the page parameter. 17419 20060410 Jbook Cross Site Scripting jbook-index-xss(25734) 19613 Multiple SQL injection vulnerabilities in Papoo 2.1.5, and 3 beta1 and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) getlang and (2) reporeid parameter in (a) index.php, (3) menuid parameter in (b) plugin.php and (c) forumthread.php, and (4) msgid parameter in forumthread.php. papoo-multiple-scripts-sql-injection(25728) http://pridels0.blogspot.com/2006/04/papoo-multiple-sql-vuln.html Multiple PHP remote file inclusion vulnerabilities in nicecoder.com INDEXU 5.0.0 and 5.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the theme_path parameter in (1) index.php, (2) become_editor.php, (3) add.php, (4) bad_link.php, (5) browse.php, (6) detail.php, (7) fav.php, (8) get_rated.php, (9) login.php, (10) mailing_list.php, (11) new.php, (12) modify.php, (13) pick.php, (14) power_search.php, (15) rating.php, (16) register.php, (17) review.php, (18) rss.php, (19) search.php, (20) send_pwd.php, (21) sendmail.php, (22) tell_friend.php, (23) top_rated.php, (24) user_detail.php, and (25) user_search.php; and the (26) base_path parameter in invoice.php. 17470 20060411 INDEXU <= 5.0.1 (theme_path)and (base_path) Remote File Inclusion Exploit 1015891 28427 28426 28425 28422 28419 28417 28416 28415 28413 28412 28410 28409 28406 24597 24596 1016331 http://ftp.kep.online.fr/Indexu_5.0.1_File_Inclusion_Exploit-by_King-Hacker_and-Khamaileon.txt Multiple cross-site scripting (XSS) vulnerabilities in register.php in Tritanium Bulletin Board (TBB) 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) newuser_name, (2) newuser_email, and (3) newuser_hp parameters in the faction=register mode in index.php. Succesful exploitation requires that "register_globals" is enabled. ADV-2006-1329 17473 20060411 Tritanium Bulletin Board 1.2.3 - XSS tritaniumbb-register-xss(25751) 24556 19635 Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila 9.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the mode parameter in msgReader$1 and (2) the end of the URI in viewDepartment$. 17475 20060411 Manila <= 9.5 - XSS Vulnerabilities manila-multiple-xss(25753) 24554 692 19636 Multiple PHP remote file inclusion vulnerabilities in Azerbaijan Design & Development Group (AZDG) AzDGVote allow remote attackers to execute arbitrary PHP code via a URL in the int_path parameter in (1) vote.php, (2) view.php, (3) admin.php, and (4) admin/index.php. ADV-2006-1324 20060411 AzDGVote File inclusion 19630 azdgvote-intpath-file-inclusion(25762) 17447 695 Directory traversal vulnerability in misc in pbcs.dll in SAXoTECH SAXoPRESS, aka Saxotech Online (formerly Publicus) allows remote attackers to read arbitrary files and possibly execute arbitrary programs via a .. (dot dot) in the url parameter. saxopress-pbcs-directory-traversal(25768) ADV-2006-1327 17474 20060412 Re: SAXoPRESS - directory traversal aka Saxotech Online 20060411 SAXoPRESS - directory traversal 19566 debconf in Debian GNU/Linux, when configuring mnogosearch in the mnogosearch-common 3.2.31-1 package, uses the world-readable config.dat file instead of the restricted passwords.dat for storing the cleartext database administrator password in the mnogosearch-common/database_admin_pass record, which allows local users to view the password. 17477 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361775 19589 SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to execute arbitrary SQL commands via the contentid parameter, possibly involving content/news.php. 17467 http://www.hamid.ir/security/phpkit.txt 1015888 phpkit-contentid-sql-injection(25743) HP System Management Homepage (SMH) 2.1.3.132, when running on CompaqHTTPServer/9.9 on Windows, Linux, or Tru64 UNIX, and when "Trust by Certificates" is not enabled, allows remote attackers to bypass authentication via a crafted URL. The only way to prevent this is to set the Trust level to "Trust by Certificates" 20060411 [SRC-Telindus advisory] - HP System Management Homepage Remote Unauthorized Access http://src.telindus.com/articles/hpsm_vulnerability.html 1015901 hp-smh-auth-bypass(25761) Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c) groupcp.php, the (4) Theme Name field in (d) admin_styles.php, and the (5) Rank Title field in (e) admin_ranks.php. NOTE: the profile.php/Current password vector is already covered by CVE-2006-1603. 24357 24356 24355 24354 http://osvdb.org/ref/24/24353-phpbb.txt PHP remote file inclusion vulnerability in doc/index.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the s parameter. ADV-2006-1332 17490 20060412 Simplog <=0.9.2 multiple vulnerabilities 24559 1015904 19628 http://retrogod.altervista.org/simplog_092_incl_xpl.html 1663 simplog-index-file-include(25775) Directory traversal vulnerability in doc/index.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the s parameter, as demonstrated by injecting PHP sequences into an Apache error_log file, which is then included by doc/index.php. ADV-2006-1332 17490 20060412 Simplog <=0.9.2 multiple vulnerabilities 24559 1015904 19628 http://retrogod.altervista.org/simplog_092_incl_xpl.html 1663 simplog-index-file-include(25775) Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) blogid parameter in (a) index.php and (b) archive.php, the (2) m and (3) y parameters in archive.php, and the (4) sql parameter in (c) server.php. ADV-2006-1332 17491 20060412 Simplog <=0.9.2 multiple vulnerabilities 24561 24560 1015904 19628 http://retrogod.altervista.org/simplog_092_incl_xpl.html 1663 simplog-index-archive-sql-injection(25776) 702 Cross-site scripting (XSS) vulnerability in login.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the btag parameter. ADV-2006-1332 17493 20060412 Simplog <=0.9.2 multiple vulnerabilities 24562 1015904 19628 http://retrogod.altervista.org/simplog_092_incl_xpl.html 1663 simplog-login-xss(25778) The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. Apply patches. 19627 ADV-2006-1333 102282 solaris-sh-dos(25744) 17478 http://support.avaya.com/elmodocs2/security/ASA-2006-122.htm 1015902 21493 oval:org.mitre.oval:def:881 PHP remote file inclusion vulnerability in functions.php in Circle R Monster Top List (MTL) 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter. NOTE: It was later reported that 1.4.2 and earlier are affected. monstertoplist-functions-file-include(25774) ADV-2006-1350 23074 17546 24650 3530 19688 http://pridels0.blogspot.com/2006/04/monstertoplist.html Unspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch. ADV-2006-1334 102113 19638 solaris-ldap2-password-disclosure(25747) 17479 24568 24567 24566 24565 24564 24563 http://support.avaya.com/elmodocs2/security/ASA-2006-122.htm 1015903 21493 oval:org.mitre.oval:def:1840 Cross-site scripting (XSS) vulnerability in PatroNet CMS allows remote attackers to inject arbitrary web script or HTML via the URI. 17495 20060412 PatroNet CMS Xss Vuln PHP remote file inclusion vulnerability in admin/configset.php in Sphider 1.3 and earlier, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the settings_dir parameter. ADV-2006-1341 17514 19642 1665 sphider-configset-file-inclusion(25780) Adobe Document Server for Reader Extensions 6.0 allows remote authenticated users to inject arbitrary web script via a leading (1) ftp or (2) http URI in the ReaderURL variable in the "Update Download Site" section of ads-readerext. NOTE: it is not clear whether the vendor advisory addresses this issue. In addition, since the issue requires administrative privileges to exploit, it is not clear whether this crosses security boundaries. ADV-2006-1342 http://www.adobe.com/support/techdocs/322699.html http://secunia.com/secunia_research/2005-68/advisory/ 15924 adobe-readerurl-xss(25770) 17500 20060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities 24588 Cross-site scripting (XSS) vulnerability in Adobe Document Server for Reader Extensions 6.0 allows remote attackers to inject arbitrary web script or HTML via (1) the actionID parameter in ads-readerext and (2) the op paremeter in AlterCast. NOTE: it is not clear whether the vendor advisory addresses this issue. ADV-2006-1342 http://www.adobe.com/support/techdocs/322699.html http://secunia.com/secunia_research/2005-68/advisory/ 15924 adobe-actionid-op-xss(25771) 17500 20060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities 24590 24589 Adobe Document Server for Reader Extensions 6.0 includes a user's session (jsession) ID in the HTTP Referer header, which allows remote attackers to gain access to PDF files that are being processed within that session. http://www.adobe.com/support/techdocs/331915.html ADV-2006-1342 http://www.adobe.com/support/techdocs/322699.html http://secunia.com/secunia_research/2005-68/advisory/ 15924 adobe-jsessionid-information-disclosure(25773) 17500 20060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities Adobe Document Server for Reader Extensions 6.0, during log on, provides different error messages depending on whether the user ID is valid or invalid, which allows remote attackers to more easily identify valid user IDs via brute force attacks. http://www.adobe.com/support/techdocs/331917.html ADV-2006-1342 http://secunia.com/secunia_research/2005-68/advisory/ 15924 adobe-error-account-enumeration(25772) 17500 20060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities Directory traversal vulnerability in pajax_call_dispatcher.php in PAJAX 0.5.1 and earlier allows remote attackers to read arbitrary files via the $className variable. Users of PAJAX should upgrade to the latest version pajax-0.5.2 [1]. ADV-2006-1353 http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php pajax-pajaxcalldispatcher-dir-traversal(25860) 17519 20060413 PAJAX Remote Code Injection and File Inclusion Vulnerability 24862 19653 20060413 PAJAX Remote Code Injection and File Inclusion Vulnerability A regression fix in Mozilla Firefox 1.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the InstallTrigger.install method, which leads to memory corruption. mozilla-installtrigger-memory-corruption(25809) ADV-2006-1356 USN-276-1 USN-275-1 USN-271-1 17516 SSRT061158 SSRT061158 FLSA:189137-2 FLSA:189137-1 RHSA-2006:0330 RHSA-2006:0329 RHSA-2006:0328 FEDORA-2006-411 FEDORA-2006-410 http://www.mozilla.org/security/announce/2006/mfsa2006-11.html MDKSA-2006:076 MDKSA-2006:075 GLSA-200605-09 GLSA-200604-18 GLSA-200604-12 DSA-1051 DSA-1046 DSA-1044 http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm 228526 102550 21622 21033 20051 19950 19941 19902 19863 19862 19852 19811 19794 19780 19759 19746 19729 19721 19714 19631 oval:org.mitre.oval:def:11202 SUSE-SA:2006:021 20060404-01-U SCOSA-2006.26 oval:org.mitre.oval:def:1266 Directory traversal vulnerability in acc.php in QuickBlogger 1.4 allows remote attackers to read or include arbitrary local files via the request parameter. NOTE: this issue can also produce resultant XSS when the associated include statement fails. 20060412 QuickBlogger v1.4 Cross-Site Scripting 15942 quickblogger-acc-xss(25795) 20060414 Re: QuickBlogger v1.4 Cross-Site Scripting Unspecified vulnerability in the POP service in MailEnable Standard Edition before 1.94, Professional Edition before 1.74, and Enterprise Edition before 1.22 has unknown attack vectors and impact related to "authentication exploits". NOTE: this is a different set of affected versions, and probably a different vulnerability than CVE-2006-1337. http://www.mailenable.com/standardhistory.asp http://www.mailenable.com/professionalhistory.asp http://www.mailenable.com/enterprisehistory.asp Directory traversal vulnerability in runCMS 1.2 and earlier allows remote attackers to read arbitrary files via the bbPath[path] parameter to (1) class.forumposts.php and (2) forumpollrenderer.php. NOTE: this issue is closely related to CVE-2006-0659. Succesful exploitation requires that register_globals = On & allow_url_fopen = On 20060209 runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package http://retrogod.altervista.org/runcms_13a_xpl.html 16578 SQL injection vulnerability in Mambo 4.5.3, 4.5.3h, and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via (1) the $username variable in the mosGetParam function and (2) the $task parameter in the mosMenuCheck function in (a) includes/mambo.php; and (3) the $filter variable to the showCategory function in the com_content component (content.php). Successful exploitation requires that "magic_quotes_gpc" is disabled. 16775 http://www.gulftech.org/?node=research&article_id=00104-02242006 http://source.mambo-foundation.org/view/news/Announcements/Security_Patch_Released/ 20060224 Mambo Multiple Vulnerabilities ADV-2006-0719 23503 23402 18935 mambo-index2-sql-injection(24951) Cross-site scripting (XSS) vulnerability in tablepublisher.cgi in UPDI Network Enterprise @1 Table Publisher 2006-03-23 allows remote attackers to inject arbitrary web script or HTML via the Title of Table field. http://www.osvdb.org/24238 http://www.osvdb.org/24238 17642 19723 Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']). The vulnerability manifests itself only when viewed by IE. This vulnerability is addressed in the following product release: Wordpress 2.0.1-1 http://trac.wordpress.org/ticket/1686 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909 The kernel in NetBSD-current before September 28, 2005 allows local users to cause a denial of service (system crash) by using the SIOCGIFALIAS ioctl to gather information on a non-existent alias of a network interface, which causes a NULL pointer dereference. 17497 1015908 19615 NetBSD-SA2006-012 bsd-siocgifalias-ioctl-dos(25766) 24578 SQL injection vulnerability in rateit.php in RateIt 2.2 allows remote attackers to execute arbitrary SQL commands via the rateit_id parameter. ADV-2006-1358 19637 http://evuln.com/vulns/124/summary.html rateit-rateit-sql-injection(25801) 17518 20060424 [eVuln] RateIt SQL Injection Vulnerability 24622 1015983 censtore.cgi in Censtore 7.3.002 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter. ADV-2006-1352 17515 19666 censtore-page-command-execution(25905) 1669 Directory traversal vulnerability in posts.php in SimpleBBS 1.0.6 through 1.1 allows remote attackers to include and execute arbitrary files via ".." sequences in the language cookie, as demonstrated by by injecting the code into the gl_session cookie of users.php, which is stored in error.log. http://www.worlddefacers.de/Public/WD-SMPL.txt 17501 20060412 SimpleBBS v1.1(posts.php) remote command execution http://downloads.securityfocus.com/vulnerabilities/exploits/SimpleBBS-RCE-posts.php.pl simplebbs-posts-command-execution(25788) Cross-site scripting (XSS) vulnerability in planetsearchplus.php in planetSearch+ allows remote attackers to inject arbitrary web script or HTML via the search_exp parameter. ADV-2006-1368 20060413 planetSearch+ - XSS Vulnerabilities 19681 http://d4igoro.blogspot.com/2006/04/planetsearch-xss-vulnerabilities.html planetsearchplus-script-xss(25832) 17527 Cross-site scripting (XSS) vulnerability in index.php in TinyWebGallery 1.3 and 1.4 allows remote attackers to inject arbitrary web script or HTML via the twg_album parameter. ADV-2006-1369 17536 20060415 Tiny Web Gallery <= 1.4 XSS 19660 tinywebgallery-index-xss(25831) 20060606 Re: Tiny Web Gallery <= 1.4 XSS 717 Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter. ADV-2006-1372 17487 20060414 Re: phpMyAdmin 2.7.0-pl1 20060412 phpMyAdmin 2.7.0-pl1 19659 phpmyadmin-sql-xss(25796) SUSE-SR:2006:009 19897 SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to execute arbitrary SQL commands via the sql_query parameter. This vulnerbability may affect earlier versions of phpMyAdmin as well. ADV-2006-1372 20060412 phpMyAdmin 2.7.0-pl1 19659 phpmyadmin-sql-sql-injection(25858) SUSE-SR:2006:009 19897 SQL injection vulnerability in member.php in PowerClan 1.14 allows remote attackers to execute arbitrary SQL commands via the memberid parameter. 19689 ADV-2006-1371 20060413 PowerClan 1.14 - SQL Injection http://d4igoro.blogspot.com/2006/04/powerclan-114-sql-injection.html powerclan-member-sql-injection(25876) 17528 706 Cross-site scripting (XSS) vulnerability in index.php in Musicbox 2.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the term parameter in a search action. ADV-2006-1373 19672 musicbox-multiple-xss(27925) musicbox-index-xss(25835) 17545 20060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerability http://pridels0.blogspot.com/2006/04/musicbox-vuln.html Multiple SQL injection vulnerabilities in index.php in Musicbox 2.3.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) start parameter in a search action or (2) type parameter in a top action. ADV-2006-1373 19672 musicbox-multiple-sql-injection(27926) musicbox-index-sql-injection(25836) 17545 20060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerability http://pridels0.blogspot.com/2006/04/musicbox-vuln.html Cross-site scripting (XSS) vulnerability in index.php in Lifetype 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the show parameter in a Template operation. ADV-2006-1367 20060414 Vulnerabilities in lifetype 1015941 19646 lifetype-index-xss(25899) 17529 index.php in Lifetype 1.0.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which reveals the path in an error message. 20060414 Vulnerabilities in lifetype 1015941 lifetype-index-path-disclosure(25903) 711 Multiple cross-site scripting (XSS) vulnerabilities in FlexBB 0.5.5 BETA allow remote attackers to inject arbitrary web script or HTML via the (1) ICQ, (2) AIM, (3) MSN, (4) Google Talk, (5) Website Name, (6) Website Address, (7) Email Address, (8) Location, (9) Signature, and (10) Sub-Titles fields in the user profile. 17539 20060416 FlexBB v0.5.5 BETA [SQL Inj] [XSS] [Login bypass] Multiple SQL injection vulnerabilities in FlexBB 0.5.5 BETA allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) forumid, or (3) threadid parameter to index.php; the (4) ICQ, (5) AIM, (6) MSN, (7) Google Talk, (8) Website Name, (9) Website Address, (10) Email Address, (11) Location, (12) Signature, and (13) Sub-Titles fields in the user profile; or (14) flexbb_password field in a cookie. 20060416 FlexBB v0.5.5 BETA [SQL Inj] [XSS] [Login bypass] 17574 phpWebFTP 3.2 and earlier stores script.js under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information. 17557 20060417 PhpWebFTP 3.2 Login Script phpwebftp-scriptjs-obtain-information(25921) 19706 Directory traversal vulnerability in index.php in phpWebFTP 3.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the language parameter. ADV-2006-1388 17557 20060417 PhpWebFTP 3.2 Login Script phpwebftp-index-directory-traversal(25920) 723 19706 NetBSD 1.6, 2.0, 2.1 and 3.0 allows local users to cause a denial of service (memory exhaustion) by using the sysctl system call to lock a large buffer into physical memory. 17498 1015909 19616 bsd-sysctl-dos(25764) 24579 Multiple cross-site scripting (XSS) vulnerabilities in register.php in Tritanium Bulletin Board (TBB) 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) newuser_realname and (2) newuser_icq parameters, a different vector than CVE-2006-1768. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1329 24556 19635 tritaniumbb-register-xss(25751) 693 PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via a URL in the systempath parameter to (1) ImpExModule.php, (2) ImpExController.php, and (3) ImpExDisplay.php. 20060412 Remote File Inclusion in VBulletin ImpEx impex-systempath-file-include(34095) impex-multiple-file-inclusion(25789) 20070504 Remote File Include In Script impex 24692 24691 24690 19352 SQL injection vulnerability in authcheck.php in warforge.NEWS 1.0, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the (1) authusername and possibly the (2) authpassword cookie. ADV-2006-1359 http://evuln.com/vulns/125/summary.html warforgenews-authcheck-sql-injection(25900) 17705 17520 20060426 [eVuln] warforge.NEWS SQL Injection and Multiple XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in warforge.NEWS 1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly including the (1) first_name and (2) last_name parameter in myaccounts.php. NOTE: portions of these details were obtained from third party sources instead of the original disclosure. ADV-2006-1359 http://evuln.com/vulns/125/summary.html 17520 20060426 [eVuln] warforge.NEWS SQL Injection and Multiple XSS Vulnerabilities Directory traversal vulnerability in the loadConfig function in index.php in phpWebSite 0.10.2 and earlier allows remote attackers to include arbitrary local files and execute arbitrary PHP code via the hub_dir parameter, as demonstrated by including access_log. NOTE: in some cases, arbitrary remote file inclusion could be performed under PHP 5 using an SMB share argument such as "\\systemname\sharename". ADV-2006-1361 17521 http://downloads.securityfocus.com/vulnerabilities/exploits/PHPWebSite_fi_poc phpwebsite-index-hubdir-file-include(25867) GLSA-200605-04 1015942 19914 19647 1673 Cross-site scripting (XSS) vulnerability in index.php in ModX 0.9.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this might be resultant from the directory traversal vulnerability. ADV-2006-1383 17533 20060414 Vulnerabilities in MODx 1015940 modx-index-xss(25894) 19645 Directory traversal vulnerability in index.php in ModX 0.9.1 allows remote attackers to read arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the id parameter. To address this issue, the vendor has released a patch available at the following location: http://modxcms.com/forums/index.php/topic,3982.0.html ADV-2006-1383 17533 20060414 Vulnerabilities in MODx 1015940 modx-index-directory-traversal(25895) 19645 Cross-site scripting (XSS) vulnerability in search.php in FarsiNews 2.5.3 Pro and earlier allows remote attackers to inject arbitrary web script or HTML via the selected_search_arch parameter. ADV-2006-1411 17534 20060414 Farsinews Cross-Site Scripting & Path disclosure vulnerability http://www.aria-security.net/advisory/farsinews/farsinews042006.txt 1015943 farsinews-search-xss(25833) 710 19648 Directory traversal vulnerability in FarsiNews 2.5.3 Pro and earlier allows remote attackers to obtain the installation path via ".." sequences in the archive parameter to index.php, which leaks the full pathname in an error message. ADV-2006-1411 20060414 Farsinews Cross-Site Scripting & Path disclosure vulnerability 1015943 710 19648 Multiple cross-site scripting (XSS) vulnerabilities in PhpGuestbook.php in PhpGuestbook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Website, and (3) Comment parameter. ADV-2006-1422 phpguestbook-script-xss(25850) 17594 17537 20060415 PhpGuestbook <= 1.0 XSS 19669 http://pridels0.blogspot.com/2006/04/phpguestbook-v10-script-insertion.html Cross-site scripting (XSS) vulnerability in index.php in phpLinks 2.1.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the term parameter. ADV-2006-1378 phplinks-index-xss(25890) 17586 http://pridels0.blogspot.com/2006/04/phplinks-2131-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in Snipe Gallery 3.1.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gallery_id parameter in view.php, (2) keyword parameter in search.php, and (3) image_id parameter in image.php. NOTE: it is possible that vectors 1 and 3 are resultant from SQL injection. snipe-view-image-xss(25803) 17543 20060416 Re: Snipe Gallery <= 3.1.4 Multiple XSS 20060415 Snipe Gallery <= 3.1.4 Multiple XSS 1015947 Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and earlier allows remote attackers to execute arbitrary code via a length value that passes a length check as a negative number, but triggers a buffer overflow when it is used as an unsigned length. http://www.cipher.org.uk/index.php?p=advisories/Asterisk_Codec_Integer_Overflow_07-04-2006.advisory http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.7-patch.gz ADV-2006-1478 17561 SUSE-SR:2006:009 DSA-1048 19897 19872 19800 SQL injection vulnerability in php121language.php in PHP121 1.4 allows remote attackers to execute arbitrary SQL commands and execute arbitrary code via the sess_username variable, as set by the php121un HTTP COOKIE parameter, which is used in multiple files including php121login.php. NOTE: the code execution occurs because the SQL query results are used in an include statement. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2006-1349 19643 1666 php121-php121login-sql-injection(25785) 17509 1015936 http://retrogod.altervista.org/php121im_14_sql_xpl.html EAServer Manager in Sybase EAServer 5.2 and 5.3 allows remote authenticated users, possibly guests, to obtain password credentials of arbitrary users via unspecified vectors involving (1) connection caches, (2) open password prompts, and (3) stored custom connection profiles. ADV-2006-1344 http://www.sybase.com/detail?id=1040117 17508 1015913 19605 easerver-password-disclosure(25777) Sun Java Studio Enterprise 8, when installed as root, creates certain files with world-writable permissions, which allows local users to execute arbitrary commands via unspecified vectors. 17517 102292 19632 ADV-2006-1357 sun-javastudio-insecure-permissions(25822) 1015930 Direct static code injection vulnerability in sysinfo.cgi in sysinfo 1.21 and possibly other versions before 2.25 allows remote attackers to execute arbitrary commands via a leading ; (semicolon) in the name parameter in a systemdoc action, which is injected into phpinfo.php. 17523 sysinfo-sysinfo-command-execution(25906) ADV-2006-1360 19690 1677 sysinfo.cgi in sysinfo 1.21 allows remote attackers to obtain the installation path via the debugger action. 17523 ADV-2006-1360 sysinfo-debugger-information-disclosure(25909) 19690 1677 Intel RNG Driver in NetBSD 1.6 through 3.0 may incorrectly detect the presence of the pchb interface, which will cause it to always generate the same random number, which allows remote attackers to more easily crack encryption keys generated from the interface. 24577 1015907 19585 NetBSD-SA2006-009 netbsd-intel-rng-security-bypass(25786) 17496 Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. NOTE: a sign extension problem makes the attack easier with shorter strings. 17513 ADV-2006-1354 http://www.sec-consult.com/259.html http://www.opera.com/docs/changelogs/windows/854/ 1015912 20060413 SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow opera-wcsncpy-css-bo(25829) 20060413 SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow GLSA-200606-01 20117 SUSE-SR:2006:010 Cross-site scripting (XSS) vulnerability in yearcal.php in Calendarix allows remote attackers to inject arbitrary web script or HTML via the ycyear parameter. ADV-2006-1376 17562 20060416 Calendarix "yearcal.php" XSS Attacking calendarix-yearcal-xss(25874) 1015954 727 19710 Untrusted search path vulnerability in unspecified components in Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 do not set the execution path, which allows local users to gain privileges via a Trojan horse program. http://securityresponse.symantec.com/avcenter/security/Content/2006.04.17b.html ADV-2006-1386 17571 20060418 [Symantec Security Advisory] LiveUpdate for Macintosh Local Privilege Escalation 1015953 19682 liveupdate-exepath-env-privilege-escalation(25839) 100 SQL injection vulnerability in archiv2.php in Fuju News 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. ADV-2006-1374 17572 19677 1682 fujunews-archiv2-sql-injection(25897) edit_kategorie.php in Fuju News 1.0 allows remote attackers to bypass authentication by setting the authorized cookie. ADV-2006-1374 17572 19677 1682 PHP remote file inclusion vulnerability in language.php in PHP Album 0.3.2.3, when register_globals is enabled, allows remote attackers to execute arbitrary code via an FTP URL in the data_dir parameter, which satisfies the file_exists function call. ADV-2006-1382 20060415 PHP Album <= 0.3.2.3 remote commnads execution 19661 http://retrogod.altervista.org/phpalbum_0323_incl_xpl.html phpalbum-language-file-include(25846) 17526 24741 Multiple format string vulnerabilities in Empire Server before 4.3.1 allow attackers to cause a denial of service (crash) via the (1) load, (2) spy and (3) bomb functions. http://sourceforge.net/project/shownotes.php?release_id=410001&group_id=24031 19674 empireserver-unspecified(25863) ADV-2006-1380 17585 24700 Cross-site scripting (XSS) vulnerability in search.php in boastMachine (bMachine) 2.7, and possibly other versions before 2.9b, allows remote attackers to inject arbitrary web script or HTML via the key parameter, as used by the search field. ADV-2006-1375 20060416 Xss In bMachine 2&#1643;7 19711 boastmachine-search-xss(25914) 17550 Cross-site scripting (XSS) vulnerability in global.php in ShoutBOOK 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) NAME and (2) COMMENTS parameters. ADV-2006-1385 17548 20060417 ShoutBOOK <= 1.1 XSS 1015958 19704 shoutbook-global-xss(25862) Cross-site scripting (XSS) vulnerability in global.php in ShoutBOOK 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) LOCATION and (2) URL parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1385 19704 shoutbook-global-xss(25862) The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges. 23922 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356939 19170 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0537. Reason: This candidate is a duplicate of CVE-2006-0537. Notes: All CVE users should reference CVE-2006-0537 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to inject arbitrary HTML and web script via the ublock parameter, which is saved in the user's personal menu. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. In addition, it is unclear whether this issue is a vulnerability, since it is related to the user's personal menu, which presumably is not modifiable by others. ADV-2006-0687 16774 23431 18972 SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to execute arbitrary SQL commands via the user_id parameter in the Your_Home functionality. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. phpnuke-yourhome-sql-injection(44730) ADV-2006-0687 16774 23432 18972 Multiple cross-site scripting (XSS) vulnerabilities in stats_view.php in LinPHA 1.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, and (3) date parameter. ADV-2006-1396 17581 20060417 Linpha 1.1.0 - XSS Vulnerabilities 19679 http://d4igoro.blogspot.com/2006/04/linpha-xss-vulnerabilities.html linpha-statsview-xss(25916) Multiple SQL injection vulnerabilities in members_only/index.cgi in xFlow 5.46.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) position and (2) id parameter. ADV-2006-1412 19707 xflow-index-sql-injection(25853) 17614 http://pridels0.blogspot.com/2006/04/xflow-v5x-multiple-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in xFlow 5.46.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) level, (2) position, (3) id, and (4) action parameters to members_only/index.cgi, and the (5) page parameter to customer_area/index.cgi. ADV-2006-1412 19707 xflow-index-xss(25854) 17614 http://pridels0.blogspot.com/2006/04/xflow-v5x-multiple-vuln.html xFlow 5.46.11 and earlier allows remote attackers to determine the installation path of the application via the (1) action parameter to members_only/index.cgi and (2) page parameter customer_area/index.cgi, probably due to invalid values. xflow-index-path-disclosure(25855) 17614 http://pridels0.blogspot.com/2006/04/xflow-v5x-multiple-vuln.html SQL injection vulnerability in category.php in Article Publisher Pro 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cname parameter. articlepublisher-category-sql-injection(25898) 24730 http://pridels0.blogspot.com/2006/04/article-publisher-pro-sql-inj.html Multiple SQL injection vulnerabilities in ModernBill 4.3.2 and earlier allow remote attackers or administrators to execute arbitrary SQL commands via the (1) id parameter in (a) user.php, or (2) where and (3) order parameters to (b) admin.php. ADV-2006-1415 17596 19641 modernbill-user-sql-injection(25926) http://pridels0.blogspot.com/2006/04/modernbill-multiple-sql-inj-vuln.html ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BluePay Manager 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML during a login action via the (1) Account Name and (2) Username field. NOTE: the vendor has disputed this vulnerability, saying that "it does not exist currently in the Bluepay 2.0 product," and older versions might not have been affected either. As of 20060512, CVE has not formally investigated this dispute. http://pridels0.blogspot.com/2006/04/bluepay-manager-v20-script-insertion.html choose_new_parent in Linux kernel before 2.6.11.12 includes certain debugging code, which allows local users to cause a denial of service (panic) by causing certain circumstances involving termination of a parent process. https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=127302 oval:org.mitre.oval:def:11235 USN-302-1 18099 RHSA-2006:0493 SUSE-SA:2006:042 DSA-1184 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 22093 21745 21179 20716 20237 Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191524 [linux-kernel] 20060426 [PATCH] LSM: add missing hook to do_compat_readv_writev() oval:org.mitre.oval:def:9927 [linux-security-module] 20050928 readv/writev syscalls are not checked by lsm USN-302-1 18105 RHSA-2006:0493 25747 MDKSA-2006:123 DSA-1184 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 22093 21745 21045 20716 20237 Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk. linux-sctp-hback-dos(26584) ADV-2006-2554 ADV-2006-1893 USN-302-1 18085 RHSA-2006:0575 25695 SUSE-SA:2006:047 SUSE-SA:2006:042 MDKSA-2006:150 MDKSA-2006:123 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm 22417 21498 21476 21465 21179 21045 20914 20716 20671 20185 oval:org.mitre.oval:def:10622 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.17 SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters. linux-sctp-parameter-dos(26585) ADV-2006-2554 ADV-2006-1893 USN-302-1 18085 RHSA-2006:0617 25696 SUSE-SA:2006:047 SUSE-SA:2006:042 MDKSA-2006:150 MDKSA-2006:123 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-203.htm 22174 21605 21498 21476 21179 21045 20914 20716 20671 20185 oval:org.mitre.oval:def:9510 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.17 Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an "uninitialised return value," aka "slab leak." 20083 ADV-2006-1767 http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1f0e637c94a9b041833947c79110d6c02fff8618 http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=blobdiff;h=aa7f66091823dde953e15895dc427615701c39c7;hp=e75ac392a313f3fad823bf2e46a03f29701e3e34;hb=1f0e637c94a9b041833947c79110d6c02fff8618;f=fs/locks.c linux-locks-setlease-dos(26438) USN-302-1 2006-0028 18033 SUSE-SA:2006:042 MDKSA-2006:123 21179 21045 20716 lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack. 17943 20083 ADV-2006-1767 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.16 http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1f0e637c94a9b041833947c79110d6c02fff8618 http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=blobdiff;h=aa7f66091823dde953e15895dc427615701c39c7;hp=e75ac392a313f3fad823bf2e46a03f29701e3e34;hb=1f0e637c94a9b041833947c79110d6c02fff8618;f=fs/locks.c linux-locks-lease-init-dos(26437) USN-302-1 2006-0028 25425 SUSE-SA:2006:042 MDKSA-2006:123 21179 21045 20716 Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493. freetype-lwfn-overflow(26553) 18034 http://sourceforge.net/project/shownotes.php?release_id=416463 20100 FEDORA-2009-5644 FEDORA-2009-5558 https://issues.rpath.com/browse/RPL-429 https://bugzilla.redhat.com/show_bug.cgi?id=502565 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190593#c8 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190593 https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=128606 ADV-2007-0381 ADV-2006-1868 USN-291-1 20060612 rPSA-2006-0100-1 freetype RHSA-2009:1062 RHSA-2009:0329 RHSA-2006:0500 MDKSA-2006:099 GLSA-200710-09 DSA-1095 http://support.avaya.com/elmodocs2/security/ASA-2006-176.htm http://support.apple.com/kb/HT3438 102705 1016522 GLSA-200607-02 35233 35204 35200 33937 27271 27167 27162 23939 21701 21385 21135 21062 21000 20791 20638 20591 20525 oval:org.mitre.oval:def:9124 SUSE-SA:2006:037 SUSE-SR:2007:021 APPLE-SA-2009-02-12 20060701-01-U The virtual memory implementation in Linux kernel 2.6.x allows local users to cause a denial of service (panic) by running lsof a large number of times in a way that produces a heavy system load. RHSA-2006:0493 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189260 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189031 oval:org.mitre.oval:def:9390 31663 http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 21745 20237 Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189434 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=296034f7de8bdf111984ce1630ac598a9c94a253 ADV-2006-2554 ADV-2006-1542 RHBA-2007-0304 oval:org.mitre.oval:def:10383 kernel-cifs-directory-traversal(26141) 2006-0024 17742 25068 SUSE-SA:2006:028 MDKSA-2006:151 MDKSA-2006:150 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.11 DSA-1103 21614 20914 20398 19868 Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189435 ADV-2006-4502 ADV-2006-2554 oval:org.mitre.oval:def:11327 kernel-smbfs-directory-traversal(26137) http://www.vmware.com/download/esx/esx-254-200610-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html http://www.vmware.com/download/esx/esx-202-200610-patch.html USN-302-1 2006-0026 17735 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 RHSA-2006:0710 RHSA-2006:0580 RHSA-2006:0579 RHSA-2006:0493 25067 SUSE-SA:2006:028 MDKSA-2006:151 MDKSA-2006:150 DSA-1103 DSA-1097 http://support.avaya.com/elmodocs2/security/ASA-2006-254.htm http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm 23064 22875 22497 21745 21614 21476 21035 20914 20716 20671 20398 20237 19869 Argument injection vulnerability in Beagle before 0.2.5 allows attackers to execute arbitrary commands via crafted filenames that inject command line arguments when Beagle launches external helper applications while indexing. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189282 beagle-indexing-command-execution(26104) 17611 24938 SUSE-SR:2006:009 19897 19781 19778 http://scary.beasts.org/security/CESA-2006-002.html FEDORA-2006-440 Multiple unspecified vulnerabilities in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and other versions have unknown impact and attack vectors in the (1) Advanced Replication component, as identified by Vuln# DB01, and (2) Oracle Spatial component, as identified by Vuln# DB10. NOTE: details are unavailable from Oracle, but as of 20060421, they have not publicly disputed a claim by a reliable independent researcher that states that DB01 is an unknown issue in the DBMS_REPUTIL package, and DB10 is SQL injection in the INSERT_CATALOG, UPDATE_CATALOG, and DELETE_CATALOG functions of the SDO_CATALOG package. TA06-109A VU#139049 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 oracle-sdocatalog-sql-injection(26054) oracle-dbmsreputil-sql-injection(26050) ADV-2006-1571 ADV-2006-1397 17590 SSRT061148 SSRT061148 http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html 19859 Unspecified vulnerability in Oracle Database Server 9.2.0.6 has unknown impact and attack vectors in the Advanced Replication component, aka Vuln# DB02. http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 19712 oracle-database-multiple-unspecified(26068) SSRT061148 19859 Buffer overflow in the Advanced Replication component in Oracle Database Server 10.1.0.4 allows database users to execute arbitrary code via the VERIFY_LOG procedure of the DBMS_SNAPSHOT_UTL package, aka Vuln# DB03. VU#797465 TA06-109A http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 oracle-dbmssnapshotutl-bo(26049) ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 SSRT061148 20060420 [Argeniss] Oracle Database 10gR1 Buffer overflow in VERIFY_LOG procedure http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html http://www.argeniss.com/research/ARGENISS-ADV-040603.txt 19859 19712 Unspecified vulnerability in Oracle Database Server 8.1.7.4 and 9.0.1.5 has unknown impact and attack vectors in the Dictionary component, aka Vuln# DB04. TA06-109A VU#241481 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 19712 oracle-dictionary-constraint-modification(26052) SSRT061148 19859 Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.2 has unknown impact and attack vectors in the Export component, aka Vuln# DB05. NOTE: details are unavailable from Oracle, but as of 20060427, they have not publicly commented on whether DB05 is the same issue as CVE-2006-2081. VU#452681 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 HPSBMA02113 http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html 19859 19712 SQL injection vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.5 allows remote attackers to execute arbitrary SQL commands via the DELETE_FROM_TABLE function in the DBMS_LOGMNR_SESSION (Log Miner) package, aka Vuln# DB06. 1015961 oracle-dbmslogmnrsession-sql-injection(26047) ADV-2006-1571 ADV-2006-1397 17590 SSRT061148 HPSBMA02113 20060418 SQL Injection in package SYS.DBMS_LOGMNR_SESSION http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_logmnr_session.html http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 19859 19712 20060418 SQL Injection in package SYS.DBMS_LOGMNR_SESSION Unspecified vulnerability in Oracle Database Server 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors in the Oracle Enterprise Manager Intelligent Agent component, aka Vuln# DB07. Apply patches : http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 oracle-database-multiple-unspecified(26068) HPSBMA02113 19859 Unspecified vulnerability in Oracle Database Server 9.2.0.7, 10.1.0.4, and 10.2.0.1 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB08. Apply patches : http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html oracle-database-multiple-unspecified(26068) ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 HPSBMA02113 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19859 19712 Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, and 9.2.0.6 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB09. NOTE: Oracle has not disputed reliable claims that this issue is SQL injection in MDSYS.PRVT_IDX using the (1) EXECUTE_INSERT, (2) EXECUTE_DELETE, (3) EXECUTE_UPDATE, (4) EXECUTE UPDATE, and (5) CRT_DUMMY functions. Apply patches. oracle-prvtidx-sql-injection(26053) ADV-2006-1571 ADV-2006-1397 17590 SSRT061148 HPSBMA02113 http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19859 19712 Unspecified vulnerability in Oracle Database Server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB11. NOTE: Oracle has not disputed reliable researcher claims that this issue is SQL injection in MDSYS.SDO_LRS_TRIG_INS. The most severe of these vulnerabilities could possibly expose affected computers to complete compromise. 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 oracle-sdolrstrigins-sql-injection(26055) ADV-2006-1571 ADV-2006-1397 HPSBMA02113 HPSBMA02113 http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html 19859 Unspecified vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.4 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB12. NOTE: details are unavailable from Oracle, but as of 20060421, they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the (1) GEN_RID_RANGE_BY_AREA and (2) GEN_RID_RANGE functions in the MDSYS.SDO_PRIDX package. VU#240249 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 oracle-sdopridx-sql-injection(26051) ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 SSRT061148 http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html 19859 19712 Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, and 9.2.0.7 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB13. http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 oracle-database-multiple-unspecified(26068) ADV-2006-1571 ADV-2006-1397 17590 HPSBMA02113 SSRT061148 24861 19859 19712 Cross-site scripting (XSS) vulnerability in index.php in phpFaber TopSites allows remote attackers to inject arbitrary web script or HTML via the page parameter. ADV-2006-1394 17542 20060415 phpFaber TopSites Script Cross-Site Scripting phpfabertopsites-index-xss(25804) 1015945 760 719 19652 Multiple unspecified vulnerabilities in the Email Server component in Oracle Collaboration Suite 9.0.4.2, 10.1.1, 10.1.2.0, and 10.1.2.1 have unknown impact and attack vectors, aka Vuln# (1) OCS01, (2) OCS02, (3) OCS03, and (4) OCS04. TA06-109A VU#879041 VU#549146 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 SSRT061148 oracle-collab-unauth-access(26057) HPSBMA02113 19859 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, as identified by Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS09 in the (b) Oracle Diagnostics Interfaces component; (3) APPS10 in the (c) Oracle General Ledger component; (4) APPS12 and (5) APPS13 in the (d) Oracle Receivables component. VU#940729 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-ebusiness-multiple-unspecifed(26058) SSRT061148 19859 Unspecified vulnerability in the Financials for Asia/Pacific component in Oracle E-Business Suite and Applications 11.5.9 has unknown impact and attack vectors. component, aka Vuln# APPS02. 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-ebusiness-multiple-unspecifed(26058) HPSBMA02113 19859 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unknown impact and attack vectors, as identified by Vuln# (1) APPS03 in (a) iProcurement; (2) APPS04 in (b) Oracle Application Object Library; (3) APPS06, (4) APPS07, and (5) APPS08 in (c) Oracle Applications Technology Stack; and (6) APPS11 in (d) Oracle Order Capture. VU#824833 VU#619194 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-ebusiness-multiple-unspecifed(26058) SSRT061148 19859 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite and Applications 11.5.10CU1 has unknown impact and attack vectors, aka Vuln# APPS05. 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-ebusiness-multiple-unspecifed(26058) SSRT061148 19859 Unspecified vulnerability in the Oracle Thesaurus Management System component in Oracle E-Business Suite and OPA 4.5.2 Applications has unknown impact and attack vectors, aka Vuln# OPA01. The vendor has addressed this issue through the release of product updates: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 oracle-ebusiness-multiple-unspecifed(26058) ADV-2006-1571 ADV-2006-1397 HPSBMA02113 HPSBMA02113 19859 Multiple unspecified vulnerabilities in the Reporting Framework component in Oracle Enterprise Manager 9.0.1.5 and 9.2.0.7 have unknown impact and attack vectors, aka Vuln# (1) EM01 and (2) EM02. VU#443265 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-reporting-framework-access(26056) HPSBMA02113 19859 Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise 8.46.12 and 8.47.04 has unknown impact and attack vectors, aka Vuln# PSE01. TA06-109A 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-peopletools-unspecified(26059) SSRT061148 19859 Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Security Server 8.95.J1 has unknown impact and attack vectors, aka Vuln# JDE01. TA06-109A 17590 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html 1015961 19712 ADV-2006-1571 ADV-2006-1397 HPSBMA02113 oracle-jdedwards-enterpriseone-unspecified(26069) HPSBMA02113 19859 phpGraphy 0.9.11 and earlier allows remote attackers to bypass authentication and gain administrator privileges via a direct request to index.php with the editwelcome parameter set to 1, which can then be used to modify the main page to inject arbitrary HTML and web script. NOTE: XSS attacks are resultant from this issue, since normal functionality allows the admin to modify pages. 17567 19705 phpgraphy-index-xss(25892) ADV-2006-1379 20060418 Re: - PHPGraphy <= 0.9.11 20060417 - PHPGraphy <= 0.9.11 1015971 733 http://retrogod.altervista.org/phpgraphy_0911_adv.html Cross-site scripting (XSS) vulnerability in the search action handler in index.php in Nils Asmussen (aka SCRIPTSOLUTION) Boardsolution 1.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the "Search for" item (keyword parameter). ADV-2006-1413 17549 20060415 Boardsolution <= 1.12 XSS boardsolution-index-xss(25805) 1015948 766 718 19654 Multiple PHP remote file inclusion vulnerabilities in myWebland myEvent 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the myevent_path parameter in (1) event.php and (2) initialize.php. NOTE: vector 2 was later reported to affect 1.4 as well. myevent-myevent-file-include(28347) myevent-event-initialize-file-include(25882) ADV-2006-1384 17575 20060416 MyEvent Remote File Execution And XSS Attacking 24723 24722 1016616 767 726 19680 Cross-site scripting (XSS) vulnerability in Martin Scheffler betaboard 0.1 allows remote attackers to inject arbitrary web script or HTML via a user's profile, possibly using the FormVal_profile parameter. NOTE: it is not clear whether this is a distributable product or a site-specific vulnerability. If it is site-specific, then it should not be included in CVE. betaboard-editprofile-xss(25838) ADV-2006-1377 17556 20060416 BetaBoard Cross Site Scripting vulnerability 1015955 19700 20060416 BetaBoard Cross Site Scripting vulnerability 765 724 avast! 4 Linux Home Edition 1.0.5 allows local users to modify permissions of arbitrary files via a symlink attack on the /tmp/_avast4_ temporary directory. ADV-2006-1387 17535 20060414 Avast Linux Home Edition (vulnerability on a temporary folder creation) 764 712 19683 Cross-site scripting (XSS) vulnerability in print.php in ar-blog 5.2 allows remote attackers to inject arbitrary web script or HTML via the id parameter. 17522 20060413 Xss In ar-blog v 5.2 arblog-print-xss(25834) 763 Cross-site scripting (XSS) vulnerability in RevoBoard 1.8, as derived from PunBB, allows remote attackers to inject arbitrary web script or HTML via a substitution cipher of the email tag, which is transformed when the application's e-mail address obfuscator reverses the transformation. NOTE: it is not clear whether this is a site-specific issue; however, the claimed codebase relationship with PunBB might be relevant. 20060413 RevoBoard [email] tag XSS 768 Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in overall_header.tpl, or (2) is used in an eval statement by includes/bbcode.php for bbcode.tpl. 17573 20060414 phpBB template file code execution phpbb-template-code-execution(25888) 769 Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature values, possibly involving the highlight functionality. NOTE: the original report does not clarify whether this issue is static code injection, eval injection, or another type of vulnerability. DSA-1066 20197 phpbb-admin-code-execution(25889) 20060418 Re: phpBB Admin command execution 20060414 phpBB Admin command execution 762 715 20093 Webplus (aka talentsoft) Web+Shop 5.3.6, when Redirect URL for "Script Not Found" Error is not configured, allows remote attackers to obtain sensitive information via a quote (') or possibly other invalid value in the storeid parameter in store.wml in webplus.exe, which reveals the path in a "Script Not Found" error message. 24621 20060413 TalentSoft Web+Shop Path Disclosure 19662 webplusshop-webplus-path-disclosure(25802) 761 703 Multiple cross-site scripting (XSS) vulnerabilities in Ralph Capper Tiny PHP Forum (TPF) 3.6 allow remote attackers to inject arbitrary web script or HTML via (1) the uname parameter in a view action in profile.php and (2) a login name. NOTE: the "Access to hash password" issue is already covered by CVE-2006-0103. 20060417 Tiny PHP forum - vulns tinyphpforum-profile-error-xss(25856) 17553 773 728 Multiple cross-site scripting (XSS) vulnerabilities in dev Neuron Blog 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) website parameters. ADV-2006-1406 20060417 Neuron Blog <= 1.1 XSS neuronblog-addcomment-xss(25913) 17552 1015960 19703 Multiple buffer overflows in World Wide Web Consortium (W3C) Amaya 9.4, and possibly other versions including 8.x before 8.8.5, allow remote attackers to execute arbitrary code via a long value in (1) the COMPACT attribute of the COLGROUP element, (2) the ROWS attribute of the TEXTAREA element, and (3) the COLOR attribute of the LEGEND element; and via other unspecified attack vectors consisting of "dozens of possible snippets." amaya-various-attribute-bo(25791) 24624 24623 19670 ADV-2006-1351 17507 http://morph3us.org/advisories/20060412-amaya-94.txt http://morph3us.org/advisories/20060412-amaya-94-2.txt 20060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2 20060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 Mozilla Camino 1.0 and earlier allow remote attackers to cause a denial of service (null dereference and application crash or hang) via HTML with certain improperly nested elements. NOTE: this might be the same issue as CVE-2006-1724. 20060413 Camino Browser HTML Parsing Null Pointer Dereference Denial of Service Vulnerability 772 fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value." 20060418 RE: gcc 4.1 bug miscompiles pointer range checks, may place you at risk 20060417 gcc 4.1 bug miscompiles pointer range checks, may place you at risk 20060418 Re: gcc 4.1 bug miscompiles pointer range checks, may place you at risk 20060418 Re: gcc 4.1 bug miscompiles pointer range checks, may place you at risk http://gcc.gnu.org/viewcvs/branches/gcc-4_1-branch/gcc/fold-const.c?r1=110549&r2=112698&pathrev=112698&diff_format=h [gcc-bugs] 20060417 [Bug middle-end/27180] New: pointer arithmetic overflow handling broken [gcc-bugs] 20060417 [Bug c/27180] New: pointer arithmetic overflow handling broken http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26763 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356896 Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila allow remote attackers to inject arbitrary web script or HTML (1) via the referer parameter in sendMail, and via attributes of (2) the A element and certain other HTML elements in web pages edited with the editInBrowser module. NOTE: the msgReader$1 mode attack vector is already covered by CVE-2006-1769. 20060414 manila.userland cross site scriptable 17565 17563 Cross-site scripting (XSS) vulnerability in index.php in AnimeGenesis Gallery allows remote attackers to inject arbitrary web script or HTML via the cat parameter. ADV-2006-1395 20060417 AnimeGenesis <= XSS Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine 0.99.3 allow remote attackers to execute arbitrary code via format string specifiers in a long filename on an EXTINFO line in a playlist file. ADV-2006-1432 17579 20060418 Remote Xine Format String Vulnerability xine-playlist-format-string(25851) 24747 SUSE-SA:2006:025 MDKSA-2006:085 GLSA-200604-15 http://sourceforge.net/mailarchive/message.php?msg_id=15429845 1015959 20066 19854 19671 http://open-security.org/advisories/16 Cross-site scripting (XSS) vulnerability in index.php in jjgan852 phpLister 0.4.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter. 20060418 phpLister v. 0.4.1 XSS Attacking http://advisory.patriotichackers.com/index.php?itemid=3 phplister-index-xss(25910) 17591 770 735 Multiple SQL injection vulnerabilities in myEvent 1.x allow remote attackers to inject arbitrary SQL commands via the event_id parameter to (1) addevent.php or (2) del.php or (3) event_desc parameter to addevent.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1384 19680 myevent-addevent-del-sql-injection(25886) 24721 24720 Cross-site scripting vulnerability in addevent.php in myEvent 1.x allows remote attackers to inject arbitrary web script or HTML via the event_desc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1384 19680 myevent-addevent-xss(25885) 24719 Directory traversal vulnerability in index.php in Coppermine 1.4.4 allows remote attackers to read arbitrary files via a .//./ (modified dot dot slash) in the file parameter, which causes a regular expression to collapse the sequences into standard "../" sequences. ADV-2006-1392 17570 20060416 Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack 20060415 [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack 19665 http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclusionsystemindexphp-remotefileinclusion-attack.html coppermine-index-file-include(25866) config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to inject arbitrary PHP code by editing values that are stored in config.php and later executed. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 17566 20040614 Serendipity Blog vuln Cross-site scripting (XSS) vulnerability in MyBB (MyBulletinBoard) 1.1 allows remote attackers to inject arbitrary web script or HTML via the attachment content disposition in an HTML attachment. This vulnerability is addressed in the following product release: MyBB, MyBB, 1.1.1 19668 http://community.mybboard.net/showthread.php?tid=8232 ADV-2006-1381 mybb-html-attachment-xss(25864) MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks. Upgrade to MyBB 1.1.1 mybb-global-init-data-manipulation(25865) ADV-2006-1381 24711 24710 19668 http://myimei.com/security/2006-04-14/mybb110globalphpparameterextracting.html http://community.mybboard.net/showthread.php?tid=8232 20060415 [KAPDA]MyBB1.1.0~global.php~ParameterExtracting Cross-site scripting (XSS) vulnerability in jax_guestbook.php in Jax Guestbook 3.1, 3.31, and 3.50 allows remote attackers to inject arbitrary web script or HTML via the page parameter. ADV-2006-1800 17560 16337 http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html jaxguestbook-admin-xss(26448) 24991 20110 19843 http://kiki91.altervista.org/exploit/jax.txt DbbS 2.0-alpha and earlier allows remote attackers to obtain sensitive information via an invalid (1) fcategoryid parameter to topics.php or (2) unavariabile, (3) GLOBALS, or (4) _SERVER[] parameters to script.php. NOTE: this information leak might be resultant from a global variable overwrite issue. 20060416 DbbS<=2.0-alpha Multiple Vulnerabilities dbbs-multiple-path-disclosure(25922) 771 SQL injection vulnerability in topics.php in DbbS 2.0-alpha and earlier allows remote attackers to execute arbitrary SQL commands via the fcategoryid parameter. 20060416 DbbS<=2.0-alpha Multiple Vulnerabilities 771 661 Multiple cross-site scripting (XSS) vulnerabilities in profile.php in DbbS 2.0-alpha and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ulocation or (2) uhobbies parameters. 17559 20060416 DbbS<=2.0-alpha Multiple Vulnerabilities dbbs-profile-xss(25923) 771 SQL injection vulnerability in member.php in Blackorpheus ClanMemberSkript 1.0 allows remote attackers to execute arbitrary SQL commands via the userID parameter. ADV-2006-1405 17558 http://downloads.securityfocus.com/vulnerabilities/exploits/Blackorpheus_poc blackorpheus-member-sql-injection(25902) 19678 1683 Multiple cross-site scripting (XSS) vulnerabilities in Papoo 2.1.5 allow remote attackers to inject arbitrary web script or HTML via the menuid parameter to (1) index.php or (2) forum.php, or the (3) reporeid_print parameter to print.php. 1015939 17530 20060414 Vulnerabilities in Papoo PHP remote file inclusion vulnerability in index.php in Internet Photoshow 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. ADV-2006-1417 19726 1694 ip-index-file-include(25937) 17620 24743 SQL injection vulnerability in index.php in PMTool 1.2.2 allows remote attackers to execute arbitrary SQL commands via the order parameter in the include files (1) user.inc.php, (2) customer.inc.php, and (3) project.inc.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1416 19685 pmtool-order-sql-injection(25877) 17599 24782 24781 24780 nettools.php in PHP Net Tools 2.7.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the host parameter. ADV-2006-1420 19694 1695 phpnettools-nettools-command-execution(25941) 17601 20060609 [VIM] Update Regarding CVE-2006-1921 (fwd) PHP remote file inclusion vulnerability in (1) about.php or (2) auth.php in TotalCalendar allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter. ADV-2006-1418 19730 17618 24751 24748 http://sweetphp.com/files/downloads/patches/TotalCalendar/Security_Patch.zip http://pridels0.blogspot.com/2006/04/totalcalendar-remote-code-execution.html Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) RSS/RSS.php and (2) possibly other vectors. 19719 ADV-2006-1424 linpha-rss-xss(26269) 17619 24816 20060420 LinPHA provenance/acknowledgement SQL injection vulnerability in functions/db_api.php in LinPHA 1.1.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors. 19719 ADV-2006-1424 linpha-functionsdbapi-sql-injection(26268) 17619 24817 20060420 LinPHA provenance/acknowledgement Directory traversal vulnerability in the editnews module (inc/editnews.mdu) in index.php in CuteNews 1.4.1 allows remote attackers to read or modify files via the source parameter in the (1) editnews or (2) doeditnews action. NOTE: this can also produce resultant XSS when the target file does not exist. cutenews-index-source-xss(25935) 17592 20060420 Re: CuteNews 1.4.1 <= Cross Site Scripting 20060418 CuteNews 1.4.1 <= Cross Site Scripting 775 SQL injection vulnerability in showtopic.php in ThWboard 2.84 beta 3 and earlier allows remote attackers to execute arbitrary SQL commands via the pagenum parameter. 17606 20060419 ThWboard <= 3 Beta 2.84 SQL Injection thwboard-showtopic-sql-injection(25891) 20060613 Re: BUGTRAQ:20060611 ThWboard 3.0 <= SQL Injection 20060611 ThWboard 3.0 <= SQL Injection Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 or Cisco 12000 series routers, allows remote attackers to cause a denial of service (Line card crash) via certain MPLS packets, as identified by Cisco bug ID CSCsc77475. Only systems that are running Cisco IOS XR and configured for MPLS are affected by this vulnerability. ADV-2006-1433 17607 20060419 Cisco IOS XR MPLS Vulnerabilities cisco-iosxr-mpls-dos(25881) 1015964 19740 Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 routers, allows remote attackers to cause a denial of service (Modular Services Cards (MSC) crash or "MPLS packet handling problems") via certain MPLS packets, as identified by Cisco bug IDs (1) CSCsd15970 and (2) CSCsd55531. ADV-2006-1433 17607 20060419 Cisco IOS XR MPLS Vulnerabilities cisco-iosxr-mpls-dos(25881) 24811 1015964 19740 PHP remote file inclusion vulnerability in include/common.php in I-Rater Platinum allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. ADV-2006-1431 19684 Irater-common-file-include(25963) 17623 24777 http://pridels0.blogspot.com/2006/04/i-rater-platinum-remote-file-inclusion.html ** DISPUTED ** Multiple SQL injection vulnerabilities in userscript.php in Green Minute 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) huserid, (2) pituus, or (3) date parameters. NOTE: this issue has been disputed by the vendor, saying "those parameters mentioned ARE checked (preg_match) before they are used in SQL-query... If someone decided to add SQL-injection stuff to certain parameter, they would see an error text, but only because _nothing_ was passed inside that parameter (to MySQL-database)." As allowed by the vendor, CVE investigated this report on 20060525 and found that the demo site demonstrated a non-sensitive SQL error when given standard SQL injection manipulations. greenminute-userscript-sql-injection(25942) 25207 http://pridels0.blogspot.com/2006/04/green-minute-sql-inj-vuln.html http://osvdb.org/ref/25/25207-dispute.txt http://hoito.org/en/products/ The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/27787 ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-webrick-dos-1.patch oval:org.mitre.oval:def:11100 ruby-socket-dos(26102) USN-273-1 17645 RHSA-2006:0427 24972 SUSE-SR:2006:012 MDKSA-2006:079 GLSA-200605-11 DSA-1157 1015978 21657 20457 20064 20024 19804 19772 16904 ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch Off-by-one error in the OID printing routine in Ethereal 0.10.x up to 0.10.14 has unknown impact and remote attack vectors. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:9823 ethereal-oid-printing-offbyone(26012) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Multiple unspecified vulnerabilities in Ethereal 0.10.x up to 0.10.14 allow remote attackers to cause a denial of service (large or infinite loops) viarafted packets to the (1) UMA and (2) BER dissectors. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:10841 ethereal-ber-loop-dos(26024) ethereal-uma-dissector-dos(26008) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Multiple buffer overflows in Ethereal 0.10.x up to 0.10.14 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) ALCAP dissector, (2) Network Instruments file code, or (3) NetXray/Windows Sniffer file code. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:10445 ethereal-netxwin-sniffer-bo(26027) ethereal-net-instr-bo(26026) ethereal-alcap-dissector-bo(26014) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Buffer overflow in Ethereal 0.9.15 up to 0.10.14 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the COPS dissector. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:10811 ethereal-cops-dissector-bo(26013) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Buffer overflow in Ethereal 0.8.5 up to 0.10.14 allows remote attackers to execute arbitrary code via the telnet dissector. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:10341 ethereal-telnet-dissector-bo(26029) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Multiple unspecified vulnerabilities in Ethereal 0.10.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via (1) multiple vectors in H.248, and the (2) X.509if, (3) SRVLOC, (4) H.245, (5) AIM, and (6) general packet dissectors; and (7) the statistics counter. http://www.ethereal.com/appnotes/enpa-sa-00023.html ethereal-h248-dos(26031) ethereal-aim-dos(26019) ethereal-general-dissector-dos(26018) ethereal-statistics-counter-dos(26015) ethereal-h245-dos(26011) ethereal-srvloc-dos(26010) ethereal-x509if-dissector-dos(26009) ethereal-h248-dissector-dos(26007) ADV-2006-1501 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 oval:org.mitre.oval:def:10323 SUSE-SR:2006:010 20060501-01-U Multiple unspecified vulnerabilities in Ethereal 0.8.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via the (1) Sniffer capture or (2) SMB PIPE dissector. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:9850 ethereal-smbpipe-dos(26023) ethereal-sniffer-capture-dos(26016) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Multiple unspecified vulnerabilities in Ethereal 0.9.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via (1) an invalid display filter, or the (2) GSM SMS, (3) ASN.1-based, (4) DCERPC NT, (5) PER, (6) RPC, (7) DCERPC, and (8) ASN.1 dissectors. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:11030 ethereal-per-diss-dos(26033) ethereal-dcerpcnt-dissector-dos(26032) ethereal-asn1based-dissector-dos(26030) ethereal-gsmsms-dissector-dos(26028) ethereal-asn1-dissector-dos(26022) ethereal-dcerpc-dissector-dos(26021) ethereal-rpc-dos(26020) ethereal-display-filter-dos(26017) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Unspecified vulnerability in Ethereal 0.10.4 up to 0.10.14 allows remote attackers to cause a denial of service (abort) via the SNDCP dissector. http://www.ethereal.com/appnotes/enpa-sa-00023.html ADV-2006-1501 oval:org.mitre.oval:def:9781 ethereal-sndcp-dissector-dos(26025) 17682 RHSA-2006:0420 FEDORA-2006-461 FEDORA-2006-456 MDKSA-2006:077 GLSA-200604-17 DSA-1049 http://support.avaya.com/elmodocs2/security/ASA-2006-128.htm 1015985 20944 20210 20117 19962 19958 19839 19828 19805 19769 SUSE-SR:2006:010 20060501-01-U Neon Responder 5.4 for LANsurveyor allows remote attackers to cause a denial of service (application outage) via a crafted Clock Synchronisation packet that triggers an access violation. 20060417 Neon Responder (Dos,Exploit) ADV-2006-1442 17569 neonresponder-clocksynchronization-dos(25904) 1015950 776 731 19702 Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Netscape 8.1, 8.0.4, and 7.2, and K-Meleon 0.9.13 allows user-assisted remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-image file:// URL, then tricking the user into selecting View Image for the broken image, as demonstrated using a .wma file to launch Windows Media Player, or by referencing an "alternate web page." http://www.gavinsharp.com/tmp/ImageVuln.html https://bugzilla.mozilla.org/show_bug.cgi?id=334341 firefox-viewimage-security-bypass(25925) ADV-2008-0083 ADV-2006-3748 ADV-2006-2106 18228 SSRT061181 SSRT061181 20060602 rPSA-2006-0091-1 firefox thunderbird 20060507 Re: Firefox 1.5.0.3 code execution exploit 20060505 Firefox 1.5.0.3 code execution exploit 20060418 Another flaw in Firefox 1.5.0.2: to open files from remote 24713 SUSE-SA:2006:035 http://www.networksecurity.fi/advisories/netscape-view-image.html http://www.mozilla.org/security/announce/2006/mfsa2006-39.html DSA-1134 DSA-1120 DSA-1118 1016202 22066 21324 21183 21176 20376 20063 19988 19698 Multiple cross-site scripting (XSS) vulnerabilities in Smarter Scripts IntelliLink Pro 5.06 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter in addlink_lwp.cgi and the (2) id, (3) forgotid, and (4) forgotpass parameters in edit.cgi. ADV-2006-1409 17605 19701 intellilink-multiple-xss(25929) 24733 24732 http://pridels0.blogspot.com/2006/04/intellilink-pro-xss-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in SibSoft CommuniMail 1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the list_id parameter in mailadmin.cgi and (2) the form_id parameter in templates.cgi. ADV-2006-1407 17602 19667 communimail-multiple-xss(25931) 24736 24735 http://pridels0.blogspot.com/2006/04/communimail-xss-vuln.html Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732. 17621 GLSA-200606-06 20496 http://pridels0.blogspot.com/2006/04/awstats-65-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in Visale 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the keyval parameter in pbpgst.cgi, (2) the catsubno parameter in pblscg.cgi, and (3) the listno parameter in pblsmb.cgi. ADV-2006-1408 17598 24718 24717 24716 19655 visale-multiple-xss(25928) http://pridels0.blogspot.com/2006/04/visale-xss-vuln.html Multiple SQL injection vulnerabilities in plexum.php in NicPlex Plexum X5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pagesize, (2) maxrec, and (3) startpos parameters. ADV-2006-1423 17617 19720 plexum-multiple-sql-injection(25918) http://pridels0.blogspot.com/2006/04/plexum-x5-sql-vuln.html The "Add Sender to Address Book" operation (AddSenderToAddressBook.lss) and NameHelper.lss in IBM Lotus Notes 6.0 and 6.5 before 20060331 do not properly store information in the Personal Address Book when multiple messages are checked and a message uses AltFrom, which might allow user-assisted remote attackers to trick a user into sending e-mail to an unauthorized recipient. http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21232945 1015914 SQL injection vulnerability in plexcart.pl in NicPlex PlexCart X3 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. plexcartx3-catid-sql-injection(25917) 18033 http://pridels0.blogspot.com/2006/04/plexcart-x3-sql-inj.html Multiple cross-site scripting (XSS) vulnerabilities in banners.cgi in PerlCoders BannerFarm 2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) aff and (2) cat parameters. ADV-2006-1410 17613 19718 bannerfarm-banners-xss(25919) 24728 http://pridels0.blogspot.com/2006/04/bannerfarm-xss-vuln.html Directory traversal vulnerability in SolarWinds TFTP Server 8.1 and earlier allows remote attackers to download arbitrary files via a crafted GET request including "....//" sequences, which are collapsed into "../" sequences by filtering. 17648 20060421 Rapid7 Advisory R7-0019: Directory traversal vulnerability in SolarWinds TFTP Server for Windows http://www.rapid7.com/advisories/R7-0019.html ADV-2006-1561 tftp-dotdotdotdot-directory-traversal(25969) 778 19848 20060421 Rapid7 Advisory R7-0019: Directory traversal vulnerability in SolarWinds TFTP Server for Windows Directory traversal vulnerability in WinAgents TFTP Server for Windows 3.1 and earlier allows remote attackers to read arbitrary files via "..." (triple dot) sequences in a GET request. According to the vendor, WinAgents TFTP server version 3.2 fixes this directory traversal vulnerability. ADV-2006-1562 http://www.rapid7.com/advisories/R7-0020.html tftp-dotdotdot-directory-traversal(25971) http://www.winagents.com/en/news/410.php 17718 19844 Directory traversal vulnerability in Caucho Resin 3.0.17 and 3.0.18 for Windows allows remote attackers to read arbitrary files via a "C:%5C" (encoded drive letter) in a URL. This vulnerability is addressed in the following product release: Caucho Technology, Resin, 3.0.19 The following product releases are not vulnerable: Caucho Technology, Resin, 3.0.16 Caucho Technology, Resin, 2.1.12 Caucho Technology, Resin, 2.1.2 Caucho Technology, Resin, 2.1.1 Caucho Technology, Resin, 2.0 18005 20060516 Caucho Resin Windows Directory Traversal Vulnerability ADV-2006-1831 resin-webserver-directory-traversal(26478) http://www.rapid7.com/advisories/R7-0024.html 25570 1016109 904 20125 20060516 Caucho Resin Windows Directory Traversal Vulnerability SQL injection vulnerability in authent.php4 in Nicolas Fischer (aka NFec) RechnungsZentrale V2 1.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the User field. ADV-2006-1425 17588 http://www.g-0.org/code/rz2-adv.html rechnungszentrale-authent-sql-injection(25911) 24752 19728 1699 20060419 RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilities PHP remote file inclusion vulnerability in authent.php4 in Nicolas Fischer (aka NFec) RechnungsZentrale V2 1.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the rootpath parameter. ADV-2006-1425 17589 http://www.g-0.org/code/rz2-adv.html rechnungszentrale-authent-file-inclusion(25912) 24753 19728 1699 20060419 RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilities The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to obtain sensitive information via an invalid feed parameter, which reveals the path in an error message. 20060418 [KAPDA::#41] - Mambo/Joomla rss component vulnerability http://www.kapda.ir/advisory-313.html http://irannetjob.com/content/view/209/28/ The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter. 20060418 [KAPDA::#41] - Mambo/Joomla rss component vulnerability http://www.kapda.ir/advisory-313.html http://irannetjob.com/content/view/209/28/ mambo-joomla-rss-dos(26131) 20060419 Re: [KAPDA::#41] - Mambo/Joomla rss component vulnerability Multiple SQL injection vulnerabilities in WWWThreads RC 3 allow remote attackers to execute arbitrary SQL commands via (1) the forumreferrer cookie to register.php and (2) the messages parameter in message_list.php. ADV-2006-1447 17615 20060419 WWWThread RC 3 MultBugs wwwthreads-multiple-sql-injection(25936) 739 19732 PHP remote file inclusion vulnerability in direct.php in ActualScripts ActualAnalyzer Lite 2.72 and earlier, Gold 7.63 and earlier, and Server 8.23 and earlier allows remote attackers to execute arbitrary code via a URL in the rf parameter. ADV-2006-1430 17597 20060419 [MajorSecurity]ActualAnalyzer - Remote File Include Vulnerability 19743 actualanalyzer-direct-file-include(25893) 20060520 ActualAnalyzer Server <=8.23 - Remote File Include Vulnerability 24778 1015967 742 Cross-site scripting (XSS) vulnerability in the appliance web user interface in Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13 allows remote attackers to inject arbitrary web script or HTML, possibly via the displayMsg parameter to archiveApplyDisplay.jsp, aka bug ID CSCsc01095. 20060419 Multiple Vulnerabilities in the WLSE Appliance 1015965 19736 ADV-2006-1434 cisco-wlse-user-xss(25883) 17604 20060419 Multiple vulnerabilities in Linux based Cisco products 20060419 Re: Multiple vulnerabilities in Linux based Cisco products 24812 http://www.assurance.com.au/advisories/200604-cisco.txt Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the "show" command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory. 20060419 Response to Privilege Escalation on Multiple Cisco Products 20060419 Multiple Vulnerabilities in the WLSE Appliance 1015965 19736 cisco-wlse-shell-privilege-escalation(25884) ADV-2006-1435 ADV-2006-1434 17609 20060419 Multiple vulnerabilities in Linux based Cisco products 20060419 Re: Multiple vulnerabilities in Linux based Cisco products 24813 http://www.assurance.com.au/advisories/200604-cisco.txt 19741 19739 SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php. pcpin-chat-main-sql-injection(25961) ADV-2006-1441 17632 20060604 Re: PCPIN Chat <= 5.0.4 20060419 PCPIN Chat <= 5.0.4 1015968 19708 http://retrogod.altervista.org/pcpin_504_xpl.html Directory traversal vulnerability in main.php in PCPIN Chat 5.0.4 and earlier allows remote authenticated users to include and execute arbitrary PHP code via a ".." (dot dot) in a language cookie, as demonstrated by uploading then accessing a smiliefile image that actually contains PHP code. ADV-2006-1441 17632 20060419 PCPIN Chat <= 5.0.4 "login/language" remote cmmnds xctn 19708 http://retrogod.altervista.org/pcpin_504_xpl.html pcpin-chat-main-file-include(25962) 20060604 Re: PCPIN Chat <= 5.0.4 "login/language" remote cmmnds xctn 1015968 SQL injection vulnerability in Haberler.asp in ASPSitem 1.83 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 17616 20060419 ASPSitem <= 1.83 Remote SQL Injection Vulnerability http://www.nukedx.com/?getxpl=23 19693 ADV-2006-1439 aspsitem-haberler-sql-injection(25932) Multiple cross-site scripting (XSS) vulnerabilities in aasi media Net Clubs Pro 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) onuser, (2) pass, (3) chatsys, (4) room, (5) username, and (6) to parameters in (a) sendim.cgi; the (7) username parameter in (b) imessage.cgi; the (8) password parameter in (c) login.cgi; and the (9) cat_id parameter in (d) viewcat.cgi. ADV-2006-1436 netclubspro-multiple-xss(25957) 17622 24757 24756 24755 24754 19651 http://pridels0.blogspot.com/2006/04/net-clubs-pro-xss-vuln.html An unspecified Fortinet product, possibly Fortinet28, allows remote attackers to cause a denial of service via a "small synflood" to the SMTP port (TCP port 25), as demonstrated by a 10-microsecond wait between sending packets. NOTE: this issue has been disputed in followup posts that suggest that a protection feature is triggering a RST. 20060416 Fortinet28 box does not resist has small synflood! 20060418 Re: Fortinet28 box does not resist has small synflood! 20060418 Re: Fortinet28 box does not resist has small synflood! Cross-site scripting (XSS) vulnerability in calendar/Visitor.cgi in KCScripts Calendar, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the sort_order parameter. portalpack-multiple-xss(25940) ADV-2006-1440 17628 24761 19695 503 http://pridels0.blogspot.com/2006/04/portal-pack-6-xss-vuln.html Cross-site scripting (XSS) vulnerability in news/NsVisitor.cgi in KCScripts News Publisher, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the sort_order parameter. portalpack-multiple-xss(25940) ADV-2006-1440 17628 24762 19695 http://pridels0.blogspot.com/2006/04/portal-pack-6-xss-vuln.html Cross-site scripting (XSS) vulnerability in search/search.cgi in an unspecified KCScripts script, probably Search Engine or Site Search, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the q parameter. ADV-2006-1440 19695 portalpack-multiple-xss(25940) 17628 24763 http://pridels0.blogspot.com/2006/04/portal-pack-6-xss-vuln.html Cross-site scripting (XSS) vulnerability in classifieds/viewcat.cgi in KCScripts Classifieds, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. ADV-2006-1440 19695 portalpack-multiple-xss(25940) 17628 24764 http://pridels0.blogspot.com/2006/04/portal-pack-6-xss-vuln.html Cross-site scripting (XSS) vulnerability in login.php in KRANKIKOM ContentBoxX allows remote attackers to inject arbitrary web script or HTML via the action parameter. ADV-2006-1438 17612 20060419 ContentBoxx Login.php Cross-Site Scripting 19733 contentboxx-login-xss(25952) 24768 779 740 Cross-site scripting (XSS) vulnerability in EasyGallery.php in Wingnut EasyGallery allows remote attackers to inject arbitrary web script or HTML via the ordner parameter. ADV-2006-1437 20060419 EasyGallery Cross-Site Scripting http://advisory.patriotichackers.com/index.php?itemid=5 easygallery-script-xss(25943) 17624 746 19713 Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages. VU#621566 ADV-2006-1443 http://www.kb.cert.org/vuls/id/MIMG-6GMMW4 linksys-rt31p2-sip-dos(25915) 17631 24810 19722 SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter. http://www.securityfocus.com/bid/16443/exploit 16443 Cross-site scripting (XSS) vulnerability in guestbook_newentry.php in PHP-Gastebuch 1.61 allows remote attackers to inject arbitrary web script or HTML via the Kommentar field. 23962 http://osvdb.org/ref/23/23962-gastebuch.txt 19810 Cross-site scripting (XSS) vulnerability in addRequest.php in Prayer Request Board (PRB) Beta 1 before 20060320 allows remote attackers to inject arbitrary web script or HTML via the Request field. 23958 http://osvdb.org/ref/23/23958-prb.txt Cross-site scripting (XSS) vulnerability in FlexBB 0.5.7 BETA and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) name and (2) message parameters. ADV-2006-1393 20060415 FlexBB <= 0.5.7 BETA XSS 1015946 flexbb-newthread-xss(25868) 777 SQL injection vulnerability in inc/start.php in FlexBB 0.5.5 and earlier allows remote attackers to execute arbitrary SQL commands via the flexbb_username COOKIE parameter. 20060417 FlexBB 0.5.5 Bypass Exploit 1015949 17568 1686 Cross-site scripting (XSS) vulnerability in mwguest.php in Manic Web MWGuest 2.1.0 allows remote attackers to inject arbitrary web script or HTML via the homepage parameter. 17630 20060420 [eVuln] MWGuest XSS Vulnerability http://evuln.com/vulns/122/summary.html mwguest-mwguest-xss(25674) 747 Cross-site scripting (XSS) vulnerability in W2B Online Banking allows remote attackers to inject arbitrary web script or HTML via the (1) query string, (2) SID parameter, or (3) ilang parameter. w2bonlinebanking-sid-xss(25947) ADV-2006-1445 17626 24759 19717 http://pridels0.blogspot.com/2006/04/w2b-online-banking-vuln.html Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may cause InputMethods to send input events for secure fields to the wrong text field, which might reveal the password to others who can view the screen. ADV-2006-1398 http://docs.info.apple.com/article.html?artnum=303658 macosx-java-inputmethods-info-disclosure(26167) Heap-based buffer overflow in the LZWDecodeVector function in Mac OS X before 10.4.6, as used in applications that use ImageIO or AppKit, allows remote attackers to execute arbitrary code via crafted TIFF images. TA06-132A http://www.security-protocols.com/sp-x24-advisory.php 20077 APPLE-SA-2006-05-11 http://docs.info.apple.com/article.html?artnum=303411 ADV-2006-1779 ADV-2006-1452 17951 17634 http://www.security-protocols.com/modules.php?name=News&file=article&sid=3233 31837 19686 Multiple heap-based buffer overflows in Mac OS X 10.4.6 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) PredictorVSetField function for TIFF or (2) CFAllocatorAllocate function for GIF, as used in applications that use ImageIO or AppKit. NOTE: the BMP vector has been re-assigned to CVE-2006-2238 because it affects a separate product family. TA06-132A 1016067 20077 APPLE-SA-2006-05-11 macosx-predictorvsetfield-bo(25951) macosx-cfallocatorallocate-bo(25949) ADV-2006-1779 ADV-2006-1452 17951 17634 http://www.security-protocols.com/sp-x30-advisory.php http://www.security-protocols.com/sp-x28-advisory.php http://www.security-protocols.com/modules.php?name=News&file=article&sid=3233 24822 24821 19686 Unspecified vulnerability in the _cg_TIFFSetField function in Mac OS X 10.4.6 and earlier, as used in applications that use ImageIO or AppKit, allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a null dereference. TA06-132A 20077 APPLE-SA-2006-05-11 macosx-tiffsetfield-bo(25950) ADV-2006-1779 ADV-2006-1452 17951 17634 http://www.security-protocols.com/sp-x29-advisory.php http://www.security-protocols.com/modules.php?name=News&file=article&sid=3233 19686 Heap-based buffer overflow in BOM BOMArchiveHelper 10.4 (6.3) Build 312, as used in Mac OS X 10.4.6 and earlier, allows user-assisted attackers to execute arbitrary code via a crafted archive (such as ZIP) that contains long path names, which triggers an error in the BOMStackPop function. TA06-132A http://www.security-protocols.com/sp-x25-advisory.php 20077 APPLE-SA-2006-05-11 macosx-archivehelper-bo(25945) ADV-2006-1779 ADV-2006-1452 17951 17634 http://www.security-protocols.com/modules.php?name=News&file=article&sid=3233 24819 1016082 19686 Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via a large CELLSPACING attribute in a TABLE tag, which triggers an error in KWQListIteratorImpl::KWQListIteratorImpl. ADV-2006-1452 17634 http://www.security-protocols.com/sp-x26-advisory.php http://security-protocols.com/poc/sp-x26-1.html macosx-safari-dos(25946) 24823 19686 Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via an invalid FRAME tag, possibly due to (1) multiple SCROLLING attributes with no values, or (2) a SRC attribute with no value. NOTE: due to lack of diagnosis by the researcher, it is unclear which vector is responsible. ADV-2006-1452 17634 http://www.security-protocols.com/sp-x26-advisory.php http://security-protocols.com/poc/sp-x26-4.html macosx-safari-dos(25946) 19686 The WebTextRenderer(WebInternal) _CG_drawRun:style:geometry: function in Apple Safari 2.0.3 allows remote attackers to cause a denial of service (application crash) via an HTML LI tag with a large VALUE attribute (list item number), which triggers a null dereference in QPainter::drawText, probably due to a failed memory allocation that uses the VALUE. ADV-2006-1452 17634 http://www.security-protocols.com/sp-x26-advisory.php macosx-safari-dos(25946) 24823 http://security-protocols.com/poc/sp-x26-2.html 19686 Buffer overflow in the get_database function in the HTTP client in Freshclam in ClamAV 0.80 to 0.88.1 might allow remote web servers to execute arbitrary code via long HTTP headers. This vulnerability is addressed in the following product release: Clam Anti-Virus, ClamAV, 0.88.2 VU#599220 17754 19880 ADV-2006-2566 ADV-2006-1586 2006-0024 25120 SUSE-SA:2006:025 GLSA-200605-03 DSA-1050 http://www.clamav.net/security/0.88.2.html 20159 20117 19964 19963 19912 19874 SUSE-SR:2006:010 APPLE-SA-2006-06-27 http://kolab.org/security/kolab-vendor-notice-09.txt clamav-freshclam-http-bo(26182) MDKSA-2006:080 1016392 20877 Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396. TA06-333A ADV-2006-4750 ADV-2006-1500 MDKSA-2006:091 http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02 oval:org.mitre.oval:def:9696 https://issues.rpath.com/browse/RPL-683 php-wordwrap-string-bo(26001) USN-320-1 TLSA-2006-38 20061005 rPSA-2006-0182-1 php php-mysql php-pgsql RHSA-2006:0568 RHSA-2006:0501 SUSE-SA:2006:031 MDKSA-2006:122 MDKSA-2006:091 http://support.avaya.com/elmodocs2/security/ASA-2006-175.htm http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm 1015979 GLSA-200605-08 23155 22225 21723 21564 21252 21135 21125 21050 21031 20676 20269 20222 20052 19803 RHSA-2006:0549 APPLE-SA-2006-11-28 http://docs.info.apple.com/article.html?artnum=304829 20060701-01-U The substr_compare function in string.c in PHP 5.1.2 allows context-dependent attackers to cause a denial of service (memory access violation) via an out-of-bounds offset argument. 20269 php-substrcompare-length-dos(26003) ADV-2006-1500 USN-320-1 SUSE-SA:2006:031 MDKSA-2006:091 MDKSA-2006:091 http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02 1015979 GLSA-200605-08 21125 20676 20052 mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, allows remote attackers to cause a denial of service (crash) via nested OBJECT tags, which trigger invalid pointer dereferences including NULL dereferences. NOTE: the possibility of code execution was originally theorized, but Microsoft has stated that this issue is non-exploitable. MS06-021 1016291 19762 ie-object-memory-corruption(25978) ADV-2006-1507 17658 20060422 MSIE (mshtml.dll) OBJECT tag vulnerability 27475 1016001 781 20060423 MSIE (mshtml.dll) OBJECT tag vulnerability 20060422 Re: MSIE (mshtml.dll) OBJECT tag vulnerability Mozilla Firefox 1.5.0.2, when designMode is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain Javascript that is not properly handled by the contentWindow.focus method in an iframe, which causes a reference to a deleted controller context object. NOTE: this was originally claimed to be a buffer overflow in (1) js320.dll and (2) xpcom_core.dll, but the vendor disputes this claim. VU#866300 17671 19802 firefox-iframe-contentwindowfocus-bo(25994) ADV-2008-0083 ADV-2006-3748 ADV-2006-1922 ADV-2006-1614 HPSBUX02153 HPSBUX02153 SSRT061145 SSRT061145 20060424 Firefox Remote Code Execution and DoS 1.5.0.2 http://www.securident.com/vuln/ff.txt http://www.mozilla.org/security/announce/2006/mfsa2006-30.html GLSA-200605-06 DSA-1055 DSA-1053 1015981 780 22066 20214 20070 20019 20015 oval:org.mitre.oval:def:1790 PHP remote file inclusion vulnerability in dForum 1.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DFORUM_PATH parameter to (1) about.php, (2) admin.php, (3) anmelden.php, (4) losethread.php, (5) config.php, (6) delpost.php, (7) delthread.php, (8) dfcode.php, (9) download.php, (10) editanoc.php, (11) forum.php, (12) login.php, (13) makethread.php, (14) menu.php, (15) newthread.php, (16) openthread.php, (17) overview.php, (18) post.php, (19) suchen.php, (20) user.php, (21) userconfig.php, (22) userinfo.php, and (23) verwalten.php. ADV-2006-1482 17650 20060421 dForum <= 1.5 Multiple Remote File Inclusion Vulnerabilities. http://www.nukedx.com/?viewdoc=27 19788 dforum-dforumpath-parameter-file-include(26035) 20060421 dForum <= 1.5 Multiple Remote File Inclusion Vulnerabilities. Directory traversal vulnerability in index.php in Scry Gallery 1.1 allows remote attackers to read arbitrary files via ".." sequences in the p parameter, which is not properly sanitized due to an rtrim function call with the arguments in the wrong order. ADV-2006-1490 17649 20060421 Scry Gallery Directory Traversal & Full Path Disclosure Vulnerabilites http://downloads.securityfocus.com/vulnerabilities/exploits/17649-directory-traversal.exploit scry-gallery-index-directory-traversal(25991) 17668 24889 784 19777 20060425 Interesting Scry stuff Scry Gallery 1.1 allows remote attackers to obtain sensitive information via an invalid p parameter, which reveals the path in an error message. ADV-2006-1490 20060421 Scry Gallery Directory Traversal & Full Path Disclosure Vulnerabilites scry-gallery-index-path-disclosure(25990) 17668 24890 784 19777 20060425 Interesting Scry stuff Unspecified vulnerability in Sybase Pylon Anywhere groupware synchronization server before 7.0 allows local users to obtain sensitive information such as email and PIM data of another user via unknown attack vectors. http://www.sybase.com/detail?id=1040213 19784 pylon-groupware-unauth-access(25989) ADV-2006-1477 17677 OpenTTD 0.4.7 and earlier allows local users to cause a denial of service (application exit) via a large invalid error number, which triggers an error. http://aluigi.altervista.org/adv/openttdx-adv.txt ADV-2006-1480 19768 openttd-command-packet-dos(26000) 17661 20060423 Denial of service bugs in OpenTTD 0.4.7 GLSA-200609-03 21799 The multiplayer menu in OpenTTD 0.4.7 allows remote attackers to cause a denial of service via a UDP packet with an incorrect size, which causes the client to return to the main menu. http://aluigi.altervista.org/adv/openttdx-adv.txt ADV-2006-1480 19768 openttd-udp-packet-dos(26004) 17661 20060423 Denial of service bugs in OpenTTD 0.4.7 GLSA-200609-03 21799 Cross-site scripting (XSS) vulnerability in /lms/a2z.jsp in logMethods 0.9 allows remote attackers to inject arbitrary web script or HTML via the kwd parameter. ADV-2006-1484 19793 logmethods-lmsa2z-xss(25968) 17675 24876 http://pridels0.blogspot.com/2006/04/logmethods-xss-vuln.html Cross-site scripting (XSS) vulnerability in index.php in Scry Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: this is a different vulnerability than the directory traversal vector. ADV-2006-1490 20060424 Scry Gallery XSS Vulnerability scry-gallery-index-xss(26101) 17668 24891 783 19777 20060425 Interesting Scry stuff PHP remote file inclusion vulnerability in stats.php in MyGamingLadder 7.0 allows remote attackers to execute arbitrary PHP code via a URL in the dir[base] parameter. Successful exploitation requires that "register_globals" is enabled. ADV-2006-1483 17657 20060422 Advisory: My Gaming Ladder Combo System <= 7.0 Remote File Inclusion Vulnerability. http://www.nukedx.com/?viewdoc=28 19773 mygamingladder-stats-file-inclusion(25992) 24892 Cross-site scripting (XSS) vulnerability in cgi-bin/guest in Community Architect Guestbook allows remote attackers to inject arbitrary web script or HTML by signing the guestbook, which is displayed by fsguestbook.html. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1446 24784 19742 Multiple SQL injection vulnerabilities in RI Blog 1.1 allow remote attackers to execute arbitrary SQL command via the (1) username or (2) password fields. ADV-2006-1489 17654 19783 http://colander.altervista.org/advisory/riblog.txt riblog-login-sql-injection(26132) 20060423 RIblog Remote SQL Injection Exploit Eval injection vulnerability in index.php in ClanSys 1.1 allows remote attackers to execute arbitrary PHP code via PHP code in the page parameter, as demonstrated by using an "include" statement that is injected into the eval statement. NOTE: this issue has been described as file inclusion by some sources, but that is just one attack; the primary vulnerability is eval injection. 17660 20060423 Advisory: Clansys <= 1.1 PHP Code Insertion Vulnerability. http://www.nukedx.com/?getxpl=29 1015988 clansys-index-file-include(25976) 25083 782 Multiple directory traversal vulnerabilities in IZArc Archiver 3.5 beta 3 allow remote attackers to write arbitrary files via a ..\ (dot dot backslash) in a (1) .rar, (2) .tar, (3) .zip, (4) .jar, or (5) .gz archive. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2006-1488 17664 19791 izarc-extract-directory-traversal(26039) 24895 Heap-based buffer overflow in Winny 2.0 b7.1 and earlier allows remote attackers to execute arbitrary code via long strings to certain commands sent to the file transfer port. VU#167033 ADV-2006-1486 17666 http://www.eeye.com/html/research/advisories/AD20060421.html 19795 JVN#74294680 winny-file-transfer-bo(25986) 24883 PHP remote file inclusion vulnerability in movie_cls.php in Built2Go PHP Movie Review 2B and earlier allows remote attackers to execute arbitrary PHP code via a URL in the full_path parameter. ADV-2006-1481 19749 1711 moviereview-moviecls-file-include(26063) 17679 24887 PHP remote file inclusion vulnerability in agenda.php3 in phpMyAgenda 3.0 Final and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootagenda parameter. ADV-2006-1509 17670 20060424 [MajorSecurity] phpMyAgenda 3.0 Final - Remote File Include Vulnerability http://downloads.securityfocus.com/vulnerabilities/exploits/phpMyAgenda_fi.txt phpmyagenda-rootagenda-file-include(26062) 20060515 tyree[at]users.sourceforge.net 24943 1015984 787 19748 http://osvdb.org/ref/29/2914x-phpmyagenda.txt Multiple SQL injection vulnerabilities in check_login.asp in Bloggage allow remote attackers to execute arbitrary SQL commands via the (1) acc_name and (2) password parameter. ADV-2006-1448 19751 http://colander.altervista.org/advisory/bloggage.txt bloggage-checklogin-sql-injection(25955) 17639 20060421 bloggage Remote SQL Injection 24797 751 Cross-site scripting (XSS) vulnerability in member.php in 4images 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via the nickname, probably involving the user_name parameter in register.php. ADV-2006-1449 17625 20060420 4images <= 1.7 XSS 19745 4images-member-xss(25987) 24796 Format string vulnerability in Skulltag 0.96f and earlier allows remote attackers to cause a denial of service via the version string. ADV-2006-1479 19767 http://aluigi.altervista.org/adv/skulltagfs-adv.txt skulltag-version-format-string(25988) 17659 20060423 Format string bug in Skulltag 0.96f SQL injection vulnerability in page.php in SL_site 1.0 allows remote attackers to execute arbitrary SQL commands via the id_page parameter. NOTE: this issue could be used to produce resultant XSS from an error message. ADV-2006-1487 1015972 19792 slsite-page-sql-injection(26036) 17667 24896 Directory traversal vulnerability in gallerie.php in SL_site 1.0 allows remote attackers to list images in arbitrary directories via ".." sequences in the rep parameter, which is used to construct a directory name in admin/config.inc.php. NOTE: this issue could be used to produce resultant XSS from an error message. ADV-2006-1487 1015972 19792 slsite-gallerie-directory-traversal(26037) 17672 17667 24897 Cross-site scripting (XSS) vulnerability in SL_site 1.0 allows remote attackers to inject arbitrary web script or HTML via the recherche parameter in recherche.php. NOTE: other XSS vectors, as reported in the original disclosure, are resultant from other primary vulnerabilities that have separate CVE names. ADV-2006-1487 1015972 19792 slsite-recherche-xss(26038) 17667 24898 Multiple cross-site scripting (XSS) vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dn parameter in (a) compare_form.php, (b) copy_form.php, (c) rename_form.php, (d) template_engine.php, and (e) delete_form.php; (2) scope parameter in (f) search.php; and (3) Container DN, (4) Machine Name, and (5) UID Number fields in (g) template_engine.php. ADV-2006-1450 17643 24794 24793 24792 24790 24789 24788 19747 phpldapadmin-templateengine-xss(25959) phpldapadmin-scope-dn-xss(25958) DSA-1057 20124 http://pridels0.blogspot.com/2006/04/phpldapadmin-multiple-vuln.html Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request. This vulnerability is addressed in the following product release: version 2.30 17662 19760 ADV-2006-1494 http://thekelleys.org.uk/dnsmasq/CHANGELOG dnsmasq-dhcp-dos(26005) 24884 SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the eventid parameter. NOTE: the affected version has been disputed by the vendor. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4. This vulnerability has been disputed by the vendor. The affected version has been disputed by the vendor via e-mail to CVE. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4. 20060423 vbulletin<--3.0.x SQL Injection 20060424 Re: vbulletin<--3.0.x SQL Injection Apple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows remote attackers to cause a denial of service (CPU consumption and crash) via a TD element with a large number in the rowspan attribute. ADV-2006-1508 17674 20060424 Re: Apple Mac OS X Safari 2.0.3 Vulnerability 20060424 Apple Mac OS X Safari 2.0.3 Vulnerability 1015982 19763 20060424 Apple Mac OS X Safari 2.0.3 Vulnerability macosx-safari-table-dos(25998) 1715 Asterisk Recording Interface (ARI) in Asterisk@Home before 2.8 stores recordings/includes/main.conf under the web document root with insufficient access control, which allows remote attackers to obtain password information. This vulnerability is addressed in the following product releases: Littlejohn Consulting, Asterisk Recording Interface, 0.10.00 and higher 24805 19744 ADV-2006-1457 http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2006.1 20060421 [SecuriWeb 2006.1] directory traversal in Asterisk@Home and ARI asterisk-mail-disclose-information(25993) Absolute path traversal vulnerability in recordings/misc/audio.php in the Asterisk Recording Interface (ARI) web interface in Asterisk@Home before 2.8 allows remote attackers to read arbitrary MP3, WAV, and GSM files via a full pathname in the recording parameter. NOTE: this issue can also be used to determine existence of files. This vulnerability is addressed in the following product release: Asterisk@Home, Asterisk@Home, 2.8 17641 19744 ADV-2006-1457 http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2006.1 20060421 [SecuriWeb 2006.1] directory traversal in Asterisk@Home and ARI asterisk-audio-directory-traversal(25996) 24806 750 Buffer overflow in the parse_url function in the RTSP module (rtsp/parse_url.c) in Fenice 1.10 and earlier allows remote attackers to execute arbitrary code via a long URL. ADV-2006-1491 17678 20060423 Buffer-overflow and crash in Fenice OMS 1.10 19770 fenice-parseurl-bo(26078) 20060607 Re: Buffer-overflow and crash in Fenice OMS 1.10 20060425 Fenice - Open Media Streaming Server remote BOF exploit 794 http://aluigi.altervista.org/adv/fenicex-adv.txt Integer overflow in the RTSP_msg_len function in rtsp/RTSP_msg_len.c in Fenice 1.10 and earlier allows remote attackers to cause a denial of service (application crash) via a large HTTP Content-Length value, which leads to an invalid memory access. ADV-2006-1491 17678 20060423 Buffer-overflow and crash in Fenice OMS 1.10 19770 fenice-contentlength-dos(26080) 20060607 Re: Buffer-overflow and crash in Fenice OMS 1.10 24882 794 http://aluigi.altervista.org/adv/fenicex-adv.txt Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c. This vulnerability is addressed in the following product release: libTIFF, libTIFF, 3.8.1 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189933 ADV-2006-1563 oval:org.mitre.oval:def:9893 http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 libtiff-tifffetchanyarray-dos(26133) USN-277-1 2006-0024 17730 RHSA-2006:0425 SUSE-SR:2006:009 MDKSA-2006:082 GLSA-200605-17 DSA-1054 http://support.avaya.com/elmodocs2/security/ASA-2006-119.htm 201332 103099 20667 20345 20210 20023 20021 19964 19949 19936 19897 19851 19838 20060501-01-U Integer overflow in the TIFFFetchData function in tif_dirread.c for libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image. This vulnerability is addressed in the following product release: libTIFF, libTIFF, 3.8.1 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189933 http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 ADV-2006-1563 oval:org.mitre.oval:def:10593 libtiff-tifffetchdata-overflow(26134) USN-277-1 2006-0024 17732 RHSA-2006:0425 SUSE-SR:2006:009 MDKSA-2006:082 GLSA-200605-17 DSA-1054 http://support.avaya.com/elmodocs2/security/ASA-2006-119.htm 201332 103099 20667 20345 20210 20023 20021 19964 19949 19936 19897 19838 20060501-01-U Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions." This vulnerability is addressed in the following product release: libTIFF, libTIFF, 3.8.1 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189933 http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 libtiff-tifjpeg-doublefree-memory-corruption(26135) ADV-2006-1563 USN-277-1 2006-0024 17733 RHSA-2006:0425 SUSE-SR:2006:009 MDKSA-2006:082 GLSA-200605-17 DSA-1054 http://support.avaya.com/elmodocs2/security/ASA-2006-119.htm 20667 20345 20210 20023 20021 19964 19949 19936 19897 19838 oval:org.mitre.oval:def:11389 20060501-01-U 201332 103099 Buffer overflow in Unicode processing in the logging functionality in Pablo Software Solutions Quick 'n Easy FTP Server Professional and Lite, probably 3.0, allows remote authenticated users to execute arbitrary code by sending a command with a long argument, which triggers a buffer overflow when an admin selects the Logging section in the FTP server main window. NOTE: the original researcher claims that the vendor disputes this issue. 20060424 Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow 17681 25235 788 Cross-site scripting (XSS) vulnerability in imagelist.php in Jeremy Ashcraft Simplog 0.9.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the imagedir parameter. NOTE: this issue might be resultant from directory traversal. ADV-2006-1493 17653 20060421 Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities. 24880 http://www.nukedx.com/?getxpl=25 19764 20060423 RE: Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities. simplog-imagelist-xss(25984) 799 Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) tid parameter in (a) preview.php; the (2) cid, (3) pid, and (4) eid parameters in (b) archive.php; and the (5) pid parameter in (c) comments.php. ADV-2006-1493 20060421 Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities. 24879 24878 24877 http://www.nukedx.com/?getxpl=25 1015976 19764 20060423 RE: Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities. simplog-multiple-sql-injection(25982) http://www.simplog.org/archive.php?blogid=1&pid=57 799 The Allied Telesyn AT-9724TS switch allows remote attackers to cause a denial of service via a large amount of UDP data to the switch, which leads to unstable operation and possibly failure of the management interface or routing. 20060419 Allied Telesyn Switch UDP Data Flood Management Denial Of Service Vulnerability telesyn-udp-dos(25938) Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter. 19659 phpmyadmin-index-xss(25954) http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-2 http://pridels0.blogspot.com/2006/04/phpmyadmin-xss-vuln.html Multiple SQL injection vulnerabilities in Core CoreNews 2.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) icon_id and (2) userid parameters in preview.php. 17655 20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities. http://www.nukedx.com/?getxpl=24 corenews-preview-sql-injection(25977) 797 20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities. PHP remote file inclusion vulnerability in Core CoreNews 2.0.1 and earlier allows remote authenticated users to execute arbitrary commands via the show parameter. NOTE: this is a different vector than CVE-2006-1212, although it might be the same primary issue. 17655 20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities. http://www.nukedx.com/?getxpl=24 corenews-index-file-include(25979) 797 20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities. SQL injection vulnerability in function/showprofile.php in FlexBB 0.5.5 allows remote attackers to execute arbitrary SQL commands, and view all usernames and passwords, via the id parameter to the showprofile page in index.php. 17574 20060421 FlexBB 0.5.5 Exploit [ function/showprofile.php ] Remote SQL Injection 24867 Websense, when configured to permit access to the dynamic content category, allows local users to bypass intended blocking of the Uncategorized category by appending a "/?" sequence to a URL. 20060421 RE: [BULK] - Websense Filter Bypass 20060420 Websense Filter Bypass websense-uncategorized-filter-bypass(25980) 25211 iOpus Secure Email Attachments (SEA), probably 1.0, does not properly handle passwords that consist of repetitions of a substring, which allows attackers to decrypt files by entering only the substring. 17656 20060422 ADVISORY FOR IOPUS SECURE EMAIL ATTACHMENTS iopus-insecure-passwords(26266) 20060425 Re: ADVISORY FOR IOPUS SECURE EMAIL ATTACHMENTS 1015980 19771 Cross-site scripting (XSS) vulnerability in index.php in Thwboard 3.0 Beta 2.84 allows remote attackers to inject arbitrary web script or HTML via the navpath parameter. 17627 20060420 ThWboard 3 Beta 2.84 Cross Site Scripting thwboard-index-xss(25953) Multiple SQL injection vulnerabilities in ampleShop 2.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) RecordID parameter in (a) Customeraddresses_RecordAction.cfm and (b) youraccount.cfm; (2) solus parameter in (c) detail.cfm; and (3) cat parameter in (d) category.cfm. ADV-2006-1512 19806 ampleshop-multiple-sql-injection(26064) 24937 24936 24935 24934 http://pridels0.blogspot.com/2006/04/ampleshop-ecommerce-software-vuln.html Multiple SQL injection vulnerabilities in the osTicket module in Help Center Live before 2.1.0 allow remote attackers to execute arbitrary SQL commands via unknown vectors. 17676 19776 ADV-2006-1492 http://sourceforge.net/project/shownotes.php?release_id=411859 helpcenterlive-osticket-sql-injection(26040) Multiple SQL injection vulnerabilities in photokorn 1.53 and 1.542 allow remote attackers to execute arbitrary SQL commands via the (1) cat, (2) pic and (3) page parameter in index.php; (4) id parameter in postcard.php; and (5) cat parameter in print.php. ADV-2006-1525 17683 20060425 photokorn 1.53 , 1.542 << Sql photokorn-multiple-sql-injection(26066) 24983 24982 24981 789 19836 PhpWebGallery before 1.6.0RC1 allows remote attackers to obtain arbitrary pictures via a request to picture.php without specifying the cat parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. 19801 ADV-2006-1515 phpwebgallery-picture-bypass-security(26079) Adobe Dreamweaver 8 before 8.0.2 and MX 2004 can generate code that allows SQL injection attacks in the (1) ColdFusion, (2) PHP mySQL, (3) ASP, (4) ASP.NET, and (5) JSP server models. This vulnerability affects all versions of Adobe, Dreamweaver, 8.0 before 8.0.2 This vulnerability is addressed in the following product releases: Adobe, Dreamweaver, 8.0.2 Code update for Macromedia, Dreamweaver MX, 2004 http://www.adobe.com/support/security/bulletins/apsb06-07.html ADV-2006-1753 dreamweaver-server-sql-injection(26339) 17928 25361 1016050 20054 20060509 Multiple SQL Injection Vulnerabilities in Dreamweaver Generated Code na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local users to gain Unix shell access via "`" (backtick) characters in the appliance's command line interface (CLI). ADV-2006-1540 17698 20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance ip3-na75-backtick-command-injection(26108) 793 19818 na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default username of admin and a default password of admin. ADV-2006-1540 17698 20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance ip3-na75-default-account(26112) 793 19818 The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has world readable permissions, which allows local users to view encrypted passwords; and the (2) NetAccess database file has world readable and writable permissions, which allows local users to view sensitive information and modify data. ADV-2006-1540 17698 20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance ip3-na75-database-file-permission(26110) ip3-na75-shadow-file-permission(26109) 19818 Multiple SQL injection vulnerabilities in Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) keywords parameters in (a) Results.cfm, and the (3) ProdID parameter in (b) Details.cfm. ADV-2006-1513 cartweaver-multiple-sql-injection(26060) http://www.techfeed.net/blog/index.cfm/2006/4/26/cartweaver-holes 25210 17941 24962 24961 4264 19812 http://pridels0.blogspot.com/2006/04/cartweaver-coldfusion-vuln.html Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allows remote attackers to obtain sensitive information via an invalid (1) secondary, (2) PageNum_Results, (3) category, or (4) keywords parameter in (a) Results.cfm; or an invalid (5) ProdID parameter in (b) Details.cfm; which reveal the path in various error messages. NOTE: the behavior for the category, keywords, and ProdID parameters might be resultant from SQL injection. ADV-2006-1513 cartweaver-multiple-path-disclosure(26061) 24964 24963 19812 http://pridels0.blogspot.com/2006/04/cartweaver-coldfusion-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in index.php in Edwin van Wijk phpWebFTP 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) port, (2) server, and (3) user parameters. NOTE: it is possible that the affected version is actually 3.2. ADV-2006-1530 http://www.subjectzero.net/research/phpwebftpxss.htm 20060425 PhpWebFtp Cross Site Scripting Vulnerability phpwebftp-index-xss(26067) 17688 24975 786 19827 Cross-site scripting (XSS) vulnerability in dcboard.cgi in DCScripts DCForumLite 3.0 allows remote attackers to inject arbitrary web script or HTML via the az parameter. ADV-2006-1532 17697 20060425 DCForumLite V 3.0<--XSS/SQL Injection dcforumlite-dcboard-xss(26083) 24988 792 19815 SQL injection vulnerability in dcboard.cgi in DCScripts DCForumLite 3.0 allows remote attackers to execute arbitrary SQL commands via the az parameter. 17697 20060425 DCForumLite V 3.0<--XSS/SQL Injection deforumlite-dcboard-sql-injection(26084) 24989 792 Multiple cross-site scripting (XSS) vulnerabilities in myadmin/index.php in NextAge Shopping Cart allow remote attackers to inject arbitrary web script or HTML via the (1) username and (2) password parameters. 20060425 NextAge Shopping Cart Software XSS http://www.aria-security.net/advisory/nextage/nextageshoppingcart.txt nextageshoppingcart-index-xss(26065) 17685 791 Cross-site scripting (XSS) vulnerability in Verosky Media Instant Photo Gallery allows remote attackers to inject arbitrary web script or HTML via the member parameter in a viewpro action in member.php. NOTE: the original report may be inaccurate, since the "viewpro" string does not appear in the source code for version 1.0.2 of the product. 17696 20060427 Re: Instant Photo Gallery <= Multiple XSS 20060425 Instant Photo Gallery <= Multiple XSS 24984 790 Multiple SQL injection vulnerabilities in QuickEStore 7.9 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the OrderID parameter in (a) shipping.cfm and (b) checkout.cfm, (2) ItemID parameter in (c) proddetail.cfm, (3) SubCatID parameter in (d) index.cfm, the (4) CategoryID parameter in (e) prodpage.cfm, and (5) ProdID parameter in (f) Details.cfm. NOTE: these issues can also be exploited for path disclosure. ADV-2006-1514 quickestore-multiple-sql-injection(26045) 24980 24979 24978 24977 24976 19817 http://pridels0.blogspot.com/2006/04/quickestore-79-vuln.html 3Com Baseline Switch 2848-SFP Plus Model #3C16486 with firmware before 1.0.2.0 allows remote attackers to cause a denial of service (unstable operation) via long DHCP packets. Update to firmware version 1.0.2.0. http://www.3com.com/products/en_...e&order=desc&prodcat=all ADV-2006-1510 17686 http://support.3com.com/infodeli/tools/switches/baseline/3C16486_V1_0_2_0_readme.pdf 19756 3com-baseline-dhcp-dos(26076) 24942 1015997 Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. office-mailto-obtain-information(26118) ADV-2006-1538 25003 19819 http://ingehenriksen.blogspot.com/2006/04/office-2003-file-attachment-exploit.html Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. ADV-2006-1538 http://ingehenriksen.blogspot.com/2006/04/office-2003-file-attachment-exploit.html office-mailto-obtain-information(26118) Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. ADV-2006-1538 20060424 Multiple browsers Windows mailto protocol Office 2003 file attachment exploit http://ingehenriksen.blogspot.com/2006/04/office-2003-file-attachment-exploit.html office-mailto-obtain-information(26118) Argument injection vulnerability in Avant Browser 10.1 Build 17 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. ADV-2006-1538 20060424 Multiple browsers Windows mailto protocol Office 2003 file attachment exploit http://ingehenriksen.blogspot.com/2006/04/office-2003-file-attachment-exploit.html office-mailto-obtain-information(26118) 785 action_public/search.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote attackers to execute arbitrary PHP code via a search with a crafted value of the lastdate parameter, which alters the behavior of a regular expression to add a "#e" (execute) modifier. http://forums.invisionpower.com/index.php?showtopic=213374 ADV-2006-1534 17695 20060425 Invision Vulnerabilities, including remote code execution invision-search-file-include(26070) 20060710 Re: RE: Invision Vulnerabilities, including remote code execution 20060427 Invision Power Board 2.1.5 POC 20060427 Re: Invision Vulnerabilities, including remote code execution 25005 796 19830 Directory traversal vulnerability in action_admin/paysubscriptions.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote authenticated administrators to include and execute arbitrary local PHP files via a .. (dot dot) in the name parameter, preceded by enough backspace (%08) characters to erase the initial static portion of a filename. If you've downloaded IPB 2.1.5 since the time of this post, there is no need to update your installation as the main download has been updated. http://forums.invisionpower.com/index.php?showtopic=213374 ADV-2006-1534 20060425 Invision Vulnerabilities, including remote code execution invision-admin-file-include(26072) 20060710 Re: RE: Invision Vulnerabilities, including remote code execution 20060427 Re: Invision Vulnerabilities, including remote code execution 25008 796 19830 SQL injection vulnerability in lib/func_taskmanager.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote attackers to execute arbitrary SQL commands via the ck parameter, which can inject at most 32 characters. The vendor has released an update to address this and other versions. 17690 ADV-2006-1534 20060425 Invision Vulnerabilities, including remote code execution http://forums.invisionpower.com/index.php?showtopic=213374 invision-index-ck-sql-injection(26071) 20060427 Re: Invision Vulnerabilities, including remote code execution 796 19830 Multiple SQL injection vulnerabilities in Leadhound Full and LITE 2.1, and probably the Network Version "Full Version", allow remote attackers to execute arbitrary SQL commands via the (1) banner parameter in agent_links.pl; the offset parameter in (2) agent_links.pl, (3) agent_transactions.pl, (4) agent_subaffiliates.pl, and (5) agent_summary.pl; the camp_id parameter in (6) agent_transactions_csv.pl, (7) agent_subaffiliates.pl, and (8) agent_camp_det.pl; the (9) login parameter in agent_commission_statement.pl; the logged parameter in (10) agent_commission_statement.pl and (11) agent_camp_det.pl; the (12) agent_id parameter in agent_commission_statement.pl; and the (13) sub parameter in unspecified files. 25029 25028 25027 25026 25025 25024 25023 19867 http://pridels0.blogspot.com/2006/04/leadhound-multiple-vuln.html Multiple cross-site scripting (XSS) vulnerabilities in Leadhound Full and LITE 2.1, and probably the Network Version "Full Version", allow remote attackers to inject arbitrary web script or HTML via the login parameter in (1) agent_affil.pl, (2) agent_help.pl, (3) agent_faq.pl, (4) agent_help_insert.pl, (5) sign_out.pl, (6) members.pl, (7) modify_agent_1.pl, (8) modify_agent_2.pl, (9) modify_agent.pl, (10) agent_links.pl, (11) agent_stats_pending_leads.pl, (12) agent_logoff.pl, (13) agent_rev_det.pl, (14) agent_subaffiliates.pl, (15) agent_stats_pending_leads.pl, (16) agent_transactions.pl, (17) agent_payment_history.pl, (18) agent_summary.pl, (19) agent_camp_all.pl, (20) agent_camp_new.pl, (21) agent_camp_notsub.pl, (22) agent_campaign.pl, (23) agent_camp_expired.pl, (24) agent_stats_det.pl, (25) agent_stats.pl, (26) agent_camp_det.pl, (27) agent_camp_sub.pl, (28) agent_affil_list.pl, and (29) agent_affil_code.pl; the logged parameter in (30) agent_faq.pl, (31) agent_help_insert.pl, (32) members.pl, (33) modify_agent_1.pl, (34) modify_agent_2.pl, (35) modify_agent.pl, (36) agent_links.pl, (37) agent_subaffiliates.pl, (38) agent_stats_pending_leads.pl, (39) agent_transactions.pl, (40) agent_summary.pl, (41) agent_camp_all.pl, (42) agent_camp_new.pl, (43) agent_camp_notsub.pl, (44) agent_campaign.pl, (45) agent_camp_expired.pl, (46) agent_stats.pl, (47) agent_camp_det.pl, (48) agent_camp_sub.pl, (49) agent_affil_list.pl, and (50) agent_affil_code.pl; the camp_id parameter in (51) agent_links.pl, (52) agent_subaffiliates.pl, and (53) agent_camp_det.pl; the (54) banner parameter in agent_links.pl; the offset parameter in (55) agent_links.pl, (56) agent_subaffiliates.pl, (57) agent_transactions.pl, and (58) agent_summary.pl; the date parameter in (59) agent_subaffiliates.pl, (60) agent_transactions.pl, and (61) agent_summary.pl; the dates parameter in (62) agent_rev_det.pl and (63) agent_stats_det.pl; the (64) page parameter in agent_camp_det.pl; the (65) agent_id parameter in agent_commission_statement.pl; and the (66) lost password field in lost_pwd.pl. 25060 25059 25058 25057 25056 25055 25054 25053 25052 25051 25050 25049 25048 25047 25046 25045 25044 25043 25042 25041 25039 25038 25037 25036 25035 25034 25033 25032 25031 25030 19867 http://pridels0.blogspot.com/2006/04/leadhound-multiple-vuln.html Unspecified vulnerability in the libpkcs11 library in Sun Solaris 10 might allow local users to gain privileges or cause a denial of service (application failure) via unknown attack vectors that involve the getpwnam family of non-reentrant functions. 17687 102316 1015987 19789 ADV-2006-1504 solaris-libpkcs11-privilege-escalation(26075) SQL injection vulnerability in save.php in PHPSurveyor 0.995 and earlier allows remote attackers to execute arbitrary SQL commands via the surveyid cookie. NOTE: this issue could be leveraged to execute arbitrary PHP code, as demonstrated by inserting directory traversal sequences into the database, which are then processed by the thissurvey['language'] variable. 19761 1015970 http://retrogod.altervista.org/phpsurveyor_0995_xpl.html phpsurveyor-surveyid-shell-execution(25970) 17633 20060420 PHPSurveyor <= 0.995 'save.php/surveyid' remote cmmnds xctn 24787 Multiple cross-site scripting (XSS) vulnerabilities pm_popup.php in MKPortal 1.1 Rc1 and earlier, as used with vBulletin 3.5.4 and earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) u1, (2) m1, (3) m2, (4) m3, (5) m4 parameters. ADV-2006-1485 20232 17651 20060928 Re: xxs in MKPortal M1.1 20060927 MkPortal Cross Site Scripting (All versions) xSS 20060421 vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability. 24901 http://www.nukedx.com/?viewdoc=26 1015977 801 19786 SQL injection vulnerability in vb_board_functions.php in MKPortal 1.1, as used with vBulletin 3.5.4 and earlier, allows remote attackers to execute arbitrary SQL commands via the userid parameter. 20060421 vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability. http://www.nukedx.com/?viewdoc=26 1015977 17651 801 Unspecified vulnerability in Hitachi JP1 products allow remote attackers to cause a denial of service (application stop or fail) via unexpected requests or data. http://www.hitachi-support.com/security_e/vuls_e/HS06-007_e/index-e.html ADV-2006-1524 19841 hitachi-jp1-request-dos(26087) 17706 The recursor in PowerDNS before 3.0.1 allows remote attackers to cause a denial of service (application crash) via malformed EDNS0 packets.