Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI. VU#442497 TA07-005A quicktime-rtsp-url-bo(31203) ADV-2007-0001 23540 21829 3064 1017461 http://projects.info-pull.com/moab/MOAB-01-01-2007.html http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html 31023 http://secunia.com/blog/7/ 3064 APPLE-SA-2007-01-23 http://isc.sans.org/diary.html?storyid=2094 http://docs.info.apple.com/article.html?artnum=304989 Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file. vlcmediaplayer-udp-format-string(31226) http://www.videolan.org/sa0701.html http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch [vlc-devel] 20070102 Security hole in VLC media player for Mac... ADV-2007-0026 http://trac.videolan.org/vlc/changeset/18481 1017464 23592 http://projects.info-pull.com/moab/MOAB-02-01-2007.html 31163 http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html 21852 SUSE-SA:2007:013 DSA-1252 GLSA-200701-24 23971 23910 23829 Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers to execute arbitrary code via a long filename in a LST file. 21840 4051 22959 32547 Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, when used with Internet Explorer, Google Chrome, or Opera, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL, related to a "cross-site scripting issue." TA09-286B http://www.wisec.it/vulns.php?page=9 adobe-acrobat-character-dos(31273) ADV-2009-2898 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities ADV-2007-0032 http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.adobe.com/support/security/bulletins/apsb07-01.html 1023007 1017469 GLSA-200701-16 33754 23882 23812 31596 SUSE-SA:2007:011 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf 2090 CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. adobe-acrobat-xmlhttp-response-splitting(31291) ADV-2007-0032 1017469 23882 SUSE-SA:2007:011 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. http://www.wisec.it/vulns.php?page=9 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf RHSA-2007:0017 adobe-acrobat-msvcrt-code-execution(31272) RHSA-2007:0021 ADV-2007-0957 ADV-2007-0032 http://www.adobe.com/support/security/bulletins/apsb07-01.html 102847 1017469 2090 GLSA-200701-16 24533 23882 23877 23812 23691 SUSE-SA:2007:011 Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)." TA09-286B VU#815960 http://www.wisec.it/vulns.php?page=9 RHSA-2007:0017 adobe-acrobat-pdf-xss(31271) ADV-2009-2898 21858 20070104 Universal PDF XSS After Party 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities 20070103 RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous 20070103 Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous 20070103 Re: Universal XSS with PDF files: highly dangerous 20070103 Universal XSS with PDF files: highly dangerous RHSA-2007:0021 http://www.mozilla.org/security/announce/2007/mfsa2007-02.html http://www.gnucitizen.org/blog/universal-pdf-xss-after-party http://www.gnucitizen.org/blog/danger-danger-danger/ ADV-2007-0957 ADV-2007-0032 http://www.disenchant.ch/blog/hacking-with-browser-plugins/34 http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.adobe.com/support/security/bulletins/apsb07-01.html http://www.adobe.com/support/security/advisories/apsa07-02.html http://www.adobe.com/support/security/advisories/apsa07-01.html 102847 1023007 1017469 GLSA-200701-16 33754 24533 23882 23877 23812 23691 23483 SUSE-SA:2007:011 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html SSA:2007-066-05 2090 24457 SSRT061181 Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding." http://www.wisec.it/vulns.php?page=9 adobe-acrobat-pdf-csrf(31266) 21858 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities RHSA-2008:0144 ADV-2007-0032 1017469 2090 GLSA-200701-16 29065 23882 23812 SUSE-SA:2007:011 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete. 20070103 OpenPinboard <= Remote File Include 20070103 Re: OpenPinboard <= Remote File Include 33375 20070106 Re: OpenPinboard <= Remote File Include Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp. tasktrackerpro-customize-auth-bypass(31235) 21847 23564 31682 3068 Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed. iphoto-xmltitle-format-string(31281) 21871 20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability' 3080 ADV-2007-0057 http://www.digitalmunition.com/DMA[2007-0104a].txt 23615 http://projects.info-pull.com/moab/MOAB-04-01-2007.html 31165 3080 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305215 20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability' Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Formbankserver 1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 3063 ADV-2007-0012 23539 32545 formbankserver-name-directory-traversal(31214) 3063 Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter. 21844 20070101 vBulletin vCard PRO XSS 33359 vcard-gbrowse-xss(31182) SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the iPro parameter. 21833 ADV-2007-0016 23572 32539 3062 autodealer-detail-sql-injection(31219) SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows remote attackers to execute arbitrary SQL commands via the id parameter. 21836 ADV-2007-0015 23576 31518 3061 vicayn-haberdetay-sql-injection(31213) Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cart-path/admin/salesadmin.php. 21845 20070101 AShop Shopping Cart Multiple XSS Vulnerabilities 32558 32557 32556 32555 32554 32553 ashop-multiple-scripts-xss(31178) ADV-2007-0028 2091 23547 Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared sercet and allows remote attackers to gain unauthorized access. ADV-2007-0030 20070103 Multiple Vulnerabilities in Cisco Clean Access 32578 1017465 23617 Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file. ADV-2007-0030 20070103 Multiple Vulnerabilities in Cisco Clean Access 1017465 23556 32579 Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm. VU#304064 http://www.gnucitizen.org/blog/backdooring-quicktime-movies/ http://projects.info-pull.com/moab/MOAB-03-01-2007.html 31164 APPLE-SA-2007-03-05 http://docs.info.apple.com/article.html?artnum=305149 AspBB stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for db/aspbb.mdb. aspbb-aspbb-info-disclosure(31230) 20070102 AspBB Remote Password Disclosure http://www.aria-security.com/forum/showthread.php?t=82 33364 2100 Openforum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for openforum.mdb. openforum-openforum-password-disclosure(31209) 20070102 Openforum Remote password Disclosure http://www.aria-security.com/forum/showthread.php?t=80 33366 2099 lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/. lblog-newfolder-information-disclosure(31229) 20070102 lblog Remote Password Disclosure http://www.aria-security.com/forum/showthread.php?t=79 1017462 33367 2098 BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb. battleblog-blankmaster-info-disclosure(31224) 20070101 BattleBlog Database Download Vulnerability http://www.aria-security.com/forum/showthread.php?t=76 33360 2097 rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb. rblog-database-info-disclosure(31200) 20070101 rblog Database Download Vulnerability http://www.aria-security.com/forum/showthread.php?t=77 23538 32572 2102 ** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the vendor, who states that exploitation is limited "only to local administrators who have write access to the server configuration files." CVE concurs with the dispute. A buffer overflow in the SMB_Connect_Server function in FreeRADIUS 1.1.4 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. This issue can not be exploited remotely, and can only be exploited by administrators who have write access to the server configuration files. -- Official Vendor Statement from the FreeRADIUS Server project This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS. -- Official Vendor Statement from the FreeRADIUS Server project freeradius-smbconnectserver-bo(31248) 20070102 FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution 20070103 Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution http://www.freeradius.org/security.html 20070211 FreeRADIUS dispute of CVE-2007-0080 1017463 32082 Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory. kerio-directory-code-execution(31232) 21828 20070101 Kerio Fake 'iphlpapi' DLL injection Vulnerability http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php 33356 2095 users_adm/start1.php in IMGallery 2.5 and earlier does not properly handle files with multiple extensions, which allows remote authenticated users to upload and execute arbitrary PHP scripts. imgallery-start1-file-upload(31237) 21827 3049 ADV-2007-0010 3049 Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Klan. 21850 20070102 Nuked Klan <= 1.7 Remote Cookie Disclosure Exploit 33368 2101 ** DISPUTED ** Buffer overflow in the Windows NT Message Compiler (MC) 1.00.5239 on Microsoft Windows XP allows local users to gain privileges via a long MC-filename. NOTE: this issue has been disputed by a reliable third party who states that the compiler is not a privileged program, so privilege boundaries cannot be crossed. 20070102 Windows NT Message Compiler 1.00.5239 arbitrary code execution 20070103 Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution 37817 Unspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference. [3.9] 017: SECURITY FIX: January 3, 2007 [4.0] 007: SECURITY FIX: January 3, 2007 1017468 23608 openbsd-vga-privilege-escalation(31276) ADV-2007-0043 [openbsd-cvs] 20070103 CVS: cvs.openbsd.org: www [openbsd-cvs] 20070103 Re: CVS: cvs.openbsd.org: src http://ilja.netric.org/files/Unusual%20bugs%2023c3.pdf 32574 ** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal. 20070103 a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 33456 ** DISPUTED ** Microsoft Internet Information Services (IIS), when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal. 20070103 a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 33457 Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) src parameter to page.php or the (2) format parameter to search_form.php. openmedia-page-directory-traversal(31258) 20070102 openmedia local read file 33371 33370 2103 jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb. 20070103 jgbbs 33376 http://aria-security.com/forum/showthread.php?t=87 jgbbs-bbs-information-disclosure(31274) WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb. 20070103 WineGlass "data.mdb" Remote Password Disclosure 32575 http://aria-security.com/forum/showthread.php?p=112 ADV-2007-0037 23594 newsCMSlite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for newsCMS.mdb. newscmslite-newscms-info-disclosure(31222) 3066 37548 3066 SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter. 3074 23610 31679 esmartcart-productdetail-sql-injection(31243) ADV-2007-0036 3074 SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter. swcms-page-sql-injection(31261) 20070103 Simple Web Content Management System SQL Injection Exploit 3076 ADV-2007-0040 23590 31657 3076 http://acid-root.new.fr/poc/18070102.txt 2106 Sven Moderow GuestBook 0.3a stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for (1) gbook97.mdb or (2) gbook.mdb in ~db/. 20070103 GuestBook v0.3a Remote Password Disclosure 33363 http://aria-security.com/forum/showthread.php?p=114 guestbook-gbook-information-disclosure(31245) 2105 phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message. phpmyadmin-darkblueorange-path-disclosure(31223) 33257 20070102 Inforamtion Discloser Vulnerabilities in phpMyAdmin 20070102 Inforamtion Discloser Vulnerabilities in "phpMyAdmin" MDKSA-2007:199 2104 CarbonCommunities stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for DataBase/Carbon2.4d.mdb. carboncommunities-carbon2-info-disclosure(31253) ADV-2007-0038 37549 http://aria-security.com/forum/showthread.php?t=85 Multiple stack-based buffer overflows in the (1) LoadTree and (2) ReadHeader functions in PAISO.DLL 1.7.3.0 (1.7.3 beta) in ConeXware PowerArchiver 2006 9.64.02 allow user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories. ADV-2007-0041 http://vuln.sg/powarc964-en.html 23559 32576 20070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow powerarchiver-loadtree-readheader-bo(31263) 20070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow Vulnerability Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by language.php. 3075 ADV-2007-0035 32352 verliadmin-language-file-include(31241) 3075 Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability." TA08-316A 21872 MS08-069 ADV-2008-3111 20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) 1021164 23655 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) oval:org.mitre.oval:def:5793 32627 http://isc.sans.org/diary.php?storyid=2004 20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) The Perforce client does not restrict the set of files that it overwrites upon receiving a request from the server, which allows remote attackers to overwrite arbitrary files by modifying the client config file on the server, or by operating a malicious server. 20070104 Perforce client: security hole by design 33369 Cross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information. ADV-2007-0042 http://spine.sourceforge.net/changelog.html spine-unspecified-csrf(31283) 23537 32577 The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A 21910 multiple-vendor-pdf-code-execution(31364) 1017749 ADV-2007-0930 24479 http://projects.info-pull.com/moab/MOAB-06-01-2007.html 31221 http://docs.info.apple.com/article.html?artnum=305214 The Adobe PDF specification 1.3, as implemented by Adobe Acrobat before 8.0.0, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A multiple-vendor-pdf-code-execution(31364) 1017749 21910 ADV-2007-0930 24479 http://projects.info-pull.com/moab/MOAB-06-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 The Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patch 2, (b) kpdf in KDE before 3.5.5, (c) poppler before 0.5.4, and other products, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A https://issues.rpath.com/browse/RPL-964 multiple-vendor-pdf-code-execution(31364) USN-410-2 USN-410-1 1017749 21910 20070116 [KDE Security Advisory] kpdf/kword/xpdf denial of service vulnerability SUSE-SR:2007:003 MDKSA-2007:024 MDKSA-2007:022 MDKSA-2007:021 MDKSA-2007:020 MDKSA-2007:019 MDKSA-2007:018 http://www.kde.org/info/security/advisory-20070115-1.txt ADV-2007-0930 ADV-2007-0244 ADV-2007-0212 ADV-2007-0203 http://support.novell.com/techcenter/psdb/44d7cb9b669d58e0ce5aa5d7ab2c7c53.html 1017514 24479 24204 23876 23844 23839 23815 23813 23808 23799 23791 http://projects.info-pull.com/moab/MOAB-06-01-2007.html MDKSA-2007:024 MDKSA-2007:021 MDKSA-2007:019 http://docs.info.apple.com/article.html?artnum=305214 Stack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request. VU#744249 ADV-2007-0068 23629 cisco-acs-csadmin-bo(31323) 21900 20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server 1017475 32642 Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. 21893 http://wordpress.org/development/2007/01/wordpress-206/ 20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability http://www.hardened-php.net/advisory_012007.140.html ADV-2007-0061 23595 33397 2114 WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. Successful exploitation requires that the "mbstring" extension be enabled. This vulnerability is addressed in the following product release: WordPress, WordPress, 2.0.6 wordpress-mbstring-security-bypass(31297) 21907 20070105 Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability OpenPKG-SA-2007.005 http://www.hardened-php.net/advisory_022007.141.html ADV-2007-0061 http://wordpress.org/development/2007/01/wordpress-206/ 23595 31579 2112 GLSA-200701-10 23741 nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles. novell-profile-security-bypass(31343) 21886 ADV-2007-0064 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974970.htm 1017471 23619 31358 wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. wordpress-account-enumeration(31262) 20070103 Wordpress <= 2.x dictionnary & Bruteforce attack ADV-2007-0062 23621 31577 2113 GLSA-200701-10 23741 Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message. https://secure-support.novell.com/KanisaPlatform/Publishing/143/3615264_f.SAL_Public.html 21921 ADV-2007-0073 23654 31359 1017483 Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as used in mobile devices running Windows Mobile 5.0, 2003, and 2003SE, allows remote attackers to execute arbitrary code via a crafted PNG image. http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+Resco+Photo+Viewer+6%2E01+Enabling+Code+Injection+and+Arbitrary+Code+Execution 21920 ADV-2007-0072 23658 32644 http://blog.trendmicro.com/flaw-in-3rd-party-app-weakens-windows-mobile/ SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter. createauction-cats-sql-injection(31356) 21929 20070107 createauction (cats.asp) Remote SQL Injection Vulnerability 33406 2111 Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm. packetshaper-argument-dos(31357) 21933 20070108 Packeteer PacketWise CLI overflow DoS ADV-2007-0098 23685 31656 2110 Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote attackers to obtain sensitive information regarding "content details" via unspecified vectors. ADV-2007-0076 102764 23630 sun-java-cds-info-disclosure(31345) 21908 32645 Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php. 20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit 20070108 Source verify - Coppermine Photo Gallery <= 1.4.10 code injection 33383 http://acid-root.new.fr/poc/19070104.txt 2107 Digger Solutions Intranet Open Source (IOS) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for data/intranet.mdb. 20070105 Intranet Open Source Remote Password Disclosure "intranet.mdb" 33379 intranet-intranet-info-disclosure(31308) 2109 DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation. 21899 http://projects.info-pull.com/moab/MOAB-05-01-2007.html 31167 ADV-2007-0074 23653 Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow remote attackers to read arbitrary files via an absolute pathname in the file parameter to (1) edittag.cgi, (2) edittag.pl, (3) edittag_mp.cgi, or (4) edittag_mp.pl. 21890 20070105 Multiple bugs in EditTag 33396 33395 33394 33393 7950 Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) mkpw.pl, or (3) mkpw.cgi. 21891 20070105 Multiple bugs in EditTag 33392 33391 33390 7950 Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlier allows remote attackers to cause a denial of service (application crash) via multiple HTTP requests containing invalid Content-Length values. acunetix-content-length-dos(31279) 21898 3078 37580 3078 Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter. 21880 20070105 RI Blog 1.3 XSS Vuln. 31637 riblog-search-xss(31317) ADV-2007-0083 2108 23657 Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4.10 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via (1) the cat parameter to albmgr.php, and possibly (2) the gid parameter to usermgr.php; (3) the start parameter to db_ecard.php; and the albumid parameter to unspecified files, related to the (4) filename_to_title and (5) del_titles functions. 21894 20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit 35856 35855 35854 35853 35852 http://acid-root.new.fr/poc/19070104.txt 2123 25846 3085 Unrestricted file upload vulnerability in Uber Uploader 4.2 allows remote attackers to upload and execute arbitrary PHP scripts by naming them with a .phtml extension, which bypasses the .php extension check but is still executable on some server configurations. 20070105 Uber Uploader 4.2 Arbitrary File Upload Vulnerability uber-uploader-phtml-file-upload(31303) 2116 Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist. 21895 20070105 [DRUPAL-SA-2007-002] Drupal 4.6.11 / 4.7.5 fixes DoS issue ADV-2007-0051 23586 http://drupal.org/node/104238 32131 2115 Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux before 20070102 enter an infinite loop upon encountering an invalid NumberOfRvaAndSizes value in the Optional Windows Header of a portable executable (PE) file, which allows remote attackers to cause a denial of service (CPU consumption) by scanning a crafted PE file. kaspersky-antivirus-pe-dos(31315) 21901 ADV-2007-0067 1017476 23575 32588 20070105 Kaspersky Antivirus Scan Engine PE File Denial of Service Vulnerability Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker. http://www.opera.com/support/search/supsearch.dml?index=852 ADV-2007-0060 opera-jpeg-dht-bo(31305) GLSA-200701-08 1017473 23771 23739 23613 31574 SUSE-SA:2007:009 20070105 Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption Vulnerability The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call. ADV-2007-0060 23613 20070105 Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerability http://www.opera.com/support/search/supsearch.dml?index=851 GLSA-200701-08 1017473 23771 23739 31575 SUSE-SA:2007:009 SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the book_id parameter. ADV-2007-0053 23606 31677 3081 SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatID parameter. locazolist-main-sql-injection(31242) 3073 35813 ADV-2007-0052 3073 SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 21873 3082 ADV-2007-0055 23602 31678 igcalendar-user-sql-injection(31300) 20070105 IG Calendar SQL Injection 3082 JAMWiki before 0.5.0 does not properly check permissions during moves of "read-only or admin-only topics," which allows remote attackers to make unauthorized changes to the wiki. http://sourceforge.net/project/shownotes.php?group_id=171441&release_id=475663 23634 32581 jamwiki-permission-security-bypass(31296) 21879 SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. 3083 ADV-2007-0056 23604 http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt 33385 igshop-compareproduct-sql-injection(31299) 21874 20070105 IG Shop remote code execution 3083 Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter. ADV-2007-0056 33386 Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the vulnerability is present in 1.4. igshop-cartpage-code-execution(31301) 21875 20070619 iG Shop 1.4 eval Inclusion Vulnerability 20070105 IG Shop remote code execution 3083 ADV-2007-0056 20070618 Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit 23604 http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt 33388 33387 3083 PHP remote file inclusion vulnerability in inc/init.inc.php in Aratix 0.2.2 beta 11 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the current_path parameter. 3079 ADV-2007-0054 20070108 Source verify of Aratix RFI http://securityreason.com/exploitalert/1698 33405 aratix-init-file-include(31282) 3079 Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. http://drupal.org/node/104233 ADV-2007-0050 32140 32139 20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes drupal-core-unspecified-xss(31311) 20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes XSS issue http://drupal.org/files/sa-2007-001/advisory.txt Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 23623 http://serenebach.net/log/sb209R.html http://serenebach.net/log/sb119R.html 32580 JVN#65500885 serene-bach-unspecified-xss(31302) 21884 ADV-2007-0065 1017470 formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begins with (1) AbfrageForm or (2) EingabeForm, allows remote attackers to cause a denial of service (daemon crash) via multiple requests containing many /../ sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. formbankserver-formbank-dos(31216) 23539 32546 Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/OSI 7.3-2 for OpenVMS ALPHA, and the DECnet-Plus 7.3 feature in DECnet/OSI 7.3 for OpenVMS VAX, allows attackers to obtain "unintended privileged access to data and system resources" via unspecified vectors, related to (1) [SYSEXE]CTF$UI.EXE, (2) [SYSMSG]CTF$MESSAGES.EXE, (3) [SYSHLP]CTF$HELP.HLB, and (4) [SYSMGR]CTF$STARTUP.COM. 23636 ftp://ftp.itrc.hp.com/openvms_patches/vax/V7.3/VAX_DNVOSIMUP01-V0703.txt ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIMUP01-V0703-2.txt 32586 32585 32584 32583 ADV-2007-0063 SQL injection vulnerability in down.asp in Kolayindir Download (Yenionline) allows remote attackers to execute arbitrary SQL commands via the id parameter. 21889 20070105 Kolayindir Download (Yenionline) (tr) SqL Injection Vuln. ADV-2007-0079 23645 31625 kolayindirdownload-down-sql-injection(31320) 2122 Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 21904 20070106 Yet Another Link Directory v1.0 ADV-2007-0082 23646 31626 yald-yald-xss(31322) 2121 SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the CatID parameter. 21905 20070106 shopstorenow (orange.asp) sql injection ADV-2007-0080 23642 31665 shopstorenow-orange-sql-injection(31313) 2120 Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php. ADV-2007-0078 23635 31209 31208 3090 nune-index-archives-file-include(31312) 20070107 NUNE News Script (custom_admin_path) Remote File Include Vulnerablity Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the ordernum parameter. 3089 23652 31690 qos-search-xss(31321) 3089 PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP News (BP News) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the bnrep parameter, a different vector than CVE-2006-4648 and CVE-2006-4649. 1017477 35898 bingo-bnsmrep1-file-include(31328) Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php. 20070106 Fix & Chips CMS v1.0 ADV-2007-0081 23625 fixandchips-multiple-scripts-xss(31319) 32650 32649 32648 32647 32646 2119 Cuyahoga before 1.0.1 installs the FCKEditor component with an incorrect deny statement in a Web.config file, which allows remote attackers to upload files when these privileges were intended only for the Administrator and Editor roles. http://www.cuyahoga-project.org/10/section.aspx/61 23662 http://cuyahoga.svn.sourceforge.net/viewvc/cuyahoga?view=rev&revision=551 32643 21927 Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in the Javascript alert function. http://www.omnigroup.com/applications/omniweb/releasenotes/ ADV-2007-0075 23624 http://projects.info-pull.com/moab/MOAB-07-01-2007.html 31222 omniweb-alert-format-string(31324) 21911 20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS 3098 http://www.digitalmunition.com/DMA%5B2007-0107a%5D.txt 3098 http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/ EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb. 20070107 EMembersPro 1.0 Remote Password Disclosure Vulnerability 33403 ememberspro-users-info-disclosure(31329) 2118 Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters. 20070107 Dayfox Blog Remote File Include Vuln. 31259 dayfoxblog-index-file-include(31336) ADV-2007-0099 2117 23661 MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb. 20070107 MitiSoft Remote Password Disclosure Vulnerability 33409 mitisoft-mitisoft-info-disclosure(31341) OhhASP stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/OhhASP.mdb. 20070106 ohhASP Remote Password Disclosure 33381 http://64.38.62.221/ariasecucom/forum/showthread.php?t=89 ohhasp-ohhasp-info-disclosure(31342) AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb. 20070107 AJLogin v3.5 Remote Password Disclosure Vulnerability 33404 ajlogin-ajlogin-info-disclosure(31331) 2127 Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb. 20070107 Webulas Remote Password Disclosure Vulnerability 33401 webulas-db-info-disclosure(31338) 2126 HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb. 20070107 HarikaOnline v2.0 Remote Password Disclosure Vulnerability 33410 harikaonline-harikaonline-info-disclosure(31339) 2125 M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb. 20070107 M-Core Remote Password Disclosure Vulnerability 33402 mcore-uyelik-info-disclosure(31340) 2124 Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index. 39247 [neon] 20070107 invalid chars cause sigserv in neon http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404723 http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2 http://www.webdav.org/cadaver/ 22035 SUSE-SR:2007:002 MDKSA-2007:013 ADV-2007-0362 ADV-2007-0172 23984 23763 23751 [cadaver] 20070123 release 0.22.5 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption. TA07-009A VU#749964 21856 MS07-002 ADV-2007-0103 1017487 HPSBST02184 31255 oval:org.mitre.oval:def:119 Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used. VU#493185 TA07-009A MS07-002 ADV-2007-0103 21952 SSRT071296 31249 http://www.fortinet.com/FortiGuardCenter/advisory/FGA-2007-01.html http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html 1017485 23676 oval:org.mitre.oval:def:768 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability." TA07-009A MS07-002 21877 SSRT071296 31256 ADV-2007-0103 1017487 oval:org.mitre.oval:def:1102 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory. TA07-009A VU#302836 MS07-002 20070109 Microsoft Excel Invalid Column Heap Corruption Vulnerability 21925 SSRT071296 31257 ADV-2007-0103 1017487 oval:org.mitre.oval:def:323 Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries. TA07-009A VU#625532 MS07-002 20070109 Microsoft Excel Long Palette Heap Overflow Vulnerability 21922 HPSBST02184 31258 ADV-2007-0103 1017487 oval:org.mitre.oval:def:753 Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file. TA07-009A VU#476900 MS07-003 21931 HPSBST02184 31252 ADV-2007-0104 1017488 23674 oval:org.mitre.oval:def:516 Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability." TA07-009A VU#271860 MS07-003 21936 SSRT071296 20070111 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability 31254 ADV-2007-0104 http://www.computerterrorism.com/research/ct09-01-2007.htm 1017488 23674 oval:org.mitre.oval:def:153 Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability." VU#122084 TA07-009A ie-vml-record-bo(31287) 21930 31250 MS07-004 ADV-2007-0105 929969 1017489 23677 20070109 Microsoft Windows VML Element Integer Overflow Vulnerability HPSBST02184 HPSBST02184 20070117 Re: MS07-004 VML Integer Overflow Exploit 20070116 MS07-004 VML Integer Overflow Exploit ADV-2007-0129 http://support.avaya.com/elmodocs2/security/ASA-2007-009.htm oval:org.mitre.oval:def:1058 Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename. MDKSA-2007:004 http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch 31618 geoip-geoipupdate-directory-traversal(31383) USN-412-1 21959 MDKSA-2007:004 ADV-2007-0118 ADV-2007-0117 23906 23880 Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.cc) in CenterICQ 4.9.11 through 4.21.0, when using unofficial LiveJournal servers, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by adding the victim as a friend and using long (1) username and (2) real name strings. Failed exploitation attempts will likely result in a denial-of-service condition. centericq-username-bo(31330) 21932 20070107 TK53 Advisory #1: CenterICQ remote DoS buffer overflow in LiveJournal handling GLSA-200701-20 ADV-2007-0306 1017545 2129 33408 The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023. 21935 20070108 HP Multiple Products PML Driver Local Privilege Escalation ADV-2007-0094 http://secway.org/advisory/AD20070108.txt 23663 32654 pml-driver-config-privilege-escalation(31361) 2128 Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permissions for the (1) ApplicationEnhancer binary and the (2) /Library/Frameworks/ApplicationEnhancer.framework directory, which allows local users to gain privileges by modifying or replacing the binary or library files. http://projects.info-pull.com/moab/MOAB-08-01-2007.html 32661 http://landonf.bikemonkey.org/code/macosx/MOAB_Day_8.20070109002959.18582.timor.html ape-appenhancer-privilege-escalation(31349) 21951 23649 SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information. 20070106 Cracking Steganography Application in less than ONE minute 23639 31244 http://homepage.mac.com/adonismac/Advisory/steg/steganography.html steganography-password-security-bypass(31378) 20070107 A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version) Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information. 21939 23578 32651 http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html camouflage-password-security-bypass(31375) 20070107 A Major design Bug in Camouflage 1.2.1 (latest) Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind. 102713 oval:org.mitre.oval:def:5920 31576 solaris-rpcbind-dos(31366) 21964 ADV-2007-0110 http://support.avaya.com/elmodocs2/security/ASA-2007-036.htm 1017492 24056 23700 oval:org.mitre.oval:def:2210 Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/. 21961 20070109 ppc engine Multiple file inclusion 20070109 "ppc engine" is WGS-PPC demoppc-inc-file-include(31355) 33454 33453 33452 33451 33450 33449 33448 33447 33446 33445 33444 3104 2134 3104 PHP remote file inclusion vulnerability in index.php in AllMyVisitors 0.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the AMV_serverpath parameter. allmyvisitors-index-file-include(31316) 21917 3097 35904 3097 PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AML_opensite parameter. allmylinks-index-file-include(31314) 21916 3096 35909 3096 Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the AMG_serverpath parameter to (1) comments.php and (2) signin.php; and possibly via a URL in unspecified parameters to (3) include/submit.inc.php, (4) admin/index.php, (5) include/cm_submit.inc.php, and (6) index.php. allmyguests-multiple-file-include(31310) 21918 3093 35923 35921 35919 35917 35916 35915 3093 Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. l2j-statistik-index-file-include(31309) 21914 3091 35914 ADV-2007-0097 3091 Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function. ADV-2007-0093 http://secway.org/advisory/ad20070109EN.txt 23638 32659 20070109 Sina UC ActiveX Multiple Remote Stack Overflow sinauc-senddownloadfile-bo(31350) sinauc-sendchatroomopt-bo(31348) 21958 20070109 Sina UC ActiveX Multiple Remote Stack Overflow Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter. b2evolution-login-xss(31368) 21953 DSA-1568 30093 23656 32027 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410568 Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter. 21946 20070108 GForge Cross Site Scripting vulnerability http://www.eazel.es/advisory006-gforge-cross-site-scripting-vulnerability.html 1017482 23675 31248 gforge-words-xss(31346) DSA-1475 2133 28598 Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 21956 ADV-2007-0096 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_8_3/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_7_2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_9/phase3/RELEASE-NOTES http://sourceforge.net/forum/forum.php?forum_id=652721 23647 31525 mediawiki-ajax-unspecified-xss(31359) SUSE-SR:2007:006 24889 PHP remote file inclusion vulnerability in info.php in Easy Banner Pro 2.8 allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter. 20070108 Easy Banner Pro Version 2.8 <= Remote File Inclusion 33455 easybannerpro-info-file-include(31374) 21967 2132 SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter. 21962 20070109 Re: PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit 31266 2131 Stack-based buffer overflow in EF Commander 5.75 allows user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories, which produces a large filename that triggers the overflow. http://vuln.sg/efcommander575-en.html 23659 32660 efcommander-iso-pathname-bo(31365) 21969 PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter. 20070108 magic photo storage website Remote File Inclusion magicphotostorage-config-file-include(31347) 21965 ADV-2007-0136 23687 3100 SQL injection vulnerability in admin_check_user.asp in Motionborg Web Real Estate 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (txtUserName parameter) and possibly other parameters. NOTE: some details were obtained from third party information. motionborg-admincheckuser-sql-injection(31360) 21963 3105 ADV-2007-0143 23531 32718 3105 Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption. TA07-047A VU#240880 macos-finder-dos(31410) 1017662 21980 20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS 32714 ADV-2007-0140 http://www.digitalmunition.com/DMA%5B2007-0109a%5D.txt 24198 http://projects.info-pull.com/moab/MOAB-09-01-2007.html APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 The JTapi Gateway process in Cisco Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise, and Cisco IP Contact Center Hosted 5.0 through 7.1 allows remote attackers to cause a denial of service (repeated process restart) via a certain TCP session on the JTapi server port. 20070110 Cisco Unified Contact Center and IP Contact Center JTapi Gateway Vulnerability 21988 32682 ADV-2007-0138 1017499 23710 The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange." 20070110 DLSw Vulnerability oval:org.mitre.oval:def:5714 32683 21990 ADV-2007-0139 1017498 23697 PHP remote file inclusion vulnerability in template.php in Geoffrey Golliher Axiom Photo/News Gallery (axiompng) 0.8.6 allows remote attackers to execute arbitrary PHP code via a URL in the baseAxiomPath parameter. 3108 ADV-2007-0107 20070110 source verify - Axiom RFI 32716 axiom-template-file-include(31372) 21972 23715 3108 Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Firewall Toolkit (FWTK) allows remote attackers to execute arbitrary code via a long destination hostname (dest). tisfwtk-ftpgw-bo(31363) 21960 http://www.ranum.com/security/computer_security/editorials/codetools/ 1017481 35967 SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter. @lexguestbook-index-sql-injection(31393) 21926 20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit 3103 23637 31707 http://acid-root.new.fr/poc/20070107.txt ADV-2007-0137 2135 3103 Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 23702 ADV-2007-0125 32666 21987 MDKSA-2007:199 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information. ADV-2007-0125 23702 http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 32667 phpmyadmin-unspecified-xss(31387) 21987 MDKSA-2007:199 The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack. FreeBSD-SA-07:01 32726 22011 1017505 23730 Directory traversal vulnerability in admin/skins.php for @lex Guestbook 4.0.2 and earlier allows remote attackers to create files in arbitrary directories via ".." sequences in the (1) aj_skin and (2) skin_edit parameters. NOTE: this can be leveraged for file inclusion by creating a skin file in the lang directory, then referencing that file via the lang parameter to index.php, which passes a sanity check in livre_include.php. @lexguestbook-livreinclude-file-include(31397) 21926 20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit 3103 2135 31709 31708 3103 http://acid-root.new.fr/poc/20070107.txt The Tape Engine service in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allows remote attackers to execute arbitrary code via certain data in opnum 0xBF in an RPC request, which is directly executed. VU#662400 http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp http://www.zerodayinitiative.com/advisories/ZDI-07-002.html 31327 brightstor-tapeengine-code-execution(31442) 22010 20070111 ZDI-07-002: CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability 20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities 20070111 LS-20061002 - Computer Associates BrightStor ARCserve Backup Remote Code Execution Vulnerability http://www.lssec.com/advisories/LS-20061002.pdf ADV-2007-0154 1017506 23648 http://livesploit.com/advisories/LS-20061002.pdf Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service. VU#180336 VU#151032 http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp http://www.zerodayinitiative.com/advisories/ZDI-07-004.html http://www.zerodayinitiative.com/advisories/ZDI-07-003.html 20070111 ZDI-07-003: CA BrightStor ARCserve Backup Message Engine Buffer Overflow Vulnerability ADV-2007-0154 23648 31327 20070111 Computer Associates BrightStor ARCserve Backup RPC Engine PFC Request Buffer Overflow Vulnerability brightstor-messageengine-rpc-bo(31443) brightstor-tapeengine-rpc-bo(31433) 22006 22005 20070111 ZDI-07-004: CA BrightStor ARCserve Backup Tape Engine Buffer Overflow Vulnerability 20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities 1017506 Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to read arbitrary files via unknown vectors. 22009 SSRT061174 32729 ADV-2007-0153 1017503 2140 Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date. 20070108 magic photo storage website Multiple Remote File Inclusion 21965 33439 33438 33437 33436 33435 33434 33433 33432 33431 33430 33429 33428 33427 33426 33425 33423 33422 33421 33420 33419 33418 33417 33416 33415 33414 33413 33412 33411 32668 2136 Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 21977 23605 32662 Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks. ADV-2007-0095 21955 23641 32657 SUSE-SR:2009:004 http://getahead.ltd.uk/dwr/changelog dwr-include-exclude-security-bypass(31377) Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch. ADV-2007-0095 23641 21955 32658 SUSE-SR:2009:004 http://getahead.ltd.uk/dwr/changelog dwr-servlet-engine-dos(31382) Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550. https://tech.f5.com/home/solutions/sol6920.html https://tech.f5.com/home/solutions/sol6919.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 23643 23627 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory 32743 32742 32741 32740 32739 32738 32737 F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name. https://tech.f5.com/home/solutions/sol6924.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 39167 20070105 NNL-Labs & MNIN - F5 FirePass Security Advisory https://tech.f5.com/home/solutions/sol6916.html 23640 23626 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources. https://tech.f5.com/home/solutions/sol6922.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 32734 23640 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value. geobb-index-file-include(31335) 20070107 GeoBB Georgian Bulletin Board Remote File Include Vuln. 20070110 Dispute of GeoBB RFI 33440 2141 PHP remote file inclusion vulnerability in edit_address.php in edit-x ecommerce allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. 20070109 edit-x ecommerce (include_dir) Remote File include editx-editaddress-file-include(31384) 21974 ADV-2007-0158 2139 Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section. mkportal-admin-xss(31304) 20070105 MkPortal Admin XSS 33399 2138 Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack. 20070104 MkPortal "All Guests are Admin" Exploit 33400 2137 FON La Fonera routers do not properly limit DNS service access by unauthenticated clients, which allows remote attackers to tunnel traffic via DNS requests for hosts that should not be accessible before authentication. 20070107 Re: FON Router allows anonymous web access 20070106 FON Router allows anonymous web access 33441 admin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message. 20070108 MKPortal Full Path Disclosure 33407 mkportal-admin-path-disclosure(31333) my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account. https://tech.f5.com/home/solutions/sol6923.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 32736 23627 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory SQL injection vulnerability in shared/code/cp_functions_downloads.php in Nicola Asuni All In One Control Panel (AIOCP) before 1.3.009 allows remote attackers to execute arbitrary SQL commands via the download_category parameter. http://sourceforge.net/project/shownotes.php?release_id=477845 23726 aiocp-cpfunctionsdownloads-sql-injection(31591) 22019 31641 SQL injection vulnerability in shopgiftregsearch.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginLastname parameter. 3115 23699 32732 vpasp-shopgift-sql-injection(31447) 3115 Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. 3115 23699 32733 vpasp-shopcustadmin-xss(31449) 3115 SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier allows remote attackers to execute arbitrary SQL commands via the "by User" field (aka the TXbyuser parameter). uniforum-wbsearch-sql-injection(31362) 21966 3106 32927 20070125 uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability 23827 3106 slocate 3.1 does not properly manage database entries that specify names of files in protected directories, which allows local users to obtain the names of private files. NOTE: another researcher reports that the issue is not present in slocate 2.7. 21989 20070329 FLEA-2007-0005-1: slocate 20070110 Re: slocate leaks filenames of protected directories 20070110 slocate leaks filenames of protected directories 20070111 Re: slocate leaks filenames of protected directories 33465 USN-425-1 20070112 Re: slocate leaks filenames of protected directories The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) &LOGPATH& (6) &FWADELTA& (7) &FWALOG& (8) &SETSYNCHRONOUS& (9) &SETPRGFILE&, or (10) &SETREPLYPORT& string to TCP port 10618, which triggers a NULL pointer dereference. 21994 32725 20070110 EIQ Networks Network Security Analyzer DoS Vulnerability eiq-datacollector-dos(31428) ADV-2007-0147 23693 Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8 and FreeBSD 6.1 allows local users to cause a denial of service (panic) and possibly gain privileges via a crafted DMG image that causes "allocation of a negative size buffer" leading to a heap-based buffer overflow, a related issue to CVE-2006-5679. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem. TA07-072A macos-ffsmountfs-bo(31409) 21993 ADV-2007-0141 23703 http://projects.info-pull.com/moab/MOAB-10-01-2007.html [freebsd-security] 20070114 MOAB advisories http://applefun.blogspot.com/2007/01/moab-10-01-2007-apple-dmg-ufs.html 1017751 32684 ADV-2007-0930 24479 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 ** DISPUTED ** PHP remote file inclusion vulnerability in install.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the install_dir parameter. NOTE: CVE and third parties dispute this vulnerability because install_dir is defined before use. cscart-install-file-include(31408) 20070109 CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability 20070110 [bogus] [ahmed_labib_hilmy at yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) 31277 Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments field. http://www.zackvision.com/weblog/2007/01/movabletype-security-bug.html 23669 32717 http://golem.ph.utexas.edu/~distler/blog/archives/001102.html ADV-2007-0142 PHP remote file inclusion vulnerability in routines/fieldValidation.php in Jshop Server 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the jssShopFileSystem parameter. 21995 3113 33459 jshop-fieldvalidation-file-include(31425) 20070110 Jshop Server 1.3 2146 3113 wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress. 21983 3109 36860 wordpress-tbid-sql-injection(31385) 3109 Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor. https://launchpad.net/bugs/79206 https://issues.rpath.com/browse/RPL-972 libgtop2-glibtopbo(31522) USN-407-1 22054 MDKSA-2007:023 ADV-2007-0187 ADV-2007-0185 DSA-1255 GLSA-200701-17 24015 23872 23840 23814 23777 23736 32815 http://ftp.gnome.org/pub/gnome/sources/libgtop/2.14/libgtop-2.14.6.news http://bugzilla.gnome.org/show_bug.cgi?id=396477 1018526 RHSA-2007:0765 26367 Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow. TA07-072A 1017751 22041 32687 3130 ADV-2007-0930 ADV-2007-0191 1017513 24479 23708 http://projects.info-pull.com/moab/MOAB-14-01-2007.html APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers to cause a denial of service (core dump) via crafted FTP directory listing responses, possibly related to the (1) ftpListingFinish and (2) ftpHtmlifyListEntry functions. squid-multiple-dos(31523) USN-414-1 http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12 http://www.squid-cache.org/bugs/show_bug.cgi?id=1857 22079 SUSE-SA:2007:012 MDKSA-2007:026 GLSA-200701-22 ADV-2007-0199 23946 23921 23889 23837 23810 23805 23767 39839 MDKSA-2007:026 The aclMatchExternal function in Squid before 2.6.STABLE7 allows remote attackers to cause a denial of service (crash) by causing an external_acl queue overload, which triggers an infinite loop. 23767 http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12 http://www.squid-cache.org/bugs/show_bug.cgi?id=1848 squid-externalacl-dos(31525) USN-414-1 22203 SUSE-SA:2007:012 MDKSA-2007:026 GLSA-200701-22 ADV-2007-0199 23946 23921 23889 23805 MDKSA-2007:026 Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML via the o parameter. 22012 20070111 Nwom topsites v3.0 33461 2149 index.php in Nwom topsites 3.0 allows remote attackers to obtain potentially sensitive information via a ' (quote) character in the o parameter, which forces a SQL error. 22012 20070111 Nwom topsites v3.0 33462 2149 Integer underflow in the DecodeGRE function in src/decode.c in Snort 2.6.1.2 allows remote attackers to trigger dereferencing of certain memory locations via crafted GRE packets, which may cause corruption of log files or writing of sensitive information into log files. http://www.snort.org/got_source/source.html 22004 20070111 Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability 33464 32095 http://labs.calyptix.com/advisories/CX-2007-01.txt ADV-2007-0152 1017507 2165 Unspecified vulnerability in easy-content filemanager allows remote attackers to upload or modify arbitrary files via unspecified vectors. 20070111 easy-content filemanager 33463 ** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. http://www.digitalarmaments.com/news_news.shtml http://grsecurity.net/news.php#digitalfud http://forums.grsecurity.net/viewtopic.php?t=1646 Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors. 22002 20070111 Xine-ui format string Vulnerabilties. 31594 xineui-errorscreatewindow-format-string(31505) MDKSA-2007:154 MDKSA-2007:027 GLSA-200701-18 23931 23891 23709 MDKSA-2007:027 XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017. 20070110 VLC Format String Vulnerability also in XINE 31666 22252 MDKSA-2007:154 MDKSA-2007:027 23931 MDKSA-2007:027 VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of service (application crash) via a crafted .wmv file. 22003 http://wiki.videolan.org/Changelog/0.8.6b 39022 http://downloads.securityfocus.com/vulnerabilities/exploits/22003.py vlcmediaplayer-wmv-dos(31515) ** DISPUTED ** Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code. 22014 20070309 Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability 20070120 Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability 20070112 Lies? [Was: Re: Digital Armaments Security Pre-Advisory11.01.2007: Grsecurity Kernel PaX - Local root vulnerability] 20070111 Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability ADV-2007-0155 http://www.digitalarmaments.com/pre2007-00018659.html http://www.digitalarmaments.com/news_news.shtml 1017509 23713 32727 http://grsecurity.net/news.php#digitalfud http://forums.grsecurity.net/viewtopic.php?t=1646 Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information. 22007 23738 23733 32731 32730 http://14house.blogspot.com/2007/01/fastilo-open-source-shopping-cart-vuln.html quickcart-p-xss(31475) 21971 ADV-2007-0157 ADV-2007-0156 Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to obtain sensitive information via a invalid cat parameter to boxx/knowledgebase.asp, which reveals the path in an error message. 20070111 Ezboxx multiple vulnerabilities. 33470 32829 ADV-2007-0208 http://www.bugsec.com/articles.php?Security=20 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Naig 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the this_path parameter. NOTE: a reliable third party disputes this vulnerability because this_path is defined before use. 20070112 Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 20070112 Fwd: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 33472 20070113 Re: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 2145 snews.php in sNews 1.5.30 and earlier does not properly exit when authentication fails, which allows remote attackers to perform unauthorized administrative actions, as demonstrated by changing an administrative password via the changeup task, and by uploading PHP code via the imagefile parameter. 22025 3116 32817 snews-image-file-upload(31535) 23746 3116 WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. 20070112 Wordpress disclosure of Table Prefix Weakness 33458 Unspecified vulnerability in Total Commander before 6.5.6 allows user-assisted remote attackers to delete arbitrary files and corrupt a filesystem via a crafted RAR file. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 22033 http://www.ghisler.com/whatsnew.htm 39837 Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. This vulnerability is addressed in the following product release: WinZip, WinZip, 9.0 SR1 22020 39800 Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to indexes/newscomments.asp. 20070111 Ezboxx multiple vulnerabilities. 33469 33468 33467 32828 32827 32826 ADV-2007-0208 http://www.bugsec.com/articles.php?Security=20 23759 SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the iid parameter. 20070111 Ezboxx multiple vulnerabilities. 33466 32825 ADV-2007-0208 http://www.bugsec.com/articles.php?Security=20 23759 The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries. TA07-072A 1017751 22036 32686 ADV-2007-0930 ADV-2007-0171 24479 23721 http://projects.info-pull.com/moab/MOAB-12-01-2007.html [freebsd-security] 20070114 MOAB advisories http://docs.info.apple.com/article.html?artnum=305214 APPLE-SA-2007-03-13 ChainKey Java Code Protection allows attackers to decompile Java class files via a Java class loader with a modified defineClass method that saves the bytecode to a file before it is passed to the JVM. 20070112 Re: Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue 20070112 Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue 33473 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0243. Reason: This candidate is a duplicate of CVE-2007-0243. Notes: All CVE users should reference CVE-2007-0243 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Directory traversal vulnerability in the EmChartBean server side component for Oracle Application Server 10g allows remote attackers to read arbitrary files via unknown vectors, probably "\.." sequences in the beanId parameter. NOTE: this is likely a duplicate of another CVE that Oracle addressed in CPU Jan 2007, but due to lack of details by Oracle, it is unclear which BugID this issue is associated with, so the other CVE cannot be determined. Possibilities include EM02 (CVE-2007-0292) or EM05 (CVE-2007-0293). 22027 20070115 SYMSA-2007-001: Oracle Application Server 10g - Directory Traversal 23794 20070131 Oracle 10g R2 Enterprise Manager Directory Traversal http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 1017522 22083 Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) the Advanced Queuing component and sys.dbms_aqsys.dbms_aq privileges (DB01), (2) Advanced Replication and sys.dbms_repcat_untrusted (DB07), and (3) Oracle Text and ctxload (DB15). NOTE: Oracle has not publicly claims by reliable researchers that DB01 is for SQL injection in the SYS.DBMS_AQ_INV package, and DB07 is for a buffer overflow in the UNREGISTER_SNAPSHOT procedure in the DBMS_REPCAT_UNTRUSTED package. TA07-017A VU#221788 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aq_inv.html 1017522 32921 32913 32907 Unspecified vulnerability in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to the Change Data Capture and sys.dbms_cdc_subscribe privileges, aka DB02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32908 oracle-cpu-jan2007(31541) 22083 1017522 Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070718 Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03) 20070124 Oracle Buffer Overflow in DBMS_DRS.GET_PROPERTY http://www.appsecinc.com/resources/alerts/oracle/2007-04.shtml 1017522 32909 Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors related to the Log Miner component and sys.dbms_log_mnr privileges, aka DB04. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the ADD_LOGFILE procedure for the SYS.DBMS_LOGMNR package that allows code execution. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_LOGMNR.ADD_LOGFILE http://www.appsecinc.com/resources/alerts/oracle/2007-01.shtml 1017522 32910 Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via unspecified vectors involving certain public procedures, aka DB05. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070718 Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12) 20070124 Oracle Multiple Buffer Overflows and DoS attacks in public procedures of MDSYS.MD http://www.appsecinc.com/resources/alerts/oracle/2007-05.shtml 1017522 32911 Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 http://www.red-database-security.com/advisory/oracle_xmldb_css2.html 1017522 32912 Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL. TA07-017A 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070125 Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME 20070125 Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME 1017522 32915 32914 Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070117 [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS 1017522 32906 Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9.0.1.5 have unknown impact and attack vectors related to (1) Advanced Security Option and oklist or okdstry (DB10), (2) Oracle Net Services (DB13), and (3) Recovery Manager and oklist (DB16). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32922 32919 32916 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has unknown impact and attack vectors related to the Export component and expdp or impdp, aka DB11. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32917 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) NLS Runtime and lmsgen (DB12), and (2) Oracle Text and ctxkbtc (DB14). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32920 32918 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka (1) OHS01, (2) OHS02, (3) OHS05, (4) OHS06, and (5) OHS07. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32887 32886 32885 32882 32881 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN01. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that OPMN01 is for a buffer overflow in Oracle Notification Service (ONS). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 http://www.red-database-security.com/advisory/oracle_buffer_overflow_ons.html 1017522 32905 Multiple unspecified vulnerabilities in Oracle HTTP Server 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1, and 10.1.3.0; and Collaboration Suite 9.0.4.2 and 10.1.2; have unknown impact and attack vectors related to the Oracle HTTP Server, aka (1) OHS03 and (2) OHS04. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32884 32883 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.2 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3 and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to Oracle Containers for J2EE, aka OC4J02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32896 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.3 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2, have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J03 and (2) OC4J04. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32898 32897 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 9.0.4.2 and 10.1.2; and E-Business Suite and Applications 11.5.10CU2 has unknown impact and attack vectors related to Oracle Reports Developer, aka REP01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32894 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 10.1.2.0.2 and 10.1.3.0, and Collaboration Suite 10.1.2, has unknown impact and attack vectors related to Containers for J2EE, aka OC4J07. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32901 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.0, and 10.1.2.0.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to Containers for J2EE, aka OC4J08. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32902 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 10.1.4.0 has unknown impact and attack vectors related to Oracle Internet Directory, aka OID01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32903 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0.4.2 have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J01, (2) OC4J05, and (3) OC4J06. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32900 32899 32895 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors related to (1) Application Object Library (APPS01), (2) Human Resources (APPS03), (3) Payables (APPS04), (4) Trading Community Architecture (APPS05), and (5) Web Applications Desktop Integrator (APPS06). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32893 32892 32891 32890 32888 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle E-Business Suite and Applications 6.2.3 has unknown impact and attack vectors related to Oracle Exchange, aka APPS02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32889 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 have unknown impact and attack vectors related to Oracle Agent, aka (1) EM01 and (2) EM02. NOTE: EM05 might be related to CVE-2007-0222. TA07-017A 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 1017522 32876 32875 Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors related to (1) Oracle Agent (EM03) and (2) EM04 and (3) EM05 in Enterprise Manager Console. NOTE: EM05 might be related to CVE-2007-0222. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 32879 32878 32877 Unspecified vulnerability in Oracle Enterprise Manager 10.2.0.1 has unknown impact and attack vectors related to Database Cloning & Data Guard Management, aka EM06. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32880 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13 and 8.47.11 has unknown impact and attack vectors in PeopleTools, aka PSE01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13, 8.47.11, and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.47.11 and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE03. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 PHP remote file inclusion vulnerability in show.php in LunarPoll, when register_globals is enabled, allows remote attackers execute arbitrary PHP code via a URL in the PollDir parameter. 22024 20070112 LunarPoll (PollDir) Remote File Include Vulnerabilities 31639 20070112 Source Verify of LunarPoll PollDir RFI lunarpoll-show-file-include(31472) ADV-2007-0177 1017510 2152 23760 3117 Integer overflow in the byte_swap_sbin function in bsd/ufs/ufs/ufs_byte_order.c in Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service (kernel panic) by mounting a crafted Unix File System (UFS) DMG image, which triggers an invalid pointer dereference. VU#515792 TA07-072A 1017751 31653 ADV-2007-0930 24479 23725 http://projects.info-pull.com/moab/MOAB-11-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 APPLE-SA-2007-03-13 Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption. TA07-022A VU#388289 http://www.zerodayinitiative.com/advisories/ZDI-07-005.html 102760 jre-gif-bo(31537) 22085 20070121 Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept Exploit 20070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability RHSA-2007:0956 RHSA-2007:0167 RHSA-2007:0166 SUSE-SA:2007:045 GLSA-200702-07 ADV-2007-4224 ADV-2007-1814 ADV-2007-0936 ADV-2007-0211 http://support.novell.com/techcenter/psdb/d2f549cc040cd81ae4a268bb5edfe918.html http://support.novell.com/techcenter/psdb/4f850d1e2b871db609de64ec70f0089c.html 1017520 2158 GLSA-200702-08 28115 27203 26645 26119 26049 25283 24993 24468 24202 24189 23757 32834 APPLE-SA-2007-12-14 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 SSRT071318 http://docs.info.apple.com/article.html?artnum=307177 BEA07-172.00 RHSA-2008:0261 PHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter. Successful exploitation requires that "register_globals" is enabled. 22021 ADV-2007-0176 23722 32814 3118 20070112 [Bogus - partly] V TLM CMS <= 1.1 (i-accueil.php chemin) Remote File Include Vulnerability (fwd) PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. Successful exploitation requires that "register_globals" is enabled. 22040 ADV-2007-0178 23743 32824 3123 Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx. 22052 20070115 InstantForum.NET Multiple Cross-Site Scripting Vulnerability 32853 32852 instantforum-multiple-scripts-xss(31521) ADV-2007-0227 2164 23787 Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have unknown impact and attack vectors related to "Potential security bugs." 22049 http://www.pancake.org/zina-changelog-12 ADV-2007-0181 SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 allows remote attackers to execute arbitrary SQL commands via the id parameter. 3120 ADV-2007-0175 23756 32820 3120 SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon Sistemi 4.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 22060 20070115 Okul Web Otomasyon Sistemi (etkinlikbak.asp) SQL Injection Vulnerability 3135 23755 32819 ADV-2007-0206 2151 3135 SQL injection vulnerability in visu_user.asp in Digiappz DigiAffiliate 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 22039 ADV-2007-0179 23744 32818 3122 PHP remote file inclusion vulnerability in include/common.php in Poplar Gedcom Viewer 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[rootPath] parameter. 22038 ADV-2007-0174 23761 32807 3121 Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles. 22051 http://www.plainblack.com/getwebgui/advisories/webgui-7_3_4-beta-released#BUeIjcWiQasypsJxD-YwgQ 23718 32813 SQL injection vulnerability in blocks/block-Old_Articles.php in Francisco Burzi PHP-Nuke 7.9 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter. 22037 20070113 PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html 1017511 32863 phpnuke-blockoldarticles-sql-injection(31482) 2153 23748 BMC Remedy Action Request System 5.01.02 Patch 1267 generates different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to determine valid account names. 22066 20070115 Remedy Action Request System 5.01.02 - User Enumeration http://www.alighieri.org/advisories/advisory-remedy50102.txt 23775 31658 rars-login-information-disclosure(31527) 20070116 Re: Remedy Action Request System 5.01.02 - User Enumeration ADV-2007-0204 1017515 2162 Texas Imperial Software WFTPD and WFTPD Pro Server 3.25 and earlier allow remote attackers to cause a denial of service (application crash) via a long SITE ADMIN command. 22046 3126 wftpd-admn-dos(31517) 3126 wcSimple Poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password hashes via a direct request for password.txt. 20070114 wcSimple Poll (password.txt) Remote Password Disclosure Vulnerablity 33539 2157 Unspecified vulnerability in GONICUS System Administration (GOsa) before 2.5.8 allows remote authenticated users to modify certain settings, including the admin password, via crafted POST requests. [gosa] 20070115 GOsa 2.5.8 released (security fixes!) ADV-2007-0207 23749 32821 gosa-unspecified-data-manipulation(31516) Multiple PHP remote file inclusion vulnerabilities in Article System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_DIR parameter to (1) forms.php, (2) issue_edit.php, (3) client.php, and (4) classes.php. article-system-includedir-file-include(31446) 22017 3114 3114 Multiple buffer overflows in FileZilla before 2.2.30a allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors related to (1) Options.cpp when storing settings in the registry, and (2) the transfer queue (QueueCtrl.cpp). NOTE: some of these details are obtained from third party information. Failed exploit attempts may result in a application level denial-of-service condition. filezilla-options-queuectrl-bo(31500) 22057 ADV-2007-0183 http://sourceforge.net/project/shownotes.php?release_id=475423&group_id=21558