The file watch implementation in the audit subsystem (auditctl -w) in the Red Hat Enterprise Linux (RHEL) 4 kernel 2.6.9 allows local users to cause a denial of service (kernel panic) by replacing a watched file, which does not cause the watch on the old inode to be dropped. Successful exploitation requires that the attacker previously created a watch for a file. RHSA-2007:0085 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223129 1017705 22737 24300 oval:org.mitre.oval:def:9560 33031 Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466. This vulnerability has been addressed by the vendor through a product update: http://sourceforge.net/projects/libwpd/ ADV-2007-1339 ADV-2007-1032 ADV-2007-0976 USN-437-1 1017789 23006 20070316 rPSA-2007-0057-1 libwpd RHSA-2007:0055 MDKSA-2007:064 MDKSA-2007:063 GLSA-200704-12 DSA-1270 DSA-1268 102863 http://sourceforge.net/project/shownotes.php?release_id=494122 SSA-2007-085-02 GLSA-200704-07 24906 24856 24794 24613 24593 24591 24588 24581 24580 24573 24572 24557 24507 24465 oval:org.mitre.oval:def:11535 SUSE-SA:2007:023 20070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities FEDORA-2007-350 pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters. [pam-list] 20070123 Linux-PAM 0.99.7.1 released ADV-2007-0323 [fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes [fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes 32017 linuxpam-pamunix-security-bypass(31739) 22204 SUSE-SR:2007:003 23858 The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL) 3, when a filesystem is mounted with the noacl option, checks permissions for the open system call via vfs_permission (mode bits) data rather than an NFS ACCESS call to the server, which allows local client processes to obtain a false success status from open calls that the server would deny, and possibly obtain sensitive information about file permissions on the server, as demonstrated in a root_squash environment. NOTE: it is uncertain whether any scenarios involving this issue cross privilege boundaries. https://bugzilla.redhat.com/show_bug.cgi?id=199715 Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges. http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.21-rc3 https://issues.rpath.com/browse/RPL-1035 kernel-cardman4040drivers-bo(32880) ADV-2007-0872 USN-489-1 USN-486-1 22870 20070309 Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005) 20070615 rPSA-2007-0124-1 kernel xen RHSA-2007:0099 33023 MDKSA-2007:078 DSA-1286 26139 26133 25691 25078 24901 24777 24518 24436 oval:org.mitre.oval:def:11238 FEDORA-2007-336 FEDORA-2007-335 The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion." The scheme for selecting serial numbers was changed from incrementing a counter to random number selection, increasing the likelihood of a serial number collision. https://issues.rpath.com/browse/RPL-1097 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227495 USN-451-1 22539 20070615 rPSA-2007-0124-1 kernel xen RHSA-2007:0099 RHSA-2007:0085 SUSE-SA:2007:021 MDKSA-2007:060 MDKSA-2007:047 25691 24752 24547 24482 24429 24300 24259 24109 oval:org.mitre.oval:def:9829 http://bugzilla.kernel.org/show_bug.cgi?id=7727 gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files. 24225 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223233 ADV-2007-0653 gnucash-symlink(32558) 22610 MDKSA-2007:046 http://sourceforge.net/project/shownotes.php?group_id=192&release_id=487446 24317 24226 FEDORA-2007-256 Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow. VU#377812 http://www.mozilla.org/security/announce/2007/mfsa2007-06.html https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=364319 nss-mastersecret-bo(32666) ADV-2007-2141 ADV-2007-1165 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017696 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32105 MDKSA-2007:052 GLSA-200703-22 DSA-1336 102856 GLSA-200703-18 24703 24650 24562 24522 24410 24395 24389 24384 24343 24333 24328 24320 24293 24290 24287 24277 24253 24252 24238 24205 RHSA-2007:0077 oval:org.mitre.oval:def:10502 SUSE-SA:2007:019 20070223 Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability HPSBUX02153 FEDORA-2007-293 FEDORA-2007-281 FEDORA-2007-279 FEDORA-2007-278 20070301-01-P SUSE-SA:2007:022 MDKSA-2007:050 102945 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 25597 25588 24457 24456 24455 24406 24342 HPSBUX02153 FEDORA-2007-309 FEDORA-2007-308 20070202-01-P Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values. VU#592796 https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=364323 nss-clientmasterkey-bo(32663) ADV-2007-2141 ADV-2007-1165 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017696 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32106 http://www.mozilla.org/security/announce/2007/mfsa2007-06.html MDKSA-2007:052 MDKSA-2007:050 GLSA-200703-22 DSA-1336 102945 102856 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 GLSA-200703-18 24703 24650 24562 24522 24410 24395 24389 24384 24343 24333 24293 24290 24287 24277 24253 RHSA-2007:0077 oval:org.mitre.oval:def:10174 SUSE-SA:2007:019 20070223 Mozilla Network Security Services SSLv2 Server Stack Overflow Vulnerability HPSBUX02153 FEDORA-2007-309 FEDORA-2007-308 FEDORA-2007-279 FEDORA-2007-278 20070301-01-P 20070202-01-P SUSE-SA:2007:022 25597 25588 24457 24456 24455 24406 24342 HPSBUX02153 The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218932 ADV-2007-0331 RHSA-2007:0019 oval:org.mitre.oval:def:10325 31621 https://issues.rpath.com/browse/RPL-984 USN-415-1 22209 SUSE-SR:2007:002 MDKSA-2007:039 1017552 24095 24010 24006 23984 23935 23933 23884 DSA-1256 The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including the a referer log, browser history, or browser cache. 24975 26143 citrix-access-unspeci-information-disclosure(35510) ADV-2007-2583 20071022 Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX112803 1018435 45288 Sun JRE 5.0 before update 14 allows remote attackers to cause a denial of service (Internet Explorer crash) via an object tag with an encoded applet and an undefined name attribute, which triggers a NULL pointer dereference in jpiexp32.dll when the applet is decoded and passed to the JVM. sun-java-jpiexp32-dos(39549) 27185 20080108 Corsaire Security Advisory: Sun J2RE DoS issue 3527 ChainKey Java Code Protection allows attackers to decompile Java class files via a Java class loader with a modified defineClass method that saves the bytecode to a file before it is passed to the JVM. 20070112 Re: Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue 20070112 Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue 33473 Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI. VU#442497 TA07-005A quicktime-rtsp-url-bo(31203) 23540 ADV-2007-0001 21829 1017461 http://projects.info-pull.com/moab/MOAB-01-01-2007.html http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html 31023 http://secunia.com/blog/7/ 3064 APPLE-SA-2007-01-23 http://isc.sans.org/diary.html?storyid=2094 http://docs.info.apple.com/article.html?artnum=304989 Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers to execute arbitrary code via a long filename in a LST file. 21840 4051 22959 32547 Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file. http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch vlcmediaplayer-udp-format-string(31226) ADV-2007-0026 http://www.videolan.org/sa0701.html [vlc-devel] 20070102 Security hole in VLC media player for Mac... 21852 SUSE-SA:2007:013 DSA-1252 http://trac.videolan.org/vlc/changeset/18481 1017464 GLSA-200701-24 23971 23910 23829 23592 http://projects.info-pull.com/moab/MOAB-02-01-2007.html oval:org.mitre.oval:def:14313 31163 http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Makerand Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; (28) MP3 WAV Converter; (29) BearShare 6.0.2.26789; and (30) Oracle Siebel SimBuilder and CRM 7.x. VU#292713 ADV-2007-0310 http://secunia.com/secunia_research/2007-9/advisory/ http://secunia.com/secunia_research/2007-8/advisory/ http://secunia.com/secunia_research/2007-7/advisory/ http://secunia.com/secunia_research/2007-6/advisory/ http://secunia.com/secunia_research/2007-5/advisory/ http://secunia.com/secunia_research/2007-4/advisory/ http://secunia.com/secunia_research/2007-34/advisory/ http://secunia.com/secunia_research/2007-33/advisory/ http://secunia.com/secunia_research/2007-32/advisory/ http://secunia.com/secunia_research/2007-31/advisory/ http://secunia.com/secunia_research/2007-30/advisory/ http://secunia.com/secunia_research/2007-3/advisory/ http://secunia.com/secunia_research/2007-29/advisory/ http://secunia.com/secunia_research/2007-28/advisory/ http://secunia.com/secunia_research/2007-27/advisory/ http://secunia.com/secunia_research/2007-26/advisory/ http://secunia.com/secunia_research/2007-25/advisory/ http://secunia.com/secunia_research/2007-24/advisory/ http://secunia.com/secunia_research/2007-23/advisory/ http://secunia.com/secunia_research/2007-22/advisory/ http://secunia.com/secunia_research/2007-21/advisory/ http://secunia.com/secunia_research/2007-20/advisory/ http://secunia.com/secunia_research/2007-2/advisory/ http://secunia.com/secunia_research/2007-19/advisory/ http://secunia.com/secunia_research/2007-18/advisory/ http://secunia.com/secunia_research/2007-17/advisory/ http://secunia.com/secunia_research/2007-16/advisory/ http://secunia.com/secunia_research/2007-15/advisory/ http://secunia.com/secunia_research/2007-14/advisory/ http://secunia.com/secunia_research/2007-13/advisory/ http://secunia.com/secunia_research/2007-12/advisory/ http://secunia.com/secunia_research/2007-11/advisory/ http://secunia.com/secunia_research/2007-10/advisory/ http://secunia.com/blog/6/ 30459 30450 30447 30446 30439 30424 30406 23568 23557 23553 23552 23551 23543 23534 23532 23530 23516 23511 23495 23493 23485 23475 nctaudiofile2-multiple-bo(31707) 23892 22196 20070124 Re: Secunia Research: NCTsoft Products NCTAudioFile2 ActiveXControl Buffer Overflow 20070124 Secunia Research: Sienzo Digital Music Mentor NCTAudioFile2ActiveX Control Buffer Overflow 20070124 Secunia Research: NCTsoft Products NCTAudioFile2 ActiveX ControlBuffer Overflow http://secunia.com/secunia_research/2007-50/advisory/ 28407 26101 26100 26046 25993 23795 23753 23745 23565 23562 23561 23560 23558 23554 23550 23548 23546 23544 23542 23541 23536 23535 22922 Multiple heap-based buffer overflows in rumpusd in Rumpus 5.1 and earlier (1) allow remote authenticated users to execute arbitrary code via a long LIST command and other unspecified requests to the FTP service, and (2) allow remote attackers to execute arbitrary code via unspecified requests to the HTTP service. rumpus-ftp-http-bo(31594) http://projects.info-pull.com/moab/MOAB-18-01-2007.html 32692 32689 rumpus-ftp-service-bo(31594) 23842 Heap-based buffer overflow in the SFTP protocol handler for Panic Transmit (Transmit.app) up to 3.5.5 allows remote attackers to execute arbitrary code via a long ftps:// URL. ADV-2007-0273 22145 23861 http://projects.info-pull.com/moab/MOAB-19-01-2007.html 32694 transmit-url-handler-bo(31673) 3160 Format string vulnerability in Apple iChat 3.1.6 allows remote attackers to cause a denial of service (null pointer dereference and application crash) and possibly execute arbitrary code via format string specifiers in an aim:// URI. TA07-047A VU#794752 ADV-2007-0274 http://projects.info-pull.com/moab/MOAB-20-01-2007.html 32715 ichat-aim-format-string(31679) 1017661 22146 24198 APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 Untrusted search path vulnerability in writeconfig in Apple Mac OS X 10.4.8 allows local users to gain privileges via a modified PATH that points to a malicious launchctl program. TA07-109A macos-writeconfig-privilege-escalation(31677) ADV-2007-1470 ADV-2007-0074 1017941 22148 31605 24966 23793 http://projects.info-pull.com/moab/MOAB-21-01-2007.html APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. TA07-047A VU#315856 ADV-2007-0074 http://projects.info-pull.com/moab/MOAB-22-01-2007.html macos-inputmanager-privilege-escalation(31676) 22188 32695 1017542 24198 23846 APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability." VU#122084 TA07-009A ie-vml-record-bo(31287) 21930 31250 MS07-004 929969 1017489 23677 20070109 Microsoft Windows VML Element Integer Overflow Vulnerability ADV-2007-0129 ADV-2007-0105 SSRT071296 SSRT071296 20070117 Re: MS07-004 VML Integer Overflow Exploit 20070116 MS07-004 VML Integer Overflow Exploit http://support.avaya.com/elmodocs2/security/ASA-2007-009.htm oval:org.mitre.oval:def:1058 The MFC component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 and Visual Studio .NET 2000, 2002 SP1, 2003, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. NOTE: this might be due to a stack-based buffer overflow in the AfxOleSetEditMenu function in MFC42u.dll. TA07-044A VU#932041 MS07-012 ADV-2007-0581 1017638 22476 31887 24150 oval:org.mitre.oval:def:157 The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. TA07-044A VU#497756 MS07-011 ADV-2007-0580 1017637 22483 31885 24147 oval:org.mitre.oval:def:540 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption. TA07-009A VU#749964 21856 MS07-002 1017487 ADV-2007-0103 HPSBST02184 HPSBST02184 31255 oval:org.mitre.oval:def:119 Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used. VU#493185 TA07-009A MS07-002 ADV-2007-0103 21952 HPSBST02184 SSRT071296 31249 http://www.fortinet.com/FortiGuardCenter/advisory/FGA-2007-01.html http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html 1017485 23676 oval:org.mitre.oval:def:768 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability." TA07-009A MS07-002 ADV-2007-0103 21877 HPSBST02184 HPSBST02184 31256 1017487 oval:org.mitre.oval:def:1102 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory. TA07-009A VU#302836 MS07-002 20070109 Microsoft Excel Invalid Column Heap Corruption Vulnerability ADV-2007-0103 21925 HPSBST02184 HPSBST02184 31257 1017487 oval:org.mitre.oval:def:323 Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries. TA07-009A VU#625532 MS07-002 20070109 Microsoft Excel Long Palette Heap Overflow Vulnerability ADV-2007-0103 21922 SSRT071296 HPSBST02184 31258 1017487 oval:org.mitre.oval:def:753 Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file. TA07-009A VU#476900 MS07-003 ADV-2007-0104 21931 HPSBST02184 HPSBST02184 31252 1017488 23674 oval:org.mitre.oval:def:516 Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability." TA07-009A VU#271860 MS07-003 ADV-2007-0104 21936 HPSBST02184 HPSBST02184 20070111 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability 31254 http://www.computerterrorism.com/research/ct09-01-2007.htm 1017488 23674 oval:org.mitre.oval:def:153 Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly handle data in a certain array, which allows user-assisted remote attackers to execute arbitrary code, aka the "Word Array Overflow Vulnerability." TA07-128A VU#260777 MS07-024 ADV-2007-1709 1018013 23804 HPSBST02214 SSRT071422 34387 oval:org.mitre.oval:def:1737 Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred. TA07-100A TA07-093A TA07-089A VU#191609 windows-ani-code-execution(33301) windows-ani-code-execution(33301) ADV-2007-1215 SSRT071354 SSRT071354 20070402 MS announces out-of-band patch for ANI 0day 20070402 More information on ZERT patch for ANI 0day 20070331 RE: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038) 20070331 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) 20070330 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) 20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) 33629 MS07-017 http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp 2542 24659 3634 20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) oval:org.mitre.oval:def:1854 The Exchange Collaboration Data Objects (EXCDO) functionality in Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 allows remote attackers to cause a denial of service (crash) via an Internet Calendar (iCal) file containing multiple X-MICROSOFT-CDO-MODPROPS (MODPROPS) properties in which the second MODPROPS is longer than the first, which triggers a NULL pointer dereference and an unhandled exception. TA07-128A MS07-026 exchange-ical-dos(33888) ADV-2007-1711 1018015 23808 HPSBST02214 HPSBST02214 20070508 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039) 34390 http://www.determina.com/security.research/vulnerabilities/exchange-ical-modprops.html 25183 20070509 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039) oval:org.mitre.oval:def:1593 The LDAP service in Windows Active Directory in Microsoft Windows 2000 Server SP4, Server 2003 SP1 and SP2, Server 2003 x64 Edition and SP2, and Server 2003 for Itanium-based Systems SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted LDAP request with an unspecified number of "convertible attributes." TA07-191A VU#487905 MS07-039 ADV-2007-2481 35960 1018355 24800 20070710 Microsoft Windows Active Directory Remote Code Execution 26002 SSRT071446 oval:org.mitre.oval:def:2012 The PE Loader service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer" and unvalidated message lengths, probably a buffer overflow. TA07-191A MS07-040 ms-dotnet-pe-loader-bo(34637) ADV-2007-2482 1018356 24778 26003 35954 SSRT071446 oval:org.mitre.oval:def:2093 Interpretation conflict in ASP.NET in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to access configuration files and obtain sensitive information, and possibly bypass security mechanisms that try to constrain the final substring of a string, via %00 characters, related to use of %00 as a string terminator within POSIX functions but a data character within .NET strings, aka "Null Byte Termination Vulnerability." TA07-191A ADV-2007-2482 1018356 MS07-040 http://security-assessment.com/files/advisories/2007-07-11_Multiple_.NET_Null_Byte_Injection_Vulnerabilities.pdf 26003 SSRT071446 oval:org.mitre.oval:def:2070 The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer," probably a buffer overflow, aka ".NET JIT Compiler Vulnerability". TA07-191A MS07-040 ms-dotnet-jit-bo(34639) ADV-2007-2482 1018356 24811 26003 35956 SSRT071446 oval:org.mitre.oval:def:1873 Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding." http://www.wisec.it/vulns.php?page=9 adobe-acrobat-pdf-csrf(31266) ADV-2007-0032 21858 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities RHSA-2008:0144 1017469 2090 GLSA-200701-16 29065 23882 23812 oval:org.mitre.oval:def:10042 SUSE-SA:2007:011 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)." TA09-286B VU#815960 http://www.wisec.it/vulns.php?page=9 RHSA-2007:0017 adobe-acrobat-pdf-xss(31271) ADV-2009-2898 ADV-2007-0957 ADV-2007-0032 21858 20070104 Universal PDF XSS After Party 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities 20070103 RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous 20070103 Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous 20070103 Re: Universal XSS with PDF files: highly dangerous 20070103 Universal XSS with PDF files: highly dangerous RHSA-2007:0021 http://www.mozilla.org/security/announce/2007/mfsa2007-02.html http://www.gnucitizen.org/blog/universal-pdf-xss-after-party http://www.gnucitizen.org/blog/danger-danger-danger/ http://www.disenchant.ch/blog/hacking-with-browser-plugins/34 http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.adobe.com/support/security/bulletins/apsb07-01.html http://www.adobe.com/support/security/advisories/apsa07-02.html http://www.adobe.com/support/security/advisories/apsa07-01.html 102847 SSA:2007-066-05 1023007 1017469 2090 GLSA-200701-16 33754 24533 24457 23882 23877 23812 23691 23483 oval:org.mitre.oval:def:9693 oval:org.mitre.oval:def:6487 SUSE-SA:2007:011 HPSBUX02153 HPSBUX02153 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. http://www.wisec.it/vulns.php?page=9 ADV-2007-0957 ADV-2007-0032 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities oval:org.mitre.oval:def:9684 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf RHSA-2007:0017 adobe-acrobat-msvcrt-code-execution(31272) RHSA-2007:0021 http://www.adobe.com/support/security/bulletins/apsb07-01.html 102847 1017469 2090 GLSA-200701-16 24533 23882 23877 23812 23691 SUSE-SA:2007:011 CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. adobe-acrobat-xmlhttp-response-splitting(31291) ADV-2007-0032 1017469 23882 SUSE-SA:2007:011 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, when used with Internet Explorer, Google Chrome, or Opera, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL, related to a "cross-site scripting issue." TA09-286B http://www.wisec.it/vulns.php?page=9 adobe-acrobat-character-dos(31273) ADV-2009-2898 ADV-2007-0032 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.adobe.com/support/security/bulletins/apsb07-01.html 1023007 1017469 GLSA-200701-16 33754 23882 23812 oval:org.mitre.oval:def:6348 31596 SUSE-SA:2007:011 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf 2090 Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp. tasktrackerpro-customize-auth-bypass(31235) 21847 23564 31682 3068 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete. 20070103 OpenPinboard <= Remote File Include 20070103 Re: OpenPinboard <= Remote File Include 33375 20070106 Re: OpenPinboard <= Remote File Include Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed. iphoto-xmltitle-format-string(31281) ADV-2007-0057 21871 20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability' http://www.digitalmunition.com/DMA[2007-0104a].txt 23615 http://projects.info-pull.com/moab/MOAB-04-01-2007.html 31165 3080 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305215 20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability' SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0015 21836 23576 31518 3061 vicayn-haberdetay-sql-injection(31213) SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the iPro parameter. ADV-2007-0016 21833 23572 32539 3062 autodealer-detail-sql-injection(31219) Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter. 21844 20070101 vBulletin vCard PRO XSS 33359 vcard-gbrowse-xss(31182) Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Formbankserver 1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0012 23539 32545 formbankserver-name-directory-traversal(31214) 3063 Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cart-path/admin/salesadmin.php. ADV-2007-0028 21845 20070101 AShop Shopping Cart Multiple XSS Vulnerabilities 32558 32557 32556 32555 32554 32553 ashop-multiple-scripts-xss(31178) 2091 23547 Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared sercet and allows remote attackers to gain unauthorized access. 20070103 Multiple Vulnerabilities in Cisco Clean Access ADV-2007-0030 32578 1017465 23617 Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file. ADV-2007-0030 20070103 Multiple Vulnerabilities in Cisco Clean Access 1017465 23556 32579 Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm. VU#304064 http://www.gnucitizen.org/blog/backdooring-quicktime-movies/ http://projects.info-pull.com/moab/MOAB-03-01-2007.html 31164 APPLE-SA-2007-03-05 http://docs.info.apple.com/article.html?artnum=305149 Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in CA (formerly Computer Associates) Message Queuing (CAM / CAFT) software before 1.11 Build 54_4 on Windows and NetWare, as used in CA Advantage Data Transport, eTrust Admin, certain BrightStor products, certain CleverPath products, and certain Unicenter products, allows remote attackers to execute arbitrary code via a crafted message to TCP port 3104. systems-management-bo(32234) ADV-2007-2638 25051 20070724 CA Message Queuing Server (Cam.exe) Overflow http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-secnot.asp 26190 1018449 20070725 [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149809 The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory." dhcp-malformed-packet-bo(33101) http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/ace/doc/releasenotes_ace.html ADV-2007-3229 25729 20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities USN-543-1 1018717 GLSA-200711-23 27706 27694 26890 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients. dhcp-param-overflow(33102) http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/ace/doc/releasenotes_ace.html 25729 20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=339561 ADV-2007-3229 USN-543-1 1018717 20090312 rPSA-2009-0041-1 dhclient dhcp libdhcp4client MDVSA-2009:153 http://wiki.rpath.com/Advisories:rPSA-2009-0041 GLSA-200808-05 GLSA-200711-23 34263 31396 27706 27694 26890 SUSE-SR:2009:005 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player http://bugs.gentoo.org/show_bug.cgi?id=227135 Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow. dhcp-param-underflow(33103) http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/ace/doc/releasenotes_ace.html 25729 20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities ADV-2007-3229 USN-543-1 1018717 GLSA-200711-23 27706 27694 26890 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player Heap-based buffer overflow in Windows Media Format Runtime 7.1, 9, 9.5, 9.5 x64 Edition, 11, and Windows Media Services 9.1 for Microsoft Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file. TA07-345A VU#319385 MS07-068 ADV-2007-4183 1019074 26776 SSRT071506 SSRT071506 28034 oval:org.mitre.oval:def:3622 Heap-based buffer overflow in Object Linking and Embedding (OLE) Automation in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, Office 2004 for Mac, and Visual basic 6.0 SP6 allows remote attackers to execute arbitrary code via a crafted script request. TA08-043C MS08-008 ADV-2008-0510 SSRT080016 1019373 27661 28902 SSRT080016 oval:org.mitre.oval:def:5388 The kernel in Microsoft Windows 2000 SP4, XP SP2, and Server 2003, when ICMP Router Discovery Protocol (RDP) is enabled, allows remote attackers to cause a denial of service via fragmented router advertisement ICMP packets that trigger an out-of-bounds read, aka "Windows Kernel TCP/IP/ICMP Vulnerability." TA08-008A MS08-001 28297 win-tcpip-icmp-dos(39254) ADV-2008-0069 27139 SSRT080003 HPSBST02304 20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities 1019166 http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx oval:org.mitre.oval:def:5271 Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files. 24307 http://www-1.ibm.com/support/docview.wss?uid=swg21257251 25542 domino-unspecified-dos(34689) ADV-2007-2046 35766 1018189 IBM Lotus Domino 7.0.x before 7.0.3 does not revalidate the signature on a signed scheduled agent after the agent is modified, which allows remote authenticated users to gain privileges via a modified agent in a server database. ADV-2007-2063 24322 http://www-1.ibm.com/support/docview.wss?uid=swg21258784 25520 35765 domino-signature-privilege-escalation(34718) Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability." TA08-008A VU#115083 MS08-001 28297 win-ssm-mld-bo(39453) win-ssm-igmp-bo(39452) ADV-2008-0069 27100 HPSBST02304 HPSBST02304 20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities 1019166 http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx oval:org.mitre.oval:def:5370 Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is used as an offset of a NULL pointer, and triggers a buffer overflow. TA08-150A TA08-149A TA08-100A VU#395473 VU#159523 multimedia-file-integer-overflow(37277) http://www.zerodayinitiative.com/advisories/ZDI-08-032/ ADV-2008-1724 ADV-2008-1697 ADV-2008-1662 1019811 29386 28695 RHSA-2008:0221 44282 http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/ 20080408 Adobe Flash Player Invalid Pointer Vulnerability GLSA-200804-21 http://www.adobe.com/support/security/bulletins/apsb08-11.html 238305 30507 30430 30404 29865 29763 oval:org.mitre.oval:def:10379 SUSE-SA:2008:022 APPLE-SA-2008-05-28 http://isc.sans.org/diary.html?storyid=4465 http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a read operation over RPC. VU#768681 application-rpc-read-bo(38760) ADV-2008-3127 32261 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) 32618 http://blogs.iss.net/archive/trend.html Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a file read operation over RPC. VU#768681 application-rpc-file-read-bo(39050) ADV-2008-3127 32261 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) 32618 http://blogs.iss.net/archive/trend.html Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a folder read operation over RPC. VU#768681 application-rpc-folder-read-bo(39051) ADV-2008-3127 32261 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) 32618 http://blogs.iss.net/archive/trend.html AspBB stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for db/aspbb.mdb. aspbb-aspbb-info-disclosure(31230) 20070102 AspBB Remote Password Disclosure http://www.aria-security.com/forum/showthread.php?t=82 33364 2100 Openforum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for openforum.mdb. openforum-openforum-password-disclosure(31209) 20070102 Openforum Remote password Disclosure http://www.aria-security.com/forum/showthread.php?t=80 33366 2099 lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/. lblog-newfolder-information-disclosure(31229) 20070102 lblog Remote Password Disclosure http://www.aria-security.com/forum/showthread.php?t=79 1017462 33367 2098 BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb. battleblog-blankmaster-info-disclosure(31224) 20070101 BattleBlog Database Download Vulnerability http://www.aria-security.com/forum/showthread.php?t=76 33360 2097 rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb. rblog-database-info-disclosure(31200) 20070101 rblog Database Download Vulnerability http://www.aria-security.com/forum/showthread.php?t=77 23538 32572 2102 ** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the vendor, who states that exploitation is limited "only to local administrators who have write access to the server configuration files." CVE concurs with the dispute. A buffer overflow in the SMB_Connect_Server function in FreeRADIUS 1.1.4 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. This issue can not be exploited remotely, and can only be exploited by administrators who have write access to the server configuration files. -- Official Vendor Statement from the FreeRADIUS Server project This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS. -- Official Vendor Statement from the FreeRADIUS Server project freeradius-smbconnectserver-bo(31248) 20070102 FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution 20070103 Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution http://www.freeradius.org/security.html 20070211 FreeRADIUS dispute of CVE-2007-0080 1017463 32082 Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory. kerio-directory-code-execution(31232) 21828 20070101 Kerio Fake 'iphlpapi' DLL injection Vulnerability http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php 33356 2095 users_adm/start1.php in IMGallery 2.5 and earlier does not properly handle files with multiple extensions, which allows remote authenticated users to upload and execute arbitrary PHP scripts. imgallery-start1-file-upload(31237) ADV-2007-0010 21827 3049 Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Klan. 21850 20070102 Nuked Klan <= 1.7 Remote Cookie Disclosure Exploit 33368 2101 ** DISPUTED ** Buffer overflow in the Windows NT Message Compiler (MC) 1.00.5239 on Microsoft Windows XP allows local users to gain privileges via a long MC-filename. NOTE: this issue has been disputed by a reliable third party who states that the compiler is not a privileged program, so privilege boundaries cannot be crossed. 20070102 Windows NT Message Compiler 1.00.5239 arbitrary code execution 20070103 Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution 37817 Unspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference. [3.9] 017: SECURITY FIX: January 3, 2007 [4.0] 007: SECURITY FIX: January 3, 2007 1017468 23608 openbsd-vga-privilege-escalation(31276) ADV-2007-0043 [openbsd-cvs] 20070103 CVS: cvs.openbsd.org: www [openbsd-cvs] 20070103 Re: CVS: cvs.openbsd.org: src http://ilja.netric.org/files/Unusual%20bugs%2023c3.pdf 32574 ** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal. 20070103 a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 33456 ** DISPUTED ** Microsoft Internet Information Services (IIS), when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal. 20070103 a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 33457 Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) src parameter to page.php or the (2) format parameter to search_form.php. openmedia-page-directory-traversal(31258) 20070102 openmedia local read file 33371 33370 2103 jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb. 20070103 jgbbs 33376 http://aria-security.com/forum/showthread.php?t=87 jgbbs-bbs-information-disclosure(31274) WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb. ADV-2007-0037 20070103 WineGlass "data.mdb" Remote Password Disclosure 32575 http://aria-security.com/forum/showthread.php?p=112 23594 newsCMSlite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for newsCMS.mdb. newscmslite-newscms-info-disclosure(31222) 37548 3066 SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter. ADV-2007-0036 23610 31679 esmartcart-productdetail-sql-injection(31243) 3074 SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter. swcms-page-sql-injection(31261) ADV-2007-0040 20070103 Simple Web Content Management System SQL Injection Exploit 23590 31657 3076 http://acid-root.new.fr/poc/18070102.txt 2106 Sven Moderow GuestBook 0.3a stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for (1) gbook97.mdb or (2) gbook.mdb in ~db/. 20070103 GuestBook v0.3a Remote Password Disclosure 33363 http://aria-security.com/forum/showthread.php?p=114 guestbook-gbook-information-disclosure(31245) 2105 phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message. phpmyadmin-darkblueorange-path-disclosure(31223) 33257 20070102 Inforamtion Discloser Vulnerabilities in phpMyAdmin 20070102 Inforamtion Discloser Vulnerabilities in "phpMyAdmin" MDKSA-2007:199 2104 CarbonCommunities stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for DataBase/Carbon2.4d.mdb. carboncommunities-carbon2-info-disclosure(31253) ADV-2007-0038 37549 http://aria-security.com/forum/showthread.php?t=85 Multiple stack-based buffer overflows in the (1) LoadTree and (2) ReadHeader functions in PAISO.DLL 1.7.3.0 (1.7.3 beta) in ConeXware PowerArchiver 2006 9.64.02 allow user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories. http://vuln.sg/powarc964-en.html 23559 ADV-2007-0041 32576 20070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow powerarchiver-loadtree-readheader-bo(31263) 20070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow Vulnerability Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by language.php. ADV-2007-0035 32352 verliadmin-language-file-include(31241) 3075 Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability." TA08-316A 21872 MS08-069 ADV-2008-3111 20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) 1021164 23655 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) oval:org.mitre.oval:def:5793 32627 SSRT080164 HPSBST02386 http://isc.sans.org/diary.php?storyid=2004 20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) The Perforce client does not restrict the set of files that it overwrites upon receiving a request from the server, which allows remote attackers to overwrite arbitrary files by modifying the client config file on the server, or by operating a malicious server. 20070104 Perforce client: security hole by design 33369 Cross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information. http://spine.sourceforge.net/changelog.html spine-unspecified-csrf(31283) ADV-2007-0042 23537 32577 The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A 21910 multiple-vendor-pdf-code-execution(31364) ADV-2007-0930 1017749 24479 http://projects.info-pull.com/moab/MOAB-06-01-2007.html 31221 http://docs.info.apple.com/article.html?artnum=305214 The Adobe PDF specification 1.3, as implemented by Adobe Acrobat before 8.0.0, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A multiple-vendor-pdf-code-execution(31364) ADV-2007-0930 1017749 21910 24479 http://projects.info-pull.com/moab/MOAB-06-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 The Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patch 2, (b) kpdf in KDE before 3.5.5, (c) poppler before 0.5.4, and other products, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A https://issues.rpath.com/browse/RPL-964 multiple-vendor-pdf-code-execution(31364) ADV-2007-0930 ADV-2007-0244 ADV-2007-0212 ADV-2007-0203 USN-410-2 USN-410-1 1017749 21910 20070116 [KDE Security Advisory] kpdf/kword/xpdf denial of service vulnerability SUSE-SR:2007:003 MDKSA-2007:024 MDKSA-2007:022 MDKSA-2007:021 MDKSA-2007:020 MDKSA-2007:019 MDKSA-2007:018 http://www.kde.org/info/security/advisory-20070115-1.txt http://support.novell.com/techcenter/psdb/44d7cb9b669d58e0ce5aa5d7ab2c7c53.html 1017514 24479 24204 23876 23844 23839 23815 23813 23808 23799 23791 http://projects.info-pull.com/moab/MOAB-06-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 Stack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request. VU#744249 23629 cisco-acs-csadmin-bo(31323) ADV-2007-0068 21900 20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server 1017475 32642 Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. 21893 http://wordpress.org/development/2007/01/wordpress-206/ ADV-2007-0061 20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability http://www.hardened-php.net/advisory_012007.140.html 23595 33397 2114 WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. Successful exploitation requires that the "mbstring" extension be enabled. This vulnerability is addressed in the following product release: WordPress, WordPress, 2.0.6 wordpress-mbstring-security-bypass(31297) 21907 20070105 Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability OpenPKG-SA-2007.005 http://www.hardened-php.net/advisory_022007.141.html http://wordpress.org/development/2007/01/wordpress-206/ 23595 ADV-2007-0061 31579 2112 GLSA-200701-10 23741 nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles. novell-profile-security-bypass(31343) ADV-2007-0064 21886 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974970.htm 1017471 23619 31358 wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. wordpress-account-enumeration(31262) ADV-2007-0062 20070103 Wordpress <= 2.x dictionnary & Bruteforce attack 23621 31577 2113 GLSA-200701-10 23741 Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message. https://secure-support.novell.com/KanisaPlatform/Publishing/143/3615264_f.SAL_Public.html ADV-2007-0073 21921 23654 31359 1017483 Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as used in mobile devices running Windows Mobile 5.0, 2003, and 2003SE, allows remote attackers to execute arbitrary code via a crafted PNG image. ADV-2007-0072 http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+Resco+Photo+Viewer+6%2E01+Enabling+Code+Injection+and+Arbitrary+Code+Execution 21920 23658 32644 http://blog.trendmicro.com/flaw-in-3rd-party-app-weakens-windows-mobile/ SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter. createauction-cats-sql-injection(31356) 21929 20070107 createauction (cats.asp) Remote SQL Injection Vulnerability 33406 2111 Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm. packetshaper-argument-dos(31357) ADV-2007-0098 21933 20070108 Packeteer PacketWise CLI overflow DoS 23685 31656 2110 Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote attackers to obtain sensitive information regarding "content details" via unspecified vectors. 102764 23630 sun-java-cds-info-disclosure(31345) ADV-2007-0076 21908 32645 Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php. 20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit 20070108 Source verify - Coppermine Photo Gallery <= 1.4.10 code injection 33383 http://acid-root.new.fr/poc/19070104.txt 2107 Digger Solutions Intranet Open Source (IOS) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for data/intranet.mdb. 20070105 Intranet Open Source Remote Password Disclosure "intranet.mdb" 33379 intranet-intranet-info-disclosure(31308) 2109 DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation. ADV-2007-0074 21899 http://projects.info-pull.com/moab/MOAB-05-01-2007.html 31167 23653 Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow remote attackers to read arbitrary files via an absolute pathname in the file parameter to (1) edittag.cgi, (2) edittag.pl, (3) edittag_mp.cgi, or (4) edittag_mp.pl. 21890 20070105 Multiple bugs in EditTag 33396 33395 33394 33393 7950 Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) mkpw.pl, or (3) mkpw.cgi. 21891 20070105 Multiple bugs in EditTag 33392 33391 33390 7950 Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlier allows remote attackers to cause a denial of service (application crash) via multiple HTTP requests containing invalid Content-Length values. acunetix-content-length-dos(31279) 21898 37580 3078 Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter. ADV-2007-0083 21880 20070105 RI Blog 1.3 XSS Vuln. 31637 riblog-search-xss(31317) 2108 23657 Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4.10 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via (1) the cat parameter to albmgr.php, and possibly (2) the gid parameter to usermgr.php; (3) the start parameter to db_ecard.php; and the albumid parameter to unspecified files, related to the (4) filename_to_title and (5) del_titles functions. 21894 20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit 35856 35855 35854 35853 35852 http://acid-root.new.fr/poc/19070104.txt 2123 25846 3085 Unrestricted file upload vulnerability in Uber Uploader 4.2 allows remote attackers to upload and execute arbitrary PHP scripts by naming them with a .phtml extension, which bypasses the .php extension check but is still executable on some server configurations. 20070105 Uber Uploader 4.2 Arbitrary File Upload Vulnerability uber-uploader-phtml-file-upload(31303) 2116 Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist. 21895 20070105 [DRUPAL-SA-2007-002] Drupal 4.6.11 / 4.7.5 fixes DoS issue 23586 http://drupal.org/node/104238 ADV-2007-0051 32131 2115 Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux before 20070102 enter an infinite loop upon encountering an invalid NumberOfRvaAndSizes value in the Optional Windows Header of a portable executable (PE) file, which allows remote attackers to cause a denial of service (CPU consumption) by scanning a crafted PE file. kaspersky-antivirus-pe-dos(31315) ADV-2007-0067 21901 1017476 23575 32588 20070105 Kaspersky Antivirus Scan Engine PE File Denial of Service Vulnerability Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker. http://www.opera.com/support/search/supsearch.dml?index=852 opera-jpeg-dht-bo(31305) ADV-2007-0060 GLSA-200701-08 1017473 23771 23739 23613 31574 SUSE-SA:2007:009 20070105 Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption Vulnerability The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call. 23613 20070105 Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerability ADV-2007-0060 http://www.opera.com/support/search/supsearch.dml?index=851 GLSA-200701-08 1017473 23771 23739 31575 SUSE-SA:2007:009 SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the book_id parameter. ADV-2007-0053 23606 31677 3081 SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatID parameter. locazolist-main-sql-injection(31242) ADV-2007-0052 35813 3073 SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0055 21873 23602 31678 igcalendar-user-sql-injection(31300) 20070105 IG Calendar SQL Injection 3082 JAMWiki before 0.5.0 does not properly check permissions during moves of "read-only or admin-only topics," which allows remote attackers to make unauthorized changes to the wiki. http://sourceforge.net/project/shownotes.php?group_id=171441&release_id=475663 23634 32581 jamwiki-permission-security-bypass(31296) 21879 SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0056 23604 http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt 33385 igshop-compareproduct-sql-injection(31299) 21874 20070105 IG Shop remote code execution 3083 Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter. ADV-2007-0056 33386 Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the vulnerability is present in 1.4. igshop-cartpage-code-execution(31301) ADV-2007-0056 21875 20070619 iG Shop 1.4 eval Inclusion Vulnerability 20070105 IG Shop remote code execution 20070618 Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit 23604 http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt 33388 33387 3083 PHP remote file inclusion vulnerability in inc/init.inc.php in Aratix 0.2.2 beta 11 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the current_path parameter. ADV-2007-0054 20070108 Source verify of Aratix RFI http://securityreason.com/exploitalert/1698 33405 aratix-init-file-include(31282) 3079 Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. http://drupal.org/node/104233 ADV-2007-0050 32140 32139 20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes drupal-core-unspecified-xss(31311) 20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes XSS issue http://drupal.org/files/sa-2007-001/advisory.txt Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 23623 ADV-2007-0065 http://serenebach.net/log/sb209R.html http://serenebach.net/log/sb119R.html 32580 JVN#65500885 serene-bach-unspecified-xss(31302) 21884 1017470 formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begins with (1) AbfrageForm or (2) EingabeForm, allows remote attackers to cause a denial of service (daemon crash) via multiple requests containing many /../ sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. formbankserver-formbank-dos(31216) 23539 32546 Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/OSI 7.3-2 for OpenVMS ALPHA, and the DECnet-Plus 7.3 feature in DECnet/OSI 7.3 for OpenVMS VAX, allows attackers to obtain "unintended privileged access to data and system resources" via unspecified vectors, related to (1) [SYSEXE]CTF$UI.EXE, (2) [SYSMSG]CTF$MESSAGES.EXE, (3) [SYSHLP]CTF$HELP.HLB, and (4) [SYSMGR]CTF$STARTUP.COM. 23636 ftp://ftp.itrc.hp.com/openvms_patches/vax/V7.3/VAX_DNVOSIMUP01-V0703.txt ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIMUP01-V0703-2.txt ADV-2007-0063 32586 32585 32584 32583 SQL injection vulnerability in down.asp in Kolayindir Download (Yenionline) allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0079 21889 20070105 Kolayindir Download (Yenionline) (tr) SqL Injection Vuln. 23645 31625 kolayindirdownload-down-sql-injection(31320) 2122 Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. ADV-2007-0082 21904 20070106 Yet Another Link Directory v1.0 23646 31626 yald-yald-xss(31322) 2121 SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the CatID parameter. ADV-2007-0080 21905 20070106 shopstorenow (orange.asp) sql injection 23642 31665 shopstorenow-orange-sql-injection(31313) 2120 Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php. ADV-2007-0078 23635 31209 31208 3090 nune-index-archives-file-include(31312) 20070107 NUNE News Script (custom_admin_path) Remote File Include Vulnerablity Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the ordernum parameter. 23652 31690 qos-search-xss(31321) 3089 PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP News (BP News) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the bnrep parameter, a different vector than CVE-2006-4648 and CVE-2006-4649. 1017477 35898 bingo-bnsmrep1-file-include(31328) Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php. ADV-2007-0081 20070106 Fix & Chips CMS v1.0 23625 fixandchips-multiple-scripts-xss(31319) 32650 32649 32648 32647 32646 2119 Cuyahoga before 1.0.1 installs the FCKEditor component with an incorrect deny statement in a Web.config file, which allows remote attackers to upload files when these privileges were intended only for the Administrator and Editor roles. http://www.cuyahoga-project.org/10/section.aspx/61 23662 http://cuyahoga.svn.sourceforge.net/viewvc/cuyahoga?view=rev&revision=551 32643 21927 Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in the Javascript alert function. http://www.omnigroup.com/applications/omniweb/releasenotes/ 23624 ADV-2007-0075 http://projects.info-pull.com/moab/MOAB-07-01-2007.html 31222 omniweb-alert-format-string(31324) 21911 20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS http://www.digitalmunition.com/DMA%5B2007-0107a%5D.txt 3098 http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/ EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb. 20070107 EMembersPro 1.0 Remote Password Disclosure Vulnerability 33403 ememberspro-users-info-disclosure(31329) 2118 Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters. ADV-2007-0099 20070107 Dayfox Blog Remote File Include Vuln. 31259 dayfoxblog-index-file-include(31336) 2117 23661 MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb. 20070107 MitiSoft Remote Password Disclosure Vulnerability 33409 mitisoft-mitisoft-info-disclosure(31341) OhhASP stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/OhhASP.mdb. 20070106 ohhASP Remote Password Disclosure 33381 http://64.38.62.221/ariasecucom/forum/showthread.php?t=89 ohhasp-ohhasp-info-disclosure(31342) AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb. 20070107 AJLogin v3.5 Remote Password Disclosure Vulnerability 33404 ajlogin-ajlogin-info-disclosure(31331) 2127 Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb. 20070107 Webulas Remote Password Disclosure Vulnerability 33401 webulas-db-info-disclosure(31338) 2126 HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb. 20070107 HarikaOnline v2.0 Remote Password Disclosure Vulnerability 33410 harikaonline-harikaonline-info-disclosure(31339) 2125 M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb. 20070107 M-Core Remote Password Disclosure Vulnerability 33402 mcore-uyelik-info-disclosure(31340) 2124 Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index. ADV-2007-0362 ADV-2007-0172 39247 [neon] 20070107 invalid chars cause sigserv in neon http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404723 http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2 http://www.webdav.org/cadaver/ 22035 SUSE-SR:2007:002 MDKSA-2007:013 23984 23763 23751 [cadaver] 20070123 release 0.22.5 Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename. http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch ADV-2007-0118 ADV-2007-0117 31618 geoip-geoipupdate-directory-traversal(31383) USN-412-1 21959 MDKSA-2007:004 23906 23880 Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.cc) in CenterICQ 4.9.11 through 4.21.0, when using unofficial LiveJournal servers, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by adding the victim as a friend and using long (1) username and (2) real name strings. Failed exploitation attempts will likely result in a denial-of-service condition. centericq-username-bo(31330) ADV-2007-0306 21932 20070107 TK53 Advisory #1: CenterICQ remote DoS buffer overflow in LiveJournal handling GLSA-200701-20 1017545 2129 33408 The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023. ADV-2007-0094 21935 20070108 HP Multiple Products PML Driver Local Privilege Escalation http://secway.org/advisory/AD20070108.txt 23663 32654 pml-driver-config-privilege-escalation(31361) 2128 Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permissions for the (1) ApplicationEnhancer binary and the (2) /Library/Frameworks/ApplicationEnhancer.framework directory, which allows local users to gain privileges by modifying or replacing the binary or library files. http://projects.info-pull.com/moab/MOAB-08-01-2007.html 32661 http://landonf.bikemonkey.org/code/macosx/MOAB_Day_8.20070109002959.18582.timor.html ape-appenhancer-privilege-escalation(31349) 21951 23649 SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information. 20070106 Cracking Steganography Application in less than ONE minute 23639 31244 http://homepage.mac.com/adonismac/Advisory/steg/steganography.html steganography-password-security-bypass(31378) 20070107 A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version) Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information. 21939 23578 32651 http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html camouflage-password-security-bypass(31375) 20070107 A Major design Bug in Camouflage 1.2.1 (latest) Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind. 102713 ADV-2007-0110 oval:org.mitre.oval:def:5920 31576 solaris-rpcbind-dos(31366) 21964 http://support.avaya.com/elmodocs2/security/ASA-2007-036.htm 1017492 24056 23700 oval:org.mitre.oval:def:2210 The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack. FreeBSD-SA-07:01 32726 22011 1017505 23730 Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/. 21961 20070109 ppc engine Multiple file inclusion 20070109 "ppc engine" is WGS-PPC demoppc-inc-file-include(31355) 33454 33453 33452 33451 33450 33449 33448 33447 33446 33445 33444 2134 3104 The Tape Engine service in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allows remote attackers to execute arbitrary code via certain data in opnum 0xBF in an RPC request, which is directly executed. VU#662400 http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp http://www.zerodayinitiative.com/advisories/ZDI-07-002.html ADV-2007-0154 31327 brightstor-tapeengine-code-execution(31442) 22010 20070111 ZDI-07-002: CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability 20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities 20070111 LS-20061002 - Computer Associates BrightStor ARCserve Backup Remote Code Execution Vulnerability http://www.lssec.com/advisories/LS-20061002.pdf 1017506 23648 http://livesploit.com/advisories/LS-20061002.pdf Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service. VU#180336 VU#151032 http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp brightstor-messageengine-rpc-bo(31443) brightstor-tapeengine-rpc-bo(31433) http://www.zerodayinitiative.com/advisories/ZDI-07-004.html http://www.zerodayinitiative.com/advisories/ZDI-07-003.html ADV-2007-0154 22006 22005 20070111 ZDI-07-003: CA BrightStor ARCserve Backup Message Engine Buffer Overflow Vulnerability 20070111 ZDI-07-004: CA BrightStor ARCserve Backup Tape Engine Buffer Overflow Vulnerability 20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities 1017506 23648 31327 20070111 Computer Associates BrightStor ARCserve Backup RPC Engine PFC Request Buffer Overflow Vulnerability PHP remote file inclusion vulnerability in index.php in AllMyVisitors 0.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the AMV_serverpath parameter. allmyvisitors-index-file-include(31316) 21917 35904 3097 PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AML_opensite parameter. allmylinks-index-file-include(31314) 21916 35909 3096 Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the AMG_serverpath parameter to (1) comments.php and (2) signin.php; and possibly via a URL in unspecified parameters to (3) include/submit.inc.php, (4) admin/index.php, (5) include/cm_submit.inc.php, and (6) index.php. allmyguests-multiple-file-include(31310) 21918 35923 35921 35919 35917 35916 35915 3093 Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. l2j-statistik-index-file-include(31309) ADV-2007-0097 21914 35914 3091 Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function. ADV-2007-0093 http://secway.org/advisory/ad20070109EN.txt 23638 32659 20070109 Sina UC ActiveX Multiple Remote Stack Overflow sinauc-senddownloadfile-bo(31350) sinauc-sendchatroomopt-bo(31348) 21958 20070109 Sina UC ActiveX Multiple Remote Stack Overflow Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter. b2evolution-login-xss(31368) 21953 DSA-1568 30093 23656 32027 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410568 Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter. 21946 20070108 GForge Cross Site Scripting vulnerability http://www.eazel.es/advisory006-gforge-cross-site-scripting-vulnerability.html 1017482 23675 31248 gforge-words-xss(31346) DSA-1475 2133 28598 Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 21956 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_8_3/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_7_2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_9/phase3/RELEASE-NOTES http://sourceforge.net/forum/forum.php?forum_id=652721 ADV-2007-0096 23647 31525 mediawiki-ajax-unspecified-xss(31359) SUSE-SR:2007:006 24889 PHP remote file inclusion vulnerability in info.php in Easy Banner Pro 2.8 allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter. 20070108 Easy Banner Pro Version 2.8 <= Remote File Inclusion 33455 easybannerpro-info-file-include(31374) 21967 2132 SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter. 21962 20070109 Re: PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit 31266 2131 Stack-based buffer overflow in EF Commander 5.75 allows user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories, which produces a large filename that triggers the overflow. http://vuln.sg/efcommander575-en.html 23659 32660 efcommander-iso-pathname-bo(31365) 21969 PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter. ADV-2007-0136 20070108 magic photo storage website Remote File Inclusion magicphotostorage-config-file-include(31347) 21965 23687 3100 Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date. 20070108 magic photo storage website Multiple Remote File Inclusion 21965 33439 33438 33437 33436 33435 33434 33433 33432 33431 33430 33429 33428 33427 33426 33425 33423 33422 33421 33420 33419 33418 33417 33416 33415 33414 33413 33412 33411 32668 2136 Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 21977 23605 32662 Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks. ADV-2007-0095 21955 23641 32657 SUSE-SR:2009:004 http://getahead.ltd.uk/dwr/changelog dwr-include-exclude-security-bypass(31377) Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch. 23641 ADV-2007-0095 21955 32658 SUSE-SR:2009:004 http://getahead.ltd.uk/dwr/changelog dwr-servlet-engine-dos(31382) Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550. https://tech.f5.com/home/solutions/sol6920.html https://tech.f5.com/home/solutions/sol6919.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 23643 23627 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory 32743 32742 32741 32740 32739 32738 32737 F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name. https://tech.f5.com/home/solutions/sol6924.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 39167 20070105 NNL-Labs & MNIN - F5 FirePass Security Advisory https://tech.f5.com/home/solutions/sol6916.html 23640 23626 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources. https://tech.f5.com/home/solutions/sol6922.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 32734 23640 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value. geobb-index-file-include(31335) 20070107 GeoBB Georgian Bulletin Board Remote File Include Vuln. 20070110 Dispute of GeoBB RFI 33440 2141 PHP remote file inclusion vulnerability in edit_address.php in edit-x ecommerce allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. ADV-2007-0158 20070109 edit-x ecommerce (include_dir) Remote File include editx-editaddress-file-include(31384) 21974 2139 Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section. mkportal-admin-xss(31304) 20070105 MkPortal Admin XSS 33399 2138 Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack. 20070104 MkPortal "All Guests are Admin" Exploit 33400 2137 FON La Fonera routers do not properly limit DNS service access by unauthenticated clients, which allows remote attackers to tunnel traffic via DNS requests for hosts that should not be accessible before authentication. 20070107 Re: FON Router allows anonymous web access 20070106 FON Router allows anonymous web access 33441 admin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message. 20070108 MKPortal Full Path Disclosure 33407 mkportal-admin-path-disclosure(31333) my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account. https://tech.f5.com/home/solutions/sol6923.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 32736 23627 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory SQL injection vulnerability in admin_check_user.asp in Motionborg Web Real Estate 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (txtUserName parameter) and possibly other parameters. NOTE: some details were obtained from third party information. motionborg-admincheckuser-sql-injection(31360) ADV-2007-0143 21963 23531 32718 3105 Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption. TA07-047A VU#240880 macos-finder-dos(31410) ADV-2007-0140 1017662 21980 20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS 32714 http://www.digitalmunition.com/DMA%5B2007-0109a%5D.txt 24198 http://projects.info-pull.com/moab/MOAB-09-01-2007.html APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 The JTapi Gateway process in Cisco Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise, and Cisco IP Contact Center Hosted 5.0 through 7.1 allows remote attackers to cause a denial of service (repeated process restart) via a certain TCP session on the JTapi server port. 20070110 Cisco Unified Contact Center and IP Contact Center JTapi Gateway Vulnerability ADV-2007-0138 21988 32682 1017499 23710 The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange." 20070110 DLSw Vulnerability ADV-2007-0139 oval:org.mitre.oval:def:5714 32683 21990 1017498 23697 PHP remote file inclusion vulnerability in template.php in Geoffrey Golliher Axiom Photo/News Gallery (axiompng) 0.8.6 allows remote attackers to execute arbitrary PHP code via a URL in the baseAxiomPath parameter. ADV-2007-0107 20070110 source verify - Axiom RFI 32716 axiom-template-file-include(31372) 21972 23715 3108 Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Firewall Toolkit (FWTK) allows remote attackers to execute arbitrary code via a long destination hostname (dest). tisfwtk-ftpgw-bo(31363) 21960 http://www.ranum.com/security/computer_security/editorials/codetools/ 1017481 35967 SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter. @lexguestbook-index-sql-injection(31393) ADV-2007-0137 21926 20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit 23637 31707 http://acid-root.new.fr/poc/20070107.txt 2135 3103 Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 23702 ADV-2007-0125 32666 21987 MDKSA-2007:199 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information. 23702 ADV-2007-0125 http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 32667 phpmyadmin-unspecified-xss(31387) 21987 MDKSA-2007:199 Directory traversal vulnerability in admin/skins.php for @lex Guestbook 4.0.2 and earlier allows remote attackers to create files in arbitrary directories via ".." sequences in the (1) aj_skin and (2) skin_edit parameters. NOTE: this can be leveraged for file inclusion by creating a skin file in the lang directory, then referencing that file via the lang parameter to index.php, which passes a sanity check in livre_include.php. @lexguestbook-livreinclude-file-include(31397) 21926 20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit 2135 31709 31708 3103 http://acid-root.new.fr/poc/20070107.txt Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to read arbitrary files via unknown vectors. ADV-2007-0153 22009 SSRT061174 HPSBMA02175 32729 1017503 2140 Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac does not correctly check the properties of certain documents and warn the user of macro content, which allows user-assisted remote attackers to execute arbitrary code. TA07-044A MS07-014 ADV-2007-0583 1017639 22477 34385 oval:org.mitre.oval:def:700 Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a Word file with a malformed drawing object, which leads to memory corruption. TA07-044A ADV-2007-0583 1017639 22482 MS07-014 34386 oval:org.mitre.oval:def:187 The Window Image Acquisition (WIA) Service in Microsoft Windows XP SP2 allows local users to gain privileges via unspecified vectors involving an "unchecked buffer," probably a buffer overflow. TA07-044A MS07-007 ADV-2007-0576 1017634 22499 31889 24132 oval:org.mitre.oval:def:186 The hardware detection functionality in the Windows Shell in Microsoft Windows XP SP2 and Professional, and Server 2003 SP1 allows local users to gain privileges via an unvalidated parameter to a function related to the "detection and registration of new hardware." TA07-044A VU#240796 MS07-006 ADV-2007-0575 1017633 22481 31890 24126 oval:org.mitre.oval:def:224 Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails, which allows remote attackers to execute arbitrary code via a crafted base64-encoded MIME e-mail message. TA07-128A VU#343145 MS07-026 ADV-2007-1711 SSRT071422 exchange-mime-base64-code-execution(33889) 1018015 23809 HPSBST02214 34391 25183 oval:org.mitre.oval:def:1890 The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 SP3, XP SP2 and Professional, 2003 SP1 allows remote attackers to execute arbitrary code via unspecified functions, related to uninitialized parameters. VU#563756 TA07-044A MS07-008 ADV-2007-0577 1017635 22478 31884 24136 oval:org.mitre.oval:def:125 Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption. TA07-128A http://www.zerodayinitiative.com/advisories/ZDI-07-026.html MS07-023 ADV-2007-1708 SSRT071422 excel-biff-file-bo(33913) 1018012 23760 SSRT071422 20070508 ZDI-07-026: Microsoft Excel BIFF File Format Named Graph Record Parsing Stack Overflow Vulnerability 34393 25150 oval:org.mitre.oval:def:1971 wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section length headers, aka "Microsoft Works File Converter Input Validation Vulnerability." TA08-043C MS08-011 ADV-2008-0513 1019386 27657 28904 SSRT080016 HPSBST02314 20080208 Microsoft Office Works Converter Heap Overflow Vulnerability oval:org.mitre.oval:def:5309 The wininet.dll FTP client code in Microsoft Internet Explorer 5.01 and 6 might allow remote attackers to execute arbitrary code via an FTP server response of a specific length that causes a terminating null byte to be written outside of a buffer, which causes heap corruption. VU#613564 TA07-044A MS07-016 ADV-2007-0584 1017642 22489 31892 24156 20070213 Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability 20070309 MS07-016 FTP Response DOS PoC oval:org.mitre.oval:def:1141 Microsoft Internet Explorer 5.01 and 6 allows remote attackers to execute arbitrary code by instantiating certain COM objects from Urlmon.dll, which triggers memory corruption during a call to the IObjectSafety function. TA07-163A MS07-033 webbrowser-object-code-execution(32106) ADV-2007-2153 24372 HPSBST02231 HPSBST02231 1018235 25627 35348 20070612 Microsoft License Manager and urlmon.dll COM Object Interaction Invalid Memory Access Vulnerability oval:org.mitre.oval:def:1084 Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects from (1) Msb1fren.dll, (2) Htmlmm.ocx, and (3) Blnmgrps.dll as ActiveX controls, which allows remote attackers to execute arbitrary code via unspecified vectors, a different issue than CVE-2006-4697. VU#771788 TA07-044A MS07-016 ie-com-activex-code-execution(32427) ADV-2007-0584 1017643 22504 31895 31894 31893 24156 oval:org.mitre.oval:def:257 Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2000 SP3, and 2003 SP1 and SP2 allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments, involving an "incorrectly handled UTF character set label". TA07-128A VU#124113 MS07-026 ADV-2007-1711 SSRT071422 exchange-utf-xss(33887) 1018015 23806 HPSBST02214 34389 25183 oval:org.mitre.oval:def:1371 Integer overflow in the IMAP (IMAP4) support in Microsoft Exchange Server 2000 SP3 allows remote attackers to cause a denial of service (service hang) via crafted literals in an IMAP command, aka the "IMAP Literal Processing Vulnerability." TA07-128A 1018015 MS07-026 25183 20070508 Microsoft Exchange Server 2000 IMAP Literal Processing DoS Vulnerability exchange-imap-command-dos(33890) ADV-2007-1711 23810 HPSBST02214 SSRT071422 34392 oval:org.mitre.oval:def:2054 Directory traversal vulnerability in the EmChartBean server side component for Oracle Application Server 10g allows remote attackers to read arbitrary files via unknown vectors, probably "\.." sequences in the beanId parameter. NOTE: this is likely a duplicate of another CVE that Oracle addressed in CPU Jan 2007, but due to lack of details by Oracle, it is unclear which BugID this issue is associated with, so the other CVE cannot be determined. Possibilities include EM02 (CVE-2007-0292) or EM05 (CVE-2007-0293). 22027 20070115 SYMSA-2007-001: Oracle Application Server 10g - Directory Traversal 23794 20070131 Oracle 10g R2 Enterprise Manager Directory Traversal http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 22083 SQL injection vulnerability in shared/code/cp_functions_downloads.php in Nicola Asuni All In One Control Panel (AIOCP) before 1.3.009 allows remote attackers to execute arbitrary SQL commands via the download_category parameter. http://sourceforge.net/project/shownotes.php?release_id=477845 23726 aiocp-cpfunctionsdownloads-sql-injection(31591) 22019 31641 SQL injection vulnerability in shopgiftregsearch.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginLastname parameter. 23699 32732 vpasp-shopgift-sql-injection(31447) 3115 Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. 23699 32733 vpasp-shopcustadmin-xss(31449) 3115 SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier allows remote attackers to execute arbitrary SQL commands via the "by User" field (aka the TXbyuser parameter). uniforum-wbsearch-sql-injection(31362) 21966 32927 20070125 uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability 23827 3106 slocate 3.1 does not properly manage database entries that specify names of files in protected directories, which allows local users to obtain the names of private files. NOTE: another researcher reports that the issue is not present in slocate 2.7. 21989 20070329 FLEA-2007-0005-1: slocate 20070110 Re: slocate leaks filenames of protected directories 20070110 slocate leaks filenames of protected directories 20070111 Re: slocate leaks filenames of protected directories 33465 USN-425-1 20070112 Re: slocate leaks filenames of protected directories The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) &LOGPATH& (6) &FWADELTA& (7) &FWALOG& (8) &SETSYNCHRONOUS& (9) &SETPRGFILE&, or (10) &SETREPLYPORT& string to TCP port 10618, which triggers a NULL pointer dereference. ADV-2007-0147 21994 32725 20070110 EIQ Networks Network Security Analyzer DoS Vulnerability eiq-datacollector-dos(31428) 23693 Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8 and FreeBSD 6.1 allows local users to cause a denial of service (panic) and possibly gain privileges via a crafted DMG image that causes "allocation of a negative size buffer" leading to a heap-based buffer overflow, a related issue to CVE-2006-5679. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem. TA07-072A macos-ffsmountfs-bo(31409) ADV-2007-0930 ADV-2007-0141 1017751 21993 32684 24479 23703 http://projects.info-pull.com/moab/MOAB-10-01-2007.html [freebsd-security] 20070114 MOAB advisories APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 http://applefun.blogspot.com/2007/01/moab-10-01-2007-apple-dmg-ufs.html ** DISPUTED ** PHP remote file inclusion vulnerability in install.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the install_dir parameter. NOTE: CVE and third parties dispute this vulnerability because install_dir is defined before use. cscart-install-file-include(31408) 20070109 CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability 20070110 [bogus] [ahmed_labib_hilmy at yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) 31277 Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments field. http://www.zackvision.com/weblog/2007/01/movabletype-security-bug.html ADV-2007-0142 23669 32717 http://golem.ph.utexas.edu/~distler/blog/archives/001102.html PHP remote file inclusion vulnerability in routines/fieldValidation.php in Jshop Server 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the jssShopFileSystem parameter. 21995 33459 jshop-fieldvalidation-file-include(31425) 20070110 Jshop Server 1.3 2146 3113 wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress. 21983 36860 wordpress-tbid-sql-injection(31385) 3109 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0243. Reason: This candidate is a duplicate of CVE-2007-0243. Notes: All CVE users should reference CVE-2007-0243 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor. https://launchpad.net/bugs/79206 https://issues.rpath.com/browse/RPL-972 libgtop2-glibtopbo(31522) ADV-2007-0187 ADV-2007-0185 USN-407-1 22054 MDKSA-2007:023 DSA-1255 GLSA-200701-17 24015 23872 23840 23814 23777 23736 oval:org.mitre.oval:def:10720 32815 http://ftp.gnome.org/pub/gnome/sources/libgtop/2.14/libgtop-2.14.6.news http://bugzilla.gnome.org/show_bug.cgi?id=396477 1018526 RHSA-2007:0765 26367 Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow. TA07-072A ADV-2007-0930 ADV-2007-0191 1017751 22041 32687 3130 1017513 24479 23708 http://projects.info-pull.com/moab/MOAB-14-01-2007.html APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 The ndeb-binary feature in Lookup (lookup-el) allows local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-1269 24590 24377 34263 lookup-ndebbinary-symlink(33052) 1017792 23026 GLSA-200712-07 28023 http://bugs.gentoo.org/show_bug.cgi?id=197306 Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note. https://issues.rpath.com/browse/RPL-1118 https://issues.foresightlinux.org/browse/FL-211 openoffice-starcalc-bo(33112) ADV-2007-1117 ADV-2007-1032 USN-444-1 1017799 23067 20070404 High Risk Vulnerability in OpenOffice RHSA-2007:0069 RHSA-2007:0033 http://www.openoffice.org/security/CVE-2007-0238 http://www.ngssoftware.com/advisories/high-risk-vulnerabilities-in-the-openoffice-suite/ MDKSA-2007:073 GLSA-200704-12 DSA-1270 102794 24906 24810 24676 24647 24646 24613 24588 24550 24465 oval:org.mitre.oval:def:8968 SUSE-SA:2007:023 OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document. ADV-2007-1117 ADV-2007-1032 1017799 DSA-1270 oval:org.mitre.oval:def:11422 https://issues.rpath.com/browse/RPL-1118 https://issues.foresightlinux.org/browse/FL-211 openoffice-shell-command-execution(33113) USN-444-1 22812 RHSA-2007:0069 RHSA-2007:0033 MDKSA-2007:073 GLSA-200704-12 102807 24906 24810 24676 24647 24646 24613 24588 24550 24465 SUSE-SA:2007:023 Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view ADV-2007-1041 zope-unspecifiedget-xss(33187) 23084 DSA-1275 25239 24713 24017 SUSE-SR:2007:011 The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. http://www.trolltech.com/company/newsroom/announcements/press.2007-03-30.9172215350 ADV-2007-1212 http://www.nabble.com/Bug-417390:-CVE-2007-0242,--Qt-UTF-8-overlong-sequence-decoding-vulnerability-t3506065.html 46117 RHSA-2011:1324 oval:org.mitre.oval:def:11510 https://issues.rpath.com/browse/RPL-1202 qt-utf8-xss(33397) USN-452-1 23269 RHSA-2007:0909 RHSA-2007:0883 SUSE-SR:2007:006 MDKSA-2007:076 MDKSA-2007:075 MDKSA-2007:074 DSA-1292 http://support.novell.com/techcenter/psdb/fc79b7f48d739f9c803a24ddad933384.html http://support.novell.com/techcenter/psdb/39ea4b325a7da742cb8b6995fa585b14.html http://support.avaya.com/elmodocs2/security/ASA-2007-424.htm SSA:2007-093-03 27275 27108 26857 26804 25263 24889 24847 24797 24759 24727 24726 24705 24699 FEDORA-2007-703 20070901-01-P Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption. TA07-022A VU#388289 http://www.zerodayinitiative.com/advisories/ZDI-07-005.html 102760 jre-gif-bo(31537) ADV-2007-4224 ADV-2007-1814 ADV-2007-0936 ADV-2007-0211 22085 20070121 Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept Exploit 20070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability RHSA-2007:0956 RHSA-2007:0167 RHSA-2007:0166 SUSE-SA:2007:045 GLSA-200702-07 http://support.novell.com/techcenter/psdb/d2f549cc040cd81ae4a268bb5edfe918.html http://support.novell.com/techcenter/psdb/4f850d1e2b871db609de64ec70f0089c.html 1017520 2158 GLSA-200702-08 28115 27203 26645 26119 26049 25283 24993 24468 24202 24189 23757 oval:org.mitre.oval:def:11073 32834 APPLE-SA-2007-12-14 HPSBUX02196 HPSBUX02196 http://docs.info.apple.com/article.html?artnum=307177 BEA07-172.00 RHSA-2008:0261 pptpgre.c in PoPToP Point to Point Tunneling Server (pptpd) before 1.3.4 allows remote attackers to cause a denial of service (PPTP connection tear-down) via (1) GRE packets with out-of-order sequence numbers or (2) certain GRE packets that are processed using a wrong pointer and improperly dequeued. DSA-1288 ADV-2007-1743 23886 http://sourceforge.net/project/shownotes.php?release_id=501476&group_id=44827 USN-459-2 USN-459-1 2007-0017 1018064 SUSE-SR:2007:019 SUSE-SR:2007:010 GLSA-200705-18 26987 25255 25220 Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten. DSA-1307 https://issues.rpath.com/browse/RPL-1570 openoffice-rtf-bo(34843) ADV-2007-2229 ADV-2007-2166 USN-482-1 1018239 24450 20070613 High risk vulnerability in OpenOffice RTF parser RHSA-2007:0406 SUSE-SA:2007:037 MDKSA-2007:144 GLSA-200707-02 http://sw.openoffice.org/source/browse/sw/sw/source/filter/rtf/swparrtf.cxx?rev=1.67 102917 26476 26022 26010 25905 25894 25862 25705 25673 25650 25648 oval:org.mitre.oval:def:10002 35378 20070602-01-P plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 before 20070524, aka gforge-plugin-scmcvs, allows remote attackers to execute arbitrary commands via shell metacharacters in the PATH_INFO. 25416 25395 gforge-cvsweb-command-execution(34510) ADV-2007-1942 24141 DSA-1297 36526 http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/plugins/scmcvs/www/cvsweb.php?root=gforge&r1=5849&r2=6038&pathrev=6038 gforge-cvsweb-code-execution(34510) squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers to cause a denial of service (core dump) via crafted FTP directory listing responses, possibly related to the (1) ftpListingFinish and (2) ftpHtmlifyListEntry functions. squid-multiple-dos(31523) ADV-2007-0199 USN-414-1 http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12 http://www.squid-cache.org/bugs/show_bug.cgi?id=1857 22079 SUSE-SA:2007:012 MDKSA-2007:026 GLSA-200701-22 23946 23921 23889 23837 23810 23805 23767 39839 The aclMatchExternal function in Squid before 2.6.STABLE7 allows remote attackers to cause a denial of service (crash) by causing an external_acl queue overload, which triggers an infinite loop. 23767 ADV-2007-0199 http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12 http://www.squid-cache.org/bugs/show_bug.cgi?id=1848 squid-externalacl-dos(31525) USN-414-1 22203 SUSE-SA:2007:012 MDKSA-2007:026 GLSA-200701-22 23946 23921 23889 23805 Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML via the o parameter. 22012 20070111 Nwom topsites v3.0 33461 2149 index.php in Nwom topsites 3.0 allows remote attackers to obtain potentially sensitive information via a ' (quote) character in the o parameter, which forces a SQL error. 22012 20070111 Nwom topsites v3.0 33462 2149 Integer underflow in the DecodeGRE function in src/decode.c in Snort 2.6.1.2 allows remote attackers to trigger dereferencing of certain memory locations via crafted GRE packets, which may cause corruption of log files or writing of sensitive information into log files. ADV-2007-0152 http://www.snort.org/got_source/source.html 22004 20070111 Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability 33464 32095 http://labs.calyptix.com/advisories/CX-2007-01.txt 1017507 2165 Unspecified vulnerability in easy-content filemanager allows remote attackers to upload or modify arbitrary files via unspecified vectors. 20070111 easy-content filemanager 33463 ** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. http://www.digitalarmaments.com/news_news.shtml http://grsecurity.net/news.php#digitalfud http://forums.grsecurity.net/viewtopic.php?t=1646 Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors. 22002 20070111 Xine-ui format string Vulnerabilties. 31594 xineui-errorscreatewindow-format-string(31505) MDKSA-2007:154 MDKSA-2007:027 GLSA-200701-18 23931 23891 23709 XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017. 20070110 VLC Format String Vulnerability also in XINE 31666 22252 MDKSA-2007:154 MDKSA-2007:027 23931 VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of service (application crash) via a crafted .wmv file. 22003 http://wiki.videolan.org/Changelog/0.8.6b oval:org.mitre.oval:def:14698 39022 http://downloads.securityfocus.com/vulnerabilities/exploits/22003.py vlcmediaplayer-wmv-dos(31515) ** DISPUTED ** Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code. ADV-2007-0155 22014 20070309 Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability 20070120 Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability 20070112 Lies? [Was: Re: Digital Armaments Security Pre-Advisory11.01.2007: Grsecurity Kernel PaX - Local root vulnerability] 20070111 Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability http://www.digitalarmaments.com/pre2007-00018659.html http://www.digitalarmaments.com/news_news.shtml 1017509 23713 32727 http://grsecurity.net/news.php#digitalfud http://forums.grsecurity.net/viewtopic.php?t=1646 Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information. ADV-2007-0157 ADV-2007-0156 22007 23738 23733 32731 32730 http://14house.blogspot.com/2007/01/fastilo-open-source-shopping-cart-vuln.html quickcart-p-xss(31475) 21971 Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to obtain sensitive information via a invalid cat parameter to boxx/knowledgebase.asp, which reveals the path in an error message. ADV-2007-0208 20070111 Ezboxx multiple vulnerabilities. 33470 32829 http://www.bugsec.com/articles.php?Security=20 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Naig 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the this_path parameter. NOTE: a reliable third party disputes this vulnerability because this_path is defined before use. 20070112 Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 20070112 Fwd: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 33472 20070113 Re: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 2145 snews.php in sNews 1.5.30 and earlier does not properly exit when authentication fails, which allows remote attackers to perform unauthorized administrative actions, as demonstrated by changing an administrative password via the changeup task, and by uploading PHP code via the imagefile parameter. 22025 32817 snews-image-file-upload(31535) 23746 3116 WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. 20070112 Wordpress disclosure of Table Prefix Weakness 33458 Unspecified vulnerability in Total Commander before 6.5.6 allows user-assisted remote attackers to delete arbitrary files and corrupt a filesystem via a crafted RAR file. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 22033 http://www.ghisler.com/whatsnew.htm 39837 Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. This vulnerability is addressed in the following product release: WinZip, WinZip, 9.0 SR1 22020 39800 Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to indexes/newscomments.asp. ADV-2007-0208 20070111 Ezboxx multiple vulnerabilities. 33469 33468 33467 32828 32827 32826 http://www.bugsec.com/articles.php?Security=20 23759 SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the iid parameter. ADV-2007-0208 20070111 Ezboxx multiple vulnerabilities. 33466 32825 http://www.bugsec.com/articles.php?Security=20 23759 The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries. TA07-072A ADV-2007-0930 ADV-2007-0171 1017751 22036 32686 24479 23721 http://projects.info-pull.com/moab/MOAB-12-01-2007.html [freebsd-security] 20070114 MOAB advisories APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) the Advanced Queuing component and sys.dbms_aqsys.dbms_aq privileges (DB01), (2) Advanced Replication and sys.dbms_repcat_untrusted (DB07), and (3) Oracle Text and ctxload (DB15). NOTE: Oracle has not publicly claims by reliable researchers that DB01 is for SQL injection in the SYS.DBMS_AQ_INV package, and DB07 is for a buffer overflow in the UNREGISTER_SNAPSHOT procedure in the DBMS_REPCAT_UNTRUSTED package. TA07-017A VU#221788 22083 23794 oracle-cpu-jan2007(31541) 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aq_inv.html http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32921 32913 32907 Unspecified vulnerability in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to the Change Data Capture and sys.dbms_cdc_subscribe privileges, aka DB02. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32908 oracle-cpu-jan2007(31541) 22083 1017522 Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03. TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 20070718 Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03) 20070124 Oracle Buffer Overflow in DBMS_DRS.GET_PROPERTY http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html http://www.appsecinc.com/resources/alerts/oracle/2007-04.shtml 1017522 32909 Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors related to the Log Miner component and sys.dbms_log_mnr privileges, aka DB04. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the ADD_LOGFILE procedure for the SYS.DBMS_LOGMNR package that allows code execution. TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_LOGMNR.ADD_LOGFILE http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html http://www.appsecinc.com/resources/alerts/oracle/2007-01.shtml 1017522 32910 Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via unspecified vectors involving certain public procedures, aka DB05. TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 20070718 Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12) 20070124 Oracle Multiple Buffer Overflows and DoS attacks in public procedures of MDSYS.MD http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html http://www.appsecinc.com/resources/alerts/oracle/2007-05.shtml 1017522 32911 Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities. TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 http://www.red-database-security.com/advisory/oracle_xmldb_css2.html http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32912 Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL. TA07-017A 22083 23794 oracle-cpu-jan2007(31541) 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070125 Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME 20070125 Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32915 32914 Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01. TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 20070117 [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32906 Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9.0.1.5 have unknown impact and attack vectors related to (1) Advanced Security Option and oklist or okdstry (DB10), (2) Oracle Net Services (DB13), and (3) Recovery Manager and oklist (DB16). TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32922 32919 32916 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has unknown impact and attack vectors related to the Export component and expdp or impdp, aka DB11. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32917 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) NLS Runtime and lmsgen (DB12), and (2) Oracle Text and ctxkbtc (DB14). TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32920 32918 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka (1) OHS01, (2) OHS02, (3) OHS05, (4) OHS06, and (5) OHS07. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32887 32886 32885 32882 32881 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN01. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that OPMN01 is for a buffer overflow in Oracle Notification Service (ONS). TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 http://www.red-database-security.com/advisory/oracle_buffer_overflow_ons.html http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32905 Multiple unspecified vulnerabilities in Oracle HTTP Server 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1, and 10.1.3.0; and Collaboration Suite 9.0.4.2 and 10.1.2; have unknown impact and attack vectors related to the Oracle HTTP Server, aka (1) OHS03 and (2) OHS04. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32884 32883 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.2 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN02. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3 and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to Oracle Containers for J2EE, aka OC4J02. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32896 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.3 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2, have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J03 and (2) OC4J04. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32898 32897 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 9.0.4.2 and 10.1.2; and E-Business Suite and Applications 11.5.10CU2 has unknown impact and attack vectors related to Oracle Reports Developer, aka REP01. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32894 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 10.1.2.0.2 and 10.1.3.0, and Collaboration Suite 10.1.2, has unknown impact and attack vectors related to Containers for J2EE, aka OC4J07. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32901 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.0, and 10.1.2.0.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to Containers for J2EE, aka OC4J08. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32902 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 10.1.4.0 has unknown impact and attack vectors related to Oracle Internet Directory, aka OID01. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32903 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0.4.2 have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J01, (2) OC4J05, and (3) OC4J06. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32900 32899 32895 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors related to (1) Application Object Library (APPS01), (2) Human Resources (APPS03), (3) Payables (APPS04), (4) Trading Community Architecture (APPS05), and (5) Web Applications Desktop Integrator (APPS06). TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32893 32892 32891 32890 32888 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle E-Business Suite and Applications 6.2.3 has unknown impact and attack vectors related to Oracle Exchange, aka APPS02. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32889 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 have unknown impact and attack vectors related to Oracle Agent, aka (1) EM01 and (2) EM02. NOTE: EM05 might be related to CVE-2007-0222. TA07-017A 22083 23794 oracle-cpu-jan2007(31541) http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32876 32875 Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors related to (1) Oracle Agent (EM03) and (2) EM04 and (3) EM05 in Enterprise Manager Console. NOTE: EM05 might be related to CVE-2007-0222. TA07-017A 23794 oracle-cpu-jan2007(31541) 22083 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 1017522 32879 32878 32877 Unspecified vulnerability in Oracle Enterprise Manager 10.2.0.1 has unknown impact and attack vectors related to Database Cloning & Data Guard Management, aka EM06. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html 32880 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13 and 8.47.11 has unknown impact and attack vectors in PeopleTools, aka PSE01. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13, 8.47.11, and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE02. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.47.11 and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE03. TA07-017A 23794 http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html oracle-cpu-jan2007(31541) 22083 1017522 PHP remote file inclusion vulnerability in show.php in LunarPoll, when register_globals is enabled, allows remote attackers execute arbitrary PHP code via a URL in the PollDir parameter. ADV-2007-0177 22024 20070112 LunarPoll (PollDir) Remote File Include Vulnerabilities 31639 20070112 Source Verify of LunarPoll PollDir RFI lunarpoll-show-file-include(31472) 1017510 2152 23760 3117 Integer overflow in the byte_swap_sbin function in bsd/ufs/ufs/ufs_byte_order.c in Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service (kernel panic) by mounting a crafted Unix File System (UFS) DMG image, which triggers an invalid pointer dereference. VU#515792 TA07-072A ADV-2007-0930 1017751 31653 24479 23725 http://projects.info-pull.com/moab/MOAB-11-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 APPLE-SA-2007-03-13 PHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0176 22021 23722 32814 3118 20070112 [Bogus - partly] V TLM CMS <= 1.1 (i-accueil.php chemin) Remote File Include Vulnerability (fwd) PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0178 22040 23743 32824 3123 Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx. ADV-2007-0227 22052 20070115 InstantForum.NET Multiple Cross-Site Scripting Vulnerability 32853 32852 instantforum-multiple-scripts-xss(31521) 2164 23787 Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have unknown impact and attack vectors related to "Potential security bugs." ADV-2007-0181 22049 http://www.pancake.org/zina-changelog-12 SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0175 23756 32820 3120 SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon Sistemi 4.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0206 22060 20070115 Okul Web Otomasyon Sistemi (etkinlikbak.asp) SQL Injection Vulnerability 23755 32819 2151 3135 SQL injection vulnerability in visu_user.asp in Digiappz DigiAffiliate 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0179 22039 23744 32818 3122 PHP remote file inclusion vulnerability in include/common.php in Poplar Gedcom Viewer 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[rootPath] parameter. ADV-2007-0174 22038 23761 32807 3121 Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles. 22051 http://www.plainblack.com/getwebgui/advisories/webgui-7_3_4-beta-released#BUeIjcWiQasypsJxD-YwgQ 23718 32813 SQL injection vulnerability in blocks/block-Old_Articles.php in Francisco Burzi PHP-Nuke 7.9 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter. 22037 20070113 PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html 1017511 32863 phpnuke-blockoldarticles-sql-injection(31482) 2153 23748 BMC Remedy Action Request System 5.01.02 Patch 1267 generates different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to determine valid account names. ADV-2007-0204 22066 20070115 Remedy Action Request System 5.01.02 - User Enumeration http://www.alighieri.org/advisories/advisory-remedy50102.txt 23775 31658 rars-login-information-disclosure(31527) 20070116 Re: Remedy Action Request System 5.01.02 - User Enumeration 1017515 2162 Texas Imperial Software WFTPD and WFTPD Pro Server 3.25 and earlier allow remote attackers to cause a denial of service (application crash) via a long SITE ADMIN command. wftpd-admn-dos(31517) 22046 3126 wcSimple Poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password hashes via a direct request for password.txt. 20070114 wcSimple Poll (password.txt) Remote Password Disclosure Vulnerablity 33539 2157 Unspecified vulnerability in GONICUS System Administration (GOsa) before 2.5.8 allows remote authenticated users to modify certain settings, including the admin password, via crafted POST requests. [gosa] 20070115 GOsa 2.5.8 released (security fixes!) ADV-2007-0207 23749 32821 gosa-unspecified-data-manipulation(31516) Multiple PHP remote file inclusion vulnerabilities in Article System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_DIR parameter to (1) forms.php, (2) issue_edit.php, (3) client.php, and (4) classes.php. article-system-includedir-file-include(31446) 22017 3114 Multiple buffer overflows in FileZilla before 2.2.30a allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors related to (1) Options.cpp when storing settings in the registry, and (2) the transfer queue (QueueCtrl.cpp). NOTE: some of these details are obtained from third party information. Failed exploit attempts may result in a application level denial-of-service condition. filezilla-options-queuectrl-bo(31500) 22057 http://sourceforge.net/project/shownotes.php?release_id=475423&group_id=21558 ADV-2007-0183 Multiple SQL injection vulnerabilities in All In One Control Panel (AIOCP) 1.3.010 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) xuser_name parameter to shared/code/cp_authorization.php, and the (2) did parameter to public/code/cp_downloads.php, different vectors than CVE-2007-0223. aiocp-cpdownloads-sql-injection(31485) ADV-2007-0190 22032 20070112 AIOCP Login Bypass Vulnerability 20070112 AIOCP SQL Injection Vulnerability 23740 32810 32809 2166 Format string vulnerability in the LogMessage function in FileZilla before 3.0.0-beta5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted arguments. NOTE: some of these details are obtained from third party information. filezilla-logmessage-format-string(31497) 22063 http://sourceforge.net/project/shownotes.php?release_id=477793&group_id=21558 ADV-2007-0182 The do_hfs_truncate function in Mac OS X 10.4.8 allows context-dependent attackers to cause a denial of service (kernel panic) via a crafted HFS+ filesystem in a DMG image, which causes an access of an invalid vnode structure during file removal. TA07-072A ADV-2007-0930 ADV-2007-0171 23742 1017759 32685 24479 http://projects.info-pull.com/moab/MOAB-13-01-2007.html APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 Multiple stack-based buffer overflows in the Motive ActiveEmailTest.EmailData (ActiveUtils EmailData) ActiveX control in ActiveUtils.dll in Motive Service Activation Manager 5.1 and Self Service Manager 5.1 and earlier allow remote attackers to execute arbitrary code via unspecified vectors. VU#747233 activeutils-emaildata-bo(36034) ADV-2007-2881 25312 http://www.motive.com/securitybulletin_08122007.asp MS07-045 37710 1018571 26481 Multiple buffer overflows in (a) an ActiveX control (iftw.dll) and (b) Netscape plug-in (npiftw32.dll) for Macrovision (formerly InstallShield) InstallFromTheWeb allow remote attackers to execute arbitrary code via crafted HTML documents. VU#181041 macrovision-installfromtheweb-activex-bo(32645) macrovision-installfromtheweb-activex-bo(32645) ADV-2007-0705 22672 http://www.kb.cert.org/vuls/id/MAPG-6UQUDP 24285 33531 33530 Buffer overflow in the Update Service Agent ActiveX Control in isusweb.dll for Macrovision FLEXnet Connect (formerly InstallShield Update Service) allows remote attackers to execute arbitrary code via the Download method. VU#847993 macrovision-updateservice-activex-bo(32678) ADV-2007-0706 http://www.kb.cert.org/vuls/id/MAPG-6UERNR http://support.installshield.com/kb/view.asp?articleid=Q113020 24270 33532 Multiple stack-based buffer overflows in the Intuit QuickBooks Online Edition ActiveX control before 10 allow remote attackers to execute arbitrary code via unspecified vectors. VU#907481 quickbooks-activex-bo(36462) 25544 26659 Buffer overflow in the SetLanguage function in Research In Motion (RIM) TeamOn Import Object ActiveX control (TOImport.dll) allows remote attackers to execute arbitrary code via unspecified vectors. VU#869641 TA07-128A MS07-027 ADV-2007-1716 HPSBST02214 35873 rim-toimport-activex-bo(34182) 23331 HPSBST02214 http://www.blackberry.com/btsc/articles/74/KB13142_f.SAL_Public.html 25218 Multiple buffer overflows in the LizardTech DjVu Browser Plug-in before 6.1.1 allow remote attackers to execute arbitrary code via unspecified vectors. VU#522393 22569 20070215 Lizardtech DjVu Browser Plug-in - Multiple Vulnerabilities 24149 ADV-2007-0618 http://www.lizardtech.com/products/doc/djvupluginrelease.php 33199 djvu-browser-multiple-bo(32510) 2259 Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document. Successful exploitation requires that OfficeScan client was installed using web deployment. The vendor has issued a fix (7.0 Security Patch - Build 1344; 7.3 Security Patch - Build 1241). VU#784369 24193 ADV-2007-0638 http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt 1017664 22585 33040 http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288 Multiple stack-based buffer overflows in the PhotoChannel Networks PNI Digital Media Photo Upload Plugin ActiveX control before 2.0.0.10, as used by multiple retailers, allow remote attackers to execute arbitrary code via unspecified vectors. This vulnerability is addressed in the following product release: PhotoChannel, PNI Digital Media Photo Upload Plugin ActiveX control, 2.0.0.10 VU#854769 ADV-2007-3181 37958 photochannel-photo-upload-bo(36643) 1018701 25685 26830 The DWUpdateService ActiveX control in the agent (agent.exe) in Macrovision FLEXnet Connect 6.0 and Update Service 3.x to 5.x allows remote attackers to execute arbitrary commands via (1) the Execute method, and obtain the exit status using (2) the GetExitCode method. VU#524681 http://support.installshield.com/kb/view.asp?articleid=Q113020 macrovision-dwupdate-command-execution(34660) ADV-2008-3278 ADV-2007-2017 http://www.blackberry.com/btsc/articles/749/KB16469_f.SAL_Public.html 32842 25501 36896 download.php in Joonas Viljanen JV2 Folder Gallery allows remote attackers to read sensitive files via a relative pathname in the file parameter, as demonstrated by config/gallerysetup.php. NOTE: this issue might be resultant from a directory traversal vulnerability. ADV-2007-0180 23724 32811 3125 Buffer overflow in wsbho2k0.dll, as used by wsftpurl.exe, in Ipswitch WS_FTP 2007 Professional allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long ftp:// URL in an HTML document, and possibly other vectors. 22062 20070116 Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability 20070114 Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability 20070112 Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability 33476 2160 Cross-site scripting (XSS) vulnerability in liens.php3 in liens_dynamiques 2.1 allows remote attackers to inject arbitrary web script or HTML by using the ajouter=1 query string and the add menu. 22070 20070114 liens_dynamiques xss and admin authentification 33540 liensdynamiques-liens-xss(31528) (1) admin/adminlien.php3 and (2) admin/modif.php3 in liens_dynamiques 2.1 do not require authentication, which allows remote attackers to perform unauthorized administrative actions using a direct request. 22068 20070114 liens_dynamiques xss and admin authentification 33542 33541 Agnitum Outpost Firewall PRO 4.0 allows local users to bypass access restrictions and insert Trojan horse drivers into the product's installation directory by creating links using FileLinkInformation requests with the ZwSetInformationFile function, as demonstrated by modifying SandBox.sys. 22069 20070115 Outpost Bypassing Self-Protection using file links Vulnerability http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-using-file-links.php 33480 outpostfirewall-zwset-privilege-escalation(31529) 2163 Unspecified vulnerability in the SIP module in InGate Firewall and SIParator before 4.5.1 allows remote attackers to conduct replay attacks on the authentication mechanism via unknown vectors. 23737 ADV-2007-0209 22080 http://www.ingate.com/relnote-451.php 32831 ingate-sip-security-bypass(31546) Multiple directory traversal vulnerabilities in Jax Petition Book 1.0.3.06 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the languagepack parameter to (1) jax_petitionbook.php or (2) smileys.php. ADV-2007-0220 22072 20070116 Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities 20070115 Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities 20070114 Jax Petition Book (languagepack) Remote File Include Vulnerabilities 32836 32835 petitionbook-language-file-include(31543) 2161 23784 Undercover.app/Contents/Resources/uc in Rixstep Undercover allows local users to overwrite arbitrary files, probably related to a race condition. 22071 20070115 Rixstep aren't as leet as they thought they were Directory traversal vulnerability in sesskglogadmin.php in KGB 1.9 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the skinnn parameter, as demonstrated by invoking kg.php with a postek parameter containing PHP code, which is injected into a file in the kg directory, and then included by sesskglogadmin.php. ADV-2007-0228 22065 31585 kgb-sesskglogadmin-file-include(31508) 23768 3134 Heap-based buffer overflow in Dream FTP Server allows remote attackers to execute arbitrary code via a USER command with a large number of format string specifiers, which triggers the overflow during processing of the Server Log. 23731 32816 3128 SQL injection vulnerability in index.php (aka the login form) in Scriptme SMe FileMailer 1.21 allows remote attackers to execute arbitrary SQL commands via the Password field (ps parameter). NOTE: some of these details are obtained from third party information. 20070116 [x0n3-h4ck] SmE FileMailer 1.21 Remote Sql Injextion Exploit 20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection 23766 32832 2154 SQL injection vulnerability in inc/header.inc.php in ThWboard 3.0b2.84-php5 and earlier allows remote attackers to execute arbitrary SQL commands via the board[styleid] parameter to index.php. 23735 32837 3124 Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earlier, when Microsoft Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a CSS style in the convcharset parameter to the top-level URI, a different vulnerability than CVE-2005-0992. http://www.virtuax.be/advisories/Advisory1-12012007.txt 20070112 Re: xss in phpmyadmin <= 2.8.1 20070112 xss in phpmyadmin <= 2.8.1 WebCore in Apple WebKit build 18794 allows remote attackers to cause a denial of service (null dereference and application crash) via a TD element with a large number in the ROWSPAN attribute, as demonstrated by a crash of OmniWeb 5.5.3 on Mac OS X 10.4.8, a different vulnerability than CVE-2006-2019. 22059 http://security-protocols.com/sp-x41-advisory.php OpenBSD before 20070116 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via certain IPv6 ICMP (aka ICMP6) echo request packets. 22087 [3.9] 018: RELIABILITY FIX: January 16, 2007 [4.0] 008: RELIABILITY FIX: January 16, 2007 1017518 32935 23830 Multiple format string vulnerabilities in (1) _invitedToRoom: and (2) _invitedToDirectChat: in Colloquy 2.1 and earlier allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in the channel name of an INVITE request, related to the implementation of AlertSheet and AlertPanel in Apple AppKit. 22086 23801 ADV-2007-0238 32688 http://projects.info-pull.com/moab/MOAB-16-01-2007.html 3139 The (1) Activity Monitor.app/Contents/Resources/pmTool, (2) Keychain Access.app/Contents/Resources/kcproxy, and (3) ODBC Administrator.app/Contents/Resources/iodbcadmintool programs in /Applications/Utilities/ in Mac OS X 10.4.8 have weak permissions (writable by admin group), which allows local admin users to gain root privileges by modifying a program and then performing permissions repair via diskutil. http://projects.info-pull.com/moab/MOAB-15-01-2007.html macosx-applications-privilege-escalation(31530) 32702 32701 32700 3136 SQL injection vulnerability in index.php in SmE FileMailer 1.21 allows remote attackers to execute arbitrary SQL commands via the us parameter. ADV-2007-0221 20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection 32832 smefilemailer-login-sql-injection(31533) The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries. The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem. An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM". Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default). 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability http://www.cvstrac.org/cvstrac/tktview?tn=683 http://www.cvstrac.org/cvstrac/chngview?cn=850 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability ADV-2007-0398 OpenPKG-SA-2007.008 31935 22296 2192 23940 Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172, and possibly other products, allows remote attackers to execute arbitrary code via a long ApplicationType property. VU#922969 interactual-iasysteminfo-bo(33186) ADV-2007-1043 ADV-2007-1042 23071 20070321 Secunia Research: InterActual Player / CinePlayer IASystemInfo.dllActiveX Control Buffer Overflow http://secunia.com/secunia_research/2007-37/advisory/ 24556 23075 23032 34315 34314 Directory traversal vulnerability in upgrade.php in nicecoder.com INDEXU 5.x allows remote attackers to include arbitrary local files via a .. (dot dot) in the gateway parameter. 20070116 vulnerability script indexu all versions 45533 indexu-upgrade-file-include(31539) Multiple SQL injection vulnerabilities in (a) index.php and (b) dl.php in SmE FileMailer 1.21 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ps, (2) us, (3) f, or (4) code parameter. NOTE: the us vector in index.php is already covered by CVE-2007-0346. smefilemailer-login-sql-injection(31533) ADV-2007-0221 32833 20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection 20070116 [x0n3-h4ck] SmE FileMailer 1.21 Remote Sql Injextion Exploit Microsoft Windows XP and Windows Server 2003 do not properly handle user logoff, which might allow local users to gain the privileges of a previous system user, possibly related to user profile unload failure. NOTE: it is not clear whether this is an issue in Windows itself, or an interaction with another product. The issue might involve ZoneAlarm not being able to terminate processes when it cannot prompt the user. 20070211 Windows logoff bug solution possibly. 20070123 Re: Windows logoff bug possible security vulnerability and exploit. 20070118 Re: Windows logoff bug possible security vulnerability and exploit. 20070117 Re: Windows logoff bug possible security vulnerability and exploit. 20070117 Windows logoff bug possible security vulnerability and exploit. Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a crafted .cnt file composed of lines that begin with an integer followed by a space and a long string. 20070117 Microsoft Help Workshop .CNT contents files buffer overflow vulnerability http://www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp 31898 ms-help-workshop-cnt-bo(31555) 22100 1017530 2156 23862 3149 Cross-site scripting (XSS) vulnerability in (1) index.php and (2) login.php in myBloggie 2.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO string. 22097 20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit 32930 32929 http://mywebland.com/forums/showtopic.php?t=1224 20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit mybloggie-indexlogin-xss(31554) 1017531 2155 SQL injection vulnerability in email.php in MGB OpenSource Guestbook 0.5.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0232 http://www.tv-kritik.net/mgb/index.php 22094 20070118 vendor ACK for MGB Guestbook issue 31612 mgb-email-sql-injection(31551) 23825 3141 Buffer overflow in the Apple Minimal SLP v2 Service Agent (slpd) in Mac OS X 10.4.11 and earlier, including 10.4.8, allows local users, and possibly remote attackers, to gain privileges and possibly execute arbitrary code via a registration request with an invalid attr-list field. TA08-043B macos-slpd-bo(31562) ADV-2007-0239 22101 32693 1017533 23796 http://projects.info-pull.com/moab/MOAB-17-01-2007.html 3151 APPLE-SA-2008-02-11 1019359 http://docs.info.apple.com/article.html?artnum=307430 The Common Controls Replacement Project (CCRP) FolderTreeview (FTV) ActiveX control (ccrpftv6.ocx) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long CCRP.RootFolder property value. 22092 ie-ccrp-dos(31549) 3142 Directory traversal vulnerability in the AVM IGD CTRL Service in Fritz!DSL 02.02.29 allows remote attackers to read arbitrary files via ..%5C (URL-encoded dot dot backslash) sequences in a URI requested from the AR7 webserver. ADV-2007-0236 22093 32866 20070117 Flaw in AVM UPNP service for windows fritz-avm-directory-traversal(31556) 2159 23774 Unspecified vulnerability in the FTP server implementation in HP Jetdirect firmware x.20.nn through x.24.nn allows remote attackers to cause a denial of service via unknown vectors. 23802 ADV-2007-0233 32867 HPSBPI02185 HPSBPI02185 hp-jetdirect-unspecified-dos(31589) 22105 1017532 PHP remote file inclusion vulnerability in frontpage.php in Uberghey CMS 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the setup_folder parameter. ADV-2007-0230 20070118 source verify: Uberghey CMS 0.3.1 RFI uberghey-frontpage-file-include(31553) 22098 3147 PHP remote file inclusion vulnerability in lang/index.php in Oreon 1.2.3 RC4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. ADV-2007-0229 33711 oreon-index-file-include(31568) 22107 20070211 Oreon1.2.x Series Exploit Coded 3150 PHP remote file inclusion vulnerability in mep/frame.php in PHPMyphorum 1.5a allows remote attackers to execute arbitrary PHP code via a URL in the chem parameter. ADV-2007-0231 phpmyphorum-frame-file-include(31552) 22099 3145 Cross-site scripting (XSS) vulnerability in the RSS feed component in FreshReader before 1.0.07010600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to tag attributes. ADV-2007-0241 23806 32923 http://manual.freshreader.com/archives/2007/01/20070118_javasc.html JVN#95249468 freshreader-rssfeed-xss(31566) 22106 Cross-site scripting (XSS) vulnerability in admin-search.php in (1) Openads for PostgreSQL (aka phpPgAds) before 2.0.10 and (2) Openads (aka phpAdsNew) before 2.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. http://sourceforge.net/project/shownotes.php?group_id=36679&release_id=479426 http://sourceforge.net/project/shownotes.php?group_id=11386&release_id=479424 23720 ADV-2007-0240 openads-unspecified-xss(31570) 22124 Multiple cross-site scripting (XSS) vulnerabilities in nicecoder.com INDEXU 5.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to (a) suggest_category.php; the (2) u parameter to (b) user_detail.php; the (3) friend_name, (4) friend_email, (5) error_msg, (6) my_name, (7) my_email, and (8) id parameters to (c) tell_friend.php; the (9) error_msg, (10) email, (11) name, and (12) subject parameters to (d) sendmail.php; the (13) email, (14) error_msg, and (15) username parameters to (e) send_pwd.php; the (16) keyword parameter to (f) search.php; the (17) error_msg, (18) username, (19) password, (20) password2, and (21) email parameters to (g) register.php; the (22) url, (23) contact_name, and (24) email parameters to (h) power_search.php; the (25) path and (26) total parameters to (i) new.php; the (27) query parameter to (j) modify.php; the (28) error_msg parameter to (k) login.php; the (29) error_msg and (30) email parameters to (l) mailing_list.php; the (31) gateway parameter to (m) upgrade.php; and another unspecified vector. indexu-multiple-scripts-xss(31538) ADV-2007-0222 22084 20070116 vulnerability script indexu all versions 32851 32850 32849 32848 32847 32846 32845 32844 32843 32842 32841 32840 32838 23764 32839 Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.009 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is probably a different vulnerability than CVE-2006-5830. aiocp-unspecified-xss(31486) http://sourceforge.net/project/shownotes.php?release_id=478370 23732 ADV-2007-0189 32808 Untrusted search path vulnerability in Rumpus 5.1 and earlier allows local users to gain privileges via a modified PATH that points to a malicious ipfw program. rumpus-path-privilege-escalation(31597) http://projects.info-pull.com/moab/MOAB-18-01-2007.html 32690 rumpus-path-privilege-escalation(31597) 23842 Rumpus 5.1 and earlier has weak permissions for certain files and directories under /usr/local/Rumpus, including the configuration file, which allows local users to have an unknown impact by creating, modifying, or deleting files. http://projects.info-pull.com/moab/MOAB-18-01-2007.html 32691 23842 Stack-based buffer overflow in mbse-bbs 0.70 and earlier allows local users to execute arbitrary code via a long string in the MBSE_ROOT environment variable. 22112 http://www.mbse.eu/mbse/mbsebbs/index.html mbsebbs-mbuseradd-bo(31639) 3154 20070118 mbsebbs 0.70.0 & below local root exploit SQL injection vulnerability in phpBP RC3 (2.204) and earlier allows remote attackers to execute arbitrary SQL commands via the comment forum. 34763 phpbp-comment-sql-injection(31622) 3153 Unrestricted file upload vulnerability in index.php in phpBP RC3 (2.204) and earlier allows remote administrators to inject arbitrary PHP code into an upload/banners/ file via a banners add operation that uploads the PHP code through an image_form parameter specifying a multiple-extension filename such as .jpg.vil.gif.php, which is stored in upload/banners/ under a different name, and executable via a direct request. NOTE: a separate SQL injection issue could be leveraged to make this vulnerability reachable by remote unauthenticated attackers. 34762 phpbp-banner-file-upload(31619) 3153 A certain ActiveX control in the Common Controls Replacement Project (CCRP) CCRP BrowseDialog Server (ccrpbds6.dll) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long CCRP_BDc.SelectedFolder property value. 22110 34647 3155 Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 7.9 allow remote attackers to execute arbitrary SQL commands via (1) the active parameter in admin/modules/modules.php; the (2) ad_class, (3) imageurl, (4) clickurl, (5) ad_code, or (6) position parameter in modules/Advertising/admin/index.php; or unspecified vectors in the (7) advertising, (8) weblinks, or (9) reviews section. 22116 http://www.hackers.ir/advisories/festival.txt 33702 33701 33700 33699 33698 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in PHP-Nuke Multiple SQL injection vulnerabilities in Joomla! 1.5.0 Beta allow remote attackers to execute arbitrary SQL commands via (1) the searchword parameter in certain files; the where parameter in (2) plugins/search/content.php or (3) plugins/search/weblinks.php; the text parameter in (4) plugins/search/contacts.php, (5) plugins/search/categories.php, or (6) plugins/search/sections.php; or (7) the email parameter in database/table/user.php, which is not properly handled by the check function. 22122 http://www.hackers.ir/advisories/festival.txt 32533 32532 32531 32530 32529 32528 32527 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and Mambo SQL injection vulnerability in (1) Joomla! 1.0.11 and 1.5 Beta, and (2) Mambo 4.6.1, allows remote attackers to execute arbitrary SQL commands via the id parameter when cancelling content editing. 20070118 The vulnerabilities festival ! 19734 http://www.hackers.ir/advisories/festival.txt 32520 20070204 Sql injection bugs in Joomla and Mambo Joomla! 1.5.0 Beta allows remote attackers to obtain sensitive information via a direct request for (1) plugins/user/example.php; (2) gmail.php, (3) example.php, or (4) ldap.php in plugins/authentication/; (5) modules/mod_mainmenu/menu.php; or other unspecified PHP scripts, which reveals the path in various error messages, related to a jimport function call at the beginning of each script. http://www.hackers.ir/advisories/festival.txt 32526 32525 32524 32523 32522 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and Mambo Cross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 22123 http://www.hackers.ir/advisories/festival.txt http://virtuemart.svn.sourceforge.net/viewvc/*checkout*/virtuemart/branches/virtuemart-1_0_0/virtuemart/CHANGELOG.php?revision=607 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Virtuemart and Letterman 24058 Multiple SQL injection vulnerabilities in Xoops 2.0.16 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in kernel/group.php in core, (2) the lid parameter in class/table_broken.php in the Weblinks module, and other unspecified vectors. http://www.hackers.ir/advisories/festival.txt 33685 33684 20070118 The vulnerabilities festival ! 22399 20070204 Sql injection bugs in Xoops 2.0.16 + Weblinks module Multiple SQL injection vulnerabilities in DocMan 1.3 RC2 allow attackers to execute arbitrary SQL commands via unspecified vectors. http://www.hackers.ir/advisories/festival.txt 34650 20070118 The vulnerabilities festival ! Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.hackers.ir/advisories/festival.txt 34651 20070118 The vulnerabilities festival ! DocMan 1.3 RC2 allows remote attackers to obtain sensitive information (the full path) via unspecified vectors. http://www.hackers.ir/advisories/festival.txt 34652 20070118 The vulnerabilities festival ! Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues. http://www.atutor.ca/atutor/mantis/changelog_page.php http://www.hackers.ir/advisories/festival.txt 34660 20070118 The vulnerabilities festival ! Multiple SQL injection vulnerabilities in letterman.class.php in the Letterman 1.2.3 (com_letterman) component for Joomla! before 1.0.12 allow remote attackers to execute arbitrary SQL commands via the id parameter, related to the (1) lm_sendMail, (2) saveNewsletter, and (3) cancelNewsletter functions. 22117 http://www.hackers.ir/advisories/festival.txt 33688 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Virtuemart and Letterman ** DISPUTED ** WDaemon 9.5.4 allows remote attackers to access the /WorldClient.dll URI on TCP port 3000, which has unknown impact. NOTE: The researcher reports that the vendor response was "this is not a security bug." http://www.hackers.ir/advisories/festival.txt 34661 20070118 The vulnerabilities festival ! Cross-site scripting (XSS) vulnerability in preview in the reviews section in PostNuke 0.764 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 22119 http://www.hackers.ir/advisories/festival.txt 35473 http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/?root=postnuke 20070118 The vulnerabilities festival ! The faq section in PostNuke 0.764 allows remote attackers to obtain sensitive information (the full path) via "unvalidated output" in FAQ/index.php, possibly involving an undefined id_cat variable. http://www.hackers.ir/advisories/festival.txt 35472 http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/FAQ/index.php?root=postnuke&r1=20350&r2=20911 http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/?root=postnuke 20070118 The vulnerabilities festival ! Unspecified vulnerability in the rating section in PostNuke 0.764 has unknown impact and attack vectors, related to "an interesting bug." http://www.hackers.ir/advisories/festival.txt 35471 20070118 The vulnerabilities festival ! SQL injection vulnerability in models/category.php in the Weblinks component for Joomla! SVN 20070118 (com_weblinks) allows remote attackers to execute arbitrary SQL commands via the catid parameter. http://www.hackers.ir/advisories/festival.txt 34792 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and Mambo SQL injection vulnerability in search.php in Woltlab Burning Board (wBB) 1.0.2 and earlier, and 2.3.6 and earlier in the 2.x series, allows remote attackers to execute arbitrary SQL commands via the boardids[1] and other boardids[] parameters. wbb-search-sql-injection(31550) 33872 3144 3143 Directory traversal vulnerability in ArsDigita Community System (ACS) 3.4.10 and earlier, and ArsDigita Community Education Solution (ACES) 1.1, allows remote attackers to read arbitrary files via .%252e/ (double-encoded dot dot slash) sequences in the URI. ADV-2007-0286 22121 20070118 Directory Traversal in ArsDigita Community System 33552 acs-url-directory-traversal(31613) Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML via the tag parameter. 22115 20070118 [x0n3-h4ck] sabros.us 1.7 XSS Exploit 31602 20070118 [x0n3-h4ck] sabros.us 1.7 XSS Exploit sabros-index-xss(31600) 2170 23824 20070118 [x0ne-h4ck] sabros.us 1.7 XSS Exploit Format string vulnerability in the log creation functionality of BitDefender Client Professional Plus 8.02 allows attackers to execute arbitrary code via certain scan job settings. ADV-2007-0253 http://www.bitdefender.com/KB325-en--Format-string-vulnerability.html 20070119 Layered Defense Research Advisory: BitDefender Client 8.02 Format String Vulnerability bitdefender-scanjob-format-string(31608) 22128 20070119 Layered Defense Research Advisory: BitDefender Client 8.02 Format String Vulnerability IBM AIX 5.3 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572. 20070118 Re: Multiple OS kernel insecure handling of stdio file descriptor 20070118 Multiple OS kernel insecure handling of stdio file descriptor Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572. 20070118 Re: Multiple OS kernel insecure handling of stdio file descriptor 20070118 Multiple OS kernel insecure handling of stdio file descriptor HP HP-UX B11.11 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572. 20070118 Re: Multiple OS kernel insecure handling of stdio file descriptor 20070118 Multiple OS kernel insecure handling of stdio file descriptor PHP remote file inclusion vulnerability in libraries/grab_globals.lib.php in ComVironment 4.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter. ADV-2007-0266 22108 34621 comvironment-grabglobals-file-include(31564) 3152 Unspecified vulnerability in HP-UX B.11.23, when running IPFilter in combination with PHNE_34474, allows remote attackers to cause a denial of service (system crash) via unspecified vectors. ADV-2007-0234 22103 1017527 23800 oval:org.mitre.oval:def:6104 32869 HPSBUX02181 HPSBUX02181 hp-ipfilter-dos(31565) The Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.3 and Adaptive Security Device Manager (ASDM) before 5.2(2.54) do not validate the SSL/TLS certificates or SSH public keys when connecting to devices, which allows remote attackers to spoof those devices to obtain sensitive information or generate incorrect information. 20070118 SSL/TLS Certificate and SSH Public Key Validation Vulnerability ADV-2007-0245 32720 cisco-csmars-asdm-device-spoofing(31567) 22111 1017536 1017535 23836 Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) Sujet or (2) Pseudo field. aforum-unspecified-xss(31610) 20070119 a-forum xss 20070122 a-forum xss - who? what? where? Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action. 20070120 SMF "index.php?action=pm" Cross Site-Scripting 32606 http://aria-security.com/forum/showthread.php?p=128 smf-pm-xss(31612) 22143 20070202 Re: SMF "index.php?action=pm" Cross Site-Scripting 20070126 Re: Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting 20070122 Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting 20070121 Re: SMF "index.php?action=pm" Cross Site-Scripting 2169 Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. 20070120 Login Manager Multiple HTML Injections loginmanager-memberlist-xss(31614) 2167 SQL injection vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the init_row parameter. 20070120 Login Manager Multiple HTML Injections 2167 Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter. 20070120 Paypal Subscription Manager Multiple HTML Injections 33559 psm-editmember-xss(31618) 2168 SQL injection vulnerability in admin/memberlist.php in Easebay Resources Paypal Subscription Manager allows remote attackers to execute arbitrary SQL commands via the keyword parameter. 20070120 Paypal Subscription Manager Multiple HTML Injections 36103 33560 psm-memberlist-sql-injection(31616) 2168 bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file. 23826 http://code.djangoproject.com/changeset/3592 django-po-code-execution(31627) 22134 The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user. 23826 django-request-session-hijacking(31628) 22138 http://code.djangoproject.com/changeset/3754 Multiple buffer overflows in the (1) main function in (a) client.c, and the (2) server_setup and (3) server_client_connect functions in (b) server.c in gxine 0.5.9 and earlier allow local users to cause a denial of service (daemon crash) or gain privileges via a long HOME environment variable. NOTE: some of these details are obtained from third party information. http://xinehq.de/index.php/news?show_category_id=1 ADV-2007-0259 http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=476891 38321 38320 gxine-serversetup-serverclient-bo(31604) Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 (beta) allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate "WikiPage titles" issue was also fixed. webgui-username-xss(31573) ADV-2007-0242 22114 http://www.plainblack.com/downloads/builds/7.3.5-beta/WebGUI/docs/changelog/7.x.x.txt http://www.plainblack.com/bugs/tracker/security-update-cross-site-scripting-vulnerability 23754 32928 BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate client certificates when reusing cached connections, which allows remote attackers to obtain access via an untrusted X.509 certificate. BEA07-135.00 ADV-2007-0213 1017519 23750 38500 22082 BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial release does not encrypt passwords stored in the JDBCDataSourceFactory MBean Properties, which allows local administrative users to read the cleartext password. BEA07-136.00 ADV-2007-0213 1017525 23750 38501 22082 Unspecified vulnerability in the thread management in BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1, when T3 authentication is used, allows remote attackers to cause a denial of service (thread and system hang) via unspecified "sequences of events." BEA07-137.00 ADV-2007-0213 1017525 23750 38502 22082 BEA WebLogic Server 8.1 through 8.1 SP5, 9.0, 9.1, and 9.2 Gold, when WS-Security is used, does not properly validate certificates, which allows remote attackers to conduct a man-in-the-middle (MITM) attack. BEA07-138.00 ADV-2007-0213 1017525 23750 38503 22082 BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 through 8.1 SP5 allows remote attackers to read arbitrary files inside the class-path property via .ear or exploded .ear files that use the manifest class-path property to point to utility jar files. BEA07-139.00 ADV-2007-0213 1017525 23750 38505 22082 BEA WebLogic Server 8.1 through 8.1 SP5 stores cleartext data in a backup of config.xml after offline editing, which allows local users to obtain sensitive information by reading this backup file. BEA07-140.00 ADV-2007-0213 22082 1017525 23750 38504 BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, and 9.0 allows remote attackers to cause a denial of service (server hang) via certain requests that cause muxer threads to block when processing error pages. BEA07-141.00 ADV-2007-0213 1017525 23750 38506 22082 BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce access control after a dynamic update and dynamic redeployment of an application that is implemented through exploded jars, which allows attackers to bypass intended access restrictions. BEA07-142.00 ADV-2007-0213 1017525 23750 38509 22082 The WSEE runtime (WS-Security runtime) in BEA WebLogic Server 9.0 and 9.1 does not verify credentials when decrypting client messages, which allows remote attackers to bypass application security. BEA07-143.00 ADV-2007-0213 1017525 23750 38510 22082 BEA WebLogic Server 7.0 through 7.0 SP7, 8.1 through 8.1 SP5, 9.0, and 9.1, when using the WebLogic Server 6.1 compatibility realm, allows attackers to execute certain EJB container persistence operations with an administrative identity. BEA07-144.00 ADV-2007-0213 1017525 23750 38511 22082 BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods. BEA07-145.00 ADV-2007-0213 1017525 23750 38512 22082 The BEA WebLogic Server proxy plug-in before June 2006 for the Apache HTTP Server does not properly handle protocol errors, which allows remote attackers to cause a denial of service (server outage). BEA07-146.00 ADV-2007-0213 1017525 23750 38513 22082 BEA WebLogic Server 9.0, 9.1, and 9.2 Gold allows remote attackers to obtain sensitive information via malformed HTTP requests, which reveal data from previous requests. BEA07-147.00 ADV-2007-0213 1017525 23750 38514 22082 BEA WebLogic Server 6.1 through 6.1 SP7, and 7.0 through 7.0 SP7 allows remote attackers to cause a denial of service (disk consumption) via requests containing malformed headers, which cause a large amount of data to be written to the server log. BEA07-148.00 ADV-2007-0213 1017525 23750 32859 22082 BEA WebLogic Server 9.0, 9.1, and 9.2 Gold, when running on Solaris 9, allows remote attackers to cause a denial of service (server inaccessibility) via manipulated socket connections. BEA07-150.00 ADV-2007-0213 1017525 23750 32858 22082 BEA WebLogic Portal 9.2 does not properly handle when an administrator deletes entitlements for a role, which causes other role entitlements to be "inadvertently affected," which has an unknown impact. BEA07-151.00 ADV-2007-0213 23750 32857 22082 1017521 Unspecified vulnerability in the BEA WebLogic Server proxy plug-in for Netscape Enterprise Server before September 2006 for Netscape Enterprise Server allow remote attackers to cause a denial of service via certain requests that trigger errors that lead to a server being marked as unavailable, hosting web server failure, or CPU consumption. BEA07-152.00 ADV-2007-0213 1017525 23750 32856 22082 Unspecified vulnerability in BEA WebLogic Platform and Server 8.1 through 8.1 SP5, and JRockit 1.4.2 R4.5 and earlier, allows attackers to gain privileges via unspecified vectors, related to an "overflow condition," probably a buffer overflow. ADV-2007-0213 1017525 23750 38515 BEA07-155.00 BEA WebLogic Portal 9.2, when running in a WebLogic Server clustered environment using WebLogic Portal entitlements, does not properly propagate entitlement policy changes if the changes are made on a managed server while the Administrative Server is unavailable, which might allow attackers to bypass intended restrictions. BEA07-156.00 ADV-2007-0213 23750 38516 32854 22082 1017521 Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section. 22135 20070119 Help project files (.HPJ) buffer overflow vulnerability in Microsoft Help Workshop http://www.anspi.pl/~porkythepig/visualization/hpj-x01.cpp 31899 2177 23862 Unspecified vulnerability in the chtbl_lookup function in hash.c for WzdFTPD 8.0 and earlier allows remote attackers to cause a denial of service via a crafted FTP command, probably due to a NULL pointer dereference. wzdftpd-ftp-dos(31599) ADV-2007-0277 20070119 WzdFTPD < 8.1 Denial of service http://www.s21sec.com/avisos/s21sec-033-en.txt 1017537 32941 20070119 WzdFTPD < 8.1 Denial of service 2171 23852 DivXBrowserPlugin (aka DivX Web Player) npdivx32.dll, as distributed with DivX Player 6.4.1, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) by invoking the GoWindowed method for a certain instance of the ActiveX object. divx-divxbrowserplugin-dos(31601) 22133 37693 3157 The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value. ADV-2007-0275 20070119 [RISE-2007001] Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption vulnerability macos-sharedregionmapfilenp-dos(31645) 32942 1017538 2178 23823 http://risesecurity.org/advisory.php?id=RISE-2007001.txt AVM Fritz!Box 7050, and possibly other product models, allows remote attackers to cause a denial of service (VoIP application crash) via a zero-length UDP packet to the SIP port (port 5060). ADV-2007-0272 22130 20070119 DoS against AVM Fritz!Box 7050 (and others) 32940 http://mazzoo.de/blog/2007/01/18#FritzBox_DoS 20070119 DoS against AVM Fritz!Box 7050 (and others) fritzbox-udp-packet-dos(31633) 20070123 Re: DoS against AVM Fritz!Box 7050 (and others) 23868 ftp://ftp.avm.de/fritz.box/fritzbox.fon_wlan_7050/firmware/info.txt BEA AquaLogic Service Bus 2.0, 2.1, and 2.5 does not properly reject malformed request messages to a proxy service, which might allow remote attackers to bypass authorization policies and route requests to back-end services or conduct other unauthorized activities. 1017523 23786 32862 BEA07-157.00 22082 Unspecified vulnerability in BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2, when using Active Directory LDAP for authentication, allows remote authenticated users to access the server even after the account has been disabled. 1017524 23786 32861 BEA07-154.00 22082 BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2 does not properly set the severity level of audit events when the system load is high, which might make it easier for attackers to avoid detection. 23786 32860 BEA07-153.00 22082 T-Com Speedport 500V routers with firmware 1.31 allow remote attackers to bypass authentication and reconfigure the device via a LOGINKEY=TECOM cookie value. 20070119 Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 32995 tcom-login-authentication-bypass(31621) 22160 20070216 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070122 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070121 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 23853 Barron McCann X-Kryptor Driver BMS1446HRR (Xgntr BMS1351 Install BMS1472) in X-Kryptor Secure Client does not drop privileges when launching an Explorer window in response to a help command, which allows local users to gain LocalSystem privileges via interactive use of Explorer. ADV-2007-0496 22424 http://www.cpni.gov.uk/Products/vulnerabilitydisclosures/default.aspx?id=va-20070129-0107.xml http://www.cpni.gov.uk/Products/advisories/default.aspx?id=al-20070129-0107.xml http://www.bemacpromotions.com/files/xkpatch462660.zip http://www.barronmccann.com/ISec/s2pressrelease.asp?PRID=141&S2ID=14 24045 33110 http://jvn.jp/niscc/NISCC-462660/index.html Multiple cross-site scripting (XSS) vulnerabilities in the sample Cache' Server Page (CSP) scripts in InterSystems Cache' allow remote attackers to inject arbitrary web script or HTML via (1) the TO parameter to loop.csp, (2) the VALUE parameter to cookie.csp, and (3) the PAGE parameter to showsource.csp in csp/samples/; and allow remote authenticated users to inject arbitrary web script or HTML via (4) the ERROR parameter to csp/samples/xmlclasseserror.csp, and unspecified vectors in (5) object.csp and (6) lotteryhistory.csp in csp/samples/. http://www.mwrinfosecurity.com/news/1658.html http://www.mwrinfosecurity.com/advisories/mwri_cache-sample-files-xss-advisory_2007-04-04.pdf http://www.cpni.gov.uk/Products/alerts/2928.aspx Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to execute arbitrary commands via unknown vectors. SSRT05103 ADV-2007-0153 SSRT05103 1017504 32728 Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impact and remote attack vectors, related to an "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible that this issue is related to CVE-2004-0230, but this is not certain. MA33860 MA33861 23765 32812 Multiple buffer overflows in the CDDBControl ActiveX control in Gracenote CDDB before 20070418 allow remote attackers to execute arbitrary code via long values for certain Proxy configuration parameters. The vendor has address this issue with the following information: http://www.gracenote.com/corporate/FAQs.html/faqset=update/page=0 http://www.zerodayinitiative.com/advisories/ZDI-07-021.html 23567 22924 ADV-2007-1475 1017937 http://www.gracenote.com/corporate/FAQs.html/faqset=update/page=0 34327 cddbcontrol-activex-bo(33773) 20070420 ZDI-07-021: GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability Stack-based buffer overflow in the print provider library (cpprov.dll) in Citrix Presentation Server 4.0, MetaFrame Presentation Server 3.0, and MetaFrame XP 1.0 allows local users and remote attackers to execute arbitrary code via long arguments to the (1) EnumPrintersW and (2) OpenPrinter functions. http://www.zerodayinitiative.com/advisories/ZDI-07-006.html ADV-2007-0328 http://www.securityfocus.com/data/vulnerabilities/exploits/testlpc.c 22217 20070124 ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability http://support.citrix.com/article/CTX111686 1017553 23869 32958 Heap-based buffer overflow in the arj.ppl module in the OnDemand Scanner in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to execute arbitrary code via crafted ARJ archives. http://www.kaspersky.com/technews?id=203038694 http://www.kaspersky.com/technews?id=203038693 24778 http://www.zerodayinitiative.com/advisories/ZDI-07-013.html ADV-2007-1268 kaspersky-arj-bo(33489) 1017883 1017882 23346 20070405 ZDI-07-013: Kaspersky AntiVirus Engine ARJ Archive Parsing Heap Overflow Vulnerability Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent 8.0 and 8.1, Performance Center Agent 8.0 and 8.1, and Monitor over Firewall 8.1 allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll. VU#303012 SSRT061280 http://www.zerodayinitiative.com/advisories/ZDI-07-007.html ADV-2007-0535 33132 SSRT061280 mercury-multiple-agent-bo(32390) 22487 20070208 ZDI-07-007: HP Mercury LoadRunner Agent Stack Overflow Vulnerability R-123 1017613 1017612 1017611 24112 Heap-based buffer overflow in the Decomposer component in multiple Symantec products allows remote attackers to execute arbitrary code via multiple crafted CAB archives. http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html http://www.zerodayinitiative.com/advisories/ZDI-07-040.html ADV-2007-2508 24282 26053 36118 The fopen function in PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI. 22261 20070125 PHP 5.2.0 safe_mode bypass (by Writing Mode) 2175 Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200. VU#611276 VU#357308 http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp 23897 http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993 http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696 ADV-2007-0314 22342 22340 22199 20070131 Remote Unauthenticated Code Execution II CA BrightStor ARCserve Backup for Laptops & Desktops 20070131 Remote Unauthenticated Code Execution CA BrightStor ARCserve Backup 20070124 [CAID 34993]: CA BrightStor ARCserve Backup for Laptops and Desktops Multiple Overflow Vulnerabilities 31593 1017548 Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache. 20070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal tomcat-proxy-directory-traversal(32988) ADV-2009-0233 ADV-2008-1979 ADV-2008-0065 ADV-2007-3386 ADV-2007-3087 ADV-2007-2732 ADV-2007-0975 22960 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt http://www.sec-consult.com/287.html RHSA-2007:0327 SUSE-SR:2007:005 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 GLSA-200705-03 33668 25280 25106 24732 oval:org.mitre.oval:def:10643 SSRT071447 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx 25159 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 RHSA-2008:0261 RHSA-2007:0360 SUSE-SR:2007:015 MDKSA-2007:241 http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm 239312 2446 30908 30899 28365 27037 26660 26235 [Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 APPLE-SA-2007-07-31 HPSBUX02262 http://docs.info.apple.com/article.html?artnum=306172 Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage." Upgrade to SpamAssassin version 3.1.8 22584 https://issues.rpath.com/browse/RPL-1073 spamassassin-url-dos(32536) ADV-2007-0628 1017666 RHSA-2007:0075 SUSE-SR:2007:006 MDKSA-2007:049 http://svn.apache.org/repos/asf/spamassassin/branches/3.1/build/announcements/3.1.8.txt http://spamassassin.apache.org/advisories/cve-2007-0451.txt GLSA-200703-02 24889 24307 24265 24256 24250 24200 24197 RHSA-2007:0074 oval:org.mitre.oval:def:10018 33207 smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. 20070205 [SAMBA-SECURITY] CVE-2007-0452: Potential DoS against smbd in Samba 3.0.6 - 3.0.23d ADV-2007-1278 ADV-2007-0483 oval:org.mitre.oval:def:9758 33100 HPSBUX02204 HPSBUX02204 https://issues.rpath.com/browse/RPL-1005 samba-smbd-filerename-dos(32301) USN-419-1 2007-0007 22395 20070207 rPSA-2007-0026-1 samba samba-swat RHSA-2007:0061 RHSA-2007:0060 MDKSA-2007:034 GLSA-200702-01 DSA-1257 http://us1.samba.org/samba/security/CVE-2007-0452.html 200588 SSA:2007-038-01 1017587 2219 24792 24284 24188 24151 24145 24140 24101 24076 24067 24060 24046 24030 24021 SUSE-SA:2007:016 FEDORA-2007-220 FEDORA-2007-219 20070201-01-P Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions. 20070205 [SAMBA-SECURITY] CVE-2007-0453: Buffer overrun in nss_winbind.so.1 on Solaris ADV-2007-0483 33098 https://issues.rpath.com/browse/RPL-1005 samba-winbind-bo(32231) 2007-0007 22410 20070207 rPSA-2007-0026-1 samba samba-swat OpenPKG-SA-2007.012 http://us1.samba.org/samba/security/CVE-2007-0453.html SSA:2007-038-01 1017589 24151 24101 24043 Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping. VU#649732 22403 https://issues.rpath.com/browse/RPL-1005 samba-afsacl-format-string(32304) ADV-2007-0483 USN-419-1 2007-0007 20070207 rPSA-2007-0026-1 samba samba-swat 20070205 [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS plugin OpenPKG-SA-2007.012 MDKSA-2007:034 GLSA-200702-01 DSA-1257 http://us1.samba.org/samba/security/CVE-2007-0454.html SSA:2007-038-01 1017588 24151 24145 24101 24067 24060 24046 24021 33101 Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. https://issues.rpath.com/browse/RPL-1268 https://issues.rpath.com/browse/RPL-1030 ADV-2011-0022 ADV-2007-0400 2007-0007 22289 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql RHSA-2007:0162 RHSA-2007:0153 MDKSA-2007:038 MDKSA-2007:036 MDKSA-2007:035 42813 24965 24945 24924 24151 24143 24107 24053 24052 24022 23916 RHSA-2007:0155 oval:org.mitre.oval:def:11303 [security-announce] 20070208 rPSA-2007-0028-1 gd FEDORA-2010-19022 FEDORA-2010-19033 FEDORA-2007-150 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224607 USN-473-1 RHSA-2008:0146 MDKSA-2007:109 29157 25575 Unspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 24016 https://issues.rpath.com/browse/RPL-985 wireshark-lltdissector-dos(32056) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24011 oval:org.mitre.oval:def:14867 oval:org.mitre.oval:def:11342 33073 FEDORA-2007-207 20070301-01-P Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 24016 https://issues.rpath.com/browse/RPL-985 wireshark-ieeedissector-dos(32055) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24011 oval:org.mitre.oval:def:11003 33074 FEDORA-2007-207 20070301-01-P Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 https://issues.rpath.com/browse/RPL-985 wireshark-httpdissector-dos(32054) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24016 24011 oval:org.mitre.oval:def:14836 oval:org.mitre.oval:def:10966 33075 FEDORA-2007-207 20070301-01-P packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 24016 https://issues.rpath.com/browse/RPL-985 wireshark-tcpdissector-dos(32053) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24011 oval:org.mitre.oval:def:14875 oval:org.mitre.oval:def:10465 FEDORA-2007-207 http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1200 20070301-01-P Multiple buffer overflows in ulogd for SUSE Linux 9.3 up to 10.1, and possibly other distributions, have unknown impact and attack vectors related to "improper string length calculations." 22139 SUSE-SR:2007:001 MDKSA-2007:028 GLSA-200703-17 24524 23863 32939 Multiple memory leaks in the Dazuko anti-virus helper module before 2.3.2 allow attackers to cause a denial of service (memory consumption) via unknown vectors. SUSE-SR:2007:001 38322 The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption. ADV-2007-0337 http://projects.info-pull.com/moab/MOAB-23-01-2007.html macos-argb-dos(31698) 22207 32696 23859 Format string vulnerability in Apple Software Update 2.0.5 on Mac OS X 10.4.8 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in (1) SWUTMP or (2) SUCATALOG filenames, or using the (3) application/x-apple.sucatalog+xml MIME type. TA07-072A ADV-2007-0930 ADV-2007-0337 http://projects.info-pull.com/moab/MOAB-24-01-2007.html 1017755 22222 32703 24479 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 The _CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application crash) via a crafted HTTP 301 response, which results in a NULL pointer dereference. TA07-319A macos-cfnetwork-dos(31837) ADV-2007-3868 26444 22249 32704 3200 27643 http://projects.info-pull.com/moab/MOAB-25-01-2007.html APPLE-SA-2007-11-14 http://docs.info.apple.com/article.html?artnum=307041 Format string vulnerability in Apple Installer 2.1.5 on Mac OS X 10.4.8 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a (1) PKG, (2) DISTZ, or (3) MPKG package filename. TA07-109A ADV-2007-1470 22272 http://projects.info-pull.com/moab/MOAB-26-01-2007.html macos-installer-format-string(31883) 1017940 32705 24966 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 Telestream Flip4Mac Windows Media Components for Quicktime 2.1.0.33 allows remote attackers to execute arbitrary code via a crafted ASF_File_Properties_Object size field in a WMV file, which triggers memory corruption. ADV-2007-0389 22286 23958 http://projects.info-pull.com/moab/MOAB-27-01-2007.html 32697 crashdump in Apple Mac OS X 10.4.8 allows local users in the admin group to modify arbitrary files or gain privileges via a symlink attack on application logs in /Library/Logs/CrashReporter/. Successful exploitation requires that the attacker is already a part of the administrator group. TA07-072A VU#363112 macos-crashreporterd-privilege-escalation(31888) ADV-2007-0930 1017751 24479 http://projects.info-pull.com/moab/MOAB-28-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 32706 APPLE-SA-2007-03-13 Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file. ADV-2007-0296 20070122 Microsoft Visual C++ (.RC) resource files buffer overflow vulnerability http://www.anspi.pl/~porkythepig/visualization/rc-kupiekrowe.cpp 23856 31607 visualstudio-rc-bo(31665) 2172 The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages. http://rubyforge.org/frs/shownotes.php?release_id=9074 ADV-2007-0295 rubygems-extractfiles-file-overwrite(31688) 20070121 RubyGems 0.9.0 and earlier installation exploit SUSE-SR:2007:004 20070121 RubyGems 0.9.0 and earlier installation exploit Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors. 102773 ADV-2007-0317 31616 solaris-tip-privilege-escalation(31669) 22190 1017546 23821 oval:org.mitre.oval:def:2038 sre/params.php in the Integrity Clientless Security (ICS) component in Check Point Connectra NGX R62 3.x and earlier before Security Hotfix 5, and possibly VPN-1 NGX R62, allows remote attackers to bypass security requirements via a crafted Report parameter, which returns a valid ICSCookie authentication token. checkpoint-params-security-bypass(31646) ADV-2007-0276 20070122 Check Point Connectra End Point security bypass 20070122 Re: [Full-disclosure] Check Point Connectra End Point security bypass http://www.checkpoint.com/downloads/latest/hfa/vpn1_security/vpn1_R62_Windows.html http://www.checkpoint.com/downloads/latest/hfa/connectra/security_r62.html http://updates.checkpoint.com/fileserver/ID/7126/FILE/VPN-1_Hotfix1.pdf 1017560 1017559 2179 23847 31655 20070122 Check Point Connectra End Point security bypass Multiple race conditions in Smb4K before 0.8.0 allow local users to (1) modify arbitrary files via unspecified manipulations of Smb4K's lock file, which is not properly handled by the remove_lock_file function in core/smb4kfileio.cpp, and (2) add lines to the sudoers file via a symlink attack on temporary files, which isn't properly handled by the writeFile function in core/smb4kfileio.cpp. [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 The writeFile function in core/smb4kfileio.cpp in Smb4K before 0.8.0 does not preserve /etc/sudoers permissions across modifications, which allows local users to obtain sensitive information (/etc/sudoers contents) by reading this file. [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoers list, to kill arbitrary processes, related to a "design issue with smb4k_kill." [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 Multiple stack-based buffer overflows in utilities/smb4k_*.cpp in Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoers list, to gain privileges via unspecified vectors related to the args variable and unspecified other variables, in conjunction with the sudo configuration. [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 The gencert.sh script, when installing OpenLDAP before 2.1.30-r10, 2.2.x before 2.2.28-r7, and 2.3.x before 2.3.30-r2 as an ebuild in Gentoo Linux, does not create temporary directories in /tmp securely during emerge, which allows local users to overwrite arbitrary files via a symlink attack. ADV-2007-0305 GLSA-200701-19 23881 31617 22195 Cross-site scripting (XSS) vulnerability in Openads 2.0.x before 2.0.10, 2.3 before 2.3.31 (aka Max Media Manager before 0.3.31-alpha-pr2), and phpAdsNew/phpPgAds before 2.0.9-pr1 allows remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in admin-search.php and (2) affiliate-search.php. NOTE: this issue may overlap CVE-2007-0363. https://developer.openads.org/browser/branches/max/trunk/CHANGELOG.txt?format=raw ADV-2007-0315 20070127 Re: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed 20070126 [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed 20070124 [OPENADS-SA-2007-001] phpAdsNew and phpPgAds 2.0.9-pr1 vulnerability fixed 32926 JVN#07274813 http://forum.openads.org/index.php?showtopic=503412651 WebCore on Apple Mac OS X 10.3.9 and 10.4.10, as used in Safari, does not properly parse HTML comments in TITLE elements, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment. safari-html-xss(31846) safari-html-xss(31846) ADV-2007-2732 25159 20070123 Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability http://www.beanfuzz.com/wordpress/?p=99 1018494 26235 23893 32712 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device. VU#217912 TA07-024A cisco-tcp-ipv4-dos(31716) ADV-2007-0329 22208 20070124 Crafted TCP Packet Can Cause Denial of Service 1017551 23867 oval:org.mitre.oval:def:5080 32093 Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet. VU#341288 TA07-024A cisco-ip-option-code-execution(31725) ADV-2007-0329 20070124 Crafted IP Option Vulnerability 1017555 23867 oval:org.mitre.oval:def:5666 32092 22211 Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header. VU#274760 TA07-024A cisco-ios-ipv6-type0-dos(31715) ADV-2007-0329 20070124 IPv6 Routing Header Vulnerability 1017550 23867 oval:org.mitre.oval:def:5857 32091 22210 cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 allows local users to obtain the utadmin password by reading a web server's log file, or by conducting a different, unspecified local attack. ADV-2007-0316 102779 31671 sunray-utadmin-information-disclosure(31700) 22192 1017547 23900 Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23865 31608 enthusiast-show-xss(31667) 22180 Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote attackers to execute arbitrary SQL commands via the cat parameter to (1) show_owned.php, (2) show_joined.php, and possibly other files. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23865 31610 31609 enthusiast-show-sql-injection(31666) 22180 PHP remote file inclusion vulnerability in defines.php in WebChat 0.77 allows remote attackers to execute arbitrary PHP code via a URL in the WEBCHATPATH parameter. webchat-definesphp-file-include(31624) 1006193 7000 20030303 WebChat (PHP) 8206 3169 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Openads (aka phpAdsNew) 2.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds_geoPlugin parameter to libraries/lib-remotehost.inc, the (2) filename parameter to admin/report-index, or the (3) phpAds_config[my_footer] parameter to admin/lib-gui.inc. NOTE: the vendor has disputed this issue, stating that the relevant variables are used within function definitions. 22172 20070124 Re: phpAdsNew 2.0.7 Remote File Include 20070122 Re: phpAdsNew 2.0.7 Remote File Include 20070120 phpAdsNew 2.0.7 Remote File Include 2174 33573 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in FreeForum 0.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. NOTE: this issue has been disputed by third party researchers, stating that fpath variable is initialized before being used. 20070124 Re: FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability 20070121 FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability The Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Quidway R1600 Router, and possibly other models, allows remote attackers to cause a denial of service (device crash) via a long show arp command. quidway-arp-dos(31641) 40355 20070118 The Quidway Router local DOS 2176 PHP remote file inclusion vulnerability in includes/functions.visohotlink.php in VisoHotlink 1.01 and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. visohotlink-functions-file-include(31654) ADV-2007-0285 23878 31611 3175 22171 index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action. 20070121 Full Path Disclosure in Open-Realty ( v2.3.4 ) openrealty-index-path-disclosure(31657) PHP remote file inclusion vulnerability in up.php in Sky GUNNING MySpeach 3.0.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the my_ms[root] parameter, a different vector than CVE-2006-4630. NOTE: Some of these details are obtained from third party information. ADV-2007-0269 23850 Multiple SQL injection vulnerabilities in gallery.php in webSPELL 4.01.02 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) galleryID parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0270 webspell-gallery-sql-injection(31632) Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context." http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.4 http://www.isc.org/index.pl?/sw/bind/view/?release=9.2.8 SSRT061239 SSRT071304 SSRT061213 ADV-2007-2315 ADV-2007-2163 ADV-2007-1939 ADV-2007-1401 ADV-2007-0349 23904 oval:org.mitre.oval:def:9614 [bind-announce] 20070125 Internet Systems Consortium Security Advisory. 20070125 BIND remote exploit (low severity) [Fwd: Internet Systems Consortium Security Advisory.] SSRT061273 SSRT061213 https://issues.rpath.com/browse/RPL-989 USN-418-1 2007-0005 22229 20070125 BIND remote exploit (low severity) [Fwd: Internet Systems Consortium Security Advisory.] RHSA-2007:0057 OpenPKG-SA-2007.007 MDKSA-2007:030 http://www.isc.org/index.pl?/sw/bind/bind-security.php SSA:2007-026-01 1017561 GLSA-200702-06 FreeBSD-SA-07:02 25649 25402 24950 24930 24203 24129 24054 24048 24014 23977 23974 23972 23943 23924 SUSE-SA:2007:014 APPLE-SA-2007-05-24 HPSBUX02219 NetBSD-SA2007-003 FEDORA-2007-164 FEDORA-2007-147 http://docs.info.apple.com/article.html?artnum=305530 ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability. Syccessful exploitation requires that the victim has enabled dnssec validation in named.conf by specifying trusted-keys. http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.4 http://www.isc.org/index.pl?/sw/bind/view/?release=9.2.8 23904 [bind-announce] 20070125 Internet Systems Consortium Security Advisory. SSRT071304 SSRT061239 SSRT071304 SSRT061213 https://issues.rpath.com/browse/RPL-989 ADV-2007-3229 ADV-2007-2315 ADV-2007-2245 ADV-2007-2163 ADV-2007-2002 ADV-2007-1939 ADV-2007-1401 USN-418-1 2007-0005 22231 RHSA-2007:0057 RHSA-2007:0044 OpenPKG-SA-2007.007 MDKSA-2007:030 http://www.isc.org/index.pl?/sw/bind/bind-security.php DSA-1254 IY96324 IY96144 IY95619 IY95618 http://support.avaya.com/elmodocs2/security/ASA-2007-125.htm 102969 SSA:2007-026-01 1017573 GLSA-200702-06 FreeBSD-SA-07:02 25402 24950 24930 24648 24203 24129 24083 24054 24048 24014 23977 23974 23972 23944 23943 23924 oval:org.mitre.oval:def:11523 SUSE-SA:2007:014 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player APPLE-SA-2007-05-24 SSRT061273 SSRT061273 NetBSD-SA2007-003 FEDORA-2007-164 FEDORA-2007-147 http://docs.info.apple.com/article.html?artnum=305530 20070201-01-P bind-rrsets-dos(31838) 27706 26909 25715 25649 25482 24284 PHP remote file inclusion vulnerability in include/config.inc.php in PhpSherpa allows remote attackers to execute arbitrary PHP code via a URL in the racine parameter. ADV-2007-0263 23817 31599 3161 PHP remote file inclusion vulnerability in lib/nl/nl.php in Neon Labs Website (nlws) 3.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the g_strRootDir parameter. ADV-2007-0268 36797 3163 PHP remote file inclusion vulnerability in upload/top.php in Upload-Service 1.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the maindir parameter. ADV-2007-0265 23845 32938 http://echo.or.id/adv/adv62-y3dips-2007.txt uploadservice-top-file-include(31634) 22189 20070123 [ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion PHP remote file inclusion vulnerability in up.php in MySpeach 2.1 beta and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter. 31603 3165 PHP remote file inclusion vulnerability in config.php in Sangwan Kim phpIndexPage 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[inc_path] parameter. ADV-2007-0267 22161 23992 33014 3164 PHP remote file inclusion vulnerability in include/includes.php in Bradabra 2.0.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. ADV-2007-0264 23851 31604 3162 PHP remote file inclusion vulnerability in index.php in Mafia Scum Tools 2.0.0 in Matthew Wardrop Advanced Random Generators (adv-random-gen) allows remote attackers to execute arbitrary PHP code via a URL in the gen parameter. mafiascum-index-file-include(31637) ADV-2007-0271 22151 36810 3171 SQL injection vulnerability in gallery.php in webSPELL 4.01.02 allows remote attackers to execute arbitrary SQL commands via the picID parameter, a different vector than CVE-2007-0492. ADV-2007-0270 36798 webspell-gallery-sql-injection(31632) 22149 3172 Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors. 102728 solaris-kcmscalibrate-privilege-escalation(31668) ADV-2007-0287 1017541 23885 31598 22175 http://support.avaya.com/elmodocs2/security/ASA-2007-040.htm oval:org.mitre.oval:def:1495 Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and possibly other scripts, allows remote attackers to execute arbitrary code via the poll_id parameter, which is supplied to an eval function call, a different vulnerability type than CVE-2005-4632.