The file watch implementation in the audit subsystem (auditctl -w) in the Red Hat Enterprise Linux (RHEL) 4 kernel 2.6.9 allows local users to cause a denial of service (kernel panic) by replacing a watched file, which does not cause the watch on the old inode to be dropped. Successful exploitation requires that the attacker previously created a watch for a file. RHSA-2007:0085 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223129 1017705 22737 24300 oval:org.mitre.oval:def:9560 33031 Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466. This vulnerability has been addressed by the vendor through a product update: http://sourceforge.net/projects/libwpd/ ADV-2007-1339 ADV-2007-1032 ADV-2007-0976 USN-437-1 1017789 23006 20070316 rPSA-2007-0057-1 libwpd RHSA-2007:0055 MDKSA-2007:064 MDKSA-2007:063 GLSA-200704-12 DSA-1270 DSA-1268 102863 http://sourceforge.net/project/shownotes.php?release_id=494122 SSA-2007-085-02 GLSA-200704-07 24906 24856 24794 24613 24593 24591 24588 24581 24580 24573 24572 24557 24507 24465 oval:org.mitre.oval:def:11535 SUSE-SA:2007:023 20070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities FEDORA-2007-350 pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters. [pam-list] 20070123 Linux-PAM 0.99.7.1 released ADV-2007-0323 [fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes [fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes 32017 linuxpam-pamunix-security-bypass(31739) 22204 SUSE-SR:2007:003 23858 The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL) 3, when a filesystem is mounted with the noacl option, checks permissions for the open system call via vfs_permission (mode bits) data rather than an NFS ACCESS call to the server, which allows local client processes to obtain a false success status from open calls that the server would deny, and possibly obtain sensitive information about file permissions on the server, as demonstrated in a root_squash environment. NOTE: it is uncertain whether any scenarios involving this issue cross privilege boundaries. https://bugzilla.redhat.com/show_bug.cgi?id=199715 Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges. http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.21-rc3 https://issues.rpath.com/browse/RPL-1035 kernel-cardman4040drivers-bo(32880) ADV-2007-0872 USN-489-1 USN-486-1 22870 20070309 Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005) 20070615 rPSA-2007-0124-1 kernel xen RHSA-2007:0099 33023 MDKSA-2007:078 DSA-1286 26139 26133 25691 25078 24901 24777 24518 24436 oval:org.mitre.oval:def:11238 FEDORA-2007-336 FEDORA-2007-335 The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion." The scheme for selecting serial numbers was changed from incrementing a counter to random number selection, increasing the likelihood of a serial number collision. https://issues.rpath.com/browse/RPL-1097 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227495 USN-451-1 22539 20070615 rPSA-2007-0124-1 kernel xen RHSA-2007:0099 RHSA-2007:0085 SUSE-SA:2007:021 MDKSA-2007:060 MDKSA-2007:047 25691 24752 24547 24482 24429 24300 24259 24109 oval:org.mitre.oval:def:9829 http://bugzilla.kernel.org/show_bug.cgi?id=7727 gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files. 24225 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223233 ADV-2007-0653 gnucash-symlink(32558) 22610 MDKSA-2007:046 http://sourceforge.net/project/shownotes.php?group_id=192&release_id=487446 24317 24226 FEDORA-2007-256 Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow. VU#377812 http://www.mozilla.org/security/announce/2007/mfsa2007-06.html https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=364319 nss-mastersecret-bo(32666) ADV-2007-2141 ADV-2007-1165 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017696 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32105 MDKSA-2007:052 GLSA-200703-22 DSA-1336 102856 GLSA-200703-18 24703 24650 24562 24522 24410 24395 24389 24384 24343 24333 24328 24320 24293 24290 24287 24277 24253 24252 24238 24205 RHSA-2007:0077 oval:org.mitre.oval:def:10502 SUSE-SA:2007:019 20070223 Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability HPSBUX02153 FEDORA-2007-293 FEDORA-2007-281 FEDORA-2007-279 FEDORA-2007-278 20070301-01-P SUSE-SA:2007:022 MDKSA-2007:050 102945 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 25597 25588 24457 24456 24455 24406 24342 HPSBUX02153 FEDORA-2007-309 FEDORA-2007-308 20070202-01-P Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values. VU#592796 https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=364323 nss-clientmasterkey-bo(32663) ADV-2007-2141 ADV-2007-1165 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017696 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32106 http://www.mozilla.org/security/announce/2007/mfsa2007-06.html MDKSA-2007:052 MDKSA-2007:050 GLSA-200703-22 DSA-1336 102945 102856 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 GLSA-200703-18 24703 24650 24562 24522 24410 24395 24389 24384 24343 24333 24293 24290 24287 24277 24253 RHSA-2007:0077 oval:org.mitre.oval:def:10174 SUSE-SA:2007:019 20070223 Mozilla Network Security Services SSLv2 Server Stack Overflow Vulnerability HPSBUX02153 FEDORA-2007-309 FEDORA-2007-308 FEDORA-2007-279 FEDORA-2007-278 20070301-01-P 20070202-01-P SUSE-SA:2007:022 25597 25588 24457 24456 24455 24406 24342 HPSBUX02153 The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218932 ADV-2007-0331 RHSA-2007:0019 oval:org.mitre.oval:def:10325 31621 https://issues.rpath.com/browse/RPL-984 USN-415-1 22209 SUSE-SR:2007:002 MDKSA-2007:039 1017552 24095 24010 24006 23984 23935 23933 23884 DSA-1256 The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including the a referer log, browser history, or browser cache. 24975 26143 citrix-access-unspeci-information-disclosure(35510) ADV-2007-2583 20071022 Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX112803 1018435 45288 Sun JRE 5.0 before update 14 allows remote attackers to cause a denial of service (Internet Explorer crash) via an object tag with an encoded applet and an undefined name attribute, which triggers a NULL pointer dereference in jpiexp32.dll when the applet is decoded and passed to the JVM. sun-java-jpiexp32-dos(39549) 27185 20080108 Corsaire Security Advisory: Sun J2RE DoS issue 3527 ChainKey Java Code Protection allows attackers to decompile Java class files via a Java class loader with a modified defineClass method that saves the bytecode to a file before it is passed to the JVM. 20070112 Re: Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue 20070112 Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue 33473 Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI. VU#442497 TA07-005A quicktime-rtsp-url-bo(31203) 23540 ADV-2007-0001 21829 1017461 http://projects.info-pull.com/moab/MOAB-01-01-2007.html http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html 31023 http://secunia.com/blog/7/ 3064 APPLE-SA-2007-01-23 http://isc.sans.org/diary.html?storyid=2094 http://docs.info.apple.com/article.html?artnum=304989 Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers to execute arbitrary code via a long filename in a LST file. 21840 4051 22959 32547 Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file. http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch vlcmediaplayer-udp-format-string(31226) ADV-2007-0026 http://www.videolan.org/sa0701.html [vlc-devel] 20070102 Security hole in VLC media player for Mac... 21852 SUSE-SA:2007:013 DSA-1252 http://trac.videolan.org/vlc/changeset/18481 1017464 GLSA-200701-24 23971 23910 23829 23592 http://projects.info-pull.com/moab/MOAB-02-01-2007.html oval:org.mitre.oval:def:14313 31163 http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Makerand Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; (28) MP3 WAV Converter; (29) BearShare 6.0.2.26789; and (30) Oracle Siebel SimBuilder and CRM 7.x. VU#292713 ADV-2007-0310 http://secunia.com/secunia_research/2007-9/advisory/ http://secunia.com/secunia_research/2007-8/advisory/ http://secunia.com/secunia_research/2007-7/advisory/ http://secunia.com/secunia_research/2007-6/advisory/ http://secunia.com/secunia_research/2007-5/advisory/ http://secunia.com/secunia_research/2007-4/advisory/ http://secunia.com/secunia_research/2007-34/advisory/ http://secunia.com/secunia_research/2007-33/advisory/ http://secunia.com/secunia_research/2007-32/advisory/ http://secunia.com/secunia_research/2007-31/advisory/ http://secunia.com/secunia_research/2007-30/advisory/ http://secunia.com/secunia_research/2007-3/advisory/ http://secunia.com/secunia_research/2007-29/advisory/ http://secunia.com/secunia_research/2007-28/advisory/ http://secunia.com/secunia_research/2007-27/advisory/ http://secunia.com/secunia_research/2007-26/advisory/ http://secunia.com/secunia_research/2007-25/advisory/ http://secunia.com/secunia_research/2007-24/advisory/ http://secunia.com/secunia_research/2007-23/advisory/ http://secunia.com/secunia_research/2007-22/advisory/ http://secunia.com/secunia_research/2007-21/advisory/ http://secunia.com/secunia_research/2007-20/advisory/ http://secunia.com/secunia_research/2007-2/advisory/ http://secunia.com/secunia_research/2007-19/advisory/ http://secunia.com/secunia_research/2007-18/advisory/ http://secunia.com/secunia_research/2007-17/advisory/ http://secunia.com/secunia_research/2007-16/advisory/ http://secunia.com/secunia_research/2007-15/advisory/ http://secunia.com/secunia_research/2007-14/advisory/ http://secunia.com/secunia_research/2007-13/advisory/ http://secunia.com/secunia_research/2007-12/advisory/ http://secunia.com/secunia_research/2007-11/advisory/ http://secunia.com/secunia_research/2007-10/advisory/ http://secunia.com/blog/6/ 30459 30450 30447 30446 30439 30424 30406 23568 23557 23553 23552 23551 23543 23534 23532 23530 23516 23511 23495 23493 23485 23475 nctaudiofile2-multiple-bo(31707) 23892 22196 20070124 Re: Secunia Research: NCTsoft Products NCTAudioFile2 ActiveXControl Buffer Overflow 20070124 Secunia Research: Sienzo Digital Music Mentor NCTAudioFile2ActiveX Control Buffer Overflow 20070124 Secunia Research: NCTsoft Products NCTAudioFile2 ActiveX ControlBuffer Overflow http://secunia.com/secunia_research/2007-50/advisory/ 28407 26101 26100 26046 25993 23795 23753 23745 23565 23562 23561 23560 23558 23554 23550 23548 23546 23544 23542 23541 23536 23535 22922 Multiple heap-based buffer overflows in rumpusd in Rumpus 5.1 and earlier (1) allow remote authenticated users to execute arbitrary code via a long LIST command and other unspecified requests to the FTP service, and (2) allow remote attackers to execute arbitrary code via unspecified requests to the HTTP service. rumpus-ftp-http-bo(31594) http://projects.info-pull.com/moab/MOAB-18-01-2007.html 32692 32689 rumpus-ftp-service-bo(31594) 23842 Heap-based buffer overflow in the SFTP protocol handler for Panic Transmit (Transmit.app) up to 3.5.5 allows remote attackers to execute arbitrary code via a long ftps:// URL. ADV-2007-0273 22145 23861 http://projects.info-pull.com/moab/MOAB-19-01-2007.html 32694 transmit-url-handler-bo(31673) 3160 Format string vulnerability in Apple iChat 3.1.6 allows remote attackers to cause a denial of service (null pointer dereference and application crash) and possibly execute arbitrary code via format string specifiers in an aim:// URI. TA07-047A VU#794752 ADV-2007-0274 http://projects.info-pull.com/moab/MOAB-20-01-2007.html 32715 ichat-aim-format-string(31679) 1017661 22146 24198 APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 Untrusted search path vulnerability in writeconfig in Apple Mac OS X 10.4.8 allows local users to gain privileges via a modified PATH that points to a malicious launchctl program. TA07-109A macos-writeconfig-privilege-escalation(31677) ADV-2007-1470 ADV-2007-0074 1017941 22148 31605 24966 23793 http://projects.info-pull.com/moab/MOAB-21-01-2007.html APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. TA07-047A VU#315856 ADV-2007-0074 http://projects.info-pull.com/moab/MOAB-22-01-2007.html macos-inputmanager-privilege-escalation(31676) 22188 32695 1017542 24198 23846 APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability." VU#122084 TA07-009A ie-vml-record-bo(31287) 21930 31250 MS07-004 929969 1017489 23677 20070109 Microsoft Windows VML Element Integer Overflow Vulnerability ADV-2007-0129 ADV-2007-0105 SSRT071296 SSRT071296 20070117 Re: MS07-004 VML Integer Overflow Exploit 20070116 MS07-004 VML Integer Overflow Exploit http://support.avaya.com/elmodocs2/security/ASA-2007-009.htm oval:org.mitre.oval:def:1058 The MFC component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 and Visual Studio .NET 2000, 2002 SP1, 2003, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. NOTE: this might be due to a stack-based buffer overflow in the AfxOleSetEditMenu function in MFC42u.dll. TA07-044A VU#932041 MS07-012 ADV-2007-0581 1017638 22476 31887 24150 oval:org.mitre.oval:def:157 The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. TA07-044A VU#497756 MS07-011 ADV-2007-0580 1017637 22483 31885 24147 oval:org.mitre.oval:def:540 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption. TA07-009A VU#749964 21856 MS07-002 1017487 ADV-2007-0103 HPSBST02184 HPSBST02184 31255 oval:org.mitre.oval:def:119 Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used. VU#493185 TA07-009A MS07-002 ADV-2007-0103 21952 HPSBST02184 SSRT071296 31249 http://www.fortinet.com/FortiGuardCenter/advisory/FGA-2007-01.html http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html 1017485 23676 oval:org.mitre.oval:def:768 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability." TA07-009A MS07-002 ADV-2007-0103 21877 HPSBST02184 HPSBST02184 31256 1017487 oval:org.mitre.oval:def:1102 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory. TA07-009A VU#302836 MS07-002 20070109 Microsoft Excel Invalid Column Heap Corruption Vulnerability ADV-2007-0103 21925 HPSBST02184 HPSBST02184 31257 1017487 oval:org.mitre.oval:def:323 Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries. TA07-009A VU#625532 MS07-002 20070109 Microsoft Excel Long Palette Heap Overflow Vulnerability ADV-2007-0103 21922 SSRT071296 HPSBST02184 31258 1017487 oval:org.mitre.oval:def:753 Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file. TA07-009A VU#476900 MS07-003 ADV-2007-0104 21931 HPSBST02184 HPSBST02184 31252 1017488 23674 oval:org.mitre.oval:def:516 Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability." TA07-009A VU#271860 MS07-003 ADV-2007-0104 21936 HPSBST02184 HPSBST02184 20070111 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability 31254 http://www.computerterrorism.com/research/ct09-01-2007.htm 1017488 23674 oval:org.mitre.oval:def:153 Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly handle data in a certain array, which allows user-assisted remote attackers to execute arbitrary code, aka the "Word Array Overflow Vulnerability." TA07-128A VU#260777 MS07-024 ADV-2007-1709 1018013 23804 HPSBST02214 SSRT071422 34387 oval:org.mitre.oval:def:1737 Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred. TA07-100A TA07-093A TA07-089A VU#191609 windows-ani-code-execution(33301) ADV-2007-1215 SSRT071354 SSRT071354 20070402 MS announces out-of-band patch for ANI 0day 20070402 More information on ZERT patch for ANI 0day 20070331 RE: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038) 20070331 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) 20070330 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) 20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) 33629 MS07-017 http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp 2542 24659 3634 20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) oval:org.mitre.oval:def:1854 The Exchange Collaboration Data Objects (EXCDO) functionality in Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 allows remote attackers to cause a denial of service (crash) via an Internet Calendar (iCal) file containing multiple X-MICROSOFT-CDO-MODPROPS (MODPROPS) properties in which the second MODPROPS is longer than the first, which triggers a NULL pointer dereference and an unhandled exception. TA07-128A MS07-026 exchange-ical-dos(33888) ADV-2007-1711 1018015 23808 HPSBST02214 HPSBST02214 20070508 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039) 34390 http://www.determina.com/security.research/vulnerabilities/exchange-ical-modprops.html 25183 20070509 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039) oval:org.mitre.oval:def:1593 The LDAP service in Windows Active Directory in Microsoft Windows 2000 Server SP4, Server 2003 SP1 and SP2, Server 2003 x64 Edition and SP2, and Server 2003 for Itanium-based Systems SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted LDAP request with an unspecified number of "convertible attributes." TA07-191A VU#487905 MS07-039 ADV-2007-2481 1018355 24800 20070710 Microsoft Windows Active Directory Remote Code Execution 26002 SSRT071446 oval:org.mitre.oval:def:2012 The PE Loader service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer" and unvalidated message lengths, probably a buffer overflow. TA07-191A MS07-040 ms-dotnet-pe-loader-bo(34637) ADV-2007-2482 1018356 24778 26003 SSRT071446 oval:org.mitre.oval:def:2093 Interpretation conflict in ASP.NET in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to access configuration files and obtain sensitive information, and possibly bypass security mechanisms that try to constrain the final substring of a string, via %00 characters, related to use of %00 as a string terminator within POSIX functions but a data character within .NET strings, aka "Null Byte Termination Vulnerability." TA07-191A ADV-2007-2482 1018356 MS07-040 http://security-assessment.com/files/advisories/2007-07-11_Multiple_.NET_Null_Byte_Injection_Vulnerabilities.pdf 26003 SSRT071446 oval:org.mitre.oval:def:2070 The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer," probably a buffer overflow, aka ".NET JIT Compiler Vulnerability". TA07-191A MS07-040 ms-dotnet-jit-bo(34639) ADV-2007-2482 1018356 24811 26003 SSRT071446 oval:org.mitre.oval:def:1873 Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding." http://www.wisec.it/vulns.php?page=9 adobe-acrobat-pdf-csrf(31266) ADV-2007-0032 21858 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities RHSA-2008:0144 1017469 2090 GLSA-200701-16 29065 23882 23812 oval:org.mitre.oval:def:10042 SUSE-SA:2007:011 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)." TA09-286B VU#815960 http://www.wisec.it/vulns.php?page=9 RHSA-2007:0017 adobe-acrobat-pdf-xss(31271) ADV-2009-2898 ADV-2007-0957 ADV-2007-0032 21858 20070104 Universal PDF XSS After Party 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities 20070103 RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous 20070103 Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous 20070103 Re: Universal XSS with PDF files: highly dangerous 20070103 Universal XSS with PDF files: highly dangerous RHSA-2007:0021 http://www.mozilla.org/security/announce/2007/mfsa2007-02.html http://www.gnucitizen.org/blog/universal-pdf-xss-after-party http://www.gnucitizen.org/blog/danger-danger-danger/ http://www.disenchant.ch/blog/hacking-with-browser-plugins/34 http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.adobe.com/support/security/bulletins/apsb07-01.html http://www.adobe.com/support/security/advisories/apsa07-02.html http://www.adobe.com/support/security/advisories/apsa07-01.html 102847 SSA:2007-066-05 1023007 1017469 2090 GLSA-200701-16 33754 24533 24457 23882 23877 23812 23691 23483 oval:org.mitre.oval:def:9693 oval:org.mitre.oval:def:6487 SUSE-SA:2007:011 HPSBUX02153 HPSBUX02153 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. http://www.wisec.it/vulns.php?page=9 ADV-2007-0957 ADV-2007-0032 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities oval:org.mitre.oval:def:9684 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf RHSA-2007:0017 adobe-acrobat-msvcrt-code-execution(31272) RHSA-2007:0021 http://www.adobe.com/support/security/bulletins/apsb07-01.html 102847 1017469 2090 GLSA-200701-16 24533 23882 23877 23812 23691 SUSE-SA:2007:011 CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters. adobe-acrobat-xmlhttp-response-splitting(31291) ADV-2007-0032 1017469 23882 SUSE-SA:2007:011 http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, when used with Internet Explorer, Google Chrome, or Opera, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL, related to a "cross-site scripting issue." TA09-286B http://www.wisec.it/vulns.php?page=9 adobe-acrobat-character-dos(31273) ADV-2009-2898 ADV-2007-0032 20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities http://www.adobe.com/support/security/bulletins/apsb09-15.html http://www.adobe.com/support/security/bulletins/apsb07-01.html 1023007 1017469 GLSA-200701-16 33754 23882 23812 oval:org.mitre.oval:def:6348 31596 SUSE-SA:2007:011 http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf 2090 Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp. tasktrackerpro-customize-auth-bypass(31235) 21847 23564 31682 3068 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete. 20070103 OpenPinboard <= Remote File Include 20070103 Re: OpenPinboard <= Remote File Include 33375 20070106 Re: OpenPinboard <= Remote File Include Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed. iphoto-xmltitle-format-string(31281) ADV-2007-0057 21871 20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability' http://www.digitalmunition.com/DMA[2007-0104a].txt 23615 http://projects.info-pull.com/moab/MOAB-04-01-2007.html 31165 3080 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305215 20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability' SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0015 21836 23576 31518 3061 vicayn-haberdetay-sql-injection(31213) SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the iPro parameter. ADV-2007-0016 21833 23572 32539 3062 autodealer-detail-sql-injection(31219) Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter. 21844 20070101 vBulletin vCard PRO XSS 33359 vcard-gbrowse-xss(31182) Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Formbankserver 1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0012 23539 32545 formbankserver-name-directory-traversal(31214) 3063 Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cart-path/admin/salesadmin.php. ADV-2007-0028 21845 20070101 AShop Shopping Cart Multiple XSS Vulnerabilities 32558 32557 32556 32555 32554 32553 ashop-multiple-scripts-xss(31178) 2091 23547 Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared sercet and allows remote attackers to gain unauthorized access. 20070103 Multiple Vulnerabilities in Cisco Clean Access ADV-2007-0030 32578 1017465 23617 Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file. ADV-2007-0030 20070103 Multiple Vulnerabilities in Cisco Clean Access 1017465 23556 32579 Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm. VU#304064 http://www.gnucitizen.org/blog/backdooring-quicktime-movies/ http://projects.info-pull.com/moab/MOAB-03-01-2007.html 31164 APPLE-SA-2007-03-05 http://docs.info.apple.com/article.html?artnum=305149 Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in CA (formerly Computer Associates) Message Queuing (CAM / CAFT) software before 1.11 Build 54_4 on Windows and NetWare, as used in CA Advantage Data Transport, eTrust Admin, certain BrightStor products, certain CleverPath products, and certain Unicenter products, allows remote attackers to execute arbitrary code via a crafted message to TCP port 3104. systems-management-bo(32234) ADV-2007-2638 25051 20070724 CA Message Queuing Server (Cam.exe) Overflow http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-secnot.asp 26190 1018449 20070725 [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149809 The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory." dhcp-malformed-packet-bo(33101) http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/ace/doc/releasenotes_ace.html ADV-2007-3229 25729 20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities USN-543-1 1018717 GLSA-200711-23 27706 27694 26890 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients. dhcp-param-overflow(33102) http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/ace/doc/releasenotes_ace.html 25729 20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=339561 ADV-2007-3229 USN-543-1 1018717 20090312 rPSA-2009-0041-1 dhclient dhcp libdhcp4client MDVSA-2009:153 http://wiki.rpath.com/Advisories:rPSA-2009-0041 GLSA-200808-05 GLSA-200711-23 34263 31396 27706 27694 26890 SUSE-SR:2009:005 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player http://bugs.gentoo.org/show_bug.cgi?id=227135 Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow. dhcp-param-underflow(33103) http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/ace/doc/releasenotes_ace.html 25729 20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities ADV-2007-3229 USN-543-1 1018717 GLSA-200711-23 27706 27694 26890 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player Heap-based buffer overflow in Windows Media Format Runtime 7.1, 9, 9.5, 9.5 x64 Edition, 11, and Windows Media Services 9.1 for Microsoft Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file. TA07-345A VU#319385 MS07-068 ADV-2007-4183 1019074 26776 SSRT071506 SSRT071506 28034 oval:org.mitre.oval:def:3622 Heap-based buffer overflow in Object Linking and Embedding (OLE) Automation in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, Office 2004 for Mac, and Visual basic 6.0 SP6 allows remote attackers to execute arbitrary code via a crafted script request. TA08-043C MS08-008 ADV-2008-0510 SSRT080016 1019373 27661 28902 SSRT080016 oval:org.mitre.oval:def:5388 The kernel in Microsoft Windows 2000 SP4, XP SP2, and Server 2003, when ICMP Router Discovery Protocol (RDP) is enabled, allows remote attackers to cause a denial of service via fragmented router advertisement ICMP packets that trigger an out-of-bounds read, aka "Windows Kernel TCP/IP/ICMP Vulnerability." TA08-008A MS08-001 28297 win-tcpip-icmp-dos(39254) ADV-2008-0069 27139 SSRT080003 HPSBST02304 20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities 1019166 http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx oval:org.mitre.oval:def:5271 Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files. 24307 http://www-1.ibm.com/support/docview.wss?uid=swg21257251 25542 domino-unspecified-dos(34689) ADV-2007-2046 35766 1018189 IBM Lotus Domino 7.0.x before 7.0.3 does not revalidate the signature on a signed scheduled agent after the agent is modified, which allows remote authenticated users to gain privileges via a modified agent in a server database. ADV-2007-2063 24322 http://www-1.ibm.com/support/docview.wss?uid=swg21258784 25520 35765 domino-signature-privilege-escalation(34718) Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability." TA08-008A VU#115083 MS08-001 28297 win-ssm-mld-bo(39453) win-ssm-igmp-bo(39452) ADV-2008-0069 27100 HPSBST02304 HPSBST02304 20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities 1019166 http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx oval:org.mitre.oval:def:5370 Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is used as an offset of a NULL pointer, and triggers a buffer overflow. TA08-150A TA08-149A TA08-100A VU#395473 VU#159523 multimedia-file-integer-overflow(37277) http://www.zerodayinitiative.com/advisories/ZDI-08-032/ ADV-2008-1724 ADV-2008-1697 ADV-2008-1662 1019811 29386 28695 RHSA-2008:0221 44282 http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/ 20080408 Adobe Flash Player Invalid Pointer Vulnerability GLSA-200804-21 http://www.adobe.com/support/security/bulletins/apsb08-11.html 238305 30507 30430 30404 29865 29763 oval:org.mitre.oval:def:10379 SUSE-SA:2008:022 APPLE-SA-2008-05-28 http://isc.sans.org/diary.html?storyid=4465 http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a read operation over RPC. application-rpc-read-bo(38760) ADV-2008-3127 32261 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) 32618 http://blogs.iss.net/archive/trend.html Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a file read operation over RPC. application-rpc-file-read-bo(39050) ADV-2008-3127 32261 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) 32618 http://blogs.iss.net/archive/trend.html Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a folder read operation over RPC. application-rpc-folder-read-bo(39051) ADV-2008-3127 32261 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) 32618 http://blogs.iss.net/archive/trend.html AspBB stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for db/aspbb.mdb. aspbb-aspbb-info-disclosure(31230) 20070102 AspBB Remote Password Disclosure http://www.aria-security.com/forum/showthread.php?t=82 33364 2100 Openforum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for openforum.mdb. openforum-openforum-password-disclosure(31209) 20070102 Openforum Remote password Disclosure http://www.aria-security.com/forum/showthread.php?t=80 33366 2099 lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/. lblog-newfolder-information-disclosure(31229) 20070102 lblog Remote Password Disclosure http://www.aria-security.com/forum/showthread.php?t=79 1017462 33367 2098 BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb. battleblog-blankmaster-info-disclosure(31224) 20070101 BattleBlog Database Download Vulnerability http://www.aria-security.com/forum/showthread.php?t=76 33360 2097 rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb. rblog-database-info-disclosure(31200) 20070101 rblog Database Download Vulnerability http://www.aria-security.com/forum/showthread.php?t=77 23538 32572 2102 ** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the vendor, who states that exploitation is limited "only to local administrators who have write access to the server configuration files." CVE concurs with the dispute. A buffer overflow in the SMB_Connect_Server function in FreeRADIUS 1.1.4 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. This issue can not be exploited remotely, and can only be exploited by administrators who have write access to the server configuration files. -- Official Vendor Statement from the FreeRADIUS Server project This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS. -- Official Vendor Statement from the FreeRADIUS Server project freeradius-smbconnectserver-bo(31248) 20070102 FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution 20070103 Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution http://www.freeradius.org/security.html 20070211 FreeRADIUS dispute of CVE-2007-0080 1017463 32082 Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory. kerio-directory-code-execution(31232) 21828 20070101 Kerio Fake 'iphlpapi' DLL injection Vulnerability http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php 33356 2095 users_adm/start1.php in IMGallery 2.5 and earlier does not properly handle files with multiple extensions, which allows remote authenticated users to upload and execute arbitrary PHP scripts. imgallery-start1-file-upload(31237) ADV-2007-0010 21827 3049 Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Klan. 21850 20070102 Nuked Klan <= 1.7 Remote Cookie Disclosure Exploit 33368 2101 ** DISPUTED ** Buffer overflow in the Windows NT Message Compiler (MC) 1.00.5239 on Microsoft Windows XP allows local users to gain privileges via a long MC-filename. NOTE: this issue has been disputed by a reliable third party who states that the compiler is not a privileged program, so privilege boundaries cannot be crossed. 20070102 Windows NT Message Compiler 1.00.5239 arbitrary code execution 20070103 Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution 37817 Unspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference. [3.9] 017: SECURITY FIX: January 3, 2007 [4.0] 007: SECURITY FIX: January 3, 2007 1017468 23608 openbsd-vga-privilege-escalation(31276) ADV-2007-0043 [openbsd-cvs] 20070103 CVS: cvs.openbsd.org: www [openbsd-cvs] 20070103 Re: CVS: cvs.openbsd.org: src http://ilja.netric.org/files/Unusual%20bugs%2023c3.pdf 32574 ** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal. 20070103 a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 33456 ** DISPUTED ** Microsoft Internet Information Services (IIS), when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal. 20070103 a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 20070104 Re: a cheesy Apache / IIS DoS vuln (+a question) 33457 Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) src parameter to page.php or the (2) format parameter to search_form.php. openmedia-page-directory-traversal(31258) 20070102 openmedia local read file 33371 33370 2103 jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb. 20070103 jgbbs 33376 http://aria-security.com/forum/showthread.php?t=87 jgbbs-bbs-information-disclosure(31274) WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb. ADV-2007-0037 20070103 WineGlass "data.mdb" Remote Password Disclosure 32575 http://aria-security.com/forum/showthread.php?p=112 23594 newsCMSlite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for newsCMS.mdb. newscmslite-newscms-info-disclosure(31222) 37548 3066 SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter. ADV-2007-0036 23610 31679 esmartcart-productdetail-sql-injection(31243) 3074 SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter. swcms-page-sql-injection(31261) ADV-2007-0040 20070103 Simple Web Content Management System SQL Injection Exploit 23590 31657 3076 http://acid-root.new.fr/poc/18070102.txt 2106 Sven Moderow GuestBook 0.3a stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for (1) gbook97.mdb or (2) gbook.mdb in ~db/. 20070103 GuestBook v0.3a Remote Password Disclosure 33363 http://aria-security.com/forum/showthread.php?p=114 guestbook-gbook-information-disclosure(31245) 2105 phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message. phpmyadmin-darkblueorange-path-disclosure(31223) 33257 20070102 Inforamtion Discloser Vulnerabilities in phpMyAdmin 20070102 Inforamtion Discloser Vulnerabilities in "phpMyAdmin" MDKSA-2007:199 2104 CarbonCommunities stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for DataBase/Carbon2.4d.mdb. carboncommunities-carbon2-info-disclosure(31253) ADV-2007-0038 37549 http://aria-security.com/forum/showthread.php?t=85 Multiple stack-based buffer overflows in the (1) LoadTree and (2) ReadHeader functions in PAISO.DLL 1.7.3.0 (1.7.3 beta) in ConeXware PowerArchiver 2006 9.64.02 allow user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories. http://vuln.sg/powarc964-en.html 23559 ADV-2007-0041 32576 20070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow powerarchiver-loadtree-readheader-bo(31263) 20070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow Vulnerability Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by language.php. ADV-2007-0035 32352 verliadmin-language-file-include(31241) 3075 Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability." TA08-316A 21872 MS08-069 ADV-2008-3111 20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) 1021164 23655 20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) oval:org.mitre.oval:def:5793 32627 http://isc.sans.org/diary.php?storyid=2004 20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) The Perforce client does not restrict the set of files that it overwrites upon receiving a request from the server, which allows remote attackers to overwrite arbitrary files by modifying the client config file on the server, or by operating a malicious server. 20070104 Perforce client: security hole by design 33369 Cross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information. http://spine.sourceforge.net/changelog.html spine-unspecified-csrf(31283) ADV-2007-0042 23537 32577 The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A 21910 multiple-vendor-pdf-code-execution(31364) ADV-2007-0930 1017749 24479 http://projects.info-pull.com/moab/MOAB-06-01-2007.html 31221 http://docs.info.apple.com/article.html?artnum=305214 The Adobe PDF specification 1.3, as implemented by Adobe Acrobat before 8.0.0, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A multiple-vendor-pdf-code-execution(31364) ADV-2007-0930 1017749 21910 24479 http://projects.info-pull.com/moab/MOAB-06-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 The Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patch 2, (b) kpdf in KDE before 3.5.5, (c) poppler before 0.5.4, and other products, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. TA07-072A https://issues.rpath.com/browse/RPL-964 multiple-vendor-pdf-code-execution(31364) ADV-2007-0930 ADV-2007-0244 ADV-2007-0212 ADV-2007-0203 USN-410-2 USN-410-1 1017749 21910 20070116 [KDE Security Advisory] kpdf/kword/xpdf denial of service vulnerability SUSE-SR:2007:003 MDKSA-2007:024 MDKSA-2007:022 MDKSA-2007:021 MDKSA-2007:020 MDKSA-2007:019 MDKSA-2007:018 http://www.kde.org/info/security/advisory-20070115-1.txt http://support.novell.com/techcenter/psdb/44d7cb9b669d58e0ce5aa5d7ab2c7c53.html 1017514 24479 24204 23876 23844 23839 23815 23813 23808 23799 23791 http://projects.info-pull.com/moab/MOAB-06-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 Stack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request. VU#744249 23629 cisco-acs-csadmin-bo(31323) ADV-2007-0068 21900 20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server 1017475 32642 Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. 21893 http://wordpress.org/development/2007/01/wordpress-206/ ADV-2007-0061 20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability http://www.hardened-php.net/advisory_012007.140.html 23595 33397 2114 WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. Successful exploitation requires that the "mbstring" extension be enabled. This vulnerability is addressed in the following product release: WordPress, WordPress, 2.0.6 wordpress-mbstring-security-bypass(31297) 21907 20070105 Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability OpenPKG-SA-2007.005 http://www.hardened-php.net/advisory_022007.141.html http://wordpress.org/development/2007/01/wordpress-206/ 23595 ADV-2007-0061 31579 2112 GLSA-200701-10 23741 nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles. novell-profile-security-bypass(31343) ADV-2007-0064 21886 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974970.htm 1017471 23619 31358 wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. wordpress-account-enumeration(31262) ADV-2007-0062 20070103 Wordpress <= 2.x dictionnary & Bruteforce attack 23621 31577 2113 GLSA-200701-10 23741 Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message. https://secure-support.novell.com/KanisaPlatform/Publishing/143/3615264_f.SAL_Public.html ADV-2007-0073 21921 23654 31359 1017483 Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as used in mobile devices running Windows Mobile 5.0, 2003, and 2003SE, allows remote attackers to execute arbitrary code via a crafted PNG image. ADV-2007-0072 http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+Resco+Photo+Viewer+6%2E01+Enabling+Code+Injection+and+Arbitrary+Code+Execution 21920 23658 32644 http://blog.trendmicro.com/flaw-in-3rd-party-app-weakens-windows-mobile/ SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter. createauction-cats-sql-injection(31356) 21929 20070107 createauction (cats.asp) Remote SQL Injection Vulnerability 33406 2111 Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm. packetshaper-argument-dos(31357) ADV-2007-0098 21933 20070108 Packeteer PacketWise CLI overflow DoS 23685 31656 2110 Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote attackers to obtain sensitive information regarding "content details" via unspecified vectors. 102764 23630 sun-java-cds-info-disclosure(31345) ADV-2007-0076 21908 32645 Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php. 20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit 20070108 Source verify - Coppermine Photo Gallery <= 1.4.10 code injection 33383 http://acid-root.new.fr/poc/19070104.txt 2107 Digger Solutions Intranet Open Source (IOS) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for data/intranet.mdb. 20070105 Intranet Open Source Remote Password Disclosure "intranet.mdb" 33379 intranet-intranet-info-disclosure(31308) 2109 DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation. ADV-2007-0074 21899 http://projects.info-pull.com/moab/MOAB-05-01-2007.html 31167 23653 Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow remote attackers to read arbitrary files via an absolute pathname in the file parameter to (1) edittag.cgi, (2) edittag.pl, (3) edittag_mp.cgi, or (4) edittag_mp.pl. 21890 20070105 Multiple bugs in EditTag 33396 33395 33394 33393 7950 Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) mkpw.pl, or (3) mkpw.cgi. 21891 20070105 Multiple bugs in EditTag 33392 33391 33390 7950 Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlier allows remote attackers to cause a denial of service (application crash) via multiple HTTP requests containing invalid Content-Length values. acunetix-content-length-dos(31279) 21898 37580 3078 Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter. ADV-2007-0083 21880 20070105 RI Blog 1.3 XSS Vuln. 31637 riblog-search-xss(31317) 2108 23657 Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4.10 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via (1) the cat parameter to albmgr.php, and possibly (2) the gid parameter to usermgr.php; (3) the start parameter to db_ecard.php; and the albumid parameter to unspecified files, related to the (4) filename_to_title and (5) del_titles functions. 21894 20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit 35856 35855 35854 35853 35852 http://acid-root.new.fr/poc/19070104.txt 2123 25846 3085 Unrestricted file upload vulnerability in Uber Uploader 4.2 allows remote attackers to upload and execute arbitrary PHP scripts by naming them with a .phtml extension, which bypasses the .php extension check but is still executable on some server configurations. 20070105 Uber Uploader 4.2 Arbitrary File Upload Vulnerability uber-uploader-phtml-file-upload(31303) 2116 Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist. 21895 20070105 [DRUPAL-SA-2007-002] Drupal 4.6.11 / 4.7.5 fixes DoS issue 23586 http://drupal.org/node/104238 ADV-2007-0051 32131 2115 Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux before 20070102 enter an infinite loop upon encountering an invalid NumberOfRvaAndSizes value in the Optional Windows Header of a portable executable (PE) file, which allows remote attackers to cause a denial of service (CPU consumption) by scanning a crafted PE file. kaspersky-antivirus-pe-dos(31315) ADV-2007-0067 21901 1017476 23575 32588 20070105 Kaspersky Antivirus Scan Engine PE File Denial of Service Vulnerability Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker. http://www.opera.com/support/search/supsearch.dml?index=852 opera-jpeg-dht-bo(31305) ADV-2007-0060 GLSA-200701-08 1017473 23771 23739 23613 31574 SUSE-SA:2007:009 20070105 Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption Vulnerability The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call. 23613 20070105 Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerability ADV-2007-0060 http://www.opera.com/support/search/supsearch.dml?index=851 GLSA-200701-08 1017473 23771 23739 31575 SUSE-SA:2007:009 SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the book_id parameter. ADV-2007-0053 23606 31677 3081 SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatID parameter. locazolist-main-sql-injection(31242) ADV-2007-0052 35813 3073 SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0055 21873 23602 31678 igcalendar-user-sql-injection(31300) 20070105 IG Calendar SQL Injection 3082 JAMWiki before 0.5.0 does not properly check permissions during moves of "read-only or admin-only topics," which allows remote attackers to make unauthorized changes to the wiki. http://sourceforge.net/project/shownotes.php?group_id=171441&release_id=475663 23634 32581 jamwiki-permission-security-bypass(31296) 21879 SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0056 23604 http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt 33385 igshop-compareproduct-sql-injection(31299) 21874 20070105 IG Shop remote code execution 3083 Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter. ADV-2007-0056 33386 Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the vulnerability is present in 1.4. igshop-cartpage-code-execution(31301) ADV-2007-0056 21875 20070619 iG Shop 1.4 eval Inclusion Vulnerability 20070105 IG Shop remote code execution 20070618 Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit 23604 http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt 33388 33387 3083 PHP remote file inclusion vulnerability in inc/init.inc.php in Aratix 0.2.2 beta 11 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the current_path parameter. ADV-2007-0054 20070108 Source verify of Aratix RFI http://securityreason.com/exploitalert/1698 33405 aratix-init-file-include(31282) 3079 Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. http://drupal.org/node/104233 ADV-2007-0050 32140 32139 20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes drupal-core-unspecified-xss(31311) 20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes XSS issue http://drupal.org/files/sa-2007-001/advisory.txt Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 23623 ADV-2007-0065 http://serenebach.net/log/sb209R.html http://serenebach.net/log/sb119R.html 32580 JVN#65500885 serene-bach-unspecified-xss(31302) 21884 1017470 formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begins with (1) AbfrageForm or (2) EingabeForm, allows remote attackers to cause a denial of service (daemon crash) via multiple requests containing many /../ sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. formbankserver-formbank-dos(31216) 23539 32546 Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/OSI 7.3-2 for OpenVMS ALPHA, and the DECnet-Plus 7.3 feature in DECnet/OSI 7.3 for OpenVMS VAX, allows attackers to obtain "unintended privileged access to data and system resources" via unspecified vectors, related to (1) [SYSEXE]CTF$UI.EXE, (2) [SYSMSG]CTF$MESSAGES.EXE, (3) [SYSHLP]CTF$HELP.HLB, and (4) [SYSMGR]CTF$STARTUP.COM. 23636 ftp://ftp.itrc.hp.com/openvms_patches/vax/V7.3/VAX_DNVOSIMUP01-V0703.txt ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIMUP01-V0703-2.txt ADV-2007-0063 32586 32585 32584 32583 SQL injection vulnerability in down.asp in Kolayindir Download (Yenionline) allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0079 21889 20070105 Kolayindir Download (Yenionline) (tr) SqL Injection Vuln. 23645 31625 kolayindirdownload-down-sql-injection(31320) 2122 Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. ADV-2007-0082 21904 20070106 Yet Another Link Directory v1.0 23646 31626 yald-yald-xss(31322) 2121 SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the CatID parameter. ADV-2007-0080 21905 20070106 shopstorenow (orange.asp) sql injection 23642 31665 shopstorenow-orange-sql-injection(31313) 2120 Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php. ADV-2007-0078 23635 31209 31208 3090 nune-index-archives-file-include(31312) 20070107 NUNE News Script (custom_admin_path) Remote File Include Vulnerablity Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the ordernum parameter. 23652 31690 qos-search-xss(31321) 3089 PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP News (BP News) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the bnrep parameter, a different vector than CVE-2006-4648 and CVE-2006-4649. 1017477 35898 bingo-bnsmrep1-file-include(31328) Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php. ADV-2007-0081 20070106 Fix & Chips CMS v1.0 23625 fixandchips-multiple-scripts-xss(31319) 32650 32649 32648 32647 32646 2119 Cuyahoga before 1.0.1 installs the FCKEditor component with an incorrect deny statement in a Web.config file, which allows remote attackers to upload files when these privileges were intended only for the Administrator and Editor roles. http://www.cuyahoga-project.org/10/section.aspx/61 23662 http://cuyahoga.svn.sourceforge.net/viewvc/cuyahoga?view=rev&revision=551 32643 21927 Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in the Javascript alert function. http://www.omnigroup.com/applications/omniweb/releasenotes/ 23624 ADV-2007-0075 http://projects.info-pull.com/moab/MOAB-07-01-2007.html 31222 omniweb-alert-format-string(31324) 21911 20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS http://www.digitalmunition.com/DMA%5B2007-0107a%5D.txt 3098 http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/ EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb. 20070107 EMembersPro 1.0 Remote Password Disclosure Vulnerability 33403 ememberspro-users-info-disclosure(31329) 2118 Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters. ADV-2007-0099 20070107 Dayfox Blog Remote File Include Vuln. 31259 dayfoxblog-index-file-include(31336) 2117 23661 MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb. 20070107 MitiSoft Remote Password Disclosure Vulnerability 33409 mitisoft-mitisoft-info-disclosure(31341) OhhASP stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/OhhASP.mdb. 20070106 ohhASP Remote Password Disclosure 33381 http://64.38.62.221/ariasecucom/forum/showthread.php?t=89 ohhasp-ohhasp-info-disclosure(31342) AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb. 20070107 AJLogin v3.5 Remote Password Disclosure Vulnerability 33404 ajlogin-ajlogin-info-disclosure(31331) 2127 Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb. 20070107 Webulas Remote Password Disclosure Vulnerability 33401 webulas-db-info-disclosure(31338) 2126 HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb. 20070107 HarikaOnline v2.0 Remote Password Disclosure Vulnerability 33410 harikaonline-harikaonline-info-disclosure(31339) 2125 M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb. 20070107 M-Core Remote Password Disclosure Vulnerability 33402 mcore-uyelik-info-disclosure(31340) 2124 Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index. ADV-2007-0362 ADV-2007-0172 39247 [neon] 20070107 invalid chars cause sigserv in neon http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404723 http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2 http://www.webdav.org/cadaver/ 22035 SUSE-SR:2007:002 MDKSA-2007:013 23984 23763 23751 [cadaver] 20070123 release 0.22.5 Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename. http://arctic.org/~dean/patches/GeoIP-1.4.0-update-vulnerability.patch ADV-2007-0118 ADV-2007-0117 31618 geoip-geoipupdate-directory-traversal(31383) USN-412-1 21959 MDKSA-2007:004 23906 23880 Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.cc) in CenterICQ 4.9.11 through 4.21.0, when using unofficial LiveJournal servers, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by adding the victim as a friend and using long (1) username and (2) real name strings. Failed exploitation attempts will likely result in a denial-of-service condition. centericq-username-bo(31330) ADV-2007-0306 21932 20070107 TK53 Advisory #1: CenterICQ remote DoS buffer overflow in LiveJournal handling GLSA-200701-20 1017545 2129 33408 The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023. ADV-2007-0094 21935 20070108 HP Multiple Products PML Driver Local Privilege Escalation http://secway.org/advisory/AD20070108.txt 23663 32654 pml-driver-config-privilege-escalation(31361) 2128 Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permissions for the (1) ApplicationEnhancer binary and the (2) /Library/Frameworks/ApplicationEnhancer.framework directory, which allows local users to gain privileges by modifying or replacing the binary or library files. http://projects.info-pull.com/moab/MOAB-08-01-2007.html 32661 http://landonf.bikemonkey.org/code/macosx/MOAB_Day_8.20070109002959.18582.timor.html ape-appenhancer-privilege-escalation(31349) 21951 23649 SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information. 20070106 Cracking Steganography Application in less than ONE minute 23639 31244 http://homepage.mac.com/adonismac/Advisory/steg/steganography.html steganography-password-security-bypass(31378) 20070107 A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version) Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information. 21939 23578 32651 http://homepage.mac.com/adonismac/Advisory/steg/camouflage.html camouflage-password-security-bypass(31375) 20070107 A Major design Bug in Camouflage 1.2.1 (latest) Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind. 102713 ADV-2007-0110 oval:org.mitre.oval:def:5920 31576 solaris-rpcbind-dos(31366) 21964 http://support.avaya.com/elmodocs2/security/ASA-2007-036.htm 1017492 24056 23700 oval:org.mitre.oval:def:2210 The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack. FreeBSD-SA-07:01 32726 22011 1017505 23730 Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/. 21961 20070109 ppc engine Multiple file inclusion 20070109 "ppc engine" is WGS-PPC demoppc-inc-file-include(31355) 33454 33453 33452 33451 33450 33449 33448 33447 33446 33445 33444 2134 3104 The Tape Engine service in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allows remote attackers to execute arbitrary code via certain data in opnum 0xBF in an RPC request, which is directly executed. VU#662400 http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp http://www.zerodayinitiative.com/advisories/ZDI-07-002.html ADV-2007-0154 31327 brightstor-tapeengine-code-execution(31442) 22010 20070111 ZDI-07-002: CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability 20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities 20070111 LS-20061002 - Computer Associates BrightStor ARCserve Backup Remote Code Execution Vulnerability http://www.lssec.com/advisories/LS-20061002.pdf 1017506 23648 http://livesploit.com/advisories/LS-20061002.pdf Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service. VU#180336 VU#151032 http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp brightstor-messageengine-rpc-bo(31443) brightstor-tapeengine-rpc-bo(31433) http://www.zerodayinitiative.com/advisories/ZDI-07-004.html http://www.zerodayinitiative.com/advisories/ZDI-07-003.html ADV-2007-0154 22006 22005 20070111 ZDI-07-003: CA BrightStor ARCserve Backup Message Engine Buffer Overflow Vulnerability 20070111 ZDI-07-004: CA BrightStor ARCserve Backup Tape Engine Buffer Overflow Vulnerability 20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities 1017506 23648 31327 20070111 Computer Associates BrightStor ARCserve Backup RPC Engine PFC Request Buffer Overflow Vulnerability PHP remote file inclusion vulnerability in index.php in AllMyVisitors 0.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the AMV_serverpath parameter. allmyvisitors-index-file-include(31316) 21917 35904 3097 PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AML_opensite parameter. allmylinks-index-file-include(31314) 21916 35909 3096 Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the AMG_serverpath parameter to (1) comments.php and (2) signin.php; and possibly via a URL in unspecified parameters to (3) include/submit.inc.php, (4) admin/index.php, (5) include/cm_submit.inc.php, and (6) index.php. allmyguests-multiple-file-include(31310) 21918 35923 35921 35919 35917 35916 35915 3093 Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. l2j-statistik-index-file-include(31309) ADV-2007-0097 21914 35914 3091 Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function. ADV-2007-0093 http://secway.org/advisory/ad20070109EN.txt 23638 32659 20070109 Sina UC ActiveX Multiple Remote Stack Overflow sinauc-senddownloadfile-bo(31350) sinauc-sendchatroomopt-bo(31348) 21958 20070109 Sina UC ActiveX Multiple Remote Stack Overflow Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter. b2evolution-login-xss(31368) 21953 DSA-1568 30093 23656 32027 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410568 Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter. 21946 20070108 GForge Cross Site Scripting vulnerability http://www.eazel.es/advisory006-gforge-cross-site-scripting-vulnerability.html 1017482 23675 31248 gforge-words-xss(31346) DSA-1475 2133 28598 Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 21956 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_8_3/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_7_2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_9/phase3/RELEASE-NOTES http://sourceforge.net/forum/forum.php?forum_id=652721 ADV-2007-0096 23647 31525 mediawiki-ajax-unspecified-xss(31359) SUSE-SR:2007:006 24889 PHP remote file inclusion vulnerability in info.php in Easy Banner Pro 2.8 allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter. 20070108 Easy Banner Pro Version 2.8 <= Remote File Inclusion 33455 easybannerpro-info-file-include(31374) 21967 2132 SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter. 21962 20070109 Re: PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit 31266 2131 Stack-based buffer overflow in EF Commander 5.75 allows user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories, which produces a large filename that triggers the overflow. http://vuln.sg/efcommander575-en.html 23659 32660 efcommander-iso-pathname-bo(31365) 21969 PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter. ADV-2007-0136 20070108 magic photo storage website Remote File Inclusion magicphotostorage-config-file-include(31347) 21965 23687 3100 Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date. 20070108 magic photo storage website Multiple Remote File Inclusion 21965 33439 33438 33437 33436 33435 33434 33433 33432 33431 33430 33429 33428 33427 33426 33425 33423 33422 33421 33420 33419 33418 33417 33416 33415 33414 33413 33412 33411 32668 2136 Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 21977 23605 32662 Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks. ADV-2007-0095 21955 23641 32657 SUSE-SR:2009:004 http://getahead.ltd.uk/dwr/changelog dwr-include-exclude-security-bypass(31377) Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch. 23641 ADV-2007-0095 21955 32658 SUSE-SR:2009:004 http://getahead.ltd.uk/dwr/changelog dwr-servlet-engine-dos(31382) Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550. https://tech.f5.com/home/solutions/sol6920.html https://tech.f5.com/home/solutions/sol6919.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 23643 23627 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory 32743 32742 32741 32740 32739 32738 32737 F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name. https://tech.f5.com/home/solutions/sol6924.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 39167 20070105 NNL-Labs & MNIN - F5 FirePass Security Advisory https://tech.f5.com/home/solutions/sol6916.html 23640 23626 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources. https://tech.f5.com/home/solutions/sol6922.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 32734 23640 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value. geobb-index-file-include(31335) 20070107 GeoBB Georgian Bulletin Board Remote File Include Vuln. 20070110 Dispute of GeoBB RFI 33440 2141 PHP remote file inclusion vulnerability in edit_address.php in edit-x ecommerce allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. ADV-2007-0158 20070109 edit-x ecommerce (include_dir) Remote File include editx-editaddress-file-include(31384) 21974 2139 Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section. mkportal-admin-xss(31304) 20070105 MkPortal Admin XSS 33399 2138 Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack. 20070104 MkPortal "All Guests are Admin" Exploit 33400 2137 FON La Fonera routers do not properly limit DNS service access by unauthenticated clients, which allows remote attackers to tunnel traffic via DNS requests for hosts that should not be accessible before authentication. 20070107 Re: FON Router allows anonymous web access 20070106 FON Router allows anonymous web access 33441 admin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message. 20070108 MKPortal Full Path Disclosure 33407 mkportal-admin-path-disclosure(31333) my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account. https://tech.f5.com/home/solutions/sol6923.html 21957 http://www.mnin.org/advisories/2007_firepass.pdf 32736 23627 20070106 NNL-Labs & MNIN - F5 FirePass Security Advisory SQL injection vulnerability in admin_check_user.asp in Motionborg Web Real Estate 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (txtUserName parameter) and possibly other parameters. NOTE: some details were obtained from third party information. motionborg-admincheckuser-sql-injection(31360) ADV-2007-0143 21963 23531 32718 3105 Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption. TA07-047A VU#240880 macos-finder-dos(31410) ADV-2007-0140 1017662 21980 20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS 32714 http://www.digitalmunition.com/DMA%5B2007-0109a%5D.txt 24198 http://projects.info-pull.com/moab/MOAB-09-01-2007.html APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 The JTapi Gateway process in Cisco Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise, and Cisco IP Contact Center Hosted 5.0 through 7.1 allows remote attackers to cause a denial of service (repeated process restart) via a certain TCP session on the JTapi server port. 20070110 Cisco Unified Contact Center and IP Contact Center JTapi Gateway Vulnerability ADV-2007-0138 21988 32682 1017499 23710 The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange." 20070110 DLSw Vulnerability ADV-2007-0139 oval:org.mitre.oval:def:5714 32683 21990 1017498 23697 PHP remote file inclusion vulnerability in template.php in Geoffrey Golliher Axiom Photo/News Gallery (axiompng) 0.8.6 allows remote attackers to execute arbitrary PHP code via a URL in the baseAxiomPath parameter. ADV-2007-0107 20070110 source verify - Axiom RFI 32716 axiom-template-file-include(31372) 21972 23715 3108 Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Firewall Toolkit (FWTK) allows remote attackers to execute arbitrary code via a long destination hostname (dest). tisfwtk-ftpgw-bo(31363) 21960 http://www.ranum.com/security/computer_security/editorials/codetools/ 1017481 35967 SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter. @lexguestbook-index-sql-injection(31393) ADV-2007-0137 21926 20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit 23637 31707 http://acid-root.new.fr/poc/20070107.txt 2135 3103 Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 23702 ADV-2007-0125 32666 21987 MDKSA-2007:199 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information. 23702 ADV-2007-0125 http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 32667 phpmyadmin-unspecified-xss(31387) 21987 MDKSA-2007:199 Directory traversal vulnerability in admin/skins.php for @lex Guestbook 4.0.2 and earlier allows remote attackers to create files in arbitrary directories via ".." sequences in the (1) aj_skin and (2) skin_edit parameters. NOTE: this can be leveraged for file inclusion by creating a skin file in the lang directory, then referencing that file via the lang parameter to index.php, which passes a sanity check in livre_include.php. @lexguestbook-livreinclude-file-include(31397) 21926 20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit 2135 31709 31708 3103 http://acid-root.new.fr/poc/20070107.txt Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to read arbitrary files via unknown vectors. ADV-2007-0153 22009 SSRT061174 HPSBMA02175 32729 1017503 2140 Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac does not correctly check the properties of certain documents and warn the user of macro content, which allows user-assisted remote attackers to execute arbitrary code. TA07-044A MS07-014 ADV-2007-0583 1017639 22477 34385 oval:org.mitre.oval:def:700 Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a Word file with a malformed drawing object, which leads to memory corruption. TA07-044A ADV-2007-0583 1017639 22482 MS07-014 34386 oval:org.mitre.oval:def:187 The Window Image Acquisition (WIA) Service in Microsoft Windows XP SP2 allows local users to gain privileges via unspecified vectors involving an "unchecked buffer," probably a buffer overflow. TA07-044A MS07-007 ADV-2007-0576 1017634 22499 31889 24132 oval:org.mitre.oval:def:186 The hardware detection functionality in the Windows Shell in Microsoft Windows XP SP2 and Professional, and Server 2003 SP1 allows local users to gain privileges via an unvalidated parameter to a function related to the "detection and registration of new hardware." TA07-044A VU#240796 MS07-006 ADV-2007-0575 1017633 22481 31890 24126 oval:org.mitre.oval:def:224 Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails, which allows remote attackers to execute arbitrary code via a crafted base64-encoded MIME e-mail message. TA07-128A VU#343145 MS07-026 ADV-2007-1711 SSRT071422 exchange-mime-base64-code-execution(33889) 1018015 23809 HPSBST02214 34391 25183 oval:org.mitre.oval:def:1890 The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 SP3, XP SP2 and Professional, 2003 SP1 allows remote attackers to execute arbitrary code via unspecified functions, related to uninitialized parameters. VU#563756 TA07-044A MS07-008 ADV-2007-0577 1017635 22478 31884 24136 oval:org.mitre.oval:def:125 Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption. TA07-128A http://www.zerodayinitiative.com/advisories/ZDI-07-026.html MS07-023 ADV-2007-1708 SSRT071422 excel-biff-file-bo(33913) 1018012 23760 SSRT071422 20070508 ZDI-07-026: Microsoft Excel BIFF File Format Named Graph Record Parsing Stack Overflow Vulnerability 34393 25150 oval:org.mitre.oval:def:1971 wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section length headers, aka "Microsoft Works File Converter Input Validation Vulnerability." TA08-043C MS08-011 ADV-2008-0513 1019386 27657 28904 SSRT080016 HPSBST02314 20080208 Microsoft Office Works Converter Heap Overflow Vulnerability oval:org.mitre.oval:def:5309 The wininet.dll FTP client code in Microsoft Internet Explorer 5.01 and 6 might allow remote attackers to execute arbitrary code via an FTP server response of a specific length that causes a terminating null byte to be written outside of a buffer, which causes heap corruption. VU#613564 TA07-044A MS07-016 ADV-2007-0584 1017642 22489 31892 24156 20070213 Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability 20070309 MS07-016 FTP Response DOS PoC oval:org.mitre.oval:def:1141 Microsoft Internet Explorer 5.01 and 6 allows remote attackers to execute arbitrary code by instantiating certain COM objects from Urlmon.dll, which triggers memory corruption during a call to the IObjectSafety function. TA07-163A MS07-033 webbrowser-object-code-execution(32106) ADV-2007-2153 24372 HPSBST02231 HPSBST02231 1018235 25627 20070612 Microsoft License Manager and urlmon.dll COM Object Interaction Invalid Memory Access Vulnerability oval:org.mitre.oval:def:1084 Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects from (1) Msb1fren.dll, (2) Htmlmm.ocx, and (3) Blnmgrps.dll as ActiveX controls, which allows remote attackers to execute arbitrary code via unspecified vectors, a different issue than CVE-2006-4697. VU#771788 TA07-044A MS07-016 ie-com-activex-code-execution(32427) ADV-2007-0584 1017643 22504 31895 31894 31893 24156 oval:org.mitre.oval:def:257 Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2000 SP3, and 2003 SP1 and SP2 allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments, involving an "incorrectly handled UTF character set label". TA07-128A VU#124113 MS07-026 ADV-2007-1711 SSRT071422 exchange-utf-xss(33887) 1018015 23806 HPSBST02214 34389 25183 oval:org.mitre.oval:def:1371 Integer overflow in the IMAP (IMAP4) support in Microsoft Exchange Server 2000 SP3 allows remote attackers to cause a denial of service (service hang) via crafted literals in an IMAP command, aka the "IMAP Literal Processing Vulnerability." TA07-128A 1018015 MS07-026 25183 20070508 Microsoft Exchange Server 2000 IMAP Literal Processing DoS Vulnerability exchange-imap-command-dos(33890) ADV-2007-1711 23810 HPSBST02214 SSRT071422 34392 oval:org.mitre.oval:def:2054 Directory traversal vulnerability in the EmChartBean server side component for Oracle Application Server 10g allows remote attackers to read arbitrary files via unknown vectors, probably "\.." sequences in the beanId parameter. NOTE: this is likely a duplicate of another CVE that Oracle addressed in CPU Jan 2007, but due to lack of details by Oracle, it is unclear which BugID this issue is associated with, so the other CVE cannot be determined. Possibilities include EM02 (CVE-2007-0292) or EM05 (CVE-2007-0293). 22027 20070115 SYMSA-2007-001: Oracle Application Server 10g - Directory Traversal 23794 20070131 Oracle 10g R2 Enterprise Manager Directory Traversal http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 1017522 22083 SQL injection vulnerability in shared/code/cp_functions_downloads.php in Nicola Asuni All In One Control Panel (AIOCP) before 1.3.009 allows remote attackers to execute arbitrary SQL commands via the download_category parameter. http://sourceforge.net/project/shownotes.php?release_id=477845 23726 aiocp-cpfunctionsdownloads-sql-injection(31591) 22019 31641 SQL injection vulnerability in shopgiftregsearch.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginLastname parameter. 23699 32732 vpasp-shopgift-sql-injection(31447) 3115 Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. 23699 32733 vpasp-shopcustadmin-xss(31449) 3115 SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier allows remote attackers to execute arbitrary SQL commands via the "by User" field (aka the TXbyuser parameter). uniforum-wbsearch-sql-injection(31362) 21966 32927 20070125 uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability 23827 3106 slocate 3.1 does not properly manage database entries that specify names of files in protected directories, which allows local users to obtain the names of private files. NOTE: another researcher reports that the issue is not present in slocate 2.7. 21989 20070329 FLEA-2007-0005-1: slocate 20070110 Re: slocate leaks filenames of protected directories 20070110 slocate leaks filenames of protected directories 20070111 Re: slocate leaks filenames of protected directories 33465 USN-425-1 20070112 Re: slocate leaks filenames of protected directories The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) &LOGPATH& (6) &FWADELTA& (7) &FWALOG& (8) &SETSYNCHRONOUS& (9) &SETPRGFILE&, or (10) &SETREPLYPORT& string to TCP port 10618, which triggers a NULL pointer dereference. ADV-2007-0147 21994 32725 20070110 EIQ Networks Network Security Analyzer DoS Vulnerability eiq-datacollector-dos(31428) 23693 Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8 and FreeBSD 6.1 allows local users to cause a denial of service (panic) and possibly gain privileges via a crafted DMG image that causes "allocation of a negative size buffer" leading to a heap-based buffer overflow, a related issue to CVE-2006-5679. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem. TA07-072A macos-ffsmountfs-bo(31409) ADV-2007-0930 ADV-2007-0141 1017751 21993 32684 24479 23703 http://projects.info-pull.com/moab/MOAB-10-01-2007.html [freebsd-security] 20070114 MOAB advisories APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 http://applefun.blogspot.com/2007/01/moab-10-01-2007-apple-dmg-ufs.html ** DISPUTED ** PHP remote file inclusion vulnerability in install.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the install_dir parameter. NOTE: CVE and third parties dispute this vulnerability because install_dir is defined before use. cscart-install-file-include(31408) 20070109 CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability 20070110 [bogus] [ahmed_labib_hilmy at yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) 31277 Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments field. http://www.zackvision.com/weblog/2007/01/movabletype-security-bug.html ADV-2007-0142 23669 32717 http://golem.ph.utexas.edu/~distler/blog/archives/001102.html PHP remote file inclusion vulnerability in routines/fieldValidation.php in Jshop Server 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the jssShopFileSystem parameter. 21995 33459 jshop-fieldvalidation-file-include(31425) 20070110 Jshop Server 1.3 2146 3113 wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress. 21983 36860 wordpress-tbid-sql-injection(31385) 3109 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0243. Reason: This candidate is a duplicate of CVE-2007-0243. Notes: All CVE users should reference CVE-2007-0243 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor. https://launchpad.net/bugs/79206 https://issues.rpath.com/browse/RPL-972 libgtop2-glibtopbo(31522) ADV-2007-0187 ADV-2007-0185 USN-407-1 22054 MDKSA-2007:023 DSA-1255 GLSA-200701-17 24015 23872 23840 23814 23777 23736 oval:org.mitre.oval:def:10720 32815 http://ftp.gnome.org/pub/gnome/sources/libgtop/2.14/libgtop-2.14.6.news http://bugzilla.gnome.org/show_bug.cgi?id=396477 1018526 RHSA-2007:0765 26367 Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow. TA07-072A ADV-2007-0930 ADV-2007-0191 1017751 22041 32687 3130 1017513 24479 23708 http://projects.info-pull.com/moab/MOAB-14-01-2007.html APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 The ndeb-binary feature in Lookup (lookup-el) allows local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-1269 24590 24377 34263 lookup-ndebbinary-symlink(33052) 1017792 23026 GLSA-200712-07 28023 http://bugs.gentoo.org/show_bug.cgi?id=197306 Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note. https://issues.rpath.com/browse/RPL-1118 https://issues.foresightlinux.org/browse/FL-211 openoffice-starcalc-bo(33112) ADV-2007-1117 ADV-2007-1032 USN-444-1 1017799 23067 20070404 High Risk Vulnerability in OpenOffice RHSA-2007:0069 RHSA-2007:0033 http://www.openoffice.org/security/CVE-2007-0238 http://www.ngssoftware.com/advisories/high-risk-vulnerabilities-in-the-openoffice-suite/ MDKSA-2007:073 GLSA-200704-12 DSA-1270 102794 24906 24810 24676 24647 24646 24613 24588 24550 24465 oval:org.mitre.oval:def:8968 SUSE-SA:2007:023 OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document. ADV-2007-1117 ADV-2007-1032 1017799 DSA-1270 oval:org.mitre.oval:def:11422 https://issues.rpath.com/browse/RPL-1118 https://issues.foresightlinux.org/browse/FL-211 openoffice-shell-command-execution(33113) USN-444-1 22812 RHSA-2007:0069 RHSA-2007:0033 MDKSA-2007:073 GLSA-200704-12 102807 24906 24810 24676 24647 24646 24613 24588 24550 24465 SUSE-SA:2007:023 Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view ADV-2007-1041 zope-unspecifiedget-xss(33187) 23084 DSA-1275 25239 24713 24017 SUSE-SR:2007:011 The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. http://www.trolltech.com/company/newsroom/announcements/press.2007-03-30.9172215350 ADV-2007-1212 http://www.nabble.com/Bug-417390:-CVE-2007-0242,--Qt-UTF-8-overlong-sequence-decoding-vulnerability-t3506065.html oval:org.mitre.oval:def:11510 https://issues.rpath.com/browse/RPL-1202 qt-utf8-xss(33397) USN-452-1 23269 RHSA-2007:0909 RHSA-2007:0883 SUSE-SR:2007:006 MDKSA-2007:076 MDKSA-2007:075 MDKSA-2007:074 DSA-1292 http://support.novell.com/techcenter/psdb/fc79b7f48d739f9c803a24ddad933384.html http://support.novell.com/techcenter/psdb/39ea4b325a7da742cb8b6995fa585b14.html http://support.avaya.com/elmodocs2/security/ASA-2007-424.htm SSA:2007-093-03 27275 27108 26857 26804 25263 24889 24847 24797 24759 24727 24726 24705 24699 FEDORA-2007-703 20070901-01-P Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption. TA07-022A VU#388289 http://www.zerodayinitiative.com/advisories/ZDI-07-005.html 102760 jre-gif-bo(31537) ADV-2007-4224 ADV-2007-1814 ADV-2007-0936 ADV-2007-0211 22085 20070121 Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept Exploit 20070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability RHSA-2007:0956 RHSA-2007:0167 RHSA-2007:0166 SUSE-SA:2007:045 GLSA-200702-07 http://support.novell.com/techcenter/psdb/d2f549cc040cd81ae4a268bb5edfe918.html http://support.novell.com/techcenter/psdb/4f850d1e2b871db609de64ec70f0089c.html 1017520 2158 GLSA-200702-08 28115 27203 26645 26119 26049 25283 24993 24468 24202 24189 23757 oval:org.mitre.oval:def:11073 32834 APPLE-SA-2007-12-14 HPSBUX02196 HPSBUX02196 http://docs.info.apple.com/article.html?artnum=307177 BEA07-172.00 RHSA-2008:0261 pptpgre.c in PoPToP Point to Point Tunneling Server (pptpd) before 1.3.4 allows remote attackers to cause a denial of service (PPTP connection tear-down) via (1) GRE packets with out-of-order sequence numbers or (2) certain GRE packets that are processed using a wrong pointer and improperly dequeued. DSA-1288 ADV-2007-1743 23886 http://sourceforge.net/project/shownotes.php?release_id=501476&group_id=44827 USN-459-2 USN-459-1 2007-0017 1018064 SUSE-SR:2007:019 SUSE-SR:2007:010 GLSA-200705-18 26987 25255 25220 Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten. DSA-1307 https://issues.rpath.com/browse/RPL-1570 openoffice-rtf-bo(34843) ADV-2007-2229 ADV-2007-2166 USN-482-1 1018239 24450 20070613 High risk vulnerability in OpenOffice RTF parser RHSA-2007:0406 SUSE-SA:2007:037 MDKSA-2007:144 GLSA-200707-02 http://sw.openoffice.org/source/browse/sw/sw/source/filter/rtf/swparrtf.cxx?rev=1.67 102917 26476 26022 26010 25905 25894 25862 25705 25673 25650 25648 oval:org.mitre.oval:def:10002 20070602-01-P plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 before 20070524, aka gforge-plugin-scmcvs, allows remote attackers to execute arbitrary commands via shell metacharacters in the PATH_INFO. 25416 25395 ADV-2007-1942 24141 DSA-1297 http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/plugins/scmcvs/www/cvsweb.php?root=gforge&r1=5849&r2=6038&pathrev=6038 gforge-cvsweb-code-execution(34510) squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers to cause a denial of service (core dump) via crafted FTP directory listing responses, possibly related to the (1) ftpListingFinish and (2) ftpHtmlifyListEntry functions. squid-multiple-dos(31523) ADV-2007-0199 USN-414-1 http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12 http://www.squid-cache.org/bugs/show_bug.cgi?id=1857 22079 SUSE-SA:2007:012 MDKSA-2007:026 GLSA-200701-22 23946 23921 23889 23837 23810 23805 23767 39839 The aclMatchExternal function in Squid before 2.6.STABLE7 allows remote attackers to cause a denial of service (crash) by causing an external_acl queue overload, which triggers an infinite loop. 23767 ADV-2007-0199 http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7-RELEASENOTES.html#s12 http://www.squid-cache.org/bugs/show_bug.cgi?id=1848 squid-externalacl-dos(31525) USN-414-1 22203 SUSE-SA:2007:012 MDKSA-2007:026 GLSA-200701-22 23946 23921 23889 23805 Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML via the o parameter. 22012 20070111 Nwom topsites v3.0 33461 2149 index.php in Nwom topsites 3.0 allows remote attackers to obtain potentially sensitive information via a ' (quote) character in the o parameter, which forces a SQL error. 22012 20070111 Nwom topsites v3.0 33462 2149 Integer underflow in the DecodeGRE function in src/decode.c in Snort 2.6.1.2 allows remote attackers to trigger dereferencing of certain memory locations via crafted GRE packets, which may cause corruption of log files or writing of sensitive information into log files. ADV-2007-0152 http://www.snort.org/got_source/source.html 22004 20070111 Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability 33464 32095 http://labs.calyptix.com/advisories/CX-2007-01.txt 1017507 2165 Unspecified vulnerability in easy-content filemanager allows remote attackers to upload or modify arbitrary files via unspecified vectors. 20070111 easy-content filemanager 33463 ** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. http://www.digitalarmaments.com/news_news.shtml http://grsecurity.net/news.php#digitalfud http://forums.grsecurity.net/viewtopic.php?t=1646 Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors. 22002 20070111 Xine-ui format string Vulnerabilties. 31594 xineui-errorscreatewindow-format-string(31505) MDKSA-2007:154 MDKSA-2007:027 GLSA-200701-18 23931 23891 23709 XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017. 20070110 VLC Format String Vulnerability also in XINE 31666 22252 MDKSA-2007:154 MDKSA-2007:027 23931 VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of service (application crash) via a crafted .wmv file. 22003 http://wiki.videolan.org/Changelog/0.8.6b oval:org.mitre.oval:def:14698 39022 http://downloads.securityfocus.com/vulnerabilities/exploits/22003.py vlcmediaplayer-wmv-dos(31515) ** DISPUTED ** Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code. ADV-2007-0155 22014 20070309 Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability 20070120 Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability 20070112 Lies? [Was: Re: Digital Armaments Security Pre-Advisory11.01.2007: Grsecurity Kernel PaX - Local root vulnerability] 20070111 Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability http://www.digitalarmaments.com/pre2007-00018659.html http://www.digitalarmaments.com/news_news.shtml 1017509 23713 32727 http://grsecurity.net/news.php#digitalfud http://forums.grsecurity.net/viewtopic.php?t=1646 Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information. ADV-2007-0157 ADV-2007-0156 22007 23738 23733 32731 32730 http://14house.blogspot.com/2007/01/fastilo-open-source-shopping-cart-vuln.html quickcart-p-xss(31475) 21971 Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to obtain sensitive information via a invalid cat parameter to boxx/knowledgebase.asp, which reveals the path in an error message. ADV-2007-0208 20070111 Ezboxx multiple vulnerabilities. 33470 32829 http://www.bugsec.com/articles.php?Security=20 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Naig 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the this_path parameter. NOTE: a reliable third party disputes this vulnerability because this_path is defined before use. 20070112 Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 20070112 Fwd: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 33472 20070113 Re: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 2145 snews.php in sNews 1.5.30 and earlier does not properly exit when authentication fails, which allows remote attackers to perform unauthorized administrative actions, as demonstrated by changing an administrative password via the changeup task, and by uploading PHP code via the imagefile parameter. 22025 32817 snews-image-file-upload(31535) 23746 3116 WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. 20070112 Wordpress disclosure of Table Prefix Weakness 33458 Unspecified vulnerability in Total Commander before 6.5.6 allows user-assisted remote attackers to delete arbitrary files and corrupt a filesystem via a crafted RAR file. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 22033 http://www.ghisler.com/whatsnew.htm 39837 Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. This vulnerability is addressed in the following product release: WinZip, WinZip, 9.0 SR1 22020 39800 Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to indexes/newscomments.asp. ADV-2007-0208 20070111 Ezboxx multiple vulnerabilities. 33469 33468 33467 32828 32827 32826 http://www.bugsec.com/articles.php?Security=20 23759 SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the iid parameter. ADV-2007-0208 20070111 Ezboxx multiple vulnerabilities. 33466 32825 http://www.bugsec.com/articles.php?Security=20 23759 The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries. TA07-072A ADV-2007-0930 ADV-2007-0171 1017751 22036 32686 24479 23721 http://projects.info-pull.com/moab/MOAB-12-01-2007.html [freebsd-security] 20070114 MOAB advisories APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) the Advanced Queuing component and sys.dbms_aqsys.dbms_aq privileges (DB01), (2) Advanced Replication and sys.dbms_repcat_untrusted (DB07), and (3) Oracle Text and ctxload (DB15). NOTE: Oracle has not publicly claims by reliable researchers that DB01 is for SQL injection in the SYS.DBMS_AQ_INV package, and DB07 is for a buffer overflow in the UNREGISTER_SNAPSHOT procedure in the DBMS_REPCAT_UNTRUSTED package. TA07-017A VU#221788 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aq_inv.html 1017522 32921 32913 32907 Unspecified vulnerability in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to the Change Data Capture and sys.dbms_cdc_subscribe privileges, aka DB02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32908 oracle-cpu-jan2007(31541) 22083 1017522 Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070718 Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03) 20070124 Oracle Buffer Overflow in DBMS_DRS.GET_PROPERTY http://www.appsecinc.com/resources/alerts/oracle/2007-04.shtml 1017522 32909 Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors related to the Log Miner component and sys.dbms_log_mnr privileges, aka DB04. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the ADD_LOGFILE procedure for the SYS.DBMS_LOGMNR package that allows code execution. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_LOGMNR.ADD_LOGFILE http://www.appsecinc.com/resources/alerts/oracle/2007-01.shtml 1017522 32910 Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via unspecified vectors involving certain public procedures, aka DB05. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070718 Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12) 20070124 Oracle Multiple Buffer Overflows and DoS attacks in public procedures of MDSYS.MD http://www.appsecinc.com/resources/alerts/oracle/2007-05.shtml 1017522 32911 Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 http://www.red-database-security.com/advisory/oracle_xmldb_css2.html 1017522 32912 Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL. TA07-017A 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070125 Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME 20070125 Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL 20070124 Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME 1017522 32915 32914 Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 20070117 [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS 1017522 32906 Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9.0.1.5 have unknown impact and attack vectors related to (1) Advanced Security Option and oklist or okdstry (DB10), (2) Oracle Net Services (DB13), and (3) Recovery Manager and oklist (DB16). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32922 32919 32916 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has unknown impact and attack vectors related to the Export component and expdp or impdp, aka DB11. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32917 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) NLS Runtime and lmsgen (DB12), and (2) Oracle Text and ctxkbtc (DB14). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32920 32918 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka (1) OHS01, (2) OHS02, (3) OHS05, (4) OHS06, and (5) OHS07. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32887 32886 32885 32882 32881 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN01. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that OPMN01 is for a buffer overflow in Oracle Notification Service (ONS). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 http://www.red-database-security.com/advisory/oracle_buffer_overflow_ons.html 1017522 32905 Multiple unspecified vulnerabilities in Oracle HTTP Server 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1, and 10.1.3.0; and Collaboration Suite 9.0.4.2 and 10.1.2; have unknown impact and attack vectors related to the Oracle HTTP Server, aka (1) OHS03 and (2) OHS04. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32884 32883 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.2 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3 and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to Oracle Containers for J2EE, aka OC4J02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32896 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.3 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2, have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J03 and (2) OC4J04. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32898 32897 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 9.0.4.2 and 10.1.2; and E-Business Suite and Applications 11.5.10CU2 has unknown impact and attack vectors related to Oracle Reports Developer, aka REP01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32894 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 10.1.2.0.2 and 10.1.3.0, and Collaboration Suite 10.1.2, has unknown impact and attack vectors related to Containers for J2EE, aka OC4J07. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32901 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.0, and 10.1.2.0.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to Containers for J2EE, aka OC4J08. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32902 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle Application Server 10.1.4.0 has unknown impact and attack vectors related to Oracle Internet Directory, aka OID01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32903 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0.4.2 have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J01, (2) OC4J05, and (3) OC4J06. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32900 32899 32895 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors related to (1) Application Object Library (APPS01), (2) Human Resources (APPS03), (3) Payables (APPS04), (4) Trading Community Architecture (APPS05), and (5) Web Applications Desktop Integrator (APPS06). TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32893 32892 32891 32890 32888 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle E-Business Suite and Applications 6.2.3 has unknown impact and attack vectors related to Oracle Exchange, aka APPS02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32889 oracle-cpu-jan2007(31541) 22083 1017522 Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 have unknown impact and attack vectors related to Oracle Agent, aka (1) EM01 and (2) EM02. NOTE: EM05 might be related to CVE-2007-0222. TA07-017A 22083 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 1017522 32876 32875 Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors related to (1) Oracle Agent (EM03) and (2) EM04 and (3) EM05 in Enterprise Manager Console. NOTE: EM05 might be related to CVE-2007-0222. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 32879 32878 32877 Unspecified vulnerability in Oracle Enterprise Manager 10.2.0.1 has unknown impact and attack vectors related to Database Cloning & Data Guard Management, aka EM06. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 32880 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13 and 8.47.11 has unknown impact and attack vectors in PeopleTools, aka PSE01. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13, 8.47.11, and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE02. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.47.11 and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE03. TA07-017A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 23794 oracle-cpu-jan2007(31541) 22083 1017522 PHP remote file inclusion vulnerability in show.php in LunarPoll, when register_globals is enabled, allows remote attackers execute arbitrary PHP code via a URL in the PollDir parameter. ADV-2007-0177 22024 20070112 LunarPoll (PollDir) Remote File Include Vulnerabilities 31639 20070112 Source Verify of LunarPoll PollDir RFI lunarpoll-show-file-include(31472) 1017510 2152 23760 3117 Integer overflow in the byte_swap_sbin function in bsd/ufs/ufs/ufs_byte_order.c in Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service (kernel panic) by mounting a crafted Unix File System (UFS) DMG image, which triggers an invalid pointer dereference. VU#515792 TA07-072A ADV-2007-0930 1017751 31653 24479 23725 http://projects.info-pull.com/moab/MOAB-11-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 APPLE-SA-2007-03-13 PHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0176 22021 23722 32814 3118 20070112 [Bogus - partly] V TLM CMS <= 1.1 (i-accueil.php chemin) Remote File Include Vulnerability (fwd) PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0178 22040 23743 32824 3123 Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx. ADV-2007-0227 22052 20070115 InstantForum.NET Multiple Cross-Site Scripting Vulnerability 32853 32852 instantforum-multiple-scripts-xss(31521) 2164 23787 Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have unknown impact and attack vectors related to "Potential security bugs." ADV-2007-0181 22049 http://www.pancake.org/zina-changelog-12 SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0175 23756 32820 3120 SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon Sistemi 4.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0206 22060 20070115 Okul Web Otomasyon Sistemi (etkinlikbak.asp) SQL Injection Vulnerability 23755 32819 2151 3135 SQL injection vulnerability in visu_user.asp in Digiappz DigiAffiliate 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0179 22039 23744 32818 3122 PHP remote file inclusion vulnerability in include/common.php in Poplar Gedcom Viewer 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[rootPath] parameter. ADV-2007-0174 22038 23761 32807 3121 Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles. 22051 http://www.plainblack.com/getwebgui/advisories/webgui-7_3_4-beta-released#BUeIjcWiQasypsJxD-YwgQ 23718 32813 SQL injection vulnerability in blocks/block-Old_Articles.php in Francisco Burzi PHP-Nuke 7.9 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter. 22037 20070113 PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html 1017511 32863 phpnuke-blockoldarticles-sql-injection(31482) 2153 23748 BMC Remedy Action Request System 5.01.02 Patch 1267 generates different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to determine valid account names. ADV-2007-0204 22066 20070115 Remedy Action Request System 5.01.02 - User Enumeration http://www.alighieri.org/advisories/advisory-remedy50102.txt 23775 31658 rars-login-information-disclosure(31527) 20070116 Re: Remedy Action Request System 5.01.02 - User Enumeration 1017515 2162 Texas Imperial Software WFTPD and WFTPD Pro Server 3.25 and earlier allow remote attackers to cause a denial of service (application crash) via a long SITE ADMIN command. wftpd-admn-dos(31517) 22046 3126 wcSimple Poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password hashes via a direct request for password.txt. 20070114 wcSimple Poll (password.txt) Remote Password Disclosure Vulnerablity 33539 2157 Unspecified vulnerability in GONICUS System Administration (GOsa) before 2.5.8 allows remote authenticated users to modify certain settings, including the admin password, via crafted POST requests. [gosa] 20070115 GOsa 2.5.8 released (security fixes!) ADV-2007-0207 23749 32821 gosa-unspecified-data-manipulation(31516) Multiple PHP remote file inclusion vulnerabilities in Article System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_DIR parameter to (1) forms.php, (2) issue_edit.php, (3) client.php, and (4) classes.php. article-system-includedir-file-include(31446) 22017 3114 Multiple buffer overflows in FileZilla before 2.2.30a allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors related to (1) Options.cpp when storing settings in the registry, and (2) the transfer queue (QueueCtrl.cpp). NOTE: some of these details are obtained from third party information. Failed exploit attempts may result in a application level denial-of-service condition. filezilla-options-queuectrl-bo(31500) 22057 http://sourceforge.net/project/shownotes.php?release_id=475423&group_id=21558 ADV-2007-0183 Multiple SQL injection vulnerabilities in All In One Control Panel (AIOCP) 1.3.010 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) xuser_name parameter to shared/code/cp_authorization.php, and the (2) did parameter to public/code/cp_downloads.php, different vectors than CVE-2007-0223. aiocp-cpdownloads-sql-injection(31485) ADV-2007-0190 22032 20070112 AIOCP Login Bypass Vulnerability 20070112 AIOCP SQL Injection Vulnerability 23740 32810 32809 2166 Format string vulnerability in the LogMessage function in FileZilla before 3.0.0-beta5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted arguments. NOTE: some of these details are obtained from third party information. filezilla-logmessage-format-string(31497) 22063 http://sourceforge.net/project/shownotes.php?release_id=477793&group_id=21558 ADV-2007-0182 The do_hfs_truncate function in Mac OS X 10.4.8 allows context-dependent attackers to cause a denial of service (kernel panic) via a crafted HFS+ filesystem in a DMG image, which causes an access of an invalid vnode structure during file removal. TA07-072A ADV-2007-0930 ADV-2007-0171 23742 1017759 32685 24479 http://projects.info-pull.com/moab/MOAB-13-01-2007.html APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 Multiple stack-based buffer overflows in the Motive ActiveEmailTest.EmailData (ActiveUtils EmailData) ActiveX control in ActiveUtils.dll in Motive Service Activation Manager 5.1 and Self Service Manager 5.1 and earlier allow remote attackers to execute arbitrary code via unspecified vectors. VU#747233 activeutils-emaildata-bo(36034) ADV-2007-2881 25312 http://www.motive.com/securitybulletin_08122007.asp MS07-045 37710 1018571 26481 Multiple buffer overflows in (a) an ActiveX control (iftw.dll) and (b) Netscape plug-in (npiftw32.dll) for Macrovision (formerly InstallShield) InstallFromTheWeb allow remote attackers to execute arbitrary code via crafted HTML documents. VU#181041 macrovision-installfromtheweb-activex-bo(32645) macrovision-installfromtheweb-activex-bo(32645) ADV-2007-0705 22672 http://www.kb.cert.org/vuls/id/MAPG-6UQUDP 24285 33531 33530 Buffer overflow in the Update Service Agent ActiveX Control in isusweb.dll for Macrovision FLEXnet Connect (formerly InstallShield Update Service) allows remote attackers to execute arbitrary code via the Download method. VU#847993 macrovision-updateservice-activex-bo(32678) ADV-2007-0706 http://www.kb.cert.org/vuls/id/MAPG-6UERNR http://support.installshield.com/kb/view.asp?articleid=Q113020 24270 33532 Multiple stack-based buffer overflows in the Intuit QuickBooks Online Edition ActiveX control before 10 allow remote attackers to execute arbitrary code via unspecified vectors. VU#907481 quickbooks-activex-bo(36462) 25544 26659 Buffer overflow in the SetLanguage function in Research In Motion (RIM) TeamOn Import Object ActiveX control (TOImport.dll) allows remote attackers to execute arbitrary code via unspecified vectors. VU#869641 TA07-128A MS07-027 ADV-2007-1716 HPSBST02214 35873 rim-toimport-activex-bo(34182) 23331 HPSBST02214 http://www.blackberry.com/btsc/articles/74/KB13142_f.SAL_Public.html 25218 Multiple buffer overflows in the LizardTech DjVu Browser Plug-in before 6.1.1 allow remote attackers to execute arbitrary code via unspecified vectors. VU#522393 22569 20070215 Lizardtech DjVu Browser Plug-in - Multiple Vulnerabilities 24149 ADV-2007-0618 http://www.lizardtech.com/products/doc/djvupluginrelease.php 33199 djvu-browser-multiple-bo(32510) 2259 Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document. Successful exploitation requires that OfficeScan client was installed using web deployment. The vendor has issued a fix (7.0 Security Patch - Build 1344; 7.3 Security Patch - Build 1241). VU#784369 24193 ADV-2007-0638 http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt 1017664 22585 33040 http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288 Multiple stack-based buffer overflows in the PhotoChannel Networks PNI Digital Media Photo Upload Plugin ActiveX control before 2.0.0.10, as used by multiple retailers, allow remote attackers to execute arbitrary code via unspecified vectors. This vulnerability is addressed in the following product release: PhotoChannel, PNI Digital Media Photo Upload Plugin ActiveX control, 2.0.0.10 VU#854769 ADV-2007-3181 37958 photochannel-photo-upload-bo(36643) 1018701 25685 26830 The DWUpdateService ActiveX control in the agent (agent.exe) in Macrovision FLEXnet Connect 6.0 and Update Service 3.x to 5.x allows remote attackers to execute arbitrary commands via (1) the Execute method, and obtain the exit status using (2) the GetExitCode method. VU#524681 http://support.installshield.com/kb/view.asp?articleid=Q113020 macrovision-dwupdate-command-execution(34660) ADV-2008-3278 ADV-2007-2017 http://www.blackberry.com/btsc/articles/749/KB16469_f.SAL_Public.html 32842 25501 36896 download.php in Joonas Viljanen JV2 Folder Gallery allows remote attackers to read sensitive files via a relative pathname in the file parameter, as demonstrated by config/gallerysetup.php. NOTE: this issue might be resultant from a directory traversal vulnerability. ADV-2007-0180 23724 32811 3125 Buffer overflow in wsbho2k0.dll, as used by wsftpurl.exe, in Ipswitch WS_FTP 2007 Professional allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long ftp:// URL in an HTML document, and possibly other vectors. 22062 20070116 Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability 20070114 Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability 20070112 Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability 33476 2160 Cross-site scripting (XSS) vulnerability in liens.php3 in liens_dynamiques 2.1 allows remote attackers to inject arbitrary web script or HTML by using the ajouter=1 query string and the add menu. 22070 20070114 liens_dynamiques xss and admin authentification 33540 liensdynamiques-liens-xss(31528) (1) admin/adminlien.php3 and (2) admin/modif.php3 in liens_dynamiques 2.1 do not require authentication, which allows remote attackers to perform unauthorized administrative actions using a direct request. 22068 20070114 liens_dynamiques xss and admin authentification 33542 33541 Agnitum Outpost Firewall PRO 4.0 allows local users to bypass access restrictions and insert Trojan horse drivers into the product's installation directory by creating links using FileLinkInformation requests with the ZwSetInformationFile function, as demonstrated by modifying SandBox.sys. 22069 20070115 Outpost Bypassing Self-Protection using file links Vulnerability http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-using-file-links.php 33480 outpostfirewall-zwset-privilege-escalation(31529) 2163 Unspecified vulnerability in the SIP module in InGate Firewall and SIParator before 4.5.1 allows remote attackers to conduct replay attacks on the authentication mechanism via unknown vectors. 23737 ADV-2007-0209 22080 http://www.ingate.com/relnote-451.php 32831 ingate-sip-security-bypass(31546) Multiple directory traversal vulnerabilities in Jax Petition Book 1.0.3.06 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the languagepack parameter to (1) jax_petitionbook.php or (2) smileys.php. ADV-2007-0220 22072 20070116 Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities 20070115 Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities 20070114 Jax Petition Book (languagepack) Remote File Include Vulnerabilities 32836 32835 petitionbook-language-file-include(31543) 2161 23784 Undercover.app/Contents/Resources/uc in Rixstep Undercover allows local users to overwrite arbitrary files, probably related to a race condition. 22071 20070115 Rixstep aren't as leet as they thought they were Directory traversal vulnerability in sesskglogadmin.php in KGB 1.9 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the skinnn parameter, as demonstrated by invoking kg.php with a postek parameter containing PHP code, which is injected into a file in the kg directory, and then included by sesskglogadmin.php. ADV-2007-0228 22065 31585 kgb-sesskglogadmin-file-include(31508) 23768 3134 Heap-based buffer overflow in Dream FTP Server allows remote attackers to execute arbitrary code via a USER command with a large number of format string specifiers, which triggers the overflow during processing of the Server Log. 23731 32816 3128 SQL injection vulnerability in index.php (aka the login form) in Scriptme SMe FileMailer 1.21 allows remote attackers to execute arbitrary SQL commands via the Password field (ps parameter). NOTE: some of these details are obtained from third party information. 20070116 [x0n3-h4ck] SmE FileMailer 1.21 Remote Sql Injextion Exploit 20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection 23766 32832 2154 SQL injection vulnerability in inc/header.inc.php in ThWboard 3.0b2.84-php5 and earlier allows remote attackers to execute arbitrary SQL commands via the board[styleid] parameter to index.php. 23735 32837 3124 Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earlier, when Microsoft Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a CSS style in the convcharset parameter to the top-level URI, a different vulnerability than CVE-2005-0992. http://www.virtuax.be/advisories/Advisory1-12012007.txt 20070112 Re: xss in phpmyadmin <= 2.8.1 20070112 xss in phpmyadmin <= 2.8.1 WebCore in Apple WebKit build 18794 allows remote attackers to cause a denial of service (null dereference and application crash) via a TD element with a large number in the ROWSPAN attribute, as demonstrated by a crash of OmniWeb 5.5.3 on Mac OS X 10.4.8, a different vulnerability than CVE-2006-2019. 22059 http://security-protocols.com/sp-x41-advisory.php OpenBSD before 20070116 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via certain IPv6 ICMP (aka ICMP6) echo request packets. 22087 [3.9] 018: RELIABILITY FIX: January 16, 2007 [4.0] 008: RELIABILITY FIX: January 16, 2007 1017518 32935 23830 Multiple format string vulnerabilities in (1) _invitedToRoom: and (2) _invitedToDirectChat: in Colloquy 2.1 and earlier allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in the channel name of an INVITE request, related to the implementation of AlertSheet and AlertPanel in Apple AppKit. 22086 23801 ADV-2007-0238 32688 http://projects.info-pull.com/moab/MOAB-16-01-2007.html 3139 The (1) Activity Monitor.app/Contents/Resources/pmTool, (2) Keychain Access.app/Contents/Resources/kcproxy, and (3) ODBC Administrator.app/Contents/Resources/iodbcadmintool programs in /Applications/Utilities/ in Mac OS X 10.4.8 have weak permissions (writable by admin group), which allows local admin users to gain root privileges by modifying a program and then performing permissions repair via diskutil. http://projects.info-pull.com/moab/MOAB-15-01-2007.html macosx-applications-privilege-escalation(31530) 32702 32701 32700 3136 SQL injection vulnerability in index.php in SmE FileMailer 1.21 allows remote attackers to execute arbitrary SQL commands via the us parameter. ADV-2007-0221 20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection 32832 smefilemailer-login-sql-injection(31533) The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries. The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem. An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM". Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default). 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability http://www.cvstrac.org/cvstrac/tktview?tn=683 http://www.cvstrac.org/cvstrac/chngview?cn=850 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability ADV-2007-0398 OpenPKG-SA-2007.008 31935 22296 2192 23940 Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172, and possibly other products, allows remote attackers to execute arbitrary code via a long ApplicationType property. VU#922969 interactual-iasysteminfo-bo(33186) ADV-2007-1043 ADV-2007-1042 23071 20070321 Secunia Research: InterActual Player / CinePlayer IASystemInfo.dllActiveX Control Buffer Overflow http://secunia.com/secunia_research/2007-37/advisory/ 24556 23075 23032 34315 34314 Directory traversal vulnerability in upgrade.php in nicecoder.com INDEXU 5.x allows remote attackers to include arbitrary local files via a .. (dot dot) in the gateway parameter. 20070116 vulnerability script indexu all versions 45533 indexu-upgrade-file-include(31539) Multiple SQL injection vulnerabilities in (a) index.php and (b) dl.php in SmE FileMailer 1.21 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ps, (2) us, (3) f, or (4) code parameter. NOTE: the us vector in index.php is already covered by CVE-2007-0346. smefilemailer-login-sql-injection(31533) ADV-2007-0221 32833 20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection 20070116 [x0n3-h4ck] SmE FileMailer 1.21 Remote Sql Injextion Exploit Microsoft Windows XP and Windows Server 2003 do not properly handle user logoff, which might allow local users to gain the privileges of a previous system user, possibly related to user profile unload failure. NOTE: it is not clear whether this is an issue in Windows itself, or an interaction with another product. The issue might involve ZoneAlarm not being able to terminate processes when it cannot prompt the user. 20070211 Windows logoff bug solution possibly. 20070123 Re: Windows logoff bug possible security vulnerability and exploit. 20070118 Re: Windows logoff bug possible security vulnerability and exploit. 20070117 Re: Windows logoff bug possible security vulnerability and exploit. 20070117 Windows logoff bug possible security vulnerability and exploit. Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a crafted .cnt file composed of lines that begin with an integer followed by a space and a long string. 20070117 Microsoft Help Workshop .CNT contents files buffer overflow vulnerability http://www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp 31898 ms-help-workshop-cnt-bo(31555) 22100 1017530 2156 23862 3149 Cross-site scripting (XSS) vulnerability in (1) index.php and (2) login.php in myBloggie 2.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO string. 22097 20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit 32930 32929 http://mywebland.com/forums/showtopic.php?t=1224 20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit mybloggie-indexlogin-xss(31554) 1017531 2155 SQL injection vulnerability in email.php in MGB OpenSource Guestbook 0.5.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0232 http://www.tv-kritik.net/mgb/index.php 22094 20070118 vendor ACK for MGB Guestbook issue 31612 mgb-email-sql-injection(31551) 23825 3141 Buffer overflow in the Apple Minimal SLP v2 Service Agent (slpd) in Mac OS X 10.4.11 and earlier, including 10.4.8, allows local users, and possibly remote attackers, to gain privileges and possibly execute arbitrary code via a registration request with an invalid attr-list field. TA08-043B macos-slpd-bo(31562) ADV-2007-0239 22101 32693 1017533 23796 http://projects.info-pull.com/moab/MOAB-17-01-2007.html 3151 APPLE-SA-2008-02-11 1019359 http://docs.info.apple.com/article.html?artnum=307430 The Common Controls Replacement Project (CCRP) FolderTreeview (FTV) ActiveX control (ccrpftv6.ocx) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long CCRP.RootFolder property value. 22092 ie-ccrp-dos(31549) 3142 Directory traversal vulnerability in the AVM IGD CTRL Service in Fritz!DSL 02.02.29 allows remote attackers to read arbitrary files via ..%5C (URL-encoded dot dot backslash) sequences in a URI requested from the AR7 webserver. ADV-2007-0236 22093 32866 20070117 Flaw in AVM UPNP service for windows fritz-avm-directory-traversal(31556) 2159 23774 Unspecified vulnerability in the FTP server implementation in HP Jetdirect firmware x.20.nn through x.24.nn allows remote attackers to cause a denial of service via unknown vectors. 23802 ADV-2007-0233 32867 HPSBPI02185 HPSBPI02185 hp-jetdirect-unspecified-dos(31589) 22105 1017532 PHP remote file inclusion vulnerability in frontpage.php in Uberghey CMS 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the setup_folder parameter. ADV-2007-0230 20070118 source verify: Uberghey CMS 0.3.1 RFI uberghey-frontpage-file-include(31553) 22098 3147 PHP remote file inclusion vulnerability in lang/index.php in Oreon 1.2.3 RC4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. ADV-2007-0229 33711 oreon-index-file-include(31568) 22107 20070211 Oreon1.2.x Series Exploit Coded 3150 PHP remote file inclusion vulnerability in mep/frame.php in PHPMyphorum 1.5a allows remote attackers to execute arbitrary PHP code via a URL in the chem parameter. ADV-2007-0231 phpmyphorum-frame-file-include(31552) 22099 3145 Cross-site scripting (XSS) vulnerability in the RSS feed component in FreshReader before 1.0.07010600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to tag attributes. ADV-2007-0241 23806 32923 http://manual.freshreader.com/archives/2007/01/20070118_javasc.html JVN#95249468 freshreader-rssfeed-xss(31566) 22106 Cross-site scripting (XSS) vulnerability in admin-search.php in (1) Openads for PostgreSQL (aka phpPgAds) before 2.0.10 and (2) Openads (aka phpAdsNew) before 2.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. http://sourceforge.net/project/shownotes.php?group_id=36679&release_id=479426 http://sourceforge.net/project/shownotes.php?group_id=11386&release_id=479424 23720 ADV-2007-0240 openads-unspecified-xss(31570) 22124 Multiple cross-site scripting (XSS) vulnerabilities in nicecoder.com INDEXU 5.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to (a) suggest_category.php; the (2) u parameter to (b) user_detail.php; the (3) friend_name, (4) friend_email, (5) error_msg, (6) my_name, (7) my_email, and (8) id parameters to (c) tell_friend.php; the (9) error_msg, (10) email, (11) name, and (12) subject parameters to (d) sendmail.php; the (13) email, (14) error_msg, and (15) username parameters to (e) send_pwd.php; the (16) keyword parameter to (f) search.php; the (17) error_msg, (18) username, (19) password, (20) password2, and (21) email parameters to (g) register.php; the (22) url, (23) contact_name, and (24) email parameters to (h) power_search.php; the (25) path and (26) total parameters to (i) new.php; the (27) query parameter to (j) modify.php; the (28) error_msg parameter to (k) login.php; the (29) error_msg and (30) email parameters to (l) mailing_list.php; the (31) gateway parameter to (m) upgrade.php; and another unspecified vector. indexu-multiple-scripts-xss(31538) ADV-2007-0222 22084 20070116 vulnerability script indexu all versions 32851 32850 32849 32848 32847 32846 32845 32844 32843 32842 32841 32840 32838 23764 32839 Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.009 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is probably a different vulnerability than CVE-2006-5830. aiocp-unspecified-xss(31486) http://sourceforge.net/project/shownotes.php?release_id=478370 23732 ADV-2007-0189 32808 Untrusted search path vulnerability in Rumpus 5.1 and earlier allows local users to gain privileges via a modified PATH that points to a malicious ipfw program. rumpus-path-privilege-escalation(31597) http://projects.info-pull.com/moab/MOAB-18-01-2007.html 32690 rumpus-path-privilege-escalation(31597) 23842 Rumpus 5.1 and earlier has weak permissions for certain files and directories under /usr/local/Rumpus, including the configuration file, which allows local users to have an unknown impact by creating, modifying, or deleting files. http://projects.info-pull.com/moab/MOAB-18-01-2007.html 32691 23842 Stack-based buffer overflow in mbse-bbs 0.70 and earlier allows local users to execute arbitrary code via a long string in the MBSE_ROOT environment variable. 22112 http://www.mbse.eu/mbse/mbsebbs/index.html mbsebbs-mbuseradd-bo(31639) 3154 20070118 mbsebbs 0.70.0 & below local root exploit SQL injection vulnerability in phpBP RC3 (2.204) and earlier allows remote attackers to execute arbitrary SQL commands via the comment forum. 34763 phpbp-comment-sql-injection(31622) 3153 Unrestricted file upload vulnerability in index.php in phpBP RC3 (2.204) and earlier allows remote administrators to inject arbitrary PHP code into an upload/banners/ file via a banners add operation that uploads the PHP code through an image_form parameter specifying a multiple-extension filename such as .jpg.vil.gif.php, which is stored in upload/banners/ under a different name, and executable via a direct request. NOTE: a separate SQL injection issue could be leveraged to make this vulnerability reachable by remote unauthenticated attackers. 34762 phpbp-banner-file-upload(31619) 3153 A certain ActiveX control in the Common Controls Replacement Project (CCRP) CCRP BrowseDialog Server (ccrpbds6.dll) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long CCRP_BDc.SelectedFolder property value. 22110 34647 3155 Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 7.9 allow remote attackers to execute arbitrary SQL commands via (1) the active parameter in admin/modules/modules.php; the (2) ad_class, (3) imageurl, (4) clickurl, (5) ad_code, or (6) position parameter in modules/Advertising/admin/index.php; or unspecified vectors in the (7) advertising, (8) weblinks, or (9) reviews section. 22116 http://www.hackers.ir/advisories/festival.txt 33702 33701 33700 33699 33698 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in PHP-Nuke Multiple SQL injection vulnerabilities in Joomla! 1.5.0 Beta allow remote attackers to execute arbitrary SQL commands via (1) the searchword parameter in certain files; the where parameter in (2) plugins/search/content.php or (3) plugins/search/weblinks.php; the text parameter in (4) plugins/search/contacts.php, (5) plugins/search/categories.php, or (6) plugins/search/sections.php; or (7) the email parameter in database/table/user.php, which is not properly handled by the check function. 22122 http://www.hackers.ir/advisories/festival.txt 32533 32532 32531 32530 32529 32528 32527 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and Mambo SQL injection vulnerability in (1) Joomla! 1.0.11 and 1.5 Beta, and (2) Mambo 4.6.1, allows remote attackers to execute arbitrary SQL commands via the id parameter when cancelling content editing. 20070118 The vulnerabilities festival ! 19734 http://www.hackers.ir/advisories/festival.txt 32520 20070204 Sql injection bugs in Joomla and Mambo Joomla! 1.5.0 Beta allows remote attackers to obtain sensitive information via a direct request for (1) plugins/user/example.php; (2) gmail.php, (3) example.php, or (4) ldap.php in plugins/authentication/; (5) modules/mod_mainmenu/menu.php; or other unspecified PHP scripts, which reveals the path in various error messages, related to a jimport function call at the beginning of each script. http://www.hackers.ir/advisories/festival.txt 32526 32525 32524 32523 32522 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and Mambo Cross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 22123 http://www.hackers.ir/advisories/festival.txt http://virtuemart.svn.sourceforge.net/viewvc/*checkout*/virtuemart/branches/virtuemart-1_0_0/virtuemart/CHANGELOG.php?revision=607 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Virtuemart and Letterman 24058 Multiple SQL injection vulnerabilities in Xoops 2.0.16 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in kernel/group.php in core, (2) the lid parameter in class/table_broken.php in the Weblinks module, and other unspecified vectors. http://www.hackers.ir/advisories/festival.txt 33685 33684 20070118 The vulnerabilities festival ! 22399 20070204 Sql injection bugs in Xoops 2.0.16 + Weblinks module Multiple SQL injection vulnerabilities in DocMan 1.3 RC2 allow attackers to execute arbitrary SQL commands via unspecified vectors. http://www.hackers.ir/advisories/festival.txt 34650 20070118 The vulnerabilities festival ! Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.hackers.ir/advisories/festival.txt 34651 20070118 The vulnerabilities festival ! DocMan 1.3 RC2 allows remote attackers to obtain sensitive information (the full path) via unspecified vectors. http://www.hackers.ir/advisories/festival.txt 34652 20070118 The vulnerabilities festival ! Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues. http://www.atutor.ca/atutor/mantis/changelog_page.php http://www.hackers.ir/advisories/festival.txt 34660 20070118 The vulnerabilities festival ! Multiple SQL injection vulnerabilities in letterman.class.php in the Letterman 1.2.3 (com_letterman) component for Joomla! before 1.0.12 allow remote attackers to execute arbitrary SQL commands via the id parameter, related to the (1) lm_sendMail, (2) saveNewsletter, and (3) cancelNewsletter functions. 22117 http://www.hackers.ir/advisories/festival.txt 33688 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Virtuemart and Letterman ** DISPUTED ** WDaemon 9.5.4 allows remote attackers to access the /WorldClient.dll URI on TCP port 3000, which has unknown impact. NOTE: The researcher reports that the vendor response was "this is not a security bug." http://www.hackers.ir/advisories/festival.txt 34661 20070118 The vulnerabilities festival ! Cross-site scripting (XSS) vulnerability in preview in the reviews section in PostNuke 0.764 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 22119 http://www.hackers.ir/advisories/festival.txt 35473 http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/?root=postnuke 20070118 The vulnerabilities festival ! The faq section in PostNuke 0.764 allows remote attackers to obtain sensitive information (the full path) via "unvalidated output" in FAQ/index.php, possibly involving an undefined id_cat variable. http://www.hackers.ir/advisories/festival.txt 35472 http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/FAQ/index.php?root=postnuke&r1=20350&r2=20911 http://noc.postnuke.com/plugins/scmsvn/viewcvs.php/trunk/Historic/PostNuke7x/html/modules/?root=postnuke 20070118 The vulnerabilities festival ! Unspecified vulnerability in the rating section in PostNuke 0.764 has unknown impact and attack vectors, related to "an interesting bug." http://www.hackers.ir/advisories/festival.txt 35471 20070118 The vulnerabilities festival ! SQL injection vulnerability in models/category.php in the Weblinks component for Joomla! SVN 20070118 (com_weblinks) allows remote attackers to execute arbitrary SQL commands via the catid parameter. http://www.hackers.ir/advisories/festival.txt 34792 20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and Mambo SQL injection vulnerability in search.php in Woltlab Burning Board (wBB) 1.0.2 and earlier, and 2.3.6 and earlier in the 2.x series, allows remote attackers to execute arbitrary SQL commands via the boardids[1] and other boardids[] parameters. wbb-search-sql-injection(31550) 33872 3144 3143 Directory traversal vulnerability in ArsDigita Community System (ACS) 3.4.10 and earlier, and ArsDigita Community Education Solution (ACES) 1.1, allows remote attackers to read arbitrary files via .%252e/ (double-encoded dot dot slash) sequences in the URI. ADV-2007-0286 22121 20070118 Directory Traversal in ArsDigita Community System 33552 acs-url-directory-traversal(31613) Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML via the tag parameter. 22115 20070118 [x0n3-h4ck] sabros.us 1.7 XSS Exploit 31602 20070118 [x0n3-h4ck] sabros.us 1.7 XSS Exploit sabros-index-xss(31600) 2170 23824 20070118 [x0ne-h4ck] sabros.us 1.7 XSS Exploit Format string vulnerability in the log creation functionality of BitDefender Client Professional Plus 8.02 allows attackers to execute arbitrary code via certain scan job settings. ADV-2007-0253 http://www.bitdefender.com/KB325-en--Format-string-vulnerability.html 20070119 Layered Defense Research Advisory: BitDefender Client 8.02 Format String Vulnerability bitdefender-scanjob-format-string(31608) 22128 20070119 Layered Defense Research Advisory: BitDefender Client 8.02 Format String Vulnerability IBM AIX 5.3 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572. 20070118 Re: Multiple OS kernel insecure handling of stdio file descriptor 20070118 Multiple OS kernel insecure handling of stdio file descriptor Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572. 20070118 Re: Multiple OS kernel insecure handling of stdio file descriptor 20070118 Multiple OS kernel insecure handling of stdio file descriptor HP HP-UX B11.11 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572. 20070118 Re: Multiple OS kernel insecure handling of stdio file descriptor 20070118 Multiple OS kernel insecure handling of stdio file descriptor PHP remote file inclusion vulnerability in libraries/grab_globals.lib.php in ComVironment 4.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter. ADV-2007-0266 22108 34621 comvironment-grabglobals-file-include(31564) 3152 Unspecified vulnerability in HP-UX B.11.23, when running IPFilter in combination with PHNE_34474, allows remote attackers to cause a denial of service (system crash) via unspecified vectors. ADV-2007-0234 22103 1017527 23800 oval:org.mitre.oval:def:6104 32869 HPSBUX02181 HPSBUX02181 hp-ipfilter-dos(31565) The Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.3 and Adaptive Security Device Manager (ASDM) before 5.2(2.54) do not validate the SSL/TLS certificates or SSH public keys when connecting to devices, which allows remote attackers to spoof those devices to obtain sensitive information or generate incorrect information. 20070118 SSL/TLS Certificate and SSH Public Key Validation Vulnerability ADV-2007-0245 32720 cisco-csmars-asdm-device-spoofing(31567) 22111 1017536 1017535 23836 Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) Sujet or (2) Pseudo field. aforum-unspecified-xss(31610) 20070119 a-forum xss 20070122 a-forum xss - who? what? where? Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action. 20070120 SMF "index.php?action=pm" Cross Site-Scripting 32606 http://aria-security.com/forum/showthread.php?p=128 smf-pm-xss(31612) 22143 20070202 Re: SMF "index.php?action=pm" Cross Site-Scripting 20070126 Re: Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting 20070122 Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting 20070121 Re: SMF "index.php?action=pm" Cross Site-Scripting 2169 Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. 20070120 Login Manager Multiple HTML Injections loginmanager-memberlist-xss(31614) 2167 SQL injection vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the init_row parameter. 20070120 Login Manager Multiple HTML Injections 2167 Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter. 20070120 Paypal Subscription Manager Multiple HTML Injections 33559 psm-editmember-xss(31618) 2168 SQL injection vulnerability in admin/memberlist.php in Easebay Resources Paypal Subscription Manager allows remote attackers to execute arbitrary SQL commands via the keyword parameter. 20070120 Paypal Subscription Manager Multiple HTML Injections 36103 33560 psm-memberlist-sql-injection(31616) 2168 bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file. 23826 http://code.djangoproject.com/changeset/3592 django-po-code-execution(31627) 22134 The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user. 23826 django-request-session-hijacking(31628) 22138 http://code.djangoproject.com/changeset/3754 Multiple buffer overflows in the (1) main function in (a) client.c, and the (2) server_setup and (3) server_client_connect functions in (b) server.c in gxine 0.5.9 and earlier allow local users to cause a denial of service (daemon crash) or gain privileges via a long HOME environment variable. NOTE: some of these details are obtained from third party information. http://xinehq.de/index.php/news?show_category_id=1 ADV-2007-0259 http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=476891 38321 38320 gxine-serversetup-serverclient-bo(31604) Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 (beta) allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate "WikiPage titles" issue was also fixed. webgui-username-xss(31573) ADV-2007-0242 22114 http://www.plainblack.com/downloads/builds/7.3.5-beta/WebGUI/docs/changelog/7.x.x.txt http://www.plainblack.com/bugs/tracker/security-update-cross-site-scripting-vulnerability 23754 32928 BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate client certificates when reusing cached connections, which allows remote attackers to obtain access via an untrusted X.509 certificate. BEA07-135.00 ADV-2007-0213 1017519 23750 38500 22082 BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial release does not encrypt passwords stored in the JDBCDataSourceFactory MBean Properties, which allows local administrative users to read the cleartext password. BEA07-136.00 ADV-2007-0213 1017525 23750 38501 22082 Unspecified vulnerability in the thread management in BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1, when T3 authentication is used, allows remote attackers to cause a denial of service (thread and system hang) via unspecified "sequences of events." BEA07-137.00 ADV-2007-0213 1017525 23750 38502 22082 BEA WebLogic Server 8.1 through 8.1 SP5, 9.0, 9.1, and 9.2 Gold, when WS-Security is used, does not properly validate certificates, which allows remote attackers to conduct a man-in-the-middle (MITM) attack. BEA07-138.00 ADV-2007-0213 1017525 23750 38503 22082 BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 through 8.1 SP5 allows remote attackers to read arbitrary files inside the class-path property via .ear or exploded .ear files that use the manifest class-path property to point to utility jar files. BEA07-139.00 ADV-2007-0213 1017525 23750 38505 22082 BEA WebLogic Server 8.1 through 8.1 SP5 stores cleartext data in a backup of config.xml after offline editing, which allows local users to obtain sensitive information by reading this backup file. BEA07-140.00 ADV-2007-0213 22082 1017525 23750 38504 BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, and 9.0 allows remote attackers to cause a denial of service (server hang) via certain requests that cause muxer threads to block when processing error pages. BEA07-141.00 ADV-2007-0213 1017525 23750 38506 22082 BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce access control after a dynamic update and dynamic redeployment of an application that is implemented through exploded jars, which allows attackers to bypass intended access restrictions. BEA07-142.00 ADV-2007-0213 1017525 23750 38509 22082 The WSEE runtime (WS-Security runtime) in BEA WebLogic Server 9.0 and 9.1 does not verify credentials when decrypting client messages, which allows remote attackers to bypass application security. BEA07-143.00 ADV-2007-0213 1017525 23750 38510 22082 BEA WebLogic Server 7.0 through 7.0 SP7, 8.1 through 8.1 SP5, 9.0, and 9.1, when using the WebLogic Server 6.1 compatibility realm, allows attackers to execute certain EJB container persistence operations with an administrative identity. BEA07-144.00 ADV-2007-0213 1017525 23750 38511 22082 BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods. BEA07-145.00 ADV-2007-0213 1017525 23750 38512 22082 The BEA WebLogic Server proxy plug-in before June 2006 for the Apache HTTP Server does not properly handle protocol errors, which allows remote attackers to cause a denial of service (server outage). BEA07-146.00 ADV-2007-0213 1017525 23750 38513 22082 BEA WebLogic Server 9.0, 9.1, and 9.2 Gold allows remote attackers to obtain sensitive information via malformed HTTP requests, which reveal data from previous requests. BEA07-147.00 ADV-2007-0213 1017525 23750 38514 22082 BEA WebLogic Server 6.1 through 6.1 SP7, and 7.0 through 7.0 SP7 allows remote attackers to cause a denial of service (disk consumption) via requests containing malformed headers, which cause a large amount of data to be written to the server log. BEA07-148.00 ADV-2007-0213 1017525 23750 32859 22082 BEA WebLogic Server 9.0, 9.1, and 9.2 Gold, when running on Solaris 9, allows remote attackers to cause a denial of service (server inaccessibility) via manipulated socket connections. BEA07-150.00 ADV-2007-0213 1017525 23750 32858 22082 BEA WebLogic Portal 9.2 does not properly handle when an administrator deletes entitlements for a role, which causes other role entitlements to be "inadvertently affected," which has an unknown impact. BEA07-151.00 ADV-2007-0213 23750 32857 22082 1017521 Unspecified vulnerability in the BEA WebLogic Server proxy plug-in for Netscape Enterprise Server before September 2006 for Netscape Enterprise Server allow remote attackers to cause a denial of service via certain requests that trigger errors that lead to a server being marked as unavailable, hosting web server failure, or CPU consumption. BEA07-152.00 ADV-2007-0213 1017525 23750 32856 22082 Unspecified vulnerability in BEA WebLogic Platform and Server 8.1 through 8.1 SP5, and JRockit 1.4.2 R4.5 and earlier, allows attackers to gain privileges via unspecified vectors, related to an "overflow condition," probably a buffer overflow. ADV-2007-0213 1017525 23750 38515 BEA07-155.00 BEA WebLogic Portal 9.2, when running in a WebLogic Server clustered environment using WebLogic Portal entitlements, does not properly propagate entitlement policy changes if the changes are made on a managed server while the Administrative Server is unavailable, which might allow attackers to bypass intended restrictions. BEA07-156.00 ADV-2007-0213 23750 38516 32854 22082 1017521 Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section. 22135 20070119 Help project files (.HPJ) buffer overflow vulnerability in Microsoft Help Workshop http://www.anspi.pl/~porkythepig/visualization/hpj-x01.cpp 31899 2177 23862 Unspecified vulnerability in the chtbl_lookup function in hash.c for WzdFTPD 8.0 and earlier allows remote attackers to cause a denial of service via a crafted FTP command, probably due to a NULL pointer dereference. wzdftpd-ftp-dos(31599) ADV-2007-0277 20070119 WzdFTPD < 8.1 Denial of service http://www.s21sec.com/avisos/s21sec-033-en.txt 1017537 32941 20070119 WzdFTPD < 8.1 Denial of service 2171 23852 DivXBrowserPlugin (aka DivX Web Player) npdivx32.dll, as distributed with DivX Player 6.4.1, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) by invoking the GoWindowed method for a certain instance of the ActiveX object. divx-divxbrowserplugin-dos(31601) 22133 37693 3157 The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value. ADV-2007-0275 20070119 [RISE-2007001] Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption vulnerability macos-sharedregionmapfilenp-dos(31645) 32942 1017538 2178 23823 http://risesecurity.org/advisory.php?id=RISE-2007001.txt AVM Fritz!Box 7050, and possibly other product models, allows remote attackers to cause a denial of service (VoIP application crash) via a zero-length UDP packet to the SIP port (port 5060). ADV-2007-0272 22130 20070119 DoS against AVM Fritz!Box 7050 (and others) 32940 http://mazzoo.de/blog/2007/01/18#FritzBox_DoS 20070119 DoS against AVM Fritz!Box 7050 (and others) fritzbox-udp-packet-dos(31633) 20070123 Re: DoS against AVM Fritz!Box 7050 (and others) 23868 ftp://ftp.avm.de/fritz.box/fritzbox.fon_wlan_7050/firmware/info.txt BEA AquaLogic Service Bus 2.0, 2.1, and 2.5 does not properly reject malformed request messages to a proxy service, which might allow remote attackers to bypass authorization policies and route requests to back-end services or conduct other unauthorized activities. 1017523 23786 32862 BEA07-157.00 22082 Unspecified vulnerability in BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2, when using Active Directory LDAP for authentication, allows remote authenticated users to access the server even after the account has been disabled. 1017524 23786 32861 BEA07-154.00 22082 BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2 does not properly set the severity level of audit events when the system load is high, which might make it easier for attackers to avoid detection. 23786 32860 BEA07-153.00 22082 T-Com Speedport 500V routers with firmware 1.31 allow remote attackers to bypass authentication and reconfigure the device via a LOGINKEY=TECOM cookie value. 20070119 Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 32995 tcom-login-authentication-bypass(31621) 22160 20070216 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070122 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070121 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 23853 Barron McCann X-Kryptor Driver BMS1446HRR (Xgntr BMS1351 Install BMS1472) in X-Kryptor Secure Client does not drop privileges when launching an Explorer window in response to a help command, which allows local users to gain LocalSystem privileges via interactive use of Explorer. ADV-2007-0496 22424 http://www.cpni.gov.uk/Products/vulnerabilitydisclosures/default.aspx?id=va-20070129-0107.xml http://www.cpni.gov.uk/Products/advisories/default.aspx?id=al-20070129-0107.xml http://www.bemacpromotions.com/files/xkpatch462660.zip http://www.barronmccann.com/ISec/s2pressrelease.asp?PRID=141&S2ID=14 24045 33110 http://jvn.jp/niscc/NISCC-462660/index.html Multiple cross-site scripting (XSS) vulnerabilities in the sample Cache' Server Page (CSP) scripts in InterSystems Cache' allow remote attackers to inject arbitrary web script or HTML via (1) the TO parameter to loop.csp, (2) the VALUE parameter to cookie.csp, and (3) the PAGE parameter to showsource.csp in csp/samples/; and allow remote authenticated users to inject arbitrary web script or HTML via (4) the ERROR parameter to csp/samples/xmlclasseserror.csp, and unspecified vectors in (5) object.csp and (6) lotteryhistory.csp in csp/samples/. http://www.mwrinfosecurity.com/news/1658.html http://www.mwrinfosecurity.com/advisories/mwri_cache-sample-files-xss-advisory_2007-04-04.pdf http://www.cpni.gov.uk/Products/alerts/2928.aspx Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to execute arbitrary commands via unknown vectors. SSRT05103 ADV-2007-0153 SSRT05103 1017504 32728 Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impact and remote attack vectors, related to an "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible that this issue is related to CVE-2004-0230, but this is not certain. MA33860 MA33861 23765 32812 Multiple buffer overflows in the CDDBControl ActiveX control in Gracenote CDDB before 20070418 allow remote attackers to execute arbitrary code via long values for certain Proxy configuration parameters. The vendor has address this issue with the following information: http://www.gracenote.com/corporate/FAQs.html/faqset=update/page=0 http://www.zerodayinitiative.com/advisories/ZDI-07-021.html 23567 22924 ADV-2007-1475 1017937 http://www.gracenote.com/corporate/FAQs.html/faqset=update/page=0 34327 cddbcontrol-activex-bo(33773) 20070420 ZDI-07-021: GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability Stack-based buffer overflow in the print provider library (cpprov.dll) in Citrix Presentation Server 4.0, MetaFrame Presentation Server 3.0, and MetaFrame XP 1.0 allows local users and remote attackers to execute arbitrary code via long arguments to the (1) EnumPrintersW and (2) OpenPrinter functions. http://www.zerodayinitiative.com/advisories/ZDI-07-006.html ADV-2007-0328 http://www.securityfocus.com/data/vulnerabilities/exploits/testlpc.c 22217 20070124 ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability http://support.citrix.com/article/CTX111686 1017553 23869 32958 Heap-based buffer overflow in the arj.ppl module in the OnDemand Scanner in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to execute arbitrary code via crafted ARJ archives. http://www.kaspersky.com/technews?id=203038694 http://www.kaspersky.com/technews?id=203038693 24778 http://www.zerodayinitiative.com/advisories/ZDI-07-013.html ADV-2007-1268 kaspersky-arj-bo(33489) 1017883 1017882 23346 20070405 ZDI-07-013: Kaspersky AntiVirus Engine ARJ Archive Parsing Heap Overflow Vulnerability Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent 8.0 and 8.1, Performance Center Agent 8.0 and 8.1, and Monitor over Firewall 8.1 allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll. VU#303012 SSRT061280 http://www.zerodayinitiative.com/advisories/ZDI-07-007.html ADV-2007-0535 33132 SSRT061280 mercury-multiple-agent-bo(32390) 22487 20070208 ZDI-07-007: HP Mercury LoadRunner Agent Stack Overflow Vulnerability R-123 1017613 1017612 1017611 24112 Heap-based buffer overflow in the Decomposer component in multiple Symantec products allows remote attackers to execute arbitrary code via multiple crafted CAB archives. http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html http://www.zerodayinitiative.com/advisories/ZDI-07-040.html ADV-2007-2508 24282 26053 The fopen function in PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI. 22261 20070125 PHP 5.2.0 safe_mode bypass (by Writing Mode) 2175 Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200. VU#611276 VU#357308 http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp 23897 http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993 http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696 ADV-2007-0314 22342 22340 22199 20070131 Remote Unauthenticated Code Execution II CA BrightStor ARCserve Backup for Laptops & Desktops 20070131 Remote Unauthenticated Code Execution CA BrightStor ARCserve Backup 20070124 [CAID 34993]: CA BrightStor ARCserve Backup for Laptops and Desktops Multiple Overflow Vulnerabilities 31593 1017548 Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache. 20070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal tomcat-proxy-directory-traversal(32988) ADV-2009-0233 ADV-2008-1979 ADV-2008-0065 ADV-2007-3386 ADV-2007-3087 ADV-2007-2732 ADV-2007-0975 22960 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt http://www.sec-consult.com/287.html RHSA-2007:0327 SUSE-SR:2007:005 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 GLSA-200705-03 33668 25280 25106 24732 oval:org.mitre.oval:def:10643 SSRT071447 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx 25159 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 RHSA-2008:0261 RHSA-2007:0360 SUSE-SR:2007:015 MDKSA-2007:241 http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm 239312 2446 30908 30899 28365 27037 26660 26235 [Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 APPLE-SA-2007-07-31 HPSBUX02262 http://docs.info.apple.com/article.html?artnum=306172 Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage." Upgrade to SpamAssassin version 3.1.8 22584 https://issues.rpath.com/browse/RPL-1073 spamassassin-url-dos(32536) ADV-2007-0628 1017666 RHSA-2007:0075 SUSE-SR:2007:006 MDKSA-2007:049 http://svn.apache.org/repos/asf/spamassassin/branches/3.1/build/announcements/3.1.8.txt http://spamassassin.apache.org/advisories/cve-2007-0451.txt GLSA-200703-02 24889 24307 24265 24256 24250 24200 24197 RHSA-2007:0074 oval:org.mitre.oval:def:10018 33207 smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. 20070205 [SAMBA-SECURITY] CVE-2007-0452: Potential DoS against smbd in Samba 3.0.6 - 3.0.23d ADV-2007-1278 ADV-2007-0483 oval:org.mitre.oval:def:9758 33100 HPSBUX02204 HPSBUX02204 https://issues.rpath.com/browse/RPL-1005 samba-smbd-filerename-dos(32301) USN-419-1 2007-0007 22395 20070207 rPSA-2007-0026-1 samba samba-swat RHSA-2007:0061 RHSA-2007:0060 MDKSA-2007:034 GLSA-200702-01 DSA-1257 http://us1.samba.org/samba/security/CVE-2007-0452.html 200588 SSA:2007-038-01 1017587 2219 24792 24284 24188 24151 24145 24140 24101 24076 24067 24060 24046 24030 24021 SUSE-SA:2007:016 FEDORA-2007-220 FEDORA-2007-219 20070201-01-P Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions. 20070205 [SAMBA-SECURITY] CVE-2007-0453: Buffer overrun in nss_winbind.so.1 on Solaris ADV-2007-0483 33098 https://issues.rpath.com/browse/RPL-1005 samba-winbind-bo(32231) 2007-0007 22410 20070207 rPSA-2007-0026-1 samba samba-swat OpenPKG-SA-2007.012 http://us1.samba.org/samba/security/CVE-2007-0453.html SSA:2007-038-01 1017589 24151 24101 24043 Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping. VU#649732 22403 https://issues.rpath.com/browse/RPL-1005 samba-afsacl-format-string(32304) ADV-2007-0483 USN-419-1 2007-0007 20070207 rPSA-2007-0026-1 samba samba-swat 20070205 [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS plugin OpenPKG-SA-2007.012 MDKSA-2007:034 GLSA-200702-01 DSA-1257 http://us1.samba.org/samba/security/CVE-2007-0454.html SSA:2007-038-01 1017588 24151 24145 24101 24067 24060 24046 24021 33101 Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. https://issues.rpath.com/browse/RPL-1268 https://issues.rpath.com/browse/RPL-1030 ADV-2011-0022 ADV-2007-0400 2007-0007 22289 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql RHSA-2007:0162 RHSA-2007:0153 MDKSA-2007:038 MDKSA-2007:036 MDKSA-2007:035 42813 24965 24945 24924 24151 24143 24107 24053 24052 24022 23916 RHSA-2007:0155 oval:org.mitre.oval:def:11303 [security-announce] 20070208 rPSA-2007-0028-1 gd FEDORA-2010-19022 FEDORA-2010-19033 FEDORA-2007-150 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224607 USN-473-1 RHSA-2008:0146 MDKSA-2007:109 29157 25575 Unspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 24016 https://issues.rpath.com/browse/RPL-985 wireshark-lltdissector-dos(32056) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24011 oval:org.mitre.oval:def:11342 33073 FEDORA-2007-207 20070301-01-P Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 24016 https://issues.rpath.com/browse/RPL-985 wireshark-ieeedissector-dos(32055) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24011 oval:org.mitre.oval:def:11003 33074 FEDORA-2007-207 20070301-01-P Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 https://issues.rpath.com/browse/RPL-985 wireshark-httpdissector-dos(32054) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24016 24011 oval:org.mitre.oval:def:10966 33075 FEDORA-2007-207 20070301-01-P packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets. http://www.wireshark.org/security/wnpa-sec-2007-01.html 22352 24016 https://issues.rpath.com/browse/RPL-985 wireshark-tcpdissector-dos(32053) ADV-2007-0443 RHSA-2007:0066 MDKSA-2007:033 http://support.avaya.com/elmodocs2/security/ASA-2007-166.htm 1017581 24970 24650 24515 24084 24025 24011 oval:org.mitre.oval:def:10465 FEDORA-2007-207 http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1200 20070301-01-P Multiple buffer overflows in ulogd for SUSE Linux 9.3 up to 10.1, and possibly other distributions, have unknown impact and attack vectors related to "improper string length calculations." 22139 SUSE-SR:2007:001 MDKSA-2007:028 GLSA-200703-17 24524 23863 32939 Multiple memory leaks in the Dazuko anti-virus helper module before 2.3.2 allow attackers to cause a denial of service (memory consumption) via unknown vectors. SUSE-SR:2007:001 38322 The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption. ADV-2007-0337 http://projects.info-pull.com/moab/MOAB-23-01-2007.html macos-argb-dos(31698) 22207 32696 23859 Format string vulnerability in Apple Software Update 2.0.5 on Mac OS X 10.4.8 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in (1) SWUTMP or (2) SUCATALOG filenames, or using the (3) application/x-apple.sucatalog+xml MIME type. TA07-072A ADV-2007-0930 ADV-2007-0337 http://projects.info-pull.com/moab/MOAB-24-01-2007.html 1017755 22222 32703 24479 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 The _CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application crash) via a crafted HTTP 301 response, which results in a NULL pointer dereference. TA07-319A macos-cfnetwork-dos(31837) ADV-2007-3868 26444 22249 32704 3200 27643 http://projects.info-pull.com/moab/MOAB-25-01-2007.html APPLE-SA-2007-11-14 http://docs.info.apple.com/article.html?artnum=307041 Format string vulnerability in Apple Installer 2.1.5 on Mac OS X 10.4.8 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a (1) PKG, (2) DISTZ, or (3) MPKG package filename. TA07-109A ADV-2007-1470 22272 http://projects.info-pull.com/moab/MOAB-26-01-2007.html macos-installer-format-string(31883) 1017940 32705 24966 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 Telestream Flip4Mac Windows Media Components for Quicktime 2.1.0.33 allows remote attackers to execute arbitrary code via a crafted ASF_File_Properties_Object size field in a WMV file, which triggers memory corruption. ADV-2007-0389 22286 23958 http://projects.info-pull.com/moab/MOAB-27-01-2007.html 32697 crashdump in Apple Mac OS X 10.4.8 allows local users in the admin group to modify arbitrary files or gain privileges via a symlink attack on application logs in /Library/Logs/CrashReporter/. Successful exploitation requires that the attacker is already a part of the administrator group. TA07-072A VU#363112 macos-crashreporterd-privilege-escalation(31888) ADV-2007-0930 1017751 24479 http://projects.info-pull.com/moab/MOAB-28-01-2007.html http://docs.info.apple.com/article.html?artnum=305214 32706 APPLE-SA-2007-03-13 Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file. ADV-2007-0296 20070122 Microsoft Visual C++ (.RC) resource files buffer overflow vulnerability http://www.anspi.pl/~porkythepig/visualization/rc-kupiekrowe.cpp 23856 31607 visualstudio-rc-bo(31665) 2172 The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages. http://rubyforge.org/frs/shownotes.php?release_id=9074 ADV-2007-0295 rubygems-extractfiles-file-overwrite(31688) 20070121 RubyGems 0.9.0 and earlier installation exploit SUSE-SR:2007:004 20070121 RubyGems 0.9.0 and earlier installation exploit Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors. 102773 ADV-2007-0317 31616 solaris-tip-privilege-escalation(31669) 22190 1017546 23821 oval:org.mitre.oval:def:2038 sre/params.php in the Integrity Clientless Security (ICS) component in Check Point Connectra NGX R62 3.x and earlier before Security Hotfix 5, and possibly VPN-1 NGX R62, allows remote attackers to bypass security requirements via a crafted Report parameter, which returns a valid ICSCookie authentication token. checkpoint-params-security-bypass(31646) ADV-2007-0276 20070122 Check Point Connectra End Point security bypass 20070122 Re: [Full-disclosure] Check Point Connectra End Point security bypass http://www.checkpoint.com/downloads/latest/hfa/vpn1_security/vpn1_R62_Windows.html http://www.checkpoint.com/downloads/latest/hfa/connectra/security_r62.html http://updates.checkpoint.com/fileserver/ID/7126/FILE/VPN-1_Hotfix1.pdf 1017560 1017559 2179 23847 31655 20070122 Check Point Connectra End Point security bypass Multiple race conditions in Smb4K before 0.8.0 allow local users to (1) modify arbitrary files via unspecified manipulations of Smb4K's lock file, which is not properly handled by the remove_lock_file function in core/smb4kfileio.cpp, and (2) add lines to the sudoers file via a symlink attack on temporary files, which isn't properly handled by the writeFile function in core/smb4kfileio.cpp. [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 The writeFile function in core/smb4kfileio.cpp in Smb4K before 0.8.0 does not preserve /etc/sudoers permissions across modifications, which allows local users to obtain sensitive information (/etc/sudoers contents) by reading this file. [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoers list, to kill arbitrary processes, related to a "design issue with smb4k_kill." [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 Multiple stack-based buffer overflows in utilities/smb4k_*.cpp in Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoers list, to gain privileges via unspecified vectors related to the args variable and unspecified other variables, in conjunction with the sudo configuration. [smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes released 23937 ADV-2007-0393 http://developer.berlios.de/project/shownotes.php?release_id=9777 http://developer.berlios.de/project/shownotes.php?release_id=11902 http://developer.berlios.de/project/shownotes.php?release_id=11706 http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769 22299 MDKSA-2007:042 GLSA-200703-09 24469 24111 23984 SUSE-SR:2007:002 The gencert.sh script, when installing OpenLDAP before 2.1.30-r10, 2.2.x before 2.2.28-r7, and 2.3.x before 2.3.30-r2 as an ebuild in Gentoo Linux, does not create temporary directories in /tmp securely during emerge, which allows local users to overwrite arbitrary files via a symlink attack. ADV-2007-0305 GLSA-200701-19 23881 31617 22195 Cross-site scripting (XSS) vulnerability in Openads 2.0.x before 2.0.10, 2.3 before 2.3.31 (aka Max Media Manager before 0.3.31-alpha-pr2), and phpAdsNew/phpPgAds before 2.0.9-pr1 allows remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in admin-search.php and (2) affiliate-search.php. NOTE: this issue may overlap CVE-2007-0363. https://developer.openads.org/browser/branches/max/trunk/CHANGELOG.txt?format=raw ADV-2007-0315 20070127 Re: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed 20070126 [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed 20070124 [OPENADS-SA-2007-001] phpAdsNew and phpPgAds 2.0.9-pr1 vulnerability fixed 32926 JVN#07274813 http://forum.openads.org/index.php?showtopic=503412651 WebCore on Apple Mac OS X 10.3.9 and 10.4.10, as used in Safari, does not properly parse HTML comments in TITLE elements, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment. safari-html-xss(31846) safari-html-xss(31846) ADV-2007-2732 25159 20070123 Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability http://www.beanfuzz.com/wordpress/?p=99 1018494 26235 23893 32712 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device. VU#217912 TA07-024A cisco-tcp-ipv4-dos(31716) ADV-2007-0329 22208 20070124 Crafted TCP Packet Can Cause Denial of Service 1017551 23867 oval:org.mitre.oval:def:5080 32093 Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet. VU#341288 TA07-024A cisco-ip-option-code-execution(31725) ADV-2007-0329 20070124 Crafted IP Option Vulnerability 1017555 23867 oval:org.mitre.oval:def:5666 32092 22211 Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header. VU#274760 TA07-024A cisco-ios-ipv6-type0-dos(31715) ADV-2007-0329 20070124 IPv6 Routing Header Vulnerability 1017550 23867 oval:org.mitre.oval:def:5857 32091 22210 cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 allows local users to obtain the utadmin password by reading a web server's log file, or by conducting a different, unspecified local attack. ADV-2007-0316 102779 31671 sunray-utadmin-information-disclosure(31700) 22192 1017547 23900 Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23865 31608 enthusiast-show-xss(31667) 22180 Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote attackers to execute arbitrary SQL commands via the cat parameter to (1) show_owned.php, (2) show_joined.php, and possibly other files. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23865 31610 31609 enthusiast-show-sql-injection(31666) 22180 PHP remote file inclusion vulnerability in defines.php in WebChat 0.77 allows remote attackers to execute arbitrary PHP code via a URL in the WEBCHATPATH parameter. webchat-definesphp-file-include(31624) 1006193 7000 20030303 WebChat (PHP) 8206 3169 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Openads (aka phpAdsNew) 2.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds_geoPlugin parameter to libraries/lib-remotehost.inc, the (2) filename parameter to admin/report-index, or the (3) phpAds_config[my_footer] parameter to admin/lib-gui.inc. NOTE: the vendor has disputed this issue, stating that the relevant variables are used within function definitions. 22172 20070124 Re: phpAdsNew 2.0.7 Remote File Include 20070122 Re: phpAdsNew 2.0.7 Remote File Include 20070120 phpAdsNew 2.0.7 Remote File Include 2174 33573 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in FreeForum 0.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. NOTE: this issue has been disputed by third party researchers, stating that fpath variable is initialized before being used. 20070124 Re: FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability 20070121 FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability The Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Quidway R1600 Router, and possibly other models, allows remote attackers to cause a denial of service (device crash) via a long show arp command. quidway-arp-dos(31641) 40355 20070118 The Quidway Router local DOS 2176 PHP remote file inclusion vulnerability in includes/functions.visohotlink.php in VisoHotlink 1.01 and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. visohotlink-functions-file-include(31654) ADV-2007-0285 23878 31611 3175 22171 index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action. 20070121 Full Path Disclosure in Open-Realty ( v2.3.4 ) openrealty-index-path-disclosure(31657) PHP remote file inclusion vulnerability in up.php in Sky GUNNING MySpeach 3.0.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the my_ms[root] parameter, a different vector than CVE-2006-4630. NOTE: Some of these details are obtained from third party information. ADV-2007-0269 23850 Multiple SQL injection vulnerabilities in gallery.php in webSPELL 4.01.02 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) galleryID parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0270 webspell-gallery-sql-injection(31632) Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context." http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.4 http://www.isc.org/index.pl?/sw/bind/view/?release=9.2.8 SSRT061239 SSRT071304 SSRT061213 ADV-2007-2315 ADV-2007-2163 ADV-2007-1939 ADV-2007-1401 ADV-2007-0349 23904 oval:org.mitre.oval:def:9614 [bind-announce] 20070125 Internet Systems Consortium Security Advisory. 20070125 BIND remote exploit (low severity) [Fwd: Internet Systems Consortium Security Advisory.] SSRT061273 SSRT061213 https://issues.rpath.com/browse/RPL-989 USN-418-1 2007-0005 22229 20070125 BIND remote exploit (low severity) [Fwd: Internet Systems Consortium Security Advisory.] RHSA-2007:0057 OpenPKG-SA-2007.007 MDKSA-2007:030 http://www.isc.org/index.pl?/sw/bind/bind-security.php SSA:2007-026-01 1017561 GLSA-200702-06 FreeBSD-SA-07:02 25649 25402 24950 24930 24203 24129 24054 24048 24014 23977 23974 23972 23943 23924 SUSE-SA:2007:014 APPLE-SA-2007-05-24 HPSBUX02219 NetBSD-SA2007-003 FEDORA-2007-164 FEDORA-2007-147 http://docs.info.apple.com/article.html?artnum=305530 ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability. Syccessful exploitation requires that the victim has enabled dnssec validation in named.conf by specifying trusted-keys. http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.4 http://www.isc.org/index.pl?/sw/bind/view/?release=9.2.8 23904 [bind-announce] 20070125 Internet Systems Consortium Security Advisory. SSRT071304 SSRT061239 SSRT071304 SSRT061213 https://issues.rpath.com/browse/RPL-989 ADV-2007-3229 ADV-2007-2315 ADV-2007-2245 ADV-2007-2163 ADV-2007-2002 ADV-2007-1939 ADV-2007-1401 USN-418-1 2007-0005 22231 RHSA-2007:0057 RHSA-2007:0044 OpenPKG-SA-2007.007 MDKSA-2007:030 http://www.isc.org/index.pl?/sw/bind/bind-security.php DSA-1254 IY96324 IY96144 IY95619 IY95618 http://support.avaya.com/elmodocs2/security/ASA-2007-125.htm 102969 SSA:2007-026-01 1017573 GLSA-200702-06 FreeBSD-SA-07:02 25402 24950 24930 24648 24203 24129 24083 24054 24048 24014 23977 23974 23972 23944 23943 23924 oval:org.mitre.oval:def:11523 SUSE-SA:2007:014 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player APPLE-SA-2007-05-24 SSRT061273 SSRT061273 NetBSD-SA2007-003 FEDORA-2007-164 FEDORA-2007-147 http://docs.info.apple.com/article.html?artnum=305530 20070201-01-P bind-rrsets-dos(31838) 27706 26909 25715 25649 25482 24284 PHP remote file inclusion vulnerability in include/config.inc.php in PhpSherpa allows remote attackers to execute arbitrary PHP code via a URL in the racine parameter. ADV-2007-0263 23817 31599 3161 PHP remote file inclusion vulnerability in lib/nl/nl.php in Neon Labs Website (nlws) 3.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the g_strRootDir parameter. ADV-2007-0268 36797 3163 PHP remote file inclusion vulnerability in upload/top.php in Upload-Service 1.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the maindir parameter. ADV-2007-0265 23845 32938 http://echo.or.id/adv/adv62-y3dips-2007.txt uploadservice-top-file-include(31634) 22189 20070123 [ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion PHP remote file inclusion vulnerability in up.php in MySpeach 2.1 beta and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter. 31603 3165 PHP remote file inclusion vulnerability in config.php in Sangwan Kim phpIndexPage 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[inc_path] parameter. ADV-2007-0267 22161 23992 33014 3164 PHP remote file inclusion vulnerability in include/includes.php in Bradabra 2.0.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. ADV-2007-0264 23851 31604 3162 PHP remote file inclusion vulnerability in index.php in Mafia Scum Tools 2.0.0 in Matthew Wardrop Advanced Random Generators (adv-random-gen) allows remote attackers to execute arbitrary PHP code via a URL in the gen parameter. mafiascum-index-file-include(31637) ADV-2007-0271 22151 36810 3171 SQL injection vulnerability in gallery.php in webSPELL 4.01.02 allows remote attackers to execute arbitrary SQL commands via the picID parameter, a different vector than CVE-2007-0492. ADV-2007-0270 36798 webspell-gallery-sql-injection(31632) 22149 3172 Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors. 102728 solaris-kcmscalibrate-privilege-escalation(31668) ADV-2007-0287 1017541 23885 31598 22175 http://support.avaya.com/elmodocs2/security/ASA-2007-040.htm oval:org.mitre.oval:def:1495 Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and possibly other scripts, allows remote attackers to execute arbitrary code via the poll_id parameter, which is supplied to an eval function call, a different vulnerability type than CVE-2005-4632. ADV-2007-0300 23834 31606 3180 Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue. http://drupal.org/node/112146 ADV-2007-0312 32134 projecttracking-extension-file-upload(31729) 22224 23887 The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests. http://drupal.org/node/112146 projecttracking-access-info-disclosure(31727) ADV-2007-0312 32135 projecttracking-access-weak-security(31727) 22224 23887 SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles. http://drupal.org/node/112145 ADV-2007-0313 23895 32132 acidfree-albums-sql-injection(31724) 22202 PHP remote file inclusion vulnerability in lib/selectlang.php in BBClone 0.31 allows remote attackers to execute arbitrary PHP code via a URL in the BBC_LANGUAGE_PATH parameter. ADV-2007-0318 23874 32957 3183 Multiple unspecified vulnerabilities in MaklerPlus before 1.2 have unknown impact and attack vectors, possibly relating to cross-site scripting (XSS) in the slogan parameter in main.tpl, or information leaks in error messages. http://sourceforge.net/project/shownotes.php?release_id=479940 ADV-2007-0321 23864 32950 maklerplus-multiple-unspecified(31734) 22206 Multiple buffer overflows in (1) graphs.c, (2) output.c, and (3) preserve.c in AWFFull 3.7.1 and earlier have unknown impact and attack vectors. NOTE: some of these details are obtained from third party information. NOTE: There may not be any attack vector that crosses privilege boundaries. http://www.stedee.id.au/awffull#changes ADV-2007-0320 [AWFFULL] 20070123 Regarding the fixes in 3.7.2 32956 awffull-multiple-bo(31731) 23831 Multiple PHP remote file inclusion vulnerabilities in phpXMLDOM (phpXD) 0.3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) dom.php, (2) dtd.php, or (3) parser.php in include/. ADV-2007-0309 23875 32955 32954 32953 phpxd-path-file-include(31726) 22201 3184 Hitachi TP1/LiNK 05-00 through 05-03-/F, 03-04 through 03-06-/K, and 03-00 through 03-03-/H; and TP1/Server Base 05-00 through 05-00-/M, 03-01-E through 03-01-FD, 03-01 through 03-01-DB, and 05-03; allow attackers to cause a denial of service (process crash) via invalid data to an OpenTP1 port. http://www.hitachi-support.com/security_e/vuls_e/HS06-021_e/01-e.html ADV-2007-0325 32962 22223 23866 Hitachi HiRDB Datareplicator 7HiRDB, 7(64), 6, 6(64), 5.0, and 5.0(64); and various products that bundle HiRDB Datareplicator; allows attackers to cause a denial of service (CPU consumption) via certain data. http://www.hitachi-support.com/security_e/vuls_e/HS06-023_e/01-e.html ADV-2007-0327 32996 hitachi-hirdb-request-dos(31735) 22244 23816 Multiple cross-site scripting (XSS) vulnerabilities in multiple Hitachi Web Server, uCosminexus, and Cosminexus products before 20070124 allow remote attackers to inject arbitrary web script or HTML via (1) HTTP Expect headers or (2) image maps. http://www.hitachi-support.com/security_e/vuls_e/HS06-022_e/01-e.html ADV-2007-0326 32998 32997 23843 Unspecified vulnerability in Microsoft Word allows user-assisted remote attackers to execute arbitrary code on Word 2000, and cause a denial of service on Word 2003, via unknown attack vectors that trigger memory corruption, as exploited by Trojan.Mdropper.W and later by Trojan.Mdropper.X, a different issue than CVE-2006-6456, CVE-2006-5994, and CVE-2006-6561. TA07-044A VU#412225 word-document-code-execution(31834) ADV-2007-0350 http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-013010-5422-99&tabid=2 http://www.symantec.com/enterprise/security_response/weblog/2007/01/new_microsoft_word_2000_vulner.html http://www.symantec.com/enterprise/security_response/weblog/2007/01/multiple_organizations_targett.html 22328 22225 MS07-014 http://www.microsoft.com/technet/security/advisory/932114.mspx 1017564 23950 31900 http://isc.sans.org/diary.html?storyid=2133 oval:org.mitre.oval:def:528 Yana Framework before 2.8.5a allows remote authenticated users with permissions to modify a guestbook profile to modify or delete arbitrary guestbook profiles via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. http://all-community.de/pub/pages/changes.php?language=en yana-unspecified-security-bypass(31671) 31615 23855 Scriptsez Random PHP Quote 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password information via a direct request for pwd.txt. 20070123 RANDOM PHP QUOTE 1.0 (pwd.txt) Remote Password Disclosur 32947 randomphpquote-pwd-information-disclosure(31696) 2184 23888 Scriptsez Smart PHP Subscriber (aka subscribe) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain encoded passwords via a direct request for pwd.txt. 20070123 subscribe (pwd.txt) Remote Password Disclosur 23886 32946 subscriber-pwd-information-disclosure(31701) 2183 Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Instant Messenger allows remote authenticated users to inject arbitrary web script or HTML via the recipient field. u2u-memcp-xss(31661) 20070120 XMB "U2U Instant Messenger" Cross-Site Scripting 2182 http://aria-security.com/forum/showthread.php?p=129 SQL injection vulnerability in banner.php in Unique Ads (UDS) 1.x allows remote attackers to execute arbitrary SQL commands via the bid parameter. uniqueads-banner-sql-injection(31660) 20070121 SQL Injection in Unique Ads ( UDS ) 2181 The Sony Ericsson K700i and W810i phones allow remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. 20070123 Re: Bluetooth DoS by obex push [readable] 20070123 Bluetooth DoS by obex push 2180 The Motorola MOTORAZR V3 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. 20070123 Re: Bluetooth DoS by obex push [readable] 20070123 Bluetooth DoS by obex push 2180 The Nokia N70 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. 20070123 Re: Bluetooth DoS by obex push [readable] 20070123 Bluetooth DoS by obex push 2180 The LG Chocolate KG800 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. 20070123 Re: Bluetooth DoS by obex push [readable] 20070123 Bluetooth DoS by obex push 2180 Multiple buffer overflows in Nickolas Grigoriadis Mini Web server (MiniWebsvr) before 0.05 have unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?release_id=479480&group_id=187000 ADV-2007-0294 33512 Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the URL (PATH_INFO) to (1) articles/edit.php, (2) articles/list.php, (3) blogs/list_blogs.php, or (4) blogs/rankings.php. bitweaver-multiple-scripts-xss(31655) 20070122 [x0n3-h4ck] bitweaver 1.3.1 XSS Exploit 33581 33580 33579 33578 2186 SQL injection vulnerability in the is_remembered function in class.login.php in Website Baker 2.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the REMEMBER_KEY cookie parameter. NOTE: some of these details are obtained from third party information. websitebaker-login-sql-injection(31692) ADV-2007-0311 22176 20070122 SQL Injection by using Cookie Poisoning for Website Baker Version 2.6.5 and before 2185 23828 32945 The admin web console implemented by the Centrality Communications (aka Aredfox) PA168 chipset and firmware 1.54 and earlier, as provided by various IP phones, does not require passwords or authentication tokens when using HTTP, which allows remote attackers to connect to existing superuser sessions and obtain sensitive information (passwords and configuration data). ADV-2007-0346 20070123 PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability http://www.procheckup.com/Vulner_PR0614.php 32966 23936 23919 3189 Cross-site scripting (XSS) vulnerability in index.html (aka the administration page) in PHP Link Directory (phpLD) 3.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted link, which is triggered when the administrator uses the "Validate Links" functionality. phpld-admin-xss(31662) http://www.smilehouse.com/advisory/phplinkdirectory_070121.txt 20070121 PHP Link Directory XSS Vulnerability version <= 3.0.6 32952 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Advanced Guestbook 2.4.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) index.php, (2) addentry.php, or (3) picture.php, a different set of vectors than CVE-2006-5804. NOTE: this issue has been disputed by third party researchers, stating that the include_path variable is instantiated before use. 20070123 Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability 20070123 Re: Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability PHP remote file inclusion vulnerability in includes/login.php in FreeWebShop 2.2.3 and 2.2.4 before 20070123 allows remote attackers to execute arbitrary PHP code via a URL in the lang_file parameter. ADV-2007-0319 http://www.freewebshop.org/?id=36 23898 32951 http://14house.blogspot.com/2007/01/freewebshoporg-remote-file-inclusion.html freewebshop-login-file-include(31732) 1017549 Tuan Do Uploader (aka php-uploader) 6 beta 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the administrator password hash via a direct request for userdata/user_1.txt. uploader-userdata-info-disclosure(31683) 20070122 Uploader <= (userdata/user_1.txt) Password Disclosure Vulnerability 2187 The AToZed IntraWeb component 8.0 and earlier for Borland Delphi and Kylix, and IntraWeb 9.0 before build (9.0.12), allows remote attackers to cause a denial of service (thread hang or CPU consumption) via a crafted HTTP request, related to the OnBeforeDispatch function in the TIWServerController object. intraweb-component-dos(31685) ADV-2007-0355 20070123 AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability 20070125 Re: AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability 32973 http://blogs.atozed.com/Olaf/20070124A.en.aspx http://blogs.atozed.com/Olaf/20070124.en.aspx 22185 20070124 Re: AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability 23902 Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking." ADV-2007-0312 32133 http://drupal.org/node/112146 projecttracking-unspecified-xss(31728) 22224 23908 Multiple eval injection vulnerabilities in Vote! Pro 4.0, and possibly earlier, allow remote attackers to execute arbitrary code via requests to unspecified PHP scripts with the poll_id parameter, which is supplied to eval function calls, a different set of vectors than CVE-2007-0504. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0300 23834 31606 The chroot helper in rMake for rPath Linux 1 does not drop supplemental groups, which causes packages to be installed with insecure permissions and might allow local users to gain privileges. https://issues.rpath.com/browse/RPL-987 32972 http://lists.rpath.com/pipermail/security-announce/2007-January/000137.html rpath-rmake-privilege-escalation(31942) 23922 The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478. https://issues.rpath.com/browse/RPL-1117 ADV-2007-0505 USN-420-1 22428 20070124 Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability RHSA-2007:0909 SUSE-SR:2007:006 MDKSA-2007:157 MDKSA-2007:031 http://www.kde.org/info/security/advisory-20070206-1.txt GLSA-200703-10 1017591 27108 24889 24463 24442 24065 24013 23932 oval:org.mitre.oval:def:10244 32975 Telligent Community Server 2.1 and earlier allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to (1) a large file, which triggers a long download session without a timeout constraint; or (2) a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. 20070124 DoS against Telligent Community Server 20070124 Weaknesses in Pingback Design 33584 33583 2211 The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint. 20070124 Multiple Remote Vulnerabilities in Wordpress 20070124 Weaknesses in Pingback Design 2191 WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. 20070124 Multiple Remote Vulnerabilities in Wordpress 20070124 Weaknesses in Pingback Design DSA-1564 2191 30013 WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment. 20070124 Multiple Remote Vulnerabilities in Wordpress 20070124 Weaknesses in Pingback Design 2191 Cross-site scripting (XSS) vulnerability in show.php in 212cafe Guestbook 4.00 beta allows remote attackers to inject arbitrary web script or HTML via the user parameter. guestbook-show-xss(31663) 20070121 XSS in Guestbook ( v.4.00 beta ) 2190 ZixForum 1.14 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for Zixforum.mdb. NOTE: a followup post suggests that this issue only occurs if the administrator does not properly follow installation directions. 20070124 Re: ZixForum <= 1.14 (Zixforum.mdb) Remote Password Disclosure Vulnerability 20070124 ZixForum <= 1.14 (Zixforum.mdb) Remote Password Disclosure Vulnerability 2189 Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949. 20070124 [Aria-Security Team] MyBB Cross-Site Scripting 32967 mybb-subject-field-xss(31740) 22205 28837 23934 Maxtricity Tagger 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for tagger.mdb. 20070124 Maxtricity Tagger Password Disclosure Vulnerability 33577 2214 Toxiclab Shoutbox 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db.mdb. 20070124 Toxiclab Shoutbox Password Disclosure Vulnerability 33576 2213 Cross-site scripting (XSS) vulnerability in CGI-RESCUE WebFORM 4.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 23913 ADV-2007-0344 32964 JVN#05123538 KarjaSoft Sami HTTP Server 2.0.1 allows remote attackers to cause a denial of service (daemon hang) via a large number of requests for nonexistent objects. sami-http-request-dos(31690) 23901 31623 3182 Cross-site scripting (XSS) vulnerability in list3.php in 212cafeBoard 6.30 Beta allows remote attackers to inject arbitrary web script or HTML via the user parameter. 212cafeboard-list3-xss(31650) 20070121 XSS in 212cafeBoard ( Verision 0.08 & 6.30 Beta ) 2212 Cross-site scripting (XSS) vulnerability in search.php in 212cafeBoard 0.08 Beta allows remote attackers to inject arbitrary web script or HTML via keyword parameter. 212cafeboard-search-xss(31651) 20070121 XSS in 212cafeBoard ( Verision 0.08 & 6.30 Beta ) 2212 Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters. cmsimple-cms-file-include(31658) 20070120 cmsimple 2.7 Remote File Include 33572 2195 Cross-site scripting (XSS) vulnerability in install/default/error404.html in Oh no! Not another CMS (Onnac) 0.0.8.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the error_url parameter. http://onnac.svn.sourceforge.net/viewvc/onnac/trunk/install/default/error404.html?view=log ADV-2007-0347 http://sourceforge.net/forum/forum.php?forum_id=655260 36811 onnac-error-xss(31795) 22256 Multiple cross-site scripting (XSS) vulnerabilities in index.inc.php in PHProxy before 0.5 beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) data[realm] and (2) _url parameters, different vectors than CVE-2004-2604. NOTE: some of these details are obtained from third party information. http://sourceforge.net/project/shownotes.php?release_id=479999&group_id=110693 ADV-2007-0348 36812 22255 SQL injection vulnerability in print.asp in Guo Xu Guos Posting System (GPS) 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0353 20070125 GPS 1.2 Content Managing System (print.asp) Remote SQL Injection Vulnerability 31635 gps-print-sql-injection(31759) 22232 2209 23929 3195 PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content. 24033 ADV-2007-0774 ADV-2007-0478 USN-417-1 http://www.postgresql.org/support/security oval:org.mitre.oval:def:9739 33087 https://issues.rpath.com/browse/RPL-830 https://issues.rpath.com/browse/RPL-1025 postgresql-sqlfunctions-info-disclosure(32195) USN-417-2 2007-0007 22387 20070208 rPSA-2007-0025-2 postgresql postgresql-server 20070206 rPSA-2007-0025-1 postgresql postgresql-server RHSA-2007:0068 RHSA-2007:0067 RHSA-2007:0064 SUSE-SR:2007:010 MDKSA-2007:037 DSA-1261 http://support.avaya.com/elmodocs2/security/ASA-2007-117.htm 102825 1017597 GLSA-200703-15 25220 24577 24513 24315 24284 24158 24151 24094 24057 24050 24042 24028 [security-announce] 20070206 rPSA-2007-0025-1 postgresql postgresql-server FEDORA-2007-198 20070201-01-P The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server. ADV-2007-0774 ADV-2007-0478 USN-417-1 http://www.postgresql.org/support/security 24033 oval:org.mitre.oval:def:11353 33302 https://issues.rpath.com/browse/RPL-830 https://issues.rpath.com/browse/RPL-1025 postgresql-datatype-information-disclosure(32191) USN-417-2 2007-0007 22387 20070208 rPSA-2007-0025-2 postgresql postgresql-server 20070206 rPSA-2007-0025-1 postgresql postgresql-server RHSA-2007:0068 RHSA-2007:0067 SUSE-SR:2007:010 MDKSA-2007:037 http://support.avaya.com/elmodocs2/security/ASA-2007-117.htm 102825 1017597 GLSA-200703-15 25220 24577 24513 24315 24151 24057 24050 24042 24028 [security-announce] 20070206 rPSA-2007-0025-1 postgresql postgresql-server FEDORA-2007-198 rMake before 1.0.4 drops root privileges in a way that retains the original supplemental groups, which might allow attackers to gain privileges via a crafted recipe file, a different vulnerability than CVE-2007-0536. https://issues.rpath.com/browse/RPL-1002 32971 PHP remote file inclusion vulnerability in modules/mail/main.php in Inter7 vHostAdmin 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the MODULES_DIR parameter. ADV-2007-0339 36627 3191 PHP remote file inclusion vulnerability in config.php in RPW 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the sql_language parameter. ADV-2007-0342 36626 3185 SQL injection vulnerability in user.asp in ASP EDGE 1.2b and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter. ADV-2007-0341 31619 aspedge-user-sql-injection(31723) 22212 20070125 ASP EDGE <= V1.2b (user.asp) Remote SQL Injection Vulnerability 23894 3186 Multiple PHP remote file inclusion vulnerabilities in Xero Portal 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) admin_linkdb.php, (2) admin_forum_prune.php, (3) admin_extensions.php, (4) admin_board.php, (5) admin_attachments.php, or (6) admin_users.php in admin/. ADV-2007-0338 31981 31980 31979 31978 31977 31634 xero-multiple-scripts-file-include(31767) 22227 20070125 Xero Portal v1.2 (phpbb_root_path) Remote File Include Vulnerablity 23952 3192 Windows Explorer (explorer.exe) 6.0.2900.2180 in Microsoft Windows XP SP2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted .avi file, which triggers the crash when the user right clicks on the file. 43307 3190 Multiple cross-site scripting (XSS) vulnerabilities in Symantec Web Security (SWS) before 3.0.1.85 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) error messages and (2) blocked page messages produced by SWS. http://securityresponse.symantec.com/avcenter/security/Content/2007.01.24c.html 23896 symantec-html-xss(31750) ADV-2007-0330 22184 1017558 32961 32960 The license registering interface in Symantec Web Security (SWS) before 3.0.1.85 allows attackers to cause a denial of service (CPU consumption) by submitting a large file. This vulnerablity is addressed in the following product release: Symantec, Symantec Web Security, 3.0.1.85 http://securityresponse.symantec.com/avcenter/security/Content/2007.01.24c.html 23896 ADV-2007-0330 1017558 CGI-Rescue Shopping Basket Professional 7.50 and earlier allows remote attackers to inject arbitrary operating system commands via unspecified vectors. 22245 23909 31622 JVN#82258242 SQL injection vulnerability in news_detail.asp in ASP NEWS 3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0340 33582 aspnews-newsdetail-sql-injection(31719) 22214 20070125 ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability 3187 Cross-site scripting (XSS) vulnerability in admin.php in Interactive-Scripts.Com PHP Membership Manager 1.5 allows remote attackers to inject arbitrary web script or HTML via the _p parameter. 22263 20070126 PHP Membership Manager Cross-Site Scripting Vulnerability 33601 phpmembership-admin-xss(31916) PHP remote file inclusion vulnerability in system/lib/package.php in MyPHPCommander 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the gl_root parameter. ADV-2007-0385 22257 23890 32055 myphpcommander-package-file-include(31906) 3201 SQL injection vulnerability in xNews.php in xNews 1.3 allows remote attackers to execute arbitrary SQL commands via the id parameter in a shownews action. 22284 23954 32999 3216 xnews-xnews-sql-injection(31855) PHP remote file inclusion vulnerability in ains_main.php in Johannes Gijsbers (aka Taradino) Ad Fundum Integratable News Script (AINS) 0.02b allows remote attackers to execute arbitrary PHP code via a URL in the ains_path parameter. ains-ainsmain-file-include(31850) ADV-2007-0384 22259 36620 3202 PHP remote file inclusion vulnerability in include/lib/lib_head.php in phpMyReports 3.0.11 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cfgPathModule parameter. ADV-2007-0386 33003 phpmyreports-libhead-file-include(31857) 22290 23959 3212 PHP remote file inclusion vulnerability in include/irc/phpIRC.php in Drunken:Golem Gaming Portal 0.5.1 Alpha 2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0390 36619 drunkengolem-phpirc-file-include(31873) 3207 PHP remote file inclusion vulnerability in includes/config.inc.php in nsGalPHP 0.41 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the racineTBS parameter. ADV-2007-0392 22277 VIM 20070130 Source VERIFY: nsGalPHP RFI 23969 32994 3205 nsgalphp-config-file-include(31861) SQL injection vulnerability in rss/show_webfeed.php in SpoonLabs Vivvo Article Management CMS (aka phpWordPress) 3.40 allows remote attackers to execute arbitrary SQL commands via the wcHeadlines parameter, a different vector than CVE-2006-4715. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 22282 36631 Multiple SQL injection vulnerabilities in the administrative login page (admin/login.asp) in ASPCode.net AdMentor allow remote attackers to execute arbitrary SQL commands via the (1) Userid and (2) Password fields. admentor-adminlogin-sql-injection(31908) 22281 20070220 AdMentor Script Remote SQL injection Exploit 20070127 AdMentor (banners) admin SQL injection http://forums.avenir-geopolitique.net/viewtopic.php?t=2606 2207 PHP remote file inclusion vulnerability in xt_counter.php in Xt-Stats 2.3.x up to 2.4.0.b3 allows remote attackers to execute arbitrary PHP code via a URL in the server_base_dir parameter. xtstats-xtcounter-file-include(31871) http://www.xt-scripts.com/ ADV-2007-0387 22276 23967 20070127 Xt-Stats v.2.4.0.b3 - Remote File Include Vulnerabilities 32980 3209 PHP remote file inclusion vulnerability in function.inc.php in ACGVclick 0.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. ADV-2007-0391 22278 23970 3206 acgvclick-function-file-include(31859) The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early. 22274 http://www.mpg123.de/cgi-bin/news.cgi http://sourceforge.net/project/shownotes.php?group_id=135704&release_id=478747 ADV-2007-0366 40128 MDKSA-2007:032 Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information. 22273 [horde-announce] 20070114 Horde Groupware Webmail Edition 1.0 (final) [horde-announce] 20070114 Horde Groupware 1.0 (final) horde-calendar-file-include(31849) ADV-2007-0368 33083 PHP remote file inclusion vulnerability in menu.php in Foro Domus 2.10 allows remote attackers to execute arbitrary PHP code via a URL in the sesion_idioma parameter. ADV-2007-0396 22285 23949 33004 3215 forodomus-menu-file-include(31853) PHP remote file inclusion vulnerability in functions.php in EclipseBB 0.5.0 Lite allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0397 22283 35416 eclipsebb-functions-file-include(31852) 20070418 EclipseBB Remote File Inclusion 3214 SQL injection vulnerability in default.asp in ChernobiLe 1.0 allows remote attackers to execute arbitrary SQL commands via the User (username) field. chernobile-default-sql-injection(31939) 22280 36618 3210 Multiple cross-site scripting (XSS) vulnerabilities in HTTP Commander 6.0, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) LogoffMessage parameter to logofflast.aspx or the (2) txtUsername parameter to Default.aspx. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23964 32986 32985 httpcommander-multiple-xss(31877) 22298 PHP remote file inclusion vulnerability in membres/membreManager.php in PhP Generic Library & Framework for comm (g-neric) allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. ADV-2007-0394 22287 36632 33606 phpgeneric-membremanager-file-include(31895) 20070129 PhP Generic library & framework (include_path) Remote File Include Exploit 3217 include/debug.php in Webfwlog 0.92 and earlier, when register_globals is enabled, allows remote attackers to obtain source code of files via the conffile parameter. NOTE: some of these details are obtained from third party information. It is likely that this issue can be exploited to conduct directory traversal attacks. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0399 http://webfwlog.cvs.sourceforge.net/*checkout*/webfwlog/webfwlog/ChangeLog 33015 webfwlog-debug-file-include(31881) 22291 23968 3222 The InternalUnpackBits function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT file that triggers memory corruption in the _GetSrcBits32ARGB function. NOTE: this issue might overlap CVE-2007-0462. VU#396820 TA07-072A ADV-2007-0930 1017760 22228 http://security-protocols.com/sp-x43-advisory.php 24479 http://docs.info.apple.com/article.html?artnum=305214 33365 APPLE-SA-2007-03-13 SQL injection vulnerability in Forum Livre 1.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to info_user.asp. 36644 3197 Cross-site scripting (XSS) vulnerability in busca2.asp in Forum Livre 1.0 remote attackers to inject arbitrary web script or HTML via the palavra parameter. 36645 3197 PHP remote file inclusion vulnerability in configure.php in Vu Le An Virtual Path (VirtualPath) 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0352 31636 22241 23918 3198 Cross-site scripting (XSS) vulnerability in EzDatabase 2.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to admin/login.php and the Admin Panel Database. ezdatabase-adminpanel-xss(31768) 22235 20070125 EzDatabase Multiple Cross-Site Scripting Vulnerability 36955 36954 2196 Siteman 1.1.11 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing password hashes via a direct request for data/members.txt. siteman-members-info-disclosure(45485) 31440 20070125 [x0n3-h4ck] Siteman 1.1.11 Remote Md5 Hash Disclosure Vulnerability 31662 siteman-members-information-disclosure(31780) 2205 23925 Siteman 2.0.x2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing password hashes via a direct request for db/siteman/users.MYD. 20070125 [x0n3-h4ck] Siteman 2.0.x2 Remote Md5 Hash Disclosure Vulnerability 33590 2206 Cross-site scripting (XSS) vulnerability in search in High 5 Review Site allows remote attackers to inject arbitrary web script or HTML via the q parameter (aka the search box). high5review-search-xss(31797) ADV-2007-0363 20070125 high5 Review script Security Risk 23905 32974 PHP remote file inclusion vulnerability in index/main.php in Aztek Forum 4.00 allows remote authenticated administrators to execute arbitrary PHP code via a URL in the PF[top_url] parameter. 20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities Exploit 20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit 33593 http://acid-root.new.fr/poc/21070125.txt Aztek Forum 4.00 allows remote attackers to obtain sensitive information via a direct request to forum.php with the fid=XD query string, which reveals the path in an error message. 20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities Exploit 20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit 33594 http://acid-root.new.fr/poc/21070125.txt SQL injection vulnerability in forum/load.php in Aztek Forum 4.00 allows remote attackers to execute arbitrary SQL commands via the fid cookie to forum.php. 20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities Exploit 20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit 33595 http://acid-root.new.fr/poc/21070125.txt Variable overwrite vulnerability in common/config.php in Aztek Forum 4.00 allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as copying arbitrary files using index/common_actions.php, via vectors associated with extract operations on the (1) POST, (2) GET, (3) COOKIE, and (4) SERVER superglobal arrays. 20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities Exploit 20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit 33596 http://acid-root.new.fr/poc/21070125.txt SQL injection vulnerability in news_page.asp in Martyn Kilbryde Newsposter Script (aka makit news/blog poster) 3 and earlier allows remote attackers to execute arbitrary SQL commands via the uid parameter. newsposter-newspage-sql-injection(31747) ADV-2007-0354 22230 20070125 makit news/blog poster <=v3(news_page.asp) Remote SQL Injection Vulnerability 23930 36633 31640 2208 3194 common/safety.php in Aztek Forum 4.00 allows remote attackers to enter certain data containing %22 sequences (URL encoded double quotes) and other potentially dangerous manipulations by sending a cookie, which bypasses the blacklist matching against the GET and PUT superglobal arrays. 20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities Exploit 20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit 33597 http://acid-root.new.fr/poc/21070125.txt Buffer overflow in libvsapi.so in the VSAPI library in Trend Micro VirusWall 3.81 for Linux, as used by IScan.BASE/vscan, allows local users to gain privileges via a long command line argument, a different vulnerability than CVE-2005-0533. http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034124&id=EN-1034124 ADV-2007-0367 20070125 Buffer overflow in VSAPI library of Trend Micro VirusWall 3.81 for Linux http://www.devtarget.org/trendmicro-advisory-01-2007.txt http://www.devtarget.org/tmvwall381v3_exp.c 33043 1017562 2204 PGP Desktop before 9.5.1 does not validate data objects received over the (1) \pipe\pgpserv named pipe for PGPServ.exe or the (2) \pipe\pgpsdkserv named pipe for PGPsdkServ.exe, which allows remote authenticated users to gain privileges by sending a data object representing an absolute pointer, which causes code execution at the corresponding address. VU#102465 ADV-2007-0356 20070125 Medium Risk Vulnerability in PGP Desktop http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-pgp-desktop/ 23938 32970 32969 20070125 Medium Risk Vulnerability in PGP Desktop 22247 1017563 2203 Cross-site scripting (XSS) vulnerability in Movable Type (MT) before 3.34 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the MTCommentPreviewIsStatic tag, which can open the "comment entry screen," a different vulnerability than CVE-2007-0231. http://www.sixapart.com/movabletype/beta/distros/MT-3.34-beta-Release-Notes.html 32987 Cross-site scripting (XSS) vulnerability in picture.php in Advanced Guestbook 2.4.2 allows remote attackers to inject arbitrary web script or HTML via the picture parameter. Successful exploitation requires that "register_globals" is enabled. advanced-picture-index-xss(34156) ADV-2007-1726 23873 20070507 Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities 33877 http://www.netvigilance.com/advisory0012 25153 2663 w-agora 4.2.1 allows remote attackers to obtain sensitive information by via the (1) bn[] array parameter to index.php, which expects a string, and (2) certain parameters to delete_forum.php, which displays the path name in the resulting error message. wagora-deleteforumindex-path-disclosure(33076) 20070319 w-agora version 4.2.1 Multiple Path Disclosure Vulnerabilities 31669 31668 http://www.netvigilance.com/advisory0014 2461 W-Agora (Web-Agora) 4.2.1, when register_globals is enabled, stores globals.inc under the web document root with insufficient access control, which allows remote attackers to obtain application path information via a direct request. 20070319 w-agora version 4.2.1 Information Disclosure Vulnerability 31670 http://www.netvigilance.com/advisory0015 wagora-globals-information-disclosure(33073) 2465 20070319 w-agora version 4.2.1 Information Disclosure Vulnerability Advanced Guestbook 2.4.2 allows remote attackers to obtain sensitive information via an invalid (1) GB_TBL parameter to (a) lang/codes-english.php or (b) image.php, which reveal the database name; (2) an invalid GB_DB parameter to index.php, coupled with a ../index lang cookie, which reveals the installation path; or (3) a direct request to index.php with no parameters or cookies, which reveals the installation path. Successful exploitation requires that "register_globals" is enabled. advanced-multiple-script-info-disclosure(34161) ADV-2007-1726 20070507 Advanced Guestbook version 2.4.2 Multiple Error Information Leak Vulnerabilities 33879 33878 33876 http://www.netvigilance.com/advisory0011 25153 2661 Directory traversal vulnerability in Advanced Guestbook 2.4.2 allows remote attackers to bypass .htaccess settings, and execute arbitrary PHP local files or read arbitrary local templates, via a .. (dot dot) in a lang cookie, followed by a filename without its .php extension, as demonstrated via a request to index.php. advanced-index-directory-traversal(34152) ADV-2007-1726 23876 20070507 Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability 20070507 Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities http://www.netvigilance.com/advisory0013 http://www.netvigilance.com/advisory0012 25153 2662 Cross-site scripting (XSS) vulnerability in the mailform feature in CMSimple 2.7 fix1 allows remote attackers to inject arbitrary web script or HTML via the sender parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23951 32976 cmsimple-sender-xss(31841) 22250 Multiple cross-site scripting (XSS) vulnerabilities in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) inc.page.php and (2) inc.text.php. ADV-2007-0360 http://sourceforge.net/project/shownotes.php?release_id=480714&group_id=98260 36683 36682 Multiple ActiveX controls in Microsoft Windows 2000, XP, 2003, and Vista allows remote attackers to cause a denial of service (Internet Explorer crash) by accessing the bgColor, fgColor, linkColor, alinkColor, vlinkColor, or defaultCharset properties in the (1) giffile, (2) htmlfile, (3) jpegfile, (4) mhtmlfile, (5) ODCfile, (6) pjpegfile, (7) pngfile, (8) xbmfile, (9) xmlfile, (10) xslfile, or (11) wdfile objects in (a) mshtml.dll; or the (12) TriEditDocument.TriEditDocument or (13) TriEditDocument.TriEditDocument.1 objects in (b) triedit.dll, which cause a NULL pointer dereference. ie-activex-bgcolor-dos(31867) 22288 20070129 Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS) http://www.determina.com/security.research/vulnerabilities/activex-bgcolor.html 32628 20070129 Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS) 20070128 Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS) 2199 The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 does not check for duplicate entries when adding newly discovered available contacts, which allows remote attackers to cause a denial of service (disrupted communication) via a flood of duplicate _presence._tcp mDNS queries. 22304 http://projects.info-pull.com/moab/MOAB-29-01-2007.html 32699 32698 The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (persistent application crash) via a crafted phsh hash attribute in a TXT key. 22304 http://projects.info-pull.com/moab/MOAB-29-01-2007.html 1017661 32713 24198 23945 APPLE-SA-2007-02-15 http://docs.info.apple.com/article.html?artnum=305102 Unspecified vulnerability in Hitachi JP1/HIBUN Advanced Edition Management Server and Log Server before 20070124 allows remote attackers to cause a denial of service (application stop) via unexpected data. hitachi-jp1-hibun-request-dos(31733) ADV-2007-0324 22237 http://www.hitachi-support.com/security_e/vuls_e/HS06-019_e/01-e.html 23854 32963 Directory traversal vulnerability in zen/template-functions.php in zenphoto 1.0.4 up to 1.0.6 allows remote attackers to list arbitrary directories via ".." sequences in the album parameter to index.php. http://www.zenphoto.org/support/topic.php?id=1148 http://www.zenphoto.org/support/topic.php?id=1146&replies=3 ADV-2007-0470 33072 zenphoto-template-directory-traversal(32102) 22368 24026 The SpamBlocker.dll ActiveX control in Earthlink TotalAccess is marked "safe for scripting," which allows remote attackers to add arbitrary e-mail addresses and domains to the spam blocker whitelist via the (1) AddSenderToWhitelist and (2) AddDomainToWhitelist functions. Medium complexity because phishing attack earthlink-spamblocker-security-bypass(31827) 22238 20070125 Earthlink TotalAccess ActiveX Unsafe Methods Vulnerability 2210 Unspecified vulnerability in (1) pop3d, (2) pop3ds, (3) imapd, and (4) imapds in IBM AIX 5.3.0 has unspecified impact and attack vectors, involving an "authentication vulnerability." 22262 ADV-2007-0382 IY93084 23957 ftp://aix.software.ibm.com/aix/efixes/security/README aix-mailservices-rlogin-security-bypass(31875) chmlib before 0.39 allows user-assisted remote attackers to execute arbitrary code via a crafted page block length in a CHM file, which triggers memory corruption. Update to version 0.39. http://morte.jedrea.com/~jedwin/projects/chmlib/ ADV-2007-0361 1017565 23975 20070126 Multiple Vendor libchm Page Block Length Memory Corruption Vulnerability 22258 SUSE-SR:2007:003 GLSA-200702-12 24335 download.php in FD Script 1.3.2 and earlier allows remote attackers to read source of files under the web document root with certain extensions, including .php, via a relative pathname in the fname parameter, as demonstrated by downloading config.php. ADV-2007-0383 22265 20070126 FdScript <= v1.3.2 Remote File Disclosure Vulnerability 23947 33001 fdscript-download-file-disclosure(31915) 2197 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-6456. Reason: This candidate is a duplicate of CVE-2006-6456. It was assigned for a targeted zero-day attack, but further analysis revealed it was for an older issue. Notes: All CVE users should reference CVE-2006-6456 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 23934 32968 SQL injection vulnerability in index.php in MAXdev MDPro 1.0.76 allows remote attackers to execute arbitrary SQL commands via the startrow parameter. ADV-2007-0412 22293 20070129 MDPro 1.0.76 - Multiple Remote Vulnerabilities 23948 33612 33011 mdpro-startrow-sql-injection(31897) 2198 user.php in MAXdev MDPro 1.0.76 allows remote attackers to obtain the full path via a ' (quote) character, and possibly other invalid values, in the uname parameter in a userinfo operation. 20070129 MDPro 1.0.76 - Multiple Remote Vulnerabilities 33613 mdpro-user-path-disclosure(31898) 2198 nxconfigure.sh in NoMachine NX Server before 2.1.0-18 does not validate the invoking user, which allows local users to modify server configuration keys in /usr/NX/etc/server.cfg, resulting in an unspecified denial of service. http://www.nomachine.com/news_read.php?idnews=190 23993 ADV-2007-0413 22308 http://www.nomachine.com/tr/view.php?id=TR01E01622 33009 nxserver-nxconfigure-dos(31941) The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines." Successful exploitation requires "post comments" privileges and access to multiple input filters (not the default). 23960 http://drupal.org/node/113935 drupal-commentformaddpreview-code-execution(31940) ADV-2007-0415 ADV-2007-0406 http://www.vbdrupal.org/forum/showthread.php?t=786 22306 23990 32136 20070129 [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue Michael Still gtalkbot before 1.2 places username and password arguments on the command line, which allows local users to obtain sensitive information by listing the process. ADV-2007-0408 http://www.stillhq.com/gtalkbot/000003.html http://www.stillhq.com/gtalkbot/ 33071 http://freshmeat.net/projects/gtalkbot/?branch_id=67830&release_id=245004 gtalkbot-ps-information-disclosure(31923) 22322 23942 Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Access Manager 6.1, 6.2, 6 2005Q1 (6.3), and 7 2005Q4 (7.0) before 20070129 allow remote attackers to inject arbitrary web script or HTML via the (1) goto or (2) gx-charset parameter. NOTE: some of these details are obtained from third party information. 22302 java-access-server-unspecified-xss(31936) java-access-server-unspecified-xss(31936) ADV-2007-0411 102621 1017570 23979 33010 The www_purgeList method in Plain Black WebGUI before 7.3.8 does not properly check user permissions, which allows attackers to delete unauthorized assets. NOTE: some of these details are obtained from third party information. 22294 http://www.plainblack.com/getwebgui/advisories/security-defect-discovered-in-7.x-versions http://sourceforge.net/project/shownotes.php?group_id=51417&release_id=481584 23981 webgui-wwwpurgelist-data-manipulation(31905) 32992 webgui-wwwpurgelist-data-manipulation(31905) Multiple SQL injection vulnerabilities in the generate_csv function in classes/class.news.php in X-dev xNews 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) from, and (3) q parameters, different vectors than CVE-2007-0569. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0395 33000 SQL injection vulnerability in index.php in Eclectic Designs CascadianFAQ 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-0424 22314 cascadianfaq-index-sql-injection(31968) 31675 23965 3227 SQL injection vulnerability in artreplydelete.asp in ASP EDGE 1.3a and earlier allows remote attackers to execute arbitrary SQL commands via a username cookie, a different vector than CVE-2007-0560. ADV-2007-0341 36634 PHP remote file inclusion vulnerability in include/themes/themefunc.php in MyNews 4.2.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the myNewsConf[path][sys][index] parameter. ADV-2007-0423 22313 33019 mynews-themefunc-file-include(31971) 23973 3228 Unspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denial of service (system crash) via certain ICMP packets. VU#967236 22323 1017574 23982 solaris-icmp-dos(32010) ADV-2007-0420 102697 31878 oval:org.mitre.oval:def:1249 Multiple PHP remote file inclusion vulnerabilities in EncapsCMS 0.3.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) config[path] parameter to (a) common_foot.php or (b) blogs.php, or (2) the config[theme] parameter to (c) admin/gallery_head.php. encapsms-config-file-include(31978) ADV-2007-0430 22319 20070130 EncapsCMS 0.3.6 (common_foot.php) Remote File Include 33036 33035 33034 2200 23987 Unspecified vulnerability in inotify before 0.3.5 has unknown impact and attack vectors, related to "access rights to watched files." 22305 ADV-2007-0405 38132 http://inotify.aiken.cz/?section=incron&page=changelog Directory traversal vulnerability in zd_numer.php in Galeria Zdjec 3.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the galeria parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by zd_numer.php. galeria-zdnumer-file-include(31967) ADV-2007-0425 22324 33033 23956 3225 show.php in Vlad Alexa Mancini PHPFootball 1.6 allows remote attackers to obtain sensitive information (database contents) via a % (percent) character in the dbfieldv parameter. phpfootball-show-information-disclosure(31976) ADV-2007-0429 22312 33070 23962 3226 Multiple static code injection vulnerabilities in error.php in GuppY 4.5.16 and earlier allow remote attackers to inject arbitrary PHP code into a .inc file in the data/ directory via (1) a REMOTE_ADDR cookie or (2) a cookie specifying an element of the msg array with an error number in the first dimension and 0 in the second dimension, as demonstrated by msg[999][0]. 23914 guppy-error-code-execution(31882) guppy-error-code-execution(31882) ADV-2007-0421 1017569 http://retrogod.altervista.org/guppy_4516_cmd.html 33016 3221 Buffer overflow in ZABBIX before 1.1.5 has unknown impact and attack vectors related to "SNMP IP addresses." http://www.zabbix.com/rn1.1.5.php 22321 ADV-2007-0416 33081 zabbix-snmp-bo(32038) 24020 Buffer overflow in the EnumPrintersA function in dapcnfsd.dll 0.6.4.0 in Shaffer Solutions (SSC) DiskAccess NFS Client allows remote attackers to execute arbitrary code via a long argument, an issue similar to CVE-2006-5854 and CVE-2007-0444. http://www.securityfocus.com/data/vulnerabilities/exploits/testlpc.c 22301 38119 SQL injection vulnerability in tForum 2.00 in the Raymond BERTHOU script collection (aka RBL - ASP) allows remote attackers to execute arbitrary SQL commands via the (1) id and (2) pass to user_confirm.asp. rbl-userpass-sql-injection(31927) 22350 20070129 RBL - ASP (scripts with db) SQL injection 20070127 RBL - ASP (scripts with db) SQL injection 36040 20070131 Partial source code verify - "RBL - ASP" scripts SQL injection 2201 http://forums.avenir-geopolitique.net/viewtopic.php?t=2607 Stack-based buffer overflow in Bloodshed Dev-C++ 4.9.9.2 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long line in a .cpp file. 22315 38131 3229 Format string vulnerability in Apple Safari 2.0.4 (419.3) allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in filenames that are not properly handled when calling the (1) NSLog and (2) NSBeginAlertSheet Apple AppKit functions. http://www.digitalmunition.com/MOAB-30-01-2007.html 22326 32710 Format string vulnerability in iPhoto 6.0.5 allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling certain Apple AppKit functions. http://www.digitalmunition.com/MOAB-30-01-2007.html 22326 32711 http://projects.info-pull.com/moab/MOAB-30-01-2007.html Format string vulnerability in iMovie HD 6.0.3, and Safari in Apple Mac OS X 10.4 through 10.4.10, allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSRunCriticalAlertPanel Apple AppKit function. TA07-319A TA07-109A ADV-2007-3868 ADV-2007-1470 26444 22326 http://www.digitalmunition.com/MOAB-30-01-2007.html 27643 24966 APPLE-SA-2007-11-14 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=307041 http://docs.info.apple.com/article.html?artnum=305391 Format string vulnerability in Help Viewer 3.0.0 allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSBeginAlertSheet Apple AppKit function. http://www.digitalmunition.com/MOAB-30-01-2007.html 22326 32707 Cisco IOS after 12.3(14)T, 12.3(8)YC1, 12.3(8)YG, and 12.4, with voice support and without Session Initiated Protocol (SIP) configured, allows remote attackers to cause a denial of service (crash) by sending a crafted packet to port 5060/UDP. VU#438176 20070131 SIP Packet Reloads IOS Devices Not Configured for SIP cisco-sip-packet-dos(31990) ADV-2007-0428 22330 http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml 23978 oval:org.mitre.oval:def:5138 1017575 Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue was originally disputed before the extract behavior was identified in post-disclosure analysis. Also, the original report identified "Open Conference Systems," but this was an error. Incorrect bug report. This CVE should have a score of 0 because there are no products affected. 22348 22346 20070130 Re: Fake: Open Conference Systems = 2.8.2 Remote File Inclusion 20070128 Re: Open Conference Systems = 2.8.2 Remote File Inclusion 20070129 Re: Fake: Open Conference Systems = 2.8.2 Remote File Inclusion 20070129 Fake: Open Conference Systems = 2.8.2 Remote File Inclusion 20070127 Re: Open Conference Systems = 2.8.2 Remote File Inclusion 20070127 Open Conference Systems = 2.8.2 Remote File Inclusion 2202 33609 33603 20070131 VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion]) 20070129 [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion] (fwd) Buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function. https://issues.rpath.com/browse/RPL-1036 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225491 tetex-makeindex-opensty-bo(32284) ADV-2007-1706 23872 MDKSA-2007:109 GLSA-200805-13 GLSA-200711-34 GLSA-200709-17 30168 26982 Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Professional before 2.37 allow remote attackers to inject arbitrary Javascript script via (1) e-mail messages and (2) the ID parameter to (a) right.asp, (b) Forms/MAI/list.asp, and (c) Forms/VCF/list.asp in mewebmail/base/default/lang/EN/. 20070214 Secunia Research: MailEnable Web Mail Client MultipleVulnerabilities http://secunia.com/secunia_research/2007-38/advisory/ 23998 mailenable-id-xss(32480) mailenable-email-messages-xss(32476) ADV-2007-0595 22554 http://www.mailenable.com/Professional20-ReleaseNotes.txt 33190 33189 33188 2258 Cross-site request forgery (CSRF) vulnerability in MailEnable Professional before 2.37 allows remote attackers to modify arbitrary configurations and perform unauthorized actions as arbitrary users via a link or IMG tag. 20070214 Secunia Research: MailEnable Web Mail Client MultipleVulnerabilities http://secunia.com/secunia_research/2007-38/advisory/ 23998 ADV-2007-0595 22554 33191 2258 Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which triggers memory corruption. ADV-2007-1057 23078 http://secunia.com/secunia_research/2007-47/advisory/ 23986 xmms-skinbitmap-code-execution(33205) USN-445-1 20070321 Secunia Research: XMMS Integer Overflow and UnderflowVulnerabilities SUSE-SR:2007:006 MDKSA-2007:071 DSA-1277 24889 24804 24645 Integer underflow in X MultiMedia System (xmms) 1.2.10 allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which results in a stack-based buffer overflow. ADV-2007-1057 23078 http://secunia.com/secunia_research/2007-47/advisory/ 23986 xmms-skinbitmap-bo(33203) USN-445-1 20070321 Secunia Research: XMMS Integer Overflow and UnderflowVulnerabilities SUSE-SR:2007:006 MDKSA-2007:071 DSA-1277 24889 24804 24645 The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan 8.0.671.1, and possibly other versions, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222. ADV-2007-1609 1018007 23759 http://secunia.com/secunia_research/2007-45/advisory/ 23809 35732 escan-mwagent-security-bypass(34009) PHP remote file inclusion vulnerability in includes/functions.php in phpBB2-MODificat 0.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0422 22320 36018 phpbb2modificat-functions-file-include(31985) 3231 Unspecified vulnerability in Nexuiz 2.2.2 allows remote attackers to read and overwrite arbitrary files via the gamedir command. http://www.alientrap.org/devwiki/index.php?n=Nexuiz.Patch 23963 ADV-2007-0427 33018 nexuiz-gamedir-information-disclosure(32040) 22332 The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESSION. 23985 23983 http://drupal.org/node/114519 http://drupal.org/node/114364 http://cvs.drupal.org/viewcvs/drupal/contributions/modules/textimage/captcha.inc?r1=1.1&r2=1.1.2.1 http://cvs.drupal.org/viewcvs/drupal/contributions/modules/captcha/captcha.module?r1=1.25.2.1&r2=1.25.2.2 ADV-2007-0431 22329 32138 32137 captcha-response-security-bypass(31994) textimage-captcha-security-bypass(31984) download.php in the MuddyDogPaws FileDownload snippet before 2.5 for MODx allows remote attackers to download arbitrary files, as demonstrated by downloading config.inc.php to obtain database credentials. 22327 23953 ADV-2007-0426 http://www.muddydogpaws.com/Home.html http://modxcms.com/forums/index.php/topic,10470.0.html Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values." ADV-2007-0433 http://www.dotnetnuke.com/Default.aspx?tabid=825&EntryID=1278 36476 dotnetnuke-iframe-unspecified-xss(32037) 22334 Intel Enterprise Southbridge 2 Baseboard Management Controller (BMC), Intel Server Boards 5000XAL, S5000PAL, S5000PSL, S5000XVN, S5000VCL, S5000VSA, SC5400RA, and OEM Firmware for Intel Enterprise Southbridge Baseboard Management Controller before 20070119, when Intelligent Platform Management Interface (IPMI) is enabled, allow remote attackers to connect and issue arbitrary IPMI commands, possibly triggering a denial of service. The IPMI configuration does not appear to be the cause, but an extra condition for when it's possible. This is the reason for medium access complexity. http://lz1.intel.com/psirt/advisory.aspx?intelid=INTEL-SA-00012&languageid=en-fr ADV-2007-0432 23989 33044 22341 PHP remote file inclusion vulnerability in includes/usercp_viewprofile.php in Hailboards 1.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0450 22333 33078 hailboards-usercpviewprofile-file-include(31997) 24002 3236 SQL injection vulnerability in index.php in Eclectic Designs CascadianFAQ 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the qid parameter, a different vector than CVE-2007-0631. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0424 thttpd before 2.25b-r6 in Gentoo Linux is started from the system root directory (/) by the Gentoo baselayout 1.12.6 package, which allows remote attackers to read arbitrary files. GLSA-200701-28 24018 http://bugs.gentoo.org/show_bug.cgi?id=142047 22349 31965 Format string vulnerability in the SCP module in Ipswitch WS_FTP 2007 Professional might allow remote attackers to execute arbitrary commands via format string specifiers in the filename, related to the SHELL WS_FTP script command. wsftp-scphandler-format-string(31865) 22275 20070126 WS_FTP 2007 Professional SCP handling format string vulnerability 33602 Ipswitch WS_FTP Server 5.04 allows FTP site administrators to execute arbitrary code on the system via a long input string to the (1) iFTPAddU or (2) iFTPAddH file, or to a (3) edition module. wsftp-iftpaddu-privilege-escalation(32176) 20070202 Re: Re: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities 20070202 Re[2]: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities 20070202 Re: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities 20070201 Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities 33647 33646 The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and (2) SQL-Ledger allows remote authenticated users to execute arbitrary code via redirects, related to callbacks, a different issue than CVE-2006-5872. ADV-2007-0407 22295 20070206 Unofficial SQL-Ledger patch for CVE-2007-0667 20070127 Arbitrary Code Execution in SQL-Ledger and LedgerSMB through redirects 2217 The Loopback Filesystem (LOFS) in Sun Solaris 10 allows local users in a non-global zone to move and rename files in a read-only filesystem, which could lead to a denial of service. 102699 ADV-2007-0462 31879 solaris-loopbackfs-dos(32140) 22364 1017582 23996 oval:org.mitre.oval:def:1372 Unspecified vulnerability in Twiki 4.0.0 through 4.1.0 allows local users to execute arbitrary Perl code via unknown vectors related to CGI session files. VU#584436 ADV-2007-0544 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2007-0669 33168 20070208 TWiki Security Alert: Arbitrary code execution in session files (CVE-2007-0669) twiki-cgisession-code-execution(32389) 22378 OpenPKG-SA-2007.009 24091 Buffer overflow in bos.rte.libc in IBM AIX 5.2 and 5.3 allows local users to execute arbitrary code via the "r-commands", possibly including (1) rdist, (2) rsh, (3) rcp, (4) rsync, and (5) rlogin. aix-rdist-bo(32184) ADV-2007-0471 22456 22370 31696 IY94368 IY94301 1017607 1017583 23995 ftp://aix.software.ibm.com/aix/efixes/security/README Unspecified vulnerability in Microsoft Excel 2000, XP, 2003, and 2004 for Mac, and possibly other Office products, allows remote user-assisted attackers to execute arbitrary code via unknown attack vectors, as demonstrated by Exploit-MSExcel.h in targeted zero-day attacks. TA07-044A VU#613740 office-unspecified-code-execution(32178) ADV-2007-0463 22383 MS07-015 http://www.microsoft.com/technet/security/advisory/932553.mspx http://www.avertlabs.com/research/blog/?p=191 http://vil.nai.com/vil/content/v_141393.htm 1017584 24008 31901 oval:org.mitre.oval:def:301 LGSERVER.EXE in BrightStor Mobile Backup 4.0 allows remote attackers to cause a denial of service (disk consumption and daemon hang) via a value of 0xFFFFFF7F at a certain point in an authentication negotiation packet, which writes a large amount of data to a .USX file in CA_BABLDdata\Server\data\transfer\. 22339 http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp 20070131 Remote Unauthenticated Resource Exhaustion CA Mobile BackupService LGSERVER.EXE in BrightStor ARCserve Backup for Laptops & Desktops r11.1 allows remote attackers to cause a denial of service (daemon crash) via a value of 0xFFFFFFFF at a certain point in an authentication negotiation packet, which results in an out-of-bounds read. 22337 http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp 20070131 Remote DOS BrightStor ARCserve Backup for Laptops & Desktops 2218 32948 Pictures and Videos on Windows Mobile 5.0 and Windows Mobile 2003 and 2003SE for Smartphones and PocketPC allows user-assisted remote attackers to cause a denial of service (device hang) via a malformed JPEG file. picturesvideos-jpeg-dos(32002) ADV-2007-0434 22343 36148 http://blog.trendmicro.com/trend-micro-finds-more-windows-mobile-flaws/ A certain ActiveX control in sapi.dll (aka the Speech API) in Speech Components in Microsoft Windows Vista, when the Speech Recognition feature is enabled, allows user-assisted remote attackers to delete arbitrary files, and conduct other unauthorized activities, via a web page with an embedded sound object that contains voice commands to an enabled microphone, allowing for interaction with Windows Explorer. TA08-162B ADV-2008-1779 1020232 22359 MS08-032 30578 oval:org.mitre.oval:def:5489 SSRT080087 SSRT080087 [dailydave] 20070131 Vista speach recognition [dailydave] 20070130 Vista speach recognition [dailydave] 20070130 Vista speach recognition [dailydave] 20070130 Vista speach recognition http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx SQL injection vulnerability in faq.php in ExoPHPDesk 1.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. Successful exploitation requires that "magic_quotes_gpc" is disabled. exophpdesk-faq-sql-injection(31998) ADV-2007-0452 22338 36027 3234 PHP remote file inclusion vulnerability in fw/class.Quick_Config_Browser.php in Cadre PHP Framework 20020724 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][framework_path] parameter. cadre-classquickconfigbrowser-file-include(32005) ADV-2007-0449 22336 20070131 [ECHO_ADV_63$2007] Cadre remote file inclusion 33631 http://echo.or.id/adv/adv63-y3dips-2007.txt 2215 3237 SQL injection vulnerability in windows.asp in Fullaspsite Asp Hosting Sitesi allows remote attackers to execute arbitrary SQL commands via the kategori_id parameter. ADV-2007-0453 22347 36041 fullaspsite-windows-sql-injection(32020) 3233 PHP remote file inclusion vulnerability in lang/leslangues.php in Nicolas Grandjean PHPMyRing 4.1.3b and earlier allows remote attackers to execute arbitrary PHP code via a URL in the fichier parameter. ADV-2007-0448 22345 36039 phpmyring-leslangues-file-include(32033) 3238 PHP remote file inclusion vulnerability in includes/functions.php in Phpbb Tweaked 3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. http://www.xoron.info/bugs/phpbbtweaked.txt ADV-2007-0451 22344 33079 phpbbtweaked-functions-file-include(32024) 24001 3235 profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php. 38130 extcalendar-profile-security-bypass(32035) 3239 PHP remote file inclusion vulnerability in theme/include_mode/template.php in JV2 Folder Gallery 3.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the galleryfilesdir parameter. ADV-2007-0447 24012 33077 jv2gallery-template-file-include(32043) 22354 3240 PHP remote file inclusion vulnerability in includes/functions.php in Omegaboard 1.0beta4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. http://www.xoron.info/bugs/omegaboard-perl.txt http://www.xoron.info/bugs/omegaboard-html.txt ADV-2007-0445 omegaboard-functions-file-include(32057) 22355 20070201 Omegaboard v1.0b4 (phpbb_root_path) Remote File Include Exploit 3242 20070201 Omegaboard v1.0b4 (phpbb_root_path) Remote File Include Exploit PHP remote file inclusion vulnerability in portal.php in Cerulean Portal System 0.7b allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. http://www.xoron.info/bugs/ceruleanportalsystem-perl.txt http://www.xoron.info/bugs/ceruleanportalsystem-html.txt ADV-2007-0444 cerulean-portal-file-include(32058) 22356 20070201 Cerulean Portal System (phpbb_root_path) Remote File Include Exploit 3243 Internet Explorer on Windows Mobile 5.0 and Windows Mobile 2003 and 2003SE for Smartphones and PocketPC allows attackers to cause a denial of service (application crash and device instability) via unspecified vectors, possibly related to a buffer overflow. ie-mobile-unspecified-dos(32001) ie-mobile-unspecified-bo(32001) ADV-2007-0434 22343 36149 http://blog.trendmicro.com/trend-micro-finds-more-windows-mobile-flaws/ The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) allows remote attackers to cause a denial of service (system crash) via crafted disassociation packets, which triggers memory corruption of "internal kernel structures," a different vulnerability than CVE-2006-6651. NOTE: this issue might overlap CVE-2006-3992. 37996 3224 SQL injection vulnerability in i-search.php in Michelle's L2J Dropcalc 4 and earlier allows remote authenticated users to execute arbitrary SQL commands via the itemid parameter. l2j-isearch-sql-injection(32003) 22335 36038 3232 SQL injection vulnerability in oku.asp in Hunkaray Duyuru Scripti allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0446 34086 hds-oku-sql-injection(32042) 24367 20070607 H&uuml;nkaray Duyuru Script Remote SQL &#304;njection 25581 3241 MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message. http://www.netvigilance.com/advisory0017 35549 35548 20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities mybb-eventmembercaptcha-info-disclosure(34336) 20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities myEvent 1.6 allows remote attackers to obtain sensitive information via (1) a Log In action without a password to login.php, or an invalid (2) view[] or (3) monthno[] parameter to myevent.php, which reveals the path in various error messages. 20070528 myEvent version 1.6 Multiple Path Disclosure Vulnerabilities 34272 38336 myevent-myevent-login-path-disclosure(34542) 2744 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2066. Reason: This candidate is a duplicate of CVE-2007-2066. Notes: All CVE users should reference CVE-2007-2066 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. DGNews 2.1 allows remote attackers to obtain sensitive information via a fullnews request to news.php with an invalid newsid parameter, and other unspecified vectors, which reveal the path in various error messages. 20070528 DGNews version 2.1 Path Disclosure Vulnerability 34226 dgnews-news-path-disclosure(34540) 2741 SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS). ADV-2007-1981 24201 20070528 DGNews version 2.1 SQL Injection Vulnerability 34227 dgnews-news-sql-injection(34539) 2740 25438 Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 allows remote attackers to inject arbitrary web script or HTML via the copyright parameter. ADV-2007-1981 24200 20070528 DGNews version 2.1 XSS Attack Vulnerability 34228 dgnews-footer-xss(34537) 2739 25438 Multiple SQL injection vulnerabilities in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: some sources mention the escape_sqlData, implode_sql, and implode_sqlIn functions, but these are protection schemes, not the vulnerable functions. flip-multiple-sql-injection(31902) ADV-2007-0454 20070203 FLIP SQL injection clarification http://sourceforge.net/project/shownotes.php?release_id=481131&group_id=98260 33649 Cross-site scripting (XSS) vulnerability in error messages in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, different vectors than CVE-2007-0611. flip-triggererrortext-xss(31900) ADV-2007-0454 http://sourceforge.net/project/shownotes.php?release_id=481131&group_id=98260 33650 index2.php in ACGVannu 1.3 and earlier allows remote attackers to change the password or profile of a user via a modified id parameter, related to templates/modif.html. NOTE: some of these details are obtained from third party information. acgv-multiple-security-bypass(31893) acgv-modif-security-bypass(31893) ADV-2007-0388 22279 33115 24072 3208 Multiple SQL injection vulnerabilities in ACGVannu 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via the id_mod parameter to templates/modif.html, and other unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. acgv-modif-sql-injection(32257) ADV-2007-0388 34666 PHP remote file inclusion vulnerability in includes/includes.php in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) before 2.5.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the site_path parameter. portailwebphp-includes-file-include(32121) ADV-2007-0457 22361 20070201 php web portail [remote file include & local file include] 20070201 Fwd: php web portail [remote file include & local file include] http://sourceforge.net/project/shownotes.php?release_id=480538&group_id=178400 2223 33633 Directory traversal vulnerability in index.php in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. NOTE: this issue was later reported for 2.5.1.1. portailwebphp-index-file-include(32115) 22361 20070201 php web portail [remote file include & local file include] 20070202 Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude]) 20070202 Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude]) 20070201 Fwd: php web portail [remote file include & local file include] 33634 27962 5182 PHP remote file inclusion vulnerability in inc/common.inc.php in Epistemon 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_path parameter. ADV-2007-0459 22360 20070201 true: Epistemon 1.0 <= Remote File Include Vulnerability 31938 24003 3247 Multiple PHP remote file inclusion vulnerabilities in phpEventMan 1.0.2 allow remote attackers to execute arbitrary PHP code via a URL in the level parameter to (1) Shared/controller/text.ctrl.php or (2) UserMan/controller/common.function.php. ADV-2007-0460 22358 20070201 true: phpEventMan RFI Vuln. 24000 31937 31936 3246 PHP remote file inclusion vulnerability in library/StageLoader.php in WebBuilder 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[core][module_path] parameter. ADV-2007-0458 20070201 true: WebBuilder <= 2.0 Remote File Include Vulnerability 33607 3249 PHP remote file inclusion vulnerability in install.php in Somery 0.4.6 allows remote attackers to execute arbitrary PHP code via a URL in the skindir parameter, a different vector than CVE-2006-4669. NOTE: the documentation says to remove install.php after installation. 20070201 True: Somery 0.4.6 (skindir install.php) Remote file include 33608 2329 Cross-zone scripting vulnerability in Sleipnir 2.49 and earlier, and Portable Sleipnir 2.45 and earlier, allows remote attackers to bypass Web content zone restrictions via certain script contained in RSS data. NOTE: some of these details are obtained from third party information. ADV-2007-0364 http://www.ipa.go.jp/security/vuln/documents/2006/JVN_93700808.html http://www.fenrir.co.jp/press/20070126_2.html 23927 32977 JVN#93700808 Cross-zone scripting vulnerability in Darksky RSS bar for Internet Explorer before 1.29, RSS bar for Sleipnir before 1.29, and RSS bar for unDonut before 1.29 allows remote attackers to bypass Web content zone restrictions via certain script contained in RSS data. NOTE: some of these details are obtained from third party information. ADV-2007-0365 http://www.fenrir.co.jp/press/20070126_2.html JVN#93700808 Stack-based buffer overflow in GOM Player 2.0.12.3375 allows user-assisted remote attackers to execute arbitrary code via a .ASX file with a long URI in the "ref href" tag. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 23994 http://www.gomplayer.com/forum/viewtopic.html?t=221 33080 gomplayer-asx-bo(32164) cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) before 2.4.16.174 does not validate arguments that originate in user mode for the (1) NtConnectPort and (2) NtCreatePort hooked SSDT functions, which allows local users to cause a denial of service (system crash) and possibly gain privileges via invalid arguments. comodofirewallpro-cmdmon-dos(32059) 22357 20070201 Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php 1017580 cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.16.174 and earlier does not validate arguments that originate in user mode for the (1) NtCreateSection, (2) NtOpenProcess, (3) NtOpenSection, (4) NtOpenThread, and (5) NtSetValueKey hooked SSDT functions, which allows local users to cause a denial of service (system crash) and possibly gain privileges via invalid arguments. comodofirewallpro-cmdmon-dos(32059) 22357 20070201 Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php 1017580 The Bonjour functionality in iChat in Apple Mac OS X 10.3.9 allows remote attackers to cause a denial of service (persistent application crash) via unspecified vectors, possibly related to CVE-2007-0614. VU#836024 24198 http://docs.info.apple.com/article.html?artnum=305102 1017661 22304 32713 APPLE-SA-2007-02-15 Integer overflow in Apple QuickTime before 7.1.5, when installed on Windows operating systems, allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted 3GP video file. TA07-065A VU#568689 http://docs.info.apple.com/article.html?artnum=305149 quicktime-3gpvideo-overflow(32814) ADV-2007-0825 1017725 22827 24359 33905 APPLE-SA-2007-03-05 Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MIDI file. TA07-065A VU#822481 quicktime-midi-files-bo(32816) ADV-2007-0825 1017725 22827 24359 33904 APPLE-SA-2007-03-05 http://docs.info.apple.com/article.html?artnum=305149 Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QuickTime movie file. TA07-065A VU#880561 http://docs.info.apple.com/article.html?artnum=305149 ADV-2007-0825 APPLE-SA-2007-03-05 quicktime-quicktime-bo(32817) 1017725 22843 22827 20070306 Apple QuickTime Player Remote Heap Overflow http://www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt 24359 Integer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QuickTime movie with a User Data Atom (UDTA) with an Atom size field with a large value. This vulnerability is addressed in latest version of Quicktime 7.1.5 TA07-065A VU#861817 1017725 24359 http://docs.info.apple.com/article.html?artnum=305149 quicktime-udta-atoms-overflow(32819) http://www.zerodayinitiative.com/advisories/ZDI-07-010.html ADV-2007-0825 22844 22827 20070307 ZDI-07-010: Apple Quicktime UDTA Parsing Heap Overflow Vulnerability 20070306 Apple QuickTime udta ATOM Integer Overflow http://secway.org/advisory/AD20070306.txt 33902 APPLE-SA-2007-03-05 20070306 Apple QuickTime udta ATOM Integer Overflow Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PICT file. TA07-065A VU#448745 http://docs.info.apple.com/article.html?artnum=305149 ADV-2007-0825 33901 APPLE-SA-2007-03-05 quicktime-pict-file-bo(32821) 1017725 22827 24359 Stack-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QTIF file. TA07-065A VU#642433 http://docs.info.apple.com/article.html?artnum=305149 quicktime-qtif-bo(32822) ADV-2007-0825 1017725 22827 24359 33900 APPLE-SA-2007-03-05 Integer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QTIF file. TA07-065A VU#410993 http://docs.info.apple.com/article.html?artnum=305149 quicktime-qtif-overflow(32823) ADV-2007-0825 1017725 22827 24359 33899 APPLE-SA-2007-03-05 Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a QTIF file with a Video Sample Description containing a Color table ID of 0, which triggers memory corruption when QuickTime assumes that a color table exists. TA07-065A VU#313225 1017725 24359 http://docs.info.apple.com/article.html?artnum=305149 quicktime-qtif-file-bo(32826) ADV-2007-0825 22839 22827 20070306 [Reversemode Advisory] Apple Quicktime Color ID remote heap corruption APPLE-SA-2007-03-05 20070305 Apple QuickTime Color Table ID Heap Corruption Vulnerability Stack-based buffer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via an image with a crafted ColorSync profile. TA07-072A VU#449440 APPLE-SA-2007-03-13 ADV-2007-0930 1017751 22948 34845 24479 http://docs.info.apple.com/article.html?artnum=305214 The CUPS service on multiple platforms allows remote attackers to cause a denial of service (service hang) via a "partially-negotiated" SSL connection, which prevents other requests from being accepted. TA07-072A APPLE-SA-2007-03-13 https://issues.rpath.com/browse/RPL-1173 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232243 ADV-2007-0949 ADV-2007-0930 1017750 23127 22948 20070325 FLEA-2007-0003-1: cups RHSA-2007:0123 SUSE-SR:2007:009 SUSE-SR:2007:014 MDKSA-2007:086 http://support.avaya.com/elmodocs2/security/ASA-2007-194.htm GLSA-200703-28 26413 26083 25497 25119 24895 24878 24660 24530 24517 24479 oval:org.mitre.oval:def:11046 FEDORA-2007-1219 http://docs.info.apple.com/article.html?artnum=305214 Unspecified vulnerability in diskimages-helper in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via a crafted compressed disk image that triggers memory corruption. TA07-072A APPLE-SA-2007-03-13 ADV-2007-0930 1017751 22948 34846 24479 http://docs.info.apple.com/article.html?artnum=305214 Integer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via a crafted AppleSingleEncoding disk image. TA07-072A VU#124280 APPLE-SA-2007-03-13 ADV-2007-0930 1017751 22948 34847 24479 http://docs.info.apple.com/article.html?artnum=305214 Unspecified vulnerability in the authentication feature for DirectoryService (DS Plug-Ins) for Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote authenticated LDAP users to modify the root password and gain privileges via unknown vectors. TA07-072A VU#557064 APPLE-SA-2007-03-13 ADV-2007-0930 1017751 22948 34848 24479 http://docs.info.apple.com/article.html?artnum=305214 The IOKit HID interface in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently limit access to certain controls, which allows local users to gain privileges by using HID device events to read keystrokes from the console. TA07-109A TA07-072A APPLE-SA-2007-03-13 ADV-2007-1470 ADV-2007-0930 macos-hid-privilege-escalation(32973) 1017942 1017751 22948 34855 24966 24479 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 http://docs.info.apple.com/article.html?artnum=305214 Buffer overflow in the AirPortDriver module for AirPort in Apple Mac OS X 10.3.9 through 10.4.9, when running on hardware with the original AirPort wireless card, allows local users to execute arbitrary code by "sending malformed control commands." TA07-109A ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 23569 34857 24966 The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys. TA07-072A APPLE-SA-2007-03-13 ADV-2007-0930 macos-openssh-dos(32975) 1017756 22948 34850 24479 http://docs.info.apple.com/article.html?artnum=305214 Unspecified vulnerability in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 creates files insecurely while initializing a USB printer, which allows local users to create or overwrite arbitrary files. TA07-072A APPLE-SA-2007-03-13 ADV-2007-0930 macos-usbprinter-file-overwrite(32976) 1017751 22948 34849 24479 http://docs.info.apple.com/article.html?artnum=305214 Apple File Protocol (AFP) Client in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean the environment before executing commands, which allows local users to gain privileges by setting unspecified environment variables. TA07-109A VU#312424 http://docs.info.apple.com/article.html?artnum=305391 ADV-2007-1470 1017944 23569 34858 24966 APPLE-SA-2007-04-19 Server Manager (servermgrd) in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently validate authentication credentials, which allows remote attackers to bypass authentication and modify system configuration. TA07-072A APPLE-SA-2007-03-13 ADV-2007-0930 macos-servermanager-authentication-bypass(32978) 1017751 22948 34851 24479 http://docs.info.apple.com/article.html?artnum=305214 Stack-based buffer overflow in the Apple-specific Samba module (SMB File Server) in Apple Mac OS X 10.4 through 10.4.8 allows context-dependent attackers to execute arbitrary code via a long ACL. TA07-072A APPLE-SA-2007-03-13 ADV-2007-0930 macos-smbfileserver-bo(32979) 1017754 22948 34852 24479 http://docs.info.apple.com/article.html?artnum=305214 Unspecified vulnerability in the CoreServices daemon in CarbonCore in Apple Mac OS X 10.4 through 10.4.9 allows local users to gain privileges via unspecified vectors involving "obtaining a send right to [the] Mach task port." The vendor has addressed this issue through Mac OS software updates. TA07-109A ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 23569 34859 24966 Unspecified vulnerability in ImageIO in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted RAW image that triggers memory corruption. TA07-072A VU#873868 APPLE-SA-2007-03-13 ADV-2007-0930 macos-imageio-code-execution(32974) 1017758 22948 34853 24479 http://docs.info.apple.com/article.html?artnum=305214 fsck, as used by the AirPort Disk feature of the AirPort Extreme Base Station with 802.11n before Firmware Update 7.1, and by Apple Mac OS X 10.3.9 through 10.4.9, does not properly enforce password protection of a USB hard drive, which allows context-dependent attackers to list arbitrary directories or execute arbitrary code, resulting from memory corruption. TA07-109A http://docs.info.apple.com/article.html?artnum=305366 airportextreme-airportdisk-info-disclosure(33527) ADV-2007-1470 ADV-2007-1308 1017942 1017889 23569 23396 24966 24830 APPLE-SA-2007-04-19 APPLE-SA-2007-04-09 http://docs.info.apple.com/article.html?artnum=305391 Use-after-free vulnerability in Libinfo in Apple Mac OS X 10.3.9 through 10.4.9 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors involving crafted web pages that trigger certain error conditions that are not properly reported in certain circumstances, resulting in accessing deallocated memory. TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 34860 24966 Integer overflow in the RPC library in Libinfo in Apple Mac OS X 10.3.9 through 10.4.9 allows remote attackers to execute arbitrary code via crafted requests to portmap. TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 macos-rpc-code-execution(33782) 1017942 34861 24966 The Login Window in Apple Mac OS X 10.3.9 through 10.4.9 does not properly check certain environment variables, which allows local users to gain privileges via unspecified vectors. TA07-109A 23569 ADV-2007-1470 1017939 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 34862 24966 The Login Window in Apple Mac OS X 10.4 through 10.4.9 does not display the screen saver authentication dialog in certain circumstances when waking from sleep, even though the "require a password to wake the computer from sleep" option is enabled, which allows local users to bypass authentication controls. TA07-109A 23569 ADV-2007-1470 1017939 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 34863 24966 The Login Window in Apple Mac OS X 10.4 through 10.4.9 displays the software update window beneath the loginwindow authentication dialog in certain circumstances related to running scheduled tasks, which allows local users to bypass authentication controls. TA07-109A 23569 ADV-2007-1470 1017939 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 34864 24966 Alias Manager in Apple Mac OS X 10.3.9 and 10.4.9 does not display files with the same name in mounted disk images that have the same name, which might allow user-assisted attackers to trick a user into executing malicious files. ADV-2007-1939 APPLE-SA-2007-05-24 macos-diskimage-code-execution(34498) 1018121 24144 35147 25402 http://docs.info.apple.com/article.html?artnum=305530 Buffer overflow in natd in network_cmds in Apple Mac OS X 10.3.9 through 10.4.9, when Internet Sharing is enabled, allows remote attackers to execute arbitrary code via malformed RTSP packets. TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 34865 24966 The WebFoundation framework in Apple Mac OS X 10.3.9 and earlier allows subdomain cookies to be accessed by the parent domain, which allows remote attackers to obtain sensitive information. TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 34866 24966 URLMount in Apple Mac OS X 10.3.9 through 10.4.9 passes the username and password credentials for mounting filesystems on SMB servers as command line arguments to the mount_sub command, which may allow local users to obtain sensitive information by listing the process. TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 34867 24966 SMB in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean the environment when executing commands, which allows local users to gain privileges by setting unspecified environment variables. TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 34868 24966 The Apple Security Update 2007-004 uses an incorrect configuration file for FTPServer in Apple Mac OS X Server 10.4.9, which might allow remote authenticated users to access additional directories. APPLE-SA-2007-05-01 macos-ftpserver-unauthorized-access(34001) 1017990 34869 Heap-based buffer overflow in the VideoConference framework in Apple Mac OS X 10.3.9 through 10.4.9 allows remote attackers to execute arbitrary code via a "crafted SIP packet when initializing an audio/video conference". VU#969969 TA07-109A 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 34870 24966 load_webdav in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean the environment when mounting a WebDAV filesystem, which allows local users to gain privileges by setting unspecified environment variables. TA07-109A VU#474969 23569 ADV-2007-1470 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 1017942 34871 24966 Heap-based buffer overflow in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allows remote attackers to execute arbitrary code via multiple trackID values in a SETUP RTSP request. 25193 20070510 Apple Darwin Streaming Proxy Multiple Vulnerabilities http://docs.info.apple.com/article.html?artnum=305495 ADV-2007-1770 23918 35975 APPLE-SA-2007-05-10 darwin-trackid-bo(34225) 1018047 Multiple stack-based buffer overflows in the is_command function in proxy.c in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allow remote attackers to execute arbitrary code via a long (1) cmd or (2) server value in an RTSP request. 23918 25193 APPLE-SA-2007-05-10 20070510 Apple Darwin Streaming Proxy Multiple Vulnerabilities http://docs.info.apple.com/article.html?artnum=305495 ADV-2007-1770 35976 darwin-iscommand-bo(34222) 1018047 Integer overflow in CoreGraphics in Apple Mac OS X 10.4 up to 10.4.9 allows remote user-assisted attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted PDF file. ADV-2007-1939 APPLE-SA-2007-05-24 macos-pdf-bo(34499) 1018114 24144 35146 25402 http://docs.info.apple.com/article.html?artnum=305530 A cleanup script in crontabs in Apple Mac OS X 10.3.9 and 10.4.9 might delete filesystems that have been mounted in /tmp, which might allow local users to cause a denial of service, related to the find command. ADV-2007-1939 APPLE-SA-2007-05-24 macos-tmpfilesystem-dos(34500) 1018117 24144 35145 25402 http://docs.info.apple.com/article.html?artnum=305530 The PPP daemon (pppd) in Apple Mac OS X 10.4.8 checks ownership of the stdin file descriptor to determine if the invoker has sufficient privileges, which allows local users to load arbitrary plugins and gain root privileges by bypassing this check. ADV-2007-1939 APPLE-SA-2007-05-24 20070524 Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation Vulnerability http://docs.info.apple.com/article.html?artnum=305530 macos-pppd-privilege-escalation(34503) 1018124 24144 35144 25402 Format string vulnerability in the VPN daemon (vpnd) in Apple Mac OS X 10.3.9 and 10.4.9 allows local users to execute arbitrary code via the -i parameter. macos-vpnd-format-string(34505) ADV-2007-1939 1018125 24208 24144 20070529 Re: Mac OS X vpnd local format string 20070529 Mac OS X vpnd local format string 35143 25402 APPLE-SA-2007-05-24 http://docs.info.apple.com/article.html?artnum=305530 Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted Sample Table Sample Descriptor (STSD) atom size in a QuickTime movie. This vulnerability is addressed in the following product release: Apple, QuickTime, 7.1.3 23923 20070511 TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability http://dvlabs.tippingpoint.com/advisory/TPTI-07-07 http://docs.info.apple.com/article.html?artnum=304357 quicktime-stsd-bo(34244) 35574 2703 Chicken of the VNC (cotv) 2.0 allows remote attackers to cause a denial of service (application crash) via a large computer-name size value in a ServerInit packet, which triggers a failed malloc and a resulting NULL dereference. 22372 20070202 Chicken of the VNC 2.0 remote DoS 33637 cotv-serverinit-dos(32166) 20070426 Re: Chicken of the VNC 2.0 remote DoS 2220 3257 PHP remote file inclusion vulnerability in index.php in Miguel Nunes Call of Duty 2 (CoD2) DreamStats System 4.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootpath parameter. ADV-2007-0479 22371 20070202 true: DreamStats V 4.2=(index.php)=>Remote File Include 33095 cod2dreamstats-index-file-include(32160) 24037 3251 PHP remote file inclusion vulnerability in lang.php in PHPProbid 5.24 allows remote attackers to execute arbitrary PHP code via a URL in the SRC attribute of an HTML element in the lang parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. phpprobid-lang-file-include(32273) 22374 34667 Multiple SQL injection vulnerabilities in EasyMoblog 0.5.1 allow remote attackers to execute arbitrary SQL commands via the (1) i or (2) post_id parameter to add_comment.php, which triggers an injection in libraries.inc.php; or (3) the i parameter to list_comments.php, which triggers an injection in libraries.inc.php. http://www.zion-security.com/text/Sql_Vulnerability_EasymoBlog.txt http://www.zion-security.com/text/Sql_Vulnerability_EasymoBlog%232.txt 22369 19370 33636 20070201 Remote Sql Injection in EasyMoblog 0.5.1 20070201 Remote Sql Injection in EasyMoblog 0.5.1 # 2 EQdkp 1.3.1 and earlier authenticates administrative requests by verifying that the HTTP Referer header specifies an admin/ URL, which allows remote attackers to read or modify account names and passwords via a spoofed Referer. 20805 33112 eqdkp-backup-information-disclosure(32152) 24038 3252 PHP remote file inclusion vulnerability in config.php in phpBB ezBoard converter (ezconvert) 0.2 allows remote attackers to execute arbitrary PHP code via a URL in the ezconvert_dir parameter. ezboard-config-file-include(32157) http://www.xoron.info/bugs/ezconvert.txt ADV-2007-0473 20070202 true: phpBB ezBoard converter 0.2 (ezconvert_dir) Remote File Include Exploit 33645 3258 PHP remote file inclusion vulnerability in includes/functions.php in phpBB++ Build 100 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0472 20070202 phpBB++ Build 100 (phpbb_root_path) Remote File Include Exploit 33092 phpbbplusplus-functions-file-include(32159) 22376 24034 3259 Cross-site scripting (XSS) vulnerability in the news comment functionality in F3Site 2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the Autor field. 22379 34668 f3site-autor-xss(32188) 3255 Unrestricted file upload vulnerability in F3Site 2.1 and earlier allows remote authenticated administrators to upload and execute arbitrary PHP scripts via GIF86 header in a file in the uplf parameter, which can be later accessed via a relative pathname in the dir parameter in adm.php. 34669 f3site-adm-file-upload(32189) 3255 SQL injection vulnerability in news.php in dB Masters Curium CMS 1.03 and earlier allows remote attackers to execute arbitrary SQL commands via the c_id parameter. curium-news-sql-injection(32148) ADV-2007-0474 22373 33111 24032 3256 Stack-based buffer overflow in Remotesoft .NET Explorer 2.0.1 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long line in a .cpp file. 22377 34755 3254 netexplorer-char-bo(32182) Cross-site scripting (XSS) vulnerability in the core in Phorum before 5.1.18 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. ADV-2007-0410 http://www.phorum.org/phorum5/read.php?12,119757 34727 phorum-core-xss(44201) Multiple cross-site scripting (XSS) vulnerabilities in the Contact Details functionality in Yahoo! Messenger 8.1.0.209 and earlier allow user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG element to the (1) First Name, (2) Last Name, and (3) Nickname fields. NOTE: some of these details are obtained from third party information. Access Complexity: Successful exploitation requires that the attacker is in the messenger list of the target. 22269 20070127 Re: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger 20070127 RE: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger 20070126 Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger 23928 31674 ** DISPUTED ** Cross-site scripting (XSS) vulnerability in register.php in Phorum 5.1.18 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the vendor disputes this vulnerability, stating that "The characters are escaped properly." ADV-2007-0410 22297 20070129 Re: Phorum HTML Injection Vulnerability 20070129 Phorum HTML Injection Vulnerability http://www.phorum.org/phorum5/read.php?12,119757 Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. NOTE: this issue is due to an incomplete patch for CVE-2006-5456. https://issues.rpath.com/browse/RPL-1034 20070208 rPSA-2007-0029-1 ImageMagick USN-422-1 31911 SUSE-SR:2007:003 MDKSA-2007:041 DSA-1260 24196 24167 The utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to "MT exec + utrace_attach spin failure mode," as demonstrated by ptrace-thrash.c. RHSA-2007:0169 https://bugzilla.redhat.com/show_bug.cgi?id=228816 https://bugzilla.redhat.com/show_bug.cgi?id=227952 kernel-utracesupport-dos(34128) 23720 1017979 25080 oval:org.mitre.oval:def:9447 35927 The Linux kernel 2.6.13 and other versions before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer. https://issues.rpath.com/browse/RPL-1063 kernel-nfsaclsvc-dos(32578) ADV-2007-0660 USN-451-1 22625 20070615 rPSA-2007-0124-1 kernel xen SUSE-SA:2007:021 SUSE-SA:2007:018 MDKSA-2007:078 MDKSA-2007:060 25691 24777 24752 24547 24482 24400 24215 24201 33022 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 The Linux kernel before 2.6.9-42.0.8 in Red Hat 4.4 allows local users to cause a denial of service (kernel OOPS from null dereference) via fput in a 32-bit ioctl on 64-bit x86 systems, an incomplete fix of CVE-2005-3044.1. RHSA-2007:0488 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243252 oval:org.mitre.oval:def:11267 SUSE-SA:2007:053 http://support.avaya.com/elmodocs2/security/ASA-2007-287.htm 27227 26289 25838 Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine. http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html http://www.zerodayinitiative.com/advisories/ZDI-07-008.html ADV-2008-0331 ADV-2007-3386 ADV-2007-0809 oval:org.mitre.oval:def:5513 SSRT071447 tomcat-mapuritoworker-bo(32794) 22791 20070302 ZDI-07-008: Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability RHSA-2007:0096 GLSA-200703-16 20080130 Cisco Wireless Control System Tomcat mod_jk.so Vulnerability http://tomcat.apache.org/security-jk.html 1017719 28711 27037 24558 24398 HPSBUX02262 Multiple unspecified vulnerabilities in the layout engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allow remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via certain vectors. VU#761756 http://www.mozilla.org/security/announce/2007/mfsa2007-01.html https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 mozilla-multiple-layout-code-execution(32704) ADV-2008-0083 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017698 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 MDKSA-2007:052 MDKSA-2007:050 GLSA-200703-08 DSA-1336 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 GLSA-200703-18 GLSA-200703-04 24650 24522 24437 24410 24395 24393 24389 24384 24343 24333 24328 24320 24293 24290 24287 24252 24238 24205 RHSA-2007:0077 oval:org.mitre.oval:def:10012 SUSE-SA:2007:019 SSRT061181 FEDORA-2007-309 FEDORA-2007-308 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P 32114 SUSE-SA:2007:022 25588 24457 24456 24455 24406 24342 SSRT061181 Heap-based buffer overflow in the _cairo_pen_init function in Mozilla Firefox 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to execute arbitrary code via a large stroke-width attribute in the clipPath element in an SVG file. VU#551436 http://www.mozilla.org/security/announce/2007/mfsa2007-01.html https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=360645 firefox-strokewidth-bo(32698) ADV-2008-0083 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017698 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox 32113 SUSE-SA:2007:022 MDKSA-2007:052 GLSA-200703-08 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 GLSA-200703-18 GLSA-200703-04 24522 24457 24456 24455 24437 24410 24406 24393 24389 24384 24333 24328 24320 24293 24252 24238 24205 SUSE-SA:2007:019 SSRT061181 SSRT061181 FEDORA-2007-309 FEDORA-2007-308 FEDORA-2007-293 FEDORA-2007-281 The JavaScript engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption. Successful exploitation in Thunderbird requires that JavaScript be enabled in mail which is not the default setting. VU#269484 http://www.mozilla.org/security/announce/2007/mfsa2007-01.html 24238 https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 mozilla-multiple-javascript-code-execution(32699) ADV-2008-0083 ADV-2007-0719 ADV-2007-0718 USN-431-1 USN-428-1 1017698 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 MDKSA-2007:052 GLSA-200703-08 GLSA-200703-18 GLSA-200703-04 24650 24522 24437 24410 24395 24393 24389 24384 24343 24333 24328 24320 24293 24290 24287 24252 24205 RHSA-2007:0077 oval:org.mitre.oval:def:11331 SUSE-SA:2007:019 SSRT061181 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 32115 SUSE-SA:2007:022 MDKSA-2007:050 SSA:2007-066-03 SSA:2007-066-04 SSA:2007-066-05 24457 24456 24455 24406 24342 SSRT061181 FEDORA-2007-309 FEDORA-2007-308 20070202-01-P The page cache feature in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 can generate hash collisions that cause page data to be appended to the wrong page cache, which allows remote attackers to obtain sensitive information or enable further attack vectors when the target page is reloaded from the cache. http://www.mozilla.org/security/announce/2007/mfsa2007-03.html https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=347852 mozilla-diskcache-information-disclosure(32671) ADV-2008-0083 ADV-2007-0718 USN-428-1 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32110 GLSA-200703-08 1017699 GLSA-200703-04 24650 24437 24395 24393 24384 24343 24333 24328 24320 24293 24290 24287 24238 24205 RHSA-2007:0077 oval:org.mitre.oval:def:9151 SUSE-SA:2007:019 SSRT061181 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P SUSE-SA:2007:022 MDKSA-2007:050 DSA-1336 SSA:2007-066-03 SSA:2007-066-05 25588 24457 24455 24342 HPSBUX02153 20070202-01-P GUI overlay vulnerability in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 allows remote attackers to spoof certain user interface elements, such as the host name or security indicators, via the CSS3 hotspot property with a large, transparent, custom cursor. 22694 http://www.mozilla.org/security/announce/2007/mfsa2007-04.html https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=361298 ADV-2008-0083 ADV-2007-0718 USN-428-1 1017700 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 SUSE-SA:2007:022 MDKSA-2007:050 GLSA-200703-08 SSA:2007-066-03 SSA:2007-066-05 GLSA-200703-04 24650 24457 24455 24437 24395 24393 24384 24343 24342 24333 24328 24320 24293 24290 24287 24238 24205 RHSA-2007:0077 oval:org.mitre.oval:def:8757 32109 SUSE-SA:2007:019 SSRT061181 SSRT061181 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI. http://www.mozilla.org/security/announce/2007/mfsa2007-05.html https://bugzilla.mozilla.org/show_bug.cgi?id=354973 ADV-2007-0718 oval:org.mitre.oval:def:9884 SSRT061181 https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 mozilla-dataurl-xss(32667) USN-428-1 1017702 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32107 SUSE-SA:2007:022 MDKSA-2007:050 GLSA-200703-08 SSA:2007-066-03 SSA:2007-066-05 GLSA-200703-04 24650 24457 24455 24437 24395 24393 24384 24343 24342 24333 24328 24320 24293 24290 24287 24238 24205 RHSA-2007:0077 SUSE-SA:2007:019 SSRT061181 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P SQL injection vulnerability in login.asp for tPassword in the Raymond BERTHOU script collection (aka RBL - ASP) allows remote attackers to execute arbitrary SQL commands via the (1) User and (2) Password parameters. 20070129 RBL - ASP (scripts with db) SQL injection 20070127 RBL - ASP (scripts with db) SQL injection 20070131 Partial source code verify - "RBL - ASP" scripts SQL injection http://forums.avenir-geopolitique.net/viewtopic.php?t=2607 2225 PHP remote file inclusion vulnerability in previewtheme.php in Flipsource Flip 2.01-final 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the inc_path parameter. ADV-2007-0476 22385 35748 flip-previewtheme-file-include(32174) 3266 SQL injection vulnerability in view.php in Noname Media Photo Galerie Standard 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0475 22384 33089 photogalerie-view-sql-injection(32171) 24029 3261 PHP remote file inclusion vulnerability in controller.php in Simple Invoices before 20070202 allows remote attackers to execute arbitrary PHP code via a URL in the (1) module or (2) view parameter. NOTE: some of these details are obtained from third party information. Successful exploitation requires that "register_globals" is enabled and "magic_quotes_gpc" is disabled. ADV-2007-0481 http://www.simpleinvoices.org/index.php?news=25 24040 31796 simpleinvoices-controller-file-include(32207) 22389 Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "sortable tables JavaScript." ADV-2007-0490 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_2/phase3/RELEASE-NOTES 24039 33091 mediawiki-sortabletable-xss(32217) 22397 [MediaWiki-announce] 20070204 MediaWiki 1.9.2 released SQL injection vulnerability in Mambo before 4.5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors in cancel edit functions, possibly related to the id parameter. ADV-2007-0480 24044 33088 Heap-based buffer overflow in SmartFTP 2.0.1002 allows remote FTP servers to execute arbitrary code via a large banner. smartftp-banner-bo(32214) 22390 3277 24051 33086 Cross-site scripting (XSS) vulnerability in Atom feeds in Bugzilla 2.20.3, 2.22.1, and 2.23.3, and earlier versions down to 2.20.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. ADV-2007-0477 22380 20070203 Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3 http://www.bugzilla.org/security/2.20.3/ 1017585 24031 33090 bugzilla-atom-feed-xss(32248) 2222 The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions, which allows remote attackers to obtain the database username and password via a direct request for the localconfig file. ADV-2007-0477 22380 20070203 Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.3 http://www.bugzilla.org/security/2.20.3/ 1017585 35862 bugzilla-htaccess-information-disclosure(32252) 2222 PHP remote file inclusion vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary PHP code via a URL in the config parameter. 20070204 dvddb-0.6 media remote file include vuln. 33679 2221 ** DISPUTED ** SQL injection vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: this issue has been disputed by a reliable third party, who states that inc/common.php only contains function definitions. 20071002 Re: dvddb-0.6 media sql-inj. vuln. 20070205 Re: dvddb-0.6 media sql-inj. vuln. 20070204 dvddb-0.6 media sql-inj. vuln. 33670 Multiple PHP remote file inclusion vulnerabilities in Wap Portal Server 1.x allow remote attackers to execute arbitrary PHP code via a URL in the language parameter to (1) index.php and (2) admin/index.php. 20070203 Wap Portal Serve 1.* <= Remote File Inclusion 35770 33672 33671 wapportal-index-file-include(32196) 2216 Blue Coat Systems WinProxy 6.1a and 6.0 r1c, and possibly earlier, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long HTTP CONNECT request, which triggers heap corruption. 20070202 Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability ADV-2007-0482 33097 winproxy-connect-bo(32204) 22393 1017586 24049 PHP remote file inclusion vulnerability in theme/settings.php in bluevirus-design SMA-DB 0.3.9 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pfad_z parameter. ADV-2007-0494 22391 33096 smadb-settings-file-include(32190) 24035 3268 Multiple cross-site scripting (XSS) vulnerabilities in Ublog Reload 1.0.5 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) login.asp; and allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters to (2) badword.asp, (3) polls.asp, and (4) users.asp. ublog-login-xss(32185) 22382 20070203 Ublog Reload Admin Panel Multiple HTML Injections http://www.hackerscenter.com/archive/view.asp?id=27270 33644 33643 33642 33641 SQL injection vulnerability in badword.asp in Ublog Reload 1.0.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 22382 20070203 Ublog Reload Admin Panel Multiple HTML Injections http://www.hackerscenter.com/archive/view.asp?id=27270 33640 ublog-badword-sql-injection(32187) Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup. ADV-2008-0083 ADV-2007-0718 22396 20070205 Firefox + popup blocker + XMLHttpRequest + srand() = oops 20070205 Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops oval:org.mitre.oval:def:10654 SSRT061181 https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 firefox-popup-security-bypass(32194) USN-428-1 1017702 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32108 SUSE-SA:2007:022 http://www.mozilla.org/security/announce/2007/mfsa2007-05.html MDKSA-2007:050 GLSA-200703-08 SSA:2007-066-05 GLSA-200703-04 24650 24457 24437 24395 24393 24384 24343 24342 24333 24328 24320 24293 24290 24287 24238 24205 RHSA-2007:0077 SUSE-SA:2007:019 20070205 Re: Firefox + popup blocker + XMLHttpRequest + srand() = oops 20070205 Firefox + popup blocker + XMLHttpRequest + srand() = oops HPSBUX02153 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox 1.5.0.9 creates temporary files with predictable filenames based on creation time, which allows remote attackers to execute arbitrary web script or HTML via a crafted XMLHttpRequest. 22396 20070205 Firefox + popup blocker + XMLHttpRequest + srand() = oops 20070205 Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops 32108 GLSA-200703-08 GLSA-200703-04 24437 24393 Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter. https://bugzilla.mozilla.org/show_bug.cgi?id=367538 20070206 Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass. 33705 http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php 20070418 Firefox 2.0.0.3 Phishing Protection Bypass Vulnerability Multiple buffer overflows in STLport before 5.0.3 allow remote attackers to execute arbitrary code via unspecified vectors relating to (1) "print floats" and (2) a missing null termination in the "rope constructor." 22423 ADV-2007-0498 http://sourceforge.net/project/shownotes.php?release_id=483468 24024 33107 33106 stlport-rope-constructors-bo(32244) stlport-printed-floats-bo(32242) GLSA-200703-07 24428 Directory traversal vulnerability in admin/subpages.php in GGCMS 1.1.0 RC1 and earlier allows remote attackers to inject arbitrary PHP code into arbitrary files via ".." sequences in the subpageName parameter, as demonstrated by injecting PHP code into a template file. ggcms-subpages-code-execution(32211) ADV-2007-0492 22412 35849 3271 The ps (/usr/ucb/ps) command on HP Tru64 UNIX 5.1 1885 allows local users to obtain sensitive information, including environment variables of arbitrary processes, via the "auxewww" argument, a similar issue to CVE-1999-1587. ADV-2007-1654 20070206 PS Information Leak on HP True64 Alpha OSF1 v5.1 1885 20070206 Re: [Full-disclosure] PS Information Leak on HP Tru64 Alpha OSF1v5.1 1885 24041 http://rawlab.mindcreations.com/codes/exp/nix/osf1tru64ps.ksh 33113 20070206 PS Information Leak on HP True64 Alpha OSF1 v5.1 1885 SSRT061256 tru64-ps-information-disclosure(32276) 1018005 20070207 Re: PS Information Leak on HP True64 Alpha OSF1 v5.1 1885 1017592 25135 HPSBTU02179 Les News 2.2 allows remote attackers to bypass authentication and gain administrative access via a direct request for adminews/index_fr.php3, and possibly the adminews index documents for other localizations. 20070204 Les News v2.2 [Admin news without password] 33686 http://forums.avenir-geopolitique.net/viewtopic.php?t=2622 2226 Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via a channel title (aka room name) that is not properly handled by the "who's online" feature. flashchat-info-xss(32208) ADV-2007-0495 22411 20070205 flashChat 4.7.8 Cross Site Scripting Vulnerability 24071 2228 PHP remote file inclusion vulnerability in Mina Ajans Script allows remote attackers to execute arbitrary PHP code via a URL in the syf parameter to an unspecified PHP script. 20070205 Mina Ajans Script Remote File Inclusion Vuln. 33687 mina-multiple-file-include(32243) PHP remote file inclusion vulnerability in includes/class_template.php in Categories hierarchy (aka CH or mod-CH) 2.1.2 in ptirhiikmods allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. Ch-classtemplate-file-include(32193) ADV-2007-0493 33722 20070207 true: Categories hierarchy class_template.php RFI ch-classtemplate-file-include(32193) 22400 3270 PHP remote file inclusion vulnerability in MVCnPHP/BaseView.php in GeekLog 2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the glConf[path_libraries] parameter. NOTE: this might be a vulnerability in MVCnPHP rather than a vulnerability in GeekLog. 35749 geeklog-baseview-file-include(32205) 22386 3267 Microsoft Internet Explorer 6.0 SP1 on Windows 2000, and 6.0 SP2 on Windows XP, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an HTML document containing a certain JavaScript for loop with an empty loop body, possibly involving getElementById. http://www.powerhacker.net/exploit/IE_NULL_CRASH.html 37636 22408 3272 SQL injection vulnerability in pms.php in Woltlab Burning Board (wBB) Lite 1.0.2pl3e and earlier allows remote authenticated users to execute arbitrary SQL commands via the pmid[0] parameter. ADV-2007-0491 32034 wbblite-pms-sql-injection(32172) 22415 24027 3262 Cross-site scripting (XSS) vulnerability in Home production MySearchEngine allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 22402 20070204 MysearchEngine XSS 33653 http://forums.avenir-geopolitique.net/viewtopic.php?t=2621 mysearchengine-search-xss(32201) Multiple cross-site scripting (XSS) vulnerabilities in Adrenalin's ASP Chat allow remote attackers to inject arbitrary web script or HTML (1) via the psuedo (pseudo) field or (2) during chat. 22392 20070203 Adrenalin's ASP Chat XSS 33654 http://forums.avenir-geopolitique.net/viewtopic.php?t=2620 adrenalin-unspecified-script-xss(32203) 2233 Cross-site scripting (XSS) vulnerability in images_archive.asp in Uapplication Uphotogallery 1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the s parameter. NOTE: the thumbnails.asp vector is already covered by CVE-2006-3023. 22404 20070204 Uphotogallery Multiple Cross-Site Scripting Vulnerability 33243 uphotogallery-imagesarchive-xss(32229) 2227 The RPC Server service (catirpc.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 SP2 and earlier allows remote attackers to cause a denial of service (service crash) via a crafted TADDR2UADDR that triggers a null pointer dereference in catirpc.dll, possibly related to null credentials or verifier fields. brightstor-catirpc-dos(32137) brightstor-catirpc-dos(32137) http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35058 http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317 ADV-2007-0461 22365 http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp 24512 24009 32989 3248 Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page. ADV-2007-0593 22401 20070205 Cold Fusion Web Server XSS 0 day 32120 1017645 http://www.adobe.com/support/security/bulletins/apsb07-04.html 24115 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0396. Reason: This candidate is a duplicate of CVE-2007-0396. Notes: All CVE users should reference CVE-2007-0396 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The configuration has conditions of "IPFilter with PHNE_34474 applied" must be set, so a medium difficulty. HP Network Node Manager (NNM) Remote Console 7.50, 7.51, and 7.53 assigns Everyone Full Control permission for the %PROGRAMFILES%\HP OpenView directory tree, which allows local users to gain privileges via a Trojan horse executable file or ActiveX component, or a modified bin\ovtrcsvc.exe for the HP Open View Shared Trace Service. ADV-2007-0533 http://securityvulns.com/news/HP/NNM/RC/WP.html 33130 SSRT061231 SSRT061231 20070208 SecurityVulns.com: HP Network Node Manager remote console weak files permissions openview-nnm-directory-privilege-escalation(32362) 22475 1017609 24066 Multiple PHP remote file inclusion vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to execute arbitrary PHP code via a URL in the chemin parameter to (1) mod_news/index.php, (2) mod_news/goodies.php, or (3) mod_search/index.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. portailphp-index-file-include(42123) 28867 22381 35758 35757 35756 Multiple directory traversal vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to read arbitrary files via a .. (dot dot) in the chemin parameter to (1) mod_news/index.php or (2) mod_news/goodies.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 22381 35851 35850 umount, when running with the Linux 2.6.15 kernel on Slackware Linux 10.2, allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents. 33652 http://gotfault.wordpress.com/2007/01/18/umount-bug/ 20070201 umount crash and xterm (kind of) information leak! 1017729 22850 MDKSA-2007:053 xterm on Slackware Linux 10.2 stores information that had been displayed for a different user account using the same xterm process, which might allow local users to bypass file permissions and read other users' files, or obtain other sensitive information, by reading the xterm process memory. NOTE: it could be argued that this is an expected consequence of multiple users sharing the same interactive process, in which case this is not a vulnerability. 33651 http://gotfault.wordpress.com/2007/02/01/a-funny-case/ 20070201 umount crash and xterm (kind of) information leak! PHP remote file inclusion vulnerability in inhalt.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the dateien[news] parameter. ADV-2007-0511 22430 34599 lightro-inhalt-file-include(32270) 3275 FlashFXP 3.4.0 build 1145 allows remote servers to cause a denial of service (CPU consumption) via a response to a PWD command that contains a long string with deeply nested directory structure, possibly due to a buffer overflow. 22433 35796 flashfxp-pwdcommand-dos(32416) 3276 SQL injection vulnerability in forum.asp in Kisisel Site 2007 allows remote attackers to execute arbitrary SQL commands via the forumid parameter. ADV-2007-0510 35831 kisisel-forum-sql-injection(32422) 22435 3278 The Alibaba Alipay PTA Module ActiveX control (PTA.DLL) allows remote attackers to execute arbitrary code via a JavaScript function that invokes the Remove method with an invalid index argument, which is used as an offset for a function call. alipay-activex-code-execution(32367) ADV-2007-0520 22446 24063 33123 3279 20070207 Alibaba Alipay Remote Code Execute Vulnerability-0DAY PHP remote file inclusion vulnerability in affichearticles.php3 in MySQLNewsEngine allows remote attackers to execute arbitrary PHP code via a URL in the newsenginedir parameter. ADV-2007-0513 22431 20070206 MySQLNewsEngine (affichearticles.php3) Remote File Inc. Vuln. 33678 mysqlnewsengine-affichearticle-file-include(32266) 2229 avast! Server Edition before 4.7.726 does not demand a password in a certain intended context, even when a password has been set, which allows local users to bypass authentication requirements. ADV-2007-0499 22425 http://www.avast.com/eng/avast-4-server-revision-history.html 24068 33114 avast-password-security-bypass(32269) ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in the Admin Control Panel (AdminCP) in Jelsoft vBulletin 3.6.4 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors related to the (1) User Group Manager, (2) User Rank Manager, (3) User Title Manager, (4) BB Code Manager, (5) Attachment Manager, (6) Calendar Manager, and (7) Forums & Moderators functions. NOTE: the vendor disputes this issue, stating that modifying HTML is an intended privilege of an administrator. NOTE: it is possible that this issue overlaps CVE-2006-6040. Vendor has stated that remotely authenticated administrators were given the ability to inject arbitrary HTML/webscript code by design. vbulletin-admincp-index-xss(32268) 20070207 Re: VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting Vulnerability 20070206 VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting Vulnerability 24085 35152 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Atsphp 5.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the CONF[path] parameter to (1) index.php, (2) sources/usercp.php, or (3) sources/admin.php. NOTE: Another researcher has disputed this vulnerability, noting that CONF[path] is defined before use in index.php, that CONF[path] inclusion cannot occur through a direct request to other affected files, and that usercp.php is a typo of user_cp.php. 20070130 Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include 20070130 Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include VMware Workstation 5.5.3 34685 does not immediately change the availability of a shared clipboard when the "Enable copy and paste to and from this virtual machine" checkbox is changed, which allows local users to obtain sensitive information or conduct certain attacks that are facilitated by weaker isolation between the host and guest operating systems. 22413 20070203 Vmare workstation guest isolation weaknesses (clipboard transfer) 33222 VMware Workstation 5.5.3 34685, when the "Enable copy and paste to and from this virtual machine" option is enabled, preserves clipboard data on the guest operating system after it was deleted on the host operating system, which might allow local users to read clipboard contents by moving the focus back to the host operating system. 22413 20070203 Vmare workstation guest isolation weaknesses (clipboard transfer) 33221 Cross-site scripting (XSS) vulnerability in FlashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via the user name field when the user joins a chat room, a different vulnerability than CVE-2007-0807. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24071 35797 flashchat-username-xss(32417) admin.php in Coppermine Photo Gallery 1.4.10, and possibly earlier, allows remote authenticated users to execute arbitrary shell commands via shell metacharacters (";" semicolon) in the "Command line options for ImageMagick" form field, when used as an option to ImageMagick's convert command. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. coppermine-admin-command-execution(32236) 22406 24019 33093 admin.php in Coppermine Photo Gallery 1.4.10, and possibly earlier, allows remote authenticated users to include arbitrary local and possibly remote files via the (1) "Path to custom header include" and (2) "Path to custom footer include" form fields. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. coppermine-admin-file-include(32233) 22409 24019 33094 PHP remote file inclusion vulnerability in examples/inc/top.inc.php in AgerMenu 0.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter. ADV-2007-0512 20070207 false: Agermenu 0.03 20070207 true: agermenu 33681 agermenu-topinc-file-include(32283) 22442 3280 FreeProxy before 3.92 Build 1626 allows malicious users to cause a denial of service (infinite loop) via a HOST: header with a hostname and port number that refers to the server itself. http://www.handcraftedsoftware.org/index.php?page=3&mode=article&k=60 ADV-2007-0514 33116 20070206 Medium level security hole in FreeProxy 20070206 Medium level security hole in FreeProxy freeproxy-hostname-portnumber-dos(32303) 22445 24064 Multiple PHP remote file inclusion vulnerabilities in index/index_album.php in Valarsoft WebMatic 2.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) P_LIB and (2) P_INDEX parameters. ADV-2007-0534 22444 20070207 true: WebMatic 2.6 RFI 33126 webmatic-indexalbum-file-include(32318) 24092 3281 Cross-site scripting (XSS) vulnerability in HLstats before 1.35 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the search class. NOTE: it is possible that this issue overlaps CVE-2006-4543.3 or CVE-2006-4454. 22422 http://sourceforge.net/project/shownotes.php?release_id=484226 24062 33099 Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have unknown impact and remote attack vectors. NOTE: the vector related to Drupal is covered by CVE-2007-0626. These vulnerabilities might be associated with other CVE identifiers. http://www.vbdrupal.org/forum/showthread.php?t=786 ADV-2007-0415 23990 35848 The 64-bit versions of Microsoft Visual C++ 8.0 standard library (MSVCR80.DLL) time functions, including (1) localtime, (2) localtime_s, (3) gmtime, (4) gmtime_s, (5) ctime, (6) ctime_s, (7) wctime, (8) wctime_s, and (9) fstat, trigger an assertion error instead of a NULL pointer or EINVAL when processing a time argument later than Jan 1, 3000, which might allow context-dependent attackers to cause a denial of service (application exit) via large time values. NOTE: it could be argued that this is a design limitation of the functions, and the vulnerability lies with any application that does not validate arguments to these functions. However, this behavior is inconsistent with documentation, which does not list assertions as a possible result of an error condition. visualstudio-time-dos(32454) 20070212 SecurityVulns.com: Microsoft Visual C++ 8.0 standard library time functions invalid assertion DoS (Problem 3000). 2237 33626 http://msdn2.microsoft.com/en-us/library/a442x3ye(VS.80).aspx The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information. win-readdirectory-information-disclosure(32644) ADV-2007-0701 22664 20070222 Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak 20070222 Re[2]: [Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak http://securityvulns.com/advisories/readdirectorychanges.asp 2282 24245 33474 20070222 Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase. http://sourceforge.net/project/shownotes.php?release_id=484376 ADV-2007-0524 24061 33119 22461 admin/index.php in Advanced Poll 2.0.0 through 2.0.5-dev allows remote attackers to bypass authentication and gain administrator privileges by obtaining a valid session identifier and setting the uid parameter to 1. advancedpoll-index-code-execution(32337) 22451 35847 advancedpoll-uid-authentication-bypass(32337) 3282 Cross-site scripting (XSS) vulnerability in forum.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to inject arbitrary HTML or web script via the name parameter. 22450 33170 otscms-forum-xss(32324) 24116 3283 SQL injection vulnerability in mod/PM/reply.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to priv.php. 22450 33169 otscms-priv-sql-injection(32322) 24116 3283 PHP remote file inclusion vulnerability in classes/class_mail.inc.php in Maian Recipe 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. ADV-2007-0537 20070207 true: Agermenu 0.03 24074 33689 33125 maianrecipe-classmail-file-include(32346) 3284 scripts/cronscript.php in SysCP 1.2.15 and earlier does not properly quote pathnames in user home directories, which allows local users to gain privileges by placing shell metacharacters in a directory name, and then using the control panel to protect this directory, a different vulnerability than CVE-2005-2568. 22453 20070207 Ability to inject and execute any code as root in SysCP http://www.syscp.org/wiki/Security/SyscpOrgAbilityToInjectAndExecuteAnyCodeAsRootInSysCP 33128 24102 scripts/cronscript.php in SysCP 1.2.15 and earlier includes and executes arbitrary PHP scripts that are referenced by the panel_cronscript table in the SysCP database, which allows attackers with database write privileges to execute arbitrary code by constructing a PHP file and adding its filename to this table. http://www.syscp.org/wiki/Security/SyscpOrgAbilityToInjectAndExecuteAnyCodeAsRootInSysCP 22454 20070207 Ability to inject and execute any code as root in SysCP 33127 syscp-cronscript-code-execution(32330) 24102 Buffer overflow in the Trend Micro Scan Engine 8.000 and 8.300 before virus pattern file 4.245.00, as used in other products such as Cyber Clean Center (CCC) Cleaner, allows remote attackers to execute arbitrary code via a malformed UPX compressed executable. Failed exploit attempts will likely cause a denial-of-service condition. VU#276432 22449 1017601 24087 20070208 Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034289 antivirus-upx-bo(32352) ADV-2007-0569 ADV-2007-0522 http://www.jpcert.or.jp/at/2007/at070004.txt 1017603 1017602 24128 33038 JVN#77366274 Cross-site scripting (XSS) vulnerability in DevTrack 6.x allows remote attackers to inject arbitrary web script or HTML via the "Keyword search" form field and unspecified other form fields that populate a public saved query. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 23217 33122 22460 SQL injection vulnerability in DevTrack 6.0.3 allows remote attackers to execute arbitrary SQL commands via the Username form field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 23217 33121 devtrack-username-sql-injection(32348) 22460 Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents. cpanel-webhost-objcache-xss(32400) ADV-2007-0545 22455 20070207 remote file include in whm (all version) 20070208 Re: remote file include in whm (all version) 24097 35750 33240 32043 http://changelog.cpanel.net/index.cgi Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR and possibly other products, allows user-assisted remote attackers to execute arbitrary code via a crafted, password-protected archive. 1017593 24077 20070207 RARLabs Unrar Password Prompt Buffer Overflow Vulnerability unrar-password-archive-bo(32357) ADV-2007-0523 22447 SUSE-SR:2007:005 GLSA-200702-04 24165 33124 TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module (RCM), with the VsapiNI.sys 3.320.0.1003 scan engine, as used in Trend Micro PC-cillin Internet Security 2007, Antivirus 2007, Anti-Spyware for SMB 3.2 SP1, Anti-Spyware for Consumer 3.5, Anti-Spyware for Enterprise 3.0 SP2, Client / Server / Messaging Security for SMB 3.5, Damage Cleanup Services 3.2, and possibly other products, assigns Everyone write permission for the \\.\TmComm DOS device interface, which allows local users to access privileged IOCTLs and execute arbitrary code or overwrite arbitrary memory in the kernel context. VU#666800 VU#282240 24069 http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432 ADV-2007-0521 22448 1017606 1017605 1017604 33039 20070207 Trend Micro TmComm Local Privilege Escalation Vulnerability trendmicro-tmcomm-privilege-escalation(32353) Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action. 24096 ADV-2007-0553 31873 31872 31871 http://moinmoin.wikiwikiweb.de/MoinMoinRelease1.5/CHANGES moinmoin-pageinfo-pagename-xss(32377) USN-421-1 22506 31874 24117 The Find feature in Palm OS Treo smart phones operates despite the system password lock, which allows attackers with physical access to obtain sensitive information (memory contents) by doing (1) text searches or (2) paste operations after pressing certain keyboard shortcut keys. http://www.symantec.com/enterprise/research/SYMSA-2007-002.txt 22468 20070213 SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 33724 palmos-findfeature-security-bypass(32502) 20070222 RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 20070222 Re: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 20070222 Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 20070222 SYMSA-2007-002-1: Palm OS Treo Find Feature System Password Bypass 20070216 Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 2260 http://discussion.treocentral.com/showthread.php?p=1199445&posted=1#post1199445 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in local Calendar System 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) TEMPLATE_DIR parameter to (a) showinvoices.php, (b) showmonth.php, (c) showevents.php, (d) retrieveinvoice.php, (e) modifyitem.php, and (f) lookup_userid.php; or the LIBDIR parameter to (g) editevent.php, (h) resetpassword.php, (i) signup.php, showmonth.php, (j) showday.php, showevents.php, and lookup_userid.php. NOTE: this issue has been disputed by a third party, who states that the associated variables are set in config.php before use. 20070128 Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include 20070127 local Calendar System v1.1 (lcStdLib.inc) Remote File Include ** DISPUTED ** PHP remote file inclusion vulnerability in modules/mail/index.php in phpCOIN RC-1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the _CCFG['_PKG_PATH_MDLS'] parameter. NOTE: this issue has been disputed by a reliable third party, who states that a fatal error occurs before the relevant code is reached. 20070125 phpCOIN <= RC-1 (modules/mail/index.php) Remote File Include Vulnerability 20070125 Re: phpCOIN <= RC-1 (modules/mail/index.php) Remote File Include Vulnerability 33591 2230 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in gnopaste 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code via the GNP_REAL_PATH parameter. NOTE: CVE and a third party dispute this issue, since GNP_REAL_PATH is a constant, not a variable. CVE and a third party dispute this issue, since GNP_REAL_PATH is a constant, not a variable. 20070129 Re: gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability 20070129 gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability ** DISPUTED ** PHP remote file inclusion vulnerability in Trevorchan 0.7 and earlier allows remote attackers to execute arbitrary code via the tc_config[rootdir] parameter to (1) upgrade.php, (2) paint_save.php, (3) menu.php, (4) manage.php, and (5) banned.php. NOTE: his issue has been disputed by reliable third parties, who state that the variable is set before use in config.php. 20070115 [Bogus] [ilkerkandemir at mynet.com: Trevorchan <= v0.7 Remote File Include Vulnerability] (fwd) 1017512 33475 SQL injection vulnerability in register.php in LushiWarPlaner 1.0 allows remote attackers to inject arbitrary SQL commands via the id parameter. ADV-2007-0538 22470 33167 lushiwarplaner-register-sql-injection(32365) 24079 3288 SQL injection vulnerability in comments.php in LushiNews 1.01 and earlier allows remote authenticated users to inject arbitrary SQL commands via the id parameter. ADV-2007-0539 22469 33134 lushinews-comments-sql-injection(32360) 24081 3287 Unspecified vulnerability in HP OpenView Storage Data Protector on HP-UX B.11.00, B.11.11, or B.11.23 allows local users to execute arbitrary code via unknown vectors. SSRT071300 ADV-2007-0542 HPSBMA02190 1017614 33164 openview-dataprotector-privilege-escalation(32386) 22488 24113 PHP remote file inclusion vulnerability in classes/menu.php in Site-Assistant 0990 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the paths[version] parameter. ADV-2007-0541 22467 34695 siteassistant-menu-file-include(32364) 3285 Unspecified vulnerability in the Chat Room functionality in Yahoo! Messenger 8.1.0.239 and earlier allows remote attackers to cause a denial of service via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22407 34696 Cross-site scripting (XSS) vulnerability in the Attachment Manager (admincp/attachment.php) in Jelsoft vBulletin 3.6.4 allows remote attackers to inject arbitrary web script or HTML via the Extension field. NOTE: this might be a duplicate of CVE-2007-0830.5. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22466 24085 33129 Unspecified vulnerability in Microsoft Word 2000 allows remote attackers to cause a denial of service (crash) via unknown vectors, a different vulnerability than CVE-2006-5994, CVE-2006-6456, CVE-2006-6561, and CVE-2007-0515, a variant of Exploit-MS06-027. TA07-128A VU#332404 word-document-string-code-execution(32503) ADV-2007-1709 ADV-2007-0607 SSRT071422 http://www.avertlabs.com/research/blog/?p=199 33196 20070215 Word flaw CVE-2007-0870 confirmed as code execution type issue word-document-string-code-execution(32503) 1017653 22567 SSRT071422 MS07-024 http://www.microsoft.com/technet/security/advisory/933052.mspx http://www.avertlabs.com/research/blog/?p=206 24122 oval:org.mitre.oval:def:1860 Unrestricted file upload vulnerability in eXtremePow eXtreme File Hosting allows remote attackers to upload arbitrary PHP code via a filename with a double extension such as (1) .rar.php or (2) .zip.php. 22498 20070209 eXtreme File Hosting remote file upload vulnerability 33181 extremefilehosting-compressed-file-upload(32435) 2231 24088 Directory traversal vulnerability in the Plain Old Webserver (POW) add-on before 0.0.9 for Mozilla Firefox allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. https://addons.mozilla.org/firefox/3002/ ADV-2007-0558 22502 20070209 Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension 20070209 Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension 33174 pow-httprequest-directory-traversal(32467) 24127 nabopoll 1.1.2 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) config_edit.php, (2) template_edit.php, or (3) survey_edit.php in admin/. nabopoll-adminscripts-unauthorized-access(32472) 22509 20070210 nabopoll 1.1.2 sensitive file (admin without password) 3305 33692 http://forums.avenir-geopolitique.net/viewtopic.php?t=2643 20070215 [milw0rm] exploit 3305 nabopoll-configedit-unathorized-access(32472) 2232 Allons_voter 1.0 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) admin_ajouter.php or (2) admin_supprimer.php. NOTE: this could be leveraged to conduct cross-site scripting (XSS) attacks. 22508 20070209 Allons_voter Version 1.0 xss and admin votes 33691 33690 http://forums.avenir-geopolitique.net/viewtopic.php?t=2641 allonsvoter-admin-authentication-bypass(32431) 2234 ** DISPUTED ** SQL injection vulnerability in install.php in mcRefer allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: this issue has been disputed by a third party, stating that the file does not use a SQL database. 22507 20070211 Re: mcRefer SQL injection 20070209 mcRefer SQL injection 2235 33675 http://forums.avenir-geopolitique.net/viewtopic.php?t=2642 Cross-site scripting (XSS) vulnerability in Quick Digital Image Gallery (Qdig) 1.2.9.3 and devel-20060624 allows remote attackers to inject arbitrary web script or HTML via the Qwd parameter to the top-level URI. 20070211 Re: [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel ADV-2007-0555 22510 20070210 [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel http://sourceforge.net/project/shownotes.php?group_id=69837&release_id=485558 32194 qdig-qwd-xss(32421) 24110 Unspecified vulnerability in March Networks DVR 3000 and 4000 Digital Video Recorders allows attackers to cause an unspecified denial of service. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22497 38098 Unspecified vulnerability in Microsoft Internet Explorer on Windows Mobile 5.0 allows remote attackers to cause a denial of service (loss of browser and other device functionality) via a malformed WML page, related to an "overflow state." NOTE: it is possible that this issue is related to CVE-2007-0685. ie-mobile-wml-dos(32394) ie-mobile-wml-dos(32394) 22500 20070209 RE: Denial Of Service in Internet Explorer for MS Windows Mobile 5.0 20070209 Re: Denial Of Service in Internet Explorer for MS Windows Mobile 5.0 20070209 Denial Of Service in Internet Explorer for MS Windows Mobile 5.0 32629 20070209 Denial Of Service in Internet Explorer for MS Windows Mobile 5.0 Buffer overflow in SmidgeonSoft PEBrowse Professional 8.2.1.0 allows user-assisted remote attackers to execute arbitrary code via certain executable files in PE format. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0665 22501 38134 smidgeonsoft-files-bo(32524) Capital Request Forms stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database credentials via a direct request for inc/common_db.inc. 20070209 Capital Request Forms Db Username and Password Vulnerabilities 33682 PHP remote file inclusion vulnerability in the Seitenschutz plugin for OPENi-CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the (1) config[oi_dir] and possibly (2) config[openi_dir] parameters to open-admin/plugins/site_protection/index.php. NOTE: vector 2 might be the same as CVE-2006-4750. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0556 24119 33175 http://echo.or.id/adv/adv64-y3dips-2007.txt internalrange-oidir-file-include(32423) 22511 3292 Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account. TA07-059A VU#881872 solaris-telnet-authentication-bypass(32434) ADV-2007-0560 1017625 22512 20070214 RE: [Full-disclosure] Solaris telnet vulnberability - how many onyour network? 20070214 Solaris telnet vuln solutions digest and network risks 20070213 Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? 20070212 Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? 20070212 Solaris telnet vulnberability - how many on your network? 20070212 Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network? 102802 24120 20070211 31881 3293 http://isc.sans.org/diary.html?storyid=2220 http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html oval:org.mitre.oval:def:2202 Directory traversal vulnerability in portalgroups/portalgroups/getfile.cgi in IP3 NetAccess before firmware 4.1.9.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. http://www.devtarget.org/ip3-advisory-02-2007.txt ADV-2007-0615 31912 20070211 Arbitrary file disclosure vulnerability in IP3 NetAccess < 4.1.9.6 ip3netaccess-getfile-directory-traversal(32432) 1017623 22513 20070211 Arbitrary file disclosure vulnerability in IP3 NetAccess < 4.1.9.6 24118 3294 Buffer overflow in Roaring Penguin MIMEDefang 2.59 and 2.60 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors. Upgrade to 2.61 [mimedefang] 20070209 SECURITY: MIMEDefang 2.61 is Released ADV-2007-0572 24133 33171 mimedefang-unspecified-bo(32466) 22514 http://www.mimedefang.org/node.php?id=62 Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter. 20070209 XSS in Rainbow with Rainbow.Zen 33683 rainbow-browseproject-xss(32418) 22503 Heap-based buffer underflow in axigen 1.2.6 through 2.0.0b1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via certain base64-encoded data on the pop3 port (110/tcp), which triggers an integer overflow. axigen-memcpy-dos(32342) 22473 38133 20070208 Axigen <2.0.0b1 DoS 24073 3289 axigen 1.2.6 through 2.0.0b1 does not properly parse login credentials, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a base64-encoded "*\x00" sequence on the imap port (143/tcp). axigen-nullpointer-dos(32345) 22473 33165 20070208 Axigen <2.0.0b1 DoS 24073 3290 Directory traversal vulnerability in the TFTP server in Kiwi CatTools before 3.2.0 beta allows remote attackers to read arbitrary files, and upload files to arbitrary locations, via ..// (dot dot) sequences in the pathname argument to an FTP (1) GET or (2) PUT command. This vulnerability is addressed in the following product update: Kiwi Enterprises, Kiwi CatTools, 3.2.0 Beta 20070208 TFTP directory traversal in Kiwi CatTools ADV-2007-0536 kiwicattools-tftp-directory-traversal(32398) 22490 20070213 Re: TFTP directory traversal in Kiwi CatTools 33162 http://www.kiwisyslog.com/kb/idx/5/178/article/ 2236 24103 Kiwi CatTools before 3.2.0 beta uses weak encryption ("reversible encoding") for passwords, account names, and IP addresses in kiwidb-cattools.kdb, which might allow local users to gain sensitive information by decrypting the file. NOTE: this issue could be leveraged with a directory traversal vulnerability for a remote attack vector. 20070208 TFTP directory traversal in Kiwi CatTools 33163 2236 24103 Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter. ADV-2007-0568 22474 20070208 local bug :[xxs] in whm 32044 http://changelog.cpanel.net/index.cgi 24106 Cross-site scripting (XSS) vulnerability in the GetCurrentCompletePath function in phpmyvisites.php in phpMyVisites before 2.2 allows remote attackers to inject arbitrary web script or HTML via the query string. ADV-2007-0566 24124 33176 20070211 Multiple vulnerabilities in phpMyVisites phpmyvisites-phpmyvisites-xss(32430) 22516 20070211 Multiple vulnerabilities in phpMyVisites CRLF injection vulnerability in phpMyVisites before 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the url parameter, when the pagename parameter begins with "FILE:". 33177 20070211 Multiple vulnerabilities in phpMyVisites phpmyvisites-pagename-response-splitting(32428) 20070211 Multiple vulnerabilities in phpMyVisites Directory traversal vulnerability in phpMyVisites before 2.2 allows remote attackers to include arbitrary files via leading ".." sequences on the pmv_ck_view COOKIE parameter, which bypasses the protection scheme. 33178 20070211 Multiple vulnerabilities in phpMyVisites phpmyvisites-pmvckview-file-include(32433) 22516 20070211 Multiple vulnerabilities in phpMyVisites MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message. http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=19681 http://zone14.free.fr/advisories/7/ 20070211 MediaWiki Full Path Disclosure Vulnerability 33709 33708 33707 33706 http://bugzilla.wikimedia.org/show_bug.cgi?id=8819 mediawiki-multiple-scripts-path-disclosure(32440) Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435. 24082 ADV-2007-0543 102782 solaris-rm-dos(32399) 31880 http://support.avaya.com/elmodocs2/security/ASA-2007-102.htm 24405 oval:org.mitre.oval:def:8272 Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a "<SCRIPT/=''SRC='" sequence in an RSS feed, a different vulnerability than CVE-2006-4712. sage-rssfeed-xss(32395) 1017624 22493 24086 http://sage.mozdev.org/blog/archives/2007/1/sage_1_3_10_released.html 33131 http://mozdev.org/bugs/show_bug.cgi?id=16320 JVN#84430861 Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. This vulnerability is addressed in the following product release: Clam AntiVirus, ClamAV, 0.90 Stable 22580 24187 clamav-cabfile-dos(32531) ADV-2008-0924 ADV-2007-0623 1017659 MDKSA-2007:043 DSA-1263 GLSA-200703-03 24425 24332 24319 24192 24183 32283 SUSE-SA:2007:017 20070215 Multiple Vendor ClamAV CAB File Denial of Service Vulnerability 29420 APPLE-SA-2008-03-18 http://docs.info.apple.com/article.html?artnum=307562 Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message. This vulnerability is addressed in the following product release: Clam Anti-Virus, ClamAV, 0.90 22581 24187 20070215 Multiple Vendor ClamAV MIME Parsing Directory Traversal Vulnerability clamav-mimeheader-directory-traversal(32535) ADV-2008-0924 ADV-2007-0623 1017660 MDKSA-2007:043 DSA-1263 GLSA-200703-03 24425 24332 24319 24192 24183 32282 SUSE-SA:2007:017 29420 APPLE-SA-2008-03-18 http://docs.info.apple.com/article.html?artnum=307562 Multiple PHP remote file inclusion vulnerabilities in TagIt! Tagboard 2.1.B Build 2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) configpath parameter to (a) tagviewer.php, (b) tag_process.php, and (c) CONFIG/errmsg.inc.php; and (d) addTagmin.php, (e) ban_watch.php, (f) delTagmin.php, (g) delTag.php, (h) editTagmin.php, (i) editTag.php, (j) manageTagmins.php, and (k) verify.php in tagmin/; the (2) adminpath parameter to (l) tagviewer.php, (m) tag_process.php, and (n) tagmin/index.php; and the (3) admin parameter to (o) readconf.php, (p) updateconf.php, (q) updatefilter.php, and (r) wordfilter.php in tagmin/; different vectors than CVE-2006-5249. ADV-2007-0557 http://advisories.echo.or.id/adv/adv65-K-159-2007.txt tagit-multiplescripts-file-include(32436) 22518 34618 34617 34616 34615 34614 34613 34612 34611 34610 34609 34608 34607 34606 34605 34604 34603 Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24138 33172 USN-423-1 22515 24244 Unspecified vulnerability in the "Show debugging information" feature in MoinMoin 1.5.7 allows remote attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24138 33173 USN-423-1 22515 24244 Unspecified vulnerability in the mod_roster_odbc module in ejabberd before 1.1.3 has unknown impact and attack vectors. ADV-2007-0570 http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_113/ 24075 33179 ejabberd-modrosterodbc-unspecified(32437) 22525 SQL injection vulnerability in projects.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter to index.php. lightro-index-sql-injection(32347) ADV-2007-0540 34598 3286 PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir restrictions via unspecified vectors in the session extension. NOTE: it is possible that this issue is a duplicate of CVE-2006-6383. 22496 ADV-2007-0546 http://www.php.net/releases/5_2_1.php http://www.php.net/ChangeLog-5.php#5.2.1 24089 32768 2007-0009 OpenPKG-SA-2007.010 24419 Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825). 22496 https://issues.rpath.com/browse/RPL-1268 https://issues.rpath.com/browse/RPL-1088 ADV-2007-0546 DSA-1264 USN-424-2 USN-424-1 2007-0009 1017671 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql 20070227 rPSA-2007-0043-1 php php-mysql php-pgsql RHSA-2007:0088 RHSA-2007:0082 RHSA-2007:0081 RHSA-2007:0076 http://www.php.net/releases/5_2_1.php http://www.php.net/ChangeLog-5.php#5.2.1 32776 OpenPKG-SA-2007.010 MDKSA-2007:048 http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm GLSA-200703-21 26048 24945 24642 24606 24514 24432 24421 24419 24322 24295 24284 24248 24236 24217 24195 24089 RHSA-2007:0089 oval:org.mitre.oval:def:8992 34715 34714 34713 34712 34711 34710 34709 34708 34707 34706 SUSE-SA:2007:020 SUSE-SA:2007:044 20070201-01-P Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function. 22496 https://issues.rpath.com/browse/RPL-1088 ADV-2007-0546 DSA-1264 USN-424-2 USN-424-1 1017671 20070227 rPSA-2007-0043-1 php php-mysql php-pgsql RHSA-2007:0088 RHSA-2007:0082 RHSA-2007:0081 RHSA-2007:0076 http://www.php.net/releases/5_2_1.php http://www.php.net/ChangeLog-5.php#5.2.1 OpenPKG-SA-2007.010 http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm GLSA-200703-21 24642 24606 24514 24432 24421 24322 24295 24248 24236 24217 24195 24089 RHSA-2007:0089 oval:org.mitre.oval:def:11321 32767 SUSE-SA:2007:020 2007-0009 MDKSA-2007:048 24419 24284 20070201-01-P The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable. 22496 https://issues.rpath.com/browse/RPL-1088 php-wddx-information-disclosure(32493) ADV-2007-0546 DSA-1264 USN-424-2 USN-424-1 2007-0009 1017671 22806 20070227 rPSA-2007-0043-1 php php-mysql php-pgsql RHSA-2007:0088 RHSA-2007:0082 RHSA-2007:0081 RHSA-2007:0076 http://www.php.net/releases/5_2_1.php http://www.php.net/ChangeLog-5.php#5.2.1 http://www.php-security.org/MOPB/MOPB-11-2007.html OpenPKG-SA-2007.010 MDKSA-2007:048 http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm 2321 GLSA-200703-21 24642 24606 24514 24432 24421 24419 24322 24295 24284 24248 24236 24217 24195 24089 RHSA-2007:0089 oval:org.mitre.oval:def:11185 32766 SUSE-SA:2007:020 20070201-01-P Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function. https://issues.rpath.com/browse/RPL-1088 ADV-2007-0546 DSA-1264 USN-424-2 USN-424-1 1017671 22496 20070227 rPSA-2007-0043-1 php php-mysql php-pgsql RHSA-2007:0088 RHSA-2007:0082 RHSA-2007:0081 RHSA-2007:0076 http://www.php.net/releases/5_2_1.php http://www.php.net/ChangeLog-5.php#5.2.1 OpenPKG-SA-2007.010 http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm GLSA-200703-21 24606 24514 24432 24421 24322 24295 24248 24236 24217 24195 24089 RHSA-2007:0089 oval:org.mitre.oval:def:9722 32765 32764 SUSE-SA:2007:020 2007-0009 MDKSA-2007:048 http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm 24642 24419 24284 20070201-01-P Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors. 22496 https://issues.rpath.com/browse/RPL-1268 https://issues.rpath.com/browse/RPL-1088 ADV-2007-0546 DSA-1264 USN-424-2 USN-424-1 2007-0009 1017671 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql 20070227 rPSA-2007-0043-1 php php-mysql php-pgsql RHSA-2007:0088 RHSA-2007:0082 RHSA-2007:0081 RHSA-2007:0076 http://www.php.net/releases/5_2_1.php http://www.php.net/ChangeLog-5.php#5.2.1 OpenPKG-SA-2007.010 MDKSA-2007:048 http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm GLSA-200703-21 24945 24642 24606 24514 24432 24421 24419 24322 24295 24284 24248 24236 24217 24195 24089 RHSA-2007:0089 oval:org.mitre.oval:def:9514 32763 SUSE-SA:2007:020 20070201-01-P Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow context-dependent attackers to cause a denial of service (crash). 22505 33952 [php-dev] 20070210 Re: PHP 5.2.1 crashing Apache/IIS... [php-dev] 20070209 PHP 5.2.1 crashing Apache/IIS... http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.36&r2=1.445.2.14.2.37 20070209 PHP 5.2.1 crash bug GLSA-200703-21 24606 24514 SUSE-SA:2007:020 Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php in Jportal 2.3.1, and possibly earlier, allows remote attackers to perform privileged actions as administrators by tricking the admin into accessing a URL with modified arguments to admin/admin.adm.php. 20070211 Jportal 2.3.1 CSRF vulnerability 33712 jportal-admin-csrf(32458) 2239 Unspecified vulnerability in Microsoft Powerpoint allows remote user-assisted attackers to execute arbitrary code via unknown attack vectors, as exploited by Trojan.PPDropper.G. NOTE: as of 20070213, it is not clear whether this is the same issue as CVE-2006-5296, CVE-2006-4694, CVE-2006-3876, CVE-2006-3877, or older issues. http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-021312-5133-99&tabid=2 35763 Race condition in the TCP subsystem for Solaris 10 allows remote attackers to cause a denial of service (system panic) via unknown vectors. 22550 102796 solaris-tcp-race-condition-dos(32484) ADV-2007-0588 1017649 24166 33194 oval:org.mitre.oval:def:2120 Distributed SLS daemon (SLSd) on HP-UX B.11.11 allows remote attackers to overwrite arbitrary files and gain privileges via a crafted RPC request. See HP's advisory. hpux-slsd-unauthorized-access(32471) HPSBUX02191 HPSBUX02191 ADV-2007-0590 1017630 22551 33186 hpux-slsd-unauthorized-access(32471) 24169 20070213 Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.11 and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. hpux-arpa-dos(32468) SSRT061233 HPSBUX02192 ADV-2007-0596 1017629 22546 24173 oval:org.mitre.oval:def:5239 33198 The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets. ADV-2007-0597 1017631 20070213 Multiple IOS IPS Vulnerabilities oval:org.mitre.oval:def:5858 33052 cisco-ios-ips-security-bypass(32473) 22549 http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html 24142 The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature. 20070213 Multiple IOS IPS Vulnerabilities cisco-ios-ips-dos(32474) ADV-2007-0597 1017631 22549 http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html 24142 oval:org.mitre.oval:def:5832 33053 Directory traversal vulnerability in Nickolas Grigoriadis Mini Web server (MiniWebsvr) 0.0.6 allows remote attackers to list the directory immediately above the web root via a ..%00 sequence in the URI. 22523 20070211 Miniwebsvr 0.0.6 - Directory traversal 33513 20060213 Verified: dot in Miniwebsvr 0.0.6 miniwebsvr-unspecified-directory-traversal(32451) 2248 SQL injection vulnerability in philboard_forum.asp in Philboard 1.14 and earlier allows remote attackers to execute arbitrary SQL commands via the forumid parameter. philboard-philboardforum-sql-injection(32442) ADV-2007-0600 22532 35678 3295 Portal Search allows remote attackers to redirect a URL to an arbitrary web site by placing the URL in the query string to the top-level URI. 22533 20070212 Radical Technologies - Portal Search- multiple XSS issue 33713 portalsearch-frame-url-spoofing(32460) 2247 Cross-site scripting (XSS) vulnerability in buscador/buscador.htm in Portal Search allows remote attackers to inject arbitrary web script or HTML via the query string. 22533 20070212 Radical Technologies - Portal Search- multiple XSS issue 33714 2247 buscador/buscador.htm in Portal Search allows remote attackers to obtain sensitive information (business logic) via a query string composed of a search for certain characters. 22533 20070212 Radical Technologies - Portal Search- multiple XSS issue 33715 portalsearch-buscador-info-disclosure(32452) 2247 Till Gerken phpPolls 1.0.3 allows remote attackers to bypass authentication and perform certain administrative actions via a direct request to phpPollAdmin.php3. NOTE: this issue might subsume CVE-2006-3764. 22522 20070211 phpPolls 1.0.3 (acces to sensitive file) 33694 2242 Cross-site scripting (XSS) vulnerability in search/SearchResults.aspx in Community Server allows remote attackers to inject arbitrary web script or HTML via the q parameter. 22529 20070209 XSS in communityserver ! 33717 communityserver-searchresults-xss(32444) 2241 The dologin function in guestbook.php in KvGuestbook 1.0 Beta allows remote attackers to gain administrative privileges, probably via modified $mysql['pass'] and $gbpass variables. 20070211 KvGuestbook Remote Add Admin Exploit 33710 2246 Heap-based buffer overflow in uTorrent 1.6 allows remote attackers to execute arbitrary code via a torrent file with a crafted announce header. ADV-2007-0571 22530 utorrent-torrent-bo(32455) 1017648 20070216 utorrent issue? 33180 24130 3296 Virtual Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download an encoded password via a direct request for pwd.txt. 20070210 Virtual Calendar <= (pwd.txt) Remote Password Disclosur Vulnerability 33183 virtualcalendar-pwd-information-disclosure(32446) 2240 24125 Directory traversal vulnerability in php rrd browser before 0.2.1 allows remote attackers to read arbitrary files via ".." sequences in the p parameter. http://sourceforge.net/project/shownotes.php?group_id=176562&release_id=485414 prb-p-directory-traversal(32425) prb-url-file-disclosure(32425) 20070211 Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb) 33693 20070213 true: [Full-disclosure] Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb) 2245 Variable extract vulnerability in Apache Stats before 0.0.3beta allows attackers to modify arbitrary variables and conduct attacks via unknown vectors involving the use of PHP's extract function. 22388 http://sourceforge.net/forum/forum.php?forum_id=660919 ADV-2007-0559 Heap-based buffer overflow in the management interfaces in (1) Aruba Mobility Controllers 200, 800, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via long credential strings. VU#319913 aruba-management-interface-bo(32459) 22538 20070213 Aruba Mobility Controller Management Buffer Overflow 24144 33184 20070213 Aruba Mobility Controller Management Buffer Overflow 2244 The (1) Aruba Mobility Controllers 200, 600, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 do not properly implement authentication and privilege assignment for the guest account, which allows remote attackers to access administrative interfaces or the WLAN. VU#613833 aruba-guestaccount-privilege-escalation(32461) 22538 20070213 Aruba Networks - Unauthorized Administrative and WLAN Access through Guest Account 2243 24144 33185 20070213 Aruba Networks - Unauthorized Administrative and WLAN Access through Guest Account Buffer overflow in the wireless driver 6.0.0.18 for D-Link DWL-G650+ (Rev. A1) on Windows XP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a beacon frame with a long TIM Information Element. http://www.blackhat.com/presentations/bh-europe-07/Butti/Presentation/bh-eu-07-Butti.pdf 36160 24438 25602 Unspecified vulnerability in Microsoft Visio 2002 allows remote user-assisted attackers to execute arbitrary code via a Visio (.VSD, VSS, .VST) file with a crafted version number that triggers memory corruption. TA07-163A ADV-2007-2150 HPSBST02231 MS07-030 visio-version-code-execution(34607) 1018227 24349 SSRT071438 25619 oval:org.mitre.oval:def:1925 Multiple unspecified vulnerabilities in Microsoft Visio 2002 allow remote user-assisted attackers to execute arbitrary code via a Visio (.VSD, VSS, .VST) file with a crafted packed object that triggers memory corruption, aka "Visio Document Packaging Vulnerability." TA07-163A ADV-2007-2150 HPSBST02231 MS07-030 1018227 24384 HPSBST02231 25619 oval:org.mitre.oval:def:1369 Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2 does not properly handle certain characters in a crafted HTTP GET request, which allows remote attackers to execute arbitrary code, aka the "CMS Memory Corruption Vulnerability." VU#434137 MS07-018 ADV-2007-1322 HPSBST02208 mcms-http-get-code-execution(32736) 1017894 22861 HPSBST02208 34006 24819 oval:org.mitre.oval:def:2001 Cross-site scripting (XSS) vulnerability in Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving HTML redirection queries, aka "Cross-site Scripting and Spoofing Vulnerability." MS07-018 ADV-2007-1322 1017894 22860 HPSBST02208 SSRT071365 34007 24819 oval:org.mitre.oval:def:1575 Unspecified vulnerability in the Cryptographic API Component Object Model Certificates ActiveX control (CAPICOM.dll) in Microsoft CAPICOM and BizTalk Server 2004 SP1 and SP2 allows remote attackers to execute arbitrary code via unspecified vectors, aka the "CAPICOM.Certificates Vulnerability." TA07-128A VU#866305 ADV-2007-1713 SSRT071422 MS07-028 ms-capicom-code-execution(32739) 1018017 1018016 23782 SSRT071422 34397 25185 oval:org.mitre.oval:def:1670 Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; 6 and 7 on Windows XP SP2, or Windows Server 2003 SP1 or SP2; and possibly 7 on Windows Vista does not properly "instantiate certain COM objects as ActiveX controls," which allows remote attackers to execute arbitrary code via a crafted COM object from chtskdic.dll. TA07-128A MS07-027 ie-chtskdic-com-code-execution(33252) ADV-2007-1712 1018019 SSRT071422 SSRT071422 34399 23769 oval:org.mitre.oval:def:1939 Unspecified vulnerability in Internet Explorer 5.01 and 6 SP1 allows remote attackers to execute arbitrary code via crafted Cascading Style Sheets (CSS) strings that trigger memory corruption during parsing, related to use of out-of-bounds pointers. TA07-226A ADV-2007-2869 25288 36397 http://www.nsfocus.com/english/homepage/research/0701.htm MS07-045 1018562 26419 oval:org.mitre.oval:def:1673 Unspecified vulnerability in the CTableCol::OnPropertyChange method in Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; and 6 on Windows XP SP2, or Windows Server 2003 SP1 or SP2 allows remote attackers to execute arbitrary code by calling deleteCell on a named table row in a named table column, then accessing the column, which causes Internet Explorer to access previously deleted objects, aka the "Uninitialized Memory Corruption Vulnerability." TA07-128A MS07-027 http://www.zerodayinitiative.com/advisories/ZDI-07-027.html ADV-2007-1712 SSRT071422 ie-object-array-code-execution(33253) 1018019 23771 SSRT071422 20070508 ZDI-07-027: Microsoft Internet Explorer Table Column Deletion Memory Corruption Vulnerability 34400 23769 oval:org.mitre.oval:def:1722 Microsoft Internet Explorer 6 SP1 on Windows 2000 SP4; 6 and 7 on Windows XP SP2, or Windows Server 2003 SP1 or SP2; and 7 on Windows Vista allows remote attackers to execute arbitrary code via certain property methods that may trigger memory corruption, aka "Property Memory Corruption Vulnerability." TA07-128A MS07-027 ADV-2007-1712 SSRT071422 1018019 23769 HPSBST02214 34401 23769 oval:org.mitre.oval:def:1463 Unspecified vulnerability in Microsoft Internet Explorer 7 on Windows XP SP2, Windows Server 2003 SP1 or SP2, or Windows Vista allows remote attackers to execute arbitrary code via crafted HTML objects, which results in memory corruption, aka the first of two "HTML Objects Memory Corruption Vulnerabilities" and a different issue than CVE-2007-0947. TA07-128A MS07-027 ADV-2007-1712 SSRT071422 ie-html-memory-code-execution(33255) 1018019 23770 SSRT071422 34402 23769 oval:org.mitre.oval:def:1441 Use-after-free vulnerability in Microsoft Internet Explorer 7 on Windows XP SP2, Windows Server 2003 SP1 or SP2, or Windows Vista allows remote attackers to execute arbitrary code via crafted HTML objects, resulting in accessing deallocated memory of CMarkup objects, aka the second of two "HTML Objects Memory Corruption Vulnerabilities" and a different issue than CVE-2007-0946. FrSIRT has noted the following: Multiple vulnerabilities have been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of an affected system. TA07-128A 23772 MS07-027 http://secunia.com/secunia_research/2007-36/advisory/ 23769 ie-html-memory-code-execution-variant(33256) ADV-2007-1712 1018019 SSRT071422 SSRT071422 34403 oval:org.mitre.oval:def:2048 Heap-based buffer overflow in Microsoft Virtual PC 2004 and PC for Mac 7.1 and 7, and Virtual Server 2005 and 2005 R2, allows local guest OS administrators to execute arbitrary code on the host OS via unspecified vectors related to "interaction and initialization of components." TA07-226A 25298 MS07-049 ADV-2007-2873 1018567 26444 oval:org.mitre.oval:def:1259 Stack-based buffer overflow in iTinySoft Studio Total Video Player 1.03, and possibly earlier, allows remote attackers to execute arbitrary code via a M3U playlist file that contains a long file name. NOTE: it was later reported that 1.20 and 1.30 are also affected. 22553 5077 5032 23999 33187 totalvideoplayer-m3u-bo(32479) Cross-site scripting (XSS) vulnerability in listmain.asp in Fullaspsite ASP Hosting Site allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 22545 20070213 Fullaspsite Shop (tr) Xss & SqL &#304;nj. VulnZ. 33720 fullaspsite-listmain-xss(32469) 2250 SQL injection vulnerability in listmain.asp in Fullaspsite ASP Hosting Site allows remote attackers to execute arbitrary SQL commands via the cat parameter. 22545 20070213 Fullaspsite Shop (tr) Xss & SqL &#304;nj. VulnZ. 33721 fullaspsite-listmain-sql-injection(32470) 2250 Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net Virtual Calendar allow remote attackers to inject arbitrary web script or HTML via the (1) t and (2) yr parameters, and the (3) sho parameter when the m parameter is outside the intended range. virtualcalendar-unspecified-xss(32448) 22536 24125 33182 Cross-site scripting (XSS) vulnerability in search.pl in @Mail 4.61 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. @mail-search-xss(32483) ADV-2007-0603 22552 24155 33193 http://lostmon.blogspot.com/2007/02/mail-searchpl-keywords-variable-cross.html http://kb.atmail.com/?p=410 MOHA Chat 0.1b7 and earlier does not require authentication for use of the plug in API, which has unknown impact and attack vectors. http://mohachat.sourceforge.net/download/release_notes/#0.1b8 ADV-2007-0599 31934 The NTLM_UnPack_Type3 function in MENTLM.dll in MailEnable Professional 2.35 and earlier allows remote attackers to cause a denial of service (application crash) via certain base64-encoded data following an AUTHENTICATE NTLM command to the imap port (143/tcp), which results in an out-of-bounds read. mailenable-ntlm-dos(32482) ADV-2007-0614 24139 33195 20071214 MailEnable DoS POC 20070214 MailEnable DoS POC-2 20070214 MailEnable DoS POC 2249 The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882. The vendor will address this issue in the upcoming krb5-1.6.1 release. VU#220816 TA07-093B ADV-2007-1249 ADV-2007-1218 USN-449-1 20070405 FLEA-2007-0008-1: krb5 RHSA-2007:0095 DSA-1276 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt 24757 24736 24706 oval:org.mitre.oval:def:10046 kerberos-telnet-security-bypass(33414) 1017848 23281 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 20070403 MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956] MDKSA-2007:077 102867 GLSA-200704-02 24817 24786 24785 24755 24750 24740 24735 SUSE-SA:2007:025 20070401-01-P Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers. VU#704024 TA07-109A TA07-093B USN-449-1 RHSA-2007:0095 DSA-1276 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt 24757 24736 24706 ADV-2007-1983 ADV-2007-1470 ADV-2007-1250 ADV-2007-1218 20070405 FLEA-2007-0008-1: krb5 oval:org.mitre.oval:def:10757 kerberos-krb5klogsyslog-bo(33411) 1017849 23285 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 20070403 MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957] MDKSA-2007:077 102930 GLSA-200704-02 25464 24966 24817 24798 24786 24785 24750 24740 24735 SUSE-SA:2007:025 APPLE-SA-2007-04-19 http://docs.info.apple.com/article.html?artnum=305391 20070401-01-P Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073. USN-451-1 22903 RHSA-2007:0099 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt DSA-1286 25078 24777 24752 24482 oval:org.mitre.oval:def:10343 35930 MDKSA-2007:078 MDKSA-2007:060 DSA-1304 http://support.avaya.com/elmodocs2/security/ASA-2007-287.htm 26289 25838 25714 RHSA-2007:0488 Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to inspect certain TCP-based protocols, allows remote attackers to cause a denial of service (device reboot) via malformed TCP packets. 1017651 ADV-2007-0608 22562 20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances 24160 33062 cisco-pix-asa-tcp-dos(32488) 1017652 22561 Unspecified vulnerability in Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to use the LOCAL authentication method, allows remote authenticated users to gain privileges via unspecified vectors. 1017651 ADV-2007-0608 22562 20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances 24160 33063 cisco-pix-asa-local-privilege-escalation(32489) 1017652 22561 24179 Cisco PIX 500 and ASA 5500 Series Security Appliances 6.x before 6.3(5.115), 7.0 before 7.0(5.2), and 7.1 before 7.1(2.5), and the FWSM 3.x before 3.1(3.24), when the "inspect sip" option is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed SIP packets. VU#430969 20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances 20070214 Multiple Vulnerabilities in Firewall Services Module 1017651 24180 ADV-2007-0608 22562 24160 33054 cisco-fwsm-sip-dos(32501) cisco-pix-asa-sip-dos(32487) 1017652 22561 24179 Cisco PIX 500 and ASA 5500 Series Security Appliances 7.0 before 7.0(4.14) and 7.1 before 7.1(2.1), and the FWSM 2.x before 2.3(4.12) and 3.x before 3.1(3.24), when "inspect http" is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed HTTP traffic. 20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances 20070214 Multiple Vulnerabilities in Firewall Services Module 1017651 24180 ADV-2007-0608 22562 24160 33055 cisco-pix-asa-http-dos(32486) 1017652 22561 Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.3), when set to log at the "debug" level, allows remote attackers to cause a denial of service (device reboot) by sending packets that are not of a particular protocol such as TCP or UDP, which triggers the reboot during generation of Syslog message 710006. 20070214 Multiple Vulnerabilities in Firewall Services Module ADV-2007-0609 24172 22561 Cisco FWSM 3.x before 3.1(3.18), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a malformed HTTPS request. 20070214 Multiple Vulnerabilities in Firewall Services Module ADV-2007-0609 24172 22561 Cisco FWSM 3.x before 3.1(3.2), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a long HTTP request. 20070214 Multiple Vulnerabilities in Firewall Services Module ADV-2007-0609 24172 22561 Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.11), when the HTTPS server is enabled, allows remote attackers to cause a denial of service (device reboot) via certain HTTPS traffic. 20070214 Multiple Vulnerabilities in Firewall Services Module ADV-2007-0609 24172 cisco-fwsm-https-server-dos(32513) cisco-fwsm-http-dos(32497) 22561 Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.1) allows remote attackers to cause a denial of service (device reboot) via malformed SNMP requests. 20070214 Multiple Vulnerabilities in Firewall Services Module ADV-2007-0609 24172 cisco-fwsm-snmp-dos(32515) 22561 Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections. 20070214 Multiple Vulnerabilities in Firewall Services Module cisco-fwsm-acl-security-bypass(32521) ADV-2007-0609 1017650 22561 24172 Multiple cross-site scripting (XSS) vulnerabilities in WebTester 5.0.20060927 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to POST parameters to multiple files. ADV-2007-0633 22559 20070214 WebTester 5.0.2 sql injection and XSS vulnerabilities 33202 webtester-post-xss(32492) 2261 24157 Multiple SQL injection vulnerabilities in WebTester 5.0.20060927 and earlier allow remote attackers to execute arbitrary SQL commands via the testID parameter to directions.php, and unspecified parameters to other files that accept GET or POST input. ADV-2007-0633 22559 20070214 WebTester 5.0.2 sql injection and XSS vulnerabilities 33204 33203 webtester-directions-sql-injection(32490) 2261 24157 Multiple SQL injection vulnerabilities in Jupiter CMS 1.1.5 allow remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header and certain other HTTP headers, which set the ip variable that is used in SQL queries performed by index.php and certain other PHP scripts. NOTE: the attack vector might involve _SERVER. 22560 20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities 20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities http://www.acid-root.new.fr/advisories/12070214.txt 33727 http://mgsdl.free.fr/advisories/12070214.txt 3310 Unrestricted file upload vulnerability in modules/emoticons.php in Jupiter CMS 1.1.5 allows remote attackers to upload arbitrary files by modifying the HTTP request to send an image content type, and to omit is_guest and is_user parameters. NOTE: this issue might be related to CVE-2006-4875. 22560 20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities 20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities http://www.acid-root.new.fr/advisories/12070214.txt 33728 http://mgsdl.free.fr/advisories/12070214.txt jupitercm-emoticons-file-upload(32517) 3311 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Jupiter CMS 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the Referer HTTP header and certain other HTTP headers, which are displayed without proper sanitization when an administrator performs a Logged Guest action. 22560 20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities 20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities http://www.acid-root.new.fr/advisories/12070214.txt 33729 http://mgsdl.free.fr/advisories/12070214.txt jupitercm-loggedguests-xss(32518) Multiple unspecified vulnerabilities in Ian Bezanson DropBox before 0.0.4 beta have unknown impact and attack vectors, possibly related to a variable extraction vulnerability. ADV-2007-0598 http://sourceforge.net/forum/forum.php?forum_id=660819 35704 Variable extraction vulnerability in Ian Bezanson Apache Stats before 0.0.3 beta allows attackers to overwrite critical variables, with unknown impact, when the extract function is used on the _REQUEST superglobal array. http://superb-east.dl.sourceforge.net/sourceforge/apachestats/apacheStats_0.0.3Beta.tar.bz2 http://sourceforge.net/forum/forum.php?forum_id=660919 ADV-2007-0598 Buffer overflow in the ActSoft DVD-Tools ActiveX control (dvdtools.ocx) allows remote attackers to execute arbitrary code via a long DVD_TOOLS.OpenDVD property value. 22558 3307 33732 dvdtools-dvdtools-bo(32529) http://www.shinnai.altervista.org/viewtopic.php?id=41&t_id=30 http://www.shinnai.altervista.org/moaxb/20070504/actsoft.txt 3610 IBM Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores HTTPPassword hashes from names.nsf in a manner accessible through Readviewentries and OpenDocument requests to the defaultview view, a different vector than CVE-2005-2428. "Generate HTML for all fields" must be enabled for successful exploitation. 3302 35764 Buffer overflow in swcons in IBM AIX 5.3 allows local users to gain privileges via long input data. ADV-2007-0617 IY94901 24154 33200 aix-swcons-bo(32508) 1017656 Unspecified vulnerability in LifeType before 1.1.6, and 1.2 before 1.2-beta2, allows remote attackers to obtain sensitive information (file contents) via a "crafted URL." ADV-2007-0616 22572 http://www.lifetype.net/blog/lifetype-development-journal/releases 24170 33210 Unspecified vulnerability in HP Serviceguard for Linux; packaged for SuSE SLES8 and United Linux 1.0 before SG A.11.15.07, SuSE SLES9 and SLES10 before SG A.11.16.10, and Red Hat Enterprise Linux (RHEL) before SG A.11.16.10; allows remote attackers to obtain unauthorized access via unspecified vectors. 22574 HBSBGN02189 ADV-2007-0619 1017655 24134 33201 SSRT071297 Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code. VU#885753 https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 https://bugzilla.mozilla.org/show_bug.cgi?id=370445 firefox-locationhostname-security-bypass(32533) ADV-2008-0083 ADV-2007-0718 ADV-2007-0624 USN-428-1 22566 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox 20070214 Firefox: serious cookie stealing / same-domain bypass vulnerability 20070215 Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability 20070215 Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32104 SUSE-SA:2007:022 http://www.mozilla.org/security/announce/2007/mfsa2007-07.html MDKSA-2007:050 GLSA-200703-08 DSA-1336 SSA:2007-066-03 SSA:2007-066-05 1017654 GLSA-200703-04 24650 24457 24455 24437 24395 24393 24384 24343 24342 24333 24328 24320 24293 24290 24287 24238 24205 24175 RHSA-2007:0077 oval:org.mitre.oval:def:9730 SUSE-SA:2007:019 http://lcamtuf.dione.cc/ffhostname.html SSRT061181 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P 2262 25588 SSRT061181 Cross-site scripting (XSS) vulnerability in error.php in TaskFreak! 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the tznMessage parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22537 24123 33120 http://www.taskfreak.com/versions.html PHP remote file inclusion vulnerability in _admin/nav.php in AT Contenator 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the Root_To_Script parameter. atcontenator-nav-file-include(32453) ADV-2007-0606 24141 33209 3297 20070213 true: AT Contenator <= v1.0 (Root_To_Script) Remote File Include Exploit SQL injection vulnerability in admin_poll.asp in PollMentor 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to pollmentorres.asp. pollmentor-pollmentorres-sql-injection(32456) ADV-2007-0601 22542 3301 24137 33192 SQL injection vulnerability in nickpage.php in phpCC 4.2 beta and earlier allows remote attackers to execute arbitrary SQL commands via the npid parameter in a sign_gb action. ADV-2007-0602 22540 3299 35129 PHP remote file inclusion vulnerability in index.php in Jupiter CMS 1.1.5, when PHP 5.0.0 or later is used, allows remote attackers to execute arbitrary PHP code via an ftp URL in the n parameter. This vulnerability requires that Jupiter CMS 1.1.5 is used with PHP 5.0.0 or later. Successful exploitation requires that "magic_quotes_gpc" is disabled and that "allow_url_fopen" is enabled. jupitercm-index-n-file-include(32519) 22560 20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities 20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities http://www.acid-root.new.fr/advisories/12070214.txt 33730 3309 http://mgsdl.free.fr/advisories/12070214.txt Directory traversal vulnerability in index.php in Jupiter CMS 1.1.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot), or an absolute pathname, in the n parameter. 22560 20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities 20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities http://www.acid-root.new.fr/advisories/12070214.txt 33731 http://mgsdl.free.fr/advisories/12070214.txt 3309 The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument. Availability also affected by time out alarm for the script, which helps prevent infinite loops. http://www.php.net/releases/5_2_1.php https://issues.rpath.com/browse/RPL-1088 php-zendhashinit-dos(32709) ADV-2007-2374 ADV-2007-1991 DSA-1264 USN-424-2 USN-424-1 2007-0009 1017671 20070227 rPSA-2007-0043-1 php php-mysql php-pgsql RHSA-2007:0088 RHSA-2007:0082 RHSA-2007:0081 RHSA-2007:0076 http://www.php-security.org/MOPB/MOPB-05-2007.html OpenPKG-SA-2007.010 SUSE-SA:2007:032 MDKSA-2007:048 http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm 2315 GLSA-200703-21 25850 25423 25056 24642 24606 24432 24421 24419 24322 24295 24284 24248 24236 24217 24195 RHSA-2007:0089 oval:org.mitre.oval:def:11092 32762 SSRT071429 SSRT071429 SSRT071423 SSRT071423 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228858 20070201-01-P ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0933. Reason: This candidate is a duplicate of CVE-2007-0933 due to a typo. Notes: All CVE users should reference CVE-2007-0933 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230733 https://issues.rpath.com/browse/RPL-1103 ADV-2007-0823 22826 RHSA-2007:0097 SUSE-SA:2007:022 http://www.mozilla.org/security/announce/2007/mfsa2007-09.html DSA-1336 SSA:2007-066-03 SSA:2007-066-05 1017726 25588 24650 24457 24455 24395 24384 oval:org.mitre.oval:def:9749 SUSE-SA:2007:019 HPSBUX02153 SSRT061181 20070301-01-P 20070202-01-P Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 ignores trailing invalid HTML characters in attribute names, which allows remote attackers to bypass content filters that use regular expressions. http://www.mozilla.org/security/announce/2007/mfsa2007-02.html https://issues.rpath.com/browse/RPL-1103 https://issues.rpath.com/browse/RPL-1081 ADV-2008-0083 ADV-2007-0718 USN-428-1 1017702 22694 20070303 rPSA-2007-0040-3 firefox thunderbird 20070226 rPSA-2007-0040-1 firefox RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0079 RHSA-2007:0078 32111 SUSE-SA:2007:022 MDKSA-2007:050 GLSA-200703-08 DSA-1336 SSA:2007-066-03 SSA:2007-066-05 GLSA-200703-04 25588 24650 24457 24455 24437 24395 24393 24384 24343 24342 24333 24328 24320 24293 24290 24287 24238 24205 RHSA-2007:0077 oval:org.mitre.oval:def:10164 32112 SUSE-SA:2007:019 http://ha.ckers.org/xss.html#XSS_Non_alpha_non_digit2 SSRT061181 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P SSRT061181 The child frames in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 inherit the default charset from the parent window, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set. http://www.mozilla.org/security/announce/2007/mfsa2007-02.html ADV-2007-0718 RHSA-2007:0079 http://www.hardened-php.net/advisory_032007.142.html oval:org.mitre.oval:def:10086 33812 SSRT061181 https://issues.rpath.com/browse/RPL-1103 USN-428-1 1017702 22694 20070226 rPSA-2007-0040-1 firefox 20070223 Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability RHSA-2007:0108 RHSA-2007:0097 RHSA-2007:0078 SUSE-SA:2007:022 MDKSA-2007:050 DSA-1336 SSA:2007-066-03 SSA:2007-066-05 25588 24650 24457 24455 24395 24384 24343 24342 24333 24328 24320 24290 24287 24205 RHSA-2007:0077 SUSE-SA:2007:019 HPSBUX02153 FEDORA-2007-293 FEDORA-2007-281 20070301-01-P 20070202-01-P Race condition in the tee (sys_tee) system call in the Linux kernel 2.6.17 through 2.6.17.6 might allow local users to cause a denial of service (system crash), obtain sensitive information (kernel memory contents), or gain privileges via unspecified vectors related to a potentially dropped ipipe lock during a race between two pipe readers. [linux-kernel] 20060717 [patch 25/45] splice: fix problems with sys_tee() http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.18 The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information. RHSA-2007:0114 fedora-xen-qemuvnc-information-disclosure(33085) ADV-2007-1021 ADV-2007-1020 ADV-2007-1019 1017764 22967 24575 oval:org.mitre.oval:def:10486 34304 Format string vulnerability in Ekiga 2.0.3, and probably other versions, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2007-1006. This vulnerability has been addressed through a product update using MandrivaUpdate. USN-434-1 oval:org.mitre.oval:def:10944 RHSA-2007:0087 MDKSA-2007:058 The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. VU#920689 22904 ADV-2007-0907 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 oval:org.mitre.oval:def:10015 http://bugzilla.kernel.org/show_bug.cgi?id=8134 https://issues.rpath.com/browse/RPL-1153 http://www.wslabi.com/wabisabilabi/initPublishedBid.do? USN-489-1 USN-486-1 20070615 rPSA-2007-0124-1 kernel xen RHSA-2007:0169 33025 MDKSA-2007:078 26139 26133 25691 25099 25080 24901 24777 24518 24493 SUSE-SA:2007:029 FEDORA-2007-336 FEDORA-2007-335 Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values. https://issues.rpath.com/browse/RPL-1268 php-gd-overflow(33453) ADV-2007-2732 ADV-2007-1269 SSA:2007-127 25159 23357 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql 20070407 PHP <= 5.2.1 wbmp file handling integer overflow RHSA-2007:0162 RHSA-2007:0153 SUSE-SA:2007:032 MDKSA-2007:090 MDKSA-2007:089 MDKSA-2007:088 MDKSA-2007:087 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php GLSA-200705-19 26235 25445 25151 25056 24965 24945 24924 24909 24814 RHSA-2007:0155 oval:org.mitre.oval:def:10179 APPLE-SA-2007-07-31 http://ifsec.blogspot.com/2007/04/php-521-wbmp-file-handling-integer.html http://docs.info.apple.com/article.html?artnum=306172 http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?revision=1.2.4.1.8.1&view=markup http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.2.4.1&r2=1.2.4.1.8.1 Format string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo. evolution-writehtml-format-string(33106) ADV-2007-1058 20070405 FLEA-2007-0010-1: evolution http://secunia.com/secunia_research/2007-44/advisory/ 24234 oval:org.mitre.oval:def:10100 RHSA-2007:0158 USN-442-1 1017808 23073 20070321 Secunia Research: Evolution Shared Memo Categories Format StringVulnerability SUSE-SR:2007:015 MDKSA-2007:070 DSA-1325 GLSA-200706-02 25880 25551 25102 24668 24651 Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption. USN-448-1 23284 RHSA-2007:0126 24770 24756 ADV-2007-1548 ADV-2007-1217 1017857 24741 oval:org.mitre.oval:def:9798 [xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfont 20070403 Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability https://issues.rpath.com/browse/RPL-1213 xorg-xcmisc-overflow(33424) 23300 20070405 FLEA-2007-0009-1: xorg-x11 freetype 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs RHSA-2007:0127 [4.0] 011: SECURITY FIX: April 4, 2007 [3.9] 021: SECURITY FIX: April 4, 2007 SUSE-SA:2007:027 MDKSA-2007:080 MDKSA-2007:079 DSA-1294 http://support.avaya.com/elmodocs2/security/ASA-2007-178.htm 102886 GLSA-200705-10 29622 25305 25216 25195 25006 25004 24791 24772 24771 24765 24758 24745 RHSA-2007:0125 SUSE-SR:2008:008 http://issues.foresightlinux.org/browse/FL-223 oval:org.mitre.oval:def:1980 Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar. firefox-aboutblank-security-bypass(32580) 22601 20070219 RE: Firefox: about:blank is phisher's best friend 20070217 Re: Firefox: about:blank is phisher's best friend 20070216 Firefox: about:blank is phisher's best friend 2264 24153 33769 33255 Heap-based buffer overflow in SW3eng.exe in the eID Engine service in CA (formerly Computer Associates) eTrust Intrusion Detection 3.0.5.57 and earlier allows remote attackers to cause a denial of service (application crash) via a long key length value to the remote administration port (9191/tcp). 22743 http://supportconnectw.ca.com/public/ca_common_docs/eid_secnotice.asp 24309 20070227 Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability ADV-2007-0776 32290 1017706 20070228 [CAID 35112]: CA eTrust Intrusion Detection Denial of Service Vulnerability Multiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via a crafted Q.931 SETUP packet. Update to version 2.0.5. ADV-2007-0655 USN-426-1 1017673 22613 RHSA-2007:0087 31939 SUSE-SR:2007:009 MDKSA-2007:044 http://www.ekiga.org/index.php?rub=10&archive=1 DSA-1262 GLSA-200703-25 25119 24680 24379 24271 24229 24228 24194 oval:org.mitre.oval:def:11642 [Ekiga-list] 20070213 Ekiga 2.0.5 available http://labs.musecurity.com/advisories/MU-200702-01.txt FEDORA-2007-263 FEDORA-2007-262 Format string vulnerability in GnomeMeeting 1.0.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the name, which is not properly handled in a call to the gnomemeeting_log_insert function. The product "GnomeMeeting" is now called "Ekiga". Failed exploit attempts will like result in a system level denial-of-service condition. RHSA-2007:0086 24185 oval:org.mitre.oval:def:11776 32083 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229266 USN-426-1 SUSE-SR:2007:009 MDKSA-2007:045 DSA-1262 25119 24379 24284 24271 20070201-01-P Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted XML list of radio stations, which results in memory corruption. NOTE: iTunes retrieves the XML document from a static URL, which requires an attacker to perform DNS spoofing or man-in-the-middle attacks for exploitation. Successful exploitation requires that an attacker perform some type of DNS spoofing or man-in-the-middle attack prior to launching this attack. 22615 20070219 iTunes remote memory corruption vulnerability 33742 2278 Macrovision InstallAnywhere Enterprise before 8.0.1 uses the InstallScript.iap_xml configuration file without integrity protection to verify authorization for installing an application, which allows local users to perform unauthorized installations by removing the (1) password or (2) serial number verification sections from this file. 22643 ADV-2007-1433 http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-003.txt 20070416 SYMSA-2007-003 Macrovision InstallAnywhere Password and Serial Number Bypass 2596 Multiple PHP remote file inclusion vulnerabilities in ZebraFeeds 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the zf_path parameter to (1) aggregator.php and (2) controller.php in newsfeeds/includes/. 22576 24162 http://cazalet.org/category/zebrafeeds zebrafeeds-zfpath-file-include(32507) ADV-2007-0622 3314 33206 33205 http://cazalet.org/zebrafeeds/forums/viewtopic.php?pid=358 PHP remote file inclusion vulnerability in functions_inc.php in VS-Gastebuch 1.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gb_pfad parameter. ADV-2007-0646 22605 24182 33223 3328 vsgastebuch-functions-file-include(32555) Cross-site scripting (XSS) vulnerability in faq.php in DeskPRO 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the article parameter. deskprocom-faq-xss(32525) 20070214 XSS in [deskpro.com v1.1.0 ] 2267 33725 PHP remote file inclusion vulnerability in generate.php in VirtualSystem Htaccess Passwort Generator 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the ht_pfad parameter. ADV-2007-0643 22598 3324 33244 htaccess-generate-file-include(32559) 24214 Stack-based buffer overflow in VicFTPS before 5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long CWD command. 22608 24161 ADV-2007-0648 3331 http://vicftps.50webs.com/ 33227 vicftps-cwd-bo(32557) SQL injection vulnerability in HaberDetay.asp in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via the id parameter. aktueldownload-haberdetay-sql-injection(32527) ADV-2007-0620 3318 SQL injection vulnerability in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via certain vectors related to the HaberDetay.asp and rss.asp components, and the id and kid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the combination of the HaberDetay.asp component and the id parameter is already covered by another February 2007 CVE candidate. ADV-2007-0620 PHP remote file inclusion vulnerability in show_news_inc.php in VirtualSystem VS-News-System 1.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the newsordner parameter. Successful exploitation requires that "register_globals" is enabled. vsnewssystem-shownewsinc-file-include(32544) ADV-2007-0649 22592 3322 24220 33247 PHP remote file inclusion vulnerability in tpl/header.php in VirtualSystem VS-News-System 1.2.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the newsordner parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24220 33248 SQL injection vulnerability in news.php in webSPELL 4.01.02, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the showonly parameter to index.php, a different vector than CVE-2006-5388. Successful exploitation e.g. allows retrieval of password hashes, but requires that "register_globals" is enabled. webspell-showonly-sql-injection(32554) ADV-2007-0650 22541 3325 24191 33229 Cross-site scripting (XSS) vulnerability in index.php in CedStat 1.31 allows remote attackers to inject arbitrary web script or HTML via the hier parameter. Cedstat-index-xss(32537) Cedstat-index-xss(32537) ADV-2007-0680 22588 20070215 CedStat v1.31 XSS 33734 http://forums.avenir-geopolitique.net/viewtopic.php?t=2672 22653 2265 SQL injection vulnerability in inc_listnews.asp in CodeAvalanche News 1.x allows remote attackers to execute arbitrary SQL commands via the CAT_ID parameter. codeavalanche-inclistnews-sql-injection(32528) ADV-2007-0621 22582 3317 35130 SQL injection vulnerability in h_goster.asp in Turuncu Portal 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22591 24209 33245 turuncu-hgoster-sql-injection(32571) SQL injection vulnerability in pop_profile.asp in Snitz Forums 2000 3.1 SR4 allows remote attackers to execute arbitrary SQL commands via the id parameter. snitzforums-popprofile-sql-injection(32543) 22593 3321 35131 PHP remote file inclusion vulnerability in include.php in Meganoide's news 1.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter. meganoidesnews-include-file-include(32546) 22589 20070216 Meganoide's news v1.1.1 < = RFi Vulnerabilities 33736 20070220 [True] Meganoide's news v1.1.1 < = RFi Vulnerabilities 2266 PHP remote file inclusion vulnerability in inc/functions_inc.php in VS-Link-Partner 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gb_pfad, or possibly script_pfad, parameter. vslinkpartner-functions-file-include(32547) ADV-2007-0651 22594 3323 35132 SQL injection vulnerability in view.php in XLAtunes 0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the album parameter in view mode. NOTE: some of these details are obtained from third party information. xlatunes-album-sql-injection(32556) ADV-2007-0644 22602 20070221 XLAtunes 0.1 (album) Remote SQL Injection Vulnerability 20070220 Re: XLAtunes 0.1 (album) Remote SQL Injection Vulnerability 20070219 XLAtunes 0.1 (album) Remote SQL Injection Vulnerability 3327 33743 Certain setuid DB2 binaries in IBM DB2 before 9 Fix Pack 2 for Linux and Unix allow local users to overwrite arbitrary files via a symlink attack on the DB2DIAG.LOG temporary file. ADV-2007-0652 1017695 1017665 22614 IY94817 24213 34024 Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image Pager 4.7.x-1.x-dev and 5.x-1.x-dev before 2007-02-08 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to HTML entities and the IMG element. imagepager-img-xss(32539) ADV-2007-0636 22586 35151 http://drupal.org/node/119293 Stack-based buffer overflow in the Connect method in the IMAP4 component in Quiksoft EasyMail Objects before 6.5 allows remote attackers to execute arbitrary code via a long host name. 22583 20070215 EasyMail Objects v6.5 Connect Method Stack Overflow easymailobjects-connect-bo(32540) ADV-2007-0634 http://security-assessment.com/files/advisories/easymail_advisory.pdf 24199 33208 2277 Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset. 22606 ADV-2007-0647 20070219 Remote DoS in libevent DNS parsing <= 1.2a 24181 33228 http://monkey.org/~provos/libevent/ 2268 Directory traversal vulnerability in include/db_conn.php in SpoonLabs Vivvo Article Management CMS 3.4 allows remote attackers to include and execute arbitrary local files via the root parameter. vivvo-dbconn-file-include(32553) 22600 3326 35159 Unspecified vulnerability in phpMyFAQ 1.6.9 and earlier, when register_globals is enabled, allows remote attackers to "gain the privilege for uploading files on the server." Successful exploitation requires that "register_globals" is enabled. 24230 phpmyfaq-unspecified-globals-file-upload(32573) phpmyfaq-php-file-upload(32573) http://www.phpmyfaq.de/advisory_2007-02-18.php 32603 Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL. http://drupal.org/node/119619 securesite-url-security-bypass(32538) ADV-2007-0637 35160 SQL injection vulnerability in the category file in modules.php in the Emporium 2.3.0 and earlier module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the category_id parameter. emporium-modules-sql-injection(23699) ADV-2007-0661 22612 3334 35981 Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors. This vulnerability affects the following versions of Drupal Mediafield Module: Drupal, Mediafield Module, 4.7.x-1.x-dev Drupal, Mediafield Module, 5.x-1.x-dev This vulnerability affects the following versions of Drupal Audio Module: Drupal, Audio Module, 4.7.x-1.x-dev Drupal, Audio Module, 5.x-0.2 Drupal, Audio Module, 5.x-0.x-dev drupal-getid3-code-execution(32542) 22587 http://drupal.org/node/119385 ADV-2007-0635 35161 http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-module The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests. VU#632656 jboss-admin-unauth-access(32596) 1017677 20070220 Re: Jboss vulnerability 20070220 Jboss vulnerability 20070220 Re: Jboss vulnerability http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss 33744 Stack-based buffer overflow in News File Grabber 4.1.0.1 and earlier allows remote attackers to execute arbitrary code via a .nzb file with a long subject field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. newsfilegrabber-nzb-bo(32577) ADV-2007-0662 22617 24237 33252 Shemes.com Grabit 1.5.3, and possibly earlier, allows remote attackers to cause a denial of service (application crash) via a .nzb file with a subject field containing ';' (semicolon) characters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0664 22619 38906 grabit-nzb-dos(32579) Unspecified vulnerability in Peanut Knowledge Base (PeanutKB) 0.0.3 and earlier has unknown impact and attack vectors. ADV-2007-0666 http://sourceforge.net/project/shownotes.php?group_id=157653&release_id=483888 42001 peanutkb-multiple-unspecified(32574) 22628 Directory traversal vulnerability in archives.php in Xpression News (X-News) 1.0.1 allows remote attackers to include arbitrary files or obtain sensitive information via a .. (dot dot) in the xnews-template parameter. xnews-archives-news-directory-traversal(32560) ADV-2007-0645 22609 3332 24177 33225 Multiple stack-based buffer overflows in S&H Computer Systems News Rover 12.1 Rev 1 allow remote attackers to execute arbitrary code via a .nzb file with a long (1) group or (2) subject string. newsrover-nzb-bo(32576) ADV-2007-0663 22618 3342 24216 33253 Directory traversal vulnerability in news.php in Xpression News (X-News) 1.0.1, when magic_quotes_gpc is disabled, allows remote attackers to include arbitrary files or obtain sensitive information via a .. (dot dot) in the xnews-template parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. xnews-archives-news-directory-traversal(32560) 24177 33226 Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass authentication and gain access via a direct request to (1) update.php and (2) config.php. ezboo-update-unauthorized-access(32563) 22590 20070215 Ezboo webstats acces to sensitive files 34181 http://forums.avenir-geopolitique.net/viewtopic.php?t=2674 2275 Pearson Education PowerSchool 4.3.6 allows remote attackers to list the contents of the admin folder via a URI composed of the admin/ directory name and an arbitrary filename ending in ".js." NOTE: it was later reported that this issue had been addressed by 5.1.2. powerschool-js-information-disclosure(32569) 22611 20071204 Re: Powerschool 404 Admin Exposure 20070219 Powerschool 404 Admin Exposure 2276 33741 mAlbum 0.3 has default accounts (1) "login"/"pass" for its administrative account and (2) "dqsfg"/"sdfg", which allows remote attackers to gain privileges. mAlbum should reconfigure their administrative login and password from their default values. malbum-default-admin-account(32562) 20070217 mAlbum v0.3 admin by default user/pass 2272 33740 http://forums.avenir-geopolitique.net/viewtopic.php?t=2677 Dem_trac allows remote attackers to read log file contents via a direct request for /anc_sit.txt. demtrac-ancsit-information-disclosure(32566) 20070215 Dem_trac acces to log file wihtout authentification 33735 http://forums.avenir-geopolitique.net/viewtopic.php?t=2673 2271 Unspecified vulnerability in Distributed Checksum Clearinghouse (DCC) before 1.3.51 allows remote attackers to delete or add hosts in /var/dcc/maps. http://www.rhyolite.com/anti-spam/dcc/CHANGES ADV-2007-0654 22622 24176 33251 PHP remote file inclusion vulnerability in admin_rebuild_search.php in phpbb_wordsearch allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. phpbbwordsearch-rebuildsearch-file-include(32551) 20070216 phpbb_wordsearch < = RFi Vulnerabilities 34243 2280 Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable. http://trac.wordpress.org/changeset/4876 ADV-2007-0741 22534 http://trac.wordpress.org/ticket/3781 http://trac.wordpress.org/changeset/4877 33766 http://downloads.securityfocus.com/vulnerabilities/exploits/22534.html GLSA-200703-23 24566 24306 Multiple cross-site scripting (XSS) vulnerabilities in index.php in AbleDesign MyCalendar allow remote attackers to inject arbitrary web script or HTML via (1) the go parameter, (2) the keyword parameter in the search menu (go=search), or (3) the username or (4) the password in a go=Login action. mycalendar-index-xss(32581) ADV-2007-0679 22635 20070219 MyCalendar multiple XSS 2270 24222 33319 33318 33317 http://forums.avenir-geopolitique.net/viewtopic.php?t=2686 Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.17.183 and earlier uses a weak cryptographic hashing function (CRC32) to identify trusted modules, which allows local users to bypass security protections by substituting modified modules that have the same CRC32 value. comodofirewallpro-crc32-security-bypass(32530) 20070215 Comodo DLL injection via weak hash function exploitation Vulnerability http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php 45243 20070215 Comodo DLL injection via weak hash function exploitation Vulnerability 2279 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in PBLang (PBL) 4.60 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the dbpath parameter, a different vector than CVE-2006-5062. NOTE: this issue has been disputed by a reliable third party for 4.65, stating that the dbpath variable is initialized in an included file that is created upon installation. 20070216 PBLang 4.60 <= (index.php) Remote File Include Vulnerability 33737 20070216 PBLang 4.60 <= (index.php) Remote File Include Vulnerability 2269 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in phpXmms 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the tcmdp parameter to (1) phpxmmsb.php or (2) phpxmmst.php. NOTE: this issue has been disputed by a reliable third party, stating that the tcmdp variable is initialized by config.php. 20070220 phpXmms 1.0 (tcmdp) Remote File Include Vulnerabilities 33749 20070220 false: phpXmms 1.0 (tcmdp) Remote File Include Vulnerabilities 2273 Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded value of the rs parameter, which is processed by Internet Explorer. Successful exploitation requires that "$wgUseAjax" is enabled ADV-2007-0678 20070220 MediaWiki Cross-site Scripting http://www.bugsec.com/articles.php?Security=24 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_3/phase3/RELEASE-NOTES 32078 20070221 [unsure] MediaWiki Cross-site Scripting mediawiki-index-xss(32586) http://sourceforge.net/project/shownotes.php?release_id=487921&group_id=34373 2274 24211 Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.9.x before 1.9.0rc2, and 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rs parameter. NOTE: this issue might be a duplicate of CVE-2007-0177. 20070220 MediaWiki Cross-site Scripting http://www.bugsec.com/articles.php?Security=24 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0/phase3/RELEASE-NOTES 37343 mediawiki-index-xss(32586) 2274 VMware Workstation 5.5.3 build 34685 does not provide per-user restrictions on certain privileged actions, which allows local users to perform restricted operations such as changing system time, accessing hardware components, and stopping the "VMware tools service" service. NOTE: exploitation is simplified via (1) weak file permisssions (Users = Read & Execute) for %PROGRAMFILES%\VMware; and weak registry key permissions (access by Users) for (2) vmmouse, (3) vmscsi, (4) VMTools, (5) vmx_svga, and (6) vmxnet in HKLM\SYSTEM\CurrentControlSet\Services\; which allows local users to perform various privileged actions outside of the guest OS by executing certain files under %PROGRAMFILES%\VMware\VMware Tools, as demonstrated by (a) VMControlPanel.cpl and (b) vmwareservice.exe. 20070303 Re: VMware Workstation multiple denial of service and isolation manipulation vulnerabilities 20070219 VMware Workstation multiple denial of service and isolation manipulation vulnerabilities 2281 45244 The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071 netdirect-permissions-privilege-escalation(32597) http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf ADV-2007-0671 1017678 22632 3356 http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html 24231 33304 SQL injection vulnerability in user_pages/page.asp in Online Web Building 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. userpages2-page-sql-injection(32583) ADV-2007-0674 24208 32677 3339 onlineweb-page-sql-injection(32583) PHP remote file inclusion vulnerability in function.php in Ultimate Fun Book 1.02 allows remote attackers to execute arbitrary PHP code via a URL in the gbpfad parameter. NOTE: some sources mention "Ultimate Fun Board," but this appears to be an error. ADV-2007-0675 22633 24219 33305 3336 ultimatefunbook-function-file-include(32584) Multiple PHP remote file inclusion vulnerabilities in Interspire SendStudio 2004.14 and earlier, when register_globals and allow_fopenurl are enabled, allow remote attackers to execute arbitrary PHP code via a URL in the ROOTDIR parameter to (1) createemails.inc.php and (2) send_emails.inc.php in /admin/includes/. ADV-2007-0672 20070223 Re: [ECHO_ADV_66$2007] SendStudio <= 2004.14 Remote File Inclusion Vulnerability 3348 24212 33265 33264 http://advisories.echo.or.id/adv/adv66-K-159-2007.txt sendstudio-rootdir-file-include(32602) 22642 20070221 [ECHO_ADV_66$2007] SendStudio <= 2004.14 Remote File Inclusion Vulnerability SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable). ADV-2007-0673 3346 24224 33316 phpnuke-index-sql-injection(32607) 22638 20070224 Blind sql injection attack in INSERT syntax on PHP-nuke <=8.0 Final 20070220 Blind sql injection attack in INSERT syntax on PHP-nuke <=8.0 Final The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time 20070221 Cisco Unified IP Conference Station and IP Phone Vulnerabilities cisco-unified-ip-conference-url-auth-bypass(32623) ADV-2007-0688 22647 20070221 Identifying and Mitigating Exploitation of Cisco Unified IP Conference Station and IP Phone Vulnerabilities 1017680 24262 45245 The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device. ADV-2007-0689 20070221 Cisco Unified IP Conference Station and IP Phone Vulnerabilities 45246 cisco-unified-ip-phone-default-user-account(32627) 1017681 22647 20070221 Identifying and Mitigating Exploitation of Cisco Unified IP Conference Station and IP Phone Vulnerabilities 24262 Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not drop privileges when the help facility in the supplicant GUI is invoked, which allows local users to gain privileges, aka CSCsf14120. 20070221 Multiple Vulnerabilities in 802.1X Supplicant cisco-cssc-help-privilege-escalation(32621) ADV-2007-0690 1017684 1017683 22648 24258 33049 Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client allows local users to gain SYSTEM privileges via unspecified vectors in the supplicant, aka CSCsf15836. 20070221 Multiple Vulnerabilities in 802.1X Supplicant cisco-cssc-privilege-escalation(32622) ADV-2007-0690 1017684 1017683 22648 24258 33048 Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client use an insecure default Discretionary Access Control Lists (DACL) for the connection client GUI, which allows local users to gain privileges by injecting "a thread under ConnectionClient.exe," aka CSCsg20558. 20070221 Multiple Vulnerabilities in 802.1X Supplicant cisco-cssc-dacl-privilege-escalation(32625) ADV-2007-0690 1017684 1017683 22648 24258 33047 Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not properly parse commands, which allows local users to gain privileges via unspecified vectors, aka CSCsh30624. cisco-cssc-parsing-privilege-escalation(32624) ADV-2007-0690 1017684 1017683 22648 20070221 Multiple Vulnerabilities in 802.1X Supplicant 24258 33045 The (1) TTLS CHAP, (2) TTLS MSCHAP, (3) TTLS MSCHAPv2, (4) TTLS PAP, (5) MD5, (6) GTC, (7) LEAP, (8) PEAP MSCHAPv2, (9) PEAP GTC, and (10) FAST authentication methods in Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client store transmitted authentication credentials in plaintext log files, which allows local users to obtain sensitive information by reading these files, aka CSCsg34423. 20070221 Multiple Vulnerabilities in 802.1X Supplicant cisco-cssc-password-information-disclosure(32626) ADV-2007-0690 1017684 1017683 22648 24258 33046 The memory management in VMware Workstation before 5.5.4 allows attackers to cause a denial of service (Windows virtual machine crash) by triggering certain general protection faults (GPF). http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#554 ADV-2007-1592 20070518 VMSA-2007-0004.1 Updated: Multiple Denial-of-Service issues fixed and directory traversal vulnerability 20070507 VMSA-2007-0004 Multiple Denial-of-Service issues fixed 35507 vmware-gpf-dos(33994) 1018011 23732 20070507 [Reversemode Advisory] VMware Products - GPF Denial of Service http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=49 25079 Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll. VU#730433 VU#630025 VU#466609 VU#349393 http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 ADV-2007-0670 http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch1_readme.txt http://www.tippingpoint.com/security/advisories/TSRT-07-02.html http://www.tippingpoint.com/security/advisories/TSRT-07-01.html 33042 serverprotect-stcommon-bo(32601) serverprotect-eng50-bo(32594) 1017676 22639 20070220 TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities 20070220 TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities 24243 Integer overflow in the gifGetBandProc function in ImageIO in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image that triggers the overflow during decompression. NOTE: this is a different issue than CVE-2006-3502 and CVE-2006-3503. TA07-072A VU#559444 ADV-2007-0930 22630 http://security-protocols.com/sp-x39-advisory.php 1017758 34854 24479 APPLE-SA-2007-03-13 http://docs.info.apple.com/article.html?artnum=305214 The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier allows local users to obtain privileges or cause a denial of service via unspecified vectors. NOTE: this issue can be leveraged remotely via CVE-2007-1063. 20070221 Cisco Unified IP Conference Station and IP Phone Vulnerabilities 20070221 Identifying and Mitigating Exploitation of Cisco Unified IP Conference Station and IP Phone Vulnerabilities 24262 33064 22647 Static code injection vulnerability in install.php in mcRefer allows remote attackers to execute arbitrary PHP code via the bgcolor parameter, which is inserted into mcrconf.inc.php. 20070211 Re: mcRefer SQL injection 42619 2283 Multiple buffer overflows in NewsBin Pro 5.33 and NewsBin Pro 4.x allow user-assisted remote attackers to execute arbitrary code via a long (1) DataPath or (2) DownloadPath attributed in a (a) NBI file, or (3) a long group field in a (b) NZB file. Successful exploitation allows execution of arbitrary code, but requires that the user is tricked into e.g. loading a malicious NBI configuration file. newsbinpro-nbi-bo(32598) ADV-2007-0694 22652 3349 24261 33378 33377 newsbinpro-nzb-bo(32608) TurboFTP 5.30 Build 572 allows remote servers to cause a denial of service (CPU consumption) via a response with a large number of newline characters. 22634 3341 33751 Multiple directory traversal vulnerabilities in phpTrafficA 1.4.1, and possibly earlier, allow remote attackers to include arbitrary local files via a .. (dot dot) in the (1) file parameter to plotStat.php and the (2) lang parameter to banref.php. phptraffica-plotstat-banref-file-include(32628) ADV-2007-0709 22655 http://www.bugtraq.ir/articles/file-inclusion/phpTrafficA-1.4.1-Local-File-Inclusion/1 http://soft.zoneo.net/phpTrafficA/news.php 24242 33374 33373 20070222 [true] phpTrafficA-1.4.1 Local File Inclusion SQL injection vulnerability in page.asp in Design4Online UserPages2 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22636 36843 PHP remote file inclusion vulnerability in index.php in FlashGameScript 1.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the func parameter. flashgamescript-index-file-include(32635) ADV-2007-0707 22646 20070221 FlashGameScript v1.5.4 Remote File Inclusion Vulnerability 3360 24267 33492 Stack-based buffer overflow in Rhino Software, Inc. FTP Voyager 14.0.0.3 and earlier allows remote servers to cause a denial of service (crash) via a long response to a CWD command, which triggers the overflow when the user aborts the command. ftpvoyager-cwd-dos(32593) 22637 3343 33746 Multiple heap-based buffer overflows in TurboFTP 5.30 Build 572 allow remote servers to cause a denial of service via (1) long filename in a response to a LIST command, and (2) a long response to a CWD command. 22634 3341 33782 33752 turboftp-cwd-dos(32605) turboftp-list-dos(32604) The start function in class.t3lib_formmail.php in TYPO3 before 4.0.5, 4.1beta, and 4.1RC1 allows attackers to inject arbitrary email headers via unknown vectors. NOTE: some details were obtained from third party information. typo3-t3libformmail-header-injection(32630) ADV-2007-0697 http://typo3.org/teams/security/security-bulletins/typo3-20070221-1 33471 typo3-t3libformmail-header-injection(32630) 22668 24207 FTP Explorer 1.0.1 Build 047, and other versions before 1.0.1.52, allows remote servers to cause a denial of service (CPU consumption) via a long response to a PWD command. 20070324 Vendor ACK for FTPx DoS (CVE-2007-1082) ftpexplorer-pwd-dos(32606) 22640 3347 33496 Buffer overflow in the Configuration Checker (ConfigChk) ActiveX control in VSCnfChk.dll 2.0.0.2 for Verisign Managed PKI Service, Secure Messaging for Microsoft Exchange, and Go Secure! allows remote attackers to execute arbitrary code via long arguments to the VerCompare method. VU#308087 https://download.verisign.co.jp/support/announce/20070216.html verisign-configchk-bo(32639) ADV-2007-0702 1017694 1017693 1017692 22676 22671 http://www.jpcert.or.jp/at/2007/at070006.txt 24249 33479 20070222 VeriSign ConfigChk ActiveX Control Buffer Overflow Vulnerability http://jvn.jp/cert/JVNVU%23308087/index.html 20070223 Verisign ConfigChk ActiveX Overflow(s) 20070222 Verisign ConfigChk ActiveX Overflow(s) Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page. https://bugzilla.mozilla.org/show_bug.cgi?id=371179 https://bugzilla.mozilla.org/show_bug.cgi?id=371179 22666 20070223 Re: [Full-disclosure] Firefox bookmark cross-domain surfingvulnerability 20070222 Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability 20070221 Firefox bookmark cross-domain surfing vulnerability 20070221 Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability 20070221 Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability http://www.heise-security.co.uk/news/85728 2304 33803 http://lcamtuf.coredump.cx/ffbook/ http://lcamtuf.coredump.cx/ffbook 20070221 Firefox bookmark cross-domain surfing vulnerability Cross-site scripting (XSS) vulnerability in Google Desktop allows remote attackers to bypass protection schemes and inject arbitrary web script or HTML, and possibly gain full access to the system, by using an XSS vulnerability in google.com to extract the signature for the internal web server, then calling the "under" parameter in Advanced Search with the proper signature. VU#615857 20070221 Overtaking Google Desktop http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf 1017686 22650 20070222 RE: Overtaking Google Desktop 33483 2301 Unspecified binaries in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 allow local users to create or modify arbitrary files via unspecified environment variables related to "unsafe file access." 22677 20070222 IBM DB2 Universal Database Multiple Privilege Escalation Vulnerabilities IY94833 40969 db2-setuid-privilege-escalation(32650) 20070818 Recent DB2 Vulnerabilities IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 does not properly terminate certain input strings, which allows local users to execute arbitrary code via unspecified environment variables that trigger a heap-based buffer overflow. 22677 IY94833 20070222 IBM DB2 Universal Database Multiple Privilege Escalation Vulnerabilities 40970 db2-bss-bo(32651) 20070818 Recent DB2 Vulnerabilities Stack-based buffer overflow in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 allows local users to execute arbitrary code via a long string in unspecified environment variables. 22677 IY94833 20070222 IBM DB2 Universal Database Multiple Privilege Escalation Vulnerabilities 40971 db2-variable-bo(32652) 20070818 Recent DB2 Vulnerabilities IBM DB2 Universal Database (UDB) 9.1 GA through 9.1 FP1 allows local users with table SELECT privileges to perform unauthorized UPDATE and DELETE SQL commands via unknown vectors. JR25941 24283 ADV-2007-0721 20070818 Recent DB2 Vulnerabilities Microsoft Windows Explorer on Windows XP and 2003 allows remote user-assisted attackers to cause a denial of service (crash) via a malformed WMF file, which triggers the crash when the user browses the folder. 22715 20070225 Few unreported vulnerabilities by SehaTo http://securityvulns.com/Qdocument170.html http://securityvulns.com/news/Microsoft/Windows/Explorer/DoS.html 34490 Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers. TA07-282A 23014 ie-mozilla-onunload-dos(32647) ADV-2007-0713 22680 SSRT071480 20070223 Secunia Research: Internet Explorer 7 "onunload" Event SpoofingVulnerability 20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too) 20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too) http://lcamtuf.coredump.cx/ietrap ie-mozilla-onunload-url-spoofing(32649) HPSBST02280 MS07-057 1018788 2291 oval:org.mitre.oval:def:2162 Mozilla Firefox 1.5.0.9 and 2.0.0.1, and SeaMonkey before 1.0.8 allow remote attackers to execute arbitrary code via JavaScript onUnload handlers that modify the structure of a document, wich triggers memory corruption due to the lack of a finalize hook on DOM window objects. VU#393921 22679 https://issues.rpath.com/browse/RPL-1103 https://bugzilla.mozilla.org/show_bug.cgi?id=371321 mozilla-onunload-code-execution(32648) ie-mozilla-onunload-dos(32647) USN-428-1 1017701 20070223 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) RHSA-2007:0078 http://www.mozilla.org/security/announce/2007/mfsa2007-08.html 24650 24395 24384 24343 24333 oval:org.mitre.oval:def:11158 32103 SUSE-SA:2007:019 HPSBUX02153 20070222 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) 20070301-01-P 20070202-01-P SUSE-SA:2007:022 MDKSA-2007:050 SSA:2007-066-05 2302 24457 SSRT061181 Multiple unspecified vulnerabilities in JP1/Cm2/Network Node Manager (NNM) before 07-10-05, and before 08-00-02 in the 08-x series, allow remote attackers to execute arbitrary code, cause a denial of service, or trigger invalid Web utility behavior. http://www.hitachi-support.com/security_e/vuls_e/HS07-002_e/index-e.html 24276 nnm-unspecified-dos(32683) nnm-unspecified-code-execution(32682) ADV-2007-0739 33529 33528 Microsoft Internet Explorer 7 allows remote attackers to cause a denial of service (NULL dereference and application crash) via JavaScript onUnload handlers that modify the structure of a document. 22678 ie-mozilla-onunload-dos(32647) 20070223 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) 45248 2302 Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 do not properly implement JavaScript onUnload handlers, which allows remote attackers to run certain JavaScript code and access the location DOM hierarchy in the context of the next web site that is visited by a client. FEDORA-2007-2664 FEDORA-2007-2601 FEDORA-2007-3431 https://issues.rpath.com/browse/RPL-1858 https://bugzilla.mozilla.org/show_bug.cgi?id=371360 ie-mozilla-onunload-url-spoofing(32649) ie-mozilla-onunload-dos(32647) ADV-2008-0083 ADV-2007-3587 ADV-2007-3544 USN-535-1 USN-536-1 22688 20071029 rPSA-2007-0225-2 firefox thunderbird 20071029 FLEA-2007-0062-1 firefox 20071026 rPSA-2007-0225-1 firefox 20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too) 20070223 Firefox: onUnload tailgating (MSIE7 entrapment bug variant) RHSA-2007:0981 RHSA-2007:0980 RHSA-2007:0979 SUSE-SA:2007:057 http://www.mozilla.org/security/announce/2007/mfsa2007-30.html MDKSA-2007:202 GLSA-200711-14 DSA-1401 DSA-1396 DSA-1392 http://support.novell.com/techcenter/psdb/60eb95b75c76f9fbfcc9a89f99cd8f79.html 1018837 2310 28398 27680 27665 27480 27425 27414 27403 27387 27383 27360 27356 27336 27335 27327 27325 27315 27311 27298 27276 oval:org.mitre.oval:def:11665 33809 20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too) http://lcamtuf.coredump.cx/ietrap/ff/ SSRT061181 HPSBUX02153 201516 Cross-site scripting (XSS) vulnerability in ps_cart.php in VirtueMart before 20070116 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue might overlap CVE-2007-0376. ADV-2007-0817 http://virtuemart.svn.sourceforge.net/viewvc/*checkout*/virtuemart/trunk/virtuemart/CHANGELOG.php?revision=692 24399 Unrestricted file upload vulnerability in the onAttachFiles function in the upload tool (inc/lib/attachment.lib.php) in Wiclear before 0.11.1 allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors related to filename validation. NOTE: some details were obtained from third party information. wiclear-onattachfiles-file-upload(32757) ADV-2007-0792 http://wiclear.free.fr/?Download 24286 33598 Multiple unspecified vulnerabilities in ScryMUD before 2.1.11 have unknown impact and attack vectors, possibly related to denial of service caused by a search that begins with a .* sequence. [ScryMUD] 20070223 ScryMUD 2.1.11 (stable) has been released. http://scrymud.net/downloads/Changelog-2.1.10-2.1.11.txt 33600 dbclient in Dropbear SSH client before 0.49 does not sufficiently warn the user when it detects a hostkey mismatch, which might allow remote attackers to conduct man-in-the-middle attacks. ADV-2007-0785 33814 http://matt.ucc.asn.au/dropbear/CHANGES dropbear-hostkey-weak-security(32762) 22761 32088 24345 Directory traversal vulnerability in download.php in Ahmet Sacan Pickle before 20070301 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. pickle-download-directory-traversal(32712) ADV-2007-0748 22703 20070223 pickle download local file http://user.ceng.metu.edu.tr/~ahmet/Wiki/Software/pickle/pickle 24294 33763 2293 Multiple cross-site scripting (XSS) vulnerabilities in Photostand 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) message ("comment") or (2) name field, or the (3) q parameter in a search action in index.php. photostand-index-xss(32701) ADV-2007-0752 22707 22706 20070224 Photostand_1.2.0 Multiple Cross Site Scripting 2296 24310 33773 Photostand 1.2.0 allows remote attackers to obtain sensitive information via a ' (quote) character in (1) a PHPSESSID cookie or (2) the id parameter in an article action in index.php, which reveal the path in various error messages. ADV-2007-0752 20070224 Photostand_1.2.0 Multiple Cross Site Scripting 33775 33774 photostand-index-path-disclosure(32702) 2296 Tor does not verify a node's uptime and bandwidth advertisements, which allows remote attackers who operate a low resource node to make false claims of greater resources, which places the node into use for many circuits and compromises the anonymity of traffic sources and destinations. http://www.cs.colorado.edu/department/publications/reports/docs/CU-CS-1025-07.pdf 45249 [or-talk] 20070225 Re: ISP controlling entry/exti ("Low-Resource Routing Attacks Against Anonymous Systems") [or-talk] 20070225 Re: "Low-Resource Routing Attacks Against Anonymous Systems" [or-talk] 20070225 "Low-Resource Routing Attacks Against Anonymous Systems" PHP remote file inclusion vulnerability in top.php in PHP Module Implementation (PHP-MIP) 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the laypath parameter. ADV-2007-0732 3374 36881 phpmodule-top-file-include(32672) 22714 PHP remote file inclusion vulnerability in functions.php in Extreme phpBB (aka phpBB Extreme) 3.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0733 22708 3370 36957 extremephpbb-functions-file-include(32685) PHP remote file inclusion vulnerability in includes/functions_nomoketos_rules.php in the NoMoKeTos Rules 0.0.1 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-0735 22713 3373 37000 nomoketo-functions-file-include(32686) SQL injection vulnerability in thumbnails.php in Coppermine Photo Gallery (CPG) 1.3.x allows remote authenticated users to execute arbitrary SQL commands via a cpg131_fav cookie. NOTE: it was later reported that 1.4.10, 1.4.14, and other 1.4.x versions are also affected using similar cookies. copperminephoto-thumbnails-sql-injection(39806) 27372 20070224 Coppermine Photo Gallery 1.3.x Blind SQL Injection Exploit 4961 4950 3371 33133 coppermine-thumbnails-sql-injection(32688) 22709 2297 PHP remote file inclusion vulnerability in index.php in Christian Schneider CS-Gallery 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the album parameter during a securealbum todo action. ADV-2007-0734 22712 3372 33754 csgallery-index-file-include(32674) 24291 Multiple cross-site scripting (XSS) vulnerabilities in Phpwebgallery 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) login or (2) mail_address field in Register.php, or the (3) search_author, (4) mode, (5) start_year, (6) end_year, or (7) date_type field in Search.php, a different vulnerability than CVE-2006-1674. NOTE: 1.6.2 and other versions might also be affected. phpwebgallery-register-search-xss(32687) 22711 20070224 Phpwebgallery-1.4.1, Multiple Cross Site Scripting 2298 24308 33762 33761 Directory traversal vulnerability in data/showcode.php in ActiveCalendar 1.2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. ADV-2007-0759 22704 20070224 ActiveCalendar 1.2.0, Multiple vulnerabilities activecalendar-showcode-file-include(32691) 20070224 Re: ActiveCalendar 1.2.0, Multiple vulnerabilities 33144 2299 Multiple cross-site scripting (XSS) vulnerabilities in ActiveCalendar 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the css parameter to (1) flatevents.php, (2) js.php, (3) mysqlevents.php, (4) m_2.php, (5) m_3.php, (6) m_4.php, (7) xmlevents.php, (8) y_2.php, or (9) y_3.php in data/. ADV-2007-0759 22705 20070224 ActiveCalendar 1.2.0, Multiple vulnerabilities activecalendar-multiple-scripts-xss(32690) 20070224 Re: ActiveCalendar 1.2.0, Multiple vulnerabilities 33153 33152 33151 33150 33149 33148 33147 33146 33145 2299 Kaspersky Anti-Virus 6.0 and Internet Security 6.0 exposes unsafe methods in the (a) AXKLPROD60Lib.KAV60Info (AxKLProd60.dll) and (b) AXKLSYSINFOLib.SysInfo (AxKLSysInfo.dll) ActiveX controls, which allows remote attackers to "download" or delete arbitrary files via crafted arguments to the (1) DeleteFile, (2) StartBatchUploading, (3) StartStrBatchUploading, or (4) StartUploading methods. http://www.kaspersky.com/technews?id=203038694 24778 http://www.zerodayinitiative.com/advisories/ZDI-07-014.html ADV-2007-1268 kaspersky-startuploading-info-disclosure(33464) 1017885 1017884 23345 20070405 ZDI-07-014: Kaspersky Anti-Virus ActiveX Control Unsafe Method Exposure Vulnerablity The child frames in Microsoft Internet Explorer 7 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set. ADV-2007-0744 http://www.hardened-php.net/advisory_032007.142.html 22701 20070223 Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability 32119 24314 The child frames in Opera 9 before 9.20 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set. http://www.hardened-php.net/advisory_032007.142.html ADV-2007-0745 1017909 22701 20070223 Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability http://www.opera.com/support/search/view/855/ SUSE-SA:2007:028 25027 24312 32118 The CheckLoadURI function in Mozilla Firefox 1.8 lists the about: URI as a ChromeProtocol and can be loaded via JavaScript, which allows remote attackers to obtain sensitive information by querying the browser's session history. Comments in the hyperlinks also pointed to Firefox 2.0.0.2 containing the vulnerability. https://bugzilla.mozilla.org/show_bug.cgi?id=371375 20070223 Re: [Full-disclosure] Firefox Cache Hack - Firefox History Hack redux 20070223 Firefox Cache Hack - Firefox History Hack redux http://www.gnucitizen.org/projects/hscan-redux/ 2309 33804 Unspecified vulnerability in Publisher 2007 in Microsoft Office 2007 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "file format vulnerability." NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source. http://research.eeye.com/html/advisories/upcoming/20070216.html 45264 http://news.com.com/2100-1002_3-6161835.html 22702 Multiple PHP remote file inclusion vulnerabilities in eFiction 3.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path_to_smf parameter to (1) bridges/SMF/logout.php or (2) get_session_vars.php. ADV-2007-0708 22682 3361 24268 33527 33526 efiction-pathtosmf-file-include(32662) Unspecified vulnerability in Novell ZENworks 7 Desktop Management Support Pack 1 before Hot patch 3 (ZDM7SP1HP3) allows remote attackers to upload images to certain folders that were not configured in the "Only allow uploads to the following directories" setting via unspecified vectors. https://secure-support.novell.com/KanisaPlatform/Publishing/650/3484245_f.SAL_Public.html https://secure-support.novell.com/KanisaPlatform/Publishing/408/3563780_f.SAL_Public.html 22686 24274 ADV-2007-0712 33533 The (1) Import.LoadFromURL and (2) Export.asText.SaveToFile functions in TeeChart Pro ActiveX control (TeeChart7.ocx) allow remote attackers to download a crafted .tee file to an arbitrary location. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22689 24263 33534 teechart-activex-file-upload(32694) Multiple SQL injection vulnerabilities in Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) 1.00 allow remote attackers to execute arbitrary SQL commands via the id parameter to the (1) updateRow and (2) deleteRow functions in functions.php. NOTE: some of these details are obtained from third party information. http://sourceforge.net/project/shownotes.php?release_id=488406 24269 ADV-2007-0715 22685 zephyrsoft-id-sql-injection(32665) Multiple SQL injection vulnerabilities in Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) 1.00 and 1.01 allow remote attackers to execute arbitrary SQL commands via the id parameter to the (1) updateRow and (2) deleteRow functions in functions.php, a variant of a SQL injection issue that was fixed in 1.01. NOTE: some of these details are obtained from third party information. ADV-2007-0715 22685 http://sourceforge.net/project/downloading.php?group_id=153333&use_mirror=osdn&filename=abc-1.02.zip 24269 Multiple PHP remote file inclusion vulnerabilities in ZPanel 2.0 allow remote attackers to execute arbitrary PHP code via a URL in (1) the body parameter to templates/ZPanelV2/template.php or (2) the page parameter to zpanel.php. NOTE: the zpanel.php vector may overlap CVE-2005-0793.2. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. zpanel-template-file-include(32659) ADV-2007-0710 22683 24275 33498 zpanel-zpanel-file-include(32680) Directory traversal vulnerability in gallery.php in XeroXer Simple one-file gallery allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. 22700 20070223 Simple one-file gallery 33760 sofg-gallery-file-include(32654) 2292 Cross-site scripting (XSS) vulnerability in gallery.php in XeroXer Simple one-file gallery allows remote attackers to inject arbitrary web script or HTML via the f parameter. ADV-2007-0740 22700 20070223 Simple one-file gallery 33759 sofg-gallery-xss(32655) 2292 24292 Directory traversal vulnerability in index.php in xtcommerce allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter. ADV-2007-0746 20070223 xtcommerce local file include 33758 xtcommerce-index-file-include(32656) 22698 2294 24301 Directory traversal vulnerability in enc/stylecss.php in shopkitplus allows remote attackers to read arbitrary files via a .. (dot dot) in the changetheme parameter. 22697 ADV-2007-0747 20070223 shopkitplus local file include 33755 shopkitplus-stylecss-file-include(32660) 2295 24279 shopkitplus allows remote attackers to obtain sensitive information via a request to (1) events.php with a curmonth[]=01 query string or (2) enc/stylecss.php with a changetheme[]= query string, which reveals the path in various error messages. 20070223 shopkitplus local file include 33757 33756 shopkitplus-events-stylecss-info-disclosure(32661) 2295 Multiple unrestricted file upload vulnerabilities in MTCMS 3.2 allow remote attackers to upload and execute files via (1) an avatar upload in an add_down action, or (2) an add_link action. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type' ADV-2007-0755 22690 20070223 MTCMS multiple upload vulnerabilities 33778 PHP remote file inclusion vulnerability in sinagb.php in Sinapis Gastebuch 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the fuss parameter. ADV-2007-0737 22696 3366 37007 sinapis-gastebuch-sinagb-file-include(32657) PHP remote file inclusion vulnerability in sinapis.php in Sinapis Forum 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the fuss parameter. ADV-2007-0738 22699 3367 37008 sinapisforum-sinapis-file-include(32658) Multiple cross-site scripting (XSS) vulnerabilities in the "Contact Us" functionality in MTCMS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) message and (2) title fields. ADV-2007-0755 22690 20070223 MTCMS multiple upload vulnerabilities 37443 PHP remote file inclusion vulnerability in fcring.php in FCRing 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the s_fuss parameter. ADV-2007-0736 22693 3365 33802 fcring-fcring-file-include(32653) 24305 Unspecified vulnerability in Watchtower (WT) before 0.12 has unknown impact and attack vectors, related to "unauthorized accounts." Watchtower is prone to an unspecified authentication-bypass vulnerability. An attacker can exploit this issue to gain unauthorized access to the application. Versions prior to 0.12 are vulnerable. http://www.securityfocus.com/bid/22721/info The vendor has released version 0.12 to address this issue. Download: http://downloads.sourceforge.net/wtelements/wt0.12.tar.gz?modtime=1171 460836&big_mirror=0 ADV-2007-0743 22721 http://sourceforge.net/project/shownotes.php?release_id=486435&group_id=188798 41106 Multiple SQL injection vulnerabilities in WebMplayer before 0.6.1-Alpha allow remote attackers to execute arbitrary SQL commands via the (1) strid parameter to index.php and the (2) id[0] or other id array index parameter to filecheck.php. http://sourceforge.net/project/shownotes.php?release_id=486880&group_id=172354 ADV-2007-0742 34443 34442 22726 index.php in WebMplayer before 0.6.1-Alpha allows remote attackers to execute arbitrary code via shell metacharacters in an exec function call. NOTE: some sources have referred to this as eval injection in the param parameter, but CVE source inspection suggests that this is erroneous. ADV-2007-0742 22726 http://sourceforge.net/project/shownotes.php?release_id=486880&group_id=172354 34441 20070227 WebMplayer "eval injection" is actually OS command injection putmail.py in Putmail before 1.4 does not detect when a user attempts to use TLS with a server that does not support it, which causes putmail.py to send the username and password in plaintext while the user believes encryption is in use, and allows remote attackers to obtain sensitive information. ADV-2007-0753 24266 http://putmail.sourceforge.net/home.html 33764 putmail-tls-password-plaintext(32689) 22718 Absolute path traversal vulnerability in list_main_pages.php in Cromosoft Simple Plantilla PHP (SPP) allows remote attackers to list arbitrary directories, and read arbitrary files, via an absolute pathname in the nfolder parameter. 22669 20070222 Plantilla PHP Simple 2332 33138 Unrestricted file upload vulnerability in Cromosoft Simple Plantilla PHP (SPP) allows remote attackers to upload arbitrary scripts via a filename with a double extension. 22669 20070222 Plantilla PHP Simple 2332 33139 Directory traversal vulnerability in edit.php in pheap allows remote attackers to read and modify arbitrary files via a .. (dot dot) in the filename parameter. 22670 20070222 pheap [edit LFI] vulnerability 2354 33140 PHP remote file inclusion vulnerability in preview.php in Magic News Plus 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the php_script_path parameter. NOTE: This issue may overlap CVE-2006-0723. 22661 20070221 Magic News Plus File Inclusion And Xss Vulnerabilitis 2334 33135 Cross-site scripting (XSS) vulnerability in Magic News Plus 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the link_parameters parameter in (1) news.php and (2) n_layouts.php. 22661 20070221 Magic News Plus File Inclusion And Xss Vulnerabilitis 2334 33137 33136 Directory traversal vulnerability in pn-menu.php in J-Web Pics Navigator 1.0 allows remote attackers to list arbitrary directories via a .. (dot dot) in the dir parameter. picsnavigator-dir-directory-traversal(32646) 20070222 Pics Navigator Directory Traversal Vulnerability 2340 33118 http://forums.avenir-geopolitique.net/viewtopic.php?t=2692 Directory traversal vulnerability in jwpn-photos.php in J-Web Pics Navigator 2.0 allows remote attackers to list arbitrary directories via a .. (dot dot) in the dir parameter. J-Web Pics Navigator is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to retrieve and edit the contents of arbitrary files from the vulnerable system in the context of the affected application. J-Web Pics Navigator 2.0 is vulnerable to this issue; other versions may also be affected. http://www.securityfocus.com/bid/22681 picsnavigator-dir-directory-traversal(32646) ADV-2007-0711 22681 20070222 Pics Navigator Directory Traversal Vulnerability 2340 24273 33117 http://forums.avenir-geopolitique.net/viewtopic.php?t=2692 Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite - ESupport 3.00.13 and 3.04.10 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to a (1) lostpassword or (2) register action in index.php, (3) unspecified vectors in the Submit form in a submit action in index.php, and (4) the user's name in index.php; and (5) allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to the Admin and Staff Control Panel. NOTE: this might issue overlap CVE-2004-1412, CVE-2005-0487, or CVE-2005-0842. ADV-2007-0717 22631 20070219 ESupport Multiple HTML Injection Vulnerabilities 2335 24223 33536 33535 PHP remote file inclusion vulnerability in function.php in arabhost allows remote attackers to execute arbitrary PHP code via a URL in the adminfolder parameter. 20070222 Hasadya Raed 33839 20070227 Verified: arabhost function.php RFI 2339 PHP remote file inclusion vulnerability in view.php in hbm allows remote attackers to execute arbitrary PHP code via a URL in the hbmpath parameter. 20070222 Hasadya Raed 2339 36878 PHP remote file inclusion vulnerability in install/index.php in LoveCMS 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the step parameter. ADV-2007-0716 22675 20070222 LoveCMS 1.4 multiple vulnerabilities 2338 33516 Multiple directory traversal vulnerabilities in LoveCMS 1.4 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the step parameter to install/index.php or (2) the load parameter to the top-level URI. ADV-2007-0716 22675 20070222 LoveCMS 1.4 multiple vulnerabilities 2338 33518 33517 Unrestricted file upload vulnerability in LoveCMS 1.4 allows remote authenticated administrators to upload arbitrary files to /modules/content/pictures/tmp/. 22675 20070222 LoveCMS 1.4 multiple vulnerabilities 2338 33519 Cross-site scripting (XSS) vulnerability in LoveCMS 1.4 allows remote attackers to inject arbitrary web script or HTML via the id parameter to the top-level URI, possibly related to a SQL error. ADV-2007-0716 22675 20070222 LoveCMS 1.4 multiple vulnerabilities 2338 33520 Multiple directory traversal vulnerabilities in Pyrophobia 2.1.3.1 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) act or (2) pid parameter to the top-level URI (index.php), or the (3) action parameter to admin/index.php. NOTE: some of these details are obtained from third party information. 33861 22667 8095 37398 Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews 1.3.6 allow remote attackers to execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: issue might overlap CVE-2004-1660 or CVE-2006-4445. 22674 37397 SQL injection vulnerability in webSPELL allows remote attackers to execute arbitrary SQL commands via a ws_auth cookie, a different vulnerability than CVE-2006-4782. Affected product versions not specified. Successful exploitation requires that "magic_quotes_gpc" is disabled. webspell-login-sql-injection(32669) 20070222 WebSpell > 4.0 Authentication Bypass and arbitrary code execution 2337 Unrestricted file upload vulnerability in webSPELL allows remote authenticated administrators to upload and execute arbitrary PHP code via the add squad feature. NOTE: this issue may be an administrative feature, in which case this CVE may be REJECTED. Affected product versions unspecified. webspell-addsquad-file-upload(32670) 20070222 WebSpell > 4.0 Authentication Bypass and arbitrary code execution 2337 JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/. 20070222 JBrowser acces to admin/config files 33141 http://forums.avenir-geopolitique.net/viewtopic.php?t=2693 9537 20070223 JBrowser Acces to Admin Panel Exploit 1008909 2370 Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAdaptor in JBoss allows remote attackers to perform privileged actions as administrators via certain MBean operations, a different vulnerability than CVE-2006-3733. Affected product versions unspecified. jboss-jmxconsole-csrf(32673) 20070222 JBoss jmx-console CSRF 20070223 Re: JBoss jmx-console CSRF 33142 Directory traversal vulnerability in index.php in the Pagesetter 6.2.0 through 6.3.0 beta 5 module for PostNuke allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter. 24299 ADV-2007-0758 22733 20070226 SEC Consult SA-20070226-0 :: File Disclosure in Pagesetter for PostNuke http://www.elfisk.dk/index.php?module=pagesetter&func=viewpub&tid=7&pid=125 33781 20070227 Re:SEC Consult SA-20070226-0 :: File Disclosure 20070226 SEC Consult SA-20070226-0 :: File Disclosure in pagesetter-index-directory-traversal(32695) 2336 Cross-site scripting (XSS) vulnerability in modules/out.php in Pyrophobia 2.1.3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22667 36879 webSPELL 4.0, and possibly later versions, allows remote attackers to bypass authentication via a ws_auth cookie, a different vulnerability than CVE-2006-4782. This vulnerability may affect more recent versions of the product as well. (WebSPELL, WebSPELL, 4.0 and later) 20070222 WebSpell > 4.0 Authentication Bypass and arbitrary code execution 2337 33143 Cross-site scripting (XSS) vulnerability in call_entry.php in Call Center Software 0,93 allows remote attackers to inject arbitrary web script or HTML via the problem_desc parameter, as demonstrated by the ONLOAD attribute of a BODY element. 20070221 Call Center Software - Remote Xss Post Exploit - 20070222 [TRUE] Call Center Software - Remote Xss Post Exploit - 2333 33037 A certain ActiveX control in the Common Controls Replacement Project (CCRP) CCRP BrowseDialog Server (ccrpbds6.dll) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) IsFolderAvailable or (2) RootFolder property value, different vectors than CVE-2007-0371. http://www.securityfocus.com/data/vulnerabilities/exploits/22645.html 22645 3350 34963 SQL injection vulnerability in printview.php in webSPELL 4.01.02 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter, a different vector than CVE-2007-1019, CVE-2006-5388, and CVE-2006-4783. ADV-2007-0714 22659 3351 24257 33231 Multiple PHP remote file inclusion vulnerabilities in DBImageGallery 1.2.2 allow remote attackers to execute arbitrary PHP code via a URL in the donsimg_base_path parameter to (1) attributes.php, (2) images.php, or (3) scan.php in admin/; or (4) attributes.php, (5) db_utils.php, (6) images.php, (7) utils.php, or (8) values.php in includes/. dbimagegallery-donsimg-file-include(32612) ADV-2007-0692 22657 20070305 Re: Remote File Include In DBImageGallery 20070302 Remote File Include In DBImageGallery 3353 34944 34943 34942 34941 34940 34939 34938 34937 Multiple PHP remote file inclusion vulnerabilities in DBGuestbook 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the dbs_base_path parameter to (1) utils.php, (2) guestbook.php, or (3) views.php in includes/. ADV-2007-0693 22658 3354 33495 33494 33493 SQL injection vulnerability in result.php in Nabopoll 1.2 allows remote attackers to execute arbitrary SQL commands via the surv parameter. 22649 20070221 Nabopoll Blind SQL Injection vulnerabilies 3355 2372 33753 20070222 [TRUE] Nabopoll Blind SQL Injection vulnerabilies inc/filebrowser/browser.php in deV!L`z Clanportal (DZCP) 1.4.5 and earlier allows remote attackers to obtain MySQL data via the inc/mysql.php value of the file parameter. This vulnerability is addressed in the following product release: 1.4.6 24260 ADV-2007-0695 22660 3357 http://www.dzcp.de/inc/tinymce_files/Downloads/dzcp_update/notes_1.4.6.txt 33372 Trend Micro ServerProtect for Linux (SPLX) 1.25, 1.3, and 2.5 before 20070216 allows remote attackers to access arbitrary web pages and reconfigure the product via HTTP requests with the splx_2376_info cookie to the web interface port (14942/tcp). http://www.trendmicro.com/download/product.asp?productid=20 22662 1017685 24264 ADV-2007-0691 20070221 Trend Micro ServerProtect Web Interface Authorization Bypass Vulnerability The web interface in Trend Micro ServerProtect for Linux (SPLX) 1.25, 1.3, and 2.5 before 20070216 accepts logon requests through unencrypted HTTP, which might allow remote attackers to obtain credentials by sniffing the network. http://www.trendmicro.com/download/product.asp?productid=20 SimBin GTR - FIA GT Racing Game 1.5.0.0 and earlier, GT Legends 1.1.0.0 and earlier, GTR 2 1.1 and earlier, and RACE - The WTCC Game 1.0 and earlier allow remote attackers to cause a denial of service (client disconnection) via an empty UDP packet to the server port. ADV-2007-0696 22651 20070221 Players disconnection in Simbin racing games 34240 2369 http://aluigi.altervista.org/adv/simbinzero-adv.txt SQL injection vulnerability in includes/nsbypass.php in NukeSentinel 2.5.05, 2.5.11, and other versions before 2.5.12 allows remote attackers to execute arbitrary SQL commands via an admin cookie. nukesentinel-nsbypass-sql-injection(32582) http://www.waraxe.us/advisory-53.html 25805 22629 20070928 Re: [waraxe-2007-SA#053] - Critical Sql Injection in NukeSentinel 2.5.11 20070925 [waraxe-2007-SA#053] - Critical Sql Injection in NukeSentinel 2.5.11 20070220 NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit http://www.nukescripts.net/index.php?op=NEArticle&sid=4076 3337 20070928 CVE-2007-5125 - dupe 2344 26954 SQL injection vulnerability in nukesentinel.php in NukeSentinel 2.5.05, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, aka the "File Disclosure Exploit." 20070220 NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit 3338 2341 24221 20070314 SQL injection (x2) in NukeSentinel Multiple buffer overflows in the CentennialIPTransferServer service (XFERWAN.EXE), as used by (1) Centennial Discovery 2006 Feature Pack 1, (2) Numara Asset Manager 8.0, and (3) Symantec Discovery 6.5, allow remote attackers to execute arbitrary code via long strings in a crafted TCP packet. xferwan-tcp-bo(34313) ADV-2007-1834 ADV-2007-1833 ADV-2007-1832 1018072 24002 http://secunia.com/secunia_research/2007-43/advisory/ http://secunia.com/secunia_research/2007-42/advisory/ http://secunia.com/secunia_research/2007-41/advisory/ 24329 24281 24090 35076 Multiple cross-site scripting (XSS) vulnerabilities in WebAPP before 20070214 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to unspecified fields in user Profiles. NOTE: some of these details are obtained from third party information. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=251 webapporg-net-profileedit-xss(32506) webapporg-net-profileedit-xss(32506) ADV-2007-0605 22563 33301 Cross-site scripting (XSS) vulnerability in an admin feature in WebAPP before 20070209 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=249 ADV-2007-0604 22563 33275 Multiple cross-site scripting (XSS) vulnerabilities in WebAPP before 0.9.9.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) Gallery Comments pages, (2) Feedback pages, (3) Search Results pages, and (4) the Statistics Log viewer. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 webapp-gallery-feedback-xss(32526) webapp-searchresultspages-xss(32499) webapp-statisticslogviewer-xss(32498) ADV-2007-0604 22563 24080 33290 33289 33288 33276 WebAPP before 0.9.9.5 does not properly filter certain characters in contexts related to (1) the query string, (2) Profiles, (3) the Forum Post icon field, (4) the Edit Profile, and (5) the Gallery, which has unknown impact and remote attack vectors, possibly related to cross-site scripting (XSS). 22563 24080 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 33287 33286 33283 33277 WebAPP before 0.9.9.5 does not check access in certain contexts related to (1) Calendar Administration, (2) Instant Messages Administration, and (3) the Image Uploader, which has unknown impact and attack vectors. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 22563 24080 33282 33279 WebAPP before 0.9.9.5 does not properly manage e-mail addresses in certain contexts related to (1) the Recommend feature, Email Article (2) senders and (3) recipients, (4) New User Approval, (5) Edit Profiles, (6) the Newsletter Subscription form, (7) the Recommend form, and (8) sending of articles, which has unknown impact, and remote attack vectors related to spam attacks and possibly other attacks. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 22563 24080 33284 WebAPP before 0.9.9.5 does not check referrers in certain forms, which might facilitate remote cross-site request forgery (CSRF) attacks or have other unknown impact. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 22563 24080 33285 WebAPP before 0.9.9.5 passes (1) Unused Informations and (2) the username through Edit Profile forms, which has unknown impact and attack vectors. 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33291 WebAPP before 0.9.9.5 allows remote Guest users to edit a Guest profile, which has unknown impact. 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33292 WebAPP before 0.9.9.5 allows remote authenticated users to spoof another user's Real Name via whitespace, which has unknown impact and attack vectors. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 22563 24080 33293 The default configuration of WebAPP before 0.9.9.5 has a CAPTCHA setting of "no," which makes it easier for automated programs to submit false data. 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33294 The (1) Search, (2) Edit Profile, (3) Recommend, and (4) User Approval forms in WebAPP before 0.9.9.5 use hidden inputs, which has unknown impact and remote attack vectors. 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33295 WebAPP before 0.9.9.5 does not "censor" the Latest Member real name, which has unknown impact. 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33296 WebAPP before 0.9.9.5 allows remote authenticated users, without admin privileges, to obtain sensitive information via (1) the Forum Archive feature and (2) Recent Searches. 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33298 33281 WebAPP before 0.9.9.5 allows remote attackers to submit Search form input that is not checked for (1) composition or (2) length, which has unknown impact, possibly related to "search form hijacking". 22563 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ADV-2007-0604 24080 33299 Integer overflow in the envwrite function in the Alcatel-Lucent Bell Labs Plan 9 kernel allows local users to overwrite certain memory addresses with kernel memory via a large n argument, as demonstrated by (1) modifying the iseve function to gain privileges and (2) making the devpermcheck function grant unrestricted device permissions. 22749 3383 34956 [dailydave] 20070227 Wow, free kernel zero day? http://kernelspace.us/itheft.c Unspecified vulnerability in the EmbeddedWB Web Browser ActiveX control allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22755 36205 The Social Bookmarks (del.icio.us) plug-in 8F in Quicksilver writes usernames and passwords in plaintext to the /Library/Logs/Console/UID/Console.log file, which allows local users to obtain sensitive information by reading this file. 22752 socialbookmarks-password-plaintext(32721) 34486 20070228 Quicksilver Social Bookmark plugin v.8F: password in clear text 2368 Thomas R. Pasawicz HyperBook Guestbook 1.30 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download an admin password hash via a direct request for data/gbconfiguration.dat. 22754 33868 http://downloads.securityfocus.com/vulnerabilities/exploits/22754.py 24392 Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors. Successful exploitation requires that "magic_quotes_gpc" is disabled. 22756 http://sourceforge.net/tracker/index.php?func=detail&aid=1656000&group_id=156477&atid=799942 ADV-2007-0781 35993 Norman SandBox Analyzer does not use the proper range for Interrupt Descriptor Table (IDT) entries, which allows local users to determine that the local machine is an emulator, or a similar environment not based on a physical Intel processor, which allows attackers to produce malware that is more difficult to analyze. 20070303 Re: Evading the Norman SandBox Analyzer 20070302 Re: Evading the Norman SandBox Analyzer 20070228 Evading the Norman SandBox Analyzer http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html 34955 Multiple buffer overflows in XM Easy Personal FTP Server 5.3.0 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: this issue might overlap CVE-2006-2225, CVE-2006-2226, or CVE-2006-5728. ADV-2007-0786 22747 3385 33813 http://downloads.securityfocus.com/vulnerabilities/exploits/22747.pl Unspecified vulnerability in Citrix Presentation Server Client for Windows before 10.0 allows remote web sites to execute arbitrary code via unspecified vectors, related to the implementation of ICA connectivity through proxy servers. Upgrade to Citrix Presentation Server Client for Windows version 10.0: http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755 VU#798364 ADV-2007-0784 http://support.citrix.com/article/CTX112589 33833 citrix-ica-code-execution(32754) 1017712 22762 24350 Multiple unspecified vulnerabilities in Epiware before 4.7.5 have unknown impact and attack vectors, possibly related to cross-site scripting (XSS) and other unspecified issues. http://sourceforge.net/forum/forum.php?forum_id=669653 33817 Cross-site scripting (XSS) vulnerability in TaskFreak! before 0.5.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly a variant of CVE-2007-0982. http://www.taskfreak.com/versions.html 32089 Adobe Reader and Acrobat Trial allow remote attackers to read arbitrary files via a file:// URI in a PDF document, as demonstrated with <</URI(file:///C:/)/S/URI>>, a different issue than CVE-2007-0045. adobe-pdf-file-information-disclosure(32815) 22753 http://www.gnucitizen.org/projects/pdf-strikes-back/ 33897 GLSA-200803-01 29205 24408 Unspecified vulnerability in certain COM objects in Microsoft Office Web Components 2000 allows user-assisted remote attackers to execute arbitrary code via vectors related to DataSource that trigger memory corruption, aka "Office Web Components DataSource Vulnerability." TA08-071A 28136 MS08-017 ADV-2008-0849 1019581 29328 SSRT080028 SSRT080028 oval:org.mitre.oval:def:5327 Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly parse certain rich text "property strings of certain control words," which allows user-assisted remote attackers to trigger heap corruption and execute arbitrary code, aka the "Word RTF Parsing Vulnerability." TA07-128A VU#555489 1018013 23836 MS07-024 20070508 Microsoft Word RTF File Parsing Heap Corruption Vulnerability ADV-2007-1709 SSRT071422 HPSBST02214 34388 oval:org.mitre.oval:def:1900 Unspecified vulnerability in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, 2004 for Mac, and 2007 allows user-assisted remote attackers to execute arbitrary code via a crafted set font value in an Excel file, which results in memory corruption. TA07-128A MS07-023 ADV-2007-1708 SSRT071422 excel-placeholder-code-execution(33914) 1018012 23779 HPSBST02214 34394 25150 oval:org.mitre.oval:def:2014 Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in Microsoft Windows XP SP2 allows remote attackers on the same subnet to execute arbitrary code via crafted HTTP headers in request or notification messages, which trigger memory corruption. MS07-019 ADV-2007-1323 1017895 23371 HPSBST02208 HPSBST02208 34010 24822 20070410 Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability oval:org.mitre.oval:def:2049 Unspecified vulnerability in Microsoft Agent (msagent\agentsvr.exe) in Windows 2000 SP4, XP SP2, and Server 2003, 2003 SP1, and 2003 SP2 allows remote attackers to execute arbitrary code via crafted URLs, which result in memory corruption. VU#728057 TA07-100A MS07-020 ADV-2007-1324 1017896 23337 HPSBST02208 20070410 Secunia Research: Microsoft Agent URL Parsing Memory CorruptionVulnerability http://secunia.com/secunia_research/2006-74/advisory/ 22896 HPSBST02208 oval:org.mitre.oval:def:2034 The Virtual DOS Machine (VDM) in the Windows Kernel in Microsoft Windows NT 4.0; 2000 SP4; XP SP2; Server 2003, 2003 SP1, and 2003 SP2; and Windows Vista before June 2006; uses insecure permissions (PAGE_READWRITE) for a physical memory view, which allows local users to gain privileges by modifying the "zero page" during a race condition before the view is unmapped. TA07-100A VU#337953 MS07-022 ADV-2007-1326 23367 SSRT071365 SSRT071365 20070410 EEYE: Windows VDM Zero Page Race Condition Privilege Escalation 34011 1017898 24834 http://research.eeye.com/html/advisories/published/AD20070410a.html oval:org.mitre.oval:def:1639 Use-after-free vulnerability in the Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Vista does not properly handle connection resources when starting and stopping processes, which allows local users to gain privileges by opening and closing multiple ApiPort connections, which leaves a "dangling pointer" to a process data structure. TA07-100A VU#219848 MS07-021 ADV-2007-1325 1017897 23338 SSRT071365 SSRT071365 20070410 EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation 34008 2531 24823 http://research.eeye.com/html/advisories/published/AD20070410b.html oval:org.mitre.oval:def:1524 Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560. MS07-017 win-wmf-dos(33258) ADV-2007-1215 1017843 23275 HPSBST02206 HPSBST02206 20070403 Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability oval:org.mitre.oval:def:1571 Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via a crafted Enhanced Metafile (EMF) image format file. MS07-017 ADV-2007-1215 1017844 23278 HPSBST02206 SSRT071354 oval:org.mitre.oval:def:1923 The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows local users to gain privileges via crafted TrueType fonts, which result in an uninitialized function pointer. MS07-017 ADV-2007-1215 1017845 23276 HPSBST02206 HPSBST02206 oval:org.mitre.oval:def:1797 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a crafted AutoFilter filter record in an Excel BIFF8 format XLS file, which triggers memory corruption. TA07-128A VU#253825 1018012 MS07-023 25150 20070508 Microsoft Excel Filter Record Code Execution Vulnerability excel-autofilter-code-execution(33915) ADV-2007-1708 23780 SSRT071422 SSRT071422 34395 oval:org.mitre.oval:def:2064 Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images. ADV-2007-1215 1017847 23273 HPSBST02206 MS07-017 HPSBST02206 oval:org.mitre.oval:def:1927 Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding". VU#419344 TA07-109A TA07-093B USN-449-1 RHSA-2007:0095 DSA-1276 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt 24757 24736 24706 kerberos-kadmind-code-execution(33413) ADV-2007-1916 ADV-2007-1470 ADV-2007-1218 1017852 23282 20070405 FLEA-2007-0008-1: krb5 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 20070403 MITKRB5-SA-2007-003: double-free vulnerability in kadmind (via GSS-API library) [CVE-2007-1216] MDKSA-2007:077 GLSA-200704-02 25388 24966 24817 24786 24785 24750 24740 24735 oval:org.mitre.oval:def:11135 SUSE-SA:2007:025 APPLE-SA-2007-04-19 SSRT071337 SSRT071337 http://docs.info.apple.com/article.html?artnum=305391 20070401-01-P Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet. 23333 GLSA-200704-23 24777 oval:org.mitre.oval:def:10503 34742 http://bugzilla.kernel.org/show_bug.cgi?id=8028 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408530 1018539 RHSA-2007:0774 RHSA-2007:0705 RHSA-2007:0673 RHSA-2007:0672 RHSA-2007:0671 MDKSA-2007:078 http://support.avaya.com/elmodocs2/security/ASA-2007-404.htm 27528 26760 26709 26478 26379 Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based. TA07-352A https://issues.rpath.com/browse/RPL-1100 https://bugs.gentoo.org/show_bug.cgi?id=168916 tcpdump-print80211c-bo(32749) ADV-2007-4238 ADV-2007-0793 USN-429-1 TLSA-2007-46 1017717 22772 RHSA-2007:0387 RHSA-2007:0368 32427 MDKSA-2007:155 MDKSA-2007:056 DSA-1272 28136 27580 24610 24583 24451 24423 24354 24318 20070301 tcpdump: off-by-one heap overflow in 802.11 printer oval:org.mitre.oval:def:9520 APPLE-SA-2007-12-17 FEDORA-2007-348 FEDORA-2007-347 http://docs.info.apple.com/article.html?artnum=307179 http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c?r1=1.31.2.11&r2=1.31.2.12 http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c PHP remote file inclusion vulnerability in actions/del.php in Admin Phorum 3.3.1a allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. admin-phorum-del-file-include(32719) ADV-2007-0778 22739 3382 34635 The Hypervisor in Microsoft Xbox 360 kernel 4532 and 4548 does not properly verify the parameters passed to the syscall dispatcher, which allows attackers with physical access to bypass code-signing requirements and execute arbitrary code. 22745 20070227 Xbox 360 Hypervisor Privilege Escalation Vulnerability 2367 The Hypervisor in Microsoft Xbox 360 kernel 4532 and 4548 allows attackers with physical access to force execution of the hypervisor syscall with a certain register set, which bypasses intended code protection. 22745 20070227 Xbox 360 Hypervisor Privilege Escalation Vulnerability 20070327 Re: RE: Xbox 360 Hypervisor Privilege Escalation Vulnerability 2367 Parallels Desktop for Mac before 20070216 implements Drag and Drop by sharing the entire host filesystem as the .psf share, which allows local users of the guest operating system to write arbitrary files to the host filesystem, and execute arbitrary code via launchd by writing a plist file to a LaunchAgents directory. 24171 33799 [dailydave] 20070216 Minor Virtualization Vulnerability Unspecified vulnerability in Hitachi OSAS/FT/W before 20070223 allows attackers to cause a denial of service (responder control processing halt) by sending "data unexpectedly through the port". osas-unspecified-dos(32696) http://www.hitachi-support.com/security_e/vuls_e/HS07-004_e/index-e.html 36003 Grok Developments NetProxy 4.03 allows remote attackers to bypass URL filtering via a request that omits "http://" from the URL and specifies the destination port (:80). netproxy-url-filtering-bypass(32697) ADV-2007-0779 22741 3381 36001 The connection log file implementation in Grok Developments NetProxy 4.03 does not record requests that omit http:// in a URL, which might allow remote attackers to conduct unauthorized activities and avoid detection. netproxy-url-filtering-bypass(32697) ADV-2007-0779 22741 3381 36002 McAfee VirusScan for Mac (Virex) before 7.7 patch 1 has weak permissions (0666) for /Library/Application Support/Virex/VShieldExclude.txt, which allows local users to reconfigure Virex to skip scanning of arbitrary files. 24337 https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=518722&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=518722 ADV-2007-0777 1017707 22744 20070227 [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass] 33798 2342 VShieldCheck in McAfee VirusScan for Mac (Virex) before 7.7 patch 1 allow local users to change permissions of arbitrary files via a symlink attack on /Library/Application Support/Virex/VShieldExclude.txt, as demonstrated by symlinking to the root crontab file to execute arbitrary commands. Apply patch 1 for McAfee Virex version 7.7: https://mysupport.mcafee.com/eservice_enu/ mcafee-virex-library-privilege-escalation(32729) ADV-2007-0777 1017707 22744 20070227 [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass] 2342 24337 33797 IBM DB2 UDB 8.2 before Fixpak 7 (aka fixpack 14), and DB2 9 before Fix Pack 2, on UNIX allows the "fenced" user to access certain unauthorized directories. 1017731 22729 IY87492 IY86711 24387 Cross-site scripting (XSS) vulnerability in the Nullsoft ShoutcastServer 1.9.7 allows remote attackers to inject arbitrary web script or HTML via the top-level URI on the Incoming interface (port 8001/tcp), which is not properly handled in the administrator interface when viewing the log file. shoutcast-admin-interface-xss(32726) ADV-2007-0775 22742 20070227 Nullsoft ShoutcastServer Persistant XSS - 0day 24323 33793 20070227 Nullsoft ShoutcastServer Persistant XSS - 0day Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049. http://trac.wordpress.org/changeset/4952 http://trac.wordpress.org/changeset/4951 ADV-2007-0756 34361 GLSA-200703-23 24566 Multiple cross-site scripting (XSS) vulnerabilities in SQLiteManager 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) database name, (2) table name, (3) ViewName, (4) view, (5) trigger, and (6) function fields in main.php and certain other files. sqlitemanager-main-xss(32692) 22731 20070224 SQLiteManager v1.2.0 Multiple Vulnerabilities 2366 34634 Directory traversal vulnerability in SQLiteManager 1.2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in a SQLiteManager_currentTheme cookie. Successful exploitation requires that "magic_quotes_gpc" is disabled. Additionally, in order to exploit this vulnerability to execute arbitrary code, the attacker would first be required to upload a malicious file or inject arbitrary commands into an existing file. sqlitemanager-sqlitemanager-file-include(32693) 22727 20070224 SQLiteManager v1.2.0 Multiple Vulnerabilities 24296 33801 2366 PHP remote file inclusion vulnerability in downloadcounter.php in STWC-Counter 3.4.0.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the stwc_counter_verzeichniss parameter. stwccounter-downloadcounter-file-include(32681) ADV-2007-0754 22723 3379 24280 33777 Multiple cross-site scripting (XSS) vulnerabilities in sitex allow remote attackers to inject arbitrary web script or HTML via (1) the sxYear parameter to calendar.php, (2) the search parameter to search.php, (3) the linkid parameter to redirect.php, or (4) the page parameter to calendar_events.php. 20070414 Re: sitex multiple vulnerabilities 20070223 sitex multiple vulnerabilities 2373 33161 33160 33159 33158 Unrestricted file upload vulnerability in sitex allows remote attackers to upload arbitrary PHP code via an avatar filename with a double extension such as .php.jpg, which fails verification and is saved as a .php file. 20070223 sitex multiple vulnerabilities 2373 33157 sitex allows remote attackers to obtain sensitive information via a request with a numerical value for the (1) sxMonth[] or (2) sxYear[] parameter to calendar.php, or the (3) page[] parameter to calendar_events.php, which reveals the path in various error messages. 20070223 sitex multiple vulnerabilities 33156 33155 2373 sitex allows remote attackers to obtain potentially sensitive information via a ' (quote) value for certain parameters, as demonstrated by parameters used in forum and search, which forces a SQL error. 20070223 sitex multiple vulnerabilities 2373 33154 Microsoft Office 2003 allows user-assisted remote attackers to cause a denial of service (application crash) by attempting to insert a corrupted WMF file. 20070225 Few unreported vulnerabilities by SehaTo http://securityvulns.com/Qdocument120.html 34489 Microsoft Excel 2003 does not properly parse .XLS files, which allows remote attackers to cause a denial of service (application crash) via a file with a (1) corrupted XML format or a (2) corrupted XLS format, which triggers a NULL pointer dereference. 20070225 Few unreported vulnerabilities by SehaTo http://securityvulns.com/news/Microsoft/Excel/XML/DoS.html 22717 Multiple cross-site scripting (XSS) vulnerabilities in Docebo CMS 3.0.3 through 3.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the searchkey parameter to index.php, or the (2) sn or (3) ri parameter to modules/htmlframechat/index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Docebocms-index-xss(32842) 22719 35996 35995 http://downloads.securityfocus.com/vulnerabilities/exploits/22719.html Cross-site scripting (XSS) vulnerability in setup.php in Audins Audiens 3.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22728 35994 http://downloads.securityfocus.com/vulnerabilities/exploits/22728.html audins-setup-xss(32839) SQL injection vulnerability in system/index.php in Audins Audiens 3.3 allows remote attackers to execute arbitrary SQL commands via the PHPSESSID cookie. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22728 34631 audins-index-sql-injection(32837) Audins Audiens 3.3 allows remote attackers to bypass authentication and perform certain privileged actions, possibly an uninstall of the product, by calling unistall.php with the values cnf=disinstalla and status=on. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. audins-unistall-authentication-bypass(32707) 22728 24254 33792 Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter. 22735 20070226 WordPress AdminPanel CSRF/XSS - 0day 33788 33787 20070226 WordPress AdminPanel CSRF/XSS - 0day wordpress-post-csrf(32703) GLSA-200703-23 24566 IrfanView 3.99 allows remote attackers to cause a denial of service (application crash) via a malformed WMF file. 20070225 Few unreported vulnerabilities by SehaTo http://securityvulns.com/Qdocument120.html http://securityvulns.com/news/IrfanView/WMF/DoS.html 34487 The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier, as used in xine-lib, does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code, a different vulnerability than CVE-2007-1387. Failed exploit attempts will likely result in a denial-of-service condition. mplayer-dmovideodecoder-bo(32747) http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c ADV-2007-0794 USN-433-1 22771 20070423 FLEA-2007-0013-1: xine-lib SUSE-SR:2007:005 SUSE-SR:2007:007 MDKSA-2007:057 MDKSA-2007:055 DSA-1536 http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c?r1=22019&r2=22204 SSA:2007-109-02 GLSA-200705-21 GLSA-200704-09 29601 25462 24995 24897 24866 24462 24448 24446 24444 24443 20070301 MPlayer DMO buffer overflow Multiple PHP remote file inclusion vulnerabilities in aWeb Labs aWebNews 1.5 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_news parameter to (1) listing.php or (2) visview.php. Successful exploitation requires that "register_globals" is enabled. awebnews-pathtonews-file-include(32770) ADV-2007-0808 22781 20070301 aWebNews V 1.1 20070301 aWebNews v 1.1=>RFI 2365 24351 33825 33824 Multiple cross-site scripting (XSS) vulnerabilities in built2go News Manager Blog 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cid, (2) uid, and (3) nid parameters to (a) news.php, and the nid parameter to (b) rating.php. newsmanagerblog-news-rating-xss(32772) ADV-2007-0818 22783 20070301 Built2Go v.1.0 => ( news.php & rating.php ) Cross Site Scripting 2343 24334 MoveSortedContentAction in C1 Financial Services Contelligent 9.1.4 does not check "the additional environment security configuration," which allows remote attackers with write permissions to reorder components. contelligent-sortedcontent-security-bypass(32775) ADV-2007-0814 22785 http://www.contelligent.com/contell/cms/c1web/contelligent/site/contelligent/changelog.html?fromRelease=9.1.4 24364 33497 SQL injection vulnerability in section/default.asp in ANGEL Learning Management Suite (LMS) 7.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. angellms-default-sql-injection(32756) ADV-2007-0807 22768 20070301 [Fwd: Re: Angel LMS 7.1 - Remote SQL Injection] 20070301 Re: Angel LMS 7.1 - Remote SQL Injection 20070301 Angel LMS 7.1 - Remote SQL Injection 3390 24368 33846 Format string vulnerability in the new_warning function in ntserv/warning.c for Netrek Vanilla Server 2.12.0, when EVENTLOG is enabled, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in the message handling. This vulnerability is addressed in the following product update: http://sourceforge.net/project/shownotes.php?release_id=490561 vanilla-vsprintf-format-string(32777) ADV-2007-0815 22786 20070302 Limited format string in Netrek 2.12.0 http://sourceforge.net/project/shownotes.php?release_id=490561 24357 http://aluigi.altervista.org/adv/netrekfs-adv.txt Buffer overflow in Symantec Mail Security for SMTP 5.0 before Patch 175 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted headers in an e-mail message. NOTE: some information was obtained from third party sources. VU#875633 22782 ADV-2007-0799 24371 33840 ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/5.0_smtp/updates/release_notes_p175.txt symantec-email-headers-code-execution(32781) 1017716 Eval injection vulnerability in the (a) kmz_ImportWithMesh.py Script for Blender 0.1.9h, as used in (b) Blender before 2.43, allows user-assisted remote attackers to execute arbitrary Python code by importing a crafted (1) KML or (2) KMZ file. This vulnerability is addressed in the following product update: http://www.blender.org/download/get-blender/ blender-kml-kmz-command-execution(32778) ADV-2007-0798 1017714 22770 GLSA-200704-19 http://secunia.com/secunia_research/2007-40/advisory/ http://secunia.com/secunia_research/2007-39/advisory/ 24991 24233 24232 33836 SQL injection vulnerability in part.userprofile.php in Connectix Boards 0.7 and earlier allows remote authenticated users to execute arbitrary SQL commands and obtain privileges via the p_skin parameter to index.php. 20070221 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit 24255 33537 3352 2364 Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks. 20070221 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit 24255 33538 3352 2364 Mozilla Firefox 2.0.0.2 allows remote attackers to spoof the address bar, favicons, and document source, and perform updates in the context of arbitrary websites, by repeatedly setting document.location in the onunload attribute when linking to another website, a variant of CVE-2007-1092. 20070227 Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) 35913 20070227 RE: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) 20070227 Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) The Network Analysis Module (NAM) in Cisco Catalyst Series 6000, 6500, and 7600 allows remote attackers to execute arbitrary commands via certain SNMP packets that are spoofed from the NAM's own IP address. Per: http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml#@ID "Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Internetwork Operating System (IOS) or Catalyst Operating System (CatOS). " VU#472412 cisco-catalyst-nam-unauthorized-access(32750) ADV-2007-0783 1017710 22751 20070228 Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM (Network Analysis Module) Vulnerability 24344 oval:org.mitre.oval:def:5188 33066 Unspecified vulnerability in Cisco IOS 12.2SXA, SXB, SXD, and SXF; and the MSFC2, MSFC2a and MSFC3 running in Hybrid Mode on Cisco Catalyst 6000, 6500 and Cisco 7600 series systems; allows remote attackers on a local network segment to cause a denial of service (software reload) via a certain MPLS packet. cisco-catalyst-mpls-dos(32748) ADV-2007-0782 1017709 20070228 Cisco Catalyst 6000, 6500 and Cisco 7600 Series MPLS Packet Vulnerability 24348 oval:org.mitre.oval:def:5869 33067 Multiple unspecified vulnerabilities in WebAPP before 0.9.9.6 have unknown impact and attack vectors. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=254 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=252 ADV-2007-0720 24227 33272 Stack-based buffer overflow in the connectHandle function in server.cpp in WebMod 0.48 allows remote attackers to execute arbitrary code via a long string in the Content-Length HTTP header. 24346 33834 http://cybermind.user.stfunoob.com/w48crash/ webmod-contentlength-bo(32755) 22788 3395 Unspecified vulnerability in the reports system in OpenBiblio before 0.6.0 allows attackers to gain privileges via unspecified vectors. This vulnerability is addressed in the following product update: http://sourceforge.net/project/showfiles.php?group_id=50071 openbiblio-reports-privilege-escalation(32758) ADV-2007-0790 http://sourceforge.net/project/shownotes.php?group_id=50071&release_id=488061 35998 Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer. 25200 RHSA-2007:0358 ADV-2007-2732 ADV-2007-1748 http://www.squirrelmail.org/security/issue/2007-05-09 1018033 23910 DSA-1290 25320 25236 oval:org.mitre.oval:def:11712 JVNDB-2007-000398 JVN#09157962 https://issues.rpath.com/browse/RPL-1353 25159 SUSE-SR:2007:013 MDKSA-2007:106 26235 25787 25690 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection. http://www.coresecurity.com/?action=item&id=1687 ADV-2007-0835 22757 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability oval:org.mitre.oval:def:10496 https://issues.rpath.com/browse/RPL-1111 USN-432-2 USN-432-1 2007-0009 1017727 RHSA-2007:0107 RHSA-2007:0106 MDKSA-2007:059 DSA-1266 http://support.avaya.com/elmodocs2/security/ASA-2007-144.htm 2353 24875 24734 24650 24544 24511 24489 24438 24420 24419 24407 24365 SUSE-SA:2007:024 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME FEDORA-2007-315 FEDORA-2007-316 20070301-01-P Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. http://www.coresecurity.com/?action=item&id=1687 ADV-2007-0835 22758 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 1017727 2353 24416 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME KMail 1.9.5 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents KMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. ADV-2007-0835 22759 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability http://www.coresecurity.com/?action=item&id=1687 1017727 2353 24413 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. http://www.coresecurity.com/?action=item&id=1687 ADV-2007-0835 22760 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 1017727 2353 24412 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Sylpheed from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability ADV-2007-0835 22777 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability http://www.coresecurity.com/?action=item&id=1687 1017727 2353 24414 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME Mutt 1.5.13 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Mutt from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability ADV-2007-0835 22778 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability http://www.coresecurity.com/?action=item&id=1687 1017727 2353 24415 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability ADV-2007-0835 22779 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability http://www.coresecurity.com/?action=item&id=1687 1017727 2353 24417 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME Double free vulnerability in VMware ESX Server 3.0.0 and 3.0.1 allows attackers to cause a denial of service (crash), obtain sensitive information, or possibly execute arbitrary code via unspecified vectors. ADV-2007-1267 http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html 1017875 23323 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates 2524 24788 oval:org.mitre.oval:def:5463 35268 Buffer overflow in VMware ESX Server 3.0.0 and 3.0.1 might allow attackers to gain privileges or cause a denial of service (application crash) via unspecified vectors. http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html 23322 24788 ADV-2007-1267 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates oval:org.mitre.oval:def:5552 1017875 2524 Integer overflow in the ktruser function in NetBSD-current before 20061022, NetBSD 3 and 3-0 before 20061024, and NetBSD 2 before 20070209, when the kernel is built with the COMPAT_FREEBSD or COMPAT_DARWIN option, allows local users to cause a denial of service and possibly gain privileges. 22878 35453 NetBSD-SA2007-001 Multiple cross-site scripting (XSS) vulnerabilities in chooser.cgi in Webmin before 1.330 and Usermin before 1.260 allow remote attackers to inject arbitrary web script or HTML via a crafted filename. webmin-chooser-xss(32725) http://www.webmin.com/security.html http://www.webmin.com/changes-1.330.html ADV-2007-0780 1017711 24321 33832 WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php. This vulnerability is addressed in the following product update: http://wordpress.org/development/2007/03/upgrade-212/ VU#641456 VU#214480 wordpress-theme-command-execution(32807) wordpress-feed-code-execution(32804) ADV-2007-0812 22797 20070303 WordPress source code compromised to enable remote code execution http://wordpress.org/development/2007/03/upgrade-212/ 24374 http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html Unspecified vulnerability in the IIS connector in Adobe JRun 4.0 Updater 6, and ColdFusion MX 6.1 and 7.0 Enterprise, when using Microsoft IIS 6, allows remote attackers to cause a denial of service via unspecified vectors, involving the request of a file in the JRun web root. Per: http://www.adobe.com/support/security/bulletins/apsb07-07.html CVE number: CVE-2007-1278 Platform: Windows only Affected software versions: ColdFusion MX 7.X * JRun 4.0 Updater 6 * ColdFusion MX 7.0 Enterprise Edition, if installed as the "Multi-Server" option * ColdFusion MX 6.1 Enterprise, if installed with the "J2EE" option and deployed on JRun 4.0 Updater 6 NOTE: ColdFusion MX 6.1 and 7.0 Standard editions are not affected. This vulnerability has been addressed by the vendor with the following patch: http://www.adobe.com/support/security/bulletins/apsb07-07.html http://www.adobe.com/support/security/bulletins/apsb07-07.html coldfusion-jrun-iisconnector-dos(32994) ADV-2007-0932 1017752 22958 24488 34039 Unspecified vulnerability in the installer for Adobe Bridge 1.0.3 update for Apple OS X, when patching with desktop management tools, allows local users to gain privileges via unspecified vectors during installation of the update by a different user who has administrative privileges. http://www.adobe.com/support/security/bulletins/apsb07-09.html bridge-unspecified-privilege-escalation(33570) ADV-2007-1342 1017900 23404 34896 24854 Cross-site scripting (XSS) vulnerability in Adobe RoboHelp X5, 6, and Server 6 allows remote attackers to inject arbitrary web script or HTML via a URL after a # (hash) in the URL path, as demonstrated using en/frameset-7.html, and possibly other unspecified vectors involving templates and (1) whstart.js and (2) whcsh_home.htm in WebHelp, (3) wf_startpage.js and (4) wf_startqs.htm in FlashHelp, or (5) WindowManager.dll in RoboHelp Server 6. 23878 http://www.adobe.com/support/security/bulletins/apsb07-10.html 25211 robohelp-files-xss(34181) ADV-2007-1714 1018020 20070511 Cross-Site Scripting in Adobe RoboHelp 6, Server 6 and X5 http://www.devtarget.org/adobe-advisory-05-2007.txt 35867 Kaspersky AntiVirus Engine 6.0.1.411 for Windows and 5.5-10 for Linux allows remote attackers to cause a denial of service (CPU consumption) via a crafted UPX compressed file with a negative offset, which triggers an infinite loop during decompression. kaspersky-upx-dos(32797) ADV-2007-0810 1017718 22795 24391 20070302 Kaspersky AntiVirus UPX File Decompression DoS Vulnerability Integer overflow in Mozilla Thunderbird before 1.5.0.10 and SeaMonkey before 1.0.8 allows remote attackers to trigger a buffer overflow and possibly execute arbitrary code via a text/enhanced or text/richtext e-mail message with an extremely long line. RHSA-2007:0078 http://www.mozilla.org/security/announce/2007/mfsa2007-10.html https://bugzilla.mozilla.org/show_bug.cgi?id=362735 mozilla-email-messages-overflow(32810) ADV-2007-0824 22845 RHSA-2007:0108 GLSA-200703-18 24522 oval:org.mitre.oval:def:11313 33810 20070202-01-P DSA-1336 SSA:2007-066-04 SSA:2007-066-05 25588 24457 24456 24406 FEDORA-2007-309 FEDORA-2007-308 The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines. https://launchpad.net/bugs/173043 https://issues.rpath.com/browse/RPL-1268 USN-549-1 USN-549-2 1017771 22764 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql RHSA-2007:0162 RHSA-2007:0082 http://www.php.net/releases/5_2_4.php http://www.php.net/releases/4_4_8.php http://www.php.net/ChangeLog-5.php#5.2.4 http://www.php.net/ChangeLog-4.php http://www.php-security.org/MOPB/MOPB-03-2007.html 32769 MDKSA-2007:090 MDKSA-2007:089 MDKSA-2007:088 MDKSA-2007:087 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php SSA:2008-045-03 GLSA-200705-19 28936 27864 26642 26048 25445 24945 24941 24924 24910 24909 RHSA-2007:0163 RHSA-2007:0155 RHSA-2007:0154 oval:org.mitre.oval:def:11017 SUSE-SA:2007:044 Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter. http://www.php-security.org/MOPB/MOPB-04-2007.html ADV-2007-2374 ADV-2007-1991 oval:org.mitre.oval:def:11575 HPSBTU02232 HPSBMA02215 https://issues.rpath.com/browse/RPL-1268 php-zval-code-execution(32796) 2007-0009 22765 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql 32771 MDKSA-2007:088 MDKSA-2007:087 DSA-1283 DSA-1282 GLSA-200705-19 GLSA-200703-21 25850 25445 25423 25062 25025 24945 24941 24924 24910 24606 24419 RHSA-2007:0163 RHSA-2007:0155 RHSA-2007:0154 SSRT071429 HPSBMA02215 A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and PHP 6.0 in CVS, allows remote attackers to conduct cross-site scripting (XSS) attacks via GET, POST, or COOKIE array values, which are not escaped in the phpinfo output, as originally fixed for CVE-2005-3388. http://www.php-security.org/MOPB/MOPB-08-2007.html ADV-2007-2732 25159 32774 http://us2.php.net/releases/4_4_7.php 26235 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 Multiple PHP remote file inclusion vulnerabilities in Webmobo WB News 1.4.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the config[installdir] parameter to (1) comment.php, (2) themes.php, (3) directory.php, and (4) sendmsg.php in admin/. wbnews-multiple-scripts-file-include(32774) 20070301 WB News Remote File Include in all versions 34954 34953 34952 34951 2355 SQL injection vulnerability in ViewBugs.php in Tyger Bug Tracking System (TygerBT) 1.1.3 allows remote attackers to execute arbitrary SQL commands via the s parameter. ADV-2007-0822 22799 20070303 Tyger Bug Tracking System Multiple Vulnerability 24385 35817 tyger-viewbugs-sql-injection(32791) 2356 SQL injection vulnerability in ViewReport.php in Tyger Bug Tracking System (TygerBT) 1.1.3 allows remote attackers to execute arbitrary SQL commands via the bug parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24385 tyger-viewbugs-sql-injection(32791) Multiple cross-site scripting (XSS) vulnerabilities in Tyger Bug Tracking System (TygerBT) 1.1.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) Login.php and (2) Register.php. ADV-2007-0822 22799 20070303 Tyger Bug Tracking System Multiple Vulnerability 24385 tyger-login-register-xss(32792) 2356 SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances "almost impossible to achieve." http://www.vbulletin.com/forum/showthread.php?postid=1314422 vbulletin-inlinemod-sql-injection(32746) 22780 3387 24341 33835 SQL injection vulnerability in Rigter Portal System (RPS) 6.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categoria parameter to the top-level URI (index.php), possibly related to ver_descarga.php. ADV-2007-0813 3403 24382 33831 rps-index-sql-injection(32784) 22813 20070303 RPS 6.2 SQL Injection Exploit A certain ActiveX control in the DivXBrowserPlugin (npdivx32.dll) in DivX Web Player, as distributed with DivX Player 1.3.0, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via large values to DivxWP.Resize, related to resizing images. divxwebplayer-npdivx32-dos(32759) 22776 3392 35377 SQL injection vulnerability in topic_title.php in AJ Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the td_id parameter. ADV-2007-0820 22808 24378 33827 3411 ajforum-topictitle-sql-injection(32785) SQL injection vulnerability in postingdetails.php in AJ Classifieds 1.0 allows remote attackers to execute arbitrary SQL commands via the postingid parameter. ADV-2007-0833 22808 3410 35452 ajclassifieds-postingdetails-sql-injection(32786) SQL injection vulnerability in view_profile.php in AJDating 1.0 allows remote attackers to execute arbitrary SQL commands via the user_id parameter. ADV-2007-0821 22808 5593 3409 33828 ajdating-userid-sql-injection(42326) ajdating-viewprofile-sql-injection(32788) 29154 24376 SQL injection vulnerability in subcat.php in AJ Auction 1.0 allows remote attackers to execute arbitrary SQL commands via the cate_id parameter. ADV-2007-0819 22808 3408 33826 ajauctionpro-subcat-sql-injection(32789) 24375 PHP remote file inclusion vulnerability in index.php in Mani Stats Reader 1.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the ipath parameter. mani-stats-index-file-include(32782) 22794 3398 33870 24394 DOURAN Software Technologies ISPUtil 3.32.84.1, and possibly earlier versions, stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user and reseller data via a direct request for scripts/activesessions.ini. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24304 33845 isputil-activesessions-info-disclosure(32800) Stack-based buffer overflow in the IMAP service in MailEnable Enterprise and Professional Editions 2.37 and earlier allows remote authenticated users to execute arbitrary code via a long argument to the APPEND command. NOTE: this is probably different than CVE-2006-6423. mailenable-append-bo(32801) ADV-2007-0811 1017739 22792 3397 http://www.mailenable.com/hotfix/ 24361 SQL injection vulnerability in guestbook.php in LI-Guestbook 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter. NOTE: it was later reported that 1.2 is also affected. Successful exploitation requires "magic_quotes_gpc" to be disabled. liguestbook-country-sql-injection(38369) 22821 20071109 li-guestbook sql inj 20070305 LI-Guestbook SQL Injection Vulnerability http://www.security-news.ws/li-sql-injection 2348 27650 http://belsec.com/advisories/139/summary.html Directory traversal vulnerability in rb.cgi in RRDBrowse 1.6 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. 22817 http://www.rrdbrowse.org/index.php ADV-2007-0834 20070304 Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6 http://www.devtarget.org/rrdbrowse-advisory-03-2007.txt rrdbrowse-file-directory-traversal(32793) 2349 Multiple SQL injection vulnerabilities in add2.php in Sava's Guestbook 23.11.2006, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) country, (3) email, (4) website, and (5) message parameters. Successful exploitation requires that "magic_quotes_gpc" is disabled. 22820 20070305 Sava's GuestBook Multiple Vulnerabilities savasguestbook-add2-sql-injection(32811) 2350 24411 http://belsec.com/advisories/142/summary.html Multiple cross-site scripting (XSS) vulnerabilities in add2.php in Sava's Guestbook 23.11.2006 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) country, (3) email, and (4) website parameters. 22820 20070305 Sava's GuestBook Multiple Vulnerabilities savasguestbook-add2-xss(32812) 2350 24411 http://belsec.com/advisories/142/summary.html Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' VU#228032 asterisk-sip-channeldriver-dos(32830) ADV-2007-0830 1017723 22838 33888 SUSE-SA:2007:034 DSA-1358 GLSA-200703-14 25582 24578 24380 http://labs.musecurity.com/advisories/MU-200703-01.txt http://asterisk.org/node/48320 http://asterisk.org/node/48319 Unspecified vulnerability in Lenovo Intel PRO/1000 LAN adapter before Build 135400, as used on IBM Lenovo ThinkPad systems, has unknown impact and attack vectors. 22822 http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-62922 24349 ADV-2007-0801 33854 ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror in KDE 3.5.5, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference. 20070304 Konqueror DoS Via JavaScript Read Of FTP Iframe 20070304 Konqueror DoS Via JavaScript Read Of FTP Iframe http://bindshell.net/advisories/konq355 konqueror-ftp-dos(32798) ADV-2007-0886 USN-447-1 22814 RHSA-2007:0909 MDKSA-2007:054 2345 27108 oval:org.mitre.oval:def:10551 http://bindshell.net/advisories/konq355/konq355-patch.diff Novell Access Management 3 SSLVPN Server allows remote authenticated users to bypass VPN restrictions by making policy.txt read-only, disconnecting, then manually modifying policy.txt. https://secure-support.novell.com/KanisaPlatform/Publishing/648/3429077_f.SAL_Public.html 1017722 24369 ADV-2007-0800 33841 NETxAutomation NETxEIB OPC Server before 3.0.1300 does not properly validate OLE for Process Control (OPC) server handles, which allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors involving the (1) IOPCSyncIO::Read, (2) IOPCSyncIO::Write, (3) IOPCServer::AddGroup, (4) IOPCServer::RemoveGroup, (5) IOPCCommon::SetClientName, and (6) IOPCGroupStateMgt::CloneGroup functions, which allow access to arbitrary memory. NOTE: the vectors might be limited to attackers with physical access. http://www.kb.cert.org/vuls/id/MIMG-6XEPXN VU#296593 ADV-2007-1038 1017803 23059 20070322 [NB07-22] Multiple vulnerabilities in NETxEIB OPC server http://www.neutralbit.com/advisories/NB07-22.txt 24612 34440 Unspecified vulnerability in the IOPCServer::RemoveGroup function in the OPCDA interface in Takebishi Electric DeviceXPlorer OLE for Process Control (OPC) Server before 3.12 Build3 allows remote attackers to execute arbitrary code via unspecified vectors involving access to arbitrary memory. NOTE: this issue affects the (1) HIDIC, (2) MELSEC, (3) FA-M3, (4) MODBUS, and (5) SYSMAC OPC Servers. This vulnerability is addressed in the following product update: http://www.faweb.net/us/opc/1231207.html VU#926551 ADV-2007-1029 1017793 23037 20070322 [NB07-10] Multiple vulnerabilities in Takebishi Electric DeviceXplorer MODBUS OPC server 20070322 [NB07-09] Multiple vulnerabilities in Takebishi Electric DeviceXplorer FA-M3 OPC server 20070322 [NB07-08] Multiple vulnerabilities in Takebishi Electric DeviceXplorer MELSEC OPC server 20070322 [NB07-07] Multiple vulnerabilities in Takebishi Electric DeviceXplorer HIDIC OPC server 20070322 [NB07-17] Multiple vulnerabilities in Takebishi Electric DeviceXplorer SYSMAC OPC server http://www.neutralbit.com/advisories/NB07-17.txt http://www.neutralbit.com/advisories/NB07-10.txt http://www.neutralbit.com/advisories/NB07-09.txt http://www.neutralbit.com/advisories/NB07-08.txt http://www.neutralbit.com/advisories/NB07-07.txt http://www.faweb.net/us/opc/1231207.html 24570 Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. FEDORA-2008-4604 FEDORA-2008-4386 FEDORA-2007-713 ADV-2007-1597 23731 RHSA-2007:0323 MDVSA-2008:162 MDKSA-2007:203 DSA-1384 DSA-1284 http://taviso.decsystem.org/virtsec.pdf 33568 30413 29129 27486 27103 27085 27047 25095 25073 oval:org.mitre.oval:def:10315 SUSE-SR:2009:002 Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. FEDORA-2007-713 FEDORA-2007-2270 FEDORA-2007-2708 ADV-2007-1597 23731 RHSA-2007:0323 MDVSA-2008:162 MDKSA-2007:203 DSA-1284 20071030 Clarification on old QEMU/NE2000/Xen issues http://taviso.decsystem.org/virtsec.pdf 1018761 29129 27486 27103 27072 27047 25095 25073 oval:org.mitre.oval:def:9302 QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. ADV-2007-1597 23731 DSA-1284 http://taviso.decsystem.org/virtsec.pdf 29129 25095 25073 qemu-icebp-dos(34043) MDVSA-2008:162 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2893. Reason: this candidate was intended for one issue, but some sources used this identifier for a separate issue, and a duplicate identifier had also been created by the time dual use was detected. Notes: All CVE users should consult CVE-2007-2893 to determine if it is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. SnapGear 560, 585, 580, 640, 710, and 720 appliances before the 3.1.4u5 firmware allow remote attackers to cause a denial of service (complete packet loss) via a packet flood, a different vulnerability than CVE-2006-4613. http://www.cyberguard.info/snapgear/releases.html ADV-2007-0850 22835 24388 33864 snapgear-packet-dos(32824) The PMA_ArrayWalkRecursive function in libraries/common.lib.php in phpMyAdmin before 2.10.0.2 does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions. NOTE: it could be argued that this vulnerability is caused by a problem in PHP (CVE-2006-1549) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpMyAdmin. This vulnerability is addressed in the following product update: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3 22841 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3 http://sourceforge.net/tracker/index.php?func=detail&aid=1671813&group_id=23067&atid=377408 ADV-2007-0831 http://www.php-security.org/MOPB/MOPB-02-2007.html 36834 DSA-1370 http://www.php.net/releases/4_4_8.php http://www.php.net/ChangeLog-4.php MDKSA-2007:199 26733 SQL injection vulnerability in index.php in Serendipity 1.1.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[multiCat][] parameter. serendipity-index-sql-injection(32768) 20070301 Serendipity unauthenticated SQL-Injection 34935 2383 The SILC_SERVER_CMD_FUNC function in apps/silcd/command.c in silc-server 1.0.2 allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a request without a cipher algorithm and an invalid HMAC algorithm. 20070306 silc-server 1.0.2 denial-of-service vulnerability 22846 33887 silc-command-dos(32846) GLSA-200703-12 24431 24426 Cross-site scripting (XSS) vulnerability in formulaire.php in Bernard JOLY BJ Webring allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter related to the add link menu. 20070303 BJ Webring XSS http://forums.avenir-geopolitique.net/viewtopic.php?t=2707 2384 Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before 1.1.5, allows remote attackers to read and overwrite arbitrary files, and execute arbitrary code, via . (dot) characters adjacent to (1) users and (2) users/members strings, which are removed by blacklisting functions that filter these strings and collapse into .. (dot dot) sequences. sqlledger-userpathmemberfile-dir-traversal(32776) 20070301 Full disclosure: Directory Transversal and Arbitrary Code Execution Vulnerability in SQL-Ledger and LedgerSMB 1017715 33621 33619 2381 24366 24363 Comodo Firewall Pro (CFP) (formerly Comodo Personal Firewall) 2.4.18.184 and earlier allows local users to bypass driver protections on the HKLM\SYSTEM\Software\Comodo\Personal Firewall registry key by guessing the name of a named pipe under \Device\NamedPipe\OLE and attempting to open it multiple times. comodofirewallpro-pipe-security-bypass(32771) 22775 20070301 Comodo Bypassing settings protection using magic pipe Vulnerability http://www.matousec.com/info/advisories/Comodo-Bypassing-settings-protection-using-magic-pipe.php 34957 2388 Multiple cross-site scripting (XSS) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to inject arbitrary web script or HTML via unspecified vectors that bypass the client-side protection scheme, one of which may be the q parameter to the search program. NOTE: some of these details are obtained from third party information. 22829 20070305 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities http://www.scip.ch/publikationen/advisories/scip_advisory-2893_eportfolio_%201.0_java_multiple_vulnerabilities.txt http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893 2385 24331 Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to perform unspecified restricted actions in the context of certain accounts by bypassing the client-side protection scheme. 22829 20070305 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities http://www.scip.ch/publikationen/advisories/scip_advisory-2893_eportfolio_%201.0_java_multiple_vulnerabilities.txt http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893 2385 24331 The virtual machine process (VMX) in VMware Workstation before 5.5.4 does not properly read state information when moving from the ACPI sleep state to the run state, which allows attackers to cause a denial of service (virtual machine reboot) via unknown vectors. http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#554 vmware-acpi-unspecified(33990) ADV-2007-1592 20070518 VMSA-2007-0004.1 Updated: Multiple Denial-of-Service issues fixed and directory traversal vulnerability 20070507 VMSA-2007-0004 Multiple Denial-of-Service issues fixed 35508 1018011 23732 25079 The default configuration of the AirPort utility in Apple AirPort Extreme creates an IPv6 tunnel but does not enable the "Block incoming IPv6 connections" setting, which might allow remote attackers to bypass intended access restrictions by establishing IPv6 sessions that would have been rejected over IPv4. ADV-2007-1308 34843 http://arstechnica.com/journals/apple.ars/2007/2/14/7063 airportextreme-ipv6-security-bypass(33526) 1017889 24830 APPLE-SA-2007-04-09 http://docs.info.apple.com/article.html?artnum=305366 SQL injection vulnerability in index.php in Links Management Application 1.0 allows remote attackers to execute arbitrary SQL commands via the lcnt parameter. ADV-2007-0849 22825 24355 33862 3416 links-index-sql-injection(32813) PHP remote file inclusion vulnerability in eintrag.php in Weltennetz News-Letterman 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the sqllog parameter. newsletterman-eintrag-file-include(32787) 22807 3406 35355 include/auth/auth.php in Simple Invoices before 2007 03 05 does not use the login system to protect print preview pages for invoices, which might allow attackers to obtain sensitive information. 22818 https://sourceforge.net/project/shownotes.php?group_id=164303&release_id=491300 24402 33860 http://forum.tufat.com/showthread.php?p=116753#post116753 http://code.google.com/p/simpleinvoices/issues/detail?id=35 Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the add rss url form. vbulletin-admincpindex-xss(32780) 22790 20070302 vBulletin v3.6.5 admincp/index.php ( rss feed ) xss vuln. 2396 includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues. 22834 http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8 http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130 24403 ADV-2007-0851 webcalendar-noset-variable-overwrite(32832) DSA-1267 [webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch) 24519 Multiple buffer overflows in src/ezstream.c in Ezstream before 0.3.0 allow remote attackers to execute arbitrary code via a crafted XML configuration file processed by the (1) urlParse function, which causes a stack-based overflow and the (2) ReplaceString function, which causes a heap-based overflow. NOTE: some of these details are obtained from third party information. This vulnerability has been addressed through a product update: http://www.icecast.org/ezstream.php#ez_download 24383 ADV-2007-0852 http://www.icecast.org/ezstream.php#ez_relnotes 33869 ezstream-replacestring-urlparse-bo(32867) 22840 Unspecified vulnerability in cube.exe in the GINA component for CA (Computer Associates) eTrust Admin 8.1.0 through 8.1.2 allows attackers with physical interactive or Remote Desktop access to bypass authentication and gain privileges via the password reset interface. This vulnerability has been addressed by the vendor with the following product patch: ftp://ftp.ca.com/pub/etrust/etradm/ETRADM81SP2/CR_Manual_Updates-8.1sp2-CR6-070301.zip http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35145 ca-etrust-admin-authentication-bypass(32887) ADV-2007-0885 1017740 22885 20070309 [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability 32722 24441 2404 Unspecified vulnerability in ipmitool for Sun Fire X2100M2 and X2200M2 allows local users to gain privileges and reset or turn off the server. ADV-2007-0869 22859 102828 33889 1017738 24447 Microsoft Windows Explorer on Windows 2000 SP4 FR and XP SP2 FR, and possibly other versions and platforms, allows remote attackers to cause a denial of service (memory corruption and crash) via an Office file with crafted document summary information, which causes an error in Ole32.dll. VU#194944 1017736 22847 3419 36141 http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. 23192 ADV-2007-1150 USN-488-1 1018259 RHSA-2008:0627 RHSA-2008:0261 RHSA-2007:0486 RHSA-2007:0396 SUSE-SR:2007:008 SUSE-SR:2007:012 MDKSA-2007:083 http://www.gossamer-threads.com/lists/modperl/modperl/92739 http://svn.apache.org/repos/asf/perl/modperl/branches/1.x/Changes http://support.avaya.com/elmodocs2/security/ASA-2007-293.htm 1021508 248386 GLSA-200705-04 33723 33720 31493 31490 26290 26231 26084 25894 25730 25655 25432 25110 25072 24839 24678 RHSA-2008:0630 RHSA-2007:0395 oval:org.mitre.oval:def:8349 oval:org.mitre.oval:def:10987 20070602-01-P Stack-based buffer overflow in webadmin.exe in Novell NetMail 3.5.2 allows remote attackers to execute arbitrary code via a long username during HTTP Basic authentication. VU#919369 netmail-sprintf-bo(32861) 22857 http://download.novell.com/Download?buildid=sMYRODW09pw http://www.zerodayinitiative.com/advisories/ZDI-07-009.html ADV-2007-0870 20070307 ZDI-07-009: Novell Netmail WebAdmin Buffer Overflow Vulnerability 1017734 2395 24445 Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow. 23283 20070403 Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability https://issues.rpath.com/browse/RPL-1213 xorg-bdf-font-bo(33417) ADV-2007-1548 ADV-2007-1264 ADV-2007-1217 USN-448-1 TSLSA-2007-0013 TSLSA-2007-0013 1017857 23402 23300 20070405 FLEA-2007-0009-1: xorg-x11 freetype 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs RHSA-2007:0150 RHSA-2007:0132 RHSA-2007:0126 [4.0] 011: SECURITY FIX: April 4, 2007 [3.9] 021: SECURITY FIX: April 4, 2007 SUSE-SR:2007:006 SUSE-SA:2007:027 http://support.apple.com/kb/HT3438 102886 http://sourceforge.net/project/shownotes.php?release_id=498954 http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=498954 SSA:2007-109-01 GLSA-200705-10 GLSA-200705-02 33937 25006 25004 24996 24921 24889 24885 24791 24776 24772 24771 24770 24768 24765 24758 24756 24745 24741 RHSA-2007:0125 oval:org.mitre.oval:def:11266 [xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfont APPLE-SA-2009-02-12 http://issues.foresightlinux.org/browse/FL-223 MDKSA-2007:081 MDKSA-2007:080 MDKSA-2007:079 GLSA-200805-07 DSA-1454 DSA-1294 http://support.avaya.com/elmodocs2/security/ASA-2007-193.htm http://support.avaya.com/elmodocs2/security/ASA-2007-178.htm 30161 28333 25495 25305 25216 25195 25096 APPLE-SA-2007-11-14 oval:org.mitre.oval:def:1810 Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow. The vendor has addressed this vulnerability in the following product update: http://xorg.freedesktop.org/archive/X11R7.2/patches/ 24770 24756 ADV-2007-1548 ADV-2007-1217 USN-448-1 1017857 23283 RHSA-2007:0126 http://support.apple.com/kb/HT3438 33937 24741 oval:org.mitre.oval:def:10523 [xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfont APPLE-SA-2009-02-12 20070403 Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability https://issues.rpath.com/browse/RPL-1213 xorg-fontsdir-bo(33419) 23300 20070405 FLEA-2007-0009-1: xorg-x11 freetype 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs RHSA-2007:0132 [4.0] 011: SECURITY FIX: April 4, 2007 [3.9] 021: SECURITY FIX: April 4, 2007 SUSE-SA:2007:027 MDKSA-2007:080 MDKSA-2007:079 DSA-1294 http://support.avaya.com/elmodocs2/security/ASA-2007-178.htm 102886 GLSA-200705-10 25305 25216 25195 25006 25004 24791 24772 24771 24765 24758 24745 RHSA-2007:0125 APPLE-SA-2007-11-14 http://issues.foresightlinux.org/browse/FL-223 oval:org.mitre.oval:def:13243 The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer. ADV-2007-1495 23594 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.34.3 24976 oval:org.mitre.oval:def:10626 RHSA-2007:0376 USN-489-1 USN-486-1 USN-470-1 RHSA-2007:0673 RHSA-2007:0672 RHSA-2007:0671 SUSE-SA:2007:035 DSA-1504 DSA-1503 DSA-1356 http://support.avaya.com/elmodocs2/security/ASA-2007-404.htm http://support.avaya.com/elmodocs2/security/ASA-2007-287.htm 29058 27528 26478 26450 26379 26289 26139 26133 25838 25700 25683 25596 RHSA-2007:0488 The Access Control functionality (JMXOpsAccessControlFilter) in JMX Console in JBoss Application Server 4.0.2 and 4.0.5 before 20070416 uses a member variable to store the roles of the current user, which allows remote authenticated administrators to trigger a race condition and gain privileges by logging in during a session by a more privileged administrator, as demonstrated by privilege escalation from Read Mode to Write Mode. [jboss-watch-list] 20070416 [RHSA-2007:0151-01] Low: JBoss Application Server security update RHSA-2007:0151 http://jira.jboss.com/jira/browse/ASPATCH-175 http://jira.jboss.com/jira/browse/ASPATCH-172 46765 Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors. 24058 ADV-2009-0233 ADV-2008-1981 ADV-2008-1979 ADV-2007-3386 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities 20070519 [CVE-2007-1355] Tomcat documentation XSS vulnerabilities http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 33668 31493 RHSA-2008:0630 oval:org.mitre.oval:def:6111 HPSBUX02262 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx FEDORA-2007-3456 tomcat-hello-xss(34377) RHSA-2008:0261 http://support.apple.com/kb/HT2163 239312 2722 30908 30899 30802 27727 27037 APPLE-SA-2008-06-30 HPSBUX02262 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum. 23376 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235857 ADV-2007-1340 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.5 24793 https://issues.rpath.com/browse/RPL-1244 USN-464-1 20070615 rPSA-2007-0124-1 kernel xen SUSE-SA:2007:043 SUSE-SA:2007:035 SUSE-SA:2007:030 DSA-1304 DSA-1286 25961 25714 25691 25683 25392 25226 25099 25078 24901 SUSE-SA:2007:029 Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616". FEDORA-2007-3456 ADV-2009-0233 ADV-2008-1979 ADV-2007-3386 ADV-2007-3087 ADV-2007-2732 ADV-2007-1729 1018269 25159 24524 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities 20070618 [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language header processing RHSA-2008:0261 http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html http://tomcat.apache.org/security-4.html http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 239312 33668 31493 30908 30899 27727 27037 26660 26235 25721 RHSA-2008:0630 oval:org.mitre.oval:def:10679 APPLE-SA-2007-07-31 JVN#16535199 SSRT071447 SSRT071447 http://docs.info.apple.com/article.html?artnum=306172 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows remote attackers to bypass request rules via application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a terminator even though it is still processed as normal data by some HTTP parsers including PHP 5.2.0, and possibly parsers in Perl, and Python. modsecurity-formurlencoded-security-bypass(32872) ADV-2008-2115 ADV-2008-2109 ADV-2007-0868 22831 http://www.php-security.org/MOPB/BONUS-12-2007.html 32778 http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html GLSA-200705-17 25316 24373 SSRT061201 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html 31113 31087 SSRT061201 Unspecified vulnerability in the Nodefamily module for Drupal 5.x before 5.x-1.0 allows remote authenticated users to access and modify other users' profiles via unspecified URL parameters. 22853 http://drupal.org/node/125324 ADV-2007-0855 24372 33911 nodefamily-url-security-bypass(32873) Cross-site scripting (XSS) vulnerability in virtuemart_parser.php in VirtueMart before 20070213 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue is probably different than CVE-2007-0376. 24399 ADV-2007-0817 http://sourceforge.net/project/shownotes.php?release_id=490831 33829 22816 Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to cause a denial of service via (1) a large cookie path parameter, which triggers memory consumption, or (2) an internal delimiter within cookie path or name values, which could trigger a misinterpretation of cookie data, aka "Path Abuse in Cookies." TA07-151A http://www.mozilla.org/security/announce/2007/mfsa2007-14.html ADV-2007-1994 oval:org.mitre.oval:def:10759 HPSBUX02153 https://issues.rpath.com/browse/RPL-1424 mozilla-doccookie-dos(34613) USN-468-1 1018163 1018162 24242 22879 20070531 FLEA-2007-0023-1: firefox RHSA-2007:0402 RHSA-2007:0401 RHSA-2007:0400 35139 SUSE-SA:2007:036 MDKSA-2007:126 MDKSA-2007:120 DSA-1308 DSA-1306 DSA-1300 SSA:2007-152-02 GLSA-200706-06 25858 25750 25685 25647 25635 25559 25534 25533 25490 25476 HPSBUX02153 Multiple SQL injection vulnerabilities in DropAFew before 0.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in the delete action in (a) search.php or (b) search-pda.php, or the (2) calories parameter in a save action in editlogcal.php. http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437 23400 http://www.cynops.de/advisories/CVE-2007-1363.txt 24861 dropafew-multiple-sql-injection(33560) DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php. http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437 https://www.cynops.de/advisories/CVE-2007-1363.txt dropafew-editlogcal-information-disclosure(33561) 23400 24861 Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows remote attackers to execute arbitrary code via fragmented IPv6 packets due to "incorrect mbuf handling for ICMP6 packets." NOTE: this was originally reported as a denial of service. VU#986425 [3.9] 020: SECURITY FIX: March 7, 2007 1017744 22901 [4.0] 010: SECURITY FIX: March 7, 2007 http://www.coresecurity.com/?action=item&id=1703 1017735 24490 [source-changes] 20070226 CVS: cvs.openbsd.org: src 33050 QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error. ADV-2007-1597 23731 DSA-1284 http://taviso.decsystem.org/virtsec.pdf 29129 25095 25073 [Qemu-devel] 20070429 Re: Qemu crashes on AAM 0 [Qemu-devel] 20070428 Qemu crashes on AAM 0 qemu-aam-dos(34046) MDVSA-2008:162 Cross-site scripting (XSS) vulnerability in the login page in Avaya Communications Manager (CM) S87XX, S8500, and S8300 products before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Login field. http://support.avaya.com/elmodocs2/security/ASA-2007-064.htm 22866 24397 33297 The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a modified node identifier. 22867 24409 http://drupal.org/node/125833 ADV-2007-0873 33913 http://drupal.org/node/125832 projectissuetracking-node-security-bypass(32871) ini_modifier (sgid-zendtech) in Zend Platform 2.2.3 and earlier allows local users to modify the system php.ini file by editing a copy of php.ini file using the -f parameter, and then performing a symlink attack using the directory that contains the attacker-controlled php.ini file, and linking this directory to /usr/local/Zend/etc. http://www.zend.com/products/zend_platform/security_vulnerabilities zend-inimodifier-privilege-escalation(32820) ADV-2007-0829 22802 http://www.php-security.org/MOPB/BONUS-07-2007.html 33930 32773 24501 Zend Platform 2.2.3 and earlier has incorrect ownership for scd.sh and certain other files, which allows local users to gain root privileges by modifying the files. NOTE: this only occurs when safe_mode and open_basedir are disabled; other settings require leverage for other vulnerabilities. http://www.php-security.org/MOPB/BONUS-06-2007.html zend-scd-privilege-escalation(32825) http://www.zend.com/products/zend_platform/security_vulnerabilities ADV-2007-0829 22801 32772 24501 Multiple buffer overflows in Conquest 8.2a and earlier (1) allow local users to gain privileges by querying a metaserver that sends a long server entry processed by metaGetServerList and allow remote metaservers to execute arbitrary code via a long server entry processed by metaGetServerList; (2) allow attackers to have an unknown impact by exceeding the configured number of metaservers; and allow remote attackers to corrupt memory via a SP_CLIENTSTAT packet with certain values of (3) unum or (4) snum, different vulnerabilities than CVE-2003-0933. conquest-processpacket-dos(32860) conquest-metagetserverlist-bo(32849) ADV-2007-0854 22855 20070307 Buffer-overflow in Conquest client 8.2a (svn 691) [conquest] 20070303 Re: security bugs in conquest 24370 2399 PHP remote file inclusion vulnerability in styles/internal/header.php in the PostGuestbook 0.6.1 module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the tpl_pgb_moddir parameter. postguestbook-header-file-include(32866) ADV-2007-0880 22858 3423 36320 Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport System) 4.01b and earlier allows remote attackers to execute arbitrary code via a long LOGIN command. NOTE: this might be the same issue as CVE-2006-5961. mercury-imap-bo(32848) 24367 33883 20070306 Mercury/32 4.01b 2398 Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz Forums 2000 3.4.06 allows remote attackers to inject arbitrary web script or HTML via the MSN parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. snitzforums-popprofile-xss(32879) 22869 24358 33885 Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991. 22851 http://www.php-security.org/MOPB/MOPB-14-2007.html 3424 USN-455-1 32780 SUSE-SA:2007:032 MDKSA-2007:187 DSA-1283 http://us2.php.net/releases/5_2_2.php GLSA-200703-21 26895 25062 25057 25056 24606 The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource. 22862 http://www.php-security.org/MOPB/MOPB-15-2007.html 3427 3426 USN-455-1 32781 SUSE-SA:2007:032 DSA-1283 GLSA-200703-21 25062 25057 25056 24606 AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, Netscape, or Opera, allows remote attackers to cause a denial of service (unspecified resource consumption) via a .pdf URL with an anchor identifier that begins with search= followed by many %n sequences, a different vulnerability than CVE-2006-6027 and CVE-2006-6236. adobe-acropdf-dos(32896) http://www.securityfocus.com/data/vulnerabilities/exploits/22856.html 22856 The ovrimos_longreadlen function in the Ovrimos extension for PHP before 4.4.5 allows context-dependent attackers to write to arbitrary memory locations via the result_id and length arguments. 22833 http://www.php-security.org/MOPB/MOPB-13-2007.html 32779 The ovrimos_close function in the Ovrimos extension for PHP before 4.4.5 can trigger efree of an arbitrary address, which might allow context-dependent attackers to execute arbitrary code. 22833 http://www.php-security.org/MOPB/MOPB-13-2007.html 34691 The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read. ADV-2007-2374 ADV-2007-1991 22805 http://www.php-security.org/MOPB/MOPB-10-2007.html 3413 GLSA-200703-21 24606 24514 oval:org.mitre.oval:def:10792 SUSE-SA:2007:020 HPSBTU02232 HPSBMA02215 USN-455-1 SUSE-SA:2007:032 DSA-1283 DSA-1282 25850 25423 25062 25057 25056 25025 SSRT071429 SSRT071423 The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10.2.13 in PHP 5, as modified in CVS on 20070224 and fixed on 20070304, calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow. This vulnerability impacts PHP CVS as of 2007-02-24 http://www.php-security.org/MOPB/MOPB-09-2007.html 32775 http://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?revision=1.119.2.10.2.14&view=markup http://cvs.php.net/viewvc.cgi/php-src/ext/wddx/wddx.c?r1=1.119.2.10.2.13&r2=1.119.2.10.2.14 The PHP COM extensions for PHP on Windows systems allow context-dependent attackers to execute arbitrary code via a WScript.Shell COM object, as demonstrated by using the Run method of this object to execute cmd.exe, which bypasses PHP's safe mode. 3429 Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286. 22765 http://www.php-security.org/MOPB/MOPB-01-2007.html 32770 SUSE-SA:2007:032 GLSA-200703-21 25056 24606 Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.2 allows remote attackers to overwrite arbitrary files via ".." sequences in a torrent filename. This vulnerability has been addressed with the following product update: http://ktorrent.org/index.php?page=downloads https://launchpad.net/bugs/91174 ADV-2007-0913 [kde-announce] 20070309 KTorrent 2.1.2 is out http://ktorrent.org/forum/viewtopic.php?t=1401 USN-436-1 1017747 22930 SUSE-SR:2007:007 SSA:2007-093-02 GLSA-200705-01 25097 24995 24753 24486 24459 chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to cause a denial of service (crash) and heap corruption via a negative or large idx value. This vulnerability has been addressed in the following product update: http://ktorrent.org/index.php?page=downloads https://launchpad.net/bugs/91174 ADV-2007-0913 [kde-announce] 20070309 KTorrent 2.1.2 is out http://ktorrent.org/forum/viewtopic.php?t=1401 USN-436-1 1017747 22930 SUSE-SR:2007:007 SSA:2007-093-02 GLSA-200705-01 25097 24995 24753 24486 24459 The DirectShow loader (loader/dshow/DS_VideoDecoder.c) in MPlayer 1.0rc1 and earlier, as used in xine-lib, does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code, a different vulnerability than CVE-2007-1246. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414072;msg=12;filename=DS_VideoDecoder.c---SVN--22205.patch;att=1 USN-435-1 24462 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414072 22933 MDKSA-2007:062 MDKSA-2007:061 DSA-1536 GLSA-200705-21 29601 25462 24444 24443 The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference. https://issues.rpath.com/browse/RPL-1154 ADV-2007-1122 USN-464-1 23142 RHSA-2007:0169 MDKSA-2007:078 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.4 25392 25099 25080 24901 24777 oval:org.mitre.oval:def:11509 SUSE-SA:2007:029 http://bugzilla.kernel.org/show_bug.cgi?id=8155 dynaliens 2.0 and 2.1 allows remote attackers to bypass authentication and perform certain privileged actions via a direct request for (1) validlien.php3 (2) supprlien.php3 (3) supprub.php3 (4) validlien.php3 (5) confsuppr.php3 (6) modiflien.php3, or (7) confmodif.php3 in admin/. 22873 20070308 dynaliens v2.0/v2.1 bypass admin authentification + XSS http://forums.avenir-geopolitique.net/viewtopic.php?t=2722 2403 Multiple cross-site scripting (XSS) vulnerabilities in dynaliens 2.0 and 2.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) recherche.php3 or (2) ajouter.php3. 22874 20070308 dynaliens v2.0/v2.1 bypass admin authentification + XSS http://forums.avenir-geopolitique.net/viewtopic.php?t=2722 2403 PHP remote file inclusion vulnerability in modules/abook/foldertree.php in Leo West WEBO (aka weborganizer) 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter. webo-foldertree-file-include(32877) ADV-2007-0883 22877 3436 http://advisories.echo.or.id/adv/adv67-K-159-2007.txt 20070309 [ECHO_ADV_67$2007] WEBO (Web Organizer) <= 1.0 (baseDir) Remote File Inclusion Vulnerability Directory traversal vulnerability in down.php in netForo! 0.1g allows remote attackers to read arbitrary files via a .. (dot dot) in the file_to_download parameter. netforo-down-directory-traversal(32878) ADV-2007-0884 22875 3435 24449 PHP remote file inclusion vulnerability in mysave.php in Magic CMS 4.2.747 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. ADV-2007-0881 22162 3438 33893 magiccms-mysave-file-include(32883) 24439 Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information. ADV-2007-0871 22865 3428 24433 33890 flatchat-startsession-code-execution(32882) Incomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase </SCRIPT> end tag, which bypasses the protection against lowercase </script>. phpmyadmin-dbtable-xss(32858) http://www.virtuax.be/advisories/Advisory2-24012007.txt 20070307 xss in phpmyadmin >=2.8.0 and < 2.10.0 35048 DSA-1370 MDKSA-2007:199 2402 26733 The import_request_variables function in PHP 4.0.7 through 4.4.6, and 5.x before 5.2.2, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE. However, it has been fixed by the vendor. 22886 20070314 Re: Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite 20070312 Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite 20070310 Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite 20070308 PHP import_request_variables() arbitrary variable overwrite http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php 2406 26048 SUSE-SA:2007:044 Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) decrypt_topic_332 functions in FiSH allow remote attackers to execute arbitrary code via long strings. ADV-2007-0910 22880 8216 http://blogs.23.nu/ilja/stories/14493/ fish-multiple-bo(32892) 24495 The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when configured for inline use on Linux without the ip_conntrack module loaded, allows remote attackers to cause a denial of service (segmentation fault and application crash) via certain UDP packets produced by send_morefrag_packet and send_overlap_packet. 22872 3434 http://www.snort.org/docs/release_notes/release_notes_2613.txt 33024 Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback. ADV-2007-0898 22883 http://www.php-security.org/MOPB/MOPB-16-2007.html pecl-url-wrapper-bo(32889) 32782 DSA-1330 25938 24514 24471 SUSE-SA:2007:020 Plash permits sandboxed processes to open /dev/tty, which allows local users to escape sandbox restrictions and execute arbitrary commands by sending characters to a shell process on the same termimal via the TIOCSTI ioctl. 32598 http://plash.beasts.org/wiki/PlashIssues/TtyVulnerability ADV-2007-0909 [plash] 20070301 TTY ioctl() vulnerability 22892 24498 Buffer overflow in the crack extension (CrackLib), as bundled with PHP 4.4.6 and other versions before 5.0.0, might allow local users to gain privileges via a long argument to the crack_opendict function. 20070308 PHP 4.4.6 crack_opendict() local buffer overflow poc exploit 3431 http://retrogod.altervista.org/php_446_crack_opendict_local_bof.html 2405 The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows remote attackers to cause a denial of service via unspecified manipulations, possibly involving improper initialization or blank arguments. 21924 36899 http://downloads.securityfocus.com/vulnerabilities/exploits/21924.html Multiple stack-based buffer overflows in an ActiveX control in SwDir.dll 10.1.4.20 in Macromedia Shockwave allow remote attackers to cause a denial of service (Internet Explorer 7 crash) and possibly execute arbitrary code via a long (1) BGCOLOR, (2) SRC, (3) AutoStart, (4) Sound, (5) DrawLogo, or (6) DrawProgress property value, different vectors than CVE-2006-6885. 3421 36005 22842 tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 allows remote attackers to cause a denial of service via a long UDP packet that is not properly handled in a recv_from call. NOTE: this issue might be related to CVE-2006-4948. 3432 24452 33919 tftpdwin-recvfrom-dos(32886) Cross-site scripting (XSS) vulnerability in the "download wiki page as text" feature in Trac before 0.10.3.1, when Microsoft Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. http://trac.edgewall.org/wiki/ChangeLog ADV-2007-0900 24470 trac-downloadwikipageastext-xss(32897) 22888 Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors. This vulnerability has been addressed by the following vendor update: http://trac.edgewall.org/wiki/TracDownload http://trac.edgewall.org/wiki/ChangeLog Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has unknown impact and attack vectors, related to a "low critical exploit." This vulnerability has been addressed through an updated version of the product: http://opensolution.org/download/ http://opensolution.org/Quick.Cart/forum/?p=readTopic&nr=3878 http://opensolution.org/download/Quick.Cart/changeLog.txt Multiple vulnerabilities in (1) bank.php, (2) landfill.php, (3) outposts.php, (4) tribes.php, (5) house.php, (6) tribearmor.php, (7) tribeastral.php, (8) tribeware.php, and (9) includes/head.php in Bartek Jasicki Vallheru before 1.3 beta have unknown impact and remote attack vectors, probably related to large integer values containing more than 15 digits. NOTE: the original vendor report is for integer overflows, but this is probably an incorrect usage of the term. This vulnerability is addressed in the following product release: Vallheru, Vallheru, 1.3 Beta http://sourceforge.net/project/shownotes.php?release_id=491871&group_id=118350 http://vallheru.svn.sourceforge.net/viewvc/vallheru/vallheru2/bank.php?r1=910&r2=918 http://sourceforge.net/forum/forum.php?forum_id=672237 WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message. 20070308 Re: Word Press Sensitive Directory exposure (SQL) 20070308 Word Press Sensitive Directory exposure (SQL) GLSA-200703-23 24566 SQL injection vulnerability in kategori.asp in GaziYapBoz Game Portal allows remote attackers to execute arbitrary SQL commands via the kategori parameter. ADV-2007-0882 22871 3437 35600 gaziyapboz-kategori-sql-injection(32884) Buffer overflow in PHP 4.4.6 and earlier, and unspecified PHP 5 versions, allows local and possibly remote attackers to execute arbitrary code via long server name arguments to the (1) mssql_connect and (2) mssql_pconnect functions. ADV-2007-0867 22832 20070306 PHP <= 4.4.6 mssql_connect() & mssql_pconnect() local buffer overflow and safe_mode bypass http://retrogod.altervista.org/php_446_mssql_connect_bof.html php-ntwdblib-bo(32885) 2407 24353 The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 allows context-dependent attackers to obtain sensitive information (script source code) via a long string in the second argument. 22897 3442 php-clibpdf-source-disclosure(32986) Buffer overflow in the snmpget function in the snmp extension in PHP 5.2.3 and earlier, including PHP 4.4.6 and probably other PHP 4 versions, allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id). Failed exploit attempts will likely cause a denial of serivce on the webserver. php-snmpget-function-bo(35517) 22893 4204 3439 24440 http://retrogod.altervista.org/php_446_snmpget_local_bof.html Multiple PHP remote file inclusion vulnerabilities in Coppermine Photo Gallery (CPG) allow remote attackers to execute arbitrary PHP code via a URL in the (1) cmd parameter to (a) image_processor.php or (b) picmgmt.inc.php, or the (2) path parameter to (c) include/functions.php, (d) include/plugin_api.inc.php, (e) index.php, or (f) pluginmgr.php. coppermine-multiple-scripts-file-include(32894) 22896 20070309 Remote File Include In Script Coppermine Photo Gallery 20070322 Remote File Include In Coppermine Photo Gallery 35070 35069 35068 35067 35066 35065 2416 Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php. pmbservices-multiple-scripts-file-include(32890) ADV-2007-0917 22895 20070310 [ECHO_ADV_68$2007] PMB Services <= 3.0.13 Multiple Remote File Inclusion Vulnerability 35125 35124 35123 35122 35121 35120 35119 35118 35117 35116 35115 35114 35113 35112 35111 35110 35109 35108 35107 35106 35105 35104 35103 35102 35101 3443 http://advisories.echo.or.id/adv/adv68-K-159-2007.txt PHP remote file inclusion vulnerability in createurl.php in JCcorp (aka James Coyle) URLshrink allows remote attackers to execute arbitrary PHP code via a URL in the formurl parameter. ADV-2007-0902 22894 20070309 Remote File Include In Script copyright (c) James Coyle; JCcorp 33982 20070322 Remote File Include In copyright &copy; James Coyle; JCcorp 2415 24340 SQL injection vulnerability in index.php in HC NEWSSYSTEM 1.0-4 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a komm aktion. ADV-2007-0904 22898 20070309 HC NEWSSYSTEM 1.0-4 (index.php "ID") Blind SQL Injection 33976 2414 24477 3449 Cross-site scripting (XSS) vulnerability in skins/ace/popup-notopic.php in MindTouch OpenGarden DekiWiki before Gooseberry++ allows remote attackers to inject arbitrary web script or HTML via the message parameter. 22891 24453 dekiwiki-popupnotopic-xss(32893) ADV-2007-0899 http://sourceforge.net/project/shownotes.php?group_id=173074&release_id=492249 The Java Management Extensions Remote API Remote Method Invocation over Internet Inter-ORB Protocol (JMX RMI-IIOP) API in Java Dynamic Management Kit 5.1 before 20070309 does not properly enforce the java.policy, which allows local users to obtain certain MBeans data access by operating a server application accessed by a privileged remote authenticated user. 102835 ADV-2007-0906 34018 1017745 22907 24497 MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function. 22900 https://issues.rpath.com/browse/RPL-1127 ADV-2007-0908 USN-440-1 1017746 20070309 SEC Consult SA-20070309-0 :: MySQL 5 Single Row Subselect Denial of Service http://www.sec-consult.com/284.html RHSA-2008:0364 MDKSA-2007:139 2413 GLSA-200705-11 30351 25946 25389 25196 24609 24483 oval:org.mitre.oval:def:9530 http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-36.html http://bugs.mysql.com/bug.php?id=24630 Multiple PHP remote file inclusion vulnerabilities in Premod SubDog 2 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) functions_kb.php, (2) themen_portal_mitte.php, or (3) logger_engine.php in includes/. 22912 20070310 Remote File Include In Script Premod SubDog 2 35081 35080 35079 2412 SQL injection vulnerability in goster.asp in fystyq Duyuru Scripti allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-0688. 22910 20070310 F&#305;st&#305;q Duyuru Scripti Remote Sql &#304;njection Exploit 34087 Multiple PHP remote file inclusion vulnerabilities in WORK system e-commerce 3.0.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the g_include parameter to include/include_top.php and certain other PHP scripts. Successful exploitation requires that "register_globals" is enabled. ADV-2007-0903 22908 24476 33973 3448 Multiple PHP remote file inclusion vulnerabilities in Softnews Media Group DataLife Engine allow remote attackers to execute arbitrary PHP code via a URL in the root_dir parameter to (1) init.php and (2) Ajax/editnews.php. NOTE: some of these details are obtained from third party information. 22913 20070310 Remote File Include In Script SoftNews Media Group 35712 2411 SQL injection vulnerability in index.php in Triexa SonicMailer Pro 3.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the list parameter in an archive action. ADV-2007-0905 22920 3457 24474 33986 The web interface in AstroCam 2.0.0 through 2.6.5 allows remote attackers to cause a denial of service (daemon shutdown) via requests that contain a large amount of data in the "a" variable, which "fills up the message queue." ADV-2007-0901 22924 32868 http://sourceforge.net/project/shownotes.php?group_id=85523&release_id=492572 24480 http://astrocam.svn.sourceforge.net/viewvc/astrocam/BUGS?view=markup Directory traversal vulnerability in download_pdf.php in AssetMan 2.4a and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the pdf_file parameter. 22921 20070311 AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability 3458 2410 SQL injection vulnerability in search.php in PHP Labs JobSitePro 1.0 allows remote attackers to execute arbitrary SQL commands via the salary parameter. ADV-2007-0918 22916 24454 33985 3455 Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php. 20070311 Remote File Include In Script moodle-1.7.1 SUSE-SR:2007:015 2409 PHP remote file inclusion vulnerability in include/adodb-connection.inc.php in ClipShare 1.5.3 allows remote attackers to execute arbitrary PHP code via a URL in the cmd parameter. 20070311 Remote File Include In ClipShare.v1.5.3 22928 2408 Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1 and 1.8.2 before 1.8.2p3 allow attackers to cause a denial of service (crash) related to the (1) speak and (2) buy functions. [pennmush-announce] 20070311 PennMUSH 1.8.2p3 and 1.8.3p1 Released 24504 ADV-2007-0921 22935 34005 Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to gain privileges via direct requests with modified arguments in (1) the user_permissions parameter to add_users.php, and unspecified parameters to (2) addblog.php, (3) editblog.php, (4) editlinks.php, (5) edit_users.php, and (6) add_links.php. ADV-2007-0916 22911 20070310 Grayscale <= 0.8.0 Multiple Vulnerabilities 2417 Cross-site scripting (XSS) vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment fields to (1) scripts/addblog_comment.php and (2) detail.php. ADV-2007-0916 22911 20070310 Grayscale <= 0.8.0 Multiple Vulnerabilities 2417 SQL injection vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) userdetail.php, id and (2) url parameter to (b) jump.php, and id variable to (c) detail.php. ADV-2007-0916 22911 20070310 Grayscale <= 0.8.0 Multiple Vulnerabilities 2417 Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to cause a denial of service (crash) via a long (1) GET or (2) PUT request, which triggers memory corruption. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 22923 24360 33977 Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring. This vulnerability is addressed in the following product updates: SQL-Ledger, 2.6.26 LedgerSMB, 1.1.9 22889 24496 20070309 Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today) 24467 33623 33622 http://sourceforge.net/project/shownotes.php?release_id=494462&group_id=175965 2436 Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution. 20070305 DoS and code execution issue in LedgerSMB < 1.1.5 and SQL-Ledger < 2.6.25 24366 24363 2435 SQL injection vulnerability in devami.asp in X-Ice News System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0941 22939 3469 24502 PHP remote file inclusion vulnerability in ressourcen/dbopen.php in bitesser MySQL Commander 2.7 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the home parameter. Successful exploitation requires that register_globals is enabled. ADV-2007-0942 22941 20070313 [ECHO_ADV_73$2007] MySQL Commander <= 2.7 (home) Remote File Inclusion Vulnerability 3468 34038 http://advisories.echo.or.id/adv/adv73-K-159-2007.txt 2423 24500 SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 allows remote attackers to execute arbitrary SQL commands via the author parameter. ADV-2007-0940 22943 20070313 JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit 3470 2431 The 4thPass browser (BlackBerry Browser) on the RIM BlackBerry 8100 (Pearl) before 4.2.1 allows remote attackers to cause a denial of service (temporary functionality loss) via a long href attribute in a link in a WML page. ADV-2007-0945 1017748 20070313 Re: Re: RIM BlackBerry Pearl 8100 Browser DoS 20070312 RIM BlackBerry Pearl 8100 Browser DoS 2434 35030 Oracle Database 10g uses a NULL pDacl parameter when calling the SetSecurityDescriptorDacl function to create discretionary access control lists (DACLs), which allows local users to gain privileges. 22905 24475 33979 http://argeniss.com/research/10MinSecAudit.zip Multiple cross-site scripting (XSS) vulnerabilities in register.php in Woltlab Burning Board (wBB) 2.3.6 and Burning Board Lite 1.0.2pl3e allow remote attackers to inject arbitrary web script or HTML via the (1) r_username, (2) r_email, (3) r_password, (4) r_confirmpassword, (5) r_homepage, (6) r_icq, (7) r_aim, (8) r_yim, (9) r_msn, (10) r_year, (11) r_month, (12) r_day, (13) r_gender, (14) r_signature, (15) r_usertext, (16) r_invisible, (17) r_usecookies, (18) r_admincanemail, (19) r_emailnotify, (20) r_notificationperpm, (21) r_receivepm, (22) r_emailonpm, (23) r_pmpopup, (24) r_showsignatures, (25) r_showavatars, (26) r_showimages, (27) r_daysprune, (28) r_umaxposts, (29) r_dateformat, (30) r_timeformat, (31) r_startweek, (32) r_timezoneoffset, (33) r_usewysiwyg, (34) r_styleid, (35) r_langid, (36) key_string, (37) key_number, (38) disablesmilies, (39) disablebbcode, (40) disableimages, (41) field[1], (42) field[2], and (43) field[3] parameters. NOTE: a third-party researcher has disputed some of these vectors, stating that only the r_dateformat and r_timeformat parameters in Burning Board 2.3.6 are affected. ADV-2007-0856 20070302 Re: Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day 20070302 Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day 2424 24404 24386 netserver in netperf 2.4.3 allows local users to overwrite arbitrary files via a symlink attack on /tmp/netperf.debug. ADV-2007-0912 22925 24464 33975 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413658 SQL injection vulnerability in the heme preview feature for default.asp in BP Blog 7.0 through 7.0.2 allows remote attackers to execute arbitrary SQL commands via the layout parameter. 24473 http://blog.betaparticle.com/template_permalink.asp?id=134 ADV-2007-0919 33997 3466 Multiple PHP remote file inclusion vulnerabilities in Open Education System (OES) 0.1beta allow remote attackers to execute arbitrary PHP code via a URL in the CONF_INCLUDE_PATH parameter to (1) lib-account.inc.php, (2) lib-file.inc.php, (3) lib-group.inc.php, (4) lib-log.inc.php, (5) lib-mydb.inc.php, (6) lib-template-mod.inc.php, and (7) lib-themes.inc.php in includes/. ADV-2007-0920 22934 20070313 [ECHO_ADV_69$2007] OES (Open Educational System) 0.1beta Remote File Inclusion Vulnerability 2421 http://advisories.echo.or.id/adv/adv69-K-159-2007.txt The Tape Engine in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC procedure arguments, which result in memory corruption, a different vulnerability than CVE-2006-6076. VU#375353 http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317 ADV-2007-0971 32990 http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp brightstor-rpc-tapeengine-code-execution(33017) 1017783 22994 24512 The Tape Engine in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to cause a denial of service (disabled interface) by calling an unspecified RPC function. VU#647273 http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317 ADV-2007-0971 32991 http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp brightstor-rpc-tapeengine-dos(33020) 1017783 22994 24512 Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter. 22909 20070311 Re: PHP-Nuke <= 8.0 Cookie Manipulation (lang) 20070310 PHP-Nuke <= 8.0 Cookie Manipulation (lang) 24484 SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter. 22909 20070310 PHP-Nuke <= 8.0 Cookie Manipulation (lang) GuppY 4.0 allows remote attackers to delete arbitrary files via a direct request to install/install.php, then selecting "Installation propre" (cleanup.php) and then "Suppression des fichiers d'installation" (delete.php). 20070311 GuppY v4.0 remote del files/index 35085 http://forums.avenir-geopolitique.net/viewtopic.php?t=2728 2433 The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted POST. 22906 http://www.php-security.org/MOPB/MOPB-17-2007.html Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering extension (ext/filter) in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by calling filter_var with certain modes such as FILTER_VALIDATE_INT, which causes filter to write a null byte in whitespace that precedes the buffer. 22922 http://www.php.net/releases/5_2_1.php http://www.php-security.org/MOPB/MOPB-19-2007.html SUSE-SA:2007:032 DSA-1283 25062 25056 ext/filter in PHP 5.2.0, when FILTER_SANITIZE_STRING is used with the FILTER_FLAG_STRIP_LOW flag, does not properly strip HTML tags, which allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML with a '<' character followed by certain whitespace characters, which passes one filter but is collapsed into a valid tag, as demonstrated using %0b. http://www.php-security.org/MOPB/MOPB-18-2007.html 22914 SUSE-SA:2007:032 MDKSA-2007:090 DSA-1283 25062 25056 Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to includes/mysqlconfig.php and certain other files. 20070311 Fantastico In all Version Cpanel 10.x <= local File Include 35037 35036 2420 ** DISPUTED ** PHP remote file inclusion vulnerability in common.php in PHP Photo Album allows remote attackers to execute arbitrary PHP code via a URL in the db_file parameter. NOTE: CVE disputes this vulnerability, because versions 0.3.2.6 and 0.4.1beta do not contain this file. However, it is possible that the original researcher was referring to a different product. 20070314 Re: Remote File Include In Script PHP Photo Album 20070311 Remote File Include In Script PHP Photo Album 20070314 [false] Remote File Include In Script PHP Photo Album 2422 Buffer overflow in the urarlib_get function in Christian Scheurer UniquE RAR File Library (unrarlib, aka URARFileLib) 0.4 allows context-dependent attackers to execute arbitrary code via a long (1) filename, (2) rarfile, or (3) libpassword argument. ADV-2007-0961 22942 http://unrarlib.svn.sourceforge.net/viewvc/unrarlib/tags/unrarlib040/unrarlib/unrarlib.c?revision=3&view=markup 24472 34076 20070313 Unrarlib 0.4.0 (urarlib_get) Local buffer overflow Multiple PHP remote file inclusion vulnerabilities in CARE2X 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) inc_checkdate_lang.php, (2) inc_charset_fx.php, (3) inc_config_color.php, (4) inc_currency_set.php, (5) inc_db_makelink.php, (6) inc_diagnostics_report_fx.php, (7) inc_environment_global.php, (8) inc_front_chain_lang.php, (9) inc_init_crypt.php, (10) inc_load_copyrite.php, or (11) inc_news_save.php in include/; (12) diagnostics-report-index.php, (13) config_options_mascot.php, (14) barcode-labels.php, (15) chg-color.php, or (16) config_options_gui_template.php in main/; or unspecified other files. care2x-rootpath-file-include(32981) ADV-2007-0938 22951 20070314 [ECHO_ADV_72$2007] CARE2X (root_path) Remote File Inclusion Vulnerability 34060 34059 34058 34057 34056 34055 34054 34053 34052 34051 34050 34049 34048 34047 34046 34045 24481 http://advisories.echo.or.id/adv/adv72-theday-2007.txt Multiple PHP remote file inclusion vulnerabilities in WebCreator 0.2.6-rc3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the moddir parameter to (1) content/load.inc.php, (2) config/load.inc.php, (3) http/load.inc.php, and unspecified other files. webcreator-loadinc-file-include(32972) ADV-2007-0937 22953 20070314 [ECHO_ADV_74$2007] WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability 3473 http://advisories.echo.or.id/adv/adv74-theday-2007.txt The zip:// URL wrapper provided by the PECL zip extension in PHP before 4.4.7, and 5.2.0 and 5.2.1, does not implement safemode or open_basedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories. ADV-2007-2732 25159 22954 http://www.php-security.org/MOPB/MOPB-20-2007.html SUSE-SA:2007:032 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php 26235 25056 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode or open_basedir checks, which allows remote attackers to read bzip2 archives located outside of the intended directories. ADV-2007-2732 25159 22954 http://www.php-security.org/MOPB/MOPB-21-2007.html SUSE-SA:2007:032 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php 26235 25056 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228637 35086 Format string vulnerability in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a URI, which is not properly handled by certain dialogs. http://sourceforge.net/project/shownotes.php?group_id=93438&release_id=495106 https://issues.rpath.com/browse/RPL-1170 inkscape-dialogs-format-string(33163) ADV-2007-1059 USN-438-1 23070 20070324 FLEA-2007-0002-1: inkscape SUSE-SR:2007:008 GLSA-200704-10 25072 24859 24661 24615 24597 24584 23138 MDKSA-2007:069 Format string vulnerability in the whiteboard Jabber protocol in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. ADV-2007-1059 http://sourceforge.net/project/shownotes.php?group_id=93438&release_id=495106 https://issues.rpath.com/browse/RPL-1170 inkscape-jabber-format-string(33164) 23138 20070324 FLEA-2007-0002-1: inkscape SUSE-SR:2007:008 GLSA-200704-10 25072 24859 24661 24615 Stack-based buffer overflow in dproxy.c for dproxy 0.1 through 0.5 allows remote attackers to execute arbitrary code via a long DNS query packet to UDP port 53. https://www.cynops.de/advisories/CVE-2007-1465.txt ADV-2007-1091 20070323 dproxy - arbitrary code execution through stack buffer overflow vulnerability 34449 dproxy-udp-packet-bo(33171) 23112 24623 Integer overflow in the WP6GeneralTextPacket::_readContents function in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file, a different vulnerability than CVE-2007-0002. This vulnerability has been addressed by the vendor through a product update: http://sourceforge.net/project/showfiles.php?group_id=62662 23006 ADV-2007-0976 USN-437-1 1017789 20070316 rPSA-2007-0057-1 libwpd RHSA-2007:0055 RHSA-2007:0033 MDKSA-2007:064 MDKSA-2007:063 DSA-1268 102863 http://sourceforge.net/project/shownotes.php?release_id=494122 GLSA-200704-07 24856 24794 24588 24581 24580 24573 24572 24557 24550 24507 oval:org.mitre.oval:def:10862 20070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities FEDORA-2007-350 Multiple cross-site scripting (XSS) vulnerabilities in (1) PreSearch.html and (2) PreSearch.class in Cisco Secure Access Control Server (ACS), VPN Client, Unified Personal Communicator, MeetingPlace, Unified MeetingPlace, Unified MeetingPlace Express, CallManager, IP Communicator, Unified Video Advantage, Unified Videoconferencing 35xx products, Unified Videoconferencing Manager, WAN Manager, Security Device Manager, Network Analysis Module (NAM), CiscoWorks and related products, Wireless LAN Solution Engine (WLSE), 2006 Wireless LAN Controllers (WLC), and Wireless Control System (WCS) allow remote attackers to inject arbitrary web script or HTML via the text field of the search form. ADV-2007-0973 22982 20070315 Re: XSS vulnerability in the online help system of several Cisco products 20070315 XSS vulnerability in the online help system of several Cisco products 20070315 Cross-Site Scripting Vulnerability in Online Help System cisco-presearch-xss(33024) 1017778 2437 24499 Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest (CQ) Web 7.0.0.0 allows remote attackers to inject arbitrary web script or HTML via an attachment to a defect log entry. clearquest-defecttracking-xss(33001) ADV-2007-1036 1017786 22981 20070315 IBM Rational ClearQuest Web - Cross Site Scripting 2442 24523 34346 SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action. absolute-gallery-sql-injection(33005) ADV-2007-1002 22988 20070315 Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit 34239 2429 24543 Multiple buffer overflows in LIBFtp 5.0 allow user-assisted remote attackers to execute arbitrary code via certain long arguments to the (1) FtpArchie, (2) FtpDebugDebug, (3) FtpOpenDir, (4) FtpSize, or (5) FtpChmod function. 22987 20070315 LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow 2441 35038 admin/default.asp in Orion-Blog 2.0 allows remote attackers to bypass authentication controls and gain privileges via a direct URL request for admin/AdminBlogNewsEdit.asp. 20070315 Orion-Blog v2.0 Version Remote Privilege Escalation Exploit 35039 2440 Variable overwrite vulnerability in groupit/base/groupit.start.inc in Groupit 2.00b5 allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via arguments that are written to $_GLOBALS, as demonstrated using a URL in the c_basepath parameter to (1) content.php, (2) userprofile.php, (3) password.php, (4) dispatch.php, and (5) deliver.php in html/, and possibly (6) load.inc.php and related files. groupit-cbasepath-file-include(33000) ADV-2007-0995 20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability 3486 20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability 20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability 2428 34476 Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter to login.php. [announce] 20070314 Horde 3.1.4 (final) ADV-2007-0965 22984 20070315 Horde 3.1.4 (RC1) fixes XSS issue 1017775 horde-login-xss(33013) 33084 SUSE-SR:2007:007 DSA-1406 2427 27565 24995 24528 Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames. [announce] 20070314 Horde 3.1.4 (final) ADV-2007-0965 22985 20070315 Horde Project Cleanup Script Arbitrary File Deletion Vulnerability horde-cron-file-deletion(32997) 1017785 1017784 DSA-1406 27565 Multiple buffer overflows in the (1) ibase_connect and (2) ibase_pconnect functions in the interbase extension in PHP 4.4.6 and earlier allow context-dependent attackers to execute arbitrary code via a long argument. Successful exploitation requires that the Interbase extension is installed. php-interbase-extension-bo(33019) 22976 20070315 PHP <= 4.4.6 ibase_connect() local buffer overflow 24529 http://retrogod.altervista.org/php_446_ibase_connect_bof.html 3488 2439 The SymTDI device driver (SYMTDI.SYS) in Symantec Norton Personal Firewall 2006 9.1.1.7 and earlier, Internet Security 2005 and 2006, AntiVirus Corporate Edition 3.0.x through 10.1.x, and other Norton products, allows local users to cause a denial of service (system crash) by sending crafted data to the driver's \Device file, which triggers invalid memory access, a different vulnerability than CVE-2006-4855. symantec-firewall-symtdi-dos(33003) http://www.symantec.com/avcenter/security/Content/2007.09.05.html 22977 20070315 Norton Insufficient validation of 'SymTDI' driver input buffer http://www.matousec.com/info/advisories/Norton-Insufficient-validation-of-SymTDI-driver-input-buffer.php 1018656 2438 35088 20070315 Norton Insufficient validation of 'SymTDI' driver ** DISPUTED ** Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installation. pos-index-file-include(33006) 20070312 PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vuln 20070427 FALSE -> PHP Point of Sale (osCommerce) LFI 2426 download.php in McGallery 0.5b allows remote attackers to read arbitrary files and obtain script source code via the filename parameter. mcgallery-download-information-disclosure(33004) ADV-2007-1003 22989 3494 Cross-site scripting (XSS) vulnerability in Guestbook.php in Creative Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. 3489 34233 creative-schreiben-xss(33015) 24536 Creative Guestbook 1.0 allows remote attackers to add an administrative account via a direct request to createadmin.php with Name, Email, and PASSWORD parameters set. creative-createadmin-authentication-bypass(33014) 3489 24536 34234 SQL injection vulnerability in index.php in WBBlog allows remote attackers to execute arbitrary SQL commands via the e_id parameter in a viewentry cmd. ADV-2007-1001 3490 wbblog-viewentry-sql-injection(33010) 22998 24532 Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows remote attackers to inject arbitrary web script or HTML via the e_id parameter in a viewentry cmd. wbblog-viewentry-xss(33011) ADV-2007-1001 22998 3490 24532 Multiple PHP remote file inclusion vulnerabilities in WebCalendar 0.9.45 allow remote attackers to execute arbitrary PHP code via a URL in the includedir parameter to (1) login.php, (2) get_reminders.php, or (3) get_events.php. 23054 webcalendar-multiple-file-include(33008) 20070315 WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include 20070320 Re: WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include 3492 [webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch) 2425 The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called. ADV-2007-2732 http://www.php-security.org/MOPB/MOPB-24-2007.html 24542 USN-455-1 25159 22990 SUSE-SA:2007:032 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php GLSA-200705-19 26235 25445 25057 25056 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 ** DISPUTED ** Buffer overflow in the set_umask function in QFTP in LIBFtp 3.1-1 allows local users to execute arbitrary code via a long -m argument. NOTE: CVE disputes this issue because QFTP is not setuid, and it is unlikely that there are web interfaces to QFTP that would accept untrusted command line arguments. 22986 20070315 QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow 35089 2443 PHP remote file inclusion vulnerability in template.class.php in Carbonize Lazarus Guestbook before 1.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to admin.php, probably due to a dynamic variable evaluation vulnerability. This vulnerability has been addressed by the vendor with a product update: http://carbonize.co.uk/Lazarus/downloads.php ADV-2007-0874 20070308 Re: [Bogus] Lazarus Guestbook (admin.php)Remote File Include Expliot - 20070307 Lazarus Guestbook (admin.php)Remote File Include Expliot 20070307 Bogus - [c_r_ck at hotmail.com: Lazarus Guestbook (admin.php)Remote File Include Expliot] http://carbonize.co.uk/Lazarus/Forum/index.php?topic=1164.0 20070520 Re: Re: [Bogus] Lazarus Guestbook (admin.php)Remote File Include Expliot - 20070316 Re: [Bogus] Lazarus Guestbook (admin.php)Remote File Include Expliot 2432 Directory traversal vulnerability in index.php in Sascha Schroeder (aka CyberTeddy or Cyber-inside) WebLog allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a showarticles action. ADV-2007-0967 3484 24521 34043 weblog-index-directory-traversal(32998) 22995 Unspecified vulnerability in Sun Java System Web Server 6.0 and 6.1 before 20070315 allows remote attackers to "gain unauthorized access to data", possibly involving a sample application. 22993 24545 sun-java-url-information-disclosure(33016) ADV-2007-0972 1017788 102833 34080 Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability. http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=crip&id=2 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=259 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=256 20070320 WebAPP Audit 24540 33273 Unspecified maintenance web pages in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allow remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors (aka "shell command injection"). http://support.avaya.com/elmodocs2/security/ASA-2007-052.htm 24434 33300 Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allows connections from external interfaces via port 8009, which exposes it to attacks from outside parties. http://support.avaya.com/elmodocs2/security/ASA-2007-051.htm 24434 33346 winmm.dll in Microsoft Windows XP allows user-assisted remote attackers to cause a denial of service (infinite loop) via a large cch argument value to the mmioRead function, as demonstrated by a crafted WAV file. 22938 34101 20070310 Windows Multimedia mmioRead Denial of Service Vulnerability nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive regular expression to validate an IP address, which allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, due to an incomplete patch for CVE-2007-1172. 20070310 NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit 20070314 SQL injection (x2) in NukeSentinel 2430 Cross-site scripting (XSS) vulnerability in NukeSentinel before 2.5.06 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "filters for https:// and http://". http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1055 35078 The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 9.1.1.7, and possibly other products using symevent.sys 12.0.0.20, allows local users to cause a denial of service (system crash) via invalid data, as demonstrated by calling DeviceIoControl to send the data, a reintroduction of CVE-2006-4855. 22961 20070314 SymEvent Driver Local Access System Denial of Service 2445 nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference. 22946 ADV-2007-0944 RHSA-2007:0347 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.3 DSA-1289 25288 25228 24492 oval:org.mitre.oval:def:9831 USN-464-1 SUSE-SA:2007:043 MDKSA-2007:171 26620 25961 25392 nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments. 24492 ADV-2007-0944 23976 RHSA-2007:0347 33028 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.3 DSA-1289 25288 25228 oval:org.mitre.oval:def:10457 USN-464-1 SUSE-SA:2007:043 MDKSA-2007:196 MDKSA-2007:171 26620 25961 25392 Multiple stack-based buffer overflows in the SiteManager.SiteMgr.1 ActiveX control (SiteManager.dll) in the ePO management console in McAfee ePolicy Orchestrator (ePO) before 3.6.1 Patch 1 and ProtectionPilot (PRP) before 1.5.0 HotFix allow remote attackers to execute arbitrary code via a long argument to the (1) ExportSiteList and (2) VerifyPackageCatalog functions, and (3) unspecified vectors involving a swprintf function call. VU#714593 https://knowledge.mcafee.com/article/26/612496_f.SAL_Public.html https://knowledge.mcafee.com/article/25/612495_f.SAL_Public.html 22952 24466 20070314 [Advisory]McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities ADV-2007-0931 1017757 2444 Microsoft Internet Explorer 7.0 on Windows XP and Vista allows remote attackers to conduct phishing attacks and possibly execute arbitrary code via a res: URI to navcancl.htm with an arbitrary URL as an argument, which displays the URL in the location bar of the "Navigation Canceled" page and injects the script into the "Refresh the page" link, aka Navigation Cancel Page Spoofing Vulnerability." TA07-163A ie-navcancl-xss(33026) ADV-2007-2153 ADV-2007-0946 22966 HPSBST02231 HPSBST02231 20070315 RE: Phishing using IE7 local resource vulnerability 20070315 Re: Phishing using IE7 local resource vulnerability 20070314 Phishing using IE7 local resource vulnerability MS07-033 1018235 2448 25627 24535 http://news.com.com/2100-1002_3-6167410.html http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx oval:org.mitre.oval:def:1715 The Linux Security Auditing Tool (LSAT) allows local users to overwrite arbitrary files via a symlink attack on temporary files, as demonstrated using /tmp/lsat1.lsat. GLSA-200703-20 24526 34267 http://bugs.gentoo.org/show_bug.cgi?id=159542 gentoo-lsat-symlink(33057) 23014 Stack-based buffer overflow in Avant Browser 11.0 build 26 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Content-Type HTTP header. 23002 3514 34990 avantbrowser-contenttype-dos(33049) Multiple buffer overflows in Rhapsody IRC 0.28b allow remote attackers to execute arbitrary code via a (1) long command, (2) long server argument to the (a) connect or (b) server commands, (3) long nick argument to the (c) nick command, or a long (4) nick or (5) message argument to the (d) ctcp, (e) chat, (f) notice, (g) message (msg), or (h) query commands. 23011 20070317 Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability 35004 35003 35002 2447 Multiple format string vulnerabilities in comm.c in Rhapsody IRC 0.28b allow remote attackers to execute arbitrary code via format string specifiers to the create_ctcp_message function using the message argument to the (1) me or (2) ctcp commands, and possibly related vectors involving the (3) whois, (4) mode, and (5) topic commands. 23011 20070317 Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability 35001 2447 Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes. ADV-2007-0996 http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html http://software.fujitsu.com/jp/security/vulnerabilities/jvn-83832818.html 24508 34276 JVN#83832818 interstage-application-servlet-xss(33099) 23020 Fujistu FENCE-Pro before V5L01, and Systemwalker Desktop Encryption V12.0L10, V12.0L10A, V12.0L10B, V12.0L20 and V13.0.0 allows local users to obtain sensitive information by extracting the decoding password from certain "self-decoding" file types. 24549 24537 23001 http://software.fujitsu.com/jp/security/products-fujitsu/solution/systemwalker_dte_200701.html http://segroup.fujitsu.com/secure/products/fence/notice/alert20070316.html 34184 JVN#19795972 systemwalker-selfdecoding-info-disclosure(33029) Cross-site scripting (XSS) vulnerability in PORTAL.wwv_main.render_warning_screen in the Oracle Portal 10g allows remote attackers to inject arbitrary web script or HTML via the (1) p_oldurl and (2) p_newurl parameters. 22999 20070316 Oracle Portal PORTAL.wwv_main.render_warning_screen XSS 34299 oracleportal-portalwarning-xss(33028) 2463 The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache. [OpenAFS-announce] 20070319 OpenAFS 1.5.17 release available openafs-setuid-privilege-escalation(33180) ADV-2007-1033 1017807 23060 [OpenAFS-announce] 20070320 OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients [OpenAFS-announce] 20070319 OpenAFS 1.4.4 available MDKSA-2007:066 DSA-1271 GLSA-200704-03 24720 24607 24599 24582 Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983. ADV-2007-1037 22996 20070315 DirectAdmin Cross Site Scripting XSS 34273 directadmin-cmduserstats-xss(33023) 24551 Directory traversal vulnerability in enkrypt.php in Sascha Schroeder krypt (aka Holtstraeter Rot 13) allows remote attackers to read arbitrary files via a .. (dot dot) in the datei parameter. 22997 20070316 Rot 13 <= (enkrypt.php) Remote File Disclosure Vulnerability 34089 rot-enkrypt-directory-traversal(33027) 2458 SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter. ADV-2007-1006 23005 20070316 Particle Blogger All Version Post.PHP (PostID) Remote SQL Injection Exploit 34305 particle-post-sql-injection(33030) 3500 2460 24559 http://forums.particlesoft.net/viewtopic.php?t=675 Buffer overflow in FrontBase Relational Database Server 4.2.7 and earlier allows remote authenticated users, with privileges for creating a stored procedure, to execute arbitrary code via a CREATE PROCEDURE request with a long procedure name. ADV-2007-0999 23007 20070316 [NETRAGARD-20070316 SECURITY ADVISORY][FrontBase Database <= 4.2.7 ALL PLATFORMS][REMOTE BUFFER OVERFLOW CONDITION][LEVEL: EASY][RISK:MEDIUM] 34282 2470 24555 Stack-based buffer overflow in the AfxOleSetEditMenu function in the MFC component in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 Gold and SP1, and Visual Studio .NET 2002 Gold and SP1, and 2003 Gold and SP1 allows user-assisted remote attackers to have an unknown impact (probably crash) via an RTF file with a malformed OLE object, which results in writing two 0x00 characters past the end of szBuffer, aka the "MFC42u.dll Off-by-Two Overflow." NOTE: this issue is due to an incomplete patch (MS07-012) for CVE-2007-0025. 20070316 MS07-012 Not Fixed PHP remote file inclusion vulnerability in comanda.php in GraFX Company WebSite Builder (CWB) PRO 1.9.8, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter. ADV-2007-0994 22974 20070315 [ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability 3485 34946 http://advisories.echo.or.id/adv/adv76-theday-2007.txt cwb-comanda-file-include(33035) 2452 PHP remote file inclusion vulnerability in index.php in ViperWeb Portal alpha 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the modpath parameter. 22979 20070315 Remote File Inclusion in ViperWeb 34310 viperweb-index-file-include(33034) 2449 Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information. [announce] 20070314 IMP H3 (4.1.4) (final) ADV-2007-0964 22975 20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues 24541 20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues 1017774 PHP remote file inclusion vulnerability in functions/update.php in Cicoandcico CcMail 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the functions_dir parameter. ADV-2007-1000 22983 3487 34311 ccmail-update-file-include(32999) SQL injection vulnerability in comments.php in WSN Guest 1.02 and 1.21 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-0968 22969 20070314 WSN Guest 1.21 Version Comments.PHP "ID" SQL Injection Exploit 34512 wsnguest-comments-sql-injection(32983) 3477 2451 SQL injection vulnerability in usergroups.php in Woltlab Burning Board (wBB) 2.x allows remote attackers to execute arbitrary SQL commands via the array index of the applicationids array. 22970 20070314 Woltab Burning Board SQL Injection usergroups.php 20070315 Re: [Full-disclosure] Woltab Burning Board SQL Injection usergroups.php 2455 Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke 8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search operation in the Downloads module, a different product than CVE-2006-3948. http://www.wisec.it/ush/phpnukexss.html http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ 20070309 Php Nuke POST XSS on steroids 24629 http://phpfi.com/214668 The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks. http://www.wisec.it/ush/phpnukexss.html http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ 20070313 Re: Php Nuke POST XSS on steroids 20070311 Re: Php Nuke POST XSS on steroids 20070309 Php Nuke POST XSS on steroids 24629 http://phpfi.com/214668 34501 Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation. ADV-2007-2732 ADV-2007-0960 USN-455-1 22968 http://www.php-security.org/MOPB/MOPB-22-2007.html DSA-1283 DSA-1282 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php 25062 25057 25025 24505 25159 SUSE-SA:2007:032 GLSA-200705-19 26235 25445 25056 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors. ADV-2007-0960 http://www.php-security.org/MOPB/MOPB-23-2007.html 22971 SUSE-SA:2007:032 25056 24505 Heap-based buffer overflow in the kernel in NetBSD 3.0, certain versions of FreeBSD and OpenBSD, and possibly other BSD derived operating systems allows local users to have an unknown impact. NOTE: this information is based upon a vague pre-advisory with no actionable information. Details will be updated after 20070329. 22945 http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson 34593 http://kernelwars.blogspot.com/2007/01/alive.html Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demonstrated by injecting PHP code into an Apache HTTP Server log file, which can then be included via themes/default/. ADV-2007-0966 22157 3467 zomplog-index-file-include(32982) 24520 Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php. ADV-2007-0969 3478 34073 22972 24534 http://infusion.110mb.com/enter/dfblog4.zip Sun Java System Web Server 6.1 before 20070314 allows remote authenticated users with revoked client certificates to bypass the Certificate Revocation List (CRL) authorization control and access secure web server instances running under an account different from that used for the admin server via unspecified vectors. 102822 ADV-2007-0958 34074 1017777 24531 The LLTD Mapper in Microsoft Windows Vista does not verify that an IP address in a TLV type 0x07 field in a HELLO packet corresponds to a valid IP address for the local network, which allows remote attackers to trick users into communicating with an external host by sending a HELLO packet with the MW characteristic and a spoofed TLV type 0x07 field, aka the "Spoof and Management URL IP Redirect" attack. http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 20070313 New report on Windows Vista network attack surface 33663 http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html 23279 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation The LLTD Mapper in Microsoft Windows Vista allows remote attackers to spoof hosts, and nonexistent bridge relationships, into the network topology map by using a MAC address that differs from the MAC address provided in the Real Source field of the LLTD BASE header of a HELLO packet, aka the "Spoof on Bridge" attack. http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 23280 20070313 New report on Windows Vista network attack surface 33662 http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation The LLTD Responder in Microsoft Windows Vista does not send the Mapper a response to a DISCOVERY packet if another host has sent a spoofed response first, which allows remote attackers to spoof arbitrary hosts via a network-based race condition, aka the "Total Spoof" attack. http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 20070313 New report on Windows Vista network attack surface 33661 http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html 23263 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation The LLTD Mapper in Microsoft Windows Vista does not properly gather responses to EMIT packets, which allows remote attackers to cause a denial of service (mapping failure) by omitting an ACK response, which triggers an XML syntax error. http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 20070313 New report on Windows Vista network attack surface 33660 http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html 23271 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation Microsoft Windows XP and Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of network access) by sending a gratuitous ARP for the address of the Vista host. http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 23266 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 20070313 New report on Windows Vista network attack surface 33664 The neighbor discovery implementation in Microsoft Windows Vista allows remote attackers to conduct a redirect attack by (1) responding to queries by sending spoofed Neighbor Advertisements or (2) blindly sending Neighbor Advertisements. http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 20070313 New report on Windows Vista network attack surface 33665 http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html 23293 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation The Teredo implementation in Microsoft Windows Vista uses the same nonce for communication with different UDP ports within a solicitation session, which makes it easier for remote attackers to spoof the nonce through brute force attacks. http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 20070313 New report on Windows Vista network attack surface 33666 http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html 23301 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 for 2 minutes after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port during the time window. http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 20070313 New report on Windows Vista network attack surface 33668 Microsoft Windows Vista establishes a Teredo address without user action upon connection to the Internet, contrary to documentation that Teredo is inactive without user action, which increases the attack surface and allows remote attackers to communicate via Teredo. http://www.symantec.com/enterprise/security_response/weblog/2007/04/microsofts_inaccurate_teredo_d.html http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf 23267 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 20070313 New report on Windows Vista network attack surface 33667 Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. VU#606700 24548 [file] 20070302 file-4.20 is now available https://issues.rpath.com/browse/RPL-1148 https://bugs.gentoo.org/show_bug.cgi?id=171452 openbsd-file-bo(36283) ADV-2007-1939 ADV-2007-1040 USN-439-1 1017796 23021 20070828 Re: OpenBSD 4.1 - Heap overflow vulnerabillity 20070825 OpenBSD 4.1 - Heap overflow vulnerabillity RHSA-2007:0124 SUSE-SR:2007:005 SUSE-SA:2007:040 MDKSA-2007:067 DSA-1274 http://support.avaya.com/elmodocs2/security/ASA-2007-179.htm SSA:2007-093-01 GLSA-200710-19 GLSA-200703-26 FreeBSD-SA-07:04 29179 27314 27307 25989 25931 25402 25393 25133 24754 24723 24617 24616 24608 24604 24592 oval:org.mitre.oval:def:10658 [4.0] 20070709 015: SECURITY FIX: July 9, 2007 APPLE-SA-2007-05-24 http://docs.info.apple.com/article.html?artnum=305530 NetBSD-SA2008-001 \Device\NdisTapi (NDISTAPI.sys) in Microsoft Windows XP SP2 and 2003 SP1 uses weak permissions, which allows local users to write to the device and cause a denial of service, as demonstrated by using an IRQL to acquire a spinlock on paged memory via the NdisTapiDispatch function. windows-ndistapi-dos(33086) ADV-2007-1031 23025 20070319 [Reversemode Advisory] Microsoft Windows Ndistapi.sys IRQL escalation http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=47 24598 33628 2471 ** DISPUTED ** McAfee VirusScan Enterprise 8.5.0.i uses insecure permissions for certain Windows Registry keys, which allows local users to bypass local password protection via the UIP value in (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion. NOTE: this issue has been disputed by third-party researchers, stating that the default permissions for HKEY_LOCAL_MACHINE\SOFTWARE does not allow for write access and the product does not modify the inherited permissions. There might be an interaction error with another product. 1017791 20070319 RE: Bypassing Mcafee Entreprise Password Protection 20070317 Re: Bypassing Mcafee Entreprise Password Protection 20070317 Bypassing Mcafee Entreprise Password Protection http://homepage.mac.com/adonismac/Advisory/crack_mcafee_password_protection.html http://homepage.mac.com/adonismac/Advisory/bypass_mcafee_entreprise_password.html 33800 Directory traversal vulnerability in inc/map.func.php in pragmaMX Landkarten 2.1 module allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the module_name parameter, as demonstrated via a static PHP code injection attack in an Apache log file. ADV-2007-1030 24589 34306 3521 pragma-mapfunc-file-include(33084) 23044 Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 and earlier, and (2) LedgerSMB before 1.2.0, allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence and trailing NULL (%00) in the login parameter. NOTE: this issue was reportedly addressed in SQL-Ledger 2.6.27, however third-party researchers claim that the file is still executed even though an error is generated. http://sourceforge.net/project/shownotes.php?release_id=494462&group_id=175965 ADV-2007-1025 ADV-2007-1024 23034 20070318 Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB 33624 http://sql-ledger.com/cgi-bin/nav.pl?page=news.html&title=What's%20New 24585 24560 Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00) character to protect against directory traversal attacks, which allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence in the login parameter. ADV-2007-1025 23034 20070318 Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB http://sql-ledger.com/cgi-bin/nav.pl?page=news.html&title=What's%20New 24560 Unspecified vulnerability in the Cisco IP Phone 7940 and 7960 running firmware before POS8-6-0 allows remote attackers to cause a denial of service via the Remote-Party-ID sipURI field in a SIP INVITE request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1023 23047 24600 cisco-ipphone-sip-invite-dos(33098) 1017797 20070320 Cisco IP Phone 7940/7960 SIP INVITE Denial of Service Stack-based buffer overflow in the accept_att_local function in server/os/connection.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection. http://aluigi.altervista.org/adv/nasbugs-adv.txt nas-uslsocket-bo(33047) ADV-2007-0997 23017 20070403 FLEA-2007-0007-1: nas 24527 https://issues.rpath.com/browse/RPL-1155 USN-446-1 1017822 http://www.radscan.com/nas/HISTORY MDKSA-2007:065 DSA-1273 GLSA-200704-20 24980 24783 24638 24628 24601 Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. http://aluigi.altervista.org/adv/nasbugs-adv.txt nas-procauwriteelement-dos(33051) ADV-2007-0997 23017 20070403 FLEA-2007-0007-1: nas 24527 USN-446-1 1017822 http://www.radscan.com/nas/HISTORY MDKSA-2007:065 DSA-1273 GLSA-200704-20 24980 24638 24628 24601 The AddResource function in server/dia/resource.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID. http://aluigi.altervista.org/adv/nasbugs-adv.txt nas-addresource-dos(33050) ADV-2007-0997 23017 20070403 FLEA-2007-0007-1: nas 24527 USN-446-1 1017822 http://www.radscan.com/nas/HISTORY MDKSA-2007:065 DSA-1273 GLSA-200704-20 24980 24638 24628 24601 Array index error in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c. http://aluigi.altervista.org/adv/nasbugs-adv.txt nas-procausetelements-dos(33054) ADV-2007-0997 23017 20070403 FLEA-2007-0007-1: nas 24527 nas-compileinputs-dos(33055) USN-446-1 1017822 http://www.radscan.com/nas/HISTORY MDKSA-2007:065 DSA-1273 GLSA-200704-20 24980 24638 24628 24601 The ReadRequestFromClient function in server/os/io.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference. nas-readrequestfromclient-dos(33059) ADV-2007-0997 23017 20070403 FLEA-2007-0007-1: nas 24527 http://aluigi.altervista.org/adv/nasbugs-adv.txt USN-446-1 1017822 http://www.radscan.com/nas/HISTORY MDKSA-2007:065 DSA-1273 GLSA-200704-20 24980 24638 24628 24601 SQL injection vulnerability in functions/functions_filters.asp in Web Wiz Forums before 8.05a (MySQL version) does not properly filter certain characters in SQL commands, which allows remote attackers to execute arbitrary SQL commands via \"' (backslash double-quote quote) sequences, which are collapsed into \'', as demonstrated via the name parameter to forum/pop_up_member_search.asp. webwizforums-popupmember-sql-injection(33095) ADV-2007-1061 23051 20070320 Web Wiz Forums 8.05 (MySQL version) SQL Injection 2456 24561 34344 http://ifsec.blogspot.com/2007/03/web-wiz-forums-805-mysql-version-sql.html Unrestricted file upload vulnerability in gallery.php in phpx 3.5.15 allows remote attackers to upload and execute arbitrary PHP scripts via an addImage action, which places scripts into the gallery/shelties/ directory. 23033 20070319 phpx 3.5.15 multiples vulnerabilities phpx-gallery-file-upload(33151) 2457 Multiple SQL injection vulnerabilities in phpx 3.5.15 allow remote attackers to execute arbitrary SQL commands via the (1) image_id or (2) cat_id parameter to (a) gallery.php; the (3) news_id parameter to (b) news.php or (c) print.php; (4) the news_cat_id parameter to news.php; the (5) cat_id, (6) topic_id, or (7) post_id parameter to (d) forums.php; or (8) the user_id parameter to (e) users.php. ADV-2007-1087 23033 20070319 phpx 3.5.15 multiples vulnerabilities 34418 34417 34416 34415 34414 phpx-multiple-sql-injection(33155) 2457 24565 Multiple cross-site scripting (XSS) vulnerabilities in phpx 3.5.15 allow remote attackers to inject arbitrary web script or HTML via (1) the signature in "dans profile," or (2) search.php. ADV-2007-1087 23033 20070319 phpx 3.5.15 multiples vulnerabilities 34413 34412 phpx-search-xss(33154) phpx-signature-xss(33153) 2457 24565 Unrestricted file upload vulnerability in usercp.php in MetaForum 0.513 Beta restricts file types based on the MIME type in the Content-type HTTP header, which allows remote attackers to upload and execute arbitrary scripts via an image MIME type with a filename containing an executable extension such as .php. 23032 20070318 MetaForum <= 0.513 Beta - Remote file upload Vulnerability http://www.aeroxteam.fr/exploit-MetaForum-0.513b.txt 34523 metaforum-mime-file-upload(33097) 3516 2454 admin/configuration.php in Guestbara 1.2 and earlier allows remote attackers to modify the e-mail, name, and password of the admin account by setting the zapis parameter to "ok" and providing modified admin_mail, login, and pass parameters. 3506 34519 Direct static code injection vulnerability in admin/configuration.php in Guestbara 1.2 and earlier allows remote authenticated users to inject arbitrary PHP code into config.php via the (1) admin_mail, (2) emotpatch, (3) login, (4) pass, and unspecified other parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1010 33783 SQL injection vulnerability in forum.php in the Minerva mod 2.0.21 build 238a and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the c parameter. ADV-2007-1028 23036 3519 minerva-forum-sql-injection(33082) 33748 SQL injection vulnerability in kommentare.php in Creative Files 1.2 allows remote attackers to execute arbitrary SQL commands via the dlid parameter. creative-kommentare-sql-injection(33021) 23000 3498 33747 Format string vulnerability in F-Secure Anti-Virus Client Security 6.02 allows local users to cause a denial of service and possibly gain privileges via format string specifiers in the Management Server name field on the Communication settings page. 23023 20070319 Layered Defense Research Advisory: F-Secure Anti-Virus Client Security 6.02 Format String Vulnerability http://www.layereddefense.com/F-SecureMar18.html ADV-2007-1055 34764 2472 The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products. TA07-151A 23257 http://www.mozilla.org/security/announce/2007/mfsa2007-15.html DSA-1305 https://issues.rpath.com/browse/RPL-1424 https://issues.rpath.com/browse/RPL-1232 https://issues.rpath.com/browse/RPL-1231 ADV-2008-0082 ADV-2007-2788 ADV-2007-1994 ADV-2007-1939 ADV-2007-1480 ADV-2007-1468 ADV-2007-1467 ADV-2007-1466 USN-520-1 USN-469-1 1018008 20070620 FLEA-2007-0027-1: thunderbird 20070619 FLEA-2007-0026-1: evolution-data-server 20070615 rPSA-2007-0122-1 evolution-data-server 20070531 FLEA-2007-0023-1: firefox 20070403 Re: APOP vulnerability 20070402 APOP vulnerability RHSA-2009:1140 RHSA-2007:0402 RHSA-2007:0401 RHSA-2007:0386 RHSA-2007:0385 RHSA-2007:0353 RHSA-2007:0344 [oss-security] 20090818 Re: CVE-2007-1558 update (was: mailfilter 0.8.2 fixes CVE-2007-1558 (APOP)) [oss-security] 20090815 mailfilter 0.8.2 fixes CVE-2007-1558 (APOP) SUSE-SA:2007:036 SUSE-SR:2007:014 MDKSA-2007:131 MDKSA-2007:119 MDKSA-2007:113 MDKSA-2007:107 MDKSA-2007:105 DSA-1300 http://www.claws-mail.org/news.php http://sylpheed.sraoss.jp/en/news.html http://sourceforge.net/forum/forum.php?forum_id=683706 SSA:2007-152-02 GLSA-200706-06 35699 25559 25546 25529 25496 25476 25402 25353 oval:org.mitre.oval:def:9782 [balsa-list] 20070704 balsa-2.3.17 released APPLE-SA-2007-05-24 SSRT061236 SSRT061236 SSRT061181 http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt http://docs.info.apple.com/article.html?artnum=305530 http://balsa.gnome.org/download.html 20070602-01-P 26415 26083 25894 25858 25798 25750 25664 25534 SSRT061181 Multiple stack-based buffer overflows in SonicDVDDashVRNav.dll in Roxio CinePlayer 3.2 allow remote attackers to execute arbitrary code via (1) unspecified long property values to SonicMediaPlayer.dll or (2) long arguments to unspecified methods in SonicMediaPlayer.dll. ADV-2007-1337 http://secunia.com/secunia_research/2007-46/advisory/ 22251 34779 cineplayer-sonicmediaplayer-bo(33590) 1017906 23412 The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error. http://www.squid-cache.org/Advisories/SQUID-2007_1.txt 24611 squid-clientprocessrequest-dos(33124) ADV-2007-1035 USN-441-1 http://www.squid-cache.org/Versions/v2/2.6/changesets/11349.patch 1017805 23085 RHSA-2007:0131 SUSE-SR:2007:005 MDKSA-2007:068 GLSA-200703-27 24911 24662 24625 24614 oval:org.mitre.oval:def:10291 The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address. 23031 asterisk-sip-invite-dos(33068) ADV-2007-1039 http://www.sineapps.com/news.php?rssid=1707 1017794 20070321 Two new DoS Vulnerabilities in Asterisk Fixed [VOIPSEC] 20070319 Asterisk SDP DOS vulnerability 20070319 Asterisk SDP DOS vulnerability http://asterisk.org/node/48339 34479 SUSE-SA:2007:034 DSA-1358 GLSA-200704-01 25582 24719 24564 The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response. https://issues.rpath.com/browse/RPL-1424 https://issues.rpath.com/browse/RPL-1157 https://bugzilla.mozilla.org/show_bug.cgi?id=370559 firefox-nsftpstate-information-disclosure(33119) ADV-2007-1034 USN-443-1 1017800 23082 20070531 FLEA-2007-0023-1: firefox 20070322 FLEA-2007-0001-1: firefox RHSA-2007:0402 RHSA-2007:0400 SUSE-SA:2007:036 http://www.mozilla.org/security/announce/2007/mfsa2007-11.html 25858 25490 25476 oval:org.mitre.oval:def:11431 SSRT061181 HPSBUX02153 http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf The FTP protocol implementation in Opera 9.10 allows remote attackers to allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response. ADV-2007-1075 1017802 23089 SUSE-SA:2007:028 25027 http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response. https://issues.rpath.com/browse/RPL-1201 ADV-2007-1076 USN-447-1 23091 RHSA-2007:0909 SUSE-SR:2007:006 MDKSA-2007:072 http://www.kde.org/info/security/advisory-20070326-1.txt 1017801 27108 24889 oval:org.mitre.oval:def:10646 http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf Konqueror 3.5.5 allows remote attackers to cause a denial of service (crash) by using JavaScript to read a child iframe having an ftp:// URI. http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf SQL injection vulnerability in News/page.asp in NetVIOS Portal allows remote attackers to execute arbitrary SQL commands via the NewsID parameter. NOTE: this issue might be the same as CVE-2006-5954. netviosportal-page-sql-injection(33072) 23045 3520 Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain. https://www.immunityinc.com/downloads/immpartners/warftp_165.tar ADV-2007-0933 22944 24494 Stack-based buffer overflow in DaanSystems NewsReactor 20070220.21 allows remote attackers to execute arbitrary code via a yEnc (yEncode) encoded article with a long filename. ADV-2007-0934 3463 3462 24487 34035 Stack-based buffer overflow in NewsBin Pro 4.32 allows remote attackers to cause a denial of service or execute arbitrary code via a yEnc (yEncode) encoded article with a long filename, as demonstrated using a .nzb file. NOTE: some of these details are obtained from third party information. ADV-2007-0935 22940 3464 24491 34003 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1438. Reason: This candidate is a duplicate of CVE-2007-1438. Notes: All CVE users should reference CVE-2007-1438 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PHP remote file inclusion vulnerability in includes/base.php in Radical Designs Activist Mobilization Platform (AMP) 3.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter. amp-base-file-include(33009) ADV-2007-0939 3471 http://advisories.echo.or.id/adv/adv71-theday-2007.txt 20070314 [ECHO_ADV_71$2007] AMP v3.2 (base_path) Remote File Inclusion Vulnerability SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter, a different vector than CVE-2007-1440. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-0940 SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field. http://www.vbulletin.com/forum/project.php?issueid=21615 20070313 vbulletin admincp sql injection 24503 34070 CARE2X 2.2, and possibly earlier, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24481 34044 Multiple SQL injection vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) unspecified vectors to the (a) calendar and (2) search modules, and an (2) unspecified cookie when the user logs out. http://www.phprojekt.com/index.php?name=News&file=article&sid=276 22955 20070314 n.runs-SA-2007.003 - PHProjekt 5.2.0 - SQL Injection http://www.nruns.com/security_advisory_phprojekt_sql_injection.php 24509 2466 GLSA-200706-07 25748 Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Search (only Gecko engine driven Browsers), and (5) Notes modules; the (6) Mail summary page; and unspecified other files. http://www.phprojekt.com/index.php?name=News&file=article&sid=276 22957 20070314 n.runs-SA-2007.004 - PHProjekt 5.2.0 - Cross Site Scripting and Filter Evasion http://www.nruns.de/security_advisory_phprojekt_xss_and_filter_evasion.php 24509 34069 34068 34067 34066 34065 34064 2459 GLSA-200706-07 25748 Directory traversal vulnerability in index.php in GeBlog 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[tplname] parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. geblog-index-file-include(33089) 23052 3522 33776 Multiple integer signedness errors in the NTLM implementation in Atrium MERCUR IMAPD (mcrimap4.exe) 5.00.14, with SP4, allow remote attackers to execute arbitrary code via a long NTLMSSP argument that triggers a stack-based buffer overflow. mercur-imap-ntlm-bo(33120) ADV-2007-1053 23058 33545 3527 http://www.digit-labs.org/files/exploits/mercur-v1.pl 1017798 24596 20070320 Mercur SP4 IMAPD Stack-based buffer overflow in Atrium MERCUR IMAPD allows remote attackers to have an unknown impact via a certain SUBSCRIBE command. https://www.immunityinc.com/downloads/immpartners/MercurImapSubscribe.tar ADV-2007-1092 23050 33546 3537 http://www.immunitysec.com/partners-index.shtml 24619 FTPDMIN 0.96 allows remote attackers to cause a denial of service (daemon crash) via a LIST command for a Windows drive letter, as demonstrated using "//A:". NOTE: this has been reported as a buffer overflow by some sources, but there is not a long argument. ftpdmin-list-dos(33091) 23049 3523 34524 The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources. NOTE: it was later reported that PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 are also affected. 23062 http://www.php-security.org/MOPB/MOPB-28-2007.html 24542 http://php-security.org/2010/05/01/mops-2010-001-php-hash_update_file-already-freed-resource-access-vulnerability/index.html The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources. 23046 http://www.php-security.org/MOPB/MOPB-27-2007.html 3525 24542 The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation. ADV-2007-2732 23016 http://www.php-security.org/MOPB/MOPB-26-2007.html oval:org.mitre.oval:def:10245 https://issues.rpath.com/browse/RPL-1268 USN-455-1 25159 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql RHSA-2007:0162 RHSA-2007:0153 SUSE-SA:2007:032 MDKSA-2007:090 MDKSA-2007:089 MDKSA-2007:088 DSA-1283 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php GLSA-200705-19 26235 25445 25062 25057 25056 24965 24945 24924 24909 RHSA-2007:0155 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string. http://www.php-security.org/MOPB/MOPB-25-2007.html 3517 The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.00.7, and WRT54GC 1 with firmware 1.03.0 and earlier allow remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916. NOTE: some of these details are obtained from third party information. 23063 20070320 Linksys WAG200G - Information disclosure 24658 20070325 Re: Linksys WAG200G - Information disclosure ZynOS 3.40 allows remote attackers to cause a denial of service (link restart) by sending a request for the name \M via the SMB Mail Slot Protocol. 23061 20070319 ZynOS v3.40 One packet killer 1017795 34522 templates/config/mail.tpl in Tim Soderstrom StatsDawg 0.92 allows remote attackers to execute arbitrary programs by specifying the program name in the qshapeLocation parameter. http://www.statsdawg.org/ server.cpp in MyServer 0.8.5 calls Process::setuid before calling Process::setgid and thus does not properly drop privileges, which might allow remote attackers to execute CGI programs with unintended privileges. [myserver-commit] 20070210 SF.net SVN: myserver: [2183] trunk/myserver/source/server.cpp http://www.myserverproject.net/news.php 34521 TrueCrypt before 4.3, when set-euid mode is used on Linux, allows local users to cause a denial of service (filesystem unavailability) by dismounting a volume mounted by a different user. http://www.truecrypt.org/docs/?s=version-history ADV-2007-1103 23128 24627 The Grandstream BudgeTone 200 IP phone, with program 1.1.1.14 and bootloader 1.1.1.5, allows remote attackers to cause a denial of service (device crash) via SIP (1) INVITE, (2) CANCEL, or unspecified other messages with a WWW-Authenticate header containing a crafted Digest domain. ADV-2007-1054 24538 34347 20070321 Grandstream Budge Tone-200 denial of service vulnerability grandstream-wwwauthenticate-dos(33108) 1017804 23075 VsapiNT.sys in the Scan Engine 8.0 for Trend Micro AntiVirus 14.10.1041, and other products, allows remote attackers to cause a denial of service (kernel fault and system crash) via a crafted UPX file with a certain field that triggers a divide-by-zero error. http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587 ADV-2007-0959 20070314 Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability 1017768 20070316 RE: [VulnWatch] iDefense Security Advisory 03.14.07: Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket. The vendor has addressed this vulnerability by releasing a patch for the Linux Kernel 2.6.21-rc3: http://www.kernel.org/pub/linux/kernel/v2.6/testing/patch-2.6.21-rc6.bz2 23104 [linux-netdev] 20070316 [PATCH 2.6.21-rc3] IPV6: ipv6_fl_socklist is inadvertently shared. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d35690beda1429544d46c8eb34b2e3a8c37ab299 kernel-tcpv6synrecvsoc-dos(33176) ADV-2007-1084 USN-464-1 RHSA-2007:0673 RHSA-2007:0672 RHSA-2007:0347 SUSE-SA:2007:043 SUSE-SA:2007:035 SUSE-SA:2007:030 MDVSA-2011:051 MDKSA-2007:078 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.4 DSA-1503 DSA-1304 DSA-1286 http://support.avaya.com/elmodocs2/security/ASA-2007-404.htm 29058 27528 26379 25961 25714 25683 25630 25392 25288 25226 25099 25078 24777 24618 RHSA-2007:0436 RHBA-2007-0304 oval:org.mitre.oval:def:10130 SUSE-SA:2007:029 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233478 The administrative service in Symantec Veritas Volume Replicator (VVR) for Windows 3.1 through 4.3, and VVR for Unix 3.5 through 5.0, in Symantec Storage Foundation products allows remote attackers to cause a denial of service (memory consumption and service crash) via a crafted packet to the service port (8199/tcp) that triggers a request for more memory than available, which causes the service to write to an invalid pointer. http://www.symantec.com/avcenter/security/Content/2007.06.01a.html 20070601 Symantec VERITAS Storage Foundation Administration Service DoS Vulnerability symantec-vvr-dos(34676) ADV-2007-2036 1018184 24160 25516 http://cirt.dk/advisories/cirt-53-advisory.txt The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet. 24579 ADV-2007-1077 http://www.sineapps.com/news.php?rssid=1707 1017809 23093 20070321 Two new DoS Vulnerabilities in Asterisk Fixed http://www.asterisk.org/node/48338 [VOIPSEC] 20070319 Asterisk SDP DOS vulnerability http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58907&r2=59038 GLSA-200704-01 24719 http://bugs.digium.com/view.php?id=9313 SUSE-SA:2007:034 25582 The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not properly generate extensions, which allows remote attackers to execute arbitrary extensions and have an unknown impact by specifying an invalid extension in a certain form. http://svn.digium.com/view/asterisk?rev=59073&view=rev ADV-2007-1123 http://bugs.digium.com/view.php?id=9316 23155 SUSE-SA:2007:034 25582 24694 Multiple PHP remote file inclusion vulnerabilities in the NFN Address Book (com_nfn_addressbook) 0.4 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) components/com_nfn_addressbook/nfnaddressbook.php or (2) administrator/components/com_nfn_addressbook/nfnaddressbook.php. ADV-2007-1073 23092 3539 43554 43553 nfnaddressbook-nfnaddressbook-file-include(33133) Unclassified NewsBoard 1.6.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain (1) the board log via a direct request for logs/board-YYYY-MM-DD.log, (2) the mail and private message (PM) log via a direct request for logs/email-YY-MM-DD-HH-MM-SS.log, (3) the SQL error message log via a direct request for logs/error-YY-MM.log, and (4) the IP log via a direct request for logs/ip.log. 20070319 Unclassified NewsBoard 1.6.3 multiples logs disclosure 35201 unb-log-information-disclosure(33150) Stack-based buffer overflow in InterVations FileCOPA FTP Server 1.01 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by filecopa.tar by Immunity. NOTE: some of these details are obtained from third party information. NOTE: As of 20070322, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being assigned a CVE identifier for tracking purposes. https://www.immunityinc.com/downloads/immpartners/filecopa.tar 23056 http://www.immunitysec.com/partners-index.shtml 43559 wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter. 20070320 Advisory - Redirection Vulnerability in wp-login.php. http://www.metaeye.org/advisories/40 DSA-1601 30960 PHP remote file inclusion vulnerability in module.php in Digital Eye Gallery 1.1 Beta (aka 0.1.1b) allows remote attackers to execute arbitrary PHP code via a URL in the menu parameter. ADV-2007-1070 23083 3533 37241 digital-eye-module-file-include(33115) ** DISPUTED ** Directory traversal vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the order parameter. NOTE: another researcher disputes this vulnerability, noting that the order variable is not used in any context that allows opening files. 20070313 Re: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln 20070313 Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln 35148 2453 SQL injection vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to execute arbitrary SQL commands via the order parameter. 20070313 Re: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln 2453 admin/contest.php in Weekly Drawing Contest 0.0.1 allows remote attackers to bypass authentication, and insert new contest information into a database, via a direct POST request. 20070313 Re: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln 2453 Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg. 23055 20070320 w-agora [multiples file upload,xss,full path disclosure,error sql] 24605 34384 34383 wagora-browseavatar-file-upload(33173) 2462 w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1. 23057 20070320 w-agora [multiples file upload,xss,full path disclosure,error sql] 24605 34382 34381 34380 wagora-multiple-path-disclosure(33174) 2462 Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php. 23057 20070320 w-agora [multiples file upload,xss,full path disclosure,error sql] 24605 34379 34378 34377 wagora-multiple-xss(33175) 2462 search.php in w-Agora (Web-Agora) allows remote attackers to obtain potentially sensitive information via a ' (quote) value followed by certain SQL sequences in the (1) search_forum or (2) search_user parameter, which force a SQL error. 23057 20070320 w-agora [multiples file upload,xss,full path disclosure,error sql] 24605 34376 wagora-search-sql-injection(33177) 2462 CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a single CRLF sequence in a context that is not a valid multi-line header. PK39732 ADV-2007-1062 23086 24552 34484 websphere-unspecified-response-splitting(33123) 1017806 Cross-site scripting (XSS) vulnerability in servlet/Spy in Dynamic Monitoring Services (DMS) in Oracle Application Server (OAS) 10g 10.1.2.0.0 allows remote attackers to inject arbitrary web script or HTML via the table parameter. NOTE: This may be related to CVE-2002-0563. ADV-2007-1078 20080905 Re: Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy 20070320 Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy oracle-dynamicmonitoring-xss(33146) 23102 33521 2474 24554 Cross-site scripting (XSS) vulnerability in the RSS reader in Glue Software NewsGlue before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via a feed. ADV-2007-1074 http://www.gluesoft.co.jp/NewsGlue/Update.aspx 34408 JVN#64227086 newsglue-rss-feed-xss(33166) 23094 24603 Cross-site scripting (XSS) vulnerability in the RSS reader in a certain SOURCENEXT product, probably IKANARI JIJYOU 1.0.0 and 1.0.1, allows remote attackers to inject arbitrary web script or HTML via the title of an article in a feed. http://www.sourcenext.info/download/jijou.html JVN#64227086 SQL injection vulnerability in index.php in Katalog Plyt Audio 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the kolumna parameter. ADV-2007-1015 24539 34269 3513 katalog-index-sql-injection(33048) 23024 Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter. ADV-2007-1008 23009 24576 34278 3503 Stack-based buffer overflow in the zzip_open_shared_io function in zzip/file.c in ZZIPlib Library before 0.13.49 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long filename. http://sourceforge.net/project/shownotes.php?group_id=6389&release_id=494587 24586 ADV-2007-0998 http://www.securitylab.ru/forum/read.php?FID=21&TID=40858&MID=326187 33838 23013 MDKSA-2007:093 GLSA-200704-05 24708 SQL injection vulnerability in index.php in ScriptMagix Jokes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1012 24595 3509 scriptmagixjokes-index-sql-injection(33063) 23015 SQL injection vulnerability in index.php in ScriptMagix Lyrics 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the recid parameter. ADV-2007-1016 24563 34283 3515 scriptmagixlyrics-index-sql-injection(33056) 23019 SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1013 24594 34286 3510 SQL injection vulnerability in index.php in ScriptMagix FAQ Builder 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1011 3507 34619 24704 SQL injection vulnerability in viewcomments.php in ScriptMagix Photo Rating 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the phid parameter. ADV-2007-1014 3511 34629 scriptmagixphoto-viewcomments-sql-injection(33061) 23018 24698 Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php. phpdbdesigner-multiple-script-file-include(33033) ADV-2007-1007 3501 37212 37211 37210 PHP remote file inclusion vulnerability in templates/head.php in Active PHP Bookmark Notes (APB) 0.2.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APB_SETTINGS[template_path] parameter. NOTE: this issue might be related to CVE-2003-1254. apbn-head-file-include(33065) ADV-2007-1009 23010 3504 37226 Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF. http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt ADV-2007-1005 http://sla.ckers.org/forum/read.php?2,7935#msg-8006 24567 23027 DSA-1285 25108 Multiple cross-site scripting (XSS) vulnerabilities in realGuestbook 5.01, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) bg_color_1, (2) fs_menu, (3) fc_menu, (4) ff_menu, (5) bg_color_2, (6) fs_normal, (7) fc_normal, and (8) ff_normal parameters to welcome_admin.php; and possibly unspecified other parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24602 34341 Multiple SQL injection vulnerabilities in realGuestbook 5.01 allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) homepage, and (4) text parameters to save_entry.php, as reachable through add_entry.php; and possibly other unspecified parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1060 23072 24602 34342 Cross-site scripting (XSS) vulnerability in save_entry.php in realGuestbook 5.01 allows remote attackers to inject arbitrary web script or HTML via the homepage parameter, as reachable through add_entry.php. NOTE: the original report stated that the vulnerability was in add_entry.php, which does not receive the input data. ADV-2007-1060 23072 http://trew.icenetx.net/toolz/advisory-realGuestbook_V5-en.txt 24602 34343 PHP remote file inclusion vulnerability in iframe.php in the iFrame Module for PHP-NUKE allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. iframe-iframe-file-include(33060) 23038 3512 37222 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-4606. Reason: This candidate is a duplicate of CVE-2006-4606. Notes: All CVE users should reference CVE-2006-4606 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple PHP remote file inclusion vulnerabilities in Study planner (Studiewijzer) 0.15 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the SPL_CFG[dirroot] parameter to (1) service.alert.inc.php or (2) settings.ses.php in inc/; (3) db/mysql/db.inc.php; (4) integration/shortstat/configuration.php; (5) ali.class.php or (6) cat.class.php in methodology/traditional/class/; (7) cat_browse.inc.php, (8) chr_browse.inc.php, (9) chr_display.inc.php, or (10) dash_browse.inc.php in methodology/traditional/ui/inc/; (11) spl.webservice.php or (12) konfabulator/gateway_admin.php in ws/; or other unspecified files. studyplanner-multiple-scripts-file-include(33128) ADV-2007-1069 23076 20070322 [ECHO_ADV_77$2007] Study planner (Studiewijzer) <= 0.15 Remote File Inclusion Vulnerability 3532 http://advisories.echo.or.id/adv/adv77-K-159-2007.txt SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Photo Gallery allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1072 23077 3536 active-default-sql-injection(33129) 24568 SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Link Engine allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1071 23080 3534 active-link-default-sql-injection(33111) 34364 24574 ** DISPUTED ** PHP remote file inclusion vulnerability in signup.php in CLBOX 1.01 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: this issue has been disputed by a reliable third party, stating that header is defined through an include file before use. 20070317 CLBOX <= (signup.php header) Remote File Include Vulnerability 20070319 Bogus - [CLBOX <= (signup.php header) Remote File Include Vulnerability] 33503 2469 Unspecified vulnerability in TYPOlight webCMS before 2.2 Build 5 has unknown impact and attack vectors related to a "major security hole." 24546 ADV-2007-1026 http://www.typolight.org/changelog.html 33303 Directory traversal vulnerability in bbcode_ref.php in the Giorgio Ciranni Splatt Forum 4.0 RC1 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by bbcode_ref.php. ADV-2007-1027 23035 3518 38599 Variable extraction vulnerability in grab_globals.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote attackers to conduct SQL injection attacks via the _FILES[DB][tmp_name] parameter to print.php, which overwrites the $DB variable with dynamic variable evaluation. 20070318 Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day 20070323 Root cause of NPDS SQL injection is variable extraction/evaluation 24571 2473 Static code injection vulnerability in admin/settings.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote authenticated users to inject arbitrary PHP code via the xtop parameter in a "ConfigSave" op to admin.php, which can later be accessed via a "Configure" op to admin.php. 20070318 Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day 24571 34303 2473 Directory traversal vulnerability in index.php in RoseOnlineCMS 3 B1 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the op parameter, as demonstrated by injecting PHP code into Apache log files via the URL and User-Agent HTTP header. roseonlinecms-index-file-include(33185) ADV-2007-1094 23108 3548 38601 Multiple buffer overflows in the IMAILAPILib ActiveX control (IMailAPI.dll) in Ipswitch IMail Server before 2006.2 allow remote attackers to execute arbitrary code via the (1) WebConnect and (2) Connect members in the (a) IMailServer control; (3) Sync3 and (4) Init3 members in the (b) IMailLDAPService control; and the (5) SetReplyTo member in the (c) IMailUserCollection control. Upgrade to version 2006.2. ADV-2007-0853 1017737 http://support.ipswitch.com/kb/IM-20070305-JH01.htm 24422 20070307 Ipswitch IMail Server 2006 Multiple ActiveX Control Buffer Overflow Vulnerabilitie Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files. Successful exploitation requires that variable "magic_quotes_gpc" is disabled. Upgrade to version 5.2.1, 24509 phprojekt-multiple-modules-csrf(32989) 20070314 n.runs-SA-2007.005 - PHProjekt 5.2.0 - Cross Site Request Forgery http://www.phprojekt.com/index.php?name=News&file=article&sid=276 http://www.nruns.de/security_advisory_phprojekt_csrf.php 35162 2477 GLSA-200706-07 25748 Unrestricted file upload vulnerability in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allows remote authenticated users to upload and execute arbitrary PHP code via a file with an executable extension, which is then accessed by the (1) calendar or (2) file management module, or possibly unspecified other files. Successful exploitation requires that variable "magic_quotes_gpc" is disabled. Upgrade to version 5.2.1. 22956 24509 phprojekt-calendarfile-file-upload(32995) 20070314 n.runs-SA-2007.006 - PHProjekt 5.2.0 - Privilege escalation http://www.phprojekt.com/index.php?name=News&file=article&sid=276 http://www.nruns.de/security_advisory_phprojekt_privilege_escalation.php 35163 2476 GLSA-200706-07 25748 Multiple PHP remote file inclusion vulnerabilities in ClassWeb 2.03 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the BASE parameter to (1) language.php and (2) phpadmin/survey.php. ADV-2007-1085 23095 3542 37215 37214 classweb-languagesurvey-file-include(33162) SQL injection vulnerability in index.php in PortailPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the idnews parameter. 23096 3543 34410 portailphp-idnews-sql-injection(33145) 24620 Unspecified vulnerability in ManageEngine Firewall Analyzer allows remote authenticated users to "access any common file" via a direct URL request. manageengine-unspecified-info-disclosure(33319) 23097 20070330 Re: ManageEngine Firewall Analyzer arbitrary file disclosure to authorized user 20070329 Re: ManageEngine Firewall Analyzer arbitrary file disclosure to authorized user 20070322 ManageEngine Firewall Analyzer arbitrary file disclosure to authorized user 2479 24707 34525 Multiple PHP remote file inclusion vulnerabilities in LAN Management System (LMS) 1.8.9 Vala and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG[directories][userpanel_dir] parameter to userpanel.php or the (2) _LIB_DIR parameter to welcome.php. lms-userpanelwelcome-file-include(33158) ADV-2007-1086 23100 23099 3545 20070426 true: 2 distinct LMS RFI, one old, one new; and vague ACK 24621 The dynamic DNS update mechanism in the DNS Server service on Microsoft Windows does not properly authenticate clients in certain deployments or configurations, which allows remote attackers to change DNS records for a web proxy server and conduct man-in-the-middle (MITM) attacks on web traffic, conduct pharming attacks by poisoning DNS records, and cause a denial of service (erroneous name resolution). 3544 43603 Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via a long request on UDP port 69. NOTE: this issue might overlap CVE-2006-4781 or CVE-2005-1812. 3541 futuresoft-seh-bo(33188) Multiple cross-site scripting (XSS) vulnerabilities in SubHub 2.3.0 allow remote attackers to inject arbitrary web script or HTML via (1) the searchtext parameter to (a) /search, or the (2) message parameter to (b) /calendar or (c) /subscribe. 20070321 **SubHub v2.3.0** subhub-search-xss(33161) 2475 Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/. moodle-sessions-information-disclosure(33147) 3508 43558 0irc 1345 build 20060823 allows remote attackers to cause a denial of service (application crash) by operating an IRC server that sends a long string to a client, which triggers a NULL pointer dereference. 23101 3547 43557 oircclient-null-pointer-dos(33224) PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed. http://www.php-security.org/MOPB/MOPB-29-2007.html php-unserialize-information-disclosure(33170) 23105 MDVSA-2008:126 http://us2.php.net/releases/5_2_2.php 24630 pcapsipdump.cpp in pcapsipdump before 0.1.3 allows remote attackers to cause a denial of service (application crash) via a malformed SIP packet, which results in a NULL pointer dereference. Update to version 0.1.3. http://sourceforge.net/project/shownotes.php?release_id=495646&group_id=173277 43556 Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site. 43600 [security] 20070322 MyOpenID [security] 20070321 MyOpenID [security] 20070321 MyOpenID [security] 20070321 MyOpenID [security] 20070321 MyOpenID http://janrain.com/blog/2007/03/22/myopenid-security-fix/ OpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add it site to the trusted sites list via a crafted web page, related to cached tokens. 43601 [security] 20070322 MyOpenID [security] 20070321 MyOpenID [security] 20070321 MyOpenID [security] 20070321 MyOpenID [security] 20070321 MyOpenID http://janrain.com/blog/2007/03/22/myopenid-security-fix/ GlowWorm FW before 1.5.3b4 allows remote attackers to cause a denial of service (kernel panic) via certain DNS responses that trigger infinite recursion in TrueDNS packet parsing, as originally observed with certain login.yahoo.com responses. 43597 http://glowworm.us/history/release_1_5_3_b4.html Buffer overflow in the Ne7sshSftp::addOpenHandle function in ne7ssh_sftp.cpp in NetSieben SSH Library (ne7ssh) before 1.2.1 allows user-assisted remote SFTP servers to cause a denial of service (crash) or possibly execute arbitrary code via multiple file transfers, related to multiple open file handles in SFTP (1) put and (2) get operations. 43555 http://netsieben.com/files/CHANGELOG Buffer overflow in the fun_ladd function in funmath.cpp in TinyMUX before 20070126 might allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors related to lists of numbers. ADV-2007-1213 http://www.tinymux.org/changes.txt 34686 http://code.google.com/p/tinymux/issues/detail?id=282&can=2&q= 23292 DSA-1317 25784 24733 Multiple SQL injection vulnerabilities in index.php in Katalog Plyt Audio 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fraza and (2) litera parameters, different vectors than CVE-2007-1612. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1015 37184 Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument. 22964 20070314 Fwd: Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability 43550 20070314 [TRUE] Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability Windows Mail in Microsoft Windows Vista might allow user-assisted remote attackers to execute certain programs via a link to a (1) local file or (2) UNC share pathname in which there is a directory with the same base name as an executable program at the same level, as demonstrated using C:/windows/system32/winrm (winrm.cmd) and migwiz (migwiz.exe). TA07-163A windows-mail-code-execution(33167) ADV-2007-2154 23103 HPSBST02231 20070323 Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability 20070323 Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability 20070323 Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability 1017816 SSRT071438 MS07-034 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014194 25639 http://news.com.com/2100-1002_3-6170133.html http://isc.sans.org/diary.html?storyid=2507 oval:org.mitre.oval:def:1861 Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes. TA07-352A 26346 DSA-1399 FEDORA-2008-1842 https://issues.rpath.com/browse/RPL-1738 pcre-regex-code-execution(38272) ADV-2008-0924 ADV-2007-4238 ADV-2007-3790 ADV-2007-3725 USN-547-1 20071112 FLEA-2007-0064-1 pcre 20071106 rPSA-2007-0231-1 pcre RHSA-2007:1068 RHSA-2007:0967 http://www.pcre.org/changelog.txt SUSE-SA:2007:062 SUSE-SR:2007:025 MDVSA-2008:030 MDKSA-2007:212 MDKSA-2007:211 DSA-1570 http://support.avaya.com/elmodocs2/security/ASA-2007-505.htm 1018895 GLSA-200805-11 GLSA-200801-19 GLSA-200801-18 GLSA-200801-02 GLSA-200711-30 30155 30106 29420 29267 28720 28714 28658 28414 28406 28136 28041 27965 27773 27741 27697 27598 27554 27547 27543 27538 oval:org.mitre.oval:def:9725 [gtk-devel-list] 20071107 GLib 2.14.3 SUSE-SA:2008:004 APPLE-SA-2008-03-18 APPLE-SA-2007-12-17 http://docs.info.apple.com/article.html?artnum=307562 http://docs.info.apple.com/article.html?artnum=307179 http://bugs.gentoo.org/show_bug.cgi?id=198976 30219 Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code. TA07-352A 26346 DSA-1399 https://issues.rpath.com/browse/RPL-1738 https://bugzilla.redhat.com/show_bug.cgi?id=315881 pcre-character-class-dos(38273) ADV-2008-1234 ADV-2008-0924 ADV-2007-4238 ADV-2007-3790 ADV-2007-3725 USN-547-1 20080416 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus 20071112 FLEA-2007-0064-1 pcre 20071106 rPSA-2007-0231-1 pcre RHSA-2007:1065 RHSA-2007:1063 RHSA-2007:0968 RHSA-2007:0967 SUSE-SA:2007:062 SUSE-SR:2007:025 MDKSA-2007:213 MDKSA-2007:212 MDKSA-2007:211 DSA-1570 http://support.avaya.com/elmodocs2/security/ASA-2007-488.htm 1018895 GLSA-200801-19 GLSA-200801-18 GLSA-200801-02 GLSA-200711-30 30106 29785 29420 28720 28714 28658 28414 28406 28136 27965 27862 27776 27773 27741 27697 27598 27554 27547 27543 27538 oval:org.mitre.oval:def:10562 [gtk-devel-list] 20071107 GLib 2.14.3 [Security-announce] 20080415 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus SUSE-SA:2008:004 APPLE-SA-2008-03-18 APPLE-SA-2007-12-17 http://docs.info.apple.com/article.html?artnum=307562 http://docs.info.apple.com/article.html?artnum=307179 http://bugs.gentoo.org/show_bug.cgi?id=198976 RHSA-2008:0546 GLSA-200805-11 31124 30219 30155 Perl-Compatible Regular Expression (PCRE) library before 7.3 backtracks too far when matching certain input bytes against some regex patterns in non-UTF-8 mode, which allows context-dependent attackers to obtain sensitive information or cause a denial of service (crash), as demonstrated by the "\X?\d" and "\P{L}?\d" patterns. TA07-352A DSA-1399 ADV-2008-0924 ADV-2007-4238 ADV-2007-3790 ADV-2007-3725 http://www.pcre.org/changelog.txt DSA-1570 30106 FEDORA-2008-1842 https://issues.rpath.com/browse/RPL-1738 pcre-nonutf8-dos(38274) USN-547-1 26346 20071112 FLEA-2007-0064-1 pcre 20071106 rPSA-2007-0231-1 pcre SUSE-SA:2007:062 MDKSA-2007:211 GLSA-200805-11 GLSA-200801-19 GLSA-200801-18 GLSA-200801-02 GLSA-200711-30 30219 30155 29420 29267 28720 28714 28414 28406 28136 27773 27741 27697 27554 27543 27538 [gtk-devel-list] 20071107 GLib 2.14.3 APPLE-SA-2008-03-18 APPLE-SA-2007-12-17 http://docs.info.apple.com/article.html?artnum=307562 http://docs.info.apple.com/article.html?artnum=307179 http://bugs.gentoo.org/show_bug.cgi?id=198976 Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references. TA07-352A DSA-1399 ADV-2008-0924 ADV-2007-4238 ADV-2007-3790 ADV-2007-3725 http://www.pcre.org/changelog.txt DSA-1570 30106 FEDORA-2008-1842 https://issues.rpath.com/browse/RPL-1738 pcre-unmatched-dos(38275) USN-547-1 26346 20071112 FLEA-2007-0064-1 pcre 20071106 rPSA-2007-0231-1 pcre MDKSA-2007:211 GLSA-200805-11 GLSA-200801-19 GLSA-200801-18 GLSA-200801-02 GLSA-200711-30 30219 30155 29420 29267 28720 28714 28414 28406 28136 27741 27697 27554 27543 27538 [gtk-devel-list] 20071107 GLib 2.14.3 APPLE-SA-2008-03-18 APPLE-SA-2007-12-17 http://docs.info.apple.com/article.html?artnum=307562 http://docs.info.apple.com/article.html?artnum=307179 http://bugs.gentoo.org/show_bug.cgi?id=198976 Memory leak in the image message functionality in ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote attackers to cause a denial of service. DSA-1318 24600 ekg-image-message-dos(35134) ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote attackers to cause a denial of service (NULL pointer dereference) via a vector related to the token OCR functionality. DSA-1318 24600 ekg-token-ocr-dos(35135) Memory leak in the token OCR functionality in ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote attackers to cause a denial of service. DSA-1318 24600 ekg-ocr-function-dos(35136) The processor_request function in the debugger server for DataRescue IDA Pro 5.0 and 5.1 does not verify that authentication has taken place before invoking the perform_request function, which allows remote attackers to perform unauthorized actions. This vulnerability has been addressed in the following product updates. DataRescue IDA Pro 5.0 DataRescue ida_remdeb_fix_22032007.zip http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip DataRescue IDA Pro 5.1 DataRescue ida_remdeb_fix_22032007.zip http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip idapro-processorrequest-code-execution(33190) ADV-2007-1089 1017815 23114 33523 24635 20070323 DataRescue IDA Pro Remote Debugger Server Authentication Bypass Vulnerability Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. https://issues.rpath.com/browse/RPL-1213 https://issues.rpath.com/browse/RPL-1211 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231684 ADV-2007-1531 ADV-2007-1217 USN-481-1 USN-453-2 USN-453-1 1017864 23300 20070405 FLEA-2007-0009-1: xorg-x11 freetype 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs RHSA-2007:0157 RHSA-2007:0126 [4.0] 011: SECURITY FIX: April 4, 2007 [3.9] 021: SECURITY FIX: April 4, 2007 SUSE-SR:2007:008 SUSE-SA:2007:027 MDKSA-2007:147 MDKSA-2007:079 GLSA-200805-07 DSA-1858 DSA-1294 http://support.avaya.com/elmodocs2/security/ASA-2007-176.htm http://support.apple.com/kb/HT3438 102888 GLSA-200705-06 36260 33937 30161 26177 25992 25305 25131 25112 25072 25004 24975 24953 24791 24771 24765 24758 24756 24745 24741 24739 RHSA-2007:0125 oval:org.mitre.oval:def:9776 [xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfont APPLE-SA-2009-02-12 http://issues.foresightlinux.org/browse/FL-223 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045 oval:org.mitre.oval:def:1693 zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. 25122 multiple-vendor-zoo-dos(34080) ADV-2007-1699 23823 20070504 Multiple vendors ZOO file decompression infinite loop DoS 35795 20070724 zoo - amavis - barracuda cross-ref problems http://www.amavis.org/security/asa-2007-2.txt 2680 25315 Panda Software Antivirus before 20070402 allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. 20070504 Multiple vendors ZOO file decompression infinite loop DoS multiple-vendor-zoo-dos(34080) ADV-2007-1700 23823 25152 avpack32.dll before 7.3.0.6 in Avira AntiVir allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. 20070504 Multiple vendors ZOO file decompression infinite loop DoS multiple-vendor-zoo-dos(34080) ADV-2007-1702 23823 25140 2680 avast! antivirus before 4.7.981 allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. 20070504 Multiple vendors ZOO file decompression infinite loop DoS multiple-vendor-zoo-dos(34080) ADV-2007-1701 23823 25137 2680 unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. http://xforce.iss.net/xforce/xfdb/34080 For Barracuda Spam Firewall: Upgrade to the latest virus definition version of Barracuda Spam Firewall (virusdef 2.0.6399 for 3.4 and after or virusdef 2.0.6399o for prior to 3.4), available from the automatic update. For Panda Software Antivirus: Upgrade to the latest version of Panda Software Antivirus (4/2/2007 or later), available from the automatic update feature. For avast! antivirus: Upgrade to the latest version of Panda Software Antivirus (4.7.981 or later), available from the avast! antivirus Web site. See references. For Avira AntiVir: Upgrade to the latest version of Avira AntiVir (avpack32.dll version 7.3.0.6 or later), available from the automatic update feature. For AMaViS: Refer to ASA-2007-2 for patch, upgrade, or suggested workaround information. See References. multiple-vendor-zoo-dos(34080) 23823 20070504 Multiple vendors ZOO file decompression infinite loop DoS http://www.amavis.org/security/asa-2007-2.txt 2680 25315 36208 Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP. http://www.tippingpoint.com/security/advisories/TSRT-07-04.html http://kb.landesk.com/display/4n/kb/article.asp?aid=4142 ADV-2007-1391 1017912 23483 20070413 TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability 24892 34964 landesk-aolnsrvr-bo(33657) Buffer overflow in the CRAM-MD5 authentication mechanism in the IMAP server (nimap.exe) in IBM Lotus Domino before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to cause a denial of service via a long username. 23173 http://www-1.ibm.com/support/docview.wss?uid=swg21257028 domino-imap-dos(33276) http://www.zerodayinitiative.com/advisories/ZDI-07-011.html ADV-2007-1133 1017823 23172 24633 Multiple buffer overflows in the ISO network protocol support in the NetBSD kernel 2.0 through 4.0_BETA2, and NetBSD-current before 20070329, allow local users to execute arbitrary code via long parameters to certain functions, as demonstrated by a long sockaddr structure argument to the clnp_route function. ADV-2007-1159 23193 43596 NetBSD-SA2007-004 1017832 Cross-site scripting (XSS) vulnerability in the Fizzle 0.5 extension for Firefox allows remote attackers to inject arbitrary web script or HTML via RSS feeds, which are executed by the chrome: URI handler. ADV-2007-1112 20070324 Fizzle : Firefox Extension Vulnerability 24654 fizzle-rssfeed-xss(33227) 23144 33522 2480 ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages. horde-search-rule-xss(33228) 23136 20070326 Re: Horde Webmail Multiple HTML Injection vulnerability 20070325 Horde Webmail Multiple HTML Injection vulnerability 2487 Stack-based buffer overflow in the createAndJoinConference function in the AudioConf ActiveX control (yacscom.dll) in Yahoo! Messenger before 20070313 allows remote attackers to execute arbitrary code via long (1) socksHostname and (2) hostname properties. VU#388377 http://www.zerodayinitiative.com/advisories/ZDI-07-012.html 23291 24742 http://messenger.yahoo.com/security_update.php?id=031207 ADV-2007-1219 20070403 ZDI-07-012: Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow 34319 yahoo-yahooaudioconf-activex-bo(33408) 1017867 2523 Format string vulnerability in libwebconsole_services.so in Sun Java Web Console 2.2.2 through 2.2.5 allows remote attackers to cause a denial of service (application crash), obtain sensitive information, and possibly execute arbitrary code via unspecified vectors during a failed login attempt, related to syslog. Root level code execution is only possible if the web console is running as root, which it does not by default. The vendor has addressed this issue through multiple product updates: Sun Java Web Console 2.2.2 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.2 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.3 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console 2.2.3 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.4 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console 2.2.4 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.5 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console 2.2.5 http://www.sun.com/download/products.xml?id=461d58be ADV-2007-1443 23539 20070417 n.runs-SA-2007.007 - Sun Solaris 10 - Format string vulnerability http://www.nruns.com/security_advisory_sun_java_format_string.php 102854 34902 javawebconsole-libcsyslog-format-string(33731) 1017930 24927 oval:org.mitre.oval:def:1252 Multiple stack-based buffer overflows in the FileManager ActiveX control in SAFmgPws.dll in SoftArtisans XFile before 2.4.0 allow remote attackers to execute arbitrary code via unspecified calls to the (1) BuildPath, (2) GetDriveName, (3) DriveExists, or (4) DeleteFile method. VU#914785 30826 http://support.softartisans.com/Support-114.aspx 31615 Stack-based buffer overflow in the DoWebMenuAction function in the IncrediMail IMMenuShellExt ActiveX control (ImShExt.dll) allows remote attackers to execute arbitrary code via unspecified vectors. VU#906777 ADV-2007-1551 34331 incredimail-immenushellext-bo(33928) 23674 25051 The Run function in SolidWorks sldimdownload ActiveX control in sldimdownload.dll before 16.0.0.6 allows remote attackers to execute arbitrary commands via the (1) installerpath and (2) applicationarguments arguments. VU#556801 23290 24762 ADV-2007-1216 1017855 34320 solidworks-activex-command-execution(33428) Buffer overflow in k9filter.exe in BlueCoat K9 Web Protection 3.2.36, and probably other versions before 3.2.44, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request to port 2372. ADV-2007-2104 http://www.csis.dk/dk/forside/Bluecoat-k9.pdf bluecoat-management-interface-bo(34773) 1018210 24373 20070608 CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow 25593 20070608 CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow Multiple buffer overflows in the Internet Pictures Corporation iPIX Image Well ActiveX control (iPIX-ImageWell-ipix.dll) allow remote attackers to execute arbitrary code via unspecified vectors. VU#958609 ADV-2007-1309 34321 ipix-imagewell-activex-unspecified-bo(33543) 1017888 23379 24816 Buffer overflow in the PhPInfo ActiveX control in PhPCtrl.dll in Callisto PhotoParade Player allows remote attackers to execute arbitrary code via the FileVersionof property. VU#171449 ADV-2007-3138 25654 37731 photoparade-phpinfo-bo(36588) 26789 Buffer overflow in the ISAlertDataCOM ActiveX control in ISLALERT.DLL for Norton Personal Firewall 2004 and Internet Security 2004 allows remote attackers to execute arbitrary code via long arguments to the (1) Get and (2) Set functions. VU#983953 http://www.symantec.com/avcenter/security/Content/2007.05.16.html symantec-islalert-bo(34328) ADV-2007-1843 1018073 23936 20070516 Symantec Product Security: Norton Personal Firewall 2004 ActiveX Control vulnerability 25290 36164 Multiple stack-based buffer overflows in Second Sight Software ActiveGS ActiveX control (ActiveGS.ocx) allow remote attackers to execute arbitrary code via unspecified vectors. VU#118737 activegs-unspecified-bo(33759) ADV-2007-1454 34326 activegs-slot-bo(33759) 23554 24960 Stack-based buffer overflow in Second Sight Software ActiveMod ActiveX control (ActiveMod.ocx) allows remote attackers to execute arbitrary code via unspecified vectors. VU#962305 activemod-unspecified-bo(33757) ADV-2007-1454 34325 activemod-filename-bo(33757) 23554 24928 The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests, as demonstrated using Internet Explorer. NOTE: it could be argued that if an attacker already has control over WINS/DNS, then web traffic could already be intercepted by modifying WINS or DNS records, so this would not cross privilege boundaries and would not be a vulnerability. It has also been reported that DHCP is an alternate attack vector. windows-wpad-information-disclosure(33244) ADV-2007-1115 934864 http://news.com.com/Windows+weakness+can+lead+to+network+traffic+hijacks/2100-1002_3-6170229.html http://isc.sans.org/diary.html?storyid=2517 [ISN] 20070326 Windows weakness can lead to network traffic hijacks The SIP channel module in Yet Another Telephony Engine (Yate) before 1.2.0 sets the caller_info_uri parameter using a incorrect variable that can be NULL, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a Call-Info header without a purpose parameter. 20070501 Radware Security Advisory - Yate 1.1.0 Denial of Service Vulnerability http://voip.null.ro/cgi-bin/cvsweb.cgi/yate/modules/ysipchan.cpp 23746 2716 ** DISPUTED ** PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks for a global constant and cannot be accessed directly. 20070324 Remote File Include In phpBB-2.0.19 20070324 BOGUS: Remote File Include In phpBB-2.0.19 SQL injection vulnerability in ViewNewspapers.asp in Active Newsletter 4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the NewsPaperID parameter. ADV-2007-1098 23115 3556 activenewsletter-newspaperid-sql-injection(33197) 34491 24640 PHP remote file inclusion vulnerability in header.inc.php in Philex 0.2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CssFile parameter. ADV-2007-1099 23111 3552 37220 philex-header-file-include(33179) download.php in Philex 0.2.3 and earlier allows remote attackers to read arbitrary files and source code, and obtain sensitive information via the file parameter. ADV-2007-1099 23111 3552 philex-download-file-disclosure(33181) Multiple PHP remote file inclusion vulnerabilities in the SWmenu (com_swmenupro and com_swmenufree) 4.0 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to ImageManager/Classes/ImageManager.php under the (1) components/ or (2) administrator/components/ directory trees. ADV-2007-1100 23116 3557 38791 38790 swmenufree-imagemanager-file-include(33204) The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable. ADV-2007-2374 ADV-2007-1991 23119 http://www.php-security.org/MOPB/MOPB-30-2007.html HPSBTU02232 HPSBMA02215 USN-455-1 SUSE-SA:2007:032 DSA-1283 GLSA-200705-19 25850 25445 25423 25062 25057 25056 HPSBTU02232 SSRT071423 PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:". Successful exploitation requires that variable "register_globals" is enabled. ADV-2007-2374 ADV-2007-1991 23120 http://www.php-security.org/MOPB/MOPB-31-2007.html oval:org.mitre.oval:def:11034 HPSBTU02232 HPSBMA02215 GLSA-200705-19 25850 25445 25423 SSRT071429 HPSBMA02215 PHP remote file inclusion vulnerability in mod_flatmenu.php in the Flatmenu 1.07 and earlier Mambo module allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. ADV-2007-1106 3567 20070326 Confirm - Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File Include Exploit flatmenu-modflatmenu-file-include(33200) 23125 SQL injection vulnerability in index.php in the RWCards (com_rwcards) 2.4.3 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter. ADV-2007-1105 3565 37213 rwcards-index-sql-injection(33194) 23126 SQL injection vulnerability in index.php in the Car Manager (com_resman) 1.1 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-1104 3564 37199 carmanager-index-sql-injection(33193) 23131 SQL injection vulnerability in default.asp in Active Trade 2 allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1095 3549 24631 activetrade-default-sql-injection(33184) SQL injection vulnerability in eWebQuiz.asp in eWebQuiz 8 allows remote attackers to execute arbitrary SQL commands via the QuizID parameter. ADV-2007-1101 3558 24653 34439 ewebquiz-ewebquiz-sql-injection(33195) PHP remote file inclusion vulnerability in index.php in Net Side Content Management System (Net-Side.net CMS) allows remote attackers to execute arbitrary PHP code via a URL in the cms parameter. 3562 37194 23130 PHP remote file inclusion vulnerability in lib/db/ez_sql.php in ttCMS 4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the lib_path parameter. ADV-2007-1102 3563 37198 ttcms-ezsql-file-include(33202) 23139 Buffer overflow in the confirm_phpdoc_compiled function in the phpDOC extension (PECL phpDOC) in PHP 5.2.1 allows context-dependent attackers to execute arbitrary code via a long argument string. phpdoc-confirmcompiled-bo(33236) 23124 20070325 PHP 5.2.1 with PECL phpDOC local buffer overflow 3576 2512 http://retrogod.altervista.org/php521_phpdoc_bof.html The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded a "php://../../" sequence. ADV-2007-2374 ADV-2007-1991 3573 SSRT071429 SSRT071423 25850 25423 HPSBTU02232 SSRT071423 Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007). https://issues.rpath.com/browse/RPL-1268 ADV-2007-2732 23121 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql http://www.php-security.org/MOPB/MOPB-32-2007.html DSA-1283 DSA-1282 25062 25025 24945 24941 24924 24910 RHSA-2007:0163 RHSA-2007:0155 RHSA-2007:0154 oval:org.mitre.oval:def:10406 25159 MDKSA-2007:088 MDKSA-2007:087 GLSA-200705-19 26235 25445 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Auction Pro 7.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter. ADV-2007-1097 24626 3551 activeauctionpro-default-sql-injection(33182) 34420 CRLF injection vulnerability in BSMTP.DLL in B21Soft BASP21 2003.0211, and BASP21 Pro 1.0.702.27 and earlier, allows remote attackers to inject arbitrary headers into e-mail messages via CRLF sequences in Subject lines. basp21-bsmtp-mail-relay(33211) ADV-2007-1113 23134 http://www.hi-ho.ne.jp/babaq/basp21.html 24652 34495 JVN#86092776 Cross-site scripting (XSS) vulnerability in index.php in CcCounter 2.0 allows remote attackers to inject arbitrary web script or HTML via dir parameter. ADV-2007-1120 23135 20070324 CcCounter 2.0 cross-site scripting vulnerability 34485 cccounter-index-xss(33213) 2481 24655 PHP remote file inclusion vulnerability in frontpage.php in Free Image Hosting 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AD_BODY_TEMP parameter. NOTE: the forgot_pass.php vector is already covered by CVE-2006-5670, and the login.php vector overlaps CVE-2006-5763. freeimagehosting-adbodytemp-file-include(33196) 3568 37179 pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=230823 ADV-2007-3229 oval:org.mitre.oval:def:11483 37271 RHSA-2007:0737 RHSA-2007:0555 RHSA-2007:0465 http://support.avaya.com/elmodocs2/security/ASA-2007-526.htm GLSA-200711-23 28319 27706 27590 26909 25894 25631 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player 20070602-01-P The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed. ADV-2007-2732 23146 http://www.php-security.org/MOPB/MOPB-33-2007.html 25159 SUSE-SA:2007:032 http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php GLSA-200705-19 26235 25445 25056 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro. 23145 http://www.php-security.org/MOPB/MOPB-34-2007.html oval:org.mitre.oval:def:10951 USN-455-1 1017946 RHSA-2007:0162 RHSA-2007:0153 SUSE-SA:2007:032 MDKSA-2007:090 MDKSA-2007:089 MDKSA-2007:088 MDKSA-2007:087 DSA-1283 DSA-1282 http://us2.php.net/releases/5_2_2.php GLSA-200705-19 25445 25062 25057 25056 25025 24965 24924 24909 RHSA-2007:0155 Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name. ADV-2007-1125 3578 freebsd-eject-bo(33212) 24641 Directory traversal vulnerability in addressbook.php in the Addressbook 1.2 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module_name parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file. ADV-2007-1118 3582 36572 addressbook-addressbook-file-include(33243) 23156 24697 Multiple PHP remote file inclusion vulnerabilities in C-Arbre 0.6PR7 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) Richtxt_functions.inc.php, (2) adddocfile.php, (3) auth_check.php, (4) browse_current_category.inc.php, (5) docfile_details.php, (6) main.php, (7) mainarticle.php, (8) maindocfile.php, (9) modify.php, (10) new.php, (11) resource_details.php, or (12) smallsearch.php in lib/; or (13) mwiki/LocalSettings.php. ADV-2007-1119 3583 http://advisories.echo.or.id/adv/adv78-K-159-2007.txt carbre-rootpath-file-include(33238) 23154 20070327 [ECHO_ADV_78$2007] C-Arbre <= 0.6PR7 (root_path) Remote File Inclusion Vulnerability 2491 Buffer overflow in the DownloadCertificateExt function in SignKorea SKCommAX ActiveX control module 7.2.0.2 and 3280 6.6.0.1 allows remote attackers to execute arbitrary code via a long pszUserID argument. ADV-2007-1114 24587 20070327 SignKorea's ActiveX Buffer Overflow Vulnerability skcommax-downloadcertificate-bo(33245) 23149 Multiple cross-site scripting (XSS) vulnerabilities in the administration console in Secure Computing CipherTrust IronMail 6.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) network, (2) defRouterIp, (3) hostName, (4) domainName, (5) ipAddress, (6) defaultRouter, (7) dns1, or (8) dns2 parameter to (a) admin/system_IronMail.do; the (9) ipAddress parameter to (b) admin/systemOutOfBand.do; the (10) password or (11) confirmPassword parameter to (c) admin/systemBackup.do; the (12) Klicense parameter to (d) admin/systemLicenseManager.do; the (13) rows[1].attrValueStr or (14) rows[2].attrValueStr parameter to (e) admin/systemWebAdminConfig.do; the (15) rows[0].attrValueStr, rows[1].attrValueStr, (16) rows[2].attrValue, or (17) rows[2].attrValueStrClone parameter to (f) admin/ldap_ConfigureServiceProperties.do; the (18) input1 parameter to (g) admin/mailFirewall_MailRoutingInternal.do; or the (19) rows[2].attrValueStr, (20) rows[3].attrValueStr, (21) rows[5].attrValueStr, or (22) rows[6].attrValueStr parameter to (h) admin/mailIdsConfig.do. ADV-2007-1164 1017821 20070326 Multiple XSS in IronMail http://www.514.es/2007/03/siaadv07004_multiples_vulnerab.html 2484 24657 34533 34532 34531 34530 34529 34528 34527 34526 Unspecified vulnerability in ReactOS 0.3.1 has unknown impact and attack vectors, related to a fix for "dozens of win32k bugs and failures," in which the fix itself introduces a vulnerability, possibly related to user-mode and kernel-mode copy failures. http://www.reactos.org/wiki/index.php/ChangeLog-0.3.1 43446 SQL injection vulnerability in index.php in IceBB 1.0-rc5 allows remote authenticated users to execute arbitrary SQL commands via the filename of an uploaded file to the avatar function, as demonstrated by setting admin privileges. Successful exploitation allows an attacker to gain administrator privileges, but requires that "magic_quotes_gpc" is disabled. ADV-2007-1116 24644 34497 3581 3580 icebb-index-sql-injection(33240) 23158 Unrestricted file upload vulnerability in index.php in IceBB 1.0-rc5 allows remote authenticated users to upload arbitrary files via the avatar function, which can later be accessed in uploads/. ADV-2007-1116 24644 34498 3581 icebb-index-file-upload(33242) 23151 Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, 7.50, and 7.51 allows remote authenticated users to access certain privileged "facilities" via unspecified vectors. HPSBMA02198 SSRT061177 ADV-2007-1121 1017817 hp-openview-nnm-unspecified-security-bypass(33241) 23163 24746 The Remote Play feature in Sony Playstation 3 (PS3) 1.60 and Playstation Portable (PSP) 3.10 OE-A allows remote attackers to cause a denial of service via a flood of UDP packets. 20070326 Playstation 3 "Remote Play" Remote DoS Exploit 35184 ps3-psp-udp-dos(33503) 2485 SQL injection vulnerability in includes/start.php in Flexbb 1.0.0 10005 Beta Release 1 allows remote attackers to execute arbitrary SQL commands via the flexbb_lang_id COOKIE parameter to index.php. ADV-2007-1141 20070327 [KAPDA::#64] - Flexbb Sql Injection http://www.kapda.ir/advisory-481.html flexbb-index-sql-injection(33250) 23161 2486 Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value. ADV-2007-1143 20070327 Linux Kernel DCCP Memory Disclosure Vulnerability kernel-dccp-information-disclosure(33274) USN-464-1 1017820 23162 20070329 Re: Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability 2482 25392 [dccp] 20070328 [PATCH 1/1] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV Multiple stack-based buffer overflows in High Performance Anonymous FTP Server (hpaftpd) 1.01 allow remote attackers to execute arbitrary code via long arguments to the (1) USER, (2) PASS, (3) CWD, (4) MKD, (5) RMD, (6) DELE, (7) RNFR, or (8) RNTO FTP command. ADV-2007-1142 23147 http://www.securiteam.com/securitynews/5AP0L1PKUU.html 35182 hpaftpd-multiple-commands-bo(33288) ** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor. Successful exploitation requires that the target user is logged in as administrator. GLSA-200703-23 24566 24430 33884 20070306 Re: Wordpress <= v2.1.0 http://codex.wordpress.org/Roles_and_Capabilities Buffer overflow in InterVations NaviCOPA HTTP Server 2.01 allows remote attackers to execute arbitrary code via a long (1) /cgi-bin/ or (2) /cgi/ pathname in an HTTP GET request, probably a different issue than CVE-2006-5112. http://www.skilltube.com/index.php?option=com_content&task=view&id=13&Itemid=37 ADV-2007-1137 23179 20070327 Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01 24673 34503 navicopa-cgi-bo(33296) 3589 2483 The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730. 1017820 20070327 Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability linux-kernel-dccp-info-disclosure(43321) kernel-dccp-information-disclosure(33274) 2511 Stack-based buffer overflow in Corel WordPerfect Office X3 (13.0.0.565) allows user-assisted remote attackers to execute arbitrary code via a long printer selection (PRS) name in a Wordperfect document. wordperfect-printer-selection-bo(33286) ADV-2007-1145 23177 20070328 Corel Wordperfect Office X3 Stack Overflow http://www.nop-art.net/advisories/wpwinX3.txt 3593 2489 24664 Mozilla Firefox 2.0.0.3 does not check URLs embedded in (1) object or (2) iframe HTML tags against the phishing site blacklist, which allows remote attackers to bypass phishing protection. 20070328 Bypass phishing protection in Firefox / Opera 2488 Opera 9.10 does not check URLs embedded in (1) object or (2) iframe HTML tags against the phishing site blacklist, which allows remote attackers to bypass phishing protection. 20070328 Bypass phishing protection in Firefox / Opera 2488 TrueCrypt 4.3, when installed setuid root, allows local users to cause a denial of service (filesystem unavailability) or gain privileges by mounting a crafted TrueCrypt volume, as demonstrated using (1) /usr/bin or (2) another user's home directory, a different issue than CVE-2007-1589. 23180 20070328 Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180) 24643 20070404 Re: Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180) 20070401 Re: Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180) 2492 Heap-based buffer overflow in the LDAP server in IBM Lotus Domino before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to cause a denial of service (crash) via a long, malformed DN request, which causes only the lower 16 bits of the string length to be used in memory allocation. VU#927988 ADV-2007-1133 23173 http://www-1.ibm.com/support/docview.wss?uid=swg21257248 24633 20070328 IBM Lotus Domino Server LDAP Request Invalid DN Message Heap Overflow Vulnerability domino-ldap-bo(33278) 1017825 23174 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-4843. Reason: This candidate is a duplicate of CVE-2006-4843. Notes: All CVE users should reference CVE-2006-4843 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. This vulnerability is addressed in the following product release: Lotus Domino 6.5.6 and 7.0.2 Fix Pack 1 (FP1). For more information consult the following URL: http://www-1.ibm.com/support/docview.wss?uid=swg21257026 Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renaming directories or performing symlink attacks. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." apache-suexec-privilege-escalation(33584) 1017904 23438 38639 [apache-http-dev] 20070328 Re: [Fwd: iDefense Final Notice [IDEF1445]] [apache-http-dev] 20070328 [Fwd: iDefense Final Notice [IDEF1445]] 20070411 Apache HTTPD suEXEC Multiple Vulnerabilities suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." 1017904 38640 [apache-http-dev] 20070328 Re: [Fwd: iDefense Final Notice [IDEF1445]] [apache-http-dev] 20070328 [Fwd: iDefense Final Notice [IDEF1445]] 20070411 Apache HTTPD suEXEC Multiple Vulnerabilities suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE. From the vendor: "The attacks described rely on an insecure server configuration - that the unprivileged user the server runs as has write access to the document root. The suexec tool cannot detect all possible insecure configurations, nor can it protect against privilege "escalation" in all such cases. It is important to note that to be able to invoke suexec, the attacker must also first gain the ability to execute arbitrary code as the unprivileged server user." 1017904 [apache-http-dev] 20070328 Re: [Fwd: iDefense Final Notice [IDEF1445]] [apache-http-dev] 20070328 [Fwd: iDefense Final Notice [IDEF1445]] 20070411 Apache HTTPD suEXEC Multiple Vulnerabilities Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface. Successful exploitation requires that a folder is shared. Although the "Shared Folders" feature is enabled by default, no folders are shared by default. http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#554 ADV-2007-1592 1017980 23721 20070518 VMSA-2007-0004.1 Updated: Multiple Denial-of-Service issues fixed and directory traversal vulnerability 20070507 VMSA-2007-0004 Multiple Denial-of-Service issues fixed 20070427 VMware Workstation Shared Folders Directory Traversal Vulnerability 25079 The chm_decompress_stream function in libclamav/chmunpack.c in Clam AntiVirus (ClamAV) before 0.90.2 leaks file descriptors, which has unknown impact and attack vectors involving a crafted CHM file, a different vulnerability than CVE-2007-0897. NOTE: some of these details are obtained from third party information. clamav-chmdecompressstream-dos(33636) ADV-2008-0924 ADV-2007-1378 23473 http://sourceforge.net/project/shownotes.php?release_id=500765 24891 34913 2007-0013 SUSE-SA:2007:026 MDKSA-2007:098 DSA-1281 http://support.novell.com/techcenter/psdb/50a5cb718f20761dd7e0b6b4e0935c52.html GLSA-200704-21 29420 25189 25028 25022 24996 24946 24920 APPLE-SA-2008-03-18 http://docs.info.apple.com/article.html?artnum=307562 Unspecified vulnerability in MSO.dll in Microsoft Office 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and 2007 allows user-assisted remote attackers to execute arbitrary code via a malformed drawing object, which triggers memory corruption. TA07-128A VU#853184 MS07-025 office-drawing-code-execution(33908) ADV-2007-1710 1018014 23826 HPSBST02214 SSRT071422 34396 25178 oval:org.mitre.oval:def:2051 Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences. TA07-128A TA07-103A VU#555920 win-dns-rpc-bo(33629) ADV-2007-1366 1017910 23470 SSRT071422 HPSBST02214 20070415 Re: [exploits] RPC vuln in DNS Server (fwd) MS07-029 http://www.microsoft.com/technet/security/advisory/935964.mspx 24871 http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb http://blogs.technet.com/msrc/archive/2007/04/12/microsoft-security-advisory-935964-posted.aspx oval:org.mitre.oval:def:1228 Integer underflow in the CDownloadSink class code in the Vector Markup Language (VML) component (VGX.DLL), as used in Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code via compressed content with an invalid buffer size, which triggers a heap-based buffer overflow. VU#468800 TA07-226A 25310 MS07-050 26409 ADV-2007-2874 1018568 20070814 EEYE: VGX.DLL Compressed Content Heap Overflow Vulnerability http://research.eeye.com/html/advisories/published/AD20070814a.html 3020 oval:org.mitre.oval:def:1784 Unspecified vulnerability in Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code via a crafted Cascading Style Sheets (CSS) tag that triggers memory corruption. TA07-163A ADV-2007-2153 HPSBST02231 MS07-033 ie-css-tag-code-execution(34619) 24423 HPSBST02231 1018235 25627 oval:org.mitre.oval:def:1396 Microsoft Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code by causing Internet Explorer to access an uninitialized or deleted object, related to prototype variables and table cells, aka "Uninitialized Memory Corruption Vulnerability." TA07-163A MS07-033 ie-uninitialized-object-code-execution(34626) http://www.zerodayinitiative.com/advisories/ZDI-07-038.html ADV-2007-2153 24418 HPSBST02231 HPSBST02231 20070612 ZDI-07-038: Microsoft Internet Explorer Prototype Dereference Code Execution Vulnerability 1018235 25627 oval:org.mitre.oval:def:1978 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1499. Reason: This candidate is a duplicate of CVE-2007-1499. Notes: All CVE users should reference CVE-2007-1499 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PUBCONV.DLL in Microsoft Office Publisher 2007 does not properly clear memory when transferring data from disk to memory, which allows user-assisted remote attackers to execute arbitrary code via a malformed .pub page via a certain negative value, which bypasses a sanitization procedure that initializes critical pointers to NULL, aka the "Publisher Invalid Memory Reference Vulnerability". TA07-191A ADV-2007-2479 1018353 20070710 EEYE: Microsoft Publisher 2007 Arbitrary Pointer Dereference MS07-037 25988 http://research.eeye.com/html/advisories/published/AD20070710.html SSRT071446 oval:org.mitre.oval:def:1871 Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and Office Excel 2007 does not properly validate version information, which allows user-assisted remote attackers to execute arbitrary code via a crafted Excel file, aka "Calculation Error Vulnerability". TA07-191A MS07-036 ADV-2007-2478 excel-version-code-execution(35210) 1018352 24801 25995 SSRT071446 oval:org.mitre.oval:def:2123 Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs before checking them against the phishing site blacklist, which allows remote attackers to bypass phishing protection via multiple / (slash) characters in the URL. 20070329 Re: Bypass phishing protection in Firefox / Opera 34535 The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows user-assisted remote attackers to cause a denial of service (crash) via a crafted JPG image, as demonstrated by a slideshow, possibly due to a buffer overflow. ADV-2007-1160 http://securityvulns.com/news/Microsoft/Vista/ATI.html 20070325 Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability windows-atikmdag-dos(33300) 33635 24667 http://leovilletownsquare.com/fusionbb/showtopic.php?fid/27/tid/17600/ Stack-based buffer overflow in FastStone Image Viewer 2.8 allows user-assisted remote attackers to execute arbitrary code via a crafted JPG image. 20070329 Re: [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability 42054 23196 2510 Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier. ADV-2007-1151 1017827 23194 20070331 Windows .ANI Stack Overflow Exploit 20070330 ANI Zeroday, Third Party Patch http://www.microsoft.com/technet/security/advisory/935423.mspx http://www.avertlabs.com/research/blog/?p=233 http://www.avertlabs.com/research/blog/?p=230 http://vil.nai.com/vil/content/v_141860.htm http://research.eeye.com/html/alerts/zeroday/20070328.html http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/ PHP remote file inclusion vulnerability in login/engine/db/profiledit.php in Advanced Login 0.76 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter. ADV-2007-1179 20070329 Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability 34587 advanced-profiledit-file-include(33321) 23197 2508 24695 3608 Unspecified vulnerability in (1) Deskbar.dll and (2) Toolbar.dll in AOL 9.0 before February 2007 allows remote attackers to cause a denial of service (browser crash) via unknown vectors. 35207 20070329 AOL 9.0 Deskbar.dll/Toolbar.dll DoS Vulnerability aol-deskbar-toolbar-dos(33309) Cross-site scripting (XSS) vulnerability in app/helpers/application_helper.rb in Mephisto 0.7.3 and Mephisto Edge 20070325 allows remote attackers to inject arbitrary web script or HTML via the author name field in a comment. mephisto-authorname-xss(33230) 23137 20070325 Mephisto blog is vulnerable to XSS 35309 2490 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1873. Reason: This candidate is a duplicate of CVE-2007-1873. Notes: All CVE users should reference CVE-2007-1873 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the ArcSDE service (giomgr) in Environmental Systems Research Institute (ESRI) ArcGIS before 9.2 Service Pack 2, when using three tiered ArcSDE configurations, allows remote attackers to cause a denial of service (giomgr crash) and execute arbitrary code via long parameters in crafted requests. arcsde-tcpport-bo(33457) arcsde-three-tiered-dos(33282) ADV-2007-1140 1017874 23175 http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1262 http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1261 http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1260 24639 20070404 ESRI ArcSDE Buffer Overflow Vulnerability PHP remote file inclusion vulnerability in manage/javascript/formjavascript.php in Ay System Solutions Web Content System (WCS) 2.7.1 allows remote attackers to execute arbitrary PHP code via a URL in the path[JavascriptEdit] parameter. ADV-2007-1139 23171 3592 24663 34500 wcs-formjavascript-file-include(33281) The FTP service in HP JetDirect print servers allows remote attackers to cause a denial of service (engine crash) via a RETR command with a long pathname. 23168 20070327 Remote DOS HP JetDirect Print Servers hp-jetdirect-rert-dos(33273) Multiple directory traversal vulnerabilities in aBitWhizzy allow remote attackers to list arbitrary directories via a .. (dot dot) in the d parameter to (1) whizzery/whizzypic.php or (2) whizzery/whizzylink.php, different vectors than CVE-2006-6384. abitwhizzy-multiple-directory-traversal(33277) ADV-2007-1136 23167 34506 34505 24679 http://lostmon.blogspot.com/2007/03/abitwhizzy-traversal-folder-enumeration.html http://downloads.securityfocus.com/vulnerabilities/exploits/23167.html Multiple cross-site scripting (XSS) vulnerabilities in aBitWhizzy allow remote attackers to inject arbitrary web script or HTML via the d parameter to (1) whizzery/whizzypic.php or (2) whizzery/whizzylink.php. abitwhizzy-multiple-xss(33279) ADV-2007-1136 23167 34508 34507 24679 http://lostmon.blogspot.com/2007/03/abitwhizzy-traversal-folder-enumeration.html http://downloads.securityfocus.com/vulnerabilities/exploits/23167.html Unrestricted file upload vulnerability in upload.php3 in JBrowser 2.4 and earlier allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 23166 43445 SQL injection vulnerability in index.php in the DesignForJoomla.com D4J eZine (com_ezine) 2.8 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in a read action. d4jezine-index-sql-injection(33249) ADV-2007-1135 23165 3590 24675 34511 Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 allows remote attackers to execute arbitrary code via a ZIP archive that contains an entry with a length value of 0xffffffff, which is incremented before use in an emalloc call, triggering a heap overflow. 23169 http://www.php-security.org/MOPB/MOPB-35-2007.html MDVSA-2008:130 DSA-1283 DSA-1282 25062 25025 PHP remote file inclusion vulnerability in db/mysql.php in the Eve-Nuke 0.1 (EN-Forums) module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-1138 3591 37195 evenuke-mysql-file-include(33285) 23176 Multiple SQL injection vulnerabilities in the MySQL back-end in Advanced Website Creator (AWC) before 1.9.0 might allow remote attackers to execute arbitrary SQL commands via unspecified parameters, related to use of mysql_escape_string instead of mysql_real_escape_string. 33875 http://forums.awcreator.com/viewtopic.php?t=45 23268 24685 Cross-site scripting (XSS) vulnerability in the DHT shell (owdhtshell) in Overlay Weaver 0.5.9 to 0.5.11, when invoked with the -x option, allows remote attackers to inject arbitrary web script or HTML via fields in certain input forms. ADV-2007-1167 24669 http://overlayweaver.sourceforge.net/news/ overlay-weaver-owdhtshell-xss(33340) 23195 JVN#62399483 Minna De Office 1.x and 2.x does not properly restrict user access to certain privileged actions, which allows local users to change the configuration or have other unspecified impact. NOTE: some of these details are obtained from third party information. ADV-2007-1162 http://www.aisantec.co.jp/mof/index.html 24691 34518 JVN#73258608 aisan-unspecified-privilege-escalation(33341) 23198 CruiseWorks 1.09e and earlier does not properly restrict user access to certain privileged actions, which allows local users to change the configuration or have other unspecified impact. NOTE: some of these details are obtained from third party information. ADV-2007-1163 http://www.kynos.co.jp/cws-support/index.html 24674 34543 JVN#73258608 cruiseworks-security-bypass(33323) 23198 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1685. Reason: This candidate is a duplicate of CVE-2007-1685. Notes: All CVE users should reference CVE-2007-1685 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The JNILoader ActiveX control (STJNILoader.ocx) 3.1.0.26 in IBM Lotus Notes Sametime before 7.5 allows remote attackers to load arbitrary DLL libraries and execute arbitrary code via arbitrary arguments to the loadLibrary function. This vulnerability is addressed in the following product advisory: http://www-1.ibm.com/support/docview.wss?uid=swg21257029 1017828 23201 http://www-1.ibm.com/support/docview.wss?uid=swg21257029 20070329 IBM Lotus Sametime JNILoader Arbitrary DLL Load Vulnerability sametime-stjniloader-code-execution(33314) The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 SP2 build 4237 allows remote attackers to execute arbitrary code via crafted xdr_handle_t data in RPC packets, which is used in calculating an address for a function call, as demonstrated using the 191 (0xbf) RPC request. VU#151305 ADV-2007-1161 http://www.shirkdog.us/shk-004.html http://www.shirkdog.us/camediasvrremote.py 23209 20070330 CA Brightstor Backup Mediasvr.exe Remote Code Vulnerability 24682 brightstor-mediasvr-code-execution(33316) 1017830 20070331 CA BrightStor ARCserve Backup Mediasvr.exe vulnerability http://supportconnectw.ca.com/public/storage/infodocs/babmedser-secnotice.asp 2509 SQL injection vulnerability in Hitachi Collaboration - Online Community Management 01-00 through 01-30, as used in Groupmax Collaboration Portal, Groupmax Collaboration Web Client, uCosminexus Collaboration Portal, Cosminexus Collaboration Portal, and uCosminexus Content Manager, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. ADV-2007-1168 http://www.hitachi-support.com/security_e/vuls_e/HS07-008_e/index-e.html 24693 34544 hitachi-collaboration-sql-injection(33348) 23208 Multiple PHP remote file inclusion vulnerabilities in lib/timesheet.class.php in Softerra Time-Assistant 6.2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_dir or (2) lib_dir parameter. ADV-2007-1193 23203 3600 34626 http://advisories.echo.or.id/adv/adv80-K-159-2007.txt softerra-timesheetclass-file-include(33327) 20070330 [ECHO_ADV_80$2007] Softerra Time-Assistant <= 6.2 (inc_dir) Remote File Inclusion Vulnerability 24729 Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request. ADV-2007-1181 http://www.flyspray.org/fsa:1 24702 23214 Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests. ADV-2007-1181 http://www.flyspray.org/changelog 24702 34591 23214 Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction Software Free Edition allow remote attackers to execute arbitrary PHP code via a URL in the install_root parameter to (1) support.inc.php, (2) function.inc.php, (3) rdal_object.inc.php, (4) rdal_editor.inc.php. (5) login.inc.php, (6) request.inc.php, and (7) categories.inc.php in include/core/; (8) save.inc.php, (9) preview.inc.php, (10) edit_item.inc.php, (11) new_item.inc.php, and (12) item_info.inc.php in include/display/item/; (13) search.inc.php, (14) item_edit.inc.php, (15) register_succsess.inc.php, (16) context_menu.inc.php, (17) item_repost.inc.php, (18) balance.inc.php, (19) featured.inc.php, (20) user.inc.php, (21) buynow.inc.php, (22) install_complete.inc.php, (23) fees_info.inc.php, (24) user_feedback.inc.php, (25) admin_balance.inc.php, (26) activate.inc.php, (27) user_info.inc.php, (28) member.inc.php, (29) add_bid.inc.php, (30) items_filter.inc.php, (31) my_info.inc.php, (32) register.inc.php, (33) leave_feedback.inc.php, and (34) user_auctions.inc.php in include/display/; and (35) design/form.inc.php, (36) processor.inc.php, (37) interfaces.inc.php (38) left_menu.inc.php, (39) login.inc.php, and (40) categories.inc.php in include/. kaqoo-installroot-file-include(33335) ADV-2007-1180 23211 34584 34583 34582 34581 34580 34579 34578 34577 34576 34575 34574 34573 34572 34571 34570 34569 34568 34567 34566 34565 34564 34563 34562 34561 34560 34559 34558 34557 34556 34555 34554 34553 34552 34551 34550 34549 34548 34547 34546 34545 3607 24696 SQL injection vulnerability in wall.php in Picture-Engine 1.2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. 23205 3605 34936 pictureengine-wall-sql-injection(33325) libdayzero.dll in the Filter Hub Service (filter-hub.exe) in Symantec Mail Security for SMTP before 5.0.1 Patch 181 and Mail Security Appliance before 5.0.0-36 allows remote attackers to cause a denial of service (crash) via a crafted executable attachment in an e-mail, involving the detection of "PE-Shield v0.2" and "ASPack v1.00-1.08.02". http://securityresponse.symantec.com/avcenter/security/Content/2007.06.26.html 24632 ADV-2007-2335 http://secunia.com/secunia_research/2007-48/advisory/ 36110 symantec-mailsecurity-attachment-dos(35105) 1018301 24625 20070628 Secunia Research: Symantec Mail Security for SMTP Boundary Errors SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9.1.1.7 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateMutant and (2) NtOpenEvent functions. NOTE: it was later reported that Norton Internet Security 2008 15.0.0.60, and possibly other versions back to 2006, are also affected. 1017838 1017837 symantec-firewall-ssdt-dos(33352) ADV-2007-1192 1021389 1021388 1021387 1021386 23241 20070918 Plague in (security) software drivers & BSDOhook utility 20070401 Norton Multiple insufficient argument validation of hooked SSDT function Vulnerability http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php http://www.matousec.com/info/advisories/plague-in-security-software-drivers.php http://www.matousec.com/info/advisories/Norton-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php http://securityresponse.symantec.com/avcenter/security/Content/2008.12.12.html 24677 34692 The Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, and 10 might allow remote attackers to execute arbitrary code via vectors involving garbage collection that causes deletion of a temporary object that is still being used. NOTE: this issue might be related to CVE-2006-3805. 102865 24624 ADV-2007-1178 JCcorp URLshrink 1.3.1 allows remote attackers to execute arbitrary PHP code via the email address field in an HTML link. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://developers.jccorp.net/modules/newbb/viewtopic.php?topic_id=33&forum=8 urlshrink-email-code-execution(33320) 23217 Multiple unspecified vulnerabilities in JCcorp URLshrink before 1.3.2 have unspecified attack vectors and impact. http://developers.jccorp.net/modules/newbb/viewtopic.php?topic_id=33&forum=8 34988 Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667. 20070331 Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities https://issues.rpath.com/browse/RPL-1205 https://issues.foresightlinux.org/browse/FL-222 imagemagick-readxwdimage-bo(33377) imagemagick-readdcmimage-bo(33376) ADV-2007-1200 USN-481-1 1017839 23347 23252 RHSA-2008:0165 RHSA-2008:0145 SUSE-SR:2007:008 MDKSA-2007:147 http://www.imagemagick.org/script/changelog.php DSA-1858 GLSA-200705-13 36260 29857 29786 26177 25992 25206 25072 24739 24721 oval:org.mitre.oval:def:9254 Buffer overflow in the drmgr command in IBM AIX 5.2 and 5.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long path name. ibmaix-drmgr-bo(33354) ADV-2007-1186 1017841 IY96772 IY96753 IY95054 oval:org.mitre.oval:def:12575 34981 Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.3 only checks for the ".." string, which allows remote attackers to overwrite arbitrary files via modified ".." sequences in a torrent filename, as demonstrated by "../" sequences, due to an incomplete fix for CVE-2007-1384. https://bugs.gentoo.org/show_bug.cgi?id=170303 http://bugs.kde.org/show_bug.cgi?id=143637 USN-436-2 23745 SUSE-SR:2007:007 MDKSA-2007:095 DSA-1373 GLSA-200705-01 26773 25097 24995 Cisco Secure ACS does not require authentication when Cisco Trust Agent (CTA) transmits posture information, which might allow remote attackers to gain network access via a spoofed Network Endpoint Assessment posture, aka "NACATTACK." NOTE: this attack might be limited to authenticated users and devices. 20070330 NACATTACK Presentation http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Dror 34123 Directory traversal vulnerability in inc/lang.php in sBLOG 0.7.3 Beta allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the conf_lang_default parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by inc/lang.php. sblog-inclang-file-include(33326) 23206 3601 35458 Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 23207 maildwarf-unspecified-xss(33322) ADV-2007-1166 24681 JVN#40511721 Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote attackers to send e-mail to addresses different from the configured addresses. 23207 maildwarf-unspecified-security-bypass(33324) ADV-2007-1166 24681 JVN#08951968 PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file. http://aluigi.altervista.org/adv/pulsex-adv.txt pulseaudio-assert-dos(33315) ADV-2007-1214 http://aluigi.org/poc/pulsex.zip USN-465-1 23240 SUSE-SR:2007:013 MDVSA-2008:065 25787 25431 SQL injection vulnerability in genre.php in the debaser 0.92 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the genreid parameter. 3630 34466 xoops-debaser-genre-sql-injection(33372) 23253 SQL injection vulnerability in categos.php in the RM+Soft Gallery (rmgallery) 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the idcat parameter. 3633 xoops-rmsoft-categos-sql-injection(33370) 23250 24709 SQL injection vulnerability in modules/myalbum/viewcat.php in the myAlbum-P 2.0 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter. ADV-2007-1202 3632 34465 xoops-myalbump-viewcat-sql-injection(33371) 23229 SQL injection vulnerability in show.php in the Camportail 1.1 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the camid parameter in a showcam action. ADV-2007-1201 3629 34456 xoops-camportail-show-sql-injection(33373) 23245 24748 Multiple PHP remote file inclusion vulnerabilities in GraFX Company WebSite Builder (CWB) PRO 1.5 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter to (1) cls_headline_prod.php, (2) cls_listorders.php, or (3) cls_viewpastorders.php in include/, different vectors than CVE-2007-1513. 3628 20070402 [true] CWB pro 1.5 INCLUDE_PATH RFI 35228 35227 35226 cwb-includepath-file-include(33351) 23242 SQL injection vulnerability in product_details.php in the Kshop 1.17 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-1211 3626 34455 xoops-kshop-productdetails-sql-injection(33374) 23272 24749 SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action. 3625 34470 xoops-tinyevent-index-sql-injection(33359) PHP remote file inclusion vulnerability in utilitaires/gestion_sondage.php in BT-Sondage 112 allows remote attackers to execute arbitrary PHP code via a URL in the repertoire_visiteur parameter. ADV-2007-1183 3624 20070402 [true] BT-Sondage-v112 RFI 34597 btsondage-gestionsondage-file-include(33363) 23248 24701 SQL injection vulnerability in display.php in the eCal 2.24 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the katid parameter. 3623 34471 xoops-ecal-display-sql-injection(33369) SQL injection vulnerability in viewcat.php in the Core module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-0377. 3620 34469 xoops-core-viewcat-sql-injection(33350) 23229 SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter. 3619 34468 xoops-library-viewcat-sql-injection(33366) 23229 SQL injection vulnerability in viewcat.php in the Tutoriais module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter. 3621 34467 xoops-tutoriais-viewcat-sql-injection(33367) 23229 SQL injection vulnerability in index.php in the Lykos Reviews (lykos_reviews) 1.00 module for Xoops allows remote attackers to execute arbitrary SQL commands via the uid parameter in a u action. ADV-2007-1189 3618 34463 xoops-lykos-reviews-sql-injection(33365) 23232 PHP remote file inclusion vulnerability in MOD_forum_fields_parse.php in the Forum picture and META tags 1.7 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-1188 3613 35445 phpbb-modforumfieldsparse-file-include(33346) 23222 Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via a long ProgColor property. VU#589097 ADV-2007-1185 23239 http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/cf109e434c7765eac22572a4006c6e94?OpenDocument http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/7a0f7f0efc7905fdc225729f004cf387?OpenDocument 1017835 24692 20070402 Hewlett-Packard Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability HPSBGN02199 SSRT071312 Nortel Networks CallPilot and Meridian Mail voicemail systems, when a mailbox has auto logon enabled, allow remote attackers to retrieve or remove messages, or reconfigure the mailbox, by spoofing Calling Number Identification (CNID, aka Caller ID). Access complexity set to Medium because Nortel Networks voicemail systems do not hard code or default to this behavior. VU#726548 http://www.kb.cert.org/vuls/id/AAMN-5N2QFX 34983 Sprint Nextel Sprint voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID). VU#726548 34984 Alcatel-Lucent Lucent Technologies voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID). VU#726548 34985 T-Mobile voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID). VU#726548 34986 Buffer overflow in the php_stream_filter_create function in PHP 5 before 5.2.1 allows remote attackers to cause a denial of service (application crash) via a php://filter/ URL that has a name ending in the '.' character. 23237 http://www.php-security.org/MOPB/MOPB-42-2007.html USN-455-1 SUSE-SA:2007:032 DSA-1283 25062 25057 25056 Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3. 23234 http://www.php-security.org/MOPB/MOPB-40-2007.html oval:org.mitre.oval:def:10377 Unspecified vulnerability in the IPSec Manager Service for Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allows remote attackers to cause a denial of service (loss of cluster services) via a "specific UDP packet" to UDP port 8500, aka bug ID CSCsg60949. 23181 20070328 Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities 1017826 24690 ADV-2007-1144 34919 Multiple unspecified vulnerabilities in form input validation in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to corrupt data files, gain access to private files, and execute arbitrary code via "certain characters." http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=254 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=252 20070322 WebAPP Audit 24227 ADV-2007-0720 45396 Multiple cross-site scripting (XSS) vulnerabilities in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the QUERY_STRING corresponding to drop downs or (2) various forms. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=254 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=252 20070322 WebAPP Audit ADV-2007-0720 24227 35215 35214 Multiple unspecified vulnerabilities in web-app.net WebAPP have unknown impact and attack vectors, described as "[having] other [security] issues too, not as bad as letting users take over your admin account, but bad too." http://www.web-app.net/cgi-bin/index.cgi?action=forum&board=public_security&op=display&num=10380 35213 Unspecified vulnerability in the Username Hijacking Patch 20070312 for web-app.org WebAPP 0.9.9.6 allows remote attackers to obtain administrative access via unknown vectors, related to "something overlooked in the original that was still overlooked in the patch", and possibly related to copying files to the user-lib and the "XSS and cookies exploit." http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=259 35212 web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to open files and write "wrong data" via a crafted QUERY_STRING. 24227 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=254 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=252 ADV-2007-0720 20070322 WebAPP Audit 45395 web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to upload certain files (1) via a crafted filename or (2) by "using percent encoding in forms." 24227 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=254 http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=252 ADV-2007-0720 20070322 WebAPP Audit The Skinny Call Control Protocol (SCCP) implementation in Cisco Unified CallManager (CUCM) 3.3 before 3.3(5)SR2a, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3)SR1, and 5.0 before 5.0(4a)SU1 allows remote attackers to cause a denial of service (loss of voice services) by sending crafted packets to the (1) SCCP (2000/tcp) or (2) SCCPS (2443/tcp) port. 20070328 Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities 1017826 24665 ADV-2007-1144 23181 Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allow remote attackers to cause a denial of service (loss of voice services) via a flood of ICMP echo requests, aka bug ID CSCsf12698. 20070328 Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities 1017826 24690 ADV-2007-1144 23181 PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions. ADV-2007-2374 ADV-2007-1991 23183 http://www.php-security.org/MOPB/MOPB-36-2007.html SSRT071429 SSRT071423 25850 25423 HPSBTU02232 SSRT071423 The command line administration interface in Data Domain OS before 4.0.3.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in certain arguments to various commands, as demonstrated by the interface argument to the (1) ifconfig and (2) ping commands. 20070328 Arbitrary Command Execution in DataDomain Administrator Interface 23182 34537 2516 24666 Multiple PHP remote file inclusion vulnerabilities in MangoBery CMS 0.5.5 allow remote attackers to execute arbitrary PHP code via a URL in the Site_Path parameter to (1) boxes/quotes.php or (2) templates/mangobery/footer.sample.php. http://mangobery.svn.sourceforge.net/viewvc/mangobery?view=rev&revision=70 ADV-2007-1147 3598 24686 34510 34509 mangoberycms-quotes-file-include(33290) 23187 SQL injection vulnerability in view.php in the Friendfinder 3.3 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2007-1146 23184 3597 xoops-friendfinder-view-sql-injection(33292) 20070329 Xoops Module Friendfinder <= 3.3 (view.php id) BLIND SQL Injection Exploit Multiple PHP remote file inclusion vulnerabilities in CodeBB 1.1b3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) pass_code.php or (2) lang_select. ADV-2007-1148 3599 35423 35422 codebb-passcode-file-include(33293) 23185 lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS). http://lam.cvs.sourceforge.net/lam/lam/lib/modules.inc?r1=1.173&r2=1.174 ADV-2007-1149 http://lam.sourceforge.net/changelog/index.htm DSA-1287 23190 25157 24687 The isakmp_info_recv function in src/racoon/isakmp_inf.c in racoon in Ipsec-tools before 0.6.7 allows remote attackers to cause a denial of service (tunnel crash) via crafted (1) DELETE (ISAKMP_NPTYPE_D) and (2) NOTIFY (ISAKMP_NPTYPE_N) messages. [Ipsec-tools-devel] 20070406 Ipsec-tools 0.6.7 released RHSA-2007:0342 ipsectools-isakmpinforecv-dos(33541) ADV-2007-1310 USN-450-1 23394 SUSE-SR:2007:008 http://sourceforge.net/project/shownotes.php?release_id=499192&group_id=74601 GLSA-200705-09 25322 25142 25072 24833 24826 24815 oval:org.mitre.oval:def:10504 1018086 MDKSA-2007:084 DSA-1299 25560 Directory traversal vulnerability in login.php in JSBoard before 2.0.12 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the table parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, a related issue to CVE-2006-2019. ADV-2007-1182 23223 3614 37365 http://kldp.net/plugins/scmcvs/cvsweb.php/jsboard-2/login.php.diff?r1=1.8;r2=1.9;cvsroot=jsboard jsboard-login-file-include(33338) PHP remote file inclusion vulnerability in gmapfactory/params.php in MapLab 2.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the gszAppPath parameter. maplab-params-file-include(33360) ADV-2007-1203 23249 20070402 Re: Maplab <= 2.2.1 (gszAppPath) Remote File Inclusion Vulnerability 20070402 Re: Maplab <= 2.2.1 (gszAppPath) Remote File InclusionVulnerability 20070402 Maplab <= 2.2.1 (gszAppPath) Remote File Inclusion Vulnerability 3638 24715 34620 Multiple PHP remote file inclusion vulnerabilities in Aardvark Topsites PHP 5 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) button/settings_sql.php, (2) settings_sql.php, and (3) sources/misc/new_day.php. 20070331 Remot File Include In Aardvark Topsites PHP 5 35225 35224 35223 aardvark-settingssql-newday-file-include(33342) 2515 SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter. ADV-2007-1191 23225 20070331 PHP-Fusion 'Calendar_Panel' Module show_event.PHP (m_month) SQL Injection Exploit And PoC 24718 36310 phpfusion-showevent-sql-injection(33336) 2514 SQL injection vulnerability in index.php in the MyAds 2.04jp and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, different vectors than CVE-2006-3341. xoops-myads-index-sql-injection(33334) 23212 37372 3603 SQL injection vulnerability in viewcat.php in the Repository module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter. 23221 3612 37373 xoops-viewcatphp-sql-injection(33344) Cross-site scripting (XSS) vulnerability in admin/classes/ui.dta.php in Drake CMS allows remote attackers to inject arbitrary web script or HTML via the desc[][title] field. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS." drakecms-uidta-xss(33332) 23216 20070330 DrakeCMS multiple vulerabilities 2522 Directory traversal vulnerability in 404.php in Drake CMS allows remote attackers to include and execute arbitrary local arbitrary files via a .. (dot dot) in the d_private parameter. NOTE: some of these details are obtained from third party information. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS." drakecms-dprivate-file-include(33331) 23215 20070330 DrakeCMS multiple vulerabilities Directory traversal vulnerability in classes/captcha/captcha.jpg.php in Drake CMS allows remote attackers to read arbitrary files or list arbitrary directories, and obtain the installation path, via a .. (dot dot) in the d_private parameter. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS." drakecms-dprivate-directory-traversal(33333) 20070330 DrakeCMS multiple vulerabilities 2522 Multiple directory traversal vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the __class parameter to (1) Controller_v4.php or (2) Controller_v5.php. ADV-2007-1190 3641 http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6 24671 rspa-class-file-include(33357) ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in 2BGal 3.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the lang_filename parameter to (1) index.php or (2) backupdb.inc.php in admin/, or other unspecified files, different vectors than CVE-2006-5505. NOTE: this issue has been disputed by CVE, since the lang_filename variable is defined before it is used. 2bgal-langfilename-file-include(33375) 20070331 2BGal 3.1.1 <= (admin/index.php) Remote File Include Vulnerability 20070427 FALSE -> 2bgal RFI 2517 Unspecified vulnerability in Hitachi JP1/HiCommand DeviceManager, Global Link Availability Manager, Replication Monitor, Tiered Storage Manager, and Tuning Manager allows local users to obtain authentication information via unspecified vectors. hitachi-hicommand-information-disclosure(33328) ADV-2007-1169 23210 http://www.hitachi-support.com/security_e/vuls_e/HS07-007_e/index-e.html 24684 34590 Unspecified vulnerability in Hitachi Cosminexus Component Container 07-00 through 07-00-10, and 07-10 through 07-10-03, as used in uCosminexus Application Server Enterprise and Standard; uCosminexus Service Platform; uCosminexus Developer Standard and Professional; uCosminexus Service Architect; Electronic Form Workflow Standard Set, Professional Library Set, and Developer Client Set; and uCosminexus ERP Integrator, does not properly manage session information, which has an unspecified impact related to "unintended other requests." hitachi-container-information-disclosure(33318) ADV-2007-1170 23213 http://www.hitachi-support.com/security_e/vuls_e/HS07-006_e/index-e.html 24683 34768 Multiple PHP remote file inclusion vulnerabilities in smarty/smarty_class.php in Shop-Script FREE allow remote attackers to execute arbitrary PHP code via a URL in the (1) _smarty_compile_path, (2) smarty_compile_path, (3) get_plugin_filepath, (4) smarty_dir, and (5) filename parameters. NOTE: this issue might be related to CVE-2006-7105. 20070331 Remot File Include In Shop-SCRIPT FREE 35222 shopscriptfree-smarty-file-include(33339) 2520 Vixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure permissions, which allows local users to cause a denial of service (cron failure) by creating hard links, which results in a failed st_nlink check in database.c. ADV-2007-3229 23520 GLSA-200704-11 oval:org.mitre.oval:def:11463 1018081 SUSE-SR:2007:007 MDKSA-2007:234 http://support.avaya.com/elmodocs2/security/ASA-2007-261.htm 27886 27706 26909 25723 25321 24995 24905 RHSA-2007:0345 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts. http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html tomcat-ssl-security-bypass(34212) ADV-2009-0233 ADV-2007-1729 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 44183 33668 34882 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx 28482 http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm 29392 SUSE-SR:2008:007 XScreenSaver 4.10, when using a remote directory service for credentials, does not properly handle the results from the getpwuid function in drivers/lock.c when there is no network connectivity, which causes XScreenSaver to crash and unlock the screen and allows local users to bypass authentication. RHSA-2007:0322 https://issues.rpath.com/browse/RPL-1293 xscreensaver-getpwuid-authentication-bypass(34054) USN-474-1 1017996 23783 SUSE-SR:2007:009 MDKSA-2007:097 GLSA-200705-14 25610 25225 25119 25118 25116 25105 25065 oval:org.mitre.oval:def:11459 mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450. http://tomcat.apache.org/security-jk.html http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1 25383 tomcat-jkconnector-security-bypass(34496) ADV-2007-3386 ADV-2007-2732 ADV-2007-1941 1018138 25159 24147 RHSA-2008:0261 RHSA-2007:0379 34877 DSA-1312 GLSA-200708-15 29242 27037 26512 26235 25701 oval:org.mitre.oval:def:6002 SUSE-SR:2008:005 APPLE-SA-2007-07-31 SSRT071447 SSRT071447 http://docs.info.apple.com/article.html?artnum=306172 The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow. https://issues.rpath.com/browse/RPL-1309 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237913 kernel-netlinkfiblookup-dos(34014) ADV-2007-1595 USN-489-1 USN-486-1 23677 20070508 FLEA-2007-0016-1: kernel 20070615 rPSA-2007-0124-1 kernel xen RHSA-2007:0347 SUSE-SA:2007:043 MDKSA-2007:171 DSA-1289 26620 26139 26133 25961 25691 25288 25228 25083 25030 oval:org.mitre.oval:def:11616 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.8 The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information. ADV-2007-2727 ADV-2007-2231 http://people.apache.org/~covener/2.2.x-mod_memcache-poolmgmt.diff 38641 http://issues.apache.org/bugzilla/show_bug.cgi?id=41551 24553 FEDORA-2007-2214 MDKSA-2007:127 GLSA-200711-06 27563 26842 26273 http://httpd.apache.org/security/vulnerabilities_22.html http://bugs.gentoo.org/show_bug.cgi?id=186219 cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. TA08-150A ADV-2008-1697 ADV-2008-0233 ADV-2007-3386 ADV-2007-3283 ADV-2007-2727 24649 20090821 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server http://svn.apache.org/viewvc?view=rev&revision=535617 RHSA-2007:0556 RHSA-2007:0534 oval:org.mitre.oval:def:9824 [security-announce] 20090820 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server SSRT071447 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244658 RHSA-2007:0533 https://issues.rpath.com/browse/RPL-1500 USN-499-1 2007-0026 1018303 RHSA-2007:0557 FEDORA-2007-2214 SUSE-SA:2007:061 MDKSA-2007:141 MDKSA-2007:140 http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html PK52702 PK49355 http://support.avaya.com/elmodocs2/security/ASA-2007-353.htm GLSA-200711-06 30430 28606 27732 27563 27037 26993 26842 26822 26508 26443 26273 25920 25873 25830 APPLE-SA-2008-05-28 http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html SSRT071447 http://bugs.gentoo.org/show_bug.cgi?id=186219 Buffer overflow in the bundled libxmlrpc library in PHP before 4.4.7, and 5.x before 5.2.2, has unknown impact and remote attack vectors. http://us2.php.net/releases/5_2_2.php http://us2.php.net/releases/4_4_7.php RHSA-2007:0348 ADV-2007-2187 2007-0017 1018024 RHSA-2007:0355 RHSA-2007:0349 25255 25191 25187 oval:org.mitre.oval:def:11257 https://issues.rpath.com/browse/RPL-1693 USN-485-1 23813 MDKSA-2007:103 MDKSA-2007:102 DSA-1331 DSA-1330 http://support.avaya.com/elmodocs2/security/ASA-2007-231.htm GLSA-200705-19 27377 26102 26048 25945 25938 25660 25445 SUSE-SA:2007:044 ** DISPUTED ** The ipv6_getsockopt_sticky function in the kernel in Red Hat Enterprise Linux (RHEL) Beta 5.1.0 allows local users to obtain sensitive information (kernel memory contents) via a negative value of the len parameter. NOTE: this issue has been disputed in a bug comment, stating that "len is ignored when copying header info to the user's buffer." https://bugzilla.redhat.com/show_bug.cgi?id=232045 45909 Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465. ADV-2007-1194 24688 20070331 Re: dproxy-nexgen remote 20070331 dproxy-nexgen remote http://dproxy.cvs.sourceforge.net/dproxy/dproxy-nexgen/dns_decode.c?revision=1.10&view=markup 2518 Buffer overflow in IrfanView 3.99 allows remote attackers to execute arbitrary code via a crafted animated cursor (ANI) file. ADV-2007-1210 23262 24725 3648 irfanview-ani-bo(33386) The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp. http://www-1.ibm.com/support/docview.wss?uid=swg24015347 24717 20070331 IBM Tivoli Provisioning Manager for OS Deployment Multiple Vulnerabilities ADV-2007-1199 23264 1017840 lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption. http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt ADV-2007-1399 20070420 FLEA-2007-0011-1: lighttpd 24886 https://issues.rpath.com/browse/RPL-1218 lighttpd-rnrn-dos(33671) 23515 SUSE-SR:2007:007 DSA-1303 GLSA-200705-07 25613 25166 24995 24947 lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference. 24886 ADV-2007-1399 20070420 FLEA-2007-0011-1: lighttpd http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt https://issues.rpath.com/browse/RPL-1218 lighttpd-mtime-dos(33678) 23515 SUSE-SR:2007:007 DSA-1303 GLSA-200705-07 25613 25166 24995 24947 Cross-site scripting (XSS) vulnerability in chcounter 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the login_name parameter to /stats/. Successful exploitation requires that the target user is not logged in. ADV-2007-1371 23462 20070411 CVE-2007-1871: Cross site scripting in chcounter 3.1.3 24879 34910 http://int21.de/cve/CVE-2007-1871-chcounter.txt 2569 Cross-site scripting (XSS) vulnerability in toendaCMS 1.5.3 allows remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search id. ADV-2007-1372 23453 20070411 CVE-2007-1872: Cross site scripting in toendaCMS 1.5.3 24869 34898 http://int21.de/cve/CVE-2007-1872-toendacms.txt toendacms-search-xss(33622) 2568 Cross-site scripting (XSS) vulnerability in mephisto 0.7.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter to the search script. ADV-2007-1373 20070412 Re: Cross site scripting in mephisto 0.7.3 20070411 Cross site scripting in mephisto 0.7.3 34911 http://int21.de/cve/CVE-2007-1873-mephisto.txt mephisto-search-xss(33620) 23141 24870 Adobe ColdFusion MX 7 for Linux and Solaris uses insecure permissions for certain scripts and directories, which allows local users to execute arbitrary code or obtain sensitive information via the (1) CFMX7DreamWeaverExtensions.mxp, (2) CFReportBuilderInstaller.exe, (3) .com.zerog.registry.xml, (4) uninstall.lax, (5) license.txt, (6) Readme.htm, (7) .com.zerog.registry.xml, (8) k2adminstop, or (9) k2adminstart files; or (10) certain files in lib/wsconfig/. http://www.adobe.com/support/security/bulletins/apsb07-08.html ADV-2007-1341 24850 34930 20070410 Adobe Macromedia ColdFusion MX7 Insecure File Permissions Vulnerability coldfusion-verity-privilege-escalation(33571) 1017899 23405 VMware Workstation before 5.5.4, when running a 64-bit Windows guest on a 64-bit host, allows local users to "corrupt the virtual machine's register context" by debugging a local program and stepping into a "syscall instruction." http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#554 vmware-windebugging-unspecified(33993) ADV-2007-1592 1018011 20070518 VMSA-2007-0004.1 Updated: Multiple Denial-of-Service issues fixed and directory traversal vulnerability 20070507 VMSA-2007-0004 Multiple Denial-of-Service issues fixed 25079 35509 23732 VMware Workstation before 5.5.4 allows attackers to cause a denial of service against the guest OS by causing the virtual machine process (VMX) to store malformed configuration information. http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#554 ADV-2007-1592 20070518 VMSA-2007-0004.1 Updated: Multiple Denial-of-Service issues fixed and directory traversal vulnerability 20070507 VMSA-2007-0004 Multiple Denial-of-Service issues fixed vmware-vmx-dos(33992) 1018011 23732 25079 Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.03 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome, as demonstrated via the runFile function, related to lack of HTML escaping in the property name. http://www.getfirebug.com/blog/2007/04/04/security-update/ firefox-firebug-console-security-bypass(33451) ADV-2007-1272 23315 20070404 Re: [WEB SECURITY] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug 20070404 Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug http://www.gnucitizen.org/blog/firebug-goes-evil 24743 http://larholm.com/2007/04/06/0day-vulnerability-in-firebug/ 2525 The StartUploading function in KL.SysInfo ActiveX control (AxKLSysInfo.dll) in Kaspersky Anti-Virus 6.0 and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to read arbitrary files by triggering an outbound anonymous FTP session that invokes the PUT command. NOTE: this issue might be related to CVE-2007-1112. ADV-2007-1268 1017871 23325 http://www.kaspersky.com/technews?id=203038694 24778 20070404 Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure Vulnerability kaspersky-startuploading-info-disclosure(33464) Integer overflow in the _NtSetValueKey function in klif.sys in Kaspersky Anti-Virus, Anti-Virus for Workstations, Anti-Virus for File Server 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows context-dependent attackers to execute arbitrary code via a large, unsigned "data size argument," which results in a heap overflow. The vendor has addressed this vulnerability within Maintenance Pack 2. More information is available from the following link: http://www.kaspersky.com/technews?id=203038693 ADV-2007-1268 1017873 23326 http://www.kaspersky.com/technews?id=203038694 http://www.kaspersky.com/technews?id=203038693 24778 20070404 Kaspersky Internet Security Suite klif.sys Heap Overflow Vulnerability kaspersky-klif-bo(33460) 1017872 33851 Unspecified vulnerability in KLIF (klif.sys) in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows local users to gain Ring-0 privileges via unspecified vectors. ADV-2007-1268 http://www.kaspersky.com/technews?id=203038694 http://www.kaspersky.com/technews?id=203038693 24778 33852 qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment in HP Mercury Quality Center 9.0 build 9.1.0.4352 allows remote authenticated users to execute arbitrary SQL commands via the RunQuery method. hpmercuryquality-sql-command-execution(33385) ADV-2007-1246 1017842 24730 34630 20070403 HP Mercury Quality Center Any SQL execution 2527 PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to read arbitrary memory locations via an interruption that triggers a user space error handler that changes a parameter to an arbitrary pointer, as demonstrated via the iptcembed function, which calls certain convert_to_* functions with its input parameters. http://www.php-security.org/MOPB/MOPB-37-2007.html 24542 GLSA-200710-02 27102 Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location. http://www.php.net/releases/5_2_1.php ADV-2007-2374 ADV-2007-1991 23219 http://www.php-security.org/MOPB/MOPB-38-2007.html HPSBTU02232 HPSBMA02215 34767 33955 25850 25423 HPSBTU02232 SSRT071423 Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter. NOTE: this is probably the same issue as CVE-2007-0906.6. ADV-2007-2374 ADV-2007-1991 23233 http://www.php.net/releases/5_2_1.php http://www.php-security.org/MOPB/MOPB-39-2007.html SSRT071429 SSRT071423 25850 25423 HPSBTU02232 SSRT071423 Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow." http://www.php-security.org/MOPB/MOPB-39-2007.html ADV-2007-2374 ADV-2007-1991 SSRT071429 SSRT071423 25850 25423 SSRT071429 SSRT071423 Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character. http://www.php.net/releases/5_2_1.php ADV-2007-3386 ADV-2007-2016 23235 http://www.php-security.org/MOPB/MOPB-41-2007.html oval:org.mitre.oval:def:5348 SSRT071447 FEDORA-2007-2215 USN-455-1 http://www.php.net/releases/5_2_3.php MDKSA-2007:089 MDKSA-2007:088 GLSA-200710-02 DSA-1283 27110 27102 27037 25062 25057 24909 SSRT071447 Buffer overflow in the sqlite_decode_binary function in src/encode.c in SQLite 2, as used by PHP 4.x through 5.x and other applications, allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter. NOTE: some PHP installations use a bundled version of sqlite without this vulnerability. The SQLite developer has argued that this issue could be due to a misuse of the sqlite_decode_binary() API. http://www.php-security.org/MOPB/MOPB-41-2007.html USN-455-1 http://www.sqlite.org/cvstrac/rlog?f=sqlite/src/encode.c 20070422 vendor ack/clarification for CVE-2007-1888 (SQLite) 25057 39177 MDKSA-2007:091 Integer signedness error in the _zend_mm_alloc_int function in the Zend Memory Manager in PHP 5.2.0 allows remote attackers to execute arbitrary code via a large emalloc request, related to an incorrect signed long cast, as demonstrated via the HTTP SOAP client in PHP, and via a call to msg_receive with the largest positive integer value of maxsize. http://www.php-security.org/MOPB/MOPB-43-2007.html http://www.php-security.org/MOPB/MOPB-44-2007.html SUSE-SA:2007:032 DSA-1283 25062 25056 Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff. 23236 http://www.php-security.org/MOPB/MOPB-43-2007.html Stack-based buffer overflow in the GetPrivateProfileSectionW function in Akamai Technologies Download Manager ActiveX Control (DownloadManagerV2.ocx) after 2.0.4.4 but before 2.2.1.0 allows remote attackers to execute arbitrary code, related to misinterpretation of the nSize parameter as a byte count instead of a wide character count. VU#120241 20070416 Akamai Technologies Security Advisory 2007-0001 20070416 Akamai Download Manager ActiveX Stack Buffer Overflow Vulnerability ADV-2007-1415 23522 1017925 34323 24900 Stack-based buffer overflow in Akamai Technologies Download Manager ActiveX Control (DownloadManagerV2.ocx) before 2.2.1.0 allows remote attackers to execute arbitrary code via unspecified vectors, a different issue than CVE-2007-1891. 20070416 Akamai Technologies Security Advisory 2007-0001 ADV-2007-1415 23522 akamai-download-manager-bo(33697) 34324 24900 xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." 24751 wordpress-xmlrpc-security-bypass(33470) ADV-2007-1245 http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues/ DSA-1285 http://trac.wordpress.org/ticket/4091 25108 Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function. 22902 24485 20070309 WordPress XSS under function wp_title() http://trac.wordpress.org/ticket/4093 http://trac.wordpress.org/changeset/5003 http://chxsecurity.org/advisories/adv-1-mid.txt DSA-1285 2526 25108 PHP remote file inclusion vulnerability in chat.php in Sky GUNNING MySpeach 3.0.7 and earlier, when used with PHP 5, allows remote attackers to execute arbitrary PHP code via an ftp URL in a my_ms[root] cookie, a different vector than CVE-2007-0491 and CVE-2006-4630. ADV-2007-1261 3657 34145 24760 Directory traversal vulnerability in chat.php in Sky GUNNING MySpeach 3.0.7 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) and trailing %00 (NULL) in a my_ms[root] cookie. ADV-2007-1261 3657 34146 24766 24760 SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. This vulnerability has been addressed by the vendor with the release of the following product update: http://wordpress.org/development/2007/04/wordpress-213-and-2010/ 24751 ADV-2007-1245 23294 http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues/ 3656 DSA-1285 http://trac.wordpress.org/ticket/4091 25108 formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, _SETTINGS[allowed_email_hosts][], and subject parameters. jetbox-formmail-mail-relay(34292) ADV-2007-1831 1018063 23989 20070515 Jetbox CMS version 2.1 E-Mail Injection Vulnerability 34088 http://www.netvigilance.com/advisory0026 2710 Multiple SQL injection vulnerabilities in myWebland myBloggie 2.1.6 allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a viewuser action to index.php, and allow remote authenticated administrators to execute arbitrary SQL commands via (2) the post_id parameter in an edit action to admin.php. http://www.netvigilance.com/advisory0040 5975 30892 http://descriptions.securescout.com/tc/17969 CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to inject arbitrary e-mail headers via an e-mail address with a '\n' character, which causes a regular expression to ignore the subsequent part of the address string. ADV-2007-3386 ADV-2007-2016 23359 http://www.php-security.org/MOPB/PMOPB-45-2007.html 24824 oval:org.mitre.oval:def:6067 SSRT071447 FEDORA-2007-2215 php-filtervalidateemail-header-injection(33510) USN-455-1 2007-0023 http://www.php.net/releases/5_2_3.php 33962 SUSE-SA:2007:032 GLSA-200710-02 DSA-1283 SSA:2007-152-01 GLSA-200705-19 27110 27102 27037 26231 25535 25445 25062 25057 25056 SSRT071447 SonicBB 1.0 allows remote attackers to obtain sensitive information via the (1) by[] parameter to search.php, (2) p[] parameter to viewforum.php, and the (3) id parameter to (a) viewforum.php or (b) members.php, which reveal the installation path in the resulting error message. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2007-1816 33906 http://www.netvigilance.com/advisory0018 34703 34702 34701 20070514 SonicBB version 1.0 Multiple Path Disclosure Vulnerabilities sonicbb-multiple-path-disclosure(34259) 20070514 SonicBB version 1.0 Multiple Path Disclosure Vulnerabilities 25279 Multiple SQL injection vulnerabilities in SonicBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) part and (2) by parameters to (a) search.php, or the (2) id parameter to (b) viewforum.php. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2007-1816 33907 http://www.netvigilance.com/advisory0019 20070514 SonicBB version 1.0 Multiple SQL Injection Vulnerabilities sonicbb-search-sql-injection(34258) 23964 20070514 SonicBB version 1.0 Multiple SQL Injection Vulnerabilities 25279 Cross-site scripting (XSS) vulnerability in search.php in SonicBB 1.0 allows remote attackers to inject arbitrary web script or HTML via the part parameter. Successful exploitation requires that "magic_quotes_gpc" is disabled. ADV-2007-1816 34042 http://www.netvigilance.com/advisory0020 20070514 SonicBB version 1.0 XSS Attack Vulnerabilities sonicbb-search-xss(34256) 23963 20070514 SonicBB version 1.0 XSS Attack Vulnerabilities 25279 Directory traversal vulnerability in AOL Instant Messenger (AIM) 5.9 and earlier, and ICQ 5.1 and probably earlier, allows user-assisted remote attackers to write files to arbitrary locations via a .. (dot dot) in a filename in a file transfer operation. ADV-2007-1307 ADV-2007-1306 23391 20070409 AOL AIM and ICQ File Transfer Path-Traversal Vulnerability aim-icq-filetransfer-directory-traversal(33538) 1017891 1017890 24803 24747 Cross-site scripting (XSS) vulnerability in auth.php in Pineapple Technologies QuizShock 1.6.1 and earlier allows remote attackers to inject arbitrary web script or HTML via encoded special characters in the forward_to parameter, as demonstrated using "&lt;&quot;&lt;". quizshock-auth-xss(33523) ADV-2007-1319 23368 2554 24831 http://john-martinelli.com/work/quizshock.txt 20070408 QuizShock 1.6.1 - Cross-Site Scripting Vulnerability Directory traversal vulnerability in richedit/keyboard.php in eCardMAX HotEditor (Hot Editor) 4.0, and the HotEditor plugin for MyBB, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the first parameter. hoteditor-keyboard-file-include(33521) ADV-2007-1315 23377 20070409 Hot Editor v4.0 Local File Inclusion 20070409 Mybb Hot Editor Plugin Local File Inclusion http://www.expw0rm.com/mybb-hot-editor-plugin-local-file-inclusion_no114.html http://www.expw0rm.com/hot-editor-v40-local-file-inclusion_no113.html 34776 2533 24825 PHP remote file inclusion vulnerability in warn.php in Pathos Content Management System (CMS) 0.92-2 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. ADV-2007-1321 3696 37394 pathoscms-warn-file-include(33536) 23393 PHP file inclusion vulnerability in php121db.php in PHP121 Instant Messenger 2.2 allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the php121dir parameter, which is accessed by the file_exists function. ADV-2007-1314 3694 34720 php121-php121db-file-include(33525) 23392 24818 SQL injection vulnerability in login.php in Ryan Haudenschilt Battle.net Clan Script for PHP 1.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) user or (2) pass parameter. ADV-2007-1313 23383 3691 34747 24838 Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted document, as demonstrated by file789-1.doc. 23380 3690 1017902 Multiple unspecified vulnerabilities in Microsoft Word 2007 allow remote attackers to cause a denial of service (CPU consumption) via crafted documents, as demonstrated by (1) file798-1.doc and (2) file613-1.doc, possibly related to a buffer overflow. 3690 Heap-based buffer overflow in Microsoft Windows allows user-assisted remote attackers to have an unknown impact via a crafted .HLP file. 23382 3693 1017901 The TRUSTED_SYSTEM_SECURITY function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to verify the existence of users and groups on systems and domains via unspecified vectors, a different vulnerability than CVE-2006-6010. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. sap-rfc-syssecurity-information-disclosure(33423) ADV-2007-1270 23305 20070404 CYBSEC Pre-Advisory: SAP TRUSTED_SYSTEM_SECURITY RFC Function Information Disclosure http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_TRUSTED_SYSTEM_SECURITY_RFC_Function_Information_Disclosure.pdf 24722 2535 The RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to obtain sensitive information (external RFC server configuration data) via unspecified vectors, a different vulnerability than CVE-2006-6010. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_PROGRAM_RFC_Function_Multiple_Vulnerabilities.pdf sap-rfc-startprogram-information-disclosure(33422) ADV-2007-1270 23313 20070404 CYBSEC Security Pre-Advisory: SAP RFC_START_PROGRAM RFC Function Multiple Vulnerabilities 24722 2538 Buffer overflow in the RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. sap-rfc-startprogram-bo(33421) ADV-2007-1270 23313 20070404 CYBSEC Security Pre-Advisory: SAP RFC_START_PROGRAM RFC Function Multiple Vulnerabilities http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_PROGRAM_RFC_Function_Multiple_Vulnerabilities.pdf 24722 2538 Buffer overflow in the RFC_START_GUI function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. sap-rfc-startgui-bo(33420) ADV-2007-1270 23304 20070404 CYBSEC Security Pre-Advisory: SAP RFC_START_GUI RFC Function Buffer Overflow http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_GUI_RFC_Function_Buffer_Overflow.pdf 24722 2537 Buffer overflow in the SYSTEM_CREATE_INSTANCE function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. sap-rfc-createinstance-bo(33416) ADV-2007-1270 23307 20070404 CYBSEC Security Pre-Advisory: SAP SYSTEM_CREATE_INSTANCE RFC Function Buffer Overflow http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_SYSTEM_CREATE_INSTANCE_RFC_Function_Buffer_Overflow.pdf 24722 2536 The RFC_SET_REG_SERVER_PROPERTY function in the SAP RFC Library 6.40 and 7.00 before 20070109 implements an option for exclusive access to an RFC server, which allows remote attackers to cause a denial of service (client lockout) via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. sap-rfc-setregserverproperty-dos(33418) ADV-2007-1270 23309 20070404 CYBSEC Security Pre-Advisory: SAP RFC_SET_REG_SERVER_PROPERTY RFC Function Denial Of Service http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_SET_REG_SERVER_PROPERTY_RFC_Function_Denial_of_Service.pdf 24722 2540 Cross-site scripting (XSS) vulnerability in index.php in Arizona Dream Livre d'or (livor) 2.5 allows remote attackers to inject arbitrary web script or HTML via the page parameter. livor-index-xss(33490) 23353 20070406 livor 2.5 Cross-Site Scripting Vulnerability 35280 SQL injection vulnerability in index.php in the aktualnosci module in SmodBIP 1.06 and earlier allows remote attackers to execute arbitrary SQL commands via the zoom parameter, possibly related to home.php. smodbip-index-sql-injection(33476) ADV-2007-1298 23356 3678 24802 34745 LIBSNDFILE.DLL, as used by AOL Nullsoft Winamp 5.33 and possibly other products, allows remote attackers to execute arbitrary code via a crafted .MAT (MATLAB sound) file that contains a value that is used as an offset, which triggers memory corruption. To exploit this issue, an attacker must entice an unsuspecting user to use the affected application to open a specially crafted file. ADV-2007-1286 23351 20070406 AOL Nullsoft Winamp LIBSNDFILE.DLL Remote Memory Corruption (Off By Zero) http://www.piotrbania.com/all/adv/nullsoft-winamp-libsndfile-adv.txt 34432 winamp-libsndfile-code-execution(33481) 1017886 2541 24766 [dailydave] 20070406 AOL Nullsoft Winamp LIBSNDFILE.DLL Remote Memory Corruption (Off By Zero) The Impulse Tracker (IT) and ScreamTracker 3 (S3M) modules in IN_MOD.DLL in AOL Nullsoft Winamp 5.33 allows remote attackers to execute arbitrary code via a crafted (1) .IT or (2) .S3M file containing integer values that are used as memory offsets, which triggers memory corruption. http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt winamp-inmod-code-execution(33480) ADV-2007-1286 1017886 23350 20070406 AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption 20070406 AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt 34431 34430 [dailydave] 20070406 AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption [dailydave] 20070406 AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption 2532 (1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. 23352 20070406 ACLS ineffective in SQL-Ledger and LedgerSMB 38218 38217 sqlledger-acl-weak-security(33494) 2552 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in phpContact allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) contact_business.php or (2) contact_person.php. NOTE: this issue is disputed by CVE and a reliable third party, because include_path is initialized to a fixed value before use. 20070406 phpContact Multiple Remote File Inclusion Vulnerabilities 20070406 false: phpContact Multiple Remote File Inclusion Vulnerabilities 2528 The borrado function in modules/Your_Account/index.php in Tru-Zone Nuke ET 3.4 before fix 7 does not verify that account deletion requests come from the account owner, which allows remote authenticated users to delete arbitrary accounts via a modified cookie. http://truzone.org/modules.php?name=Forums&file=viewtopic&p=287012 nukeet-youraccount-data-manipulation(33483) ADV-2007-1285 23354 http://truzone.org/modules.php?name=News&file=article&sid=1613 24800 34665 Cross-site scripting (XSS) vulnerability in JBMC Software DirectAdmin before 1.293 does not properly display log files, which allows remote authenticated users to inject arbitrary web script or HTML via (1) http or (2) ftp requests logged in /var/log/directadmin/security.log; (3) allows context-dependent attackers to inject arbitrary web script or HTML into /var/log/messages via a PHP script that invokes /usr/bin/logger; (4) allows local users to inject arbitrary web script or HTML into /var/log/messages by invoking /usr/bin/logger at the command line; and allows remote attackers to inject arbitrary web script or HTML via remote requests logged in the (5) /var/log/exim/rejectlog, (6) /var/log/exim/mainlog, (7) /var/log/proftpd/auth.log, (8) /var/log/httpd/error_log, (9) /var/log/httpd/access_log, (10) /var/log/directadmin/error.log, and (11) /var/log/directadmin/security.log files. http://www.directadmin.com/versions.php 24728 20070401 DirectAdmin persistant XSS [takeover an Administrator`s account] http://www.directadmin.com/features.php?id=760 2534 Cross-site scripting (XSS) vulnerability in signup.asp in CmailServer WebMail 5.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the POP3Mail parameter. 23360 20070407 CmailServer WebMail <= V.5.3.4 (signup) Remote XSS Exploit 34119 cmailserver-signup-xss(33501) 2529 24812 Directory traversal vulnerability in index.php in witshare 0.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the menu parameter. ADV-2007-1303 23358 20070407 witshare 0.9 Remote File Include Vulnerabilitiy witshare-index-file-include(33496) 2539 24813 Directory traversal vulnerability in downloadpic.php in Beryo 2.0, and possibly other versions including 2.4, allows remote attackers to read arbitrary files via a .. (dot dot) in the chemin parameter. beryo-downloadpic-directory-traversal(33479) ADV-2007-1296 23387 3676 24811 34778 Directory traversal vulnerability in download2.php in cattaDoc 2.21, and possibly other versions including 3.0, allows remote attackers to read arbitrary files via a .. (dot dot) in the fn1 parameter. cattadoc-download2-directory-traversal(33474) ADV-2007-1297 23390 3677 24807 34736 SQL injection vulnerability in index.php in the slownik module in SmodCMS 2.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ssid parameter. smodcms-ssid-sql-injection(33477) ADV-2007-1299 3679 37395 Directory traversal vulnerability in scarnews.inc.php in ScarNews 1.2.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sn_admin_dir parameter. ADV-2007-1304 3687 scarnews-scarnewsinc-file-include(33492) 23375 24796 Multiple directory traversal vulnerabilities in PcP-Guestbook (PcP-Book) 3.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to (1) index.php, (2) gb.php, or (3) faq.php. pcpguestbook-lang-file-include(33491) 38461 38460 38459 Directory traversal vulnerability in member.php in the eBoard 1.0.7 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[name] parameter. ADV-2007-1301 3683 34806 eboard-member-file-include(33493) 23365 24806 PHP file inclusion vulnerability in admin/index.php in ScarAdControl (ScarAdController) 1.1 allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the site parameter, which is accessed by the file_exists function. 3682 37403 PHP remote file inclusion vulnerability in scaradcontrol.php in ScarAdControl (ScarAdController) 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the sac_config_dir parameter. 3682 37547 PHP remote file inclusion vulnerability in smilies.php in Scorp Book 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the config parameter. ADV-2007-1300 3681 34754 scorp-smilies-file-include(33495) 20070408 Scorp Book <== v1.0 (smilies.php) Remote File Include Exploit 24809 Ichitaro 2005 through 2007, and possibly related products, allows remote attackers to have an unknown impact via unspecified vectors in a document distributed through e-mail or a web site, possibly due to a buffer overflow or cross-site scripting (XSS). ichitaro-unspecified-code-execution(33507) ADV-2007-1287 1017887 23386 http://www.justsystem.co.jp/info/pd7002.html http://vil.mcafeesecurity.com/vil/content/v_141950.htm 24780 34759 Cross-site scripting (XSS) vulnerability in the embedded webserver in Daniel Naber LanguageTool before 0.8.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message, possibly the demultiplex method in HTTPServer.java. ADV-2007-1759 http://www.danielnaber.de/languagetool/download/CHANGES.txt IBM Tivoli Business Service Manager (TBSM) 4.1 before Interim Fix 1 logs passwords in plaintext, which allows local users to obtain sensitive information by reading (1) ncisetup.db or (2) msi.log. ADV-2007-1248 1017869 23298 IY96572 24763 34770 Cross-site scripting (XSS) vulnerability in the Active Content Filter feature in Domino Web Access (DWA) in IBM Lotus Notes before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to inject arbitrary web script or HTML via a multipart/related e-mail message, a different issue than CVE-2006-4843. 1017870 http://www.intrinsec.com/Advisory_DWA_XSS_200704.txt http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21247201 23421 Integer overflow in FastStone Image Viewer 2.9 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image, as demonstrated by wh3intof.bmp and wh4intof.bmp. 23312 20070404 Several Windows image viewers vulnerabilities 24784 34664 http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html 2558 Integer overflow in ACDSee Photo Manager 9.0 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via large width image sizes in a crafted BMP image, as demonstrated by w3intof.bmp and w4intof.bmp. ADV-2007-1283 23317 20070404 Several Windows image viewers vulnerabilities 24779 34663 http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html http://www.acdsee.com/support/knowledgebase/article?id=2800 2558 The Java Message Service (JMS) in IBM WebSphere Application Server (WAS) before 6.1.0.7 allows attackers to cause a denial of service via unknown vectors involving the "double release [of] a bytebuffer input stream," possibly a double free vulnerability. http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27007951#6107 ADV-2007-1282 24852 Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact and attack vectors. PK36447 http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27007951#6107 websphere-servlet-information-disclosure(33471) ADV-2007-1282 24852 41605 Integer overflow in Windows Explorer in Microsoft Windows XP SP1 might allow user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large width dimension in a crafted BMP image, as demonstrated by w4intof.bmp. 23321 20070404 Several Windows image viewers vulnerabilities 41553 http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html 2558 Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.04 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome by overwriting the toString function via a certain function declaration, related to incorrect identification of anonymous JavaScript functions, a different issue than CVE-2007-1878. http://larholm.com/2007/04/06/more-0day-in-firebug/#comment-6 20070406 Re: Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug http://larholm.com/2007/04/06/more-0day-in-firebug/ Buffer overflow in IrfanView 3.99 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via the (1) xoffset or (2) yoffset RLE command, or (3) large non-RLE encoded blocks in a crafted BMP image, as demonstrated by rle8of3.bmp and rle8of4.bmp. ADV-2007-1284 20070404 Several Windows image viewers vulnerabilities 41554 http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html 2558 Session fixation vulnerability in WebBlizzard CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. webblizzardcms-cookie-session-hijack(33499) 20070407 [MajorSecurity Advisory #42]webblizzard CMS - Cross Site Scripting and Session fixation Issues http://www.majorsecurity.de/index_2.php?major_rls=major_rls42 2557 Cross-site scripting (XSS) vulnerability in index_cms.php in WebBlizzard CMS allows remote attackers to inject arbitrary web script or HTML via the Suchzeile parameter. 20070407 [MajorSecurity Advisory #42]webblizzard CMS - Cross Site Scripting and Session fixation Issues http://www.majorsecurity.de/index_2.php?major_rls=major_rls42 webblizzardcms-indexcms-xss(33498) 2557 Session fixation vulnerability in onelook obo Shop allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. oboshop-phpsessid-security-bypass(33500) 20070406 [MajorSecurity Advisory #40]onelook oboShop - Session fixation Issue http://www.majorsecurity.de/index_2.php?major_rls=major_rls40 Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. onebyonecms-phpsessid-security-bypass(33497) 20070406 [MajorSecurity Advisory #39]onelook onebyone CMS - Session fixation Issue http://www.majorsecurity.de/index_2.php?major_rls=major_rls39 2546 Session fixation vulnerability in onelook courts on-line allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. courtsonline-phpsessid-security-bypass(33502) 20070406 [MajorSecurity Advisory #41]onelook courts online - Session fixation Issue http://www.majorsecurity.de/index_2.php?major_rls=major_rls41 Multiple directory traversal vulnerabilities in ArchiveXpert 2.02 build 80 allow remote attackers to create files in arbitrary directories via a .. (dot dot) in a (1) .gz, (2) .jar, (3) .rar, (4) .tar.gz, (5) .zip, or (6) .tar file. ADV-2007-1311 http://www.bugtraq.ir/articles/advisory/archivexpert_directory_traversal/8 24827 archivexpert-archive-directory-traversal(33539) 23372 Multiple stack-based buffer overflows in the SignKorea SKCrypAX ActiveX control module 5.4.1.2 allow remote attackers to execute arbitrary code via a long string in unspecified arguments to the (1) DownloadCert, (2) DecryptFileByKey, and (3) EncryptFileByKey functions, a different module and vectors than CVE-2007-1722. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 24820 34322 23374 SQL injection vulnerability in ubbthreads.php in Groupee UBB.threads 6.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the C parameter. 20070408 UBB.threads (<= 6.1.1) SQL Injection Vulnerability ubbthreads-ubbthreads-sql-injection(33509) 23369 2545 Multiple PHP remote file inclusion vulnerabilities in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) allow remote attackers to execute arbitrary PHP code via a URL in the pageAll parameter to index.php in (1) template/Vert/, or (2) template/Noir/. 20070408 Gsylvain35 Portail Web Remote File Include Vulnerabilities 35290 2543 Buffer overflow in TinyMUX before 2.4 allows attackers to cause a denial of service via unspecified vectors related to "too many substring matches in a regexp $-command." NOTE: some of these details are obtained from third party information. ADV-2007-1213 http://www.tinymux.org/changes.txt Unspecified vulnerability in the process_cmdent function in command.cpp in TinyMUX before 2.4 has unknown impact and attack vectors, related to lack of the "'other half' of buffer overflow protection." ADV-2007-1213 http://www.tinymux.org/changes.txt SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7downloads) 1.0 module for XOOPS, and possibly other versions up to 1.10, allows remote attackers to execute arbitrary SQL commands via the lid parameter. 23320 3666 24790 34460 PHP remote file inclusion vulnerability in mutant_functions.php in the Mutant 0.9.2 portal for phpBB 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. ADV-2007-1265 23319 3665 37396 SQL injection vulnerability in index.php in the WF-Snippets 1.02 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the c parameter in a cat action. xoops-wfsnippets-index-sql-injection(33425) ADV-2007-1263 3663 24781 34459 SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775. 24689 ADV-2007-1244 20070403 MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit 3653 34657 http://community.mybboard.net/showthread.php?tid=18002 http://community.mybboard.net/attachment.php?aid=5842 member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output. 20070330 Mybb Change Password Vulnerability 2544 Multiple cross-site scripting (XSS) vulnerabilities in eXV2 CMS 2.0.4.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the set_lang parameter to (1) archive.php, (2) article.php, (3) index.php, or (4) topics.php. 23314 http://www.majorsecurity.de/index_2.php?major_rls=major_rls38 20070404 [MajorSecurity Advisory #38]eXV2 CMS - Session fixation and Cross-Site-Scripting Issues Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie. http://www.majorsecurity.de/index_2.php?major_rls=major_rls38 20070404 [MajorSecurity Advisory #38]eXV2 CMS - Session fixation and Cross-Site-Scripting Issues ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in stat12 allows remote attackers to execute arbitrary PHP code via a URL in the langpath parameter. NOTE: this issue was published by an unreliable researcher, and there is little information to determine which product is actually affected. This is probably an invalid report based on analysis by CVE and a third party. 20070403 Remote File Include In Script stat12 20070411 [false] Remote File Include In Script stat12 20070403 [false] Remote File Include In Script stat12 2555 PHP remote file inclusion vulnerability in games.php in Sam Crew MyBlog, possibly 1.0 through 1.6, allows remote attackers to execute arbitrary PHP code via a URL in the scoreid parameter. ADV-2007-1302 23311 20070404 MyBlog: PHP and MySQL Blog/CMS software Remote File Include Vulnerabilitiy 20070410 True: MyBlog games.php RFI 3685 2548 Cross-site scripting (XSS) vulnerability in admin/modify.php in Sam Crew MyBlog remote attackers to inject arbitrary web script or HTML via the id parameter. 20070404 MyBlog: PHP and MySQL Blog/CMS software Cross-Site Scripting Vulnerabilitiy 2549 Mozilla Firefox does not warn the user about HTTP elements on an HTTPS page when the HTTP elements are dynamically created by a delayed document.write, which allows remote attackers to supply unauthenticated content and conduct phishing attacks. 20070404 Mozilla Firefox Insecure Element Stealth Injection Vulnerability 34536 SQL injection vulnerability in fotokategori.asp in Gazi Okul Sitesi 2007 allows remote attackers to execute arbitrary SQL commands via the query string. 23316 20070404 Gazi Okul Sitesi 2007(tr)(fotokategori.asp) Remote SQL Injection 35266 2547 ** DISPUTED ** PatrolAgent.exe in BMC Performance Manager does not require authentication for requests to modify configuration files, which allows remote attackers to execute arbitrary code via a request on TCP port 3181 for modification of the masterAgentName and masterAgentStartLine SNMP parameters. NOTE: the vendor disputes this vulnerability, stating that it does not exist when the system is properly configured. http://www.zerodayinitiative.com/advisories/ZDI-07-020.html ADV-2007-1458 23559 20070418 ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability 1017935 20070419 Re: ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability 2599 Race condition in the Virtual DOS Machine (VDM) in the Windows Kernel in Microsoft Windows NT 4.0 allows local users to modify memory and gain privileges via the temporary \Device\PhysicalMemory section handle, a related issue to CVE-2007-1206. 20070410 EEYE: Windows VDM Zero Page Race Condition Privilege Escalation http://research.eeye.com/html/advisories/published/AD20070410a.html 37635 2563 SQL injection vulnerability in the getArticle function in class/wfsarticle.php in WF-Section (aka WF-Sections) 1.0.1, as used in Xoops modules such as (1) Zmagazine 1.0, (2) Happy Linux XFsection 1.07 and earlier, and possibly other modules, allows remote attackers to execute arbitrary SQL commands via the articleid parameter to print.php. http://www.xoops.org/modules/news/article.php?storyid=3717 http://addons.zarilia.com/index.php?page_type=static&id=43 xoops-xfsection-print-sql-injection(33380) xoops-zmagazine-print-sql-injection(33379) xoops-wfsection-print-sql-injection(33378) http://www.xoops.org/modules/newbb/viewtopic.php?viewmode=flat&order=ASC&topic_id=58229&forum=4&move=next&topic_time=1176217411 ADV-2007-1209 ADV-2007-1208 ADV-2007-1207 23261 23259 23258 3646 3645 3644 20070411 WF-Sections SQL injection vendor ack; shows up in other modules 52230 41387 20080218 XOOPS Module section SQL Injection(articleid) Multiple PHP remote file inclusion vulnerabilities in SLAED CMS 2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) path parameter to admin/admin.php or the (2) modpath parameter to index.php. slaed-index-admin-file-include(33343) 20070331 Remot File Include In SLAED_CMS_2 35221 35220 2567 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in the Virii Info 1.10 and earlier module for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter. NOTE: the issue has been disputed by a reliable third party, stating that the application's checkSuperglobals function defends against the attack. xoops-virii-index-file-include(33368) ADV-2007-1206 3642 20070403 Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit] 20070403 Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit] 37429 Cross-site scripting (XSS) vulnerability in index_cms.php in holaCMS 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the acuparam parameter. http://www.majorsecurity.de/index_2.php?major_rls=major_rls37 24656 34685 holacms-indexcms-xss(33392) 23288 20070403 [MajorSecurity Advisory #37]HolaCMS - Cross Site Scripting Issue SQL injection vulnerability in index.php in the Arcade 1.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view_game_list action. phpfusion-arcade-index-sql-injection(33361) ADV-2007-1205 3640 37410 SQL injection vulnerability in index.php in the PopnupBlog 2.52 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the postid parameter, possibly involving the get_blogid_from_postid function in class/PopnupBlogUtils.php. NOTE: later versions such as 3.03 and 3.05 might also be affected. ADV-2007-1206 23286 3655 24761 SQL injection vulnerability in index.php in the Topliste 1.0 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter. phpfusion-topliste-index-sql-injection(33364) ADV-2007-1204 23256 3639 37411 The safevoid_vsnprintf function in Metamod-P 1.19p29 and earlier on Windows allows remote attackers to cause a denial of service (daemon crash) via a long meta list command. http://sourceforge.net/forum/forum.php?forum_id=681753 ADV-2007-1247 http://sourceforge.net/project/shownotes.php?release_id=498782 24738 Multiple PHP remote file inclusion vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) __IncludeFilePHPClass, (2) __ClassPath, and (3) __class parameters to (a) rspa/framework/Controller_v5.php, and (b) rspa/framework/Controller_v4.php. rspa-controller-file-include(33356) ADV-2007-1190 23246 3641 http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6 24671 PHP remote file inclusion vulnerability in include/default_header.php in Cyboards PHP Lite 1.21 allows remote attackers to execute arbitrary PHP code via a URL in the script_path parameter, a different vector than CVE-2006-2871. cyboards-defaultheader-file-include(33406) 23306 3660 20070411 Cyboards PHP RFI: true for 1.21, fixed in at least 1.25 35300 PHP remote file inclusion vulnerability in index.php in lite-cms 0.2.1 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. 20070404 lite-cms-0.2.1 Remote File Include Vulnerabilities 2559 Multiple PHP remote file inclusion vulnerabilities in phpexplorator.php in phpexplorator 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) cmd or (2) lang_path parameter. 20070404 Remot File Include In phpexplorator_2_0 2564 Multiple PHP remote file inclusion vulnerabilities in barnraiser AROUNDMe 0.7.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) language_path_core parameter to inc/core_profile.header.php, the (2) template_path_core parameter to template/barnraiser_01/maint_contact_view.tpl.php, and the (3) template_path parameter to template/barnraiser_01/default.tpl.php. NOTE: this issue might overlap CVE-2006-5533. ADV-2007-1262 23303 3659 34625 34624 34623 aroundme-multiple-file-include(33427) 24773 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in PHPEcho CMS 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _plugin_file parameter to smarty/internals/core.load_pulgins.php or the (2) root_path parameter to index.php. NOTE: CVE disputes (1) because the inclusion occurs within a function that is not called during a direct request. CVE disputes (2) because root_path is defined in config.php before use. 20070404 phpechocms2 Remote File Include Vulnerabilities 34117 2551 Cross-site scripting (XSS) vulnerability in kernel/filters.inc.php in PHPEcho CMS 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. 20070404 phpechocms v.2 Cross-Site Scripting Vulnerabilitiy 35262 2550 Multiple cross-site scripting (XSS) vulnerabilities in DotClear before 1.2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post_id parameter to ecrire/trackback.php or the (2) tool_url parameter to tools/thememng/index.php. NOTE: some of these details are obtained from third party information. http://www.dotclear.net/log/post/2007/04/10/Dotclear-126 http://www.dotclear.net/forum/viewtopic.php?id=26573 ADV-2007-1338 24829 dotclear-tools-xss(33616) dotclear-trackback-xss(33615) 23411 20070412 Dotclear 1.* Cross Site Scripting Vulnerability PHP remote file inclusion vulnerability in games.php in Sam Crew MyBlog, possibly 1.0 through 1.6, allows remote attackers to execute arbitrary PHP code via a URL in the id parameter, a different vector than CVE-2007-1968. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1302 37432 Cross-site scripting (XSS) vulnerability in mail/signup.asp in CmailServer WebMail 5.4.3, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the Comment parameter, a different vector than CVE-2007-1927. cmailserver-signup-xss(33501) 23363 24812 Multiple PHP remote file inclusion vulnerabilities in the com_zoom 2.5 beta 2 and earlier module for Mambo allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) EXIF_Makernote.php or (2) EXIF.php in classes/iptc/. ADV-2007-1353 23415 3706 zmg-exif-file-include(33580) Buffer overflow in the pfs_mountd.rpc RPC daemon in the Portable File System (PFS) in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to execute arbitrary code by sending "a call to procedure 5, followed by a crafted payload to procedure 2." HPSBUX02203 ADV-2007-1343 1017893 23401 24855 oval:org.mitre.oval:def:5751 20070412 Hewlett Packard HP-UX Remote pfs_mountd.rpc Buffer Overflow Vulnerability HPSBUX02203 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.00 allows local users to cause a denial of service via unknown vectors. NOTE: due to lack of vendor details, it is not clear whether this is the same as CVE-2007-0916. SSRT061120 ADV-2007-1358 1017892 23410 oval:org.mitre.oval:def:5624 HPSBUX02205 bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read. quagga-bgpattributes-dos(33547) ADV-2008-1195 ADV-2007-1336 USN-461-1 2007-0017 1018142 23417 RHSA-2007:0389 http://www.quagga.net/news2.php?y=2007&m=4&d=8#id1176073740 OpenPKG-SA-2007.015 SUSE-SR:2007:009 MDKSA-2007:096 DSA-1293 236141 GLSA-200705-05 29743 25428 25312 25293 25255 25119 25084 24808 oval:org.mitre.oval:def:11048 http://bugzilla.quagga.net/show_bug.cgi?id=355 http://bugzilla.quagga.net/show_bug.cgi?id=354 PHP remote file inclusion vulnerability in codebreak.php in CodeBreak, probably 1.1.2 and earlier, allows remote attackers to execute arbitrary PHP code via a URL in the process_method parameter. ADV-2007-1355 23425 20070411 CodeBreak (codebreak.php process_method) - Remote File Inclusion Vulnerability 2562 24846 Integer signedness error in the (1) cab_unstore and (2) cab_extract functions in libclamav/cab.c in Clam AntiVirus (ClamAV) before 0.90.2 allow remote attackers to execute arbitrary code via a crafted CHM file that contains a negative integer, which passes a signed comparison and leads to a stack-based buffer overflow. 23473 http://sourceforge.net/project/shownotes.php?release_id=500765 24891 clamav-cabunstore-cabextract-bo(33637) ADV-2008-0924 ADV-2007-1378 20070416 Clam AntiVirus ClamAV CAB File Unstore Buffer Overflow Vulnerability 2007-0013 1017921 SUSE-SA:2007:026 MDKSA-2007:098 DSA-1281 http://support.novell.com/techcenter/psdb/50a5cb718f20761dd7e0b6b4e0935c52.html GLSA-200704-21 29420 25189 25028 25022 24996 24946 24920 APPLE-SA-2008-03-18 http://docs.info.apple.com/article.html?artnum=307562 Direct static code injection vulnerability in HIOX Guest Book (HGB) 4.0 allows remote attackers to inject arbitrary PHP code via the Email field, which results in code execution through a direct request to gb.php. ADV-2007-1333 3697 hgb-gb-command-execution(33540) 24835 PHP remote file inclusion vulnerability in index.php in Weatimages 1.7.1 and earlier, when weatimages.ini is missing, allows remote attackers to execute arbitrary PHP code via a URL in the ini[langpack] parameter. ADV-2007-1335 3700 34807 weatimages-index-file-include(33553) 24863 Multiple SQL injection vulnerabilities in admin/admin.php in Crea-Book 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter. ADV-2007-1344 3701 creabook-admin-sql-injection(33555) 34816 24862 Multiple direct static code injection vulnerabilities in admin/configurer2.php in Crea-Book 1.0 and earlier allow remote authenticated administrators to execute arbitrary PHP code via the "Fond de la page" (background color) field and other unspecified fields, which injects into config.inc.php3. 3701 34817 24862 InoutMailingListManager 3.1 and earlier allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by setting an arbitrary admin cookie. ADV-2007-1345 3702 24842 InoutMailingListManager 3.1 and earlier sends a Location redirect header but does not exit after an authorization check fails, which allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by ignoring the redirect. ADV-2007-1345 3702 24842 Multiple SQL injection vulnerabilities in InoutMailingListManager 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to changename.php and other unspecified vectors. ADV-2007-1345 3702 24842 Multiple PHP remote file inclusion vulnerabilities in the Taskhopper 1.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) contact_type.php, (2) itemstatus_type.php, (3) projectstatus_type.php, (4) request_type.php, (5) responses_type.php, (6) timelog_type.php, or (7) urgency_type.php in inc/. taskhopper-mosconfigabsolute-file-include(33552) ADV-2007-1346 23408 3703 34801 34800 34799 34798 34797 34796 34795 20070411 Confirm: Joomla/Mambo Component Taskhopper 1.1 RFI Vulnerabilities Multiple SQL injection vulnerabilities in login.php in pL-PHP beta 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) login or (2) pass parameter. ADV-2007-1352 3704 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities admin.php in pL-PHP beta 0.9 allows remote attackers to bypass authentication by setting the is_admin parameter to 1. ADV-2007-1352 3704 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities Directory traversal vulnerability in admin.php in pL-PHP beta 0.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. ADV-2007-1352 3704 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities PHP remote file inclusion vulnerability in index.php in SimpCMS Light 04.10.2007 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the site parameter. ADV-2007-1348 3705 20070412 true: SimpCMS Light RFI simpcms-index-file-include(33572) 23439 20070411 New bug :) 24851 Double free vulnerability in bftpd before 1.8 allows remote authenticated users to cause a denial of service (daemon crash) via a (1) get or (2) mget command. 24864 bftpd-getmget-dos(33594) ADV-2007-1347 23406 34889 http://bftpd.sourceforge.net/downloads/CHANGELOG http://bftpd.sourceforge.net/ Cross-site scripting (XSS) vulnerability in login.php in DeskPro 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter. ADV-2007-1320 23381 20070408 DeskPRO v2.0.1 - Cross-Site Scripting Vulnerability 24844 34721 2556 http://john-martinelli.com/work/deskpro.txt Multiple directory traversal vulnerabilities in MimarSinan CompreXX 4.1 allow remote attackers to create files in arbitrary directories via a .. (dot dot) in a (1) .rar, (2) .jar or (3) .zip archive. ADV-2007-1312 23362 http://www.bugtraq.ir/articles/advisory/comprexx_directory_traversal/7 24840 comprexx-archive-directory-traversal(33551) Cross-site scripting (XSS) vulnerability in index.php in JEx-Treme Einfacher Passworschutz allows remote attackers to inject arbitrary web script or HTML via the msg parameter. Einfacher-passwortschutz-msg-xss(33542) ADV-2007-1316 35000 http://hackberry.ath.cx/research/1.txt 23395 24922 PHP remote file inclusion vulnerability in include/blocks/week_events.php in MyNews 4.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the myNewsConf[path][sys][index] parameter, a different vector than CVE-2007-0633. ADV-2007-1317 37425 http://hackberry.ath.cx/research/3.txt PHP remote file inclusion vulnerability in index.php in Request It 1.0b allows remote attackers to execute arbitrary PHP code via a URL in the id parameter. ADV-2007-1318 23370 20070409 Request It : Song Request System 1.0b - remote file inclusion 20070411 true: Request It : Song Request System 1.0b RFI 24832 34722 http://hackberry.ath.cx/research/2.txt 2553 Cross-site scripting (XSS) vulnerability in mysql/phpinfo.php in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the lang[] parameter. 20070408 phpMyAdmin 2.6.1 Local Cross Site Scripting 35049 2560 siteadmin/useredit.php in AlstraSoft Video Share Enterprise does not check authentication, which allows remote attackers to obtain or modify user information via a direct request. ADV-2007-1331 23409 24836 alstrasoft-vse-useredit-insecure-permissions(33548) 20070710 Vendor ACK: CVE-2007-2017 (AlstraSoft useredit.php auth bypass) http://www.alstrasoft.com/videoshare_fix.zip http://pridels0.blogspot.com/2007/03/alstrasoft-video-share-enterprise.html SQL injection vulnerability in msg.php in AlstraSoft Video Share Enterprise allows remote authenticated users to execute arbitrary SQL commands via the id parameter. ADV-2007-1331 23409 24836 alstrasoft-vse-msg-sql-injection(33546) http://pridels0.blogspot.com/2007/03/alstrasoft-video-share-enterprise.html PHP remote file inclusion vulnerability in init.gallery.php in phpGalleryScript 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the include_class parameter. ADV-2007-1334 20070409 phpGalleryScript 1.0 - File Inclusion Vulnerabilities 20070410 false: phpGalleryScript 1.0 - File Inclusion Vulnerabilities 34811 phpgalleryscript-gallery-file-include(33545) 2566 24860 ** DISPUTED ** Unspecified vulnerability in administration.php in xodagallery allows remote attackers to execute arbitrary code via the cmd parameter. NOTE: CVE disputes this vulnerability because administration.php does not use the cmd parameter for inclusion. xodagallery-administration-code-execution(33522) 20070408 xodagallery Remote Code Execution Vulnerability 20070412 probably false: xodagallery execution claim 35291 2561 Multiple PHP remote file inclusion vulnerabilities in Pineapple Technologies Lore 1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang_path parameter to third_party/phpmailer/class.phpmailer.php or the (2) get_plugin_file_path parameter to third_party/smarty/libs/plugins/function.html_checkboxes.php. NOTE: the affected files might be from other software packages, so this might not be a vulnerability in Lore itself. NOTE: (1) might be the same issue as CVE-2006-5734.4. 20070408 Remot File Include In Script Lore v1 2565 Adobe Macromedia Flash Player 7 and 9, when used with Opera before 9.20 or Konqueror before 20070613, allows remote attackers to obtain sensitive information (browser keystrokes), which are leaked to the Flash Player applet. TA07-192A https://issues.rpath.com/browse/RPL-1462 opera-flash-player-unspecified(33595) ADV-2007-4190 ADV-2007-2497 ADV-2007-1361 1017903 23437 RHSA-2007:0494 http://www.opera.com/support/search/view/858/ SUSE-SA:2007:046 SUSE-SA:2007:028 SUSE-SR:2007:012 MDKSA-2007:138 GLSA-200708-01 http://www.adobe.com/support/security/bulletins/apsb07-12.html http://www.adobe.com/support/security/advisories/apsa07-03.html 201506 103167 28068 26860 26357 26118 26027 25933 25894 25669 25662 25432 25027 24877 oval:org.mitre.oval:def:9332 20070602-01-P USB20.dll in Secustick USB flash drive decouples the authorization and file access routines, which allows local users to bypass authentication requirements by altering the return value of the VerifyPassWord function. http://tweakers.net/reviews/683 http://tweakers.net/reviews/682 41592 Unrestricted file upload vulnerability in the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.x allows remote attackers to upload arbitrary PHP files with a (1) php3, (2) php4, or (3) php5 extension. "Successful exploitation requires being logged in and that the webserver is configured to execute PHP scripts with such extensions. In the default configuration of PhpWiki, no registration or validation is necessary to log in." VU#914793 ADV-2007-1400 20070412 RE: Critical phpwiki c99shell exploit 20070412 Re: Critical phpwiki c99shell exploit 20070412 Critical phpwiki c99shell exploit [phpwiki-talk] 20070413 Fwd: Critical phpwiki c99shell exploit 24888 GLSA-200705-16 DSA-1371 26784 25307 Unrestricted file upload vulnerability in the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows remote attackers to upload arbitrary PHP files with a double extension, as demonstrated by .php.3, which is interpreted by Apache as being a valid PHP file. https://sourceforge.net/forum/message.php?msg_id=4249177 [phpwiki-talk] 20070408 Important UpLoad security fix! was [Fwd: [phpwiki - Open Discussion] RE: upload security risk] GLSA-200705-16 DSA-1371 26784 25307 The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS. https://bugs.gentoo.org/show_bug.cgi?id=174217 ADV-2007-2071 20070524 FLEA-2007-0022-1: file http://sourceforge.net/mailarchive/forum.php?thread_name=755AF709E5B77E6EA58479D5%40foxx.lsit.ucsb.edu&forum_name=amavis-user https://issues.rpath.com/browse/RPL-1311 24146 MDKSA-2007:114 GLSA-200704-13 http://www.amavis.org/security/asa-2007-3.txt 25578 25544 25394 24918 Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. An untrusted message catalog might lead to a format-string attack when an attacker tricks user into launching links from a particular directory. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235411 ADV-2007-1686 USN-457-1 23844 GLSA-200706-03 25550 25255 25198 25169 oval:org.mitre.oval:def:9741 35668 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417789 Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures. ADV-2007-1369 http://www.freeradius.org/security.html oval:org.mitre.oval:def:11156 2007-0013 1018042 23466 SUSE-SR:2007:010 MDKSA-2007:085 GLSA-200704-14 25220 25201 24996 24917 24907 24849 RHSA-2007:0338 File descriptor leak in the PDF handler in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service via a crafted PDF file. 23656 DSA-1281 25028 clamav-pdfhandler-dos(34083) MDKSA-2007:098 25189 34916 lharc.c in lha does not securely create temporary files, which might allow local users to read or write files by creating a file before LHA is invoked. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236585 37049 lha-lharc-symlink(34063) 24336 MDKSA-2007:117 25519 Buffer overflow in the HTTP proxy service for 3proxy 0.5 to 0.5.3g, and 0.6b-devel before 20070413, might allow remote attackers to execute arbitrary code via crafted transparent requests. http://3proxy.ru/0.5.3h/Changelog.txt 3proxy-transparent-requests-bo(33841) ADV-2007-1442 23545 20070423 3proxy 0.5.3i bugfix release GLSA-200704-17 25001 24961 Cisco Wireless Control System (WCS) before 4.0.96.0 has a hard-coded FTP username and password for backup operations, which allows remote attackers to read and modify arbitrary files via unspecified vectors related to "properties of the FTP server," aka Bug ID CSCse93014. 20070412 Multiple Vulnerabilities in the Cisco Wireless Control System cisco-wcs-ftp-unauthorized-access(33614) ADV-2007-1367 23460 1017907 24865 34132 Unspecified vulnerability in Cisco Wireless Control System (WCS) before 4.0.81.0 allows remote authenticated users to read any configuration page by changing the group membership of user accounts, aka Bug ID CSCse78596. cisco-wcs-account-privilege-escalation(33612) ADV-2007-1367 23460 20070412 Multiple Vulnerabilities in the Cisco Wireless Control System 1017907 24865 34129 Unspecified vulnerability in Cisco Wireless Control System (WCS) before 4.0.87.0 allows remote authenticated users to gain the privileges of the SuperUsers group, and manage the application and its networks, related to the group membership of user accounts, aka Bug ID CSCsg05190. cisco-wcs-account-privilege-escalation(33612) ADV-2007-1367 23460 34130 20070412 Multiple Vulnerabilities in the Cisco Wireless Control System 1017907 24865 Cisco Wireless Control System (WCS) before 4.0.66.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain network organization data via a direct request for files in certain directories, aka Bug ID CSCsg04301. cisco-wcs-password-information-disclosure(33606) ADV-2007-1367 23460 20070412 Multiple Vulnerabilities in the Cisco Wireless Control System 1017907 24865 34131 The SNMP implementation in the Cisco Wireless LAN Controller (WLC) before 20070419 uses the default read-only community public, and the default read-write community private, which allows remote attackers to read and modify SNMP variables, aka Bug ID CSCse02384. 20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points cisco-wlc-default-snmp(33604) ADV-2007-1368 23461 1017908 34134 Cisco Wireless LAN Controller (WLC) before 3.2.116.21, and 4.0.x before 4.0.155.0, allows remote attackers on a local network to cause a denial of service (device crash) via malformed Ethernet traffic. 20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points cisco-wlc-ethernet-traffic-dos(33607) ADV-2007-1368 23461 1017908 34135 The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller (WLC) before 3.2.193.5, 4.0.x before 4.0.206.0, and 4.1.x allows remote attackers on a local wireless network to cause a denial of service (loss of packet forwarding) via (1) crafted SNAP packets, (2) malformed 802.11 traffic, or (3) packets with certain header length values, aka Bug ID CSCsg36361. cisco-wlc-npu-traffic-dos(33609) ADV-2007-1368 23461 20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points 1017908 34136 The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller (WLC) before 3.2.171.5, 4.0.x before 4.0.206.0, and 4.1.x allows remote attackers on a local wireless network to cause a denial of service (loss of packet forwarding) via (1) crafted SNAP packets, (2) malformed 802.11 traffic, or (3) packets with certain header length values, aka Bug IDs CSCsg15901 and CSCsh10841. 20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points cisco-wlc-npu-traffic-dos(33609) ADV-2007-1368 23461 1017908 34139 34137 Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points before 3.2.185.0, and 4.0.x before 4.0.206.0, have a hard-coded password, which allows attackers with physical access to perform arbitrary actions on the device, aka Bug ID CSCsg15192. 20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points ADV-2007-1368 23461 1017908 cisco-aironet-default-password(33610) 34133 Cisco Wireless LAN Controller (WLC) before 4.0.206.0 saves the WLAN ACL configuration with an invalid checksum, which prevents WLAN ACLs from being loaded at boot time, and might allow remote attackers to bypass intended access restrictions, aka Bug ID CSCse58195. cisco-wlc-acl-weak-security(33611) ADV-2007-1368 23461 20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points 1017908 34138 Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia Lite 1.0.6 and earlier module for Mambo allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) support.html.php or (2) info.html.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1357 37431 37430 Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia (com_mosmedia) 1.08 and earlier module for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) media.tab.php or (2) media.divs.php. ADV-2007-1357 23432 3714 37434 37433 PHP remote file inclusion vulnerability in mod_weather.php in the Antonis Ventouris Weather module for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter. ADV-2007-1356 3712 37435 Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments. 102866 ADV-2007-1375 34901 solaris-ip-packet-dos(33597) 1017911 23468 http://support.avaya.com/elmodocs2/security/ASA-2007-165.htm 24987 24857 oval:org.mitre.oval:def:9127 Multiple CRLF injection vulnerabilities in adclick.php in (a) Openads (phpAdsNew) 2.0.11 and earlier and (b) Openads for PostgreSQL (phpPgAds) 2.0.11 and earlier allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in (1) the dest parameter and (2) the Referer HTTP header. NOTE: some of these details are obtained from third party information. 24876 http://forum.openads.org/index.php?showtopic=503413399&pid=39136 ADV-2007-1364 http://sourceforge.net/project/shownotes.php?release_id=500343 http://sourceforge.net/forum/forum.php?forum_id=685278 CRLF injection vulnerability in www/delivery/ck.php in Openads 2.3 (aka Max Media Manager, MMM) before 0.3.31-alpha-pr3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the destination parameter. NOTE: some of these details are obtained from third party information. http://forum.openads.org/index.php?showtopic=503413399&pid=39136 ADV-2007-1365 Directory traversal vulnerability in /console in the Management Console in webMethods Glue 6.5.1 and earlier allows remote attackers to read arbitrary system files via a .. (dot dot) in the resource parameter. ADV-2007-1363 23423 20070507 Updated: webMethods Security Advisory: Glue console directory traversal vulnerability 20070411 webMethods Glue Management Console Directory Traversal http://www.aushack.com/advisories/200704-webmethods.txt 1017926 20070417 webMethods Security Advisory: Glue console directory traversal vulnerability 2589 24933 Multiple PHP remote file inclusion vulnerabilities in the Calendar Module (com_calendar) 1.5.5 for Mambo allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to (1) com_calendar.php or (2) mod_calendar.php. 23435 3713 37584 37583 Multiple directory traversal vulnerabilities in header.php in RicarGBooK 1.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) a lang cookie or (2) the language parameter. ADV-2007-1370 3718 24858 34909 ricargbook-header-file-include(33596) 23450 Buffer overflow in the parsecmd function in bftpd before 1.8 has unknown impact and attack vectors related to the confstr variable. http://sourceforge.net/project/shownotes.php?release_id=500238&group_id=32077 ADV-2007-1347 34890 Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination. https://issues.rpath.com/browse/RPL-1358 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235093 ADV-2009-3316 ADV-2008-0637 ADV-2007-1465 http://www.vmware.com/security/advisories/VMSA-2009-0016.html 2007-0019 23887 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 20070521 FLEA-2007-0019-1: python RHSA-2008:0629 RHSA-2007:1077 RHSA-2007:1076 http://www.python.org/download/releases/2.5.1/NEWS.txt SUSE-SR:2007:013 MDKSA-2007:099 DSA-1620 37471 31492 31255 28050 28027 25787 25353 25233 25217 25190 oval:org.mitre.oval:def:8353 oval:org.mitre.oval:def:11716 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416934 USN-585-1 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates DSA-1551 29889 29303 29032 [Security-announce] 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates Multiple stack-based buffer overflows in AFFLIB before 2.2.6 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) a long LastModified value in an S3 XML response in lib/s3.cpp; (2) a long (a) path or (b) bucket in an S3 URL in lib/vnode_s3.cpp; or (3) a long (c) EFW, (d) AFD, or (c) aimage file path. NOTE: the aimage vector (3c) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB. The vendor has addressed this issue through a product update: http://www.afflib.org/downloads/ http://www.vsecurity.com/bulletins/advisories/2007/afflib-overflows.txt 23695 20070427 AFFLIB(TM): Multiple Buffer Overflows 35615 35614 35613 afflib-multiple-bo(33961) 2655 Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls in (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/aimage.cpp, (f) aimage/imager.cpp, and (g) tools/afxml.cpp. NOTE: the aimage.cpp vector (e) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB. The vendor has addressed this issue through the following product update: http://www.afflib.org/downloads/ http://www.vsecurity.com/bulletins/advisories/2007/afflib-fmtstr.txt 20070427 AFFLIB(TM): Multiple Format String Injections afflib-multiple-format-string(33969) 2657 AFFLIB 2.2.8 and earlier allows attackers to execute arbitrary commands via shell metacharacters involving (1) certain command line parameters in tools/afconvert.cpp and (2) arguments to the get_parameter function in aimage/ident.cpp. NOTE: it is unknown if the get_parameter vector (2) is ever called. The vendor has addressed this issue through a product update which can be found at: http://www.afflib.org/downloads/ http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt 20070427 AFFLIB(TM): Multiple Shell Metacharacter Injections 35608 afflib-multiple-command-execution(33964) 2656 ** REJECT ** The getlock function in aimage/aimage.cpp in AFFLIB 2.2.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary lock files (aka "time-of-check-time-of-use file race"). NOTE: the researcher has retracted the original advisory, stating that "the portion of vulnerable code is not called in any current version of AFFLIB and is therefore not exploitable." Stack-based buffer overflow in aircrack-ng airodump-ng 0.7 allows remote attackers to execute arbitrary code via crafted 802.11 authentication packets. VU#349828 aircrackng-airodumpng-bo(33626) ADV-2007-1379 23467 20070412 Aircrack-ng (airodump-ng) remote buffer overflow vulnerability http://www.nop-art.net/advisories/airodump-ng.txt 24880 34931 DSA-1280 2584 GLSA-200704-16 24982 24964 Directory traversal vulnerability in Acubix PicoZip 4.02 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the file path in an (1) GZ, (2) TAR, (3) RAR, (4) JAR, or (5) ZIP archive. picozip-archive-directory-traversal(33639) ADV-2007-1377 23471 http://www.bugtraq.ir/articles/advisory/picozip_directory_traversal/9 24868 Multiple buffer overflows in the ESA protocol implementation in eIQnetworks Enterprise Security Analyzer (ESA) 2.5 allow remote attackers to execute arbitrary code via a long parameter to the (1) DELETESEARCHFOLDER, (2) DELTASK, (3) HMGR_CHECKHOSTSCSV, (4) TASKUPDATEDUSER, (5) VERIFYUSERKEY, or (6) VERIFYPWD command. 24881 eiqnetworks-esa-multiple-commands-bo(33646) ADV-2007-1380 20070412 INFIGO-2007-04-05: Enterprise Security Analyzer server remotebuffer overflows http://www.infigo.hr/en/in_focus/advisories/INFIGO-2007-04-05 Cross-zone scripting vulnerability in the Wizz RSS Reader before 2.1.9 extension to Mozilla Firefox allows remote attackers to execute arbitrary Javascript in the browser chrome via the RSS feed DOM. VU#319464 https://addons.mozilla.org/en-US/firefox/addon/424 ADV-2007-1425 http://www.kb.cert.org/vuls/id/MIMG-6ZKP4T http://wizzrss.blat.co.za/2009/11/17/so-much-for-nsiscriptableunescapehtmlparsefragment/ 34534 firefox-wizz-rssfeed-xss(33693) 23523 24913 Cross-site scripting (XSS) vulnerability in check_login.asp in AfterLogic MailBee WebMail Pro 3.4 allows remote attackers to inject arbitrary web script or HTML via the username parameter. mailbee-checklogin-xss(33645) ADV-2007-1416 23481 20070413 [MajorSecurity Advisory #44]MailBee WebMail Pro - Cross Site Scripting Issue http://www.majorsecurity.de/index_2.php?major_rls=major_rls44 34974 2572 24882 Stack-based buffer overflow in VCDGear 3.55 and 3.56 BETA allows user-assisted remote attackers to execute arbitrary code via a long FILE argument in a CUE file. vcdgear-seh-bo(33642) 23475 20070414 VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit 24884 3727 SSH Tectia Server for IBM z/OS before 5.4.0 uses insecure world-writable permissions for (1) the server pid file, which allows local users to cause arbitrary processes to be stopped, or (2) when _BPX_BATCH_UMASK is missing from the environment, creates HFS files with insecure permissions, which allows local users to read or modify these files and have other unknown impact. 24916 ssh-tectia-pid-hfs-privilege-escalation(33699) ADV-2007-1414 http://www.ssh.com/documents/33/SSH_Tectia_Server_5.4.0_zOS_releasenotes.txt 23508 35014 1017913 34998 Multiple PHP remote file inclusion vulnerabilities in Robert Ladstaetter ActionPoll 1.1.0, and possibly 1.1.1, allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG_POLLDB parameter to actionpoll.php or (2) the CONFIG_DB parameter to db/DataReaderWriter.php, different vectors than CVE-2001-1297. 20788 23504 20070415 ActionPoll Script (actionpoll.php) Remote File Include // starhack.org actionpoll-multiple-file-include(33691) 2587 PHP remote file inclusion vulnerability in db/PollDB.php in Robert Ladstaetter ActionPoll 1.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG_DATAREADERWRITER parameter, a different vector than CVE-2001-1297. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 20788 UseBB before 1.0.6 allows remote attackers to obtain sensitive information via a request with unspecified GET or POST parameters to an unspecified script, which reveals the path in an error message. http://www.usebb.net/community/topic.php?id=1541 http://www.netvigilance.com/advisory0016 24837 Multiple PHP remote file inclusion vulnerabilities in Marco Antonio Islas Cruz Web Slider (WebSlider) 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) index.php, (2) modules/pdf.php, (3) plugins/highlight.php, or (4) include/modules.php. webslider-path-file-include(33689) ADV-2007-1397 3745 37439 37438 37437 37436 Multiple PHP remote file inclusion vulnerabilities in the StoreFront mods for Gallery allow remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter to (1) mods/business_functions.php or (2) mods/ui_functions.php. ADV-2007-1423 23516 3749 34970 34969 storefront-functions-file-include(33701) 24890 Directory traversal vulnerability in scr/soustab.php in openMairie 1.11 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dsn[phptype] parameter. ADV-2007-1421 23505 3747 37416 openmairie-soustab-file-include(33700) Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools SunShop Shopping Cart before 3.5.1 allow remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) index.php or (2) checkout.php. sunshop-index-checkout-file-include(33670) ADV-2007-1422 23511 3748 37415 37414 Multiple cross-site scripting (XSS) vulnerabilities in Open-gorotto 2.0a 2006/02/08 edition, 2006/03/19 edition, and 2006/04/07 edition before 20070416 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) pub/modules/d/_top.html; (2) /pub/modules/a/_access.html; (3) _circletop.html or (4) _cir66.html in pub/modules/ci/; or (5) _fri66.html, (6) _inv66.html, (7) _top.html, (8) _friends.html, or (9) _fri33.html in pub/modules/f/. ADV-2007-1398 23507 http://release.open-gorotto.jp/openg_patch_20070416.tar.gz http://release.open-gorotto.jp/ 37601 37600 37599 37598 37597 37596 37595 37594 37593 JVN#84646028 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Ivan Gallery Script 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the dir parameter. NOTE: this issue has been disputed by third party researchers for 0.3, stating that the dir variable is properly initialized before use. 23519 20070416 Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit 35395 20070417 Not Quite: Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit 2580 PHP remote file inclusion vulnerability in index.php in Ivan Gallery Script 0.3 allows remote attackers to execute arbitrary PHP code via a URL in the gallery parameter in a new session. 35396 20070417 Not Quite: Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit Certain programs in containers in ScramDisk 4 Linux before 1.0-1 execute with SUID permissions, which allows local users to gain privileges via mounted containers. scramdisk-mount-privilege-escalation(33674) ADV-2007-1418 23495 http://sourceforge.net/tracker/index.php?func=detail&aid=1696777&group_id=101952&atid=630783 24903 34965 ScramDisk 4 Linux before 1.0-1 does not perform permission checks on mount points, which allows local users to gain privileges by using a system directory as a mount point for a container. http://sourceforge.net/tracker/index.php?func=detail&aid=1696780&group_id=101952&atid=630783 ADV-2007-1418 23495 24903 34966 scramdisk-directory-privilege-escalation(33677) PHP remote file inclusion vulnerability in index.php in Maian Gallery 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, but confirmed by the vendor, stating "this problem existed only briefly in v1.0." maiangallery-pathtofolder-file-include(33692) 20070414 Re: Maian Gallery v1.0 20070414 Maian Gallery v1.0 20070415 false: Maian Gallery v1.0 34149 20070415 Re: phpMyChat-0.14.5 PHP remote file inclusion vulnerability in search.php in Maian Search 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, but confirmed by the vendor, stating "this issue was fixed last year and [no] is longer a problem." 20070414 Re: Maian Search v1.1 20070414 Maian Search v1.1 20070414 false: Maian Search v1.1 34150 20070415 Re: phpMyChat-0.14.5 ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Maian Weblog 3.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, since the path_to_folder variable is initialized before use. 20070414 Maian Weblog v3.1 35360 20070415 false: Maian Weblog v3.1 maianweblog-pathtofolder-file-include(33708) 2582 20070415 Re: phpMyChat-0.14.5 The ADONewConnection Connect function in adodb.php in XAMPP 1.6.0a and earlier for Windows uses untrusted input for the database server hostname, which allows remote attackers to trigger a library buffer overflow and execute arbitrary code via a long host parameter, or have other unspecified impact. NOTE: it could be argued that this is an issue in mssql_connect (CVE-2007-1411.1) in PHP, or an issue in the ADOdb Library, and the proper fix should be in one of these products; if so, then this should not be treated as a vulnerability in XAMPP. Failed exploit attempts will likely crash the webserver, denying service to legitimate users. Additionally, this issue is remotely exploitable only if the installation is not secured as described in the manual. xampp-mssqlconnect-bo(33683) 23491 3738 41594 Multiple SQL injection vulnerabilities in XAMPP 1.6.0a for Windows allow remote attackers to execute arbitrary SQL commands via unspecified vectors in certain test scripts. 3738 37440 MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication requirements via the admin cookie parameter to certain admin files, as demonstrated by admin/settings.php. 23521 20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit 41593 myblog-admin-cookie-authentication-bypass(34025) 2581 Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers. 20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit 35392 myblog-settings-code-execution(33707) 2581 vsdatant.sys in Check Point Zone Labs ZoneAlarm Pro before 7.0.302.000 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (system crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateKey and (2) NtDeleteFile functions. 20070415 ZoneAlarm Multiple insufficient argument validation of hooked SSDT function Vulnerability http://www.matousec.com/info/advisories/ZoneAlarm-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php zonealarm-vsdatant-dos(33664) 35239 2591 ** DISPUTED ** PHP remote file inclusion vulnerability in MobilePublisherphp 1.1.2 allows remote attackers to execute arbitrary PHP code via a URL in the auth_method parameter to (1) index.php, (2) list.php, (3) postreview.php, (4) reindex.php, (5) sections.php, (6) templates.php, (7) userinfo.php, (8) users.php, and (9) view.php in admin/. NOTE: this issue has been disputed by a reliable third party, who states that $auth_method is defined before use. mobilepublisher-authmethod-file-include(33679) 20070414 MobilePublisherphp v1.1.2 Remote File Include Vulnerabilities 35325 2583 20070414 true until installed: MobilePublisherphp v1.1.2 Remote File Include Vulnerabilities Cross-site scripting (XSS) vulnerability in oe2edit.cgi in oe2edit CMS allows remote attackers to inject arbitrary web script or HTML via the q parameter. An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI which indicates a Medium Access Complexity. ADV-2007-1417 23512 http://www.majorsecurity.de/index_2.php?major_rls=major_rls45 24919 34972 oe2editcms-oe2edit-xss(33690) 20070415 [MajorSecurity Advisory #45]oe2edit CMS - Cross Site Scripting and Cookie Manipulation Issue Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9 allow remote attackers to execute arbitrary PHP code via a URL in the bj parameter to (1) who_r.php or (2) who_s.php in reports/. cnstats-whor-file-include(33672) 23501 24902 3741 Multiple PHP remote file inclusion vulnerabilities in CNStats 2.12, when register_globals is enabled and .htaccess is not recognized, allow remote attackers to execute arbitrary PHP code via a URL in the bn parameter to (1) who_r.php or (2) who_s.php in reports/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Successful exploitation requires that "register_globals" is enabled and support for ".htaccess" files is disabled. 24902 cnstats-bn-file-include(33977) Multiple PHP remote file inclusion vulnerabilities in Sitebar 3.3.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) writerFile parameter to index.php and the (2) file parameter to Integrator.php. sitebar-index-integrator-file-include(33688) 20070414 Sitebar 3.3.5 (index.php writerFile)Remote File Include Vulnerabilities 35394 35393 2586 Multiple PHP remote file inclusion vulnerabilities in the Jx Development Article 1.1 and earlier component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to com_articles.php in (1) components/ or (2) classes/html/. newarticle-comarticles-file-include(33663) ADV-2007-1394 23513 3736 20070415 Mambo/Joomla Component New Article Component RFI Cross-site scripting (XSS) vulnerability in index.php in TuMusika Evolution 1.6 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. tumusika-index-xss(33593) ADV-2007-1374 20070412 TuMusika Evolution 1.6 Cross Site Scripting Vulnerabilitiy 24874 2585 PHP remote file inclusion vulnerability in blocks/tsdisplay4xoops_block2.php in tsdisplay4xoops (TSD4XOOPS, aka the TeamSpeak display module) 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the xoops_url parameter. xoops-tsdisplay4xoopsblock2-file-include(33695) ADV-2007-1424 23518 3750 37413 Direct static code injection vulnerability in index.php in Limesoft Guestbook (LS Simple Guestbook) allows remote attackers to inject arbitrary PHP code into posts.txt via the name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2007-1393 Direct static code injection vulnerability in index.php in Limesoft Guestbook (LS Simple Guestbook) 1.0 allows remote attackers to inject arbitrary PHP code into posts.txt via the message parameter. lsguestbook-index-code-execution(33666) ADV-2007-1393 23503 20070415 LS simple guestbook - arbitrary code execution 3735 24904 2590 PHP remote file inclusion vulnerability in index.php in Anthologia 0.5.2 allows remote attackers to execute arbitrary PHP code via a URL in the ads_file parameter. ADV-2007-1427 23524 3751 anthologia-adsfile-file-include(33705) 34083 24908 PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9 allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter, a different vector than CVE-2007-0498. 20070414 MySpeach v1.9 2592 PHP remote file inclusion vulnerability in common.php in Hinton Design PHPHD Download System (phphd_downloads) allows remote attackers to execute arbitrary PHP code via a URL in the phphd_real_path parameter. NOTE: this issue may be present in versions from 2006. 20070417 Remot File Include In Script phphd_downloads phphd-common-code-execution(33724) 2588 ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in OpenConcept Back-End CMS 0.4.7 allow remote attackers to execute arbitrary PHP code via a URL in the includes_path parameter to (1) click.php or (2) pollcollector.php in htdocs/; or (3) index.php, (4) articlepages.php, (5) articles.php, (6) articleform.php, (7) articlesections.php, (8) createArticlesPage.php, (9) guestbook.php, (10) helpguide.php, (11) helpguideeditor.php, (12) links.php, (13) upload.php, (14) sitestatistics.php, (15) nav.php, (16) tpl_upload.php, (17) linksections, or (18) pophelp.php in htdocs/site-admin