Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name. Patch Information - http://www.samba.org/samba/history/security.html FEDORA-2009-0268 samba-file-system-security-bypass(47733) USN-702-1 1021513 33118 http://www.samba.org/samba/security/CVE-2009-0022.html MDVSA-2009:042 ADV-2009-0017 33431 33392 33379 51152 http://master.samba.org/samba/ftp/patches/security/samba-3.2.6-CVE-2009-0022.patch NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. Note that versions 4.2.5 before 4.2.5p150 are development versions and not production versions. Development versions are not included in the CPE configuration for CVEs. TA09-133A ADV-2009-0042 [announce] 20090108 NTP 4.2.4p6 Released ADV-2009-1297 1021533 RHSA-2009:0046 http://www.ocert.org/advisories/ocert-2008-016.html http://support.apple.com/kb/HT3549 SSA:2009-014-03 35074 34642 33648 33558 33406 SUSE-SR:2009:008 SUSE-SR:2009:005 APPLE-SA-2009-05-12 BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. TA09-133A FEDORA-2009-0350 https://www.isc.org/node/373 https://issues.rpath.com/browse/RPL-2938 ADV-2009-1297 ADV-2009-0904 http://www.vmware.com/security/advisories/VMSA-2009-0004.html 20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim 20090120 rPSA-2009-0009-1 bind bind-utils http://www.openbsd.org/errata44.html#008_bind http://www.ocert.org/advisories/ocert-2008-016.html ADV-2009-0366 ADV-2009-0043 http://wiki.rpath.com/Advisories:rPSA-2009-0009 http://support.avaya.com/elmodocs2/security/ASA-2009-045.htm http://support.apple.com/kb/HT3549 250846 SSA:2009-014-02 FreeBSD-SA-09:04 35074 33882 33683 33559 33551 33546 33494 APPLE-SA-2009-05-12 http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33 Sun GridEngine 5.3 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. http://www.ocert.org/advisories/ocert-2008-016.html ADV-2009-0045 Gale 0.99 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. http://www.ocert.org/advisories/ocert-2008-016.html ADV-2009-0046 OpenEvidence 1.0.6 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. http://www.ocert.org/advisories/ocert-2008-016.html ADV-2009-0047 Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. http://www.ocert.org/advisories/ocert-2008-016.html 34029 SUSE-SR:2009:005 Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. openssl-dsa-verify-security-bypass(47837) http://www.ocert.org/advisories/ocert-2008-016.html ZXID 0.29 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. openssl-dsa-verify-security-bypass(47837) http://www.ocert.org/advisories/ocert-2008-016.html Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. FEDORA-2009-0816 https://bugzilla.redhat.com/show_bug.cgi?id=478800 ADV-2009-2193 USN-751-1 1022698 33113 RHSA-2009:1055 RHSA-2009:0331 RHSA-2009:0053 [oss-security] 20090105 CVE request: kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID ADV-2009-0029 DSA-1794 DSA-1787 DSA-1749 http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm 36191 35394 35390 35174 35011 34981 34762 34680 34394 34252 33858 33854 33674 RHSA-2009:0264 http://patchwork.ozlabs.org/patch/15024/ SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 HPSBNS02449 HPSBNS02449 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95 Multiple unspecified vulnerabilities in Intel system software for Trusted Execution Technology (TXT) allow attackers to bypass intended loader integrity protections, as demonstrated by exploitation of tboot. NOTE: as of 20090107, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. 33119 http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html http://invisiblethingslab.com/press/itl-press-2009-01.pdf http://blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Wojtczuk Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. https://bugs.freedesktop.org/show_bug.cgi?id=19377 33137 [oss-security] 20090106 Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included) Unspecified vulnerability in the nfs4rename_persistent_fh function in the NFS 4 (aka NFSv4) client in the kernel in Sun Solaris 10 and OpenSolaris before snv_102 allows local users to cause a denial of service (recursive mutex_enter and panic) via unspecified vectors. http://sunsolve.sun.com/search/document.do?assetkey=1-21-139466-02-1 solaris-nfs4client-dos(47750) 1021519 33128 ADV-2009-0030 248566 33361 [onnv-notify] 20081021 6300710 recursive mutex_enter in nfs4rename_persistent_fh() The smmsnmpd service in CA Service Metric Analysis r11.0 through r11.1 SP1 and Service Level Management 3.5 does not properly restrict access, which allows remote attackers to execute arbitrary commands via unspecified vectors. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=196148 33161 20090107 CA20090107-01: CA Service Metric Analysis and CA Service Level Management smmsnmpd Arbitrary Command Execution Vulnerability ADV-2009-0053 4887 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/07.aspx Integer signedness error in Apple Safari allows remote attackers to read the contents of arbitrary memory locations, cause a denial of service (application crash), and probably have unspecified other impact via the array index of the arguments array in a JavaScript function, possibly a related issue to CVE-2008-2307. safari-array-memory-disclosure(48214) 7673 Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a certain (a) replaceChild or (b) removeChild call, followed by a (1) queryCommandValue, (2) queryCommandState, or (3) queryCommandIndeterm call. NOTE: it was later reported that 3.0.6 and 3.0.7 are also affected. https://bugzilla.mozilla.org/show_bug.cgi?id=472507 https://bugzilla.mozilla.org/show_bug.cgi?id=456727 https://bugzilla.mozilla.org/show_bug.cgi?id=448329 33154 8219 8091 20090107 Re: Firefox 3.0.5 remote vulnerability via queryCommandState 20090107 Re: Firefox 3.0.5 remote vulnerability via queryCommandState 20090107 Firefox 3.0.5 remote vulnerability via queryCommandState Microsoft Internet Explorer 6.0 through 8.0 beta2 allows remote attackers to cause a denial of service (application crash) via an onload=screen[""] attribute value in a BODY element. ie-javascript-screen-dos(47788) 33149 http://skypher.com/index.php/2009/01/07/msie-screen-null-ptr-dos-details/ Multiple PHP remote file inclusion vulnerabilities in playSMS 0.9.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) apps_path[plug] parameter to plugin/gateway/gnokii/init.php, the (2) apps_path[themes] parameter to plugin/themes/default/init.php, and the (3) apps_path[libs] parameter to lib/function.php. 33138 7687 4888 33386 SQL injection vulnerability in index.php in EZpack 4.2b2 allows remote attackers to execute arbitrary SQL commands via the qType parameter in a webboard prog action. 33131 7680 4890 Cross-site scripting (XSS) vulnerability in index.php in EZpack 4.2b2 allows remote attackers to inject arbitrary web script or HTML via the mdfd parameter in a prog action. 33131 7680 4890 SQL injection vulnerability in profile.php in PHPAuctions (aka PHPAuctionSystem) allows remote attackers to execute arbitrary SQL commands via the user_id parameter. phpauctions-profile-sql-injection(43264) 33115 33331 51144 7672 Cross-site scripting (XSS) vulnerability in profile.php in PHPAuctions (aka PHPAuctionSystem) allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. 33115 33331 51145 7672 PHPAuctions (aka PHPAuctionSystem) allows remote attackers to bypass authentication and gain administrative access via modified (1) PHPAUCTION_RM_ID, (2) PHPAUCTION_RM_NAME, (3) PHPAUCTION_RM_USERNAME, and (4) PHPAUCTION_RM_EMAIL cookies. 33120 7674 4891 33331 51146 SQL injection vulnerability in index.php in RiotPix 0.61 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. 33132 7682 4892 33395 SQL injection vulnerability in read.php in RiotPix 0.61 and earlier allows remote attackers to execute arbitrary SQL commands via the forumid parameter. 33129 7679 4893 33395 SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. 33135 7683 4894 33393 Cross-site request forgery (CSRF) vulnerability in admin/agent_edit.asp in PollPro 3.0 allows remote attackers to create or modify accounts as administrators via the username, password, and name parameters. pollpro-unspecified-csrf(47754) 4895 33319 20090103 PollPro 3.0 XSRF VuLn Directory traversal vulnerability in attachmentlibrary.php in the XStandard component for Joomla! 1.5.8 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the X_CMS_LIBRARY_PATH HTTP header. 33143 7691 4896 33377 The sys_remap_file_pages function in mm/fremap.c in the Linux kernel before 2.6.24.1 allows local users to cause a denial of service or gain privileges via unspecified vectors, related to the vm_file structure member, and the mmap_region and do_munmap functions. 33211 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 [oss-security] 20090112 CVE-2009-0024 kernel: local privilege escalation in sys_remap_file_pages http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commit;h=8a459e44ad837018ea5c34a9efe8eb4ad27ded26 IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. Vendor Advisory: http://downloads.digium.com/pub/security/AST-2009-001.html 33174 1021549 20090108 AST-2009-001: Information leak in IAX2 authentication ADV-2009-0063 4910 GLSA-200905-01 34982 33453 http://downloads.digium.com/pub/security/AST-2009-001.html Buffer overflow in Microsoft Windows XP SP3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .chm file. 33204 7720 4912 The IBM WebSphere DataPower XML Security Gateway XS40 with firmware 3.6.1.5 allows remote attackers to cause a denial of service (device reboot) by sending data over an established SSL connection, as demonstrated by the abc\r\n\r\n string data. 1021547 33169 20090108 [IBM Datapower XS40] Denial of Service ADV-2009-0111 4911 SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 33393 The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call. FEDORA-2009-0816 https://bugzilla.redhat.com/show_bug.cgi?id=479969 33275 MDVSA-2009:135 DSA-1794 DSA-1787 DSA-1749 35011 34981 34394 33674 33477 [linux-kernel] 20090110 Re: [PATCH -v7][RFC]: mutex: implement adaptive spinning SUSE-SA:2009:010 hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and 2.8.2 on Ubuntu allows local users to change the ownership of arbitrary files via unspecified manipulations in advance of an HPLIP installation or upgrade by an administrator, related to the product's attempt to correct the ownership of its configuration files within home directories. 33249 https://launchpad.net/bugs/191299 USN-708-1 33539 Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows allows remote attackers to read arbitrary files on a client machine via vectors related to the association of Safari with the (1) feed, (2) feeds, and (3) feedsearch URL types for RSS feeds. NOTE: as of 20090114, the only disclosure is a vague pre-advisory. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. safari-rss-feed-info-disclosure(47917) 1021581 33234 33458 http://isc.sans.org/diary.html?storyid=5689 http://brian.mastenbrook.net/display/27 The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. FEDORA-2009-0543 https://bugzilla.redhat.com/show_bug.cgi?id=479650 33543 [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511509 ** DISPUTED ** NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the OpenSSL DSA_do_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: the upstream vendor has disputed this issue, stating "while we do misuse this function (this is a bug), it has absolutely no security ramification." https://bugzilla.redhat.com/show_bug.cgi?id=479655 20090120 CVE-2009-0125 (fwd) [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto SUSE-SR:2009:003 http://cvs.fedoraproject.org/viewvc/rpms/libnasl/F-10/libnasl.spec?r1=1.16&r2=1.17 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511517 The decrypt_public function in lib/crypt.cpp in the client in Berkeley Open Infrastructure for Network Computing (BOINC) 6.2.14 and 6.4.5 does not check the return value from the OpenSSL RSA_public_decrypt function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. FEDORA-2009-0578 https://bugzilla.redhat.com/show_bug.cgi?id=479664 33828 33806 [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto SUSE-SR:2009:003 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511521 http://boinc.berkeley.edu/trac/ticket/823 http://boinc.berkeley.edu/trac/changeset/16883 ** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto." https://bugzilla.redhat.com/show_bug.cgi?id=479676 [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515 plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Resource Management (aka SLURM or slurm-llnl) does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511511 libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511519 ** DISPUTED ** lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a package maintainer disputes this issue, reporting that there is a proper check within the only code that uses the applicable part of crypto_drv.c, and thus "this report is invalid." [oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511520 The UFS implementation in the kernel in Sun OpenSolaris snv_29 through snv_90 allows local users to cause a denial of service (panic) via the single posix_fallocate test in the SUSv3 POSIX test suite, related to an F_ALLOCSP fcntl call. 1021600 33267 239188 http://bugs.opensolaris.org/view_bug.do?bug_id=6711995 Integer overflow in the aio_suspend function in Sun Solaris 8 through 10 and OpenSolaris, when 32-bit mode is enabled, allows local users to cause a denial of service (panic) via a large integer value in the second argument (aka nent argument). 33188 http://sunsolve.sun.com/search/document.do?assetkey=1-21-117350-59-1 http://www.trapkit.de/advisories/TKADV2009-001.txt 1021553 ADV-2009-0099 247986 33516 Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allows context-dependent attackers to execute arbitrary code via a .hhp file with a long "Index file" field, possibly a related issue to CVE-2006-0564. 7727 4914 Insecure method vulnerability in the EasyGrid.SGCtrl.32 ActiveX control in EasyGrid.ocx 1.0.0.1 in AAA EasyGrid ActiveX 3.51 allows remote attackers to create and overwrite arbitrary files via the (1) DoSaveFile or (2) DoSaveHtmlFile method. NOTE: vector 1 could be leveraged for code execution by creating executable files in Startup folders or by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information. easygrid-activex-dosavefile-file-overwrite(47946) 33272 7779 4913 33537 Multiple integer overflows in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to execute arbitrary code via an Audible Audio (.aa) file with a large (1) nlen or (2) vlen Tag value, each of which triggers a heap-based buffer overflow. FEDORA-2009-0715 https://bugzilla.redhat.com/show_bug.cgi?id=479946 https://bugzilla.redhat.com/show_bug.cgi?id=479560 USN-739-1 1021558 33210 20090111 [TKADV2009-002] Amarok Integer Overflow and Unchecked Allocation Vulnerabilities MDVSA-2009:030 ADV-2009-0100 DSA-1706 http://websvn.kde.org/?view=rev&revision=908415 http://websvn.kde.org/?view=rev&revision=908401 http://websvn.kde.org/?view=rev&revision=908391 http://trapkit.de/advisories/TKADV2009-002.txt 4915 GLSA-200903-34 34407 34315 33819 33640 33522 33505 [oss-security] 20090114 CVE Request -- amarok SUSE-SR:2009:003 http://bugs.gentoo.org/show_bug.cgi?id=254896 http://amarok.kde.org/en/releases/2.0.1.1 Multiple array index errors in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via an Audible Audio (.aa) file with a crafted (1) nlen or (2) vlen Tag value, each of which can lead to an invalid pointer dereference, or the writing of a 0x00 byte to an arbitrary memory location, after an allocation failure. FEDORA-2009-0715 https://bugzilla.redhat.com/show_bug.cgi?id=479946 https://bugzilla.redhat.com/show_bug.cgi?id=479560 USN-739-1 1021558 33210 20090111 [TKADV2009-002] Amarok Integer Overflow and Unchecked Allocation Vulnerabilities MDVSA-2009:030 ADV-2009-0100 DSA-1706 http://websvn.kde.org/?view=rev&revision=908415 http://websvn.kde.org/?view=rev&revision=908401 http://websvn.kde.org/?view=rev&revision=908391 http://trapkit.de/advisories/TKADV2009-002.txt 4915 GLSA-200903-34 34407 34315 33819 33640 33522 33505 [oss-security] 20090114 CVE Request -- amarok SUSE-SR:2009:003 http://bugs.gentoo.org/show_bug.cgi?id=254896 http://amarok.kde.org/en/releases/2.0.1.1 PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to obtain the decryption key via unspecified vectors, related to a "logic error." 33268 ADV-2009-0140 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021593 33479 51395 PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to capture credentials by tricking a user into reading a modified or crafted e-mail message. 33268 ADV-2009-0140 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021593 33479 51396 Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to modify appliance preferences as arbitrary users via unspecified vectors. 33268 ADV-2009-0140 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021594 33479 51397 Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to execute commands and modify appliance preferences as arbitrary users via a logout action. 33268 ADV-2009-0140 20090114 IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities 1021594 33479 51398 Unspecified vulnerability in lpadmin in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to enumeration of "wrong printers," aka a "Temporary file vulnerability." http://sunsolve.sun.com/search/document.do?assetkey=1-21-139390-01-1 1021601 33269 ADV-2009-0155 http://support.avaya.com/elmodocs2/security/ASA-2009-026.htm 249306 33705 33488 oval:org.mitre.oval:def:6175 http://opensolaris.org/os/bug_reports/request_sponsor/ Unspecified vulnerability in ppdmgr in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to a failure to "include all cache files," and improper handling of temporary files. 249306 http://sunsolve.sun.com/search/document.do?assetkey=1-21-139390-01-1 solaris-ppdmgr-dos(48143) 1021601 33269 ADV-2009-0155 http://support.avaya.com/elmodocs2/security/ASA-2009-026.htm 33705 33488 oval:org.mitre.oval:def:5503 http://opensolaris.org/os/bug_reports/request_sponsor/ Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm. 33266 http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-02-1 sun-jsam-subrealm-privilege-escalation(47944) 1021604 ADV-2009-0157 249106 Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows remote authenticated users with console privileges to discover passwords, and obtain unspecified other "access to resources," by visiting the Configuration Items component in the console. 33265 242166 http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-02-1 sun-jsam-password-info-disclosure(47942) 1021605 ADV-2009-0156 The Sun SPARC Enterprise M4000 and M5000 Server, within a certain range of serial numbers, allows remote attackers to use the manufacturing root password, perform a root login to the eXtended System Control Facility Unit (aka XSCFU or Service Processor), and have unspecified other impact. 1021602 33280 ADV-2009-0207 249126 Unspecified vulnerability in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote attackers to cause a denial of service (infinite loop) via a crafted CONNECT data stream. 33258 http://www-01.ibm.com/support/docview.wss?uid=swg21363936 ibm-db2-connect-stream-dos(47931) ADV-2009-0137 IZ37696 1021591 33529 ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT Unspecified vulnerability in the server in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote authenticated users to cause a denial of service (trap) via a crafted data stream. http://www-01.ibm.com/support/docview.wss?uid=swg21363936 ibm-db2-datastream-dos(47934) 33258 ADV-2009-0137 IZ39652 1021591 33529 ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT Stack-based buffer overflow in VUPlayer 2.49 allows remote attackers to execute arbitrary code via a long .asf URI in the HREF attribute of a REF element in a .asx file. vuplayer-asx-bo(47851) 33185 7715 7714 7713 7709 4918 Heap-based buffer overflow in Heathco Software MP3 TrackMaker 1.5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in an invalid .mp3 file. mp3trackmaker-mp3-bo(47852) 33183 7708 4920 Multiple heap-based buffer overflows in the PDF distiller in the Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.1.3 through 4.1.6, BlackBerry Professional Software 4.1.4, and BlackBerry Unite! before 1.0.3 bundle 28 allow user-assisted remote attackers to execute arbitrary code via (1) a crafted stream in a .pdf file, related to "symWidths"; or (2) a crafted data stream in a .pdf file, related to "bitmaps." 33224 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 33534 20090113 RIM BlackBerry Enterprise Server Attachment Service PDF Distiller 'bitmaps' Heap Overflow Vulnerability 20090113 RIM BlackBerry Enterprise Server Attachment Service PDF Distiller 'symWidths' Heap Overflow Vulnerability vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command. http://www.vmware.com/security/advisories/VMSA-2009-0005.html ADV-2009-0024 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues [security-announce] 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues ADV-2009-0944 1021512 34373 34601 33372 51180 7647 Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 release 3.2.0 SP1 has unknown impact and attack vectors. ibm-hmc-unspecified(48010) http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4521 33293 ADV-2009-0158 33518 51432 libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other products, allows user-assisted attackers to cause a denial of service (application crash) by loading an XM file. FEDORA-2009-9112 FEDORA-2009-9095 https://bugzilla.redhat.com/show_bug.cgi?id=479833 33240 34259 [oss-security] 20090113 CVE Request -- libmikmod SUSE-SR:2009:006 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476339 Certain Fedora build scripts for nfs-utils before 1.1.2-9.fc9 on Fedora 9, and before 1.1.4-6.fc10 on Fedora 10, omit TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions, possibly a related issue to CVE-2008-1376. FEDORA-2009-0297 FEDORA-2009-0266 https://bugzilla.redhat.com/show_bug.cgi?id=477864 nfsutils-tcpwrapper-security-bypass(48058) 33294 33545 Buffer overflow in VUPlayer allows user-assisted attackers to have an unknown impact via a long file, as demonstrated by a file composed entirely of 'A' characters. vuplayer-file-bo(48169) 20090106 VUPLAYER BufferOver flow POC 4921 Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line. vuplayer-fileline-bo(48170) 7695 4923 The PDF distiller in the Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.1.3 through 4.1.6, BlackBerry Professional Software 4.1.4, and BlackBerry Unite! before 1.0.3 bundle 28 performs delete operations on uninitialized pointers, which allows user-assisted remote attackers to execute arbitrary code via a crafted data stream in a .pdf file. 1021559 33250 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 33534 20090113 RIM BlackBerry Enterprise Server Attachment Service PDF Distiller Uninitialized Memory Vulnerability Memory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a "missing kfree." USN-751-1 RHSA-2009:0360 RHSA-2009:0331 [oss-security] 20090119 CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring DSA-1794 DSA-1787 DSA-1749 http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm 35011 34981 34762 34502 34394 34252 33858 RHSA-2009:0264 51501 SUSE-SA:2009:010 http://git2.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0d54ee1c7850a954026deec4cd4885f331da35cc listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN authz file, allows remote authenticated users to read changelogs or diffs for restricted projects via a modified repname parameter. websvn-listing-information-disclosure(48171) [oss-security] 20090118 CVE request: WebSVN GLSA-200903-20 34191 32338 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512191 Stack-based buffer overflow in the process_path function in gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a denial of service (crash) via a request to the gmetad service with a long pathname. 33299 [Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port GLSA-200903-22 35416 34228 33506 SUSE-SR:2009:011 http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223 ** REJECT ** gmetad in Ganglia 3.1.1, when supporting multiple requests per connection on an interactive port, allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth. NOTE: the vendor and original researcher have disputed this issue, since legitimate requests can generate the same amount of resource consumption. CVE concurs with the dispute, so this identifier should not be used. Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted RTSP URL. TA09-022A APPLE-SA-2009-01-21 quicktime-rtspurl-bo(48154) 33385 ADV-2009-0212 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6135 Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QTVR movie file with crafted THKD atoms. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-005/ 33384 ADV-2009-0212 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:5646 51525 20090121 ZDI-09-005: Apple QuickTime VR Track Header Atom Heap Corruption Vulnerability Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via an AVI movie file with an invalid nBlockAlign value in the _WAVEFORMATEX structure. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-006/ 33387 ADV-2009-0212 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6218 51526 Buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted MP3 audio file. TA09-022A ADV-2009-0212 http://support.apple.com/kb/HT3403 APPLE-SA-2009-01-21 quicktime-mpeg2-bo(48157) 33632 oval:org.mitre.oval:def:6211 Unspecified vulnerability in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted H.263 encoded movie file that triggers memory corruption. TA09-022A APPLE-SA-2009-01-21 quicktime-h263-movie-code-execution(48158) 33386 ADV-2009-0212 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6187 Integer signedness error in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a Cinepak encoded movie file with a crafted MDAT atom that triggers a heap-based buffer overflow. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-007/ 33388 20090124 Re: ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability ADV-2009-0212 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6153 51529 20090121 ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QuickTime movie file containing invalid image width data in JPEG atoms within STSD atoms. TA09-022A APPLE-SA-2009-01-21 http://www.zerodayinitiative.com/advisories/ZDI-09-008/ 33390 ADV-2009-0212 http://support.apple.com/kb/HT3403 33632 oval:org.mitre.oval:def:6132 51530 Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp. https://issues.apache.org/jira/browse/JCR-1925 jackrabbit-search-swr-xss(48110) 33360 20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released ADV-2009-0177 http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt 4942 33576 A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. RHSA-2009:0057 https://bugzilla.redhat.com/show_bug.cgi?id=480488 https://bugzilla.redhat.com/show_bug.cgi?id=480224 squirrelmail-sessionid-session-hijacking(48115) 33354 1021611 33611 SUSE-SR:2009:004 Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2) inserting DVD media, (3) connecting a USB device, and (4) connecting a Firewire device; (5) allows user-assisted remote attackers to execute arbitrary code by mapping a network drive; and allows user-assisted attackers to execute arbitrary code by clicking on (6) an icon under My Computer\Devices with Removable Storage and (7) an option in an AutoPlay dialog, related to the Autorun.inf file. NOTE: vectors 1 and 3 on Vista are already covered by CVE-2008-0951. TA09-020A 1021629 http://isc.sans.org/diary.html?storyid=5695 Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder. per: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html "Non vulnerable products: Windows Mobile devices 5.0 and 6 not using Microsoft Bluetooth Stack (for example: ASUS P525, ASUS P535, ... using Widcomm/Broadcom Bluetooth Stack)" winmobile-obexftp-directory-traversal(48124) http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html 33359 20090119 Microsoft Bluetooth Stack OBEX Directory Traversal 4938 33598 Cross-site scripting (XSS) vulnerability in Usagi Project MyNETS 1.2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2008-4629. http://usagi-project.org/PRESS/archives/57 33145 33409 JVNDB-2009-000001 JVN#36802959 Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted attackers to execute arbitrary code via an invalid Radiance RGBE (aka .hdr) file. easyhdrpro-hdr-bo(48119) 33363 20090120 Secunia Research: EasyHDR Pro Radiance RGBE Buffer Overflow ADV-2009-0190 4941 http://secunia.com/secunia_research/2008-61/ 33468 51609 http://easyhdr.com/version.php The server for 53KF Web IM 2009 Home, Professional, and Enterprise editions relies on client-side protection mechanisms against cross-site scripting (XSS), which allows remote attackers to conduct XSS attacks by using a modified client to send a crafted IM message, related to the msg variable. 53kfwebim-msg-xss(48096) 33341 20090119 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities Cross-site scripting (XSS) vulnerability in rankup.asp in Katy Whitton RankEm allows remote attackers to inject arbitrary web script or HTML via the siteID parameter. rankem-siteid-xss(48072) rankem-rankup-xss(48071) 33324 7805 Katy Whitton RankEm stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for database/topsites.mdb. rankem-topsites-information-disclosure(48070) 7805 Ryneezy phoSheezy 0.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the file containing the administrator's password hash via a direct request for config/password. phosheezy-configpassword-info-disclosure(48056) 7780 4935 33531 51411 Static code injection vulnerability in admin.php in Ryneezy phoSheezy 0.2 allows remote authenticated administrators to inject arbitrary PHP code into config/footer via the footer parameter. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2009-0250. NOTE: some of these details are obtained from third party information. 7780 4935 33531 51412 Multiple SQL injection vulnerabilities in default.asp in Enthrallweb eReservations allow remote attackers to execute arbitrary SQL commands via the (1) Login parameter (aka username field) or the (2) Password parameter (aka password field). NOTE: some of these details are obtained from third party information. ereservations-login-sql-injection(48062) 33321 7801 33578 51456 Unspecified vulnerability in Apple QuickTime MPEG-2 Playback Component before 7.60.92.0 on Windows allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted MPEG-2 movie. per http://lists.apple.com/archives/security-announce//2009/Jan/msg00001.html "This issue does not affect systems running Mac OS X." quicktime-mpeg2playback-code-execution(48162) 1021621 33393 ADV-2009-0211 http://support.apple.com/kb/HT3404 33642 oval:org.mitre.oval:def:5974 APPLE-SA-2009-01-21 The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager 5.x before 5.1(3e) and 6.x before 6.1(3) allows remote attackers to cause a denial of service (voice service outage) by sending malformed input over a TCP session in which the "client terminates prematurely." cucm-capf-dos-var1(48139) 1021620 33379 ADV-2009-0213 20090121 Cisco Unified Communications Manager CAPF Denial of Service Vulnerability 33588 Mozilla Firefox 3.0.5 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Status Bar Obfuscation" and "Clickjacking" attack. firefox-onclickaction-click-hijacking(48212) 7842 4936 Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted attackers to execute arbitrary code via an invalid Flexible Image Transport System (FITS) file. NOTE: some of these details are obtained from third party information. 33363 ADV-2009-0190 33468 51608 http://easyhdr.com/version.php The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key. typo3-installtool-weak-security(48132) 33376 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication. typo3-library-session-hijacking(48133) 33376 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) content of indexed files to the (a) Indexed Search Engine (indexed_search) system extension; (b) unspecified test scripts in the ADOdb system extension; and (c) unspecified vectors in the Workspace module. typo3-adodb-xss(48137) typo3-workspace-xss(48136) typo3-indexedsearchengine-xss(48135) typo3-library-session-hijacking(48133) 33376 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer. typo3-indexedsearch-command-execution(48138) 33376 [oss-security] 20090123 Re: CVE id request: typo3 SA-2009-001 DSA-1711 http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/ 33679 33617 The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar issue to CVE-2008-4841. openoffice-wordprocessor-code-execution(48213) 33383 [oss-security] 20090121 CVE Request -- openoffice.org (CVE-2008-4841) 6560 http://milw0rm.com/sploits/2008-crash.doc.rar Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers to inject arbitrary web script or HTML via an AttachFile action to the WikiSandBox component with (1) the rename parameter or (2) the drawing parameter (aka the basename variable). 33365 moinmoin-attachfilepy-xss(48126) USN-716-1 20090120 MoinMoin Wiki Engine XSS Vulnerability ADV-2009-0195 33755 33716 33593 51485 http://moinmo.in/SecurityFixes#moin1.8.1 DSA-1715 http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1 Stack-based buffer overflow in EffectMatrix Total Video Player 1.31 allows user-assisted attackers to execute arbitrary code via a Skins\DefaultSkin\DefaultSkin.ini file with a large ColumnHeaderSpan value. totalvideoplayer-defaultskin-bo(48140) 33373 7839 Stack-based buffer overflow in Triologic Media Player 7 and 8.0.0.0 allows user-assisted remote attackers to execute arbitrary code via a long string in a .m3u playlist file. NOTE: some of these details are obtained from third party information. 33221 ADV-2009-0097 33496 7737 Multiple buffer overflows in Winamp 5.541 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a large Common Chunk (COMM) header value in an AIFF file and (2) a large invalid value in an MP3 file. 33226 ADV-2009-0113 33478 7742 Buffer overflow in the Registry Setting Tool in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier has unknown impact and attack vectors. http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html systemcast-registrytool-bo(48315) 33644 Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. https://www.isc.org/node/373 MDVSA-2009:037 ADV-2009-0043 SSA:2009-014-02 33559 http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/49ef622c8329fd33 Stack-based buffer overflow in Triologic Media Player 8.0.0.0 allows user-assisted remote attackers to execute arbitrary code via a long string in a .m3l playlist file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 33496 libike in Sun Solaris 9 and 10, and OpenSolaris before snv_100, does not properly check packets, which allows remote attackers to cause a denial of service (in.iked daemon crash) via an unspecified IKE packet, a different vulnerability than CVE-2007-2989. 33407 247406 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113451-15-1 sun-solaris-libike-dos(48178) http://support.avaya.com/elmodocs2/security/ASA-2009-032.htm 33702 oval:org.mitre.oval:def:6116 Race condition in the pseudo-terminal (aka pty) driver module in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows local users to cause a denial of service (panic) via unspecified vectors related to lack of "properly sequenced code" in ptc and ptsl. 33406 249586 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113685-07-1 solaris-pseudo-terminal-dos(48179) 1021640 http://support.avaya.com/elmodocs2/security/ASA-2009-034.htm 33708 oval:org.mitre.oval:def:6061 fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index. 33412 [ecryptfs-devel] 20081222 Re: [PATCH, v5] eCryptfs: check readlink result was not an error before using it [ecryptfs-devel] 20081222 Re: [PATCH, v5] eCryptfs: check readlink result was not an error before using it linux-kernel-readlink-bo(48188) USN-751-1 RHSA-2009:0360 RHSA-2009:0326 MDVSA-2009:118 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.1 DSA-1787 DSA-1749 35394 35390 34981 34502 34394 33758 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=a17d5232de7b53d34229de79ec22f4bb04adb7e4 Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to execute arbitrary code via a large PXE protocol request in a UDP packet. http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html http://www.wintercore.com/advisories/advisory_W010109.html 33342 20090119 [Wintercore Research ] Fujitsu SystemcastWizard Lite PXEService Remote Buffer Overflow. ADV-2009-0176 33594 51486 Directory traversal vulnerability in the TFTP service in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors. 33344 http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html ADV-2009-0176 33594 51487 Static code injection vulnerability in admin.php in Ryneezy phoSheezy 0.2 allows remote authenticated administrators to inject arbitrary PHP code into config/header via the header parameter. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2009-0250. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 51412 33531 Unspecified vulnerability in the kernel in OpenSolaris snv_100 through snv_102 on the Sun UltraSPARC T2 and T2+ sun4v platforms allows local users to cause a denial of service (panic) via unknown vectors. 250066 solaris-ultrasparct2-dos(48164) 33398 ADV-2009-0209 Sun Java System Application Server (AS) 8.1 and 8.2 allows remote attackers to read the Web Application configuration files in the (1) WEB-INF or (2) META-INF directory via a malformed request. 245446 http://sunsolve.sun.com/search/document.do?assetkey=1-21-119166-35-1 javasystem-webinf-metainf-info-disclosure(48161) 33397 ADV-2009-0208 33725 51604 SQL injection vulnerability in comentar.php in Pardal CMS 0.2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. pardalcms-comentar-sql-injection(48175) 33404 7851 Asp Project Management 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the crypt cookie to 1. aspproject-cookie-security-bypass(48172) 33401 20090122 Asp-project Cookie Handling 7850 SQL injection vulnerability in login.aspx in WarHound Walking Club allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. walkingclub-login-sql-injection(48061) 33317 7802 Integer overflow in Ralink Technology USB wireless adapter (RT73) 3.08 for Windows, and other wireless card drivers including rt2400, rt2500, rt2570, and rt61, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Probe Request packet with a long SSID, possibly related to an integer signedness error. 33340 20090118 Ralinktech wireless cards drivers vulnerability DSA-1714 DSA-1713 DSA-1712 GLSA-200907-08 35743 33699 33592 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512995 Cross-site scripting (XSS) vulnerability in err.asp in Oblog allows remote attackers to inject arbitrary web script or HTML via the message parameter. 33416 20090124 Re: Oblog XSS valnerability 20090123 Oblog XSS valnerability SQL injection vulnerability in category.php in Flax Article Manager 1.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 33422 7862 http://www.flaxweb.com/products/articles 33625 Cross-site scripting (XSS) vulnerability in error.asp in BBSXP 5.13 and earlier allows remote attackers to inject arbitrary web script or HTML via the message parameter. bbsxp-error-xss(48187) 33411 20090123 BBSxp Xss vulnerability Directory traversal vulnerability in upgrade/index.php in OpenGoo 1.1, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the form_data[script_class] parameter. 33421 7863 51635 SQL injection vulnerability in lib/patUser.php in KEEP Toolkit before 2.5.1 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password. 33425 http://sourceforge.net/project/shownotes.php?release_id=655845&group_id=227492 33652 51623 http://keeptoolkit.svn.sourceforge.net/viewvc/keeptoolkit?view=rev&revision=56 Directory traversal vulnerability in k23productions TFTPUtil GUI 1.2.0 and 1.3.0 allows remote attackers to read arbitrary files outside the TFTP root directory via directory traversal sequences in a GET request. 33287 http://sourceforge.net/forum/forum.php?forum_id=894598 tftputil-tftpget-directory-traversal(48019) 20090115 TFTPUtil GUI TFTP Directory Traversal http://www.princeofnigeria.org/blogs/index.php/2009/01/14/tftputil-gui-tftp-directory-traversal 33561 k23productions TFTPUtil GUI 1.2.0 and 1.3.0 allows remote attackers to cause a denial of service (service crash) via a long filename in a crafted request. 33289 http://sourceforge.net/forum/forum.php?forum_id=894598 20090115 TFTPUtil GUI TFTP Server Denial of Service Vulnerability http://www.princeofnigeria.org/blogs/index.php/2009/01/14/tftputil-gui-tftp-server-denial-of-servi?blog=1 Directory traversal vulnerability in common.php in SIR GNUBoard 4.31.03 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the g4_path parameter. NOTE: in some environments, this can be leveraged for remote code execution via a data: URI or a UNC share pathname. gnuboard-common-file-include(48015) 33304 7792 33564 CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file. cups-pdflog-symlink(48210) 33418 MDVSA-2009:029 MDVSA-2009:028 MDVSA-2009:027 1021637 Directory traversal vulnerability in fc.php in OpenX 2.6.3 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the MAX_type parameter. 33458 20090127 OpenX 2.6.3 - Local File Inclusion 7883 SQL injection vulnerability in show_cat2.php in SHOP-INET 4 allows remote attackers to execute arbitrary SQL commands via the grid parameter. 7874 33660 51615 SQL injection vulnerability in profile_view.php in Wazzum Dating Software, possibly 2.0, allows remote attackers to execute arbitrary SQL commands via the userid parameter. 33461 7877 33654 51625 Multiple PHP remote file inclusion vulnerabilities in WB News 2.0.1, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the config[installdir] parameter to (1) search.php, (2) archive.php, (3) comments.php, and (4) news.php; (5) News.php, (6) SendFriend.php, (7) Archive.php, and (8) Comments.php in base/; and possibly other components, different vectors than CVE-2007-1288. 33434 20090125 WB News v2.0.X Remote File include .. 33691 SQL injection vulnerability in index.php in Information Technology Light Poll Information (ITLPoll) 2.7 Stable 2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. 33452 7867 33666 51616 SQL injection vulnerability in shop_display_products.php in Script Toko Online 5.01 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 7873 33661 51630 SQL injection vulnerability in login_check.asp in ClickAuction allows remote attackers to execute arbitrary SQL commands via the (1) txtEmail and (2) txtPassword parameters. NOTE: some of these details are obtained from third party information. 7880 33647 51626 Heap-based buffer overflow in MW6 Technologies Barcode ActiveX control (Barcode.MW6Barcode.1, Barcode.dll) 3.0.0.1 allows remote attackers to execute arbitrary code via a long Supplement property. 33451 7869 33663 SQL injection vulnerability in index.php in Groone GLinks 2.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter. 33460 9236 7878 33649 51628 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-2636. Reason: This candidate is a duplicate of CVE-2006-2636. Notes: All CVE users should reference CVE-2006-2636 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple insecure method vulnerabilities in the FlexCell.Grid ActiveX control (FlexCell.ocx) in FlexCell Grid Control 5.6.9 allow remote attackers to create and overwrite arbitrary files via the (1) SaveFile and (2) ExportToXML methods. 33453 7868 33664 SQL injection vulnerability in the Downloads 8.0 module for PHP-Nuke, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the url parameter in the Add operation to modules.php. downloads-module-sql-injection(48186) 33410 20090123 PHP-Nuke 8.0 Downloads Blind Sql Injection 51633 Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.18 allows remote attackers to inject arbitrary web script or HTML via vectors related to "encoded JavaScript" and Helpdesk.woa. 33429 http://updates.webhelpdesk.com/weblog/updates/StableReleases/2009/01/23/911812309.html 33651 The kernel in Sun Solaris 10 and 11 snv_101b, and OpenSolaris before snv_108, allows remote attackers to cause a denial of service (system crash) via a crafted IPv6 packet, related to an "insufficient validation security vulnerability," as demonstrated by SunOSipv6.c. sun-solaris-ipv6packets-dos(48208) 33435 7865 ADV-2009-0232 251006 1021635 33605 20090126 Solaris Devs Are Smoking Pot The Backbone service (ftbackbone.exe) in EMC AutoStart before 5.3 SP2 allows remote attackers to execute arbitrary code via a packet with a crafted value that is dereferenced as a function pointer. http://zerodayinitiative.com/advisories/ZDI-09-009/ autostart-backbone-code-execution(48197) 1021636 33415 20090123 ZDI-09-009: EMC AutoStart Backbone Engine Trusted Pointer Code Execution Vulnerability 33667 51566 Multiple unspecified vulnerabilities in the Arclib library (arclib.dll) before 7.3.0.15 in the CA Anti-Virus engine for CA Anti-Virus for the Enterprise 7.1, r8, and r8.1; Anti-Virus 2007 v8 and 2008; Internet Security Suite 2007 v3 and 2008; and other CA products allow remote attackers to bypass virus detection via a malformed archive file. ca-antivirus-engine-security-bypass(48261) 1021639 33464 20090127 CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities ADV-2009-0270 http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197601 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/26/ca20090126-01-ca-anti-virus-engine-detection-evasion-multiple-vulnerabilities.aspx Cross-site scripting (XSS) vulnerability in the antispam feature (security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote attackers to inject arbitrary web script or HTML via crafted, disallowed content. moinmoin-antispam-xss(48306) USN-716-1 [oss-security] 20090127 CVE Request: MoinMoin 33755 33716 51632 http://moinmo.in/SecurityFixes#moin1.8.1 DSA-1715 http://hg.moinmo.in/moin/1.8/rev/89b91bf87dad http://hg.moinmo.in/moin/1.7/rev/89b91bf87dad winetricks before 20081223 allows local users to overwrite arbitrary files via a symlink attack on the x_showmenu.txt temporary file. winetricks-xshowmenu-symlink(48320) 33474 51619 SUSE-SR:2009:004 http://code.google.com/p/winezeug/source/detail?r=253 Untrusted search path vulnerability in the Python module in gedit allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). FEDORA-2009-1189 https://bugzilla.redhat.com/show_bug.cgi?id=481556 gedit-pysyssetargv-privilege-escalation(48271) 33445 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) GLSA-200903-41 34522 33769 33759 http://bugzilla.gnome.org/show_bug.cgi?id=569214 Untrusted search path vulnerability in the Python module in xchat allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). https://bugzilla.redhat.com/show_bug.cgi?id=481560 33444 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) MDVSA-2009:059 Untrusted search path vulnerability in src/if_python.c in the Python interface in Vim before 7.2.045 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983), as demonstrated by an erroneous search path for plugin/bike.vim in bicyclerepair. https://svn.pardus.org.tr/pardus/2008/applications/editors/vim/files/official/7.2.045 https://bugzilla.redhat.com/show_bug.cgi?id=481565 vim-pysyssetargv-privilege-escalation(48275) 33447 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) [debian-bugs-rc] 20080805 Bug#484305: bicyclerepair: bike.vim imports untrusted python files from cwd MDVSA-2009:047 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484305 Untrusted search path vulnerability in the Python language bindings for Nautilus (nautilus-python) allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). https://bugzilla.redhat.com/show_bug.cgi?id=481570 33442 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) Untrusted search path vulnerability in the GObject Python interpreter wrapper in Gnumeric allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). FEDORA-2009-1295 https://bugzilla.redhat.com/show_bug.cgi?id=481572 33438 [oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) MDVSA-2009:043 GLSA-200904-03 33823 33707 http://bugzilla.gnome.org/show_bug.cgi?id=569648 Unspecified vulnerability in the autofs module in the kernel in Sun Solaris 8 through 10, and OpenSolaris before snv_108, allows local users to cause a denial of service (autofs mount outage) or possibly gain privileges via vectors related to "xdr processing problems." 249966 http://sunsolve.sun.com/search/document.do?assetkey=1-21-128624-09-1 solaris-autofs-code-execution(48234) 1021644 33459 ADV-2009-0363 ADV-2009-0256 http://support.avaya.com/elmodocs2/security/ASA-2009-041.htm 33665 oval:org.mitre.oval:def:5977 Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a "benchmarking attack." 33440 20090124 Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200 Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote attackers to cause a denial of service (infinite loop or access violation) via a link to an http URI in which the authority (aka hostname) portion is either a (1) . (dot) or (2) .. (dot dot) sequence. safari-httpuri-dos(48284) 33481 oval:org.mitre.oval:def:6091 http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/. 33428 USN-751-1 RHSA-2009:0360 RHSA-2009:0331 RHSA-2009:0326 DSA-1794 DSA-1787 DSA-1749 http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm 35394 35390 35011 34981 34762 34680 34502 34394 34252 33758 33656 SUSE-SA:2009:031 SUSE-SA:2009:030 SUSE-SA:2009:010 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.2 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.13 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=81156928f8fe31621e467490b9d441c0285998c3 Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an "HTML GI" in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005. amaya-html-tags-bo(48325) 20090128 CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities 7902 http://www.coresecurity.com/content/amaya-buffer-overflows Multiple SQL injection vulnerabilities in BibCiter 1.4 allow remote attackers to execute arbitrary SQL commands via the (1) idp parameter to reports/projects.php, the (2) idc parameter to reports/contacts.php, and the (3) idu parameter to reports/users.php. bibciter-projects-sql-injection(48080) 33329 7814 33555 http://bibciter.sourceforge.net/?p=35 Directory traversal vulnerability in entries/index.php in Ninja Blog 4.8, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the cat parameter. https://www.push55.co.uk/poclibrary/ninjadesignscouk-1.txt 33351 http://www.push55.co.uk/index.php?s=ad&id=6 7831 33573 SQL injection vulnerability in login.php in Dark Age CMS 0.2c beta allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. darkagecms-login-sql-injection(48095) 33271 SQL injection vulnerability in readbible.php in Free Bible Search PHP Script 1.0 allows remote attackers to execute arbitrary SQL commands via the version parameter. http://www.seraphimtech.net/repository/Changes.txt 33301 7798 33595 http://freshmeat.net/projects/freebiblesearch/?branch_id=77256&release_id=292446 ROBS-PROJECTS Digital Sales IPN (aka DS-IPN.NET or DS-IPN Paypal Shop) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request for Database/Sales.mdb. digitalsales-sales-information-disclosure(48082) 7816 33602 SQL injection vulnerability in the PcCookBook (com_pccookbook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the recipe_id parameter in a viewrecipe action to index.php, a different vector than CVE-2008-0844. pccookbook-recipeid-sql-injection(48088) 33346 7824 Directory traversal vulnerability in index.php in Simple Content Management System (SCMS) 1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the p parameter. scms-index-file-include(48081) 33330 7818 33608 Directory traversal vulnerability in gallery/comment.php in Enhanced Simple PHP Gallery (ESPG) 1.72 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. NOTE: the vulnerability may be in my little homepage Comment script. If so, then this should not be treated as a vulnerability in ESPG. espg-comment-directory-traversal(48087) 33335 7819 Multiple SQL injection vulnerabilities in AV Book Library before 1.1 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/edit.php, (2) admin/add.php, (3) lib/book_search.php, and possibly other components. avbook-edit-sql-injection(48084) http://sourceforge.net/tracker/index.php?func=detail&aid=2219743&group_id=209711&atid=1010816 http://sourceforge.net/project/shownotes.php?release_id=654214 33583 SQL injection vulnerability in the WebAmoeba (WA) Ticket System (com_waticketsystem) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a category action to index.php. 33353 33577 7833 SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allows remote attackers to execute arbitrary SQL commands via the day parameter in an archive action. blogit-index-sql-injection(48074) 33325 7806 33572 Cross-site scripting (XSS) vulnerability in index.asp in Katy Whitton BlogIt! allows remote attackers to inject arbitrary web script or HTML via the view parameter. blogit-index-xss(48073) 33325 7806 33572 Katy Whitton BlogIt! stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request for database/Blog.mdb. NOTE: some of these details are obtained from third party information. blogit-blog-information-disclosure(48075) 7806 SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 7806 33572 Cross-site scripting (XSS) vulnerability in inc_webblogmanager.asp in DMXReady Blog Manager allows remote attackers to inject arbitrary web script or HTML via the CategoryID parameter in a refer action. blogmanager-incwebblogmanager-xss(48053) 33314 20090116 DMXReady Blog Manager (SQL/XSS) 33601 http://dmxready.helpserve.com/index.php?_m=news&_a=viewnews&newsid=12 SQL injection vulnerability in inc_webblogmanager.asp in DMXReady Blog Manager allows remote attackers to execute arbitrary SQL commands via the itemID parameter in a view action. blogmanager-incwebblogmanager-sql-injection(48054) 33314 20090116 DMXReady Blog Manager (SQL/XSS) 33601 http://dmxready.helpserve.com/index.php?_m=news&_a=viewnews&newsid=12 Multiple directory traversal vulnerabilities in Simple PHP Newsletter 1.5 allow remote attackers to read arbitrary files via a .. (dot dot) in the olang parameter to (1) mail.php and (2) mailbar.php. simplephpnewsletter-mail-file-include(48089) 33327 7813 The shell32 module in Microsoft Internet Explorer 7.0 on Windows XP SP3 might allow remote attackers to execute arbitrary code via a long VALUE attribute in an INPUT element, possibly related to a stack consumption vulnerability. 33494 20090128 Internet explorer 7.0 stack overflow Niels Provos Systrace before 1.6f on the x86_64 Linux platform allows local users to bypass intended access restrictions by making a 64-bit syscall with a syscall number that corresponds to a policy-compliant 32-bit syscall. 33417 20090123 Problems with syscall filtering technologies on Linux http://www.citi.umich.edu/u/provos/systrace/ http://scarybeastsecurity.blogspot.com/2009/01/bypassing-syscall-filtering.html http://scary.beasts.org/security/CESA-2009-001.html Niels Provos Systrace 1.6f and earlier on the x86_64 Linux platform allows local users to bypass intended access restrictions by making a 32-bit syscall with a syscall number that corresponds to a policy-compliant 64-bit syscall, related to race conditions that occur in monitoring 64-bit processes. 33417 20090123 Problems with syscall filtering technologies on Linux http://www.citi.umich.edu/u/provos/systrace/ http://scarybeastsecurity.blogspot.com/2009/01/bypassing-syscall-filtering.html http://scary.beasts.org/security/CESA-2009-001.html Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on the Sun Fire X2100 M2 and X2200 M2 x86 platforms before SP/BMC firmware 3.20 allows remote atta