Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Apache
There are 2,385 matching records.
Displaying matches 2,161 through 2,180.
Vuln ID Summary CVSS Severity
CVE-2006-3918

http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.

Published: July 27, 2006; 8:04:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2006-3835

Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.

Published: July 25, 2006; 9:22:00 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2006-3362

Unrestricted file upload vulnerability in connectors/php/connector.php in FCKeditor mcpuk file manager, as used in (1) Geeklog 1.4.0 through 1.4.0sr3, (2) toendaCMS 1.0.0 Shizouka Stable and earlier, (3) WeBid 0.5.4, and possibly other products, when installed on Apache with mod_mime, allows remote attackers to upload and execute arbitrary PHP code via a filename with a .php extension and a trailing extension that is allowed, such as .zip.

Published: July 06, 2006; 4:05:00 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2006-3102

Race condition in articles/BitArticle.php in Bitweaver 1.3, when run on Apache with the mod_mime extension, allows remote attackers to execute arbitrary PHP code by uploading arbitrary files with double extensions, which are stored for a small period of time under the webroot in the temp/articles directory.

Published: June 20, 2006; 9:02:00 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2006-3070

write_ok.php in Zeroboard 4.1 pl8, when installed on Apache with mod_mime, allows remote attackers to bypass restrictions for uploading files with executable extensions by uploading a .htaccess file that with an AddType directive that assigns an executable module to files with assumed-safe extensions, as demonstrated by assigning the txt extension to be handled by application/x-httpd-php.

Published: June 19, 2006; 6:02:00 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2006-2447

SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.

Published: June 06, 2006; 5:06:00 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2006-2831

Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.

Published: June 05, 2006; 8:02:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2006-2806

The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command.

Published: June 05, 2006; 1:02:00 PM -0400
V3.x:(not available)
V2.0: 7.8 HIGH
CVE-2006-2743

Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.

Published: June 01, 2006; 6:02:00 AM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2006-2514

Coppermine galleries before 1.4.6, when running on Apache with mod_mime installed, allows remote attackers to upload arbitrary files via a filename with multiple file extensions.

Published: May 22, 2006; 6:02:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2006-2330

PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.

Published: May 11, 2006; 8:02:00 PM -0400
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2006-1777

Directory traversal vulnerability in doc/index.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the s parameter, as demonstrated by injecting PHP sequences into an Apache error_log file, which is then included by doc/index.php.

Published: April 13, 2006; 6:02:00 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2006-1564

Untrusted search path vulnerability in libapache2-svn 1.3.0-4 for Subversion in Debian GNU/Linux includes RPATH values under the /tmp/svn directory for the (1) mod_authz_svn.so and (2) mod_dav_svn.so modules, which might allow local users to gain privileges by installing malicious libraries in that directory.

Published: March 31, 2006; 6:06:00 AM -0500
V3.x:(not available)
V2.0: 4.6 MEDIUM
CVE-2006-1546

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.

Published: March 30, 2006; 5:02:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2006-1547

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

Published: March 30, 2006; 5:02:00 PM -0500
V3.x:(not available)
V2.0: 7.8 HIGH
CVE-2006-1548

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

Published: March 30, 2006; 5:02:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2006-1393

Multiple cross-site scripting (XSS) vulnerabilities in the mod_pubcookie Apache application server module in University of Washington Pubcookie 1.x, 3.0.0, 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified attack vectors.

Published: March 26, 2006; 6:06:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2006-1346

Directory traversal vulnerability in inc/setLang.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a lang[*][file] parameter, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by index.php.

Published: March 21, 2006; 8:02:00 PM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2006-1292

Directory traversal vulnerability in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by day.php.

Published: March 19, 2006; 6:02:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2006-1243

Directory traversal vulnerability in install05.php in Simple PHP Blog (SPB) 0.4.7.1 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the blog_language parameter, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included using install05.php.

Published: March 15, 2006; 12:06:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH