
Bulletin (SB07-078)

Vulnerability Summary for the Week of March 12, 2007

Original Release date: Mar 19, 2007 | Last revised: -

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Apple -- Mac OS X Server
Apple -- Mac OS X
Stack-based buffer overflow in the Apple-specific Samba module (SMB File Server) in Apple Mac OS X 10.4 through 10.4.8 allows context-dependent attackers to execute arbitrary code via a long ACL.
unknown
2007-03-13
8.0
CVE-2007-0731
APPLE
Apple -- ImageIO
Unspecified vulnerability in ImageIO in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted RAW image that triggers memory corruption.
unknown
2007-03-13
8.0
CVE-2007-0733
APPLE
betaparticle -- betaparticle blog
SQL injection vulnerability in the theme preview feature for default.asp in BP Blog 7.0 through 7.0.2 allows remote attackers to execute arbitrary SQL commands via the layout parameter.
unknown
2007-03-13
7.0
CVE-2007-1445
MILW0RM
OTHER-REF
FRSIRT
SECUNIA
Bitesser -- MySQL Commander
PHP remote file inclusion vulnerability in ressourcen/dbopen.php in bitesser MySQL Commander 2.7 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the home parameter.
unknown
2007-03-13
8.0
CVE-2007-1439
BUGTRAQ
MILW0RM
OTHER-REF
BID
CARE2X -- CARE2X
Multiple PHP remote file inclusion vulnerabilities in CARE2X 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) inc_checkdate_lang.php, (2) inc_charset_fx.php, (3) inc_config_color.php, (4) inc_currency_set.php, (5) inc_db_makelink.php, (6) inc_diagnostics_report_fx.php, (7) inc_environment_global.php, (8) inc_front_chain_lang.php, (9) inc_init_crypt.php, (10) inc_load_copyrite.php, or (11) inc_news_save.php in include/; (12) diagnostics-report-index.php, (13) config_options_mascot.php, (14) barcode-labels.php, (15) chg-color.php, or (16) config_options_gui_template.php in main/; or unspecified other files.
unknown
2007-03-14
10.0
CVE-2007-1458
OTHER-REF
BID
Christian Scheurer -- URARFileLib
Christian Scheurer -- unrarlib
Buffer overflow in the urarlib_get function in Christian Scheurer UniquE RAR File Library (unrarlib, aka URARFileLib) 0.4 allows context-dependent attackers to execute arbitrary code via unspecified vectors in applications linked with this library. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-14
10.0
CVE-2007-1457
BID
Clip-Share -- ClipShare
PHP remote file inclusion vulnerability in include/adodb-connection.inc.php in ClipShare 1.5.3 allows remote attackers to execute arbitrary PHP code via a URL in the cmd parameter.
unknown
2007-03-12
7.0
CVE-2007-1430
BUGTRAQ
Coppermine -- Coppermine Photo Gallery
Multiple PHP remote file inclusion vulnerabilities in Coppermine Photo Gallery (CPG) allow remote attackers to execute arbitrary PHP code via a URL in the (1) cmd parameter to (a) image_processor.php or (b) picmgmt.inc.php, or the (2) path parameter to (c) include/functions.php, (d) include/plugin_api.inc.php, (e) index.php, or (f) pluginmgr.php.
unknown
2007-03-12
10.0
CVE-2007-1414
BUGTRAQ
BID
XF
D-Link -- TFTP Server
Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to cause a denial of service (crash) via a long (1) GET or (2) PUT request, which triggers memory corruption. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-13
10.0
CVE-2007-1435
BID
SECUNIA
Duyuru Scripti -- Duyuru Scripti
SQL injection vulnerability in goster.asp in fystyq Duyuru Scripti allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-0688.
unknown
2007-03-12
7.0
CVE-2007-1422
BUGTRAQ
BID
Dynaliens -- Dynaliens
dynaliens 2.0 and 2.1 allows remote attackers to bypass authentication and perform certain privileged actions via a direct request for (1) validlien.php3, (2) supprlien.php3, (3) supprub.php3, (4) validlien.php3, (5) confsuppr.php3, (6) modiflien.php3, or (7) confmodif.php3 in admin/.
unknown
2007-03-10
7.0
CVE-2007-1389
BUGTRAQ
OTHER-REF
BID
Edgewall Software -- Trac
Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors.
unknown
2007-03-10
7.0
CVE-2007-1406
OTHER-REF
Fish -- Fish
Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) decrypt_topic_332 functions in FiSH allow remote attackers to execute arbitrary code via long strings.
unknown
2007-03-10
10.0
CVE-2007-1397
OTHER-REF
BID
Flat Chat -- Flat Chat
Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information.
unknown
2007-03-10
10.0
CVE-2007-1394
MILW0RM
BID
FRSIRT
SECUNIA
GaziYapBoz -- Game Portal
SQL injection vulnerability in kategori.asp in GaziYapBoz Game Portal allows remote attackers to execute arbitrary SQL commands via the kategori parameter.
unknown
2007-03-10
7.0
CVE-2007-1410
MILW0RM
BID
FRSIRT
Geo Soft -- Magic CMS
PHP remote file inclusion vulnerability in mysave.php in Magic CMS 4.2.747 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.
unknown
2007-03-10
10.0
CVE-2007-1393
MILW0RM
BID
FRSIRT
GNOME -- Ekiga
Format string vulnerability in Ekiga 2.0.3, and probably other versions, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2007-1006.
unknown
2007-03-10
8.0
CVE-2007-0999
MANDRIVA
UBUNTU
Grayscale -- Grayscale Blog
Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to gain privileges via direct requests with modified arguments in (1) the user_permissions parameter to add_users.php, and unspecified parameters to (2) addblog.php, (3) editblog.php, (4) editlinks.php, (5) edit_users.php, and (6) add_links.php.
unknown
2007-03-13
7.0
CVE-2007-1432
BUGTRAQ
BID
FRSIRT
Grayscale -- Grayscale Blog
SQL injection vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) userdetail.php, id and (2) url parameter to (b) jump.php, and id variable to (c) detail.php.
unknown
2007-03-13
7.0
CVE-2007-1434
BUGTRAQ
BID
FRSIRT
HC Design -- NewsSystem
SQL injection vulnerability in index.php in HC NEWSSYSTEM 1.0-4 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a komm aktion.
unknown
2007-03-12
7.0
CVE-2007-1417
BUGTRAQ
BID
JCcorp -- URLshrink
PHP remote file inclusion vulnerability in createurl.php in JCcorp (aka James Coyle) URLshrink allows remote attackers to execute arbitrary PHP code via a URL in the formurl parameter.
unknown
2007-03-12
10.0
CVE-2007-1416
BUGTRAQ
BID
JGBBS -- JGBBS
SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 allows remote attackers to execute arbitrary SQL commands via the author parameter.
unknown
2007-03-13
7.0
CVE-2007-1440
BUGTRAQ
MILW0RM
BID
Joris Guisson -- KTorrent
chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to cause a denial of service (crash) and heap corruption via a negative or large idx value.
unknown
2007-03-10
7.0
CVE-2007-1385
MLIST
OTHER-REF
OTHER-REF
LedgerSMB -- LedgerSMB
SQL-Ledger -- SQL-Ledger
Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevent a password check from occurring.
unknown
2007-03-13
7.0
CVE-2007-1436
BUGTRAQ
BID
SECUNIA
SECUNIA
Linux -- Kernel
The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
unknown
2007-03-12
7.0
CVE-2007-1000
OTHER-REF
OTHER-REF
BID
Macromedia -- Shockwave
Multiple stack-based buffer overflows in an ActiveX control in SwDir.dll 10.1.4.20 in Macromedia Shockwave allow remote attackers to cause a denial of service (Internet Explorer 7 crash) and possibly execute arbitrary code via a long (1) BGCOLOR, (2) SRC, (3) AutoStart, (4) Sound, (5) DrawLogo, or (6) DrawProgress property value, different vectors than CVE-2006-6885.
unknown
2007-03-10
7.0
CVE-2007-1403
MILW0RM
Mercury -- Mail Transport System
Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport System) 4.01b and earlier allows remote attackers to execute arbitrary code via a long LOGIN command. NOTE: this might be the same issue as CVE-2006-5961.
unknown
2007-03-09
10.0
CVE-2007-1373
FULLDISC
SECUNIA
XF
Moodle -- moodle
Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php.
unknown
2007-03-12
7.0
CVE-2007-1429
BUGTRAQ
Open Education System -- Open Education System
Multiple PHP remote file inclusion vulnerabilities in Open Education System (OES) 0.1beta allow remote attackers to execute arbitrary PHP code via a URL in the CONF_INCLUDE_PATH parameter to (1) lib-account.inc.php, (2) lib-file.inc.php, (3) lib-group.inc.php, (4) lib-log.inc.php, (5) lib-mydb.inc.php, (6) lib-template-mod.inc.php, and (7) lib-themes.inc.php in includes/.
unknown
2007-03-13
10.0
CVE-2007-1446
BUGTRAQ
OTHER-REF
BID
FRSIRT
Open Solution -- Quick.Cart
Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has unknown impact and attack vectors, related to a "low critical exploit."
unknown
2007-03-10
7.0
CVE-2007-1407
OTHER-REF
OTHER-REF
OpenBSD -- OpenBSD
Unspecified vulnerability in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 has unspecified impact and remote attack vectors related to "Incorrect mbuf handling for ICMP6 packets."
unknown
2007-03-10
7.0
CVE-2007-1365
MLIST
OPENBSD
OPENBSD
SECTRACK
Oracle -- Oracle10g Database Server
Oracle Database 10g uses a NULL pDacl parameter when calling the SetSecurityDescriptorDacl function to create discretionary access control lists (DACLs), which allows local users to gain privileges.
unknown
2007-03-13
7.0
CVE-2007-1442
OTHER-REF
BID
SECUNIA
PECL Zip -- 1.8.3
PHP -- PHP
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.
unknown
2007-03-10
10.0
CVE-2007-1399
OTHER-REF
BID
PHP -- PHP
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.
unknown
2007-03-09
7.0
CVE-2007-1376
MILW0RM
MILW0RM
OTHER-REF
BID
PHP -- PHP
The ovrimos_longreadlen function in the Ovrimos extension for PHP before 4.4.5 allows context-dependent attackers to write to arbitrary memory locations via the result_id and length arguments.
unknown
2007-03-09
10.0
CVE-2007-1378
OTHER-REF
BID
PHP -- PHP
The ovrimos_close function in the Ovrimos extension for PHP before 4.4.5 can trigger efree of an arbitrary address, which might allow context-dependent attackers to execute arbitrary code.
unknown
2007-03-09
10.0
CVE-2007-1379
OTHER-REF
BID
PHP -- CVS
The wddx_deserialize function in wddx.c in PHP CVS as of 20070304 calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow.
unknown
2007-03-09
8.0
CVE-2007-1381
OTHER-REF
PHP -- PHP
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.
unknown
2007-03-09
8.0
CVE-2007-1383
OTHER-REF
PHP -- PHP
The import_request_variables function in PHP 4.0.7 through 5.2.1, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE.
unknown
2007-03-10
10.0
CVE-2007-1396
BUGTRAQ
PHP -- PHP
Buffer overflow in PHP 4.4.6 and earlier, and unspecified PHP 5 versions, allows local and possibly remote attackers to execute arbitrary code via long server name arguments to the (1) mssql_connect and (2) mssql_pconnect functions.
unknown
2007-03-10
10.0
CVE-2007-1411
BUGTRAQ
OTHER-REF
BID
PHP -- PHP
Buffer overflow in the snmpget function in the snmp extension in PHP 4.4.6 allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id).
unknown
2007-03-12
10.0
CVE-2007-1413
MILW0RM
BID
PHP -- PHP
Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering extension (ext/filter) in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by calling filter_var with certain modes such as FILTER_VALIDATE_INT, which causes filter to write a null byte in whitespace that precedes the buffer.
unknown
2007-03-14
7.0
CVE-2007-1453
OTHER-REF
OTHER-REF
BID
PHP Labs -- JobSitePro
SQL injection vulnerability in search.php in PHP Labs JobSitePro 1.0 allows remote attackers to execute arbitrary SQL commands via the salary parameter.
unknown
2007-03-12
7.0
CVE-2007-1428
MILW0RM
BID
SECUNIA
PHP-Nuke -- PHP-Nuke
SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter.
unknown
2007-03-14
7.0
CVE-2007-1450
BUGTRAQ
BID
phpAlbum.net -- phpalbum
** DISPUTED ** PHP remote file inclusion vulnerability in common.php in PHP Photo Album allows remote attackers to execute arbitrary PHP code via a URL in the db_file parameter. NOTE: CVE disputes this vulnerability, because versions 0.3.2.6 and 0.4.1beta do not contain this file.
unknown
2007-03-14
10.0
CVE-2007-1456
BUGTRAQ
VIM
PMB Services -- PMB Services
Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php.
unknown
2007-03-12
10.0
CVE-2007-1415
MILW0RM
OTHER-REF
BID
XF
PostGuestbook -- PostGuestbook
PHP remote file inclusion vulnerability in styles/internal/header.php in the PostGuestbook 0.6.1 module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the tpl_pgb_moddir parameter.
unknown
2007-03-09
10.0
CVE-2007-1372
MILW0RM
BID
XF
Premod SubDog -- Premod SubDog
Multiple PHP remote file inclusion vulnerabilities in Premod SubDog 2 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) functions_kb.php, (2) themen_portal_mitte.php, or (3) logger_engine.php in includes/.
unknown
2007-03-12
10.0
CVE-2007-1421
BUGTRAQ
BID
Rediff -- Toolbar
The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows remote attackers to cause a denial of service via unspecified manipulations, possibly involving improper initialization or blank arguments.
unknown
2007-03-10
7.0
CVE-2007-1402
OTHER-REF
BID
Softnews Media Group -- DataLife Engine
Multiple PHP remote file inclusion vulnerabilities in Softnews Media Group DataLife Engine allow remote attackers to execute arbitrary PHP code via a URL in the root_dir parameter to (1) init.php and (2) Ajax/editnews.php. NOTE: some of these details are obtained from third party information.
unknown
2007-03-12
7.0
CVE-2007-1424
BUGTRAQ
BID
Triexa -- SonicMailer Pro
SQL injection vulnerability in index.php in Triexa SonicMailer Pro 3.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the list parameter in an archive action.
unknown
2007-03-12
7.0
CVE-2007-1425
MILW0RM
BID
SECUNIA
Vallheru -- Vallheru
Multiple vulnerabilities in (1) bank.php, (2) landfill.php, (3) outposts.php, (4) tribes.php, (5) house.php, (6) tribearmor.php, (7) tribeastral.php, (8) tribeware.php, and (9) includes/head.php in Bartek Jasicki Vallheru before 1.3 beta have unknown impact and remote attack vectors, probably related to large integer values containing more than 15 digits. NOTE: the original vendor report is for integer overflows, but this is probably an incorrect usage of the term.
unknown
2007-03-10
7.0
CVE-2007-1408
OTHER-REF
OTHER-REF
OTHER-REF
WebCreator -- WebCreator
Multiple PHP remote file inclusion vulnerabilities in WebCreator 0.2.6-rc3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the moddir parameter to (1) content/load.inc.php, (2) config/load.inc.php, (3) http/load.inc.php, and unspecified other files.
unknown
2007-03-14
10.0
CVE-2007-1459
OTHER-REF
BID
Webo -- Webo
PHP remote file inclusion vulnerability in modules/abook/foldertree.php in Leo West WEBO (aka weborganizer) 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter.
unknown
2007-03-10
10.0
CVE-2007-1391
MILW0RM
OTHER-REF
BID
FRSIRT
XF
WORK system e-commerce -- WORK system e-commerce
Multiple PHP remote file inclusion vulnerabilities in WORK system e-commerce 3.0.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the g_include parameter to include/include_top.php and certain other PHP scripts.
unknown
2007-03-12
8.0
CVE-2007-1423
MILW0RM
BID
SECUNIA
X-Ice -- X-Ice News System
SQL injection vulnerability in devami.asp in X-Ice News System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-03-13
7.0
CVE-2007-1438
MILW0RM
BID

Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Apple -- Mac OS X Server
Apple -- Mac OS X
Stack-based buffer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via an image with a crafted ColorSync profile.
unknown
2007-03-13
5.6
CVE-2007-0719
APPLE
Apple -- Mac OS X Server
Apple -- Mac OS X
Unspecified vulnerability in diskimages-helper in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via a crafted compressed disk image that triggers memory corruption.
unknown
2007-03-13
5.6
CVE-2007-0721
APPLE
Apple -- Mac OS X Server
Apple -- Mac OS X
Integer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via a crafted AppleSingleEncoding disk image.
unknown
2007-03-13
5.6
CVE-2007-0722
APPLE
Apple -- Mac OS X Server
Apple -- Mac OS X
Unspecified vulnerability in the authentication feature for DirectoryService (DS Plug-Ins) for Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote authenticated LDAP users to modify the root password and gain privileges via unknown vectors.
unknown
2007-03-13
4.8
CVE-2007-0723
APPLE
Apple -- Mac OS X Server
Apple -- Mac OS X
The IOKit HID interface in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently limit access to certain controls, which allows local users to gain privileges by using HID device events to read keystrokes from the console.
unknown
2007-03-13
5.6
CVE-2007-0724
APPLE
Apple -- Server Manager
Server Manager (servermgrd) in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently validate authentication credentials, which allows remote attackers to bypass authentication and modify system configuration.
unknown
2007-03-13
5.6
CVE-2007-0730
APPLE
cPanel-Host -- Fantastico De Luxe
Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to includes/mysqlconfig.php and certain other files.
unknown
2007-03-14
6.0
CVE-2007-1455
BUGTRAQ
dreameesoft -- Password Master
DreameeSoft Password Master 1.0 stores the database in an unencrypted format when the master password is set, which allows attackers with physical access to read the database contents via an unspecified authentication bypass. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-09
5.6
CVE-2006-7163
BID
GuppY -- GuppY
GuppY 4.0 allows remote attackers to delete arbitrary files via a direct request to install/install.php, then selecting "Installation propre" (cleanup.php) and then "Suppression des fichiers d'installation" (delete.php).
unknown
2007-03-14
4.7
CVE-2007-1451
BUGTRAQ
OTHER-REF
Joris Guisson -- KTorrent
Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.2 allows remote attackers to overwrite arbitrary files via ".." sequences in a torrent filename.
unknown
2007-03-10
4.7
CVE-2007-1384
MLIST
OTHER-REF
OTHER-REF
LedgerSMB -- LedgerSMB
SQL-Ledger -- SQL-Ledger
Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution.
unknown
2007-03-13
6.0
CVE-2007-1437
BUGTRAQ
SECUNIA
SECUNIA
Linux -- Omnikey Cardman
Multiple buffer overflows in the (1) read and (2) write functions in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
unknown
2007-03-09
5.6
CVE-2007-0005
OTHER-REF
Mplayer -- Mplayer
The DirectShow loader (loader/dshow/DS_VideoDecoder.c) in MPlayer 1.0rc1 and earlier, as used in xine-lib, does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code, a different vulnerability than CVE-2007-1246.
unknown
2007-03-13
4.8
CVE-2007-1387
OTHER-REF
OTHER-REF
UBUNTU
SECUNIA
Navision -- Financials Server
Integer overflow in the ktruser function in NetBSD-current before 20061022, NetBSD 3 and 3-0 before 20061024, and NetBSD 2 before 20070209, when the kernel is built with the COMPAT_FREEBSD or COMPAT_DARWIN option, allows local users to cause a denial of service and possibly gain privileges.
unknown
2007-03-10
5.6
CVE-2007-1273
NETBSD
BID
PHP -- COM extensions
The PHP COM extensions for PHP on Windows systems allow context-dependent attackers to execute arbitrary code via a WScript.Shell COM object, as demonstrated by using the Run method of this object to execute cmd.exe, which bypasses PHP's safe mode.
unknown
2007-03-09
4.2
CVE-2007-1382
MILW0RM
PHP -- PHP
Buffer overflow in the crack extension (CrackLib), as bundled with PHP 4.4.6 and other versions before 5.0.0, might allow local users to gain privileges via a long argument to the crack_opendict function.
unknown
2007-03-10
5.6
CVE-2007-1401
BUGTRAQ
MILW0RM
OTHER-REF
Plesh -- Plesh
Plash permits sandboxed processes to open /dev/tty, which allows local users to escape sandbox restrictions and execute arbitrary commands by sending characters to a shell process on the same terminal via the TIOCSTI ioctl.
unknown
2007-03-10
5.6
CVE-2007-1400
MLIST
OTHER-REF
OSVDB
ProSysInfo -- TFTP Server TFTPDWIN
tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 allows remote attackers to cause a denial of service via a long UDP packet that is not properly handled in a recv_from call. NOTE: this issue might be related to CVE-2006-4948.
unknown
2007-03-10
5.3
CVE-2007-1404
MILW0RM
SECUNIA
Radscan -- Conquest
Multiple buffer overflows in Conquest 8.2a and earlier (1) allow local users to gain privileges by querying a metaserver that sends a long server entry processed by metaGetServerList and allow remote metaservers to execute arbitrary code via a long server entry processed by metaGetServerList; (2) allow attackers to have an unknown impact by exceeding the configured number of metaservers; and allow remote attackers to corrupt memory via a SP_CLIENTSTAT packet with certain values of (3) unum or (4) snum, different vulnerabilities than CVE-2003-0933.
unknown
2007-03-09
5.6
CVE-2007-1371
BUGTRAQ
MLIST
BID
FRSIRT
SECUNIA
XF
XF

Low Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Adobe -- Acrobat Reader
Mozilla -- Firefox
Netscape -- Netscape
Opera Software -- Opera
AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, Netscape, or Opera, allows remote attackers to cause a denial of service (unspecified resource consumption) via a .pdf URL with an anchor identifier that begins with search= followed by many %n sequences, a different vulnerability than CVE-2006-6027 and CVE-2006-6236.
unknown
2007-03-09
2.3
CVE-2007-1377
OTHER-REF
BID
Apple -- Mac OS X Server
Apple -- Mac OS X
The CUPS service in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service (service hang) via a "partially-negotiated" SSL connection, which prevents other requests from being accepted.
unknown
2007-03-13
2.3
CVE-2007-0720
APPLE
Apple -- Mac OS X Server
Apple -- Mac OS X
The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys.
unknown
2007-03-13
2.3
CVE-2007-0726
APPLE
Apple -- Mac OS X Server
Apple -- Mac OS X
Unspecified vulnerability in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 creates files insecurely while initializing a USB printer, which allows local users to create or overwrite arbitrary files.
unknown
2007-03-13
3.9
CVE-2007-0728
APPLE
AssetMan -- AssetMan
Directory traversal vulnerability in download_pdf.php in AssetMan 2.4a and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the pdf_file parameter.
unknown
2007-03-12
2.3
CVE-2007-1427
BUGTRAQ
MILW0RM
BID
AstroCam -- AstroCam
AstroCam before 2.6.6 allows remote attackers to cause a denial of service (daemon shutdown) via certain requests to the web interface.
unknown
2007-03-12
3.3
CVE-2007-1426
OTHER-REF
FRSIRT
SECUNIA
Avaya -- S8700
Avaya -- S8300
Avaya -- S8710
Avaya -- S8500
Cross-site scripting (XSS) vulnerability in the login page in Avaya Communications Manager (CM) S87XX, S8500, and S8300 products before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Login field.
unknown
2007-03-09
1.9
CVE-2007-1367
OTHER-REF
BID
SECUNIA
Computer Associates -- eTrust Admin
Unspecified vulnerability in cube.exe in the GINA component for CA (Computer Associates) eTrust Admin 8.1.0 through 8.1.2 allows attackers with physical interactive or Remote Desktop access to bypass authentication and gain privileges via the password reset interface.
unknown
2007-03-10
2.3
CVE-2007-1345
BUGTRAQ
OTHER-REF
BID
FRSIRT
OSVDB
SECTRACK
SECUNIA
XF
Drupal -- Drupal Project Issue Tracking
The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a modified node identifier.
unknown
2007-03-09
1.1
CVE-2007-1368
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
Dynaliens -- Dynaliens
Multiple cross-site scripting (XSS) vulnerabilities in dynaliens 2.0 and 2.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) recherche.php3 or (2) ajouter.php3.
unknown
2007-03-10
1.9
CVE-2007-1390
BUGTRAQ
OTHER-REF
BID
Edgewall Software -- Trac
Cross-site scripting (XSS) vulnerability in the "download wiki page as text" feature in Trac before 0.10.3.1, when Microsoft Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
unknown
2007-03-10
1.9
CVE-2007-1405
OTHER-REF
SECUNIA
Grayscale -- Grayscale Blog
Cross-site scripting (XSS) vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment fields to (1) scripts/addblog_comment.php and (2) detail.php.
unknown
2007-03-13
1.9
CVE-2007-1433
BUGTRAQ
BID
FRSIRT
Linux -- Kernel
The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel 2.6.17, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.
unknown
2007-03-10
1.1
CVE-2007-1388
OTHER-REF
Linux -- Conga
The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.
unknown
2007-03-15
1.9
CVE-2007-1462
OTHER-REF
Mindtouch -- DekiWiki
Cross-site scripting (XSS) vulnerability in skins/ace/popup-notopic.php in MindTouch OpenGarden DekiWiki before Gooseberry++ allows remote attackers to inject arbitrary web script or HTML via the message parameter.
unknown
2007-03-12
1.9
CVE-2007-1418
OTHER-REF
BID
SECUNIA
XF
MySQL -- MySQL
MySQL 5.x before 5.0.37 allows local users to cause a denial of service (database crash) by using a combination of certain string functions, information_schema table subselects, and ORDER BY result sorting, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
unknown
2007-03-12
2.3
CVE-2007-1420
BUGTRAQ
OTHER-REF
BID
netForo! -- netForo!
Directory traversal vulnerability in down.php in netForo! 0.1g allows remote attackers to read arbitrary files via a .. (dot dot) in the file_to_download parameter.
unknown
2007-03-10
2.3
CVE-2007-1392
MILW0RM
BID
FRSIRT
XF
Netperf -- Netperf
netserver in netperf 2.4.3 allows local users to overwrite arbitrary files via a symlink attack on /tmp/netperf.debug.
unknown
2007-03-13
3.9
CVE-2007-1444
OTHER-REF
BID
FRSIRT
SECUNIA
PennMUSH -- PennMUSH
Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1 and 1.8.2 before 1.8.2p3 allow attackers to cause a denial of service (crash) related to the (1) speak and (2) buy functions.
unknown
2007-03-13
3.3
CVE-2007-1431
MLIST
BID
FRSIRT
SECUNIA
PHP -- PHP
Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991.
unknown
2007-03-09
2.3
CVE-2007-1375
MILW0RM
OTHER-REF
BID
PHP -- PHP
The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
unknown
2007-03-09
3.3
CVE-2007-1380
MILW0RM
OTHER-REF
PHP -- PHP
The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 allows context-dependent attackers to obtain sensitive information (script source code) via a long string in the second argument.
unknown
2007-03-12
3.3
CVE-2007-1412
MILW0RM
BID
PHP -- PHP
The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted POST.
unknown
2007-03-14
2.3
CVE-2007-1452
OTHER-REF
BID
PHP -- PHP
ext/filter in PHP 5.2.0, when FILTER_SANITIZE_STRING is used with the FILTER_FLAG_STRIP_LOW flag, does not properly strip HTML tags, which allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML with a '<' character followed by certain whitespace characters, which passes one filter but is collapsed into a valid tag, as demonstrated using %0b.
unknown
2007-03-14
1.9
CVE-2007-1454
OTHER-REF
PHP -- PHP
The zip:// URL wrapper provided by the PECL zip extension in PHP 5.2.0 and 5.2.1 does not implement safemode or open_basedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories.
unknown
2007-03-14
2.3
CVE-2007-1460
OTHER-REF
PHP -- PHP
The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP 5.2.1 and earlier does not implement safemode or open_basedir checks, which allows remote attackers to read bzip2 archives located outside of the intended directories.
unknown
2007-03-14
3.3
CVE-2007-1461
OTHER-REF
PHP-Nuke -- PHP-Nuke
Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.
unknown
2007-03-14
1.9
CVE-2007-1449
BUGTRAQ
BUGTRAQ
BID
SECUNIA
phpMyAdmin -- phpMyAdmin
Incomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase end tag, which bypasses the protection against lowercase .
unknown
2007-03-10
1.9
CVE-2007-1395
BUGTRAQ
OTHER-REF
XF
RIM -- Blackberry
The 4thPass browser on the RIM BlackBerry 8100 (Pearl) before 4.2.1 allows remote attackers to cause a denial of service (temporary functionality loss) via a long href attribute in a link in a WML page.
unknown
2007-03-13
2.3
CVE-2007-1441
BUGTRAQ
Snitz Communications -- Snitz Forums 2000
Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz Forums 2000 3.4.06 allows remote attackers to inject arbitrary web script or HTML via the MSN parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-09
1.9
CVE-2007-1374
BID
SECUNIA
XF
Snort -- Snort
The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when configured for inline use on Linux without the ip_conntrack module loaded, allows remote attackers to cause a denial of service (segmentation fault and application crash) via certain UDP packets produced by send_morefrag_packet and send_overlap_packet.
unknown
2007-03-10
2.7
CVE-2007-1398
MILW0RM
BID
Sun -- Java Dynamic Management Kit
The Java Management Extensions Remote API Remote Method Invocation over Internet Inter-ORB Protocol (JMX RMI-IIOP) API in Java Dynamic Management Kit 5.1 before 20070309 does not properly enforce the java.policy, which allows local users to obtain certain MBeans data access by operating a server application accessed by a privileged remote authenticated user.
unknown
2007-03-12
2.9
CVE-2007-1419
SUNALERT
Woltlab -- Burning Board
Woltlab -- Burning Board Lite
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Woltlab Burning Board (wBB) 2.3.6 and Burning Board Lite 1.0.2pl3e allow remote attackers to inject arbitrary web script or HTML via the (1) r_username, (2) r_email, (3) r_password, (4) r_confirmpassword, (5) r_homepage, (6) r_icq, (7) r_aim, (8) r_yim, (9) r_msn, (10) r_year, (11) r_month, (12) r_day, (13) r_gender, (14) r_signature, (15) r_usertext, (16) r_invisible, (17) r_usecookies, (18) r_admincanemail, (19) r_emailnotify, (20) r_notificationperpm, (21) r_receivepm, (22) r_emailonpm, (23) r_pmpopup, (24) r_showsignatures, (25) r_showavatars, (26) r_showimages, (27) r_daysprune, (28) r_umaxposts, (29) r_dateformat, (30) r_timeformat, (31) r_startweek, (32) r_timezoneoffset, (33) r_usewysiwyg, (34) r_styleid, (35) r_langid, (36) key_string, (37) key_number, (38) disablesmilies, (39) disablebbcode, (40) disableimages, (41) field[1], (42) field[2], and (43) field[3] parameters. NOTE: a third-party researcher has disputed some of these vectors, stating that only the r_dateformat and r_timeformat parameters in Burning Board 2.3.6 are affected.
unknown
2007-03-13
1.9
CVE-2007-1443
BUGTRAQ
BUGTRAQ
FRSIRT
SECUNIA
SECUNIA
WordPress -- WordPress
WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message.
unknown
2007-03-10
2.3
CVE-2007-1409
BUGTRAQ
BUGTRAQ
Zend -- Zend Platform
ini_modifier (sgid-zendtech) in Zend Platform 2.2.3 and earlier allows local users to modify the system php.ini file by editing a copy of php.ini file using the -f parameter, and then performing a symlink attack using the directory that contains the attacker-controlled php.ini file, and linking this directory to /usr/local/Zend/etc.
unknown
2007-03-09
3.9
CVE-2007-1369
OTHER-REF
OTHER-REF
BID
FRSIRT
XF