Bulletin (SB07-085)

Vulnerability Summary for the Week of March 19, 2007

Original Release date: Mar 26, 2007 | Last revised: -

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Asterisk -- Asterisk
The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not properly generate extensions, which allows remote attackers to execute arbitrary extensions and have an unknown impact by specifying an invalid extension in a certain form.
unknown
2007-03-22
7.0
CVE-2007-1595
OTHER-REF
OTHER-REF
Atrium Software -- MERCUR Messaging 2005
Atrium Software -- Mercur IMAPD
Stack-based buffer overflow in Atrium MERCUR IMAPD allows remote attackers to have an unknown impact via a certain SUBSCRIBE command. NOTE: As of 20070321, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being assigned a CVE identifier for tracking purposes.
unknown
2007-03-21
7.0
CVE-2007-1579
OTHER-REF
OTHER-REF
BID
Avant Force -- Avant Browser
Stack-based buffer overflow in Avant Browser 11.0 build 26 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Content-Type HTTP header.
unknown
2007-03-19
8.0
CVE-2007-1501
MILW0RM
BID
Carbonize -- Lazarus Guestbook
PHP remote file inclusion vulnerability in template.class.php in Carbonize Lazarus Guestbook before 1.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to admin.php, probably due to a dynamic variable evaluation vulnerability.
unknown
2007-03-16
10.0
CVE-2007-1486
BUGTRAQ
BUGTRAQ
OTHER-REF
VIM
FRSIRT
Computer Associates -- BrightStor ARCServe Backup
The Tape Engine in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC procedure arguments, which result in memory corruption, a different vulnerability than CVE-2006-6076.
unknown
2007-03-16
10.0
CVE-2007-1447
OTHER-REF
OTHER-REF
OSVDB
DaanSystems -- NewsReactor
Stack-based buffer overflow in DaanSystems NewsReactor 20070220.21 allows remote attackers to execute arbitrary code via a yEnc (yEncode) encoded article with a long filename.
unknown
2007-03-21
10.0
CVE-2007-1568
MILW0RM
MILW0RM
FRSIRT
SECUNIA
F-Secure -- F-Secure Anti-Virus Client Security
Format string vulnerability in F-Secure Anti-Virus Client Security 6.02 allows local users to cause a denial of service and possibly gain privileges via format string specifiers in the Management Server name field on the Communication settings page.
unknown
2007-03-20
7.0
CVE-2007-1557
BUGTRAQ
OTHER-REF
BID
file -- file
Integer underflow in the file_printf function in file before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.
unknown
2007-03-20
8.0
CVE-2007-1536
MLIST
OTHER-REF
SECUNIA
IBM -- WebSphere Application Server
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a single CRLF sequence in a context that is not a valid multi-line header.
unknown
2007-03-22
7.0
CVE-2007-1608
AIXAPAR
BID
SECUNIA
inkscape -- inkscape
Format string vulnerability in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a URI, which is not properly handled by certain dialogs.
unknown
2007-03-21
8.0
CVE-2007-1463
BID
OTHER-REF
UBUNTU
InterVations -- FileCOPA
Stack-based buffer overflow in InterVations FileCOPA FTP Server 1.01 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by filecopa.tar by Immunity. NOTE: some of these details are obtained from third party information. NOTE: As of 20070322, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being assigned a CVE identifier for tracking purposes.
unknown
2007-03-22
8.0
CVE-2007-1598
OTHER-REF
OTHER-REF
BID
Katalog Plyt Audio -- Katalog Plyt Audio
SQL injection vulnerability in index.php in Katalog Plyt Audio 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the kolumna parameter.
unknown
2007-03-22
7.0
CVE-2007-1612
MILW0RM
SECUNIA
Koan Software -- Mega Mall
Multiple SQL injection vulnerabilities in Koan Software Mega Mall allow remote attackers to execute arbitrary SQL commands via the (1) t, (2) productId, (3) sk, (4) x, or (5) so parameter to (a) product_review.php; or the (6) orderNo parameter to (b) order-track.php.
unknown
2007-03-20
7.0
CVE-2006-7170
BUGTRAQ
BID
XF
Lasse Laaksonen -- MPM Chat
Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-22
7.0
CVE-2007-1613
BID
lbstone -- Active PHP Bookmark Notes
PHP remote file inclusion vulnerability in templates/head.php in Active PHP Bookmark Notes (APB) 0.2.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APB_SETTINGS[template_path] parameter. NOTE: this issue might be related to CVE-2003-1254.
unknown
2007-03-22
10.0
CVE-2007-1621
MILW0RM
BID
FRSIRT
Linux -- Kernel
nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.
unknown
2007-03-16
7.0
CVE-2007-1497
OTHER-REF
SECUNIA
McAfee -- ePolicy Orchestrator
McAfee -- ProtectionPilot
Multiple stack-based buffer overflows in the SiteManager.SiteMgr.1 ActiveX control (SiteManager.dll) in the ePO management console in McAfee ePolicy Orchestrator (ePO) before 3.6.1 Patch 1 and ProtectionPilot (PRP) before 1.5.0 HotFix allow remote attackers to execute arbitrary code via a long argument to the (1) ExportSiteList and (2) VerifyPackageCatalog functions, and (3) unspecified vectors involving a swprintf function call.
unknown
2007-03-16
10.0
CVE-2007-1498
FULLDISC
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
McAfee -- VirusScan Enterprise
** DISPUTED ** McAfee VirusScan Enterprise 8.5.0.i uses insecure permissions for certain Windows Registry keys, which allows local users to bypass local password protection via the UIP value in (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion. NOTE: this issue has been disputed by third-party researchers, stating that the default permissions for HKEY_LOCAL_MACHINE\SOFTWARE do not allow for write access and the product does not modify the inherited permissions. There might be an interaction error with another product.
unknown
2007-03-20
7.0
CVE-2007-1538
BUGTRAQ
BUGTRAQ
BUGTRAQ
OTHER-REF
OTHER-REF
SECTRACK
MetaForum -- MetaForum
Unrestricted file upload vulnerability in usercp.php in MetaForum 0.513 Beta restricts file types based on the MIME type in the Content-type HTTP header, which allows remote attackers to upload and execute arbitrary scripts via an image MIME type with a filename containing an executable extension such as .php.
unknown
2007-03-20
7.0
CVE-2007-1552
BUGTRAQ
OTHER-REF
BID
Microsoft -- Visual Studio .NET
Stack-based buffer overflow in the AfxOleSetEditMenu function in the MFC component in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 Gold and SP1, and Visual Studio .NET 2002 Gold and SP1, and 2003 Gold and SP1 allows user-assisted remote attackers to have an unknown impact (probably crash) via an RTF file with a malformed OLE object, which results in writing two 0x00 characters past the end of szBuffer, aka the "MFC42u.dll Off-by-Two Overflow." NOTE: this issue is due to an incomplete patch (MS07-012) for CVE-2007-0025.
unknown
2007-03-20
10.0
CVE-2007-1512
BUGTRAQ
Microsoft -- Windows Vista
DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port.
unknown
2007-03-20
7.0
CVE-2007-1534
BUGTRAQ
OTHER-REF
Microsoft -- Windows Vista
Microsoft Windows Vista establishes a Teredo address without user action upon connection to the Internet, contrary to documentation that Teredo is inactive without user action, which increases the attack surface and allows remote attackers to communicate via Teredo.
unknown
2007-03-20
7.0
CVE-2007-1535
BUGTRAQ
OTHER-REF
Minerva -- Minerva
SQL injection vulnerability in forum.php in the Minerva mod 2.0.21 build 238a and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the c parameter.
unknown
2007-03-20
7.0
CVE-2007-1555
MILW0RM
BID
myServer -- myServer
server.cpp in MyServer 0.8.5 calls Process::setuid before calling Process::setgid and thus does not properly drop privileges, which might allow remote attackers to execute CGI programs with unintended privileges.
unknown
2007-03-21
7.0
CVE-2007-1588
MLIST
OTHER-REF
NetBSD -- NetBSD
Heap-based buffer overflow in the kernel in NetBSD 3.0, certain versions of FreeBSD and OpenBSD, and possibly other BSD derived operating systems allows local users to have an unknown impact. NOTE: this information is based upon a vague pre-advisory with no actionable information. Details will be updated after 20070329.
unknown
2007-03-20
7.0
CVE-2007-1523
OTHER-REF
OTHER-REF
BID
NetVIOS -- NetVIOS
SQL injection vulnerability in News/page.asp in NetVIOS Portal allows remote attackers to execute arbitrary SQL commands via the NewsID parameter. NOTE: this issue might be the same as CVE-2006-5954.
unknown
2007-03-21
7.0
CVE-2007-1566
MILW0RM
BID
XF
NETxAutomation -- NETxEIB
NETxAutomation NETxEIB OPC Server before 3.0.1300 does not properly validate OLE for Process Control (OPC) server handles, which allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors that allow access of arbitrary memory. NOTE: the vectors might be limited to attackers with physical access.
unknown
2007-03-21
8.0
CVE-2007-1313
OTHER-REF
CERT-VN
BID
FRSIRT
SECUNIA
NewsBin Pro -- NewsBin Pro
Stack-based buffer overflow in NewsBin Pro 4.32 allows remote attackers to cause a denial of service or execute arbitrary code via a yEnc (yEncode) encoded article with a long filename, as demonstrated using a .nzb file. NOTE: some of these details are obtained from third party information.
unknown
2007-03-21
10.0
CVE-2007-1569
MILW0RM
BID
FRSIRT
SECUNIA
NukeScripts -- NukeSentinel
nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive regular expression to validate an IP address, which allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, due to an incomplete patch for CVE-2007-1172.
unknown
2007-03-16
7.0
CVE-2007-1493
BUGTRAQ
VIM
NukeScripts -- NukeSentinel
Cross-site scripting (XSS) vulnerability in NukeSentinel before 2.5.06 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "filters for https:// and http://".
unknown
2007-03-16
7.0
CVE-2007-1494
OTHER-REF
OpenAFS -- OpenAFS
The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges.
unknown
2007-03-20
7.0
CVE-2007-1507
MLIST
MLIST
OpenOffice -- OpenOffice
Stack-based buffer overflow in the StarCalc parser in OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary code via a crafted document.
unknown
2007-03-21
8.0
CVE-2007-0238
DEBIAN
FRSIRT
SECTRACK
OpenOffice -- OpenOffice
OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document.
unknown
2007-03-21
8.0
CVE-2007-0239
DEBIAN
FRSIRT
SECTRACK
Particle Blogger -- Particle Blogger
SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter.
unknown
2007-03-20
7.0
CVE-2007-1510
BUGTRAQ
BID
Paul Knierim -- WSN Guest
SQL injection vulnerability in comments.php in WSN Guest 1.02 and 1.21 allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-03-20
7.0
CVE-2007-1517
BUGTRAQ
BID
PHP DB Designer -- PHP DB Designer
Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php.
unknown
2007-03-22
10.0
CVE-2007-1620
MILW0RM
FRSIRT
XF
PHP-Stats -- PHP-Stats
Multiple SQL injection vulnerabilities in php-stats.recphp.php in PHP-Stats 0.1.9.1b and earlier allow remote attackers to execute arbitrary code via a leading dotted-quad IP address string in the (1) PC-REMOTE-ADDR HTTP header, which is inserted into $_SERVER['HTTP_PC_REMOTE_ADDR'], or (2) ip parameter.
unknown
2007-03-20
7.0
CVE-2006-7172
MILW0RM
MILW0RM
FRSIRT
SECUNIA
XF
PHP-Stats -- PHP-Stats
Direct static code injection vulnerability in admin.php in PHP-Stats 0.1.9.1b and earlier allows remote attackers to execute arbitrary PHP code via a crafted option_new[report_w_day] parameter in a preferenze action, which can be later accessed via option/php-stats-options.php.
unknown
2007-03-20
10.0
CVE-2006-7173
MILW0RM
FRSIRT
SECUNIA
phpBB -- Dimension
PHP remote file inclusion vulnerability in includes/functions.php in the Dimension module of phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this may be the same issue as CVE-2006-5235.
unknown
2007-03-21
10.0
CVE-2006-7174
BUGTRAQ
BUGTRAQ
PHProjekt -- PHProjekt
Multiple SQL injection vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) unspecified vectors to the (a) calendar and (b) search modules, and (2) an unspecified cookie when the user logs out.
unknown
2007-03-21
7.0
CVE-2007-1575
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
PHPX -- PHPX
Multiple SQL injection vulnerabilities in phpx 3.5.15 allow remote attackers to execute arbitrary SQL commands via the (1) image_id or (2) cat_id parameter to (a) gallery.php; the (3) news_id parameter to (b) news.php or (c) print.php; (4) the news_cat_id parameter to news.php; the (5) cat_id, (6) topic_id, or (7) post_id parameter to (d) forums.php; or (8) the user_id parameter to (e) users.php.
unknown
2007-03-20
7.0
CVE-2007-1550
BUGTRAQ
BID
ProRat -- Server
Unspecified vulnerability in ProRat Server 1.9 Fix2 allows remote attackers to bypass the authentication mechanism for remote login via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-20
7.0
CVE-2006-7167
BID
Radscan -- Network Audio System
Stack-based buffer overflow in the accept_att_local function in server/os/connection.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection.
unknown
2007-03-20
10.0
CVE-2007-1543
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Rhapsody IRC -- Rhapsody IRC
Multiple format string vulnerabilities in comm.c in Rhapsody IRC 0.28b allow remote attackers to execute arbitrary code via format string specifiers to the create_ctcp_message function using the message argument to the (1) me or (2) ctcp commands, and possibly related vectors involving the (3) whois, (4) mode, and (5) topic commands.
unknown
2007-03-19
7.0
CVE-2007-1503
BUGTRAQ
BID
Roxio -- CinePlayer
InterActual Technologies -- InterActual Player
Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in InterActual Player 2.60.12.0717 and Roxio CinePlayer 3.2 allows remote attackers to execute arbitrary code via a long ApplicationType property.
unknown
2007-03-21
8.0
CVE-2007-0348
OTHER-REF
FRSIRT
FRSIRT
SECUNIA
SECUNIA
ScriptMagix -- Scriptmagix Jokes
SQL injection vulnerability in index.php in ScriptMagix Jokes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
unknown
2007-03-22
7.0
CVE-2007-1615
MILW0RM
SECUNIA
ScriptMagix -- ScriptMagix Lyrics
SQL injection vulnerability in index.php in ScriptMagix Lyrics 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the recid parameter.
unknown
2007-03-22
7.0
CVE-2007-1616
MILW0RM
SECUNIA
ScriptMagix -- ScriptMagix Recipes
SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
unknown
2007-03-22
7.0
CVE-2007-1617
MILW0RM
FRSIRT
SECUNIA
ScriptMagix -- ScriptMagix FAQ Builder
SQL injection vulnerability in index.php in ScriptMagix FAQ Builder 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
unknown
2007-03-22
7.0
CVE-2007-1618
MILW0RM
FRSIRT
ScriptMagix -- ScriptMagix Photo Rating
SQL injection vulnerability in viewcomments.php in ScriptMagix Photo Rating 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the phid parameter.
unknown
2007-03-22
7.0
CVE-2007-1619
MILW0RM
FRSIRT
SQL-Ledger -- SQL-Ledger
Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00) character to protect against directory traversal attacks, which allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence in the login parameter.
unknown
2007-03-20
7.0
CVE-2007-1541
BUGTRAQ
OTHER-REF
BID
SECUNIA
Sun -- Java System Web Server
Unspecified vulnerability in Sun Java System Web Server 6.0 and 6.1 before 20070315 allows remote attackers to "gain unauthorized access to data", possibly involving direct requests for certain URLs.
unknown
2007-03-16
7.0
CVE-2007-1488
SUNALERT
BID
FRSIRT
SECUNIA
Takebishi Corporation -- DeviceXPlorer OPC Server
Unspecified vulnerability in the OPCDA interface in Takebishi Electric DeviceXPlorer OLE for Process Control (OPC) Server before 3.12 Build3 allows remote attackers to execute arbitrary code via unspecified vectors involving access to arbitrary memory.
unknown
2007-03-19
7.0
CVE-2007-1319
OTHER-REF
CERT-VN
thecreativeheads.de -- Creative Files
SQL injection vulnerability in kommentare.php in Creative Files 1.2 allows remote attackers to execute arbitrary SQL commands via the dlid parameter.
unknown
2007-03-20
7.0
CVE-2007-1556
MILW0RM
BID
XF
Tim Soderstrom -- StatsDawg
templates/config/mail.tpl in Tim Soderstrom StatsDawg 0.92 allows remote attackers to execute arbitrary programs by specifying the program name in the qshapeLocation parameter.
unknown
2007-03-21
10.0
CVE-2007-1587
OTHER-REF
War FTP Daemon -- War FTP Daemon
Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.
unknown
2007-03-21
10.0
CVE-2007-1567
OTHER-REF
BID
FRSIRT
SECUNIA
Web Wiz Forums -- Web Wiz Forums
SQL injection vulnerability in functions/functions_filters.asp in Web Wiz Forums before 8.05a (MySQL version) does not properly filter certain characters being used in SQL commands, which allows remote attackers to execute arbitrary SQL commands via \"' (slash double-quote quote) sequences, which are collapsed into \', as demonstrated via the name parameter to forum/pop_up_member_search.asp.
unknown
2007-03-20
7.0
CVE-2007-1548
BUGTRAQ
OTHER-REF
OTHER-REF
BID
Weekly Drawing Contest -- Weekly Drawing Contest
SQL injection vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to execute arbitrary SQL commands via the order parameter.
unknown
2007-03-22
7.0
CVE-2007-1602
BUGTRAQ
Weekly Drawing Contest -- Weekly Drawing Contest
admin/contest.php in Weekly Drawing Contest 0.0.1 allows remote attackers to bypass authentication, and insert new contest information into a database, via a direct POST request.
unknown
2007-03-22
7.0
CVE-2007-1603
BUGTRAQ
Woltlab -- Burning Board
SQL injection vulnerability in usergroups.php in Woltlab Burning Board (wBB) 2.x allows remote attackers to execute arbitrary SQL commands via the array index of the applicationids array.
unknown
2007-03-20
7.0
CVE-2007-1518
BUGTRAQ
BID
X MultiMedia System -- X MultiMedia System
Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which triggers memory corruption.
unknown
2007-03-21
8.0
CVE-2007-0653
OTHER-REF
BID
FRSIRT
SECUNIA
X MultiMedia System -- X MultiMedia System
Integer underflow in X MultiMedia System (xmms) 1.2.10 allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which results in a stack-based buffer overflow.
unknown
2007-03-21
8.0
CVE-2007-0654
OTHER-REF
BID
FRSIRT
SECUNIA
X-Ice -- Haber Sistemi
X-Ice -- News System
SQL injection vulnerability in devami.asp in X-ice Haber Sistemi (aka News System) 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-03-21
7.0
CVE-2007-1570
MILW0RM
FRSIRT
SECUNIA
ZZipLib -- ZZipLib
Stack-based buffer overflow in the zzip_open_shared_io function in zzip/file.c in ZZIPlib Library before 0.13.49 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long filename.
unknown
2007-03-22
8.0
CVE-2007-1614
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Atrium Software -- Mercur IMAPD
Multiple integer signedness errors in the NTLM implementation in Atrium MERCUR IMAPD (mcrimap4.exe) 5.00.14, with SP4, allow remote attackers to execute arbitrary code via a long NTLMSSP argument that triggers a stack-based buffer overflow.
unknown
2007-03-21
5.6
CVE-2007-1578
FULLDISC
MILW0RM
OTHER-REF
BID
SECTRACK
Avaya -- S8700 Series
Avaya -- SIP Enablement Services
Avaya -- S8300
Avaya -- S8500
Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allows connections from external interfaces via port 8009, which exposes it to attacks from outside parties.
unknown
2007-03-16
4.2
CVE-2007-1491
OTHER-REF
SECUNIA
Cicoandcico -- CcMail
PHP remote file inclusion vulnerability in functions/update.php in Cicoandcico CcMail 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the functions_dir parameter.
unknown
2007-03-20
5.6
CVE-2007-1516
MILW0RM
BID
Dayfox Designs -- Dayfox Blog
Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php.
unknown
2007-03-20
5.6
CVE-2007-1525
MILW0RM
Digital Eye Gallery -- Digital Eye Gallery
PHP remote file inclusion vulnerability in module.php in Digital Eye Gallery 1.1 Beta (aka 0.1.1b) allows remote attackers to execute arbitrary PHP code via a URL in the menu parameter.
unknown
2007-03-22
5.6
CVE-2007-1600
MILW0RM
BID
Evolution -- Shared Memo
Format string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo.
unknown
2007-03-21
5.6
CVE-2007-1002
OTHER-REF
SECUNIA
XF
FrontBase -- Relational Database Server
Buffer overflow in FrontBase Relational Database Server 4.2.7 and earlier allows remote authenticated users, with privileges for creating a stored procedure, to execute arbitrary code via a CREATE PROCEDURE request with a long procedure name.
unknown
2007-03-20
4.8
CVE-2007-1511
BUGTRAQ
BID
GraFX -- Company Website Builder Pro
PHP remote file inclusion vulnerability in comanda.php in GraFX Company WebSite Builder (CWB) PRO 1.9.8, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter.
unknown
2007-03-20
5.6
CVE-2007-1513
BUGTRAQ
MILW0RM
OTHER-REF
BID
Guestbara -- Guestbara
Direct static code injection vulnerability in admin/configuration.php in Guestbara 1.2 and earlier allows remote authenticated users to inject arbitrary PHP code into config.php via the (1) admin_mail, (2) emotpatch, (3) login, (4) pass, and unspecified other parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-20
5.6
CVE-2007-1554
FRSIRT
inkscape -- inkscape
Format string vulnerability in the whiteboard Jabber protocol in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors.
unknown
2007-03-21
5.6
CVE-2007-1464
OTHER-REF
KDE -- Konqueror
The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in a FTP PASV command.
unknown
2007-03-21
5.6
CVE-2007-1564
OTHER-REF
Lookup -- Lookup
The ndeb-binary feature in Lookup (lookup-el) allows local users to overwrite arbitrary files via a symlink attack on temporary files.
unknown
2007-03-19
4.9
CVE-2007-0237
DEBIAN
SECUNIA
SECUNIA
Mambo -- NFN Address Book
Joomla! -- NFN Address Book
Multiple PHP remote file inclusion vulnerabilities in the NFN Address Book (com_nfn_addressbook) 0.4 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) components/com_nfn_addressbook/nfnaddressbook.php or (2) administrator/components/com_nfn_addressbook/nfnaddressbook.php.
unknown
2007-03-22
5.6
CVE-2007-1596
MILW0RM
BID
Microsoft -- Windows Vista
The neighbor discovery implementation in Microsoft Windows Vista allows remote attackers to conduct a redirect attack by (1) responding to queries by sending spoofed Neighbor Advertisements or (2) blindly sending Neighbor Advertisements.
unknown
2007-03-20
4.7
CVE-2007-1532
BUGTRAQ
OTHER-REF
Mozilla -- Firefox
The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in a FTP PASV command.
unknown
2007-03-21
5.6
CVE-2007-1562
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
Opera Software -- Opera
The FTP protocol implementation in Opera 9.10 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in a FTP PASV command.
unknown
2007-03-21
5.6
CVE-2007-1563
OTHER-REF
PHP -- PHP
PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
unknown
2007-03-20
5.6
CVE-2006-7168
BUGTRAQ
BID
XF
PHP -- PHP
Double free vulnerability in PHP 5.2.1 and earlier allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation.
unknown
2007-03-20
5.6
CVE-2007-1521
OTHER-REF
BID
PHP -- PHP
Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.
unknown
2007-03-20
5.6
CVE-2007-1522
OTHER-REF
PHP -- PHP
The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources.
unknown
2007-03-21
5.6
CVE-2007-1581
MILW0RM
OTHER-REF
BID
PHP -- PHP
The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
unknown
2007-03-21
5.6
CVE-2007-1582
MILW0RM
OTHER-REF
BID
PHP -- PHP
The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
unknown
2007-03-21
5.6
CVE-2007-1583
OTHER-REF
BID
PHP -- PHP
Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string.
unknown
2007-03-21
5.6
CVE-2007-1584
MILW0RM
OTHER-REF
PHPX -- PHPX
Unrestricted file upload vulnerability in gallery.php in phpx 3.5.15 allows remote attackers to upload and execute arbitrary PHP scripts via an addImage action, which places scripts into the gallery/shelties/ directory.
unknown
2007-03-20
5.6
CVE-2007-1549
BUGTRAQ
BID
Radical Designs -- Activist Mobilization Platform
PHP remote file inclusion vulnerability in includes/base.php in Radical Designs Activist Mobilization Platform (AMP) 3.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.
unknown
2007-03-21
5.6
CVE-2007-1571
MILW0RM
OTHER-REF
FRSIRT
Rhapsody IRC -- Rhapsody IRC
Multiple buffer overflows in Rhapsody IRC 0.28b allow remote attackers to execute arbitrary code via a (1) long command, (2) long server argument to the (a) connect or (b) server commands, (3) long nick argument to the (c) nick command, or a long (4) nick or (5) message argument to the (d) ctcp, (e) chat, (f) notice, (g) message (msg), or (h) query commands.
unknown
2007-03-19
5.6
CVE-2007-1502
BUGTRAQ
BID
SourceForge -- JGBBS
SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter, a different vector than CVE-2007-1440. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-21
5.6
CVE-2007-1572
FRSIRT
Ultimate PHP Board -- Ultimate PHP Board
PHP remote file inclusion vulnerability in includes/header_simple.php in Ultimate PHP Board (UPB) 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the _CONFIG[skin_dir] parameter.
unknown
2007-03-20
5.6
CVE-2006-7169
MILW0RM
BID
XF
ViperWeb -- Portal
PHP remote file inclusion vulnerability in index.php in ViperWeb Portal alpha 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the modpath parameter.
unknown
2007-03-20
5.6
CVE-2007-1514
BUGTRAQ
BID
W-Agora -- W-Agora
Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg.
unknown
2007-03-22
5.6
CVE-2007-1604
BUGTRAQ
BID
SECUNIA
WebAPP -- WebAPP
Unspecified vulnerability in WebAPP 0.9.9.6 before 20070312 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.
unknown
2007-03-16
5.6
CVE-2007-1489
OTHER-REF
SECUNIA

Low Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Apache Software Foundation -- Apache HTTP Server
Apache Software Foundation -- Tomcat
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
unknown
2007-03-16
3.3
CVE-2007-0450
BID
BUGTRAQ
OTHER-REF
OTHER-REF
Asterisk -- Asterisk
Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address.
unknown
2007-03-21
3.3
CVE-2007-1561
FULLDISC
BID
FRSIRT
SECTRACK
XF
Asterisk -- Asterisk
The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.
unknown
2007-03-22
2.3
CVE-2007-1594
BUGTRAQ
MLIST
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
SECUNIA
Avaya -- Communication Manager
Unspecified maintenance web pages in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allow remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors (aka "shell command injection").
unknown
2007-03-16
3.4
CVE-2007-1490
OTHER-REF
SECUNIA
CARE2X -- CARE2X
CARE2X 2.2, and possibly earlier, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-21
2.3
CVE-2007-1574
SECUNIA
Cisco -- Security Device Manager
Cisco -- Call Manager
Cisco -- Network Analysis Module
Cisco -- Unified MeetingPlace
Cisco -- Wireless LAN Solution Engine
Cisco -- MeetingPlace
Cisco -- Unified Videoconferencing Manager
Cisco -- ACS Solution Engine
Cisco -- Unified MeetingPlace Express
Cisco -- Unified Video Advantage
Cisco -- 2006 Wireless LAN Controllers
Cisco -- WAN Manager
Cisco -- VPN Client
Cisco -- Unified Personal Communicator
Cisco -- CiscoWorks
Cisco -- Wireless Control System
Cisco -- IP Communicator
Cisco -- Unified Videoconferencing
Multiple cross-site scripting (XSS) vulnerabilities in (1) PreSearch.html and (2) PreSearch.class in Cisco Secure Access Control Server (ACS), VPN Client, Unified Personal Communicator, MeetingPlace, Unified MeetingPlace, Unified MeetingPlace Express, CallManager, IP Communicator, Unified Video Advantage, Unified Videoconferencing 35xx products, Unified Videoconferencing Manager, WAN Manager, Security Device Manager, Network Analysis Module (NAM), CiscoWorks and related products, Wireless LAN Solution Engine (WLSE), 2006 Wireless LAN Controllers (WLC), and Wireless Control System (WCS) allow remote attackers to inject arbitrary web script or HTML via the text field of the search form.
unknown
2007-03-16
1.1
CVE-2007-1467
BUGTRAQ
BUGTRAQ
CISCO
BID
Cisco -- 7960
Cisco -- 7940
Unspecified vulnerability in the Cisco IP Phone 7940 and 7960 running firmware before POS8-6-0 allows remote attackers to cause a denial of service via the Remote-Party-ID sipURI field in a SIP INVITE request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-20
2.3
CVE-2007-1542
BID
FRSIRT
SECUNIA
Cyber Inside -- WebLog
Sascha Schroeder -- WebLog
CyberTeddy -- WebLog
Directory traversal vulnerability in index.php in Sascha Schroeder (aka CyberTeddy or Cyber-inside) WebLog allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a showarticles action.
unknown
2007-03-16
2.3
CVE-2007-1487
MILW0RM
FRSIRT
SECUNIA
FTPDMIN -- FTPDMIN
FTPDMIN 0.96 allows remote attackers to cause a denial of service (daemon crash) via a long LIST command. NOTE: some of these details are obtained from third party information.
unknown
2007-03-21
1.9
CVE-2007-1580
MILW0RM
BID
XF
Fujitsu -- Interstage Apworks
Fujitsu -- Interstage Application Server
Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes.
unknown
2007-03-19
1.9
CVE-2007-1504
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Fujitsu -- Systemwalker Desktop Encryption
Fujitsu -- FENCE-Pro
Fujitsu FENCE-Pro before V5L01, and Systemwalker Desktop Encryption V12.0L10, V12.0L10A, V12.0L10B, V12.0L20 and V13.0.0 allow local users to obtain sensitive information by extracting the decoding password from certain "self-decoding" file types.
unknown
2007-03-19
1.6
CVE-2007-1505
OTHER-REF
OTHER-REF
OTHER-REF
BID
SECUNIA
SECUNIA
Geblog -- Geblog
Directory traversal vulnerability in index.php in GeBlog 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[tplname] parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.
unknown
2007-03-21
2.3
CVE-2007-1577
MILW0RM
BID
XF
Gentoo -- Linux
The Linux Security Auditing Tool (LSAT) allows local users to overwrite arbitrary files via a symlink attack on temporary files, as demonstrated using /tmp/lsat1.lsat.
unknown
2007-03-19
2.9
CVE-2007-1500
OTHER-REF
GENTOO
SECUNIA
Glue Software -- NewsGlue
Cross-site scripting (XSS) vulnerability in the RSS reader in Glue Software NewsGlue before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via a feed.
unknown
2007-03-22
1.9
CVE-2007-1610
OTHER-REF
OTHER-REF
Grandstream -- BudgeTone 200
The Grandstream BudgeTone 200 IP phone, with program 1.1.1.14 and bootloader 1.1.1.5, allows remote attackers to cause a denial of service (device crash) via SIP (1) INVITE, (2) CANCEL, or unspecified other messages with a WWW-Authenticate header containing a crafted Digest domain.
unknown
2007-03-21
2.3
CVE-2007-1590
FULLDISC
FRSIRT
SECUNIA
Guestbara -- Guestbara
admin/configuration.php in Guestbara 1.2 and earlier allows remote attackers to modify the e-mail, name, and password of the admin account by setting the zapis parameter to "ok" and providing modified admin_mail, login, and pass parameters.
unknown
2007-03-20
2.3
CVE-2007-1553
MILW0RM
Holtstraeter -- ROT 13
Directory traversal vulnerability in enkrypt.php in Sascha Schroeder krypt (aka Holtstraeter Rot 13) allows remote attackers to read arbitrary files via a .. (dot dot) in the datei parameter.
unknown
2007-03-20
1.9
CVE-2007-1509
BUGTRAQ
BID
Horde -- IMP
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.
unknown
2007-03-20
1.9
CVE-2007-1515
BUGTRAQ
FULLDISC
MLIST
BID
SECUNIA
IBM -- Websphere Application Server
SimpleFileServlet in IBM WebSphere Application Server 5.0.1 through 5.0.2.7 on Linux and UNIX does not block certain invalid URIs and does not issue a security challenge, which allows remote attackers to read secure files and obtain sensitive information via certain requests.
unknown
2007-03-20
1.9
CVE-2006-7164
AIXAPAR
IBM -- WebSphere Application Server
IBM WebSphere Application Server (WAS) 5.0 through 5.1.1.0 allows remote attackers to obtain JSP source code and other sensitive information via certain "special URIs."
unknown
2007-03-20
1.9
CVE-2006-7165
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
IBM -- WebSphere Application Server
IBM WebSphere Application Server (WAS) 5.1.1.9 and earlier allows remote attackers to obtain JSP source code and other sensitive information via "a specific JSP URL."
unknown
2007-03-20
2.3
CVE-2006-7166
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
JBMC Software -- DirectAdmin
Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983.
unknown
2007-03-20
1.9
CVE-2007-1508
BUGTRAQ
BID
Jelsoft -- vBulletin
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-21
3.4
CVE-2007-1573
SECUNIA
KDE -- Konqueror
Konqueror 3.5.5 allows remote attackers to cause a denial of service (crash) by using JavaScript to read a child iframe having an ftp:// URI.
unknown
2007-03-21
3.3
CVE-2007-1565
OTHER-REF
Koan Software -- Mega Mall
product_review.php in Koan Software Mega Mall allows remote attackers to obtain the installation path via a request with an empty value of the x[] parameter.
unknown
2007-03-20
2.3
CVE-2006-7171
BUGTRAQ
XF
LedgerSMB -- LedgerSMB
SQL-Ledger -- SQL-Ledger
Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 and earlier, and LedgerSMB before 1.2.0 allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence and trailing NULL (%00) in the login parameter. NOTE: this issue was reportedly addressed in SQL-Ledger 2.6.27; however, third-party researchers claim that the file is still executed even though an error is generated.
unknown
2007-03-20
1.9
CVE-2007-1540
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
SECUNIA
Linksys -- WAG200G
The Linksys WAG200G with firmware 1.01.01 allows remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916.
unknown
2007-03-21
2.3
CVE-2007-1585
BUGTRAQ
BID
Linux -- Kernel
nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference.
unknown
2007-03-16
3.3
CVE-2007-1496
OTHER-REF
BID
SECUNIA
Linux -- Kernel
net/ipv6/tcp_ipv6.c in Linux kernel 2.4 and 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.
unknown
2007-03-22
2.3
CVE-2007-1592
MLIST
Microsoft -- Windows XP
winmm.dll in Microsoft Windows XP allows user-assisted remote attackers to cause a denial of service (infinite loop) via a large cch argument value to the mmioRead function, as demonstrated by a crafted WAV file.
unknown
2007-03-16
2.7
CVE-2007-1492
VULNWATCH
BID
Microsoft -- Internet Explorer
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 7.0 on Windows XP and Vista allows remote attackers to conduct phishing attacks via a res: URI to navcancl.htm page with an arbitrary URL as an argument, which displays the URL in the location bar of the "Navigation Canceled" page and injects the script into the "Refresh the page" link.
unknown
2007-03-17
1.9
CVE-2007-1499
BUGTRAQ
OTHER-REF
OTHER-REF
Microsoft -- Windows Vista
The LLTD Mapper in Microsoft Windows Vista does not verify that an IP address in a TLV type 0x07 field in a HELLO packet corresponds to a valid IP address for the local network, which allows remote attackers to trick users into communicating with an external host by sending a HELLO packet with the MW characteristic and a spoofed TLV type 0x07 field, aka the "Spoof and Management URL IP Redirect" attack.
unknown
2007-03-20
2.3
CVE-2007-1527
BUGTRAQ
OTHER-REF
Microsoft -- Windows Vista
The LLTD Mapper in Microsoft Windows Vista allows remote attackers to spoof hosts, and nonexistent bridge relationships, into the network topology map by using a MAC address that differs from the MAC address provided in the Real Source field of the LLTD BASE header of a HELLO packet, aka the "Spoof on Bridge" attack.
unknown
2007-03-20
2.3
CVE-2007-1528
BUGTRAQ
OTHER-REF
Microsoft -- Windows Vista
The LLTD Responder in Microsoft Windows Vista does not send the Mapper a response to a DISCOVERY packet if another host has sent a spoofed response first, which allows remote attackers to spoof arbitrary hosts via a network-based race condition, aka the "Total Spoof" attack.
unknown
2007-03-20
1.9
CVE-2007-1529
BUGTRAQ
OTHER-REF
Microsoft -- Windows Vista
The LLTD Mapper in Microsoft Windows Vista does not properly gather responses to EMIT packets, which allows remote attackers to cause a denial of service (mapping failure) by omitting an ACK response, which triggers an XML syntax error.
unknown
2007-03-20
2.3
CVE-2007-1530
BUGTRAQ
OTHER-REF
Microsoft -- Windows Vista
Microsoft Windows Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of network access) by sending a gratuitous ARP for the address of the Vista host.
unknown
2007-03-20
2.3
CVE-2007-1531
BUGTRAQ
OTHER-REF
Microsoft -- Windows Vista
The Teredo implementation in Microsoft Windows Vista uses the same nonce for communication with different UDP ports within a solicitation session, which makes it easier for remote attackers to spoof the nonce through brute force attacks.
unknown
2007-03-20
2.3
CVE-2007-1533
BUGTRAQ
OTHER-REF
Microsoft -- Windows 2003
Microsoft -- Windows XP
\Device\NdisTapi (NDISTAPI.sys) in Microsoft Windows XP SP2 and 2003 SP2 uses weak permissions, which allows local users to write to the device and cause a denial of service, as demonstrated by using an IRQL to acquire a spinlock on paged memory via the NdisTapiDispatch function.
unknown
2007-03-20
3.3
CVE-2007-1537
BUGTRAQ
OTHER-REF
BID
Oracle -- Application Server Portal 10g
Cross-site scripting (XSS) vulnerability in PORTAL.wwv_main.render_warning_screen in the Oracle Portal 10g allows remote attackers to inject arbitrary web script or HTML via the (1) p_oldurl and (2) p_newurl parameters.
unknown
2007-03-19
1.9
CVE-2007-1506
BUGTRAQ
BID
Oracle -- Oracle Application Server
Cross-site scripting (XSS) vulnerability in servlet/Spy in Dynamic Monitoring Services (DMS) in Oracle Application Server (OAS) 10g 10.1.2.0.0 allows remote attackers to inject arbitrary web script or HTML via the table parameter. NOTE: This may be related to CVE-2002-0563.
unknown
2007-03-22
1.9
CVE-2007-1609
BUGTRAQ
PHP-Nuke -- PHP-Nuke
Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke 8.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search operation in the Downloads module, a different product than CVE-2006-3948.
unknown
2007-03-20
1.9
CVE-2007-1519
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
PHP-Nuke -- PHP-Nuke
The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.
unknown
2007-03-20
1.9
CVE-2007-1520
BUGTRAQ
BUGTRAQ
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
PHProjekt -- PHProjekt
Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Search (only Gecko engine driven Browsers), and (5) Notes modules; the (6) Mail summary page; and unspecified other files.
unknown
2007-03-21
1.9
CVE-2007-1576
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
PHPX -- PHPX
Multiple cross-site scripting (XSS) vulnerabilities in phpx 3.5.15 allow remote attackers to inject arbitrary web script or HTML via (1) the signature in "dans profile," or (2) search.php.
unknown
2007-03-20
1.9
CVE-2007-1551
BUGTRAQ
BID
PragmaMX -- Landkarten
Directory traversal vulnerability in inc/map.func.php in pragmaMX Landkarten 2.1 module allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the module_name parameter, as demonstrated via a static PHP code injection attack in an Apache log file.
unknown
2007-03-20
1.9
CVE-2007-1539
MILW0RM
SECUNIA
Radscan -- Network Audio System
Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value.
unknown
2007-03-20
2.3
CVE-2007-1544
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Radscan -- Network Audio System
The AddResource function in server/dia/resource.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID.
unknown
2007-03-20
2.3
CVE-2007-1545
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Radscan -- Network Audio System
Array index error in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c.
unknown
2007-03-20
2.3
CVE-2007-1546
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Radscan -- Network Audio System
The ReadRequestFromClient function in server/os/io.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference.
unknown
2007-03-20
3.3
CVE-2007-1547
OTHER-REF
BID
FRSIRT
SECUNIA
XF
SourceNext -- IKANARI JIJYOU
Cross-site scripting (XSS) vulnerability in the RSS reader in a certain SOURCENEXT product, probably IKANARI JIJYOU 1.0.0 and 1.0.1, allows remote attackers to inject arbitrary web script or HTML via the title of an article in a feed.
unknown
2007-03-22
1.9
CVE-2007-1611
OTHER-REF
OTHER-REF
Squid -- Squid
The clientProcessRequest() function in squid/src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (system crash) via crafted TRACE requests that trigger an assertion error.
unknown
2007-03-21
3.3
CVE-2007-1560
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Sun -- Java System Web Server
Sun Java System Web Server 6.1 before 20070314 allows remote authenticated users with revoked client certificates to bypass the Certificate Revocation List (CRL) authorization control and access secure web server instances running under an account different from that used for the admin server via unspecified vectors.
unknown
2007-03-20
3.4
CVE-2007-1526
SUNALERT
Symantec -- Norton Personal Firewall
The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 9.1.1.7, and possibly other products using symevent.sys 12.0.0.20, allows local users to cause a denial of service (system crash) via invalid data, as demonstrated by calling DeviceIoControl to send the data, a reintroduction of CVE-2006-4855.
unknown
2007-03-16
2.3
CVE-2007-1495
BUGTRAQ
BID
Trend Micro -- Trend Micro AntiVirus
VsapiNT.sys in the Scan Engine 8.0 for Trend Micro AntiVirus 14.10.1041, and other products, allows remote attackers to cause a denial of service (kernel fault and system crash) via a crafted UPX file with a certain field that triggers a divide-by-zero error.
unknown
2007-03-22
2.3
CVE-2007-1591
IDEFENSE
OTHER-REF
TrueCrypt Foundation -- TrueCrypt
TrueCrypt before 4.3, when set-euid mode is used on Linux, allows local users to cause a denial of service (filesystem unavailability) by dismounting a volume mounted by a different user.
unknown
2007-03-21
1.6
CVE-2007-1589
OTHER-REF
Unclassified NewsBoard -- Unclassified NewsBoard
Unclassified NewsBoard 1.6.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain (1) the board log via a direct request for logs/board-YYYY-MM-DD.log, (2) the mail and private message (PM) log via a direct request for logs/email-YY-MM-DD-HH-MM-SS.log, (3) the SQL error message log via a direct request for logs/error-YY-MM.log, and (4) the IP log via a direct request for logs/ip.log.
unknown
2007-03-22
2.3
CVE-2007-1597
BUGTRAQ
W-Agora -- W-Agora
w-agora 4.2.1 allows remote attackers to obtain sensitive information via the (1) bn[] array parameter to index.php, which expects a string, and (2) certain parameters to delete_forum.php, which displays the path name in the resulting error message.
unknown
2007-03-21
2.3
CVE-2007-0606
BUGTRAQ
OTHER-REF
OSVDB
OSVDB
XF
W-Agora -- W-Agora
W-Agora (Web-Agora) 4.2.1, when register_globals is enabled, stores globals.inc under the web document root with insufficient access control, which allows remote attackers to obtain application path information via a direct request.
unknown
2007-03-20
1.9
CVE-2007-0607
BUGTRAQ
OTHER-REF
OSVDB
W-Agora -- W-Agora
w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1.
unknown
2007-03-22
2.3
CVE-2007-1605
BUGTRAQ
BID
SECUNIA
W-Agora -- W-Agora
Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php.
unknown
2007-03-22
1.9
CVE-2007-1606
BUGTRAQ
BID
SECUNIA
W-Agora -- W-Agora
search.php in w-Agora (Web-Agora) allows remote attackers to obtain potentially sensitive information via a ' (quote) value followed by certain SQL sequences in the (1) search_forum or (2) search_user parameter, which force a SQL error.
unknown
2007-03-22
2.3
CVE-2007-1607
BUGTRAQ
BID
SECUNIA
Weekly Drawing Contest -- Weekly Drawing Contest
** DISPUTED ** Directory traversal vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the order parameter. NOTE: another researcher disputes this vulnerability, noting that the order variable is not used in any context that allows opening files.
unknown
2007-03-22
2.3
CVE-2007-1601
BUGTRAQ
BUGTRAQ
WordPress -- WordPress
wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.
unknown
2007-03-22
1.4
CVE-2007-1599
BUGTRAQ
OTHER-REF
Xen -- Qemu
The VNC server implementation in QEMU allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information.
unknown
2007-03-20
1.9
CVE-2007-0998
REDHAT
BID
SECTRACK
Zomplog -- Zomplog
Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demonstrated by injecting PHP code into an Apache HTTP Server log file, which can then be included via themes/default/.
unknown
2007-03-20
2.3
CVE-2007-1524
MILW0RM
BID
Zope -- Zope
Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in an HTTP GET request.
unknown
2007-03-22
1.9
CVE-2007-0240
OTHER-REF
FRSIRT
ZyXEL -- ZyNOS
ZynOS 3.40 allows remote attackers to cause a denial of service (link restart) by sending a request for the name \M via the SMB Mail Slot Protocol.
unknown
2007-03-21
2.3
CVE-2007-1586
BUGTRAQ
BID
SECTRACK

This product is provided subject to this Notification and this Privacy & Use policy.
