Bulletin (SB07-225)

Vulnerability Summary for the Week of August 6, 2007

Original Release date: Aug 13, 2007 | Last revised: -

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
AceBoard -- AceBoard Forum
SQL injection vulnerability in Recherche.php in Aceboard forum allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
unknown
2007-08-07
7.5
CVE-2007-4209
BUGTRAQ
BID
AL-Athkar -- AL-Athkar
Multiple PHP remote file inclusion vulnerabilities in AL-Athkar 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) include parameter to (a) Main.php and (b) get.php and the (2) exec parameter to (c) count.php.
unknown
2007-08-07
10.0
CVE-2007-4170
BUGTRAQ
AL-Caricatier -- AL-Caricatier
PHP remote file inclusion vulnerability in cat_viewed.php in AL-Caricatier 2.5 allows remote attackers to execute arbitrary PHP code via a URL in the CatName parameter.
unknown
2007-08-07
7.5
CVE-2007-4167
BUGTRAQ
Andreas Robertz -- php news
PHP remote file inclusion vulnerability in admin/inc/change_action.php in Andreas Robertz PHPNews 0.93 allows remote attackers to execute arbitrary PHP code via a URL in the format_menue parameter.
unknown
2007-08-08
7.5
CVE-2007-4232
MILW0RM
BID
XF
Astaro -- Security Gateway
The pop3 Proxy in Astaro Security Gateway (ASG) 7 does not perform virus scanning of attachments that exceed the maximum attachment size, and passes these attachments, which allows remote attackers to bypass this scanning via a large attachment.
unknown
2007-08-08
7.5
CVE-2007-4242
BUGTRAQ
XF
Astaro -- Security_Gateway
Unspecified vulnerability in pfilter-reporter.pl in Astaro Security Gateway (ASG) 7 allows remote attackers to cause a denial of service (CPU consumption) via certain network traffic, as demonstrated by P2P and iTunes applications that download large amounts of data.
unknown
2007-08-08
7.8
CVE-2007-4243
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
XF
auraCMS -- Modul Forum Sederhana
SQL injection vulnerability in komentar.php in the Forum Module for auraCMS (Modul Forum Sederhana) allows remote attackers to execute arbitrary SQL commands via the id parameter to the default URI. NOTE: some of these details are obtained from third party information.
unknown
2007-08-07
7.5
CVE-2007-4171
MILW0RM
SECUNIA
BlueCat Networks -- Adonis
Directory traversal vulnerability in the BlueCat Networks Proteus IPAM appliance 2.0.2.0 (Adonis DNS/DHCP appliance 5.0.2.8) allows remote authenticated administrators, with certain TFTP privileges, to create and overwrite arbitrary files via a .. (dot dot) in a pathname. NOTE: this can be leveraged for administrative access by overwriting /etc/shadow.
unknown
2007-08-08
8.5
CVE-2007-4226
BUGTRAQ
BID
SECTRACK
XF
Cisco -- IOS
Buffer overflow in the Next Hop Resolution Protocol (NHRP) functionality in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (restart) and execute arbitrary code via unknown vectors.
unknown
2007-08-09
9.3
CVE-2007-4286
CISCO
BID
FRSIRT
Cisco -- IOS
Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service via (1) a malformed MGCP packet, which causes a device hang, aka CSCsf08998; a malformed H.323 packet, which causes a device crash, as identified by (2) CSCsi60004 with Proxy Unregistration and (3) CSCsg70474; and a malformed Real-time Transport Protocol (RTP) packet, which causes a device crash, as identified by (4) CSCse68138, related to VOIP RTP Lib, and (5) CSCse05642, related to I/O memory corruption.
unknown
2007-08-09
7.1
CVE-2007-4291
CISCO
BID
SECTRACK
SECUNIA
Cisco -- IOS
Multiple memory leaks in Cisco IOS 12.0 through 12.4 allow remote attackers to cause a denial of service (device crash) via a malformed SIP packet, aka (1) CSCsf11855, (2) CSCeb21064, (3) CSCse40276, (4) CSCse68355, (5) CSCsf30058, (6) CSCsb24007, and (7) CSCsc60249.
unknown
2007-08-09
7.1
CVE-2007-4292
CISCO
BID
SECTRACK
SECUNIA
Cisco -- IOS
Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device crash) via (1) "abnormal" MGCP messages, aka CSCsd81407; and (2) a large facsimile packet, aka CSCej20505.
unknown
2007-08-09
7.1
CVE-2007-4293
CISCO
BID
SECTRACK
SECUNIA
Coppermine -- Coppermine Photo Gallery
PHP remote file inclusion vulnerability in bridge/yabbse.inc.php in Coppermine Photo Gallery (CPG) 1.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the sourcedir parameter.
unknown
2007-08-09
7.5
CVE-2007-4283
BUGTRAQ
Envolution -- Envolution
SQL injection vulnerability in the News module in modules.php in Envolution 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter, a different vector than CVE-2005-4263.
unknown
2007-08-08
7.5
CVE-2007-4253
MILW0RM
EZ photo sales -- EZ photo sales
EZPhotoSales 1.9.3 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download (1) a file containing cleartext passwords via a direct request for OnlineViewing/data/galleries.txt, or (2) a file containing username hashes and password hashes via a direct request for OnlineViewing/configuration/config.dat/. NOTE: vector 2 can be leveraged for administrative access because authentication does not require knowledge of cleartext values, but instead uses the username hash in the ConfigLogin parameter and the password hash in the ConfigPassword parameter.
unknown
2007-08-08
10.0
CVE-2007-4261
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
EZ photo sales -- EZ photo sales
Unrestricted file upload vulnerability in EZPhotoSales 1.9.3 and earlier allows remote authenticated administrators to upload and execute arbitrary PHP code under OnlineViewing/galleries/.
unknown
2007-08-08
8.5
CVE-2007-4262
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
FishCart -- FishCart
PHP remote file inclusion vulnerability in fc_functions/fc_example.php in FishCart 3.2 RC2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the docroot parameter.
unknown
2007-08-09
7.5
CVE-2007-4287
MILW0RM
VIM
FrontAccounting -- FrontAccounting
PHP remote file inclusion vulnerability in config.php in FrontAccounting 1.12 Build 31 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter.
unknown
2007-08-09
7.5
CVE-2007-4279
MILW0RM
BID
SECUNIA
Help Center Live -- Help Center Live
The check_logout function in class/auth.php in Help Center Live (hcl) 2.1.3a sends a redirect to the web browser but does not exit when administrative credentials are missing, which allows remote attackers to delete administrative users and have other unspecified impact via certain requests to (1) admin/departments.php, (2) admin/operators.php, and other unspecified scripts. NOTE: some of these details are obtained from third party information.
unknown
2007-08-08
8.3
CVE-2007-4240
BID
SECUNIA
XF
HP -- Shared Trace Service
HP -- OpenView Operations
Multiple stack-based buffer overflows in the Shared Trace Service (OVTrace) service for HP OpenView Operations A.07.50 for Windows, and possibly earlier versions, allow remote attackers to execute arbitrary code via certain crafted requests.
unknown
2007-08-09
9.3
CVE-2007-3872
IDEFENSE
HP
HP
HP -- HP-UX
Buffer overflow in ldcconn in Hewlett-Packard (HP) Controller for Cisco Local Director on HP-UX 11.11i allows remote attackers to execute arbitrary code via a long string to TCP port 17781.
unknown
2007-08-08
10.0
CVE-2007-4241
IDEFENSE
BID
Hunkaray Okul -- Portali
SQL injection vulnerability in duyuruoku.asp in Hunkaray Okul Portali 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-3080.
unknown
2007-08-07
7.5
CVE-2007-4173
BUGTRAQ
OTHER-REF
BID
SECUNIA
Index Script -- Index Script
Multiple SQL injection vulnerabilities in IndexScript 2.7 and 2.8 before 20070726 allow remote attackers to execute arbitrary SQL commands via the (1) cat_id, (2) start_id, (3) row[parent_id], and (4) row[cat_id] parameters to unspecified components, related to use of these parameters within include/utils.php. NOTE: the show_cat.php cat_id vector is already covered by CVE-2007-4069.
unknown
2007-08-03
7.5
CVE-2007-4163
OTHER-REF
Jem's Scripts -- BellaBiblio
** DISPUTED ** BellaBiblio allows remote attackers to gain administrative privileges via a bellabiblio cookie with the value "administrator." NOTE: this issue is disputed by CVE and multiple third parties because the cookie value must be an MD5 hash.
unknown
2007-08-08
7.5
CVE-2007-4230
BUGTRAQ
VIM
VIM
VIM
BID
Joomla -- Joomla
SQL injection vulnerability in administrator/popups/pollwindow.php in Joomla! 1.0.12 allows remote attackers to execute arbitrary SQL commands via the pollid parameter.
unknown
2007-08-07
7.5
CVE-2007-4184
BUGTRAQ
Joomla -- Tour de France Pool
PHP remote file inclusion vulnerability in admin.tour_toto.php in the Tour de France Pool (com_tour_toto) 1.0.1 module for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
unknown
2007-08-07
7.5
CVE-2007-4186
BUGTRAQ
OTHER-REF
BID
Joomla -- Joomla
Multiple eval injection vulnerabilities in the com_search component in Joomla! 1.5 beta before RC1 (aka Mapya) allow remote attackers to execute arbitrary PHP code via PHP sequences in the searchword parameter, related to default_results.php in (1) components/com_search/views/search/tmpl/ and (2) templates/beez/html/com_search/search/.
unknown
2007-08-07
7.5
CVE-2007-4187
BUGTRAQ
OTHER-REF
Joomla -- Joomla
Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.
unknown
2007-08-07
9.3
CVE-2007-4188
OTHER-REF
FRSIRT
SECUNIA
Joomla -- J_Reactions
PHP remote file inclusion vulnerability in langset.php in the J! Reactions (com_jreactions) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the comPath parameter.
unknown
2007-08-08
7.5
CVE-2007-4244
BUGTRAQ
OTHER-REF
BID
Linux-HA -- heartbeat
XHA (Linux-HA) on the BlueCat Networks Adonis DNS/DHCP Appliance 5.0.2.8 allows remote attackers to cause a denial of service (heartbeat control process crash) via a UDP packet to port 694. NOTE: this may be the same as CVE-2006-3121.
unknown
2007-08-07
7.1
CVE-2007-4205
BUGTRAQ
BUGTRAQ
FRSIRT
SECTRACK
SECUNIA
Mambo -- Mambo Open Source
Session fixation vulnerability in Mambo 4.6.2 CMS allows remote attackers to hijack web sessions by setting the Cookie parameter.
unknown
2007-08-07
9.3
CVE-2007-4203
BUGTRAQ
Morgan IDS -- Next Gen Portfolio Manager
SQL injection vulnerability in default.asp in Next Gen Portfolio Manager allows remote attackers to execute arbitrary SQL commands via the (1) Users_Email or (2) Users_Password parameter in an ExecuteTheLogin action.
unknown
2007-08-07
7.5
CVE-2007-4208
BUGTRAQ
BID
PHP -- PHP
Buffer overflow in the mSQL extension in PHP 5.2.3 allows context-dependent attackers to execute arbitrary code via a long first argument to the msql_connect function.
unknown
2007-08-08
7.5
CVE-2007-4255
MILW0RM
PHP Arena -- paBugs
SQL injection vulnerability in main.php in paBugs 2.0 Beta 3 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php.
unknown
2007-08-07
7.5
CVE-2007-4183
MILW0RM
BID
XF
ProZIlla -- ProZilla Pub site
SQL injection vulnerability in directory.php in Prozilla Pub Site Directory allows remote attackers to execute arbitrary SQL commands via the cat parameter.
unknown
2007-08-08
7.5
CVE-2007-4258
MILW0RM
BID
RedLine Software -- LANAI CMS
Multiple SQL injection vulnerabilities in module.php in LANAI (la-nai) CMS 1.2.14 allow remote attackers to execute arbitrary SQL commands via (1) the mid parameter in an faqviewgroup action in the FAQ Modules, (2) the cid parameter in the EZSHOPINGCART Modules, or (3) the gid parameter in a view action in the GALLERY Modules.
unknown
2007-08-07
7.5
CVE-2007-4210
BUGTRAQ
BID
STADTAUS -- Guestbook Script
Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execute arbitrary PHP code via a URL in the script_root parameter to (1) delete.php, (2) edit.php, (3) inc/common.inc.php, or (4) database.php, (5) entries.php, (6) index.php, (7) logout.php, or (8) settings.php in admin/.
unknown
2007-08-09
7.5
CVE-2007-4290
BUGTRAQ
Sun -- Java System Web Server
CRLF injection vulnerability in the redirect feature in Sun Java System Web Server 6.1 and 7.0 before 20070802, when the redirect Server Application Function (SAF) uses the url-prefix parameter and escape is disabled, or an Error directive uses the url-prefix parameter in obj.conf, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks.
unknown
2007-08-07
7.5
CVE-2007-4164
SUNALERT
BID
FRSIRT
SECTRACK
SECUNIA
XF
The Sleuth Kit -- The Sleuth Kit
Use-after-free vulnerability in ext2fs.c in Brian Carrier The Sleuth Kit (TSK) before 2.09 allows user-assisted remote attackers to cause a denial of service (application crash) and prevent examination of certain ext2fs files via a malformed ext2fs image.
unknown
2007-08-07
7.5
CVE-2007-4195
BUGTRAQ
BUGTRAQ
MLIST
OTHER-REF
BID
vgallite -- vgallite
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in vgallite allow remote attackers to execute arbitrary PHP code via a URL in the (1) dirpath parameter to _functions.php or the (2) lang parameter to index.php. NOTE: CVE disputes vector 2 because "lang" is a constant string within an include_once, not a variable. The researcher is also unreliable.
unknown
2007-08-07
7.5
CVE-2007-4169
BUGTRAQ
VietPHP -- VietPHP
Multiple PHP remote file inclusion vulnerabilities in VietPHP allow remote attackers to execute arbitrary PHP code via a URL in (1) the dirpath parameter to (a) _functions.php, or (2) the language parameter to (b) admin/index.php or (c) index.php.
unknown
2007-08-08
9.3
CVE-2007-4235
BUGTRAQ
BID
WikiWebWeaver -- WikiWebWeaver
Unrestricted file upload vulnerability in index.php in WikiWebWeaver 1.1 and earlier allows remote attackers to upload and execute arbitrary PHP code via an upload action specifying a filename with a double extension such as .gif.php, which is accessible from data/documents/.
unknown
2007-08-07
7.5
CVE-2007-4182
BUGTRAQ
BID
XF

Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Advanced Searchbar -- Advanced Searchbar
The isChecked function in Toolbar.DLL in Advanced Searchbar allows remote attackers to cause a denial of service (NULL dereference and browser crash) via unspecified vectors.
unknown
2007-08-08
4.3
CVE-2007-4250
BUGTRAQ
AMG Soft -- Webdirector
Cross-site scripting (XSS) vulnerability in index.php in WebDirector 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the deslocal parameter.
unknown
2007-08-07
5.0
CVE-2007-4178
OTHER-REF
BID
SECUNIA
Apache -- Tomcat
Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error messages.
unknown
2007-08-07
4.3
CVE-2007-3384
BUGTRAQ
OTHER-REF
BID
SECTRACK
Atheros -- wireless adapter drivers
Unspecified vulnerability in Atheros 802.11 a/b/g wireless adapter drivers before 5.3.0.35, and 6.x before 6.0.3.67, on Windows allows remote attackers to cause a denial of service via a crafted 802.11 management frame.
unknown
2007-08-07
5.0
CVE-2007-2927
CERT-VN
BID
FRSIRT
BlueSky -- BlueSkychat
Heap-based buffer overflow in the BlueSkychat (BlueSkyCat) ActiveX control (V2.V2Ctrl.1) in v2.ocx 8.1.2.0 and earlier allows remote attackers to execute arbitrary code via a long string in the second argument to the ConnecttoServer method.
unknown
2007-08-03
4.3
CVE-2007-4145
BUGTRAQ
FULLDISC
OTHER-REF
OTHER-REF
BID
XF
Brian Carrier -- The Sleuth Kit
icat in Brian Carrier The Sleuth Kit (TSK) before 2.09 misinterprets a certain memory location as the holder of a loop iteration count, which allows user-assisted remote attackers to cause a denial of service (long loop) and prevent examination of certain NTFS files via a malformed NTFS image.
unknown
2007-08-07
5.0
CVE-2007-4196
BUGTRAQ
BUGTRAQ
MLIST
OTHER-REF
BID
Brian Carrier -- The Sleuth Kit
icat in Brian Carrier The Sleuth Kit (TSK) before 2.09 omits NULL pointer checks in certain code paths, which allows user-assisted remote attackers to cause a denial of service (NULL dereference and application crash) and prevent examination of certain NTFS files via a malformed NTFS image.
unknown
2007-08-07
4.3
CVE-2007-4197
BUGTRAQ
BUGTRAQ
MLIST
OTHER-REF
BID
Brian Carrier -- The Sleuth Kit
The fs_data_put_str function in ntfs.c in fls in Brian Carrier The Sleuth Kit (TSK) before 2.09 does not validate a certain length value, which allows user-assisted remote attackers to cause a denial of service (application crash) and prevent examination of certain NTFS files via a malformed NTFS image, which triggers a buffer over-read.
unknown
2007-08-07
4.3
CVE-2007-4198
BUGTRAQ
BUGTRAQ
MLIST
OTHER-REF
BID
Brian Carrier -- The Sleuth Kit
Brian Carrier The Sleuth Kit (TSK) before 2.09 allows user-assisted remote attackers to cause a denial of service (application crash) and prevent examination of certain NTFS files via a malformed NTFS image that triggers (1) dereference of a certain integer value by ntfs_dent.c in fls, or (2) dereference of a certain other integer value by ntfs.c in fsstat.
unknown
2007-08-07
4.3
CVE-2007-4199
BUGTRAQ
BUGTRAQ
MLIST
OTHER-REF
BID
Brian Carrier -- The Sleuth Kit
ntfs.c in fsstat in Brian Carrier The Sleuth Kit (TSK) before 2.09 interprets a certain variable as a byte count rather than a count of 32-bit integers, which allows user-assisted remote attackers to cause a denial of service (application crash) and prevent examination of certain NTFS files via a malformed NTFS image.
unknown
2007-08-07
4.3
CVE-2007-4200
BUGTRAQ
BUGTRAQ
MLIST
OTHER-REF
BID
C-SAM -- OneWallet
Cross-site scripting (XSS) vulnerability in user/forgotPassStep2.jsp in the admin interface in C-SAM oneWallet 210_07062007;1.0 allows remote attackers to inject arbitrary web script or HTML via the loginID parameter.
unknown
2007-08-08
4.3
CVE-2007-4239
BUGTRAQ
BID
Camera Life -- Camera Life
Multiple unspecified vulnerabilities in Camera Life before 2.6 allow attackers to cause a denial of service via unknown vectors.
unknown
2007-08-08
4.3
CVE-2007-4233
OTHER-REF
OTHER-REF
BID
Camera Life -- Camera Life
Unspecified vulnerability in Camera Life before 2.6 allows remote attackers to download private photos via unspecified vectors associated with the names of the photos. NOTE: some of these details are obtained from third party information.
unknown
2007-08-08
4.3
CVE-2007-4234
OTHER-REF
OTHER-REF
SECUNIA
Chilkat Software -- ASP String
Absolute path traversal vulnerability in a certain ActiveX control in CkString.dll 1.1 and earlier in CHILKAT ASP String allows remote attackers to create or overwrite arbitrary files via a full pathname in the first argument to the SaveToFile method, a different vulnerability than CVE-2007-3633.
unknown
2007-08-08
5.8
CVE-2007-4252
MILW0RM
Cisco -- IOS
Unspecified vulnerability in the server side of the Secure Copy (SCP) implementation in Cisco 12.2-based IOS allows remote authenticated users to read, write or overwrite any file on the device's filesystem via unknown vectors.
unknown
2007-08-08
6.0
CVE-2007-4263
CISCO
BID
XF
Cisco -- MeetingPlace Web Conferencing
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified MeetingPlace Web Conferencing (MP) 5.3.235.0 and earlier allow remote attackers to inject arbitrary HTML and web script via the (1) Success Template (STPL) and (2) Failure Template (FTPL) parameters, which are not properly handled in an error message.
unknown
2007-08-09
4.3
CVE-2007-4284
BUGTRAQ
BUGTRAQ
FULLDISC
CISCO
BID
FRSIRT
XF
Cisco -- IOS
Unspecified vulnerability in Cisco IOS and Cisco IOS XR 12.x up to 12.3, including some versions before 12.3(15) and 12.3(14)T, allows remote attackers to obtain sensitive information or cause a denial of service (router or component crash) via crafted IPv6 packets with a Type 0 routing header.
unknown
2007-08-09
5.8
CVE-2007-4285
CISCO
FRSIRT
Cisco -- Unified Communications Manager
Unspecified vulnerability in Cisco Unified Communications Manager (CUCM) 5.0, 5.1, and 6.0, and IOS 12.0 through 12.4, allows remote attackers to execute arbitrary code via a malformed SIP packet, aka CSCsi80102.
unknown
2007-08-09
6.8
CVE-2007-4294
CISCO
BID
SECTRACK
SECUNIA
Cisco -- IOS
Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows remote attackers to execute arbitrary code via a malformed SIP packet, aka CSCsi80749.
unknown
2007-08-09
6.8
CVE-2007-4295
CISCO
BID
SECTRACK
SECUNIA
DiMeMa -- CONTENTdm
Cross-site scripting (XSS) vulnerability in Search.php in DiMeMa CONTENTdm (CDM) allows remote attackers to inject arbitrary web script or HTML via a search.
unknown
2007-08-08
4.3
CVE-2007-4245
BUGTRAQ
BID
Dovecot -- Dovecot
The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.
unknown
2007-08-07
6.0
CVE-2007-4211
MLIST
BID
SECUNIA
XF
EQdkp -- EQdkp plus
Multiple unspecified vulnerabilities in EQDKP Plus before 0.4.4.5 have unknown impact and attack vectors.
unknown
2007-08-07
6.8
CVE-2007-4176
OTHER-REF
SECUNIA
ExportNation -- ExportNation Toolbar
The isChecked function in Toolbar.DLL in the ExportNation toolbar for Internet Explorer allows remote attackers to cause a denial of service (NULL dereference and browser crash) via unspecified vectors.
unknown
2007-08-08
4.3
CVE-2007-4249
BUGTRAQ
XF
EZ photo sales -- EZ photo sales
EZPhotoSales 1.9.3 and earlier allows remote attackers to download arbitrary image files via (1) a direct request for a URL under OnlineViewing/galleries/ or (2) navigation of the gallery user interface with JavaScript disabled.
unknown
2007-08-08
5.0
CVE-2007-4259
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
EZ photo sales -- EZ photo sales
EZPhotoSales 1.9.3 and earlier has a default "admin" account for galleries, which allows remote attackers to access arbitrary galleries by specifying this username.
unknown
2007-08-08
5.0
CVE-2007-4260
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
Guidance Software -- EnCase
Guidance Software EnCase 5.0 allows user-assisted remote attackers to cause a denial of service (stack memory consumption) and possibly have other unspecified impact via a malformed file, related to "EnCase's file system parsing." NOTE: this information is based upon a vague pre-advisory. It might overlap CVE-2007-4036.
unknown
2007-08-07
4.3
CVE-2007-4194
BUGTRAQ
Guidance Software -- EnCase
Guidance Software EnCase 6.2 and 6.5 does not properly handle a volume with more than 25 partitions, which might allow remote attackers to prevent examination of certain data, a related issue to CVE-2007-4035.
unknown
2007-08-07
5.0
CVE-2007-4201
BUGTRAQ
BUGTRAQ
OTHER-REF
Guidance Software -- EnCase
Guidance Software EnCase Enterprise Edition (EEE) 6 does not properly verify the identity of the acquisition target during communication with the EnCase Servlet (EEE servlet), which might allow remote attackers to spoof the disk image.
unknown
2007-08-07
4.3
CVE-2007-4202
BUGTRAQ
BUGTRAQ
OTHER-REF
IBM -- AIX
Buffer overflow in lpd in bos.rte.printers in AIX 5.2 and 5.3 allows local users with printq group privileges to gain root privileges.
unknown
2007-08-08
6.9
CVE-2007-4236
AIXAPAR
AIXAPAR
FRSIRT
SECTRACK
IBM -- AIX
Buffer overflow in the atm subset in arp in devices.common.IBM.atm.rte in AIX 5.2 and 5.3 allows local users to gain root privileges.
unknown
2007-08-08
6.9
CVE-2007-4237
AIXAPAR
AIXAPAR
FRSIRT
SECTRACK
IBM -- AIX
AIX 5.2 and 5.3 install pioinit with user and group ownership of bin, which allows local users with bin or possibly printq privileges to gain root privileges by modifying pioinit.
unknown
2007-08-08
6.9
CVE-2007-4238
AIXAPAR
AIXAPAR
FRSIRT
SECTRACK
IDE Group -- DVD Rental System DRS
Multiple cross-site scripting (XSS) vulnerabilities in IDE Group DVD Rental System (DRS) 5.1 before 20070801 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: it is not clear whether IDE Group updates all DRS installations in its role as an application service provider. If so, then this issue should not be included in CVE.
unknown
2007-08-07
4.3
CVE-2007-4192
FULLDISC
BID
IDE Group -- DVD Rental System DRS
Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in IDE Group DVD Rental System (DRS) 5.1 before 20070801 allow remote attackers to perform certain actions as arbitrary users, as demonstrated by (1) modifying data or (2) canceling a subscription. NOTE: it is not clear whether IDE Group updates all DRS installations in its role as an application service provider. If so, then this issue should not be included in CVE.
unknown
2007-08-07
4.3
CVE-2007-4193
FULLDISC
iDevspot -- PHPHostBot
PHP remote file inclusion vulnerability in order/login.php in IDevSpot PhpHostBot 1.06 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the svr_rootscript parameter, a different vector than CVE-2007-4094 and CVE-2006-3776.
unknown
2007-08-08
6.8
CVE-2007-4231
MILW0RM
BID
XF
Interact -- Interact
Multiple cross-site scripting (XSS) vulnerabilities in Interact before 2.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2007-3328.
unknown
2007-08-07
4.3
CVE-2007-4177
OTHER-REF
OTHER-REF
SECUNIA
Joomla -- Joomla
Joomla! 1.0.12 allows remote attackers to obtain sensitive information via a direct request for (1) Stat.php (2) OutputFilter.php, (3) OutputCache.php, (4) Modifier.php, (5) Reader.php, and (6) TemplateCache.php in includes/patTemplate/patTemplate/; (7) includes/Cache/Lite/Output.php; and other unspecified components, which reveal the path in various error messages.
unknown
2007-08-07
5.0
CVE-2007-4185
BUGTRAQ
Joomla -- Joomla
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in the (1) com_search, (2) com_content, and (3) mod_login components. NOTE: some of these details are obtained from third party information.
unknown
2007-08-07
4.3
CVE-2007-4189
OTHER-REF
FRSIRT
SECUNIA
Joomla -- Joomla
CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and probably conduct HTTP response splitting attacks via CRLF sequences in the url parameter. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. NOTE: some of these details are obtained from third party information.
unknown
2007-08-07
4.3
CVE-2007-4190
OTHER-REF
FRSIRT
SECUNIA
Justsystem -- Ichitaro
Unspecified vulnerability, possibly a buffer overflow, in Justsystem Ichitaro 2007 and earlier allows remote attackers to execute arbitrary code via a modified document, as actively exploited in August 2007 by malware such as Tarodrop.D (Tarodrop.Q), a different vulnerability than CVE-2006-4326, CVE-2006-5424, CVE-2006-6400, and CVE-2007-1938.
unknown
2007-08-08
6.8
CVE-2007-4246
OTHER-REF
OTHER-REF
OTHER-REF
BID
SECUNIA
Kai Blankenhorn Bitfolge -- Simple and Nice Index File
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) 1.5.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) path and (2) download parameters.
unknown
2007-08-09
4.3
CVE-2007-4264
OTHER-REF
BID
XF
Kaspersky Lab -- Kaspersky Anti-Spam
Kaspersky Anti-Spam 3.0 MP1 before Critical Fix 2 (3.0.278.4) sets incorrect permissions for application files in certain upgrade scenarios, which might allow local users to gain privileges.
unknown
2007-08-07
4.4
CVE-2007-4206
OTHER-REF
BID
SECUNIA
XF
KDE -- Konqueror
KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property.
unknown
2007-08-08
6.8
CVE-2007-4224
FULLDISC
KDE -- Konqueror
Visual truncation vulnerability in KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar via an http URI with a large amount of whitespace in the user/password portion.
unknown
2007-08-08
6.8
CVE-2007-4225
FULLDISC
KDE -- Konqueror
Unspecified vulnerability in KDE Konqueror 3.5.7 and earlier allows remote attackers to cause a denial of service (failed assertion and application crash) via certain malformed HTML, as demonstrated by a document containing TEXTAREA, BUTTON, BR, BDO, PRE, FRAMESET, and A tags. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-08-08
4.3
CVE-2007-4229
OTHER-REF
BID
Kerberos Internet Services -- Gallery In A Box
SQL injection vulnerability in admin_console/index.asp in Gallery In A Box allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password field.
unknown
2007-08-07
6.4
CVE-2007-4207
BUGTRAQ
BID
knowledgetree -- Open Source
Cross-site scripting (XSS) vulnerability in KnowledgeTree Open Source 3.4 and 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the login field on the login page, and other unspecified vectors.
unknown
2007-08-09
4.3
CVE-2007-4281
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
LFS -- Live for speed
Multiple buffer overflows in Live for Speed (LFS) S1 and S2 allow user-assisted remote attackers to execute arbitrary code via (1) a .spr file (single player replay file) containing a long user name or (2) a .ply file containing a long number plate string, different vectors than CVE-2007-4140.
unknown
2007-08-08
6.8
CVE-2007-4257
MILW0RM
MILW0RM
Linux -- Kernel
The Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request.
unknown
2007-08-09
5.8
CVE-2007-3843
OTHER-REF
OTHER-REF
SECUNIA
Microsoft -- Internet Explorer
Microsoft Windows Explorer (explorer.exe) allows user-assisted remote attackers to cause a denial of service via a certain JPG file, as demonstrated by something.jpg. NOTE: this issue might be related to CVE-2007-3958.
unknown
2007-08-08
4.3
CVE-2007-4227
BUGTRAQ
BID
Microsoft -- windows
Windows Calendar on Microsoft Windows Vista allows remote attackers to cause a denial of service (NULL dereference and persistent application crash) via a malformed ICS file.
unknown
2007-08-08
4.3
CVE-2007-4247
BUGTRAQ
BID
Microsoft -- Windows Media Player
Microsoft Windows Media Player 11 (wmplayer.exe) allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted .au file that triggers a divide-by-zero error, as demonstrated by iapetus.au.
unknown
2007-08-09
4.3
CVE-2007-4288
BUGTRAQ
OTHER-REF
BID
Mozilla -- SeaMonkey
Mozilla -- Firefox
Mozilla -- Thunderbird
Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allow remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression.
unknown
2007-08-07
4.3
CVE-2007-3844
OTHER-REF
OTHER-REF
BID
SECTRACK
SECTRACK
SECTRACK
SECUNIA
Mozilla -- SeaMonkey
Mozilla -- Firefox
Mozilla -- Thunderbird
Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching "a file handling program based on the file extension at the end of the URI," a variant of CVE-2007-4041. NOTE: the vendor states that "it is still possible to launch a filetype handler based on extension rather than the registered protocol handler."
unknown
2007-08-07
6.5
CVE-2007-3845
OTHER-REF
OTHER-REF
Open WebMail -- Open WebMail
Multiple cross-site scripting (XSS) vulnerabilities in Open Webmail (OWM) 2.52 20060831 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) searchtype, (2) longpage, and (3) page parameters to (a) openwebmail-main.pl; the (4) prefs_caller, (5) userfirsttime, (6) page, (7) sort, (8) folder, and (9) message_id parameters to (b) openwebmail-prefs.pl; the (10) compose_caller, (11) msgdatetype, (12) keyword, (13) searchtype, (14) folder, (15) page, and (16) sort parameters to (c) openwebmail-send.pl; the (17) folder, (18) page, and (19) sort parameters to (d) openwebmail-folder.pl; the (20) searchtype, (21) page, (22) filesort, (23) singlepage, (24) showhidden, (25) showthumbnail, and (26) message_id parameters to (e) openwebmail-webdisk.pl; the (27) folder parameter to (f) openwebmail-advsearch.pl; and the (28) abookcollapse, (29) abooksearchtype, (30) abooksort, (31) abooklongpage, (32) abookpage, (33) message_id, (34) searchtype, (35) msgdatetype, (36) sort, (37) page, (38) rootxowmuid, and (39) listviewmode parameters to (g) openwebmail-abook.pl, different vectors than CVE-2005-2863, CVE-2006-2190, CVE-2006-3229, and CVE-2006-3233.
unknown
2007-08-07
4.3
CVE-2007-4172
OTHER-REF
BID
XF
OpenOffice -- OpenOffice
OpenOffice.org (OOo) 2.2 does not properly handle files with multiple extensions, which allows user-assisted remote attackers to cause a denial of service.
unknown
2007-08-08
4.3
CVE-2007-4251
BUGTRAQ
OpenRat -- OpenRat CMS
Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenRat CMS 0.8-beta1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) subaction and (2) action parameters.
unknown
2007-08-07
4.3
CVE-2007-4175
OTHER-REF
BID
OpenSSL Project -- OpenSSL
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
unknown
2007-08-07
4.7
CVE-2007-3108
OTHER-REF
OTHER-REF
OTHER-REF
CERT-VN
BID
FRSIRT
Panda -- Panda AntiVirus
Panda Antivirus 2008 stores service executables under the product's installation directory with weak permissions, which allows local users to obtain LocalSystem privileges by modifying PAVSRV51.EXE or other unspecified files, a related issue to CVE-2006-4657.
unknown
2007-08-07
6.9
CVE-2007-4191
BUGTRAQ
BID
PHP -- PHP-Nuke
Multiple cross-site scripting (XSS) vulnerabilities in the Search Module in PHP-Nuke allow remote attackers to inject arbitrary web script or HTML via a trailing "<" instead of a ">" in (1) the onerror attribute of an IMG element, (2) the onload attribute of an IFRAME element, or (3) redirect users to other sites via the META tag.
unknown
2007-08-07
5.0
CVE-2007-4212
BUGTRAQ
BID
Pluck -- Pluck
** DISPUTED ** Directory traversal vulnerability in data/inc/theme.php in Pluck 4.3, when register_globals is enabled, allows remote attackers to read arbitrary local files via a .. (dot dot) in the file parameter. NOTE: CVE and a reliable third party dispute this vulnerability because the code uses a fixed argument when invoking fputs, which cannot be used to read files.
unknown
2007-08-07
5.0
CVE-2007-4180
BUGTRAQ
OTHER-REF
VIM
Pluck -- Pluck
** DISPUTED ** PHP remote file inclusion vulnerability in data/inc/theme.php in Pluck 4.3, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the dir parameter. NOTE: A reliable third party disputes this vulnerability because the applicable include is within a function that does not receive the dir parameter from an HTTP request.
unknown
2007-08-07
6.8
CVE-2007-4181
BUGTRAQ
OTHER-REF
VIM
Serendipity -- Serendipity
The "Extended properties for entries" (entryproperties) plugin in serendipity_event_entryproperties.php in Serendipity 1.1.3 allows remote authenticated users to bypass password protection and "deliver custom entryproperties settings to the Serendipity Frontend" via a certain request that modifies the password being checked.
unknown
2007-08-09
5.0
CVE-2007-4282
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
SECUNIA
Sun -- Java System Portal Server
Sun Java System Portal Server 7.0 does not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute an arbitrary Java method via a crafted stylesheet, a related issue to CVE-2007-3715.
unknown
2007-08-09
6.8
CVE-2007-4289
BUGTRAQ
OTHER-REF
OTHER-REF
SUNALERT
SECTRACK
SECUNIA
XF
Symantec -- Norton Internet Security
Symantec -- Norton System Works
Symantec -- Norton Antivirus
Multiple unspecified "input validation error" vulnerabilities in multiple ActiveX controls in NavComUI.dll, as used in multiple Norton AntiVirus, Internet Security, and System Works products for 2006, allow remote attackers to execute arbitrary code via (1) the AnomalyList property to AxSysListView32 and (2) Anomaly property to AxSysListView32OAA.
unknown
2007-08-09
6.8
CVE-2007-2955
OTHER-REF
OTHER-REF
Toolbar Gaming -- Toolbar Gaming
The CallCmd function in toolbar_gaming.dll in the Toolbar Gaming toolbar for Internet Explorer allows remote attackers to cause a denial of service (NULL dereference and browser crash) via unspecified vectors.
unknown
2007-08-08
4.3
CVE-2007-4248
BUGTRAQ
Tor -- Tor
Unspecified vulnerability in Tor before 0.1.2.16, when ControlPort is enabled, might allow remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact, related to improper handling of multiple ControlPort authentication attempts.
unknown
2007-08-07
5.8
CVE-2007-4174
MLIST
BID
FRSIRT
SECUNIA
Visionera AB -- VisionProject
Multiple cross-site scripting (XSS) vulnerabilities in VisionProject 3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) projectIssueId parameter in EditProjectIssue.do, the (2) projectId parameter in ProjectSelected.do, the (3) folderId parameter in ProjectDocuments.do and the (4) sortField parameter in ProjectIssues.do.
unknown
2007-08-09
4.3
CVE-2007-4265
OTHER-REF
BID
SECUNIA
XF
WordPress -- WordPress
SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components.
unknown
2007-08-03
6.5
CVE-2007-4154
OTHER-REF
WordPress -- WordPress
Xu Yiyang -- Blue Memories Theme
Cross-site scripting (XSS) vulnerability in index.php in the Blue Memories theme 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757 and CVE-2007-4014. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-08-07
4.3
CVE-2007-4165
SECUNIA
WordPress -- Unamed Theme
WordPress -- Unamed Theme SE
Cross-site scripting (XSS) vulnerability in index.php in the Unnamed theme 1.217, and Special Edition (SE) 1.02, before 20070804 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757, CVE-2007-4014, and CVE-2007-4165. NOTE: some of these details are obtained from third party information.
unknown
2007-08-07
5.0
CVE-2007-4166
OTHER-REF
SECUNIA
ynp -- Portal Systems
Directory traversal vulnerability in showpage.cgi in YNP Portal System 2.2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter.
unknown
2007-08-08
5.0
CVE-2007-4256
MILW0RM

Low Vulnerabilities
Primary
Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Stack-based buffer overflow in a certain ActiveX control in VDT70.DLL in Microsoft Visual Database Tools Database Designer 7.0 for Microsoft Visual Studio 6 allows remote attackers to execute arbitrary code via a long argument to the NotSafe method. NOTE: this may overlap CVE-2007-2885 or CVE-2005-2127.
unknown
2007-08-08
0.0
CVE-2007-4254
MILW0RM
Asterisk -- s800i
Asterisk -- AsteriskNOW
Asterisk -- Asterisk
Asterisk -- Asterisk Appliance Developer Kit
The Skinny channel driver (chan_skinny) in Asterisk Open Source before 1.4.10, AsteriskNOW before beta7, Appliance Developer Kit before 0.7.0, and Appliance s800i before 1.0.3 allows remote authenticated users to cause a denial of service (application crash) via a CAPABILITIES_RES_MESSAGE packet with a capabilities count larger than the capabilities_res_message array population.
unknown
2007-08-09
3.5
CVE-2007-4280
OTHER-REF
BID
FRSIRT
SECUNIA
GNOME -- Display Manager
The GDM daemon in GNOME Display Manager (GDM) before 2.14.13, 2.16.x before 2.16.7, 2.18.x before 2.18.4, and 2.19.x before 2.19.5 does not properly handle NULL return values from the g_strsplit function, which allows local users to cause a denial of service (persistent daemon crash) via a crafted command to the daemon's socket, related to (1) gdm.c and (2) gdmconfig.c in daemon/, and (3) gdmconfig.c and (4) gdmflexiserver.c in gui/.
unknown
2007-08-07
1.5
CVE-2007-3381
OTHER-REF
SECUNIA
Hitachi -- Groupmax Collaboration Web Client
Hitachi -- Groupmax Collaboration Portal
Hitachi -- uCosminexus Collaboration Portal
Hitachi Groupmax Collaboration - Schedule, as used in Groupmax Collaboration Portal 07-32 through 07-32-/B, uCosminexus Collaboration Portal 06-32 through 06-32-/B, and Groupmax Collaboration Web Client - Mail/Schedule 07-32 through 07-32-/A, can assign schedule data to the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information.
unknown
2007-08-07
3.5
CVE-2007-4204
OTHER-REF
FRSIRT
XF
HP -- Address and Routing Parameter Area(ARPA) transport
Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.11 and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. NOTE: this is probably different from CVE-2007-0916, but this is not certain due to lack of vendor details.
unknown
2007-08-07
1.5
CVE-2007-4179
HP
BID
FRSIRT
SECTRACK
SECUNIA
IBM -- AIX
rmpvc on IBM AIX 4.3 allows local users to cause a denial of service (system crash) via a long port logical name (-l) argument.
unknown
2007-08-08
1.9
CVE-2007-4228
AIXAPAR
FRSIRT
SECUNIA

This product is provided subject to this Notification and this Privacy & Use policy.
