Computer Security


Axigen Mail Server DoS
Published:08.02.2007
Source:
SecurityVulns ID:7197
Type:remote
Threat Level:5/10
Description:Off-by-one overflow in POP3 CRAM-MD5 authentication, NULL pointer dereference in IMAP APPEND command.
Affected:AXIGEN : Axigen 1.2
 AXIGEN : Axigen 2.0
CVE:CVE-2007-0887 (axigen 1.2.6 through 2.0.0b1 does not properly parse login credentials, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a base64-encoded "*\x00" sequence on the imap port (143/tcp).)
 CVE-2007-0886 (Heap-based buffer underflow in axigen 1.2.6 through 2.0.0b1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via certain base64-encoded data on the pop3 port (110/tcp), which triggers an integer overflow.)
Original document:Neil Kettle, [Full-disclosure] Axigen <2.0.0b1 DoS (08.02.2007)
Files:axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
 axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:08.02.2007
Source:
SecurityVulns ID:7198
Type:remote
Threat Level:5/10
Description:PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:ADVANCEDPOLL : Advanced Poll 2.0
 SYSCP : SysCP 1.2
 WEBMATIC : WebMatic 2.6
 LUSHI : LushiNews 1.01
 LUSHI : LushiWarPlaner 1.0
 AGERMENU : AgerMenu 0.01
 OTSCMS : OTSCMS 2.1
 MAIAN : Maian Recipe 1.0
 LIGHTRO : LightRO CMS 1.0
 BTITTRACKER : BtitTracker 1.3
 SITEASSISTANT : Site-Assistant 0990
 MOINMOIN : MoinMoin 1.5
 VBDRUPAL : vbDrupal 4.7
CVE:CVE-2007-0904 (SQL injection vulnerability in projects.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter to index.php.)
 CVE-2007-0902 (Unspecified vulnerability in the "Show debugging information" feature in MoinMoin 1.5.7 allows remote attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0901 (Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0867 (PHP remote file inclusion vulnerability in classes/menu.php in Site-Assistant 0990 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the paths[version] parameter.)
 CVE-2007-0865 (SQL injection vulnerability in comments.php in LushiNews 1.01 and earlier allows remote authenticated users to inject arbitrary SQL commands via the id parameter.)
 CVE-2007-0864 (SQL injection vulnerability in register.php in LushiWarPlaner 1.0 allows remote attackers to inject arbitrary SQL commands via the id parameter.)
 CVE-2007-0857 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action.)
 CVE-2007-0854 (Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents.)
 CVE-2007-0850 (scripts/cronscript.php in SysCP 1.2.15 and earlier includes and executes arbitrary PHP scripts that are referenced by the panel_cronscript table in the SysCP database, which allows attackers with database write privileges to execute arbitrary code by constructing a PHP file and adding its filename to this table.)
 CVE-2007-0849 (scripts/cronscript.php in SysCP 1.2.15 and earlier does not properly quote pathnames in user home directories, which allows local users to gain privileges by placing shell metacharacters in a directory name, and then using the control panel to protect this directory, a different vulnerability than CVE-2005-2568.)
 CVE-2007-0848 (PHP remote file inclusion vulnerability in classes/class_mail.inc.php in Maian Recipe 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter.)
 CVE-2007-0847 (SQL injection vulnerability in mod/PM/reply.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to priv.php.)
 CVE-2007-0846 (Cross-site scripting (XSS) vulnerability in forum.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to inject arbitrary HTML or web script via the name parameter.)
 CVE-2007-0845 (admin/index.php in Advanced Poll 2.0.0 through 2.0.5-dev allows remote attackers to bypass authentication and gain administrator privileges by obtaining a valid session identifier and setting the uid parameter to 1.)
 CVE-2007-0841 (Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have unknown impact and remote attack vectors. NOTE: the vector related to Drupal is covered by CVE-2007-0626. These vulnerabilities might be associated with other CVE identifiers.)
 CVE-2007-0839 (Multiple PHP remote file inclusion vulnerabilities in index/index_album.php in Valarsoft WebMatic 2.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) P_LIB and (2) P_INDEX parameters.)
 CVE-2007-0837 (PHP remote file inclusion vulnerability in examples/inc/top.inc.php in AgerMenu 0.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.)
 CVE-2007-0828 (PHP remote file inclusion vulnerability in affichearticles.php3 in MySQLNewsEngine allows remote attackers to execute arbitrary PHP code via a URL in the newsenginedir parameter.)
 CVE-2007-0824 (PHP remote file inclusion vulnerability in inhalt.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the dateien[news] parameter.)
 CVE-2007-0821 (Multiple directory traversal vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to read arbitrary files via a .. (dot dot) in the chemin parameter to (1) mod_news/index.php or (2) mod_news/goodies.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0820 (Multiple PHP remote file inclusion vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to execute arbitrary PHP code via a URL in the chemin parameter to (1) mod_news/index.php, (2) mod_news/goodies.php, or (3) mod_search/index.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2006-6974 (Headstart Solutions DeskPRO stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) list files in the includes/ directory; obtain the SQL username and password via a direct request for (2) config.php and (3) config.php.bak in includes/; read files in (4) email/, (5) admin/graphs/, (6) includes/javascript/, and (7) certain other includes/ directories via direct requests; and download SQL database data via direct requests for (8) data.sql, (9) install.sql, (10) settings.sql, and possibly other files in install/v2data/.)
 CVE-2006-6973 (Headstart Solutions DeskPRO does not require authentication for certain files and directories associated with administrative activities, which allows remote attackers to (1) reinstall the application via a direct request for install/index.php; (2) delete the database via a do=delete_database QUERY_STRING to a renamed copy of install/index.php; or access the administration system, after guessing a filename, via a direct request for a file in (3) admin/ or (4) tech/.)
 CVE-2006-6972 (SQL injection in torrents.php in BtitTracker 1.3.2 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) by and (2) order parameters. NOTE: it is not clear whether this issue is exploitable.)
Original document:Denven, Maian Recipe 1.0 (path_to_folder) Remote File Include Vulnerability (08.02.2007)
 GregStar, OTSCMS <= 2.1.5 (SQL/XSS) Multiple Remote Vulnerabilities (08.02.2007)
 GolD_M, AgerMenu 0.01 (top.inc.php rootdir) Remote File Include Vulnerability (08.02.2007)
 MadNet, WebMatic 2.6 (index_album.php) Remote File Include Vulnerability (08.02.2007)
 flo_(at)_syscp.org, Ability to inject and execute any code as root in SysCP (08.02.2007)
 gokhankaya_(at)_hotmail.com, XLNC1 Radio Classical Music Nuke Portal Remote File Inc. Vuln. (08.02.2007)
 ali_(at)_hackerz.ir, remote file include in whm (all version) (08.02.2007)
Files:LightRO CMS 1.0 (index.php projectid) Remote SQL Injection Exploit
 LushiNews <= 1.01 (comments.php) Remote SQL Injection Exploit
 LushiWarPlaner 1.0 (register.php) Remote SQL Injection Exploit
 Advanced Poll 2.0.0 >= 2.0.5-dev textfile admin session gen.
 Site-Assistant <= v0990(paths[version])Remote File Include Exploit

3proxy user account locking
Published:08.02.2007
Source:
SecurityVulns ID:7199
Type:remote
Threat Level:4/10
Description:A user's account can be locked via the HTTP proxy if the user's password is stored as an NT hash. A service restart or configuration reload is required to restore the account to a working state. In addition, Basic authentication is offered as the first authentication protocol, which can lead to the weak (cleartext) authentication protocol being chosen even if a stronger one (NTLM) is supported. The vulnerability is fixed in version 0.5.3.
Affected:3PROXY : 3proxy 0.5
CVE:CVE-2006-6982 (3proxy 0.5 to 0.5.2 does not offer NTLM authentication before basic authentication, which might cause browsers with incomplete RFC2616/RFC2617 support to use basic cleartext authentication even if NTLM is available, which makes it easier for attackers to steal credentials.)
 CVE-2006-6981 (3proxy 0.5 to 0.5.2, when NT-encoded passwords are being used, allows remote attackers to cause a denial of service (blocked account) via unspecified vectors related to NTLM authentication, which causes a password hash to be overwritten.)
Files:3proxy 0.5.3g Changelog

WinRAR / unrar buffer overflow
Published:08.02.2007
Source:
SecurityVulns ID:7201
Type:local
Threat Level:3/10
Description:Buffer overflow when parsing password-protected archives.
Affected:RARLABS : unrar 3.60
 RARLABS : unrar 3.61
CVE:CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR and possibly other products, allows user-assisted remote attackers to execute arbitrary code via a crafted, password-protected archive.)
Original document:IDEFENSE, iDefense Security Advisory 02.07.07: RARLabs Unrar Password Prompt Buffer Overflow Vulnerability (08.02.2007)

pam_ssh allow_blank_passphrase protection bypass
Published:08.02.2007
Source:
SecurityVulns ID:7204
Type:library
Threat Level:5/10
Description:The allow_blank_passphrase option was defeatable by entering a random but non-blank passphrase.
Affected:PAMSSH : pam_ssh 1.91
CVE:CVE-2007-0844 (The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.)

Trend Micro Antivirus multiple security vulnerabilities
updated since 08.02.2007
Published:11.02.2007
Source:
SecurityVulns ID:7200
Type:remote
Threat Level:5/10
Description:Buffer overflow when parsing UPX-packed executables. Privilege escalation through the \\.\TmComm DOS device.
Affected:TM : PC-Cillin Internet Security 2007
 TM : Trend Micro ServerProtect for Linux 2.5
 TM : Trend Micro AntiVirus 2007
 TM : Trend Micro Anti-Spyware for SMB 3.2
 TM : Trend Micro Anti-Spyware for Enterprise 3.0
 TM : Trend Micro Anti-Spyware for Consumer 3.5
CVE:CVE-2007-0856 (TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module (RCM), with the VsapiNI.sys 3.320.0.1003 scan engine, as used in Trend Micro PC-cillin Internet Security 2007, Antivirus 2007, Anti-Spyware for SMB 3.2 SP1, Anti-Spyware for Consumer 3.5, Anti-Spyware for Enterprise 3.0 SP2, Client / Server / Messaging Security for SMB 3.5, Damage Cleanup Services 3.2, and possibly other products, assigns Everyone write permission for the \\.\TmComm DOS device interface, which allows local users to access privileged IOCTLs and execute arbitrary code or overwrite arbitrary memory in the kernel context.)
 CVE-2007-0851 (Buffer overflow in the Trend Micro Scan Engine 8.000 and 8.300 before virus pattern file 4.245.00, as used in other products such as Cyber Clean Center (CCC) Cleaner, allows remote attackers to execute arbitrary code via a malformed UPX compressed executable.)
Original document:Reversemode, [Reversemode Advisory] TrendMicro Products - multiple privilege escalation vulnerabilities. (11.02.2007)
 IDEFENSE, iDefense Security Advisory 02.07.07: Trend Micro TmComm Local Privilege Escalation Vulnerability (08.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod