Computer Security


Microsoft Windows files and folders management problems
updated since 07.03.2007
Published: 10.03.2007
SecurityVulns ID: 7357
Type: local
Threat Level: 6/10
Description: By opening a file before it is protected or locked (a "pre-open" attack), a local attacker keeps a handle through which the content of the protected or locked file can still be read: Windows evaluates access rights when the handle is created, not on each read, so tightening the protection afterwards does not affect handles that already exist. It is also possible to create a file that cannot be managed (renamed or deleted) with the usual tools.
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
Original documents: 3APA3A, Pre-open files attack against locked file (10.03.2007)
 3APA3A, Microsoft Windows Vista/2003/XP/2000 file management security issues (07.03.2007)
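The pre-open behaviour, as an added POSIX illustration that is not part of the advisory: both POSIX and Windows evaluate access rights when a handle is created and never re-check an existing handle, so a handle obtained before the protection is applied keeps working. The file name, its content and the use of mode bits in place of a Windows ACL are assumptions of this example.

```c
/* Added example, not from the advisory: a POSIX analogue of the pre-open
 * attack. Both POSIX and Windows evaluate access rights when a handle is
 * created; tightening the file's protection afterwards does not revoke
 * handles that already exist. Build: cc -std=c99 -Wall preopen.c */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct preopen_result {
    int early_handle_reads;  /* 1 if the handle opened before protection still returns the data */
    int fresh_open_denied;   /* 1 if a new open after protection fails (0 when running as root) */
};

struct preopen_result preopen_demo(void) {
    struct preopen_result r = { 0, 0 };
    const char secret[] = "db_password=hunter2\n";   /* constructed content */
    char path[64], buf[64];

    /* Victim creates a private file in /tmp (constructed name, mode 0600). */
    snprintf(path, sizeof path, "/tmp/preopen-%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return r;
    if (write(fd, secret, sizeof secret - 1) < 0) { close(fd); unlink(path); return r; }
    close(fd);

    /* Attacker step: obtain a read handle while the file is still readable. */
    int early = open(path, O_RDONLY);

    /* Victim step: "protect" the file, the analogue of tightening the ACL or
     * taking a lock. Only opens that happen from now on see this. */
    chmod(path, 0);

    /* A fresh open is checked against the new mode... */
    int late = open(path, O_RDONLY);
    r.fresh_open_denied = (late < 0);
    if (late >= 0) close(late);

    /* ...but the pre-opened handle is never re-checked and still reads. */
    if (early >= 0) {
        ssize_t n = read(early, buf, sizeof buf - 1);
        if (n > 0) {
            buf[n] = '\0';
            r.early_handle_reads = (strcmp(buf, secret) == 0);
        }
        close(early);
    }
    unlink(path);
    return r;
}

int main(void) {
    struct preopen_result r = preopen_demo();
    printf("pre-opened handle still reads the file: %s\n", r.early_handle_reads ? "yes" : "no");
    printf("fresh open denied: %s\n", r.fresh_open_denied ? "yes" : "no (root ignores mode bits)");
    return 0;
}
```

The defensive consequence is the same on both platforms: a file that must become unreadable has to be replaced (new inode or new object) rather than re-protected in place, because re-protection only affects future opens.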

Mozilla Firefox integer overflow
Published: 10.03.2007
SecurityVulns ID: 7369
Type: client
Threat Level: 5/10
Description: Integer overflow when handling large GIF image size values, reported as a crash of Firefox 2.0.0.2.
Affected: MOZILLA : Firefox 2.0
Original documents: Valdis.Kletnieks_(at)_vt.edu, Re: [Full-disclosure] firefox 2.0.0.2 crash (10.03.2007)
 Tonu Samuel, [Full-disclosure] firefox 2.0.0.2 crash (10.03.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 10.03.2007
SecurityVulns ID: 7370
Type: remote
Threat Level: 5/10
Description: PHP remote file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks and similar issues. Most of the file inclusions below take a URL in a path-prefix parameter (root_dir, phpbb_root_path, class_path, base_path, include_path, tpl_pgb_moddir, newsfile) that the script includes without validation; the PHP-Nuke issue is a single cookie-controlled parameter (lang) that reaches both a file path and an SQL query.
Affected: SNITZ : Snitz Forums 2000 3.4
 JELSOFT : vBulletin 3.5
 WEBCALENDAR : WebCalendar 1.0
 SQLLEDGER : SQL-Ledger 2.6
 VBULLETIN : vBulletin 3.6
 WORDPRESS : WordPress 2.1
 DRUPAL : Drupal Project issue tracking Module 4.7
 LEDGERSMB : LedgerSMB 1.1
 PHPNUKE : PHP-Nuke 8.0
 HCDESIGN : HC NEWSSYSTEM 1.0
 WORDPRESS : WordPress 2.2
 WWWPAINTBOAR : wwwpaintboar 1.0
 PMBSERVICES : PMB Services 3.0
 GSBLOGGER : Grayscale Blog 0.8
 NETFORO : netForo 0.1
 PHPNUKE : PostGuestbook 0.6 PHP-Nuke module
 EZSTREAM : EZStream 0.2
 ISPUTIL : ISPUtil 3.32
CVE: CVE-2007-1450 (SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter.)
 CVE-2007-1449 (Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.)
 CVE-2007-1437 (Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution.)
 CVE-2007-1436 (Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring.)
 CVE-2007-1434 (SQL injection vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) userdetail.php, id and (2) url parameter to (b) jump.php, and id variable to (c) detail.php.)
 CVE-2007-1433 (Cross-site scripting (XSS) vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment fields to (1) scripts/addblog_comment.php and (2) detail.php.)
 CVE-2007-1432 (Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to gain privileges via direct requests with modified arguments in (1) the user_permissions parameter to add_users.php, and unspecified parameters to (2) addblog.php, (3) editblog.php, (4) editlinks.php, (5) edit_users.php, and (6) add_links.php.)
 CVE-2007-1424 (Multiple PHP remote file inclusion vulnerabilities in Softnews Media Group DataLife Engine allow remote attackers to execute arbitrary PHP code via a URL in the root_dir parameter to (1) init.php and (2) Ajax/editnews.php. NOTE: some of these details are obtained from third party information.)
 CVE-2007-1421 (Multiple PHP remote file inclusion vulnerabilities in Premod SubDog 2 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) functions_kb.php, (2) themen_portal_mitte.php, or (3) logger_engine.php in includes/.)
 CVE-2007-1417 (SQL injection vulnerability in index.php in HC NEWSSYSTEM 1.0-4 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a komm aktion.)
 CVE-2007-1415 (Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php.)
 CVE-2007-1410 (SQL injection vulnerability in kategori.asp in GaziYapBoz Game Portal allows remote attackers to execute arbitrary SQL commands via the kategori parameter.)
 CVE-2007-1409 (WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message.)
 CVE-2007-1392 (Directory traversal vulnerability in down.php in netForo! 0.1g allows remote attackers to read arbitrary files via a .. (dot dot) in the file_to_download parameter.)
 CVE-2007-1374 (Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz Forums 2000 3.4.06 allows remote attackers to inject arbitrary web script or HTML via the MSN parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1372 (PHP remote file inclusion vulnerability in styles/internal/header.php in the PostGuestbook 0.6.1 module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the tpl_pgb_moddir parameter.)
 CVE-2007-1368 (The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a modified node identifier.)
 CVE-2007-1361 (Cross-site scripting (XSS) vulnerability in virtuemart_parser.php in VirtueMart before 20070213 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue is probably different than CVE-2007-0376.)
 CVE-2007-1360 (Unspecified vulnerability in the Nodefamily module for Drupal 5.x before 5.x-1.0 allows remote authenticated users to access and modify other users' profiles via unspecified URL parameters.)
 CVE-2007-1344 (Multiple buffer overflows in src/ezstream.c in Ezstream before 0.3.0 allow remote attackers to execute arbitrary code via a crafted XML configuration file processed by the (1) urlParse function, which causes a stack-based overflow and the (2) ReplaceString function, which causes a heap-based overflow. NOTE: some of these details are obtained from third party information.)
 CVE-2007-1343 (includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.)
 CVE-2007-1341 (include/auth/auth.php in Simple Invoices before 2007 03 05 does not use the login system to protect print preview pages for invoices, which might allow attackers to obtain sensitive information.)
 CVE-2007-1300 (DOURAN Software Technologies ISPUtil 3.32.84.1, and possibly earlier versions, stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user and reseller data via a direct request for scripts/activesessions.ini. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1292 (SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances "almost impossible to achieve.")
Original documents: CyberGhost, GaziYapBoz Game Portal Remote SQL Injection Vulnerability (10.03.2007)
 GolD_M, PostGuestbook 0.6.1 (tpl_pgb_moddir) Remote File Include Exploit (10.03.2007)
 GolD_M, netForo 0.1g (file_to_download) Remote File Disclosure Exploit (10.03.2007)
 omnipresent_(at)_email.it, Security Advisory - Multiple Vulnerabilities in Grayscale Blog 0.8.0 (10.03.2007)
 eufrato_(at)_gmail.com, [ECHO_ADV_68$2007] PMB Services <= 3.0.13 Multiple Remote File Inclusion Vulnerability (10.03.2007)
 RaeD Hasadya, Remote File Include In Script SoftNews Media Group (10.03.2007)
 RaeD Hasadya, Remote File Include In Script Premod SubDog 2 (10.03.2007)
 programmer_(at)_serbiansite.com, PHP-Nuke <= 8.0 Cookie Manipulation (lang) (10.03.2007)
 saw_xyz_(at)_yahoo.com, wwwpaintboar (newsfile) Remote File Inclusion Vulnerability (10.03.2007)
 g30rg3_x, WordPress XSS under function wp_title() (10.03.2007)
 Uniqu3 Cr4ck, HC NEWSSYSTEM 1.0-4 (index.php "ID") Blind SQL Injection (10.03.2007)
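Two checks that close the directory-traversal and lang-parameter issues in this digest, as an added example that is not code from any of the applications listed (the function names are invented; the logic is portable to PHP or any other language): a lexical test that a user-supplied relative path (netForo's file_to_download, or a language name joined to a directory) cannot climb out of its base directory, and an allowlist for a value that ends up both in an include path and in SQL (PHP-Nuke's lang).

```c
/* Added example, not from any of the advisories above: two input checks for
 * the traversal and parameter-injection issues listed here. Function names
 * are invented for the illustration. Build: cc -std=c99 -Wall pathcheck.c */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Returns 1 if `rel` is a relative path that, after resolving "." and "..",
 * never leaves the directory it will be joined to; 0 otherwise. Purely
 * lexical: it does not follow symlinks, so pair it with realpath() on the
 * joined path when the base directory may contain links. Backslash counts
 * as a separator because PHP on Windows accepts it as one. */
int path_stays_under_base(const char *rel) {
    int depth = 0;                                   /* directories entered so far */
    if (rel == NULL || rel[0] == '\0') return 0;
    if (rel[0] == '/' || rel[0] == '\\') return 0;   /* absolute path */
    if (isalpha((unsigned char)rel[0]) && rel[1] == ':') return 0;  /* C:\... */

    const char *p = rel;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return 0;                /* would climb above the base */
            depth--;
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;
        }
        while (*p == '/' || *p == '\\') p++;         /* skip repeated separators */
    }
    return 1;
}

/* Allowlist for a value that reaches both an include path and an SQL query
 * (the PHP-Nuke lang case): 2 to 16 lowercase ASCII letters, nothing else.
 * Anything that cannot be a language name is rejected before either sink. */
int lang_param_ok(const char *lang) {
    size_t n = lang ? strlen(lang) : 0;
    if (n < 2 || n > 16) return 0;
    for (size_t i = 0; i < n; i++)
        if (lang[i] < 'a' || lang[i] > 'z') return 0;
    return 1;
}
```

Two caveats when porting this to PHP: a PHP string may contain a NUL byte, and PHP releases before 5.3.4 truncated file names at the first NUL, so the PHP version of the check must also reject "\0"; and the lexical test says nothing about symlinks inside the base directory, which only a realpath()-style canonicalisation of the joined path can settle.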

Oracle for Windows privilege escalation
Published: 10.03.2007
SecurityVulns ID: 7371
Type: local
Threat Level: 6/10
Description: The Oracle process on Windows creates its shared memory sections and named pipes with a NULL DACL (SetSecurityDescriptorDacl called with pDacl = NULL), which grants every user full access to the object. A local user can therefore tamper with these objects and obtain code execution under the LocalSystem account the Oracle service runs as. Note that a NULL DACL is not an empty DACL: an empty DACL denies everyone, a NULL one allows everyone.
CVE: CVE-2007-1442 (Oracle Database 10g uses a NULL pDacl parameter when calling the SetSecurityDescriptorDacl function to create discretionary access control lists (DACLs), which allows local users to gain privileges.)
Original document: c c, [Argeniss] Practical 10 minutes security audit: Oracle Case (Paper) (10.03.2007)
Files: Oracle Database local elevation of privileges PoC exploit
 Practical 10 minutes security audit: Oracle Case

snort packets reassembly DoS
Published: 10.03.2007
SecurityVulns ID: 7372
Type: remote
Threat Level: 6/10
Description: The frag3 preprocessor mishandles fragment reassembly for certain UDP packets when Snort runs inline on Linux without the ip_conntrack module loaded; the process dies with a segmentation fault, so the sensor stops inspecting (and, inline, forwarding) traffic.
Affected: SNORT : snort 2.6
CVE: CVE-2007-1398 (The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when configured for inline use on Linux without the ip_conntrack module loaded, allows remote attackers to cause a denial of service (segmentation fault and application crash) via certain UDP packets produced by send_morefrag_packet and send_overlap_packet.)
Files: DOS Snort Inline

PHP shmop information leak
Published: 10.03.2007
SecurityVulns ID: 7373
Type: local
Threat Level: 5/10
Description: The shmop_*() functions do not verify that the resource passed to them is a shared-memory resource, so a script can hand them a resource of another type (a GD image in the published exploits) and read or write process memory through it. The published exploits use this for code execution and for reading the web server's SSL RSA private key out of the interpreter's memory.
Affected: PHP : PHP 4.4
 PHP : PHP 5.2
CVE: CVE-2007-1376 (The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.)
Original document: PHP-SECURITY, MOPB-15-2007:PHP shmop Functions Resource Verification Vulnerability (10.03.2007)
Files: PHP ext/shmop Code Execution Exploit
 PHP ext/shmop SSL RSA Private-Key Disclosure Exploit

PHP substr_compare information leak
Published: 10.03.2007
SecurityVulns ID: 7374
Type: remote
Threat Level: 5/10
Description: An integer overflow in the length handling of substr_compare() lets a script pass a large length argument and read memory beyond the end of the string being compared.
Affected: PHP : PHP 5.2
CVE: CVE-2007-1375 (Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991.)
Original document: PHP-SECURITY, MOPB-14-2007:PHP substr_compare() Information Leak Vulnerability (10.03.2007)
Files: Exploits PHP 5 - substr_compare Information Leak Vulnerability
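The two integer-overflow shapes in this digest, the allocation-size overflow behind the Firefox GIF entry above and the length-check overflow behind this substr_compare() entry, as one added example that is not Mozilla's or PHP's code. The function names are invented and the arithmetic is the generic pattern, not the specific expressions in either code base.

```c
/* Added example, not Mozilla's or PHP's code: the two integer-overflow shapes
 * behind the Firefox GIF entry above and the substr_compare() entry here,
 * each beside the check that closes it. Build: cc -std=c99 -Wall intcheck.c */
#include <stddef.h>
#include <stdint.h>

/* (1) Allocation size from image dimensions. A decoder that multiplies
 * width * height * 4 in 32-bit arithmetic wraps for large dimensions,
 * allocates a buffer far too small and then writes every pixel into it. */
uint32_t frame_bytes_wrapping(uint32_t width, uint32_t height) {
    return width * height * 4u;              /* wraps modulo 2^32 */
}

/* Returns width*height*4 if it fits in size_t, 0 if either dimension is 0
 * or the product would wrap. Dividing instead of multiplying means the
 * overflowing product is never formed. */
size_t frame_bytes_checked(uint32_t width, uint32_t height) {
    if (width == 0 || height == 0) return 0;
    if ((size_t)width > SIZE_MAX / 4 / height) return 0;
    return (size_t)width * height * 4;
}

/* (2) Bounds check for reading `len` bytes at `offset` of a `total`-byte
 * string. The classic bug is "offset + len <= total": with a huge len the
 * sum wraps to a negative number, the check passes and the read runs off
 * the end of the string. The wrap is reproduced with unsigned arithmetic
 * because signed overflow is undefined behaviour in C. Returns 1 = allowed. */
int substr_bounds_wrapping(int32_t total, int32_t offset, int32_t len) {
    int32_t sum = (int32_t)((uint32_t)offset + (uint32_t)len);
    return offset >= 0 && len >= 0 && sum <= total;
}

/* Rearranged so that no intermediate value can overflow: offset is bounded
 * by total before the subtraction, so total - offset is always in range. */
int substr_bounds_checked(int32_t total, int32_t offset, int32_t len) {
    if (total < 0 || offset < 0 || len < 0) return 0;
    if (offset > total) return 0;
    return len <= total - offset;
}
```

The rule both halves share: never test a sum or product for range after computing it; compare the operands against the remaining headroom instead, so the overflowing value is never produced.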

PHP zip:// URL buffer overflow
Published: 10.03.2007
SecurityVulns ID: 7375
Type: library
Threat Level: 5/10
Description: Stack-based buffer overflow on an oversized zip:// URL in the wrapper provided by PECL ZIP 1.8.3 and earlier (bundled with PHP 5.2.0 and 5.2.1). The URL need not come from the script's author: an application that fetches a URL supplied by a remote user (avatar upload, blog pingback) can be pointed at a zip:// URL. The same wrapper also performs no safe_mode or open_basedir checks (CVE-2007-1460), so archives outside the intended directories can be read.
Affected: PHP : PHP 5.2
 PECLZIP : PECL ZIP 1.8
CVE: CVE-2007-1460 (The zip:// URL wrapper provided by the PECL zip extension in PHP before 4.4.7, and 5.2.0 and 5.2.1, does not implement safemode or open_basedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories.)
 CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.)
Original document: PHP-SECURITY, MOPB-16-2007:PHP zip:// URL Wrapper Buffer Overflow Vulnerability (10.03.2007)
Files: Exploits PHP zip:// URL Wrapper Stack Buffer Overflow
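Parsing a zip:// URL into a fixed-size stack buffer without an unbounded copy, as an added example that is not PECL zip's code. It assumes the documented zip://archive#entry URL form; the function names and the 256-byte archive buffer are assumptions of the example, and the separate open_basedir check on the parsed archive path is outside its scope.

```c
/* Added example, not PECL zip's code: parsing a zip:// URL of the form
 * zip://archive.zip#path/inside into a fixed-size buffer without the
 * unbounded copy that lets an oversized URL overrun the stack.
 * Build: cc -std=c99 -Wall zipurl.c */
#include <stddef.h>
#include <string.h>

#define ZIP_SCHEME "zip://"

/* Splits url into the archive path (copied into `archive`, at most
 * archive_sz-1 bytes plus NUL) and the in-archive entry (a pointer into url
 * after '#', or "" when absent). Returns 0 on success, -1 if the scheme is
 * wrong, the archive part is empty, or it would not fit: the length is
 * measured and compared before a single byte is copied. */
int parse_zip_url(const char *url, char *archive, size_t archive_sz, const char **entry) {
    size_t prefix = strlen(ZIP_SCHEME);
    if (url == NULL || archive == NULL || entry == NULL || archive_sz == 0) return -1;
    if (strncmp(url, ZIP_SCHEME, prefix) != 0) return -1;

    const char *path = url + prefix;
    const char *hash = strchr(path, '#');
    size_t path_len = hash ? (size_t)(hash - path) : strlen(path);

    if (path_len == 0) return -1;
    if (path_len >= archive_sz) return -1;   /* would not fit, NUL included */

    memcpy(archive, path, path_len);
    archive[path_len] = '\0';
    *entry = hash ? hash + 1 : "";
    return 0;
}

/* Wrapper with a PATH_MAX-style stack buffer, mirroring how a stream
 * wrapper would hold the archive path while opening it. 1 = accepted. */
int zip_url_accepts(const char *url) {
    char archive[256];
    const char *entry;
    return parse_zip_url(url, archive, sizeof archive, &entry) == 0;
}

/* Builds "zip://" + n 'A's + "#e" and reports whether it is accepted, so the
 * length limit can be probed without hand-writing long literals. */
int zip_url_accepts_archive_len(size_t n) {
    char url[1024];
    if (n + 10 > sizeof url) return -1;
    memcpy(url, ZIP_SCHEME, 6);
    memset(url + 6, 'A', n);
    memcpy(url + 6 + n, "#e", 3);
    return zip_url_accepts(url);
}
```

Rejecting an over-long archive part is the whole fix for the overflow; it does nothing for the open_basedir bypass in the same wrapper, which needs the parsed archive path to go through the same directory restriction as a plain file open.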

PHP FDF POST request filtering protection bypass
Published: 10.03.2007
SecurityVulns ID: 7376
Type: remote
Threat Level: 4/10
Description: The FDF extension (ext/fdf) registers its own handler for application/vnd.fdf POST bodies and does not call the ext/filter input hooks, so a POST formatted as FDF bypasses any filtering configured through ext/filter. Filters that must hold should therefore be applied in the application after the request is parsed, whatever its content type, rather than relied on from ext/filter.
Affected: PHP : PHP 5.2
CVE: CVE-2007-1452 (The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted POST.)
Original document: PHP-SECURITY, MOPB-17-2007:PHP ext/filter FDF Post Bypass Vulnerability (10.03.2007)
Files: PHP ext/filter FDF POST Filter Bypass Exploit

PHP SNMP extension snmpget() buffer overflow
Published: 10.03.2007
SecurityVulns ID: 7377
Type: library
Threat Level: 5/10
Description: Buffer overflow on an oversized object identifier passed as the third argument of snmpget(); whoever controls that argument can execute code in the interpreter process.
Affected: PHP : PHP 4.4
CVE: CVE-2007-1413 (Buffer overflow in the snmpget function in the snmp extension in PHP 4.4.6 allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id).)
Files: PHP 4.4.6 snmpget() object id local buffer overflow poc exploit

PHP ClibPDF extension cpdf_open information leak
Published: 10.03.2007
SecurityVulns ID: 7378
Type: library
Threat Level: 5/10
Description: When cpdf_open() receives a long string as its second argument, the diagnostic message it prints includes a fragment of the script's source code.
Affected: PHP : PHP 4.4
CVE: CVE-2007-1412 (The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 allows context-dependent attackers to obtain sensitive information (script source code) via a long string in the second argument.)
Files: PHP 4.4.6 cpdf_open() source code disclosure poc

PHP COM extension safe_mode protection bypass
Published: 10.03.2007
SecurityVulns ID: 7379
Type: local
Threat Level: 5/10
Description: On Windows, a script can instantiate the WScript.Shell COM object and call its Run method to execute arbitrary commands (cmd.exe), bypassing safe_mode's restrictions on command execution. safe_mode was never a process-level boundary; on Windows hosts the COM class should be turned off (for example with disable_classes in php.ini) if untrusted scripts run under the interpreter.
CVE: CVE-2007-1382 (The PHP COM extensions for PHP on Windows systems allow context-dependent attackers to execute arbitrary code via a WScript.Shell COM object, as demonstrated by using the Run method of this object to execute cmd.exe, which bypasses PHP's safe mode.)
Files: PHP COM extensions (inconsistent Win32) safe_mode bypass

Acrobat Reader plugin DoS
Published: 10.03.2007
SecurityVulns ID: 7380
Type: client
Threat Level: 4/10
Description: Opening a .pdf URL whose anchor starts with search= followed by a large number of %n sequences makes the AcroPDF.DLL browser plugin (Reader 8.0 in Firefox, Netscape or Opera) exhaust CPU and memory.
Affected: ADOBE : Acrobat Reader 8.0
CVE: CVE-2007-1377 (AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, Netscape, or Opera, allows remote attackers to cause a denial of service (unspecified resource consumption) via a .pdf URL with an anchor identifier that begins with search= followed by many %n sequences, a different vulnerability than CVE-2006-6027 and CVE-2006-6236.)
Files: Exploits Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption

Avaya Communications Manager cross-site scripting
Published: 10.03.2007
SecurityVulns ID: 7381
Type: remote
Threat Level: 5/10
Description: Cross-site scripting in the Login field of the login page of Communications Manager releases before 3.1.3.
Affected: AVAYA : Avaya Communications Manager 8300
 AVAYA : Avaya Communications Manager 8500
 AVAYA : Avaya Communications Manager 8700
CVE: CVE-2007-1367 (Cross-site scripting (XSS) vulnerability in the login page in Avaya Communications Manager (CM) S87XX, S8500, and S8300 products before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Login field.)

Microsoft Windows OLE files DoS
Published: 10.03.2007
SecurityVulns ID: 7382
Type: local
Threat Level: 4/10
Description: Windows Explorer crashes (memory corruption in Ole32.dll) when it reads the crafted document summary information of an OLE (.DOC) file, for example while previewing the file or showing its properties.
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
CVE: CVE-2007-1347 (Microsoft Windows Explorer on Windows 2000 SP4 FR and XP SP2 FR, and possibly other versions and platforms, allows remote attackers to cause a denial of service (memory corruption and crash) via an Office file with crafted document summary information, which causes an error in Ole32.dll.)

Sun SunFire ipmitool privilege escalation
Published: 10.03.2007
SecurityVulns ID: 7383
Type: local
Threat Level: 5/10
Description: An unspecified vulnerability in ipmitool lets a local user gain privileges and reset or power off the server.
Affected: SUN : Sun Fire X2100M2
 SUN : Sun Fire X2200M2
CVE: CVE-2007-1346 (Unspecified vulnerability in ipmitool for Sun Fire X2100M2 and X2200M2 allows local users to gain privileges and reset or turn off the server.)

Apple Airport IPv6 weak default configuration
Published: 10.03.2007
SecurityVulns ID: 7384
Type: remote
Threat Level: 5/10
Description: The AirPort utility's default configuration creates an IPv6 tunnel but leaves the "Block incoming IPv6 connections" setting disabled, so no filtering is applied to tunnelled traffic: hosts behind the AirPort Extreme become reachable over IPv6 for connections that the IPv4 side would reject. Enabling that setting, or disabling the tunnel where IPv6 is not needed, closes the exposure.
CVE: CVE-2007-1338 (The default configuration of the AirPort utility in Apple AirPort Extreme creates an IPv6 tunnel but does not enable the "Block incoming IPv6 connections" setting, which might allow remote attackers to bypass intended access restrictions by establishing IPv6 sessions that would have been rejected over IPv4.)

SnapGear packets flood DoS
Published: 10.03.2007
SecurityVulns ID: 7385
Type: remote
Threat Level: 5/10
Description: A packet flood causes complete packet loss through the appliance (denial of service); fixed in firmware 3.1.4u5.
Affected: SNAPGEAR : SnapGear 560
 SNAPGEAR : SnapGear 585
 SNAPGEAR : SnapGear 580
 SNAPGEAR : SnapGear 640
 SNAPGEAR : SnapGear 710
 SNAPGEAR : SnapGear 720
CVE: CVE-2007-1324 (SnapGear 560, 585, 580, 640, 710, and 720 appliances before the 3.1.4u5 firmware allow remote attackers to cause a denial of service (complete packet loss) via a packet flood, a different vulnerability than CVE-2006-4613.)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod