Computer Security


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 17.03.2007
Source:
SecurityVulns ID: 7414
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: WEBCALENDAR : WebCalendar 0.9
 HORDE : IMP 3.1
 HORDE : IMP 3.2
 HORDE : Horde 3.0
 WOLTLAB : Woltlab Burning Board 2.3
 WEBAPP : WebAPP 0.9
 PHPSTATS : php-stats 0.1
 HORDE : Horde 3.1
 VBULLETIN : vBulletin 3.6
 HORDE : IMP 3.0
 HORDE : IMP 2.3
 OSCOMMERCE : PHP Point Of Sale 1.1
 ROT13 : Rot 13
 CLBOX : CLBOX 1.01
 MPMCHAT : MPM Chat 2.5
 PHPDBDESIGNED : PHP DB Designer 1.02
 CREATIVEHEADS : Creative Files 1.2
 MCGALLERY : McGallery 0.5
 CREATIVEHEADS : Creative Guestbook 1.0
 DEYFOXDESIGNS : Dayfox Blog 4
 CARBONIZE : Lazarus Guestbook 1.7
 WOLTLAB : Burning Board Lite 1.0
 GROUPIT : Groupit 2.0
 BPBLOG : BP Blog 7.0
CVE: CVE-2007-1631 (** DISPUTED ** PHP remote file inclusion vulnerability in signup.php in CLBOX 1.01 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: this issue has been disputed by a reliable third party, stating that header is defined through an include file before use.)
 CVE-2007-1620 (Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php.)
 CVE-2007-1613 (Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter.)
 CVE-2007-1556 (SQL injection vulnerability in kommentare.php in Creative Files 1.2 allows remote attackers to execute arbitrary SQL commands via the dlid parameter.)
 CVE-2007-1525 (Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php.)
 CVE-2007-1518 (SQL injection vulnerability in usergroups.php in Woltlab Burning Board (wBB) 2.x allows remote attackers to execute arbitrary SQL commands via the array index of the applicationids array.)
 CVE-2007-1515 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.)
 CVE-2007-1514 (PHP remote file inclusion vulnerability in index.php in ViperWeb Portal alpha 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the modpath parameter.)
 CVE-2007-1513 (PHP remote file inclusion vulnerability in comanda.php in GraFX Company WebSite Builder (CWB) PRO 1.9.8, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter.)
 CVE-2007-1510 (SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter.)
 CVE-2007-1509 (Directory traversal vulnerability in enkrypt.php in Sascha Schroeder krypt (aka Holtstraeter Rot 13) allows remote attackers to read arbitrary files via a .. (dot dot) in the datei parameter.)
 CVE-2007-1508 (Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983.)
 CVE-2007-1489 (Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.)
 CVE-2007-1487 (Directory traversal vulnerability in index.php in Sascha Schroeder (aka CyberTeddy or Cyber-inside) WebLog allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a showarticles action.)
 CVE-2007-1486 (PHP remote file inclusion vulnerability in template.class.php in Carbonize Lazarus Guestbook before 1.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to admin.php, probably due to a dynamic variable evaluation vulnerability.)
 CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar 0.9.45 allow remote attackers to execute arbitrary PHP code via a URL in the includedir parameter to (1) login.php, (2) get_reminders.php, or (3) get_events.php.)
 CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows remote attackers to inject arbitrary web script or HTML via the e_id parameter in a viewentry cmd.)
 CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote attackers to execute arbitrary SQL commands via the e_id parameter in a viewentry cmd.)
 CVE-2007-1480 (Creative Guestbook 1.0 allows remote attackers to add an administrative account via a direct request to createadmin.php with Name, Email, and PASSWORD parameters set.)
 CVE-2007-1479 (Cross-site scripting (XSS) vulnerability in Guestbook.php in Creative Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.)
 CVE-2007-1478 (download.php in McGallery 0.5b allows remote attackers to read arbitrary files and obtain script source code via the filename parameter.)
 CVE-2007-1477 (** DISPUTED ** Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installation.)
 CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames.)
 CVE-2007-1472 (Variable overwrite vulnerability in groupit/base/groupit.start.inc in Groupit 2.00b5 allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via arguments that are written to $_GLOBALS, as demonstrated using a URL in the c_basepath parameter to (1) content.php, (2) userprofile.php, (3) password.php, (4) dispatch.php, and (5) deliver.php in html/, and possibly (6) load.inc.php and related files.)
 CVE-2007-1462 (The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.)
 CVE-2007-1455 (Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to includes/mysqlconfig.php and certain other files.)
 CVE-2007-1445 (SQL injection vulnerability in the heme preview feature for default.asp in BP Blog 7.0 through 7.0.2 allows remote attackers to execute arbitrary SQL commands via the layout parameter.)
 CVE-2007-1443 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in Woltlab Burning Board (wBB) 2.3.6 and Burning Board Lite 1.0.2pl3e allow remote attackers to inject arbitrary web script or HTML via the (1) r_username, (2) r_email, (3) r_password, (4) r_confirmpassword, (5) r_homepage, (6) r_icq, (7) r_aim, (8) r_yim, (9) r_msn, (10) r_year, (11) r_month, (12) r_day, (13) r_gender, (14) r_signature, (15) r_usertext, (16) r_invisible, (17) r_usecookies, (18) r_admincanemail, (19) r_emailnotify, (20) r_notificationperpm, (21) r_receivepm, (22) r_emailonpm, (23) r_pmpopup, (24) r_showsignatures, (25) r_showavatars, (26) r_showimages, (27) r_daysprune, (28) r_umaxposts, (29) r_dateformat, (30) r_timeformat, (31) r_startweek, (32) r_timezoneoffset, (33) r_usewysiwyg, (34) r_styleid, (35) r_langid, (36) key_string, (37) key_number, (38) disablesmilies, (39) disablebbcode, (40) disableimages, (41) field[1], (42) field[2], and (43) field[3] parameters. NOTE: a third-party researcher has disputed some of these )
 CVE-2006-7173 (Direct static code injection vulnerability in admin.php in PHP-Stats 0.1.9.1b and earlier allows remote attackers to execute arbitrary PHP code via a crafted option_new[report_w_day] parameter in a preferenze action, which can be later accessed via option/php-stats-options.php.)
 CVE-2006-7172 (Multiple SQL injection vulnerabilities in php-stats.recphp.php in PHP-Stats 0.1.9.1b and earlier allow remote attackers to execute arbitrary code via a leading dotted-quad IP address string in the (1) PC-REMOTE-ADDR HTTP header, which is inserted into $_SERVER['HTTP_PC_REMOTE_ADDR'], or (2) ip parameter.)
Original document: Dj7xpl, WebLog (index.php file) Remote File Disclosure Vulnerability (17.03.2007)
 Dj7xpl, Creative Guestbook 1.0 Multiple Remote Vulnerabilities (17.03.2007)
 piker.ther00t_(at)_gmail.com, McGallery 0.5b Arbitrary File Download Vulnerability (17.03.2007)
 XORON, WBBlog (XSS/SQL) Multiple Remote Vulnerabilities (17.03.2007)
 XORON, Creative Files 1.2 (kommentare.php) Remote SQL Injection Vulnerabilities (17.03.2007)
 GolD_M, PHP DB Designer <= 1.02 Remote File Include Exploit (17.03.2007)
 GolD_M, MPM Chat 2.5 (view.php logi) Local File Include Exploit (17.03.2007)
 BorN To K!LL BorN To K!LL, CLBOX <= (signup.php header) Remote File Include Vulnerability (17.03.2007)
 Sea Shark, Oracle Portal PORTAL.wwv_main.render_warning_screen XSS (17.03.2007)
 BorN To K!LL BorN To K!LL, Rot 13 <= (enkrypt.php) Remote File Disclosure Vulnerability (17.03.2007)
 disfigure, vbulletin admincp sql injection (17.03.2007)
 BorN To K!LL BorN To K!LL, PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vuln (17.03.2007)
 IDEFENSE, iDefense Security Advisory 03.15.07: Horde Project Cleanup Script Arbitrary File Deletion Vulnerability (17.03.2007)
 asamad_(at)_arpatech.com, Remote File Inclusion in ViperWeb (17.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability (17.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability (17.03.2007)
 Mandr4ke.root_(at)_gmail.com, DirectAdmin Cross Site Scripting XSS (17.03.2007)
Files: Particle Blogger All Version Post.PHP (PostID) Remote SQL Injection Exploit
 Php-Stats <= 0.1.9.1b admin 2 exec() exploit
 Php-Stats <= 0.1.9.1b "ip" urldecode()/ ereg() / sql injection / cleat text admin pass disclosure exploit (method ii)
 Php-Stats <= 0.1.9.1b PC-REMOTE-ADDR sql injection / cleat text admin pass
 Exploits Dayfox Blog 4 remote code execution

IBM Rational ClearQuest Web cross-site scripting
Published: 17.03.2007
Source:
SecurityVulns ID: 7415
Type: remote
Threat Level: 5/10
Description: Cross-site scripting via text attachments.
Affected: IBM : Rational ClearQuest Web 7.0
CVE: CVE-2007-1468 (Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest (CQ) Web 7.0.0.0 allows remote attackers to inject arbitrary web script or HTML via an attachment to a defect log entry.)
Original document: james_(at)_clarkee.co.uk, IBM Rational ClearQuest Web - Cross Site Scripting (17.03.2007)

PHP ibase_connect function buffer overflow
Published: 17.03.2007
Source:
SecurityVulns ID: 7416
Type: library
Threat Level: 5/10
Description: Buffer overflow on oversized function argument.
Affected: PHP : PHP 4.4
CVE: CVE-2007-1475 (Multiple buffer overflows in the (1) ibase_connect and (2) ibase_pconnect functions in the interbase extension in PHP 4.4.6 and earlier allow context-dependent attackers to execute arbitrary code via a long argument.)
Original document: retrog_(at)_alice.it, PHP <= 4.4.6 ibase_connect() local buffer overflow (17.03.2007)
Files: PHP <= 4.4.6 ibase_connect() & ibase_pconnect() local buffer overflow

Multiple libftp / QFTP security vulnerabilities
Published: 17.03.2007
Source:
SecurityVulns ID: 7417
Type: library
Threat Level: 5/10
Description: Multiple buffer overflows of different types.
Affected: LIBFTP : LIBFtp 5.0
 LIBFTP : LIBFtp 3.1
CVE: CVE-2007-1485 (** DISPUTED ** Buffer overflow in the set_umask function in QFTP in LIBFtp 3.1-1 allows local users to execute arbitrary code via a long -m argument. NOTE: CVE disputes this issue because QFTP is not setuid, and it is unlikely that there are web interfaces to QFTP that would accept untrusted command line arguments.)
 CVE-2007-1470 (Multiple buffer overflows in LIBFtp 5.0 allow user-assisted remote attackers to execute arbitrary code via certain long arguments to the (1) FtpArchie, (2) FtpDebugDebug, (3) FtpOpenDir, (4) FtpSize, or (5) FtpChmod function.)
Original document: starcadi starcadi, QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow (17.03.2007)
 starcadi starcadi, LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow (17.03.2007)

libwpd / OpenOffice / AbiWord multiple security vulnerabilities
Published: 17.03.2007
Source:
SecurityVulns ID: 7418
Type: library
Threat Level: 6/10
Description: Multiple buffer overflows when parsing WordPerfect documents.
Affected: OPENOFFICE : OpenOffice 2.0
 OPENOFFICE : OpenOffice 2.1
 LIBWPD : libwpd 0.8
CVE: CVE-2007-1466 (Integer overflow in the WP6GeneralTextPacket::_readContents function in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file, a different vulnerability than CVE-2007-0002.)
 CVE-2007-0002 (Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.)
Original document: IDEFENSE, iDefense Security Advisory 03.16.07: Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities (17.03.2007)

FrontBase Database server buffer overflow
Published: 17.03.2007
Source:
SecurityVulns ID: 7419
Type: local
Threat Level: 5/10
Description: Buffer overflow in 'CREATE PROCEDURE' SQL command.
Affected: FRONTBASE : FrontBase Server 4.2
CVE: CVE-2007-1511 (Buffer overflow in FrontBase Relational Database Server 4.2.7 and earlier allows remote authenticated users, with privileges for creating a stored procedure, to execute arbitrary code via a CREATE PROCEDURE request with a long procedure name.)
Original document: [email protected], [NETRAGARD-20070316 SECURITY ADVISORY][FrontBase Database <= 4.2.7 ALL PLATFORMS][REMOTE BUFFER OVERFLOW CONDITION][LEVEL: EASY][RISK:MEDIUM] (17.03.2007)
Files: FrontBase Database remote Proof Of Concept

PHP compress.bzip2:// URL safe mode protection bypass
Published: 17.03.2007
Source:
SecurityVulns ID: 7420
Type: local
Threat Level: 5/10
Description: Safe mode and open_basedir limitations are not checked.
Affected: PHP : PHP 4.4
 PHP : PHP 5.2
CVE: CVE-2007-1461 (The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode or open_basedir checks, which allows remote attackers to read bzip2 archives located outside of the intended directories.)
Original document: PHP-SECURITY, MOPB-21-2007:PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability (17.03.2007)

PHP invalid session id and session_regenerate_id() function double free() vulnerability
Published: 17.03.2007
Source:
SecurityVulns ID: 7421
Type: library
Threat Level: 5/10
Description: Race conditions when freeing the session identifier can lead to a double free() operation.
Affected: PHP : PHP 5.2
CVE: CVE-2007-1522 (Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.)
 CVE-2007-1521 (Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation.)
Original document: PHP-SECURITY, MOPB-23-2007:PHP 5 Rejected Session Identifier Double Free Vulnerability (17.03.2007)
 PHP-SECURITY, MOPB-22-2007:PHP session_regenerate_id() Double Free Vulnerability (17.03.2007)
Files: PHP 5 session_regenerate_id() Double Free Exploit
 PHP 5 Rejected Session ID Double Free Exploit

PHP array_user_key_compare() function memory corruption
Published: 17.03.2007
Source:
SecurityVulns ID: 7422
Type: library
Threat Level: 5/10
Description: A reference is left to a freed buffer, which may lead to use of de-allocated memory.
Affected: PHP : PHP 4.4
 PHP : PHP 5.2
CVE: CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called.)
Original document: PHP-SECURITY, MOPB-24-2007:PHP array_user_key_compare() Double DTOR Vulnerability (17.03.2007)
Files: PHP 4/5 - array_user_key_compare() ZVAL dtor exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod