Microsoft Help Workshop buffer overflow updated since 18.01.2007
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7068
Type:		local
Level:		5/10
Description:		Buffer overflow on .cnt / .hpj files parsing.

Affected:		MICROSOFT : Microsoft Help Workshop 4.03
CVE:		CVE-2007-0427 (Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section.)
		CVE-2007-0352 (Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a crafted .cnt file composed of lines that begin with an integer followed by a space and a long string.)

Original document		porkythepig_(at)_anspi.pl, Help project files (.HPJ) buffer overflow vulnerability in Microsoft Help Workshop (20.01.2007)
		porkythepig_(at)_anspi.pl, Microsoft Help Workshop .CNT contents files buffer overflow vulnerability (18.01.2007)

Files:		PoC exploit for .cnt files buffer overflow vulnerability in Microsoft Help Workshop v4.03.0002
		PoC exploit for (.HPJ) project files buffer overflow vulnerability in Microsoft Help Workshop v4.03.0002
Discuss:		Read or add your comments to this news (0 comments)

HP-UX ipfilter DoS
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7070
Type:		remote
Level:		6/10
Description:		System crash on malcrafted packet.

Affected:		HP : HP-UX 11.23
CVE:		CVE-2007-0818 (** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0396. Reason: This candidate is a duplicate of CVE-2007-0396. Notes: All CVE users should reference CVE-2007-0396 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.)
		CVE-2007-0396 (Unspecified vulnerability in HP-UX B.11.23, when running IPFilter in combination with PHNE_34474, allows remote attackers to cause a denial of service (system crash) via unspecified vectors.)

Original document

HP, [security bulletin] HPSBUX02181 SSRT061289 rev.1 - HP-UX Running IPFilter, Remote Unauthorized Denial of Service (DoS) (20.01.2007)

Discuss:

Read or add your comments to this news (0 comments)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		20.01.2007
Source:
SecurityVulns ID:		7072
Type:		remote
Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected:		SIMPLEMACHINES : Simple Machines Forum 1.1
		ARSDIGITA : Ars Digita Community System 4.2
		ARSDIGITA : ACS-Java 3.4
		ARSDIGITA : ACS-Java 4.0
		ARSDIGITA : ACS-Java 4.7
		SUBROSUS : sabros.us 1.7
		EASYEBAYRESOURCE : Login Manager 3.0
CVE:		CVE-2007-0468 (Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file.)
		CVE-2007-0403 (SQL injection vulnerability in admin/memberlist.php in Easebay Resources Paypal Subscription Manager allows remote attackers to execute arbitrary SQL commands via the keyword parameter.)
		CVE-2007-0402 (Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter.)
		CVE-2007-0401 (SQL injection vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the init_row parameter.)
		CVE-2007-0400 (Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.)
		CVE-2007-0399 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.)
		CVE-2007-0398 (Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) Sujet or (2) Pseudo field.)
		CVE-2007-0390 (Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML via the tag parameter.)
		CVE-2007-0389 (Directory traversal vulnerability in ArsDigita Community System (ACS) 3.4.10 and earlier, and ArsDigita Community Education Solution (ACES) 1.1, allows remote attackers to read arbitrary files via .%252e/ (double-encoded dot dot slash) sequences in the URI.)

Original document		Advisory_(at)_Aria-Security.net, SMF "index.php?action=pm" Cross Site-Scripting (20.01.2007)
		Hackers Center Security Group, Paypal Subscription Manager Multiple HTML Injections (20.01.2007)
		Hackers Center Security Group, Login Manager Multiple HTML Injections (20.01.2007)
		sn0oPy_(at)_avenir-geopolitique.net, a-forum xss (20.01.2007)
		CorryL, [x0n3-h4ck] sabros.us 1.7 XSS Exploit (20.01.2007)
		Hackers Center Security Group, MyShoutBox Multiple Cross-Site Scripting Vulnerability (20.01.2007)
		Elliot Kendall, Directory Traversal in ArsDigita Community System (20.01.2007)

Discuss:

Read or add your comments to this news (0 comments)

Mac OS X syscall DoS
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7074
Type:		local
Level:		5/10
Description:		Arguments of shared_region_map_file_np() syscall are not checking, making it's possible to exhaust all available memory.

Affected:		APPLE : Mac OS X 10.4
CVE:		CVE-2007-0430 (The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value.)

Original document

RISE Security, [RISE-2007001] Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption vulnerability (20.01.2007)

Files:		Exploits Mac OS X 10.4.x kernel shared_region_map_file_np() memory exhaustion
Discuss:		Read or add your comments to this news (0 comments)

BitDefender client format string vulnerability
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7073
Type:		local
Level:		5/10
Description:		Format string vulnerability on scan settings logging.

Affected:		BITDEFENDER : BitDefender Client Professional 8.02
CVE:		CVE-2007-0391 (Format string vulnerability in the log creation functionality of BitDefender Client Professional Plus 8.02 allows attackers to execute arbitrary code via certain scan job settings.)

Original document

Deral Heiland, Layered Defense Research Advisory: BitDefender Client 8.02 Format String Vulnerability (20.01.2007)

Discuss:

Read or add your comments to this news (0 comments)

AVM Fritz!Box VoIP router DoS
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7075
Type:		remote
Level:		5/10
Description:		Crash on empty UDP packet to UDP/5060 (SIP) port.

Affected:		AVM : Fritz!Box 750
CVE:		CVE-2007-0431 (AVM Fritz!Box 7050, and possibly other product models, allows remote attackers to cause a denial of service (VoIP application crash) via a zero-length UDP packet to the SIP port (port 5060).)

Original document

Collin R. Mulliner, DoS against AVM Fritz!Box 7050 (and others) (20.01.2007)

Discuss:

Read or add your comments to this news (0 comments)

grsecurity privilege escalation updated since 12.01.2007
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7045
Type:		local
Level:		7/10
Description:		Privilege escalation with expand_stack().

Affected:		GRSECURITY : grsecurity 2.1
CVE:		CVE-2007-0257 (** DISPUTED ** Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code.)
		CVE-2007-0253 (** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven.)

Original document		info_(at)_digitalarmaments.com, Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability (20.01.2007)
		info_(at)_digitalarmaments.com, Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability (12.01.2007)

Discuss:

Read or add your comments to this news (0 comments)

Cisco CS MARS and Cisco ADSM TLS, SSL, SSH certificates validation problem
Published:		20.01.2007
Source:		BUGTRAQ
SecurityVulns ID:		7071
Type:		remote
Level:		6/10
Description:		On connecting to managed device, device certificate is not validated.

Affected:		CISCO : CS-MARS 4.2
		CISCO : ASDM 5.2
CVE:		CVE-2007-0397 (The Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.3 and Adaptive Security Device Manager (ASDM) before 5.2(2.54) do not validate the SSL/TLS certificates or SSH public keys when connecting to devices, which allows remote attackers to spoof those devices to obtain sensitive information or generate incorrect information.)

Original document

CISCO, Cisco Security Advisory: SSL/TLS Certificate and SSH Public Key Validation Vulnerability (20.01.2007)

Discuss:

Read or add your comments to this news (0 comments)