Computer Security


Oracle Dynamic Monitoring Services crossite scripting
Published:22.03.2007
SecurityVulns ID:7439
Type:remote
Threat Level:5/10
Description:Cross-site scripting via /servlet/Spy.
Affected:ORACLE : Oracle 10g
CVE:CVE-2007-1609 (Cross-site scripting (XSS) vulnerability in servlet/Spy in Dynamic Monitoring Services (DMS) in Oracle Application Server (OAS) 10g 10.1.2.0.0 allows remote attackers to inject arbitrary web script or HTML via the table parameter. NOTE: This may be related to CVE-2002-0563.)
Original document:Sea Shark, Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy (22.03.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:22.03.2007
SecurityVulns ID:7440
Type:remote
Threat Level:5/10
Description:PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:PHPROJEKT : PHProjekt 5.2
 WEBWIZ : Web Wiz Forums 8.05
 SUBHUB : SubHub 2.3
 STUDIEWIJZER : Study planner 0.15
CVE:CVE-2007-1646 (Multiple cross-site scripting (XSS) vulnerabilities in SubHub 2.3.0 allow remote attackers to inject arbitrary web script or HTML via (1) the searchtext parameter to (a) /search, or the (2) message parameter to (b) /calendar or (c) /subscribe.)
 CVE-2007-1639 (Unrestricted file upload vulnerability in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allows remote authenticated users to upload and execute arbitrary PHP code via a file with an executable extension, which is then accessed by the (1) calendar or (2) file management module, or possibly unspecified other files.)
 CVE-2007-1638 (Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files.)
 CVE-2007-1628 (Multiple PHP remote file inclusion vulnerabilities in Study planner (Studiewijzer) 0.15 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the SPL_CFG[dirroot] parameter to (1) service.alert.inc.php or (2) settings.ses.php in inc/; (3) db/mysql/db.inc.php; (4) integration/shortstat/configuration.php; (5) ali.class.php or (6) cat.class.php in methodology/traditional/class/; (7) cat_browse.inc.php, (8) chr_browse.inc.php, (9) chr_display.inc.php, or (10) dash_browse.inc.php in methodology/traditional/ui/inc/; (11) spl.webservice.php or (12) konfabulator/gateway_admin.php in ws/; or other unspecified files.)
 CVE-2007-1599 (wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.)
 CVE-2007-1576 (Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Search (only Gecko engine driven Browsers), and (5) Notes modules; the (6) Mail summary page; and unspecified other files.)
 CVE-2007-1575 (Multiple SQL injection vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) unspecified vectors to the (a) calendar and (2) search modules, and an (2) unspecified cookie when the user logs out.)
 CVE-2007-1548 (SQL injection vulnerability in functions/functions_filters.asp in Web Wiz Forums before 8.05a (MySQL version) does not properly filter certain characters in SQL commands, which allows remote attackers to execute arbitrary SQL commands via \"' (backslash double-quote quote) sequences, which are collapsed into \'', as demonstrated via the name parameter to forum/pop_up_member_search.asp.)
Original document:Aditya K Sood, [Full-disclosure] IntraProgrammed Search Engines Are XSS Driven (22.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_77$2007] Study planner (Studiewijzer) <= 0.15 Remote File Inclusion Vulnerability (22.03.2007)
 anon_(at)_anon.com, **SubHub v2.3.0** (22.03.2007)
 Metaeye SG, Advisory - Redirection Vulnerability in wp-login.php. (22.03.2007)
 ifsecure_(at)_gmail.com, Web Wiz Forums 8.05 (MySQL version) SQL Injection (22.03.2007)

Linksys wireless routers information leak
Published:22.03.2007
SecurityVulns ID:7441
Type:remote
Threat Level:6/10
Description:Configuration information, including the complete set of passwords, is returned in response to a request to UDP port 916.
Affected:CISCO : Linksys WAG200G
CVE:CVE-2007-1585 (The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.00.7, and WRT54GC 1 with firmware 1.03.0 and earlier allow remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916. NOTE: some of these details are obtained from third party information.)
Original document:dniggebrugge_(at)_hotmail.com, Linksys WAG200G - Information disclosure (22.03.2007)

Network Audio System DoS
Published:22.03.2007
SecurityVulns ID:7442
Type:remote
Affected:NAS : Network Audio System 1.8
CVE:CVE-2007-1547 (The ReadRequestFromClient function in server/os/io.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference.)
 CVE-2007-1546 (Array index error in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c.)
 CVE-2007-1545 (The AddResource function in server/dia/resource.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID.)
 CVE-2007-1544 (Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value.)
 CVE-2007-1543 (Stack-based buffer overflow in the accept_att_local function in server/os/connection.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection.)
Original document:SECURITEAM, [NEWS] Multiple Vulnerabilities In NAS (22.03.2007)
Files:Exploits Network Audio System <= 1.8a (svn 231) multiple vulnerabilities

XMMS multimedia player multiple integer overflows
Published:22.03.2007
SecurityVulns ID:7443
Type:remote
Threat Level:5/10
Description:Multiple integer overflows when parsing various multimedia file formats.
Affected:XMMS : xmms 1.2
CVE:CVE-2007-0654 (Integer underflow in X MultiMedia System (xmms) 1.2.10 allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which results in a stack-based buffer overflow.)
 CVE-2007-0653 (Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which triggers memory corruption.)
Original document:SECUNIA, Secunia Research: XMMS Integer Overflow and Underflow Vulnerabilities (22.03.2007)

Gnome Evolution calendar format string vulnerability
Published:22.03.2007
SecurityVulns ID:7444
Type:client
Threat Level:6/10
Description:Format string vulnerability in shared memo parsing.
Affected:GNOME : Evolution 2.8
CVE:CVE-2007-1002 (Format string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo.)
Original document:SECUNIA, Secunia Research: Evolution Shared Memo Categories Format String Vulnerability (22.03.2007)

InterActual Player / CinePlayer ActiveX buffer overflow
Published:22.03.2007
SecurityVulns ID:7445
Type:client
Threat Level:5/10
Description:Buffer overflow in the IASystemInfo.dll ActiveX control.
Affected:INTERACTUAL : InterActual Player 2.60
 ROXIO : CinePlayer 3.2
CVE:CVE-2007-0348 (Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172, and possibly other products, allows remote attackers to execute arbitrary code via a long ApplicationType property.)
Original document:SECUNIA, Secunia Research: InterActual Player / CinePlayer IASystemInfo.dll ActiveX Control Buffer Overflow (22.03.2007)

Atrium Mercur Mailserver IMAPD buffer overflow
Published:22.03.2007
SecurityVulns ID:7446
Type:remote
Threat Level:6/10
Description:Multiple buffer overflows in the IMAP NTLM authentication implementation; buffer overflow in the SUBSCRIBE command.
Affected:ATRIUM : Mercur Mailserver 5.0
CVE:CVE-2007-1579 (Stack-based buffer overflow in Atrium MERCUR IMAPD allows remote attackers to have an unknown impact via a certain SUBSCRIBE command.)
 CVE-2007-1578 (Multiple integer signedness errors in the NTLM implementation in Atrium MERCUR IMAPD (mcrimap4.exe) 5.00.14, with SP4, allow remote attackers to execute arbitrary code via a long NTLMSSP argument that triggers a stack-based buffer overflow.)
 CVE-2003-1322 (Multiple stack-based buffer overflows in Atrium MERCUR IMAPD in MERCUR Mailserver before 4.2.15.0 allow remote attackers to execute arbitrary code via a long (1) EXAMINE, (2) DELETE, (3) SUBSCRIBE, (4) RENAME, (5) UNSUBSCRIBE, (6) LIST, (7) LSUB, (8) STATUS, (9) LOGIN, (10) CREATE, or (11) SELECT command.)
Original document:mu-b, [Full-disclosure] Mercur SP4 IMAPD (22.03.2007)
Files:Mercur v5.00.14 (win32) remote exploit
 Exploits Mercur Messaging 2005 SP3 IMAP service - Egghunter mod
 Remote exploit for the stack overflow vulnerability in Mercur Messaging 2005 SP3 IMAP service

Microsoft Internet Explorer DoS
Published:22.03.2007
SecurityVulns ID:7447
Type:client
Threat Level:3/10
Description:Memory exhaustion via the appendChild method.
Affected:MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
Original document:saied hackeriran, [Full-disclosure] Microsoft Internet Explorer Multiple Vulnerabilities(mshtml.dll) (22.03.2007)

Grandstream Budge Tone VOIP phones DoS
Published:22.03.2007
SecurityVulns ID:7448
Type:remote
Threat Level:5/10
Description:Crash while parsing a SIP INVITE message.
Affected:GRANDSTREAM : BudgeTone 200
CVE:CVE-2007-1590 (The Grandstream BudgeTone 200 IP phone, with program 1.1.1.14 and bootloader 1.1.1.5, allows remote attackers to cause a denial of service (device crash) via SIP (1) INVITE, (2) CANCEL, or unspecified other messages with a WWW-Authenticate header containing a crafted Digest domain.)
Original document:Radu State, [Full-disclosure] Grandstream Budge Tone-200 denial of service vulnerability (22.03.2007)

PHP header() function memory corruption
Published:22.03.2007
SecurityVulns ID:7449
Type:library
Threat Level:5/10
Description:Heap memory page corruption allows code execution on big-endian systems.
Affected:PHP : PHP 5.2
CVE:CVE-2007-1584 (Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string.)
Original document:PHP-SECURITY, MOPB-25-2007:PHP header() Space Trimming Buffer Underflow Vulnerability (22.03.2007)
Files:PHP header() Space Trimming Buffer Underflow Vulnerability

mb_parse_str() exceptional conditions protection bypass
Published:22.03.2007
SecurityVulns ID:7450
Type:library
Threat Level:5/10
Description:Exceptional conditions during function invocation may leave register_globals enabled.
Affected:PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1583 (The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.)
Original document:PHP-SECURITY, MOPB-26-2007:PHP mb_parse_str() register_globals Activation Vulnerability (22.03.2007)
Files:PHP mb_parse_str() register_globals Activation Exploit

PHP ext/gd use after free() vulnerability
Published:22.03.2007
SecurityVulns ID:7451
Type:library
Threat Level:6/10
Description:During exceptional-condition handling, some resources are free()d and later accessed.
Affected:PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1582 (The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.)
Original document:PHP-SECURITY, MOPB-27-2007:PHP ext/gd Already Freed Resource Access Vulnerability (22.03.2007)
Files:PHP gd already freed resource usage exploit

PHP hash_update_file() function use after free() vulnerability
Published:22.03.2007
SecurityVulns ID:7452
Type:library
Threat Level:6/10
Description:A race condition allows a resource to be freed while the function is still processing it.
Affected:PHP : PHP 5.2
CVE:CVE-2007-1581 (The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources.)
Original document:PHP-SECURITY, MOPB-28-2007:PHP hash_update_file() Already Freed Resource Access Vulnerability (22.03.2007)
Files:PHP hash_update_file() freed resource usage exploit

0IRC client DoS
Published:22.03.2007
SecurityVulns ID:7453
Type:client
Threat Level:5/10
Description:NULL pointer dereference on an oversized server message.
Affected:DEV0 : 0irc 1.3
CVE:CVE-2007-1648 (0irc 1345 build 20060823 allows remote attackers to cause a denial of service (application crash) by operating an IRC server that sends a long string to a client, which triggers a NULL pointer dereference.)
Original document:DiGitalX, DoS Exploit (22.03.2007)
Files:0irc-client v1345 build 20060823 DoS Exploit By DiGitalX

Asterisk PBX SIP DoS
updated since 04.03.2007
Published:22.03.2007
SecurityVulns ID:7344
Type:remote
Threat Level:6/10
Description:Application crash on a malformed SIP packet.
Affected:ASTERISK : Asterisk 1.2
 DIGIUM : Asterisk 1.4
CVE:CVE-2007-1595 (The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not properly generate extensions, which allows remote attackers to execute arbitrary extensions and have an unknown impact by specifying an invalid extension in a certain form.)
 CVE-2007-1594 (The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.)
 CVE-2007-1561 (The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address.)
 CVE-2007-1306 (Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference.)
Original document:Matt Riddell (IT), Two new DoS Vulnerabilities in Asterisk Fixed (22.03.2007)
 Radu State, [Full-disclosure] Asterisk SDP DOS vulnerability (19.03.2007)
 noreply_(at)_musecurity.com, [Full-disclosure] [MU-200703-01] Remote DOS in Asterisk SIP (09.03.2007)
 Anonymous Person, [Full-disclosure] asterisk remote pre-auth denial of service (04.03.2007)
Files:Exploits Asterisk SIP DoS vulnerability
 Exploits Asterisk INVITE SIP message DoS

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod