Computer Security


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 24.01.2007
Published:24.01.2007
Source:
SecurityVulns ID:7090
Type:remote
Threat Level:5/10
Description:PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:PHPADSNEW : phpAdsNew 2.0
 PHPOPENADS : phpPgAds 2.0
 PHPNUKE : PHP-Nuke 7.9
 WEBSITEBAKER : Website Baker 2.6
 BITWEAVER : bitweaver 1.3
 FREEFORUM : FreeForum 0.9
 CMSIMPLE : cmsimple 2.7
 PHPLINKDIRECTORY : PHP Link Directory 3.0
 OPENREALTY : Open-Realty 2.3
 UPLOADSCRIPT : UploadScript 1.02
 UPLOADSERVICE : Upload Service 1.0
 ADVANCEDGUESTBOO : Advanced Guestbook 2.4
 SCRIPTSEZ : Random PHP Quote 1.0
 YANAFRAMEWORK : Yana Framework 2.8
 INDISGUISE : Enthusiast 3.1
 PHPXD : phpxd 0.3
 BBCLONE : bbclone 0.31
 RPW : RPW 1.0
 ASPEDGE : ASP EDGE 1.2
 ASPNEWS : ASP NEWS 3
 VOTEPRO : Vote-Pro 4.0
 FREEWEBSHOP : FreeWebshop.org Script 2.2
 DRUPAL : Drupal Acidfree Module 4.6
 OPENADS : Openads 2.0
 WEBGUI : WebGUI 7.3
 DJANGO : django 0.95
 ZIXFORUM : ZixForum 1.14
 MAXTRICITY : Maxtricity Tagger 0.1
CVE:CVE-2007-0629 (The www_purgeList method in Plain Black WebGUI before 7.3.8 does not properly check user permissions, which allows attackers to delete unauthorized assets. NOTE: some of these details are obtained from third party information.)
 CVE-2007-0610 (Cross-site scripting (XSS) vulnerability in the mailform feature in CMSimple 2.7 fix1 allows remote attackers to inject arbitrary web script or HTML via the sender parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0566 (SQL injection vulnerability in news_detail.asp in ASP NEWS 3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-0560 (SQL injection vulnerability in user.asp in ASP EDGE 1.2b and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter.)
 CVE-2007-0559 (PHP remote file inclusion vulnerability in config.php in RPW 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the sql_language parameter.)
 CVE-2007-0551 (Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters.)
 CVE-2007-0546 (Toxiclab Shoutbox 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db.mdb.)
 CVE-2007-0545 (Maxtricity Tagger 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for tagger.mdb.)
 CVE-2007-0543 (ZixForum 1.14 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for Zixforum.mdb. NOTE: a followup post suggests that this issue only occurs if the administrator does not properly follow installation directions.)
 CVE-2007-054
 CVE-2007-0535 (Multiple eval injection vulnerabilities in Vote! Pro 4.0, and possibly earlier, allow remote attackers to execute arbitrary code via requests to unspecified PHP scripts with the poll_id parameter, which is supplied to eval function calls, a different set of vectors than CVE-2007-0504. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0533 (The AToZed IntraWeb component 8.0 and earlier for Borland Delphi and Kylix, and IntraWeb 9.0 before build (9.0.12), allows remote attackers to cause a denial of service (thread hang or CPU consumption) via a crafted HTTP request, related to the OnBeforeDispatch function in the TIWServerController object.)
 CVE-2007-0531 (PHP remote file inclusion vulnerability in includes/login.php in FreeWebShop 2.2.3 and 2.2.4 before 20070123 allows remote attackers to execute arbitrary PHP code via a URL in the lang_file parameter.)
 CVE-2007-0530 (** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Advanced Guestbook 2.4.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) index.php, (2) addentry.php, or (3) picture.php, a different set of vectors than CVE-2006-5804. NOTE: this issue has been disputed by third party researchers, stating that the include_path variable is instantiated before use.)
 CVE-2007-0529 (Cross-site scripting (XSS) vulnerability in index.html (aka the administration page) in PHP Link Directory (phpLD) 3.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted link, which is triggered when the administrator uses the "Validate Links" functionality.)
 CVE-2007-0527 (SQL injection vulnerability in the is_remembered function in class.login.php in Website Baker 2.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the REMEMBER_KEY cookie parameter. NOTE: some of these details are obtained from third party information.)
 CVE-2007-0526 (Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the URL (PATH_INFO) to (1) articles/edit.php, (2) articles/list.php, (3) blogs/list_blogs.php, or (4) blogs/rankings.php.)
 CVE-2007-0520 (SQL injection vulnerability in banner.php in Unique Ads (UDS) 1.x allows remote attackers to execute arbitrary SQL commands via the bid parameter.)
 CVE-2007-0516 (Yana Framework before 2.8.5a allows remote authenticated users with permissions to modify a guestbook profile to modify or delete arbitrary guestbook profiles via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0511 (Multiple PHP remote file inclusion vulnerabilities in phpXMLDOM (phpXD) 0.3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) dom.php, (2) dtd.php, or (3) parser.php in include/.)
 CVE-2007-0508 (PHP remote file inclusion vulnerability in lib/selectlang.php in BBClone 0.31 allows remote attackers to execute arbitrary PHP code via a URL in the BBC_LANGUAGE_PATH parameter.)
 CVE-2007-0507 (SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles.)
 CVE-2007-0504 (Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and possibly other scripts, allows remote attackers to execute arbitrary code via the poll_id parameter, which is supplied to an eval function call, a different vulnerability type than CVE-2005-4632.)
 CVE-2007-0490 (index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action.)
 CVE-2007-0487 (** DISPUTED ** PHP remote file inclusion vulnerability in index.php in FreeForum 0.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. NOTE: this issue has been disputed by third party researchers, stating that fpath variable is initialized before being used.)
 CVE-2007-0486 (** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Openads (aka phpAdsNew) 2.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds_geoPlugin parameter to libraries/lib-remotehost.inc, the (2) filename parameter to admin/report-index, or the (3) phpAds_config[my_footer] parameter to admin/lib-gui.inc. NOTE: the vendor has disputed this issue, stating that the relevant variables are used within function definitions.)
 CVE-2007-0484 (Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote attackers to execute arbitrary SQL commands via the cat parameter to (1) show_owned.php, (2) show_joined.php, and possibly other files. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0483 (Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0477 (Cross-site scripting (XSS) vulnerability in Openads 2.0.x before 2.0.10, 2.3 before 2.3.31 (aka Max Media Manager before 0.3.31-alpha-pr2), and phpAdsNew/phpPgAds before 2.0.9-pr1 allows remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in admin-search.php and (2) affiliate-search.php. NOTE: this issue may overlap CVE-2007-0363.)
 CVE-2007-0407 (Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 (beta) allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate "WikiPage titles" issue was also fixed.)
 CVE-2007-0405 (The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.)
 CVE-2007-0404 (bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.)
 CVE-2007-0363 (Cross-site scripting (XSS) vulnerability in admin-search.php in (1) Openads for PostgreSQL (aka phpPgAds) before 2.0.10 and (2) Openads (aka phpAdsNew) before 2.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.)
 CVE-2007-0308 (Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles.)
Original document:beks, Maxtricity Tagger Password Disclosure Vulnerability (24.01.2007)
 me you, ZixForum <= 1.14 (Zixforum.mdb) Remote Password Disclosure Vulnerability (24.01.2007)
 Matteo Beccati, [Full-disclosure] [OPENADS-SA-2007-001] phpAdsNew and phpPgAds 2.0.9-pr1 vulnerability fixed (24.01.2007)
 beks, Toxiclab Shoutbox Password Disclosure Vulnerability (24.01.2007)
 SECUNIA, [SA23826] Django Two Vulnerabilities (24.01.2007)
 SECUNIA, [SA23754] WebGUI User Name Script Insertion Vulnerability (24.01.2007)
 SECUNIA, [SA23720] Openads / Openads for PostgreSQL Cross-Site Scripting Vulnerability (24.01.2007)
 PHPNUKE, [SA23748] PHP-Nuke "cat" Old Articles Block SQL Injection (24.01.2007)
 SECUNIA, [SA23895] Drupal Acidfree Module "node titles" SQL Injection Vulnerability (24.01.2007)
 SECUNIA, [SA23898] FreeWebShop.org "lang_file" File Inclusion Vulnerability (24.01.2007)
 Advisory_(at)_Aria-Security.net, [Aria-Security Team] MyBB Cross-Site Scripting (24.01.2007)
 ajannhwt_(at)_hotmail.com, ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability (24.01.2007)
 ajannhwt_(at)_hotmail.com, ASP EDGE <= V1.2b (user.asp) Remote SQL Injection Vulnerability (24.01.2007)
 Dr Max Virus, phpXD <= 0.3 (path) Remote File Inclusion Vulnerability (24.01.2007)
 Dr Max Virus, BBClone 0.31 (selectlang.php) Remote File Inclusion Vulnerability (24.01.2007)
 Dr Max Virus, RPW 1.0.2 (config.php sql_language) Remote File Inclusion Vulnerability: (24.01.2007)
 SECUNIA, [SA23865] Enthusiast Cross-Site Scripting and SQL Injection (24.01.2007)
 SECUNIA, [SA23855] Yana Framework Guestbook Profile Security Bypass (24.01.2007)
 the.tiger100_(at)_gmail.com, subscribe (pwd.txt) Remote Password Disclosur (24.01.2007)
 the.tiger100_(at)_gmail.com, RANDOM PHP QUOTE 1.0 (pwd.txt) Remote Password Disclosur (24.01.2007)
 C0r3 1mp4ct, AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability (24.01.2007)
 me you, Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability (24.01.2007)
 y3dips_(at)_gmail.com, [ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion (24.01.2007)
 Rolf Huisman, SQL Injection by using Cookie Poisoning for Website Baker Version 2.6.5 and before (24.01.2007)
 me you, Uploader <= (userdata/user_1.txt) Password Disclosure Vulnerability (24.01.2007)
 me you, UploadScript <=- v1.02 (password.txt) Remote Password Disclosure Vulnerability (24.01.2007)
 CorryL, [x0n3-h4ck] bitweaver 1.3.1 XSS Exploit (24.01.2007)
 xx_hack_xx_2004_(at)_hotmail.com, Full Path Disclosure in Open-Realty ( v2.3.4 ) (24.01.2007)
 jussi.vuokko_(at)_smilehouse.com, PHP Link Directory XSS Vulnerability version <= 3.0.6 (24.01.2007)
 mr alkomandoz, phpAdsNew 2.0.7 Remote File Include (24.01.2007)
 mr alkomandoz, cmsimple 2.7 Remote File Include (24.01.2007)
 xx_hack_xx_2004_(at)_hotmail.com, SQL Injection in Unique Ads ( UDS ) (24.01.2007)
 xx_hack_xx_2004_(at)_hotmail.com, XSS in Guestbook ( v.4.00 beta ) (24.01.2007)
 Advisory_(at)_Aria-Security.net, XMB "U2U Instant Messenger" Cross-Site Scripting (24.01.2007)
 me you, FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability (24.01.2007)
 laurent gaffié, FishCart [injection sql] (24.01.2007)
Files:Vote-Pro Code Injection Exploit

Apple Safari / Konqueror SCRIPT tag filtering bypass
Published:24.01.2007
Source:
SecurityVulns ID:7091
Type:client
Threat Level:3/10
Description:Browser follows <script> tags within an HTML comment, which violates the HTML standard.
Affected:KDE : KDE 3.5
 APPLE : MacOS X 10.4
 KDE : Konqueror 3.5
CVE:CVE-2007-0537 (The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478.)
 CVE-2007-0478 (Apple Safari does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment.)
Original document:Jose Avila III, Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability (24.01.2007)

Multiple mobile phones bluetooth DoS
Published:24.01.2007
Source:
SecurityVulns ID:7092
Type:remote
Threat Level:4/10
Description:A flood of ussp-push messages blocks the user interface with multiple download prompt messages.
Affected:NOKIA : Nokia N70
 SONYERICSSON : Sony Ericsson K700i
 MOTOROLLA : MOTORAZR V3
 SONYERICSSON : Sony Ericsson W810i
 LG : Chocolate KG800
CVE:CVE-2007-0524 (The LG Chocolate KG800 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.)
 CVE-2007-0523 (The Nokia N70 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.)
 CVE-2007-0522 (The Motorola MOTORAZR V3 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.)
 CVE-2007-0521 (The Sony Ericsson K700i and W810i phones allow remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.)
Original document:Armin Hornung, Bluetooth DoS by obex push (24.01.2007)
Files:Bluetooth DoS by obex push PoC

xine-ui format string vulnerability
Published:24.01.2007
Source:
SecurityVulns ID:7093
Type:client
Threat Level:5/10
Description:Format string vulnerability in errors_create_window() when parsing media files.
Affected:XINE : xine-ui 0.99
CVE:CVE-2007-0254 (Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors.)
Original document:saik0pod_(at)_yahoo.com, Xine-ui format string Vulnerabilties. (24.01.2007)

OpenLDAP installation symbolic links vulnerability
Published:24.01.2007
Source:
SecurityVulns ID:7094
Type:remote
Threat Level:4/10
Description:Insecure temporary file creation in the gencert.sh installation script.
Affected:OPENLDAP : OpenLDAP 2.2
 OPENLDAP : OpenLDAP 2.1
 OPENLDAP : OpenLDAP 2.3
CVE:CVE-2007-0476 (The gencert.sh script, when installing OpenLDAP before 2.1.30-r10, 2.2.x before 2.2.28-r7, and 2.3.x before 2.3.30-r2 as an ebuild in Gentoo Linux, does not create temporary directories in /tmp securely during emerge, which allows local users to overwrite arbitrary files via a symlink attack.)
Original document:GENTOO, [ GLSA 200701-19 ] OpenLDAP: Insecure usage of /tmp during installation (24.01.2007)

Multiple IP Phones unauthorized access
Published:24.01.2007
Source:
SecurityVulns ID:7095
Type:remote
Threat Level:5/10
Description:After an administrative login, it is possible to access the administration interface from any IP without password validation.
Affected:ATCOM : ATCOM AT-320ED
 ATCOM : ATCOM AT-323
 IPLINK : JR168_100B
 IPLINK : JR168_100W
 IPLINK : JR168_200
 NETWEBGROUP : Netweb 401
 NETWEBGROUP : Netweb 402
 WUCHAN : Wuchuan HOP-1001
 WUCHAN : Wuchuan HOP-1002
 WUCHAN : Wuchuan HOP-1003
 GIPTEL : Giptel G100
 SIPTRONIC : Siptronic ST-100
 SIPTRONIC : Siptronic ST-150
 MERITLINE : KE1020 Netphone
 MERITLINE : Meritline ML210
 INTEGRATEDNETWOR : Integrated Networks IN-1002
 ARTDIO : ArtDio IPF-2000
 ARTDIO : ArtDio IPF-2002L
 PERFECTONE : Perfectone IP300
CVE:CVE-2007-0528 (The admin web console implemented by the Centrality Communications (aka Aredfox) PA168 chipset and firmware 1.54 and earlier, as provided by various IP phones, does not require passwords or authentication tokens when using HTTP, which allows remote attackers to connect to existing superuser sessions and obtain sensitive information (passwords and configuration data).)
Original document:ProCheckUp Research, PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability (24.01.2007)
Files:Multiple IP phones remote administrator login check

Microsoft Visual Studio buffer overflow
Published:24.01.2007
Source:
SecurityVulns ID:7096
Type:local
Threat Level:3/10
Description:Buffer overflows on oversized filenames in different parameters.
Affected:MICROSOFT : Visual Studio 6.0
CVE:CVE-2007-0468 (Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file.)
Original document:porkythepig_(at)_anspi.pl, Microsoft Visual C++ (.RC) resource files buffer overflow vulnerability (24.01.2007)
Files:Microsoft Visual C++ 6.0 SP6 resource compiler buffer overflow vulnerability .rc resource files exploit

Cisco routers memory leak DoS
Published:24.01.2007
Source:
SecurityVulns ID:7097
Type:remote
Threat Level:6/10
Description:Memory leak on incoming TCP packets.
Affected:CISCO : IOS 12.0
 CISCO : IOS 12.1
 CISCO : IOS 12.2
 CISCO : IOS 12.3
 CISCO : IOS 12.4
CVE:CVE-2007-0479 (Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device.)
Original document:CISCO, [Full-disclosure] Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service (24.01.2007)

Sienzo Digital Music Mentor ActiveX buffer overflow
Published:24.01.2007
Source:
SecurityVulns ID:7098
Type:client
Threat Level:5/10
Description:Buffer overflow in NCTAudioFile2.AudioFile SetFormatLikeSample() method.
Affected:SIENZO : Sienzo Digital Music Mentor 2.6
CVE:CVE-2007-0018 (Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD B)
Original document:SECUNIA, [Full-disclosure] Secunia Research: Sienzo Digital Music Mentor NCTAudioFile2 ActiveX Control Buffer Overflow (24.01.2007)

Cisco routers IPv6 DoS
Published:24.01.2007
Source:
SecurityVulns ID:7100
Type:remote
Threat Level:6/10
Description:Router crash on parsing IPv6 packet RH (routing header).
Affected:CISCO : IOS 12.0
 CISCO : IOS 12.1
 CISCO : IOS 12.2
 CISCO : IOS 12.3
 CISCO : IOS 12.4
CVE:CVE-2007-0481 (Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header.)
Original document:CISCO, [Full-disclosure] Cisco Security Advisory: IPv6 Routing Header Vulnerability (24.01.2007)

Apple Mac OS X UserNotificationCenter privilege escalation
Published:24.01.2007
Source:
SecurityVulns ID:7101
Type:local
Threat Level:6/10
Description:Application doesn't drop wheel group privileges.
Affected:APPLE : Mac OS X 10.4
CVE:CVE-2007-0023 (The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user.)
Original document:MOAB, MOAB-22-01-2007: Apple UserNotificationCenter Privilege Escalation Vulnerability (24.01.2007)
Files:"Exploit" for Apple UserNotificationCenter Privilege Escalation Vulnerability

Apple QuickDraw libraries memory corruption
Published:24.01.2007
Source:
SecurityVulns ID:7102
Type:library
Threat Level:6/10
Description:Memory corruption on a malformed PICT image ARGB record.
Affected:APPLE : Mac OS X 10.4
CVE:CVE-2007-0588 (The InternalUnpackBits function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT file that triggers memory corruption in the _GetSrcBits32ARGB function. NOTE: this issue might overlap CVE-2007-0462.)
 CVE-2007-0462 (The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption.)
Original document:MOAB, MOAB-23-01-2007: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability (24.01.2007)
Files:Exploits Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

Sun Solaris tip privilege escalation
Published:24.01.2007
Source:
SecurityVulns ID:7103
Type:local
Threat Level:5/10
Description:Privilege escalation to 'uucp' user.
Affected:ORACLE : Solaris 8
 ORACLE : Solaris 9
 ORACLE : Solaris 10
CVE:CVE-2007-0470 (Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors.)
Original document:SECUNIA, [SA23821] Sun Solaris "tip" Command Privilege Escalation (24.01.2007)

pam unauthorized access
Published:24.01.2007
Source:
SecurityVulns ID:7104
Type:remote
Threat Level:5/10
Description:Any password is accepted if password hash contains some set of characters.
Affected:PAM : pam 0.99
CVE:CVE-2007-0003 (pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters.)
Original document:SECUNIA, [SA23858] Linux-PAM Login Bypass Security Vulnerability (24.01.2007)

OpenBSD IPv6 ICMPv6 DoS
Published:24.01.2007
Source:
SecurityVulns ID:7105
Type:remote
Threat Level:5/10
Description:Infinite loop on ICMPv6 packet parsing.
Affected:OPENBSD : OpenBSD 3.9
 OPENBSD : OpenBSD 4.0
CVE:CVE-2007-0343 (OpenBSD before 20070116 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via certain IPv6 ICMP (aka ICMP6) echo request packets.)
Original document:SECUNIA, [SA23830] OpenBSD ICMP6 Denial of Service Vulnerability (24.01.2007)

Sun Ray Server password information leak
Published:24.01.2007
Source:
SecurityVulns ID:7106
Type:local
Threat Level:5/10
Description:The /cgi-bin/mail script records the utadmin administrator's password in a log file.
Affected:SUN : Sun Ray Server Software 3.0
 SUN : Sun Ray Server Software 2.0
CVE:CVE-2007-0482 (cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 allows local users to obtain the utadmin password by reading a web server's log file, or by conducting a different, unspecified local attack.)
Original document:SECUNIA, [SA23900] Sun Ray Server Software Password Disclosure (24.01.2007)

Cisco routers DoS and code execution with IP options
Published:24.01.2007
Source:
SecurityVulns ID:7107
Type:remote
Threat Level:10/10
Description:ICMP, UDP or TCP packets with some IP options set can cause device reload and potentially code execution.
Affected:CISCO : IOS 12.0
 CISCO : IOS 12.1
 CISCO : IOS 12.2
 CISCO : IOS 12.3
 CISCO : IOS XR 3.2
 CISCO : IOS XR 3.4
CVE:CVE-2007-0480 (Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet.)
Original document:CISCO, [Full-disclosure] Cisco Security Advisory: Crafted IP Option Vulnerability (24.01.2007)

NCTsoft multiple applications ActiveX buffer overflow
updated since 24.01.2007
Published:11.05.2007
Source:
SecurityVulns ID:7099
Type:client
Threat Level:5/10
Description:Buffer overflow in NCTAudioFile2.AudioFile SetFormatLikeSample() method.
Affected:NCTSOFT : NCTAudioStudio 2.7
 NCTSOFT : NCTAudioEditor 2.7
 NCTSOFT : NCTDialogicVoice 2.7
 BEARSHARE : BearShare 6.0
CVE:CVE-2007-0018 (Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD B)
Original document:SECUNIA, Secunia Research: BearShare NCTAudioFile2 ActiveX Control Buffer Overflow (11.05.2007)
 SECUNIA, [Full-disclosure] Secunia Research: NCTsoft Products NCTAudioFile2 ActiveX Control Buffer Overflow (24.01.2007)
Files:[PoC] 79 Exes's / IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w
 E NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod