Computer Security


ReactOS multiple security vulnerabilities
Published:29.03.2007
Source:
SecurityVulns ID:7489
Type:remote
Threat Level:5/10
Affected:REACTOS : ReactOS 0.3
CVE:CVE-2007-1724 (Unspecified vulnerability in ReactOS 0.3.1 has unknown impact and attack vectors, related to a fix for "dozens of win32k bugs and failures," in which the fix itself introduces a vulnerability, possibly related to user-mode and kernel-mode copy failures.)

FreeBSD eject buffer overflow
Published:29.03.2007
Source:
SecurityVulns ID:7490
Type:remote
Threat Level:5/10
Description:Buffer overflow in -t option.
Affected:MCWEJECT : mcweject 0.9
CVE:CVE-2007-1719 (Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name.)
Files:local root exploit for bsd's eject.c

PHP mail() function invalid characters processing
Published:29.03.2007
Source:
SecurityVulns ID:7491
Type:library
Threat Level:5/10
Description:Unfiltered \r\n and \0 characters allow string injection and header truncation.
Affected:PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1718 (CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.)
 CVE-2007-1717 (The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.)
Original document:PHP-SECURITY, MOPB-34-2007:PHP mail() Header Injection Through Subject and To Parameters (29.03.2007)
 PHP-SECURITY, MOPB-33-2007:PHP mail() Message ASCIIZ Byte Truncation (29.03.2007)

PHP read_file safe_mode protection bypass
Published:29.03.2007
Source:
SecurityVulns ID:7493
Type:local
Threat Level:6/10
Description:It is possible to bypass the protection by prefixing the filename with php://../../.
Affected:PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1710 (The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded a "php://../../" sequence.)
Original document:xp1o_(at)_msn.com, readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4 (29.03.2007)

Linux pam_console privilege escalation
Published:29.03.2007
Source:
SecurityVulns ID:7494
Type:local
Threat Level:5/10
Description:Incorrect device permission handling when several users are logged in.
CVE:CVE-2007-1716 (pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges.)

B21Soft BASP21 SMTP lines injections
Published:29.03.2007
Source:
SecurityVulns ID:7495
Type:remote
Threat Level:5/10
Description:Incorrect handling of the "." character allows SMTP commands to be injected into the message.
Affected:B21SOFT : BASP21 2003.0211
 B21SOFT : BASP21 Pro 1.0
CVE:CVE-2007-1713 (CRLF injection vulnerability in BSMTP.DLL in B21Soft BASP21 2003.0211, and BASP21 Pro 1.0.702.27 and earlier, allows remote attackers to inject arbitrary headers into e-mail messages via CRLF sequences in Subject lines.)

ZZIPlib / zzcat buffer overflow
Published:29.03.2007
Source:
SecurityVulns ID:7496
Type:library
Threat Level:5/10
Description:Stack buffer overflow (stack overrun) on oversized filename.
Affected:ZZIPLIB : ZZIPlib 0.13
CVE:CVE-2007-1614 (Stack-based buffer overflow in the zzip_open_shared_io function in zzip/file.c in ZZIPlib Library before 0.13.49 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long filename.)

Linux IPv6 socket double memory free vulnerability
Published:29.03.2007
Source:
SecurityVulns ID:7497
Type:remote
Threat Level:5/10
Description:Double memory free in ipv6_fl_socklist.
Affected:LINUX : kernel 2.4
 LINUX : kernel 2.6
CVE:CVE-2007-1592 (net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.)

MyServer privilege escalation
Published:29.03.2007
Source:
SecurityVulns ID:7498
Type:local
Threat Level:5/10
Description:setuid() is called before setgid() for CGI applications.
Affected:MYSERVER : MyServer 0.8
CVE:CVE-2007-1588 (server.cpp in MyServer 0.8.5 calls Process::setuid before calling Process::setgid and thus does not properly drop privileges, which might allow remote attackers to execute CGI programs with unintended privileges.)

FTPDMIN special DOS device access
Published:29.03.2007
Source:
SecurityVulns ID:7499
Type:remote
Threat Level:5/10
Description:Access to special device names (such as //A:) causes a DoS against the application.
Affected:FTPDMIN : ftpdmin 0.96
CVE:CVE-2007-1580 (FTPDMIN 0.96 allows remote attackers to cause a denial of service (daemon crash) via a LIST command for a Windows drive letter, as demonstrated using "//A:". NOTE: this has been reported as a buffer overflow by some sources, but there is not a long argument.)

Inkscape multiple security vulnerabilities
Published:29.03.2007
Source:
SecurityVulns ID:7500
Type:client
Threat Level:5/10
Description:Format string vulnerability when displaying URIs; security problems in the Jabber (whiteboard) protocol.
Affected:INKSCAPE : Inkscape 0.45
CVE:CVE-2007-1464 (Format string vulnerability in the whiteboard Jabber protocol in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors.)
 CVE-2007-1463 (Format string vulnerability in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a URI, which is not properly handled by certain dialogs.)

Avant Browser buffer overflow
Published:29.03.2007
Source:
SecurityVulns ID:7503
Type:client
Threat Level:6/10
Description:Buffer overflow on oversized Content-Type: header.
Affected:AVANT : Avant Browser 11.0
CVE:CVE-2007-1501 (Stack-based buffer overflow in Avant Browser 11.0 build 26 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Content-Type HTTP header.)
Files:Avant Browser (ALL Version) Remote Stack OverFlow (Crash)

Microsoft Vista ATI drivers vulnerability
Published:29.03.2007
Source:
SecurityVulns ID:7504
Type:library
Threat Level:6/10
Description:Blue Screen of Death while displaying images.
Affected:MICROSOFT : Windows Vista
CVE:CVE-2007-1763 (The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows user-assisted remote attackers to cause a denial of service (crash) via a crafted JPG image, as demonstrated by a slideshow, possibly due to a buffer overflow.)
Original document:Michał Majchrowicz, [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability (29.03.2007)
Files:Vista ATI drivers BSOD

FastStone Viewer buffer overflow
Published:29.03.2007
Source:
SecurityVulns ID:7505
Type:client
Threat Level:5/10
Description:Stack buffer overflow during JPEG parsing.
Affected:FASTSTONE : FastStone Image Viewer 2.8
CVE:CVE-2007-1764 (Stack-based buffer overflow in FastStone Image Viewer 2.8 allows user-assisted remote attackers to execute arbitrary code via a crafted JPG image.)
Original document:3APA3A, Re: [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability (29.03.2007)
Files:Vista ATI drivers BSOD

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:29.03.2007
Source:
SecurityVulns ID:7506
Type:remote
Threat Level:5/10
Description:PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:MSXSTUDIOS : Advanced Login 0.7
 XOOPS : Friendfinder 3.3 Xoops Module
CVE:CVE-2007-1766 (PHP remote file inclusion vulnerability in login/engine/db/profiledit.php in Advanced Login 0.76 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter.)
Original document:Bithedz_(at)_gmail.com, Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability (29.03.2007)
Files:Xoops Module Friendfinder <= 3.3 (view.php id) BLIND SQL Injection Exploit

DataDomain Web interface unfiltered shell characters
Published:29.03.2007
Source:
SecurityVulns ID:7507
Type:local
Threat Level:5/10
Description:Unfiltered shell characters vulnerability in multiple Web interface commands.
Affected:DATADOMAIN : Data Domain 4.0
CVE:CVE-2007-1836 (The command line administration interface in Data Domain OS before 4.0.3.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in certain arguments to various commands, as demonstrated by the interface argument to the (1) ifconfig and (2) ping commands.)
Original document:Elliot Kendall, Arbitrary Command Execution in DataDomain Administrator Interface (29.03.2007)

PHP zip_entry_read() function integer overflow
updated since 29.03.2007
Published:31.03.2007
Source:
SecurityVulns ID:7492
Type:library
Threat Level:6/10
Description:Integer overflow leading to a heap buffer overflow.
Affected:PHP : PHP 4.4
CVE:CVE-2007-1777 (Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 allows remote attackers to execute arbitrary code via a ZIP archive that contains an entry with a length value of 0xffffffff, which is incremented before use in an emalloc call, triggering a heap overflow.)
Original document:PHP-SECURITY, MOPB-35-2007:PHP 4 zip_entry_read() Integer Overflow Vulnerability (29.03.2007)
Files:PHP 4 zip_entry_read() Integer Overflow Vulnerability
 PHP 4 zip_entry_read() Integer Overflow Vulnerability (test archive)

Microsoft Vista IPv6 multiple security vulnerability
updated since 29.03.2007
Published:04.04.2007
Source:
SecurityVulns ID:7502
Type:remote
Threat Level:6/10
Description:Multiple DoS conditions and spoofing possibilities.
Affected:MICROSOFT : Windows Vista
CVE:CVE-2007-1535 (Microsoft Windows Vista establishes a Teredo address without user action upon connection to the Internet, contrary to documentation that Teredo is inactive without user action, which increases the attack surface and allows remote attackers to communicate via Teredo.)
 CVE-2007-1534 (DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 for 2 minutes after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port during the time window.)
 CVE-2007-1533 (The Teredo implementation in Microsoft Windows Vista uses the same nonce for communication with different UDP ports within a solicitation session, which makes it easier for remote attackers to spoof the nonce through brute force attacks.)
 CVE-2007-1532 (The neighbor discovery implementation in Microsoft Windows Vista allows remote attackers to conduct a redirect attack by (1) responding to queries by sending spoofed Neighbor Advertisements or (2) blindly sending Neighbor Advertisements.)
 CVE-2007-1531 (Microsoft Windows XP and Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of network access) by sending a gratuitous ARP for the address of the Vista host.)
 CVE-2007-1530 (The LLTD Mapper in Microsoft Windows Vista does not properly gather responses to EMIT packets, which allows remote attackers to cause a denial of service (mapping failure) by omitting an ACK response, which triggers an XML syntax error.)
 CVE-2007-1529 (The LLTD Responder in Microsoft Windows Vista does not send the Mapper a response to a DISCOVERY packet if another host has sent a spoofed response first, which allows remote attackers to spoof arbitrary hosts via a network-based race condition, aka the "Total Spoof" attack.)
 CVE-2007-1528 (The LLTD Mapper in Microsoft Windows Vista allows remote attackers to spoof hosts, and nonexistent bridge relationships, into the network topology map by using a MAC address that differs from the MAC address provided in the Real Source field of the LLTD BASE header of a HELLO packet, aka the "Spoof on Bridge" attack.)
 CVE-2007-1527 (The LLTD Mapper in Microsoft Windows Vista does not verify that an IP address in a TLV type 0x07 field in a HELLO packet corresponds to a valid IP address for the local network, which allows remote attackers to trick users into communicating with an external host by sending a HELLO packet with the MW characteristic and a spoofed TLV type 0x07 field, aka the "Spoof and Management URL IP Redirect" attack.)
Original document:Jim Hoagland, Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation (04.04.2007)
Files:New report on Windows Vista network attack surface

Multiple OpenOffice security vulnerabilities
updated since 29.03.2007
Published:05.04.2007
Source:
SecurityVulns ID:7501
Type:client
Threat Level:6/10
Description:Shell metacharacter problem on document open; code execution.
Affected:OPENOFFICE : OpenOffice 1.1
 OPENOFFICE : OpenOffice 2.0
 OPENOFFICE : OpenOffice 2.1
CVE:CVE-2007-0239 (OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document.)
 CVE-2007-0238 (Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note.)
Original document:NGSSoftware Insight Security Research Advisory (NISR), High Risk Vulnerability in OpenOffice (05.04.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod