 |
|
|
|
| PHP session.save_path open_basedir protection bypass | | Published: |  | 31.03.2007 | | Source: |  | BUGTRAQ | | SecurityVulns ID: |  | 7513 | | Type: |  | library | | Level: |  | 5/10 | | Description: |  | It's possible to create file in any directory by using environment variables. |
| Affected: |  | PHP : PHP 4.4 | | | | PHP : PHP 5.2 | | CVE: |  | CVE-2007-1835 (PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.) |
| PHP printf() integer overflow | | Published: | | 31.03.2007 | | Source: | | PHP-SECURITY | | SecurityVulns ID: | | 7515 | | Type: | | library | | Level: | | 6/10 | | Description: | | Integer overflow on 64-bit systems. |
| Affected: | | PHP : PHP 4.4 | | | | PHP : PHP 5.2 | | CVE: | | CVE-2007-1884 (Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.) |
dproxy DNS proxy buffer overflow
updated since 23.03.2007 | | Published: | | 31.03.2007 | | Source: | | FULL-DISCLOSURE | | SecurityVulns ID: | | 7455 | | Type: | | remote | | Level: | | 6/10 | | Description: | | Buffer overflow on oversized DNS request UDP packet (UDP/53). |
| Affected: | | DPROXY : dproxy 0.5 | | | | DPROXY : dproxy-nexgen | | CVE: | | CVE-2007-1866 (Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465.) | | | | CVE-2007-1465 (Stack-based buffer overflow in dproxy.c for dproxy 0.1 through 0.5 allows remote attackers to execute arbitrary code via a long DNS query packet to UDP port 53.) |
PHP zip_entry_read() function integer overflow
updated since 29.03.2007 | | Published: | | 31.03.2007 | | Source: | | PHP-SECURITY | | SecurityVulns ID: | | 7492 | | Type: | | library | | Level: | | 6/10 | | Description: | | Integer overflow leads to heap memory buffer overflow. |
| Affected: | | PHP : PHP 4.4 | | CVE: | | CVE-2007-1777 (Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 allows remote attackers to execute arbitrary code via a ZIP archive that contains an entry with a length value of 0xffffffff, which is incremented before use in an emalloc call, triggering a heap overflow.) |
| America Online SuperBuddy ActiveX memory corruption | | Published: | | 31.03.2007 | | Source: | | BUGTRAQ | | SecurityVulns ID: | | 7512 | | Type: | | remote | | Level: | | 5/10 | | Description: | | One of methods allows execute some actions under controllable address. |
| Affected: | | AOL : AOL 9.0 | | CVE: | | CVE-2006-5820 (The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.) |
| PHP iptcembed() function information leak | | Published: | | 31.03.2007 | | Source: | | PHP-SECURITY | | SecurityVulns ID: | | 7514 | | Type: | | remote | | Level: | | 5/10 | | Description: | | Uninitialized memory region is returned on invalid function termination. |
| Affected: | | PHP : PHP 4.4 | | | | PHP : PHP 5.2 | | CVE: | | CVE-2007-1883 (PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to read arbitrary memory locations via an interruption that triggers a user space error handler that changes a parameter to an arbitrary pointer, as demonstrated via the iptcembed function, which calls certain convert_to_* functions with its input parameters.) |
|
|
|
|
|
|
|
|
