Vulnerability Summary for the Week of December 17, 2007

| Primary Vendor — Product | Description | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- |
| Adobe — Flash Player | Unspecified vulnerability in Adobe Flash Player 9.0.48.0 and earlier might allow remote attackers to execute arbitrary code via unknown vectors, related to “input validation errors.” | 9.3 | CVE-2007-6242; OTHER-REF |
| Adobe — Flash Player | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks. | 9.3 | CVE-2007-6243; OTHER-REF, OTHER-REF |
| AdultScript — AdultScript | admin/administrator.php in Adult Script 1.6 and earlier sends a redirect to the web browser but does not exit, which allows remote attackers to bypass authentication and obtain administrative credentials via a direct request. NOTE: this can be leveraged for arbitrary code execution through a request to admin/videolinks_view.php. | 7.5 | CVE-2007-6414; MILW0RM, BID, SECUNIA |
| Aertherwide — exiftags | Unspecified vulnerability in exiftags before 1.01 has unknown impact and attack vectors, resulting from a “field offset overflow,” a different vulnerability than CVE-2007-6355. | 10.0 | CVE-2007-6354; OTHER-REF, SECUNIA |
| Aertherwide — exiftags | Unspecified vulnerability in exiftags before 1.01 has unknown impact and attack vectors, resulting from a “field offset overflow,” a different vulnerability than CVE-2007-6354. | 10.0 | CVE-2007-6355; OTHER-REF, SECUNIA |
| Apple — Mac OS X | Format string vulnerability in Address Book in Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary code via the URL handler. | 9.3 | CVE-2007-4708; APPLE |
| Apple — Mac OS X | Directory traversal vulnerability in CFNetwork in Apple Mac OS X 10.5.1 allows remote attackers to overwrite arbitrary files via a crafted HTTP response. | 8.8 | CVE-2007-4709; APPLE |
| Apple — Mac OS X | Unspecified vulnerability in ColorSync in Apple Mac OS X 10.4.11 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via an image with a crafted ColorSync profile, which triggers memory corruption. | 9.3 | CVE-2007-4710; APPLE |
| Apple — Mac OS X | Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service. | 7.2 | CVE-2007-5848; APPLE |
| Apple — Mac OS X | Integer underflow in CUPS in Apple Mac OS X 10.5.1, when SNMP is enabled, allows remote attackers to execute arbitrary code via a crafted SNMP response that triggers a stack-based buffer overflow. | 9.3 | CVE-2007-5849; APPLE |
| Apple — Mac OS X | Heap-based buffer overflow in Desktop Services in Apple Mac OS X 10.4.11 allows user-assisted attackers to execute arbitrary code via a directory with a crafted .DS_Store file. | 8.8 | CVE-2007-5850; APPLE |
| Apple — Mac OS X | Unspecified vulnerability in IO Storage Family in Apple Mac OS X 10.4.11 allows user-assisted attackers to cause a denial of service (system shutdown) or execute arbitrary code via a disk image with crafted GUID partition maps, which triggers memory corruption. | 9.3 | CVE-2007-5853; APPLE |
| Apple — Mac OS X | Quick Look in Apple Mac OS X 10.5.1, when previewing an HTML file, does not prevent plug-ins from making network requests, which might allow remote attackers to obtain sensitive information. | 9.4 | CVE-2007-5856; APPLE |
| Apple — Safari | Unspecified vulnerability in Safari RSS in Apple Mac OS X 10.4.11 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted feed: URL that triggers memory corruption. | 9.3 | CVE-2007-5859; APPLE |
| Apple — Mac OS X Server; Apple — Mac OS X | Unspecified vulnerability in Spin Tracer in Apple Mac OS X 10.5.1 allows local users to execute arbitrary code via unspecified output files, involving an “insecure file operation.” | 7.2 | CVE-2007-5860; APPLE |
| Apple — Mac OS X | Java in Mac OS X 10.4 through 10.4.11 allows remote attackers to bypass Keychain access controls and add or delete arbitrary Keychain items via a crafted Java applet. | 9.4 | CVE-2007-5862; OTHER-REF, APPLE, BID, FRSIRT, SECUNIA |
| Apple — Mac OS X Server; Apple — Mac OS X | Software Update in Apple Mac OS X 10.5.1 allows remote attackers to execute arbitrary commands via a man-in-the-middle (MITM) attack between the client and the server, using a modified distribution definition file with the “allow-external-scripts” option. | 9.3 | CVE-2007-5863; APPLE |
| Cisco — IP Phone Model 7940 | Cisco IP Phone 7940 with firmware P0S3-08-7-00 allows remote attackers to cause a denial of service (“486 Busy” responses or device reboot) via a sequence of SIP INVITE transactions in which the Request-URI lacks a user name, a different vulnerability than CVE-2007-4459. | 7.8 | CVE-2007-5583; FULLDISC, MILW0RM, BID, XF |
| Cisco — FWSM | Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.2(3) allows remote attackers to cause a denial of service (device reload) via crafted “data in the control-plane path with Layer 7 Application Inspections.” | 7.8 | CVE-2007-5584; CISCO, BID, XF |
| Cisco — IP Phone Model 7940 | Cisco IP Phone 7940 with firmware P0S3-08-7-00 allows remote attackers to cause a denial of service (“486 Busy” responses or device reboot) via a sequence of SIP INVITE transactions in which the Request-URI lacks a user name, a different vulnerability than CVE-2007-4459. | 7.8 | CVE-2007-6370; FULLDISC, MILW0RM, BID, XF |
| Clam Anti-Virus — ClamAV | Integer overflow in libclamav in ClamAV before 0.92 allows remote attackers to execute arbitrary code via a crafted MEW packed PE file, which triggers a heap-based buffer overflow. | 7.5 | CVE-2007-6335; IDEFENSE, DEBIAN, SECUNIA |
| Ethereal Group — Ethereal; Wireshark — Wireshark | Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to cause a denial of service (crash) via a malformed RPC Portmap packet. | 7.8 | CVE-2007-6449; OTHER-REF |
| exiv2 — exiv2 | Integer overflow in exif.cpp in the exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. | 7.5 | CVE-2007-6353; OTHER-REF, SECUNIA |
| Falcon — Series One CMS | Multiple cross-site scripting (XSS) vulnerabilities in Falcon Series One CMS 1.4.3 allow remote attackers to inject arbitrary web script or HTML via the (1) gb_mail, (2) gb_name, and (3) gb_text parameters in a guestbook action to index.php, and unspecified other vectors. | 7.5 | CVE-2007-6489; MILW0RM, FRSIRT, SECUNIA |
| FreeWebShop — FreeWebShop | Multiple SQL injection vulnerabilities in index.php in FreeWebshop 2.2.1 allow remote attackers to execute arbitrary SQL commands via (1) the prod parameter in a details action, (2) the cat parameter in a browse list action, or (3) the group parameter in a categories action. | 7.5 | CVE-2007-6466; OTHER-REF, BID |
| Gesytec Easylon — OPC Server | Gesytec Easylon OPC Server before 2.3.44 does not properly validate server handles, which allows remote attackers to execute arbitrary code or cause a denial of service via unspecified network traffic to the OLE for Process Control (OPC) interface, probably related to free operations on arbitrary memory addresses through certain Remove functions, and read and write operations on arbitrary memory addresses through certain Set, Read, and Write functions. | 10.0 | CVE-2007-4473; OTHER-REF, OTHER-REF, CERT-VN |
| Hammer of Thyrion — Hammer of Thyrion | Buffer overflow in the HuffDecode function in hw_utils/hwrcon/huffman.c and hexenworld/Client/huffman.c in Hammer of Thyrion 1.4.2 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted Huffman-encoded packet. NOTE: some of these details are obtained from third party information. | 9.3 | CVE-2007-6468; OTHER-REF, OTHER-REF, OTHER-REF, SECUNIA |
| Hosting Controller — Hosting Controller | Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers to obtain login access via a request to hosting/addreseller.asp with a username in the reseller parameter, followed by a request to AdminSettings/displays.asp with the DecideAction and ChangeSkin parameters. | 10.0 | CVE-2007-6494; BUGTRAQ, MILW0RM, BID, XF |
| Hosting Controller — Hosting Controller | Hosting Controller 6.1 Hot fix 3.3 and earlier (1) allows remote attackers to change arbitrary user profiles via a request to Hosting/Addreseller.asp with modified loginname and email parameters; and (2) allows remote authenticated users to change a credit amount and increase a discount via an UpdateUser action to Accounts/AccountActions.asp with modified UserName, FullName, CreditLimit, and DefaultDiscount parameters, a related issue to CVE-2005-2219. | 7.5 | CVE-2007-6497; BUGTRAQ, MILW0RM, BID |
| Hosting Controller — Hosting Controller | Multiple SQL injection vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) email and (2) loginname parameters to Hosting/Addreseller.asp, (3) the sortfield parameter to accounts/accountmanager.asp, (4) the GateWayID parameter to OpenApi/GatewayVariables.asp, and possibly (5) unspecified vectors to IIS/iibind.asp. | 7.5 | CVE-2007-6498; BUGTRAQ, MILW0RM, BID, XF |
| HP — Software Update | The HPRulesEngine.ContentCollection.1 ActiveX Control in RulesEngine.dll for HP Software Update 3.0.8.4 allows remote attackers to (1) overwrite and corrupt arbitrary files via arguments to the SaveToFile method, and possibly (2) access arbitrary files via the LoadDataFromFile method. | 9.3 | CVE-2007-6506; OTHER-REF, BID, FRSIRT, SECTRACK, SECUNIA |
| iMesh.com — iMesh | The IMWeb.IMWebControl.1 ActiveX control in IMWeb.dll 7.0.0.x, and possibly IMWebControl.dll, in iMesh 7.1.0.x and earlier allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via an empty string in the argument to the ProcessRequestEx method. | 7.1 | CVE-2007-6492; OTHER-REF, SECUNIA |
| iMesh.com — iMesh | The IMWeb.IMWebControl.1 ActiveX control in IMWeb.dll 7.0.0.x, and possibly IMWebControl.dll, in iMesh 7.1.0.x and earlier allows remote attackers to execute arbitrary code via a certain argument to the SetHandler method. | 10.0 | CVE-2007-6493; OTHER-REF, SECUNIA |
| JBoss — Seam | The getRenderedEjbql method in the org.jboss.seam.framework.Query class in JBoss Seam 2.x before 2.0.0.CR3 allows remote attackers to inject and execute arbitrary EJBQL commands via the order parameter. | 7.5 | CVE-2007-6433; OTHER-REF, OTHER-REF, FRSIRT, SECUNIA |
| Justsystem — Ichitaro | Stack-based buffer overflow in JSGCI.DLL in JustSystems Ichitaro 2005, 2006, and 2007 allows user-assisted remote attackers to execute arbitrary code via a crafted document, as actively exploited in December 2007 by the Tarodrop.F trojan. NOTE: some of these details are obtained from third party information. | 9.3 | CVE-2007-6436; OTHER-REF, FRSIRT, SECUNIA, XF |
| Kvaliitti — WebDoc CMS | Multiple SQL injection vulnerabilities in Kvaliitti WebDoc 3.0 CMS allow remote attackers to execute arbitrary SQL commands via (1) the cat_id parameter to categories.asp; and probably (2) the document_id parameter to categories.asp, and the (3) cat_id and (4) document_id parameters to subcategory.asp. | 10.0 | CVE-2007-6491; BUGTRAQ |
| Linux — Kernel | Linux kernel 2.6.22 and earlier, and possibly other versions, does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (kernel panic) via a crafted IPv6 packet. | 7.8 | CVE-2007-4567; UBUNTU |
| Linux — Kernel | Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third party information. | 7.2 | CVE-2007-5966; OTHER-REF, BID, FRSIRT, SECUNIA |
| Linux — Kernel | The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly allocate memory in some circumstances, which might allow local users to read sensitive kernel data or cause a denial of service (crash). | 7.2 | CVE-2007-6417; MLIST, MLIST, MLIST |
| MKPortal — MKPortal | SQL injection vulnerability in index.php in MKPortal 1.1 RC1 allows remote attackers to execute arbitrary SQL commands via the ida parameter in a gallery foto_show action. | 7.5 | CVE-2007-6467; BUGTRAQ, BID, XF |
| my123tkShop — e-Commerce-Suite | SQL injection vulnerability in shop/mainfile.php in 123tkShop 0.9.1 allows remote attackers to execute arbitrary SQL commands via a base64-encoded value of the admin parameter to shop/admin.php. | 7.5 | CVE-2007-6458; MILW0RM, BID |
| Novell — Groupwise | Stack-based buffer overflow in Novell GroupWise before 6.5.7, when HTML preview of e-mail is enabled, allows user-assisted remote attackers to execute arbitrary code via a long SRC attribute in an IMG element when forwarding or replying to a crafted e-mail. | 9.3 | CVE-2007-6435; BUGTRAQ, OTHER-REF, BID, SECTRACK, XF |
| PeerCast — PeerCast | Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request. | 10.0 | CVE-2007-6454; BUGTRAQ, OTHER-REF, BID, FRSIRT, SECUNIA, XF |
| Perforce — P4Web | P4Webs.exe in Perforce P4Web 2006.2 and earlier, when running on Windows, allows remote attackers to cause a denial of service (CPU consumption) via an HTTP request with an empty body and a Content-Length greater than 0. | 7.8 | CVE-2007-6349; BUGTRAQ, OTHER-REF, BID, SECUNIA |
| PHP Real Estate Classifieds — PHP Real Estate Classifieds Premium Plus | SQL injection vulnerability in fullnews.php in PHP Real Estate Classifieds allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 | CVE-2007-6462; MILW0RM, OTHER-REF, BID |
| phpMyRealty — phpMyRealty | Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 allow (1) remote attackers to execute arbitrary SQL commands via the type parameter to search.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the listing_updated_days parameter to admin/findlistings.php. NOTE: some of these details are obtained from third party information. | 7.5 | CVE-2007-6472; MILW0RM, SECUNIA |
| phpRPG — phpRPG | SQL injection vulnerability in index.php in phpRPG 0.8, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. | 9.3 | CVE-2007-6469; BUGTRAQ, BID, SECUNIA |
| Planamesa — NeoOffice | Unspecified vulnerability in OpenOffice.org code in Planamesa NeoOffice 2.2.2 before Patch 4 has unknown impact and attack vectors related to MacOS 10.3.9 .odb files. NOTE: it is not clear whether this issue is a vulnerability. | 10.0 | CVE-2007-6456; OTHER-REF, BID, SECUNIA, XF |
| St. Bernard — Open File Manager | Heap-based buffer overflow in the Open File Manager service (ofmnt.exe) in St. Bernard Open File Manager 9.5 allows remote attackers to execute arbitrary code via a long request. | 10.0 | CVE-2007-6281; FULLDISC, OTHER-REF, BID, SECUNIA |
| Sun — Solaris | Sun Solaris 10 with the 120011-04 and 120012-04 patches, and later 120011-* and 120012-* patches, allows remote attackers to bypass certain netgroup restrictions and obtain root access to a filesystem via NFS requests from a client root user. | 9.3 | CVE-2007-6413; SUNALERT, FRSIRT, SECUNIA |
| Sun — Management Center | The Oracle database component in Sun Management Center (Sun MC) 3.6.1, 3.6, and 3.5 Update 1 has a default account, which allows remote attackers to obtain database access and execute arbitrary code. | 9.4 | CVE-2007-6480; SUNALERT, SECUNIA |
| Sun — Ray Server Software | Unspecified vulnerability in the Device Manager daemon (utdevmgrd) in Sun Ray Server Software 2.0, 3.0, 3.1, and 3.1.1 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. | 7.8 | CVE-2007-6482; SUNALERT, BID, SECUNIA |
| Trend Micro — ServerProtect | The SpntSvc.exe daemon in Trend Micro ServerProtect 5.58 for Windows, before Security Patch 4, exposes unspecified dangerous sub-functions from StRpcSrv.dll in the DCE/RPC interface, which allows remote attackers to obtain “full file system access” and execute arbitrary code. | 10.0 | CVE-2007-6507; BUGTRAQ, OTHER-REF, OTHER-REF, BID, SECUNIA |
| Wireshark — Wireshark | Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite or large loop) via the (1) Firebird/Interbase, (2) DCP ETSI, (3) IPv6, or (4) USB dissector, which can trigger resource consumption or a crash. | 7.8 | CVE-2007-6439; OTHER-REF |
| Wireshark — Wireshark | Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors related to “unaligned access on some platforms.” | 7.8 | CVE-2007-6441; OTHER-REF |
| Wireshark — Wireshark | Wireshark (formerly Ethereal) 0.99.5 to 0.99.6 allows remote attackers to cause a denial of service (large loop) via a malformed DNP packet. | 7.8 | CVE-2007-6444; OTHER-REF |
| Wireshark — Wireshark | Unspecified vulnerability in the HTTP dissector for Wireshark (formerly Ethereal) 0.10.14 to 0.99.6, when running on “some systems,” allows remote attackers to cause a denial of service (crash) via crafted chunked messages. | 7.8 | CVE-2007-6445; OTHER-REF |
| Wireshark — Wireshark | Buffer overflow in the iSeries (OS/400) Communication trace file parser in Wireshark (formerly Ethereal) 0.99.0 to 0.99.6 might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. | 7.5 | CVE-2007-6447; OTHER-REF |
| Wireshark — Wireshark | The Bluetooth SDP dissector in Wireshark (formerly Ethereal) 0.99.2 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. | 7.8 | CVE-2007-6448; OTHER-REF |
| Wireshark — Wireshark | The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. | 7.8 | CVE-2007-6450; OTHER-REF |
| Wireshark — Wireshark | Unspecified vulnerability in the CIP dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger allocation of large amounts of memory. | 7.8 | CVE-2007-6451; OTHER-REF |
| xeCMS — xeCMS | Directory traversal vulnerability in view.php in xeCMS 1.0 allows remote attackers to read arbitrary files via a ..%2F (dot dot slash) in the list parameter. | 7.5 | CVE-2007-6508; BUGTRAQ, MILW0RM, BID |
| Xen — Xen | The copy_to_user function in the PAL emulation functionality for Xen 3.1.2 and earlier, when running on ia64 systems, allows HVM guest users to access arbitrary physical memory by triggering certain mapping operations. | 7.5 | CVE-2007-6416; OTHER-REF |
| Primary Vendor — Product | Description | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- |
| Adobe — Flash Player | Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player 9.x up to 9.0.48.0 and 8.x up to 8.0.35.0 allow remote attackers to inject arbitrary web script or HTML via (1) a SWF file that uses the asfunction: protocol or (2) the navigateToURL function when used with the Flash Player ActiveX Control in Internet Explorer. | 4.3 | CVE-2007-6244; OTHER-REF |
| Adobe — Flash Player | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 allows remote attackers to modify HTTP headers for client requests and conduct HTTP Request Splitting attacks. | 5.8 | CVE-2007-6245; OTHER-REF |
| Adobe — Flash Player | Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0, when running on Linux, uses insecure permissions for memory, which might allow local users to gain privileges. | 6.9 | CVE-2007-6246; OTHER-REF |
| Aertherwide — exiftags | exiftags before 1.01 allows attackers to cause a denial of service (infinite loop) via recursive IFD references in the EXIF data in a JPEG image. | 5.0 | CVE-2007-6356; OTHER-REF, SECUNIA |
| Anon Proxy Server — Anon Proxy Server | Anon Proxy Server 0.100, and probably 0.101, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the host parameter to diagdns.php, and (2) the host parameter and possibly (3) the port parameter to diagconnect.php, a different vulnerability than CVE-2007-6460. | 6.8 | CVE-2007-6459; BUGTRAQ, MILW0RM, BID |
| Anon Proxy Server — Anon Proxy Server | Multiple cross-site scripting (XSS) vulnerabilities in Anon Proxy Server before 0.101 allow remote attackers to inject arbitrary web script or HTML via the URI, which is later displayed by (1) log.php or (2) logerror.php, a different vulnerability than CVE-2007-6459. | 4.3 | CVE-2007-6460; OTHER-REF, OTHER-REF, OTHER-REF, OTHER-REF |
| Apple — Mac OS X | Stack-based buffer overflow in SMB in Apple Mac OS X 10.4.11 allows local users to execute arbitrary code via crafted command line arguments to (1) mount_smbfs and (2) smbutil. | 6.6 | CVE-2007-3876; APPLE |
| Apple — Mac OS X | Race condition in the CFURLWriteDataAndPropertiesToResource API in Core Foundation in Apple Mac OS X 10.4.11 creates files with insecure permissions, which might allow local users to obtain sensitive information. | 6.6 | CVE-2007-5847; APPLE |
| Apple — Mac OS X | Launch Services in Apple Mac OS X 10.4.11 and 10.5.1 does not treat HTML files as unsafe content, which allows attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via a crafted HTML file. | 4.3 | CVE-2007-5854; APPLE |
| Apple — Mac OS X | Mail in Apple Mac OS X 10.4.11 and 10.5.1, when an SMTP account has been set up using Account Assistant, can use plaintext authentication even when MD5 Challenge-Response authentication is available, which makes it easier for remote attackers to sniff account activity. | 6.4 | CVE-2007-5855; APPLE |
| Apple — Mac OS X | Quick Look in Apple Mac OS X 10.5.1 does not prevent a movie from accessing URLs when the movie file is previewed or if an icon is created, which might allow remote attackers to obtain sensitive information via HREFTrack. | 6.4 | CVE-2007-5857; APPLE |
| Apple — Safari | WebKit in Safari in Apple Mac OS X 10.4.11 and 10.5.1 allows remote attackers to “navigate the subframes of any other page,” which can be leveraged to conduct cross-site scripting (XSS) attacks and obtain sensitive information. | 4.3 | CVE-2007-5858; APPLE |
| Apple — Mac OS X | Unspecified vulnerability in Spotlight in Apple Mac OS X 10.4.11 allows user-assisted attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted .XLS file that triggers memory corruption in the Microsoft Office Spotlight Importer. | 6.8 | CVE-2007-5861; APPLE |
| Asterisk — Asterisk Business Edition; Asterisk — Open Source | Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business Edition B.x.x before B.2.3.6 and C.x.x before C.1.0-beta8, when using database-based registrations (“realtime”) and host-based authentication, does not check the IP address when the username is correct and there is no password, which allows remote attackers to bypass authentication using a valid username. | 4.3 | CVE-2007-6430; BUGTRAQ, OTHER-REF, BID, FRSIRT, SECTRACK, SECUNIA, XF |
| Balabit — syslog-ng Premium Edition; Balabit — syslog-ng Open Source Edition | Balabit syslog-ng 2.0.x before 2.0.6 and 2.1.x before 2.1.8 allows remote attackers to cause a denial of service (crash) via a message with a timestamp that does not contain a trailing space, which triggers a NULL pointer dereference. | 5.0 | CVE-2007-6437; BUGTRAQ, FRSIRT, SECTRACK, SECUNIA, XF |
| Bitweaver — Bitweaver | Direct static code injection vulnerability in wiki/index.php in Bitweaver 2.0.0 and earlier, when comments are enabled, allows remote attackers to inject arbitrary PHP code via an editcomments action. | 6.8 | CVE-2007-6412; BUGTRAQ, OTHER-REF, BID |
| Centreon — Centreon | Multiple PHP remote file inclusion vulnerabilities in Centreon 1.4.1 (aka Oreon 1.4) allow remote attackers to execute arbitrary PHP code via a URL in the fileOreonConf parameter to (1) MakeXML.php or (2) MakeXML4statusCounter.php in include/monitoring/engine/. | 6.8 | CVE-2007-6485; BUGTRAQ, MILW0RM, BID, XF |
| Citrix — Web Interface | Cross-site scripting (XSS) vulnerability in the on-line help feature in Citrix Web Interface 2.0 and earlier, and NFuse, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2007-6477; OTHER-REF, FRSIRT, SECUNIA |
| Clam Anti-Virus — ClamAV | Off-by-one error in ClamAV before 0.92 allows remote attackers to execute arbitrary code via a crafted MS-ZIP file. | 6.8 | CVE-2007-6336; DEBIAN, BID |
| Dokeos — Dokeos | Unrestricted file upload vulnerability in the “My productions” component for main/auth/profile.php (aka the “My profile” page) in Dokeos 1.8.4 allows remote authenticated users to upload and execute arbitrary PHP files via a filename with a double extension, which can then be accessed through a URI under main/upload/users/. | 4.9 | CVE-2007-6479; MILW0RM, SECUNIA |
| Falcon — Series One CMS | Multiple PHP remote file inclusion vulnerabilities in Falcon Series One CMS 1.4.3 allow remote attackers to execute arbitrary PHP code via a URL in (1) the dir[classes] parameter to sitemap.xml.php or (2) the error parameter to errors.php. | 6.8 | CVE-2007-6488; MILW0RM, FRSIRT, SECUNIA |
| Falcon — Series One CMS | Cross-site request forgery (CSRF) vulnerability in Falcon Series One CMS 1.4.3 allows remote attackers to change a password via a certain changepass action to index.php. | 4.3 | CVE-2007-6490; MILW0RM, FRSIRT, SECUNIA |
| Flyspray — Flyspray | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details parameter in a details action, related to the History tab and the getHistory JavaScript function. | 4.3 | CVE-2007-6461; OTHER-REF, SECUNIA |
| Fonality — Trixbox | registry.pl in Fonality Trixbox 2.0 PBX products, when running in certain environments, reads and executes a set of commands from a remote web site without sufficiently validating the origin of the commands, which allows remote attackers to disable trixbox and execute arbitrary commands via a DNS spoofing attack. | 4.3 | CVE-2007-6424; MLIST, OTHER-REF, OTHER-REF |
| Form Tools — Form Tools | Multiple PHP remote file inclusion vulnerabilities in Form tools 1.5.0b allow remote attackers to execute arbitrary PHP code via a URL in the g_root_dir parameter to (1) admin_page_open.php and (2) client_page_open.php in global/templates/. | 6.8 | CVE-2007-6464; MILW0RM |
| Ganglia — Ganglia | Multiple cross-site scripting (XSS) vulnerabilities in ganglia-web in Ganglia before 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) c and (2) h parameters to (a) web/host_gmetrics.php; the (3) G, (4) me, (5) x, (6) n, (7) v, (8) l, (9) vl, and (10) st parameters to (b) web/graph.php; and the (11) c, (12) G, (13) h, (14) r, (15) m, (16) s, (17) cr, (18) hc, (19) sh, (20) p, (21) t, (22) jr, (23) js, (24) gw, (25) z, and (26) gs parameters to (c) web/get_context.php. NOTE: some of these details are obtained from third party information. | 4.3 | CVE-2007-6465; OTHER-REF, SECUNIA |
| Geek-Palace.com — LineShout | Multiple cross-site scripting (XSS) vulnerabilities in shout.php (aka the shoutbox) in LineShout 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username (nickname) or (2) message parameter. NOTE: some of these details are obtained from third party information. | 4.3 | CVE-2007-6486; OTHER-REF, BID, SECUNIA |
| GF_3Xplorer — GF_3Xplorer | Multiple cross-site scripting (XSS) vulnerabilities in GF-3XPLORER 2.4 allow remote attackers to inject arbitrary web script or HTML via the newdir parameter to index_3x.php, and unspecified other vectors. | 4.3 | CVE-2007-6474; MILW0RM, SECUNIA |
| GF_3Xplorer — GF_3Xplorer | Multiple directory traversal vulnerabilities in GF-3XPLORER 2.4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang_sel parameter to (1) updater.php and (2) thumber.php. | 6.4 | CVE-2007-6475; MILW0RM |
| GF_3Xplorer — GF_3Xplorer | GF-3XPLORER 2.4 allows remote attackers to obtain configuration information via a direct request to explorer/phpinfo.php, which calls the phpinfo function. | 5.0 | CVE-2007-6476; MILW0RM, SECUNIA |
| Google — Google Web Toolkit | Unspecified vulnerability in the benchmark reporting system in Google Web Toolkit (GWT) before 1.4.61 has unknown impact and attack vectors, possibly related to cross-site scripting (XSS). | 4.3 | CVE-2007-6452; OTHER-REF, BID, FRSIRT, SECUNIA |
| Hosting Controller — Hosting Controller | inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp. NOTE: this can be leveraged for remote code execution by changing the permissions of Forumdb, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to Forumdb. | 6.5 | CVE-2007-6495; BUGTRAQ, MILW0RM, BID |
| Hosting Controller — Hosting Controller | Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers to register arbitrary users via a request to hosting/addsubsite.asp with the loginname and password parameters set, when preceded by certain requests to hosting/default.asp and hosting/selectdomain.asp, a related issue to CVE-2005-1654. | 6.8 | CVE-2007-6496; BUGTRAQ, MILW0RM, BID, XF |
| Hosting Controller — Hosting Controller | Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to uninstall the FrontPage extensions of an arbitrary account via a request to fp2002/UNINSTAL.asp with a “host id (IIS) value.” | 5.5 | CVE-2007-6499; BUGTRAQ, MILW0RM, BID, XF |
| Hosting Controller — Hosting Controller | Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to delete “gateway information” via a request to OpenApi/GatewayVariables.asp. | 4.9 | CVE-2007-6500; BUGTRAQ, MILW0RM, BID, XF |
| Hosting Controller — Hosting Controller | Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to enable or disable “pay type” via a request to adminsettings/choosetranstype.asp. | 5.5 | CVE-2007-6501; BUGTRAQ, MILW0RM, BID, XF |
| Hosting Controller — Hosting Controller | Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to obtain sensitive information via (1) the AdminName and AdminLevel parameters to fp2000/NEWSRVR.asp, which discloses usernames; and (2) certain XML HTTP requests to hosting/css.asp using Microsoft.XMLHTTP or MSXML2.XMLHTTP objects, which trigger a response with the setup directory pathname in the HTML source; and (3) might allow remote attackers to obtain sensitive information via a request for /admin/forum/, which reveals the path in an error message when a forum is not found. | 5.5 | CVE-2007-6502; BUGTRAQ, MILW0RM, BID, XF, XF |
| Hosting Controller — Hosting Controller | Multiple unspecified vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to (1) import an arbitrary plan via a request to hosting/importhostingplans.asp; or (2) change an arbitrary plan via a request to hosting/AutoSignUpPlans.asp with the (a) save, (b) 30, and (c) d_30 parameters. | 5.5 | CVE-2007-6503; BUGTRAQ, MILW0RM, BID, XF |
| Hosting Controller — Hosting Controller | Unspecified vulnerability in IIS/iibind.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the headers of arbitrary hosts via an unspecified parameter. | 5.5 | CVE-2007-6504; BUGTRAQ, MILW0RM, BID, XF |
| Ingres — Ingres | Ingres 2.5 and 2.6 on Windows, as used in multiple CA products and possibly other products, assigns the privileges and identity of users to be the same as the first user, which allows remote attackers to gain privileges. | 5.0 | CVE-2007-6334; OTHER-REF, OTHER-REF, BID, SECUNIA, SECUNIA |
| KDE — KDE | Unspecified vulnerability in kdebase allows local users to cause a denial of service (KDM login inaccessible, or resource consumption) via unknown vectors. | 4.7 | CVE-2007-5963; BUGTRAQ, OTHER-REF |
| libexif — libexif | libexif 0.6.16 and earlier allows context-dependent attackers to cause a denial of service (infinite recursion) via an image file with crafted EXIF tags. | 4.3 | CVE-2007-6351; OTHER-REF, REDHAT |
| libexif — libexif | Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags. | 6.8 | CVE-2007-6352; REDHAT, REDHAT, BID |
| Mambo — Mambo | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Mambo 4.6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Itemid parameter in a com_frontpage option and the (2) option parameter. | 4.3 | CVE-2007-6455; BUGTRAQ |
| Net_DNS — Net_DNS | Net/DNS/RR/A.pm in Net::DNS 0.60 build 654, as used in packages such as SpamAssassin and OTRS, allows remote attackers to cause a denial of service (program “croak”) via a crafted DNS response. | 5.0 | CVE-2007-6341; OTHER-REF, OTHER-REF, BID, SECTRACK |
| NetWin — SurgeMail | Stack-based buffer overflow in the webmail feature in SurgeMail 38k4 allows remote attackers to cause a denial of service (crash) via a long Host header. | 5.0 | CVE-2007-6457; BUGTRAQ, OTHER-REF, BID, FRSIRT, SECUNIA, XF |
| PHP Real Estate Script — Classifieds | Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in PHP Real Estate Classifieds allow remote attackers to inject arbitrary web script or HTML via unspecified “text areas/boxes.” | 4.3 | CVE-2007-6463; OTHER-REF |
| phPay — phPay | Incomplete blacklist vulnerability in main.php in phPay 2.02.01 on Windows allows remote attackers to conduct directory traversal attacks and include and execute arbitrary local files via a ..\ (dot dot backslash) in the config parameter. | 5.8 | CVE-2007-6471; BUGTRAQ, BID, FRSIRT, SECUNIA |

XF phpRPG — phpRPG phpRPG 0.8 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read session ID values in files under tmp/, and then hijack sessions via PHPSESSID cookies. 6.4 CVE-2007-6470

BUGTRAQ

BID

SECUNIA phpRPG — phpRPG SQL injection vulnerability in index.php in phpRPG 0.8 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 6.8 CVE-2007-6484

SECUNIA Plain Black — WebGUI Unspecified vulnerability in Plain Black WebGUI 7.4.0 through 7.4.17 allows remote authenticated users with Secondary Admin privileges to create Admin accounts, a different vulnerability than CVE-2006-0680. 4.9 CVE-2007-6487

OTHER-REF

OTHER-REF

SECUNIA

XF Raiden Professional Servers — RaidenHTTPD Directory traversal vulnerability in raidenhttpd-admin/workspace.php in RaidenHTTPD 2.0.19, when the WebAdmin function is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ulang parameter. 6.4 CVE-2007-6453

BUGTRAQ

OTHER-REF

BID

SECUNIA Red Hat — Enterprise Linux

Red Hat — Fedora Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named. 4.9 CVE-2007-6283

OTHER-REF Rosoft Engineering — Rosoft Media Player Stack-based buffer overflow in Rosoft Media Player 4.1.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long string in a .M3U file. NOTE: some of these details are obtained from third party information. 6.8 CVE-2007-6478

BUGTRAQ

BID

FRSIRT

SECUNIA

XF SafeNet — Sentinel Protection Server

SafeNet — Sentinel Keys Server Directory traversal vulnerability in SafeNet Sentinel Protection Server 7.0.0 through 7.4.0 and possibly earlier versions, and Sentinel Keys Server 1.0.3 and possibly earlier versions, allows remote attackers to read arbitrary files via a .. (dot dot) in the query string. 5.0 CVE-2007-6483

BUGTRAQ

BUGTRAQ

OTHER-REF

BID

FRSIRT

SECTRACK

SECUNIA

XF Sun — Ray Server Software Unspecified vulnerability in the Device Manager daemon (utdevmgrd) in Sun Ray Server Software 2.0, 3.0, 3.1, and 3.1.1 allows remote attackers to create or delete arbitrary directories via unspecified vectors. 6.4 CVE-2007-6481

SUNALERT

BID

SECUNIA Texas Imperial Software — WFTPD Pro Explorer Heap-based buffer overflow in Texas Imperial Software WFTPD Pro Explorer 1.0 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command. 5.8 CVE-2007-6473

MILW0RM

SECUNIA Wireshark — Wireshark Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) 0.99.6 allow remote attackers to cause a denial of service via (1) a crafted MP3 file, (2) the NCP dissector, or (3) the SMB dissector. 5.0 CVE-2007-6438

OTHER-REF Wireshark — Wireshark Buffer overflow in the PPP dissector in Wireshark (formerly Ethereal) 0.99.6 might allow remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors. 5.0 CVE-2007-6440

OTHER-REF Wireshark — Wireshark Buffer overflow in the SSL dissector in Wireshark (formerly Ethereal) 0.99.0 to 0.99.6 might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. 5.0 CVE-2007-6442

OTHER-REF Wireshark — Wireshark Buffer overflow in the ANSI MAP dissector in Wireshark (formerly Ethereal) 0.99.5 to 0.99.6, when running on some unspecified platforms, might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. 5.0 CVE-2007-6443

OTHER-REF Wireshark — Wireshark The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (large loop and resource consumption) via unknown vectors. 5.0 CVE-2007-6446

OTHER-REF
