Vulnerability Summary for the Week of September 18, 2006

Primary

Vendor — Product
Description CVSS Score Source & Patch Info

AEwebworks — aeDating
Multiple PHP remote file inclusion vulnerabilities in AEDating 4.1, and possibly earlier versions, allow remote attackers to execute arbitrary PHP code via a URL in the dir[inc] parameter in (1) inc/design.inc.php or (2) inc/admin_design.inc.php. 7.0 CVE-2006-4870

OTHER-REF

BID

FRSIRT

SECUNIA

XF

All Enthusiast Inc — ReviewPost PHP Pro
PHP remote file inclusion vulnerability in index.php in All Enthusiast ReviewPost 2.5 allows remote attackers to execute arbitrary PHP code via a URL in the RP_PATH parameter. 7.0 CVE-2006-4864

BUGTRAQ

OTHER-REF

FRSIRT

SECUNIA

XF

AlstraSoft — E-Friends
Directory traversal vulnerability in chat/getStartOptions.php in AlstraSoft E-friends 4.85 allows remote attackers to include arbitrary local files and possibly execute arbitrary code via a .. (dot dot) sequence and trailing null (%00) byte in the lang parameter, as demonstrated by injecting PHP code into a log file. 7.0 CVE-2006-4913

OTHER-REF

BID

FRSIRT

SECUNIA

XF

Apple — Mac OS X Server
Apple — Mac OS X
Multiple stack-based buffer overflows in the AirPort wireless driver on Apple Mac OS X 10.3.9 and 10.4.7 allow physically proximate attackers to execute arbitrary code by injecting crafted frames into a wireless network. 7.0 CVE-2006-3507

APPLE

BID

FRSIRT

SECUNIA

Apple — Mac OS X Server
Apple — Mac OS X
Heap-based buffer overflow in the AirPort wireless driver on Apple Mac OS X 10.4.7 allows physically proximate attackers to cause a denial of service (crash), gain privileges, and execute arbitrary code via a crafted frame that is not properly handled during scan cache updates. 7.0 CVE-2006-3508

APPLE

BID

FRSIRT

SECUNIA

Apple — Mac OS X Server
Apple — Mac OS X
Integer overflow in the API for the AirPort wireless driver on Apple Mac OS X 10.4.7 might allow physically proximate attackers to cause a denial of service (crash) or execute arbitrary code in third-party wireless software that uses the API via crafted frames. 7.0 CVE-2006-3509

APPLE

BID

FRSIRT

SECUNIA

Artmedic Webdesign — Artmedic Links
PHP remote file inclusion vulnerability in index.php in Artmedic Links 5.0 allows remote attackers to execute arbitrary PHP code via a URL in the id parameter, which is processed by the readfile function. 7.0 CVE-2006-4905

BUGTRAQ

OTHER-REF

SECTRACK

XF

ASP Indir — Tekman Portal
SQL injection vulnerability in uye_profil.asp in Tekman Portal (TR) 1.0 allows remote attackers to execute arbitrary SQL commands via the uye_id parameter. 7.0 CVE-2006-4916

OTHER-REF

BID

XF

FRSIRT

SECUNIA

Blojsom — Blojsom
Multiple cross-site scripting (XSS) vulnerabilities in David Czarnecki Blojsom 2.31 allow remote attackers to inject arbitrary web script or HTML via the (1) blog-category-description, (2) blog-entry-title, (3) rss-enclosure-url, (4) technorati-tagsi, or (5) blog-category-name parameter in a blog post. 7.0 CVE-2006-4829

BUGTRAQ

CERT-VN

BID

FRSIRT

SECUNIA

XF

Blojsom — Blojsom
Directory traversal vulnerability in EditBlogTemplatesPlugin.java in David Czarnecki Blojsom 2.30 allows remote attackers to have an unknown impact by sending an HTTP request with a certain value of blogTemplate. 7.0 CVE-2006-4830

OTHER-REF

BolinOS — BolinOS
PHP remote file inclusion vulnerability in system/_b/contentFiles/gBHTMLEditor.php in BolinOS 4.5.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gBRootPath parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. 7.0 CVE-2006-4851

FRSIRT

XF

Cisco — Intrusion Prevention System
Unspecified vulnerability in Cisco IPS 5.0 before 5.0(6p2) and 5.1 before 5.1(2), when running in inline or promiscuous mode, allows remote attackers to bypass traffic inspection via a “crafted sequence of fragmented IP packets”. 7.0 CVE-2006-4911

CISCO

CERT-VN

BID

FRSIRT

SECTRACK

SECUNIA

XF

Codeworx Technologies — DCP-Portal
Multiple PHP remote file inclusion vulnerabilities in DCP-Portal SE 6.0 allow remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) library/lib.php and (2) library/editor/editor.php. NOTE: the same primary issue can be used for full path disclosure with an invalid parameter that reveals the installation path in an error message. 7.0 CVE-2006-4837

BUGTRAQ

BID

EasyPageCMS — EasyPageCMS
SQL injection vulnerability in default.aspx in easypage allows remote attackers to execute arbitrary SQL commands via the srch parameter in the Search page. 7.0 CVE-2006-4862

BUGTRAQ

guanxiCRM — guanxiCRM Business Solution
PHP remote file inclusion vulnerability in include/phpxd/phpXD.php in guanxiCRM 0.9.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the appconf[rootpath] parameter. 7.0 CVE-2006-4898

OTHER-REF

BID

XF

Haberx — Haberx
SQL injection vulnerability in kategorix.asp in Haberx 1.02 through 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in kategorihaberx.asp. 7.0 CVE-2006-4853

OTHER-REF

OTHER-REF

BID

FRSIRT

SECUNIA

XF

Hitweb — Hitweb
Multiple PHP remote file inclusion vulnerabilities in Brian Fraval Hitweb 3.0 allow remote attackers to execute arbitrary PHP code via a URL in the REP_CLASS parameter to (1) index.php, (2) arbo.php, (3) framepoint.php, (4) genpage.php, (5) lienvalider.php, (6) appreciation.php, (7) partenariat.php, (8) rechercher.php, (9) projet.php, (10) propoexample.php, (11) refererpoint.php, or (12) top50.php. 7.0 CVE-2006-4848

BUGTRAQ

BID

iDevSpot — NixieAffiliate
IDevSpot NexieAffiliate 1.9 and earlier allows remote attackers to delete arbitrary affiliates via a modified id parameter to delete.php. 7.0 CVE-2006-4895

BUGTRAQ

BID

Iodine — Iodine
Unspecified vulnerability in IP over DNS is now easy (iodine) before 0.3.2 has unknown impact and attack vectors, related to “potential security problems.” 7.0 CVE-2006-4831

OTHER-REF

BID

FRSIRT

SECUNIA

Marc Cagninacci — mcLinksCounter
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Marc Cagninacci mcLinksCounter 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the langfile parameter in (1) login.php, (2) stats.php, (3) detail.php, or (4) erase.php. NOTE: CVE and a third party dispute this vulnerability, because the langfile parameter is set to english.php in each file. 7.0 CVE-2006-4863

BUGTRAQ

BUGTRAQ

MobilePublisherPHP — MobilePublisherPHP
PHP remote file inclusion vulnerability in header.php in MobilePublisherPHP 1.5 RC2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter. 7.0 CVE-2006-4849

Milw0rm

SECUNIA

BID

FRSIRT

XF

Mohammed Mehdi Panjwani — Complain Center
SQL injection vulnerability in loginprocess.asp in Mohammed Mehdi Panjwani Complain Center 1 allows remote attackers to execute arbitrary SQL commands via the (1) TxtUser (aka Username) and (2) TxtPass (aka Password) parameters in login.asp. 7.0 CVE-2006-4861

BUGTRAQ

Mozilla — SeaMonkey
Mozilla — Firefox
Mozilla — Thunderbird
Heap-based buffer overflow in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a JavaScript regular expression with a “minimal quantifier.” 7.0 CVE-2006-4565

OTHER-REF

REDHAT

REDHAT

SECUNIA

SECUNIA

REDHAT

BID

FRSIRT

SECTRACK

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

XF

SGI

UBUNTU

SECUNIA

Mozilla — SeaMonkey
Mozilla — Firefox
Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks. 7.0 CVE-2006-4568

OTHER-REF

REDHAT

SECUNIA

SECUNIA

REDHAT

BID

FRSIRT

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

XF

SGI

SECUNIA

Mozilla — SeaMonkey
Mozilla — Thunderbird
Multiple unspecified vulnerabilities in Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allow remote attackers to cause a denial of service (crash), corrupt memory, and possibly execute arbitrary code via unspecified vectors, some of which involve JavaScript, and possibly large images or plugin data. 7.0 CVE-2006-4571

OTHER-REF

REDHAT

REDHAT

SECUNIA

SECUNIA

REDHAT

BID

FRSIRT

SECTRACK

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SGI

UBUNTU

SECUNIA

PhotoPost — PHP Pro
PHP remote file inclusion vulnerability in zipndownload.php in PhotoPost 4.0 through 4.6 allows remote attackers to execute arbitrary PHP code via a URL in the PP_PATH parameter. 7.0 CVE-2006-4828

BUGTRAQ

BID

XF

PHP DocWriter — PHP DocWriter
PHP remote file inclusion vulnerability in PHP DocWriter 0.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the script parameter. 7.0 CVE-2006-4912

OTHER-REF

BID

FRSIRT

XF

phpBB XS — phpBB XS
PHP remote file inclusion vulnerability in bb_usage_stats/includes/bb_usage_stats.php in phpBB XS 0.58 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter, a different vector than CVE-2006-4780. 7.0 CVE-2006-4893

BUGTRAQ

OTHER-REF

BID

FRSIRT

SECUNIA

phpQuiz — phpQuiz
PHP remote file inclusion vulnerability in index.php in Jule Slootbeek phpQuiz 0.01 allows remote attackers to execute arbitrary PHP code via a URL in the pagename parameter. 7.0 CVE-2006-4834

BUGTRAQ

OTHER-REF

BID

FRSIRT

XF

phpunity.postcard — phpunity-postcard
PHP remote file inclusion vulnerability in phpunity-postcard.php in phpunity.postcard allows remote attackers to execute arbitrary PHP code via a URL in the gallery_path parameter. 7.0 CVE-2006-4869

OTHER-REF

BID

FRSIRT

OSVDB

SECUNIA

Qualiteam — X-Cart
Dynamic variable evaluation vulnerability in cmpi.php in Qualiteam X-Cart 4.1.3 and earlier allows remote attackers to overwrite arbitrary program variables and execute arbitrary PHP code, as demonstrated by PHP remote file inclusion via the xcart_dir parameter. 7.0 CVE-2006-4904

OTHER-REF

BID

FRSIRT

SECUNIA

XF

Quicksilver Forums — Quicksilver Forums
PHP remote file inclusion vulnerability in lib/activeutil.php in Quicksilver Forums (QSF) 1.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the set[include_path] parameter. 7.0 CVE-2006-4824

OTHER-REF

OTHER-REF

BID

FRSIRT

SECUNIA

XF

Reamday Enterprises — Magic News Pro
PHP remote file inclusion vulnerability in scripts/news_page.php in Reamday Enterprises Magic News Pro 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the script_path parameter. 7.0 CVE-2006-4823

OTHER-REF

BID

FRSIRT

SECUNIA

BUGTRAQ

XF

Shadowed Portal — Shadowed Portal
PHP remote file inclusion vulnerability in bottom.php in Shadowed Portal 5.599 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter. 7.0 CVE-2006-4826

Milw0rm

BID

XF

OSVDB

SECUNIA

Shadowed Portal — Shadowed Portal
PHP remote file inclusion vulnerability in Shadowed Portal 5.599 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) footer.php and (2) header.php. NOTE: the provenance of this information is unknown; the details are obtained from third party information. The bottom.php parameter is already covered by CVE-2006-4826. 7.0 CVE-2006-4885

SECUNIA

Simple Discussion Board — Simple Discussion Board
Multiple PHP remote file inclusion vulnerabilities in Simple Discussion Board 0.1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) env_dir parameter to (a) blank.php, (b) admin.php, or (c) builddb.php, and the (2) script_root parameter to blank.php. 7.0 CVE-2006-4918

OTHER-REF

BID

XF

Site@School — Site@School
Multiple PHP remote file inclusion vulnerabilities in Site@School (S@S) 2.4.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to (1) starnet/modules/sn_allbum/slideshow.php, and (2) starnet/themes/editable/main.inc.php. 7.0 CVE-2006-4920

BUGTRAQ

OTHER-REF

BID

FRSIRT

SECUNIA

OSVDB

OSVDB

Site@School — Site@School
PHP remote file inclusion vulnerability in Site@School (S@S) 2.4.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to starnet/modules/include/include.php. NOTE: some of these details are obtained from third party information. 7.0 CVE-2006-4921

BUGTRAQ

FRSIRT

SECUNIA

OSVDB

Techno Dreams — Articles & Papers Package
SQL injection vulnerability in ArticlesTableview.asp in Techno Dreams Articles & Papers Package 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the key parameter. 7.0 CVE-2006-4891

BUGTRAQ

OTHER-REF

BID

SECUNIA

XF

FRSIRT

Techno Dreams — FAQ Manager Package
SQL injection vulnerability in faqview.asp in Techno Dreams FAQ Manager Package 1.0 allows remote attackers to execute arbitrary SQL commands via the key parameter. 7.0 CVE-2006-4892

BUGTRAQ

OTHER-REF

BID

SECUNIA

XF

FRSIRT

Unak — Unak CMS
Multiple PHP remote file inclusion vulnerabilities in UNAK-CMS 1.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the dirroot parameter to (1) fckeditor/editor/filemanager/browser/default/connectors/php/connector.php or (2) fckeditor/editor/dialog/fck_link.php. 7.0 CVE-2006-4890

OTHER-REF

OTHER-REF

BID

FRSIRT

SECUNIA

XF

Verso NetPerformer — Frame Relay Access Device ACT
Buffer overflow in the telnet service in Verso NetPerformer FRAD ACT SDM-95xx 7.xx (R1) and earlier, SDM-93xx 10.x.x (R2) and earlier, and SDM-92xx 9.x.x (R1) and earlier allows remote attackers to cause a denial of service (reboot) and possibly execute arbitrary code via a long username. 8.0 CVE-2006-4832

BUGTRAQ

FULLDISC

BID

FRSIRT

SECUNIA

XF
Primary

Vendor — Product
Description CVSS Score Source & Patch Info

Apple — Mac OS X Server
Apple — Mac OS X
Buffer overflow in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via a long extension argument. 4.9 CVE-2006-4866

FULLDISC

OTHER-REF

BID

Apple — Remote Desktop
Apple Remote Desktop (ARD) for Mac OS X 10.2.8 and later does not drop privileges on the remote machine while installing certain applications, which allows local users to bypass authentication and gain privileges by selecting the icon during installation. 4.9 CVE-2006-4887

BUGTRAQ

BID

XF

BolinOS — BolinOS
PHP remote file inclusion vulnerability in system/_b/contentFiles/gBIndex.php in BolinOS 4.5.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gBRootPath parameter. 5.6 CVE-2006-4850

BUGTRAQ

Milw0rm

BID

FRSIRT

SECUNIA

XF

Cisco — Cisco Guard DDos Mitigation Appliance
Cross-site scripting (XSS) vulnerability in Cisco Guard DDoS Mitigation Appliance before 5.1(6), when anti-spoofing is enabled, allows remote attackers to inject arbitrary web script or HTML via certain character sequences in a URL that are not properly handled when the appliance sends a meta-refresh. 4.7 CVE-2006-4909

CISCO

BID

FRSIRT

SECTRACK

SECUNIA

XF

Citrix — Access Gateway AAC
Unspecified vulnerability in Citrix Access Gateway with Advanced Access Control (AAC) 4.2 before 20060914, when AAC is configured to use LDAP authentication, allows remote attackers to bypass authentication via unknown vectors. 5.6 CVE-2006-4846

CITRIX

CITRIX

BID

FRSIRT

SECTRACK

SECUNIA

XF

Claroline — Claroline
Dokeos — Open Source Learning & Knowledge Management Tool
PHP remote file inclusion vulnerability in inc/claro_init_local.inc.php in Claroline 1.7.7 and earlier, as used in Dokeos and possibly other products, allows remote attackers to execute arbitrary PHP code via a URL in the extAuthSource[newUser] parameter. 5.6 CVE-2006-4844

OTHER-REF

OTHER-REF

BID

FRSIRT

SECUNIA

XF

OTHER-REF

FRSIRT

SECUNIA

ClickTech — ClickBlog
SQL injection vulnerability in default.asp (aka the login page) in ClickTech ClickBlog 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) form_codeword (aka the Password field) parameters. 4.7 CVE-2006-4857

BUGTRAQ

BID

FRSIRT

SECUNIA

XF

Codeworx Technologies — DCP-Portal
SQL injection vulnerability in login.php in DCP-Portal SE 6.0 allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: The lostpassword.php and calendar.php vectors are already covered by CVE-2005-3365, and the search.php vector is already covered by CVE-2005-4227. 5.6 CVE-2006-4836

BUGTRAQ

BID

David Bennett — PHP-Post
SQL injection vulnerability in profile.php in David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter. 4.7 CVE-2006-4879

BUGTRAQ

BID

David Bennett — PHP-Post
Multiple cross-site scripting (XSS) vulnerabilities in David Bennett PHP-Post (PHPp) 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the replyuser parameter in (a) pm.php; (2) the txt_jumpto parameter in (b) dropdown.php; the (3) txt_error and (4) txt_templatenotexist parameters in (c) template.php; the (5) split parameter in certain files, as demonstrated by (d) editprofile.php, (e) search.php, (f) index.php, and (g) pm.php; and the (6) txt_login parameter in (h) loginline.php; and allow remote authenticated users to inject arbitrary web script or HTML via the (7) txt_logout parameter in (i) loginline.php. 4.7 CVE-2006-4881

BUGTRAQ

BID

Doctor Web Ltd — Dr.WebScanner
Heap-based buffer overflow in SpIDer for Dr.Web Scanner for Linux 4.33, and possibly earlier versions, allows remote attackers to execute arbitrary code via an LHA archive with an extended header that contains a long directory name. 4.7 CVE-2006-4438

FULLDISC

FRSIRT

SECUNIA

George Lewe — TeamCal Pro
PHP remote file inclusion vulnerability in includes/footer.html.inc.php in TeamCal Pro 2.8.001 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the tc_config[app_root] parameter. 5.6 CVE-2006-4845

OTHER-REF

BID

BID

FRSIRT

SECUNIA

XF

Gnu — Mailman
** DISPUTED ** Format string vulnerability in Mailman before 2.1.9 allows attackers to execute arbitrary code via unspecified vectors. NOTE: the vendor has disputed this vulnerability, stating that it is “unexploitable.” 4.7 CVE-2006-2191

MLIST

MLIST

GNUTurk — GNUTurk
SQL injection vulnerability in mods.php in GNUTurk 2G and earlier allows remote attackers to execute arbitrary SQL commands via the t_id parameter when the go parameter is “Forum.” 4.7 CVE-2006-4867

OTHER-REF

OTHER-REF

BID

FRSIRT

SECUNIA

gzip — gzip
Array index error in the make_table function in unlzh.c in the LZH decompression component in gzip 1.3.5, when running on certain platforms, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GZIP archive that triggers an out-of-bounds write, aka a “stack modification vulnerability.” 4.7 CVE-2006-4335

OTHER-REF

REDHAT

UBUNTU

DEBIAN

FREEBSD

SLACKWARE

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

MANDRIVA

CERT-VN

FRSIRT

SECUNIA

SECUNIA

XF

gzip — gzip
Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted leaf count table that causes a write to a negative index. 4.7 CVE-2006-4336

OTHER-REF

REDHAT

UBUNTU

DEBIAN

FREEBSD

SLACKWARE

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

MANDRIVA

CERT-VN

FRSIRT

SECUNIA

SECUNIA

XF

gzip — gzip
Buffer overflow in the make_table function in the LHZ component in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted decoding table in a GZIP archive. 4.7 CVE-2006-4337

OTHER-REF

REDHAT

UBUNTU

DEBIAN

FREEBSD

SLACKWARE

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

MANDRIVA

FRSIRT

SECUNIA

SECUNIA

IDevSpot — BizDirectory
Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot BizDirectory allow remote attackers to inject arbitrary web script or HTML via (1) the stylesheet parameter in Feed.php or (2) the message parameter in status.php. 4.7 CVE-2006-4883

BUGTRAQ

BID

XF

FRSIRT

SECTRACK

SECUNIA

IDevSpot — iSupport
Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot iSupport 1.8 allow remote attackers to inject arbitrary web script or HTML via (1) the suser parameter in support/rightbar.php, (2) the ticket_id parameter in support/open_tickets.php, and (3) the cons_page_title parameter in index.php. NOTE: the provenance of this information is unknown; the details are obtained from third party information. 4.7 CVE-2006-4884

BID

Ipswitch — WS_FTP Server
Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands. 4.2 CVE-2006-4847

IPSWITCH

FRSIRT

SECUNIA

XF

BID

OSVDB

Julian Roberts — Charon Cart
SQL injection vulnerability in Review.asp in Julian Roberts Charon Cart 3 allows remote attackers to execute arbitrary SQL commands via the ProductID parameter. 4.7 CVE-2006-4882

BUGTRAQ

BID

FRSIRT

SECTRACK

SECUNIA

XF

Jupiter CMS — Jupiter CMS
Multiple cross-site scripting (XSS) vulnerabilities in Jupiter CMS allow remote attackers to inject arbitrary web script or HTML via the (1) language[Admin name] and (2) language[Admin back] parameters in (a) modules/blocks.php; the (3) language[Register title] and (4) language[Register title2] parameters in (b) modules/register.php; the (5) language[Mass-Email form title], (6) language[Mass-Email form desc], (7) language[Mass-Email form desc2] (8) language[Mass-Email form desc3], and (9) language[Mass-Email form desc4] parameters in (c) modules/mass-email.php; the (10) language[Forgotten title], (11) language[Forgotten desc], (12) language[Forgotten desc2], (13) language[Forgotten desc3], (14) language[Forgotten desc4], and (15) language[Forgotten desc5] parameters in (d) modules/register.php; and the (16) language[Search view desc], (17) language[Search view desc2], (18) language[Search view desc3], (19) language[Search view desc4], (20) language[Search view desc5], (21) language[Search view desc6], (22) language[Search view desc7], and (23) language[Search view desc8] parameters in (e) modules/search.php. 4.7 CVE-2006-4874

BUGTRAQ

BID

Jupiter CMS — Jupiter CMS
Multiple SQL injection vulnerabilities in Jupiter CMS allow remote attackers to execute arbitrary SQL commands via (1) the user name during login, or the (2) key or (3) fpwusername parameters in modules/register. 4.7 CVE-2006-4876

BUGTRAQ

BID

Keyvan Janghorbani — EShoppingPro
SQL injection vulnerability in search_run.asp in Keyvan1 (aka Keyvan Janghorbani) EShoppingPro 1.0 allows remote attackers to execute arbitrary SQL commands via the order parameter. 4.7 CVE-2006-4871

BUGTRAQ

BID

FRSIRT

SECTRACK

SECUNIA

XF

Keyvan Janghorbani — ECardPro
SQL injection vulnerability in search.asp in Keyvan1 (aka Keyvan Janghorbani) ECardPro 2.0 allows remote attackers to execute arbitrary SQL commands via the keyword parameter. 4.7 CVE-2006-4872

BUGTRAQ

BID

FRSIRT

SECTRACK

SECUNIA

XF

Limbo CMS — Limbo CMS
Multiple unspecified vulnerabilities in (1) index.php, (2) minixml.inc.php, (3) doc.inc.php, (4) element.inc.php, (5) node.inc.php, (6) treecomp.inc.php, (7) forum.html.php, (8) forum.php, (9) antihack.php, (10) content.php, (11) initglobals.php, and (12) imanager.php in Limbo (aka Lite Mambo) CMS 1.0.4.2 before 20060311 have unknown impact and attack vectors. 4.9 CVE-2006-4860

OTHER-REF

OTHER-REF

MamboXChange — Serverstat component
PHP remote file inclusion vulnerability in install.serverstat.php in the Serverstat (com_serverstat) 0.4.4 and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. 5.6 CVE-2006-4858

BUGTRAQ

OTHER-REF

BID

FRSIRT

SECUNIA

XF

Marc Logemann — More.groupware
SQL injection vulnerability in modules/calendar/week.php in More.groupware 0.74 allows remote attackers to execute arbitrary SQL commands via the new_calendarid parameter. 4.7 CVE-2006-4906

OTHER-REF

BID

XF

FRSIRT

SECUNIA

Microsoft — Internet Explorer
Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag. 4.7 CVE-2006-4868

OTHER-REF

CERT-VN

BID

FRSIRT

SECUNIA

XF

OTHER-REF

SECTRACK

BUGTRAQ

BUGTRAQ

BUGTRAQ

BUGTRAQ

OTHER-REF

OSVDB

Telekorn — SignKorn Guestbook
Multiple PHP remote file inclusion vulnerabilities in Telekorn SignKorn Guestbook (SL) 1.3 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the dir_path parameter in (1) index.php, (2) includes/functions.gb.php, (3) includes/functions.admin.php, (4) includes/admin.inc.php, (5) help.php, (6) smile.php, (7) entry.php; (8) adminhelp0.php, (9) adminhelp1.php, (10) adminhelp2.php, and (11) adminhelp3.php in (a) help/en and (b) help/de directories; and the (12) preview.php, (13) log.php, (14) index.php, (15) config.php, and (16) admin.php in the (c) admin directory, a different set of vectors than CVE-2006-4788. 5.6 CVE-2006-4889

BUGTRAQ

OTHER-REF

BID

XF

Vmist — Downstat
Multiple PHP remote file inclusion vulnerabilities in Vmist Downstat 1.8 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the art parameter to (1) admin.php, (2) chart.php, (3) modes.php, or (4) stats.php. 5.6 CVE-2006-4827

Milw0rm

BID

FRSIRT

SECUNIA

XF
Primary

Vendor — Product
Description CVSS Score Source & Patch Info

A.l-Pifou — A.l-Pifou
Directory traversal vulnerability in A.l-Pifou 1.8p2 allows remote attackers to read arbitrary files via “..” sequences in the ze_langue_02 cookie, as demonstrated by using the choix_lng parameter to choix_langue.php to indirectly set the cookie, then accessing livre_dor.php to trigger the inclusion from inc/change_lang_ck.php, possibly related to livre_livre.php. NOTE: the livre_livre.php relationship has been reported by some third party sources. 1.9 CVE-2006-4914

FULLDISC

OSVDB

SECUNIA

BID

FRSIRT

Bluview — Blue Magic Board
Bluview Blue Magic Board (BMB) (aka BMForum) 5.5 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php, (2) header.php, (3) db_mysql_error.php, (4) langlist.php, (5) sendmail.php, or (6) style.php, which reveals the path in various error messages. 2.3 CVE-2006-4835

BUGTRAQ

XF

Cisco — Cisco IDS
Cisco — Cisco IPS
The web administration interface (mainApp) to Cisco IDS before 4.1(5c), and IPS 5.0 before 5.0(6p1) and 5.1 before 5.1(2) allows remote attackers to cause a denial of service (unresponsive device) via a crafted SSLv2 Client Hello packet. 2.3 CVE-2006-4910

CISCO

BID

FRSIRT

SECTRACK

SECUNIA

XF

CMtextS — CMtextS
CMtextS 1.0 and earlier stores users_logins/admin.txt under the web document root with insufficient access control, which allows remote attackers to obtain the administrator password. 2.3 CVE-2006-4897

OTHER-REF

FRSIRT

SECUNIA

XF

Codeworx Technologies — DCP-Portal
Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal SE 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) root_url and (2) dcp_version parameters in (a) admin/inc/footer.inc.php, and the root_url, (3) page_top_name, (4) page_name, and (5) page_options parameters in (b) admin/inc/header.inc.php. 2.3 CVE-2006-4838

BUGTRAQ

BID

David Bennett — PHP-Post
Variable overwrite vulnerability in David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to overwrite arbitrary program variables via multiple vectors that use the extract function, as demonstrated by the table_prefix parameter in (1) index.php, (2) profile.php, and (3) header.php. 2.3 CVE-2006-4877

BUGTRAQ

BID

David Bennett — PHP-Post
Directory traversal vulnerability in footer.php in David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to read arbitrary local files via a .. (dot dot) sequence in the template parameter. 2.3 CVE-2006-4878

BUGTRAQ

BID

David Bennett — PHP-Post
David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to obtain sensitive information via a direct request for (1) footer.php, (2) template.php, or (3) lastvisit.php, which reveals the installation path in various error messages. 2.3 CVE-2006-4880

BUGTRAQ

BID

Drupal — Drupal Userreview module
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview module before 1.19 2006/09/12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2.3 CVE-2006-4821

OTHER-REF

FRSIRT

SECUNIA

BID

XF

eMuSOFT — emuCMS
Multiple cross-site scripting (XSS) vulnerabilities in index.php in eMuSOFT emuCMS 0.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) query or (2) page parameters. 2.3 CVE-2006-4822

OTHER-REF

BID

FRSIRT

SECUNIA

OSVDB

eSyndiCat Portal System — eSyndiCat Portal System
Cross-site scripting (XSS) vulnerability in search.php in eSyndiCat Portal System allows remote attackers to inject arbitrary web script or HTML via the what parameter. 2.3 CVE-2006-4923

BUGTRAQ

BID

XF

FRSIRT

SECUNIA

gzip — gzip
Unspecified vulnerability in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (crash) via a crafted GZIP (gz) archive, which results in a NULL dereference. 2.3 CVE-2006-4334

OTHER-REF

REDHAT

UBUNTU

DEBIAN

FREEBSD

SLACKWARE

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

MANDRIVA

CERT-VN

SECUNIA

SECUNIA

XF

gzip — gzip
unlzh.c in the LHZ component in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted GZIP archive. 2.3 CVE-2006-4338

OTHER-REF

REDHAT

UBUNTU

DEBIAN

FREEBSD

SLACKWARE

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

MANDRIVA

FRSIRT

OSVDB

SECUNIA

SECUNIA

HP — HP-UX
Unspecified vulnerability in X.25 on HP-UX B.11.00, B.11.11, and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. 1.6 CVE-2006-4820

HP

BID

FRSIRT

SECTRACK

SECUNIA

XF

iDevSpot — NixieAffiliate
Cross-site scripting (XSS) vulnerability in forms/lostpassword.php in iDevSpot NixieAffiliate 1.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter. 2.3 CVE-2006-4894

BUGTRAQ

BID

Innovate Portal — Innovate Portal
Cross-site scripting (XSS) vulnerability in index.php in Innovate Portal 2.0 allows remote attackers to inject arbitrary web script or HTML via the content parameter. 2.3 CVE-2006-4915

BUGTRAQ

BID

XF

Jupiter CMS — Jupiter CMS
Jupiter CMS allows remote attackers to obtain sensitive information via a direct request for (1) includes/functions.php, (2) modules/register.php, (3) modules/poll.php, (4) modules/panel.php, (5) modules/pm.php, (6) modules/news.php, (7) modules/templates_change.php, (8) modules/users.php, (9) modules/misc.php, (10) modules/masspm.php, (11) modules/mass-email.php, (12) modules/main-nav.php, (13) modules/login.php, (14) modules/layout.php, (15) modules/hq.php, (16) modules/forum.php, (17) modules/forum-admin.php, (18) modules/events.php, (19) modules/emoticons.php, (20) modules/download.php, (21) modules/blocks.php, (22) modules/ban.php, (23) modules/badwords.php, (24) modules/ads.php, or (25) modules/admin.php, which reveals the installation path in various error messages. NOTE: The modules/online.php vector is already covered by CVE-2006-1679. 2.3 CVE-2006-4873

BUGTRAQ

BID

Jupiter CMS — Jupiter CMS Unrestricted file upload vulnerability in modules/galleryuploadfunction.php in Jupiter CMS allows remote attackers to upload picture files, and possibly files with arbitrary extensions, to gallery/albums/public. 2.3 CVE-2006-4875

BUGTRAQ

BID

Limbo CMS — Limbo CMS Unrestricted file upload vulnerability in contact.html.php in the Contact (com_contact) component in Limbo (aka Lite Mambo) CMS 1.0.4.2L and earlier allows remote attackers to upload PHP code to the images/contact folder via a filename with a double extension in the contact_attach parameter in a contact option in index.php, which bypasses an insufficiently restrictive regular expression. 2.3 CVE-2006-4859

OTHER-REF

BID

Linux — Linux kernel The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745. NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch. 2.3 CVE-2006-4535

OTHER-REF

UBUNTU

BID

OTHER-REF

SECUNIA

XF

McAfee — VirusScan Enterprise

McAfee — McAfee Scan Engine The VirusScan On-Access Scan component in McAfee VirusScan Enterprise 7.1.0 and Scan Engine 4.4.00 allows local privileged users to bypass security restrictions and disable the On-Access Scan option by opening the program via the task bar and quickly clicking the Disable button, possibly due to an interface-related race condition. 3.9 CVE-2006-4886

BUGTRAQ

XF

Microsoft — Internet Explorer Microsoft Internet Explorer 6 and earlier allows remote attackers to cause a denial of service (application hang) via a CSS-formatted HTML INPUT element within a DIV element that has a larger size than the INPUT. 2.3 CVE-2006-4888

BUGTRAQ

OTHER-REF

OSVDB

Mozilla — Network Security Services (NSS)

Mozilla — SeaMonkey

Mozilla — Firefox

Mozilla — Thunderbird Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. 2.3 CVE-2006-4340

MLIST

OTHER-REF

OTHER-REF

REDHAT

REDHAT

SECUNIA

SECUNIA

REDHAT

FRSIRT

FRSIRT

SECTRACK

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SGI

UBUNTU

SECUNIA

Mozilla — SeaMonkey

Mozilla — Firefox

Mozilla — Thunderbird Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allows remote attackers to cause a denial of service (crash) via a malformed JavaScript regular expression that ends with a backslash in an unterminated character set (“[\”), which leads to a buffer over-read. 2.3 CVE-2006-4566

OTHER-REF

REDHAT

REDHAT

SECUNIA

SECUNIA

REDHAT

BID

FRSIRT

SECTRACK

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

SECUNIA

SECUNIA

XF

SGI

UBUNTU

SECUNIA

Mozilla — Firefox

Mozilla — Thunderbird Mozilla Firefox before 1.5.0.7 and Thunderbird before 1.5.0.7 makes it easy for users to accept self-signed certificates for the auto-update mechanism, which might allow remote user-assisted attackers to use DNS spoofing to trick users into visiting a malicious site and accepting a malicious certificate for the Mozilla update site, which can then be used to install arbitrary code on the next update. 1.9 CVE-2006-4567

OTHER-REF

REDHAT

SECUNIA

SECUNIA

REDHAT

BID

FRSIRT

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

XF

UBUNTU

Mozilla — Firefox The popup blocker in Mozilla Firefox before 1.5.0.7 opens the “blocked popups” display in the context of the Location bar instead of the subframe from which the popup originated, which might make it easier for remote user-assisted attackers to conduct cross-site scripting (XSS) attacks. 2.3 CVE-2006-4569

OTHER-REF

SECUNIA

REDHAT

BID

SECTRACK

SECUNIA

XF

Mozilla — SeaMonkey

Mozilla — Thunderbird Mozilla Thunderbird before 1.5.0.7 and SeaMonkey before 1.0.5, with “Load Images” enabled, allows remote user-assisted attackers to bypass settings that disable JavaScript via a remote XBL file in a message that is loaded when the user views, forwards, or replies to the original message. 1.9 CVE-2006-4570

OTHER-REF

REDHAT

REDHAT

BID

SECTRACK

SECTRACK

SECUNIA

SECUNIA

SECUNIA

SECUNIA

XF

SGI

UBUNTU

SECUNIA

Ohio State University — server OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive information via a URL to a non-existent file, which displays the web root path in the resulting error message. 2.3 CVE-2006-4907

BUGTRAQ

SECUNIA

XF

Ohio State University — OSU httpd OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive information via a URL containing an * (asterisk) wildcard, which displays all matching file and directory information. 2.3 CVE-2006-4908

BUGTRAQ

SECUNIA

XF

phpQuiz — phpQuiz Walter Beschmout PhpQuiz allows remote attackers to obtain sensitive information via a direct request to cfgphpquiz/install.php and other unspecified vectors. 2.3 CVE-2006-4865

BUGTRAQ

PT News — PT News Cross-site scripting (XSS) vulnerability in search.php in PT News 1.7.8 allows remote attackers to inject arbitrary web script or HTML via the pgname parameter. 2.3 CVE-2006-4917

BUGTRAQ

BID

FRSIRT

SECUNIA

XF

QuadComm — Q-Shop SQL injection vulnerability in browse.asp in QuadComm Q-Shop 3.5 allows remote attackers to execute arbitrary SQL commands via the OrderBy parameter. 2.3 CVE-2006-4852

BUGTRAQ

Milw0rm

BID

SECUNIA

XF

FRSIRT

OSVDB

Roller WebLogger — Roller WebLogger Multiple cross-site scripting (XSS) vulnerabilities in Roller WebLogger 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, or (3) url parameters; (4) certain content parameters in the preview method; or (5) the q parameter in (a) sitesearch.do. 2.3 CVE-2006-4856

BUGTRAQ

OTHER-REF

OTHER-REF

CERT-VN

BID

FRSIRT

SECUNIA

Site@School — Site@School Directory traversal vulnerability in starnet/editors/htmlarea/popups/images.php in Site@School (S@S) 2.4.02 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter. 1.9 CVE-2006-4919

BUGTRAQ

OTHER-REF

BID

FRSIRT

SECUNIA

Site@School — Site@School Unrestricted file upload vulnerability in starnet/editors/htmlarea/popups/images.php in Site@School (S@S) 2.4.02 and earlier allows remote attackers to upload and execute arbitrary files with executable extensions. 2.3 CVE-2006-4922

BUGTRAQ

OTHER-REF

BID

SoftComplex — PHP Event Calendar Multiple cross-site scripting (XSS) vulnerabilities in cl_files/index.php in SoftComplex PHP Event Calendar 1.5.1, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) ti, (2) bi, or (3) cbgi parameters. 2.3 CVE-2006-4825

BUGTRAQ

BID

SECUNIA

XF

Symantec — Norton Personal Firewall

Symantec — Norton Internet Security The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 9.1.0.33, and possibly other versions of Norton Personal Firewall and Norton Internet Security, allows local users to cause a denial of service (system crash) via invalid data, as demonstrated by calling DeviceIoControl to send the data. 2.3 CVE-2006-4855

BUGTRAQ

OTHER-REF

BID

FRSIRT

SECUNIA

Usermin — Usermin Usermin before 1.220 (20060629) allows remote attackers to read arbitrary files, possibly related to chfn/save.cgi not properly handling an empty shell parameter, which results in changing root’s shell instead of the shell of a specified user. 3.3 CVE-2006-4246

OTHER-REF

SOURCEFORGE

OTHER-REF

DEBIAN

BID

SECUNIA

SECUNIA

FRSIRT

XF

Verso NetPerformer — Frame Relay Access Device ACT Verso NetPerformer FRAD ACT SDM-95xx 7.xx (R1) and earlier, SDM-93xx 10.x.x (R2) and earlier, and SDM-92xx 9.x.x (R1) and earlier allow remote attackers to cause a denial of service (hang or reboot) via an ICMP packet with the same destination and source address and port, aka the “Land” vulnerability. 3.3 CVE-2006-4833

BUGTRAQ

FULLDISC

BID

FRSIRT

SECUNIA

XF

Zope — Zope The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458. 2.3 CVE-2006-4684

MLIST

OTHER-REF

DEBIAN

FRSIRT

SECUNIA

SECUNIA
