Skip to content

Home  |   FAQ  |   Contact  |   Privacy & Use

customize
National Cyber Alert System
Cyber Security Bulletin SB07-274 archive

Vulnerability Summary for the Week of September 24, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities
Primary
Vendor -- Product		Description
Discovered
Published
CVSS ScoreSource & Patch Info
Adam Scheinberg -- Flip
account.php in Adam Scheinberg Flip 3.0 and earlier allows remote attackers to create administrative accounts via the un parameter in a register action.
unknown
2007-09-24
7.5CVE-2007-5062
MILW0RM
BID
XF
ADOdb Lite -- ADOdb Lite
CMS Made Simple -- CMS Made Simple
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple 1.1.2, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.
unknown
2007-09-24
7.5CVE-2007-5056
MILW0RM
VIM
Alexander Palmo -- Simple PHP Blog
Incomplete blacklist vulnerability in upload_img_cgi.php in Simple PHP Blog before 0.5.1 allows remote attackers to upload dangerous files, as demonstrated by a .htaccess file, a different vector than CVE-2005-2733. NOTE: the vulnerability was also present in a 0.5.1 download available in the early morning of 20070923. NOTE: the original 20070920 disclosure provided an incorrect filename, img_upload_cgi.php.
unknown
2007-09-24
7.5CVE-2007-5071
BUGTRAQ
OTHER-REF
OTHER-REF
BID
Alexander Palmo -- Simple PHP Blog
Unspecified vulnerability in Simple PHP Blog before 0.5.1 has unknown impact and attack vectors, related to "the way themes get their color definitions from the configuration files," aka the user_colors issue, a different vulnerability than CVE-2007-????.
unknown
2007-09-24
7.5CVE-2007-5072
OTHER-REF
OTHER-REF
Apple -- iPhone
Apple iPhone 1.1.1, with Bluetooth enabled, allows physically proximate attackers to cause a denial of service (application termination) and execute arbitrary code via crafted Service Discovery Protocol (SDP) packets, related to insufficient input validation.
unknown
2007-09-27
7.5CVE-2007-3753
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1, when requested to disable Javascript, does not disable it until Safari is restarted, which might leave Safari open to attacks that the user does not expect.
unknown
2007-09-27
7.5CVE-2007-3759
APPLE
ask.com -- Ask Toolbar
Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and earlier allows remote attackers to execute arbitrary code via a long ShortFormat property value. NOTE: some of these details are obtained from third party information.
unknown
2007-09-26
9.3CVE-2007-5107
BUGTRAQ
MILW0RM
BID
FRSIRT
SECUNIA
ask.com -- Ask Toolbar
Unspecified vulnerability in IAC Search & Media ask.com toolbar has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. NOTE: this might be the same issue as CVE-2007-5107.
unknown
2007-09-26
10.0CVE-2007-5108
BUGTRAQ
OTHER-REF
bcoos -- bcoos
SQL injection vulnerability in index.php in the Arcade module in bcoos 1.0.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a play_game action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-09-26
7.5CVE-2007-5104
SECUNIA
Clansphere -- Clansphere
SQL injection vulnerability in mods/banners/navlist.php in Clansphere 2007.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php in a banners action.
unknown
2007-09-24
7.5CVE-2007-5061
MILW0RM
BID
David Watters -- Helplink
PHP remote file inclusion vulnerability in show.php in David Watters Helplink 0.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.
unknown
2007-09-26
7.5CVE-2007-5099
MILW0RM
SECUNIA
Dibbler -- Dibbler
Dibbler 0.6.0 on Linux uses weak world-writable permissions for unspecified files in /var/lib/dibbler, which has unknown impact and local attack vectors.
unknown
2007-09-21
7.5CVE-2007-5028
OTHER-REF
EB Design Pty Ltd -- ebCrypt
Absolute path traversal vulnerability in the EbCrypt.eb_c_PRNGenerator.1 ActiveX control in EBCRYPT.DLL 2.0.0.2087 and earlier in EB Design ebCrypt allows remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the SaveToFile method. NOTE: some of these details are obtained from third party information.
unknown
2007-09-26
7.5CVE-2007-5110
MILW0RM
OTHER-REF
BID
SECUNIA
Ekke Doerre -- Mods 4 Xoops Contenido eZ publish
Multiple PHP remote file inclusion vulnerabilities in Ekke Doerre Contenido 42VariablVersion (42VV10) in contenido_hacks in Mods 4 Xoops Contenido eZ publish (pdf4cms) allow remote attackers to execute arbitrary PHP code via a URL in the cfgPathInc parameter to (1) main_upl.php, (2) main_con_editside.php, (3) main_news_rcp.php, (4) main_mod.php, (5) main_tplinput_edit.php, (6) main_con.php, (7) main_tpl.php, (8) main_con_sidelist.php, (9) main_str.php, (10) main_news.php, (11) main_tplinput.php, (12) main_lang.php, (13) main_mod_edit.php, (14) main_lay.php, (15) main_lay_edit.php, (16) main_news_send.php, (17) main_con_edittpl.php, (18) main_stat.php, (19) main_tpl_edit.php, (20) main_news_edit.php, or (21) inc/upl_show_uploads.inc.php; the (a) cfgPathContenido or (b) cfgPathTpl parameter to (22) con_show_sidelist.inc.php, (23) mod_show_modules.inc.php, (24) con_edit_form.inc.php, (25) lay_show_layouts.inc.php, (26) con_show_tree.inc.php, (27) news_show_newsletters.inc! .php, (28) str_show_tree.inc.php, (29) tpl_show_templates.inc.php, (30) stat_show_tree.inc.php, (31) con_editcontent.inc.php, or (32) news_show_recipients.inc.php in inc/; or the cfgPathTpl parameter to (33) main_user_md5.php3, or (34) actions_mod.php, (35) actions_lay.php, (36) actions_upl.php, (37) actions_stat.php, (38) actions_news.php, (39) actions_str.php, (40) header.php, (41) actions_con_sidelist.php, (42) main_top.inc.php, (43) actions_tpl.php, or (44) actions_con.php in tpl/. NOTE: vectors 21, 24, 26, 27, 32, 34, 35, 36, 37, 38, 39, 40, 41, 43, and 44 are disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement.
unknown
2007-09-26
7.5CVE-2007-5115
OTHER-REF
furquim -- ChironFS
ChironFS before 1.0 RC7 sets user/group ownership to the mounter account instead of the creator account when files are created, which allows local users to gain privileges.
unknown
2007-09-26
7.2CVE-2007-5101
OTHER-REF
OTHER-REF
SECUNIA
guanxiCRM -- guanxiCRM Business Solution
PHP remote file inclusion vulnerability in modules/webmail2/inc/rfc822.php in guanxiCRM Business Solution 0.9.1 allows remote attackers to execute arbitrary PHP code via a URL in the webmail2_inc_dir parameter.
unknown
2007-09-26
7.5CVE-2007-5096
OTHER-REF
IBM -- Tivoli Storage Manager Client
Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via crafted HTTP headers, aka IC52905.
unknown
2007-09-27
10.0CVE-2007-4880
BUGTRAQ
OTHER-REF
OTHER-REF
AIXAPAR
BID
FRSIRT
SECTRACK
SECUNIA
XF
IBM -- Tivoli Storage Manager Client
Buffer overflow in the Client Acceptor Daemon (CAD) in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via unspecified vectors, aka IC52905.
unknown
2007-09-21
10.0CVE-2007-5021
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
XF
IBM -- DB2
Microsoft -- SQL Server
IBM -- Rational ClearQuest
Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.
unknown
2007-09-26
7.5CVE-2007-5090
OTHER-REF
FRSIRT
SECUNIA
ImageMagick -- ImageMagick
Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow.
unknown
2007-09-24
7.5CVE-2007-4986
IDEFENSE
MLIST
BID
ImageMagick -- ImageMagick
Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.
unknown
2007-09-24
9.3CVE-2007-4987
IDEFENSE
MLIST
BID
Imatix -- Xitami
Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remote attackers to execute arbitrary code via a long If-Modified-Since header to (1) xigui32.exe or (2) xitami.exe.
unknown
2007-09-24
7.5CVE-2007-5067
MILW0RM
BID
SECUNIA
Interspire -- ActiveKB
SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x allows remote attackers to execute arbitrary SQL commands via the catId parameter in a browse action.
unknown
2007-09-27
7.5CVE-2007-5131
MILW0RM
BID
Ipswitch -- IMail
Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line.
unknown
2007-09-26
7.5CVE-2007-5094
MILW0RM
OTHER-REF
BID
iziContents -- iziContents
Multiple incomplete blacklist vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php; or a URL in the language_home parameter to (3) search/search.php, (4) poll/inlinepoll.php, (5) poll/showpoll.php, (6) links/showlinks.php, or (7) links/submit_links.php in modules/; related to missing checks in (a) modules/moduleSec.php and (b) include/includeSec.php for inclusion of certain URLs, as demonstrated by an ftps:// URL.
unknown
2007-09-24
7.5CVE-2007-5053
MILW0RM
iziContents -- iziContents
Multiple PHP remote file inclusion vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the gsLanguage parameter to (1) search/search.php, (2) poll/inlinepoll.php, (3) poll/showpoll.php, (4) links/showlinks.php, or (5) links/submit_links.php in modules/.
unknown
2007-09-24
7.5CVE-2007-5054
MILW0RM
iziContents -- iziContents
Multiple directory traversal vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php.
unknown
2007-09-24
7.5CVE-2007-5055
MILW0RM
Lhaplus -- Lhaplus
Heap-based buffer overflow in Lhaplus before 1.55 allows remote attackers to execute arbitrary code via a long filename in an ARJ archive.
unknown
2007-09-23
7.5CVE-2007-5048
OTHER-REF
OTHER-REF
OTHER-REF
BID
SECUNIA
Linux -- Kernel
The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
unknown
2007-09-24
7.2CVE-2007-4573
FULLDISC
MLIST
MLIST
OTHER-REF
Microsoft -- Windows Media Player
Microsoft Windows Media Player (WMP) 9 on Windows XP SP2 invokes Internet Explorer to render HTML documents contained inside some media files, regardless of what default web browser is configured, which might allow remote attackers to exploit vulnerabilities in software that the user does not expect to run, as demonstrated by the HTMLView parameter in an .asx file.
unknown
2007-09-26
7.5CVE-2007-5095
BUGTRAQ
BUGTRAQ
BUGTRAQ
BUGTRAQ
OTHER-REF
Microsoft -- windows-nt
3ware -- 3DM Disk Management Software
Microsoft Windows Explorer (explorer.exe) allows user-assisted remote attackers to cause a denial of service (CPU consumption) via a certain PNG file with a large tEXt chunk that possibly triggers an integer overflow in PNG chunk size handling, as demonstrated by badlycrafted.png.
unknown
2007-09-27
7.1CVE-2007-5133
BUGTRAQ
BUGTRAQ
BID
Mozilla -- Bugzilla
The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation.
unknown
2007-09-23
7.5CVE-2007-5038
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Mozilla -- Firefox
Apple -- Quicktime
Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, when running on systems with Mozilla Firefox before 2.0.0.7 installed, allows remote attackers to execute arbitrary commands via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter containing the Firefox "-chrome" argument. NOTE: this is a related issue to CVE-2006-4965 and the result of an incomplete fix for CVE-2007-3670.
unknown
2007-09-23
9.3CVE-2007-5045
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
NetSupport -- NetSupport Manager Client
NetSupport Manager Client before 10.20.0004 allows remote attackers to bypass the (1) basic and (2) authentication schemes by spoofing the NetSupport Manager.
unknown
2007-09-24
10.0CVE-2007-5057
BUGTRAQ
OTHER-REF
BID
Neuron News -- Neuron News
Directory traversal vulnerability in index.php in Neuron News 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the q parameter.
unknown
2007-09-23
7.5CVE-2007-5050
MILW0RM
NukeScripts -- NukeSentinel
SQL injection vulnerability in includes/nsbypass.php in NukeSentinel 2.5.11 allows remote attackers to execute arbitrary SQL commands via base64-encoded data in an admin cookie.
unknown
2007-09-27
7.5CVE-2007-5125
BUGTRAQ
OTHER-REF
BID
Online Fantasy Football League -- OFFL
** DISPUTED ** PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter. NOTE: this issue is disputed by CVE because a __FILE__ test protects offl_nflteam.php against direct requests.
unknown
2007-09-26
7.5CVE-2007-5097
OTHER-REF
openEngine -- openEngine
** DISPUTED ** PHP remote file inclusion vulnerability in html/modules/extranet_profile/main.php in openEngine 1.9 beta1 allows remote attackers to execute arbitrary PHP code via a URL in the this_module_path parameter. NOTE: this issue is disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement.
unknown
2007-09-23
7.5CVE-2007-5035
OTHER-REF
BID
OpenSSL Project -- OpenSSL
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.
unknown
2007-09-27
7.5CVE-2007-5135
BUGTRAQ
PHP-Nuke -- Mobile Entertainment module
Directory traversal vulnerability in data/compatible.php in the Nuke Mobile Entertainment 1 addon for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module_name parameter.
unknown
2007-09-24
7.5CVE-2007-5069
MILW0RM
phpFullAnnu -- phpFullAnnu
SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allows remote attackers to execute arbitrary SQL commands via the mod parameter.
unknown
2007-09-24
7.5CVE-2007-5068
MILW0RM
Quiksoft -- EasyMail MessagePrinter Object
Heap-based buffer overflow in the EasyMailMessagePrinter ActiveX control in emprint.DLL 6.0.1.0 in the Quiksoft EasyMail MessagePrinter Object allows remote attackers to execute arbitrary code via a long string in the first argument to the SetFont method.
unknown
2007-09-24
10.0CVE-2007-5070
MILW0RM
redhat -- linux
Red Hat Enterprise Linux 4 does not properly compile and link gdm with tcp_wrappers on x86_64 platforms, which might allow remote attackers to bypass intended access restrictions.
unknown
2007-09-24
10.0CVE-2007-5079
OTHER-REF
sk.log -- sk.log
PHP remote file inclusion vulnerability in php-inc/log.inc.php in sk.log 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the SKIN_URL parameter.
unknown
2007-09-26
7.5CVE-2007-5089
BUGTRAQ
VIM
MILW0RM
BID
FRSIRT
softbizscripts -- classifieds plus script
SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-09-27
7.5CVE-2007-5122
MILW0RM
Solidweb -- Novus
SQL injection vulnerability in notas.asp in Novus 1.0 allows remote attackers to execute arbitrary SQL commands via the nota_id parameter.
unknown
2007-09-27
7.5CVE-2007-5123
MILW0RM
BID
Symantec -- Norton Internet Security
Norton Internet Security 2008 15.0.0.60 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the NtOpenSection kernel SSDT hook. NOTE: the NtCreateMutant and NtOpenEvent function hooks are already covered by CVE-2007-1793.
unknown
2007-09-23
7.2CVE-2007-5047
BUGTRAQ
OTHER-REF
OTHER-REF
Symantec -- Veritas Backup Exec
Unspecified vulnerability in the client in Symantec Veritas Backup Exec for Windows Servers 11d has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.
unknown
2007-09-27
10.0CVE-2007-5126
OTHER-REF
BID
VMWare -- VMWare Player
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory."
unknown
2007-09-21
10.0CVE-2007-0061
ISS
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
XF
VMWare -- VMWare Workstation
VMWare -- ACE
VMWare -- VMware Server
VMWare -- Player
Integer overflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
unknown
2007-09-21
10.0CVE-2007-0062
ISS
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
XF
VMWare -- VMWare Player
VMWare -- ESX Server
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
unknown
2007-09-21
10.0CVE-2007-0063
ISS
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
XF
VMWare -- ACE
Unspecified vulnerability in EMC VMware ACE before 1.0.3 Build 54075 allows attackers to have an unknown impact via an unspecified manipulation of "images stored in virtual machines downloaded by the user."
unknown
2007-09-21
9.3CVE-2007-5025
OTHER-REF
webmaster-tips -- Flash Slide Show
Joomla -- Joomla
PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
unknown
2007-09-24
7.5CVE-2007-5065
MILW0RM
BID
Xpdf -- Xpdf
Stack-based buffer overflow in the StreamPredictor::getNextLine function in xpdf, as used in (1) poppler before 0.5.91, (2) gpdf, (3) kpdf, (4) kdegraphics, (5) CUPS, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file, a different vulnerability than CVE-2007-3387.
unknown
2007-09-23
7.5CVE-2007-5049
GENTOO
FRSIRT
Back to top

Medium Vulnerabilities
Primary
Vendor -- Product		Description
Discovered
Published
CVSS ScoreSource & Patch Info
Adam Scheinberg -- Flip
Adam Scheinberg Flip 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing login credentials via a direct request for var/users.txt.
unknown
2007-09-24
5.0CVE-2007-5063
MILW0RM
Adobe -- Acrobat
Adobe -- Reader
Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this information is based upon a vague pre-advisory by a reliable researcher.
unknown
2007-09-21
6.8CVE-2007-5020
BUGTRAQ
OTHER-REF
Agnitum -- Outpost Firewall
Outpost Firewall Pro 4.0.1025.7828 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteFile, (3) NtLoadDriver, (4) NtOpenProcess, (5) NtOpenSection, (6) NtOpenThread, and (7) NtUnloadDriver kernel SSDT hooks, a partial regression of CVE-2006-7160.
unknown
2007-09-23
4.6CVE-2007-5042
BUGTRAQ
OTHER-REF
OTHER-REF
AirDefense -- Airsensor
Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."
unknown
2007-09-23
5.0CVE-2007-5036
MILW0RM
OTHER-REF
BID
SECUNIA
AOL -- Instant Messenger
The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.5.3.12 and earlier allows remote attackers to execute arbitrary code via unspecified web script or HTML in an instant message, related to AIM's filtering of "specific tags and attributes" and the lack of Local Machine Zone lockdown. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4901.
unknown
2007-09-27
6.8CVE-2007-5124
BUGTRAQ
OTHER-REF
Apache Software Foundation -- Geronimo
Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain "access to Geronimo internals" via unspecified vectors.
unknown
2007-09-26
5.0CVE-2007-5085
OTHER-REF
OTHER-REF
SECUNIA
Apple -- iPhone
Mail in Apple iPhone 1.1.1, when using SSL, does not warn the user when the mail server changes or is not trusted, which might allow remote attackers to steal credentials and read email via a man-in-the-middle (MITM) attack.
unknown
2007-09-27
4.3CVE-2007-3754
APPLE
Apple -- iPhone
Mail in Apple iPhone 1.1.1 allows remote user-assisted attackers to force the iPhone user to make calls to arbitrary telephone numbers via a "tel:" link, which does not prompt the user before dialing the number.
unknown
2007-09-27
4.3CVE-2007-3755
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1 allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain.
unknown
2007-09-27
4.3CVE-2007-3756
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to trick the iPhone user into making calls to arbitrary telephone numbers via a crafted "tel:" link that causes iPhone to display a different number than the number that will be dialed.
unknown
2007-09-27
4.3CVE-2007-3757
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1 allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks.
unknown
2007-09-27
4.3CVE-2007-3758
APPLE
Apple -- Safari
Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML via frame tags.
unknown
2007-09-27
4.3CVE-2007-3760
APPLE
Apple -- Safari
Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML by causing Javascript events to be applied to a frame in another domain.
unknown
2007-09-27
4.3CVE-2007-3761
APPLE
Apple -- Safari
Unspecified vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages from the same domain.
unknown
2007-09-27
6.8CVE-2007-4671
APPLE
Barracuda Networks -- Barracuda Spam Firewall
Cross-site scripting (XSS) vulnerability in the Monitor Web Syslog screen in the Web administration interface in Barracuda Spam Firewall before firmware 3.5.10.016 allows remote attackers to inject arbitrary web script or HTML via the username field in a login attempt, related to the Monitor Web Syslog component.
unknown
2007-09-24
4.3CVE-2007-5058
BUGTRAQ
OTHER-REF
BID
XF
boesch-it -- SimpNews
Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php.
unknown
2007-09-26
4.3CVE-2007-4874
BUGTRAQ
OTHER-REF
OTHER-REF
boesch-it -- SimpNews
PHP -- PHP
SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via an certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows.
unknown
2007-09-27
5.0CVE-2007-5128
BUGTRAQ
OTHER-REF
OTHER-REF
boesch-it -- SimpGB
SimpGB 1.46.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain sensitive configuration information via a direct request for admin/cfginfo.php; and (2) download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.
unknown
2007-09-27
6.4CVE-2007-5129
BUGTRAQ
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
SECUNIA
XF
XF
boesch-it -- SimpGB
SimpGB 1.46.02 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php or (2) a direct request to admin/trailer.php, which reveals the path in various error messages.
unknown
2007-09-27
5.0CVE-2007-5130
BUGTRAQ
OTHER-REF
OTHER-REF
XF
Cisco -- Catalyst 7600
Cisco -- Catalyst 6500
Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended.
unknown
2007-09-27
5.0CVE-2007-5134
FULLDISC
CISCO
BID
SECTRACK
dBlog -- dBlog CMS
dBlog CMS, probably 2.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing an admin password hash via a direct request for dblog.mdb.
unknown
2007-09-21
5.0CVE-2007-5026
BUGTRAQ
OTHER-REF
Dibbler -- Dibbler
Dibbler 0.6.0 does not verify that certain length parameters are appropriate for buffer sizes, which allows remote attackers to trigger a buffer over-read and cause a denial of service (daemon crash), as demonstrated by incorrect behavior of the TSrvMsg constructor in SrvMessages/SrvMsg.cpp when (1) reading the option code and option length and (2) parsing options.
unknown
2007-09-21
5.0CVE-2007-5029
FULLDISC
OTHER-REF
BID
SECUNIA
Dibbler -- Dibbler
Multiple integer overflows in Dibbler 0.6.0 allow remote attackers to cause a denial of service (daemon crash) via packets containing options with large lengths, which trigger attempts at excessive memory allocation, as demonstrated by (1) the TSrvMsg constructor in SrvMessages/SrvMsg.cpp; the (2) TClntMsg, (3) TClntOptIAAddress, (4) TClntOptIAPrefix, (5) TOptVendorSpecInfo, and (6) TOptOptionRequest constructors; and the (7) TRelIfaceMgr::decodeRelayRepl, (8) TRelMsg::decodeOpts, and (9) TSrvIfaceMgr::decodeRelayForw methods.
unknown
2007-09-21
5.0CVE-2007-5030
FULLDISC
OTHER-REF
BID
SECUNIA
Dibbler -- Dibbler
The TSrvOptIA_NA::rebind method in SrvOptions/SrvOptIA_NA.cpp in Dibbler 0.6.0 allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via an invalid IA_NA option in a REBIND message.
unknown
2007-09-21
5.0CVE-2007-5031
FULLDISC
OTHER-REF
BID
SECUNIA
dragonfrugal -- DFD Cart
Multiple PHP remote file inclusion vulnerabilities in DFD Cart 1.1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the set_depth parameter to (1) app.lib/product.control/core.php/product.control.config.php, or (2) customer.browse.list.php or (3) customer.browse.search.php in app.lib/product.control/core.php/customer.area/.
unknown
2007-09-26
6.8CVE-2007-5098
MILW0RM
SECUNIA
EB Design Pty Ltd -- ebCrypt
A certain ActiveX control in EBCRYPT.DLL 2.0 in EB Design ebCrypt allows remote attackers to cause a denial of service (crash) via a string argument to the AddString method.
unknown
2007-09-26
4.3CVE-2007-5111
MILW0RM
OTHER-REF
BID
eGroupWare -- eGroupWare
Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.4.001 allow remote attackers to inject arbitrary web script or HTML via the cat_data[color] parameter to (1) preferences/inc/class.uicategories.inc.php and (2) admin/inc/class.uicategories.inc.php.
unknown
2007-09-26
4.3CVE-2007-5091
OTHER-REF
OTHER-REF
OTHER-REF
SECUNIA
Elinks -- Elinks
ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.
unknown
2007-09-21
4.3CVE-2007-5034
OTHER-REF
OTHER-REF
FlatNuke -- FlatNuke
Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request.
unknown
2007-09-26
4.3CVE-2007-5109
BUGTRAQ
Francisco Burzi -- PHP-Nuke
Cross-site request forgery (CSRF) vulnerability in admin.php in Francisco Burzi PHP-Nuke allows remote attackers to add administrative accounts via an AddAuthor action with modified add_name and add_radminsuper parameters.
unknown
2007-09-21
5.1CVE-2007-5032
BUGTRAQ
FrontAccounting -- FrontAccounting
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13., when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
unknown
2007-09-27
6.8CVE-2007-5117
MILW0RM
BID
SECUNIA
gdata -- InternetSecurity 2007
G DATA InternetSecurity 2007 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey and (2) NtOpenProcess kernel SSDT hooks.
unknown
2007-09-23
4.6CVE-2007-5041
BUGTRAQ
OTHER-REF
OTHER-REF
GreenSQL -- GreenSQL
Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL allow remote attackers to inject arbitrary web script or HTML via several vectors, as demonstrated by the (1) uname and (2) pass parameters in a login form, and (3) an unspecified "url value," leading to storage of XSS sequences in the database and display of these sequences in the alert section of the admin panel.
unknown
2007-09-24
4.3CVE-2007-5059
BUGTRAQ
BID
IBM -- Tivoli Storage Manager Client
Unspecified vulnerability in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2, when using "server-initiated prompted scheduling," allows remote attackers to read a client's data, aka IC53616.
unknown
2007-09-21
5.0CVE-2007-5022
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
XF
IceWarp -- Merak Mail Server
Cross-site scripting (XSS) vulnerability in the Webmail interface for IceWarp Merak Mail Server before 9.0.0 allows remote attackers to inject arbitrary JavaScript via a javascript: URI in an attribute of an element in an email message body, as demonstrated by the onload attribute in a BODY element.
unknown
2007-09-23
4.3CVE-2007-5046
OTHER-REF
BID
SECUNIA
ImageMagick -- ImageMagick
ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls.
unknown
2007-09-24
4.3CVE-2007-4985
IDEFENSE
MLIST
BID
ImageMagick -- ImageMagick
Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.
unknown
2007-09-24
6.8CVE-2007-4988
IDEFENSE
MLIST
BID
Inotify -- Inotify-tools
Buffer overflow in the inotifytools_snprintf function in src/inotifytools.c in the inotify-tools library before 3.11 allows context-dependent attackers to execute arbitrary code via a long filename.
unknown
2007-09-23
6.8CVE-2007-5037
OTHER-REF
SECUNIA
JSPWiki -- JSPWiki
JSPWiki 2.4.103 and 2.5.139-beta allows remote attackers to obtain sensitive information (full path) via an invalid integer in the version parameter to the default URI under attach/Main/.
unknown
2007-09-27
4.3CVE-2007-5119
BUGTRAQ
FULLDISC
OTHER-REF
SECUNIA
XF
JSPWiki -- JSPWiki
Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103 and 2.5.139-beta allow remote attackers to inject arbitrary web script or HTML via the (1) group and (2) members parameters in (a) NewGroup.jsp; the (3) edittime parameter in (b) Edit.jsp; the (4) edittime, (5) author, and (6) link parameters in (c) Comment.jsp; the (7) loginname, (8) wikiname, (9) fullname, and (10) email parameters in (d) UserPreferences.jsp and (e) Login.jsp; the (11) r1 and (12) r2 parameters in (f) Diff.jsp; and the (13) changenote parameter in (g) PageInfo.jsp.
unknown
2007-09-27
4.3CVE-2007-5120
BUGTRAQ
FULLDISC
OTHER-REF
BID
SECUNIA
XF
JSPWiki -- JSPWiki
Cross-site scripting (XSS) vulnerability in JSPWiki 2.5.139-beta allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to wiki-3/Login.jsp and unspecified other components.
unknown
2007-09-27
4.3CVE-2007-5121
BUGTRAQ
FULLDISC
OTHER-REF
BID
SECUNIA
XF
Kaspersky Lab -- Kaspersky Internet Security
Kaspersky Internet Security 7.0.0.125 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to (1) cause a denial of service (crash) and possibly gain privileges via the NtCreateSection kernel SSDT hook or (2) cause a denial of service (avp.exe service outage) via the NtLoadDriver kernel SSDT hook. NOTE: this issue may partially overlap CVE-2006-3074.
unknown
2007-09-23
4.4CVE-2007-5043
BUGTRAQ
OTHER-REF
OTHER-REF
KDE -- KDE
backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.
unknown
2007-09-21
6.8CVE-2007-4569
OTHER-REF
BID
Level One -- WBR3404TX
Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/ddns in the web management panel for the WBR3404TX broadband router with firmware R1.94p0vTIG allow remote attackers to inject arbitrary web script or HTML via the (1) DD or (2) DU parameter.
unknown
2007-09-21
4.3CVE-2007-5027
BUGTRAQ
Linux -- Kernel
The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded.
unknown
2007-09-26
4.9CVE-2007-5087
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
Linux -- Kernel
The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.
unknown
2007-09-26
4.0CVE-2007-5093
MLIST
MLIST
OTHER-REF
BID
Microsoft -- ISA Server
The SOCKS4 Proxy in Microsoft Internet Security and Acceleration (ISA) Server 2004 SP1 and SP2 allows remote attackers to obtain potentially sensitive information (the destination IP address of another user's session) via an empty packet.
unknown
2007-09-21
5.0CVE-2007-4991
OTHER-REF
BID
multimedia -- Dance Music module for phpNuke
Directory traversal vulnerability in index.php in the Dance Music module for phpNuke, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in an ACCEPT_FILE array parameter to modules.php.
unknown
2007-09-26
6.8CVE-2007-5092
BUGTRAQ
OTHER-REF
phpBB -- phpBB Plus
Multiple PHP remote file inclusion vulnerabilities in phpBB Plus 1.53, and 1.53a before 20070922, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) language/lang_german/lang_admin_album.php, (2) language/lang_english/lang_main_album.php, and (3) language/lang_english/lang_admin_album.php, different vectors than CVE-2007-5009.
unknown
2007-09-26
6.8CVE-2007-5100
OTHER-REF
FRSIRT
SECUNIA
phpBB XS -- phpBB XS
Cross-site scripting (XSS) vulnerability in profile.php in phpBB XS 2 allows remote attackers to inject arbitrary web script or HTML via the selfdes parameter in a profile_info editprofile action.
unknown
2007-09-21
6.8CVE-2007-5033
BUGTRAQ
BID
XF
phpMyProfiler -- phpMyProfiler
** DISPUTED ** PHP remote file inclusion vulnerability in include/plugin/block.t.php in Peter Schmidt phpmyProfiler 0.9.6b allows remote attackers to execute arbitrary PHP code via a URL in the pmp_rel_path parameter. NOTE: this issue is disputed by CVE because the applicable require_once is in a function that is not called on a direct request.
unknown
2007-09-26
6.8CVE-2007-5114
OTHER-REF
ROI Revolution -- Urchin
Cross-site scripting (XSS) vulnerability in session.cgi (aka the login page) in Google Urchin 5 5.7.03 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string, a different vulnerability than CVE-2007-4713. NOTE: this can be leveraged to capture login credentials in some browsers that support remembered (auto-completed) passwords.
unknown
2007-09-26
4.3CVE-2007-5112
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
ROI Revolution -- Urchin
report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112.
unknown
2007-09-26
5.0CVE-2007-5113