Vulnerability Summary for the Week of September 18, 2006
Released
Sep 25, 2006
Document ID
SB06-268
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vulnerability Severity:
| High Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| AEwebworks -- aeDating | Multiple PHP remote file inclusion vulnerabilities in AEDating 4.1, and possibly earlier versions, allow remote attackers to execute arbitrary PHP code via a URL in the dir[inc] parameter in (1) inc/design.inc.php or (2) inc/admin_design.inc.php. |
| 7.0 | CVE-2006-4870 OTHER-REF BID FRSIRT SECUNIA XF | ||
| All Enthusiast Inc -- ReviewPost PHP Pro | PHP remote file inclusion vulnerability in index.php in All Enthusiast ReviewPost 2.5 allows remote attackers to execute arbitrary PHP code via a URL in the RP_PATH parameter. |
| 7.0 | CVE-2006-4864 BUGTRAQ OTHER-REF FRSIRT SECUNIA XF | ||
| AlstraSoft -- E-Friends | Directory traversal vulnerability in chat/getStartOptions.php in AlstraSoft E-friends 4.85 allows remote attackers to include arbitrary local files and possibly execute arbitrary code via a .. (dot dot) sequence and trailing null (%00) byte in the lang parameter, as demonstrated by injecting PHP code into a log file. |
| 7.0 | CVE-2006-4913 OTHER-REF BID FRSIRT SECUNIA XF | ||
| Apple -- Mac OS X Server Apple -- Mac OS X | Multiple stack-based buffer overflows in the AirPort wireless driver on Apple Mac OS X 10.3.9 and 10.4.7 allow physically proximate attackers to execute arbitrary code by injecting crafted frames into a wireless network. |
| 7.0 | CVE-2006-3507 APPLE BID FRSIRT SECUNIA | ||
| Apple -- Mac OS X Server Apple -- Mac OS X | Heap-based buffer overflow in the AirPort wireless driver on Apple Mac OS X 10.4.7 allows physically proximate attackers to cause a denial of service (crash), gain privileges, and execute arbitrary code via a crafted frame that is not properly handled during scan cache updates. |
| 7.0 | CVE-2006-3508 APPLE BID FRSIRT SECUNIA | ||
| Apple -- Mac OS X Server Apple -- Mac OS X | Integer overflow in the API for the AirPort wireless driver on Apple Mac OS X 10.4.7 might allow physically proximate attackers to cause a denial of service (crash) or execute arbitrary code in third-party wireless software that uses the API via crafted frames. |
| 7.0 | CVE-2006-3509 APPLE BID FRSIRT SECUNIA | ||
| Artmedic Webdesign -- Artmedic Links | PHP remote file inclusion vulnerability in index.php in Artmedic Links 5.0 allows remote attackers to execute arbitrary PHP code via a URL in the id parameter, which is processed by the readfile function. |
| 7.0 | CVE-2006-4905 BUGTRAQ OTHER-REF SECTRACK XF | ||
| ASP Indir -- Tekman Portal | SQL injection vulnerability in uye_profil.asp in Tekman Portal (TR) 1.0 allows remote attackers to execute arbitrary SQL commands via the uye_id parameter. |
| 7.0 | CVE-2006-4916 OTHER-REF BID XF FRSIRT SECUNIA | ||
| Blojsom -- Blojsom | Multiple cross-site scripting (XSS) vulnerabilities in David Czarnecki Blojsom 2.31 allow remote attackers to inject arbitrary web script or HTML via the (1) blog-category-description, (2) blog-entry-title, (3) rss-enclosure-url, (4) technorati-tagsi, or (5) blog-category-name parameter in a blog post. |
| 7.0 | CVE-2006-4829 BUGTRAQ CERT-VN BID FRSIRT SECUNIA XF | ||
| Blojsom -- Blojsom | Directory traversal vulnerability in EditBlogTemplatesPlugin.java in David Czarnecki Blojsom 2.30 allows remote attackers to have an unknown impact by sending an HTTP request with a certain value of blogTemplate. |
| 7.0 | CVE-2006-4830 OTHER-REF | ||
| BolinOS -- BolinOS | PHP remote file inclusion vulnerability in system/_b/contentFiles/gBHTMLEditor.php in BolinOS 4.5.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gBRootPath parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. |
| 7.0 | CVE-2006-4851 FRSIRT XF | ||
| Cisco -- Intrusion Prevention System | Unspecified vulnerability in Cisco IPS 5.0 before 5.0(6p2) and 5.1 before 5.1(2), when running in inline or promiscuous mode, allows remote attackers to bypass traffic inspection via a "crafted sequence of fragmented IP packets". |
| 7.0 | CVE-2006-4911 CISCO CERT-VN BID FRSIRT SECTRACK SECUNIA XF | ||
| Codeworx Technologies -- DCP-Portal | Multiple PHP remote file inclusion vulnerabilities in DCP-Portal SE 6.0 allow remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) library/lib.php and (2) library/editor/editor.php. NOTE: the same primary issue can be used for full path disclosure with an invalid parameter that reveals the installation path in an error message. |
| 7.0 | CVE-2006-4837 BUGTRAQ BID | ||
| EasyPageCMS -- EasyPageCMS | SQL injection vulnerability in default.aspx in easypage allows remote attackers to execute arbitrary SQL commands via the srch parameter in the Search page. |
| 7.0 | CVE-2006-4862 BUGTRAQ | ||
| guanxiCRM -- guanxiCRM Business Solution | PHP remote file inclusion vulnerability in include/phpxd/phpXD.php in guanxiCRM 0.9.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the appconf[rootpath] parameter. |
| 7.0 | CVE-2006-4898 OTHER-REF BID XF | ||
| Haberx -- Haberx | SQL injection vulnerability in kategorix.asp in Haberx 1.02 through 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in kategorihaberx.asp. |
| 7.0 | CVE-2006-4853 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF | ||
| Hitweb -- Hitweb | Multiple PHP remote file inclusion vulnerabilities in Brian Fraval Hitweb 3.0 allow remote attackers to execute arbitrary PHP code via a URL in the REP_CLASS parameter to (1) index.php, (2) arbo.php, (3) framepoint.php, (4) genpage.php, (5) lienvalider.php, (6) appreciation.php, (7) partenariat.php, (8) rechercher.php, (9) projet.php, (10) propoexample.php, (11) refererpoint.php, or (12) top50.php. |
| 7.0 | CVE-2006-4848 BUGTRAQ BID | ||
| iDevSpot -- NixieAffiliate | IDevSpot NexieAffiliate 1.9 and earlier allows remote attackers to delete arbitrary affiliates via a modified id parameter to delete.php. |
| 7.0 | CVE-2006-4895 BUGTRAQ BID | ||
| Iodine -- Iodine | Unspecified vulnerability in IP over DNS is now easy (iodine) before 0.3.2 has unknown impact and attack vectors, related to "potential security problems." |
| 7.0 | CVE-2006-4831 OTHER-REF BID FRSIRT SECUNIA | ||
| Marc Cagninacci -- mcLinksCounter | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Marc Cagninacci mcLinksCounter 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the langfile parameter in (1) login.php, (2) stats.php, (3) detail.php, or (4) erase.php. NOTE: CVE and a third party dispute this vulnerability, because the langfile parameter is set to english.php in each file. |
| 7.0 | CVE-2006-4863 BUGTRAQ BUGTRAQ | ||
| MobilePublisherPHP -- MobilePublisherPHP | PHP remote file inclusion vulnerability in header.php in MobilePublisherPHP 1.5 RC2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter. |
| 7.0 | CVE-2006-4849 Milw0rm SECUNIA BID FRSIRT XF | ||
| Mohammed Mehdi Panjwani -- Complain Center | SQL injection vulnerability in loginprocess.asp in Mohammed Mehdi Panjwani Complain Center 1 allows remote attackers to execute arbitrary SQL commands via the (1) TxtUser (aka Username) and (2) TxtPass (aka Password) parameters in login.asp. |
| 7.0 | CVE-2006-4861 BUGTRAQ | ||
| Mozilla -- SeaMonkey Mozilla -- Firefox Mozilla -- Thunderbird | Heap-based buffer overflow in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a JavaScript regular expression with a "minimal quantifier." |
| 7.0 | CVE-2006-4565 OTHER-REF REDHAT REDHAT SECUNIA SECUNIA REDHAT BID FRSIRT SECTRACK SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA XF SGI UBUNTU SECUNIA | ||
| Mozilla -- SeaMonkey Mozilla -- Firefox | Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks. |
| 7.0 | CVE-2006-4568 OTHER-REF REDHAT SECUNIA SECUNIA REDHAT BID FRSIRT SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA XF SGI SECUNIA | ||
| Mozilla -- SeaMonkey Mozilla -- Thunderbird | Multiple unspecified vulnerabilities in Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allow remote attackers to cause a denial of service (crash), corrupt memory, and possibly execute arbitrary code via unspecified vectors, some of which involve JavaScript, and possibly large images or plugin data. |
| 7.0 | CVE-2006-4571 OTHER-REF REDHAT REDHAT SECUNIA SECUNIA REDHAT BID FRSIRT SECTRACK SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SGI UBUNTU SECUNIA | ||
| PhotoPost -- PHP Pro | PHP remote file inclusion vulnerability in zipndownload.php in PhotoPost 4.0 through 4.6 allows remote attackers to execute arbitrary PHP code via a URL in the PP_PATH parameter. |
| 7.0 | CVE-2006-4828 BUGTRAQ BID XF | ||
| PHP DocWriter -- PHP DocWriter | PHP remote file inclusion vulnerability in PHP DocWriter 0.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the script parameter. |
| 7.0 | CVE-2006-4912 OTHER-REF BID FRSIRT XF | ||
| phpBB XS -- phpBB XS | PHP remote file inclusion vulnerability in bb_usage_stats/includes/bb_usage_stats.php in phpBB XS 0.58 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter, a different vector than CVE-2006-4780. |
| 7.0 | CVE-2006-4893 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA | ||
| phpQuiz -- phpQuiz | PHP remote file inclusion vulnerability in index.php in Jule Slootbeek phpQuiz 0.01 allows remote attackers to execute arbitrary PHP code via a URL in the pagename parameter. |
| 7.0 | CVE-2006-4834 BUGTRAQ OTHER-REF BID FRSIRT XF | ||
| phpunity.postcard -- phpunity-postcard | PHP remote file inclusion vulnerability in phpunity-postcard.php in phpunity.postcard allows remote attackers to execute arbitrary PHP code via a URL in the gallery_path parameter. |
| 7.0 | CVE-2006-4869 OTHER-REF BID FRSIRT OSVDB SECUNIA | ||
| Qualiteam -- X-Cart | Dynamic variable evaluation vulnerability in cmpi.php in Qualiteam X-Cart 4.1.3 and earlier allows remote attackers to overwrite arbitrary program variables and execute arbitrary PHP code, as demonstrated by PHP remote file inclusion via the xcart_dir parameter. |
| 7.0 | CVE-2006-4904 OTHER-REF BID FRSIRT SECUNIA XF | ||
| Quicksilver Forums -- Quicksilver Forums | PHP remote file inclusion vulnerability in lib/activeutil.php in Quicksilver Forums (QSF) 1.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the set[include_path] parameter. |
| 7.0 | CVE-2006-4824 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF | ||
| Reamday Enterprises -- Magic News Pro | PHP remote file inclusion vulnerability in scripts/news_page.php in Reamday Enterprises Magic News Pro 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the script_path parameter. |
| 7.0 | CVE-2006-4823 OTHER-REF BID FRSIRT SECUNIA BUGTRAQ XF | ||
| Shadowed Portal -- Shadowed Portal | PHP remote file inclusion vulnerability in bottom.php in Shadowed Portal 5.599 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter. |
| 7.0 | CVE-2006-4826 Milw0rm BID XF OSVDB SECUNIA | ||
| Shadowed Portal -- Shadowed Portal | PHP remote file inclusion vulnerability in Shadowed Portal 5.599 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) footer.php and (2) header.php. NOTE: the provenance of this information is unknown; the details are obtained from third party information. The bottom.php parameter is already covered by CVE-2006-4826. |
| 7.0 | CVE-2006-4885 SECUNIA | ||
| Simple Discussion Board -- Simple Discussion Board | Multiple PHP remote file inclusion vulnerabilities in Simple Discussion Board 0.1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) env_dir parameter to (a) blank.php, (b) admin.php, or (c) builddb.php, and the (2) script_root parameter to blank.php. |
| 7.0 | CVE-2006-4918 OTHER-REF BID XF | ||
| Site@School -- Site@School | Multiple PHP remote file inclusion vulnerabilities in Site@School (S@S) 2.4.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to (1) starnet/modules/sn_allbum/slideshow.php, and (2) starnet/themes/editable/main.inc.php. |
| 7.0 | CVE-2006-4920 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA OSVDB OSVDB | ||
| Site@School -- Site@School | PHP remote file inclusion vulnerability in Site@School (S@S) 2.4.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to starnet/modules/include/include.php. NOTE: some of these details are obtained from third party information. |
| 7.0 | CVE-2006-4921 BUGTRAQ FRSIRT SECUNIA OSVDB | ||
| Techno Dreams -- Articles & Papers Package | SQL injection vulnerability in ArticlesTableview.asp in Techno Dreams Articles & Papers Package 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the key parameter. |
| 7.0 | CVE-2006-4891 BUGTRAQ OTHER-REF BID SECUNIA XF FRSIRT | ||
| Techno Dreams -- FAQ Manager Package | SQL injection vulnerability in faqview.asp in Techno Dreams FAQ Manager Package 1.0 allows remote attackers to execute arbitrary SQL commands via the key parameter. |
| 7.0 | CVE-2006-4892 BUGTRAQ OTHER-REF BID SECUNIA XF FRSIRT | ||
| Unak -- Unak CMS | Multiple PHP remote file inclusion vulnerabilities in UNAK-CMS 1.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the dirroot parameter to (1) fckeditor/editor/filemanager/browser/default/connectors/php/connector.php or (2) fckeditor/editor/dialog/fck_link.php. |
| 7.0 | CVE-2006-4890 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF | ||
| Verso NetPerformer -- Frame Relay Access Device ACT | Buffer overflow in the telnet service in Verso NetPerformer FRAD ACT SDM-95xx 7.xx (R1) and earlier, SDM-93xx 10.x.x (R2) and earlier, and SDM-92xx 9.x.x (R1) and earlier allows remote attackers to cause a denial of service (reboot) and possibly execute arbitrary code via a long username. |
| 8.0 | CVE-2006-4832 BUGTRAQ FULLDISC BID FRSIRT SECUNIA XF |
| Medium Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| Apple -- Mac OS X Server Apple -- Mac OS X | Buffer overflow in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via a long extension argument. |
| 4.9 | CVE-2006-4866 FULLDISC OTHER-REF BID | ||
| Apple -- Remote Desktop | Apple Remote Desktop (ARD) for Mac OS X 10.2.8 and later does not drop privileges on the remote machine while installing certain applications, which allows local users to bypass authentication and gain privileges by selecting the icon during installation. |
| 4.9 | CVE-2006-4887 BUGTRAQ BID XF | ||
| BolinOS -- BlinOS | PHP remote file inclusion vulnerability in system/_b/contentFiles/gBIndex.php in BolinOS 4.5.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gBRootPath parameter. |
| 5.6 | CVE-2006-4850 BUGTRAQ Milw0rm BID FRSIRT SECUNIA XF | ||
| Cisco -- Cisco Guard DDos Mitigation Appliance | Cross-site scripting (XSS) vulnerability in Cisco Guard DDoS Mitigation Appliance before 5.1(6), when anti-spoofing is enabled, allows remote attackers to inject arbitrary web script or HTML via certain character sequences in a URL that are not properly handled when the appliance sends a meta-refresh. |
| 4.7 | CVE-2006-4909 CISCO BID FRSIRT SECTRACK SECUNIA XF | ||
| Citrix -- Access Gateway AAC | Unspecified vulnerability in Citrix Access Gateway with Advanced Access Control (AAC) 4.2 before 20060914, when AAC is configured to use LDAP authentication, allows remote attackers to bypass authentication via unknown vectors. |
| 5.6 | CVE-2006-4846 CITRIX CITRIX BID FRSIRT SECTRACK SECUNIA XF | ||
| Claroline -- Claroline Dokeos -- Open Source Learning & Knowledge Management Tool | PHP remote file inclusion vulnerability in inc/claro_init_local.inc.php in Claroline 1.7.7 and earlier, as used in Dokeos and possibly other products, allows remote attackers to execute arbitrary PHP code via a URL in the extAuthSource[newUser] parameter. |
| 5.6 | CVE-2006-4844 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF OTHER-REF FRSIRT SECUNIA | ||
| ClickTech -- ClickBlog | SQL injection vulnerability in default.asp (aka the login page) in ClickTech ClickBlog 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) form_codeword (aka the Password field) parameters. |
| 4.7 | CVE-2006-4857 BUGTRAQ BID FRSIRT SECUNIA XF | ||
| Codeworx Technologies -- DCP-Portal | SQL injection vulnerability in login.php in DCP-Portal SE 6.0 allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: The lostpassword.php and calendar.php vectors are already covered by CVE-2005-3365, and the search.php vector is already covered by CVE-2005-4227. |
| 5.6 | CVE-2006-4836 BUGTRAQ BID | ||
| David Bennett -- PHP-Post | SQL injection vulnerability in profile.php in David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter. |
| 4.7 | CVE-2006-4879 BUGTRAQ BID | ||
| David Bennett -- PHP-Post | Multiple cross-site scripting (XSS) vulnerabilities in David Bennett PHP-Post (PHPp) 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the replyuser parameter in (a) pm.php; (2) the txt_jumpto parameter in (b) dropdown.php; the (3) txt_error and (4) txt_templatenotexist parameters in (c) template.php; the (5) split parameter in certain files, as demonstrated by (d) editprofile.php, (e) search.php, (f) index.php, and (g) pm.php; and the (6) txt_login parameter in (h) loginline.php; and allow remote authenticated users to inject arbitrary web script or HTML via the (7) txt_logout parameter in (i) loginline.php. |
| 4.7 | CVE-2006-4881 BUGTRAQ BID | ||
| Doctor Web Ltd -- Dr.WebScanner | Heap-based buffer overflow in SpIDer for Dr.Web Scanner for Linux 4.33, and possibly earlier versions, allows remote attackers to execute arbitrary code via an LHA archive with an extended header that contains a long directory name. |
| 4.7 | CVE-2006-4438 FULLDISC FRSIRT SECUNIA | ||
| George Lewe -- TeamCal Pro | PHP remote file inclusion vulnerability in includes/footer.html.inc.php in TeamCal Pro 2.8.001 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the tc_config[app_root] parameter. |
| 5.6 | CVE-2006-4845 OTHER-REF BID BID FRSIRT SECUNIA XF | ||
| Gnu -- Mailman | ** DISPUTED ** Format string vulnerability in Mailman before 2.1.9 allows attackers to execute arbitrary code via unspecified vectors. NOTE: the vendor has disputed this vulnerability, stating that it is "unexploitable." |
| 4.7 | CVE-2006-2191 MLIST MLIST | ||
| GNUTurk -- GNUTurk | SQL injection vulnerability in mods.php in GNUTurk 2G and earlier allows remote attackers to execute arbitrary SQL commands via the t_id parameter when the go parameter is "Forum." |
| 4.7 | CVE-2006-4867 OTHER-REF OTHER-REF BID FRSIRT SECUNIA | ||
| gzip -- gzip | Array index error in the make_table function in unlzh.c in the LZH decompression component in gzip 1.3.5, when running on certain platforms, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GZIP archive that triggers an out-of-bounds write, aka a "stack modification vulnerability." |
| 4.7 | CVE-2006-4335 OTHER-REF REDHAT UBUNTU DEBIAN FREEBSD SLACKWARE SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA MANDRIVA CERT-VN FRSIRT SECUNIA SECUNIA XF | ||
| gzip -- gzip | Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted leaf count table that causes a write to a negative index. |
| 4.7 | CVE-2006-4336 OTHER-REF REDHAT UBUNTU DEBIAN FREEBSD SLACKWARE SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA MANDRIVA CERT-VN FRSIRT SECUNIA SECUNIA XF | ||
| gzip -- gzip | Buffer overflow in the make_table function in the LHZ component in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted decoding table in a GZIP archive. |
| 4.7 | CVE-2006-4337 OTHER-REF REDHAT UBUNTU DEBIAN FREEBSD SLACKWARE SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA MANDRIVA FRSIRT SECUNIA SECUNIA | ||
| IDevSpot -- BizDirectory | Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot BizDirectory allow remote attackers to inject arbitrary web script or HTML via (1) the stylesheet parameter in Feed.php or (2) the message parameter in status.php. |
| 4.7 | CVE-2006-4883 BUGTRAQ BID XF FRSIRT SECTRACK SECUNIA | ||
| IDevSpot -- iSupport | Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot iSupport 1.8 allow remote attackers to inject arbitrary web script or HTML via (1) the suser parameter in support/rightbar.php, (2) the ticket_id parameter in support/open_tickets.php, and (3) the cons_page_title parameter in index.php. NOTE: the provenance of this information is unknown; the details are obtained from third party information. |
| 4.7 | CVE-2006-4884 BID | ||
| Ipswitch -- WS_FTP Server | Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands. |
| 4.2 | CVE-2006-4847 IPSWITCH FRSIRT SECUNIA XF BID OSVDB | ||
| Julian Roberts -- Charon Cart | SQL injection vulnerability in Review.asp in Julian Roberts Charon Cart 3 allows remote attackers to execute arbitrary SQL commands via the ProductID parameter. |
| 4.7 | CVE-2006-4882 BUGTRAQ BID FRSIRT SECTRACK SECUNIA XF | ||
| Jupiter CMS -- Jupiter CMS | Multiple cross-site scripting (XSS) vulnerabilities in Jupiter CMS allow remote attackers to inject arbitrary web script or HTML via the (1) language[Admin name] and (2) language[Admin back] parameters in (a) modules/blocks.php; the (3) language[Register title] and (4) language[Register title2] parameters in (b) modules/register.php; the (5) language[Mass-Email form title], (6) language[Mass-Email form desc], (7) language[Mass-Email form desc2] (8) language[Mass-Email form desc3], and (9) language[Mass-Email form desc4] parameters in (c) modules/mass-email.php; the (10) language[Forgotten title], (11) language[Forgotten desc], (12) language[Forgotten desc2], (13) language[Forgotten desc3], (14) language[Forgotten desc4], and (15) language[Forgotten desc5] parameters in (d) modules/register.php; and the (16) language[Search view desc], (17) language[Search view desc2], (18) language[Search view desc3], (19) language[Search view desc4], (20) language[Search view desc5], (21) language[Search view desc6], (22) language[Search view desc7], and (23) language[Search view desc8] parameters in (e) modules/search.php. |
| 4.7 | CVE-2006-4874 BUGTRAQ BID | ||
| Jupiter CMS -- Jupiter CMS | Multiple SQL injection vulnerabilities in Jupiter CMS allow remote attackers to execute arbitrary SQL commands via (1) the user name during login, or the (2) key or (3) fpwusername parameters in modules/register. |
| 4.7 | CVE-2006-4876 BUGTRAQ BID | ||
| Keyvan Janghorbani -- EShoppingPro | SQL injection vulnerability in search_run.asp in Keyvan1 (aka Keyvan Janghorbani) EShoppingPro 1.0 allows remote attackers to execute arbitrary SQL commands via the order parameter. |
| 4.7 | CVE-2006-4871 BUGTRAQ BID FRSIRT SECTRACK SECUNIA XF | ||
| Keyvan Janghorbani -- ECardPro | SQL injection vulnerability in search.asp in Keyvan1 (aka Keyvan Janghorbani) ECardPro 2.0 allows remote attackers to execute arbitrary SQL commands via the keyword parameter. |
| 4.7 | CVE-2006-4872 BUGTRAQ BID FRSIRT SECTRACK SECUNIA XF | ||
| Limbo CMS -- Limbo CMS | Multiple unspecified vulnerabilities in (1) index.php, (2) minixml.inc.php, (3) doc.inc.php, (4) element.inc.php, (5) node.inc.php, (6) treecomp.inc.php, (7) forum.html.php, (8) forum.php, (9) antihack.php, (10) content.php, (11) initglobals.php, and (12) imanager.php in Limbo (aka Lite Mambo) CMS 1.0.4.2 before 20060311 have unknown impact and attack vectors. |
| 4.9 | CVE-2006-4860 OTHER-REF OTHER-REF | ||
| MamboXChange -- Serverstat component | PHP remote file inclusion vulnerability in install.serverstat.php in the Serverstat (com_serverstat) 0.4.4 and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
| 5.6 | CVE-2006-4858 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA XF | ||
| Marc Logemann -- More.groupware | SQL injection vulnerability in modules/calendar/week.php in More.groupware 0.74 allows remote attackers to execute arbitrary SQL commands via the new_calendarid parameter. |
| 4.7 | CVE-2006-4906 OTHER-REF BID XF FRSIRT SECUNIA | ||
| Microsoft -- Internet Explorer | Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag. |
| 4.7 | CVE-2006-4868 OTHER-REF CERT-VN BID FRSIRT SECUNIA XF OTHER-REF SECTRACK BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ OTHER-REF OSVDB | ||
| Telekorn -- SignKorn Guestbook | Multiple PHP remote file inclusion vulnerabilities in Telekorn SignKorn Guestbook (SL) 1.3 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the dir_path parameter in (1) index.php, (2) includes/functions.gb.php, (3) includes/functions.admin.php, (4) includes/admin.inc.php, (5) help.php, (6) smile.php, (7) entry.php; (8) adminhelp0.php, (9) adminhelp1.php, (10) adminhelp2.php, and (11) adminhelp3.php in (a) help/en and (b) help/de directories; and the (12) preview.php, (13) log.php, (14) index.php, (15) config.php, and (16) admin.php in the (c) admin directory, a different set of vectors than CVE-2006-4788. |
| 5.6 | CVE-2006-4889 BUGTRAQ OTHER-REF BID XF | ||
| Vmist -- Downstat | Multiple PHP remote file inclusion vulnerabilities in Vmist Downstat 1.8 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the art parameter to (1) admin.php, (2) chart.php, (3) modes.php, or (4) stats.php. |
| 5.6 | CVE-2006-4827 Milw0rm BID FRSIRT SECUNIA XF |
| Low Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| A.l-Pifou -- A.l-Pifou | Directory traversal vulnerability in A.l-Pifou 1.8p2 allows remote attackers to read arbitrary files via ".." sequences in the ze_langue_02 cookie, as demonstrated by using the choix_lng parameter to choix_langue.php to indirectly set the cookie, then accessing livre_dor.php to trigger the inclusion from inc/change_lang_ck.php, possibly related to livre_livre.php. NOTE: the livre_livre.php relationship has been reported by some third party sources. |
| 1.9 | CVE-2006-4914 FULLDISC OSVDB SECUNIA BID FRSIRT | ||
| Bluview -- Blue Magic Board | Bluview Blue Magic Board (BMB) (aka BMForum) 5.5 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php, (2) header.php, (3) db_mysql_error.php, (4) langlist.php, (5) sendmail.php, or (6) style.php, which reveals the path in various error messages. |
| 2.3 | CVE-2006-4835 BUGTRAQ XF | ||
| Cisco -- Cisco IDS Cisco -- Cisco IPS | The web administration interface (mainApp) to Cisco IDS before 4.1(5c), and IPS 5.0 before 5.0(6p1) and 5.1 before 5.1(2) allows remote attackers to cause a denial of service (unresponsive device) via a crafted SSLv2 Client Hello packet. |
| 2.3 | CVE-2006-4910 CISCO BID FRSIRT SECTRACK SECUNIA XF | ||
| CMtextS -- CMtextS | CMtextS 1.0 and earlier stores users_logins/admin.txt under the web document root with insufficient access control, which allows remote attackers to obtain the administrator password. |
| 2.3 | CVE-2006-4897 OTHER-REF FRSIRT SECUNIA XF | ||
| Codeworx Technologies -- DCP-Portal | Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal SE 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) root_url and (2) dcp_version parameters in (a) admin/inc/footer.inc.php, and the root_url, (3) page_top_name, (4) page_name, and (5) page_options parameters in (b) admin/inc/header.inc.php. |
| 2.3 | CVE-2006-4838 BUGTRAQ BID | ||
| David Bennett -- PHP-Post | Variable overwrite vulnerability in David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to overwrite arbitrary program variables via multiple vectors that use the extract function, as demonstrated by the table_prefix parameter in (1) index.php, (2) profile.php, and (3) header.php. |
| 2.3 | CVE-2006-4877 BUGTRAQ BID | ||
| David Bennett -- PHP-Post | Directory traversal vulnerability in footer.php in David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to read arbitrary local files via a .. (dot dot) sequence in the template parameter. |
| 2.3 | CVE-2006-4878 BUGTRAQ BID | ||
| David Bennett -- PHP-Post | David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers to obtain sensitive information via a direct request for (1) footer.php, (2) template.php, or (3) lastvisit.php, which reveals the installation path in various error messages. |
| 2.3 | CVE-2006-4880 BUGTRAQ BID | ||
| Drupal -- Drupal Userreview module | Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview module before 1.19 2006/09/12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 2.3 | CVE-2006-4821 OTHER-REF FRSIRT SECUNIA BID XF | ||
| eMuSOFT -- emuCMS | Multiple cross-site scripting (XSS) vulnerabilities in index.php in eMuSOFT emuCMS 0.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) query or (2) page parameters. |
| 2.3 | CVE-2006-4822 OTHER-REF BID FRSIRT SECUNIA OSVDB | ||
| eSyndiCat Portal System -- eSyndiCat Portal System | Cross-site scripting (XSS) vulnerability in search.php in eSyndiCat Portal System allows remote attackers to inject arbitrary web script or HTML via the what parameter. |
| 2.3 | CVE-2006-4923 BUGTRAQ BID XF FRSIRT SECUNIA | ||
| gzip -- gzip | Unspecified vulnerability in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (crash) via a crafted GZIP (gz) archive, which results in a NULL dereference. |
| 2.3 | CVE-2006-4334 OTHER-REF REDHAT UBUNTU DEBIAN FREEBSD SLACKWARE SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA MANDRIVA CERT-VN SECUNIA SECUNIA XF | ||
| gzip -- gzip | unlzh.c in the LHZ component in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted GZIP archive. |
| 2.3 | CVE-2006-4338 OTHER-REF REDHAT UBUNTU DEBIAN FREEBSD SLACKWARE SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA MANDRIVA FRSIRT OSVDB SECUNIA SECUNIA | ||
| HP -- HP-UX | Unspecified vulnerability in X.25 on HP-UX B.11.00, B.11.11, and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. |
| 1.6 | CVE-2006-4820 HP BID FRSIRT SECTRACK SECUNIA XF | ||
| iDevSpot -- NixieAffiliate | Cross-site scripting (XSS) vulnerability in forms/lostpassword.php in iDevSpot NixieAffiliate 1.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter. |
| 2.3 | CVE-2006-4894 BUGTRAQ BID | ||
| Innovate Portal -- Innovate Portal | Cross-site scripting (XSS) vulnerability in index.php in Innovate Portal 2.0 allows remote attackers to inject arbitrary web script or HTML via the content parameter. |
| 2.3 | CVE-2006-4915 BUGTRAQ BID XF | ||
| Jupiter CMS -- Jupiter CMS | Jupiter CMS allows remote attackers to obtain sensitive information via a direct request for (1) includes/functions.php, (2) modules/register.php, (3) modules/poll.php, (4) modules/panel.php, (5) modules/pm.php, (6) modules/news.php, (7) modules/templates_change.php, (8) modules/users.php, (9) modules/misc.php, (10) modules/masspm.php, (11) modules/mass-email.php, (12) modules/main-nav.php, (13) modules/login.php, (14) modules/layout.php, (15) modules/hq.php, (16) modules/forum.php, (17) modules/forum-admin.php, (18) modules/events.php, (19) modules/emoticons.php, (20) modules/download.php, (21) modules/blocks.php, (22) modules/ban.php, (23) modules/badwords.php, (24) modules/ads.php, or (25) modules/admin.php, which reveals the installation path in various error messages. NOTE: The modules/online.php vector is already covered by CVE-2006-1679. |
| 2.3 | CVE-2006-4873 BUGTRAQ BID | ||
| Jupiter CMS -- Jupiter CMS | Unrestricted file upload vulnerability in modules/galleryuploadfunction.php in Jupiter CMS allows remote attackers to upload picture files, and possibly files with arbitrary extensions, to gallery/albums/public. |
| 2.3 | CVE-2006-4875 BUGTRAQ BID | ||
| Limbo CMS -- Limbo CMS | Unrestricted file upload vulnerability in contact.html.php in the Contact (com_contact) component in Limbo (aka Lite Mambo) CMS 1.0.4.2L and earlier allows remote attackers to upload PHP code to the images/contact folder via a filename with a double extension in the contact_attach parameter in a contact option in index.php, which bypasses an insufficiently restrictive regular expression. |
| 2.3 | CVE-2006-4859 OTHER-REF BID | ||
| Linux -- Linux kernel | The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745. NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch. |
| 2.3 | CVE-2006-4535 OTHER-REF UBUNTU BID OTHER-REF SECUNIA XF | ||
| McAfee -- VirusScan Enterprise McAfee -- McAfee Scan Engine | The VirusScan On-Access Scan component in McAfee VirusScan Enterprise 7.1.0 and Scan Engine 4.4.00 allows local privileged users to bypass security restrictions and disable the On-Access Scan option by opening the program via the task bar and quickly clicking the Disable button, possibly due to an interface-related race condition. |
| 3.9 | CVE-2006-4886 BUGTRAQ XF | ||
| Microsoft -- Internet Explorer | Microsoft Internet Explorer 6 and earlier allows remote attackers to cause a denial of service (application hang) via a CSS-formatted HTML INPUT element within a DIV element that has a larger size than the INPUT. |
| 2.3 | CVE-2006-4888 BUGTRAQ OTHER-REF OSVDB | ||
| Mozilla -- Network Security Services (NSS) Mozilla -- SeaMonkey Mozilla -- Firefox Mozilla -- Thunderbird | Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. |
| 2.3 | CVE-2006-4340 MLIST OTHER-REF OTHER-REF REDHAT REDHAT SECUNIA SECUNIA REDHAT FRSIRT FRSIRT SECTRACK SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SGI UBUNTU SECUNIA | ||
| Mozilla -- SeaMonkey Mozilla -- Firefox Mozilla -- Thunderbird | Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allows remote attackers to cause a denial of service (crash) via a malformed JavaScript regular expression that ends with a backslash in an unterminated character set ("[\\"), which leads to a buffer over-read. |
| 2.3 | CVE-2006-4566 OTHER-REF REDHAT REDHAT SECUNIA SECUNIA REDHAT BID FRSIRT SECTRACK SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA XF SGI UBUNTU SECUNIA | ||
| Mozilla -- Firefox Mozilla -- Thunderbird | Mozilla Firefox before 1.5.0.7 and Thunderbird before 1.5.0.7 makes it easy for users to accept self-signed certificates for the auto-update mechanism, which might allow remote user-assisted attackers to use DNS spoofing to trick users into visiting a malicious site and accepting a malicious certificate for the Mozilla update site, which can then be used to install arbitrary code on the next update. |
| 1.9 | CVE-2006-4567 OTHER-REF REDHAT SECUNIA SECUNIA REDHAT BID FRSIRT SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA XF UBUNTU | ||
| Mozilla -- Firefox | The popup blocker in Mozilla Firefox before 1.5.0.7 opens the "blocked popups" display in the context of the Location bar instead of the subframe from which the popup originated, which might make it easier for remote user-assisted attackers to conduct cross-site scripting (XSS) attacks. |
| 2.3 | CVE-2006-4569 OTHER-REF SECUNIA REDHAT BID SECTRACK SECUNIA XF | ||
| Mozilla -- SeaMonkey Mozilla -- Thunderbird | Mozilla Thunderbird before 1.5.0.7 and SeaMonkey before 1.0.5, with "Load Images" enabled, allows remote user-assisted attackers to bypass settings that disable JavaScript via a remote XBL file in a message that is loaded when the user views, forwards, or replies to the original message. |
| 1.9 | CVE-2006-4570 OTHER-REF REDHAT REDHAT BID SECTRACK SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA XF SGI UBUNTU SECUNIA | ||
| Ohio State University -- server | OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive information via a URL to a non-existent file, which displays the web root path in the resulting error message. |
| 2.3 | CVE-2006-4907 BUGTRAQ SECUNIA XF | ||
| Ohio State University -- OSU httpd | OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive information via a URL containing an * (asterisk) wildcard, which displays all matching file and directory information. |
| 2.3 | CVE-2006-4908 BUGTRAQ SECUNIA XF | ||
| phpQuiz -- phpQuiz | Walter Beschmout PhpQuiz allows remote attackers to obtain sensitive information via a direct request to cfgphpquiz/install.php and other unspecified vectors. |
| 2.3 | CVE-2006-4865 BUGTRAQ | ||
| PT News -- PT News | Cross-site scripting (XSS) vulnerability in search.php in PT News 1.7.8 allows remote attackers to inject arbitrary web script or HTML via the pgname parameter. |
| 2.3 | CVE-2006-4917 BUGTRAQ BID FRSIRT SECUNIA XF | ||
| QuadComm -- Q-Shop | SQL injection vulnerability in browse.asp in QuadComm Q-Shop 3.5 allows remote attackers to execute arbitrary SQL commands via the OrderBy parameter. |
| 2.3 | CVE-2006-4852 BUGTRAQ Milw0rm BID SECUNIA XF FRSIRT OSVDB | ||
| Roller WebLogger -- Roller WebLogger | Multiple cross-site scripting (XSS) vulnerabilities in Roller WebLogger 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, or (3) url parameters; (4) certain content parameters in the preview method; or (5) the q parameter in (a) sitesearch.do. |
| 2.3 | CVE-2006-4856 BUGTRAQ OTHER-REF OTHER-REF CERT-VN BID FRSIRT SECUNIA | ||
| Site@School -- Site@School | Directory traversal vulnerability in starnet/editors/htmlarea/popups/images.php in Site@School (S@S) 2.4.02 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter. |
| 1.9 | CVE-2006-4919 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA | ||
| Site@School -- Site@School | Unrestricted file upload vulnerability in starnet/editors/htmlarea/popups/images.php in Site@School (S@S) 2.4.02 and earlier allows remote attackers to upload and execute arbitrary files with executable extensions. |
| 2.3 | CVE-2006-4922 BUGTRAQ OTHER-REF BID | ||
| SoftComplex -- PHP Event Calendar | Multiple cross-site scripting (XSS) vulnerabilities in cl_files/index.php in SoftComplex PHP Event Calendar 1.5.1, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) ti, (2) bi, or (3) cbgi parameters. |
| 2.3 | CVE-2006-4825 BUGTRAQ BID SECUNIA XF | ||
| Symantec -- Norton Personal Firewall Symantec -- Norton Internet Security | The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 9.1.0.33, and possibly other versions of Norton Personal Firewall and Norton Internet Security, allows local users to cause a denial of service (system crash) via invalid data, as demonstrated by calling DeviceIoControl to send the data. |
| 2.3 | CVE-2006-4855 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA | ||
| Usermin -- Usermin | Usermin before 1.220 (20060629) allows remote attackers to read arbitrary files, possibly related to chfn/save.cgi not properly handling an empty shell parameter, which results in changing root's shell instead of the shell of a specified user. |
| 3.3 | CVE-2006-4246 OTHER-REF SOURCEFORGE OTHER-REF DEBIAN BID SECUNIA SECUNIA FRSIRT XF | ||
| Verso NetPerformer -- Frame Relay Access Device ACT | Verso NetPerformer FRAD ACT SDM-95xx 7.xx (R1) and earlier, SDM-93xx 10.x.x (R2) and earlier, and SDM-92xx 9.x.x (R1) and earlier allow remote attackers to cause a denial of service (hang or reboot) via an ICMP packet with the same destination and source address and port, aka the "Land" vulnerability. |
| 3.3 | CVE-2006-4833 BUGTRAQ FULLDISC BID FRSIRT SECUNIA XF | ||
| Zope -- Zope | The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458. |
| 2.3 | CVE-2006-4684 MLIST OTHER-REF DEBIAN FRSIRT SECUNIA SECUNIA |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.