Weekly Vulnerabilities Reports > October 9 to 15, 2006

Overview

123 new vulnerabilities were reported during this period, including 14 critical vulnerabilities and 54 high severity vulnerabilities. This weekly summary reports vulnerabilities in 145 products from 92 vendors, including Microsoft, SUN, Invision Power Services, Eazy Cart, and Adobe. Notable vulnerability categories include "Code Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", "Cross-site Scripting", and "Use After Free".

  • 112 reported vulnerabilities are remotely exploitable.
  • 54 reported vulnerabilities have a public exploit available.
  • 4 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 120 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 17 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 10 reported vulnerabilities.


Vulnerability Details

The following table lists the vulnerabilities reported during the period covered by this report:

14 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-10-13 CVE-2006-5288 Cisco Unspecified vulnerability in Cisco 2700 Wireless Location Appliance 1.1.73.0

Cisco 2700 Series Wireless Location Appliances before 2.1.34.0 have a default administrator username "root" and password "password," which allows remote attackers to obtain administrative privileges, aka Bug ID CSCsb92893.

10.0
2006-10-10 CVE-2006-4812 PHP Code Injection vulnerability in PHP

Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c).

10.0
2006-10-10 CVE-2006-4693 Microsoft Remote Code Execution vulnerability in Microsoft Word Mac

Unspecified vulnerability in Microsoft Word 2004 for Mac and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word file, a different issue than CVE-2006-3647 and CVE-2006-3651.

9.3
2006-10-10 CVE-2006-3877 Microsoft Code Injection vulnerability in Microsoft products

Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via an unspecified "crafted file," a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876.

9.3
2006-10-10 CVE-2006-3864 Microsoft Remote Code Execution vulnerability in Microsoft Office Malformed Record

Unspecified vulnerability in mso.dll in Microsoft Office 2000, XP, and 2003, and Microsoft PowerPoint 2000, XP, and 2003, allows remote user-assisted attackers to execute arbitrary code via a malformed record in a (1) .DOC, (2) .PPT, or (3) .XLS file that triggers memory corruption, related to an "array boundary condition" (possibly an array index overflow), a different vulnerability than CVE-2006-3434, CVE-2006-3650, and CVE-2006-3868.

9.3
2006-10-10 CVE-2006-3651 Microsoft Remote Code Execution vulnerability in Microsoft Word Mail Merge

Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via a crafted mail merge file, a different vulnerability than CVE-2006-3647 and CVE-2006-4693.

9.3
2006-10-10 CVE-2006-3650 Microsoft Code Injection vulnerability in Microsoft Office

Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac do not properly parse the length of a chart record, which allows remote user-assisted attackers to execute arbitrary code via a Word document with an embedded malformed chart record that triggers an overwrite of pointer values with values from the document, a different vulnerability than CVE-2006-3434, CVE-2006-3864, and CVE-2006-3868.

9.3
2006-10-10 CVE-2006-3647 Microsoft Numeric Errors vulnerability in Microsoft Office

Integer overflow in Microsoft Word 2000, 2002, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word document, which overflows a 16-bit integer length value, aka "Memmove Code Execution," a different vulnerability than CVE-2006-3651 and CVE-2006-4693.

9.3
2006-10-10 CVE-2006-3434 Microsoft Remote Code Execution vulnerability in Microsoft Office Improper Memory Access

Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string that triggers memory corruption.

9.3
2006-10-10 CVE-2006-3876 Microsoft Code Injection vulnerability in Microsoft Office

Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via a crafted Data record in a PPT file, a different vulnerability than CVE-2006-3435 and CVE-2006-4694.

9.3
2006-10-10 CVE-2006-3435 Microsoft Code Injection vulnerability in Microsoft Office

PowerPoint in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac does not properly parse the slide notes field in a document, which allows remote user-assisted attackers to execute arbitrary code via crafted data in this field, which triggers an erroneous object pointer calculation that uses data from within the document.

9.3
2006-10-10 CVE-2006-5177 Mailenable Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mailenable Enterprise and Mailenable Professional

The NTLM authentication in MailEnable Professional 2.0 and Enterprise 2.0 allows remote attackers to (1) execute arbitrary code via unspecified vectors involving crafted base64 encoded NTLM Type 3 messages, or (2) cause a denial of service via crafted base64 encoded NTLM Type 1 messages, which trigger a buffer over-read.

9.3
2006-10-10 CVE-2006-5176 Mailenable Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mailenable Enterprise and Mailenable Professional

Buffer overflow in NTLM authentication in MailEnable Professional 2.0 and Enterprise 2.0 allows remote attackers to execute arbitrary code via "the signature field of NTLM Type 1 messages".

9.3
2006-10-10 CVE-2006-4696 Microsoft Code Injection vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

Unspecified vulnerability in the Server service in Microsoft Windows 2000 SP4, Server 2003 SP1 and earlier, and XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted packet, aka "SMB Rename Vulnerability."

9.0

54 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-10-12 CVE-2006-5248 Eazy Cart Information Disclosure vulnerability in Eazy Cart Eazy Cart 2.01

Eazy Cart stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a customer database via a direct request for admin/config/customer.dat.

7.8
2006-10-11 CVE-2006-5233 Polycom Denial Of Service vulnerability in Polycom Soundpoint IP 301 1.4.1.0040

Polycom SoundPoint IP 301 VoIP Desktop Phone, firmware version 1.4.1.0040, allows remote attackers to cause a denial of service (reboot) via (1) a long URL sent to the HTTP daemon and (2) unspecified manipulations as demonstrated by the Nessus http_fingerprinting_hmap.nasl script.

7.8
2006-10-11 CVE-2006-5231 Grandstream Denial Of Service vulnerability in Grandstream Gxp-2000 1.1.0.5

Grandstream GXP-2000 VoIP Desktop Phone, firmware version 1.1.0.5, allows remote attackers to cause a denial of service (hang or reboot) via a large amount of ASCII data sent to port (1) 5060/UDP, (2) 5062/UDP, (3) 5064/UDP, (4) 5066/UDP, (5) 9876/UDP, or (6) 26789/UDP.

7.8
2006-10-10 CVE-2006-5196 Motorola Remote Denial of Service vulnerability in Motorola Surfboard Sb4200

The HTTP interface in the Motorola SURFboard SB4200 Cable Modem allows remote attackers to cause a denial of service (device crash) via a request with MfcISAPICommand set to SecretProc and a long string in the Secret parameter.

7.8
2006-10-10 CVE-2006-5175 Buffalotech Cross-Site Request Forgery (CSRF) vulnerability in Buffalotech Terastation Hd-Htgl Firmware 2.05Beta1

Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors.

7.6
2006-10-13 CVE-2006-5290 Xerox Unspecified vulnerability in Xerox products

The ESS/ Network Controller and MicroServer Web Server components of Xerox WorkCentre and WorkCentre Pro 232, 238, 245, 255, 265 and 275 allow remote attackers to bypass authentication and execute arbitrary code via "WebUI command injection on TCP/IP hostname."

7.5
2006-10-13 CVE-2006-5289 Vtiger Remote File Include vulnerability in Vtiger CRM 4.2

Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php.

7.5
2006-10-13 CVE-2006-5285 Xeoport SQL Injection vulnerability in XeoPort

SQL injection vulnerability in index.php in XeoPort 0.81, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the xp_body_text parameter.

7.5
2006-10-13 CVE-2006-5283 Minichat Remote File Include vulnerability in Minichat 6.0

PHP remote file inclusion vulnerability in ftag.php in Minichat 6.0 allows remote attackers to execute arbitrary PHP code via a URL in the mostrar parameter.

7.5
2006-10-13 CVE-2006-5282 SH News Remote File Include vulnerability in SH-News Scriptpath Parameter

Multiple PHP remote file inclusion vulnerabilities in SH-News 3.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the scriptpath parameter to (1) report.php, (2) archive.php, (3) comments.php, (4) init.php, or (5) news.php.

7.5
2006-10-13 CVE-2006-5281 Navyism Remote File Include vulnerability in N@Board Naboard_PNR.PHP

PHP remote file inclusion vulnerability in naboard_pnr.php in n@board 3.1.9e and earlier allows remote attackers to execute arbitrary PHP code via a URL in the skin parameter.

7.5
2006-10-12 CVE-2006-5263 Phpmyagenda Local File Include vulnerability in PhpMyAgenda Language

Directory traversal vulnerability in templates/header.php3 in phpMyAgenda 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a ..

7.5
2006-10-12 CVE-2006-5261 Phpmynews Remote File Include vulnerability in PHPMyNews CFG_INCLUDE_DIR

Multiple PHP remote file inclusion vulnerabilities in PHPMyNews 1.4 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the cfg_include_dir parameter in (1) disp_form.php3, (2) disp_smileys.php3, (3) little_news.php3, and (4) index.php3 in include/.

7.5
2006-10-12 CVE-2006-5260 Compteur Remote Security vulnerability in Compteur 2

PHP remote file inclusion vulnerability in compteur.php in Compteur 2 allows remote attackers to execute arbitrary PHP code via a URL in the cp parameter.

7.5
2006-10-12 CVE-2006-5259 Compteur Remote File Include vulnerability in Compteur 2

PHP remote file inclusion vulnerability in param_editor.php in Compteur 2 allows remote attackers to execute arbitrary PHP code via a URL in the folder parameter.

7.5
2006-10-12 CVE-2006-5257 Ciamos Remote File Include vulnerability in Ciamos CMS Config.PHP

PHP remote file inclusion vulnerability in modules/forum/include/config.php in Ciamos Content Management System (CMS) 0.9.6b and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_cache_path parameter.

7.5
2006-10-12 CVE-2006-5256 Claroline Remote File Include vulnerability in Claroline Import.lib.PHP

PHP remote file inclusion vulnerability in claroline/inc/lib/import.lib.php in Claroline 1.8.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the includePath parameter.

7.5
2006-10-12 CVE-2006-5254 Mamboxchange Remote File Include vulnerability in Extended Registration Component mosConfig_absolute_path

PHP remote file inclusion vulnerability in registration_detailed.inc.php in Mark Van Bellen Detailed User Registration (com_registration_detailed), aka regdetailed, 4.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.

7.5
2006-10-12 CVE-2006-5253 Dayana Networks Remote Security vulnerability in Dayana Networks PHPonline 2.1

PHP remote file inclusion vulnerability in strload.php in Dayana Networks phpOnline (aka PHP-Online) 2.1 allows remote attackers to execute arbitrary PHP code via a URL in the LangFile parameter.

7.5
2006-10-12 CVE-2006-5251 Deep CMS Remote File Include vulnerability in Deep CMS Deep CMS 2.0A

PHP remote file inclusion vulnerability in index.php in Deep CMS 2.0a allows remote attackers to execute arbitrary PHP code via a URL in the ConfigDir parameter.

7.5
2006-10-12 CVE-2006-5249 Tagit Remote File Include vulnerability in Tagit Tagboard 2.1.Bbuild2

PHP remote file inclusion vulnerability in tagmin/delTagUser.php in TagIt! Tagboard 2.1.B Build 2 (tagit2b) allows remote attackers to execute arbitrary PHP code via a URL in the configpath parameter.

7.5
2006-10-12 CVE-2006-5245 Eazy Cart Security Bypass vulnerability in Eazy Cart

Eazy Cart allows remote attackers to bypass authentication and gain administrative access via a direct request for admin/home/index.php, and possibly other PHP scripts under admin/.

7.5
2006-10-12 CVE-2006-5243 Opendock Remote File Include vulnerability in Easy Doc Doc_Directory Parameter

Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Doc 1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the doc_directory parameter in (1) down_stat.php, (2) file.php, (3) find_file.php, (4) lib_file.php, and (5) lib_form_file.php in sw/lib_up_file/; (6) find_comment.php, (7) comment.php, and (8) lib_comment.php in sw/lib_comment/; (9) sw/lib_find/find.php; and other unspecified PHP scripts.

7.5
2006-10-12 CVE-2006-5242 Etomite SQL Injection vulnerability in Etomite 0.6

SQL injection vulnerability in Etomite Content Management System (CMS) before 0.6.1.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2006-10-11 CVE-2006-5235 Dimension OF Phpbb Remote Security vulnerability in Dimension of phpBB

PHP remote file inclusion vulnerability in includes/functions_kb.php in Dimension of phpBB 0.2.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

7.5
2006-10-11 CVE-2006-5230 Freeforum Remote File Include vulnerability in FreeForum FPath Variable

PHP remote file inclusion vulnerability in forum.php in FreeForum 0.9.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter.

7.5
2006-10-10 CVE-2006-3888 AOL Buffer Overflow vulnerability in AOL You've Got Pictures ActiveX Controls

Buffer overflow in AOL You've Got Pictures (YGP) Pic Downloader YGPPDownload ActiveX control (AOL.PicDownloadCtrl.1, YGPPicDownload.dll), as used in America Online 9.0 Security Edition, allows remote attackers to execute arbitrary code via a long argument to the SetAlbumName method.

7.5
2006-10-10 CVE-2006-3887 AOL Buffer Overflow vulnerability in AOL You've Got Pictures ActiveX Controls

Buffer overflow in AOL You've Got Pictures (YGP) Screensaver ActiveX control allows remote attackers to execute arbitrary code via unspecified vectors.

7.5
2006-10-10 CVE-2006-4686 Microsoft Buffer Overrun vulnerability in Microsoft XML Core Services and XML Parser

Buffer overflow in the Extensible Stylesheet Language Transformations (XSLT) processing in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted Web page.

7.5
2006-10-10 CVE-2006-5228 ROB Hensley SQL Injection vulnerability in Ackertodo 4.0/4.2

Multiple SQL injection vulnerabilities in the Google Gadget login.php (gadget/login.php) in Rob Hensley ackerTodo 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) up_login, (2) up_pass, or (3) up_num_tasks parameters.

7.5
2006-10-10 CVE-2006-5226 Freenews Remote File Include vulnerability in Freenews 1.1

PHP remote file inclusion vulnerability in moteur/moteur.php in Prologin.fr Freenews 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter.

7.5
2006-10-10 CVE-2006-5225 AAI Portal SQL Injection vulnerability in Aai-Portal Aaiportal 1.3.2

Multiple SQL injection vulnerabilities in AAIportal before 1.4.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2006-10-10 CVE-2006-5224 Dimitri Seitz Remote File Include vulnerability in Dimitri Seitz Security Suite IP Logger 1.0.0

PHP remote file inclusion vulnerability in includes/logger_engine.php in Dimitri Seitz Security Suite IP Logger 1.0.0 in dwingmods for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

7.5
2006-10-10 CVE-2006-5223 Nivisec Remote File Include vulnerability in Nivisec User Viewed Posts Tracker 1.0

PHP remote file inclusion vulnerability in includes/functions_user_viewed_posts.php in the Nivisec User Viewed Posts Tracker module 1.0 and earlier for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

7.5
2006-10-10 CVE-2006-5222 Dimension OF Phpbb Remote File Include vulnerability in Dimension of PHPbb Dimension of PHPbb 0.2.6

Multiple PHP remote file inclusion vulnerabilities in Dimension of phpBB 0.2.6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) includes/themen_portal_mitte.php or (2) includes/logger_engine.php.

7.5
2006-10-10 CVE-2006-5221 Cahier DE Textes SQL Injection vulnerability in Cahier DE Textes Cahier DE Textes 2.0

Multiple SQL injection vulnerabilities in Cahier de texte 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) matiere_ID parameter in lire.php or the (2) classe_ID parameter in lire_a_faire.php.

7.5
2006-10-10 CVE-2006-5217 Emek Portal SQL Injection vulnerability in Emek Portal Emek Portal 2.1

SQL injection vulnerability in giris_yap.asp in Emek Portal 2.1 allows remote attackers to execute arbitrary SQL commands by simultaneously injecting into the user name and pass fields in uyegiris.asp, also known as the Kullanici Adi (k_a) and Sifre (sifre) parameters.

7.5
2006-10-10 CVE-2006-5216 Sergey Lyubka Remote Buffer Overflow vulnerability in Sergey Lyubka Simple Httpd 1.34

Stack-based buffer overflow in Sergey Lyubka Simple HTTPD (shttpd) 1.34 allows remote attackers to execute arbitrary code via a long URI.

7.5
2006-10-10 CVE-2006-5209 Phpbb Group Remote Security vulnerability in phpBB

PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier, as used in phpBB 2.0 up to 2.0.21, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

7.5
2006-10-10 CVE-2006-5208 Deltascripts SQL Injection vulnerability in Deltascripts PHP Classifieds 7.1

Multiple SQL injection vulnerabilities in PHP Classifieds 7.1 allow remote attackers to execute arbitrary SQL commands via (1) the catid_search parameter in search.php and (2) the catid parameter in index.php.

7.5
2006-10-10 CVE-2006-5206 Invision Power Services SQL Injection vulnerability in Invision Gallery

SQL injection vulnerability in Invision Gallery 2.0.7 allows remote attackers to execute arbitrary SQL commands via the album parameter in (1) index.php and (2) forum/index.php, when the rate command in the gallery automodule is used.

7.5
2006-10-10 CVE-2006-5193 Wikyblog Remote File Include vulnerability in RETIRED: WikyBlog

PHP remote file inclusion vulnerability in index.php in Josh Schmidt WikyBlog 1.2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the includeDir parameter.

7.5
2006-10-10 CVE-2006-5192 Phpgreetz Remote File Include vulnerability in PHPGreetz Footer.PHP

PHP remote file inclusion vulnerability in includes/footer.php in phpGreetz 0.99 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the PHPGREETZ_INCLUDE_DIR parameter.

7.5
2006-10-10 CVE-2006-5189 Klinza Remote File Include vulnerability in Klinza Professional CMS Show_Hlp.PHP

PHP remote file inclusion vulnerability in funzioni/lib/show_hlp.php in klinza professional cms 5.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the appl[APPL] parameter.

7.5
2006-10-10 CVE-2006-5187 Bulletin Board ACE Remote File Include vulnerability in Bulletin Board ACE Bulletin Board ACE 3.4

PHP remote file inclusion vulnerability in includes/functions.php in Bulletin Board Ace (BBaCE) 3.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

7.5
2006-10-10 CVE-2006-5185 Hamweather Unspecified vulnerability in Hamweather 3.9.8.3

Eval injection vulnerability in Template.php in HAMweather 3.9.8.4 and earlier allows remote attackers to execute arbitrary code via a modified query string, which is supplied to an eval function call within the do_parse_code function.

7.5
2006-10-10 CVE-2006-5183 Dayfox Designs Remote Security vulnerability in Dayfox Designs Dayfox Blog 2.0

Multiple PHP remote file inclusion vulnerabilities in Dayfox Designs Dayfox Blog 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the slogin parameter in the (1) adminlog.php, (2) postblog.php, (3) index.php, or (4) index2.php script in /edit.

7.5
2006-10-10 CVE-2006-5182 DAN Jensen Remote File Include vulnerability in Travelsized CMS Frontpage.PHP

PHP remote file inclusion vulnerability in frontpage.php in Dan Jensen Travelsized CMS 0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the setup_folder parameter.

7.5
2006-10-10 CVE-2006-5181 Joshua Muheim Unspecified vulnerability in Joshua Muheim PHPmywebmin 1.0

Multiple PHP remote file inclusion vulnerabilities in Joshua Muheim phpMyWebmin 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the target parameter in (1) change_preferences2.php, (2) create_file.php, (3) upload_local.php, and (4) upload_multi.php, different vectors than CVE-2006-5124.

7.5
2006-10-10 CVE-2006-5180 Baumedia Remote Security vulnerability in Newswriter 1.40/1.41

PHP remote file inclusion vulnerability in include/main.inc.php in Sebastian Baumann and Philipp Wolfer Newswriter SW 1.42 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the NWCONF_SYSTEM[server_path] parameter, a different vector than CVE-2006-5102.

7.5
2006-10-10 CVE-2006-5170 Redhat, Fedoraproject, Debian Improper Handling of Exceptional Conditions vulnerability in multiple products

pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.

7.5
2006-10-10 CVE-2006-5143 Broadcom, CA Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 and earlier, r11.1, and 9.01; BrightStor ARCserve Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; and Business Protection Suite r2 allow remote attackers to execute arbitrary code via crafted data on TCP port 6071 to the Backup Agent RPC Server (DBASVR.exe) using the RPC routines with opcode (1) 0x01, (2) 0x02, or (3) 0x18; invalid stub data on TCP port 6503 to the RPC routines with opcode (4) 0x2b or (5) 0x2d in ASCORE.dll in the Message Engine RPC Server (msgeng.exe); (6) a long hostname on TCP port 41523 to ASBRDCST.DLL in the Discovery Service (casdscsvc.exe); or unspecified vectors related to the (7) Job Engine Service.

7.5
2006-10-10 CVE-2006-5142 Broadcom Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Broadcom Brightstor Arcserve Backup 11.5

Stack-based buffer overflow in CA BrightStor ARCserve Backup R11.5 client and server allows remote attackers to execute arbitrary code via long messages to the CheyenneDS Mailslot.

7.5
2006-10-10 CVE-2006-4997 Linux, Canonical, Redhat Use After Free vulnerability in multiple products

The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference).

7.5

47 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-10-13 CVE-2006-5280 Cuttlefish Multimedia LTD Code Injection vulnerability in Cuttlefish Multimedia Ltd. Leicestershire Communityportals

PHP remote file inclusion vulnerability in includes/import-archive.php in Leicestershire communityPortals 1.0 build 20051018 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cp_root_path parameter.

6.8
2006-10-12 CVE-2006-5264 Mysqldumper Cross-Site Scripting vulnerability in Mysqldumper 1.21

Cross-site scripting (XSS) vulnerability in sql.php in MysqlDumper 1.21 b6 allows remote attackers to inject arbitrary web script or HTML via the db parameter.

6.8
2006-10-12 CVE-2006-5247 Eazy Cart Cross-Site Scripting vulnerability in Eazy Cart

Multiple cross-site scripting (XSS) vulnerabilities in Eazy Cart allow remote attackers to inject arbitrary web script or HTML via easycart.php, possibly related to the (1) des and (2) qty parameters in an add action, and via other unspecified vectors.

6.8
2006-10-10 CVE-2006-5227 Torrentflux Cross-Site Scripting vulnerability in Torrentflux 2.1

Cross-site scripting (XSS) vulnerability in admin.php in TorrentFlux 2.1 allows remote attackers to inject arbitrary web script or HTML via (1) the $user_agent variable, probably obtained from the User-Agent HTTP header, and possibly (2) the $ip_resolved variable.

6.8
2006-10-10 CVE-2006-5195 Wheatblog HTML Injection vulnerability in Wheatblog 1.0/1.1

Multiple cross-site scripting (XSS) vulnerabilities in Wheatblog 1.0 and 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

6.8
2006-10-12 CVE-2006-5262 Hastymail Unspecified vulnerability in Hastymail

CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name.

6.5
2006-10-10 CVE-2006-5211 Trend Micro Unspecified vulnerability in Trend Micro Officescan Corporate Edition 6.5/7.0/7.3

Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for SMB 2.0 before 6.0.0.1385, and OfficeScan Corporate Edition (OSCE) 6.5 before 6.5.0.1418, 7.0 before 7.0.0.1257, and 7.3 before 7.3.0.1053 allow remote attackers to remove OfficeScan clients via a certain HTTP request that invokes the OfficeScan CGI program.

6.4
2006-10-10 CVE-2006-5178 PHP Race Condition vulnerability in PHP

Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via ..

6.2
2006-10-10 CVE-2006-5072 Mono Unspecified vulnerability in Mono 1.0/2.0

The System.CodeDom.Compiler classes in Novell Mono create temporary files with insecure permissions, which allows local users to overwrite arbitrary files or execute arbitrary code via a symlink attack.

6.2
2006-10-10 CVE-2006-5179 Intoto Denial-Of-Service vulnerability in Intoto Igateway Ssl-Vpn and Igateway VPN

Intoto iGateway VPN and iGateway SSL-VPN allow context-dependent attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification, a related issue to CVE-2006-2940.

5.4
2006-10-13 CVE-2006-5287 Xeobook SQL Injection vulnerability in Xeobook 0.93

Multiple SQL injection vulnerabilities in sign.php in Xeobook 0.93 allow remote attackers to execute arbitrary SQL commands via (1) the User-Agent HTTP header, or the (2) gb_entry_text, (3) gb_location, (4) gb_fullname, or (5) gb_sex parameters.

5.1
2006-10-13 CVE-2006-5284 PHP News Reader Remote File Include vulnerability in PHP News Reader PHP News Reader 2.6.2

PHP remote file inclusion vulnerability in auth/phpbb.inc.php in Shen Cheng-Da PHP News Reader (aka pnews) 2.6.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CFG[auth_phpbb_path] parameter.

5.1
2006-10-12 CVE-2006-5258 Asbru Software Code Injection vulnerability in Asbru Software products

The spell checking component of (1) Asbru Web Content Management before 6.1.22, (2) Asbru Web Content Editor before 6.0.22, and (3) Asbru Website Manager before 6.0.22 allows remote attackers to execute arbitrary commands via an unspecified parameter that is not sanitized before Aspell is invoked.

5.1
2006-10-12 CVE-2006-5252 Webmedia Explorer Remote File Include vulnerability in Webmedia Explorer Webmedia Explorer 2.8.7

PHP remote file inclusion vulnerability in includes/core.lib.php in Webmedia Explorer 2.8.7 allows remote attackers to execute arbitrary PHP code via a URL in the path_include parameter.

5.1
2006-10-12 CVE-2006-5250 Blueshoes Remote File Include vulnerability in BlueShoes Framework GoogleSearch.PHP

PHP remote file inclusion vulnerability in lib/googlesearch/GoogleSearch.php in BlueShoes 4.6_public and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APP[path][lib] parameter, a different vector than CVE-2006-2864.

5.1
2006-10-12 CVE-2006-5244 Opendock Remote File Include vulnerability in Easy Blog Doc_Directory Parameter

Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Blog 1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the doc_directory parameter in (1) down_stat.php, (2) file.php, (3) find_file.php, (4) lib_read_file.php, and (5) lib_form_file.php in sw/lib_up_file; (6) find_comment.php, (7) comment.php, and (8) lib_comment.php in sw/lib_comment/; (9) sw/lib_find/find.php; and other unspecified vectors.

5.1
2006-10-12 CVE-2006-5241 Opendock Remote File Include vulnerability in Easy Gallery Doc_Directory Parameter

Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Gallery 1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the doc_directory parameter in (1) file.php; (2) find_user.php, (3) lib_user.php, (4) lib_form_user.php, and (5) user.php in sw/lib_user/; (6) find_session.php and (7) session.php in sw/lib_session/; (8) comment.php and (9) lib_comment.php in sw/lib_comment/; and other unspecified PHP scripts.

5.1
2006-10-12 CVE-2006-5240 Docmint Remote File Include vulnerability in Docmint Required.php

PHP remote file inclusion vulnerability in engine/require.php in Docmint 2.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the MY_ENV[BASE_ENGINE_LOC] parameter.

5.1
2006-10-10 CVE-2006-3875 Microsoft Remote Code Execution vulnerability in Microsoft Excel COLINFO

Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted COLINFO record in an XLS file, a different vulnerability than CVE-2006-2387 and CVE-2006-3867.

5.1
2006-10-10 CVE-2006-3868 Microsoft Remote Code Execution vulnerability in Microsoft Office Smart Tag

Unspecified vulnerability in Microsoft Office XP and 2003 allows remote user-assisted attackers to execute arbitrary code via a malformed Smart Tag.

5.1
2006-10-10 CVE-2006-3867 Microsoft Remote Code Execution vulnerability in Microsoft Excel Lotus 1-2-3 File Handling

Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted Lotus 1-2-3 file, a different vulnerability than CVE-2006-2387 and CVE-2006-3875.

5.1
2006-10-10 CVE-2006-2387 Microsoft Remote Code Execution vulnerability in Microsoft Excel DATETIME

Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, Excel Viewer 2003, and Microsoft Works Suite 2004 through 2006 allows user-assisted attackers to execute arbitrary code via a crafted DATETIME record in an XLS file, a different vulnerability than CVE-2006-3867 and CVE-2006-3875.

5.1
2006-10-10 CVE-2006-5220 Objective Development Code Injection vulnerability in Objective Development Webyep 1.1.9

Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the webyep_sIncludePath in (1) files in the programm/lib/ directory including (a) WYApplication.php, (b) WYDocument.php, (c) WYEditor.php, (d) WYElement.php, (e) WYFile.php, (f) WYHTMLTag.php, (g) WYImage.php, (h) WYLanguage.php, (i) WYLink.php, (j) WYPath.php, (k) WYPopupWindowLink.php, (l) WYSelectMenu.php, and (m) WYTextArea.php; (2) files in the programm/elements/ directory including (n) WYGalleryElement.php, (o) WYGuestbookElement.php, (p) WYImageElement.php, (q) WYLogonButtonElement.php, (r) WYLongTextElement.php, (s) WYLoopElement.php, (t) WYMenuElement.php, and (u) WYShortTextElement.php; and (3) programm/webyep.php.

5.1
2006-10-10 CVE-2006-5219 Moodle SQL Injection vulnerability in Moodle 1.6.2

SQL injection vulnerability in blog/index.php in the blog module in Moodle 1.6.2 allows remote attackers to execute arbitrary SQL commands via a double-encoded tag parameter.

5.1
2006-10-10 CVE-2006-5207 Phpmyteam Remote Security vulnerability in PHPmyteam 2.0

PHP remote file inclusion vulnerability in images/smileys/smileys_packs.php in phpMyTeam 2.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the smileys_dir parameter.

5.1
2006-10-10 CVE-2006-5203 Invision Power Services Cross-Site Scripting vulnerability in Invision Power Board

Invision Power Board (IPB) 2.1.7 and earlier allows remote restricted administrators to inject arbitrary web script or HTML, or execute arbitrary SQL commands, via a forum description that contains a crafted image with PHP code, which is executed when the user visits the "Manage Forums" link in the Admin control panel.

5.1
2006-10-10 CVE-2006-5191 Phpbb Code Injection vulnerability in PHPbb

PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

5.1
2006-10-10 CVE-2006-5186 Phpmyprofiler Remote File Include vulnerability in PHPMyProfiler Functions.PHP

PHP remote file inclusion vulnerability in functions.php in phpMyProfiler 0.9.6 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pmp_rel_path parameter.

5.1
2006-10-10 CVE-2006-5169 Powerportal Cross-Site Scripting vulnerability in Powerportal 1.1

Cross-site scripting (XSS) vulnerability in John Himmelman (aka DaRk2k1) PowerPortal 1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to registering a user.

5.1
2006-10-13 CVE-2006-5286 Novell Remote Denial Of Service vulnerability in Novell Bordermanager 3.8

Unspecified vulnerability in IKE.NLM in Novell BorderManager 3.8 allows attackers to cause a denial of service (crash) via unknown attack vectors related to "VPN issues" for certain "IKE and IPsec settings."

5.0
2006-10-12 CVE-2006-5246 Eazy Cart Denial-Of-Service vulnerability in Eazy Cart

Eazy Cart allows remote attackers to change prices and other critical fields via unspecified vectors to easycart.php, probably including the price parameter.

5.0
2006-10-10 CVE-2006-5200 Adobe Directory Traversal vulnerability in Adobe Breeze

Unspecified vulnerability in Adobe Breeze 5 Licensed Server and Breeze 5.1 Licensed Server allows attackers to read arbitrary files via unknown vectors related to "URL parsing."

5.0
2006-10-10 CVE-2006-5212 Trend Micro Unspecified vulnerability in Trend Micro Officescan

Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for SMB 2.0 before 6.0.0.1385, and OfficeScan Corporate Edition (OSCE) 6.5 before 6.5.0.1418, 7.0 before 7.0.0.1257, and 7.3 before 7.3.0.1053 allow remote attackers to delete files via a modified filename parameter in a certain HTTP request that invokes the OfficeScan CGI program.

5.0
2006-10-10 CVE-2006-5205 Invision Power Services Directory Traversal vulnerability in Invision Gallery

Directory traversal vulnerability in Invision Gallery 2.0.7 allows remote attackers to read arbitrary files via a ..

5.0
2006-10-10 CVE-2006-5202 Linksys Authentication Bypass vulnerability in Linksys Wrt54G 1.00.9

Linksys WRT54g firmware 1.00.9 does not require credentials when making configuration changes, which allows remote attackers to modify arbitrary configurations via a direct request to Security.tri, as demonstrated using the SecurityMode and layout parameters, a different issue than CVE-2006-2559.

5.0
2006-10-10 CVE-2006-5197 Pdshoppro Information Disclosure vulnerability in Pdshoppro

PDshopPro stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) /pdshoppro.mdb, (2) /data/pdshoppro.mdb, or (3) /shoppro/data/pdshoppro.mdb.

5.0
2006-10-10 CVE-2006-5188 Webgeneius Directory Traversal vulnerability in Webgeneius Goop Gallery 2.0.2

Directory traversal vulnerability in download.php in webGENEius GOOP Gallery 2.0.2 allows remote attackers to read or list data from certain files or directories via unspecified vectors.

5.0
2006-10-12 CVE-2006-4516 Freebsd Local Denial of Service vulnerability in Freebsd 6.0

Integer signedness error in FreeBSD 6.0-RELEASE allows local users to cause a denial of service (memory corruption and kernel panic) via a PT_LWPINFO ptrace command with a large negative data value that satisfies a signed maximum value check but is used in an unsigned copyout function call.

4.9
2006-10-10 CVE-2006-3978 Adobe Local Privilege Escalation vulnerability in Adobe Coldfusion 7.0/7.0.1/7.0.2

Unspecified vulnerability in a Verity third party library, as used on Adobe ColdFusion MX 7 through MX 7.0.2 and possibly other products, allows local users to execute arbitrary code via unknown attack vectors.

4.6
2006-10-10 CVE-2006-5218 Netbsd, Openbsd Local Integer Overflow vulnerability in OpenBSD Systrace STRIOCREPLACE

Integer overflow in the systrace_preprepl function (STRIOCREPLACE) in systrace in OpenBSD 3.9 and NetBSD 3 allows local users to cause a denial of service (crash), gain privileges, or read arbitrary kernel memory via large numeric arguments to the systrace ioctl.

4.6
2006-10-10 CVE-2006-4927 Symantec Privilege Escalation vulnerability in Symantec AntiVirus IOCTL Kernel

The (a) NAVENG (NAVENG.SYS) and (b) NAVEX15 (NAVEX15.SYS) device drivers 20061.3.0.12 and later, as used in Symantec AntiVirus and security products, allow local users to gain privileges by overwriting critical system addresses using a crafted Irp to the IOCTL functions (1) 0x222AD3, (2) 0x222AD7, and (3) 0x222ADB.

4.6
2006-10-12 CVE-2006-5239 Expblog Cross-Site Scripting vulnerability in Expblog

Multiple cross-site scripting (XSS) vulnerabilities in eXpBlog 0.3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the query string (PHP_SELF) in kalender.php or (2) the captcha_session_code parameter in pre_details.php.

4.3
2006-10-10 CVE-2006-3436 Microsoft Cross-Site Scripting vulnerability in Microsoft .Net Framework 2.0

Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "ASP.NET controls that set the AutoPostBack property to true".

4.3
2006-10-10 CVE-2006-5194 Net2Ftp Cross-Site Scripting vulnerability in Net2Ftp 0.93

Cross-site scripting (XSS) vulnerability in index.php in net2ftp 0.93 allows remote attackers to inject arbitrary web script or HTML via the username parameter.

4.3
2006-10-10 CVE-2006-5190 Oscommerce Cross-Site Scripting vulnerability in osCommerce

Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php.

4.3
2006-10-10 CVE-2006-5168 Simon Brown Cross-Site Scripting vulnerability in Simon Brown Pebble 2.0.0

Cross-site scripting (XSS) vulnerability in the search functionality in Simon Brown Pebble 2.0.0 RC1 and RC2 allows remote attackers to inject arbitrary web script or HTML via the query string.

4.3
2006-10-10 CVE-2006-5201 SUN Remote Security vulnerability in JRE

Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents these products from correctly verifying X.509 and other certificates that use PKCS #1.

4.0

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2006-10-12 CVE-2006-4842 Netscape, SUN Improper Input Validation vulnerability in multiple products

The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

3.6
2006-10-10 CVE-2006-5213 SUN Local Insecure Permissions vulnerability in SUN Solaris 10.0

Sun Solaris 10 before 20061006 uses "incorrect and insufficient permission checks" that allow local users to intercept or spoof packets by creating a raw socket on a link aggregation (network device aggregation).

3.6
2006-10-10 CVE-2006-5229 Openbsd, Novell Information Exposure vulnerability in Openbsd Openssh 4.1

OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime.

2.6
2006-10-10 CVE-2006-4685 Microsoft Information Disclosure vulnerability in Microsoft XML Core Services and XML Parser

The XMLHTTP ActiveX control in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 does not properly handle HTTP server-side redirects, which allows remote user-assisted attackers to access content from other domains.

2.6
2006-10-10 CVE-2006-5215 X ORG, Netbsd, SUN Local Security vulnerability in NetBSD

The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.

2.6
2006-10-10 CVE-2006-5199 Adobe Local Information Disclosure vulnerability in Adobe Contribute Publishing Server

Adobe Contribute Publishing Server leaks the administrator password in logs that are created during product installation, which allows local users to gain privileges to the server.

2.1
2006-10-10 CVE-2006-5204 Invision Power Services Cross-Site Scripting vulnerability in Invision Power Board

Cross-site scripting (XSS) vulnerability in action_admin/member.php in Invision Power Board (IPB) 2.1.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a reference to a script in the avatar setting, which can be leveraged for a cross-site request forgery (CSRF) attack involving forced SQL execution by an admin.

2.1
2006-10-10 CVE-2006-5214 Netbsd, SUN

Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users.

1.2