Weekly Vulnerabilities Reports > April 2 to 8, 2007

Overview

104 new vulnerabilities were reported during this period, including 20 critical vulnerabilities and 47 high severity vulnerabilities. This weekly summary reports vulnerabilities in 109 products from 67 vendors including PHP, Microsoft, Xoops, WEB APP NET, and Kaspersky LAB. Vulnerabilities are notably categorized as "Numeric Errors", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Resource Management Errors", and "Code Injection".

  • 92 reported vulnerabilities are remotely exploitable.
  • 24 reported vulnerabilities have a public exploit available.
  • 90 reported vulnerabilities are exploitable by an anonymous user.
  • PHP has the most reported vulnerabilities, with 12 reported vulnerabilities.
  • Kaspersky LAB has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Summary table (column headings only; the counts did not survive extraction): Total vulnerabilities | Critical risk vulnerabilities | High risk vulnerabilities | Medium risk vulnerabilities | Low risk vulnerabilities | Remotely exploitable | Locally exploitable | Exploit available | Exploitable anonymously | Affecting web application

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


20 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-04-06 CVE-2007-1112 Kaspersky LAB Unspecified vulnerability in Kaspersky LAB Kaspersky Anti-Virus and Kaspersky Internet Security

Kaspersky Anti-Virus 6.0 and Internet Security 6.0 exposes unsafe methods in the (a) AXKLPROD60Lib.KAV60Info (AxKLProd60.dll) and (b) AXKLSYSINFOLib.SysInfo (AxKLSysInfo.dll) ActiveX controls, which allows remote attackers to "download" or delete arbitrary files via crafted arguments to the (1) DeleteFile, (2) StartBatchUploading, (3) StartStrBatchUploading, or (4) StartUploading methods.

10.0
2007-04-06 CVE-2007-0445 Kaspersky LAB Remote Heap Overflow vulnerability in Kaspersky Antivirus Engine ARJ Archive

Heap-based buffer overflow in the arj.ppl module in the OnDemand Scanner in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to execute arbitrary code via crafted ARJ archives.

10.0
2007-04-04 CVE-2007-1868 IBM Stack Buffer Overflow vulnerability in IBM Tivoli Provisioning Manager OS Deployment 5.1.0.116

The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp.

10.0
2007-04-04 CVE-2007-1867 Irfanview Remote Buffer Overflow vulnerability in Irfanview 3.99

Buffer overflow in IrfanView 3.99 allows remote attackers to execute arbitrary code via a crafted animated cursor (ANI) file.

10.0
2007-04-04 CVE-2007-1866 Dproxy Remote Security vulnerability in Dproxy Nexgen

Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465.

10.0
2007-04-02 CVE-2007-1823 T Mobile Remote Security vulnerability in Voice Mail Systems

T-Mobile voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).

10.0
2007-04-02 CVE-2007-1822 Alcatel Lucent Remote Security vulnerability in Voice Mail System

Alcatel-Lucent Lucent Technologies voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).

10.0
2007-04-02 CVE-2007-1821 Sprint Remote Security vulnerability in Sprint Voice

Sprint Nextel Sprint voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).

10.0
2007-04-02 CVE-2007-1796 Jccorp Remote Security vulnerability in URLshrink

Multiple unspecified vulnerabilities in JCcorp URLshrink before 1.3.2 have unspecified attack vectors and impact.

10.0
2007-04-02 CVE-2007-1795 Jccorp Remote Code Execution vulnerability in Jccorp Urlshrink 1.3.1

JCcorp URLshrink 1.3.1 allows remote attackers to execute arbitrary PHP code via the email address field in an HTML link.

10.0
2007-04-02 CVE-2007-1794 SUN / Mozilla Remote Security vulnerability in Browser

The Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, and 10 might allow remote attackers to execute arbitrary code via vectors involving garbage collection that causes deletion of a temporary object that is still being used.

10.0
2007-04-06 CVE-2007-1684 Solidworks Unspecified vulnerability in Solidworks Sldimdownload Activex Control 16.0.0.5

The Run function in SolidWorks sldimdownload ActiveX control in sldimdownload.dll before 16.0.0.6 allows remote attackers to execute arbitrary commands via the (1) installerpath and (2) applicationarguments arguments.

9.3
2007-04-06 CVE-2007-1680 Yahoo Remote Buffer Overflow vulnerability in Yahoo! Messenger Audio Conferencing ActiveX Control

Stack-based buffer overflow in the createAndJoinConference function in the AudioConf ActiveX control (yacscom.dll) in Yahoo! Messenger before 20070313 allows remote attackers to execute arbitrary code via long (1) socksHostname and (2) hostname properties.

9.3
2007-04-06 CVE-2007-1879 Kaspersky LAB Unspecified vulnerability in Kaspersky LAB Kaspersky Anti-Virus and Kaspersky Internet Security

The StartUploading function in KL.SysInfo ActiveX control (AxKLSysInfo.dll) in Kaspersky Anti-Virus 6.0 and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to read arbitrary files by triggering an outbound anonymous FTP session that invokes the PUT command.

9.3
2007-04-02 CVE-2007-1820 Nortel Remote Security vulnerability in Meridian Mail

Nortel Networks CallPilot and Meridian Mail voicemail systems, when a mailbox has auto logon enabled, allow remote attackers to retrieve or remove messages, or reconfigure the mailbox, by spoofing Calling Number Identification (CNID, aka Caller ID).

9.3
2007-04-02 CVE-2007-1819 HP Buffer Errors vulnerability in HP Mercury Quality Center 8.2/9.0

Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via a long ProgColor property.

9.3
2007-04-02 CVE-2006-5820 AOL Remote Code Execution vulnerability in AOL 9.0

The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.

9.3
2007-04-06 CVE-2007-1003 X ORG Local Integer Overflow vulnerability in X.Org X11 7.11.1.0

Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.

9.0
2007-04-06 CVE-2007-0957 MIT Stack Buffer Overflow vulnerability in MIT Kerberos 5 KAdminD Server

Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.

9.0
2007-04-03 CVE-2007-1836 Data Domain Local Privilege Escalation vulnerability in Data Domain Administration Interface

The command line administration interface in Data Domain OS before 4.0.3.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in certain arguments to various commands, as demonstrated by the interface argument to the (1) ifconfig and (2) ping commands.

9.0

47 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-04-06 CVE-2007-1351 Ubuntu / X ORG / Xfree86 Project / Rpath / Redhat / Openbsd / Mandrakesoft Numeric Errors vulnerability in multiple products

Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.

8.5
2007-04-06 CVE-2007-1216 MIT Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in MIT Kerberos

Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with "an invalid direction encoding".

8.5
2007-04-06 CVE-2007-1883 PHP Denial-Of-Service vulnerability in PHP

PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to read arbitrary memory locations via an interruption that triggers a user space error handler that changes a parameter to an arbitrary pointer, as demonstrated via the iptcembed function, which calls certain convert_to_* functions with its input parameters.

7.8
2007-04-03 CVE-2007-1834 Cisco Remote Denial Of Service vulnerability in Cisco Unified Callmanager and Unified Presence Server

Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allow remote attackers to cause a denial of service (loss of voice services) via a flood of ICMP echo requests, aka bug ID CSCsf12698.

7.8
2007-04-02 CVE-2007-1826 Cisco Remote Denial Of Service vulnerability in Cisco Unified Callmanager and Unified Presence Server

Unspecified vulnerability in the IPSec Manager Service for Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allows remote attackers to cause a denial of service (loss of cluster services) via a "specific UDP packet" to UDP port 8500, aka bug ID CSCsg60949.

7.8
2007-04-02 CVE-2007-1804 Pulseaudio Remote Denial of Service vulnerability in Pulseaudio 0.9.5

PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file.

7.8
2007-04-06 CVE-2007-0956 Debian / Rpath / MIT Authentication Bypass vulnerability in MIT Kerberos 5 Telnet Daemon

The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.

7.6
2007-04-06 CVE-2007-1890 PHP Integer Overflow vulnerability in PHP Msg_Receive() Memory Allocation

Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff.

7.5
2007-04-06 CVE-2007-1889 PHP Buffer Overflow vulnerability in PHP 5.2.0

Integer signedness error in the _zend_mm_alloc_int function in the Zend Memory Manager in PHP 5.2.0 allows remote attackers to execute arbitrary code via a large emalloc request, related to an incorrect signed long cast, as demonstrated via the HTTP SOAP client in PHP, and via a call to msg_receive with the largest positive integer value of maxsize.

7.5
2007-04-06 CVE-2007-1888 PHP Unspecified vulnerability in PHP

Buffer overflow in the sqlite_decode_binary function in src/encode.c in SQLite 2, as used by PHP 4.x through 5.x and other applications, allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter.

7.5
2007-04-06 CVE-2007-1887 PHP Buffer Overflow vulnerability in PHP sqlite_udf_decode_binary() Function

Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character.

7.5
2007-04-06 CVE-2007-1885 PHP Integer Overflow vulnerability in PHP Str_Replace()

Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter.

7.5
2007-04-03 CVE-2007-1855 Webasyst LLC Remote Security vulnerability in Shop-Script

Multiple PHP remote file inclusion vulnerabilities in smarty/smarty_class.php in Shop-Script FREE allow remote attackers to execute arbitrary PHP code via a URL in the (1) _smarty_compile_path, (2) smarty_compile_path, (3) get_plugin_filepath, (4) smarty_dir, and (5) filename parameters.

7.5
2007-04-03 CVE-2007-1851 Really Simple PHP AND Ajax File-Upload vulnerability in Really Simple PHP and Ajax Really Simple PHP and Ajax 20070323

Multiple directory traversal vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 allow remote attackers to include and execute arbitrary local files via a ..

7.5
2007-04-03 CVE-2007-1849 Drake Team Local File Include vulnerability in Drake Team Drake CMS 0.3.7/0.3.7Beta

Directory traversal vulnerability in 404.php in Drake CMS allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-04-03 CVE-2007-1847 Xoops SQL Injection vulnerability in XOOPS Module Repository ViewCat.PHP

SQL injection vulnerability in viewcat.php in the Repository module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

7.5
2007-04-03 CVE-2007-1846 Xoops SQL Injection vulnerability in Malaika System MyAds Xoops Module

SQL injection vulnerability in index.php in the MyAds 2.04jp and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, different vectors than CVE-2006-3341.

7.5
2007-04-03 CVE-2007-1845 PHP Fusion SQL Injection vulnerability in PHP Fusion Expanded Calendar Module 2.0

SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter.

7.5
2007-04-03 CVE-2007-1844 Avatic Remote Security vulnerability in Avatic Aardvark Topsites PHP 5

Multiple PHP remote file inclusion vulnerabilities in Aardvark Topsites PHP 5 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) button/settings_sql.php, (2) settings_sql.php, and (3) sources/misc/new_day.php.

7.5
2007-04-03 CVE-2007-1842 Jsboard Local File Include vulnerability in JSBoard

Directory traversal vulnerability in login.php in JSBoard before 2.0.12 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-04-03 CVE-2007-1839 Codebb Remote File Include vulnerability in CodeBB PHPBB_Root_Path

Multiple PHP remote file inclusion vulnerabilities in CodeBB 1.1b3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) pass_code.php or (2) lang_select.

7.5
2007-04-03 CVE-2007-1838 Xoops SQL Injection vulnerability in Xoops Friendfinder Module View.PHP

SQL injection vulnerability in view.php in the Friendfinder 3.3 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2007-04-03 CVE-2007-1837 Mangobery CMS Remote File Include vulnerability in Mangobery CMS Mangobery CMS 0.5.5

Multiple PHP remote file inclusion vulnerabilities in MangoBery CMS 0.5.5 allow remote attackers to execute arbitrary PHP code via a URL in the Site_Path parameter to (1) boxes/quotes.php or (2) templates/mangobery/footer.sample.php.

7.5
2007-04-03 CVE-2007-1829 WEB APP NET Remote Security vulnerability in Web-App.Net Webapp 0.9.9.6

Multiple unspecified vulnerabilities in web-app.net WebAPP have unknown impact and attack vectors, described as "[having] other [security] issues too, not as bad as letting users take over your admin account, but bad too."

7.5
2007-04-02 CVE-2007-1825 PHP Buffer Overflow vulnerability in PHP Imap_Mail_Compose() Function

Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field.

7.5
2007-04-02 CVE-2007-1818 Forum Picture AND Meta Tags Remote File Include vulnerability in Forum Picture and Meta Tags Forum Picture and Meta Tags 1.7

PHP remote file inclusion vulnerability in MOD_forum_fields_parse.php in the Forum picture and META tags 1.7 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

7.5
2007-04-02 CVE-2007-1817 Lykoszine SQL Injection vulnerability in Lykoszine Lykos Reviews Module 1.00

SQL injection vulnerability in index.php in the Lykos Reviews (lykos_reviews) 1.00 module for Xoops allows remote attackers to execute arbitrary SQL commands via the uid parameter in a u action.

7.5
2007-04-02 CVE-2007-1816 Xoops SQL-Injection vulnerability in Tutoriais Module

SQL injection vulnerability in viewcat.php in the Tutoriais module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

7.5
2007-04-02 CVE-2007-1815 Xoops SQL-Injection vulnerability in Library Module

SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

7.5
2007-04-02 CVE-2007-1814 Xoops SQL-Injection vulnerability in Core Module

SQL injection vulnerability in viewcat.php in the Core module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-0377.

7.5
2007-04-02 CVE-2007-1813 Inconnueteam SQL-Injection vulnerability in Inconnueteam Ecal 2.24

SQL injection vulnerability in display.php in the eCal 2.24 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the katid parameter.

7.5
2007-04-02 CVE-2007-1812 BT Sondage Remote File Include vulnerability in Bt-Sondage 1.12

PHP remote file inclusion vulnerability in utilitaires/gestion_sondage.php in BT-Sondage 112 allows remote attackers to execute arbitrary PHP code via a URL in the repertoire_visiteur parameter.

7.5
2007-04-02 CVE-2007-1811 Chapi SQL-Injection vulnerability in Tiny Event

SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.

7.5
2007-04-02 CVE-2007-1810 Kaotik SQL Injection vulnerability in XOOPS KShop Module Product_Details.PHP

SQL injection vulnerability in product_details.php in the Kshop 1.17 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2007-04-02 CVE-2007-1809 Grafx Software Remote File Include vulnerability in Grafx Software Company Website Builder 1.5

Multiple PHP remote file inclusion vulnerabilities in GraFX Company WebSite Builder (CWB) PRO 1.5 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter to (1) cls_headline_prod.php, (2) cls_listorders.php, or (3) cls_viewpastorders.php in include/, different vectors than CVE-2007-1513.

7.5
2007-04-02 CVE-2007-1808 Camportail SQL Injection vulnerability in XOOPS Module Camportail Show.PHP

SQL injection vulnerability in show.php in the Camportail 1.1 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the camid parameter in a showcam action.

7.5
2007-04-02 CVE-2007-1807 Peak Xoops Modules ViewCat.PHP SQL Injection vulnerability in XOOPS

SQL injection vulnerability in modules/myalbum/viewcat.php in the myAlbum-P 2.0 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

7.5
2007-04-02 CVE-2007-1806 RED Mexico SQL Injection vulnerability in RED Mexico Rm+Soft Gallery 1.0

SQL injection vulnerability in categos.php in the RM+Soft Gallery (rmgallery) 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the idcat parameter.

7.5
2007-04-02 CVE-2007-1805 Myxoops SQL Injection vulnerability in XOOPS Debaser Module Genre.PHP

SQL injection vulnerability in genre.php in the debaser 0.92 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the genreid parameter.

7.5
2007-04-02 CVE-2007-1801 Sblog Local File Include vulnerability in Sblog 0.7.3Beta

Directory traversal vulnerability in inc/lang.php in sBLOG 0.7.3 Beta allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-04-02 CVE-2007-1800 Cisco Remote Security vulnerability in Cisco Secure ACS

Cisco Secure ACS does not require authentication when Cisco Trust Agent (CTA) transmits posture information, which might allow remote attackers to gain network access via a spoofed Network Endpoint Assessment posture, aka "NACATTACK." NOTE: this attack might be limited to authenticated users and devices.

7.5
2007-04-04 CVE-2007-1215 Microsoft Local Privilege Escalation vulnerability in Microsoft Windows Graphics Rendering Engine GDI

Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images.

7.2
2007-04-04 CVE-2007-1213 Microsoft Local Privilege Escalation vulnerability in Microsoft Windows Graphics Device Interface Font Rasterizer

The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows local users to gain privileges via crafted TrueType fonts, which result in an uninitialized function pointer.

7.2
2007-04-04 CVE-2006-5586 Microsoft Local Privilege Escalation vulnerability in Microsoft Windows 2000 and Windows XP

The Graphics Rendering Engine in Microsoft Windows 2000 SP4 and XP SP2 allows local users to gain privileges via "invalid application window sizes" in layered application windows, aka the "GDI Invalid Window Size Elevation of Privilege Vulnerability."

7.2
2007-04-03 CVE-2006-7191 Ldap Account Manager Local Privilege Escalation vulnerability in LDAP Account Manager Modified Path

Untrusted search path vulnerability in lamdaemon.pl in LDAP Account Manager (LAM) before 1.0.0 allows local users to gain privileges via a modified PATH that points to a malicious rm program.

7.2
2007-04-02 CVE-2007-1798 IBM Denial-Of-Service vulnerability in AIX 5.2/5.3

Buffer overflow in the drmgr command in IBM AIX 5.2 and 5.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long path name.

7.2
2007-04-04 CVE-2007-1211 Microsoft Resource Management Errors vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560.

7.1

35 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-04-06 CVE-2007-1886 PHP Unspecified vulnerability in PHP 4.4.5/5.2.1

Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow."

6.8
2007-04-06 CVE-2007-1884 PHP / Apple / Linux / Microsoft Format String vulnerability in PHP Printf() Function 64bit Casting

Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.

6.8
2007-04-06 CVE-2007-1881 Kaspersky LAB Local Security vulnerability in Kaspersky Internet Security

Unspecified vulnerability in KLIF (klif.sys) in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows local users to gain Ring-0 privileges via unspecified vectors.

6.8
2007-04-06 CVE-2007-1878 Parakey INC Unspecified vulnerability in Parakey Inc. Firebug 1.01/1.02

Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.03 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome, as demonstrated via the runFile function, related to lack of HTML escaping in the property name.

6.8
2007-04-06 CVE-2007-1001 PHP Numeric Errors vulnerability in PHP

Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.

6.8
2007-04-03 CVE-2007-1852 Ben3W Unspecified vulnerability in Ben3W 2Bgal 3.1.1

** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in 2BGal 3.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the lang_filename parameter to (1) index.php or (2) backupdb.inc.php in admin/, or other unspecified files, different vectors than CVE-2006-5505.

6.8
2007-04-03 CVE-2007-1843 Maptools Code Injection vulnerability in Maptools Maplab 2.2.1

PHP remote file inclusion vulnerability in gmapfactory/params.php in MapLab 2.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the gszAppPath parameter.

6.8
2007-04-02 CVE-2007-1802 Maildwarf Input Validation vulnerability in MailDwarf

Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

6.8
2007-04-02 CVE-2007-1797 Imagemagick Numeric Errors vulnerability in Imagemagick

Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.

6.8
2007-04-06 CVE-2007-1880 Kaspersky LAB Local Heap Overflow vulnerability in Kaspersky Internet Security Suite Klif.SYS Driver

Integer overflow in the _NtSetValueKey function in klif.sys in Kaspersky Anti-Virus, Anti-Virus for Workstations, Anti-Virus for File Server 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows context-dependent attackers to execute arbitrary code via a large, unsigned "data size argument," which results in a heap overflow.

6.6
2007-04-06 CVE-2007-1271 Vmware Buffer Overflow vulnerability in VMWare ESX 3.0.0/3.0.1

Buffer overflow in VMware ESX Server 3.0.0 and 3.0.1 might allow attackers to gain privileges or cause a denial of service (application crash) via unspecified vectors.

6.6
2007-04-04 CVE-2007-1212 Microsoft Privilege Escalation vulnerability in Microsoft Windows Graphics Rendering Engine EMF File

Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via a crafted Enhanced Metafile (EMF) image format file.

6.6
2007-04-06 CVE-2007-1882 HP SQL-Injection vulnerability in HP Mercury Quality Center 9.0

qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment in HP Mercury Quality Center 9.0 build 9.1.0.4352 allows remote authenticated users to execute arbitrary SQL commands via the RunQuery method.

6.5
2007-04-02 CVE-2007-1799 Joris Guisson Remote Directory Traversal Variant vulnerability in Ktorrent 2.1.1/2.1.2

Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.3 only checks for the ".." string, which allows remote attackers to overwrite arbitrary files via modified ".." sequences in a torrent filename, as demonstrated by "../" sequences, due to an incomplete fix for CVE-2007-1384.

6.4
2007-04-03 CVE-2007-1831 WEB APP ORG Remote Security vulnerability in WebAPP

web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to open files and write "wrong data" via a crafted QUERY_STRING.

6.0
2007-04-03 CVE-2007-1827 WEB APP ORG Remote Security vulnerability in WebAPP

Multiple unspecified vulnerabilities in form input validation in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to corrupt data files, gain access to private files, and execute arbitrary code via "certain characters."

6.0
2007-04-02 CVE-2007-1824 PHP Buffer Overflow vulnerability in PHP 5 PHP_Stream_Filter_Create() Function

Buffer overflow in the php_stream_filter_create function in PHP 5 before 5.2.1 allows remote attackers to cause a denial of service (application crash) via a php://filter/ URL that has a name ending in the '.' character.

5.1
2007-04-06 CVE-2007-1270 Vmware Numeric Errors vulnerability in VMWare ESX and ESX Server

Double free vulnerability in VMware ESX Server 3.0.0 and 3.0.1 allows attackers to cause a denial of service (crash), obtain sensitive information, or possibly execute arbitrary code via unspecified vectors.

5.0
2007-04-03 CVE-2007-1854 Hitachi Remote Unauthorized Access vulnerability in Hitachi uCosminexus Application Server Session Information

Unspecified vulnerability in Hitachi Cosminexus Component Container 07-00 through 07-00-10, and 07-10 through 07-10-03, as used in uCosminexus Application Server Enterprise and Standard; uCosminexus Service Platform; uCosminexus Developer Standard and Professional; uCosminexus Service Architect; Electronic Form Workflow Standard Set, Professional Library Set, and Developer Client Set; and uCosminexus ERP Integrator, does not properly manage session information, which has an unspecified impact related to "unintended other requests."

5.0
2007-04-03 CVE-2007-1853 Hitachi Local Information Disclosure vulnerability in Multiple Hitachi JP1/HiCommand Products

Unspecified vulnerability in Hitachi JP1/HiCommand DeviceManager, Global Link Availability Manager, Replication Monitor, Tiered Storage Manager, and Tuning Manager allows local users to obtain authentication information via unspecified vectors.

5.0
2007-04-03 CVE-2007-1850 Drake Team Directory Traversal vulnerability in Drake Cms

Directory traversal vulnerability in classes/captcha/captcha.jpg.php in Drake CMS allows remote attackers to read arbitrary files or list arbitrary directories, and obtain the installation path, via a ..

5.0
2007-04-03 CVE-2007-1833 Cisco Remote Denial Of Service vulnerability in Cisco Unified CallManager And Unified Server

The Skinny Call Control Protocol (SCCP) implementation in Cisco Unified CallManager (CUCM) 3.3 before 3.3(5)SR2a, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3)SR1, and 5.0 before 5.0(4a)SU1 allows remote attackers to cause a denial of service (loss of voice services) by sending crafted packets to the (1) SCCP (2000/tcp) or (2) SCCPS (2443/tcp) port.

5.0
2007-04-03 CVE-2007-1832 WEB APP ORG Remote Security vulnerability in WebAPP

web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to upload certain files (1) via a crafted filename or (2) by "using percent encoding in forms."

5.0
2007-04-03 CVE-2006-7188 WEB APP NET Unspecified vulnerability in Web-App.Net Webapp 0.9.9.6

The search function in cgi-lib/user-lib/search.pl in web-app.net WebAPP before 20060909 allows remote attackers to read internal forum posts via certain requests, possibly related to the $info{'forum'} variable.

5.0
2007-04-03 CVE-2006-7186 WEB APP NET Unspecified vulnerability in Web-App.Net Webapp

cgi-lib/subs.pl in web-app.net WebAPP before 0.9.9.3.5 allows attackers to open list files in "profile and other functions," a different vulnerability than CVE-2005-0927.

5.0
2007-04-02 CVE-2007-1803 Maildwarf Improper Input Validation vulnerability in Maildwarf

Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote attackers to send e-mail to addresses different from the configured addresses.

5.0
2007-04-02 CVE-2007-1793 Symantec Improper Input Validation vulnerability in Symantec products

SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9.1.1.7 does not validate certain arguments before they are passed to hooked SSDT function handlers, which allows local users to cause a denial of service (crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateMutant and (2) NtOpenEvent functions.

4.9
2007-04-03 CVE-2007-1835 PHP Unspecified vulnerability in PHP

PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

4.6
2007-04-03 CVE-2007-1848 Drake Team Cross-Site Scripting vulnerability in Drake Team Drake CMS 0.3.7/0.3.7Beta

Cross-site scripting (XSS) vulnerability in admin/classes/ui.dta.php in Drake CMS allows remote attackers to inject arbitrary web script or HTML via the desc[][title] field.

4.3
2007-04-03 CVE-2007-0242 QT Unspecified vulnerability in QT 3.3.8/4.2.3

The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject overlong UTF-8 sequences (a code point encoded with more bytes than the shortest form, which RFC 3629 forbids), which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via overlong sequences that decode to dangerous metacharacters such as '.', '/', '<' and '>'.

4.3
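The Qt entry above matters because input filters usually run on the raw bytes while the consumer acts on the decoded text. A two-byte sequence such as C0 AF contains neither a '.' nor a '/' byte, yet a decoder that accepts overlong forms turns C0 AE C0 AE C0 AF into "../". The following is an added example written for this report, not Qt's code: a small UTF-8 decoder in lenient and strict modes, plus a model of a byte-level filter that runs before decoding. The inputs are constructed.

```python
"""
Overlong UTF-8 versus a byte-level metacharacter filter.

Added example (not Qt's code). `_decode` reproduces the permissive behaviour
the advisory describes when strict=False, and RFC 3629 shortest-form
checking when strict=True.
"""
from typing import Callable, Optional


def _decode(data: bytes, strict: bool) -> str:
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp, minimum = 1, b & 0x1F, 0x80       # 2-byte form encodes >= U+0080
        elif 0xE0 <= b <= 0xEF:
            need, cp, minimum = 2, b & 0x0F, 0x800      # 3-byte form encodes >= U+0800
        elif 0xF0 <= b <= 0xF7:
            need, cp, minimum = 3, b & 0x07, 0x10000    # 4-byte form encodes >= U+10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{c:02x} at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        if cp > 0x10FFFF:
            raise ValueError(f"code point out of range at offset {i}")
        if strict:
            # The overlong check is the one the vulnerable decoder lacked.
            if cp < minimum:
                raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
            if 0xD800 <= cp <= 0xDFFF:
                raise ValueError(f"UTF-16 surrogate U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def decode_utf8_lenient(data: bytes) -> str:
    """Structure-only decoding: accepts overlong forms (vulnerable behaviour)."""
    return _decode(data, strict=False)


def decode_utf8_strict(data: bytes) -> str:
    """RFC 3629 decoding: rejects overlong forms and surrogates."""
    return _decode(data, strict=True)


def is_strictly_valid(data: bytes) -> bool:
    try:
        decode_utf8_strict(data)
        return True
    except ValueError:
        return False


def screen_then_decode(raw: bytes, decoder: Callable[[bytes], str]) -> Optional[str]:
    """Model of a filter applied to the bytes before decoding.

    Rejects raw input containing '.', '/', '<' or '>' as bytes, then decodes.
    Returns the decoded text, or None if the filter or the decoder rejected it.
    """
    if any(m in raw for m in (b".", b"/", b"<", b">")):
        return None
    try:
        return decoder(raw)
    except ValueError:
        return None


# Constructed payloads: no metacharacter bytes, but overlong forms of them.
OVERLONG_DOTDOTSLASH = b"\xc0\xae\xc0\xae\xc0\xaf"            # "../" via 2-byte forms
OVERLONG_SLASH_3BYTE = b"\xe0\x80\xaf"                        # "/" via a 3-byte form
OVERLONG_SCRIPT_TAG = b"\xc0\xbcscript\xc0\xbe"               # "<script>"

if __name__ == "__main__":
    for payload in (OVERLONG_DOTDOTSLASH, OVERLONG_SLASH_3BYTE, OVERLONG_SCRIPT_TAG):
        print(payload.hex(), "->",
              repr(screen_then_decode(payload, decode_utf8_lenient)), "(lenient)",
              repr(screen_then_decode(payload, decode_utf8_strict)), "(strict)")
```

The practical rule the example illustrates is twofold: decode strictly, as the Qt fix does, and validate after decoding (or after full canonicalisation), never only on the byte form the decoder has not yet seen.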
2007-04-03 CVE-2007-1840 Ldap Account Manager HTML Injection vulnerability in LDAP Account Manager

lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS).

4.3
2007-04-03 CVE-2007-1830 WEB APP ORG Cross-Site Scripting vulnerability in Web-App.Org Webapp 0.9.9.6

Unspecified vulnerability in the Username Hijacking Patch 20070312 for web-app.org WebAPP 0.9.9.6 allows remote attackers to obtain administrative access via unknown vectors, related to "something overlooked in the original that was still overlooked in the patch", and possibly related to copying files to the user-lib and the "XSS and cookies exploit."

4.3
2007-04-03 CVE-2006-7190 WEB APP NET Unspecified vulnerability in Web-App.Net Webapp 0.9.9.6

Cross-site scripting (XSS) vulnerability in cgi-bin/user-lib/topics.pl in web-app.net WebAPP before 20060515 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the viewnews function, related to use of doubbctopic instead of doubbc.

4.3
2007-04-03 CVE-2006-7189 WEB APP NET Unspecified vulnerability in Web-App.Net Webapp 0.9.9.6

Cross-site scripting (XSS) vulnerability in cgi-bin/admin/logs.cgi in web-app.net WebAPP before 20060403 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the Statistics Log Viewer.

4.3
2007-04-03 CVE-2006-7187 WEB APP NET Unspecified vulnerability in Web-App.Net Webapp

Cross-site scripting (XSS) vulnerability in the show_recent_searches function in cgi-lib/user-lib/search.pl in web-app.net WebAPP before 20060909 allows remote attackers to inject arbitrary web script or HTML via the srch variable.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-04-06 CVE-2007-1352 Mandrakesoft, X ORG, Redhat, Slackware, Turbolinux, Ubuntu, Rpath, Openbsd Local Integer Overflow vulnerability in X.Org LibXFont

Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.

3.8
2007-04-03 CVE-2007-1828 WEB APP ORG Cross-Site Scripting vulnerability in WebAPP

Multiple cross-site scripting (XSS) vulnerabilities in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the QUERY_STRING corresponding to drop downs or (2) various forms.

3.5