Weekly Vulnerabilities Reports > August 20 to 26, 2007

Overview

97 new vulnerabilities were reported during this period, including 5 critical vulnerabilities and 28 high severity vulnerabilities. This weekly summary reports vulnerabilities in 95 products from 69 vendors, including Toribash, Joomla, Wordpress, Trend Micro, and PHP. Vulnerabilities are notably categorized as "Improper Input Validation", "Code Injection", "SQL Injection", "Permissions, Privileges, and Access Controls", and "Numeric Errors".

  • 85 reported vulnerabilities are remotely exploitable.
  • 15 reported vulnerabilities have a public exploit available.
  • 4 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 91 reported vulnerabilities are exploitable by an anonymous user.
  • Toribash has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Trend Micro has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

5 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-23 CVE-2007-4493 EZ Unspecified vulnerability in eZ Publish No Policy Function

eZ publish before 3.8.9, and 3.9 before 3.9.3, does not properly check permissions on module views that lack a policy function, which has unknown impact and attack vectors, as demonstrated by a vulnerability in the discount functionality in the shop module.

10.0
2007-08-22 CVE-2007-4490 Trend Micro Denial-Of-Service vulnerability in Trend Micro Serverprotect 5.58

Multiple buffer overflows in EarthAgent.exe in Trend Micro ServerProtect 5.58 for Windows before Security Patch 4 allow remote attackers to have an unknown impact via certain RPC function calls to (1) RPCFN_EVENTBACK_DoHotFix or (2) CMD_CHANGE_AGENT_REGISTER_INFO.

10.0
2007-08-22 CVE-2007-4219 Trend Micro Numeric Errors vulnerability in Trend Micro Serverprotect 5.58

Integer overflow in the RPCFN_SYNC_TASK function in StRpcSrv.dll, as used by the ServerProtect service (SpntSvc.exe), in Trend Micro ServerProtect for Windows before 5.58 Security Patch 4 allows remote attackers to execute arbitrary code via a certain integer field in a request packet to TCP port 5168, which triggers a heap-based buffer overflow.

10.0
2007-08-22 CVE-2007-4218 Trend Micro Improper Input Validation vulnerability in Trend Micro Serverprotect 5.58

Multiple buffer overflows in the ServerProtect service (SpntSvc.exe) in Trend Micro ServerProtect for Windows before 5.58 Security Patch 4 allow remote attackers to execute arbitrary code via certain RPC requests to certain TCP ports that are processed by the (1) RPCFN_ENG_NewManualScan, (2) RPCFN_ENG_TimedNewManualScan, and (3) RPCFN_SetComputerName functions in (a) StRpcSrv.dll; the (4) RPCFN_CMON_SetSvcImpersonateUser and (5) RPCFN_OldCMON_SetSvcImpersonateUser functions in (b) Stcommon.dll; the (6) RPCFN_ENG_TakeActionOnAFile and (7) RPCFN_ENG_AddTaskExportLogItem functions in (c) Eng50.dll; the (8) NTF_SetPagerNotifyConfig function in (d) Notification.dll; or the (9) RPCFN_CopyAUSrc function in the (e) ServerProtect Agent service.

10.0
2007-08-21 CVE-2007-3618 EMC Remote Exec Service Stack Buffer Overflow vulnerability in EMC Legato Networker

Stack-based buffer overflow in the NetWorker Remote Exec Service (nsrexecd.exe) in EMC Software NetWorker 7.x.x allows remote attackers to execute arbitrary code via a (1) poll or (2) kill request with a "long invalid subcmd."

9.3

28 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-25 CVE-2007-4529 Teamspeak Privilege Escalation vulnerability in Teamspeak web Server 2.0.20.1

The WebAdmin interface in TeamSpeak Server 2.0.20.1 allows remote authenticated users with the ServerAdmin flag to assign Registered users certain privileges, resulting in a privilege set that extends beyond that ServerAdmin's own servers, as demonstrated by the (1) AdminAddServer, (2) AdminDeleteServer, (3) AdminStartServer, and (4) AdminStopServer privileges; and administration of arbitrary virtual servers via a request to a .tscmd URI with a modified serverid parameter, as demonstrated by (a) add_server.tscmd, (b) ask_delete_server.tscmd, (c) start_server.tscmd, and (d) stop_server.tscmd.

8.5
2007-08-25 CVE-2007-4532 Michal Marcinkowski Remote Denial of Service vulnerability in Michal Marcinkowski Soldat Dedicated Server and Soldat Game Server

Soldat game server 1.4.2 and earlier, and dedicated server 2.6.2 and earlier, allows remote attackers to cause a denial of service (client lockout) via a series of UDP join packets from a spoofed IP address, which triggers temporary blacklisting of this IP address.

7.8
2007-08-23 CVE-2007-4498 Grandstream Remote Denial of Service vulnerability in Grandstream SIP Phone Gxv3000

The Grandstream SIP Phone GXV-3000 with firmware 1.0.1.7, Loader 1.0.0.6, and Boot 1.0.0.18 allows remote attackers to force silent call completion, eavesdrop on the phone's local environment, and cause a denial of service (blocked call reception) via a certain SIP INVITE message followed by a certain "SIP/2.0 183 Session Progress" message.

7.8
2007-08-25 CVE-2007-4534 Vavoom Remote vulnerability in Vavoom

Buffer overflow in the VThinker::BroadcastPrintf function in p_thinker.cpp in Vavoom 1.24 and earlier allows remote attackers to execute arbitrary code via (1) a long string in a chat message and possibly (2) a long name field.

7.5
2007-08-25 CVE-2007-4527 Phphq Unspecified vulnerability in PHPhq Phuploader 1.2

Unrestricted file upload vulnerability in phUploader.php in phphq.Net phUploader 1.2 allows remote attackers to upload and execute arbitrary code via unspecified vectors.

7.5
2007-08-25 CVE-2007-4525 Spip Code Injection vulnerability in Spip 1.7.2

** DISPUTED ** PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702.

7.5
2007-08-25 CVE-2007-4524 Phpress Local File Include vulnerability in PHPress 0.2.0

PHP remote file inclusion vulnerability in adisplay.php in PhPress 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter.

7.5
2007-08-23 CVE-2007-4509 Joomla SQL-Injection vulnerability in Eventlist

SQL injection vulnerability in index.php in the EventList component (com_eventlist) 0.8 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the did parameter in a details action.

7.5
2007-08-23 CVE-2007-4506 Joomla SQL Injection vulnerability in Joomla NeoRecruit Component

SQL injection vulnerability in index.php in the NeoRecruit component (com_neorecruit) 1.4 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an offer_view action.

7.5
2007-08-23 CVE-2007-4505 Mambo, Mamboserver SQL-Injection vulnerability in Mambo

SQL injection vulnerability in index.php in the RemoSitory component (com_remository) for Mambo allows remote attackers to execute arbitrary SQL commands via the cat parameter in a selectcat action.

7.5
2007-08-23 CVE-2007-4503 Joomla SQL Injection vulnerability in Nice Talk Joomla! Component 'tagid' Parameter

SQL injection vulnerability in index.php in the Nice Talk component (com_nicetalk) 0.9.3 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the tagid parameter.

7.5
2007-08-23 CVE-2007-4502 Joomla SQL-Injection vulnerability in Bibtex

SQL injection vulnerability in index.php in the BibTeX component (com_jombib) 1.3 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the afilter parameter.

7.5
2007-08-23 CVE-2007-4491 Gurur Haber SQL Injection vulnerability in Gurur Haber Gurur Haber 2.0

SQL injection vulnerability in uyeler2.php in Gurur haber 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2007-08-22 CVE-2007-4486 Linkliste Remote File Include vulnerability in Linkliste 1.2

Multiple PHP remote file inclusion vulnerabilities in index.php in Linkliste 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) styl[top], (2) url_eintrag, or (3) styl[themen] parameter.

7.5
2007-08-22 CVE-2007-4484 MY Referer Remote Security vulnerability in MY Referer MY Referer 1.08

PHP remote file inclusion vulnerability in login.php in My_REFERER 1.08 allows remote attackers to execute arbitrary PHP code via a URL in the value parameter.

7.5
2007-08-21 CVE-2007-4458 Firesoft Code Injection vulnerability in Firesoft

PHP remote file inclusion vulnerability in includes/class/class_tpl.php in Firesoft allows remote attackers to execute arbitrary PHP code via a URL in the cache_file parameter.

7.5
2007-08-21 CVE-2007-4456 Mambo, Parkview Consultants SQL Injection vulnerability in multiple products

SQL injection vulnerability in index.php in the SimpleFAQ (com_simplefaq) 2.11 component for Mambo allows remote attackers to execute arbitrary SQL commands via the aid parameter.

7.5
2007-08-21 CVE-2007-4447 Toribash Multiple vulnerability in Toribash

Multiple buffer overflows in the client in Toribash 2.71 and earlier allow remote attackers to (1) execute arbitrary code via a long game command in a replay (.rpl) file and (2) cause a denial of service (application crash) via a long SAY command that omits a required LF character; and allow remote Toribash servers to execute arbitrary code via (3) a long game command and (4) a long SAY command that omits a required LF character.

7.5
2007-08-21 CVE-2007-4446 Toribash Multiple vulnerability in Toribash

Format string vulnerability in the server in Toribash 2.71 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the NICK command (client nickname) when entering a game.

7.5
2007-08-21 CVE-2007-4445 Rfactor Multiple vulnerability in Rfactor 1150/1250

Image Space rFactor 1.250 and earlier allows remote attackers to cause a denial of service (daemon crash) via (1) an ID 0x30 packet, (2) an ID 0x38 packet, and an invalid 13-bit integer in (3) an ID 0x60 packet and (4) an ID 0x68 packet; and a denial of service (UDP port block) via (5) an ID 0x20 packet and (6) an ID 0x28 packet.

7.5
2007-08-21 CVE-2007-4444 Rfactor Multiple vulnerability in Rfactor 1150/1250

Multiple buffer overflows in Image Space rFactor 1.250 and earlier allow remote attackers to execute arbitrary code via a packet with ID (1) 0x80 or (2) 0x88 to UDP port 34297, related to the buffer containing the server version number.

7.5
2007-08-21 CVE-2007-4440 Pmail Buffer Errors vulnerability in Pmail Mercury Mail Transport System 4.51

Stack-based buffer overflow in the MercuryS SMTP server in Mercury Mail Transport System, possibly 4.51 and earlier, allows remote attackers to execute arbitrary code via a long AUTH CRAM-MD5 string.

7.5
2007-08-21 CVE-2007-4439 Lighthouse Development Remote File Include vulnerability in Squirrelcart Popup_Window.PHP

PHP remote file inclusion vulnerability in popup_window.php in Squirrelcart 1.x.x and earlier allows remote attackers to execute arbitrary PHP code via a URL in the site_isp_root parameter, probably related to cart.php.

7.5
2007-08-20 CVE-2007-4435 Torrenttrader SQL Injection vulnerability in TorrentTrader

Multiple SQL injection vulnerabilities in TorrentTrader before 1.07 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) account-inbox.php, (2) account-settings.php, and possibly (3) backend/functions.php.

7.5
2007-08-21 CVE-2007-4460 Id3Lib Unspecified vulnerability in Id3Lib 3.8.3

The RenderV2ToFile function in tag_file.cpp in id3lib (aka libid3) 3.8.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file whose name is constructed from the name of a file being tagged.

7.2
2007-08-21 CVE-2007-4216 Checkpoint Improper Input Validation vulnerability in Checkpoint Zonealarm 5.0.63.0/6.1.744.001/7.0.337.0

vsdatant.sys 6.5.737.0 in Check Point Zone Labs ZoneAlarm before 7.0.362 allows local users to gain privileges via a crafted Interrupt Request Packet (Irp) in a METHOD_NEITHER (1) IOCTL 0x8400000F or (2) IOCTL 0x84000013 request, which can be used to overwrite arbitrary memory locations.

7.2
2007-08-21 CVE-2007-4459 Cisco Improper Input Validation vulnerability in Cisco Voip Phone Cp-7940 and Voip Phone Cp-7960

Cisco IP Phone 7940 and 7960 with P0S3-08-6-00 firmware, and other SIP firmware before 8.7(0), allows remote attackers to cause a denial of service (device reboot) via (1) a certain sequence of 10 invalid SIP INVITE and OPTIONS messages; or (2) a certain invalid SIP INVITE message that contains a remote tag, followed by a certain set of two related SIP OPTIONS messages.

7.1
2007-08-21 CVE-2007-4213 Palm, Treo Remote Denial of Service vulnerability in Palm OS Treo Smartphone

Palm OS on Treo 650, 680, 700p, and 755p Smart phones allows remote attackers to cause a denial of service (device reset or hang) via a flood of large ICMP echo requests.

7.1

59 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-23 CVE-2007-4501 Sshkeychain Local Privilege Escalation and Information Disclosure vulnerability in SSHKeychain

Unspecified vulnerability in PassphraseRequester in SSHKeychain before 0.8.2 beta allows attackers to obtain sensitive information (passwords) via unknown vectors, related to "poor protection."

6.9
2007-08-23 CVE-2007-4500 Sshkeychain Local Privilege Escalation and Information Disclosure vulnerability in SSHKeychain

Unspecified vulnerability in TunnelRunner in SSHKeychain before 0.8.2 beta, and possibly later versions, allows local users to gain privileges via unspecified vectors.

6.9
2007-08-22 CVE-2007-3873 Trend Micro Local Stack Buffer Overflow vulnerability in Trend Micro Antispyware and Pc-Cillin Internet Security 2007

Stack-based buffer overflow in vstlib32.dll 1.2.0.1012 in the SSAPI Engine 5.0.0.1066 through 5.2.0.1012 in Trend Micro AntiSpyware 3.5 and PC-Cillin Internet Security 2007 15.0 through 15.3, when the Venus Spy Trap (VST) feature is enabled, allows local users to cause a denial of service (service crash) or execute arbitrary code via a file with a long pathname, which triggers the overflow during a ReadDirectoryChangesW callback notification.

6.9
2007-08-25 CVE-2007-4533 Vavoom Remote vulnerability in Vavoom

Format string vulnerability in the Say command in sv_main.cpp in Vavoom 1.24 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a chat message, related to a call to the BroadcastPrintf function.

6.8
2007-08-25 CVE-2007-4131 Redhat, Rpath, GNU Remote Directory Traversal vulnerability in GNU Tar Dot_Dot Function

Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //..

6.8
2007-08-23 CVE-2007-4508 Rebellion, Rival Interactive Remote Stack Buffer Overflow vulnerability in Asura Engine Challenge B Query

Stack-based buffer overflow in Rebellion Asura engine, as used for the server in Rogue Trooper 1.0 and earlier and Prism 1.1.1.0 and earlier, allows remote attackers to execute arbitrary code via a long string in a 0xf007 packet for the challenge B query.

6.8
2007-08-23 CVE-2007-4507 PHP Denial-Of-Service vulnerability in PHP 5.2.3

Multiple buffer overflows in the php_ntuser component for PHP 5.2.3 allow context-dependent attackers to cause a denial of service or execute arbitrary code via long arguments to the (1) ntuser_getuserlist, (2) ntuser_getuserinfo, (3) ntuser_getusergroups, or (4) ntuser_getdomaincontroller functions.

6.8
2007-08-23 CVE-2007-4499 American Financing Unspecified vulnerability in American Financing Email Image Upload 4.1

Unrestricted file upload vulnerability in output.php in American Financing eMail Image Upload 4.1 allows remote attackers to upload and execute arbitrary code via unspecified vectors.

6.8
2007-08-22 CVE-2007-4489 Ecentrex Buffer Overflow vulnerability in eCentrex VOIP Client UACOMX.OCX ActiveX Control

Buffer overflow in the IUAComFormX ActiveX control in uacomx.ocx 2.0.1 in the eCentrex VOIP Client module allows remote attackers to execute arbitrary code via a long Username argument to the ReInit method.

6.8
2007-08-22 CVE-2007-4485 Butterfly Remote Security vulnerability in Butterfly 1.08

PHP remote file inclusion vulnerability in visitor.php in Butterfly online visitors counter 1.08, when used with certain older versions of PHP with improper SERVER superglobal handling, allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter.

6.8
2007-08-21 CVE-2007-4454 Olate Unspecified vulnerability in Olate Olatedownload 3.4.1

Eval injection vulnerability in environment.php in Olate Download (od) 3.4.1 allows context-dependent attackers to execute arbitrary code via a crafted version string, as referenced by the (1) PDO::ATTR_SERVER_VERSION or (2) PDO::ATTR_CLIENT_VERSION attribute.

6.8
2007-08-20 CVE-2007-4438 Ampache Improper Authentication vulnerability in Ampache

Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.

6.8
2007-08-20 CVE-2007-4437 Ampache SQL Injection vulnerability in Ampache Albums.PHP

SQL injection vulnerability in albums.php in Ampache before 3.3.3.5 allows remote attackers to execute arbitrary SQL commands via the match parameter.

6.8
2007-08-20 CVE-2007-4431 Apple Unspecified vulnerability in Apple Safari 3.0.0B/3.0.1B/3.0.2B

Cross-domain vulnerability in Apple Safari for Windows 3.0.3 and earlier allows remote attackers to bypass the Same Origin Policy, with access from local zones to external domains, via a certain body.innerHTML property value, aka "classic JavaScript frame hijacking."

6.8
2007-08-20 CVE-2007-4428 Lhaz Remote Code Execution vulnerability in Lhaz 1.33

Lhaz 1.33 allows remote attackers to execute arbitrary code via unknown vectors, as actively exploited in August 2007 by the Exploit-LHAZ.a gzip file, a different issue than CVE-2006-4116.

6.8
2007-08-21 CVE-2007-4457 Florian Mahieu Path Traversal vulnerability in Florian Mahieu Dalai Forum 1.1

Directory traversal vulnerability in forumreply.php in Dalai Forum 1.1 allows remote attackers to include and execute arbitrary local files via a ..

6.4
2007-08-25 CVE-2007-4522 Ripe Website Manager SQL and HTML Injection vulnerability in Ripe Website Manager 0.8.4/0.8.9

Multiple SQL injection vulnerabilities in Ripe Website Manager 0.8.9 and earlier allow remote authenticated users to execute arbitrary SQL commands via one or more of the following vectors: the (1) id parameter to (a) pages/delete_page.php, (b) navigation/delete_menu.php, and (c) navigation/delete_item.php in admin/; the (2) menu_id, (3) name, (3) page_id, and (4) url parameters in (d) admin/navigation/do_new_item.php; the (5) new_menuname parameter in (e) admin/navigation/do_new_nav.php; and (6) area1, name, and url parameters to (f) admin/pages/do_new_page.php.

6.0
2007-08-20 CVE-2007-4425 Live FOR Speed Multiple vulnerability in Live FOR Speed Live for Speed Demo/S1/S2

Multiple buffer overflows in Live for Speed (LFS) demo, S1, and S2 allow remote authenticated users to (1) cause a denial of service (server crash) and probably execute arbitrary code via an ID 3 packet with a long nickname field, and (2) cause a denial of service (server crash) via an ID 10 packet containing a long string corresponding to an unavailable track.

6.0
2007-08-25 CVE-2007-4531 Michal Marcinkowski Remote Denial of Service vulnerability in Michal Marcinkowski Soldat Dedicated Server and Soldat Game Server

Soldat game server 1.4.2 and earlier, and dedicated server 2.6.2 and earlier, allows remote attackers to cause a client denial of service (crash) via (1) a long string to the file transfer port or (2) a long chat message, or (3) a server denial of service (continuous beep and slowdown) via a string containing many 0x07 or other control characters to the file transfer port.

5.0
2007-08-23 CVE-2007-3847 Apache Unspecified vulnerability in Apache Http Server 2.3.0

The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read.

5.0
2007-08-23 CVE-2007-4511 SUN Unspecified vulnerability in SUN Java System Application Server 9.00.1

The Sun Admin Console in Sun Application Server 9.0_0.1 does not apply certain configuration changes persistently, which causes the (1) SSL and (2) SSL_MutualAuth ORB listener services to enable all protocols and ciphers after the services are restarted, possibly allowing remote attackers to bypass intended policy.

5.0
2007-08-23 CVE-2007-4504 Joomla Directory Traversal vulnerability in RSFiles

Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a ..

5.0
2007-08-23 CVE-2007-4494 EZ Unspecified vulnerability in EZ Publish

The tipafriend function in eZ publish before 3.8.9, and 3.9 before 3.9.3, does not limit access by anonymous users, which allows remote attackers to conduct spam attacks.

5.0
2007-08-22 CVE-2007-4477 Planet Technology Corp Remote Denial Of Service vulnerability in Planet VC-200M VDSL2 Router Administration Interface

The administration interface in the Planet VC-200M VDSL2 router allows remote attackers to cause a denial of service (administration interface outage) via an HTTP request without a Host header.

5.0
2007-08-22 CVE-2007-4455 Asterisk Remote Denial of Service vulnerability in Asterisk products

The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, AsteriskNOW before beta7, Asterisk Appliance Developer Kit 0.x before 0.8.0, and s800i (Asterisk Appliance) 1.x before 1.0.3 allows remote attackers to cause a denial of service (memory exhaustion) via a SIP dialog that causes a large number of history entries to be created.

5.0
2007-08-21 CVE-2007-4463 Fransois Gannier, Ghisler PE File Denial of Service vulnerability in Total Commander FileInfo Plugin

The Fileinfo 2.0.9 plugin for Total Commander allows user-assisted remote attackers to cause a denial of service (unhandled exception) via an invalid RVA address function pointer in (1) an IMAGE_THUNK_DATA structure, involving the (a) OriginalFirstThunk and (b) FirstThunk IMAGE_IMPORT_DESCRIPTOR fields, or (2) the AddressOfNames IMAGE_EXPORT_DIRECTORY field in a PE file.

5.0
2007-08-21 CVE-2007-4452 Toribash Denial-Of-Service vulnerability in Toribash

The client in Toribash 2.71 and earlier allows remote attackers to cause a denial of service (disconnection) via a long (1) emote or (2) SPEC command.

5.0
2007-08-21 CVE-2007-4451 Toribash Multiple vulnerability in Toribash

The server in Toribash 2.71 and earlier on Windows allows remote attackers to cause a denial of service (continuous beep and server hang) via certain commands that contain many 0x07 or other invalid characters.

5.0
2007-08-21 CVE-2007-4450 Toribash Improper Input Validation vulnerability in Toribash

The server in Toribash 2.71 and earlier does not properly handle long commands, which allows remote attackers to trigger a protocol violation in which data is sent to other clients without a required LF character, as demonstrated by a SAY command.

5.0
2007-08-21 CVE-2007-4449 Toribash Multiple vulnerability in Toribash

The client in Toribash 2.71 and earlier allows remote attackers to cause a denial of service (application hang) via a command without an LF character, as demonstrated by a SAY command.

5.0
2007-08-21 CVE-2007-4448 Toribash Multiple vulnerability in Toribash

The server in Toribash 2.71 and earlier does not properly handle partially joined clients that are temporarily assigned the ID of -1, which allows remote attackers to cause a denial of service (daemon crash) via a GRIP command with the ID of -1.

5.0
2007-08-21 CVE-2007-4443 Epic Games Denial-Of-Service vulnerability in Epic Games Unreal Engine 2003/2004

The UCC dedicated server for the Unreal engine, possibly 2003 and 2004, on Windows allows remote attackers to cause a denial of service (continuous beep and server slowdown) via a string containing many 0x07 characters in (1) a request to the images/ directory, (2) the Content-Type field, (3) a HEAD request, and possibly other unspecified vectors.

5.0
2007-08-21 CVE-2007-4442 Epic Games Remote Denial of Service vulnerability in Epic Games Unreal Engine 2003/2004

Stack-based buffer overflow in the logging function in the Unreal engine, possibly 2003 and 2004, as used in the internal web server, allows remote attackers to cause a denial of service (application crash) via a request for a long .gif filename in the images/ directory, related to conversion from Unicode to ASCII.

5.0
2007-08-20 CVE-2007-4436 Drupal Permissions, Privileges, and Access Controls vulnerability in Drupal Project and Project Issue Tracking Module

The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and Project issue tracking module before 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4 do not properly enforce permissions, which allows remote attackers to (1) obtain sensitive via the Tracker Module and the Recent posts page; (2) obtain project names via unspecified vectors; (3) obtain sensitive information via the statistics pages; and (4) read CVS project activity.

5.0
2007-08-20 CVE-2007-4430 Cisco Improper Input Validation vulnerability in Cisco products

Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows context-dependent attackers to cause a denial of service (device restart and BGP routing table rebuild) via certain regular expressions in a "show ip bgp regexp" command.

5.0
2007-08-20 CVE-2007-4429 Skype Technologies Denial-Of-Service vulnerability in Skype

Unspecified vulnerability in Skype allows remote attackers to cause a denial of service (server hang) via unknown vectors related to sending long URIs, as claimed to be actively exploited on 20070817 using a "call to a specific number." NOTE: this identifier is for the en.securitylab.ru disclosure.

5.0
2007-08-20 CVE-2007-4426 Live FOR Speed Denial-Of-Service vulnerability in Live for Speed

Live for Speed (LFS) S1 and S2 allows remote attackers to cause a denial of service (server crash) via (1) a certain 0x00 byte in a pre-login ID 3 packet, which triggers a NULL dereference; or (2) a pre-login ID 5 packet that lacks certain strings, which triggers an invalid pointer dereference.

5.0
2007-08-23 CVE-2007-4495 SUN Denial-Of-Service vulnerability in SUN Solaris 10.0/8.0/9.0

Unspecified vulnerability in the ata disk driver in Sun Solaris 10 on the x86 platform before 20070821 allows local users to cause a denial of service (system panic) via an unspecified ioctl function, aka Bug 6433124.

4.9
2007-08-23 CVE-2007-4492 SUN Local Denial Of Service vulnerability in SUN Solaris 10.0/8.0/9.0

Multiple unspecified vulnerabilities in the ata disk driver in Sun Solaris 8, 9, and 10 on the x86 platform before 20070821 allow local users to cause a denial of service (system panic) via unspecified ioctl functions, aka Bug 6433123.

4.9
2007-08-25 CVE-2007-4536 Torrenttrader Local Privilege Escalation vulnerability in TorrentTrader Insecure File Permission

TorrentTrader 1.07 and earlier sets insecure permissions for files in the root directory, which allows attackers to execute arbitrary PHP code by modifying (1) disclaimer.txt, (2) sponsors.txt, and (3) banners.txt, which are used in an include call.

4.6
2007-08-21 CVE-2007-4441 PHP Local Buffer Overflow vulnerability in PHP Win32std Extension

Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function.

4.6
2007-08-20 CVE-2007-4432 Novell, Suse Local Security vulnerability in Linux

Untrusted search path vulnerability in the wrapper scripts for the (1) rug, (2) zen-updater, (3) zen-installer, and (4) zen-remover programs on SUSE Linux 10.1 and Enterprise 10 allows local users to gain privileges via modified (a) LD_LIBRARY_PATH and (b) MONO_GAC_PREFIX environment variables.

4.6
2007-08-25 CVE-2007-4535 Vavoom Remote vulnerability in Vavoom

The VStr::Resize function in str.cpp in Vavoom 1.24 and earlier allows remote attackers to cause a denial of service (daemon crash) via a string with a negative NewLen value within a certain UDP packet that triggers an assertion error.

4.3
2007-08-25 CVE-2007-4530 Teamspeak Scripts Multiple Cross-Site Scripting vulnerability in Teamspeak web Server 2.0.20.1

Multiple cross-site scripting (XSS) vulnerabilities in TeamSpeak Server 2.0.20.1 allow remote attackers to inject arbitrary web script or HTML via (1) the error_text parameter to error_box.html or (2) the ok_title parameter to ok_box.html.

4.3
2007-08-25 CVE-2007-4528 PHP Remote Security vulnerability in PHP 5.0.5

The Foreign Function Interface (ffi) extension in PHP 5.0.5 does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code by loading an arbitrary DLL and calling a function, as demonstrated by kernel32.dll and the WinExec function.

4.3
2007-08-23 CVE-2007-4510 Clam Anti Virus, Kolab Remote Denial of Service vulnerability in ClamAV

ClamAV before 0.91.2, as used in Kolab Server 2.0 through 2.2beta1 and other products, allows remote attackers to cause a denial of service (application crash) via (1) a crafted RTF file, which triggers a NULL dereference in the cli_scanrtf function in libclamav/rtf.c; or (2) a crafted HTML document with a data: URI, which triggers a NULL dereference in the cli_html_normalise function in libclamav/htmlnorm.c.

4.3
2007-08-22 CVE-2007-4488 Siemens Cross-Site Scripting vulnerability in Siemens Gigaset Se361 Wlan Router 0

Multiple cross-site scripting (XSS) vulnerabilities in the Siemens Gigaset SE361 WLAN router with firmware 1.00.0 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI immediately following the filename for (1) a GIF filename, which triggers display of the GIF file in text format and an unspecified denial of service (crash); or (2) the login.tri filename, which triggers a continuous loop of the browser attempting to visit the login page.

4.3
2007-08-22 CVE-2007-4487 Dscripting COM Cross-Site Scripting vulnerability in D22-Shoutbox

Cross-site scripting (XSS) vulnerability in D22-Shoutbox for Invision Power Board (IPB or IP.Board) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2007-08-22 CVE-2007-4483 Wordpress Cross-Site Scripting vulnerability in Wordpress Wordpressclassic 1.5

Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

4.3
2007-08-22 CVE-2007-4482 Wordpress Cross-Site Scripting vulnerability in Wordpress Pool 1.0.7

Cross-site scripting (XSS) vulnerability in index.php in the Pool 1.0.7 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

4.3
2007-08-22 CVE-2007-4481 Wordpress Cross-Site Scripting vulnerability in Blix

Cross-site scripting (XSS) vulnerability in index.php in the (1) Blix 0.9.1 and (2) Blix 0.9.1 Rus themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

4.3
2007-08-22 CVE-2007-4480 Wordpress Cross-Site Scripting vulnerability in Wordpress Sirius 1.0

Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

4.3
2007-08-22 CVE-2007-4479 Aleadsoft COM Cross-Site Scripting vulnerability in Aleadsoft.Com Search Engine Builder Professional 2.40

Cross-site scripting (XSS) vulnerability in search.html in Search Engine Builder allows remote attackers to inject arbitrary web script or HTML via the searWords parameter.

4.3
2007-08-22 CVE-2007-4478 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 6.0

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 6.0 and 7 allows user-assisted remote attackers to inject arbitrary web script or HTML in the local zone via a URI, when the document at the associated URL is saved to a local file, which then contains the URI string along with the document's original content.

4.3
2007-08-21 CVE-2007-4464 Fransois Gannier, Ghisler Code Injection vulnerability in multiple products

CRLF injection vulnerability in the Fileinfo 2.0.9 plugin for Total Commander allows user-assisted remote attackers to spoof the information in the Image File Header tab via strings with CRLF sequences in the IMAGE_EXPORT_DIRECTORY array in a PE file, which could complicate forensics investigations.

4.3
2007-08-21 CVE-2007-4461 Nufw Unspecified vulnerability in Nufw 2.2.3

NuFW 2.2.3, and certain other versions after 2.0, allows remote attackers to bypass time-based packet filtering rules via certain "out of period" choices of packet transmission time.

4.3
2007-08-21 CVE-2007-4453 Jelsoft Unspecified vulnerability in Jelsoft Vbulletin 3.6.8

** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.8 allow remote attackers to inject arbitrary web code or HTML via the (1) s parameter to index.php, and the (2) q parameter to (a) faq.php, (b) member.php, (c) memberlist.php, (d) calendar.php, (e) search.php, (f) forumdisplay.php, (g) showgroups.php, (h) online.php, and (i) sendmessage.php.

4.3
2007-08-20 CVE-2007-4434 Aspindir Cross-Site Scripting vulnerability in Aspindir Text File Search 0

Cross-site scripting (XSS) vulnerability in textfilesearch.asp in the Text File Search ASP (Classic) edition allows remote attackers to inject arbitrary web script or HTML via the query parameter.

4.3
2007-08-20 CVE-2007-4433 Aspindir Cross-Site Scripting vulnerability in Aspindir Text File Search 0

Cross-site scripting (XSS) vulnerability in textfilesearch.aspx in the Text File Search ASP.NET edition allows remote attackers to inject arbitrary web script or HTML via the search field.

4.3

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-25 CVE-2007-4523 Ripe Website Manager Cross-Site Scripting vulnerability in Ripe Website Manager 0.8.4/0.8.9

Multiple cross-site scripting (XSS) vulnerabilities in Ripe Website Manager 0.8.9 and earlier allow remote authenticated users to inject arbitrary web script or HTML via one or more of the following vectors: the (1) id parameter to (a) pages/delete_page.php, (b) navigation/delete_menu.php, and (c) navigation/delete_item.php in admin/; the (2) menu_id, (3) name, (3) page_id, and (4) url parameters in (d) admin/navigation/do_new_item.php; the (5) new_menuname parameter in (e) admin/navigation/do_new_nav.php; and (6) area1, name, and url parameters to (f) admin/pages/do_new_page.php, probably involving the Title or textarea field as reachable through admin/pages/new_page.php.

3.5
2007-08-20 CVE-2007-4427 Intersystems Remote Security vulnerability in Intersystems Cache Database 2007.1.0.369.0/2007.1.1.420.0

Unspecified vulnerability in the login page redirection logic in the Cache' Server Page (CSP) implementation in InterSystems Cache' 2007.1.0.369.0 and 2007.1.1.420.0 allows remote authenticated users to modify data on a server, related to encoding of certain parameter values by this redirection logic, aka MAK2116.

3.5
2007-08-20 CVE-2007-0437 Intersystems Cross-Site Scripting vulnerability in Cache Database

Multiple cross-site scripting (XSS) vulnerabilities in the sample Cache' Server Page (CSP) scripts in InterSystems Cache' allow remote attackers to inject arbitrary web script or HTML via (1) the TO parameter to loop.csp, (2) the VALUE parameter to cookie.csp, and (3) the PAGE parameter to showsource.csp in csp/samples/; and allow remote authenticated users to inject arbitrary web script or HTML via (4) the ERROR parameter to csp/samples/xmlclasseserror.csp, and unspecified vectors in (5) object.csp and (6) lotteryhistory.csp in csp/samples/.

3.5
2007-08-21 CVE-2007-4462 Po4A Local Privilege Escalation vulnerability in po4a GetTextization.Failed.PO

lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite arbitrary files via a symlink attack on the gettextization.failed.po temporary file.

3.3
2007-08-25 CVE-2007-4526 Netiq, Novell Credentials Management vulnerability in multiple products

The Client Login Extension (CLE) in Novell Identity Manager before 3.5.1 20070730 stores the username and password in a local file, which allows local users to obtain sensitive information by reading this file.

2.1