Weekly Vulnerabilities Reports > September 24 to 30, 2007

Overview

116 new vulnerabilities reported during this period, including 10 critical vulnerabilities and 32 high severity vulnerabilities. This weekly summary report vulnerabilities in 107 products from 85 vendors including Apple, Microsoft, Linux, Imagemagick, and Boesch IT. Vulnerabilities are notably categorized as "Cross-site Scripting", "Code Injection", "Improper Input Validation", "Permissions, Privileges, and Access Controls", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 99 reported vulnerabilities are remotely exploitables.
  • 34 reported vulnerabilities have public exploit available.
  • 39 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 114 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 11 reported vulnerabilities.
  • ASK COM has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

10 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-09-28 CVE-2007-4880 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Tivoli Storage Manager Client

Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via crafted HTTP headers, aka IC52905.

10.0
2007-09-27 CVE-2007-5126 Symantec Unspecified vulnerability in Symantec Veritas Backup Exec 11D

Unspecified vulnerability in the client in Symantec Veritas Backup Exec for Windows Servers 11d has unknown impact and remote attack vectors.

10.0
2007-09-26 CVE-2007-5108 ASK COM Remote Security vulnerability in Ask Toolbar

Unspecified vulnerability in IAC Search & Media ask.com toolbar has unknown impact and remote attack vectors.

10.0
2007-09-24 CVE-2007-5070 Quiksoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Quiksoft Easymail Messageprinter Object

Heap-based buffer overflow in the EasyMailMessagePrinter ActiveX control in emprint.DLL 6.0.1.0 in the Quiksoft EasyMail MessagePrinter Object allows remote attackers to execute arbitrary code via a long string in the first argument to the SetFont method.

10.0
2007-09-24 CVE-2007-5057 Netsupport Improper Authentication vulnerability in Netsupport Manager Client

NetSupport Manager Client before 10.20.0004 allows remote attackers to bypass the (1) basic and (2) authentication schemes by spoofing the NetSupport Manager.

10.0
2007-09-27 CVE-2007-5117 Frontaccounting Code Injection vulnerability in Frontaccounting 1.13

Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.

9.3
2007-09-26 CVE-2007-5107 ASK COM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ask.Com ASK Toolbar

Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and earlier allows remote attackers to execute arbitrary code via a long ShortFormat property value.

9.3
2007-09-24 CVE-2007-4987 Imagemagick Numeric Errors vulnerability in Imagemagick

Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.

9.3
2007-09-24 CVE-2007-5045 Apple
Mozilla
Code Injection vulnerability in multiple products

Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, when running on systems with Mozilla Firefox before 2.0.0.7 installed, allows remote attackers to execute arbitrary commands via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter containing the Firefox "-chrome" argument.

9.3
2007-09-24 CVE-2007-5066 Webmin Improper Input Validation vulnerability in Webmin

Unspecified vulnerability in Webmin before 1.370 on Windows allows remote authenticated users to execute arbitrary commands via a crafted URL.

9.0

32 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-09-27 CVE-2007-3753 Apple Improper Input Validation vulnerability in Apple Iphone 1.0/1.0.1/1.0.2

Apple iPhone 1.1.1, with Bluetooth enabled, allows physically proximate attackers to cause a denial of service (application termination) and execute arbitrary code via crafted Service Discovery Protocol (SDP) packets, related to insufficient input validation.

7.5
2007-09-27 CVE-2007-5131 Interspire SQL Injection vulnerability in Interspire Activekb NX 2/2.6

SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x allows remote attackers to execute arbitrary SQL commands via the catId parameter in a browse action.

7.5
2007-09-27 CVE-2007-5123 Solidweb SQL Injection vulnerability in Solidweb Novus 1.0

SQL injection vulnerability in notas.asp in Novus 1.0 allows remote attackers to execute arbitrary SQL commands via the nota_id parameter.

7.5
2007-09-27 CVE-2007-5122 Softbizscripts SQL Injection vulnerability in Softbizscripts Classifieds Plus Script

SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2007-09-26 CVE-2007-5115 Ekke Doerre Code Injection vulnerability in Ekke Doerre Mods 4 Xoops Contenido EZ Publish

Multiple PHP remote file inclusion vulnerabilities in Ekke Doerre Contenido 42VariablVersion (42VV10) in contenido_hacks in Mods 4 Xoops Contenido eZ publish (pdf4cms) allow remote attackers to execute arbitrary PHP code via a URL in the cfgPathInc parameter to (1) main_upl.php, (2) main_con_editside.php, (3) main_news_rcp.php, (4) main_mod.php, (5) main_tplinput_edit.php, (6) main_con.php, (7) main_tpl.php, (8) main_con_sidelist.php, (9) main_str.php, (10) main_news.php, (11) main_tplinput.php, (12) main_lang.php, (13) main_mod_edit.php, (14) main_lay.php, (15) main_lay_edit.php, (16) main_news_send.php, (17) main_con_edittpl.php, (18) main_stat.php, (19) main_tpl_edit.php, (20) main_news_edit.php, or (21) inc/upl_show_uploads.inc.php; the (a) cfgPathContenido or (b) cfgPathTpl parameter to (22) con_show_sidelist.inc.php, (23) mod_show_modules.inc.php, (24) con_edit_form.inc.php, (25) lay_show_layouts.inc.php, (26) con_show_tree.inc.php, (27) news_show_newsletters.inc.php, (28) str_show_tree.inc.php, (29) tpl_show_templates.inc.php, (30) stat_show_tree.inc.php, (31) con_editcontent.inc.php, or (32) news_show_recipients.inc.php in inc/; or the cfgPathTpl parameter to (33) main_user_md5.php3, or (34) actions_mod.php, (35) actions_lay.php, (36) actions_upl.php, (37) actions_stat.php, (38) actions_news.php, (39) actions_str.php, (40) header.php, (41) actions_con_sidelist.php, (42) main_top.inc.php, (43) actions_tpl.php, or (44) actions_con.php in tpl/.

7.5
2007-09-26 CVE-2007-5110 EB Design PTY LTD Path Traversal vulnerability in EB Design PTY LTD Ebcrypt 2.0.0.2087

Absolute path traversal vulnerability in the EbCrypt.eb_c_PRNGenerator.1 ActiveX control in EBCRYPT.DLL 2.0.0.2087 and earlier in EB Design ebCrypt allows remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the SaveToFile method.

7.5
2007-09-26 CVE-2007-5104 Bcoos SQL Injection vulnerability in Bcoos 1.0.10

SQL injection vulnerability in index.php in the Arcade module in bcoos 1.0.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a play_game action.

7.5
2007-09-26 CVE-2007-5099 David Watters Code Injection vulnerability in David Watters Helplink 0.1.0

PHP remote file inclusion vulnerability in show.php in David Watters Helplink 0.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.

7.5
2007-09-26 CVE-2007-5097 Online Fantasy Football League Code Injection vulnerability in Online Fantasy Football League Offl 0.2.6

** DISPUTED ** PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter.

7.5
2007-09-26 CVE-2007-5096 Guanxicrm Code Injection vulnerability in Guanxicrm Business Solution 0.9.1

PHP remote file inclusion vulnerability in modules/webmail2/inc/rfc822.php in guanxiCRM Business Solution 0.9.1 allows remote attackers to execute arbitrary PHP code via a URL in the webmail2_inc_dir parameter.

7.5
2007-09-26 CVE-2007-5095 Microsoft Improper Input Validation vulnerability in Microsoft Windows Media Player 9

Microsoft Windows Media Player (WMP) 9 on Windows XP SP2 invokes Internet Explorer to render HTML documents contained inside some media files, regardless of what default web browser is configured, which might allow remote attackers to exploit vulnerabilities in software that the user does not expect to run, as demonstrated by the HTMLView parameter in an .asx file.

7.5
2007-09-26 CVE-2007-5094 Ipswitch Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ipswitch Imail

Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line.

7.5
2007-09-26 CVE-2007-5090 IBM
Microsoft
Permissions, Privileges, and Access Controls vulnerability in multiple products

Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.

7.5
2007-09-26 CVE-2007-5089 SK LOG Code Injection vulnerability in Sk.Log 0.5.3

PHP remote file inclusion vulnerability in php-inc/log.inc.php in sk.log 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the SKIN_URL parameter.

7.5
2007-09-24 CVE-2007-5071 Alexander Palmo Configuration vulnerability in Alexander Palmo Simple PHP Blog

Incomplete blacklist vulnerability in upload_img_cgi.php in Simple PHP Blog before 0.5.1 allows remote attackers to upload dangerous files and execute arbitrary code, as demonstrated by a filename ending in .php.

7.5
2007-09-24 CVE-2007-5069 Massimo Chioni Path Traversal vulnerability in Massimo Chioni Mobile Entertainment Module 1

Directory traversal vulnerability in data/compatible.php in the Nuke Mobile Entertainment 1 addon for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-09-24 CVE-2007-5068 Phpfullannu SQL Injection vulnerability in PHPfullannu 6.0

SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allows remote attackers to execute arbitrary SQL commands via the mod parameter.

7.5
2007-09-24 CVE-2007-5067 Imatix Buffer Errors vulnerability in Imatix Xitami 2.5C2

Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remote attackers to execute arbitrary code via a long If-Modified-Since header to (1) xigui32.exe or (2) xitami.exe.

7.5
2007-09-24 CVE-2007-5065 Joomla
Webmaster Tips
Code Injection vulnerability in multiple products

PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.

7.5
2007-09-24 CVE-2007-5062 Adam Scheinberg Permissions, Privileges, and Access Controls vulnerability in Adam Scheinberg Flip

account.php in Adam Scheinberg Flip 3.0 and earlier allows remote attackers to create administrative accounts via the un parameter in a register action.

7.5
2007-09-24 CVE-2007-5061 Clansphere SQL Injection vulnerability in Clansphere 2007.4

SQL injection vulnerability in mods/banners/navlist.php in Clansphere 2007.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php in a banners action.

7.5
2007-09-24 CVE-2007-5055 Izicontents Path Traversal vulnerability in Izicontents

Multiple directory traversal vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to include and execute arbitrary local files via a ..

7.5
2007-09-24 CVE-2007-5054 Izicontents Code Injection vulnerability in Izicontents

Multiple PHP remote file inclusion vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the gsLanguage parameter to (1) search/search.php, (2) poll/inlinepoll.php, (3) poll/showpoll.php, (4) links/showlinks.php, or (5) links/submit_links.php in modules/.

7.5
2007-09-24 CVE-2007-5053 Izicontents Code Injection vulnerability in Izicontents

Multiple incomplete blacklist vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php; or a URL in the language_home parameter to (3) search/search.php, (4) poll/inlinepoll.php, (5) poll/showpoll.php, (6) links/showlinks.php, or (7) links/submit_links.php in modules/; related to missing checks in (a) modules/moduleSec.php and (b) include/includeSec.php for inclusion of certain URLs, as demonstrated by an ftps:// URL.

7.5
2007-09-24 CVE-2007-5050 Neuron News Path Traversal vulnerability in Neuron News Neuron News 1.0

Directory traversal vulnerability in index.php in Neuron News 1.0 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-09-24 CVE-2007-5048 Lhaplus Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Lhaplus 1.52/1.53

Heap-based buffer overflow in Lhaplus before 1.55 allows remote attackers to execute arbitrary code via a long filename in an ARJ archive.

7.5
2007-09-24 CVE-2007-5038 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Bugzilla

The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation.

7.5
2007-09-24 CVE-2007-5035 Openengine Improper Input Validation vulnerability in Openengine 1.9Beta1/1.9Beta2/1.9Beta3

** DISPUTED ** PHP remote file inclusion vulnerability in html/modules/extranet_profile/main.php in openEngine 1.9 beta1 allows remote attackers to execute arbitrary PHP code via a URL in the this_module_path parameter.

7.5
2007-09-26 CVE-2007-5101 Furquim Permissions, Privileges, and Access Controls vulnerability in Furquim Chironfs

ChironFS before 1.0 RC7 sets user/group ownership to the mounter account instead of the creator account when files are created, which allows local users to gain privileges.

7.2
2007-09-24 CVE-2007-4573 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.

7.2
2007-09-24 CVE-2007-5047 Symantec Improper Input Validation vulnerability in Symantec Norton Internet Security 200815.0.0.60

Norton Internet Security 2008 15.0.0.60 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the NtOpenSection kernel SSDT hook.

7.2
2007-09-27 CVE-2007-5133 Microsoft
3Ware
Resource Management Errors vulnerability in multiple products

Microsoft Windows Explorer (explorer.exe) allows user-assisted remote attackers to cause a denial of service (CPU consumption) via a certain PNG file with a large tEXt chunk that possibly triggers an integer overflow in PNG chunk size handling, as demonstrated by badlycrafted.png.

7.1

70 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-09-27 CVE-2007-4993 Xensource INC Improper Input Validation vulnerability in Xensource INC XEN 3.0.3

pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.

6.9
2007-09-24 CVE-2007-5044 Zonelabs Permissions, Privileges, and Access Controls vulnerability in Zonelabs Zonealarm 7.0.362.000

ZoneAlarm Pro 7.0.362.000 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreatePort and (2) NtDeleteFile kernel SSDT hooks, a partial regression of CVE-2007-2083.

6.9
2007-09-28 CVE-2007-5141 Sitex SQL Injection vulnerability in Sitex CMS 0.7.3Beta

SQL injection vulnerability in search.php in SiteX CMS 0.7.3 Beta allows remote attackers to execute arbitrary SQL commands via the search parameter.

6.8
2007-09-28 CVE-2007-5140 Integramod Code Injection vulnerability in Integramod Nederland 1.4.2

PHP remote file inclusion vulnerability in includes/archive/archive_topic.php in IntegraMOD Nederland 1.4.2 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

6.8
2007-09-28 CVE-2007-5139 Chupix Code Injection vulnerability in Chupix CMS 0.2.3

PHP remote file inclusion vulnerability in admin/include/header.php in chupix 0.2.3, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the repertoire parameter.

6.8
2007-09-28 CVE-2007-5138 Lustig Code Injection vulnerability in Lustig Lustig.Cms 2.5Beta

PHP remote file inclusion vulnerability in forum/forum.php in lustig.cms BETA 2.5 allows remote attackers to execute arbitrary PHP code via a URL in the view parameter.

6.8
2007-09-28 CVE-2007-5137 TCL TK Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in TCL TK TCL TK 8.4.13/8.4.14/8.4.15

Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first.

6.8
2007-09-27 CVE-2007-4671 Apple
Microsoft
Improper Input Validation vulnerability in Apple Safari

Unspecified vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages from the same domain.

6.8
2007-09-27 CVE-2007-3759 Apple Configuration vulnerability in Apple Safari

Safari in Apple iPhone 1.1.1, when requested to disable Javascript, does not disable it until Safari is restarted, which might leave Safari open to attacks that the user does not expect.

6.8
2007-09-27 CVE-2007-5135 Openssl Numeric Errors vulnerability in Openssl

Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.

6.8
2007-09-27 CVE-2007-5124 AOL Code Injection vulnerability in AOL Instant Messenger

The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.5.3.12 and earlier allows remote attackers to execute arbitrary code via unspecified web script or HTML in an instant message, related to AIM's filtering of "specific tags and attributes" and the lack of Local Machine Zone lockdown.

6.8
2007-09-26 CVE-2007-5114 Phpmyprofiler Code Injection vulnerability in PHPmyprofiler 0.9.6B

** DISPUTED ** PHP remote file inclusion vulnerability in include/plugin/block.t.php in Peter Schmidt phpmyProfiler 0.9.6b allows remote attackers to execute arbitrary PHP code via a URL in the pmp_rel_path parameter.

6.8
2007-09-26 CVE-2007-5103 Wordsmith Path Traversal vulnerability in Wordsmith 1.0Rc1

Directory traversal vulnerability in config.inc.php in Wordsmith 1.0 RC1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a ..

6.8
2007-09-26 CVE-2007-5102 Wordsmith Code Injection vulnerability in Wordsmith 1.0Rc1

PHP remote file inclusion vulnerability in config.inc.php in Wordsmith 1.0 RC1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the _path parameter.

6.8
2007-09-26 CVE-2007-5100 Phpbb Code Injection vulnerability in PHPbb Plus 1.53

Multiple PHP remote file inclusion vulnerabilities in phpBB Plus 1.53, and 1.53a before 20070922, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) language/lang_german/lang_admin_album.php, (2) language/lang_english/lang_main_album.php, and (3) language/lang_english/lang_admin_album.php, different vectors than CVE-2007-5009.

6.8
2007-09-26 CVE-2007-5098 Dragonfrugal Code Injection vulnerability in Dragonfrugal DFD Cart

Multiple PHP remote file inclusion vulnerabilities in DFD Cart 1.1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the set_depth parameter to (1) app.lib/product.control/core.php/product.control.config.php, or (2) customer.browse.list.php or (3) customer.browse.search.php in app.lib/product.control/core.php/customer.area/.

6.8
2007-09-26 CVE-2007-5092 Multimedia Path Traversal vulnerability in Multimedia Dance Music Module FOR PHPnuke

Directory traversal vulnerability in index.php in the Dance Music module for phpNuke, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a ..

6.8
2007-09-24 CVE-2007-5064 Xunlei Buffer Errors vulnerability in Xunlei web Thunder 5.6.9.344

Buffer overflow in a certain ActiveX control in Xunlei Web Thunder 5.6.9.344, possibly the DapPlayer ActiveX control in DapPlayer_Now.dll, allows remote attackers to execute arbitrary code via a long first argument to the DownURL2 method.

6.8
2007-09-24 CVE-2007-5056 Adodb Lite
Cmsmadesimple
Journalness
Open Realty
Pacercms
Sapid
Code Injection vulnerability in multiple products

Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.

6.8
2007-09-24 CVE-2007-4988 Imagemagick Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Imagemagick

Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.

6.8
2007-09-24 CVE-2007-4986 Imagemagick Numeric Errors vulnerability in Imagemagick

Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow.

6.8
2007-09-24 CVE-2007-5037 Inotify Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Inotify Inotify-Tools

Buffer overflow in the inotifytools_snprintf function in src/inotifytools.c in the inotify-tools library before 3.11 allows context-dependent attackers to execute arbitrary code via a long filename.

6.8
2007-09-25 CVE-2007-5079 Redhat Unspecified vulnerability in Redhat Linux 4.0

Red Hat Enterprise Linux 4 does not properly compile and link gdm with tcp_wrappers on x86_64 platforms, which might allow remote attackers to bypass intended access restrictions.

6.0
2007-09-27 CVE-2007-5134 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended.

5.0
2007-09-27 CVE-2007-5129 Boesch IT Information Exposure vulnerability in Boesch-It Simpgb 1.46.02

SimpGB 1.46.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain sensitive configuration information via a direct request for admin/cfginfo.php; and (2) download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.

5.0
2007-09-27 CVE-2007-5128 Boesch IT
PHP
Improper Input Validation vulnerability in multiple products

SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via an certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows.

5.0
2007-09-27 CVE-2007-4873 Simplenews Permissions, Privileges, and Access Controls vulnerability in Simplenews 2.41.03

SimpNews 2.41.03 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.

5.0
2007-09-27 CVE-2007-4872 Simplenews Information Disclosure vulnerability in Simplenews 2.41.03

SimpNews 2.41.03 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php; or a direct request to (2) admin/dbg_infos.php, (3) admin/heading.php, or (4) evsearch.php; which reveals the path in various error messages.

5.0
2007-09-26 CVE-2007-5113 ROI Revolution Improper Authentication vulnerability in ROI Revolution Urchin

report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112.

5.0
2007-09-26 CVE-2007-5085 Apache Improper Authentication vulnerability in Apache Geronimo 2.0.1/2.1

Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain "access to Geronimo internals" via unspecified vectors.

5.0
2007-09-24 CVE-2007-5063 Adam Scheinberg Credentials Management vulnerability in Adam Scheinberg Flip

Adam Scheinberg Flip 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing login credentials via a direct request for var/users.txt.

5.0
2007-09-24 CVE-2007-5036 Airdefense Improper Input Validation vulnerability in Airdefense Airsensor M520

Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."

5.0
2007-09-27 CVE-2007-5132 SUN Race Condition vulnerability in SUN Solaris 10.0/8.0/9.0

Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to "the handling of thread contexts."

4.9
2007-09-26 CVE-2007-5087 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded.

4.9
2007-09-27 CVE-2007-5118 SUN Local Denial of Service vulnerability in SUN Solaris 10.0/8.0/9.0

Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors.

4.7
2007-09-24 CVE-2007-5042 Agnitum Permissions, Privileges, and Access Controls vulnerability in Agnitum Outpost Firewall 4.0.1025.7828

Outpost Firewall Pro 4.0.1025.7828 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteFile, (3) NtLoadDriver, (4) NtOpenProcess, (5) NtOpenSection, (6) NtOpenThread, and (7) NtUnloadDriver kernel SSDT hooks, a partial regression of CVE-2006-7160.

4.6
2007-09-24 CVE-2007-5041 Gdata Improper Input Validation vulnerability in Gdata Internetsecurity 2007

G DATA InternetSecurity 2007 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey and (2) NtOpenProcess kernel SSDT hooks.

4.6
2007-09-24 CVE-2007-5043 Kaspersky LAB Improper Input Validation vulnerability in Kaspersky LAB Kaspersky Internet Security 7.0.0.125

Kaspersky Internet Security 7.0.0.125 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to (1) cause a denial of service (crash) and possibly gain privileges via the NtCreateSection kernel SSDT hook or (2) cause a denial of service (avp.exe service outage) via the NtLoadDriver kernel SSDT hook.

4.4
2007-09-24 CVE-2007-3916 SKK Openlab Link Following vulnerability in SKK Openlab SKK Tools 1.2

The main function in skkdic-expr.c in SKK Tools 1.2 allows local users to overwrite or delete arbitrary files via a symlink attack on a skkdic$PID temporary file.

4.4
2007-09-28 CVE-2007-5142 Solidweb Cross-Site Scripting vulnerability in Solidweb Novus 1.0

Cross-site scripting (XSS) vulnerability in buscar.asp in Solidweb Novus 1.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter.

4.3
2007-09-28 CVE-2007-5136 Dragonfrugal Cross-Site Scripting vulnerability in Dragonfrugal DFD Cart

Cross-site scripting (XSS) vulnerability in DFD Cart 1.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2007-09-27 CVE-2007-3761 Apple Cross-Site Scripting vulnerability in Apple Safari

Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML by causing Javascript events to be applied to a frame in another domain.

4.3
2007-09-27 CVE-2007-3760 Apple
Microsoft
Cross-Site Scripting vulnerability in Apple Safari

Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to inject arbitrary web script or HTML via frame tags.

4.3
2007-09-27 CVE-2007-3758 Apple
Microsoft
Cross-Site Scripting vulnerability in Apple Safari

Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and in Mac OS X 10.4 through 10.4.10, allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks.

4.3
2007-09-27 CVE-2007-3757 Apple Improper Input Validation vulnerability in Apple Safari

Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to trick the iPhone user into making calls to arbitrary telephone numbers via a crafted "tel:" link that causes iPhone to display a different number than the number that will be dialed.

4.3
2007-09-27 CVE-2007-3756 Apple
Microsoft
Information Exposure vulnerability in Apple Safari

Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain.

4.3
2007-09-27 CVE-2007-3755 Apple Improper Input Validation vulnerability in Apple Iphone 1.0/1.0.1/1.0.2

Mail in Apple iPhone 1.1.1 allows remote user-assisted attackers to force the iPhone user to make calls to arbitrary telephone numbers via a "tel:" link, which does not prompt the user before dialing the number.

4.3
2007-09-27 CVE-2007-3754 Apple Improper Authentication vulnerability in Apple Iphone 1.0/1.0.1/1.0.2

Mail in Apple iPhone 1.1.1, when using SSL, does not warn the user when the mail server changes or is not trusted, which might allow remote attackers to steal credentials and read email via a man-in-the-middle (MITM) attack.

4.3
2007-09-27 CVE-2007-5130 Boesch IT Improper Input Validation vulnerability in Boesch-It Simpgb 1.46.02

SimpGB 1.46.02 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php or (2) a direct request to admin/trailer.php, which reveals the path in various error messages.

4.3
2007-09-27 CVE-2007-5127 Simpgb Cross-Site Scripting vulnerability in Simpgb 1.46.02

Multiple cross-site scripting (XSS) vulnerabilities in SimpGB 1.46.02 allow remote attackers to inject arbitrary web script or HTML via (1) the l_username parameter to the default URI under admin/ or (2) the l_emoticonlist parameter to admin/emoticonlist.php.

4.3
2007-09-27 CVE-2007-5121 Jspwiki Cross-Site Scripting vulnerability in Jspwiki 2.5.139Beta

Cross-site scripting (XSS) vulnerability in JSPWiki 2.5.139-beta allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to wiki-3/Login.jsp and unspecified other components.

4.3
2007-09-27 CVE-2007-5120 Jspwiki Cross-Site Scripting vulnerability in Jspwiki 2.4.103/2.5.139Beta

Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103 and 2.5.139-beta allow remote attackers to inject arbitrary web script or HTML via the (1) group and (2) members parameters in (a) NewGroup.jsp; the (3) edittime parameter in (b) Edit.jsp; the (4) edittime, (5) author, and (6) link parameters in (c) Comment.jsp; the (7) loginname, (8) wikiname, (9) fullname, and (10) email parameters in (d) UserPreferences.jsp and (e) Login.jsp; the (11) r1 and (12) r2 parameters in (f) Diff.jsp; and the (13) changenote parameter in (g) PageInfo.jsp.

4.3
2007-09-27 CVE-2007-5119 Jspwiki Improper Input Validation vulnerability in Jspwiki 2.4.103/2.5.139Beta

JSPWiki 2.4.103 and 2.5.139-beta allows remote attackers to obtain sensitive information (full path) via an invalid integer in the version parameter to the default URI under attach/Main/.

4.3
2007-09-26 CVE-2007-5112 ROI Revolution Cross-Site Scripting vulnerability in ROI Revolution Urchin

Cross-site scripting (XSS) vulnerability in session.cgi (aka the login page) in Google Urchin 5 5.7.03 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string, a different vulnerability than CVE-2007-4713.

4.3
2007-09-26 CVE-2007-5111 EB Design PTY LTD Denial of Service vulnerability in ebCrypt ActiveX Control AddString

A certain ActiveX control in EBCRYPT.DLL 2.0 in EB Design ebCrypt allows remote attackers to cause a denial of service (crash) via a string argument to the AddString method.

4.3
2007-09-26 CVE-2007-5109 Flatnuke Cross-Site Request Forgery (CSRF) vulnerability in Flatnuke 2.6

Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request.

4.3
2007-09-26 CVE-2007-5106 Wordpress Cross-Site Scripting vulnerability in Wordpress 2.0

Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter.

4.3
2007-09-26 CVE-2007-5105 Wordpress Cross-Site Scripting vulnerability in Wordpress 2.0/2.0.1

Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter.

4.3
2007-09-26 CVE-2007-5091 Egroupware Cross-Site Scripting vulnerability in Egroupware 1.4.001

Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.4.001 allow remote attackers to inject arbitrary web script or HTML via the cat_data[color] parameter to (1) preferences/inc/class.uicategories.inc.php and (2) admin/inc/class.uicategories.inc.php.

4.3
2007-09-26 CVE-2007-5088 Sisd Cross-Site Scripting vulnerability in Sisd Freeside 1.7.2

Cross-site scripting (XSS) vulnerability in search/cust_bill_event.cgi in Freeside 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the failed parameter.

4.3
2007-09-26 CVE-2007-4874 Boesch IT Cross-Site Scripting vulnerability in Boesch-It Simpnews 2.41.03

Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) l_username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php.

4.3
2007-09-24 CVE-2007-5072 Alexander Palmo Cross-Site Scripting vulnerability in Alexander Palmo Simple PHP Blog

Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog) before 0.5.1, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via certain user_colors array parameters to certain user_style.php files under themes/, as demonstrated by the user_colors[bg_color] parameter.

4.3
2007-09-24 CVE-2007-5060 Xcms Cross-Site Request Forgery (CSRF) vulnerability in Xcms

Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index.php in XCMS allows remote attackers to change arbitrary passwords via certain password_ and rpassword_ parameters, possibly related to timestamp values.

4.3
2007-09-24 CVE-2007-5059 Greensql Cross-Site Scripting vulnerability in Greensql 0.2.2

Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL allow remote attackers to inject arbitrary web script or HTML via several vectors, as demonstrated by the (1) uname and (2) pass parameters in a login form, and (3) an unspecified "url value," leading to storage of XSS sequences in the database and display of these sequences in the alert section of the admin panel.

4.3
2007-09-24 CVE-2007-5058 Barracuda Networks Cross-Site Scripting vulnerability in Barracuda Networks Barracuda Spam Firewall

Cross-site scripting (XSS) vulnerability in the Web administration interface in Barracuda Spam Firewall before firmware 3.5.10.016 allows remote attackers to inject arbitrary web script or HTML via the username field in a login attempt, which is not properly handled when the Monitor Web Syslog screen is open.

4.3
2007-09-24 CVE-2007-4985 Imagemagick Resource Management Errors vulnerability in Imagemagick

ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls.

4.3
2007-09-24 CVE-2007-5052 Itcms Cross-Site Scripting vulnerability in Itcms Vigile CMS 1.8

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Vigile CMS 1.8 allow remote attackers to inject arbitrary web script or HTML via a request to the wiki module with (1) the title parameter or (2) a "title=" sequence in the PATH_INFO, or a request to the download module with (3) the cat parameter or (4) a "cat=" sequence in the PATH_INFO.

4.3
2007-09-24 CVE-2007-5051 Phpgedview Cross-Site Scripting vulnerability in PHPgedview 4.1.1

Multiple cross-site scripting (XSS) vulnerabilities in PhpGedView 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) box_width, (2) PEDIGREE_GENERATIONS, and (3) rootid parameters in ancestry.php, and the (4) newpid parameter in timeline.php.

4.3
2007-09-24 CVE-2007-5046 Icewarp Cross-Site Scripting vulnerability in Icewarp Merak Mail Server 8.9.1/8.9.2

Cross-site scripting (XSS) vulnerability in the Webmail interface for IceWarp Merak Mail Server before 9.0.0 allows remote attackers to inject arbitrary JavaScript via a javascript: URI in an attribute of an element in an email message body, as demonstrated by the onload attribute in a BODY element.

4.3
2007-09-26 CVE-2007-5093 Linux Resource Management Errors vulnerability in Linux Kernel

The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked.

4.0

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-09-26 CVE-2007-5086 Kaspersky LAB Improper Input Validation vulnerability in Kaspersky LAB Kaspersky Anti-Virus and Kaspersky Internet Security

Kaspersky Anti-Virus (KAV) and Internet Security 7.0 build 125 do not properly validate certain parameters to System Service Descriptor Table (SSDT) and Shadow SSDT function handlers, which allows local users to cause a denial of service (crash) via the (1) NtUserSendInput, (2) LoadLibraryA, (3) NtOpenProcess, (4) NtOpenThread, (5) NtTerminateProcess, (6) NtUserFindWindowEx, and (7) NtUserBuildHwndList kernel SSDT hooks in kylif.sys; the (8) NtDuplicateObject (DuplicateHandle) kernel SSDT hook; and possibly other kernel SSDT hooks.

2.1
2007-09-26 CVE-2007-4571 Linux Local Proc File Information Disclosure vulnerability in Linux Kernel ALSA snd-page-alloc

The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.

2.1
2007-09-24 CVE-2007-5040 Ghostsecurity Improper Input Validation vulnerability in Ghostsecurity Ghost Security Suite Alpha1.200

Ghost Security Suite alpha 1.200 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtCreateThread, (3) NtDeleteValueKey, (4) NtQueryValueKey, (5) NtSetSystemInformation, and (6) NtSetValueKey kernel SSDT hooks.

2.1
2007-09-24 CVE-2007-5039 Ghostsecurity Improper Input Validation vulnerability in Ghostsecurity Ghost Security Suite 1.110Beta

Ghost Security Suite beta 1.110 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteValueKey, (3) NtQueryValueKey, (4) NtSetSystemInformation, and (5) NtSetValueKey kernel SSDT hooks.

2.1