Weekly Vulnerabilities Reports > October 1 to 7, 2007

Overview

112 new vulnerabilities were reported during this period, including 20 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary reports vulnerabilities in 124 products from 93 vendors including SUN, Broadcom, Microsoft, CA, and Axis. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Code Injection", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", and "SQL Injection".

  • 104 reported vulnerabilities are remotely exploitable.
  • 25 reported vulnerabilities have a public exploit available.
  • 33 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 109 reported vulnerabilities are exploitable by an anonymous user.
  • SUN has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • Broadcom has the most reported critical vulnerabilities, with 6 reported vulnerabilities.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

20 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-10-06 CVE-2007-5257 Edraw Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Edraw Office Viewer Component

Stack-based buffer overflow in the EDraw.OfficeViewer ActiveX control in officeviewer.ocx in EDraw Office Viewer Component 5.3.220.1 and earlier allows remote attackers to execute arbitrary code via long strings in the first and second arguments to the FtpDownloadFile method, a different vector than CVE-2007-4821 and CVE-2007-3169.

10.0
2007-10-06 CVE-2007-5252 Netsupport Buffer Errors vulnerability in Netsupport products

Buffer overflow in NetSupport Manager (NSM) Client 10.00 and 10.20, and NetSupport School Student (NSS) 9.00, allows remote NSM servers to cause a denial of service or possibly execute arbitrary code via crafted data in the configuration exchange phase of an initial connection setup.

10.0
2007-10-06 CVE-2007-5246 Firebirdsql Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Firebirdsql Firebird 2.0.0.12748/2.0.1.12855

Multiple stack-based buffer overflows in Firebird LI 2.0.0.12748 and 2.0.1.12855, and WI 2.0.0.12748 and 2.0.1.12855, allow remote attackers to execute arbitrary code via (1) a long attach request on TCP port 3050 to the isc_attach_database function or (2) a long create request on TCP port 3050 to the isc_create_database function.

10.0
2007-10-06 CVE-2007-5245 Firebirdsql Buffer Errors vulnerability in Firebirdsql Firebird 1.5.3.4870/1.5.4.4910

Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and 1.5.4.4910, and WI 1.5.3.4870 and 1.5.4.4910, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the SVC_attach function or (2) unspecified vectors involving the INET_connect function.

10.0
2007-10-01 CVE-2007-5083 Broadcom Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Broadcom Brightstor Hierarchical Storage Manager 11.5

Multiple integer overflows in Computer Associates (CA) BrightStor Hierarchical Storage Manager (HSM) before r11.6 allow remote attackers to execute arbitrary code via unspecified CsAgent service commands that trigger a heap-based buffer overflow.

10.0
2007-10-01 CVE-2007-5082 Broadcom Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Broadcom Brightstor Hierarchical Storage Manager 11.5

Multiple stack-based buffer overflows in Computer Associates (CA) BrightStor Hierarchical Storage Manager (HSM) before r11.6 allow remote attackers to execute arbitrary code via unspecified CsAgent service commands with certain opcodes, related to missing validation of a length parameter.

10.0
2007-10-01 CVE-2007-5006 Broadcom, CA Improper Authentication vulnerability in multiple products

Multiple command handlers in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 do not verify if a peer is authenticated, which allows remote attackers to add and delete users, and start client restores.

10.0
2007-10-01 CVE-2007-5005 Broadcom, CA Path Traversal vulnerability in multiple products

Directory traversal vulnerability in rxRPC.dll in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 allows remote attackers to upload and overwrite arbitrary files via a ..\ (dot dot backslash) sequence in the destination filename argument to sub-function 8 in the rxrReceiveFileFromServer command.

10.0
2007-10-01 CVE-2007-5003 Broadcom, CA Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Multiple stack-based buffer overflows in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 allow remote attackers to execute arbitrary code via a long (1) username or (2) password to the rxrLogin command in rxRPC.dll, or a long (3) username argument to the GetUserInfo function.

10.0
2007-10-06 CVE-2007-5248 ID Software, Take2Games Use of Externally-Controlled Format String vulnerability in multiple products

Multiple format string vulnerabilities in the ID Software Doom 3 engine, as used by Doom 3 1.3.1 and earlier, Quake 4 1.4.2 and earlier, and Prey 1.3 and earlier, when Punkbuster (PB) is enabled, allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in (1) a PB_Y packet to the YPG server or (2) a PB_U packet to UCON.

9.3
2007-10-06 CVE-2007-5247 Monolith Productions Use of Externally-Controlled Format String vulnerability in Monolith Productions First Encounter Assault Recon

Multiple format string vulnerabilities in the Monolith Lithtech engine, as used by First Encounter Assault Recon (F.E.A.R.) 1.08 and earlier, when Punkbuster (PB) is enabled, allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in (1) a PB_Y packet to the YPG server on UDP port 27888 or (2) a PB_U packet to UCON on UDP port 27888, different vectors than CVE-2004-1500.

9.3
2007-10-06 CVE-2007-5244 Borland Software Buffer Errors vulnerability in Borland Software Interbase Li8.0.0.253/Li8.0.0.53/Li8.0.0.54

Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through 8.1.0.253 on Linux, and possibly unspecified versions on Solaris, allows remote attackers to execute arbitrary code via a long attach request on TCP port 3050 to the open_marker_file function.

9.3
2007-10-06 CVE-2007-5243 Borland Software Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Borland Software Interbase

Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.

9.3
2007-10-05 CVE-2007-3699 Symantec Remote vulnerability in Symantec AntiVirus Malformed CAB and RAR Compression

The Decomposer component in multiple Symantec products allows remote attackers to cause a denial of service (infinite loop) via a certain value in the PACK_SIZE field of a RAR archive file header.

9.3
2007-10-05 CVE-2007-0447 Symantec Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Symantec products

Heap-based buffer overflow in the Decomposer component in multiple Symantec products allows remote attackers to execute arbitrary code via multiple crafted CAB archives.

9.3
2007-10-04 CVE-2007-5213 Axis Cross-Site Request Forgery (CSRF) vulnerability in Axis 2100 Network Camera and 2100 Network Camera Firmware

Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to perform actions as administrators, as demonstrated by (1) an SMTP server change through the conf_SMTP_MailServer1 parameter to ServerManager.srv and (2) a hostname change through the conf_Network_HostName parameter on the Network page.

9.3
2007-10-04 CVE-2007-5209 Centertools Buffer Errors vulnerability in Centertools Drivelock 5.0

Stack-based buffer overflow in DriveLock.exe in CenterTools DriveLock 5.0 allows remote attackers to execute arbitrary code via a long HTTP request to TCP port 6061.

9.3
2007-10-04 CVE-2007-4673 Apple OS Command Injection vulnerability in Apple Quicktime 7.2

Argument injection vulnerability in Apple QuickTime 7.2 for Windows XP SP2 and Vista allows remote attackers to execute arbitrary commands via a URL in the qtnext field in a crafted QTL file.

9.3
2007-10-01 CVE-2007-5004 Broadcom, CA Numeric Errors vulnerability in multiple products

Integer overflow in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 allows remote attackers to execute arbitrary code via a long username and a certain "useless" password.

9.3
2007-10-01 CVE-2007-5155 Iceows Improper Input Validation vulnerability in Iceows 4.20B

IceGUI.DLL in ICEOWS 4.20b invokes a function with incorrect arguments, which allows user-assisted remote attackers to execute arbitrary code via a long filename in the header of an ACE archive, which triggers a stack-based buffer overflow.

9.3

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-10-06 CVE-2007-5256 Mcdu Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mcdu FSD 2.052D9/3.000D9

Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and FSFDT FSD 3.000 d9 and earlier, allow (1) remote attackers to execute arbitrary code via a long HELP command on TCP port 3010 to the sysuser::exechelp function in sysuser.cc and (2) remote authenticated users to execute arbitrary code via long commands on TCP port 6809 to the servinterface::sendmulticast function in servinterface.cc, as demonstrated by a PIcallsign command.

7.5
2007-10-05 CVE-2007-5233 Deonixscripts SQL Injection vulnerability in Deonixscripts web Template Management System 1.3

SQL injection vulnerability in index.php in Web Template Management System 1.3 allows remote attackers to execute arbitrary SQL commands via the id parameter in a readmore action.

7.5
2007-10-05 CVE-2007-5230 Zomplog Permissions, Privileges, and Access Controls vulnerability in Zomplog

admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for administrative credentials, which allows remote attackers to perform administrative actions via a direct request.

7.5
2007-10-05 CVE-2007-4990 X ORG Numeric Errors vulnerability in X.Org X Font Server

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

7.5
2007-10-05 CVE-2007-5220 ASP Product Catalog SQL Injection vulnerability in ASP Product Catalog ASP Product Catalog 1.0

SQL injection vulnerability in catalog.asp in ASP Product Catalog allows remote attackers to execute arbitrary SQL commands via the cid parameter and possibly other parameters.

7.5
2007-10-03 CVE-2007-5189 X Script SQL Injection vulnerability in X-Script Guestbook 1.3A

Multiple SQL injection vulnerabilities in mes_add.php in x-script GuestBook 1.3a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) icq, and (4) website parameters.

7.5
2007-10-03 CVE-2007-5188 Xoops Unspecified vulnerability in Xoops

Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an incomplete blacklist that omits the .php4 extension.

7.5
2007-10-03 CVE-2007-5187 PHP Fusion SQL Injection vulnerability in PHP-Fusion Expanded Calendar Module and PHP-Fusion

SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter.

7.5
2007-10-03 CVE-2007-5184 Smbftpd Use of Externally-Controlled Format String vulnerability in Smbftpd 0.96

Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name.

7.5
2007-10-03 CVE-2007-5181 Netkamp SQL Injection vulnerability in Netkamp Emlak Scripti

SQL injection vulnerability in detay.asp in Netkamp Emlak Scripti allows remote attackers to execute arbitrary SQL commands via the ilan_id parameter.

7.5
2007-10-03 CVE-2007-5180 Ohesa Emlak Portali SQL Injection vulnerability in Ohesa Emlak Portali Ohesa Emlak Portali

Multiple SQL injection vulnerabilities in Ohesa Emlak Portali allow remote attackers to execute arbitrary SQL commands via the (1) Kategori parameter in satilik.asp and the (2) Emlak parameter in detay.asp.

7.5
2007-10-03 CVE-2007-5177 Mambads, Mambo SQL Injection vulnerability in multiple products

SQL injection vulnerability in index.php in the MambAds (com_mambads) 1.5 and earlier component for Mambo allows remote attackers to execute arbitrary SQL commands via the caid parameter.

7.5
2007-10-03 CVE-2007-5174 Actsite Path Traversal vulnerability in Actsite 1.56

Directory traversal vulnerability in phpinc/news.php in actSite 1.56 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-10-01 CVE-2007-5152 SUN Improper Authentication vulnerability in SUN products

Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 9.1 container, does not demand authentication after a container restart, which allows remote attackers to perform administrative tasks.

7.5
2007-10-01 CVE-2007-5151 Nukescripts SQL Injection vulnerability in Nukescripts Nukesentinel 2.5.12

SQL injection vulnerability in the abget_admin function in includes/nukesentinel.php in NukeSentinel 2.5.12 allows remote attackers to execute arbitrary SQL commands via base64-encoded data in an admin cookie.

7.5
2007-10-01 CVE-2007-5150 Nukescripts SQL Injection vulnerability in Nukescripts Nukesentinel 2.5.11

SQL injection vulnerability in the is_god function in includes/nukesentinel.php in NukeSentinel 2.5.11 allows remote attackers to execute arbitrary SQL commands via base64-encoded data in an admin cookie, a different vector than CVE-2007-5125.

7.5
2007-10-06 CVE-2007-5254 Virusblokada Permissions, Privileges, and Access Controls vulnerability in Virusblokada Vba32 Antivirus 3.12.2

VirusBlokAda Vba32 AntiVirus 3.12.2 uses weak permissions (Everyone:Write) for its installation directory, which allows local users to gain privileges by replacing application programs, as demonstrated by replacing vba32ldr.exe.

7.2
2007-10-06 CVE-2007-5237 SUN Permissions, Privileges, and Access Controls vulnerability in SUN JDK and JRE

Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka "two vulnerabilities."

7.1

70 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-10-04 CVE-2007-5194 Rpath Permissions, Privileges, and Access Controls vulnerability in Rpath Rmake 1.0.11

The Chroot server in rMake 1.0.11 creates a /dev/zero device file with read/write permissions for the rMake user and the same minor device number as /dev/port, which might allow local users to gain root privileges.

6.9
2007-10-05 CVE-2007-5224 Jimmac Code Injection vulnerability in Jimmac Original Photo Gallery

inc/exif.inc.php in Original Photo Gallery 0.11.2 and earlier allows remote attackers to execute arbitrary programs via the exif_prog parameter, which is specified in an exec function call.

6.8
2007-10-05 CVE-2007-5223 Alstrasoft Permissions, Privileges, and Access Controls vulnerability in Alstrasoft Affiliate Network PRO 8.0

Multiple unspecified vulnerabilities in AlstraSoft Affiliate Network Pro allow remote attackers to include local files and have other unspecified impact, related to incorrect input validation or other defects involving (1) admin/backupstart.php, (2) a .sql filename under admin/admin/dump/, (3) a .sql filename in the fl parameter to admin/downloadbackup.php, and (4) a ..

6.8
2007-10-05 CVE-2007-5221 Poppawid Code Injection vulnerability in Poppawid 2.7

PHP remote file inclusion vulnerability in mail/childwindow.inc.php in Poppawid 2.7 allows remote attackers to execute arbitrary PHP code via a URL in the form parameter.

6.8
2007-10-05 CVE-2007-5217 Altnet, Grokster, Kazaa Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the ADM4 ActiveX control in adm4.dll in Altnet Download Manager 4.0.0.6, as used in (1) Kazaa 3.2.7 and (2) Grokster, allows remote attackers to execute arbitrary code via a long argument to the Install method.

6.8
2007-10-04 CVE-2007-5216 E ARK Code Injection vulnerability in E-Ark 1.0

Multiple PHP remote file inclusion vulnerabilities in eArk (e-Ark) 1.0 allow remote attackers to execute arbitrary PHP code via a URL in (1) the cfg_vcard_path parameter to src/vcard_inc.php or (2) the cfg_phpmailer_path parameter to src/email_inc.php.

6.8
2007-10-04 CVE-2007-5215 Jacob Hinkle Code Injection vulnerability in Jacob Hinkle Godsend 0.6

Multiple PHP remote file inclusion vulnerabilities in Jacob Hinkle GodSend 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the SCRIPT_DIR parameter to (1) gtk/main.inc.php or (2) cmdline.inc.php.

6.8
2007-10-04 CVE-2007-5198 Nagios Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nagios Plugins

Buffer overflow in the redir function in check_http.c in Nagios Plugins before 1.4.10, when running with the -f (follow) option, allows remote web servers to execute arbitrary code via Location header responses (redirects) with a large number of leading "L" characters.

6.8
2007-10-03 CVE-2007-5186 Segue CMS Code Injection vulnerability in Segue CMS Segue CMS

PHP remote file inclusion vulnerability in index.php in Segue CMS 1.8.4 and earlier, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the themesdir parameter, a different vector than CVE-2006-5497.

6.8
2007-10-03 CVE-2007-5185 Phpwcms XT Code Injection vulnerability in PHPwcms-Xt

Multiple PHP remote file inclusion vulnerabilities in phpWCMS XT 0.0.7 BETA and earlier allow remote attackers to execute arbitrary PHP code via a URL in the HTML_MENU_DirPath parameter to (1) config_HTML_MENU.php and (2) config_PHPLM.php in phpwcms_template/inc_script/frontend_render/navigation/.

6.8
2007-10-03 CVE-2007-5178 Mxbb Code Injection vulnerability in Mxbb MX Glance 2.3.3

contrib/mx_glance_sdesc.php in the mx_glance 2.3.3 module for mxBB places a critical security check within a comment because of a missing comment delimiter, which allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via a URL in the mx_root_path parameter.

6.8
2007-10-03 CVE-2007-5175 Actsite Code Injection vulnerability in Actsite 1.991Beta

PHP remote file inclusion vulnerability in lib/base.php in actSite 1.991 Beta allows remote attackers to execute arbitrary PHP code via a URL in the BaseCfg[BaseDir] parameter.

6.8
2007-10-03 CVE-2007-5173 Openid, Phpbb Code Injection vulnerability in multiple products

PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the openid_root_path parameter.

6.8
2007-10-01 CVE-2007-5084 Broadcom SQL Injection vulnerability in Broadcom Brightstor Hierarchical Storage Manager 11.5

Multiple SQL injection vulnerabilities in Computer Associates (CA) BrightStor Hierarchical Storage Manager (HSM) before r11.6 allow remote attackers to execute arbitrary SQL commands via CsAgent service commands with opcodes (1) 0x07, (2) 0x08, (3) 0x09, (4) 0x1E, (5) 0x32, (6) 0x36, (7) 0x40, and possibly others.

6.8
2007-10-01 CVE-2007-5168 Clanlite Improper Input Validation vulnerability in Clanlite 1.23.01.2005

Multiple PHP remote file inclusion vulnerabilities in ClanLite 1.23.01.2005 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) modules/serveur_jeux.php or (2) conf/conf-php.php.

6.8
2007-10-01 CVE-2007-5167 Phplister Code Injection vulnerability in PHPlister 0.5Pre2

PHP remote file inclusion vulnerability in .systeme/fonctions.php in phpLister 0.5-pre2 allows remote attackers to execute arbitrary PHP code via a URL in the nom_rep_systeme parameter.

6.8
2007-10-01 CVE-2007-5166 Sitesys Code Injection vulnerability in Sitesys 1.0A

Multiple PHP remote file inclusion vulnerabilities in SiteSys 1.0a allow remote attackers to execute arbitrary PHP code via a URL in the doc_root parameter to (1) inc/pagehead.inc.php or (2) inc/pageinit.inc.php.

6.8
2007-10-01 CVE-2007-5160 Restaurant Management System Code Injection vulnerability in Restaurant Management System Restaurant Management System 0.5

Multiple PHP remote file inclusion vulnerabilities in Thierry Leriche Restaurant Management System (ReMaSys) 0.5 allow remote attackers to execute arbitrary PHP code via a URL in (1) the DIR_ROOT parameter to (a) global.php, or the (2) DIR_PAGE parameter to (b) template/fr/page.php or (c) page/fr/boxConnection.php.

6.8
2007-10-01 CVE-2007-5157 PHP Fidonet Tosser, Phpfidonode Code Injection vulnerability in multiple products

PHP remote file inclusion vulnerability in phfito-post.php in Alex Kocharin PHP Fidonet Tosser (PhFiTo) 1.3.0 in phpFidoNode allows remote attackers to execute arbitrary PHP code via a URL in the SRC_PATH parameter to phfito-post.

6.8
2007-10-01 CVE-2007-5156 Apache, Fckeditor, Sitex

Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.

6.8
2007-10-01 CVE-2007-5153 SUN Code Injection vulnerability in SUN products

Unspecified vulnerability in Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 8.x container, allows remote attackers to execute arbitrary code via unspecified vectors.

6.8
2007-10-01 CVE-2007-5149 North Country Public Radio Code Injection vulnerability in North Country Public Radio Public Media Manager 1.3

PHP remote file inclusion vulnerability in NewsCMS/news/newstopic_inc.php in North Country Public Radio Public Media Manager (PMM) 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the indir parameter.

6.8
2007-10-01 CVE-2007-5147 Puzzle Apps CMS Code Injection vulnerability in Puzzle Apps CMS Puzzle Apps CMS 2.2.1

Multiple PHP remote file inclusion vulnerabilities in Puzzle Apps CMS 2.2.1 allow remote attackers to execute arbitrary PHP code via a URL in the MODULEDIR parameter to (1) core/modules/my/my.module.php or (2) core/modules/xml/xml.module.php; the COREROOT parameter to (3) config.loader.php, (4) platform.loader.php, (5) core.loader.php, (6) person.loader.php, or (7) module.loader.php in core/ or (8) install/steps/step_3.php; or the THISDIR parameter to (9) people.lib.php, (10) general.lib.php, (11) content.lib.php, or (12) templates.lib.php in core/modules/admin/libs/ or (13) core/modules/webstat/MEC/index.php.

6.8
2007-10-01 CVE-2007-5146 DER Dirigent Code Injection vulnerability in DER Dirigent DER Dirigent 1.0

Multiple PHP remote file inclusion vulnerabilities in dedi-group Der Dirigent 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the dedi_path parameter to (1) inc.generate_code.php, (2) fnc.type_forms.php, or (3) fnc.type.php in backend/inc/, or (4) frontend.php or (5) backend.php in projekt01/cms/inc/; or (6) the this_dir parameter to backend/inc/class.filemanager.php.

6.8
2007-10-06 CVE-2007-5261 Iscripts SQL Injection vulnerability in Iscripts Multicart 1.0

Multiple SQL injection vulnerabilities in MultiCart 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) catid parameter to categorydetail.php and the (2) ddlCategory parameter to search.php.

6.4
2007-10-05 CVE-2007-5229 Feedburner Cross-Site Request Forgery (CSRF) vulnerability in Feedburner Feedsmith 2.2

Cross-site request forgery (CSRF) vulnerability in the FeedBurner FeedSmith 2.2 plugin for WordPress allows remote attackers to change settings and hijack blog feeds via a request to wp-admin/options-general.php that submits parameter values to FeedBurner_FeedSmith_Plugin.php, as demonstrated by the (1) feedburner_url and (2) feedburner_comments_url parameters.

6.4
2007-10-05 CVE-2007-5219 Cyberlink Path Traversal vulnerability in Cyberlink Powerdvd 7.0

Directory traversal vulnerability in the CLAVSetting.CLSetting.1 ActiveX control in CLAVSetting.DLL 1.00.1829 in the CLAVSetting module in CyberLink PowerDVD 7.0 allows remote attackers to create or overwrite arbitrary files via a ..

6.4
2007-10-04 CVE-2007-5210 Arbor Networks Permissions, Privileges, and Access Controls vulnerability in Arbor Networks Peakflow SP 3.5.1/3.6.1

Arbor Networks Peakflow SP before 3.5.1 patch 14, and 3.6.x before 3.6.1 patch 5, allows remote authenticated users to bypass access restrictions and read or write unspecified data via unknown vectors.

6.0
2007-10-01 CVE-2007-5154 Aimluck Race Condition vulnerability in Aimluck Aipo and Aipo ASP

Session fixation vulnerability in Aipo and Aipo ASP 3.0.1.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.

5.8
2007-10-06 CVE-2007-5236 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Jdk, JRE and SDK

Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted application.

5.4
2007-10-06 CVE-2007-5260 ASP CMS Permissions, Privileges, and Access Controls vulnerability in Asp-Cms 1.0

ASP-CMS 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request for mdb-database/ASP-CMS_v100.mdb.

5.0
2007-10-06 CVE-2007-5253 Mcmurtrey Whitaker AND Associates Improper Input Validation vulnerability in Mcmurtrey Whitaker and Associates Cart32

c32web.exe in McMurtrey/Whitaker Cart32 before 6.4 allows remote attackers to read arbitrary files via the ImageName parameter in a GetImage action, by appending a NULL byte (%00) sequence followed by an image file extension, as demonstrated by a request for a ".txt%00.gif" file.

5.0
2007-10-06 CVE-2007-5241 HP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in HP Openvms

Buffer overflow in NET$CSMACD.EXE in HP OpenVMS 8.3 and earlier allows local users to cause a denial of service (machine crash) via the "MCR MCL SHOW CSMA-CD Port * All" command, which overwrites a Non-Paged Pool Packet.

5.0
2007-10-06 CVE-2007-5240 SUN Unspecified vulnerability in SUN Jdk, JRE and SDK

Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen.

5.0
2007-10-05 CVE-2007-5226 Dircproxy Improper Input Validation vulnerability in Dircproxy

irc_server.c in dircproxy 1.2.0 and earlier allows remote attackers to cause a denial of service (segmentation fault) via an ACTION command without a parameter, which triggers a NULL pointer dereference, as demonstrated using a blank /me message from irssi.

5.0
2007-10-04 CVE-2007-5193 Debian, Twiki Information Disclosure vulnerability in Twiki 4.1.2

The default configuration for twiki 4.1.2 on Debian GNU/Linux, and possibly other operating systems, specifies the work area directory (cfg{RCS}{WorkAreaDir}) under the web document root, which might allow remote attackers to obtain sensitive information when .htaccess restrictions are not applied.

5.0
2007-10-01 CVE-2007-5172 Quicksilver Forums Information Exposure vulnerability in Quicksilver Forums Quicksilver Forums

Quicksilver Forums before 1.4.1 allows remote attackers to obtain sensitive information by causing unspecified connection errors, which reveals the database password in the resulting error message.

5.0
2007-10-01 CVE-2007-5171 Quicksilver Forums Permissions, Privileges, and Access Controls vulnerability in Quicksilver Forums Quicksilver Forums

Unspecified vulnerability in Quicksilver Forums before 1.4.1 allows remote attackers to delete arbitrary PMs via unspecified vectors.

5.0
2007-10-01 CVE-2007-5170 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Embedded Lights OUT Manager

Unspecified vulnerability in the embedded service processor (SP) before 3.09 in Sun Fire X2100 M2 and X2200 M2 Embedded Lights Out Manager (ELOM) allows remote attackers to send arbitrary network traffic and use ELOM as a spam proxy.

5.0
2007-10-05 CVE-2007-5225 SUN Numeric Errors vulnerability in SUN Sunos 5.10/5.8/5.9

Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl.

4.9
2007-10-04 CVE-2007-4133 Linux Local Denial Of Service vulnerability in Linux Kernel HugeTLB

The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.

4.7
2007-10-05 CVE-2007-5231 Zomplog Improper Input Validation vulnerability in Zomplog

Unrestricted file upload vulnerability in admin/upload_files.php in Zomplog 3.8.1 and earlier allows remote authenticated administrators to upload and execute arbitrary .php files by sending a modified MIME type.

4.6
2007-10-04 CVE-2007-5201 Duplicity Project Information Exposure vulnerability in Duplicity Project Duplicity

The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.

4.6
2007-10-01 CVE-2007-5159 Redhat / Ntfs 3G / Ubuntu Permissions, Privileges, and Access Controls vulnerability in Ntfs-3G

The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g, which allows local users with fuse group membership to read from and write to arbitrary block devices, possibly involving a file descriptor leak.

4.6
2007-10-06 CVE-2007-5259 Ilient Cross-Site Request Forgery (CSRF) vulnerability in Ilient Sysaid 4.5.03/4.5.04

Cross-site request forgery (CSRF) vulnerability in Ilient SysAid 4.5.03 and 4.5.04 allows remote attackers to perform some actions as administrators, as demonstrated by changing the administrator password.

4.3
2007-10-06 CVE-2007-5255 Google Cross-Site Scripting vulnerability in Google Mini Search Appliance 3.4.14

Cross-site scripting (XSS) vulnerability in Google Mini Search Appliance 3.4.14 allows remote attackers to inject arbitrary web script or HTML via the ie parameter to the /search URI.

4.3
2007-10-06 CVE-2007-5251 Webhost Automation Cross-Site Request Forgery (CSRF) vulnerability in Webhost Automation Helm web Hosting Control Panel 3.2.16

Multiple cross-site scripting (XSS) vulnerabilities in Helm 3.2.16 allow remote attackers to inject arbitrary web script or HTML via (1) the showOption parameter to domain.asp, or the (2) Folder or (3) StartPath parameter to FileManager.asp.

4.3
2007-10-06 CVE-2007-5250 Americasarmy Numeric Errors vulnerability in Americasarmy America's Army and America's Army Special Forces

The Windows dedicated server for the Unreal engine, as used by America's Army and America's Army Special Forces 2.8.2 and earlier, when Punkbuster (PB) is enabled, allows remote attackers to cause a denial of service (server hang) via packets containing 0x07 characters or other unspecified invalid characters.

4.3
2007-10-06 CVE-2007-5249 Americasarmy Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Americasarmy America's Army and America's Army Special Forces

Multiple buffer overflows in the logging function in the Unreal engine, as used by America's Army and America's Army Special Forces 2.8.2 and earlier, when Punkbuster (PB) is enabled, allow remote attackers to cause a denial of service (daemon crash) via a long (1) PB_Y packet to the YPG server on UDP port 1716 or (2) PB_U packet to UCON on UDP port 1716, different vectors than CVE-2007-4442.

4.3
2007-10-06 CVE-2007-5242 HP Denial of Service vulnerability in OpenVMS

Unspecified vulnerability in (1) SYS$EI1000.EXE and (2) SYS$EI1000_MON.EXE in HP OpenVMS 8.3 and earlier allows remote attackers to cause a denial of service (machine crash) via an "oversize" packet, which is not properly discarded if "the device has no remaining buffers after receipt of the first buffer segment."

4.3
2007-10-06 CVE-2007-5235 Uebimiau Cross-Site Scripting vulnerability in Uebimiau 2.7.10/2.7.2/2.7.9

Cross-site scripting (XSS) vulnerability in index.php in Uebimiau 2.7.2 through 2.7.10 allows remote attackers to inject arbitrary web script or HTML via the f_email parameter.

4.3
2007-10-05 CVE-2007-5227 Blackboard Cross-Site Scripting vulnerability in Blackboard Learning and Community Post Systems 6.3.1.593

Multiple cross-site scripting (XSS) vulnerabilities in messaging/course/composeMessage.jsp in BlackBoard Learning System 6.3.1.593 and earlier in BlackBoard Academic Suite allow remote attackers to inject arbitrary web script or HTML via the (1) subject_t and (2) body_text parameters.

4.3
2007-10-05 CVE-2007-3918 Gforge Cross-Site Scripting vulnerability in Gforge 4.6B2

Cross-site scripting (XSS) vulnerability in account/verify.php in GForge 4.6b2 allows remote attackers to inject arbitrary web script or HTML via the confirm_hash parameter.

4.3
2007-10-05 CVE-2007-5218 DON Barnes Cross-Site Scripting vulnerability in DON Barnes Drbguestbook 1.1.13

Cross-site scripting (XSS) vulnerability in index.php in Don Barnes DRBGuestbook 1.1.13 allows remote attackers to inject arbitrary web script or HTML via the action parameter.

4.3
2007-10-05 CVE-2007-5078 Egov Cross-Site Scripting vulnerability in Egov Manager

Multiple cross-site scripting (XSS) vulnerabilities in eGov Manager allow remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied input" to (1) center.exe or (2) Index.exe.

4.3
2007-10-04 CVE-2007-5214 Axis Cross-Site Scripting vulnerability in Axis 2100 Network Camera

Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page.

4.3
2007-10-04 CVE-2007-5212 Axis Cross-Site Scripting vulnerability in Axis 2100 Network Camera and 2100 Network Camera Firmware

Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote attackers to inject arbitrary web script or HTML via (1) parameters associated with saved settings, as demonstrated by the conf_SMTP_MailServer1 parameter to ServerManager.srv; or (2) the subpage parameter to wizard/first/wizard_main_first.shtml.

4.3
2007-10-04 CVE-2007-5211 Arbor Networks Cross-Site Scripting vulnerability in Arbor Networks Peakflow SP 3.5.1/3.6.1

Multiple cross-site scripting (XSS) vulnerabilities in Arbor Networks Peakflow SP 3.5.1 before patch 14, and 3.6.1 before patch 5, when scope accounts are enabled, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving GET or POST requests.

4.3
2007-10-03 CVE-2007-5183 Megasol Cross-Site Scripting vulnerability in Megasol Odysseysuite

Cross-site scripting (XSS) vulnerability in Mailbox.mws in OdysseySuite, possibly 4.0.729, allows remote attackers to inject arbitrary web script or HTML via the idkey parameter.

4.3
2007-10-03 CVE-2007-5182 Netkamp Cross-Site Scripting vulnerability in Netkamp Emlak Scripti

Cross-site scripting (XSS) vulnerability in mail.asp in Netkamp Emlak Scripti allows remote attackers to inject arbitrary web script or HTML via the (1) Email parameter, and possibly the (2) Ad, (3) Soyad, (4) Konu, and (5) Mesaj parameters to iletisim.asp.

4.3
2007-10-03 CVE-2007-5179 Y K Iletisim Formu Cross-Site Scripting vulnerability in Y&K Iletisim Formu Y&K Iletisim Formu

Multiple cross-site scripting (XSS) vulnerabilities in iletisim.asp in Y&K Iletisim Formu allow remote attackers to inject arbitrary web script or HTML via the (1) ad, (2) sehir, (3) yas, (4) cins, (5) tel, (6) mail, and (7) mesaj parameters.

4.3
2007-10-03 CVE-2007-5176 Grouplink Cross-Site Scripting vulnerability in Grouplink Ehelpdesk 6.2.2

Multiple cross-site scripting (XSS) vulnerabilities in GroupLink eHelpDesk 6.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) NA_DISPLAYNAME parameter in helpdesk/user/rf_create.jsp and the (2) username and (3) LDAPError parameters in index2.jsp.

4.3
2007-10-01 CVE-2007-4996 Pidgin Remote Denial Of Service vulnerability in Pidgin 2.2.0

libpurple in Pidgin before 2.2.1 does not properly handle MSN nudge messages from users who are not on the receiver's buddy list, which allows remote attackers to cause a denial of service (crash) via a nudge message that triggers an access of "an invalid memory location."

4.3
2007-10-01 CVE-2007-5162 Ruby Lang Improper Authentication vulnerability in Ruby-Lang Ruby 1.8.5/1.8.6

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

4.3
2007-10-01 CVE-2007-5161 I Systems INC Cross-Site Scripting vulnerability in I-Systems Inc. Feedreader 3.10

Cross-zone scripting vulnerability in the internal browser in i-Systems Feedreader 3.10 allows remote attackers to inject arbitrary web script or HTML via an item in a feed, as demonstrated by a WordPress blog update.

4.3
2007-10-01 CVE-2007-5158 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 6.0

The focus handling for the onkeydown event in Microsoft Internet Explorer 6.0 allows remote attackers to change field focus and copy keystrokes via a certain use of a JavaScript htmlFor attribute, as demonstrated by changing focus from a textarea to a file upload field, a related issue to CVE-2007-3511.

4.3
2007-10-01 CVE-2007-5145 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows XP

Multiple buffer overflows in system DLL files in Microsoft Windows XP, as used by Microsoft Windows Explorer (explorer.exe) 6.00.2900.2180, Don Ho Notepad++, unspecified Adobe Macromedia applications, and other programs, allow user-assisted remote attackers to cause a denial of service (application crash) via long strings in the (1) author, (2) title, (3) subject, and (4) comment Properties fields of a file, possibly involving improper handling of extended file attributes by the (a) NtQueryInformationFile, (b) NtQueryDirectoryFile, (c) NtSetInformationFile, (d) FileAllInformation, (e) FileNameInformation, and other FILE_INFORMATION_CLASS functions in ntdll.dll and the (f) GetFileAttributesExW and (g) GetFileAttributesW functions in kernel32.dll, a related issue to CVE-2007-1347.

4.3
2007-10-01 CVE-2007-5144 Microsoft Buffer Errors vulnerability in Microsoft Windows Live Messenger 8.1

Buffer overflow in the GDI engine in Windows Live Messenger, as used for Windows MSN Live 8.1, allows user-assisted remote attackers to cause a denial of service (application crash or system crash) and possibly execute arbitrary code by placing a malformed file in a new folder under the Sharing Folders path, and triggering a synchronize operation through the Windows MSN Live online service, possibly related to extended file attributes and possibly related to an incomplete fix for MS07-046, as demonstrated by a (1) .jpg, (2) .gif, (3) .wmf, (4) .doc, or (5) .ico file.

4.3
2007-10-06 CVE-2007-5239 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Jdk, JRE and SDK

Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier does not properly enforce access restrictions for untrusted (1) applications and (2) applets, which allows user-assisted remote attackers to copy or rename arbitrary files when local users perform drag-and-drop operations from the untrusted application or applet window onto certain types of desktop applications.

4.0
2007-10-05 CVE-2007-5232 SUN Unspecified vulnerability in SUN Jdk, JRE and SDK

Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS rebinding attack.

4.0

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-10-05 CVE-2007-5228 Drupal Cross-Site Scripting vulnerability in Drupal Project Issue Tracking

Cross-site scripting (XSS) vulnerability in the subscription functionality in the Project issue tracking module before 4.7.x-1.5, 4.7.x-2.x before 4.7.x-2.5, and 5.x-1.x before 5.x-1.1 for Drupal allows remote authenticated users with project create or edit permissions to inject arbitrary web script or HTML via unspecified vectors involving a (1) individual or (2) overview form.

3.5
2007-10-04 CVE-2007-5207 Debian Link Following vulnerability in Debian Guilt 0.27

guilt 0.27 allows local users to overwrite arbitrary files via a symlink attack on a guilt.log.[PID] temporary file.

3.3
2007-10-06 CVE-2007-5238 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Jdk, JRE and SDK

Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to obtain sensitive information (the Java Web Start cache location) via an untrusted application, aka "three vulnerabilities."

2.6
2007-10-01 CVE-2007-5143 Microsoft / F Secure Unspecified vulnerability in F-Secure Anti-Virus 7.00

F-Secure Anti-Virus for Windows Servers 7.0 64-bit edition allows local users to bypass virus scanning by using the system32 directory to store a crafted (1) archive or (2) packed executable.

1.9