Information Security

Daily summary of bugs in web applications (PHP, ASP, JSP, CGI, Perl)
Published: February 8, 2007
Source:
SecurityVulns ID: 7198
Type: remote
Severity: 5/10
Description: PHP injections, SQL injections, directory traversal, cross-site scripting, information leakage, etc.
Affected products: ADVANCEDPOLL : Advanced Poll 2.0
 SYSCP : SysCP 1.2
 WEBMATIC : WebMatic 2.6
 LUSHI : LushiNews 1.01
 LUSHI : LushiWarPlaner 1.0
 AGERMENU : AgerMenu 0.01
 OTSCMS : OTSCMS 2.1
 MAIAN : Maian Recipe 1.0
 LIGHTRO : LightRO CMS 1.0
 BTITTRACKER : BtitTracker 1.3
 SITEASSISTANT : Site-Assistant 0990
 MOINMOIN : MoinMoin 1.5
 VBDRUPAL : vbDrupal 4.7
CVE: CVE-2007-0904 (SQL injection vulnerability in projects.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter to index.php.)
 CVE-2007-0902 (Unspecified vulnerability in the "Show debugging information" feature in MoinMoin 1.5.7 allows remote attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0901 (Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0867 (PHP remote file inclusion vulnerability in classes/menu.php in Site-Assistant 0990 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the paths[version] parameter.)
 CVE-2007-0865 (SQL injection vulnerability in comments.php in LushiNews 1.01 and earlier allows remote authenticated users to inject arbitrary SQL commands via the id parameter.)
 CVE-2007-0864 (SQL injection vulnerability in register.php in LushiWarPlaner 1.0 allows remote attackers to inject arbitrary SQL commands via the id parameter.)
 CVE-2007-0857 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action.)
 CVE-2007-0854 (Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents.)
 CVE-2007-0850 (scripts/cronscript.php in SysCP 1.2.15 and earlier includes and executes arbitrary PHP scripts that are referenced by the panel_cronscript table in the SysCP database, which allows attackers with database write privileges to execute arbitrary code by constructing a PHP file and adding its filename to this table.)
 CVE-2007-0849 (scripts/cronscript.php in SysCP 1.2.15 and earlier does not properly quote pathnames in user home directories, which allows local users to gain privileges by placing shell metacharacters in a directory name, and then using the control panel to protect this directory, a different vulnerability than CVE-2005-2568.)
 CVE-2007-0848 (PHP remote file inclusion vulnerability in classes/class_mail.inc.php in Maian Recipe 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter.)
 CVE-2007-0847 (SQL injection vulnerability in mod/PM/reply.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to priv.php.)
 CVE-2007-0846 (Cross-site scripting (XSS) vulnerability in forum.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to inject arbitrary HTML or web script via the name parameter.)
 CVE-2007-0845 (admin/index.php in Advanced Poll 2.0.0 through 2.0.5-dev allows remote attackers to bypass authentication and gain administrator privileges by obtaining a valid session identifier and setting the uid parameter to 1.)
 CVE-2007-0841 (Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have unknown impact and remote attack vectors. NOTE: the vector related to Drupal is covered by CVE-2007-0626. These vulnerabilities might be associated with other CVE identifiers.)
 CVE-2007-0839 (Multiple PHP remote file inclusion vulnerabilities in index/index_album.php in Valarsoft WebMatic 2.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) P_LIB and (2) P_INDEX parameters.)
 CVE-2007-0837 (PHP remote file inclusion vulnerability in examples/inc/top.inc.php in AgerMenu 0.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.)
 CVE-2007-0828 (PHP remote file inclusion vulnerability in affichearticles.php3 in MySQLNewsEngine allows remote attackers to execute arbitrary PHP code via a URL in the newsenginedir parameter.)
 CVE-2007-0824 (PHP remote file inclusion vulnerability in inhalt.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the dateien[news] parameter.)
 CVE-2007-0821 (Multiple directory traversal vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to read arbitrary files via a .. (dot dot) in the chemin parameter to (1) mod_news/index.php or (2) mod_news/goodies.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0820 (Multiple PHP remote file inclusion vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to execute arbitrary PHP code via a URL in the chemin parameter to (1) mod_news/index.php, (2) mod_news/goodies.php, or (3) mod_search/index.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2006-6974 (Headstart Solutions DeskPRO stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) list files in the includes/ directory; obtain the SQL username and password via a direct request for (2) config.php and (3) config.php.bak in includes/; read files in (4) email/, (5) admin/graphs/, (6) includes/javascript/, and (7) certain other includes/ directories via direct requests; and download SQL database data via direct requests for (8) data.sql, (9) install.sql, (10) settings.sql, and possibly other files in install/v2data/.)
 CVE-2006-6973 (Headstart Solutions DeskPRO does not require authentication for certain files and directories associated with administrative activities, which allows remote attackers to (1) reinstall the application via a direct request for install/index.php; (2) delete the database via a do=delete_database QUERY_STRING to a renamed copy of install/index.php; or access the administration system, after guessing a filename, via a direct request for a file in (3) admin/ or (4) tech/.)
 CVE-2006-6972 (SQL injection in torrents.php in BtitTracker 1.3.2 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) by and (2) order parameters. NOTE: it is not clear whether this issue is exploitable.)
Original text: Denven, Maian Recipe 1.0 (path_to_folder) Remote File Include Vulnerability (08.02.2007)
 GregStar, OTSCMS <= 2.1.5 (SQL/XSS) Multiple Remote Vulnerabilities (08.02.2007)
 GolD_M, AgerMenu 0.01 (top.inc.php rootdir) Remote File Include Vulnerability (08.02.2007)
 MadNet, WebMatic 2.6 (index_album.php) Remote File Include Vulnerability (08.02.2007)
 flo_(at)_syscp.org, Ability to inject and execute any code as root in SysCP (08.02.2007)
 gokhankaya_(at)_hotmail.com, XLNC1 Radio Classical Music Nuke Portal Remote File Inc. Vuln. (08.02.2007)
 ali_(at)_hackerz.ir, remote file include in whm (all version) (08.02.2007)
Files: LushiWarPlaner 1.0 (register.php) Remote SQL Injection Exploit
 Advanced Poll 2.0.0 >= 2.0.5-dev textfile admin session gen.
 Site-Assistant <= v0990(paths[version])Remote File Include Exploit
 LightRO CMS 1.0 (index.php projectid) Remote SQL Injection Exploit
 LushiNews <= 1.01 (comments.php) Remote SQL Injection Exploit

Account lockout in 3proxy (account locking)
Published: February 8, 2007
Source:
SecurityVulns ID: 7199
Type: remote
Severity: 4/10
Description: When account passwords are stored as NT hashes, an account can be locked through the HTTP proxy until the proxy server is restarted or its configuration is reloaded. The server offers Basic as the first authentication protocol, which can lead to cleartext authentication being used even if both sides use NTLM. The vulnerability is fixed in version 0.5.3.
Affected products: 3PROXY : 3proxy 0.5
CVE: CVE-2006-6982 (3proxy 0.5 to 0.5.2 does not offer NTLM authentication before basic authentication, which might cause browsers with incomplete RFC2616/RFC2617 support to use basic cleartext authentication even if NTLM is available, which makes it easier for attackers to steal credentials.)
 CVE-2006-6981 (3proxy 0.5 to 0.5.2, when NT-encoded passwords are being used, allows remote attackers to cause a denial of service (blocked account) via unspecified vectors related to NTLM authentication, which causes a password hash to be overwritten.)
Files: 3proxy 0.5.3g Changelog

Buffer overflow in WinRAR / unrar (buffer overflow)
Published: February 8, 2007
Source:
SecurityVulns ID: 7201
Type: local
Severity: 3/10
Description: Buffer overflow when parsing password-protected archives.
Affected products: RARLABS : unrar 3.60
 RARLABS : unrar 3.61
CVE: CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR and possibly other products, allows user-assisted remote attackers to execute arbitrary code via a crafted, password-protected archive.)
Original text: IDEFENSE, iDefense Security Advisory 02.07.07: RARLabs Unrar Password Prompt Buffer Overflow Vulnerability (08.02.2007)

Bypass of the allow_blank_passphrase option in pam_ssh (protection bypass)
Published: February 8, 2007
Source:
SecurityVulns ID: 7204
Type: library
Severity: 5/10
Description: The allow_blank_passphrase option can be bypassed by entering an arbitrary but non-empty passphrase.
Affected products: PAMSSH : pam_ssh 1.91
CVE: CVE-2007-0844 (The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.)

DoS against Axigen Mail Server
Published: February 8, 2007
Source:
SecurityVulns ID: 7197
Type: remote
Severity: 5/10
Description: One-byte buffer overflow in CRAM-MD5 authentication of the POP3 protocol, NULL pointer dereference in the IMAP APPEND command.
Affected products: AXIGEN : Axigen 1.2
 AXIGEN : Axigen 2.0
CVE: CVE-2007-0887 (axigen 1.2.6 through 2.0.0b1 does not properly parse login credentials, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a base64-encoded "*\x00" sequence on the imap port (143/tcp).)
 CVE-2007-0886 (Heap-based buffer underflow in axigen 1.2.6 through 2.0.0b1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via certain base64-encoded data on the pop3 port (110/tcp), which triggers an integer overflow.)
Original text: Neil Kettle, [Full-disclosure] Axigen <2.0.0b1 DoS (08.02.2007)
Files: axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
 axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)

Multiple vulnerabilities in Trend Micro antivirus (multiple bugs)
updated since February 8, 2007
Published: February 11, 2007
Source:
SecurityVulns ID: 7200
Type: remote
Severity: 5/10
Description: Buffer overflow when parsing UPX-packed PE files, privilege escalation through the \\.\TmComm device.
Affected products: TM : PC-Cillin Internet Security 2007
 TM : Trend Micro ServerProtect for Linux 2.5
 TM : Trend Micro AntiVirus 2007
 TM : Trend Micro Anti-Spyware for SMB 3.2
 TM : Trend Micro Anti-Spyware for Enterprise 3.0
 TM : Trend Micro Anti-Spyware for Consumer 3.5
CVE: CVE-2007-0856 (TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module (RCM), with the VsapiNI.sys 3.320.0.1003 scan engine, as used in Trend Micro PC-cillin Internet Security 2007, Antivirus 2007, Anti-Spyware for SMB 3.2 SP1, Anti-Spyware for Consumer 3.5, Anti-Spyware for Enterprise 3.0 SP2, Client / Server / Messaging Security for SMB 3.5, Damage Cleanup Services 3.2, and possibly other products, assigns Everyone write permission for the \\.\TmComm DOS device interface, which allows local users to access privileged IOCTLs and execute arbitrary code or overwrite arbitrary memory in the kernel context.)
 CVE-2007-0851 (Buffer overflow in the Trend Micro Scan Engine 8.000 and 8.300 before virus pattern file 4.245.00, as used in other products such as Cyber Clean Center (CCC) Cleaner, allows remote attackers to execute arbitrary code via a malformed UPX compressed executable.)
Original text: Reversemode, [Reversemode Advisory] TrendMicro Products - multiple privilege escalation vulnerabilities. (11.02.2007)
 IDEFENSE, iDefense Security Advisory 02.07.07: Trend Micro TmComm Local Privilege Escalation Vulnerability (08.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod