Information Security


PHP safe mode bypass via compress.bzip2:// URL in PHP (protection bypass)
Published: March 17, 2007
SecurityVulns ID: 7420
Type: local
Severity: 5/10
Description: Safe mode and open_basedir restrictions are not checked.
Affected products: PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1461 (The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode or open_basedir checks, which allows remote attackers to read bzip2 archives located outside of the intended directories.)
Original text: PHP-SECURITY, MOPB-21-2007: PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability (17.03.2007)

Double free on an invalid session identifier and in the PHP session_regenerate_id() function (double free)
Published: March 17, 2007
SecurityVulns ID: 7421
Type: library
Severity: 5/10
Description: Transient conditions under which memory can be freed twice.
Affected products: PHP : PHP 5.2
CVE:CVE-2007-1522 (Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.)
 CVE-2007-1521 (Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation.)
Original text: PHP-SECURITY, MOPB-23-2007: PHP 5 Rejected Session Identifier Double Free Vulnerability (17.03.2007)
 PHP-SECURITY, MOPB-22-2007: PHP session_regenerate_id() Double Free Vulnerability (17.03.2007)
Files: PHP 5 session_regenerate_id() Double Free Exploit
 PHP 5 Rejected Session ID Double Free Exploit

Multiple vulnerabilities in the libftp / QFTP library (multiple bugs)
Published: March 17, 2007
SecurityVulns ID: 7417
Type: library
Severity: 5/10
Description: Multiple buffer overflows of various kinds.
Affected products: LIBFTP : LIBFtp 5.0
 LIBFTP : LIBFtp 3.1
CVE:CVE-2007-1485 (** DISPUTED ** Buffer overflow in the set_umask function in QFTP in LIBFtp 3.1-1 allows local users to execute arbitrary code via a long -m argument. NOTE: CVE disputes this issue because QFTP is not setuid, and it is unlikely that there are web interfaces to QFTP that would accept untrusted command line arguments.)
 CVE-2007-1470 (Multiple buffer overflows in LIBFtp 5.0 allow user-assisted remote attackers to execute arbitrary code via certain long arguments to the (1) FtpArchie, (2) FtpDebugDebug, (3) FtpOpenDir, (4) FtpSize, or (5) FtpChmod function.)
Original text: starcadi, QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow (17.03.2007)
 starcadi, LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow (17.03.2007)

Multiple vulnerabilities in the libwpd library / OpenOffice / AbiWord (multiple bugs)
Published: March 17, 2007
SecurityVulns ID: 7418
Type: library
Severity: 6/10
Description: Multiple buffer overflows when parsing WordPerfect documents.
Affected products: OPENOFFICE : OpenOffice 2.0
 OPENOFFICE : OpenOffice 2.1
 LIBWPD : libwpd 0.8
CVE:CVE-2007-1466 (Integer overflow in the WP6GeneralTextPacket::_readContents function in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file, a different vulnerability than CVE-2007-0002.)
 CVE-2007-0002 (Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.)
Original text: IDEFENSE, iDefense Security Advisory 03.16.07: Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities (17.03.2007)

Buffer overflow in the FrontBase Database SQL server (buffer overflow)
Published: March 17, 2007
SecurityVulns ID: 7419
Type: local
Severity: 5/10
Description: Buffer overflow in the CREATE PROCEDURE command.
Affected products: FRONTBASE : FrontBase Server 4.2
CVE:CVE-2007-1511 (Buffer overflow in FrontBase Relational Database Server 4.2.7 and earlier allows remote authenticated users, with privileges for creating a stored procedure, to execute arbitrary code via a CREATE PROCEDURE request with a long procedure name.)
Original text: [email protected], [NETRAGARD-20070316 SECURITY ADVISORY][FrontBase Database <= 4.2.7 ALL PLATFORMS][REMOTE BUFFER OVERFLOW CONDITION][LEVEL: EASY][RISK:MEDIUM] (17.03.2007)
Files: FrontBase Database remote Proof Of Concept

Buffer overflow in the PHP ibase_connect function
Published: March 17, 2007
SecurityVulns ID: 7416
Type: library
Severity: 5/10
Description: Buffer overflow on a long function argument.
Affected products: PHP : PHP 4.4
CVE:CVE-2007-1475 (Multiple buffer overflows in the (1) ibase_connect and (2) ibase_pconnect functions in the interbase extension in PHP 4.4.6 and earlier allow context-dependent attackers to execute arbitrary code via a long argument.)
Original text: retrog_(at)_alice.it, PHP <= 4.4.6 ibase_connect() local buffer overflow (17.03.2007)
Files: PHP <= 4.4.6 ibase_connect() & ibase_pconnect() local buffer overflow

Daily digest of web application bugs (PHP, ASP, JSP, CGI, Perl)
Published: March 17, 2007
SecurityVulns ID: 7414
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information disclosure, etc.
Affected products: CARBONIZE : Lazarus Guestbook 1.7
 WOLTLAB : Burning Board Lite 1.0
 GROUPIT : Groupit 2.0
 BPBLOG : BP Blog 7.0
 WEBCALENDAR : WebCalendar 0.9
 HORDE : IMP 3.1
 HORDE : IMP 3.2
 HORDE : Horde 3.0
 WOLTLAB : Woltlab Burning Board 2.3
 WEBAPP : WebAPP 0.9
 PHPSTATS : php-stats 0.1
 HORDE : Horde 3.1
 VBULLETIN : vBulletin 3.6
 HORDE : IMP 3.0
 HORDE : IMP 2.3
 OSCOMMERCE : PHP Point Of Sale 1.1
 ROT13 : Rot 13
 CLBOX : CLBOX 1.01
 MPMCHAT : MPM Chat 2.5
 PHPDBDESIGNED : PHP DB Designer 1.02
 CREATIVEHEADS : Creative Files 1.2
 MCGALLERY : McGallery 0.5
 CREATIVEHEADS : Creative Guestbook 1.0
 DEYFOXDESIGNS : Dayfox Blog 4
CVE:CVE-2007-1631 (** DISPUTED ** PHP remote file inclusion vulnerability in signup.php in CLBOX 1.01 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: this issue has been disputed by a reliable third party, stating that header is defined through an include file before use.)
 CVE-2007-1620 (Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php.)
 CVE-2007-1613 (Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter.)
 CVE-2007-1556 (SQL injection vulnerability in kommentare.php in Creative Files 1.2 allows remote attackers to execute arbitrary SQL commands via the dlid parameter.)
 CVE-2007-1525 (Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php.)
 CVE-2007-1518 (SQL injection vulnerability in usergroups.php in Woltlab Burning Board (wBB) 2.x allows remote attackers to execute arbitrary SQL commands via the array index of the applicationids array.)
 CVE-2007-1515 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.)
 CVE-2007-1514 (PHP remote file inclusion vulnerability in index.php in ViperWeb Portal alpha 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the modpath parameter.)
 CVE-2007-1513 (PHP remote file inclusion vulnerability in comanda.php in GraFX Company WebSite Builder (CWB) PRO 1.9.8, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter.)
 CVE-2007-1510 (SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter.)
 CVE-2007-1509 (Directory traversal vulnerability in enkrypt.php in Sascha Schroeder krypt (aka Holtstraeter Rot 13) allows remote attackers to read arbitrary files via a .. (dot dot) in the datei parameter.)
 CVE-2007-1508 (Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983.)
 CVE-2007-1489 (Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.)
 CVE-2007-1487 (Directory traversal vulnerability in index.php in Sascha Schroeder (aka CyberTeddy or Cyber-inside) WebLog allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a showarticles action.)
 CVE-2007-1486 (PHP remote file inclusion vulnerability in template.class.php in Carbonize Lazarus Guestbook before 1.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to admin.php, probably due to a dynamic variable evaluation vulnerability.)
 CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar 0.9.45 allow remote attackers to execute arbitrary PHP code via a URL in the includedir parameter to (1) login.php, (2) get_reminders.php, or (3) get_events.php.)
 CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows remote attackers to inject arbitrary web script or HTML via the e_id parameter in a viewentry cmd.)
 CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote attackers to execute arbitrary SQL commands via the e_id parameter in a viewentry cmd.)
 CVE-2007-1480 (Creative Guestbook 1.0 allows remote attackers to add an administrative account via a direct request to createadmin.php with Name, Email, and PASSWORD parameters set.)
 CVE-2007-1479 (Cross-site scripting (XSS) vulnerability in Guestbook.php in Creative Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.)
 CVE-2007-1478 (download.php in McGallery 0.5b allows remote attackers to read arbitrary files and obtain script source code via the filename parameter.)
 CVE-2007-1477 (** DISPUTED ** Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installation.)
 CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames.)
 CVE-2007-1472 (Variable overwrite vulnerability in groupit/base/groupit.start.inc in Groupit 2.00b5 allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via arguments that are written to $_GLOBALS, as demonstrated using a URL in the c_basepath parameter to (1) content.php, (2) userprofile.php, (3) password.php, (4) dispatch.php, and (5) deliver.php in html/, and possibly (6) load.inc.php and related files.)
 CVE-2007-1462 (The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.)
 CVE-2007-1455 (Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to includes/mysqlconfig.php and certain other files.)
 CVE-2007-1445 (SQL injection vulnerability in the theme preview feature for default.asp in BP Blog 7.0 through 7.0.2 allows remote attackers to execute arbitrary SQL commands via the layout parameter.)
 CVE-2007-1443 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in Woltlab Burning Board (wBB) 2.3.6 and Burning Board Lite 1.0.2pl3e allow remote attackers to inject arbitrary web script or HTML via the (1) r_username, (2) r_email, (3) r_password, (4) r_confirmpassword, (5) r_homepage, (6) r_icq, (7) r_aim, (8) r_yim, (9) r_msn, (10) r_year, (11) r_month, (12) r_day, (13) r_gender, (14) r_signature, (15) r_usertext, (16) r_invisible, (17) r_usecookies, (18) r_admincanemail, (19) r_emailnotify, (20) r_notificationperpm, (21) r_receivepm, (22) r_emailonpm, (23) r_pmpopup, (24) r_showsignatures, (25) r_showavatars, (26) r_showimages, (27) r_daysprune, (28) r_umaxposts, (29) r_dateformat, (30) r_timeformat, (31) r_startweek, (32) r_timezoneoffset, (33) r_usewysiwyg, (34) r_styleid, (35) r_langid, (36) key_string, (37) key_number, (38) disablesmilies, (39) disablebbcode, (40) disableimages, (41) field[1], (42) field[2], and (43) field[3] parameters. NOTE: a third-party researcher has disputed some of these )
 CVE-2006-7173 (Direct static code injection vulnerability in admin.php in PHP-Stats 0.1.9.1b and earlier allows remote attackers to execute arbitrary PHP code via a crafted option_new[report_w_day] parameter in a preferenze action, which can be later accessed via option/php-stats-options.php.)
 CVE-2006-7172 (Multiple SQL injection vulnerabilities in php-stats.recphp.php in PHP-Stats 0.1.9.1b and earlier allow remote attackers to execute arbitrary code via a leading dotted-quad IP address string in the (1) PC-REMOTE-ADDR HTTP header, which is inserted into $_SERVER['HTTP_PC_REMOTE_ADDR'], or (2) ip parameter.)
Original text: Dj7xpl, WebLog (index.php file) Remote File Disclosure Vulnerability (17.03.2007)
 Dj7xpl, Creative Guestbook 1.0 Multiple Remote Vulnerabilities (17.03.2007)
 piker.ther00t_(at)_gmail.com, McGallery 0.5b Arbitrary File Download Vulnerability (17.03.2007)
 XORON, WBBlog (XSS/SQL) Multiple Remote Vulnerabilities (17.03.2007)
 XORON, Creative Files 1.2 (kommentare.php) Remote SQL Injection Vulnerabilities (17.03.2007)
 GolD_M, PHP DB Designer <= 1.02 Remote File Include Exploit (17.03.2007)
 GolD_M, MPM Chat 2.5 (view.php logi) Local File Include Exploit (17.03.2007)
 BorN To K!LL, CLBOX <= (signup.php header) Remote File Include Vulnerability (17.03.2007)
 Sea Shark, Oracle Portal PORTAL.wwv_main.render_warning_screen XSS (17.03.2007)
 BorN To K!LL, Rot 13 <= (enkrypt.php) Remote File Disclosure Vulnerability (17.03.2007)
 disfigure, vbulletin admincp sql injection (17.03.2007)
 BorN To K!LL, PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vuln (17.03.2007)
 IDEFENSE, iDefense Security Advisory 03.15.07: Horde Project Cleanup Script Arbitrary File Deletion Vulnerability (17.03.2007)
 asamad_(at)_arpatech.com, Remote File Inclusion in ViperWeb (17.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability (17.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability (17.03.2007)
 Mandr4ke.root_(at)_gmail.com, DirectAdmin Cross Site Scripting XSS (17.03.2007)
Files: Particle Blogger All Version Post.PHP (PostID) Remote SQL Injection Exploit
 Exploits Dayfox Blog 4 remote code execution
 Php-Stats <= 0.1.9.1b admin 2 exec() exploit
 Php-Stats <= 0.1.9.1b "ip" urldecode() / ereg() / sql injection / clear text admin pass disclosure exploit (method ii)
 Php-Stats <= 0.1.9.1b PC-REMOTE-ADDR sql injection / clear text admin pass

Cross-site scripting in IBM Rational ClearQuest Web (cross-site scripting)
Published: March 17, 2007
SecurityVulns ID: 7415
Type: remote
Severity: 5/10
Description: Cross-site scripting when displaying text documents.
Affected products: IBM : Rational ClearQuest Web 7.0
CVE:CVE-2007-1468 (Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest (CQ) Web 7.0.0.0 allows remote attackers to inject arbitrary web script or HTML via an attachment to a defect log entry.)
Original text: james_(at)_clarkee.co.uk, IBM Rational ClearQuest Web - Cross Site Scripting (17.03.2007)

Memory corruption in the PHP array_user_key_compare() function (memory corruption)
Published: March 17, 2007
SecurityVulns ID: 7422
Type: library
Severity: 5/10
Description: A memory region that is still referenced is freed, which can lead to use of freed memory.
Affected products: PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called.)
Original text: PHP-SECURITY, MOPB-24-2007: PHP array_user_key_compare() Double DTOR Vulnerability (17.03.2007)
Files: PHP 4/5 - array_user_key_compare() ZVAL dtor exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod