CVE-2006-2014
Published: 2006-04-25
Priority: P4 (18) · Severity: medium · CVSS 2.0 base score: 5.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 1.93% (77.5th percentile)
Directory traversal vulnerability in gallerie.php in SL_site 1.0 allows remote attackers to list images in arbitrary directories via ".." sequences in the rep parameter, which is used to construct a directory name in admin/config.inc.php. NOTE: this issue could be used to produce resultant XSS from an error message.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| web-provence | sl_site | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
GHSA-4wrr-xw2g-w6m2: Directory traversal vulnerability in gallerie
ghsa_unreviewed · 2022-05-01 · CVE-2006-2014 [MEDIUM]
The advisory text is identical to the CVE description above.
Red Hat
CVE-2018-16152 [MEDIUM] CWE-287: strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c
vendor_redhat · 2018-09-24 · CVSS 5.0
In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568.
Package: strongimcv (Red Hat Enterprise Linux 7) - Not affected
No detection rules found.
Exploit-DB
CVE-2006-3952 [HIGH] Easy File Sharing FTP Server 3.5 - Remote Stack Buffer Overflow
exploitdb · 2014-05-27 · CVSS 7.5
---
```python
#!/usr/bin/env python
# Exploit Title: Easy File Sharing FTP Server 3.5 stack buffer overflow
# Date: 27 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vulnerability discovered by: h07
# CVE: CVE-2006-3952
# OSVDB: 27646
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.efssoft.com/ftpserver.htm
# Version: 3.5
# Tested on: Windows 8.1 Enterprise , English
# : Windows 7 Enterprise SP1, English
# : Windows XP SP3, English
#
# Description:
# A buffer overflow is triggered when a large password is sent to the
# server.
#
# h07 found this bug in 2006, targeting EFS FTP Server 2.0. The original
# exploits relied on OS DLLs to reference a pop/pop/retn address to leverage a
# SEH
```
Exploit-DB
CVE-2006-2465 MP3Info 0.8.5a - Local Buffer Overflow (SEH)
exploitdb · 2014-03-19
---
```
# Exploit Title: mp3info SEH exploit
# Date: 18 March 2014
# Exploit Author: Ayman Sagy
# Vendor Homepage: http://ibiblio.org/mp3info/
# Software Link: https://www.exploit-db.com/apps/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
# Version: MP3Info 0.8.5
# Tested on: Windows 7 Ultimate 64 and 32 bit
# CVE : 2006-2465
# Original POC: http://www.exploit-db.com/exploits/31220/
#
# The process memory region starts with a null byte but exploitation is still possible because of
# the little endian architecture provided that the return address gets placed at the end of the buffer,
# this however confines us in the tiny 4-byte area after pop/pop/retn
# Using a couple of trampolines I jumped back to the beginning of the buffer which is 533 by
```
Bugzilla
CVE-2018-16152 [MEDIUM] strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c
bugzilla · 2018-10-03 · CVSS 5.0
A flaw was found in strongSwan 4.x and 5.x before 5.7.0. In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568.
References:
- https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
Discussion:
Created strongswan tracking bugs
Bugzilla
CVE-2015-4025 [MEDIUM] php: CVE-2006-7243 regressions in 5.4+
bugzilla · 2015-05-20 · CVSS 5.0
Regressions of parts of the CVE-2006-7243 fix were found in PHP >= 5.4. This issue is similar to CVE-2015-2348 (bug 1207682) and CVE-2014-5120 (bug 1132793).
Upstream report:
- https://bugs.php.net/bug.php?id=69418
Upstream fix:
- http://git.php.net/?p=php-src.git;a=commitdiff;h=be9b2a95adb504abd5acdc092d770444ad6f6854
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1223447]
---
I noted CVE-2006-7243 (see bug 662707) regressions in PHP 5.4+ for the following functions in the upstream bug report:
- set_include_path()
- tempnam() - second argument only
- rmdir()
- readlink()
readlink() was already fixed in 5.4.40 / 5.5.24 / 5.6.8, see bug 1213407 comment 5.
Linked upstream commit includes additional fi
Bugzilla
CVE-2014-3495 [HIGH] duplicity: improper verification of SSL certificates
bugzilla · 2014-06-16 · CVSS 7.5
Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not handle wildcard certificates properly. If Duplicity connected to a remote host that used a wildcard certificate, and the hostname did not match the wildcard, it would still consider the connection valid. The following example was provided:
```
$ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = U
```
References
- http://secunia.com/advisories/19792
- http://securitytracker.com/id?1015972
- http://www.osvdb.org/24897
- http://www.securityfocus.com/bid/17667
- http://www.securityfocus.com/bid/17672
- http://www.vupen.com/english/advisories/2006/1487
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26037