diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index cbad24e49a33..7edce7063a09 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -1103,7 +1103,7 @@ Note: Please add new entries to the beginning of this file.

This vulnerability exists in the file upload functionality and allows attackers to upload and execute PHP code of - their choice.

+ their choice.

@@ -1250,7 +1250,7 @@ Note: Please add new entries to the beginning of this file.

Gustavo Noronha Silva reports:

-

With help from Vincent Danen and other members of the Red Hat +

With help from Vincent Danen and other members of the Red Hat security team, the following CVE's where fixed.
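Review bot: the unchanged context line `security team, the following CVE's where fixed.` right after the reflowed line carries two typos, `CVE's` for `CVEs` and `where` for `were`. Since this pass already touches the paragraph, either fix them here or leave the whole quote verbatim on purpose; rewrapping the sentence while leaving the errors in place gets the worst of both.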

@@ -1442,12 +1442,13 @@ Note: Please add new entries to the beginning of this file. -

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not - properly validate a server-provided filename before determining the - destination filename of a download, which allows remote servers to create - or overwrite arbitrary files via a Content-Disposition header that - suggests a crafted filename, and possibly execute arbitrary code as a - consequence of writing to a dotfile in a home directory.

+

The get1 command, as used by lftpget, in LFTP before 4.0.6 does + not properly validate a server-provided filename before determining + the destination filename of a download, which allows remote servers + to create or overwrite arbitrary files via a Content-Disposition + header that suggests a crafted filename, and possibly execute + arbitrary code as a consequence of writing to a dotfile in a home + directory.

@@ -1471,12 +1472,13 @@ Note: Please add new entries to the beginning of this file. -

GNU Wget 1.12 and earlier uses a server-provided filename instead - of the original URL to determine the destination filename of a download, - which allows remote servers to create or overwrite arbitrary files via - a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect - to a URL with a crafted filename, and possibly execute arbitrary code - as a consequence of writing to a dotfile in a home directory.

+

GNU Wget version 1.12 and earlier uses a server-provided filename + instead of the original URL to determine the destination filename of + a download, which allows remote servers to create or overwrite + arbitrary files via a 3xx redirect to a URL with a .wgetrc filename + followed by a 3xx redirect to a URL with a crafted filename, and + possibly execute arbitrary code as a consequence of writing to a + dotfile in a home directory.
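Review bot: this hunk is not whitespace-only: `GNU Wget 1.12 and earlier uses` becomes `GNU Wget version 1.12 and earlier uses`, which edits the quoted CVE description rather than just rewrapping it. Either drop the inserted word so the quote stays verbatim, or state in the commit message that wording was changed.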

@@ -1499,12 +1501,12 @@ Note: Please add new entries to the beginning of this file. -

lwp-download in libwww-perl before 5.835 does not reject downloads - to filenames that begin with a . (dot) character, which allows remote - servers to create or overwrite files via a 3xx redirect to a URL with - a crafted filename or a Content-Disposition header that suggests - a crafted filename, and possibly execute arbitrary code as a - consequence of writing to a dotfile in a home directory.

+

lwp-download in libwww-perl before 5.835 does not reject downloads + to filenames that begin with a `.' (dot) character, which allows + remote servers to create or overwrite files via a 3xx redirect to a + URL with a crafted filename or a Content-Disposition header that + suggests a crafted filename, and possibly execute arbitrary code as + a consequence of writing to a dotfile in a home directory.
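Review bot: `to filenames that begin with a . (dot) character` is rewritten as `begin with a `.' (dot) character`, a wording change to quoted text in what is otherwise a rewrap, and the `.' quoting style does not match the double quotes used for literals elsewhere in this file (`"download wiki page as text"`, `"gather-messages.sh"`). Suggest keeping the original text or, if the dot really needs quoting, using double quotes.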

@@ -1541,7 +1543,7 @@ Note: Please add new entries to the beginning of this file. Quagga's bgpd daemon parsed paths of autonomous systems (AS). A configured BGP peer could send a BGP update AS path request with unknown AS type, which could lead to - denial of service (bgpd daemon crash).

+ denial of service (bgpd daemon crash).

@@ -1632,7 +1634,7 @@ Note: Please add new entries to the beginning of this file.

When multiple commands are queued (at the server) for execution in the next game tick and an client joins the server can get into an infinite loop. With the default settings triggering this bug - is difficult (if not impossible), however the larger value of + is difficult (if not impossible), however the larger value of the "frame_freq" setting is easier it is to trigger the bug.
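Review bot: this hunk only strips trailing whitespace from a sentence that is itself broken: `an client joins the server can get into an infinite loop` should read `a client joins, the server can get into an infinite loop`, and `the larger value of the "frame_freq" setting is easier it is to trigger the bug` should read `the larger the value of the "frame_freq" setting, the easier it is to trigger the bug`. Worth fixing while the line is being touched, unless the quote is meant to stay verbatim.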

@@ -1777,11 +1779,11 @@ Note: Please add new entries to the beginning of this file.
-

isolate currently suffers from some bad security bugs! These +

Isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is - unsafe and you should uninstall it. Sorry!

+ unsafe and you should uninstall it. Sorry!
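Review bot: `isolate currently suffers` is changed to `Isolate currently suffers`, but isolate is the port's lowercase name and the same quote still says `isolate is unsafe and you should uninstall it` a few lines later, so the capitalisation is now inconsistent within the quoted notice. Keep the lowercase form unless the whole quote is normalised.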

@@ -3013,7 +3015,7 @@ Note: Please add new entries to the beginning of this file.

If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style - attack against the victim to obtain their password.

+ attack against the victim to obtain their password.

@@ -4906,7 +4908,7 @@ Note: Please add new entries to the beginning of this file. "improper input validation" vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads - that process HTTP requests.

+ that process HTTP requests.

@@ -5009,7 +5011,7 @@ Note: Please add new entries to the beginning of this file. privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 - and CVE-2009-3230.

+ and CVE-2009-3230.

@@ -6573,9 +6575,9 @@ Note: Please add new entries to the beginning of this file.

Olly Betts reports:

-

There's a cross-site scripting issue in Omega - exception - messages don't currently get HTML entities escaped, but can contain - CGI parameter values in some cases.

+

There's a cross-site scripting issue in Omega - exception + messages don't currently get HTML entities escaped, but can + contain CGI parameter values in some cases.

@@ -8343,7 +8345,7 @@ Note: Please add new entries to the beginning of this file.

xine developers report:

    -
  • Fix broken size checks in various input plugins (ref. +
  • Fix broken size checks in various input plugins (ref. CVE-2008-5239).
  • More malloc checking (ref. CVE-2008-5240).
@@ -9255,7 +9257,8 @@ Note: Please add new entries to the beginning of this file. configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was - missed out of our radar because it was not existing in 2.11.x branch.

+ missed out of our radar because it was not existing in 2.11.x + branch.

@@ -9328,7 +9331,7 @@ Note: Please add new entries to the beginning of this file.

NOTE: Users with the "Advanced" user level are able to include and execute uploaded PHP code via the "pivot_path" parameter in extensions/bbclone_tools/getkey.php when - extensions/bbclone_tools/hr_conf.php can be deleted.

+ extensions/bbclone_tools/hr_conf.php can be deleted.

@@ -11911,12 +11914,12 @@ Note: Please add new entries to the beginning of this file.

Secunia reports:

-

A security issue has been reported in Ampache, which can be - exploited by malicious, local users to perform certain actions +

A security issue has been reported in Ampache, which can be + exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "gather-messages.sh" script handling temporary files in an insecure manner. - This can be exploited via symlink attacks to overwrite arbitrary + This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the script.

@@ -12161,9 +12164,9 @@ Note: Please add new entries to the beginning of this file.

The phpMyAdmin Team reports:

-

A logged-in user can be subject of SQL injection through cross site - request forgery. Several scripts in phpMyAdmin are vulnerable and the - attack can be made through table parameter.

+

A logged-in user can be subject of SQL injection through cross + site request forgery. Several scripts in phpMyAdmin are + vulnerable and the attack can be made through table parameter.

@@ -13156,7 +13159,7 @@ Note: Please add new entries to the beginning of this file. pollution

MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation

-

MFSA 2008-37 UTF-8 URL stack buffer overflow

+

MFSA 2008-37 UTF-8 URL stack buffer overflow

@@ -13358,10 +13361,10 @@ Note: Please add new entries to the beginning of this file.

The VLC Team reports:

-

The VLC media player contains a stack overflow vulnerability while - parsing malformed cue files. The vulnerability may be exploited by a (remote) - attacker to execute arbitrary code in the context of VLC media player. -

+

The VLC media player contains a stack overflow vulnerability + while parsing malformed cue files. The vulnerability may be + exploited by a (remote) attacker to execute arbitrary code in + the context of VLC media player.

@@ -13770,11 +13773,12 @@ Note: Please add new entries to the beginning of this file.

Adobe Product Security Incident Response Team reports:

-

Potential vulnerabilities have been identified in Adobe Flash +

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who - successfully exploits these potential vulnerabilities to bypass Flash - Player security controls. Adobe recommends users update to the most - current version of Flash Player available for their platform.

+ successfully exploits these potential vulnerabilities to bypass + Flash Player security controls. Adobe recommends users update + to the most current version of Flash Player available for their + platform.

@@ -14219,14 +14223,14 @@ Note: Please add new entries to the beginning of this file.

Hanno Boeck reports:

When configuring a web application to use only ssl (e.g. by - forwarding all http-requests to https), a user would expect that - sniffing and hijacking the session is impossible.

-

Though, for this to be secure, one needs to set the session cookie - to have the secure flag. Else the cookie will be transferred through - http if the victim's browser does a single http-request on the same - domain.

-

Squirrelmail does not set that flag. It is fixed in the 1.5 test - versions, but current 1.4.15 is vulnerable.

+ forwarding all http-requests to https), a user would expect that + sniffing and hijacking the session is impossible.

+

Though, for this to be secure, one needs to set the session + cookie to have the secure flag. Otherwise the cookie will be + transferred through HTTP if the victim's browser does a single + HTTP request on the same domain.

+

Squirrelmail does not set that flag. It is fixed in the 1.5 + test versions, but current 1.4.15 is vulnerable.
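Review bot: the rewrap also rewords the quoted report: `Else the cookie will be transferred through http` becomes `Otherwise the cookie will be transferred through HTTP`, and `http-request` becomes `HTTP request`, yet `forwarding all http-requests to https` in the first sentence is left as is, so the quote is now internally inconsistent. Either revert to the author's wording or apply the same capitalisation throughout and mention the rewording in the commit message.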

@@ -14292,11 +14296,10 @@ Note: Please add new entries to the beginning of this file.

Secunia reports:

An error exists in the "PMA_escapeJsString()" function in - libraries/js_escape.lib.php, which can be exploited to bypass certain - filters and execute arbitrary HTML and script code in a user's browser - session in context of an affected site when e.g. Microsoft Internet - Explorer is used. -

+ libraries/js_escape.lib.php, which can be exploited to bypass + certain filters and execute arbitrary HTML and script code in a + user's browser session in context of an affected site when e.g. + Microsoft Internet Explorer is used.

@@ -15898,8 +15901,7 @@ Note: Please add new entries to the beginning of this file. (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere - customers with Flash Player 9.0.124.0 should not be vulnerable to this - exploit. -

+ exploit.

@@ -17773,9 +17775,9 @@ Note: Please add new entries to the beginning of this file.

zenphoto project reports:

-

A new zenphoto version is now available. This release contains - security fixes for HTML, XSS, and SQL injection vulnerabilities. -

+

A new zenphoto version is now available. This release contains + security fixes for HTML, XSS, and SQL injection vulnerabilities. +
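Review bot: the last added line in this hunk appears to contain nothing but `+` and whitespace, i.e. a whitespace-only line after `security fixes for HTML, XSS, and SQL injection vulnerabilities.` Other hunks in this patch (the VLC and APOP entries) drop exactly such trailing lines; drop it here too so the cleanup is consistent.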

@@ -21940,7 +21942,7 @@ Note: Please add new entries to the beginning of this file. 2007-07-17 2007-07-19 - 2008-06-21 + 2008-06-21 @@ -23132,8 +23134,7 @@ Note: Please add new entries to the beginning of this file.

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks - that use crafted message IDs and MD5 collisions. -

+ that use crafted message IDs and MD5 collisions.

@@ -23589,11 +23590,10 @@ Note: Please add new entries to the beginning of this file.

"Moritz Jodeit reports:

-

There's an exploitable buffer overflow in the current version of - MPlayer (v1.0rc1) which can be exploited with a maliciously crafted - video file. It's hidden in the function DMO_VideoDecoder() in the - file loader/dmo/DMO_VideoDecoder.c. -

+

There's an exploitable buffer overflow in the current version + of MPlayer (v1.0rc1) which can be exploited with a maliciously + crafted video file. It is hidden in the DMO_VideoDecoder() + function of `loader/dmo/DMO_VideoDecoder.c' file.
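Review bot: the reworded last sentence drops an article: `It is hidden in the DMO_VideoDecoder() function of `loader/dmo/DMO_VideoDecoder.c' file` needs `of the ... file`, and the original `in the file loader/dmo/DMO_VideoDecoder.c` was fine, so prefer rewrapping the author's sentence unchanged. The context line `"Moritz Jodeit reports:` also carries a stray leading double quote that this pass could remove.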

@@ -23624,11 +23624,10 @@ Note: Please add new entries to the beginning of this file.

Secunia reports:

The vulnerability is caused due to an error within the - "download wiki page as text" function, which can be exploited - to execute arbitrary HTML and script code in a user's browser - session in context of an affected site.

-

Successful exploitation may require that the victim uses IE. -

+ "download wiki page as text" function, which can be exploited + to execute arbitrary HTML and script code in a user's browser + session in context of an affected site.

+

Successful exploitation may require that the victim uses IE.

@@ -27766,8 +27765,7 @@ Note: Please add new entries to the beginning of this file.

Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing - and cross-site scripting attacks. -

+ and cross-site scripting attacks.

  1. Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an @@ -28822,17 +28820,14 @@ Note: Please add new entries to the beginning of this file.

    SecurityFocus reports:

    -

    - Mutt is prone to a remote buffer-overflow vulnerability. +

    Mutt is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an - insufficiently sized memory buffer. - - This issue may allow remote attackers to execute arbitrary + insufficiently sized memory buffer.

    +

    This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, - denying further service to legitimate users. -

    + denying further service to legitimate users.

    @@ -30395,8 +30390,7 @@ Note: Please add new entries to the beginning of this file. execute code on the system of a remote user running the media player against a malicious playlist file. By passing a format specifier in the path of a file that is embedded - in a remote playlist, it is possible to trigger this bug. -

    + in a remote playlist, it is possible to trigger this bug.

@@ -33449,13 +33443,12 @@ Note: Please add new entries to the beginning of this file.

The fetchmail team reports:

Fetchmail contains a bug that causes an application crash - when fetchmail is configured for multidrop mode and the - upstream mail server sends a message without headers. As - fetchmail does not record this message as "previously fetched", - it will crash with the same message if it is re-executed, so it - cannot make progress. A malicious or broken-into upstream server - could thus cause a denial of service in fetchmail clients. -

+ when fetchmail is configured for multidrop mode and the + upstream mail server sends a message without headers. As + fetchmail does not record this message as "previously fetched", + it will crash with the same message if it is re-executed, so it + cannot make progress. A malicious or broken-into upstream server + could thus cause a denial of service in fetchmail clients.

@@ -34632,8 +34625,7 @@ Note: Please add new entries to the beginning of this file. ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based - buffer overflow. -

+ buffer overflow.

@@ -36879,7 +36871,7 @@ Note: Please add new entries to the beginning of this file.

A phpMyAdmin security announcement reports:

The convcharset parameter was not correctly validated, - opening the door to a XSS attack.

+ opening the door to a XSS attack.
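Review bot: the only change here is trailing whitespace on `opening the door to a XSS attack.`; since the line is being touched anyway, `a XSS` should read `an XSS`.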

@@ -42933,7 +42925,7 @@ Note: Please add new entries to the beginning of this file. whereby a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process (this process does not run - automatically by default).

+ automatically by default).

@@ -46077,7 +46069,7 @@ http_access deny Gopher

A buffer overflow vulnerability exists in the playlist processing of mpg123. A specially crafted playlist entry can cause a stack overflow that can be used to inject - arbitrary code into the mpg123 process

+ arbitrary code into the mpg123 process.

Note that a malicious playlist, demonstrating this vulnerability, was released by the bug finder and may be used as a template by attackers.

@@ -46760,7 +46752,7 @@ http_access deny Gopher

When a user is granted access to a database with a name containing an underscore and the underscore is not escaped then that user might also be able to access other, similarly named, databases on the - affected system.

+ affected system.

The problem is that the underscore is seen as a wildcard by MySQL and therefore it is possible that an admin might accidently GRANT a user access to multiple databases.

@@ -46829,10 +46821,10 @@ http_access deny Gopher

A special crafted MySQL FTS request can cause the server to crash. Malicious MySQL users can abuse this bug in a denial of service - attack against systems running an affected MySQL daemon.

+ attack against systems running an affected MySQL daemon.

Note that because this bug is related to the parsing of requests, it may happen that this bug is triggered accidently by a user when he - or she makes a typo.

+ or she makes a typo.
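Review bot: `accidently` in the unchanged context line `it may happen that this bug is triggered accidently by a user` should be `accidentally`; the same misspelling sits in the trailing context of the hunk at 46760 (`an admin might accidently GRANT`). Both lines are adjacent to lines being rewritten here, so they could be fixed in the same pass.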

@@ -47486,13 +47478,11 @@ http_access deny Gopher -

- The Sun Java Plugin capability in Java 2 Runtime Environment - (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does - not properly restrict access between Javascript and Java - applets during data transfer, which allows remote attackers - to load unsafe classes and execute arbitrary code. -

+

The Sun Java Plugin capability in Java 2 Runtime Environment + (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does + not properly restrict access between Javascript and Java + applets during data transfer, which allows remote attackers to + load unsafe classes and execute arbitrary code.

@@ -50549,7 +50539,7 @@ http_access deny Gopher protected areas such as paths and log messages. This may or may not be important to your organization, depending on how you're using path-based authorization, and the - sensitivity of the metadata.

+ sensitivity of the metadata.

@@ -51220,7 +51210,7 @@ http_access deny Gopher constructs in .htaccess or httpd.conf files. The function ap_resolve_env() in server/util.c copies data from environment variables to the character array tmp with - strcat(3), leading to a buffer overflow.

+ strcat(3), leading to a buffer overflow.

@@ -52327,8 +52317,7 @@ http_access deny Gopher used to support the "mangling method = hash" smb.conf option. The default setting for this parameter is "mangling method = hash2" and therefore not vulnerable. Versions - between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. -

+ between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.

@@ -54307,7 +54296,7 @@ http_access deny Gopher This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, - or privilege escalation.

+ or privilege escalation.

@@ -54342,7 +54331,7 @@ http_access deny Gopher

A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and - directories within the target jail.

+ directories within the target jail.

@@ -54377,7 +54366,7 @@ http_access deny Gopher such services, including HTTP, SMTP, and FTP). By sending many out-of-sequence TCP segments, the attacker can cause the target machine to consume all available memory buffers - (``mbufs''), likely leading to a system crash.

+ (``mbufs''), likely leading to a system crash.