The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability bulletin CVE-2007-0427

Windows: buffer overflow of HPJ files

Synthesis of the vulnerability

When Microsoft Visual Studio or Microsoft Help Workshop is installed, opening an HPJ file can lead to code execution.
Impacted products: Windows (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 22/01/2007.
Identifiers: BID-22135, CVE-2007-0427, VIGILANCE-VUL-6483.

Description of the vulnerability

The HLP help files are generated by Microsoft Help Workshop (Visual Studio) from HPJ project files. An HPJ file contains, for example:
  [OPTIONS]
  REPORT=Yes
  HLP=filename

When Help Workshop reads an HPJ file, messages are stored in a 256-byte array without checking their size. An overflow can thus occur.

An attacker can therefore create a malicious HPJ file and invite the victim to open it, in order to execute code on the victim's computer.
Full Vigil@nce bulletin... (Free trial)

vulnerability announcement CVE-2006-6678

Netrik: command execution

Synthesis of the vulnerability

An attacker can create a website containing a form with a special name in order to execute code on the computer of a victim using Netrik.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 22/01/2007.
Identifiers: 404233, CERTA-2002-AVI-065, CVE-2006-6678, DSA-1251-1, VIGILANCE-VUL-6482.

Description of the vulnerability

The Netrik program is a text mode web browser with vi-like keybindings.

The form-file.c file contains the edit_textarea() function, which is called when the user enters data in a TEXTAREA field of an HTML form. This function creates a temporary file named netrik-textarea-name_of_form-random, then calls system() to execute the editor. When the user leaves the editor, the data from the file are copied into the TEXTAREA of the HTML page.

However, special characters in the form name are not filtered. An attacker can for example create a form named " `/bin/rm /tmp/file` " in order to force the system() function to delete the file.

This vulnerability therefore permits an attacker to execute shell commands on the computers of Netrik users who edit a form.

vulnerability alert CVE-2007-0235

libgtop: overflow in glibtop_get_proc_map_s

Synthesis of the vulnerability

A local attacker can generate an overflow in glibtop_get_proc_map_s() in order to elevate his privileges.
Impacted products: Debian, Fedora, Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: user shell.
Creation date: 19/01/2007.
Identifiers: 396477, CERTA-2002-AVI-065, CVE-2007-0235, DSA-1255-1, FEDORA-2007-657, MDKSA-2007:023, RHSA-2007:0765-01, VIGILANCE-VUL-6481.

Description of the vulnerability

The gtop program is the GNOME version of the process statistics tool. With Linux kernel version 2.6.14 or later, gtop reads this information from /proc/pid/smaps.

The format of /proc/pid/smaps is:
  start-end flags offset majordevice:minordevice inode program
For example:
  00400000-00408000 r-xp 00000000 01:02 3 /usr/bin/prog

However, when gtop analyzes this line, it copies the program name into a 215-byte array without checking its size. An overflow can thus occur.

A local attacker can therefore start a malicious process in order to execute code with the privileges of victims using gtop.

vulnerability 6480

Windows: buffer overflow of CNT files

Synthesis of the vulnerability

When Microsoft Visual Studio or Microsoft Help Workshop is installed, opening a CNT file can lead to code execution.
Impacted products: Windows (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 18/01/2007.
Identifiers: BID-22100, VIGILANCE-VUL-6480.

Description of the vulnerability

The HLP help files are generated by Microsoft Help Workshop (Visual Studio) from CNT files. A CNT file contains, for example:
  :Base
  :Title hello
  1 message
  2 message=mapid

When Help Workshop reads a CNT file, messages are stored in a 512-byte array without checking their size. An overflow can thus occur.

An attacker can therefore create a malicious CNT file and invite the victim to open it, in order to execute code on the victim's computer.

computer vulnerability note CVE-2007-0396

HP-UX: denial of service of IPFilter

Synthesis of the vulnerability

When the PHNE_34474 patch is installed, a remote attacker can generate a denial of service on IPFilter.
Impacted products: HP-UX.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/01/2007.
Identifiers: BID-22103, c00837319, CVE-2007-0396, CVE-2007-0818-REJECT, HPSBUX02181, PHNE_34474, SSRT061289, VIGILANCE-VUL-6479.

Description of the vulnerability

The DLPI (Data Link Provider Interface) is an abstraction layer for network devices. The PHNE_34474 patch, published in August 2006, corrects 6 bugs mainly related to DLPI.

When this patch and IPFilter are both installed, a remote attacker can generate a denial of service.

computer vulnerability bulletin CVE-2006-6939

GNU ed: file corruption

Synthesis of the vulnerability

A local attacker can alter a file during GNU ed usage.
Impacted products: Fedora, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 17/01/2007.
Identifiers: BID-22129, CVE-2006-6939, FEDORA-2007-099, FEDORA-2007-100, VIGILANCE-VUL-6478.

Description of the vulnerability

The GNU ed program is a text mode editor.

The open_sbuf() function of GNU ed uses mktemp() instead of mkstemp() or tmpfile(). A local attacker can therefore create a symbolic link from a file named /tmp/ed... to a system file. That file is then overwritten, with the rights of the ed user, by the editor's temporary data.

This vulnerability therefore permits a local attacker to alter a file with the rights of victims using GNU ed.

computer vulnerability announcement CVE-2007-0408 CVE-2007-0409 CVE-2007-0410

WebLogic: several vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server and Express.
Impacted products: WebLogic.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/01/2007.
Identifiers: BEA07-107.02, BEA07-125.01, BEA07-134.00, BEA07-135.00, BEA07-136.00, BEA07-137.00, BEA07-138.00, BEA07-139.00, BEA07-140.00, BEA07-141.00, BEA07-142.00, BEA07-143.00, BEA07-144.00, BEA07-145.00, BEA07-146.00, BEA07-147.00, BEA07-148.00, BEA07-149.00, BEA07-150.00, BEA07-152.00, BEA07-155.00, BEA07-60.01, BEA07-75.01, BID-22077, BID-22082, CERTA-2007-AVI-044, CVE-2007-0408, CVE-2007-0409, CVE-2007-0410, CVE-2007-0411, CVE-2007-0412, CVE-2007-0413, CVE-2007-0414, CVE-2007-0415, CVE-2007-0416, CVE-2007-0417, CVE-2007-0418, CVE-2007-0419, CVE-2007-0420, CVE-2007-0421, CVE-2007-0422, CVE-2007-0424, CVE-2007-0425, CVE-2007-4613, CVE-2007-4614, VIGILANCE-VUL-6477.

Description of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server and Express.

An attacker with the Admin or Operator role, but with restricted access, can start or stop the service. [severity:3/4; BEA07-60.01]

An attacker with the Monitor role can configure JDBC connection pools. [severity:3/4; BEA07-75.01]

An attacker can conduct a brute force attack without locking the account. [severity:3/4; BEA07-107.02]

Several services expose private information. [severity:3/4; BEA07-125.01]

An attacker can obtain fragments of data encapsulated in SSL. [severity:3/4; BEA07-134.00, CVE-2007-4613]

In some cases, the server does not correctly validate the X.509 client certificate. [severity:3/4; BEA07-135.00, CERTA-2007-AVI-044, CVE-2007-0408]

The password of the JDBCDataSourceFactory MBean is not encrypted. [severity:3/4; BEA07-136.00, CVE-2007-0409]

Some sequences lead to a thread hanging, and thus to a service hang. [severity:3/4; BEA07-137.00, CVE-2007-0410]

An attacker can mount a man-in-the-middle attack when WS-Security is used. [severity:3/4; BEA07-138.00, CVE-2007-0411]

An attacker can access application files via an .ear. [severity:3/4; BEA07-139.00, CVE-2007-0412]

When the administrator edits config.xml to store sensitive data, these data are not protected when the service starts. [severity:3/4; BEA07-140.00, CVE-2007-0413]

In some cases, an error in error-page handling leads to a denial of service. [severity:3/4; BEA07-141.00, CVE-2007-0414]

A dynamic update of an application deployed as exploded jars leads to incorrect access permissions. [severity:3/4; BEA07-142.00, CVE-2007-0415]

The WSSE runtime incorrectly manages decryption of messages. [severity:3/4; BEA07-143.00, CVE-2007-0416]

In version 6.1 compatibility mode, some EJBs are executed with administrative privileges. [severity:3/4; BEA07-144.00, CVE-2007-0417]

An attacker can send special parameters to an EJB in order to elevate his privileges. [severity:3/4; BEA07-145.00, CVE-2007-0418]

In some cases, the proxy plug-in for Apache can generate a denial of service. [severity:3/4; BEA07-146.00, CVE-2007-0419]

A malformed HTTP request may permit access to the data of previous requests. [severity:3/4; BEA07-147.00, CVE-2007-0420]

An attacker can use specific headers in order to alter log files or to fill the disk. [severity:3/4; BEA07-148.00, CVE-2007-0421]

Policy changes may not be replicated. [severity:3/4; BEA07-149.00, CVE-2007-4614]

Under Solaris 9, an attacker can manipulate sockets in order to generate a denial of service. [severity:3/4; BEA07-150.00, CVE-2007-0422]

Several vulnerabilities affect the proxy plug-in for Netscape Enterprise Server. [severity:3/4; BEA07-152.00, CVE-2007-0424]

An attacker can execute code via an overflow of JRockit. [severity:3/4; BEA07-155.00, BID-22077, CVE-2007-0425]

computer vulnerability alert CVE-2007-0243

Java SDK/JRE/JDK: memory corruption via a GIF image

Synthesis of the vulnerability

An attacker can create a Java applet loading a special GIF image in order to execute code on victim's computer.
Impacted products: HP-UX, NLD, OES, openSUSE, Java Oracle, RHEL, SLES, TurboLinux.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 17/01/2007.
Revision date: 22/01/2007.
Identifiers: 102686, 102760, 6445518, 6466389, 6469538, BID-22085, c00876579, CERTA-2007-AVI-033, CVE-2007-0243, HPSBUX02196, RHSA-2007:0166-01, RHSA-2007:0167-01, RHSA-2007:0956-01, RHSA-2008:0261-01, RHSA-2008:0524-01, SSRT07138, SUSE-SA:2007:045, TLSA-2007-8, VIGILANCE-VUL-6476, VU#388289, ZDI-07-005.

Description of the vulnerability

A GIF image is composed of several blocks, each supporting up to 256 colors. A GIF image can thus contain 400 colors by splitting the image into two parts. Most software supports only one block, hence 256 colors, because compressing several independent blocks produces files larger than other image formats.

When an image contains two blocks, the JRE/JDK/SDK allocates the memory size indicated by the second block, but copies the data of the first. If, for example, the size of the second block is zero, memory is thus corrupted.

An attacker can therefore create a Java applet loading a special GIF image in order to execute code on victim's computer.

computer vulnerability CVE-2001-0729 CVE-2007-0275 CVE-2007-0280

Oracle AS: several vulnerabilities of January 2007

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of January 2007.
Impacted products: Oracle AS.
Severity: 3/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 12.
Creation date: 17/01/2007.
Revision date: 22/01/2007.
Identifiers: BID-22083, cpujan2007, CVE-2001-0729, CVE-2007-0275, CVE-2007-0280, CVE-2007-0281, CVE-2007-0282, CVE-2007-0283, CVE-2007-0284, CVE-2007-0285, CVE-2007-0286, CVE-2007-0287, CVE-2007-0288, INTERNET SECURITY AUDITORS ALERT 2007-001, SYMSA-2007-001, VIGILANCE-VUL-6475.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2007 corrects several vulnerabilities of Oracle Application Server. Oracle's announcement contains a detailed table, summarized below.

An attacker can alter information or generate a denial of service by generating an overflow via the ONS service. [severity:3/4; CVE-2007-0280]

An attacker via HTTP can obtain or alter information. [severity:3/4; CVE-2007-0283]

An attacker via HTTP can obtain information. [severity:3/4; CVE-2007-0284]

An attacker via HTTP can alter information. [severity:3/4; CVE-2007-0284]

An attacker via HTTP can alter information. [severity:3/4; CVE-2001-0729, CVE-2007-0281]

An attacker via HTTP can alter information. [severity:3/4; CVE-2007-0281]

An attacker via HTTP can alter information. [severity:3/4; CVE-2007-0285, INTERNET SECURITY AUDITORS ALERT 2007-001]

An authenticated attacker can obtain or alter information via ONS. [severity:3/4; CVE-2007-0282]

An attacker via HTTP can obtain information. [severity:3/4; CVE-2007-0286]

An authenticated attacker can alter information via HTTP. [severity:3/4; CVE-2007-0275]

A local authenticated attacker can obtain information. [severity:3/4; CVE-2007-0287]

An authenticated attacker can obtain information via LDAP. [severity:3/4; CVE-2007-0288]

vulnerability note CVE-2007-0268 CVE-2007-0269 CVE-2007-0270

Oracle Database: several vulnerabilities of January 2007

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of January 2007.
Impacted products: OpenView, Oracle DB.
Severity: 3/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 17.
Creation date: 17/01/2007.
Revision dates: 22/01/2007, 25/01/2007, 30/01/2007, 06/03/2007, 02/04/2007.
Identifiers: BID-22083, c00727143, cpujan2007, CVE-2007-0268, CVE-2007-0269, CVE-2007-0270, CVE-2007-0271, CVE-2007-0272, CVE-2007-0273, CVE-2007-0274, CVE-2007-0275, CVE-2007-0276, CVE-2007-0277, CVE-2007-0278, HPSBMA02133, NGS00402, SSRT061201, VIGILANCE-VUL-6474, VU#221788.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2007 corrects several vulnerabilities of Oracle Database. Oracle's announcement contains a detailed table, summarized below.

An authenticated attacker with execute privilege on sys.dbms_aq can obtain or alter information via a SQL injection in DBMS_AQ_INV. [severity:3/4; CVE-2007-0268, VU#221788]

An authenticated attacker with execute privilege on sys.dbms_cdc_subscribe can obtain or alter information. [severity:3/4; CVE-2007-0269]

An authenticated attacker with execute privilege on sys.dbms_drs can alter information or generate a denial of service, by using a buffer overflow in DBMS_DRS.GET_PROPERTY function. [severity:3/4; CVE-2007-0270]

An authenticated attacker with execute privilege on sys.dbms_logmnr (the announcement indicates sys.dbms_log_mnr) can alter information or generate a denial of service, by exploiting a buffer overflow in the DBMS_LOGMNR.ADD_LOGFILE procedure. [severity:3/4; CVE-2007-0271]

An authenticated attacker with execute privilege on mdsys.md can alter information or generate a denial of service, by exploiting overflows in its procedures. [severity:3/4; CVE-2007-0272]

An HTTP attacker can alter information via a cross-site scripting vulnerability. [severity:3/4; CVE-2007-0273]

An authenticated attacker with execute privilege on sys.dbms_repcat_untrusted can generate a denial of service, by exploiting a buffer overflow in DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT procedure. Code execution may be possible. [severity:3/4; CVE-2007-0268]

An authenticated attacker with execute privilege on sys.dbms_logrep_util can generate a denial of service, by exploiting a buffer overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME procedure. Code execution may be possible. [severity:3/4; CVE-2007-0274]

An authenticated attacker with execute privilege on sys.dbms_capture_adm_internal can generate a denial of service, by exploiting overflows in the CREATE_CAPTURE, ALTER_CAPTURE and ABORT_TABLE_INSTANTIATION procedures. Code execution may be possible. [severity:3/4; CVE-2007-0274]

An authenticated HTTP attacker can alter information. [severity:3/4; CVE-2007-0275]

A local attacker can use the oklist or okdstry programs to exploit a vulnerability. [severity:3/4; CVE-2007-0276]

A local attacker can use the expdp or impdp programs to exploit a vulnerability. [severity:3/4; CVE-2007-0277]

A local attacker can use the lmsgen program to exploit a vulnerability. [severity:3/4; CVE-2007-0278]

A local attacker can use the tnslsnr program to exploit a vulnerability. [severity:3/4; CVE-2007-0276]

A local attacker can use the ctxkbtc program to exploit a vulnerability. [severity:3/4; CVE-2007-0278]

A local attacker can use the ctxload program to exploit a vulnerability. [severity:3/4; CVE-2007-0268]

A local attacker can use the oklist program to exploit a vulnerability. [severity:3/4; CVE-2007-0276]
