The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

vulnerability announce CVE-2006-6678

Netrik: command execution

Synthesis of the vulnerability

An attacker can create a website containing a form with a special name in order to execute code on the computer of a victim using Netrik.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 22/01/2007.
Identifiers: 404233, CERTA-2002-AVI-065, CVE-2006-6678, DSA-1251-1, VIGILANCE-VUL-6482.

Description of the vulnerability

The Netrik program is a text-mode web browser with vi-like key bindings.

The form-file.c file contains the edit_textarea() function, which is called when the user enters data in a TEXTAREA field of an HTML form. This function creates a temporary file named netrik-textarea-name_of_form-random, then calls system() to execute the editor. When the user leaves the editor, the data from the file are copied into the TEXTAREA of the HTML page.

However, special characters in the form name are not filtered. An attacker can, for example, create a form named " `/bin/rm /tmp/file` " in order to make the system() call delete the file.

This vulnerability therefore permits an attacker to execute shell commands on the computer of Netrik users who edit such a form.
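As an added illustration (not Netrik's code), the following C shows the defensive alternative to the pattern described above: the form name is reduced to a safe character set before it is used in the temporary file name, the file is created with mkstemp, and the editor is started with fork/execlp so that no shell ever interprets the name. The sanitising policy and the /tmp prefix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Keep only [A-Za-z0-9_-] from an untrusted form name (assumed policy);
 * everything the shell could interpret is dropped, not escaped. */
size_t sanitize_name(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in && n + 1 < outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '_' || c == '-')
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Create /tmp/netrik-textarea-<name>-XXXXXX via mkstemp (mode 0600,
 * O_EXCL, unpredictable suffix). Returns the open fd or -1. */
int make_textarea_file(const char *form_name, char *path, size_t pathsz)
{
    char clean[64];
    sanitize_name(form_name, clean, sizeof clean);
    int n = snprintf(path, pathsz, "/tmp/netrik-textarea-%s-XXXXXX",
                     clean[0] ? clean : "unnamed");
    if (n < 0 || (size_t)n >= pathsz)
        return -1;
    return mkstemp(path);
}

/* Run `editor path` with fork/execlp: both strings reach the program as
 * argv entries, so backticks, ';' or '$' in them are plain bytes, never
 * commands. Returns the editor's exit status, or -1 on failure. */
int launch_editor(const char *editor, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(editor, editor, path, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```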

vulnerability alert CVE-2007-0235

libgtop: overflow in glibtop_get_proc_map_s

Synthesis of the vulnerability

A local attacker can trigger an overflow in glibtop_get_proc_map_s() in order to elevate privileges.
Impacted products: Debian, Fedora, Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: user shell.
Creation date: 19/01/2007.
Identifiers: 396477, CERTA-2002-AVI-065, CVE-2007-0235, DSA-1255-1, FEDORA-2007-657, MDKSA-2007:023, RHSA-2007:0765-01, VIGILANCE-VUL-6481.

Description of the vulnerability

The gtop program is the GNOME version of the process statistics tool. With Linux kernel 2.6.14 or later, gtop reads this information from /proc/pid/smaps.

The format of /proc/pid/smaps is:
  start-end flags offset majordevice:minordevice inode program
For example:
  00400000-00408000 r-xp 00000000 01:02 3 /usr/bin/prog

However, when gtop analyzes this line, it copies the program name into a 215-byte array without checking its size. An overflow can thus occur.

A local attacker can therefore start a malicious process in order to execute code with the privileges of victims using gtop.
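As an added example (not libgtop's code), here is a bounded parser for the /proc/pid/smaps header line described above. It keeps the 215-byte destination from the bulletin but checks the length before copying, so an oversized program name is truncated and flagged instead of overflowing. The struct field names and the make_line() helper are my own.

```c
#include <stdio.h>
#include <string.h>

#define PROG_MAX 215   /* destination size named in the bulletin */

struct smap_entry {
    unsigned long long start, end, offset, inode;
    unsigned int major, minor;
    char flags[5];          /* e.g. "r-xp" */
    char program[PROG_MAX];
    int truncated;          /* set if the name did not fit */
};

/* Parse "start-end flags offset major:minor inode program".
 * Returns 0 on success, -1 if the fixed fields are malformed.
 * The program name is the rest of the line (it may contain spaces,
 * and anonymous mappings have none). */
int parse_smaps_line(const char *line, struct smap_entry *e)
{
    int consumed = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%llx-%llx %4s %llx %x:%x %llu%n",
               &e->start, &e->end, e->flags, &e->offset,
               &e->major, &e->minor, &e->inode, &consumed) != 7)
        return -1;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t len = strcspn(p, "\n");
    if (len >= sizeof e->program) {   /* the check the bulletin says is missing */
        len = sizeof e->program - 1;
        e->truncated = 1;
    }
    memcpy(e->program, p, len);
    e->program[len] = '\0';
    return 0;
}

/* Build a constructed line whose program name is "/" followed by
 * `namelen` 'A' bytes, to exercise the bound. Returns 0 or -1. */
int make_line(char *buf, size_t bufsz, size_t namelen)
{
    int n = snprintf(buf, bufsz, "00400000-00408000 r-xp 00000000 01:02 3 /");
    if (n < 0 || namelen + (size_t)n + 1 >= bufsz)
        return -1;
    memset(buf + n, 'A', namelen);
    buf[n + namelen] = '\0';
    return 0;
}
```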

computer vulnerability bulletin CVE-2006-5876

libsoup: denial of service via a GET

Synthesis of the vulnerability

An attacker can use a malformed request in order to generate a denial of service on software compiled with libsoup.
Impacted products: Debian, Fedora, Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 15/01/2007.
Identifiers: 405197, BID-22034, CVE-2006-5876, DSA-1248-1, FEDORA-2007-109, MDKSA-2007:029, VIGILANCE-VUL-6468.

Description of the vulnerability

The libsoup library implements the HTTP protocol.

An HTTP GET request has the following general syntax:
  GET /file HTTP/version

When the filename contains a null character, libsoup computes the data size incorrectly, which generates an error.

A remote attacker can thus stop applications compiled with libsoup from providing a web service.

computer vulnerability alert CVE-2007-0157

neon: denial of service via an uri

Synthesis of the vulnerability

When the ne_uri_parse() function of the libneon library parses a URI containing non-7-bit-ASCII characters, an error occurs.
Impacted products: Debian, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 15/01/2007.
Identifiers: 404723, BID-22035, CVE-2007-0157, MDKSA-2007:013, SUSE-SR:2007:002, VIGILANCE-VUL-6466.

Description of the vulnerability

The neon library implements the HTTP and WebDAV protocols.

The ne_uri_parse() function parses URIs. It uses the uri_lookup() macro, which does not correctly handle characters above 127. This error, caused by a bad cast, crashes the software on 64-bit computers.

An attacker can therefore generate a denial of service in applications linked with libneon, for example via a PROPFIND request.
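As an added example (not neon's code), this C shows the class of bug described above and its standard fix: a 256-entry character table indexed through a plain char goes negative for bytes above 127 wherever char is signed, while indexing through unsigned char keeps the index in 0..255. The table contents are an assumed subset of the URI character classes, not neon's table.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

enum { URI_BAD = 0, URI_UNRESERVED = 1, URI_RESERVED = 2 };

static unsigned char uri_chars[256];

/* Fill the table (assumed subset of the RFC 3986 character classes). */
static void init_table(void)
{
    const char *unres = "abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~";
    const char *res = ":/?#[]@!$&'()*+,;=%";
    memset(uri_chars, URI_BAD, sizeof uri_chars);
    for (; *unres; unres++) uri_chars[(unsigned char)*unres] = URI_UNRESERVED;
    for (; *res; res++) uri_chars[(unsigned char)*res] = URI_RESERVED;
}

/* The index a lookup written as uri_chars[ch] would compute: for bytes
 * >= 0x80 it is negative wherever char is signed (x86), i.e. an
 * out-of-bounds read. Returned as a number only, never used to index. */
int buggy_index(char ch) { return (int)ch; }

/* The index after the fix: cast through unsigned char, always 0..255. */
int fixed_index(char ch) { return (int)(unsigned char)ch; }

#define uri_lookup(ch) (uri_chars[(unsigned char)(ch)])

/* Offset of the first byte that is not acceptable in a URI, or -1 if
 * every byte is; safe for any input, including non-ASCII bytes. */
int first_bad_uri_byte(const char *uri)
{
    static int ready;
    if (!ready) { init_table(); ready = 1; }
    for (size_t i = 0; uri[i]; i++)
        if (uri_lookup(uri[i]) == URI_BAD)
            return (int)i;
    return -1;
}
```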

computer vulnerability CVE-2006-6799

Cacti: command injections

Synthesis of the vulnerability

An attacker can inject SQL and shell commands via the cmd.php and copy_cacti_user.php scripts of Cacti.
Impacted products: Cacti, Debian, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 12/01/2007.
Identifiers: BID-21799, CERTA-2002-AVI-065, CERTA-2007-AVI-001, CVE-2006-6799, DSA-1250-1, MDKSA-2007:015, SUSE-SA:2007:007, VIGILANCE-VUL-6465.

Description of the vulnerability

Cacti is a web application written in PHP that displays network statistics graphs.

Several scripts contain parameter check errors, through which an attacker can inject SQL or shell commands. These vulnerabilities can be exploited when the register_argc_argv PHP setting is enabled.

An attacker can thus execute code on the server.

vulnerability CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

XFree86, X.org: several vulnerabilities

Synthesis of the vulnerability

A local attacker can obtain root privileges by exploiting XFree86 and X.org vulnerabilities.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, NetBSD, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, TurboLinux, Unix (platform) ~ not comprehensive, XOrg Bundle ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/01/2007.
Identifiers: 102803, 4915967, 6502073, 6504408, BID-21968, CERTA-2007-AVI-025, CVE-2006-6101, CVE-2006-6102, CVE-2006-6103, DSA-1249-1, emr_na-c01075678-1, FEDORA-2007-035, FEDORA-2007-036, HPSBUX02225, iDefense Security Advisory 01.09.07, MDKSA-2007-005, NetBSD-SA2007-002, NetBSD Security Advisory 2007-002, RHSA-2007:0002-01, RHSA-2007:0003-01, SSA:2007-066-02, SSRT071295, SUSE-SA:2007:008, TLSA-2007-14, VIGILANCE-VUL-6450.

Description of the vulnerability

The XFree86 or X.org server runs with root privileges. It has three vulnerabilities permitting a local attacker to elevate privileges.

The ProcRenderAddGlyphs() function of the Render extension does not correctly check its parameters. [severity:2/4; CERTA-2007-AVI-025, CVE-2006-6101, iDefense Security Advisory 01.09.07]

The ProcDbeGetVisualInfo() function of the DBE extension does not correctly check its parameters. [severity:2/4; CVE-2006-6102, iDefense Security Advisory 01.09.07]

The ProcDbeSwapBuffers() function of the DBE extension does not correctly check its parameters. [severity:2/4; CVE-2006-6103, iDefense Security Advisory 01.09.07]

computer vulnerability announce CVE-2006-5867 CVE-2006-5974

fetchmail: several vulnerabilities

Synthesis of the vulnerability

An attacker can generate a denial of service or obtain sensitive information via fetchmail.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, TurboLinux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 08/01/2007.
Identifiers: 20070201-01-P, BID-21902, BID-21903, CERTA-2002-AVI-065, CERTA-2007-AVI-020, CVE-2006-5867, CVE-2006-5974, DSA-1259-1, FEDORA-2007-041, FEDORA-2007-042, fetchmail-SA-2006-02, fetchmail-SA-2006-03, fetchmail-SA-2007-01, MDKSA-2007:016, RHSA-2007:0018-01, SSA:2007-024-01, SUSE-SR:2007:004, TLSA-2007-3, VIGILANCE-VUL-6437.

Description of the vulnerability

The fetchmail application retrieves mail from POP, IMAP, ETRN or ODMR servers and forwards it to a local mail server. It contains several vulnerabilities.

When fetchmail rejects a message via the MDA, a NULL pointer is dereferenced in ferror() and fflush(). [severity:2/4; BID-21902, CERTA-2007-AVI-020, CVE-2006-5974, fetchmail-SA-2006-03]

When the sslcertck/sslfingerprint options are enabled, TLS negotiation is not enforced. [severity:2/4; BID-21903, CVE-2006-5867, fetchmail-SA-2006-02]

When "sslproto tls1" is enabled, the session can proceed without TLS. [severity:2/4; BID-21903, CVE-2006-5867, fetchmail-SA-2006-02]

In POP3, TLS options can be ignored, because capabilities (CAPA) are not negotiated. [severity:2/4; BID-21903, CVE-2006-5867, fetchmail-SA-2006-02]

In POP3, plain-text passwords can be used even if strong authentication is configured. [severity:2/4; BID-21903, CVE-2006-5867, fetchmail-SA-2006-02]

The user is not warned about authentication methods unsupported by POP2. [severity:2/4; BID-21903, CVE-2006-5867, fetchmail-SA-2006-02]

vulnerability note CVE-2005-4816

ProFTPD: denial of service of mod_radius

Synthesis of the vulnerability

When the mod_radius module is enabled, an attacker can use a long password in order to generate a denial of service.
Impacted products: Debian, ProFTPD.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 08/01/2007.
Identifiers: 2658, BID-16535, CVE-2005-4816, DSA-1245-1, VIGILANCE-VUL-6434.

Description of the vulnerability

The mod_radius module enables RADIUS authentication on the FTP server.

When the password is too long, this module overwrites a memory area. Because this area is still in use, its values are modified, which alters the module's behaviour and leads to a crash.

A remote attacker can thus submit a long password in order to generate a denial of service.

vulnerability CVE-2006-5870

OpenOffice, StarOffice: integer overflow of WMF/EMF

Synthesis of the vulnerability

An attacker can create a document containing a WMF/EMF image in order to execute code on victim's computer.
Impacted products: OpenOffice, Debian, Fedora, Mandriva Linux, Windows (platform) ~ not comprehensive, openSUSE, Solaris, Trusted Solaris, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 04/01/2007.
Revision date: 05/01/2007.
Identifiers: 102735, 20070101-01-P, 6498220, 6498221, 6498574, CERTA-2007-AVI-005, CVE-2006-5870, DSA-1246-1, FEDORA-2007-005, MDKSA-2007:006, RHSA-2007:0001-01, SUSE-SA:2007:001, VIGILANCE-VUL-6430, VU#220288.

Description of the vulnerability

The OpenOffice/StarOffice suite can import Microsoft Office documents containing WMF/EMF images (Windows/Enhanced Meta File).

The source/filter.vcl/wmf/enhwmf.cxx and source/filter.vcl/wmf/winwmf.cxx files do not check for integer overflows occurring when text or a polygon is displayed.

An attacker can thus create a malicious document and invite the victim to open it, in order to execute code on the victim's computer.

computer vulnerability CVE-2006-6373 CVE-2006-6374 CVE-2006-6942

phpMyAdmin: several Cross Site Scripting

Synthesis of the vulnerability

An attacker can use several PHP pages in order to inject HTML code into phpMyAdmin.
Impacted products: Debian, phpMyAdmin.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 6.
Creation date: 17/11/2006.
Revision date: 03/01/2007.
Identifiers: BID-21137, CVE-2006-6373, CVE-2006-6374, CVE-2006-6942, CVE-2006-6943, DSA-1370-1, MDKA-2006:061, PMASA-2006-7, PMASA-2006-8, PMASA-2006-9, VIGILANCE-VUL-6325.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database. It has several vulnerabilities.

An attacker can perform a Cross Site Scripting attack by adding a comment to a table in db_operations.php. [severity:2/4; PMASA-2006-7]

An attacker can perform a Cross Site Scripting attack by using the db variable of db_create.php. [severity:2/4; PMASA-2006-7]

An attacker can perform a Cross Site Scripting attack by using the newname variable of db_operations.php. [severity:2/4; PMASA-2006-7]

An attacker can perform a Cross Site Scripting attack by using the query_history_latest, query_history_latest_db and querydisplay_tab variables of querywindow.php. [severity:2/4; PMASA-2006-7]

An attacker can perform a Cross Site Scripting attack by using the pos variable of sql.php. [severity:2/4; PMASA-2006-7]

An attacker can obtain the full installation path by triggering errors in check_lang.php, layout.inc.php, index.php, left.php, server_databases.php, db_printview.php and sql.php. [severity:2/4; CVE-2006-6373, PMASA-2006-8]