Ultimate PHP Board chat/login.php username Parameter Arbitrary Command Execution

The remote host is running Ultimate PHP Board UPB. The version of UPB installed on the remote host does not sanitize input to the 'username' parameter of the 'chat/login.php' script before writing it to 'chat/text.php'. Regardless of PHP's settings, an attacker can leverage this flaw to inject...

Microsoft Office for Mac未明安全漏洞

Microsoft Office for Mac是一款微软开发的使用在苹果系统上的办公软件。 Microsoft Office for Mac存在未明错误，远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。 目前没有详细漏洞细节提供。 Microsoft Office X for Mac 0 Microsoft Office 2004 for Mac 0 目前没有详细解决方案提供： http://www.microsoft.com/mac/products/office2004/office2004.aspx?pid=office2004...

NOD32 Anti-Virus多个文件解析漏洞

NOD32 Anti-Virus是一款流行的反病毒软件。 NOD32 Anti-Virus处理多个文件存在问题，远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。 当处理畸形.chm文件时，可导致除零错误而使应用程序崩溃。特殊构建的.doc文件，可导致整数溢出而以应用程序进程权限执行任意指令。 目前没有详细漏洞细节提供。 Eset Software NOD32 Antivirus 可参考如下安全公告获得补丁信息： http://eset.com/support/updates.php?pageno=63...

CVE-2006-6678

The edittextarea function in form-file.c in Netrik 1.15.4 and earlier does not properly verify temporary filenames when editing textarea fields, which allows attackers to execute arbitrary commands via shell metacharacters in the filename...

TYPO3 'spell-check-logic.php' 'userUid' Parameter Arbitrary Command Execution

The remote host is running TYPO3, an open source content management system written in PHP. The version of TYPO3 installed on the remote host fails to sanitize user-supplied input to the 'userUid' parameter before using it in the 'spell-check-logic.php' script to execute a command. An...

Joomla X-shop远程文件包含漏洞

Joomla X-shop是一款基于PHP的电子购物程序。 Joomla X-shop不正确过滤用户提交的URI数据，远程攻击者可以利用漏洞以WEB进程权限执行任意命令。 问题是脚本对用户提交的WEB参数缺少过滤，提交恶意的远程服务器作为包含对象，可导致以WEB进程权限执行任意PHP代码。 Joomla X-Shop 1.7 http://mamboxchange.com/projects/x-shop/...

Invisionix Roaming System Remote Pageheaderdefault.Inc.PHP远程文件包含漏洞

Invisionix Roaming System是一款基于PHP的WEB应用程序。 Invisionix Roaming System不正确过滤用户提交的URI数据，远程攻击者可以利用漏洞以WEB进程权限执行任意命令。 问题是'Pageheaderdefault.Inc.PHP'脚本对用户提交的WEB参数缺少过滤，提交恶意的远程服务器作为包含对象，可导致以WEB进程权限执行任意PHP代码。 Invisionix Systems Invisionix Roaming System Remote 0.2 http://www.invisionix.org/...

CVE-2006-6289

Woltlab Burning Board wBB Lite 1.0.2 does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the wbbuserid parameter to the top-level URI...

Novell ZENworks Asset Management MSG.DLL远程整数溢出漏洞

Novell Inc's ZENworks是一套用于自动IT管理和在各个电脑资源中进行商务处理的工具。 Novell Inc's ZENworks Asset Management存在一个整数溢出，远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。 当处理特殊的包发送给Task服务器或者Collection服务守护程序时存在堆溢出，当分配内存给远程提供的数据时可以应用程序进程权限执行任意指令。 Novell ZENworks Asset Management 7.0 SP1 补丁下载： Novell ZENworks Asset Management 7.0 SP1 Novell...

IBM Tivoli Storage Manager多个远程安全内存访问拷贝漏洞

Tivoli Storage Manager是一种遵循ANSI SAN标准的可扩展解决方案，用于发现、监控和管理企业SAN架构组件，并可分配和自动操纵企业的附加磁盘存储资源。 Tivoli Storage Manager服务在处理发送到TCP/1500端口的消息时存在多个内存访问拷贝漏洞，远程攻击者可能利用这些漏洞导致服务崩溃或执行任意指令。 能够触发漏洞的消息格式为indexsize，其中index字段指定了到消息体特定字段的整数偏移，size字段指定了index字段的大小。由于没有验证index字段，因此攻击者可以强制服务读过报文的末尾，到达未分配的内存，导致拒绝服务。...

CVE-2006-6244

Coalescent Systems freePBX (formerly Asterisk Management Portal) before 2.2.0rc1 is vulnerable to arbitrary command execution via shell metacharacters in CALLERID(name) or CALLERID(number). Root cause: improper handling of shell metacharacters in these fields. The available sources document this ...

Sisfo Kampus文件包含及目录遍历漏洞

Sisfo Kampus是一款系统信息管理系统。 Sisfo Kampus在处理用户请求时存在输入验证漏洞，远程攻击者可能利用此漏洞在服务器上以Web进程权限执行任意命令。 Sisfo Kampus的index.php和print.php脚本没有过滤slnt参数的输入，允许攻击者通过包含本地或外部资源的任意文件导致执行任意代码。 index.php中漏洞代码如下： -------------------------Line 27----------------------------- ?php if $exec=='main.php' &&...

MailEnable IMAP服务未明缓冲区溢出漏洞

MailEnable是一款流行的邮件服务程序. MailEnable IMAP服务存在未明缓冲区溢出，远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。 目前没有详细漏洞细节提供。 MailEnable MailEnable Professional 2.0-2.32 MailEnable MailEnable Professional 1.9-1.82 MailEnable MailEnable Enterprise Edition 2.0-2.32 MailEnable MailEnable Enterprise Edition 1.1-1.30 补丁下载：...

CVE-2006-5957

INFINICART is affected by multiple SQL injection vulnerabilities reported as CVE-2006-5957. Public details specify that remote attackers could manipulate SQL by supplying crafted input in the following parameters: groupid (browse_group.asp), productid (added_to_cart.asp), and catid/subid (browses...

Sky Software FileView ActiveX control allows arbitrary command execution via unsafe methods

Overview The Sky Software FileView ActiveX control contains unsafe methods, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The Sky Software FileView object is an ActiveX control that is provided with several applications, such as...

Oracle Security Component sys.pbsde buffer overflow

Added: 11/07/2006 CVE: CVE-2005-3438 BID: 15134 OSVDB: 20612 Background pbsde is a package of stored procedures which is part of the base installation of Oracle Database. Problem A buffer overflow in the sys.pbsde.init procedure allows database users to execute arbitrary commands. Resolution Appl...

eIQNetworks Enterprise Security Analyzer Monitoring.exe多个缓冲区溢出漏洞

eIQnetworks Enterprise Security Analyzer（ESA）是一款企业级的安全管理平台。 ESA的Monitoring.exe进程中存在两个缓冲区溢出漏洞，远程攻击者可能利用此漏洞在服务器上执行任意指令。 第一个漏洞存在于Monitoring.exe中负责处理TCP 9999端口上用户数据的例程中。如果连接到这个端口，用户就会立即被提示输入口令。这时可以发送HELP命令获得各种命令帮助： --------------------------------------------------------- Usage: QUERYMONITOR: to fetc...

Serv-U FTP Server MDTM timezone buffer overflow

Added: 10/27/2006 CVE: CVE-2004-0330 BID: 9751 OSVDB: 4073 Background Serv-U FTP Server supports the MDTM command which allows users to modify the time stamp on files. Problem A buffer overflow in Serv-U FTP Server allows remote authenticated attackers to execute arbitrary commands by sending the...

Ingo Foldername Arbitrary Command Execution

According to its version number, the instance of Ingo installed on the remote host fails to properly sanitize mailbox destinations in filter rules. By using a folder name beginning with '|' as a mailbox destination, an authenticated, remote attacker may be able to exploit this issue to execute...

Debian DSA-933-1 : hylafax - arbitrary command execution

Patrice Fournier found that hylafax passes unsanitized user data in the notify script, allowing users with the ability to submit jobs to run arbitrary commands with the privileges of the hylafax server. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks i...