Security Vulnerabilities, CVEs, Published In June 2007

Stack-based buffer overflow in the BeginPrint method in a certain ActiveX control in RKD Software (barcodetools.com) BarCodeAx.dll 4.9 allows remote attackers to execute arbitrary code via a long argument.

Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload.

Stack-based buffer overflow in peviewer.spl in Altap Servant Salamander 2.5 with Portable Executable Viewer 2.02 (English Trial), and 2.0 with Portable Executable Viewer 1.00 (English Trial), allows remote attackers to execute arbitrary code via a long PDB debug filename in a PE file.

The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.

Multiple buffer overflows in the LGServer component of CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.1 allow remote attackers to execute arbitrary code via crafted arguments to the (1) rxsAddNewUser, (2) rxsSetUserInfo, (3) rxsRenameUser, (4) rxsSetMessageLogSettings, (5) rxsExportData, (6) rxsSetServerOptions, (7) rxsRenameFile, (8) rxsACIManageSend, (9) rxsExportUser, (10) rxsImportUser, (11) rxsMoveUserData, (12) rxsUseLicenseIni, (13) rxsLicGetSiteId, (14) rxsGetLogFileNames, (15) rxsGetBackupLog, (16) rxsBackupComplete, (17) rxsSetDataProtectionSecurityData, (18) rxsSetDefaultConfigName, (19) rxsGetMessageLogSettings, (20) rxsHWDiskGetTotal, (21) rxsHWDiskGetFree, (22) rxsGetSubDirs, (23) rxsGetServerDBPathName, (24) rxsSetServerOptions, (25) rxsDeleteFile, (26) rxsACIManageSend, (27) rxcReadBackupSetList, (28) rxcWriteConfigInfo, (29) rxcSetAssetManagement, (30) rxcWriteFileListForRestore, (31) rxcReadSaveSetProfile, (32) rxcInitSaveSetProfile, (33) rxcAddSaveSetNextAppList, (34) rxcAddSaveSetNextFilesPathList, (35) rxcAddNextBackupSetIncWildCard, (36) rxcGetRevisions, (37) rxrAddMovedUser, (38) rxrSetClientVersion, or (39) rxsSetDataGrowthScheduleAndFilter commands.

Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 allows remote attackers to execute arbitrary code via a long server property value to the send method. NOTE: some of these details are obtained from third party information.

Stack-based buffer overflow in DVD X Player 4.1 Professional allows remote attackers to execute arbitrary code via a PLF playlist containing a long filename.

Multiple buffer overflows in certain ActiveX controls in sasatl.dll in Zenturi ProgramChecker allow remote attackers to execute arbitrary code via unspecified vectors, possibly involving the (1) DebugMsgLog or (2) DoFileProperties methods.

Multiple stack-based buffer overflows in the FViewerLoading ActiveX control (FlipViewerX.dll) in E-Book Systems FlipViewer before 4.1 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via long (1) UID, (2) Opf, (3) PAGENO, (4) LaunchMode, (5) SubID, (6) BookID, (7) LibraryID, (8) SubURL, and (9) LoadOpf properties.

Multiple stack-based buffer overflows in ActiveX controls (1) VibeC in (a) vibecontrol.dll, (2) CallManager and (3) ViewerClient in (b) StarClient.dll, (4) ComLink in (c) uicomlink.dll, and (5) WebCamXMP in (d) wcamxmp.dll in Logitech VideoCall allow remote attackers to cause a denial of service (browser crash) and execute arbitrary code via unspecified vectors.

Stack-based buffer overflow in the Anti-Virus engine before content update 30.6 in multiple CA (formerly Computer Associates) products allows remote attackers to execute arbitrary code via a large invalid value of the coffFiles field in a .CAB file.

Microsoft Windows Graphics Device Interface (GDI+, GdiPlus.dll) allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero, which triggers a divide-by-zero error.

Directory traversal vulnerability in the PersistenceService in Sun Java Web Start in JDK and JRE 5.0 Update 11 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, for Windows allows remote attackers to perform unauthorized actions via an application that grants file overwrite privileges to itself. NOTE: this can be leveraged to execute arbitrary code by overwriting a .java.policy file.

The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML documentation pages that contain cross-site scripting (XSS) vulnerabilities, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Unspecified vulnerability in the web-based product configuration system in Kaspersky Anti-Spam before 3.0 MP1 allows remote attackers to obtain access to certain directories.

Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin 1.30.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the domain parameter, a different vector than CVE-2007-1508.

Xeweb XEForum allows remote attackers to gain privileges via a modified xeforum cookie.

SlackRoll before 8 accepts gpg exit codes other than 0 and 1 as evidence of a valid signature, which allows remote Slackware mirror sites or man-in-the-middle attackers to cause a denial of service (data inconsistency) or possibly install Trojan horse packages via malformed gpg signatures.

Cross-site scripting (XSS) vulnerability in smoketests/configForm.php in HTML Purifier before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "unescaped print_r output."

Microsoft Internet Explorer 7 allows remote attackers to determine the existence of page history via the history.length JavaScript variable.

Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.

Multiple cross-site scripting (XSS) vulnerabilities in the SAP Internet Communication Framework (BC-MID-ICF) in the SAP Basis component 700 before SP12, and 640 before SP20, allow remote attackers to inject arbitrary web script or HTML via certain parameters associated with the default login error page.

Papoo CMS 3.6, and possibly earlier, does not verify user privileges when accessing the backend administration plugins, which allows remote authenticated users to (1) read the entire database by accessing the database backup plugin via a devtools/templates/newdump_backend.html argument in the template parameter to interna/plugin.php, (2) create plugins, (3) remove plugins, (4) enable debug mode, and have other unspecified impact.

A certain ActiveX control in NCTWavChunksEditor2.dll 2.6.1.148 in NCTAudioStudio (NCTAudioStudio2) 2.7, as used by Sienzo DMM and probably other products, allows remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the CreateFile method, a different product than CVE-2007-3400.

Conti FtpServer 1.0 allows remote authenticated users to cause a denial of service (daemon crash) via a certain string containing "//A:" in the argument to the LIST command.