Author: stef-guest
Date: 2007-05-16 20:35:35 +0000 (Wed, 16 May 2007)
New Revision: 5850
Modified:
data/CVE/list
Log:
CVE-2007-1401: new php4 issue
add some info about possible javascript hijacking vulns
NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-05-16 19:48:50 UTC (rev 5849)
+++ data/CVE/list 2007-05-16 20:35:35 UTC (rev 5850)
@@ -437,15 +437,34 @@
RESERVED
CVE-2007-2385 (The Yahoo! UI framework exchanges data using JavaScript Object
...)
TODO: check yui
- TODO: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+ NOTE: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+ NOTE: This allows to steal data from affected websites. Therefore web
applications should
+ NOTE: only be considered vunerabile if they process confidential data.
+ NOTE: The frameworks should be fixed in any case.
CVE-2007-2384 (The Script.aculo.us framework exchanges data using JavaScript
Object ...)
TODO: check glpi knowledgeroot mt-daapd op-panel python-webhelpers qwik
rails wordpress
+ NOTE: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+ NOTE: This allows to steal data from affected websites. Therefore web
applications should
+ NOTE: only be considered vunerabile if they process confidential data.
+ NOTE: The frameworks should be fixed in any case.
CVE-2007-2383 (The Prototype (prototypejs) framework exchanges data using
JavaScript ...)
TODO: check glpi hobix knowledgeroot libbio-ruby1.8 mt-daapd op-panel
poker-web python-webhelpers qwik rails wordpress
+ NOTE: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+ NOTE: This allows to steal data from affected websites. Therefore web
applications should
+ NOTE: only be considered vunerabile if they process confidential data.
+ NOTE: The frameworks should be fixed in any case.
CVE-2007-2382 (The Moo.fx framework exchanges data using JavaScript Object
Notation ...)
- NOT-FOR-US: MochiKit framework
+ TODO: check
+ NOTE: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+ NOTE: This allows to steal data from affected websites. Therefore web
applications should
+ NOTE: only be considered vunerabile if they process confidential data.
+ NOTE: The frameworks should be fixed in any case.
CVE-2007-2381 (The MochiKit framework exchanges data using JavaScript Object
Notation ...)
TODO: check python-paste
+ NOTE: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+ NOTE: This allows to steal data from affected websites. Therefore web
applications should
+ NOTE: only be considered vunerabile if they process confidential data.
+ NOTE: The frameworks should be fixed in any case.
CVE-2007-2380 (The Microsoft Atlas framework exchanges data using JavaScript
Object ...)
NOT-FOR-US: Microsoft Atlas
CVE-2007-2379 (The jQuery framework exchanges data using JavaScript Object
Notation ...)
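Review bot: "vunerabile" in the third NOTE line of each of the five added blocks (CVE-2007-2385 through CVE-2007-2381) should read "vulnerable". Because the same four NOTE lines are pasted five times, any later correction has to be made in five places; consider keeping the full text on one entry and pointing the others at it. For CVE-2007-2382 the new `TODO: check` names no candidate packages, unlike the neighbouring TODO lines, and the removed line said MochiKit while the description says Moo.fx, so state which packages are meant to be checked. The criterion "only be considered vunerabile if they process confidential data" is left to each checker's judgement; recording per package whether it holds would make the eventual triage reviewable.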
@@ -2701,7 +2720,8 @@
CVE-2007-1402 (The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll
allows ...)
NOT-FOR-US: Rediff Toolbar ActiveX control
CVE-2007-1401 (Buffer overflow in the crack extension (CrackLib), as bundled
with PHP ...)
- TODO: check
+ - php4 <unfixed>
+ TODO: check php5
CVE-2007-1400 (Plash permits sandboxed processes to open /dev/tty, which
allows local ...)
NOT-FOR-US: Plash
CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL
ZIP ...)
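Review bot: `- php4 <unfixed>` for CVE-2007-1401 carries no bug reference or NOTE saying how the affected status was established, for example whether the php4 package actually builds the bundled crack extension; add one so the entry can be verified later. `TODO: check php5` is fine as a placeholder, but the visible description only says "as bundled with PHP ...", so when the check is done, record in a NOTE which PHP versions the advisory names.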
@@ -5661,7 +5681,7 @@
CVE-2007-0324 (Multiple buffer overflows in the LizardTech DjVu Browser
Plug-in ...)
NOT-FOR-US: LizardTech DjVu Browser Plug-in
CVE-2007-0323 (Buffer overflow in the SetLanguage function in Research In
Motion ...)
- TODO: check
+ NOT-FOR-US: Research In Motion (RIM) TeamOn Import Object ActiveX
control
CVE-2007-0322
RESERVED
CVE-2007-0321 (Buffer overflow in the Update Service Agent ActiveX Control in
...)
@@ -5903,9 +5923,9 @@
CVE-2007-0222 (Directory traversal vulnerability in the EmChartBean server
side ...)
NOT-FOR-US: Oracle Application Server
CVE-2007-0221 (IMAP support in Microsoft Exchange Server 2000 SP3 allows
remote ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2007-0220 (Cross-site scripting (XSS) vulnerability in Outlook Web Access
(OWA) ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2007-0219 (Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM
objects ...)
NOT-FOR-US: Microsoft
CVE-2007-0218
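Review bot: the two NOT-FOR-US lines added for CVE-2007-0221 and CVE-2007-0220 give only the vendor ("Microsoft"), while the RIM entry added in the previous hunk names the product. This matches the existing CVE-2007-0219 line, so it is a style point only, but naming Exchange Server and Outlook Web Access would make the reason greppable and consistent with the more specific entries.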
@@ -5919,7 +5939,7 @@
CVE-2007-0214 (The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows
2000 ...)
NOT-FOR-US: Microsoft
CVE-2007-0213 (Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007
does ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2007-0212
RESERVED
CVE-2007-0211 (The hardware detection functionality in the Windows Shell in
Microsoft ...)
@@ -6504,7 +6524,7 @@
CVE-2007-0040
RESERVED
CVE-2007-0039 (The Exchange Collaboration Data Objects (EXCDO) functionality
in ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2007-0038 (Stack-based buffer overflow in the animated cursor code in
Microsoft ...)
NOT-FOR-US: Microsoft
CVE-2007-0037
_______________________________________________
Secure-testing-commits mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits