Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier and 5.5.23 and earlier allows remote authenticated users to affect availability, related to GIS Extension.

CVE-2012-0540: Oracle Critical Patch Update - July 2012

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1703.

CVE-2012-1690: Oracle Critical Patch Update - April 2012

Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.

Image

Featured Details

**Multiple ways to consume Secunia Research**

Secunia delivers software security research that provides reliable, curated and actionable vulnerability intelligence. Organizations can expect to receive standardized, validated and enriched vulnerability research on a specific version of a software product. Secunia Research supports four solutions:

SVG

**Data Platform**

Data Platform leverages Secunia Research to provide high-level insights based on major or minor versions of software in your normalized inventory

Learn More

SVG

**Flexera One**

Flexera One utilizes Secunia Research (alongside public NVD data) to provide more granular matching of build-level versions of software in your normalized inventory within its IT Asset Management and IT Visibility solutions

Learn More

How it works

**Accurate, reliable vulnerability insights at your fingertips**

The Secunia Research team from Flexera is comprised of several security specialists who conduct vulnerability research in various products in addition to testing, verifying and validating public vulnerability reports. Since its inception in 2002, the goal of the Secunia Research team is to provide the most accurate and reliable source of vulnerability intelligence.

Delivering the world’s best vulnerability intelligence requires skill and passion. Team members continually develop their skills exploring various high-profile closed and open-source software using a variety of approaches, focusing chiefly on thorough code audits and binary analysis. The team has received industry recognition, including naming members to Microsoft’s Most Valuable Security Researchers list.

Secunia researchers discover hard-to-find vulnerabilities that aren’t normally identified with techniques such as fuzzing, and the results have been impressive. Members of the Secunia Research team have discovered critical vulnerabilities in products from vendors including Microsoft, Symantec, IBM, Adobe, RealNetworks, Trend Micro, HP, Blue Coat, Samba, CA, Mozilla and Apple.

The team produces invaluable security advisories based on research of the vulnerabilities affecting any given software update. Sometimes a single update can address multiple vulnerabilities of varying criticalities and threats; but these advisories aggregate and distill findings down to a single advisory perfect for the prioritization of patching efforts within Software Vulnerability Manager. Criticality scores are consistently applied along with details around attack vector and other valuable details within Software Vulnerability Research. Illegitimate vulnerability reports are also investigated and rejected so you can focus only on what truly matters.

Informing IT, Transforming IT

**Industry insights to help keep you informed**

CVE-2012-1225: About Secunia Research | Flexera

Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.

CVE-2011-4802

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CVE-2011-0448

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

Well, here I am developing ACS, finding that this project resembles at some degree the creation of a browser.. but anyway, it's close to a working beta (yay!).

In any case, a couple of bugs came to my attention, some of them are public, some of them are not.

First of all, I want to describe the PHP vulnerability I made public on my presentation with David Lindsay, at Blackhat USA 2009, that apparently only Chris Weber, Giorgio Maone (creator of NoScript), Mario Heiderich (creator of PHP-IDS) and the Acunetix security team have realized the danger of it.

It has been reported, well, more than enough times to the PHP team (I made another attempt today, hoping this will get fixed in some time soon.. if at all). This issue affects all PHP versions Mario Heiderich and me could test, and endangers practically all PHP programs that use the utf8\_decode() function for decoding (as recommended by OWASP guidelines).

> The disclosure timeline follows:  
> \* Reported by root@80sec.com: May 11 2009  
> \* Discovered by webmaster@lapstore.de: June 19 2009  
> \* Discovered by Giorgio Maone / Eduardo Vela: July 14 2009  
> \* Reported and Fixed on PHPIDS: July 14 2009  
> \* Microsoft notified of a XSS Filter bypass: July 14 2009  
> \* Fixed XSS Filter bypass on NoScript 1.9.6:  July 20 2009  
> \* Vulnerability disclosed on BlackHat USA 2009: July 29 2009  
> \* Added signature to Acunetix WVS: August 14 2009  
> \* Re-reported by sird@rckc.at: September 27 2009  
> \* Vendor claims it was fixed on 5.2.11: September 29 2009  
> \* Re-re-reported by sird@rckc.at after checking 5.2.11: October 16 2009  
> \* Published sirdarckcat.blogspot.com: October 16 2009  

You can check the bug here:  
http://bugs.php.net/bug.php?id=49687

In reality there are several vulns in just a couple of lines, so I'll describe them here:  
1.- **Overlong UTF-8:**

> As REQUIRED by UNICODE 3.1, and noted in the Unicode Technical Report #36, UTF-8 is forbidden to interpretate a character's non-shortest form.  

   

http://www.unicode.org/reports/tr36/#UTF-8\_Exploit

**VULN: _PHP makes no checks whatsoever on this matter._**

**Why is this a vulnerability?**

A filter (such as addslashes, htmlentities, escapeshellarg, etc.) will NOT be able to detect&escape such byte sequences, and so an application that relies on them for security checks wont be protected at all. Because it allows an attacker to encode "dangerous" chars, such as ', ", <, ;, &, \\0 in different ways:

' = %27 = %c0%a7 = %e0%80%a7 = %f0%80%80%a7  
" = %22 = %c0%a2 = %e0%80%a2 = %f0%80%80%a2  
< = %3c = %c0%bc = %e0%80%bc = %f0%80%80%bc  
; = %3b = %c0%bb = %e0%80%bb = %f0%80%80%bb  
& = %26 = %c0%a6 = %e0%80%a6 = %f0%80%80%a6  
\\0= % 00 = %c0%80 = %e0%80%80 = %f0%80%80%80

Use hackvertor to generate them.

Enabling attacks on systems that use addslashes for example (but almost all encoding functions would be vulnerable):

> // add slashes!  
> foreach($\_GET as $k=>$v)$\_GET\[$k\]=**addslashes**("$v");
> 
> //  .... some code ...
> 
> // $name is encoded in utf8  
> $name=**utf8\_decode**($\_GET\['name'\]);  
> mysql\_query("SELECT \* FROM table WHERE name='$name';");
> 
> ?>

2.- **Ill formed sequences**:  
As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, then it should NOT consume it.  
    http://www.unicode.org/reports/tr36/#Ill-Formed\_Subsequences

**VULN: _PHP will consume invalid bytes._**

**Why is this a vulnerability?**

It will allow an attacker to "eat" controll chars. For example:

> // htmlentities  
> foreach($\_GET as $k=>$v)$\_GET\[$k\]=**htmlentities**("$v",ENT\_QUOTES);
> 
> //  ... some code ...
> 
> $name=$\_GET\['name'\];  
> $url=$\_GET\['url'\];
> 
> //  ... some code ...
> 
> $profileImage="<img alt=\\"Photo of $name\\" src=\\"http://$url\\" />";
> 
> // ... some code ...  
> echo **utf8\_decode**($profileImage);  
> ?>

A request such as:

?name=%90&src=%20onerror=alert(1)%20

Will execute the code "alert(1)" when the page loads.

Note that htmlpurifier does a utf8\_decode function call at the end of the decoding, BUT they are safe because of a pre-encoding made by htmlpurifier.. other codes that do the same wont be so lucky.

Bogdan Calin from Acunetix WVS described a couple of other potential attack scenarios:

>   

Where an attacker could fool the filter by doing a request like:  
vuln.php?input=**%F6%3Cimg+onmouseover=prompt(/xss/)//%F6%3E**

And:

>   

  

>   

Where an attacker could fool the filter by doing a request like:  
index.php?username=**test%FC%27%27+or+1=1+–+**&password=a

3.- **Integer overflow:**  
Unsigned short has a size of 16 bits (2 bytes), that is UNCAPABLE of storing unicode characters of 21 bits, and represented on UTF with 4 bytes (1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx). PHP attempts to sum a 21 bits value to a 16 bits-size variable, and then makes no checks on the value.

The affected code follows:

> //  php/ext/xml/xml.c#558  
> PHPAPI char \*xml\_utf8\_decode(    //  ...  
> {  
>     int pos = len;  
>     char \*newbuf = emallo    //  ...  
>     unsigned short c;          // **sizeof(unsigned short)==16** bits  
>     char (\*decoder)(unsig    //  ...  
>     xml\_encoding \*enc = x    //  ...  
> //  ...  
> //  #580  
>     c = (unsigned char)(\*s);  
>     if (c >= 0xf0) {         /\* **four bytes encoded, 21** bits \*/  
>         if(pos-4 >= 0) {  
>             c = (**(s\[0\]&7)<<18) | ((s\[1\]&63)<<12)** | ((s\[2\]&63)<<6) | (s\[3\]&63);  
>         } else {  
>             c = '?';     
>         }  
>         s += 4;  
>         pos -= 4;  
> //  ...  

The relevant part of the code is of course, the declaration of c as an unsigned int, the comment specifing that the char is 21 bits, and this:

> x= ((s\[0\]&7)<<18) | ...  

s\[0\]&7<<18 means it will move 3 bits, 18 bits to the right. As we noted before.. c's size is only 16 bits.

> (xxxx xxxx & 0000 0111) << 18  

Also, this part:

> ...  ((s\[1\]&63)<<12) | ...  

s\[1\]&63<<12 means it will move 6 bits, 12 bits to the right. So, 2 bits are going to be lost.

> (xxxx xxxx & 0011 1111) << 12  

This allows us to make something even more interesting.

Code like this:

**%FF%F0%40%FC** that is invalid unicode, overlong, and all you want (definatelly NOT valid), will be casted as a "lower than" simbol (<).

http://eaea.sirdarckcat.net/xss.php?unicode&html\_xss=%FF%F0%40%FC

This besides the already mentioned problems, and the possibility of bypassing quite a lot of WAFs and Filters.. demonstrate the problem of a bad unicode implementation on PHP.

I hope the PHP development team acknowledges all this issues that have been reported before, and were explained some months ago on Blackhat USA (and the developers were noticed to check the ppt more than once), and now are explained yet another time.

**This was fixed on 5.2.11 :) on my birthday!! Sept 17**

Anyway.. that's not all, now to finish this post I want to publish a overlong utf-8 exception on Firefox (actually, Mozilla's).

**The firefox one**

Firefox is supposed to consider the non-shortest form exception (point #1 in the PHP vulnerabilities), and section 3.1 of the Unicode Technical Report #36 but apparently there's a flaw on it. This is specially problematic for the reasons that an overlong unicode sequence not taken into consideration may allow several types of filter bypasses.

Anyway, the severity of this vulnerability is not as high as the PHP ones, but is worth mentioning. The following non-shortest form for the char U+1000:

> 0xF0 0x81 0x80 0x80

is allowed, as well as the correct shortest form:

> 0xE1 0x80 0x80

Note that this problem is only present on the 4 bytes representation.

You can track this bug at:  
https://bugzilla.mozilla.org/show\_bug.cgi?id=522634

Anyway, that's all! Thanks for your time :)

Greetings!!

CVE-2010-3870: A couple of unicode issues on PHP and Firefox

WebKit in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the history.replaceState method in certain situations involving IFRAME elements, which allows remote attackers to obtain sensitive information via a crafted HTML document.

CVE-2010-1407: About the security content of iOS 4

SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter.

CVE-2010-0702: Files ≈ Packet Storm

Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.

**If you want to stay up to date on Apache OpenOffice security announcements, please subscribe to our security-alerts mailing list.**

**Fixed in Apache OpenOffice 4.1.11**

*   CVE-2021-28129: DEB packaging installed with a non-root userid and groupid
*   CVE-2021-33035: Buffer overflow from a crafted DBF file
*   CVE-2021-40439: "Billion Laughs" fixed in Expat >=2.4.0
*   CVE-2021-41830: #1 Content Manipulation with Certificate Double Attack
*   CVE-2021-41830: #2 Macro Manipulation with Certificate Double Attack
*   CVE-2021-41831: #3 Timestamp Manipulation with Signature Wrapping
*   CVE-2021-41832: #4 Content Manipulation with Certificate Validation Attack

**Fixed in Apache OpenOffice 4.1.10**

*   CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

**Fixed in Apache OpenOffice 4.1.8**

*   CVE-2020-13958: Unrestricted actions leads to arbitrary code execution in crafted documents

**Fixed in Apache OpenOffice 4.1.7**

*   CVE-2019-9853: Insufficient URL decoding flaw in categorizing macro location

**Fixed in Apache OpenOffice 4.1.6**

*   CVE-2018-11790: Arithmetic overflow and wrap around during string length calculation

**Fixed in Apache OpenOffice 4.1.5**

*   No security vulnerabilities fixed in this release

**Fixed in Apache OpenOffice 4.1.4**

*   CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
*   CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
*   CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
*   CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles

**Fixed in Apache OpenOffice 4.1.3**

*   CVE-2016-1513: Memory Corruption Vulnerability (Impress Presentations)
*   CVE-2016-6803: Windows Installer Can Enable Privileged Trojan Execution
*   CVE-2016-6804: Windows Installer Execution of Arbitrary Code with Elevated Privileges

**Fixed in Apache OpenOffice 4.1.2**

*   CVE-2015-1774: Out-of-Bounds Write in HWP File Filter
*   CVE-2015-4551: Targeted Data Disclosure
*   CVE-2015-5212: ODF Printer Settings Vulnerability
*   CVE-2015-5213: .DOC Document Vulnerability
*   CVE-2015-5214: .DOC Bookmarks Vulnerability

**Fixed in Apache OpenOffice 4.1.1**

*   CVE-2014-3575: Targeted Data Exposure Using Crafted OLE Objects in Apache OpenOffice
*   CVE-2014-3524: Calc Command Injection Vulnerability in Apache OpenOffice

**Fixed in Apache OpenOffice 4.0.0**

*   CVE-2013-2189: DOC Memory Corruption Vulnerability in Apache OpenOffice
*   CVE-2013-4156: DOCM Memory Corruption Vulnerability in Apache OpenOffice

**Fixed in Apache OpenOffice 3.4.1**

*   CVE-2012-2665: Manifest-processing errors in Apache OpenOffice 3.4.0
*   CVE-2013-1571: Frame Injection Vulnerability in SDK JavaDoc

**Fixed in Apache OpenOffice 3.4.0**

*   CVE-2012-1149: OpenOffice.org integer overflow error in vclmi.dll module when allocating memory for an embedded image object
*   CVE-2012-2149: OpenOffice.org memory overwrite vulnerability
*   CVE-2012-2334: Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0

**Patches for OpenOffice.org 3.3**

*   CVE-2012-0037: OpenOffice.org data leakage vulnerability

**Fixed in OpenOffice.org 3.3**

*   CVE-2010-2935 / CVE-2010-2936: Security Vulnerability in OpenOffice.org related to PowerPoint document processing
*   CVE-2010-3450: Security Vulnerability in OpenOffice.org related to Extensions and filter package files
*   CVE-2010-3451 / CVE-2010-3452: Security Vulnerability in OpenOffice.org related to RTF document processing
*   CVE-2010-3453 / CVE-2010-3454: Security Vulnerability in OpenOffice.org related to Word document processing
*   CVE-2010-3689: Insecure LD\_LIBRARY\_PATH usage in OpenOffice.org shell scripts
*   CVE-2010-3702 / CVE-2010-3704: Security Vulnerability in OpenOffice.org's PDF Import extension resulting from 3rd party library XPDF
*   CVE-2010-4008 / CVE-2010-4494: Possible Security Vulnerability in OpenOffice.org resulting from 3rd party library LIBXML2
*   CVE-2010-4253: Security Vulnerability in OpenOffice.org related to PNG file processing
*   CVE-2010-4643: Security Vulnerability in OpenOffice.org related to TGA file processing

**Fixed in OpenOffice.org 3.2.1**

*   CVE-2009-3555: OpenOffice.org 2 and 3 may be affected by the TLS/SSL Renegotiation Issue in 3rd Party Libraries
*   CVE-2010-0395: Security vulnerability in OpenOffice.org related to python scripting

**Fixed in OpenOffice.org 3.2**

*   CVE-2006-4339: Potential vulnerability from 3rd party libxml2 libraries
*   CVE-2009-0217: Potential vulnerability from 3rd party libxmlsec libraries
*   CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC Runtime
*   CVE-2009-2949: Potential vulnerability related to XPM file processing
*   CVE-2009-2950: Potential vulnerability related to GIF file processing
*   CVE-2009-3301/2: Potential vulnerability related to MS-Word document processing

**Fixed in OpenOffice.org 3.1.1**

*   CVE-2009-0200 / CVE-2009-0201: Manipulated Microsoft Word files can lead to heap overflows and arbitrary code execution
*   CVE-2009-2414 / CVE-2009-2416: Manipulated XML documents can lead to arbitrary code execution

**Fixed in OpenOffice.org 3.1**

*   No security vulnerabilities fixed in this release

**Fixed in OpenOffice.org 3.0.1**

*   No security vulnerabilities fixed in this release

**Fixed in OpenOffice.org 3.0**

*   No security vulnerabilities fixed in this release

**Fixed in OpenOffice.org 2.4.3**

*   CVE-2009-0200 / CVE-2009-0201: Manipulated Microsoft Word files can lead to heap overflows and arbitrary code execution
*   CVE-2009-2414 / CVE-2009-2416: Manipulated XML documents can lead to arbitrary code execution

**Fixed in OpenOffice.org 2.4.2**

*   CVE-2008-2237: Manipulated WMF files can lead to heap overflows and arbitrary code execution
*   CVE-2008-2238: Manipulated EMF files can lead to heap overflows and arbitrary code execution

**Fixed in OpenOffice.org 2.4.1**

*   CVE-2008-2152: Different kinds of manipulated files may lead to heap overflows and arbitrary code execution

**Fixed in OpenOffice.org 2.4**

*   CVE-2007-4770/4771: Manipulated ODF text documents containing XForms can lead to heap overflows and arbitrary code execution
*   CVE-2007-5745/5747: Manipulated Quattro Pro files can lead to heap overflows and arbitrary code execution
*   CVE-2007-5746: Manipulated EMF files can lead to heap overflows and arbitrary code execution
*   CVE-2008-0320: Manipulated OLE files can lead to heap overflows and arbitrary code execution

**Fixed in OpenOffice.org 2.3.1**

*   CVE-2007-4575: Potential arbitrary code execution vulnerability in 3rd party module (HSQLDB)

**Fixed in OpenOffice.org 2.3**

*   CVE-2007-2834: Manipulated TIFF files can lead to heap overflows and arbitrary code execution

**Fixed in OpenOffice.org 2.2.1**

*   CVE-2007-2754: Integer overflow and heap-based buffer overflow vulnerability in 3rd party module (freetype)
*   CVE-2007-0245: Manipulated RTF files can lead to heap overflows and arbitrary code execution

**Fixed in OpenOffice.org 2.2**

*   CVE-2007-0239: URL Handling Security Vulnerability (Linux/Solaris)
*   CVE-2007-0238: StarCalc Vulnerability
*   CVE-2007-002: WordPerfect Import Vulnerability

**Fixed in OpenOffice.org 2.1**

*   CVE-2006-5870: WMF/EMF Processing Failures

**Fixed in OpenOffice.org 2.0.3**

*   CVE-2006-2199: Java Applets
*   CVE-2006-2198: Macro
*   CVE-2006-3117: File Format

Security Home -> Bulletin

Tag

#sql