Christian Hoffmann

Name of the Vulnerable Software and Affected Versions: phpCollab versions 2.5 rc3 and earlier Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `loginForm` parameter to the "general/login.php" endpoint, and potentially other vectors. Recommendations: For phpCollab versions 2.5 rc3 and earlier, consider updating to a newer version that contains a fix for this issue, if available. As a temporary workaround, restrict access to the "general/login.php" endpoint to minimize the risk of exploitation. Avoid using the `loginForm` parameter in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: phpCollab versions 2.5 rc3 and earlier Description: The issue allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified input related to the `SSL CLIENT CERT` environment variable. In some environments, `SSL CLIENT CERT` always has a base64-encoded string value, which may impose constraints on injection for typical shells. Recommendations: For phpCollab versions 2.5 rc3 and earlier, consider restricting access to the `general/login.php` file until a fix is available. As a temporary workaround, avoid using the `SSL CLIENT CERT` environment variable in sensitive operations.

**Name of the Vulnerable Software and Affected Versions** Lazarus version 0.9.24 **Description** The issue allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory. **Recommendations** For Lazarus version 0.9.24, as a temporary workaround, consider restricting access to the create lazarus export tgz.sh script until a patch is available. Avoid using the script to prevent potential symlink attacks on temporary files or directories.

**Name of the Vulnerable Software and Affected Versions** twiki version 4.1.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the /tmp/twiki temporary file. The vendor disputes this issue, stating it is invalid. **Recommendations** For twiki version 4.1.2, consider restricting access to the postinst script to minimize the risk of exploitation. As a temporary workaround, monitor the /tmp/twiki temporary file for any suspicious activity until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Postfix version 2.5.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the `/tmp/postfix groups.stdout`, `/tmp/postfix groups.stderr`, and `/tmp/postfix groups.message` temporary files. The vendor disputes this issue, stating that users would have to edit a script under `/usr/lib` to enable it. **Recommendations** For Postfix version 2.5.2, consider restricting access to the temporary files `/tmp/postfix groups.stdout`, `/tmp/postfix groups.stderr`, and `/tmp/postfix groups.message` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Video Disk Recorder (aka vdr-dbg or vdr) version 1.6.0 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the /tmp/memleaktest.log temporary file. **Recommendations** For version 1.6.0, consider restricting access to the `vdrleaktest` function to prevent exploitation until a patch is available. Avoid using the `vdrleaktest` in sensitive environments to minimize the risk of arbitrary file overwrites.

**Name of the Vulnerable Software and Affected Versions** rkhunter version 1.3.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rkhunter-debug temporary file. **Recommendations** For rkhunter version 1.3.2, consider restricting access to the /tmp/rkhunter-debug file to prevent symlink attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** mafft version 6.240 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on several temporary files in the /tmp directory, including (1) /tmp/ vf#?????, (2) /tmp/ if#?????, (3) /tmp/ pf#?????, (4) /tmp/ af#?????, (5) /tmp/ rid#?????, (6) /tmp/ res#?????, (7) /tmp/ q#?????, and (8) /tmp/ bf#?????. **Recommendations** For version 6.240, consider restricting access to the temporary files in the /tmp directory to minimize the risk of exploitation. As a temporary workaround, avoid using the mafft-homologs feature in mafft until a patch is available.

**Name of the Vulnerable Software and Affected Versions** mgetty version 1.1.36 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp##### temporary file created by faxspool in mgetty. **Recommendations** For mgetty version 1.1.36, consider restricting access to the faxspool functionality until a patch is available, or apply a workaround to prevent symlink attacks on temporary files.

**Name of the Vulnerable Software and Affected Versions** aview version 1.3.0 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a /tmp/aview#####.pgm temporary file created by asciiview in aview. **Recommendations** For aview version 1.3.0, consider restricting access to the temporary files created by asciiview to minimize the risk of exploitation. As a temporary workaround, avoid using asciiview until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenOffice.org (OOo) version 2.4.1 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a /tmp/log.obr temporary file. This is related to the `senddoc` functionality in OpenOffice.org. **Recommendations** For OpenOffice.org (OOo) version 2.4.1, consider restricting access to the `senddoc` functionality until a patch is available. As a temporary workaround, avoid using the `senddoc` feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** fwbuilder version 2.1.19 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a temporary file, specifically targeting the /tmp/ssh-agent file through the fwb install component. **Recommendations** For fwbuilder version 2.1.19, consider restricting access to the fwb install component until a patch is available, and avoid using the /tmp/ssh-agent temporary file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mantis versions prior to 1.1.3 **Description** The issue makes it easier for remote attackers to hijack sessions because the session cookie is not unset during logout. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mantis versions prior to 1.1.3 **Description** The issue concerns a lack of privilege checking in the composition of links with issue data. This allows remote attackers to discover sensitive information, such as an issue's title and status, by modifying the issue number in a request. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** qemu version 0.9.1-5 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories. This is related to the qemu-make-debian-root functionality in qemu on Debian GNU/Linux systems. **Recommendations** For qemu version 0.9.1-5, consider restricting access to the qemu-make-debian-root functionality until a patch is available to prevent local users from overwriting arbitrary files via a symlink attack.

**Name of the Vulnerable Software and Affected Versions** R version 2.7.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on temporary files created by the javareconf functionality. **Recommendations** For R version 2.7.2, consider restricting access to the javareconf functionality until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP versions 4.4.x before 4.4.9 PHP versions 5.2 before 5.2.6-r6 **Description** The issue is related to a buffer overflow in the `imageloadfont` function, which can be triggered by a crafted font file. This could allow attackers to cause a denial of service (crash) and possibly execute arbitrary code. **Recommendations** For PHP versions 4.4.x before 4.4.9, update to version 4.4.9 or later to resolve the issue. For PHP versions 5.2 before 5.2.6-r6, update to version 5.2.6-r6 or later to resolve the issue.