Weekly Vulnerabilities Reports > May 13 to 19, 2002

Overview

43 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 23 high severity vulnerabilities. This weekly summary report vulnerabilities in 46 products from 37 vendors including Microsoft, SGI, SAS, Xoops, and Etype. Vulnerabilities are notably categorized as and "Incorrect Calculation of Buffer Size".

  • 32 reported vulnerabilities are remotely exploitables.
  • 42 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 4 reported vulnerabilities.
  • Paul L Daniels has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-05-16 CVE-2002-0198 Paul L Daniels Buffer Overflow vulnerability in Paul L Daniels Inflex and Ripmime

Buffer overflow in plDaniels ripMime 1.2.6 and earlier, as used in other programs such as xamime and inflex, allows remote attackers to execute arbitrary code via an attachment in a long filename.

10.0

23 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-05-16 CVE-2002-0184 Sudo Project
Debian
Incorrect Calculation of Buffer Size vulnerability in multiple products

Sudo before 1.6.6 contains an off-by-one error that can result in a heap-based buffer overflow that may allow local users to gain root privileges via special characters in the -p (prompt) argument, which are not properly expanded.

7.8
2002-05-16 CVE-2002-1056 Microsoft Unspecified vulnerability in Microsoft Outlook and Word

Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.

7.5
2002-05-16 CVE-2002-0231 Khaled Mardam BEY Buffer Overflow vulnerability in MIRC Nick

Buffer overflow in mIRC 5.91 and earlier allows a remote server to execute arbitrary code on the client via a long nickname.

7.5
2002-05-16 CVE-2002-0229 PHP Unspecified vulnerability in PHP

Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attackers with access to the MySQL database to bypass Safe Mode access restrictions and read arbitrary files using "LOAD DATA INFILE LOCAL" SQL statements.

7.5
2002-05-16 CVE-2002-0226 Dcscripts Unspecified vulnerability in Dcscripts Dcforum

retrieve_password.pl in DCForum 6.x and 2000 generates predictable new passwords based on a sessionID, which allows remote attackers to request a new password on behalf of another user and use the sessionID to calculate the new password for that user.

7.5
2002-05-16 CVE-2002-0223 Infopop
Wired Community Software
Infopop UBB.Threads 5.4 and Wired Community Software WWWThreads 5.0 through 5.0.9 allows remote attackers to upload arbitrary files by using a filename that contains an accepted extension, but ends in a different extension.
7.5
2002-05-16 CVE-2002-0222 Etype Unspecified vulnerability in Etype Eserv 2.97

Etype Eserv 2.97 allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command.

7.5
2002-05-16 CVE-2002-0220 Phpsmssend Remote Shell Command Execution vulnerability in PHPsmssend 1.0

phpsmssend.php in PhpSmsSend 1.0 allows remote attackers to execute arbitrary commands via an SMS message containing shell metacharacters.

7.5
2002-05-16 CVE-2002-0217 Xoops Unspecified vulnerability in Xoops 1.0Rc1

Cross-site scripting (CSS) vulnerabilities in the Private Message System for XOOPS 1.0 RC1 allow remote attackers to execute Javascript on other web clients via (1) the Title field or a Private Message Box or (2) the image field parameter in pmlite.php.

7.5
2002-05-16 CVE-2002-0212 Hosting Controller Information Disclosure vulnerability in Hosting Controller

The login for Hosting Controller 1.1 through 1.4.1 returns different error messages when a valid or invalid user is provided, which allows remote attackers to determine the existence of valid usernames and makes it easier to conduct a brute force attack.

7.5
2002-05-16 CVE-2002-0207 Realnetworks Buffer Overflow vulnerability in Real Media RealPlayer Media File

Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows remote attackers to execute arbitrary code via a header length value that exceeds the actual length of the header.

7.5
2002-05-16 CVE-2002-0206 Francisco Burzi Remote Arbitrary File Include vulnerability in PHPNuke

index.php in Francisco Burzi PHP-Nuke 5.3.1 and earlier, and possibly other versions before 5.5, allows remote attackers to execute arbitrary PHP code by specifying a URL to the malicious code in the file parameter.

7.5
2002-05-16 CVE-2002-0205 Plumtree Cross-Site Scripting vulnerability in Plumtree Corporate Portal

Cross-site scripting (CSS) vulnerability in error.asp for Plumtree Corporate Portal 3.5 through 4.5 allows remote attackers to execute arbitrary script on other clients via the "Description" parameter.

7.5
2002-05-16 CVE-2002-0204 GNU Buffer Overflow vulnerability in GNU Chess 5.02

Buffer overflow in GNU Chess (gnuchess) 5.02 and earlier, if modified or used in a networked capacity contrary to its own design as a single-user application, may allow local or remote attackers to execute arbitrary code via a long command.

7.5
2002-05-16 CVE-2002-0199 Nullsoft Denial Of Service vulnerability in Nullsoft Shoutcast Server 1.8.3

Buffer overflow in admin.cgi for Nullsoft Shoutcast Server 1.8.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an argument with a large number of backslashes.

7.5
2002-05-16 CVE-2002-0197 Psychoid Unspecified vulnerability in Psychoid Psybnc

psyBNC 2.3 beta and earlier allows remote attackers to spoof encrypted, trusted messages by sending lines that begin with the "[B]" sequence, which makes the message appear legitimate.

7.5
2002-05-16 CVE-2002-0185 Apache Unspecified vulnerability in Apache MOD Python

mod_python version 2.7.6 and earlier allows a module indirectly imported by a published module to then be accessed via the publisher, which allows remote attackers to call possibly dangerous functions from the imported module.

7.5
2002-05-16 CVE-2002-0171 SGI Unspecified vulnerability in SGI Irisconsole 2.0

IRISconsole 2.0 may allow users to log into the icadmin account with an incorrect password in some circumstances, which could allow users to gain privileges.

7.5
2002-05-16 CVE-2002-0154 Microsoft Unspecified vulnerability in Microsoft SQL Server 2000/7.0

Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments.

7.5
2002-05-16 CVE-2002-0219 SAS Buffer Overflow vulnerability in SAS SASTCPD Command Line Argument

Buffer overflow in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via large command line argument.

7.2
2002-05-16 CVE-2002-0218 SAS Unspecified vulnerability in SAS Base and SAS Integration Technologies

Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument.

7.2
2002-05-16 CVE-2002-0210 Tolis Group Symbolic Link vulnerability in Tolis Group BRU 17.0

setlicense for TOLIS Group Backup and Restore Utility (BRU) 17.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/brutest.$$ temporary file.

7.2
2002-05-16 CVE-2002-0173 SGI Buffer Overflow vulnerability in SGI IRIX CPR

Buffer overflow in cpr for the eoe.sw.cpr SGI Checkpoint-Restart Software package on SGI IRIX 6.5.10 and earlier may allow local users to gain root privileges.

7.2

15 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-05-16 CVE-2002-0196 ACD Incorporated Unspecified vulnerability in ACD Incorporated Cwpapi 1.1

GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root.

6.4
2002-05-19 CVE-2001-1334 Phpslash Unspecified vulnerability in PHPslash 0.5.3.2/0.6.1

Block_render_url.class in PHPSlash 0.6.1 allows remote attackers with PHPSlash administrator privileges to read arbitrary files by creating a block and specifying the target file as the source URL.

5.0
2002-05-17 CVE-2002-1280 ISS Denial-Of-Service vulnerability in ISS Realsecure Event Collector 6.5

Memory leak in RealSecure Event Collector 6.5 allows attackers to cause a denial of service (memory consumption and crash).

5.0
2002-05-16 CVE-2002-0230 FAQ O Matic Cross-Site Scripting vulnerability in Faq-O-Matic 2.712

Cross-site scripting vulnerability in fom.cgi of Faq-O-Matic 2.712 allows remote attackers to execute arbitrary Javascript on other clients via the cmd parameter, which causes the script to be inserted into an error message.

5.0
2002-05-16 CVE-2002-0228 Microsoft Information Disclosure vulnerability in Microsoft MSN ActiveX Object

Microsoft MSN Messenger allows remote attackers to use Javascript that references an ActiveX object to obtain sensitive information such as display names and web site navigation, and possibly more when the user is connected to certain Microsoft sites (or DNS-spoofed sites).

5.0
2002-05-16 CVE-2002-0227 Kicq
KDE
Denial of Service vulnerability in kicq 2.0.0b1 Invalid ICQ Packet

KICQ 2.0.0b1 allows remote attackers to cause a denial of service (crash) via a malformed message.

5.0
2002-05-16 CVE-2002-0224 Microsoft Denial of Service vulnerability in Microsoft products

The MSDTC (Microsoft Distributed Transaction Service Coordinator) for Microsoft Windows 2000, Microsoft IIS 5.0 and SQL Server 6.5 through SQL 2000 0.0 allows remote attackers to cause a denial of service (crash or hang) via malformed (random) input.

5.0
2002-05-16 CVE-2002-0221 Etype Denial of Service vulnerability in Etype Eserv 2.97

Etype Eserv 2.97 allows remote attackers to cause a denial of service (resource exhaustion) via a large number of PASV commands that consume ports 1024 through 5000, which prevents the server from accepting valid PASV.

5.0
2002-05-16 CVE-2002-0216 Xoops Remote SQL Injection vulnerability in Xoops 1.0Rc1

userinfo.php in XOOPS 1.0 RC1 allows remote attackers to obtain sensitive information via a SQL injection attack in the "uid" parameter.

5.0
2002-05-16 CVE-2002-0215 Steve Kneizys Path Disclosure vulnerability in Agora.CGI Debug Mode

Agora.cgi 3.2r through 4.0 while in debug mode allows remote attackers to determine the full pathname of the agora.cgi file by requesting a non-existent .html file, which leaks the pathname in an error message.

5.0
2002-05-16 CVE-2002-0209 Nortel Unspecified vulnerability in Nortel Alteon Acedirector 9.0

Nortel Alteon ACEdirector WebOS 9.0, with the Server Load Balancing (SLB) and Cookie-Based Persistence features enabled, allows remote attackers to determine the real IP address of a web server with a half-closed session, which causes ACEdirector to send packets from the server without changing the address to the virtual IP address.

5.0
2002-05-16 CVE-2002-0201 Cyberstop Unspecified vulnerability in Cyberstop web Server

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request, possibly triggering a buffer overflow.

5.0
2002-05-16 CVE-2002-0200 Cyberstop Denial of Service vulnerability in Cyberstop Web Server MS-DOS Device

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.

5.0
2002-05-16 CVE-2002-0225 Cisco Unspecified vulnerability in Cisco Tacacs+ F4.0.4Alpha

tac_plus Tacacs+ daemon F4.0.4.alpha, originally maintained by Cisco, creates files from the accounting directive with world-readable and writable permissions, which allows local users to access and modify sensitive files.

4.6
2002-05-16 CVE-2002-0157 Eazel Local File Corruption vulnerability in Eazel Nautilus 1.0.4

Nautilus 1.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the .nautilus-metafile.xml metadata file.

4.6

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-05-16 CVE-2002-0202 Paintbbs Unspecified vulnerability in Paintbbs 1.2

PaintBBS 1.2 installs certain files and directories with insecure permissions, which allows local users to (1) obtain the encrypted server password via the world-readable oekakibbs.conf file, or (2) modify the server configuration via the world-writeable /oekaki/ folder.

3.6
2002-05-16 CVE-2002-0214 Intel Information Disclosure vulnerability in Compaq Intel PRO/Wireless 2011B LAN USB Device Driver 1.5.16.0/1.5.18.0

Compaq Intel PRO/Wireless 2011B LAN USB Device Driver 1.5.16.0 through 1.5.18.0 stores the 128-bit WEP (Wired Equivalent Privacy) key in plaintext in a registry key with weak permissions, which allows local users to decrypt network traffic by reading the WEP key from the registry key.

2.1
2002-05-16 CVE-2002-0213 Xinet
SGI
xkas in Xinet K-AShare 0.011.01 for IRIX allows local users to read arbitrary files via a symlink attack on the VOLICON file, which is copied to the .HSicon file in a shared directory.
2.1
2002-05-16 CVE-2002-0172 SGI Unspecified vulnerability in SGI Irix

/dev/ipfilter on SGI IRIX 6.5 is installed by /dev/MAKEDEV with insecure default permissions (644), which could allow a local user to cause a denial of service (traffic disruption).

2.1