Weekly Vulnerabilities Reports > October 7 to 13, 2002

Overview

42 new vulnerabilities reported during this period, including 0 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 47 products from 24 vendors including Microsoft, Apache, Surfcontrol, Oracle, and IBM. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 36 reported vulnerabilities are remotely exploitables.
  • 42 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 15 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-10-11 CVE-2002-1174 Fetchmail Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Fetchmail

Buffer overflows in Fetchmail 6.0.0 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) long headers that are not properly processed by the readheaders function, or (2) via long Received: headers, which are not properly parsed by the parse_received function.

7.5
2002-10-11 CVE-2002-1166 John Franks Buffer Overflow vulnerability in WN Server Malformed GET Request

Buffer overflow in John Franks WN Server 1.18.2 through 2.0.0 allows remote attackers to execute arbitrary code via a long GET request.

7.5
2002-10-11 CVE-2002-1152 KDE Unspecified vulnerability in KDE 3.0/3.0.1/3.0.2

Konqueror in KDE 3.0 through 3.0.2 does not properly detect the "secure" flag in an HTTP cookie, which could cause Konqueror to send the cookie across an unencrypted channel, which could allow remote attackers to steal the cookie via sniffing.

7.5
2002-10-11 CVE-2002-1151 KDE Unspecified vulnerability in KDE and Konqueror

The cross-site scripting protection for Konqueror in KDE 2.2.2 and 3.0 through 3.0.3 does not properly initialize the domains on sub-frames and sub-iframes, which can allow remote attackers to execute script and steal cookies from subframes that are in other domains.

7.5
2002-10-11 CVE-2002-1138 Microsoft Unspecified vulnerability in Microsoft Data Engine and SQL Server

Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs."

7.5
2002-10-11 CVE-2002-1137 Microsoft Buffer Overflow vulnerability in Microsoft Data Engine and SQL Server

Buffer overflow in the Database Console Command (DBCC) that handles user inputs in Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, allows attackers to execute arbitrary code via a long SourceDB argument in a "non-SQL OLEDB data source" such as FoxPro, a variant of CAN-2002-0644.

7.5
2002-10-11 CVE-2002-0866 Microsoft Unspecified vulnerability in Microsoft Virtual Machine

Java Database Connectivity (JDBC) classes in Microsoft Virtual Machine (VM) up to and including 5.0.3805 allow remote attackers to load and execute DLLs (dynamic link libraries) via a Java applet that calls the constructor for com.ms.jdbc.odbc.JdbcOdbc with the desired DLL terminated by a null string, aka "DLL Execution via JDBC Classes."

7.5
2002-10-11 CVE-2002-0865 Microsoft Unspecified vulnerability in Microsoft Virtual Machine

A certain class that supports XML (Extensible Markup Language) in Microsoft Virtual Machine (VM) 5.0.3805 and earlier, probably com.ms.osp.ospmrshl, exposes certain unsafe methods, which allows remote attackers to execute unsafe code via a Java applet, aka "Inappropriate Methods Exposed in XML Support Classes."

7.5
2002-10-11 CVE-2002-0843 Apache
Oracle
Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.
7.5
2002-10-10 CVE-2002-0709 Surfcontrol SQL Injection vulnerability in Surfcontrol Superscout web Filter and web Filter

SQL injection vulnerabilities in the Web Reports Server for SurfControl SuperScout WebFilter allow remote attackers to execute arbitrary SQL queries via the RunReport option to SimpleBar.dll, and possibly other DLLs.

7.5
2002-10-10 CVE-2002-0706 Surfcontrol Remote Security vulnerability in Surfcontrol Superscout web Filter and web Filter

UserManager.js in the Web Reports Server for SurfControl SuperScout WebFilter uses weak encryption for administrator functions, which allows remote attackers to decrypt the administrative password using a hard-coded key in a Javascript function.

7.5
2002-10-10 CVE-2002-0705 Surfcontrol Information Disclosure vulnerability in Surfcontrol Superscout web Filter and web Filter

The Web Reports Server for SurfControl SuperScout WebFilter stores the "scwebusers" username and password file in a web-accessible directory, which allows remote attackers to obtain valid usernames and crack the passwords.

7.5
2002-10-10 CVE-2002-0694 Microsoft Unspecified vulnerability in Microsoft products

The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File."

7.5
2002-10-10 CVE-2002-0693 Microsoft Buffer Overflow vulnerability in Microsoft Windows Help Facility ActiveX Control

Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.

7.5
2002-10-10 CVE-2002-0692 Microsoft Buffer Overflow vulnerability in Microsoft products

Buffer overflow in SmartHTML Interpreter (shtml.dll) in Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to cause a denial of service (CPU consumption) or run arbitrary code, respectively, via a certain type of web file request.

7.5
2002-10-10 CVE-2002-0370 Allume Systems Division
IBM
Verity
Winzip
Microsoft
Buffer Overflow vulnerability in Multiple Vendor ZIP Files Long Filename

Buffer overflow in the ZIP capability for multiple products allows remote attackers to cause a denial of service or execute arbitrary code via ZIP files containing entries with long filenames, including (1) Microsoft Windows 98 with Plus! Pack, (2) Windows XP, (3) Windows ME, (4) Lotus Notes R4 through R6 (pre-gold), (5) Verity KeyView, and (6) Stuffit Expander before 7.0.

7.5
2002-10-11 CVE-2002-0839 Apache
Debian
The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.
7.2
2002-10-11 CVE-2002-1147 HP Denial Of Service vulnerability in HP Procurve 4000M Switch Device Reset

The HTTP administration interface for HP Procurve 4000M Switch firmware before C.09.16, with stacking features and remote administration enabled, does not authenticate requests to reset the device, which allows remote attackers to cause a denial of service via a direct request to the device_reset CGI program.

7.1

24 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-10-11 CVE-2002-0840 Apache
Oracle
Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.
6.8
2002-10-11 CVE-2002-1178 Jetty Unspecified vulnerability in Jetty Http Server

Directory traversal vulnerability in the CGIServlet for Jetty HTTP server before 4.1.0 allows remote attackers to execute arbitrary commands via ..\ (dot-dot backslash) sequences in an HTTP request to the cgi-bin directory.

5.0
2002-10-11 CVE-2002-1175 Fetchmail Improper Input Validation vulnerability in Fetchmail

The getmxrecord function in Fetchmail 6.0.0 and earlier does not properly check the boundary of a particular malformed DNS packet from a malicious DNS server, which allows remote attackers to cause a denial of service (crash) when Fetchmail attempts to read data beyond the expected boundary.

5.0
2002-10-11 CVE-2002-1170 NET Snmp Denial Of Service vulnerability in Net-Snmp 5.0.1/5.0.3/5.0.4Pre2

The handle_var_requests function in snmp_agent.c for the SNMP daemon in the Net-SNMP (formerly ucd-snmp) package 5.0.1 through 5.0.5 allows remote attackers to cause a denial of service (crash) via a NULL dereference.

5.0
2002-10-11 CVE-2002-1156 Apache Unspecified vulnerability in Apache Http Server 2.0.42

Apache 2.0.42 allows remote attackers to view the source code of a CGI script via a POST request to a directory with both WebDAV and CGI enabled.

5.0
2002-10-11 CVE-2002-1154 Stephen Turner Denial-Of-Service vulnerability in Analog

anlgform.pl in Analog before 5.23 does not restrict access to the PROGRESSFREQ progress update command, which allows remote attackers to cause a denial of service (disk consumption) by using the command to report updates more frequently and fill the web server error log.

5.0
2002-10-11 CVE-2002-1153 IBM Buffer Overflow vulnerability in IBM Websphere Application Server 4.0.3

IBM Websphere 4.0.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP request with long HTTP headers, such as "Host".

5.0
2002-10-11 CVE-2002-1149 Invision Power Services Information Disclosure vulnerability in Invision Board 1.0/1.0.1

The installation procedure for Invision Board suggests that users install the phpinfo.php program under the web root, which leaks sensitive information such as absolute pathnames, OS information, and PHP settings.

5.0
2002-10-11 CVE-2002-1148 Apache Unspecified vulnerability in Apache Tomcat

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.

5.0
2002-10-11 CVE-2002-1146 GNU Unspecified vulnerability in GNU Glibc

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

5.0
2002-10-11 CVE-2002-1141 Microsoft Denial Of Service vulnerability in Microsoft Services 3.0

An input validation error in the Sun Microsystems RPC library Services for Unix 3.0 Interix SD, as implemented on Microsoft Windows NT4, 2000, and XP, allows remote attackers to cause a denial of service via malformed fragmented RPC client packets, aka "Denial of service by sending an invalid RPC request."

5.0
2002-10-11 CVE-2002-1140 Microsoft Buffer Overflow vulnerability in Microsoft Services 3.0

The Sun Microsystems RPC library Services for Unix 3.0 Interix SD, as implemented on Microsoft Windows NT4, 2000, and XP, allows remote attackers to cause a denial of service (service hang) via malformed packet fragments, aka "Improper parameter size check leading to denial of service."

5.0
2002-10-11 CVE-2002-1139 Microsoft Unspecified vulnerability in Microsoft Windows 98 Plus Pack, Windows ME and Windows XP

The Compressed Folders feature in Microsoft Windows 98 with Plus! Pack, Windows Me, and Windows XP does not properly check the destination folder during the decompression of ZIP files, which allows attackers to place an executable file in a known location on a user's system, aka "Incorrect Target Path for Zipped File Decompression."

5.0
2002-10-11 CVE-2002-0867 Microsoft Unspecified vulnerability in Microsoft Virtual Machine

Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allows remote attackers to cause a denial of service (crash) in Internet Explorer via invalid handle data in a Java applet, aka "Handle Validation Flaw."

5.0
2002-10-11 CVE-2002-0864 Microsoft Remote Desktop Denial Of Service vulnerability in Microsoft Windows XP Professional

The Remote Data Protocol (RDP) version 5.1 in Microsoft Windows XP allows remote attackers to cause a denial of service (crash) when Remote Desktop is enabled via a PDU Confirm Active data packet that does not set the Pattern BLT command, aka "Denial of Service in Remote Desktop."

5.0
2002-10-11 CVE-2002-0863 Microsoft Unspecified vulnerability in Microsoft products

Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol."

5.0
2002-10-10 CVE-2002-0708 Surfcontrol Unspecified vulnerability in Surfcontrol Superscout web Filter and web Filter

Directory traversal vulnerability in the Web Reports Server for SurfControl SuperScout WebFilter allows remote attackers to read arbitrary files via an HTTP request containing ...

5.0
2002-10-10 CVE-2002-0707 Surfcontrol Unspecified vulnerability in Surfcontrol Superscout web Filter and web Filter

The Web Reports Server for SurfControl SuperScout WebFilter allows remote attackers to cause a denial of service (CPU consumption) via large GET requests, possibly due to a buffer overflow.

5.0
2002-10-10 CVE-2002-0399 GNU Unspecified vulnerability in GNU TAR 1.13.25

Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) "/.." or (2) "./.." string, which removes the leading slash but leaves the "..", a variant of CVE-2001-1267.

5.0
2002-10-11 CVE-2002-1189 Cisco Unspecified vulnerability in Cisco Unity Server

The default configuration of Cisco Unity 2.x and 3.x does not block international operator calls in the predefined restriction tables, which could allow authenticated users to place international calls using call forwarding.

4.6
2002-10-11 CVE-2002-1165 Sendmail
Netbsd
Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.11.6-15, and possibly other versions after 8.11 from 5/19/1998, allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after (1) "||" sequences or (2) "/" characters, which are not properly filtered or verified.
4.6
2002-10-11 CVE-2002-1150 Microsoft Local Session Hijacking vulnerability in Microsoft Netmeeting 3.01

The Remote Desktop Sharing (RDS) Screen Saver Protection capability for Microsoft NetMeeting 3.01 through SP2 (4.4.3396) allows attackers with physical access to hijack remote sessions by entering certain logoff or shutdown sequences (such as CTRL-ALT-DEL) and canceling out of the resulting user confirmation prompts, such as when the remote user is editing a document.

4.6
2002-10-11 CVE-2002-0969 Oracle Local Buffer Overflow vulnerability in Oracle Mysql 3.23.49/4.0.0/4.0.1

Buffer overflow in MySQL daemon (mysqld) before 3.23.50, and 4.0 beta before 4.02, on the Win32 platform, allows local users to execute arbitrary code via a long "datadir" parameter in the my.ini initialization file, whose permissions on Windows allow Full Control to the Everyone group.

4.6
2002-10-10 CVE-2002-0838 GGV
Ghostview
GV
Buffer Overflow vulnerability in GV Malformed PDF/PS File

Buffer overflow in (1) gv 3.5.8 and earlier, (2) gvv 1.0.2 and earlier, (3) ggv 1.99.90 and earlier, (4) gnome-gv, and (5) kghostview in kdegraphics 2.2.2 and earlier, allows attackers to execute arbitrary code via a malformed (a) PDF or (b) PostScript file, which is processed by an unsafe call to sscanf.

4.6

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS