Weekly Vulnerabilities Reports > December 30, 2002 to January 5, 2003

Overview

34 new vulnerabilities were reported during this period, including 4 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary reports vulnerabilities in 38 products from 33 vendors including Microsoft, PGP, Apache, Dlink, and Cisco. Vulnerabilities are notably categorized as "Inadequate Encryption Strength", "Incomplete Cleanup", "Improper Locking", "Off-by-one Error", and "Incorrect Default Permissions".

  • 23 reported vulnerabilities are remotely exploitable.
  • 12 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 24 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 3 reported vulnerabilities.
  • Novell has the most reported critical vulnerabilities, with 1 reported vulnerability.

Summary (counts as reported on this page): total vulnerabilities 34; critical risk 4; high risk 21; medium risk 8; low risk 1; remotely exploitable 23; exploitable anonymously 24. Further summary columns in the original table: locally exploitable, exploit available, affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


4 Critical Vulnerabilities

DATE  CVE  VENDOR  VULNERABILITY  CVSS

2002-12-31  CVE-2002-2119  Novell  Improper Handling of Case Sensitivity vulnerability in Novell Edirectory 8.6.2/8.7  CVSS 9.8
Novell eDirectory 8.6.2 and 8.7 use case-insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.

2002-12-31  CVE-2002-1820  Ultimate PHP Board Project  Improper Handling of Case Sensitivity vulnerability in Ultimate PHP Board Project Ultimate PHP Board 1.0  CVSS 9.8
register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A", but allows a remote attacker to impersonate the administrator by registering an account name of admin with a lower case "a".

2002-12-31  CVE-2002-1816  Redshift  Off-by-one Error vulnerability in Redshift Atphttpd 0.4B  CVSS 9.8
Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

2002-12-31  CVE-2002-1798  Midicart  Forced Browsing vulnerability in Midicart PHP, Midicart PHP Maxi and Midicart PHP Plus  CVSS 9.1
MidiCart PHP, PHP Plus, and PHP Maxi allow remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php.

21 High Vulnerabilities

DATE  CVE  VENDOR  VULNERABILITY  CVSS

2002-12-31  CVE-2002-1844  Microsoft  Incorrect Default Permissions vulnerability in Microsoft Windows Media Player 6.3  CVSS 7.8
Microsoft Windows Media Player (WMP) 6.3, when installed on Solaris, installs executables with world-writable permissions, which allows local users to delete or modify the executables to gain privileges.

2002-12-31  CVE-2002-1796  HP  Improper Verification of Cryptographic Signature vulnerability in HP Chaivm Ezloader  CVSS 7.8
ChaiVM EZloader for HP color LaserJet 4500 and 4550 and HP LaserJet 4100 and 8150 does not properly verify JAR signatures for new services, which allows local users to load unauthorized Chai services.

2002-12-31  CVE-2002-2323  SUN  Improper Preservation of Permissions vulnerability in SUN Solaris PC Netlink 1.0/1.1/1.2  CVSS 7.5
Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions.

2002-12-31  CVE-2002-2070  Accessdata  Incomplete Cleanup vulnerability in Accessdata Secureclean 3  CVSS 7.5
SecureClean 3 build 2.0 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.

2002-12-31  CVE-2002-2069  PGP  Incomplete Cleanup vulnerability in PGP Personal Privacy  CVSS 7.5
PGP 6.x and 7.x do not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.

2002-12-31  CVE-2002-2068  Tolvanen  Incomplete Cleanup vulnerability in Tolvanen Eraser 5.3  CVSS 7.5
Eraser 5.3 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.

2002-12-31  CVE-2002-2067  East TEC  Incomplete Cleanup vulnerability in East-Tec Eraser 2002  CVSS 7.5
East-Tec Eraser 2002 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.

2002-12-31  CVE-2002-2066  Jetico  Incomplete Cleanup vulnerability in Jetico Bcwipe 1.0.7/2.0/2.35.1  CVSS 7.5
BestCrypt BCWipe 1.0.7 and 2.0 through 2.35.1 does not clear Windows alternate data streams that are attached to files on NTFS file systems, which allows attackers to recover sensitive information that was supposed to be deleted.

2002-12-31  CVE-2002-2058  Teekai  Use of a Broken or Risky Cryptographic Algorithm vulnerability in Teekai Tracking Online 1.0  CVSS 7.5
TeeKai Tracking Online 1.0 uses weak encryption of web usage statistics in data/userlog/log.txt, which allows remote attackers to identify IPs visiting the site by dividing each octet by the MD5 hash of '20'.

2002-12-31  CVE-2002-1949  Iomega  Cleartext Transmission of Sensitive Information vulnerability in Iomega NAS A300U Firmware  CVSS 7.5
The Network Attached Storage (NAS) Administration Web Page for Iomega NAS A300U transmits passwords in cleartext, which allows remote attackers to sniff the administrative password.

2002-12-31  CVE-2002-1912  Skystream  NULL Pointer Dereference vulnerability in Skystream Emr5000 1.16/1.17/1.18  CVSS 7.5
SkyStream EMR5000 1.16 through 1.18 does not drop packets or disable the Ethernet interface when the buffers are full, which allows remote attackers to cause a denial of service (null pointer exception and kernel panic) via a large number of packets.

2002-12-31  CVE-2002-1910  Click 2  Inadequate Encryption Strength vulnerability in Click-2 Ingenium Learning Management System 5.1/6.1  CVSS 7.5
Click2Learn Ingenium Learning Management System 5.1 and 6.1 uses weak encryption for passwords (reversible algorithm), which allows attackers to obtain passwords.

2002-12-31  CVE-2002-1872  Microsoft  Inadequate Encryption Strength vulnerability in Microsoft SQL Server  CVSS 7.5
Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.

2002-12-31  CVE-2002-1850  Apache  Improper Locking vulnerability in Apache Http Server 2.0.39/2.0.40  CVSS 7.5
mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script.

2002-12-31  CVE-2002-1810  Dlink  Missing Authentication for Critical Function vulnerability in Dlink Dwl-900Ap+ Firmware 2.1/2.2  CVSS 7.5
D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to access the TFTP server without authentication and read the config.img file, which contains sensitive information such as the administrative password, the WEP encryption keys, and network configuration information.

2002-12-31  CVE-2002-1800  Phprank  Cleartext Storage of Sensitive Information vulnerability in PHPrank 1.8  CVSS 7.5
phpRank 1.8 stores the administrative password in plaintext on the server and in the "ap" cookie, which allows remote attackers to retrieve the administrative password.

2002-12-31  CVE-2002-1745  Microsoft  Off-by-one Error vulnerability in Microsoft Internet Information Services 5.0  CVSS 7.5
Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5.0 allows remote attackers to view the source code for files with extensions containing one additional character after .html, .htm, .asp, or .inc, such as .aspx files.

2002-12-31  CVE-2002-1721  Pldaniels  Off-by-one Error vulnerability in Pldaniels Altermime 0.1.10/0.1.11  CVSS 7.5
Off-by-one error in alterMIME 0.1.10 and 0.1.11 allows remote attackers to cause a denial of service (crash) via an x-header that causes snprintf to overwrite the FFGET_FILE variable with a (null) byte.

2002-12-31  CVE-2002-1706  Cisco  Improper Verification of Cryptographic Signature vulnerability in Cisco IOS  CVSS 7.5
Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) settings via a DOCSIS file without a Message Integrity Check (MIC) signature, which is approved by the router.

2002-12-31  CVE-2002-1697  Vtun Project  Inadequate Encryption Strength vulnerability in Vtun Project Vtun 2.0/2.5  CVSS 7.5
Electronic Code Book (ECB) mode in VTun 2.0 through 2.5 uses a weak encryption algorithm that produces the same ciphertext from the same plaintext blocks, which could allow remote attackers to gain sensitive information.

2002-12-31  CVE-2002-1657  Postgresql  Use of Password Hash With Insufficient Computational Effort vulnerability in Postgresql 7.3.19  CVSS 7.5
PostgreSQL uses the username as the salt when generating password hashes, which makes it easier for remote attackers to guess passwords via a brute force attack.

8 Medium Vulnerabilities

DATE  CVE  VENDOR  VULNERABILITY  CVSS

2002-12-31  CVE-2002-1975  Sharp  Inadequate Encryption Strength vulnerability in Sharp Zaurus Sl-5000D Firmware and Zaurus Sl-5500 Firmware  CVSS 5.5
Sharp Zaurus PDA SL-5000D and SL-5500 use a salt of "A0" to encrypt the screen-locking password as stored in the Security.conf file, which makes it easier for local users to guess the password via brute force methods.

2002-12-31  CVE-2002-1946  Tata  Inadequate Encryption Strength vulnerability in Tata Integrated Dialer 1.2.000  CVSS 5.5
Videsh Sanchar Nigam Limited (VSNL) Integrated Dialer Software 1.2.000, when the "Save Password" option is used, stores the password with a weak encryption scheme (one-to-one mapping) in a registry key, which allows local users to obtain and decrypt the password.

2002-12-31  CVE-2002-1915  Openbsd / Netbsd / Freebsd  Improper Locking vulnerability in multiple products  CVSS 5.5
tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file.

2002-12-31  CVE-2002-1914  Dump Project  Improper Locking vulnerability in Dump Project Dump 0.4  CVSS 5.5
dump 0.4 b10 through b29 allows local users to cause a denial of service (execution prevention) by using flock() to lock the /etc/dumpdates file.

2002-12-31  CVE-2002-1739  Mdaemon  Inadequate Encryption Strength vulnerability in Mdaemon 5.0/5.0.6  CVSS 5.5
Alt-N Technologies Mdaemon 5.0 through 5.0.6 uses a weak encryption algorithm to store user passwords, which allows local users to crack passwords.

2002-12-31  CVE-2002-1713  Mandrakesoft  Incorrect Default Permissions vulnerability in Mandrakesoft Mandrake Linux 8.2  CVSS 5.5
The Standard security setting for the Mandrake-Security package (msec) in Mandrake 8.2 installs home directories with world-readable permissions, which could allow local users to read other users' files.

2002-12-31  CVE-2002-1696  PGP  Cleartext Storage of Sensitive Information vulnerability in PGP Personal Privacy 7.0/7.0.3/7.0.4  CVSS 5.5
The Microsoft Outlook plug-in of PGP version 7.0, 7.0.3, and 7.0.4 silently saves a decrypted copy of a message to hard disk when the "Automatically decrypt/verify when opening messages" option is checked, the "Always use Secure Viewer when decrypting" option is not checked, and the user replies to an encrypted message.

2002-12-31  CVE-2002-1682  Daansystems  Inadequate Encryption Strength vulnerability in Daansystems Newsreactor 1.0  CVSS 5.5
NewsReactor 1.0 uses a weak encryption scheme, which could allow local users to decrypt the passwords and gain access to other users' newsgroup accounts.

1 Low Vulnerability

DATE  CVE  VENDOR  VULNERABILITY  CVSS

2002-12-31  CVE-2002-1869  Heysoft  Improper Locking vulnerability in Heysoft Eventsave and Eventsave+  CVSS 3.3
Heysoft EventSave 5.1 and 5.2 and Heysoft EventSave+ 5.1 and 5.2 do not check whether the log file can be written to, which allows attackers to prevent events from being recorded by opening the log file using an application such as Microsoft's Event Viewer.