Weekly Vulnerabilities Reports > August 18 to 24, 2003
Overview
57 new vulnerabilities reported during this period, including 6 critical vulnerabilities and 25 high severity vulnerabilities. This weekly summary report vulnerabilities in 57 products from 44 vendors including Microsoft, SGI, IBM, Early Impact, and Digi FX. Vulnerabilities are notably categorized as "Link Following", "Off-by-one Error", "Information Exposure", and "Improper Input Validation".
- 38 reported vulnerabilities are remotely exploitables.
- 55 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 7 reported vulnerabilities.
- Digi FX has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-08-19 | CVE-2003-1202 | Omail | Remote Command Execution vulnerability in Omail Webmail 0.97.3/0.98.4 The checklogin function in omail.pl for omail webmail 0.98.4 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) password, (2) domainname, or (3) username. | 10.0 |
2003-08-18 | CVE-2003-0589 | Digi FX | Security Bypass vulnerability in Digi-Fx Digi-News 1.1 admin.php in Digi-ads 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. | 10.0 |
2003-08-18 | CVE-2003-0588 | Digi FX | Security Bypass vulnerability in Digi-Fx Digi-News 1.1 admin.php in Digi-news 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. | 10.0 |
2003-08-18 | CVE-2003-0560 | Virtual Programming | SQL Injection vulnerability in Virtual Programming Vp-Asp 5.0 SQL injection vulnerability in shopexd.asp for VP-ASP allows remote attackers to gain administrator privileges via the id parameter. | 10.0 |
2003-08-18 | CVE-2003-0522 | Early Impact | SQL-Injection vulnerability in ProductCart Multiple SQL injection vulnerabilities in ProductCart 1.5 through 2 allow remote attackers to (1) gain access to the admin control panel via the idadmin parameter to login.asp or (2) gain other privileges via the Email parameter to Custva.asp. | 10.0 |
2003-08-18 | CVE-2003-0252 | Linux NFS | Off-by-one Error vulnerability in Linux-Nfs Nfs-Utils Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. | 9.8 |
25 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-08-18 | CVE-2003-0578 | IBM | Link Following vulnerability in IBM U2 Universe 10.0.0.9 cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. | 7.8 |
2003-08-18 | CVE-2003-0567 | Cisco | Improper Input Validation vulnerability in Cisco products Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full. | 7.8 |
2003-08-20 | CVE-2003-1063 | SUN | Unspecified vulnerability in SUN Solaris and Sunos The patches (1) 105693-13, (2) 108800-02, (3) 105694-13, and (4) 108801-02 for cachefs on Solaris 2.6 and 7 overwrite the inetd.conf file, which may silently reenable services and allow remote attackers to bypass the intended security policy. | 7.5 |
2003-08-18 | CVE-2003-0586 | Brooky | Remote Security vulnerability in Brooky Estore 1.0.2B Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to obtain sensitive path information via a direct HTTP request to settings.inc.php. | 7.5 |
2003-08-18 | CVE-2003-0585 | Brooky | SQL-Injection vulnerability in Brooky Estore 1.0.2B SQL injection vulnerability in login.asp of Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to bypass authentication and execute arbitrary SQL code via the (1) user or (2) pass parameters. | 7.5 |
2003-08-18 | CVE-2003-0581 | Xfstt | Unspecified vulnerability in Xfstt 1.2.1/1.4 X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a (1) FS_QueryXExtents8 or (2) FS_QueryXBitmaps8 packet, and possibly other types of packets, with a large num_ranges value, which causes an out-of-bounds array access. | 7.5 |
2003-08-18 | CVE-2003-0577 | Mpg123 | Unspecified vulnerability in Mpg123 0.59R/Pre0.59S mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size. | 7.5 |
2003-08-18 | CVE-2003-0561 | Iglooftp | Remote Security vulnerability in Iglooftp PRO 3.8 Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers to execute arbitrary code via (1) a long FTP banner, or long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands. | 7.5 |
2003-08-18 | CVE-2003-0559 | Phpforum | Remote Security vulnerability in PHPforum 2.0Rc1 mainfile.php in phpforum 2 RC-1, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by modifying the MAIN_PATH parameter to reference a URL on a remote web server that contains the code. | 7.5 |
2003-08-18 | CVE-2003-0558 | Leapware | Remote Security vulnerability in Leapware Leapftp 2.7.3.600 Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request. | 7.5 |
2003-08-18 | CVE-2003-0557 | Lagarde | Unspecified vulnerability in Lagarde Storefront SQL injection vulnerability in login.asp for StoreFront 6.0, and possibly earlier versions, allows remote attackers to obtain sensitive user information via SQL statements in the password field. | 7.5 |
2003-08-18 | CVE-2003-0555 | Imagemagick | Denial-Of-Service vulnerability in Imagemagick 5.4.3 ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a "%x" filename, possibly triggering a format string vulnerability. | 7.5 |
2003-08-18 | CVE-2003-0553 | Netscape | Remote Security vulnerability in Netscape Navigator 7.0.2 Buffer overflow in the Client Detection Tool (CDT) plugin (npcdt.dll) for Netscape 7.02 allows remote attackers to execute arbitrary code via an attachment with a long filename. | 7.5 |
2003-08-18 | CVE-2003-0538 | Mozart | Remote Security vulnerability in Mozart 1.2.3/1.2.5 The mailcap file for mozart 1.2.5 and earlier causes Oz applications to be passed to the Oz interpreter, which allows remote attackers to execute arbitrary Oz programs in a MIME-aware client program. | 7.5 |
2003-08-18 | CVE-2003-0516 | Gert Doering | Remote Security vulnerability in mgetty cnd.c in mgetty 1.1.28 and earlier does not properly filter non-printable characters and quotes, which may allow remote attackers to execute arbitrary commands via shell metacharacters in (1) caller ID or (2) caller name strings. | 7.5 |
2003-08-18 | CVE-2003-0515 | Teapop | Unspecified vulnerability in Teapop 0.3.4/0.3.5 SQL injection vulnerabilities in the (1) PostgreSQL or (2) MySQL authentication modules for teapop 0.3.5 and earlier allow attackers to execute arbitrary SQL and possibly gain privileges. | 7.5 |
2003-08-18 | CVE-2003-0352 | Microsoft | Buffer Overrun vulnerability in Microsoft Windows DCOM RPC Interface Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. | 7.5 |
2003-08-18 | CVE-2003-0345 | Microsoft | Buffer Overflow vulnerability in Microsoft Windows 2000, Windows NT and Windows XP Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. | 7.5 |
2003-08-18 | CVE-2003-0584 | Tolis Group | Local Security vulnerability in BRU Format string vulnerability in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via format string specifiers in a command line argument. | 7.2 |
2003-08-18 | CVE-2003-0583 | Tolis Group | Local Security vulnerability in BRU Buffer overflow in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via a long command line argument. | 7.2 |
2003-08-18 | CVE-2003-0580 | IBM | Local Security vulnerability in IBM U2 Universe 10.0.0.9 Buffer overflow in uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier allows the uvadm user to execute arbitrary code via a long -uv.install command line argument. | 7.2 |
2003-08-18 | CVE-2003-0574 | SGI | Unspecified vulnerability in SGI Irix Unknown vulnerability in SGI IRIX 6.5.x through 6.5.20, and possibly earlier versions, allows local users to cause a core dump in scheme and possibly gain privileges via certain environment variables, a different vulnerability than CVE-2001-0797 and CVE-1999-0028. | 7.2 |
2003-08-18 | CVE-2003-0535 | Xblockout | Unspecified vulnerability in Xblockout XBL 1.0I/1.0K/1.1 Buffer overflow in xbl 1.0k and earlier allows local users to gain privileges via a long -display command line option. | 7.2 |
2003-08-18 | CVE-2003-0496 | Microsoft | Unspecified vulnerability in Microsoft Windows 2000 and Windows 2000 Terminal Services Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file. | 7.2 |
2003-08-18 | CVE-2003-0590 | Splatt | Cross-Site Scripting vulnerability in Splatt Forum Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote attackers to insert arbitrary HTML and web script via the post icon (image_subject) field. | 7.1 |
25 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-08-18 | CVE-2003-0587 | Infopop | Cross-Site Scripting vulnerability in Infopop Ultimate Bulletin Board 6 Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin Board (UBB) 6.x allows remote authenticated users to execute arbitrary web script and gain administrative access via the "displayed name" attribute of the "ubber" cookie. | 6.9 |
2003-08-18 | CVE-2003-0526 | Microsoft | Unspecified vulnerability in Microsoft ISA Server 2000 Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." | 6.8 |
2003-08-18 | CVE-2003-0523 | Early Impact | Cross-Site Scripting vulnerability in ProductCart Cross-site scripting (XSS) vulnerability in msg.asp for certain versions of ProductCart allow remote attackers to execute arbitrary web script via the message parameter. | 6.8 |
2003-08-18 | CVE-2003-0521 | Cpanel | Cross-Site Scripting vulnerability in cPanel Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens. | 6.8 |
2003-08-18 | CVE-2003-0524 | Knoppix | Local Security vulnerability in Knoppix 3.1 Qt in Knoppix 3.1 Live CD allows local users to overwrite arbitrary files via a symlink attack on the qt_plugins_3.0rc temporary file in the .qt directory. | 6.2 |
2003-08-18 | CVE-2003-0517 | Mgetty Project | Link Following vulnerability in Mgetty Project Mgetty 1.1.28 faxrunqd.in in mgetty 1.1.28 and earlier allows local users to overwrite files via a symlink attack on JOB files. | 5.5 |
2003-08-18 | CVE-2003-0573 | SGI | Remote Security vulnerability in IRIX The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, do not perform sufficient sanity checking, with unknown impact. | 5.0 |
2003-08-18 | CVE-2003-0572 | SGI | Denial-Of-Service vulnerability in IRIX Unknown vulnerability in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows attackers to cause a denial of service (memory consumption). | 5.0 |
2003-08-18 | CVE-2003-0556 | Polycom | Unspecified vulnerability in Polycom Mgc-100, Mgc-25 and Mgc-50 Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester. | 5.0 |
2003-08-18 | CVE-2003-0554 | Neomodus | Unspecified vulnerability in Neomodus Direct Connect 1.0 NeoModus Direct Connect 1.0 build 9, and possibly other versions, allows remote attackers to cause a denial of service (connection and possibly memory exhaustion) via a flood of ConnectToMe requests containing arbitrary IP addresses and ports. | 5.0 |
2003-08-18 | CVE-2003-0520 | Cerulean Studios | Denial Of Service vulnerability in Cerulean Studios Trillian 0.74/1.0 Trillian 1.0 Pro and 0.74 Freeware allows remote attackers to cause a denial of service (crash) via a TypingUser message in which the "TypingUser" string has been modified. | 5.0 |
2003-08-18 | CVE-2003-0519 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 5.0/6.0 Certain versions of Internet Explorer 5 and 6, in certain Windows environments, allow remote attackers to cause a denial of service (freeze) via a URL to C:\aux (MS-DOS device name) and possibly other devices. | 5.0 |
2003-08-18 | CVE-2003-0465 | Linux | Unspecified vulnerability in Linux Kernel 2.4.0/2.5.0 The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks. | 5.0 |
2003-08-18 | CVE-2003-0456 | Deerfield | Information Exposure vulnerability in Deerfield Visnetic Website 3.5.13/3.5.15/3.5.17 VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe. | 5.0 |
2003-08-18 | CVE-2003-0176 | SGI | Denial-Of-Service vulnerability in IRIX The Name Service Daemon (nsd), when running on an NIS master on SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows remote attackers to cause a denial of service (crash) via a UDP port scan. | 5.0 |
2003-08-18 | CVE-2003-0142 | Adobe | Remote Security vulnerability in Adobe Acrobat Reader 6.0 Adobe Acrobat Reader (acroread) 6, under certain circumstances when running with the "Certified plug-ins only" option disabled, loads plug-ins with signatures used for older versions of Acrobat, which can allow attackers to cause Acrobat to enter Certified mode and run untrusted plugins by modifying the CTIsCertifiedMode function. | 5.0 |
2003-08-18 | CVE-2001-1410 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 5.5/6.0 Internet Explorer 6 and earlier allows remote attackers to create chromeless windows using the Javascript window.createPopup method, which could allow attackers to simulate a victim's display and conduct unauthorized activities or steal sensitive data via social engineering. | 5.0 |
2003-08-18 | CVE-2003-0579 | IBM | Local Security vulnerability in IBM U2 Universe 10.0.0.9 uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. | 4.6 |
2003-08-18 | CVE-2003-0539 | Ddskk Redhat SKK | skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. | 4.6 |
2003-08-18 | CVE-2003-0537 | Daiki Ueno | Unspecified vulnerability in Daiki Ueno Liece Emacs IRC Client The liece Emacs IRC client 2.0+0.20030527 and earlier creates temporary files insecurely, which could allow local users to overwrite arbitrary files as other users. | 4.6 |
2003-08-18 | CVE-2003-0518 | Apple | Unspecified vulnerability in Apple mac OS X and mac OS X Server The screen saver in MacOS X allows users with physical access to cause the screen saver to crash and gain access to the underlying session via a large number of characters in the password field, possibly triggering a buffer overflow. | 4.6 |
2003-08-18 | CVE-2003-0458 | HP | Privilege Elevation vulnerability in HP NonStop SeeView Server Gateway Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and G01.00 through G06.20, allows local users to gain additional privileges. | 4.6 |
2003-08-18 | CVE-2003-0440 | Semi Debian | The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. | 4.6 |
2003-08-18 | CVE-2003-0350 | Microsoft | Privilege Escalation vulnerability in Microsoft Windows Accessibility Utility Manager The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function. | 4.6 |
2003-08-18 | CVE-2003-0177 | SGI | Local Security vulnerability in IRIX SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, does not follow "-" entries in the /etc/group file, which may cause subsequent group membership entries to be processed inadvertently. | 4.6 |
1 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-08-18 | CVE-2003-0536 | Phpsysinfo | Unspecified vulnerability in PHPsysinfo 2.0/2.1 Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. | 3.6 |