Weekly Vulnerabilities Reports > August 18 to 24, 2003

Overview

60 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 24 high severity vulnerabilities. This weekly summary reports vulnerabilities in 57 products from 44 vendors, including Microsoft, SGI, IBM, Apache, and Gert Doering. The most common categories are "Information Exposure" and "Improper Input Validation".

  • 41 reported vulnerabilities are remotely exploitable.
  • 60 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Digi FX has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL VULNERABILITIES: 60
CRITICAL RISK VULNERABILITIES: 6
HIGH RISK VULNERABILITIES: 24
MEDIUM RISK VULNERABILITIES: 28
LOW RISK VULNERABILITIES: 2
REMOTELY EXPLOITABLE: 41
LOCALLY EXPLOITABLE: not given
EXPLOIT AVAILABLE: not given
EXPLOITABLE ANONYMOUSLY: 60
AFFECTING WEB APPLICATION: not given

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:


6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-19 CVE-2003-1202 Omail Remote Command Execution vulnerability in Omail Webmail 0.97.3/0.98.4

The checklogin function in omail.pl for omail webmail 0.98.4 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) password, (2) domainname, or (3) username.

10.0
2003-08-18 CVE-2003-0589 Digi FX Security Bypass vulnerability in Digi-Fx Digi-Ads 1.1

admin.php in Digi-ads 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password.

10.0
2003-08-18 CVE-2003-0588 Digi FX Security Bypass vulnerability in Digi-Fx Digi-News 1.1

admin.php in Digi-news 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password.

10.0
2003-08-18 CVE-2003-0560 Virtual Programming SQL Injection vulnerability in Virtual Programming Vp-Asp 5.0

SQL injection vulnerability in shopexd.asp for VP-ASP allows remote attackers to gain administrator privileges via the id parameter.

10.0
2003-08-18 CVE-2003-0522 Early Impact SQL-Injection vulnerability in ProductCart

Multiple SQL injection vulnerabilities in ProductCart 1.5 through 2 allow remote attackers to (1) gain access to the admin control panel via the idadmin parameter to login.asp or (2) gain other privileges via the Email parameter to Custva.asp.

10.0
2003-08-18 CVE-2003-0252 NFS Remote Buffer Overrun vulnerability in NFS-Utils Xlog

Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.

10.0
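The two Digi-FX entries above (CVE-2003-0588 and CVE-2003-0589) share one defect: admin.php treats a cookie whose username field equals the administrator's name as proof of login, so no password is ever checked. The Python below is an added illustration written for this report, not code from Digi-News or Digi-Ads. It models that condition beside a version that only honours a username cookie carrying a server-issued HMAC. The admin name, password hash and session key are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo account; nothing here comes from the Digi-FX products.
ADMIN_NAME = "admin"
ADMIN_PASSWORD_HASH = hashlib.sha256(b"correct horse").hexdigest()

# Server-side key for signing session cookies in the hardened check.
# Assumption: a real deployment loads this from configuration, not source.
SESSION_KEY = secrets.token_bytes(32)


def is_admin_vulnerable(cookies):
    """Models the admin.php condition: the username cookie alone grants admin.

    Anyone who knows the administrator's display name sets
    username=<that name> in their own cookie jar and is never asked
    for a password.
    """
    return cookies.get("username") == ADMIN_NAME


def sign(username):
    """MAC over the username with the server key; forgeable only with the key."""
    return hmac.new(SESSION_KEY, username.encode(), "sha256").hexdigest()


def login(username, password):
    """Checks the password and, on success, issues a signed session cookie."""
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if username != ADMIN_NAME or not hmac.compare_digest(supplied, ADMIN_PASSWORD_HASH):
        return None
    return {"username": username, "sig": sign(username)}


def is_admin_hardened(cookies):
    """Trusts the username cookie only when its MAC verifies."""
    username = cookies.get("username", "")
    sig = cookies.get("sig", "")
    return username == ADMIN_NAME and hmac.compare_digest(sig, sign(username))
```

The same pattern applies to the Ultimate Bulletin Board entry in the Medium table (CVE-2003-0587), where the "ubber" cookie carries a display name the server renders and trusts: any field the client can set must be either signed by the server or looked up server-side against a session, never taken as an identity assertion on its own.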

24 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-18 CVE-2003-0567 Cisco Improper Input Validation vulnerability in Cisco products

Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full.

7.8
2003-08-20 CVE-2003-1063 SUN Unspecified vulnerability in SUN Solaris and Sunos

The patches (1) 105693-13, (2) 108800-02, (3) 105694-13, and (4) 108801-02 for cachefs on Solaris 2.6 and 7 overwrite the inetd.conf file, which may silently reenable services and allow remote attackers to bypass the intended security policy.

7.5
2003-08-18 CVE-2003-0586 Brooky Remote Security vulnerability in Brooky Estore 1.0.2B

Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to obtain sensitive path information via a direct HTTP request to settings.inc.php.

7.5
2003-08-18 CVE-2003-0585 Brooky SQL-Injection vulnerability in Brooky Estore 1.0.2B

SQL injection vulnerability in login.asp of Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to bypass authentication and execute arbitrary SQL code via the (1) user or (2) pass parameters.

7.5
2003-08-18 CVE-2003-0581 Xfstt Unspecified vulnerability in Xfstt 1.2.1/1.4

X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a (1) FS_QueryXExtents8 or (2) FS_QueryXBitmaps8 packet, and possibly other types of packets, with a large num_ranges value, which causes an out-of-bounds array access.

7.5
2003-08-18 CVE-2003-0577 Mpg123 Unspecified vulnerability in Mpg123 0.59R/Pre0.59S

mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size.

7.5
2003-08-18 CVE-2003-0561 Iglooftp Remote Security vulnerability in Iglooftp PRO 3.8

Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers to execute arbitrary code via (1) a long FTP banner, or long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands.

7.5
2003-08-18 CVE-2003-0559 Phpforum Remote Security vulnerability in PHPforum 2.0Rc1

mainfile.php in phpforum 2 RC-1, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by modifying the MAIN_PATH parameter to reference a URL on a remote web server that contains the code.

7.5
2003-08-18 CVE-2003-0558 Leapware Remote Security vulnerability in Leapware Leapftp 2.7.3.600

Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request.

7.5
2003-08-18 CVE-2003-0557 Lagarde Unspecified vulnerability in Lagarde Storefront

SQL injection vulnerability in login.asp for StoreFront 6.0, and possibly earlier versions, allows remote attackers to obtain sensitive user information via SQL statements in the password field.

7.5
2003-08-18 CVE-2003-0555 Imagemagick Denial-Of-Service vulnerability in Imagemagick 5.4.3

ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a "%x" filename, possibly triggering a format string vulnerability.

7.5
2003-08-18 CVE-2003-0553 Netscape Remote Security vulnerability in Netscape Navigator 7.0.2

Buffer overflow in the Client Detection Tool (CDT) plugin (npcdt.dll) for Netscape 7.02 allows remote attackers to execute arbitrary code via an attachment with a long filename.

7.5
2003-08-18 CVE-2003-0538 Mozart Remote Security vulnerability in Mozart 1.2.3/1.2.5

The mailcap file for mozart 1.2.5 and earlier causes Oz applications to be passed to the Oz interpreter, which allows remote attackers to execute arbitrary Oz programs in a MIME-aware client program.

7.5
2003-08-18 CVE-2003-0516 Gert Doering Remote Security vulnerability in mgetty

cnd.c in mgetty 1.1.28 and earlier does not properly filter non-printable characters and quotes, which may allow remote attackers to execute arbitrary commands via shell metacharacters in (1) caller ID or (2) caller name strings.

7.5
2003-08-18 CVE-2003-0515 Teapop Unspecified vulnerability in Teapop 0.3.4/0.3.5

SQL injection vulnerabilities in the (1) PostgreSQL or (2) MySQL authentication modules for teapop 0.3.5 and earlier allow attackers to execute arbitrary SQL and possibly gain privileges.

7.5
2003-08-18 CVE-2003-0352 Microsoft Buffer Overrun vulnerability in Microsoft Windows DCOM RPC Interface

Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.

7.5
2003-08-18 CVE-2003-0345 Microsoft Buffer Overflow vulnerability in Microsoft Windows 2000, Windows NT and Windows XP

Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.

7.5
2003-08-18 CVE-2003-0584 Tolis Group Local Security vulnerability in BRU

Format string vulnerability in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via format string specifiers in a command line argument.

7.2
2003-08-18 CVE-2003-0583 Tolis Group Local Security vulnerability in BRU

Buffer overflow in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via a long command line argument.

7.2
2003-08-18 CVE-2003-0580 IBM Local Security vulnerability in IBM U2 Universe 10.0.0.9

Buffer overflow in uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier allows the uvadm user to execute arbitrary code via a long -uv.install command line argument.

7.2
2003-08-18 CVE-2003-0574 SGI Unspecified vulnerability in SGI Irix

Unknown vulnerability in SGI IRIX 6.5.x through 6.5.20, and possibly earlier versions, allows local users to cause a core dump in scheme and possibly gain privileges via certain environment variables, a different vulnerability than CVE-2001-0797 and CVE-1999-0028.

7.2
2003-08-18 CVE-2003-0535 Xblockout Unspecified vulnerability in Xblockout XBL 1.0I/1.0K/1.1

Buffer overflow in xbl 1.0k and earlier allows local users to gain privileges via a long -display command line option.

7.2
2003-08-18 CVE-2003-0496 Microsoft Unspecified vulnerability in Microsoft Windows 2000 and Windows 2000 Terminal Services

Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file.

7.2
2003-08-18 CVE-2003-0590 Splatt Cross-Site Scripting vulnerability in Splatt Forum

Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote attackers to insert arbitrary HTML and web script via the post icon (image_subject) field.

7.1
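Several entries in the Critical and High tables are the same bug in different storefronts: VP-ASP shopexd.asp (CVE-2003-0560, the id parameter), ProductCart login.asp (CVE-2003-0522), Brooky eStore login.asp (CVE-2003-0585), StoreFront login.asp (CVE-2003-0557, data extraction through the password field) and the Teapop authentication modules (CVE-2003-0515). The Python below is an added example, not code from any of those products. It uses an in-memory SQLite table with constructed rows: a login query built by string interpolation is bypassed by three payloads, a numeric id lookup is hijacked by an OR clause, and the parameterized equivalents reject all of them.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows (not real product data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT, is_admin INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!', 1)")
    conn.execute("INSERT INTO users VALUES (2, 'alice', 'alicepw', 0)")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """The login.asp anti-pattern: both fields spliced into the SQL text."""
    sql = (
        "SELECT name, is_admin FROM users "
        f"WHERE name = '{user}' AND pass = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, user, password):
    """Same query with bound parameters; input can never change the statement."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND pass = ?"
    return conn.execute(sql, (user, password)).fetchone()


def lookup_by_id_vulnerable(conn, id_param):
    """The shopexd.asp-style numeric parameter, unquoted and unvalidated."""
    sql = f"SELECT name, is_admin FROM users WHERE id = {id_param}"
    return conn.execute(sql).fetchone()


def lookup_by_id_safe(conn, id_param):
    """Coerces to int first (raises ValueError on junk) and binds the value."""
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE id = ?", (int(id_param),)
    ).fetchone()
```

Three payloads matter here. A comment in the username (`admin' --`) discards the password clause entirely; `' OR '1'='1` in the password makes the WHERE clause true for every row, so the first row (the administrator) is returned; and a UNION in the password field pulls another column out of the table, which is the StoreFront "obtain sensitive user information via SQL statements in the password field" case. None of them survive parameter binding.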
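Omail's checklogin (CVE-2003-1202, Critical table) and mgetty's cnd.c (CVE-2003-0516) fail the same way: strings an attacker controls are pasted into a command line that a shell interprets. The Python below is an added example, not taken from either project. It uses echo as a stand-in for the helper program (an assumption made so the example runs on any POSIX host) and shows the injected command executing, the same input neutralised by shlex.quote, and an allowlist check that rejects the quotes and non-printable characters the mgetty entry mentions before any process is started.

```python
import re
import shlex
import subprocess

# Stand-in for the helper that omail.pl and mgetty hand user-controlled
# strings to (a mail lookup, a caller-ID hook). Assumption made for the
# demo: echo is used so the example runs on any POSIX host.
HELPER = "echo"

# Allowlist: printable, unquoted, bounded. Rejects what mgetty's cnd.c
# failed to filter (quotes, non-printables) and every shell metacharacter.
FIELD_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def checklogin_vulnerable(username, domainname):
    """CVE-2003-1202 pattern: untrusted fields pasted into a shell command line."""
    cmd = f"{HELPER} checking {username}@{domainname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def checklogin_quoted(username, domainname):
    """Still goes through a shell, but each field is wrapped by shlex.quote."""
    cmd = f"{HELPER} checking {shlex.quote(username)}@{shlex.quote(domainname)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def checklogin_hardened(username, domainname):
    """Validates against the allowlist and execs argv directly, no shell at all."""
    for field in (username, domainname):
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"rejected field: {field!r}")
    argv = [HELPER, "checking", f"{username}@{domainname}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout
```

With the username `bob; echo INJECTED`, the vulnerable path runs two commands; the quoted path runs one with the whole string as a single argument; the hardened path refuses the input. Prefer the argv form: quoting is a fallback for the rare case where a shell is genuinely required, and an allowlist on the field is still worth having because the helper program itself may interpret its arguments.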

28 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-18 CVE-2003-0587 Infopop Cross-Site Scripting vulnerability in Infopop Ultimate Bulletin Board 6

Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin Board (UBB) 6.x allows remote authenticated users to execute arbitrary web script and gain administrative access via the "displayed name" attribute of the "ubber" cookie.

6.9
2003-08-18 CVE-2003-0526 Microsoft Unspecified vulnerability in Microsoft ISA Server 2000

Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."

6.8
2003-08-18 CVE-2003-0523 Early Impact Cross-Site Scripting vulnerability in ProductCart

Cross-site scripting (XSS) vulnerability in msg.asp for certain versions of ProductCart allow remote attackers to execute arbitrary web script via the message parameter.

6.8
2003-08-18 CVE-2003-0521 Cpanel Cross-Site Scripting vulnerability in cPanel

Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens.

6.8
2003-08-18 CVE-2003-0192 Apache Unspecified vulnerability in Apache Http Server

Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.

6.4
2003-08-18 CVE-2003-0524 Knoppix Local Security vulnerability in Knoppix 3.1

Qt in Knoppix 3.1 Live CD allows local users to overwrite arbitrary files via a symlink attack on the qt_plugins_3.0rc temporary file in the .qt directory.

6.2
2003-08-18 CVE-2003-0573 SGI Remote Security vulnerability in IRIX

The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, do not perform sufficient sanity checking, with unknown impact.

5.0
2003-08-18 CVE-2003-0572 SGI Denial-Of-Service vulnerability in IRIX

Unknown vulnerability in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows attackers to cause a denial of service (memory consumption).

5.0
2003-08-18 CVE-2003-0556 Polycom Unspecified vulnerability in Polycom Mgc-100, Mgc-25 and Mgc-50

Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester.

5.0
2003-08-18 CVE-2003-0554 Neomodus Unspecified vulnerability in Neomodus Direct Connect 1.0

NeoModus Direct Connect 1.0 build 9, and possibly other versions, allows remote attackers to cause a denial of service (connection and possibly memory exhaustion) via a flood of ConnectToMe requests containing arbitrary IP addresses and ports.

5.0
2003-08-18 CVE-2003-0520 Cerulean Studios Denial Of Service vulnerability in Cerulean Studios Trillian 0.74/1.0

Trillian 1.0 Pro and 0.74 Freeware allows remote attackers to cause a denial of service (crash) via a TypingUser message in which the "TypingUser" string has been modified.

5.0
2003-08-18 CVE-2003-0519 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 5.0/6.0

Certain versions of Internet Explorer 5 and 6, in certain Windows environments, allow remote attackers to cause a denial of service (freeze) via a URL to C:\aux (MS-DOS device name) and possibly other devices.

5.0
2003-08-18 CVE-2003-0465 Linux Unspecified vulnerability in Linux Kernel 2.4.0/2.5.0

The kernel strncpy function in Linux 2.4 and 2.5 does not NUL-pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks.

5.0
2003-08-18 CVE-2003-0456 Deerfield Information Exposure vulnerability in Deerfield Visnetic Website 3.5.13/3.5.15/3.5.17

VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe.

5.0
2003-08-18 CVE-2003-0254 Apache Unspecified vulnerability in Apache Http Server

Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.

5.0
2003-08-18 CVE-2003-0253 Apache Unspecified vulnerability in Apache Http Server

The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.

5.0
2003-08-18 CVE-2003-0176 SGI Denial-Of-Service vulnerability in IRIX

The Name Service Daemon (nsd), when running on an NIS master on SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows remote attackers to cause a denial of service (crash) via a UDP port scan.

5.0
2003-08-18 CVE-2003-0142 Adobe Remote Security vulnerability in Adobe Acrobat Reader 6.0

Adobe Acrobat Reader (acroread) 6, under certain circumstances when running with the "Certified plug-ins only" option disabled, loads plug-ins with signatures used for older versions of Acrobat, which can allow attackers to cause Acrobat to enter Certified mode and run untrusted plugins by modifying the CTIsCertifiedMode function.

5.0
2003-08-18 CVE-2001-1410 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 5.5/6.0

Internet Explorer 6 and earlier allows remote attackers to create chromeless windows using the Javascript window.createPopup method, which could allow attackers to simulate a victim's display and conduct unauthorized activities or steal sensitive data via social engineering.

5.0
2003-08-18 CVE-2003-0579 IBM Local Security vulnerability in IBM U2 Universe 10.0.0.9

uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.

4.6
2003-08-18 CVE-2003-0578 IBM Local Security vulnerability in IBM U2 Universe 10.0.0.9

cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.

4.6
2003-08-18 CVE-2003-0539 Ddskk / Redhat / SKK Local Security vulnerability in SKK 12.1 and Ddskk

skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files.

4.6
2003-08-18 CVE-2003-0537 Daiki Ueno Unspecified vulnerability in Daiki Ueno Liece Emacs IRC Client

The liece Emacs IRC client 2.0+0.20030527 and earlier creates temporary files insecurely, which could allow local users to overwrite arbitrary files as other users.

4.6
2003-08-18 CVE-2003-0518 Apple Unspecified vulnerability in Apple mac OS X and mac OS X Server

The screen saver in MacOS X allows users with physical access to cause the screen saver to crash and gain access to the underlying session via a large number of characters in the password field, possibly triggering a buffer overflow.

4.6
2003-08-18 CVE-2003-0458 HP Privilege Elevation vulnerability in HP NonStop SeeView Server Gateway

Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and G01.00 through G06.20, allows local users to gain additional privileges.

4.6
2003-08-18 CVE-2003-0440 Semi / Debian Local Security vulnerability in Semi 1.14.5 and Wemi 1.14.0

The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files.

4.6
2003-08-18 CVE-2003-0350 Microsoft Privilege Escalation vulnerability in Microsoft Windows Accessibility Utility Manager

The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function.

4.6
2003-08-18 CVE-2003-0177 SGI Local Security vulnerability in IRIX

SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, does not follow "-" entries in the /etc/group file, which may cause subsequent group membership entries to be processed inadvertently.

4.6

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-18 CVE-2003-0536 Phpsysinfo Unspecified vulnerability in PHPsysinfo 2.0/2.1

Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences.

3.6
2003-08-18 CVE-2003-0517 Gert Doering Local Security vulnerability in mgetty

faxrunqd.in in mgetty 1.1.28 and earlier allows local users to overwrite files via a symlink attack on JOB files.

2.1
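Five entries in this report are the same local bug: a program writes a temporary file under a name an attacker can predict (Qt's qt_plugins_3.0rc in CVE-2003-0524, skk/ddskk in CVE-2003-0539, liece in CVE-2003-0537, semi/wemi in CVE-2003-0440, and mgetty's faxrunqd JOB files in CVE-2003-0517), so a symlink planted at that name redirects the write to any file the program can touch. The Python below is an added demonstration, not code from any of those packages. It plays both roles as one user in a scratch directory; in the real cases the victim runs with more privilege than the attacker, which is where the impact comes from.

```python
import os
import stat
import tempfile

# The fixed name from the Knoppix/Qt entry; any predictable name works the same.
PREDICTABLE_NAME = "qt_plugins_3.0rc"


def write_temp_predictable(dirpath, data):
    """Vulnerable pattern: fixed filename, open() with O_CREAT|O_TRUNC follows symlinks."""
    path = os.path.join(dirpath, PREDICTABLE_NAME)
    with open(path, "w") as f:
        f.write(data)
    return path


def write_temp_excl(dirpath, data):
    """Same fixed name, but O_EXCL refuses to open if anything (symlink included) is there."""
    path = os.path.join(dirpath, PREDICTABLE_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def write_temp_safe(dirpath, data):
    """Preferred fix: unpredictable name, O_EXCL and mode 0600 via tempfile.mkstemp."""
    fd, path = tempfile.mkstemp(prefix="qt_plugins_", dir=dirpath)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo():
    """Plays attacker and victim in a scratch directory; returns what each write did."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "victim.conf")   # constructed file the attacker wants to clobber
    with open(target, "w") as f:
        f.write("original\n")

    # Attacker plants a symlink at the predictable name, pointing at the target.
    os.symlink(target, os.path.join(workdir, PREDICTABLE_NAME))

    results = {}

    # Victim's vulnerable write goes through the symlink and overwrites the target.
    write_temp_predictable(workdir, "attacker-chosen\n")
    with open(target) as f:
        results["target_clobbered"] = f.read() == "attacker-chosen\n"

    # O_EXCL sees the planted link as "already exists" and refuses.
    try:
        write_temp_excl(workdir, "data\n")
        results["excl_refused"] = False
    except FileExistsError:
        results["excl_refused"] = True

    # mkstemp: regular file, private mode, name the attacker could not predict.
    safe_path = write_temp_safe(workdir, "data\n")
    st = os.lstat(safe_path)
    results["safe_is_regular"] = stat.S_ISREG(st.st_mode)
    results["safe_mode_0600"] = stat.S_IMODE(st.st_mode) == 0o600
    results["safe_unpredictable"] = os.path.basename(safe_path) != PREDICTABLE_NAME

    for name in os.listdir(workdir):
        os.unlink(os.path.join(workdir, name))
    os.rmdir(workdir)
    return results
```

O_EXCL alone closes the window only if the program also tolerates the failure (a retry loop with a new name, or an error rather than a fallback to the old open); an unpredictable name on top of it is what removes the attacker's ability to pre-plant the link at all, which is why mkstemp is the usual replacement for a hard-coded name under a shared directory.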