Weekly Vulnerabilities Reports > August 25 to 31, 2003

Overview

95 new vulnerabilities were reported during this period, including 7 critical vulnerabilities and 34 high severity vulnerabilities. This weekly summary reports vulnerabilities in 85 products from 50 vendors including Microsoft, Redhat, Apple, Novell, and Linux. The vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls" and "Cryptographic Issues".

  • 67 reported vulnerabilities are remotely exploitable.
  • 95 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 12 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

Summary table (column headings only; the counts were not preserved on this page): Total vulnerabilities | Critical risk vulnerabilities | High risk vulnerabilities | Medium risk vulnerabilities | Low risk vulnerabilities | Remotely exploitable | Locally exploitable | Exploit available | Exploitable anonymously | Affecting web application

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


7 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-27 CVE-2003-0640 BEA Remote Security vulnerability in Weblogic Server

BEA WebLogic Server and Express, when using NodeManager to start servers, provides Operator users with privileges to overwrite usernames and passwords, which may allow Operators to gain Admin privileges.

10.0
2003-08-27 CVE-2003-0599 Phpgroupware Remote Security vulnerability in PHPgroupware 0.9.16Prerc

Unknown vulnerability in the Virtual File System (VFS) capability for phpGroupWare 0.9.16preRC and versions before 0.9.14.004 with unknown implications, related to the VFS path being under the web document root.

10.0
2003-08-27 CVE-2003-0575 SGI Privilege Escalation vulnerability in SGI IRIX NSD AUTH_UNIX GID List

Heap-based buffer overflow in the name services daemon (nsd) in SGI IRIX 6.5.x through 6.5.21f, and possibly earlier versions, allows attackers to gain root privileges via the AUTH_UNIX gid list.

10.0
2003-08-27 CVE-2003-0502 Apple Denial-Of-Service vulnerability in Darwin Streaming Server

Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a ..

10.0
2003-08-27 CVE-2003-0466 Redhat, Washington University, Apple, Freebsd, Netbsd, Openbsd, SUN Buffer Overflow vulnerability in Multiple Vendor C Library realpath() Off-By-One

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

10.0
2003-08-27 CVE-2003-0426 Apple Remote Security vulnerability in Apple Darwin Streaming Server 4.1.3

The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator.

10.0
2003-08-27 CVE-2003-0421 Apple Denial-Of-Service vulnerability in Apple Darwin Streaming Server 4.1.3

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g.

10.0

34 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-27 CVE-2003-0701 Microsoft Unspecified vulnerability in Microsoft IE and Internet Explorer

Buffer overflow in Internet Explorer 6 SP1 for certain languages that support double-byte encodings (e.g., Japanese) allows remote attackers to execute arbitrary code via the Type property of an Object tag, a variant of CVE-2003-0344.

7.5
2003-08-27 CVE-2003-0699 Redhat Remote Security vulnerability in Linux Advanced Work Station

The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700.

7.5
2003-08-27 CVE-2003-0685 Netris Unspecified vulnerability in Netris 0.3/0.4/0.5

Buffer overflow in Netris 0.52 and earlier, and possibly other versions, allows remote malicious Netris servers to execute arbitrary code on netris clients via a long server response.

7.5
2003-08-27 CVE-2003-0672 Leon J Breedt Unspecified vulnerability in Leon J Breedt Pam-Pgsql 0.5.1/0.5.2

Format string vulnerability in pam-pgsql 0.5.2 and earlier allows remote attackers to execute arbitrary code via the username that is provided during authentication, which is not properly handled when recording a log message.

7.5
2003-08-27 CVE-2003-0657 Phpgroupware SQL-Injection vulnerability in Phpgroupware

Multiple SQL injection vulnerabilities in the infolog module for phpgroupware 0.9.14 and earlier could allow remote attackers to conduct unauthorized database actions.

7.5
2003-08-27 CVE-2003-0654 Autorespond Unspecified vulnerability in Autorespond 2.0.2

Buffer overflow in autorespond may allow remote attackers to execute arbitrary code as the autorespond user via qmail.

7.5
2003-08-27 CVE-2003-0651 MOD Mylo Buffer Overflow vulnerability in MOD Mylo MOD Mylo 0.1/2.0/2.1

Buffer overflow in the mylo_log logging function for mod_mylo 0.2.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

7.5
2003-08-27 CVE-2003-0650 Gamespy File Corruption vulnerability in Gamespy Arcade GSAPAK.EXE .APK Extraction

Directory traversal vulnerability in GSAPAK.EXE for GameSpy Arcade, possibly versions before 1.3e, allows remote attackers to overwrite arbitrary files and execute arbitrary code via ..

7.5
2003-08-27 CVE-2003-0647 Cisco Remote Security vulnerability in IOS

Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allows remote attackers to execute arbitrary code via an extremely long (2GB) HTTP GET request.

7.5
2003-08-27 CVE-2003-0646 Trend Micro Unspecified vulnerability in Trend Micro Damage Cleanup Server and Housecall

Multiple buffer overflows in ActiveX controls used by Trend Micro HouseCall 5.5 and 5.7, and Damage Cleanup Server 1.0, allow remote attackers to execute arbitrary code via long parameter strings.

7.5
2003-08-27 CVE-2003-0638 Novell Denial-Of-Service vulnerability in Novell Ichain 2.1

Multiple buffer overflows in Novell iChain 2.1 before Field Patch 3, and iChain 2.2 before Field Patch 1a, allow attackers to cause a denial of service (ABEND) and possibly execute arbitrary code via (1) a long user name or (2) an unknown attack related to a "special script against login."

7.5
2003-08-27 CVE-2003-0636 Novell Remote Security vulnerability in Novell Ichain 2.2

Novell iChain 2.2 before Support Pack 1 does not properly verify that URL redirects match the DNS name of an accelerator, which allows attackers to redirect URLs to malicious web sites.

7.5
2003-08-27 CVE-2003-0634 Oracle Buffer Overflow vulnerability in Oracle Database Server EXTPROC

Stack-based buffer overflow in the PL/SQL EXTPROC functionality for Oracle9i Database Release 2 and 1, and Oracle 8i, allows authenticated database users, and arbitrary database users in some cases, to execute arbitrary code via a long library name.

7.5
2003-08-27 CVE-2003-0632 Oracle Remote Security vulnerability in Oracle Applications and E-Business Suite

Buffer overflow in the Oracle Applications Web Report Review (FNDWRR) CGI program (FNDWRR.exe) of Oracle E-Business Suite 11.0 and 11.5.1 through 11.5.8 may allow remote attackers to execute arbitrary code via a long URL.

7.5
2003-08-27 CVE-2003-0616 Mcafee Unspecified vulnerability in Mcafee Epolicy Orchestrator 2.0/2.5/2.5.1

Format string vulnerability in ePO service for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request with format strings in the computerlist parameter, which are used when logging a failed name resolution.

7.5
2003-08-27 CVE-2003-0605 Microsoft Unspecified vulnerability in Microsoft Windows 2000

The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.

7.5
2003-08-27 CVE-2003-0604 Microsoft Security Bypass vulnerability in Windows Media Player 7/8

Windows Media Player (WMP) 7 and 8, as running on Internet Explorer and possibly other Microsoft products that process HTML, allows remote attackers to bypass zone restrictions and access or execute arbitrary files via an IFRAME tag pointing to an ASF file whose Content-location contains a File:// URL.

7.5
2003-08-27 CVE-2003-0595 Witango Remote Security vulnerability in Witango Tango Server and Witango Server

Buffer overflow in WiTango Application Server and Tango 2000 allows remote attackers to execute arbitrary code via a long cookie to Witango_UserReference.

7.5
2003-08-27 CVE-2003-0546 Redhat Unspecified vulnerability in Redhat Up2Date 3.0.71/3.1.231

up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.

7.5
2003-08-27 CVE-2003-0532 Microsoft Unspecified vulnerability in Microsoft IE and Internet Explorer

Internet Explorer 5.01 SP3 through 6.0 SP1 does not properly determine object types that are returned by web servers, which could allow remote attackers to execute arbitrary code via an object tag with a data parameter to a malicious file hosted on a server that returns an unsafe Content-Type, aka the "Object Type" vulnerability.

7.5
2003-08-27 CVE-2003-0531 Microsoft Unspecified vulnerability in Microsoft IE and Internet Explorer

Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to access and execute script in the My Computer domain using the browser cache via crafted Content-Type and Content-Disposition headers, aka the "Browser Cache Script Execution in My Computer Zone" vulnerability.

7.5
2003-08-27 CVE-2003-0530 Microsoft Unspecified vulnerability in Microsoft IE and Internet Explorer

Buffer overflow in the BR549.DLL ActiveX control for Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to execute arbitrary code.

7.5
2003-08-27 CVE-2003-0353 Microsoft Buffer Overflow vulnerability in Microsoft Data Access Components ODBC

Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.

7.5
2003-08-27 CVE-2003-0346 Microsoft Unspecified vulnerability in Microsoft Directx

Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.

7.5
2003-08-27 CVE-2003-0149 Mcafee Unspecified vulnerability in Mcafee Epolicy Orchestrator 2.0/2.5/2.5.1

Heap-based buffer overflow in ePO agent for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request containing long parameters.

7.5
2003-08-27 CVE-2003-0671 Jeremy Elson Unspecified vulnerability in Jeremy Elson Tcpflow

Format string vulnerability in tcpflow, when used in a setuid context, allows local users to execute arbitrary code via the device name argument, as demonstrated in Sustworks IPNetSentryX and IPNetMonitorX the setuid program RunTCPFlow.

7.2
2003-08-27 CVE-2003-0655 Cdrtools Local Security vulnerability in Cdrtools 2.0/2.0.3

rscsi in cdrtools 2.01 and earlier allows local users to overwrite arbitrary files and gain root privileges by specifying the target file as a command line argument, which is modified while rscsi is running with privileges.

7.2
2003-08-27 CVE-2003-0649 Xpcd Unspecified vulnerability in Xpcd

Buffer overflow in xpcd-svga for xpcd 2.08 and earlier allows local users to execute arbitrary code via a long HOME environment variable.

7.2
2003-08-27 CVE-2003-0631 Vmware Local Security vulnerability in Workstation

VMware GSX Server 2.5.1 build 4968 and earlier, and Workstation 4.0 and earlier, allows local users to gain root privileges via certain environment variables that are used when launching a virtual machine session.

7.2
2003-08-27 CVE-2003-0609 SUN Unspecified vulnerability in SUN Solaris and Sunos

Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.

7.2
2003-08-27 CVE-2003-0597 SCO Unspecified vulnerability in SCO Openserver 5.0.6/5.0.7

Unknown vulnerability in display of Merge before 5.3.23a in UnixWare 7.1.x allows local users to gain root privileges.

7.2
2003-08-27 CVE-2003-0232 Microsoft Unspecified vulnerability in Microsoft Data Engine and SQL Server

Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow.

7.2
2003-08-27 CVE-2003-0230 Microsoft Permissions, Privileges, and Access Controls vulnerability in Microsoft Data Engine and SQL Server

Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability.

7.2
2003-08-27 CVE-2003-0148 Mcafee Unspecified vulnerability in Mcafee Epolicy Orchestrator

The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 through 3.0 allows attackers to execute arbitrary code via a series of steps that (1) obtain the database administrator username and encrypted password in a configuration file from the ePO server using a certain request, (2) crack the password due to weak cryptography, and (3) use the password to pass commands through xp_cmdshell.

7.2

44 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-27 CVE-2003-0602 Mozilla Local Dependency Graph HTML Injection vulnerability in Bugzilla

Multiple cross-site scripting vulnerabilities (XSS) in Bugzilla 2.16.x before 2.16.3 and 2.17.x before 2.17.4 allow remote attackers to insert arbitrary HTML or web script via (1) multiple default German and Russian HTML templates or (2) ALT and NAME attributes in AREA tags as used by the GraphViz graph generation feature for local dependency graphs.

6.8
2003-08-27 CVE-2003-0625 Xfstt Memory Disclosure vulnerability in Xfstt 1.2.1/1.4

Off-by-one error in certain versions of xfstt allows remote attackers to read potentially sensitive memory via a malformed client request in the connection handshake, which leaks the memory in the server's response.

6.4
2003-08-27 CVE-2003-0677 Cisco Denial-Of-Service vulnerability in Cisco Webns 5.00.038S

Cisco CSS 11000 routers on the CS800 chassis allow remote attackers to cause a denial of service (CPU consumption or reboot) via a large number of TCP SYN packets to the circuit IP address, aka "ONDM Ping failure."

5.0
2003-08-27 CVE-2003-0676 SUN Directory Traversal vulnerability in SUN Iplanet Directory Server and ONE Directory Server

Directory traversal vulnerability in ViewLog for iPlanet Administration Server 5.1 (aka Sun ONE) allows remote attackers to read arbitrary files via "..%2f" (partially encoded dot dot) sequences.

5.0
2003-08-27 CVE-2003-0653 Netbsd Denial-Of-Service vulnerability in NetBSD

The OSI networking kernel (sys/netiso) in NetBSD 1.6.1 and earlier does not use a BSD-required "PKTHDR" mbuf when sending certain error responses to the sender of an OSI packet, which allows remote attackers to cause a denial of service (kernel panic or crash) via certain OSI packets.

5.0
2003-08-27 CVE-2003-0639 Novell Remote Security vulnerability in Novell Ichain 2.1

Unknown vulnerability in Novell iChain 2.2 before Support Pack 1 allows users to access restricted or secure pages without authentication.

5.0
2003-08-27 CVE-2003-0637 Novell Remote Security vulnerability in Novell Ichain 2.2

Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.

5.0
2003-08-27 CVE-2003-0635 Novell Remote Security vulnerability in Novell Ichain 2.2

Unknown vulnerability or vulnerabilities in Novell iChain 2.2 before Support Pack 1, with unknown impact, possibly related to unauthorized access to (1) NCPIP.NLM and (2) JSTCP.NLM.

5.0
2003-08-27 CVE-2003-0633 Oracle Information Disclosure vulnerability in Oracle Applications and E-Business Suite

Multiple vulnerabilities in aoljtest.jsp of Oracle Applications AOL/J Setup Test Suite in Oracle E-Business Suite 11.5.1 through 11.5.8 allow a remote attacker to obtain sensitive information without authentication, such as the GUEST user password and the application server security key.

5.0
2003-08-27 CVE-2003-0619 Linux Unspecified vulnerability in Linux Kernel

Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.

5.0
2003-08-27 CVE-2003-0610 Mcafee Unspecified vulnerability in Mcafee Epolicy Orchestrator 3.0

Directory traversal vulnerability in ePO agent for McAfee ePolicy Orchestrator 3.0 allows remote attackers to read arbitrary files via a certain HTTP request.

5.0
2003-08-27 CVE-2003-0576 SGI Unspecified vulnerability in SGI Irix

Unknown vulnerability in the NFS daemon (nfsd) in SGI IRIX 6.5.19f and earlier allows remote attackers to cause a denial of service (kernel panic) via certain packets that cause XDR decoding errors, a different vulnerability than CVE-2003-0619.

5.0
2003-08-27 CVE-2003-0562 Novell Unspecified vulnerability in Novell Netware 5.1/6.0

Buffer overflow in the CGI2PERL.NLM PERL handler in Novell Netware 5.1 and 6.0 allows remote attackers to cause a denial of service (ABEND) via a long input string.

5.0
2003-08-27 CVE-2003-0552 Redhat Remote Security vulnerability in Redhat Linux 2.4.2

Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.

5.0
2003-08-27 CVE-2003-0551 Redhat Denial-Of-Service vulnerability in Redhat Linux 2.4.2

The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.

5.0
2003-08-27 CVE-2003-0550 Redhat Remote Security vulnerability in Redhat Linux 2.4.2

The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.

5.0
2003-08-27 CVE-2003-0549 Gnome, Redhat Denial-Of-Service vulnerability in Kdebase

The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name.

5.0
2003-08-27 CVE-2003-0548 Gnome, Redhat Denial-Of-Service vulnerability in Kdebase

The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549.

5.0
2003-08-27 CVE-2003-0540 Wietse Venema, Conectiva Denial of Service vulnerability in Multiple Postfix

The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.

5.0
2003-08-27 CVE-2003-0525 Microsoft Unspecified vulnerability in Microsoft Windows NT 4.0

The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method.

5.0
2003-08-27 CVE-2003-0512 Cisco Cryptographic Issues vulnerability in Cisco IOS

Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge.

5.0
2003-08-27 CVE-2003-0511 Cisco Unspecified vulnerability in Cisco IOS

The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL.

5.0
2003-08-27 CVE-2003-0468 Wietse Venema, Conectiva Denial of Service vulnerability in Multiple Postfix

Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDoS attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.

5.0
2003-08-27 CVE-2003-0467 Linux Unspecified vulnerability in Linux Kernel 2.4.20/2.4.21

Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error.

5.0
2003-08-27 CVE-2003-0460 Apache Unspecified vulnerability in Apache Http Server

The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service.

5.0
2003-08-27 CVE-2003-0459 KDE, Redhat

KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.

5.0
2003-08-27 CVE-2003-0425 Apple Unspecified vulnerability in Apple Darwin Streaming Server 4.1.3

Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ...

5.0
2003-08-27 CVE-2003-0424 Apple Unspecified vulnerability in Apple Darwin Streaming Server 4.1.3

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or .

5.0
2003-08-27 CVE-2003-0423 Apple Unspecified vulnerability in Apple Darwin Streaming Server 4.1.3

parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter.

5.0
2003-08-27 CVE-2003-0422 Apple Unspecified vulnerability in Apple Darwin Streaming Server 4.1.3

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters.

5.0
2003-08-27 CVE-2003-0231 Microsoft Unspecified vulnerability in Microsoft Data Engine and SQL Server

Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe.

5.0
2003-08-27 CVE-2003-0187 Linux Unspecified vulnerability in Linux Kernel 2.4.20

The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.

5.0
2003-08-27 CVE-2002-1566 Netris Remote Memory Corruption vulnerability in Netris 0.3/0.4/0.5

netris 0.5, and possibly other versions before 0.52, when running with the -w (wait) option, allows remote attackers to cause a denial of service (crash) via a long string to port 9284.

5.0
2003-08-27 CVE-2003-0652 Xtokkaetama Local Security vulnerability in Xtokkaetama 1.0B6

Buffer overflow in xtokkaetama allows local users to gain privileges via a long -nickname command line argument, a different vulnerability than CVE-2003-0611.

4.6
2003-08-27 CVE-2003-0645 Andries Brouwer Unspecified vulnerability in Andries Brouwer MAN 2.3.20/2.4.1

man-db 2.3.12 and 2.3.18 to 2.4.1 uses certain user-controlled DEFINE directives from the ~/.manpath file, even when running setuid, which could allow local users to gain privileges.

4.6
2003-08-27 CVE-2003-0641 Watchguard Unspecified vulnerability in Watchguard Serverlock 2.0/2.0.1/2.0.2

WatchGuard ServerLock for Windows 2000 before SL 2.0.3 allows local users to load arbitrary modules via the OpenProcess() function, as demonstrated using (1) a DLL injection attack, (2) ZwSetSystemInformation, and (3) API hooking in OpenProcess.

4.6
2003-08-27 CVE-2003-0620 Andries Brouwer Unspecified vulnerability in Andries Brouwer MAN

Multiple buffer overflows in man-db 2.4.1 and earlier, when installed setuid, allow local users to gain privileges via (1) MANDATORY_MANPATH, MANPATH_MAP, and MANDB_MAP arguments to add_to_dirlist in manp.c, (2) a long pathname to ult_src in ult_src.c, (3) a long .so argument to test_for_include in ult_src.c, (4) a long MANPATH environment variable, or (5) a long PATH environment variable.

4.6
2003-08-27 CVE-2003-0617 Hugo Rabson Unspecified vulnerability in Hugo Rabson Mindi 0.58R5

mindi 0.58 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.

4.6
2003-08-27 CVE-2003-0613 Zblast Local Security vulnerability in zblast

Buffer overflow in zblast-svgalib of zblast 1.2.1 and earlier allows local users to execute arbitrary code via the high score file.

4.6
2003-08-27 CVE-2003-0611 Xtokkaetama Buffer Overflow vulnerability in Xtokkaetama 1.0B6

Multiple buffer overflows in xtokkaetama 1.0 allow local users to gain privileges via a long (1) -display command line argument or (2) XTOKKAETAMADIR environment variable.

4.6
2003-08-27 CVE-2003-0606 Cvsup, SUP

sup 1.8 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.

4.6
2003-08-27 CVE-2003-0464 Redhat Local Security vulnerability in Linux

The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd.

4.6
2003-08-27 CVE-2003-0615 CGI PM, Openpkg, Debian Cross-Site Scripting vulnerability in CGI.pm Start_Form

Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.

4.3
2003-08-27 CVE-2003-0614 Gallery Project Unspecified vulnerability in Gallery Project Gallery

Cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1 through 1.3.4 allows remote attackers to insert arbitrary web script via the searchstring parameter.

4.3

10 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-08-27 CVE-2003-0596 Fdclone Unspecified vulnerability in Fdclone 2.00A

FDclone 2.00a, and other versions before 2.02a, creates temporary directories with predictable names and uses them if they already exist, which allows local users to read or modify files of other fdclone users by creating the directory ahead of time.

3.6
2003-08-27 CVE-2003-0679 SGI Unspecified vulnerability in SGI Irix

Unknown vulnerability in the libcpr library for the Checkpoint/Restart (cpr) system on SGI IRIX 6.5.21f and earlier allows local users to truncate or overwrite certain files.

2.1
2003-08-27 CVE-2003-0670 Sustainable Softworks Local Security vulnerability in Sustainable Softworks Ipnetmonitorx and Ipnetsentryx

Sustworks IPNetSentryX and IPNetMonitorX allow local users to sniff network packets via the setuid helper applications (1) RunTCPDump, which calls tcpdump, and (2) RunTCPFlow, which calls tcpflow.

2.1
2003-08-27 CVE-2003-0656 Eroaster Unspecified vulnerability in Eroaster 2.0.0/2.1.0/2.2.0

eroaster before 2.2.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file that is used as a lockfile.

2.1
2003-08-27 CVE-2003-0642 Watchguard Unspecified vulnerability in Watchguard Serverlock

WatchGuard ServerLock for Windows 2000 before SL 2.0.4 allows local users to access kernel memory via a symlink attack on \Device\PhysicalMemory.

2.1
2003-08-27 CVE-2003-0603 Mozilla Unspecified vulnerability in Mozilla Bugzilla

Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions.

2.1
2003-08-27 CVE-2003-0547 Gnome, Redhat

GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file.

2.1
2003-08-27 CVE-2003-0461 Redhat Unspecified vulnerability in Redhat Linux

/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.

2.1
2003-08-27 CVE-2003-0669 SUN Denial-Of-Service vulnerability in Solaris

Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.

1.2
2003-08-27 CVE-2003-0462 Mandrakesoft, Linux

A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).

1.2