Weekly Vulnerabilities Reports > October 20 to 26, 2003

Overview

50 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 22 high severity vulnerabilities. This weekly summary reports vulnerabilities in 65 products from 41 vendors including Microsoft, Phpwebsite, Redhat, SAP, and Cisco. Notable vulnerability categories include "Use of Externally-Controlled Format String".

  • 46 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 50 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

Summary table (column headings only; the counts were not recovered): Total vulnerabilities | Critical risk vulnerabilities | High risk vulnerabilities | Medium risk vulnerabilities | Low risk vulnerabilities | Remotely exploitable | Locally exploitable | Exploit available | Exploitable anonymously | Affecting web application

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-10-20 CVE-2003-0755 Gtkftpd Remote Security vulnerability in Gtkftpd Gtkftp 1.0.2/1.0.3/1.0.4

Buffer overflow in sys_cmd.c for gtkftpd 1.0.4 and earlier allows remote attackers to execute arbitrary code by creating long directory names and listing them with a LIST command.

10.0
2003-10-20 CVE-2003-0745 Castle Rock Computing Unspecified vulnerability in Castle Rock Computing Snmpc

SNMPc 6.0.8 and earlier performs authentication to the server on the client side, which allows remote attackers to gain privileges by decrypting the password that is returned by the server.

10.0
2003-10-20 CVE-2003-0734 Padl Software Remote Security vulnerability in Pam Ldap

Unknown vulnerability in the pam_filter mechanism in pam_ldap before version 162, when LDAP based authentication is being used, allows users to bypass host-based access restrictions and log onto the system.

10.0
2003-10-20 CVE-2003-0732 Cisco Denial-Of-Service vulnerability in Resource Manager

CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to obtain restricted information and possibly gain administrative privileges by changing the "guest" user to the Admin user on the Modify or delete users pages.

10.0
2003-10-20 CVE-2003-0731 Cisco Remote Security vulnerability in Resource Manager

CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to gain administrative privileges via a certain POST request to com.cisco.nm.cmf.servlet.CsAuthServlet, possibly involving the "cmd" parameter with a modifyUser value and a modified "priviledges" parameter.

10.0
2003-10-20 CVE-2003-0347 Microsoft Buffer Overrun vulnerability in Microsoft Visual Basic For Applications Document Handling

Heap-based buffer overflow in VBE.DLL and VBE6.DLL of Microsoft Visual Basic for Applications (VBA) SDK 5.0 through 6.3 allows remote attackers to execute arbitrary code via a document with a long ID parameter.

10.0

22 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-10-20 CVE-2003-0738 Phpwebsite Use of Externally-Controlled Format String vulnerability in PHPwebsite

The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to cause a denial of service (crash) via a long year parameter.

7.8
2003-10-25 CVE-2003-1148 LES Visiteurs Remote File Include vulnerability in LES Visiteurs LES Visiteurs 2.0.1

Multiple PHP remote file inclusion vulnerabilities in J-Pierre DEZELUS Les Visiteurs 2.0.1, as used in phpMyConferences (phpMyConference) 8.0.2 and possibly other products, allow remote attackers to execute arbitrary PHP code via a URL in the lvc_include_dir parameter to (1) config.inc.php or (2) new-visitor.inc.php in common/visiteurs/include/.

7.5
2003-10-20 CVE-2003-0754 Newsphp Security Bypass vulnerability in newsPHP

nphpd.php in newsPHP 216 and earlier allows remote attackers to bypass authentication via an HTTP request with a modified nphp_users array, which is used for authentication.

7.5
2003-10-20 CVE-2003-0752 Attila PHP NET SQL-Injection vulnerability in Attilaphp

SQL injection vulnerability in global.php3 of AttilaPHP 3.0, and possibly earlier versions, allows remote attackers to bypass authentication via a modified cook_id parameter.

7.5
2003-10-20 CVE-2003-0751 PY Membres SQL-Injection vulnerability in Py-Membres 4.0/4.1/4.2

SQL injection vulnerability in pass_done.php for PY-Membres 4.2 and earlier allows remote attackers to execute arbitrary SQL queries via the email parameter.

7.5
2003-10-20 CVE-2003-0750 PY Membres Security Bypass vulnerability in Py-Membres 4.0/4.1/4.2

secure.php in PY-Membres 4.2 and earlier allows remote attackers to bypass authentication by setting the adminpy parameter.

7.5
2003-10-20 CVE-2003-0743 University OF Cambridge Unspecified vulnerability in University of Cambridge Exim

Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which is not properly trimmed before the "(no argument given)" string is appended to the buffer.

7.5
2003-10-20 CVE-2003-0735 Phpwebsite SQL-Injection vulnerability in Phpwebsite

SQL injection vulnerability in the Calendar module of phpWebSite 0.9.x and earlier allows remote attackers to execute arbitrary SQL queries, as demonstrated using the year parameter.

7.5
2003-10-20 CVE-2003-0730 Xfree86 Project, Netbsd Integer Overflow vulnerability in XFree86

Multiple integer overflows in the font libraries for XFree86 4.3.0 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks.

7.5
2003-10-20 CVE-2003-0729 Tellurian Unspecified vulnerability in Tellurian Tftpdnt 1.8/2.0

Buffer overflow in Tellurian TftpdNT 1.8 allows remote attackers to execute arbitrary code via a TFTP request with a long filename.

7.5
2003-10-20 CVE-2003-0725 Realnetworks Remote Buffer Overflow vulnerability in Real Networks Helix Universal Server

Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code.

7.5
2003-10-20 CVE-2003-0724 Compaq Authentication Bypass vulnerability in HP Tru64 SSH Undisclosed RSA Key Potential

ssh on HP Tru64 UNIX 5.1B and 5.1A does not properly handle RSA signatures when digital certificates and RSA keys are used, which could allow local and remote attackers to gain privileges.

7.5
2003-10-20 CVE-2003-0723 Gkrellm Remote Security vulnerability in Gkrellm 2.1.13/2.1.7

Buffer overflow in gkrellmd for gkrellm 2.1.x before 2.1.14 may allow remote attackers to execute arbitrary code.

7.5
2003-10-20 CVE-2003-0709 Whois Remote Security vulnerability in Whois 4.5.7/4.6.6

Buffer overflow in the whois client, which is not setuid but is sometimes called from within CGI programs, may allow remote attackers to execute arbitrary code via a long command line option.

7.5
2003-10-20 CVE-2003-0708 Tomi Manninen Denial-Of-Service vulnerability in Linuxnode

Format string vulnerability in LinuxNode (node) before 0.3.2 may allow attackers to cause a denial of service or execute arbitrary code.

7.5
2003-10-20 CVE-2003-0707 Tomi Manninen Remote Security vulnerability in Linuxnode

Buffer overflow in LinuxNode (node) before 0.3.2 allows remote attackers to execute arbitrary code.

7.5
2003-10-20 CVE-2003-0689 Redhat Unspecified vulnerability in Redhat Enterprise Linux 2.1

The getgrouplist function in GNU libc (glibc) 2.2.4 and earlier allows attackers to cause a denial of service (segmentation fault) and execute arbitrary code when a user is a member of a large number of groups, which can cause a buffer overflow.

7.5
2003-10-20 CVE-2003-0686 Dave Airlie, Redhat Buffer Overflow vulnerability in PAM SMB module

Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code.

7.5
2003-10-20 CVE-2003-0666 Microsoft Unspecified vulnerability in Microsoft Wordperfect Converter

Buffer overflow in Microsoft Wordperfect Converter allows remote attackers to execute arbitrary code via modified data offset and data size parameters in a Corel WordPerfect file.

7.5
2003-10-20 CVE-2003-0665 Microsoft Buffer Overflow vulnerability in Microsoft Access 2000/2002/97

Buffer overflow in the ActiveX control for Microsoft Access Snapshot Viewer for Access 97, 2000, and 2002 allows remote attackers to execute arbitrary code via long parameters to the control.

7.5
2003-10-20 CVE-2003-0664 Microsoft Unspecified vulnerability in Microsoft Word and Works

Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document.

7.5
2003-10-20 CVE-2003-0630 Atari800 Unspecified vulnerability in Atari800

Multiple buffer overflows in the atari800.svgalib setuid program of the Atari 800 emulator (atari800) before 1.2.2 allow local users to gain privileges via long command line arguments, as demonstrated with the -osa_rom argument.

7.2

21 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2003-10-20 CVE-2003-0749 SAP Cross-Site Scripting vulnerability in SAP Internet Transaction Server 4620.2.0.323011

Cross-site scripting (XSS) vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to insert arbitrary web script and steal cookies via the ~service parameter.

6.8
2003-10-20 CVE-2003-0736 Phpwebsite Cross-Site Scripting vulnerability in Phpwebsite

Multiple cross-site scripting (XSS) vulnerabilities in phpWebSite 0.9.x and earlier allow remote attackers to execute arbitrary web script via (1) the day parameter in the calendar module, (2) the fatcat_id parameter in the fatcat module, (3) the PAGE_id parameter in the pagemaster module, (4) the PDA_limit parameter in the search, and (5) possibly other parameters in the calendar, fatcat, and pagemaster modules.

6.8
2003-10-20 CVE-2003-0733 BEA Cross-Site Scripting vulnerability in Bea WebLogic/Liquid Data

Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integration 7.0 and 2.0, Liquid Data 1.1, and WebLogic Server and Express 5.1 through 7.0, allow remote attackers to execute arbitrary web script and steal authentication credentials via (1) a forward instruction to the Servlet container or (2) other vulnerabilities in the WebLogic Server console application.

6.8
2003-10-20 CVE-2003-0728 Horde Remote Security vulnerability in Horde

Horde before 2.2.4 allows remote malicious web sites to steal session IDs and read or create arbitrary email by stealing the ID from a referrer URL.

6.4
2003-10-20 CVE-2003-0726 Realnetworks Unspecified vulnerability in Realnetworks products

RealOne player allows remote attackers to execute arbitrary script in the "My Computer" zone via a SMIL presentation with a URL that references a scripting protocol, which is executed in the security context of the previously loaded URL, as demonstrated using a "javascript:" URL in the area tag.

5.1
2003-10-25 CVE-2003-1181 Advanced Poll Unspecified vulnerability in Advanced Poll Advanced Poll 2.0.2

Advanced Poll 2.0.2 allows remote attackers to obtain sensitive information via an HTTP request to info.php, which invokes the phpinfo() function.

5.0
2003-10-20 CVE-2003-0757 Checkpoint Unspecified vulnerability in Checkpoint Firewall-1 4.0/4.1

Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet.

5.0
2003-10-20 CVE-2003-0756 Sitebuilder Directory Traversal vulnerability in Sitebuilder 1.4

Directory traversal vulnerability in sitebuilder.cgi in SiteBuilder 1.4 allows remote attackers to read arbitrary files via ..

5.0
2003-10-20 CVE-2003-0753 Newsphp Remote Security vulnerability in newsPHP

nphpd.php in newsPHP 216 and earlier allows remote attackers to read arbitrary files via a full pathname to the target file in the nphp_config[LangFile] parameter.

5.0
2003-10-20 CVE-2003-0748 SAP Directory Traversal File Disclosure vulnerability in SAP Internet Transaction Server 4620.2.0.323011

Directory traversal vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the ~theme parameter and a ~template parameter with a filename followed by space characters, which can prevent SAP from effectively adding a .html extension to the filename.

5.0
2003-10-20 CVE-2003-0747 SAP Information Disclosure vulnerability in SAP Internet Transaction Server 4620.2.0.323011

wgate.dll in SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to obtain potentially sensitive information such as directory structure and operating system via incorrect parameters (1) ~service, (2) ~templatelanguage, (3) ~language, (4) ~theme, or (5) ~template, which leaks the information in the resulting error message.

5.0
2003-10-20 CVE-2003-0746 HP Denial-Of-Service vulnerability in HP OpenView

Various Distributed Computing Environment (DCE) implementations, including HP OpenView, allow remote attackers to cause a denial of service (process hang or termination) via certain malformed inputs, as triggered by attempted exploits against the vulnerabilities CVE-2003-0352 or CVE-2003-0605, such as the Blaster/MSblast/LovSAN worm.

5.0
2003-10-20 CVE-2003-0744 Leafnode Remote Denial of Service vulnerability in Leafnode fetchnews Client

The fetchnews NNTP client in leafnode 1.9.3 to 1.9.41 allows remote attackers to cause a denial of service (process hang and termination) via certain malformed Usenet news articles that cause fetchnews to hang while waiting for input.

5.0
2003-10-20 CVE-2003-0737 Phpwebsite Remote Security vulnerability in Phpwebsite

The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to obtain the full pathname of phpWebSite via an invalid year, which generates an error from localtime() in TimeZone.php of the Pear library.

5.0
2003-10-20 CVE-2003-0702 ISS Unspecified vulnerability in ISS Realsecure Server Sensor 7.0

Unknown vulnerability in an ISAPI plugin for ISS Server Sensor 7.0 XPU 20.16, 20.18, and possibly other versions before 20.19, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code in Internet Information Server (IIS) via a certain URL through SSL.

5.0
2003-10-20 CVE-2003-0688 Redhat, Sendmail, SGI, Compaq, Freebsd, Openbsd Denial-Of-Service vulnerability in Sendmail

The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.

5.0
2003-10-20 CVE-2003-0661 Microsoft Unspecified vulnerability in Microsoft products

The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information.

5.0
2003-10-20 CVE-2003-0658 Caldera, SCO Information Disclosure vulnerability in Docview

Docview before 1.1-18 in Caldera OpenLinux 3.1.1, SCO Linux 4.0, and OpenServer 5.0.7 configures the Apache web server in a way that allows remote attackers to read arbitrary publicly readable files via a certain URL, possibly related to rewrite rules.

5.0
2003-10-20 CVE-2003-0740 Stunnel Unspecified vulnerability in Stunnel

Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor returned by listen(), which allows local users to hijack the Stunnel server.

4.6
2003-10-20 CVE-2003-0739 Vmware Local Security vulnerability in Workstation

VMware Workstation 4.0.1 for Linux, build 5289 and earlier, allows local users to delete arbitrary files via a symlink attack.

4.6
2003-10-23 CVE-2003-1136 CHI Kien Uong HTML Injection vulnerability in CHI Kien Uong CHI Kien Uong Guestbook 1.51

Cross-site scripting (XSS) vulnerability in Chi Kien Uong Guestbook 1.51 allows remote attackers to inject arbitrary web script or HTML via (1) HTML in a posted message or (2) Javascript in an onmouseover attribute in an e-mail address or URL.

4.3

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2003-10-20 CVE-2003-0727 Oracle Unspecified vulnerability in Oracle Database Server

Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.

2.1