Weekly Vulnerabilities Reports > October 20 to 26, 2003
Overview
49 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 22 high severity vulnerabilities. This weekly summary reports vulnerabilities in 62 products from 41 vendors including Microsoft, Phpwebsite, Redhat, SAP, and Cisco. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", among others.
- 45 reported vulnerabilities are remotely exploitable.
- 1 reported vulnerability has a public exploit available.
- 49 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 5 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-10-20 | CVE-2003-0755 | Gtkftpd | Remote Security vulnerability in Gtkftpd Gtkftp 1.0.2/1.0.3/1.0.4: Buffer overflow in sys_cmd.c for gtkftpd 1.0.4 and earlier allows remote attackers to execute arbitrary code by creating long directory names and listing them with a LIST command. | 10.0 |
2003-10-20 | CVE-2003-0745 | Castle Rock Computing | Unspecified vulnerability in Castle Rock Computing Snmpc: SNMPc 6.0.8 and earlier performs authentication to the server on the client side, which allows remote attackers to gain privileges by decrypting the password that is returned by the server. | 10.0 |
2003-10-20 | CVE-2003-0734 | Padl Software | Remote Security vulnerability in Pam Ldap: Unknown vulnerability in the pam_filter mechanism in pam_ldap before version 162, when LDAP based authentication is being used, allows users to bypass host-based access restrictions and log onto the system. | 10.0 |
2003-10-20 | CVE-2003-0732 | Cisco | Denial-Of-Service vulnerability in Resource Manager: CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to obtain restricted information and possibly gain administrative privileges by changing the "guest" user to the Admin user on the Modify or delete users pages. | 10.0 |
2003-10-20 | CVE-2003-0731 | Cisco | Remote Security vulnerability in Resource Manager: CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to gain administrative privileges via a certain POST request to com.cisco.nm.cmf.servlet.CsAuthServlet, possibly involving the "cmd" parameter with a modifyUser value and a modified "priviledges" parameter. | 10.0 |
2003-10-20 | CVE-2003-0347 | Microsoft | Buffer Overrun vulnerability in Microsoft Visual Basic For Applications Document Handling: Heap-based buffer overflow in VBE.DLL and VBE6.DLL of Microsoft Visual Basic for Applications (VBA) SDK 5.0 through 6.3 allows remote attackers to execute arbitrary code via a document with a long ID parameter. | 10.0 |
22 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-10-20 | CVE-2003-0738 | Phpwebsite | Use of Externally-Controlled Format String vulnerability in PHPwebsite: The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to cause a denial of service (crash) via a long year parameter. | 7.8 |
2003-10-25 | CVE-2003-1148 | LES Visiteurs | Remote File Include vulnerability in LES Visiteurs 2.0.1: Multiple PHP remote file inclusion vulnerabilities in J-Pierre DEZELUS Les Visiteurs 2.0.1, as used in phpMyConferences (phpMyConference) 8.0.2 and possibly other products, allow remote attackers to execute arbitrary PHP code via a URL in the lvc_include_dir parameter to (1) config.inc.php or (2) new-visitor.inc.php in common/visiteurs/include/. | 7.5 |
2003-10-20 | CVE-2003-0754 | Newsphp | Security Bypass vulnerability in newsPHP: nphpd.php in newsPHP 216 and earlier allows remote attackers to bypass authentication via an HTTP request with a modified nphp_users array, which is used for authentication. | 7.5 |
2003-10-20 | CVE-2003-0752 | Attila PHP NET | SQL-Injection vulnerability in Attilaphp: SQL injection vulnerability in global.php3 of AttilaPHP 3.0, and possibly earlier versions, allows remote attackers to bypass authentication via a modified cook_id parameter. | 7.5 |
2003-10-20 | CVE-2003-0751 | PY Membres | SQL-Injection vulnerability in Py-Membres 4.0/4.1/4.2: SQL injection vulnerability in pass_done.php for PY-Membres 4.2 and earlier allows remote attackers to execute arbitrary SQL queries via the email parameter. | 7.5 |
2003-10-20 | CVE-2003-0750 | PY Membres | Security Bypass vulnerability in Py-Membres 4.0/4.1/4.2: secure.php in PY-Membres 4.2 and earlier allows remote attackers to bypass authentication by setting the adminpy parameter. | 7.5 |
2003-10-20 | CVE-2003-0743 | University OF Cambridge | Unspecified vulnerability in University of Cambridge Exim: Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which is not properly trimmed before the "(no argument given)" string is appended to the buffer. | 7.5 |
2003-10-20 | CVE-2003-0735 | Phpwebsite | SQL-Injection vulnerability in Phpwebsite: SQL injection vulnerability in the Calendar module of phpWebSite 0.9.x and earlier allows remote attackers to execute arbitrary SQL queries, as demonstrated using the year parameter. | 7.5 |
2003-10-20 | CVE-2003-0730 | Xfree86 Project Netbsd | Integer Overflow vulnerability in XFree86: Multiple integer overflows in the font libraries for XFree86 4.3.0 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. | 7.5 |
2003-10-20 | CVE-2003-0729 | Tellurian | Unspecified vulnerability in Tellurian Tftpdnt 1.8/2.0: Buffer overflow in Tellurian TftpdNT 1.8 allows remote attackers to execute arbitrary code via a TFTP request with a long filename. | 7.5 |
2003-10-20 | CVE-2003-0725 | Realnetworks | Remote Buffer Overflow vulnerability in Real Networks Helix Universal Server: Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code. | 7.5 |
2003-10-20 | CVE-2003-0724 | Compaq | Authentication Bypass vulnerability in HP Tru64 SSH Undisclosed RSA Key Potential: ssh on HP Tru64 UNIX 5.1B and 5.1A does not properly handle RSA signatures when digital certificates and RSA keys are used, which could allow local and remote attackers to gain privileges. | 7.5 |
2003-10-20 | CVE-2003-0723 | Gkrellm | Remote Security vulnerability in Gkrellm 2.1.13/2.1.7: Buffer overflow in gkrellmd for gkrellm 2.1.x before 2.1.14 may allow remote attackers to execute arbitrary code. | 7.5 |
2003-10-20 | CVE-2003-0709 | Whois | Remote Security vulnerability in Whois 4.5.7/4.6.6: Buffer overflow in the whois client, which is not setuid but is sometimes called from within CGI programs, may allow remote attackers to execute arbitrary code via a long command line option. | 7.5 |
2003-10-20 | CVE-2003-0708 | Tomi Manninen | Denial-Of-Service vulnerability in Linuxnode: Format string vulnerability in LinuxNode (node) before 0.3.2 may allow attackers to cause a denial of service or execute arbitrary code. | 7.5 |
2003-10-20 | CVE-2003-0707 | Tomi Manninen | Remote Security vulnerability in Linuxnode: Buffer overflow in LinuxNode (node) before 0.3.2 allows remote attackers to execute arbitrary code. | 7.5 |
2003-10-20 | CVE-2003-0689 | Redhat | Unspecified vulnerability in Redhat Enterprise Linux 2.1: The getgrouplist function in GNU libc (glibc) 2.2.4 and earlier allows attackers to cause a denial of service (segmentation fault) and execute arbitrary code when a user is a member of a large number of groups, which can cause a buffer overflow. | 7.5 |
2003-10-20 | CVE-2003-0686 | Dave Airlie Redhat | Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code. | 7.5 |
2003-10-20 | CVE-2003-0666 | Microsoft | Unspecified vulnerability in Microsoft Wordperfect Converter: Buffer overflow in Microsoft Wordperfect Converter allows remote attackers to execute arbitrary code via modified data offset and data size parameters in a Corel WordPerfect file. | 7.5 |
2003-10-20 | CVE-2003-0665 | Microsoft | Buffer Overflow vulnerability in Microsoft Access 2000/2002/97: Buffer overflow in the ActiveX control for Microsoft Access Snapshot Viewer for Access 97, 2000, and 2002 allows remote attackers to execute arbitrary code via long parameters to the control. | 7.5 |
2003-10-20 | CVE-2003-0664 | Microsoft | Unspecified vulnerability in Microsoft Word and Works: Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document. | 7.5 |
2003-10-20 | CVE-2003-0630 | Atari800 | Unspecified vulnerability in Atari800: Multiple buffer overflows in the atari800.svgalib setuid program of the Atari 800 emulator (atari800) before 1.2.2 allow local users to gain privileges via long command line arguments, as demonstrated with the -osa_rom argument. | 7.2 |
20 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-10-20 | CVE-2003-0749 | SAP | Cross-Site Scripting vulnerability in SAP Internet Transaction Server 4620.2.0.323011: Cross-site scripting (XSS) vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to insert arbitrary web script and steal cookies via the ~service parameter. | 6.8 |
2003-10-20 | CVE-2003-0736 | Phpwebsite | Cross-Site Scripting vulnerability in Phpwebsite: Multiple cross-site scripting (XSS) vulnerabilities in phpWebSite 0.9.x and earlier allow remote attackers to execute arbitrary web script via (1) the day parameter in the calendar module, (2) the fatcat_id parameter in the fatcat module, (3) the PAGE_id parameter in the pagemaster module, (4) the PDA_limit parameter in the search, and (5) possibly other parameters in the calendar, fatcat, and pagemaster modules. | 6.8 |
2003-10-20 | CVE-2003-0733 | BEA | Cross-Site Scripting vulnerability in Bea WebLogic/Liquid Data: Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integration 7.0 and 2.0, Liquid Data 1.1, and WebLogic Server and Express 5.1 through 7.0, allow remote attackers to execute arbitrary web script and steal authentication credentials via (1) a forward instruction to the Servlet container or (2) other vulnerabilities in the WebLogic Server console application. | 6.8 |
2003-10-20 | CVE-2003-0728 | Horde | Remote Security vulnerability in Horde: Horde before 2.2.4 allows remote malicious web sites to steal session IDs and read or create arbitrary email by stealing the ID from a referrer URL. | 6.4 |
2003-10-25 | CVE-2003-1181 | Advanced Poll | Unspecified vulnerability in Advanced Poll 2.0.2: Advanced Poll 2.0.2 allows remote attackers to obtain sensitive information via an HTTP request to info.php, which invokes the phpinfo() function. | 5.0 |
2003-10-20 | CVE-2003-0757 | Checkpoint | Unspecified vulnerability in Checkpoint Firewall-1 4.0/4.1: Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet. | 5.0 |
2003-10-20 | CVE-2003-0756 | Sitebuilder | Directory Traversal vulnerability in Sitebuilder 1.4: Directory traversal vulnerability in sitebuilder.cgi in SiteBuilder 1.4 allows remote attackers to read arbitrary files via .. | 5.0 |
2003-10-20 | CVE-2003-0753 | Newsphp | Remote Security vulnerability in newsPHP: nphpd.php in newsPHP 216 and earlier allows remote attackers to read arbitrary files via a full pathname to the target file in the nphp_config[LangFile] parameter. | 5.0 |
2003-10-20 | CVE-2003-0748 | SAP | Directory Traversal File Disclosure vulnerability in SAP Internet Transaction Server 4620.2.0.323011: Directory traversal vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the ~theme parameter and a ~template parameter with a filename followed by space characters, which can prevent SAP from effectively adding a .html extension to the filename. | 5.0 |
2003-10-20 | CVE-2003-0747 | SAP | Information Disclosure vulnerability in SAP Internet Transaction Server 4620.2.0.323011: wgate.dll in SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to obtain potentially sensitive information such as directory structure and operating system via incorrect parameters (1) ~service, (2) ~templatelanguage, (3) ~language, (4) ~theme, or (5) ~template, which leaks the information in the resulting error message. | 5.0 |
2003-10-20 | CVE-2003-0746 | HP | Denial-Of-Service vulnerability in HP OpenView: Various Distributed Computing Environment (DCE) implementations, including HP OpenView, allow remote attackers to cause a denial of service (process hang or termination) via certain malformed inputs, as triggered by attempted exploits against the vulnerabilities CVE-2003-0352 or CVE-2003-0605, such as the Blaster/MSblast/LovSAN worm. | 5.0 |
2003-10-20 | CVE-2003-0744 | Leafnode | Remote Denial of Service vulnerability in Leafnode fetchnews Client: The fetchnews NNTP client in leafnode 1.9.3 to 1.9.41 allows remote attackers to cause a denial of service (process hang and termination) via certain malformed Usenet news articles that cause fetchnews to hang while waiting for input. | 5.0 |
2003-10-20 | CVE-2003-0737 | Phpwebsite | Remote Security vulnerability in Phpwebsite: The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to obtain the full pathname of phpWebSite via an invalid year, which generates an error from localtime() in TimeZone.php of the Pear library. | 5.0 |
2003-10-20 | CVE-2003-0702 | ISS | Unspecified vulnerability in ISS Realsecure Server Sensor 7.0: Unknown vulnerability in an ISAPI plugin for ISS Server Sensor 7.0 XPU 20.16, 20.18, and possibly other versions before 20.19, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code in Internet Information Server (IIS) via a certain URL through SSL. | 5.0 |
2003-10-20 | CVE-2003-0688 | Redhat Sendmail SGI Compaq Freebsd Openbsd | The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. | 5.0 |
2003-10-20 | CVE-2003-0661 | Microsoft | Unspecified vulnerability in Microsoft products: The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information. | 5.0 |
2003-10-20 | CVE-2003-0658 | Caldera SCO | Docview before 1.1-18 in Caldera OpenLinux 3.1.1, SCO Linux 4.0, OpenServer 5.0.7, configures the Apache web server in a way that allows remote attackers to read arbitrary publicly readable files via a certain URL, possibly related to rewrite rules. | 5.0 |
2003-10-20 | CVE-2003-0740 | Stunnel | Unspecified vulnerability in Stunnel: Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor returned by listen(), which allows local users to hijack the Stunnel server. | 4.6 |
2003-10-20 | CVE-2003-0739 | Vmware | Local Security vulnerability in Workstation: VMware Workstation 4.0.1 for Linux, build 5289 and earlier, allows local users to delete arbitrary files via a symlink attack. | 4.6 |
2003-10-23 | CVE-2003-1136 | CHI Kien Uong | HTML Injection vulnerability in CHI Kien Uong Guestbook 1.51: Cross-site scripting (XSS) vulnerability in Chi Kien Uong Guestbook 1.51 allows remote attackers to inject arbitrary web script or HTML via (1) HTML in a posted message or (2) Javascript in an onmouseover attribute in an e-mail address or URL. | 4.3 |
1 Low Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-10-20 | CVE-2003-0727 | Oracle | Unspecified vulnerability in Oracle Database Server: Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions. | 2.1 |