Weekly Vulnerabilities Reports > November 17 to 23, 2003
Overview
59 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 27 high severity vulnerabilities. This weekly summary reports vulnerabilities in 49 products from 36 vendors including Microsoft, Openssl, IBM, Apple, and GNU. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Exhaustion", "Resource Management Errors", "Out-of-bounds Write", and "SQL Injection".
- 41 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 2 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 57 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 11 reported vulnerabilities.
- PHP has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-11-17 | CVE-2003-0861 | PHP | Remote Security vulnerability in PHP Integer overflows in (1) base64_encode and (2) the GD library for PHP before 4.3.3 have unknown impact and unknown attack vectors. | 10.0 |
2003-11-17 | CVE-2003-0860 | PHP | Unspecified vulnerability in PHP Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors. | 10.0 |
2003-11-17 | CVE-2003-0786 | Openbsd | Unspecified vulnerability in Openbsd Openssh 3.7.1/3.7.1P1 The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges. | 10.0 |
2003-11-17 | CVE-2003-0545 | Openssl | Double Free vulnerability in Openssl 0.9.6/0.9.7 Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. | 9.8 |
2003-11-17 | CVE-2003-0662 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows 2000 Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method. | 9.3 |
2003-11-17 | CVE-2003-0831 | Proftpd Project | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Proftpd Project Proftpd ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline characters when transferring files in ASCII mode, which allows remote attackers to execute arbitrary code via a buffer overflow using certain files. | 9.0 |
27 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-11-23 | CVE-2003-1195 | Vienuke | SQL-Injection vulnerability in VieBoard SQL injection vulnerability in getmember.asp in VieBoard 2.6 Beta 1 allows remote attackers to execute arbitrary SQL commands via the msn variable. | 7.5 |
2003-11-17 | CVE-2003-0896 | SUN | Unspecified vulnerability in SUN JRE 1.3.0/1.4.1 The loadClass method of the sun.applet.AppletClassLoader class in the Java Virtual Machine (JVM) in Sun SDK and JRE 1.4.1_03 and earlier allows remote attackers to bypass sandbox restrictions and execute arbitrary code via a loaded class name that contains "/" (slash) instead of "." (dot) characters, which bypasses a call to the Security Manager's checkPackageAccess method. | 7.5 |
2003-11-17 | CVE-2003-0870 | Opera | Out-of-bounds Write vulnerability in Opera Browser 7.11/7.20 Heap-based buffer overflow in Opera 7.11 and 7.20 allows remote attackers to execute arbitrary code via an HREF with a large number of escaped characters in the server name. | 7.5 |
2003-11-17 | CVE-2003-0865 | Mpg123 | Remote File Play Heap Corruption vulnerability in Mpg123 0.59R/0.59S Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request. | 7.5 |
2003-11-17 | CVE-2003-0863 | PHP | Unspecified vulnerability in PHP 4.3.0/4.3.1/4.3.2 The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications. | 7.5 |
2003-11-17 | CVE-2003-0850 | DUG Song Rafal Wojtczuk | The TCP reassembly functionality in libnids before 1.18 allows remote attackers to cause "memory corruption" and possibly execute arbitrary code via "overlarge TCP packets." | 7.5 |
2003-11-17 | CVE-2003-0849 | GNU | Remote Security vulnerability in Cfengine Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets with modified length values, which is trusted by the ReceiveTransaction function when using a buffer provided by the BusyWithConnection function. | 7.5 |
2003-11-17 | CVE-2003-0845 | Jboss | SQL Injection vulnerability in Jboss 3.0.8/3.2.1 Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8. | 7.5 |
2003-11-17 | CVE-2003-0843 | DAG APT Repository | Remote Security vulnerability in Mod Gzip Format string vulnerability in mod_gzip_printf for mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode and using the Apache log, allows remote attackers to execute arbitrary code via format string characters in an HTTP GET request with an "Accept-Encoding: gzip" header. | 7.5 |
2003-11-17 | CVE-2003-0842 | DAG APT Repository | Remote Security vulnerability in DAG APT Repository MOD Gzip 1.3.26.1A Stack-based buffer overflow in mod_gzip_printf for mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode, allows remote attackers to execute arbitrary code via a long filename in a GET request with an "Accept-Encoding: gzip" header. | 7.5 |
2003-11-17 | CVE-2003-0838 | Microsoft | Unspecified vulnerability in Microsoft IE and Internet Explorer Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe). | 7.5 |
2003-11-17 | CVE-2003-0837 | IBM | Buffer Overflow vulnerability in IBM DB2 Universal Database 7.2 Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 for Windows, before Fixpak 10a, allows attackers with "Connect" privileges to execute arbitrary code via the INVOKE command. | 7.5 |
2003-11-17 | CVE-2003-0836 | IBM | Unspecified vulnerability in IBM DB2 Universal Database 7.2/8.1 Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 before Fixpak 10 and 10a, and 8.1 before Fixpak 2, allows attackers with "Connect" privileges to execute arbitrary code via a LOAD command. | 7.5 |
2003-11-17 | CVE-2003-0835 | Mplayer | Unspecified vulnerability in Mplayer Multiple buffer overflows in asf_http_request of MPlayer before 0.92 allows remote attackers to execute arbitrary code via an ASX header with a long hostname. | 7.5 |
2003-11-17 | CVE-2003-0833 | Webfs | Unspecified vulnerability in Webfs Stack-based buffer overflow in webfs before 1.20 allows attackers to execute arbitrary code by creating directories that result in a long pathname. | 7.5 |
2003-11-17 | CVE-2003-0809 | Microsoft | Unspecified vulnerability in Microsoft IE and Internet Explorer Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page. | 7.5 |
2003-11-17 | CVE-2003-0787 | Openbsd | Unspecified vulnerability in Openbsd Openssh 3.7.1/3.7.1P1 The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges. | 7.5 |
2003-11-17 | CVE-2003-0717 | Microsoft | Buffer Overrun vulnerability in Microsoft Windows Messenger Service The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. | 7.5 |
2003-11-17 | CVE-2003-0714 | Microsoft | Resource Exhaustion vulnerability in Microsoft Exchange Server 2000/5.5 The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request, possibly triggering a buffer overflow in Exchange 2000. | 7.5 |
2003-11-17 | CVE-2003-0711 | Microsoft | Buffer Overflow vulnerability in Microsoft Windows Help And Support Center URI Handler Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. | 7.5 |
2003-11-17 | CVE-2003-0660 | Microsoft | Unspecified vulnerability in Microsoft products The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers to execute arbitrary code without user approval. | 7.5 |
2003-11-17 | CVE-2002-1569 | Ghostview GV | gv 3.5.8, and possibly earlier versions, allows remote attackers to execute arbitrary commands via shell metacharacters in the filename for (1) a PDF file or (2) a gzip file. | 7.5 |
2003-11-20 | CVE-2003-1059 | SUN | Privilege Escalation vulnerability in Sun Solaris PGX32 Libraries Unspecific Unknown vulnerability in the libraries for the PGX32 frame buffer in Solaris 2.5.1 and 2.6 through 9 allows local users to gain root access. | 7.2 |
2003-11-17 | CVE-2003-0840 | HP | Local Security vulnerability in HP Hp-Ux 11.00 Buffer overflow in dtprintinfo on HP-UX 11.00, and possibly other operating systems, allows local users to gain root privileges via a long DISPLAY environment variable. | 7.2 |
2003-11-17 | CVE-2003-0659 | Microsoft | Buffer Overrun vulnerability in Microsoft ListBox/ComboBox Control User32.dll Function Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. | 7.2 |
2003-11-17 | CVE-2001-1411 | Apple | Local Security vulnerability in Apple mac OS X 10.4.9 Format string vulnerability in gm4 (aka m4) on Mac OS X may allow local users to gain privileges if gm4 is called by setuid programs. | 7.2 |
2003-11-17 | CVE-2003-0844 | Schroepl | Link Following vulnerability in Schroepl MOD Gzip mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode without the Apache log, allows local users to overwrite arbitrary files via (1) a symlink attack on predictable temporary filenames on Unix systems, or (2) an NTFS hard link on Windows systems when the "Strengthen default permissions of internal system objects" policy is not enabled. | 7.1 |
20 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-11-17 | CVE-2003-0874 | Deskpro | SQL Injection vulnerability in Deskpro 1.1.0 Multiple SQL injection vulnerabilities in DeskPRO 1.1.0 and earlier allow remote attackers to insert arbitrary SQL and conduct unauthorized activities via (1) the cat parameter in faq.php, (2) the article parameter in faq.php, (3) the tickedid parameter in view.php, and (4) the Password entry on the logon screen. | 5.0 |
2003-11-17 | CVE-2003-0864 | Ircnet | Local Buffer Overflow vulnerability in IRCnet IRCD Buffer overflow in m_join in channel.c for IRCnet IRCD 2.10.x to 2.10.3p3 allows remote attackers to cause a denial of service. | 5.0 |
2003-11-17 | CVE-2003-0853 | GNU Washington University | Integer Overflow vulnerability in Coreutils LS Width Argument An integer overflow in ls in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd. | 5.0 |
2003-11-17 | CVE-2003-0852 | Sylpheed Sylpheed Claws | Format string vulnerability in send_message.c for Sylpheed-claws 0.9.4 through 0.9.6 allows remote SMTP servers to cause a denial of service (crash) in sylpheed via format strings in an error message. | 5.0 |
2003-11-17 | CVE-2003-0841 | Oracle | Remote Security vulnerability in Oracle Peopletools 8.42 The grid option in PeopleSoft 8.42 stores temporary .xls files in guessable directories under the web document root, which allows remote attackers to steal search results by directly accessing the files via a URL request. | 5.0 |
2003-11-17 | CVE-2003-0839 | Microsoft | Directory Traversal vulnerability in Microsoft Windows 2003 Server R2 Directory traversal vulnerability in the "Shell Folders" capability in Microsoft Windows Server 2003 allows remote attackers to read arbitrary files via .. | 5.0 |
2003-11-17 | CVE-2003-0832 | Webfs | Unspecified vulnerability in Webfs Directory traversal vulnerability in webfs before 1.20 allows remote attackers to read arbitrary files via .. | 5.0 |
2003-11-17 | CVE-2003-0804 | Apple Freebsd Openbsd | The arplookup function in FreeBSD 5.1 and earlier, Mac OS X before 10.2.8, and possibly other BSD-based systems, allows remote attackers on a local subnet to cause a denial of service (resource starvation and panic) via a flood of spoofed ARP requests. | 5.0 |
2003-11-17 | CVE-2003-0792 | Fetchmail | Resource Management Errors vulnerability in Fetchmail Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email. | 5.0 |
2003-11-17 | CVE-2003-0544 | Openssl | Unspecified vulnerability in Openssl 0.9.6/0.9.7 OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. | 5.0 |
2003-11-17 | CVE-2003-0543 | Openssl | Unspecified vulnerability in Openssl 0.9.6/0.9.7 Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. | 5.0 |
2003-11-17 | CVE-2002-1568 | Openssl | Unspecified vulnerability in Openssl 0.9.6E OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c. | 5.0 |
2003-11-17 | CVE-2003-0898 | IBM | Local Security vulnerability in Db2 Universal Database 7.1/8.0 IBM DB2 7.2 before FixPak 10a, and earlier versions including 7.1, allows local users to overwrite arbitrary files and gain privileges via a symlink attack on (1) db2job and (2) db2job2. | 4.6 |
2003-11-17 | CVE-2003-0897 | Microsoft | Local Security vulnerability in Windows XP Gold "Shatter" vulnerability in CommCtl32.dll in Windows XP may allow local users to execute arbitrary code by sending (1) BCM_GETTEXTMARGIN or (2) BCM_SETTEXTMARGIN button control messages to privileged applications. | 4.6 |
2003-11-17 | CVE-2003-0894 | Oracle | Local Buffer Overflow vulnerability in Oracle Database Server Oracle Binary Buffer overflow in the (1) oracle and (2) oracleO programs in Oracle 9i Database 9.0.x and 9.2.x before 9.2.0.4 allows local users to execute arbitrary code via a long command line argument. | 4.6 |
2003-11-17 | CVE-2003-0848 | Slocate | Unspecified vulnerability in Slocate Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. | 4.6 |
2003-11-17 | CVE-2003-0847 | Suse | Local Security vulnerability in Suse Linux 8.2 SuSEconfig.susewm in the susewm package on SuSE Linux 8.2Pro allows local users to overwrite arbitrary files via a symlink attack on the susewm.$$ temporary file. | 4.6 |
2003-11-17 | CVE-2003-0846 | Suse | Local Security vulnerability in Suse Linux 7.3 SuSEconfig.javarunt in the javarunt package on SuSE Linux 7.3Pro allows local users to overwrite arbitrary files via a symlink attack on the .java_wrapper temporary file. | 4.6 |
2003-11-17 | CVE-2003-0830 | Marbles | Unspecified vulnerability in Marbles 1.0.1 Buffer overflow in marbles 1.0.2 and earlier allows local users to gain privileges via a long HOME environment variable. | 4.6 |
2003-11-17 | CVE-2003-0712 | Microsoft | Cross-Site Scripting vulnerability in Microsoft Exchange Server 5.5 Cross-site scripting (XSS) vulnerability in the HTML encoding for the Compose New Message form in Microsoft Exchange Server 5.5 Outlook Web Access (OWA) allows remote attackers to execute arbitrary web script. | 4.3 |
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2003-11-17 | CVE-2003-0875 | Openslp | Local Security vulnerability in OpenSLP Symbolic link vulnerability in the slpd script slpd.all_init for OpenSLP before 1.0.11 allows local users to overwrite arbitrary files via the route.check temporary file. | 2.1 |
2003-11-17 | CVE-2003-0872 | SCO | Unspecified vulnerability in SCO Openserver 5.0.5 Certain scripts in OpenServer before 5.0.6 allow local users to overwrite files and conduct other unauthorized activities via a symlink attack on temporary files. | 2.1 |
2003-11-17 | CVE-2003-0854 | GNU Washington University | ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd. | 2.1 |
2003-11-17 | CVE-2003-0794 | Gnome | Local Denial Of Service vulnerability in Multiple GDM GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not limit the number or duration of commands and uses a blocking socket connection, which allows attackers to cause a denial of service (resource exhaustion) by sending commands and not reading the results. | 2.1 |
2003-11-17 | CVE-2003-0793 | Gnome | Local Denial Of Service vulnerability in Multiple GDM GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not restrict the size of input, which allows attackers to cause a denial of service (memory consumption). | 2.1 |
2003-11-17 | CVE-2001-1412 | Apple | Unspecified vulnerability in Apple mac OS X 10.4.9 nidump on MacOS X before 10.3 allows local users to read the encrypted passwords from the password file by specifying passwd as a command line argument. | 2.1 |