Weekly Vulnerabilities Reports > March 1 to 7, 2004

Overview

49 new vulnerabilities reported during this period, including 8 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 46 products from 33 vendors including Apple, Linux, Openbsd, ROB Flynn, and Redhat. Vulnerabilities are notably categorized as and "Improper Input Validation".

  • 34 reported vulnerabilities are remotely exploitables.
  • 49 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Openbsd has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

8 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-03-03 CVE-2004-0097 Openh323 Project Unspecified vulnerability in Openh323 Project Pwlib

Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.

10.0
2004-03-03 CVE-2004-0092 Apple Unspecified vulnerability in Apple mac OS X 10.2.8/10.3.2

Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact.

10.0
2004-03-03 CVE-2004-0084 Xfree86 Project
Openbsd
Buffer Overflow vulnerability in XFree86 CopyISOLatin1Lowered Font_Name

Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.

10.0
2004-03-03 CVE-2004-0083 Xfree86 Project
Openbsd
Buffer Overflow vulnerability in XFree86 Font Information File

Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.

10.0
2004-03-03 CVE-2004-0040 Checkpoint Buffer Overflow vulnerability in Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload

Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet.

10.0
2004-03-03 CVE-2004-0039 Checkpoint Remote Format String vulnerability in Multiple Check Point Firewall-1 HTTP Security Server

Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI.

10.0
2004-03-03 CVE-2004-0002 Freebsd Unspecified vulnerability in Freebsd

The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function.

10.0
2004-03-03 CVE-2003-0825 Microsoft Improper Input Validation vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows NT

The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.

9.3

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-03-03 CVE-2004-0132 Visualshapers Unspecified vulnerability in Visualshapers Ezcontents

Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php.

7.5
2004-03-03 CVE-2004-0128 Phpgedview Remote File Include vulnerability in PhpGedView [GED_File]_conf.php

PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.

7.5
2004-03-03 CVE-2004-0127 Phpgedview Directory Traversal vulnerability in PhpGedView Editconfig_gedcom.php

Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via ..

7.5
2004-03-03 CVE-2004-0105 Metamail Corporation
SGI
Redhat
Buffer Overflow/Format String Handling vulnerability in Metamail

Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.

7.5
2004-03-03 CVE-2004-0104 Metamail Corporation
SGI
Redhat
Buffer Overflow/Format String Handling vulnerability in Metamail

Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.

7.5
2004-03-03 CVE-2004-0082 Samba Unspecified vulnerability in Samba 3.0.0/3.0.1

The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.

7.5
2004-03-03 CVE-2004-0078 Mutt Remote Buffer Overflow vulnerability in Mutt Menu Drawing

Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.

7.5
2004-03-03 CVE-2004-0009 Apache SSL Unspecified vulnerability in Apache-Ssl

Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user.

7.5
2004-03-03 CVE-2004-0008 ROB Flynn
Ultramagnetic
Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.
7.5
2004-03-03 CVE-2004-0007 ROB Flynn
Ultramagnetic
Remote Boundary Condition Error vulnerability in Gaim

Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.

7.5
2004-03-03 CVE-2004-0006 ROB Flynn
Ultramagnetic
Remote Boundary Condition Error vulnerability in Gaim

Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.

7.5
2004-03-03 CVE-2004-0005 ROB Flynn Denial-Of-Service vulnerability in Gaim

Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte.

7.5
2004-03-03 CVE-2003-0987 Apache Unspecified vulnerability in Apache Http Server

mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.

7.5
2004-03-03 CVE-2003-0818 Microsoft Unspecified vulnerability in Microsoft products

Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

7.5
2004-03-03 CVE-2004-0106 Xfree86 Project
Openbsd
Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.
7.2
2004-03-03 CVE-2004-0077 Redhat
Linux
Netwosix
Trustix
Local Privilege Escalation vulnerability in Linux Kernel do_mremap Function VMA Limit

The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.

7.2
2004-03-03 CVE-2004-0010 Linux Local Privilege Escalation vulnerability in Linux Kernel NCPFS ncp_lookup()

Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.

7.2
2004-03-03 CVE-2003-0441 Orville Write Buffer Overrun vulnerability in Orville-Write 2.53

Multiple buffer overflows in Orville Write (orville-write) 2.53 and earlier allow local users to gain privileges.

7.2

21 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-03-03 CVE-2004-1990 Aldo Vargas Input Validation vulnerability in Aldo Vargas Aldos web Server 1.5

Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive information via an arbitrary character, which reveals the full path and the user running the aweb process, possibly due to a malformed request.

5.0
2004-03-03 CVE-2004-0164 Kame Unspecified vulnerability in Kame Racoon Allversions

KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.

5.0
2004-03-03 CVE-2004-0143 Nokia Remote Denial Of Service vulnerability in Multiple Nokia Object Exchange Protocol Message

Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows.

5.0
2004-03-03 CVE-2004-0131 GNU Remote Denial Of Service vulnerability in GNU Radius 1.1

The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote attackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference.

5.0
2004-03-03 CVE-2004-0130 Phpgedview Information Disclosure vulnerability in PhpGedView

login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message.

5.0
2004-03-03 CVE-2004-0129 Phpmyadmin Unspecified vulnerability in PHPmyadmin

Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via ..

5.0
2004-03-03 CVE-2004-0096 Apache Unspecified vulnerability in Apache MOD Python 2.7.9

Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973.

5.0
2004-03-03 CVE-2004-0086 Apple Unspecified vulnerability in Apple mac OS X 10.3.2

Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085.

5.0
2004-03-03 CVE-2004-0085 Apple Unspecified vulnerability in Apple mac OS X 10.1.5/10.2.8

Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086.

5.0
2004-03-03 CVE-2004-0080 Andries Brouwer Unspecified vulnerability in Andries Brouwer Util-Linux

The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.

5.0
2004-03-03 CVE-2003-0991 GNU
SGI
Remote Denial Of Service vulnerability in GNU Mailman Malformed Message

Unknown vulnerability in the mail command handler in Mailman before 2.0.14 allows remote attackers to cause a denial of service (crash) via malformed e-mail commands.

5.0
2004-03-03 CVE-2002-1575 MIT Unspecified vulnerability in MIT Cgiemail 1.6

cgiemail allows remote attackers to use cgiemail as a spam proxy via CRLF injection of encoded newline (%0a) characters in parameters such as "required-subject," which can be used to modify the CC, BCC, and other header fields in the generated email message.

5.0
2004-03-04 CVE-2004-1359 SUN Local UUCP Buffer Overrun vulnerability in Sun Solaris

Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.

4.6
2004-03-03 CVE-2004-0115 Microsoft Privilege Escalation vulnerability in Microsoft Virtual PC 6.0/6.1/6.2

VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file.

4.6
2004-03-03 CVE-2004-0114 Freebsd
Netbsd
Openbsd
Privilege Escalation vulnerability in BSD Kernel SHMAT System Call

The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges.

4.6
2004-03-03 CVE-2004-0103 Linley Henzell Local Buffer Overflow vulnerability in Linley Henzell Dungeon Crawl

crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow.

4.6
2004-03-03 CVE-2004-0099 Freebsd Unspecified vulnerability in Freebsd 5.1/5.2.1

mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions.

4.6
2004-03-03 CVE-2004-0089 Apple Local Buffer Overflow vulnerability in Apple mac OS X 10.2.8/10.3.9

Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable.

4.6
2004-03-03 CVE-2004-0047 Yamamoto Hirotaka Privilege Escalation vulnerability in Yamamoto Hirotaka Trr19 1.0

Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges.

4.6
2004-03-03 CVE-2004-0003 Linux Privilege Escalation vulnerability in Linux Kernel R128 Device Driver

Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."

4.6
2004-03-03 CVE-2002-1574 Linux Unspecified vulnerability in Linux Kernel

Buffer overflow in the ixj telephony card driver in Linux before 2.4.20 has unknown impact and attack vectors.

4.6

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-03-03 CVE-2004-0088 Apple Unspecified vulnerability in Apple mac OS X 10.2.8

The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087.

2.1
2004-03-03 CVE-2004-0087 Apple Unspecified vulnerability in Apple mac OS X 10.2.8/10.3.2

The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088.

2.1