Weekly Vulnerabilities Reports > March 1 to 7, 2004
Overview
49 new vulnerabilities were reported during this period, including 8 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary reports vulnerabilities in 46 products from 33 vendors including Apple, Linux, Openbsd, ROB Flynn, and Microsoft. Vulnerabilities are notably categorized as "Improper Input Validation".
- 34 reported vulnerabilities are remotely exploitable.
- 49 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 6 reported vulnerabilities.
- Openbsd has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
8 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-03-03 | CVE-2004-0097 | Openh323 Project | Unspecified vulnerability in Openh323 Project Pwlib Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. | 10.0 |
2004-03-03 | CVE-2004-0092 | Apple | Unspecified vulnerability in Apple mac OS X 10.2.8/10.3.2 Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. | 10.0 |
2004-03-03 | CVE-2004-0084 | Xfree86 Project Openbsd | Buffer Overflow vulnerability in XFree86 CopyISOLatin1Lowered Font_Name Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. | 10.0 |
2004-03-03 | CVE-2004-0083 | Xfree86 Project Openbsd | Buffer Overflow vulnerability in XFree86 Font Information File Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. | 10.0 |
2004-03-03 | CVE-2004-0040 | Checkpoint | Buffer Overflow vulnerability in Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. | 10.0 |
2004-03-03 | CVE-2004-0039 | Checkpoint | Remote Format String vulnerability in Multiple Check Point Firewall-1 HTTP Security Server Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. | 10.0 |
2004-03-03 | CVE-2004-0002 | Freebsd | Unspecified vulnerability in Freebsd The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function. | 10.0 |
2004-03-03 | CVE-2003-0825 | Microsoft | Improper Input Validation vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows NT The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. | 9.3 |
18 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-03-03 | CVE-2004-0132 | Visualshapers | Unspecified vulnerability in Visualshapers Ezcontents Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php. | 7.5 |
2004-03-03 | CVE-2004-0128 | Phpgedview | Remote File Include vulnerability in PhpGedView [GED_File]_conf.php PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script. | 7.5 |
2004-03-03 | CVE-2004-0127 | Phpgedview | Directory Traversal vulnerability in PhpGedView Editconfig_gedcom.php Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. | 7.5 |
2004-03-03 | CVE-2004-0105 | Metamail Corporation SGI Redhat | Buffer Overflow/Format String Handling vulnerability in Metamail Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. | 7.5 |
2004-03-03 | CVE-2004-0104 | Metamail Corporation SGI Redhat | Buffer Overflow/Format String Handling vulnerability in Metamail Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. | 7.5 |
2004-03-03 | CVE-2004-0082 | Samba | Unspecified vulnerability in Samba 3.0.0/3.0.1 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. | 7.5 |
2004-03-03 | CVE-2004-0078 | Mutt | Remote Buffer Overflow vulnerability in Mutt Menu Drawing Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. | 7.5 |
2004-03-03 | CVE-2004-0009 | Apache SSL | Unspecified vulnerability in Apache-Ssl Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user. | 7.5 |
2004-03-03 | CVE-2004-0008 | ROB Flynn Ultramagnetic | Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. | 7.5 |
2004-03-03 | CVE-2004-0007 | ROB Flynn Ultramagnetic | Remote Boundary Condition Error vulnerability in Gaim Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. | 7.5 |
2004-03-03 | CVE-2004-0006 | ROB Flynn Ultramagnetic | Remote Boundary Condition Error vulnerability in Gaim Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. | 7.5 |
2004-03-03 | CVE-2004-0005 | ROB Flynn | Denial-Of-Service vulnerability in Gaim Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte. | 7.5 |
2004-03-03 | CVE-2003-0987 | Apache | Unspecified vulnerability in Apache Http Server mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret. | 7.5 |
2004-03-03 | CVE-2003-0818 | Microsoft | Unspecified vulnerability in Microsoft products Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. | 7.5 |
2004-03-03 | CVE-2004-0106 | Xfree86 Project Openbsd | Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. | 7.2 |
2004-03-03 | CVE-2004-0077 | Redhat Linux Netwosix Trustix | Local Privilege Escalation vulnerability in Linux Kernel do_mremap Function VMA Limit The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. | 7.2 |
2004-03-03 | CVE-2004-0010 | Linux | Local Privilege Escalation vulnerability in Linux Kernel NCPFS ncp_lookup() Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. | 7.2 |
2004-03-03 | CVE-2003-0441 | Orville Write | Buffer Overrun vulnerability in Orville-Write 2.53 Multiple buffer overflows in Orville Write (orville-write) 2.53 and earlier allow local users to gain privileges. | 7.2 |
21 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-03-03 | CVE-2004-1990 | Aldo Vargas | Input Validation vulnerability in Aldo Vargas Aldos web Server 1.5 Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive information via an arbitrary character, which reveals the full path and the user running the aweb process, possibly due to a malformed request. | 5.0 |
2004-03-03 | CVE-2004-0164 | Kame | Unspecified vulnerability in Kame Racoon Allversions KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. | 5.0 |
2004-03-03 | CVE-2004-0143 | Nokia | Remote Denial Of Service vulnerability in Multiple Nokia Object Exchange Protocol Message Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows. | 5.0 |
2004-03-03 | CVE-2004-0131 | GNU | Remote Denial Of Service vulnerability in GNU Radius 1.1 The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote attackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference. | 5.0 |
2004-03-03 | CVE-2004-0130 | Phpgedview | Information Disclosure vulnerability in PhpGedView login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message. | 5.0 |
2004-03-03 | CVE-2004-0129 | Phpmyadmin | Unspecified vulnerability in PHPmyadmin Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. | 5.0 |
2004-03-03 | CVE-2004-0096 | Apache | Unspecified vulnerability in Apache MOD Python 2.7.9 Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973. | 5.0 |
2004-03-03 | CVE-2004-0086 | Apple | Unspecified vulnerability in Apple mac OS X 10.3.2 Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. | 5.0 |
2004-03-03 | CVE-2004-0085 | Apple | Unspecified vulnerability in Apple mac OS X 10.1.5/10.2.8 Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086. | 5.0 |
2004-03-03 | CVE-2004-0080 | Andries Brouwer | Unspecified vulnerability in Andries Brouwer Util-Linux The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. | 5.0 |
2004-03-03 | CVE-2003-0991 | GNU SGI | Remote Denial Of Service vulnerability in GNU Mailman Malformed Message Unknown vulnerability in the mail command handler in Mailman before 2.0.14 allows remote attackers to cause a denial of service (crash) via malformed e-mail commands. | 5.0 |
2004-03-03 | CVE-2002-1575 | MIT | Unspecified vulnerability in MIT Cgiemail 1.6 cgiemail allows remote attackers to use cgiemail as a spam proxy via CRLF injection of encoded newline (%0a) characters in parameters such as "required-subject," which can be used to modify the CC, BCC, and other header fields in the generated email message. | 5.0 |
2004-03-04 | CVE-2004-1359 | SUN | Local UUCP Buffer Overrun vulnerability in Sun Solaris Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. | 4.6 |
2004-03-03 | CVE-2004-0115 | Microsoft | Privilege Escalation vulnerability in Microsoft Virtual PC 6.0/6.1/6.2 VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file. | 4.6 |
2004-03-03 | CVE-2004-0114 | Freebsd Netbsd Openbsd | Privilege Escalation vulnerability in BSD Kernel SHMAT System Call The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. | 4.6 |
2004-03-03 | CVE-2004-0103 | Linley Henzell | Local Buffer Overflow vulnerability in Linley Henzell Dungeon Crawl crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow. | 4.6 |
2004-03-03 | CVE-2004-0099 | Freebsd | Unspecified vulnerability in Freebsd 5.1/5.2.1 mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. | 4.6 |
2004-03-03 | CVE-2004-0089 | Apple | Local Buffer Overflow vulnerability in Apple mac OS X 10.2.8/10.3.9 Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. | 4.6 |
2004-03-03 | CVE-2004-0047 | Yamamoto Hirotaka | Privilege Escalation vulnerability in Yamamoto Hirotaka Trr19 1.0 Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges. | 4.6 |
2004-03-03 | CVE-2004-0003 | Linux | Privilege Escalation vulnerability in Linux Kernel R128 Device Driver Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." | 4.6 |
2004-03-03 | CVE-2002-1574 | Linux | Unspecified vulnerability in Linux Kernel Buffer overflow in the ixj telephony card driver in Linux before 2.4.20 has unknown impact and attack vectors. | 4.6 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-03-03 | CVE-2004-0088 | Apple | Unspecified vulnerability in Apple mac OS X 10.2.8 The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. | 2.1 |
2004-03-03 | CVE-2004-0087 | Apple | Unspecified vulnerability in Apple mac OS X 10.2.8/10.3.2 The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. | 2.1 |