Weekly Vulnerabilities Reports > April 12 to 18, 2004
Overview
48 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 29 high severity vulnerabilities. This weekly summary reports vulnerabilities in 57 products from 33 vendors including SAP, SGI, Microsoft, Redhat, and Symantec. Vulnerabilities are notably categorized as "SQL Injection", "Link Following", "Path Traversal", and "Improper Input Validation".
- 35 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 47 reported vulnerabilities are exploitable by an anonymous user.
- SAP has the most reported vulnerabilities, with 11 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
0 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
29 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-04-15 | CVE-2004-1934 | Isesam | Remote File Include Command Injection vulnerability in Isesam Gemitel 3.50 PHP remote file inclusion vulnerability in affich.php in Gemitel 3.50 allows remote attackers to execute arbitrary PHP code via the base parameter. | 7.5 |
2004-04-15 | CVE-2004-0364 | Symantec | Remote Command Execution vulnerability in Symantec Norton Internet Security 2004 The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method. | 7.5 |
2004-04-15 | CVE-2004-0363 | Symantec | Buffer Overrun vulnerability in Symantec Norton Antispam 2004 Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method. | 7.5 |
2004-04-15 | CVE-2004-0362 | ISS | Buffer Overflow vulnerability in Internet Security Systems Protocol Analysis Module ICQ Parsing Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. | 7.5 |
2004-04-15 | CVE-2004-0224 | Double Precision Incorporated Inter7 Gentoo | Remote Buffer Overflow vulnerability in Courier Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range." | 7.5 |
2004-04-15 | CVE-2004-0153 | Emil | Remote Security vulnerability in Emil 2.0.4/2.0.5/2.1.0Beta9 Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages. | 7.5 |
2004-04-15 | CVE-2004-0152 | Emil | Remote Security vulnerability in Emil 2.0.4/2.0.5/2.1.0Beta9 Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames. | 7.5 |
2004-04-15 | CVE-2003-1039 | SAP | Remote Security vulnerability in Mysap Business Suite Multiple buffer overflows in the mySAP.com architecture for SAP allow remote attackers to execute arbitrary code via a long HTTP Host header to (1) Message Server, (2) Web Dispatcher, or (3) Application Server. | 7.5 |
2004-04-15 | CVE-2003-1037 | SAP | Remote Security vulnerability in Internet Transaction Server 4620.2.0.323011 Format string vulnerability in the WGate component for SAP Internet Transaction Server (ITS) allows remote attackers to execute arbitrary code via a high "trace level." | 7.5 |
2004-04-15 | CVE-2003-1036 | SAP | Remote Security vulnerability in Internet Transaction Server 4620.2.0.323011 Multiple buffer overflows in the AGate component for SAP Internet Transaction Server (ITS) allow remote attackers to execute arbitrary code via long (1) ~command, (2) ~runtimemode, or (3) ~session parameters, or (4) a long HTTP Content-Type header. | 7.5 |
2004-04-15 | CVE-2003-1035 | SAP | Unspecified vulnerability in SAP R 3 and Sapgui The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does. | 7.5 |
2004-04-15 | CVE-2003-0594 | Mozilla | Unspecified vulnerability in Mozilla Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. | 7.5 |
2004-04-15 | CVE-2003-0593 | Opera | Path Traversal vulnerability in Opera Browser Opera allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Opera to send the cookie outside the specified URL subsets, e.g. | 7.5 |
2004-04-15 | CVE-2003-0592 | KDE | Unspecified vulnerability in KDE Konqueror and Konqueror Embedded Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. | 7.5 |
2004-04-15 | CVE-2003-0514 | Apple | Unspecified vulnerability in Apple Safari 1.0/1.1 Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g. | 7.5 |
2004-04-15 | CVE-2003-0513 | Microsoft | Unspecified vulnerability in Microsoft IE and Internet Explorer Microsoft Internet Explorer allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Internet Explorer to send the cookie outside the specified URL subsets, e.g. | 7.5 |
2004-04-15 | CVE-2002-1578 | SAP | Unspecified vulnerability in SAP R 3 The default installation of SAP R/3, when using Oracle and SQL*net V2 3.x, 4.x, and 6.10, allows remote attackers to obtain arbitrary, sensitive SAP data by directly connecting to the Oracle database and executing queries against the database, which is not password-protected. | 7.5 |
2004-04-15 | CVE-2002-1577 | SAP | Remote Security vulnerability in SAP R 3 2.0Bto4.6D SAP R/3 2.0B to 4.6D installs several clients with default users and passwords, which allows remote attackers to gain privileges via the (1) SAP*, (2) SAPCPIC, (3) DDIC, (4) EARLYWATCH, or (5) TMSADM accounts. | 7.5 |
2004-04-14 | CVE-2004-1936 | Zonelabs | Unspecified vulnerability in Zonelabs Zonealarm ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote attackers to bypass e-mail protection via attachments whose names contain certain non-English characters. | 7.5 |
2004-04-13 | CVE-2004-1929 | Francisco Burzi | SQL Injection vulnerability in PHP-Nuke SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter. | 7.5 |
2004-04-12 | CVE-2004-1932 | Francisco Burzi | SQL-Injection vulnerability in PHP-Nuke SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter. | 7.5 |
2004-04-12 | CVE-2004-1928 | Tiki | Improper Input Validation vulnerability in Tiki Tikiwiki Cms/Groupware 1.6.1/1.8.1 The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL. | 7.5 |
2004-04-12 | CVE-2004-1925 | Tiki | SQL Injection vulnerability in Tiki Tikiwiki Cms/Groupware 1.6.1/1.8.1 Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php. | 7.5 |
2004-04-15 | CVE-2004-0151 | Xintercepttalk | Privilege Escalation vulnerability in Xintercepttalk Xitalk 1.1.11 Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands. | 7.2 |
2004-04-15 | CVE-2004-0148 | SGI Washington University | wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. | 7.2 |
2004-04-15 | CVE-2003-1033 | SAP | Unspecified vulnerability in SAP DB 7.3.00/7.4 The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. | 7.2 |
2004-04-15 | CVE-2003-0257 | IBM | Unspecified vulnerability in IBM AIX Format string vulnerability in the printer capability for IBM AIX .3, 5.1, and 5.2 allows local users to gain printq or root privileges. | 7.2 |
2004-04-15 | CVE-2002-1576 | SAP | Symbolic Link vulnerability in SAP DB 7.3.00 lserver in SAP DB 7.3 and earlier uses the current working directory to find and execute the lserversrv program, which allows local users to gain privileges with a malicious lserversrv that is called from a directory that has a symlink to the lserver program. | 7.2 |
2004-04-15 | CVE-2004-0217 | Symantec | Link Following vulnerability in Symantec Antivirus Scan Engine 4.0/4.3 The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log. | 7.0 |
17 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-04-15 | CVE-2004-0173 | Apache | Directory Traversal vulnerability in Apache Cygwin Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. | 5.0 |
2004-04-15 | CVE-2004-0122 | Microsoft | Information Disclosure vulnerability in Microsoft MSN Messenger 6.0/6.1 Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. | 5.0 |
2004-04-15 | CVE-2004-0111 | Gnome Redhat SGI | Bitmap Handling Denial Of Service vulnerability in GdkPixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. | 5.0 |
2004-04-15 | CVE-2003-1038 | SAP | Information Disclosure vulnerability in Internet Transaction Server 4620.2.0.323011 The AGate component for SAP Internet Transaction Server (ITS) allows remote attackers to obtain sensitive information via a ~command parameter with an AgateInstallCheck value, which provides a list of installed DLLs and full pathnames. | 5.0 |
2004-04-15 | CVE-2003-0905 | Microsoft | Remote Denial of Service vulnerability in Microsoft Windows Media Services 4.1 Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. | 5.0 |
2004-04-15 | CVE-2002-1579 | SAP | Denial of Service vulnerability in SAP SAPgui SAP GUI (Sapgui) 4.6D allows remote attackers to cause a denial of service (crash) via a connection to a high-numbered port, which generates an "unknown connection data" error. | 5.0 |
2004-04-14 | CVE-2004-1944 | Qualcomm | Denial of Service vulnerability in Qualcomm Eudora MIME Message Nesting Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a denial of service (crash) via a deeply nested multipart MIME message. | 5.0 |
2004-04-13 | CVE-2004-1756 | BEA | Unspecified vulnerability in BEA Weblogic Server 7.0/8.1 BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers. | 5.0 |
2004-04-12 | CVE-2004-1060 | Icmp TCP | Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. | 5.0 |
2004-04-15 | CVE-2004-0108 | Redhat SGI Sysstat | The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107. | 4.6 |
2004-04-15 | CVE-2004-0107 | Redhat SGI Sysstat | The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. | 4.6 |
2004-04-15 | CVE-2003-1034 | SAP | The RPM installation of SAP DB 7.x creates the (1) dbmsrv or (2) lserver programs with world-writable permissions, which allows local users to gain privileges by modifying those programs. | 4.6 |
2004-04-15 | CVE-2003-0202 | Brian Renaud | Local File Creation vulnerability in Brian Renaud Metrics 1.0 The (1) halstead and (2) gather_stats scripts in metrics 1.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files. | 4.6 |
2004-04-13 | CVE-2004-1758 | BEA | Unspecified vulnerability in BEA Weblogic Server 6.1/7.0/8.1 BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges. | 4.6 |
2004-04-15 | CVE-2004-1935 | SCT Corporation | Unspecified vulnerability in SCT Corporation Campus Pipeline Cross-site scripting (XSS) vulnerability in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via onload, onmouseover, and other Javascript events in an e-mail attachment. | 4.3 |
2004-04-14 | CVE-2004-1939 | Rhinosoft | Cross-Site Scripting vulnerability in Rhino Software Zaep Antispam 2.0/2.0.0.1 Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter. | 4.3 |
2004-04-12 | CVE-2004-1930 | Francisco Burzi | Cross-Site Scripting vulnerability in PHP-Nuke CookieDecode Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie. | 4.3 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-04-15 | CVE-2004-0372 | Xine | Unspecified vulnerability in Xine xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts. | 2.1 |
2004-04-12 | CVE-2004-1933 | Citadel | Citadel/UX 5.00 through 6.14 installs the database directory and files with world-read permissions, which could allow local users to bypass access controls and read unauthorized messages. | 2.1 |