Weekly Vulnerabilities Reports > April 12 to 18, 2004

Overview

48 new vulnerabilities reported during this period, including 0 critical vulnerabilities and 29 high severity vulnerabilities. This weekly summary report vulnerabilities in 57 products from 33 vendors including SAP, SGI, Microsoft, Redhat, and Symantec. Vulnerabilities are notably categorized as "SQL Injection", "Link Following", "Path Traversal", and "Improper Input Validation".

  • 35 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 47 reported vulnerabilities are exploitable by an anonymous user.
  • SAP has the most reported vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

29 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-04-15 CVE-2004-1934 Isesam Remote File Include Command Injection vulnerability in Isesam Gemitel 3.50

PHP remote file inclusion vulnerability in affich.php in Gemitel 3.50 allows remote attackers to execute arbitrary PHP code via the base parameter.

7.5
2004-04-15 CVE-2004-0364 Symantec Remote Command Execution vulnerability in Symantec Norton Internet Security 2004

The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method.

7.5
2004-04-15 CVE-2004-0363 Symantec Buffer Overrun vulnerability in Symantec Norton Antispam 2004

Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method.

7.5
2004-04-15 CVE-2004-0362 ISS Buffer Overflow vulnerability in Internet Security Systems Protocol Analysis Module ICQ Parsing

Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.

7.5
2004-04-15 CVE-2004-0224 Double Precision Incorporated
Inter7
Gentoo
Remote Buffer Overflow vulnerability in Courier

Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."

7.5
2004-04-15 CVE-2004-0153 Emil Remote Security vulnerability in Emil 2.0.4/2.0.5/2.1.0Beta9

Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages.

7.5
2004-04-15 CVE-2004-0152 Emil Remote Security vulnerability in Emil 2.0.4/2.0.5/2.1.0Beta9

Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames.

7.5
2004-04-15 CVE-2003-1039 SAP Remote Security vulnerability in Mysap Business Suite

Multiple buffer overflows in the mySAP.com architecture for SAP allow remote attackers to execute arbitrary code via a long HTTP Host header to (1) Message Server, (2) Web Dispatcher, or (3) Application Server.

7.5
2004-04-15 CVE-2003-1037 SAP Remote Security vulnerability in Internet Transaction Server 4620.2.0.323011

Format string vulnerability in the WGate component for SAP Internet Transaction Server (ITS) allows remote attackers to execute arbitrary code via a high "trace level."

7.5
2004-04-15 CVE-2003-1036 SAP Remote Security vulnerability in Internet Transaction Server 4620.2.0.323011

Multiple buffer overflows in the AGate component for SAP Internet Transaction Server (ITS) allow remote attackers to execute arbitrary code via long (1) ~command, (2) ~runtimemode, or (3) ~session parameters, or (4) a long HTTP Content-Type header.

7.5
2004-04-15 CVE-2003-1035 SAP Unspecified vulnerability in SAP R 3 and Sapgui

The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does.

7.5
2004-04-15 CVE-2003-0594 Mozilla Unspecified vulnerability in Mozilla

Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g.

7.5
2004-04-15 CVE-2003-0593 Opera Path Traversal vulnerability in Opera Browser

Opera allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Opera to send the cookie outside the specified URL subsets, e.g.

7.5
2004-04-15 CVE-2003-0592 KDE Unspecified vulnerability in KDE Konqueror and Konqueror Embedded

Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g.

7.5
2004-04-15 CVE-2003-0514 Apple Unspecified vulnerability in Apple Safari 1.0/1.1

Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g.

7.5
2004-04-15 CVE-2003-0513 Microsoft Unspecified vulnerability in Microsoft IE and Internet Explorer

Microsoft Internet Explorer allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Internet Explorer to send the cookie outside the specified URL subsets, e.g.

7.5
2004-04-15 CVE-2002-1578 SAP Unspecified vulnerability in SAP R 3

The default installation of SAP R/3, when using Oracle and SQL*net V2 3.x, 4.x, and 6.10, allows remote attackers to obtain arbitrary, sensitive SAP data by directly connecting to the Oracle database and executing queries against the database, which is not password-protected.

7.5
2004-04-15 CVE-2002-1577 SAP Remote Security vulnerability in SAP R 3 2.0Bto4.6D

SAP R/3 2.0B to 4.6D installs several clients with default users and passwords, which allows remote attackers to gain privileges via the (1) SAP*, (2) SAPCPIC, (3) DDIC, (4) EARLYWATCH, or (5) TMSADM accounts.

7.5
2004-04-14 CVE-2004-1936 Zonelabs Unspecified vulnerability in Zonelabs Zonealarm

ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote attackers to bypass e-mail protection via attachments whose names contain certain non-English characters.

7.5
2004-04-13 CVE-2004-1929 Francisco Burzi SQL Injection vulnerability in PHP-Nuke

SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter.

7.5
2004-04-12 CVE-2004-1932 Francisco Burzi SQL-Injection vulnerability in PHP-Nuke

SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter.

7.5
2004-04-12 CVE-2004-1928 Tiki Improper Input Validation vulnerability in Tiki Tikiwiki Cms/Groupware 1.6.1/1.8.1

The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL.

7.5
2004-04-12 CVE-2004-1925 Tiki SQL Injection vulnerability in Tiki Tikiwiki Cms/Groupware 1.6.1/1.8.1

Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php.

7.5
2004-04-15 CVE-2004-0151 Xintercepttalk Privilege Escalation vulnerability in Xintercepttalk Xitalk 1.1.11

Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands.

7.2
2004-04-15 CVE-2004-0148 SGI
Washington University
wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
7.2
2004-04-15 CVE-2003-1033 SAP Unspecified vulnerability in SAP DB 7.3.00/7.4

The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program.

7.2
2004-04-15 CVE-2003-0257 IBM Unspecified vulnerability in IBM AIX

Format string vulnerability in the printer capability for IBM AIX .3, 5.1, and 5.2 allows local users to gain printq or root privileges.

7.2
2004-04-15 CVE-2002-1576 SAP Symbolic Link vulnerability in SAP DB 7.3.00

lserver in SAP DB 7.3 and earlier uses the current working directory to find and execute the lserversrv program, which allows local users to gain privileges with a malicious lserversrv that is called from a directory that has a symlink to the lserver program.

7.2
2004-04-15 CVE-2004-0217 Symantec Link Following vulnerability in Symantec Antivirus Scan Engine 4.0/4.3

The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log.

7.0

17 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-04-15 CVE-2004-0173 Apache Directory Traversal vulnerability in Apache Cygwin

Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences.

5.0
2004-04-15 CVE-2004-0122 Microsoft Information Disclosure vulnerability in Microsoft MSN Messenger 6.0/6.1

Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files.

5.0
2004-04-15 CVE-2004-0111 Gnome
Redhat
SGI
Bitmap Handling Denial Of Service vulnerability in GdkPixbuf

gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.

5.0
2004-04-15 CVE-2003-1038 SAP Information Disclosure vulnerability in Internet Transaction Server 4620.2.0.323011

The AGate component for SAP Internet Transaction Server (ITS) allows remote attackers to obtain sensitive information via a ~command parameter with an AgateInstallCheck value, which provides a list of installed DLLs and full pathnames.

5.0
2004-04-15 CVE-2003-0905 Microsoft Remote Denial of Service vulnerability in Microsoft Windows Media Services 4.1

Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets.

5.0
2004-04-15 CVE-2002-1579 SAP Denial of Service vulnerability in SAP SAPgui

SAP GUI (Sapgui) 4.6D allows remote attackers to cause a denial of service (crash) via a connection to a high-numbered port, which generates an "unknown connection data" error.

5.0
2004-04-14 CVE-2004-1944 Qualcomm Denial of Service vulnerability in Qualcomm Eudora MIME Message Nesting

Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a denial of service (crash) via a deeply nested multipart MIME message.

5.0
2004-04-13 CVE-2004-1756 BEA Unspecified vulnerability in BEA Weblogic Server 7.0/8.1

BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers.

5.0
2004-04-12 CVE-2004-1060 Icmp
TCP
Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP

Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability.

5.0
2004-04-15 CVE-2004-0108 Redhat
SGI
Sysstat
The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107.
4.6
2004-04-15 CVE-2004-0107 Redhat
SGI
Sysstat
The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.
4.6
2004-04-15 CVE-2003-1034 SAP The RPM installation of SAP DB 7.x creates the (1) dbmsrv or (2) lserver programs with world-writable permissions, which allows local users to gain privileges by modifying those programs.
4.6
2004-04-15 CVE-2003-0202 Brian Renaud Local File Creation vulnerability in Brian Renaud Metrics 1.0

The (1) halstead and (2) gather_stats scripts in metrics 1.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files.

4.6
2004-04-13 CVE-2004-1758 BEA Unspecified vulnerability in BEA Weblogic Server 6.1/7.0/8.1

BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.

4.6
2004-04-15 CVE-2004-1935 SCT Corporation Unspecified vulnerability in SCT Corporation Campus Pipeline

Cross-site scripting (XSS) vulnerability in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via onload, onmouseover, and other Javascript events in an e-mail attachment.

4.3
2004-04-14 CVE-2004-1939 Rhinosoft Cross-Site Scripting vulnerability in Rhino Software Zaep Antispam 2.0/2.0.0.1

Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter.

4.3
2004-04-12 CVE-2004-1930 Francisco Burzi Cross-Site Scripting vulnerability in PHP-Nuke CookieDecode

Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-04-15 CVE-2004-0372 Xine Unspecified vulnerability in Xine

xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts.

2.1
2004-04-12 CVE-2004-1933 Citadel Citadel/UX 5.00 through 6.14 installs the database directory and files with world-read permissions, which could allow local users to bypass access controls and read unauthorized messages.
2.1