Weekly Vulnerabilities Reports > July 5 to 11, 2004
Overview
31 new vulnerabilities reported during this period, including 5 critical vulnerabilities and 7 high severity vulnerabilities. This weekly summary report vulnerabilities in 38 products from 26 vendors including Microsoft, Apple, Symantec, SGI, and BEA. Vulnerabilities are notably categorized as "Resource Management Errors", "Incorrect Calculation of Buffer Size", and "Argument Injection or Modification".
- 25 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 31 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 5 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
5 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-07-07 | CVE-2004-0469 | Checkpoint | Remote Buffer Overflow vulnerability in Check Point VPN-1 ISAKMP Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation. | 10.0 |
| 2004-07-07 | CVE-2004-0444 | Symantec | Buffer Overflow vulnerability in Symantec Client Firewall NetBIOS Name Service Response Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components. | 10.0 |
| 2004-07-07 | CVE-2004-0420 | Microsoft | Unspecified vulnerability in Microsoft IE and Internet Explorer The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. | 10.0 |
| 2004-07-07 | CVE-2004-0401 | Free Software Foundation INC | Unspecified vulnerability in Free Software Foundation Inc. Libtasn1 Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions. | 10.0 |
| 2004-07-07 | CVE-2004-0434 | Heimdal Project Debian | Incorrect Calculation of Buffer Size vulnerability in multiple products k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow. | 9.8 |
7 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-07-07 | CVE-2004-0486 | Apple | Remote Code Execution vulnerability in Apple Mac OS X Help Protocol HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler. | 7.6 |
| 2004-07-07 | CVE-2004-0470 | BEA | Unspecified vulnerability in BEA Weblogic Server 7.0/8.1 BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application. | 7.5 |
| 2004-07-07 | CVE-2004-0400 | University OF Cambridge | Unspecified vulnerability in University of Cambridge Exim Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check. | 7.5 |
| 2004-07-07 | CVE-2004-0399 | University OF Cambridge | Unspecified vulnerability in University of Cambridge Exim 3.35 Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification. | 7.5 |
| 2004-07-07 | CVE-2004-0398 | Cadaver Neon Openoffice Subversion | Heap Overflow vulnerability in Neon WebDAV Client Library ne_rfc1036_parse Function Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client. | 7.5 |
| 2004-07-07 | CVE-2004-0397 | Subversion | Buffer Overflow vulnerability in Subversion 1.0/1.0.1/1.0.2 Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command. | 7.5 |
| 2004-07-07 | CVE-2004-0424 | SGI Linux Slackware | Integer Overflow vulnerability in Linux Kernel Setsockopt MCAST_MSFILTER Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. | 7.2 |
11 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-07-07 | CVE-2004-0475 | Microsoft | Unspecified vulnerability in Microsoft IE 6.0 The showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm. | 5.1 |
| 2004-07-07 | CVE-2004-0474 | Microsoft | Unspecified vulnerability in Microsoft Windows XP Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. | 5.1 |
| 2004-07-07 | CVE-2004-0431 | Apple | Unspecified vulnerability in Apple Quicktime Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow. | 5.1 |
| 2004-07-07 | CVE-2004-0430 | Apple | Unspecified vulnerability in Apple mac OS X and mac OS X Server Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. | 5.1 |
| 2004-07-07 | CVE-2004-0485 | Apple | Unspecified vulnerability in Apple mac OS X 10.2.8/10.3.3 The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. | 5.0 |
| 2004-07-07 | CVE-2004-0483 | SGI | Remote Denial of Service vulnerability in SGI Irix 6.5.24 Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests. | 5.0 |
| 2004-07-07 | CVE-2004-0479 | Microsoft | Unspecified vulnerability in Microsoft IE 6 Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via Javascript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference. | 5.0 |
| 2004-07-07 | CVE-2004-0459 | Ieee | Remote Denial Of Service vulnerability in Multiple Vendor IEEE 802.11 Protocol The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data. | 5.0 |
| 2004-07-07 | CVE-2004-0437 | South River Technologies | Denial-Of-Service vulnerability in South River Technologies Titan FTP Server 3.01Build163 Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket. | 5.0 |
| 2004-07-07 | CVE-2004-0426 | Andrew Tridgell | Unspecified vulnerability in Andrew Tridgell Rsync rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. | 5.0 |
| 2004-07-07 | CVE-2004-0402 | Xpcd Mandrakesoft | Buffer Overflow vulnerability in XPCD XPCD-SVGA Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code. | 4.6 |
8 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-07-07 | CVE-2004-0484 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 6.0.2900 mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference. | 2.6 |
| 2004-07-07 | CVE-2004-0478 | Mozilla | Resource Management Errors vulnerability in Mozilla Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U. | 2.6 |
| 2004-07-07 | CVE-2004-0473 | Opera | Argument Injection or Modification vulnerability in Opera Browser Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux. | 2.6 |
| 2004-07-07 | CVE-2004-0445 | Symantec | Remote DNS Response Denial Of Service vulnerability in Symantec Client Firewall The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself. | 2.6 |
| 2004-07-07 | CVE-2004-0471 | BEA | Denial of Service vulnerability in BEA Weblogic Server 7.0/8.1 BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown). | 2.1 |
| 2004-07-07 | CVE-2004-0423 | Ssmtp | Local Security vulnerability in ssmtp The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file. | 2.1 |
| 2004-07-07 | CVE-2004-0422 | GNU | Unspecified vulnerability in GNU Flim 1.14.2 flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack. | 2.1 |
| 2004-07-07 | CVE-2004-0404 | Psionic | Unspecified vulnerability in Psionic Logcheck logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp. | 1.2 |