Weekly Vulnerabilities Reports > October 18 to 24, 2004

Overview

70 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 32 high severity vulnerabilities. This weekly summary report vulnerabilities in 65 products from 52 vendors including F Secure, Clearswift, Paul L Daniels, Saleslogix Corporation, and Best Software. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 61 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 69 reported vulnerabilities are exploitable by an anonymous user.
  • F Secure has the most reported vulnerabilities, with 8 reported vulnerabilities.
  • Pizzashack has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-10-23 CVE-2004-1628 Pizzashack USE of Externally-Controlled Format String vulnerability in Pizzashack Rssh

Format string vulnerability in log.c in rssh before 2.2.2 allows remote authenticated users to execute arbitrary code.

9.0

32 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-10-23 CVE-2004-1629 Distinct WEB Creations SQL Injection vulnerability in DWC_Articles

Multiple SQL injection vulnerabilities in Dwc_articles 1.6 and earlier allow remote attackers to execute arbitrary SQL statements.

7.5
2004-10-22 CVE-2004-1627 Code Crafters Remote Buffer Overflow vulnerability in Code-Crafters Ability Server 2.2.5/2.3.2/2.3.4

Buffer overflow in Ability Server 2.25, 2.32, 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long APPE command.

7.5
2004-10-21 CVE-2004-1622 Ubbcentral SQL Injection vulnerability in Ubbcentral Ubb.Threads 3.4/3.5

SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allows remote attackers to execute arbitrary SQL statements via the Name parameter.

7.5
2004-10-20 CVE-2004-1619 Akella Remote Buffer Overflow vulnerability in Akella Privateers Bounty AGE of Sail II 1.4.51/1.55/1.56

Buffer overflow in Privateer's Bounty: Age of Sail II allows remote attackers to execute arbitrary code via a long nickname.

7.5
2004-10-20 CVE-2004-0798 Ipswitch Remote Buffer Overflow vulnerability in Ipswitch WhatsUp Gold

Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.

7.5
2004-10-20 CVE-2004-0785 ROB Flynn Multiple vulnerability in Gaim

Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder.

7.5
2004-10-20 CVE-2004-0784 ROB Flynn Unspecified vulnerability in ROB Flynn Gaim

The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector.

7.5
2004-10-20 CVE-2004-0783 Gnome
GTK
Multiple vulnerability in GDK-Pixbuf

Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string.

7.5
2004-10-20 CVE-2004-0782 Gnome
GTK
Multiple vulnerability in GDK-Pixbuf

Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow.

7.5
2004-10-20 CVE-2004-0777 Inter7 USE of Externally-Controlled Format String vulnerability in Inter7 Courier-Imap

Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.

7.5
2004-10-20 CVE-2004-0775 Widcomm Unspecified vulnerability in Widcomm Bluetooth Communication Software and Btstackserver

Buffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in products such as BTStackServer 1.3.2.7 and 1.4.2.10, Windows XP and Windows 98 with MSI Bluetooth Dongles, and HP IPAQ 5450 running WinCE 3.0, allows remote attackers to execute arbitrary code via certain service requests.

7.5
2004-10-20 CVE-2004-0772 MIT Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in MIT Kerberos and Kerberos 5

Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.

7.5
2004-10-20 CVE-2004-0768 Greg Roelofs Unspecified vulnerability in Greg Roelofs Libpng3

libpng 1.2.5 and earlier does not properly calculate certain buffer offsets, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.

7.5
2004-10-20 CVE-2004-0754 ROB Flynn Multiple vulnerability in Gaim

Integer overflow in Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the size variable in Groupware server messages.

7.5
2004-10-20 CVE-2004-0750 Redhat Unspecified vulnerability in Redhat Enterprise Linux and Enterprise Linux Desktop

Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and prevent the all_squash option from being applied.

7.5
2004-10-20 CVE-2004-0746 KDE
Gentoo
Mandrakesoft
Suse
Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk and .firm.in, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.
7.5
2004-10-20 CVE-2004-0688 X ORG
Xfree86 Project
Openbsd
Suse
Remote Buffer Overflow vulnerability in libXpm Image Decoding

Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.

7.5
2004-10-20 CVE-2004-0687 X ORG
Xfree86 Project
Openbsd
Suse
Remote Buffer Overflow vulnerability in libXpm Image Decoding

Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file.

7.5
2004-10-20 CVE-2004-0162 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients.
7.5
2004-10-20 CVE-2004-0161 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients.
7.5
2004-10-20 CVE-2004-0053 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients.
7.5
2004-10-20 CVE-2004-0052 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients.
7.5
2004-10-20 CVE-2004-0051 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients.
7.5
2004-10-20 CVE-2003-1016 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use malformed quoting in MIME headers, parameters, and values, including (1) fields that should not be quoted, (2) duplicate quotes, or (3) missing leading or trailing quote characters, which may be interpreted differently by mail clients.
7.5
2004-10-20 CVE-2003-1015 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use whitespace in an unusual fashion, which may be interpreted differently by mail clients.
7.5
2004-10-20 CVE-2003-1014 Clearswift
F Secure
Paul L Daniels
Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use multiple MIME fields with the same name, which may be interpreted differently by mail clients.
7.5
2004-10-18 CVE-2004-1610 Best Software
Saleslogix Corporation
Remote Security vulnerability in SalesLogix

SalesLogix 6.1 uses client-specified pathnames for writing certain files, which might allow remote authenticated users to create arbitrary files and execute code via the (1) vMME.AttachmentPath or (2) vMME.LibraryPath variables.

7.5
2004-10-18 CVE-2004-1608 Best Software
Saleslogix Corporation
Remote vulnerability in Best Software SalesLogix

SQL injection vulnerability in SalesLogix 6.1 allows remote attackers to execute arbitrary SQL statements via the id parameter in a view operation.

7.5
2004-10-21 CVE-2004-1624 Altiris Local Privilege Escalation vulnerability in Altiris Carbon Copy Remote Control System

Carbon Copy 6.0.5257 does not drop system privileges when opening external programs through the help topic interface, which allows local users to gain privileges via (1) the help topic interface in CCW32.exe, which launches Notepad, or (2) the help button in the Carbon Copy Scheduler (CCSched.exe).

7.2
2004-10-20 CVE-2004-0795 IBM Remote Command Server Privilege Escalation vulnerability in IBM DB2 Universal Database 8.1

DB2 8.1 remote command server (DB2RCMD.EXE) executes the db2rcmdc.exe program as the db2admin administrator, which allows local users to gain privileges via the DB2REMOTECMD named pipe.

7.2
2004-10-20 CVE-2004-0793 Debian Permissions, Privileges, and Access Controls vulnerability in Debian Bsdmainutils

The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file.

7.2
2004-10-19 CVE-2004-1353 SUN Local Privilege Escalation vulnerability in Sun Solaris LDAP RBAC

Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.

7.2

32 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-10-20 CVE-2004-0792 Andrew Tridgell Unspecified vulnerability in Andrew Tridgell Rsync

Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.

6.4
2004-10-18 CVE-2004-1606 Best Software
Saleslogix Corporation
Remote vulnerability in Best Software SalesLogix

slxweb.dll in SalesLogix 6.1 allows remote attackers to cause a denial service (application crash) via an invalid HTTP request, which might also leak sensitive information in the ErrorLogMsg cookie.

6.4
2004-10-20 CVE-2004-0794 Luke Mewburn Unspecified vulnerability in Luke Mewburn Lukemftp and Tnftpd

Multiple signal handler race conditions in lukemftpd (aka tnftpd before 20040810) allow remote authenticated attackers to cause a denial of service or execute arbitrary code.

5.1
2004-10-18 CVE-2004-1611 Best Software
Saleslogix Corporation
Remote vulnerability in Best Software SalesLogix

SalesLogix 6.1 does not verify if a user is authenticated before performing sensitive operations, which could allow remote attackers to (1) execute arbitrary SLX commands on the server or spoof the server via a man-in-the-middle (MITM) attack, or (2) obtain the database password via a GetConnection request to TCP port 1707.

5.1
2004-10-24 CVE-2004-1635 Mozilla Authentication Bypass and Information Disclosure vulnerability in Mozilla Bugzilla

Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insidergroup feature, does not sufficiently protect private attachments when there are changes to the metadata, such as filename, description, MIME type, or review flags, which allows remote authenticated users to obtain sensitive information when (1) viewing the bug activity log or (2) receiving bug change notification mails.

5.0
2004-10-22 CVE-2004-1626 Code Crafters Remote Buffer Overflow vulnerability in Code-Crafters Ability Server 2.2.5/2.3.2/2.3.4

Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.

5.0
2004-10-22 CVE-2004-1625 Pgina Denial-Of-Service vulnerability in Pgina 1.7.6

pGina 1.7.6 and possibly older versions, when the Restart or Shutdown options are enabled on the login screen, allows remote attackers to cause a denial of service by connecting via Remote Desktop and clicking restart or shutdown.

5.0
2004-10-22 CVE-2004-1623 Microsoft Denial Of Service vulnerability in Microsoft Windows XP WAV File Handler

The WAV file property handler in Windows XP SP1 allows remote attackers to cause a denial of service (infinite loop in Explorer) via a WAV file with an invalid file header whose fmt chunk length is set to 0xFFFFFFFF.

5.0
2004-10-21 CVE-2004-1620 S9Y Unspecified vulnerability in S9Y Serendipity

CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php.

5.0
2004-10-20 CVE-2004-1381 Mozilla Remote Security vulnerability in Browser

Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks.

5.0
2004-10-20 CVE-2004-1380 Mozilla Unspecified vulnerability in Mozilla Firefox and Mozilla

Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability."

5.0
2004-10-20 CVE-2004-0799 Ipswitch Unspecified vulnerability in Ipswitch Whatsup Gold

The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm".

5.0
2004-10-20 CVE-2004-0796 Spamassassin Remote Denial Of Service vulnerability in SpamAssassin Malformed Email

SpamAssassin 2.5x, and 2.6x before 2.64, allows remote attackers to cause a denial of service via certain malformed messages.

5.0
2004-10-20 CVE-2004-0788 Gnome
GTK
Multiple vulnerability in GDK-Pixbuf

Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file.

5.0
2004-10-20 CVE-2004-0786 Apache Unspecified vulnerability in Apache Http Server

The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool.

5.0
2004-10-20 CVE-2004-0778 CVS Information Disclosure vulnerability in CVS Undocumented History Flag

CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.

5.0
2004-10-20 CVE-2004-0753 Gnome
GTK
Multiple vulnerability in GDK-Pixbuf

The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.

5.0
2004-10-20 CVE-2004-0751 Apache Unspecified vulnerability in Apache Http Server

The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).

5.0
2004-10-20 CVE-2004-0748 Apache Unspecified vulnerability in Apache Http Server

mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.

5.0
2004-10-19 CVE-2004-1618 Vypress Remote Denial Of Service vulnerability in Vypress Tonecast

Vypress Tonecast 1.3 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed mp2 stream.

5.0
2004-10-18 CVE-2004-1617 University OF Kansas Improper Input Validation vulnerability in University of Kansas Lynx

Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers to cause a denial of service (infinite loop) via a web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag with a large COLS value and (2) a large tag name in an element that is not terminated, as demonstrated by mangleme.

5.0
2004-10-18 CVE-2004-1616 Links Denial Of Service vulnerability in Links Malformed Table

Links allows remote attackers to cause a denial of service (memory consumption) via a web page or HTML email that contains a table with a td element and a large rowspan value,as demonstrated by mangleme.

5.0
2004-10-18 CVE-2004-1614 Mozilla Unspecified vulnerability in Mozilla

Mozilla allows remote attackers to cause a denial of service (application crash from invalid memory access) via an "unusual combination of visual elements," including several large MARQUEE tags with large height parameters, as demonstrated by mangleme.

5.0
2004-10-18 CVE-2004-1613 Mozilla
SGI
Redhat
Memory Corruption vulnerability in Mozilla

Mozilla allows remote attackers to cause a denial of service (application crash from null dereference or infinite loop) via a web page that contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a null character and some trailing characters, as demonstrated by mangleme.

5.0
2004-10-18 CVE-2004-1612 Saleslogix Corporation Remote vulnerability in Saleslogix Corporation Saleslogix 2000.0

Directory traversal vulnerability in SalesLogix 6.1 allows remote attackers to upload arbitrary files via a ..

5.0
2004-10-18 CVE-2004-1609 Best Software
Saleslogix Corporation
Remote vulnerability in Best Software SalesLogix

SalesLogix 6.1 includes usernames, passwords, and other sensitive information in the headers of an HTTP response, which could allow remote attackers to gain access.

5.0
2004-10-18 CVE-2004-1607 Best Software
Saleslogix Corporation
Remote vulnerability in Best Software SalesLogix

slxweb.dll in SalesLogix 6.1 allows remote attackers to obtain sensitive information via a (1) Library or (2) Attachment request with an invalid file parameter, which reveals the path in an error message.

5.0
2004-10-18 CVE-2004-1603 Cpanel Remote Backup Information Disclosure vulnerability in Cpanel 9.4.1R64

cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled.

5.0
2004-10-20 CVE-2004-0747 Apache Unspecified vulnerability in Apache Http Server

Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.

4.6
2004-10-20 CVE-2004-0787 Openca HTML Injection vulnerability in OpenCA

Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the form input fields.

4.3
2004-10-20 CVE-2004-0781 Icecast Cross-Site Scripting vulnerability in Icecast Server Status Display

Cross-site scripting (XSS) vulnerability in list.cgi in the Icecast internal web server (icecast-server) 1.3.12 and earlier allows remote attackers to inject arbitrary web script via the UserAgent parameter.

4.3
2004-10-18 CVE-2004-1621 IBM Cross-Site Scripting and HTML Injection vulnerability in IBM Lotus Domino

** DISPUTED ** NOTE: this issue has been disputed by the vendor.

4.3

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-10-18 CVE-2004-1615 Opera Software Denial Of Service vulnerability in Opera Browser TBODY COL SPAN Memory Corruption

Opera allows remote attackers to cause a denial of service (invalid memory reference and application crash) via a web page or HTML email that contains a TBODY tag with a large COL SPAN value, as demonstrated by mangleme.

2.6
2004-10-20 CVE-2004-0797 GNU Denial Of Service vulnerability in GNU Zlib 1.2.1

The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).

2.1
2004-10-20 CVE-2004-0755 Yukihiro Matsumoto Unspecified vulnerability in Yukihiro Matsumoto Ruby 1.6/1.8

The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.

2.1
2004-10-20 CVE-2004-0752 Openoffice Local File Disclosure vulnerability in Openoffice 1.1.2

OpenOffice (OOo) 1.1.2 creates predictable directory names with insecure permissions during startup, which may allow local users to read or list files of other users.

2.1
2004-10-20 CVE-2004-0559 Usermin
Webmin
Mandrakesoft
The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory.
2.1