Weekly Vulnerabilities Reports > December 6 to 12, 2004

Overview

51 new vulnerabilities were reported during this period, including 15 critical and 9 high severity vulnerabilities. This weekly summary reports vulnerabilities in 78 products from 56 vendors, including Gentoo, Redhat, Mandrakesoft, Debian, and Linux. The most notable vulnerability categories this week are "Configuration" and "Classic Buffer Overflow".

  • 41 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 51 reported vulnerabilities are exploitable by an anonymous user.
  • Gentoo has the most reported vulnerabilities, with 10.
  • GNU has the most reported critical vulnerabilities, with 2.

Summary table columns: Total vulnerabilities, Critical risk vulnerabilities, High risk vulnerabilities, Medium risk vulnerabilities, Low risk vulnerabilities, Remotely exploitable, Locally exploitable, Exploit available, Exploitable anonymously, Affecting web application (the cell values are not present in this copy of the page).

Vulnerability Details

The following table lists the vulnerabilities reported during the period covered by this report:


15 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-07 CVE-2004-1351 SUN Remote Code Execution vulnerability in Sun Solaris IN.RWHOD(1M) Daemon

Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.

10.0
2004-12-06 CVE-2004-0628 Mysql Denial Of Service vulnerability in Mysql 4.1.0

Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string.

10.0
2004-12-06 CVE-2004-0627 Mysql Authentication Bypass vulnerability in Mysql 4.1.0

The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.

10.0
2004-12-06 CVE-2004-0623 GNU Remote Format String vulnerability in GNU Gnats 4.00

Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog.

10.0
2004-12-06 CVE-2004-0621 Zaireweb Solutions Authentication Bypass vulnerability in ZaireWeb Solutions Newsletter ZWS Administrative Interface

admin.php in Newsletter ZWS allows remote attackers to gain administrative privileges via a list_user operation with the ulevel parameter set to 1 (administrator level), which lists all users and their passwords.

10.0
2004-12-06 CVE-2004-0608 Arush, Dreamforge, Epic Games, Infogrames, ION Storm, Nerf Arena Blast, Rage Software, Robert Jordan, Running With Scissors, Gentoo

The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.

10.0
2004-12-06 CVE-2004-0607 Ipsec Tools, Kame, Redhat

The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication.

10.0
2004-12-06 CVE-2004-0603 GNU Command Execution vulnerability in GNU Gzip gzexe

gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332.

10.0
2004-12-06 CVE-2004-0590 FreeS/WAN, Openswan, Strongswan

FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject.

10.0
2004-12-06 CVE-2004-0480 IBM Remote Code Execution vulnerability in IBM Lotus Notes URI Handler

Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe.

10.0
2004-12-06 CVE-2004-0477 3Com Remote 812 ADSL Router Web Interface Authentication Bypass vulnerability in 3Com 3Cp4144 1.1.9.4

Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password.

10.0
2004-12-06 CVE-2004-0451 SUP, Debian Remote Syslog Format String vulnerability in Sup

Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog.

10.0
2004-12-06 CVE-2004-0448 Jftpgw Remote Syslog Format String vulnerability in JFTPGW

Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages.

10.0
2004-12-06 CVE-2004-0393 Rlpr Multiple vulnerabilities in Rlpr msg() Function

Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function.

10.0
2004-12-06 CVE-2002-1582 Mailreader COM Remote Command Execution vulnerability in Mailreader.Com 2.3.30/2.3.31

compose.cgi in Mailreader.com 2.3.30 and 2.3.31, when using Sendmail as the Mail Transfer Agent, allows remote attackers to execute arbitrary commands via shell metacharacters in the RealEmail configuration variable, which is used to call Sendmail in network.cgi.

10.0
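Four of the critical entries above (GNU GNATS, SUP, jftpgw and rlpr) are the same bug: text a remote peer controls is handed to syslog as the format argument rather than as data. The C below is an added example for this page, not code from any of those projects. It models the variadic logging wrapper such daemons typically have (the `vlog_into` helper, the `ATTACKER_INPUT` string and every function name are constructed for the example), shows the vulnerable call beside the fixed one, and adds a small detector for conversion directives in untrusted text. Formatting goes through `vsnprintf` rather than `syslog` only so the result can be inspected; the parsing step is the same.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Text a remote peer controls, e.g. a login name or an error string that
   the daemon echoes into its log. Constructed input for this example. */
#define ATTACKER_INPUT "login failed for user %08x.%08x.%08x"

/* The kind of wrapper the affected daemons have (logerr, loginfo, msg):
   a variadic function that forwards its format to the printf engine. */
static size_t vlog_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return len < 0 ? 0 : (size_t)len;
}

/* Vulnerable pattern: the untrusted message IS the format string.
   Each %08x consumes an argument that was never passed (a register or
   stack word), which is how attackers read memory; %n would write it. */
size_t log_message_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    return vlog_into(out, outlen, untrusted);
}

/* Fixed pattern: the format is a literal, the message is data. */
size_t log_message_fixed(char *out, size_t outlen, const char *untrusted)
{
    return vlog_into(out, outlen, "%s", untrusted);
}

/* The same fix applied to syslog itself: the call the advisories above
   need in place of syslog(priority, untrusted). */
void audit_log(const char *untrusted)
{
    syslog(LOG_AUTH | LOG_WARNING, "%s", untrusted);
}

/* Detection helper: returns 1 if s carries a conversion directive, i.e. a
   '%' not immediately followed by another '%'. Useful for spotting probes
   in captured traffic or in existing log files. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Convenience wrappers that format into a static buffer and return it. */
static char scratch[256];

const char *render_vulnerable(const char *untrusted)
{
    log_message_vulnerable(scratch, sizeof scratch, untrusted);
    return scratch;
}

const char *render_fixed(const char *untrusted)
{
    log_message_fixed(scratch, sizeof scratch, untrusted);
    return scratch;
}

int main(void)
{
    /* The vulnerable line shows three leaked words as hex; the fixed line
       shows the input verbatim, %08x and all. */
    printf("vulnerable: %s\n", render_vulnerable(ATTACKER_INPUT));
    printf("fixed:      %s\n", render_fixed(ATTACKER_INPUT));
    printf("directive present: %d\n", contains_format_directive(ATTACKER_INPUT));
    return 0;
}
```

Building the real daemon with `-Wformat-security` (or `-Wformat=2`) reports every call site of this shape in which the format is not a string literal and no arguments follow it, which is the quickest audit for this whole class of advisories.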
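The MySQL check_scramble_323 entry above is an authentication check whose loop bound is chosen by the client: a zero-length reply means nothing is compared and the check passes. The C below is an added illustration of that bug class, not the MySQL source. `check_scramble_vulnerable` and `check_scramble_fixed` are constructed names, the 8-byte `SCRAMBLE_LEN` and the `EXPECTED` bytes are assumed values for the example, and only the shape of the loop is modelled on the advisory text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the old-style scramble reply. 8 bytes is assumed here purely
   for the illustration. */
#define SCRAMBLE_LEN 8

/* What the server computed for this connection from its challenge and the
   stored password hash. Constructed value, chosen printable so the client
   replies below can be written as string literals. */
static const uint8_t EXPECTED[SCRAMBLE_LEN] = { 'G','x','7','p','Q','2','m','K' };

/* Vulnerable shape: walk the CLIENT'S bytes until their NUL and report
   success if no byte disagreed. Returns 0 on match, 1 on mismatch (the
   MySQL convention). Consequences:
     - an empty reply never enters the loop, so it "matches";
     - a correct 1-byte prefix also matches (8-bit search instead of 64-bit);
     - a reply longer than SCRAMBLE_LEN reads past the expected buffer. */
int check_scramble_vulnerable(const char *client_reply, const uint8_t *expected)
{
    size_t i = 0;
    while (*client_reply) {
        if ((uint8_t)*client_reply++ != expected[i++])
            return 1;
    }
    return 0;
}

/* Fixed shape: the protocol fixes the length, so the SERVER decides how
   many bytes are compared. The comparison is also branch-free so a wrong
   reply costs the same time however many leading bytes were right. */
int check_scramble_fixed(const char *client_reply, size_t client_len,
                         const uint8_t *expected)
{
    uint8_t diff = 0;
    if (client_len != SCRAMBLE_LEN)
        return 1;
    for (size_t i = 0; i < SCRAMBLE_LEN; i++)
        diff |= (uint8_t)client_reply[i] ^ expected[i];
    return diff != 0;
}

int main(void)
{
    const char *replies[] = { "Gx7pQ2mK", "Gx7pQ2mZ", "", "G" };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        const char *r = replies[i];
        printf("reply \"%s\": vulnerable=%d fixed=%d\n", r,
               check_scramble_vulnerable(r, EXPECTED),
               check_scramble_fixed(r, strlen(r), EXPECTED));
    }
    return 0;
}
```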

9 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-06 CVE-2004-0456 Pavuk, Debian, Gentoo Remote Stack-Based Buffer Overrun vulnerability in Pavuk

Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header.

7.6
2004-12-06 CVE-2004-0625 Websoft SQL Injection vulnerability in Websoft Infinity web 1.0

SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page.

7.5
2004-12-06 CVE-2004-0624 Artmedic Webdesign Remote File Inclusion vulnerability in Artmedic Webdesign Artmedic Links 5.0

PHP remote file inclusion vulnerability in index.php for Artmedic links 5.0 (artmedic_links5) allows remote attackers to execute arbitrary PHP code by modifying the id parameter to reference a URL on a remote web server that contains the code.

7.5
2004-12-06 CVE-2004-0613 Osticket Remote Command Execution vulnerability in Osticket STS 1.2

osTicket allows remote attackers to view sensitive uploaded files and possibly execute arbitrary code via an HTTP request that uploads a PHP file to the ticket attachments directory.

7.5
2004-12-06 CVE-2004-0619 Redhat Integer Overflow vulnerability in Linux Kernel Broadcom 5820 Cryptonet Driver

Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow.

7.2
2004-12-06 CVE-2004-0496 Mandrakesoft, Suse, Gentoo, Linux, SUN

Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool.

7.2
2004-12-06 CVE-2004-0455 WWW SQL Project, Debian Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql.

7.2
2004-12-06 CVE-2004-0454 Rlpr Multiple vulnerabilities in Rlpr msg() Function

Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code.

7.2
2004-12-06 CVE-2004-0395 Gatos Privilege Escalation vulnerability in Gatos .5

The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call.

7.2

22 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-06 CVE-2004-0617 Arbitroweb Cross-Site Scripting vulnerability in Arbitroweb 0.5/0.6

Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remote attackers to inject arbitrary script or HTML via the rawURL parameter.

6.8
2004-12-06 CVE-2004-0606 Infoblox Cross-Site Scripting vulnerability in Infoblox DNS ONE Appliance 2.4.0.8/2.4.0.8A

Cross-site scripting (XSS) vulnerability in Infoblox DNS One running firmware 2.4.0-8 and earlier allows remote attackers to execute arbitrary scripts as other users via the (1) CLIENTID or (2) HOSTNAME option of a DHCP request.

6.8
2004-12-06 CVE-2004-0614 Osticket Upload Size Restriction Bypass vulnerability in osTicket STS

osTicket trusts a hidden form field in the submit form to limit the upload size of a document, which could allow remote attackers to upload a file of any size.

6.4
2004-12-06 CVE-2004-0615 D Link Cross-Site Scripting vulnerability in D-Link Di-614+, Di-624 and Di-704P

Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624, allows remote attackers to inject arbitrary script or HTML via the DHCP HOSTNAME option in a DHCP request.

5.1
2004-12-06 CVE-2004-0612 Zonelabs Security Bypass vulnerability in Zonelabs Zonealarm 5.0.590.015

The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering.

5.1
2004-12-06 CVE-2004-0635 Ethereal Group, Gentoo, Mandrakesoft, Redhat

The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read.

5.0
2004-12-06 CVE-2004-0634 Ethereal Group, Gentoo, Mandrakesoft, Redhat

The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows remote attackers to cause a denial of service (process crash) via a handle without a policy name, which causes a null dereference.

5.0
2004-12-06 CVE-2004-0633 Ethereal Group, Gentoo, Mandrakesoft, Redhat

The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow.

5.0
2004-12-06 CVE-2004-0626 Conectiva, Gentoo, Linux, Suse

The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.

5.0
2004-12-06 CVE-2004-0616 BT Information Disclosure vulnerability in BT Voyager 2000 Wireless ADSL Router SNMP Community String

The BT Voyager 2000 Wireless ADSL Router has a default public SNMP community name, which allows remote attackers to obtain sensitive information such as the password, which is stored in plaintext.

5.0
2004-12-06 CVE-2004-0611 Netgear Denial Of Service vulnerability in Multiple Vendor Broadband Router Web-Based Administration

Web-Based Administration in Netgear FVS318 VPN Router allows remote attackers to cause a denial of service (no new connections) via a large number of open HTTP connections.

5.0
2004-12-06 CVE-2004-0610 Microsoft Denial Of Service vulnerability in Multiple Vendor Broadband Router Web-Based Administration

The Web administration interface in Microsoft MN-500 Wireless Router allows remote attackers to cause a denial of service (connection refusal) via a large number of open HTTP connections.

5.0
2004-12-06 CVE-2004-0609 Rssh Information Disclosure vulnerability in Rssh 2.0/2.1

rssh 2.0 through 2.1.x expands command line arguments before entering a chroot jail, which allows remote authenticated users to determine the existence of files in a directory outside the jail.

5.0
2004-12-06 CVE-2004-0605 Ircd Hybrid, Ircd Ratbox Configuration vulnerability in multiple products

Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ircd-ratbox 1.5.1 and earlier, or (3) ircd-ratbox 2.0rc6 and earlier do not have a rate-limit imposed, which could allow remote attackers to cause a denial of service by repeatedly making requests, which are slowly dequeued.

5.0
2004-12-06 CVE-2004-0604 Gift Fasttrack, Gentoo Remote Denial Of Service vulnerability in giFT-FastTrack HTTP Header Parser

The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows remote attackers to cause a denial of service (crash), possibly via an empty search query, which triggers a NULL dereference.

5.0
2004-12-06 CVE-2004-0578 Qbik Arbitrary File Read vulnerability in Qbik Wingate 5.0.5/5.2.3/6.0Beta2

WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request to the wingate-internal directory.

5.0
2004-12-06 CVE-2004-0577 Qbik Arbitrary File Read vulnerability in Qbik Wingate 5.0.5/5.2.3/6.0Beta2

WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files from the root directory via a URL request to the wingate-internal directory.

5.0
2004-12-06 CVE-2004-0576 GNU Denial Of Service vulnerability in GNU Radius 1.1

The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (server crash) via malformed SNMP messages containing an invalid OID.

5.0
2004-12-06 CVE-2004-0468 Juniper Denial Of Service vulnerability in Juniper Junos Packet Forwarding Engine

Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets.

5.0
2004-12-06 CVE-2002-1581 Mailreader COM, Debian

Directory traversal vulnerability in nph-mr.cgi in Mailreader.com 2.3.20 through 2.3.31 allows remote attackers to view arbitrary files via .. (dot dot) sequences.

5.0
2004-12-10 CVE-2004-1059 Mnogosearch Cross-Site Scripting vulnerability in mnoGoSearch

Multiple cross-site scripting (XSS) vulnerabilities in mnoGoSearch 3.2.26 and earlier allow remote attackers to inject arbitrary HTML and web script via the (1) next and (2) prev result search pages, and the (3) extended and (4) simple search forms.

4.3
2004-12-06 CVE-2004-0620 Jelsoft Module HTML Injection vulnerability in Jelsoft Vbulletin 3.0.1

Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel.

4.3
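The netfilter tcp_find_option entry in the medium table above describes an option length byte that turns negative once it is stored in a `char`, so the walk over the TCP options steps backwards and never reaches the end. The C below is an added example, not the kernel code: it walks TCP options over two constructed byte strings (`GOOD_OPTS`, `EVIL_OPTS`) with a vulnerable walker that bounds its own iterations so the spin is observable, and a fixed walker that keeps the length unsigned and rejects lengths below 2 or past the end of the options. It uses `signed char` explicitly so the behaviour matches the kernel bug on x86 regardless of the host ABI's plain `char` signedness.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_NOT_FOUND = 0, OPT_FOUND = 1, OPT_LOOPED = -1 };

/* TCP option kinds used below (RFC 793 / RFC 1323 numbering). */
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2,
       TCPOPT_WSCALE = 3, TCPOPT_TIMESTAMP = 8 };

/* Constructed option bytes as they would sit after the TCP header.
   Well-formed: MSS 1460, NOP, NOP, 10-byte timestamp. */
static const uint8_t GOOD_OPTS[] = {
    TCPOPT_MSS, 4, 0x05, 0xb4,
    TCPOPT_NOP, TCPOPT_NOP,
    TCPOPT_TIMESTAMP, 10, 0, 0, 0, 1, 0, 0, 0, 0
};
/* Hostile: MSS, NOP, then a window-scale option whose length byte is 0xff. */
static const uint8_t EVIL_OPTS[] = {
    TCPOPT_MSS, 4, 0x05, 0xb4,
    TCPOPT_NOP,
    TCPOPT_WSCALE, 0xff, 0x00, 0x00
};

/* Vulnerable walker. The kernel stored the length in a plain char; on x86
   that is signed, so 0xff becomes -1 and "i += opsize" moves backwards.
   max_steps is only here so the example can report the spin instead of
   hanging; the real code had no such guard. */
int find_option_vulnerable(const uint8_t *opt, int optlen, uint8_t want,
                           int max_steps)
{
    int i = 0;
    while (i < optlen) {
        signed char opsize;
        if (max_steps-- == 0)
            return OPT_LOOPED;
        if (opt[i] == TCPOPT_EOL)
            break;
        if (opt[i] == want)
            return OPT_FOUND;
        if (opt[i] == TCPOPT_NOP) {
            i++;
            continue;
        }
        opsize = (signed char)opt[i + 1]; /* BUG: 0xff -> -1 */
        i += opsize;                      /* 5 + (-1) = 4, then back to 5, ... */
    }
    return OPT_NOT_FOUND;
}

/* Fixed walker: unsigned length, and every multi-byte option must be at
   least 2 bytes long and fit in the remaining option space. Anything else
   is malformed and ends the search instead of being stepped over. */
int find_option_fixed(const uint8_t *opt, int optlen, uint8_t want)
{
    int i = 0;
    while (i < optlen) {
        unsigned int opsize;
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL)
            return OPT_NOT_FOUND;
        if (kind == want)
            return OPT_FOUND;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)            /* truncated option, no length byte */
            return OPT_NOT_FOUND;
        opsize = opt[i + 1];
        if (opsize < 2 || opsize > (unsigned int)(optlen - i))
            return OPT_NOT_FOUND;       /* cannot go backwards or past the end */
        i += opsize;
    }
    return OPT_NOT_FOUND;
}

int main(void)
{
    printf("good/timestamp: vulnerable=%d fixed=%d\n",
           find_option_vulnerable(GOOD_OPTS, (int)sizeof GOOD_OPTS, TCPOPT_TIMESTAMP, 1000),
           find_option_fixed(GOOD_OPTS, (int)sizeof GOOD_OPTS, TCPOPT_TIMESTAMP));
    printf("evil/timestamp: vulnerable=%d (-1 = spun) fixed=%d\n",
           find_option_vulnerable(EVIL_OPTS, (int)sizeof EVIL_OPTS, TCPOPT_TIMESTAMP, 1000),
           find_option_fixed(EVIL_OPTS, (int)sizeof EVIL_OPTS, TCPOPT_TIMESTAMP));
    return 0;
}
```

The same two checks (length at least 2, length no larger than what remains) are the ones to look for in any option or TLV parser that advances by a length byte taken from the wire; a signed intermediate type anywhere on that path reintroduces this bug.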

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-06 CVE-2004-0622 Apple Information Disclosure vulnerability in Apple Mac OS X 10.3.4/10.4/10.5

Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does not properly clear memory for login (aka Loginwindow.app), Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory.

2.1
2004-12-06 CVE-2004-0618 Freebsd Denial Of Service vulnerability in Freebsd 4.10/5.1/5.2.1

FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument.

2.1
2004-12-06 CVE-2004-0602 Freebsd Privilege Escalation vulnerability in Freebsd 4.x/5.x Linux Binary Compatibility Mode

The binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic.

2.1
2004-12-06 CVE-2004-0565 Mandrakesoft, Gentoo, Linux, Trustix

Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit.

2.1
2004-12-06 CVE-2004-0497 Mandrakesoft, Conectiva, Gentoo, Linux, Redhat, Suse, Trustix

Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.

2.1