Weekly Vulnerabilities Reports > December 6 to 12, 2004
Overview
45 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary report vulnerabilities in 72 products from 53 vendors including Gentoo, Linux, Debian, Redhat, and GNU. Vulnerabilities are notably categorized as "Configuration", and "Classic Buffer Overflow".
- 35 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 45 reported vulnerabilities are exploitable by an anonymous user.
- Gentoo has the most reported vulnerabilities, with 7 reported vulnerabilities.
- GNU has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
13 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-12-06 | CVE-2004-0628 | Mysql | Denial Of Service vulnerability in Mysql 4.1.0 Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string. | 10.0 |
| 2004-12-06 | CVE-2004-0627 | Mysql | Unspecified vulnerability in Mysql 4.1.0 The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string. | 10.0 |
| 2004-12-06 | CVE-2004-0623 | GNU | Unspecified vulnerability in GNU Gnats Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog. | 10.0 |
| 2004-12-06 | CVE-2004-0621 | Zaireweb Solutions | Authentication Bypass vulnerability in ZaireWeb Solutions Newsletter ZWS Administrative Interface admin.php in Newsletter ZWS allows remote attackers to gain administrative privileges via a list_user operation with the ulevel parameter set to 1 (administrator level), which lists all users and their passwords. | 10.0 |
| 2004-12-06 | CVE-2004-0608 | Arush Dreamforge Epic Games Infogrames ION Storm Nerf Arena Blast Rage Software Robert Jordan Running With Scissors Gentoo | The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory. | 10.0 |
| 2004-12-06 | CVE-2004-0607 | Ipsec Tools Kame Redhat | The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication. | 10.0 |
| 2004-12-06 | CVE-2004-0603 | GNU | Unspecified vulnerability in GNU Gzip gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332. | 10.0 |
| 2004-12-06 | CVE-2004-0590 | Frees WAN Openswan Strongswan | FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject. | 10.0 |
| 2004-12-06 | CVE-2004-0477 | 3Com | Remote 812 ADSL Router Web Interface Authentication Bypass vulnerability in 3Com 3Cp4144 1.1.9.4 Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password. | 10.0 |
| 2004-12-06 | CVE-2004-0451 | SUP Debian | Remote Syslog Format String vulnerability in Sup Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog. | 10.0 |
| 2004-12-06 | CVE-2004-0448 | Jftpgw | Remote Syslog Format String vulnerability in JFTPGW Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages. | 10.0 |
| 2004-12-06 | CVE-2004-0393 | Rlpr | Multiple vulnerability in Rlpr msg() Function Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function. | 10.0 |
| 2004-12-06 | CVE-2002-1582 | Mailreader COM | Remote Command Execution vulnerability in Mailreader.Com 2.3.30/2.3.31 compose.cgi in Mailreader.com 2.3.30 and 2.3.31, when using Sendmail as the Mail Transfer Agent, allows remote attackers to execute arbitrary commands via shell metacharacters in the RealEmail configuration variable, which is used to call Sendmail in network.cgi. | 10.0 |
9 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-12-06 | CVE-2004-0456 | Pavuk Debian Gentoo | Remote Stack-Based Buffer Overrun vulnerability in Pavuk Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header. | 7.6 |
| 2004-12-06 | CVE-2004-0625 | Websoft | SQL Injection vulnerability in Websoft Infinity web 1.0 SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page. | 7.5 |
| 2004-12-06 | CVE-2004-0624 | Artmedic Webdesign | Unspecified vulnerability in Artmedic Webdesign Artmedic Links 5.0 PHP remote file inclusion vulnerability in index.php for Artmedic links 5.0 (artmedic_links5) allows remote attackers to execute arbitrary PHP code by modifying the id parameter to reference a URL on a remote web server that contains the code. | 7.5 |
| 2004-12-06 | CVE-2004-0613 | Osticket | Remote Command Execution vulnerability in Osticket STS 1.2 osTicket allows remote attackers to view sensitive uploaded files and possibly execute arbitrary code via an HTTP request that uploads a PHP file to the ticket attachments directory. | 7.5 |
| 2004-12-06 | CVE-2004-0619 | Redhat | Integer Overflow vulnerability in Linux Kernel Broadcom 5820 Cryptonet Driver Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow. | 7.2 |
| 2004-12-06 | CVE-2004-0496 | Mandrakesoft Suse Gentoo Linux SUN | Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool. | 7.2 |
| 2004-12-06 | CVE-2004-0455 | WWW SQL Project Debian | Classic Buffer Overflow vulnerability in multiple products Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql. | 7.2 |
| 2004-12-06 | CVE-2004-0454 | Rlpr | Multiple vulnerability in Rlpr msg() Function Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code. | 7.2 |
| 2004-12-06 | CVE-2004-0395 | Gatos | Privilege Escalation vulnerability in Gatos .5 The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call. | 7.2 |
18 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-12-06 | CVE-2004-0617 | Arbitroweb | Cross-Site Scripting vulnerability in Arbitroweb 0.5/0.6 Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remote attackers to inject arbitrary script or HTML via the rawURL parameter. | 6.8 |
| 2004-12-06 | CVE-2004-0606 | Infoblox | Unspecified vulnerability in Infoblox DNS ONE Appliance 2.4.0.8/2.4.0.8A Cross-site scripting (XSS) vulnerability in Infoblox DNS One running firmware 2.4.0-8 and earlier allows remote attackers to execute arbitrary scripts as other users via the (1) CLIENTID or (2) HOSTNAME option of a DHCP request. | 6.8 |
| 2004-12-06 | CVE-2004-0614 | Osticket | Remote Security vulnerability in osTicket STS osTicket trusts a hidden form field in the submit form to limit the upload size of a document, which could allow remote attackers to upload a file of any size. | 6.4 |
| 2004-12-06 | CVE-2004-0612 | Zonelabs | Security Bypass vulnerability in Zonelabs Zonealarm 5.0.590.015 The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. | 5.1 |
| 2004-12-06 | CVE-2004-0626 | Conectiva Gentoo Linux Suse | The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type. | 5.0 |
| 2004-12-06 | CVE-2004-0616 | BT | Information Disclosure vulnerability in BT Voyager 2000 Wireless ADSL Router SNMP Community String The BT Voyager 2000 Wireless ADSL Router has a default public SNMP community name, which allows remote attackers to obtain sensitive information such as the password, which is stored in plaintext. | 5.0 |
| 2004-12-06 | CVE-2004-0611 | Netgear | Denial Of Service vulnerability in Multiple Vendor Broadband Router Web-Based Administration Web-Based Administration in Netgear FVS318 VPN Router allows remote attackers to cause a denial of service (no new connections) via a large number of open HTTP connections. | 5.0 |
| 2004-12-06 | CVE-2004-0610 | Microsoft | Denial Of Service vulnerability in Multiple Vendor Broadband Router Web-Based Administration The Web administration interface in Microsoft MN-500 Wireless Router allows remote attackers to cause a denial of service (connection refusal) via a large number of open HTTP connections. | 5.0 |
| 2004-12-06 | CVE-2004-0609 | Rssh | Information Disclosure vulnerability in Rssh 2.0/2.1 rssh 2.0 through 2.1.x expands command line arguments before entering a chroot jail, which allows remote authenticated users to determine the existence of files in a directory outside the jail. | 5.0 |
| 2004-12-06 | CVE-2004-0605 | Ircd Hybrid Ircd Ratbox | Configuration vulnerability in multiple products Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ircd-ratbox 1.5.1 and earlier, or (3) ircd-ratbox 2.0rc6 and earlier do not have a rate-limit imposed, which could allow remote attackers to cause a denial of service by repeatedly making requests, which are slowly dequeued. | 5.0 |
| 2004-12-06 | CVE-2004-0604 | Gift Fasttrack Gentoo | Remote Denial Of Service vulnerability in giFT-FastTrack HTTP Header Parser The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows remote attackers to cause a denial of service (crash), possibly via an empty search query, which triggers a NULL dereference. | 5.0 |
| 2004-12-06 | CVE-2004-0578 | Qbik | Unspecified vulnerability in Qbik Wingate 5.0.5/5.2.3/6.0Beta2 WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request to the wingate-internal directory. | 5.0 |
| 2004-12-06 | CVE-2004-0577 | Qbik | Unspecified vulnerability in Qbik Wingate 5.0.5/5.2.3/6.0Beta2 WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files from the root directory via a URL request to the wingate-internal directory. | 5.0 |
| 2004-12-06 | CVE-2004-0576 | GNU | Unspecified vulnerability in GNU Radius 1.1 The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the -enable-snmp option, allows remote attackers to cause a denial of service (server crash) via malformed SNMP messages containing an invalid OID. | 5.0 |
| 2004-12-06 | CVE-2004-0468 | Juniper | Unspecified vulnerability in Juniper Junos Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets. | 5.0 |
| 2004-12-06 | CVE-2002-1581 | Mailreader COM Debian | Directory traversal vulnerability in nph-mr.cgi in Mailreader.com 2.3.20 through 2.3.31 allows remote attackers to view arbitrary files via .. | 5.0 |
| 2004-12-10 | CVE-2004-1059 | Mnogosearch | Cross-Site Scripting vulnerability in mnoGoSearch Multiple cross-site scripting (XSS) vulnerabilities in mnoGoSearch 3.2.26 and earlier allow remote attackers to inject arbitrary HTML and web script via the (1) next and (2) prev result search pages, and the (3) extended and (4) simple search forms. | 4.3 |
| 2004-12-06 | CVE-2004-0620 | Jelsoft | Module HTML Injection vulnerability in Jelsoft Vbulletin 3.0.1 Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel. | 4.3 |
5 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2004-12-06 | CVE-2004-0622 | Apple | Information Disclosure vulnerability in Apple mac OS X 10.3.4/10.4/10.5 Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does not properly clear memory for login (aka Loginwindow.app), Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory. | 2.1 |
| 2004-12-06 | CVE-2004-0618 | Freebsd | Denial Of Service vulnerability in Freebsd 4.10/5.1/5.2.1 FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument. | 2.1 |
| 2004-12-06 | CVE-2004-0602 | Freebsd | Unspecified vulnerability in Freebsd 4.0/5.0 The binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic. | 2.1 |
| 2004-12-06 | CVE-2004-0565 | Mandrakesoft Gentoo Linux Trustix | Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit. | 2.1 |
| 2004-12-06 | CVE-2004-0497 | Mandrakesoft Conectiva Gentoo Linux Redhat Suse Trustix | Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. | 2.1 |