Weekly Vulnerabilities Reports > December 20 to 26, 2004
Overview
41 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 17 high severity vulnerabilities. This weekly summary report vulnerabilities in 88 products from 44 vendors including Microsoft, Linux, Apple, Avaya, and Debian. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Integer Underflow (Wrap or Wraparound)", "Incorrect Default Permissions", and "SQL Injection".
- 27 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 39 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 5 reported vulnerabilities.
- Macromedia has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
1 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-12-23 | CVE-2004-0646 | Macromedia | Remote vulnerability in Macromedia Coldfusion and Jrun Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields. | 10.0 |
17 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-12-23 | CVE-2004-1373 | Nullsoft | Unspecified vulnerability in Nullsoft Shoutcast Server 1.9.4 Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file. | 7.5 |
2004-12-23 | CVE-2004-0998 | Telnetd | Unspecified vulnerability in Telnetd and Telnetd-Ssl Format string vulnerability in telnetd-ssl 0.17 and earlier allows remote attackers to execute arbitrary code. | 7.5 |
2004-12-23 | CVE-2004-0873 | Apple | Unspecified vulnerability in Apple Ichat and Ichat AV Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program. | 7.5 |
2004-12-23 | CVE-2004-0867 | KDE Microsoft Mozilla Suse | Permissions, Privileges, and Access Controls vulnerability in multiple products Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. | 7.5 |
2004-12-23 | CVE-2004-0842 | Microsoft Avaya | Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." | 7.5 |
2004-12-23 | CVE-2004-0833 | Debian | Unspecified vulnerability in Debian Linux 3.0 Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages. | 7.5 |
2004-12-23 | CVE-2004-0816 | Linux | Integer Underflow (Wrap or Wraparound) vulnerability in Linux Kernel Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet. | 7.5 |
2004-12-23 | CVE-2004-0805 | Mpg123 Mandrakesoft | Remote Stereo Boundary Buffer Overflow vulnerability in MPG123 Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file. | 7.5 |
2004-12-23 | CVE-2004-0803 | Libtiff Pdflib Wxgtk2 Apple KDE Mandrakesoft Redhat Suse Trustix | Buffer Overflow vulnerability in LibTIFF Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. | 7.5 |
2004-12-23 | CVE-2004-0601 | Distcc | Unspecified vulnerability in Distcc distcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions. | 7.5 |
2004-12-23 | CVE-2001-1413 | Ncompress | Unspecified vulnerability in Ncompress Stack-based buffer overflow in the comprexx function for ncompress 4.2.4 and earlier, when used in situations that cross security boundaries (such as FTP server), may allow remote attackers to execute arbitrary code via a long filename argument. | 7.5 |
2004-12-21 | CVE-2004-1307 | Avaya F5 Libtiff SGI Conectiva Apple Gentoo Mandrakesoft SCO SUN | Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow. | 7.5 |
2004-12-20 | CVE-2004-0852 | Htget | Unspecified vulnerability in Htget 0.93 Buffer overflow in htget 0.93 allows remote attackers to execute arbitrary code via a crafted URL. | 7.5 |
2004-12-23 | CVE-2004-1337 | GNU Conectiva Ubuntu | The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not properly handle the credentials of a process that is launched before the module is loaded, which allows local users to gain privileges. | 7.2 |
2004-12-23 | CVE-2004-0850 | Joerg Schilling | Local SetUID vulnerability in Joerg Schilling Star Tape Archiver 1.5A45 Star before 1.5_alpha46 does not drop the effective user ID (euid) before calling external programs, which could allow local users to gain privileges by modifying the RSH environment variable to reference a malicious program. | 7.2 |
2004-12-20 | CVE-2004-1329 | IBM | Local Privilege Escalation vulnerability in IBM AIX Diag Untrusted execution path vulnerability in the diag commands (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program. | 7.2 |
2004-12-20 | CVE-2004-1326 | Ultrix | Local Buffer Overflow vulnerability in Ultrix DXTerm Setup Parameter Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute arbitrary code via a long -setup parameter. | 7.2 |
16 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2004-12-23 | CVE-2004-0875 | Phpgroupware | Unspecified vulnerability in PHPgroupware Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (aka webdistro) 0.9.16.002 and earlier allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to the wiki module. | 6.8 |
2004-12-23 | CVE-2004-1339 | Oracle | SQL Injection vulnerability in Oracle Database Server and Oracle9I SQL injection vulnerability in the (1) MDSYS.SDO_GEOM_TRIG_INS1 and (2) MDSYS.SDO_LRS_TRIG_INS default triggers in Oracle 9i and 10g allows remote attackers to execute arbitrary SQL commands via the new.table_name or new.column_name parameters. | 6.5 |
2004-12-23 | CVE-2004-1338 | Oracle | Permissions, Privileges, and Access Controls vulnerability in Oracle Database Server and Oracle9I The triggers in Oracle 9i and 10g allow local users to gain privileges by using a sequence of partially privileged actions: using CCBKAPPLROWTRIG or EXEC_CBK_FN_DML to add arbitrary functions to the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE, then performing a DELETE on the SDO_TXN_IDX_INSERTS table, which causes the SDO_CMT_CBK_TRIG trigger to execute the user-supplied functions. | 6.5 |
2004-12-23 | CVE-2004-1361 | Microsoft | Integer Overflow vulnerability in Microsoft Windows winhlp32 Phrase Integer underflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a malformed .hlp file, which leads to a heap-based buffer overflow. | 5.0 |
2004-12-23 | CVE-2004-1305 | Nortel Microsoft | The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. | 5.0 |
2004-12-23 | CVE-2004-0849 | GNU | Unspecified vulnerability in GNU Radius Integer overflow in the asn_decode_string() function defined in asn1.c in radiusd for GNU Radius 1.1 and 1.2 before 1.2.94, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (daemon crash) via certain SNMP requests. | 5.0 |
2004-12-23 | CVE-2004-0841 | Microsoft Avaya | Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." | 5.0 |
2004-12-23 | CVE-2004-0810 | Netopia | Remote Buffer Overflow vulnerability in Netopia Timbuktu PRO mac 6.0.1 Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407. | 5.0 |
2004-12-23 | CVE-2004-0749 | Subversion Gentoo | Information Disclosure vulnerability in Subversion Mod_Authz_Svn Metadata The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames. | 5.0 |
2004-12-22 | CVE-2005-0068 | TCP | Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. | 5.0 |
2004-12-22 | CVE-2005-0067 | TCP | Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. | 5.0 |
2004-12-22 | CVE-2005-0066 | TCP | Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. | 5.0 |
2004-12-23 | CVE-2004-1375 | HP | Privilege Escalation vulnerability in HP-UX System Administration Manager Unknown vulnerability in System Administration Manager (SAM) in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 allows local users to gain privileges. | 4.6 |
2004-12-23 | CVE-2004-0685 | Linux Redhat Trustix | Information Disclosure vulnerability in Linux Kernel USB Driver Uninitialized Structure Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage. | 4.6 |
2004-12-22 | CVE-2004-1778 | Skype | Incorrect Default Permissions vulnerability in Skype 0.92.0.12/1.0.0.1 Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, creates the /usr/share/skype/lang directory with world-writable permissions, which allows local users to modify language files and possibly conduct social engineering or other attacks. | 4.6 |
2004-12-23 | CVE-2004-2130 | Phpbb Group | Cross-Site Scripting vulnerability in PHPbb Group PHPbb 2.0.6 Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables. | 4.3 |