Weekly Vulnerabilities Reports > December 27, 2004 to January 2, 2005

Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.

Unrestricted file upload vulnerability in the Administration Panel for NewsPHP allows remote authenticated administrators to upload and execute arbitrary code instead of video files.

Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.

Buffer overflow in the KSDWRTB function in the dbms_system package (dbms_system.ksdwrt) for Oracle 9i Database Server Release 2 9.2.0.3 and 9.2.0.4, 9i Release 1 9.0.1.4 and 9.0.1.5, and 8i Release 1 8.1.7.4, allows remote authorized users to execute arbitrary code via a long second argument.

Directory traversal vulnerability in Anteco Visual Technologies OwnServer 1.0 and earlier allows remote attackers to read arbitrary files via a ..

Check Point Firewall-1 4.1 up to NG AI R55 allows remote attackers to obtain potentially sensitive information by sending an Internet Key Exchange (IKE) with a certain Vendor ID payload that causes Firewall-1 to return a response containing version and other information.

The DecodeTCPOptions function in decode.c in Snort before 2.3.0, when printing TCP/IP options using FAST output or verbose mode, allows remote attackers to cause a denial of service (crash) via packets with invalid TCP/IP options, which trigger a null dereference.

Multiple vulnerabilities in the H.323 protocol implementation for First Virtual Communications Click to Meet Express (when used with H.323 conferencing endpoints), Click to Meet Premier, Conference Server, and V-Gate allow remote attackers to cause a denial of service, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.

SMTP service in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous open connections to TCP port 25.

Unknown vulnerability in Network Appliance NetCache 5.2 and Data ONTAP 6.0 allows remote attackers to cause a denial of service (panic and reboot) and possibly other impacts via unknown attack vectors, possibly related to unspecified worms, as identified by bug ID

Fastream NETFile Server 7.1.2 does not properly handle keep-alive connection timeouts and does not close the connection after a HEAD request, which allows remote attackers to perform a denial of service (connection consumption) by sending a large number HTTP HEAD requests.

X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys.

Unspecified vulnerability in Hitachi Web Page Generator and Web Page Generator Enterprise 4.01 and earlier allows remote attackers to cause a denial of service via unknown attack vectors when a web site is "improperly accessed."

The HTTP daemon in OpenText FirstClass 7.1 and 8.0 allows remote attackers to cause a denial of service (service availability loss) via a large number of POST requests to /Search.

The (1) Webmail, (2) admin, and (3) SMTP services in Ability Mail Server 1.18 allow remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous connections to the service.

Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory.

Heap-based buffer overflow in in_mod.dll in Nullsoft Winamp 2.91 through 5.02 allows remote attackers to execute arbitrary code via a Fasttracker 2 (.xm) mod media file.

Multiple unspecified vulnerabilities in the H.323 protocol implementation for Sun SunForum 3.2 and 3D 1.0 allow remote attackers to cause a denial of service (segmentation fault and process crash), as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.

SQL injection vulnerability in SSI.php in YaBB SE 1.5.4, 1.5.3, and possibly other versions before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the ID_MEMBER parameter to the (1) recentTopics and (2) welcome functions.

SQL injection vulnerability in adminlogin.asp in XTREME ASP Photo Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.

The setup routine (setup.php) in PHProjekt 4.2.1 and earlier allows remote attackers to modify system configuration via unknown attack vectors.

SQL injection vulnerability in problist.asp in NetSupport DNA HelpDesk 1.01 allows remote attackers to execute arbitrary SQL commands via the where parameter.

Multiple SQL injection vulnerabilities in usersL.php3 in PHPMyChat 0.14.5 allow remote attackers to execute arbitrary SQL commands via the (1) sortBy, (2) sortOrder, (3) startReg, (4) U, (5) LastCheck , and (6) R parameters.

edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to bypass authentication and gain administrative privileges by setting the do_not_login parameter to false.

Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "avatar retrieval."

Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to (1) sending certain typing statuses or (2) setting the chat room status bar to the current chat room name.

Buffer overflow in the strip_html_tags method for Gyach Enhanced (Gyach-E) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors involving HTML tags.

Multiple unspecified vulnerabilities in Gyach Enhanced (Gyach-E) before 1.0.5 have unknown impact and attack vectors related to "several security flaws," probably related to buffer overflows in HTTP server responses.

SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.3 allows remote attackers to execute arbitrary SQL statements via the x_invoice_num parameter.

Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote attackers to execute arbitrary code via a long address in a ping (p) command to the Telnet proxy service, a different vector than CVE-2004-2416.

PeerSec MatrixSSL before 1.1 caches session keys for an indefinitely long time, which might make it easier for remote attackers to hijack a session.

Format string vulnerability in qwik-smtpd.c in QwikMail SMTP (qwik-smtpd) 0.3 and earlier allows remote attackers to execute arbitrary code via format specifiers in the (1) clientRcptTo array, and the (2) Received and (3) messageID variables, possibly involving HELO and hostname arguments.

Unspecified vulnerability in ArGoSoft FTP server before 1.4.2.2 allows attackers to upload .lnk files via unknown vectors.

Multiple SQL injection vulnerabilities in Land Down Under (LDU) v701 allow remote attackers to execute arbitrary SQL commands or obtain the installation path via parameters including (1) s, w, and d in users.php, (2) id in comments.php, (3) rusername in auth.php, or (4) h in plug.php.

SQL injection vulnerability in Interchange before 4.8.9 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

The (1) SetDebugging and (2) RunEgatherer methods in IBM Access Support eGatherer ActiveX control 2.0.0.16 allow remote attackers to create files with arbitrary content, as demonstrated by creating a .hta file in a Startup folder.

Unspecified vulnerability in PD9 Software MegaBBS 2.0 and 2.1 allows attackers to gain privileges via unknown vectors involving (1) admin/userlevelmembers-edit.asp and (2) admin/edit-groups.asp.

Unspecified vulnerability in Journalness 3.0.7 and earlier allows remote attackers to create or modify posts via unknown attack vectors.

The Admin Access With Levels plugin in osCommerce 1.5.1 allows remote attackers to access files in the "admin/" directory by modifying the in_login parameter to a non-zero value.

An ActiveX control for McAfee Security Installer Control System 4.0.0.81 allows remote attackers to access the Windows registry via web pages that use the control's RegQueryValue() method.

phpMyAdmin 2.5.1 up to 2.5.7 allows remote attackers to modify configuration settings and gain unauthorized access to MySQL servers via modified $cfg['Servers'] variables.

Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name.

The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 up to 2.6.0-pl1 allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

ripMIME 1.3.2.3 and earlier allows remote attackers to bypass e-mail protection via a base64 MIME encoded attachment containing invalid characters that are not properly extracted.

Buffer overflow in MyWeb 3.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request.

BNC 2.9.0 only grants access when an incorrect password is provided, which allows remote attackers to use the functionality intended for authorized users.

The Web interface in Linksys WRT54G 2.02.7 and BEFSR41 version 3, with the firewall disabled, allows remote attackers to attempt to login to an administration web page, even when the configuration specifies that remote administration is disabled.

Buffer overflow in command-packet processing of Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a packet with a long cmd_args buffer.

ACLCHECK module in Novell iChain 2.3 allows attackers to bypass access control rules of an unspecified component via an unspecified attack vector involving a string that contains escape sequences represented with "overlong UTF-8 encoding."

PHP remote file inclusion vulnerability in tables_update.inc.php in phpGroupWare 0.9.14.005 and earlier allows remote attackers to execute arbitrary PHP code via an external URL in the appdir parameter.

Multiple buffer overflows in EnderUNIX isoqlog 2.1.1 allow remote attackers to execute arbitrary code via the (1) parseQmailFromBytesLine, (2) parseQmailToRemoteLine, (3) parseQmailToLocalLine, (4) parseSendmailFromBytesLine, (5) parseSendmailToLine, (6) parseEximFromBytesLine, and (7) parseEximToLine functions in Parser.c; allow local users to execute arbitrary code via the (8) lowercase and (9) check_syslog_date functions in Parser.c, and (10) unspecified functions in Dir.c; and allow unspecified attackers to execute arbitrary code via the (11) loadconfig and (12) removespaces functions in loadconfig.c, the (13) loadLang function in LangCfg.c, and (14) unspecified functions in Html.c.

Multiple SQL injection vulnerabilities in ReciPants 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) user id, (2) recipe id, (3) category id, and (4) other ID number fields.

Multiple SQL injection vulnerabilities in Internet Software Sciences Web+Center 4.0.1 allow remote attackers to execute arbitrary SQL commands via (1) the ISS_TECH_CENTER_LOGIN cookie in search.asp and (2) one or more cookies in DoCustomerOptions.asp.

DokuWiki before 2004-10-19, when used on a web server that permits execution based on file extension, allows remote attackers to execute arbitrary code by uploading a file with an appropriate extension such as ".php" or ".cgi".

DokuWiki before 2004-10-19 allows remote attackers to access administrative functionality including (1) Mediaselectiondialog, (2) Recent changes, (3) feed, and (4) search, possibly due to the lack of ACL checks.

Unspecified vulnerability in IBM Tivoli SecureWay Policy Director 3.8, Access Manager for e-business 3.9 to 5.1, Access Manager Identity Manager Solution 5.1, Configuration Manager 4.2, Configuration Manager for Automated Teller Machines 2.1.0, and IBM WebSphere Everyplace Server, Service Provider Offering for Multi-platforms 2.1.3 to 2.15 allow remote attackers to hijack sessions of authenticated users via unknown attack vectors involving certain cookies, aka "Potential Credential Impersonation Attack."

Multiple SQL injection vulnerabilities in Layton HelpBox 3.0.1 allow remote attackers to execute arbitrary SQL commands via (1) the sys_comment_id parameter in editcommentenduser.asp, (2) the sys_suspend_id parameter in editsuspensionuser.asp, (3) the table parameter in export_data.asp, (4) the sys_analgroup parameter in manageanalgrouppreference.asp, (5) the sys_asset_id parameter in quickinfoassetrequests.asp, (6) the sys_eusername parameter in quickinfoenduserrequests.asp, and the sys_request_id parameter in (7) requestauditlog.asp, (8) requestcommentsenduser.asp, (9) selectrequestapplytemplate.asp, and (10) selectrequestlink.asp, resulting in an ability to create a new HelpBox user account and read, modify, or delete data from the backend database.

Multiple SQL injection vulnerabilities in Dynix (formerly known as epixtech) WebPAC allow remote attackers to execute arbitrary SQL commands via unknown attack vectors, resulting in an ability to execute stored procedures, bypass login authentication, and cause an unspecified denial of service to backend databases.

The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a process obtains IO access permissions from the ioperm function but does not drop those permissions when it exits, which allows other processes to access the per-TSS pointers, access restricted memory locations, and possibly gain privileges.

Buffer overflow in the IMAP service of MailEnable Professional Edition 1.52 and Enterprise Edition 1.01 allows remote attackers to execute arbitrary code via (1) a long command string or (2) a long string to the MEIMAP service and then terminating the connection.

The DSS verification code in Dropbear SSH Server before 0.43 frees uninitialized variables, which might allow remote attackers to gain access.

Unspecified vulnerability in Jetty HTTP Server, as used in (1) IBM Trading Partner Interchange before 4.2.4, (2) CA Unicenter Web Services Distributed Management (WSDM) before 3.11, and possibly other products, allows remote attackers to read arbitrary files via a ..

SQL injection vulnerability in PHPNews 1.2.3 allows remote attackers to execute arbitrary SQL commands via the mid parameter to sendtofriend.php.

SQL injection vulnerability in the sloth TCL script in QuoteEngine before 1.2.0 allow remote attackers to execute arbitrary SQL commands via unknown vectors.

Buffer overflow in pop3.c in gnubiff before 2.0.0 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code.

SQL injection vulnerability in index.php in miniBB 1.7f and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a userinfo action.

Sweex Wireless Broadband Router/Accesspoint 802.11g (LC000060) allows remote attackers to obtain sensitive information and gain privileges by using TFTP to download the nvram file, then extracting the username, password, and other data from the file.

Jaws 0.3 allows remote attackers to bypass authentication and via an HTTP request to admin.php with the logged cookie set to the MD5 hash of a null password, which is compared against the logged session variable by the logged_on function in application.php.

SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php.

Buffer overflow in the IsValidFile function in the ADM ActiveX control for Altnet Download Manager 4.0.0.4 and earlier, as used in Kazaa Media Desktop 1.3 through 2.6.4 and Grokkster 1.3 through 2.6, allows remote attackers to execute arbitrary code via a long bstrFilepath parameter.

Unknown vulnerability in The Ignition Project ignitionServer 0.1.2 through 0.3.1, with the linking service enabled, allows remote attackers to bypass authentication.

Multiple stack-based and heap-based buffer overflows in EnderUNIX spamGuard before 1.7-BETA allow remote attackers to execute arbitrary code via the (1) qmail_parseline and (2) sendmail_parseline functions in parser.c, (3) loadconfig and (4) removespaces functions in loadconfig.c, and possibly (5) unspecified functions in functions.c.

Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands via accent (`) and possibly other shell metacharacters in the query string to virtualinput.cgi.

Format string vulnerability in smtp.c for smtp.proxy 1.1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the (1) client hostname or (2) message-id, which are injected into a syslog message.

Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request.

SQL injection vulnerability in VP-ASP Shopping Cart 4.0 through 5.0 allows remote attackers to execute arbitrary SQL commands via the (1) Processed0 and (2) Processed1 parameters in a POST request to shopproductselect.asp.

Multiple SQL injection vulnerabilities in VP-ASP Shopping Cart 4.0 through 5.0 allow remote attackers to execute arbitrary SQL commands via the catalogid parameter in (1) shopreviewlist.asp and (2) shopreviewadd.asp.

Stack-based buffer overflow in Ipswitch IMail Express Web Messaging before 8.05 might allow remote attackers to execute arbitrary code via an HTML message with long "tag text."

The web-based Management Console in Blue Coat Security Gateway OS 3.0 through 3.1.3.13 and 3.2.1, when importing a private key, stores the key and its passphrase in plaintext in a log file, which allows attackers to steal digital certificates.

Java Secure Socket Extension (JSSE) 1.0.3 through 1.0.3_2 does not properly validate the certificate chain of a client or server, which allows remote attackers to falsely authenticate peers for SSL/TLS.

Buffer overflow in the HandleCPCCommand function of sercd before 2.3.1 and sredird 2.2.1 and earlier allows remote attackers to execute arbitrary code.

Format string vulnerability in the LogMsg function in sercd before 2.3.1 and sredird 2.2.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers passed from the HandleCPCCommand function.

Buffer overflow in postfile.exe for Twilight Utilities Web Server 2.0.0.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL request with a long attfile attribute.

Buffer overflow in the POP3 server in 1st Class Mail Server 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an APOP USER command with a long second parameter (digest).

The Buddy icon file for AOL Instant Messenger (AIM) 4.3 through 5.5 is created in a predictable location, which may allow remote attackers to use a shell: URI to exploit other vulnerabilities that involve predictable locations.

Stack-based buffer overflow in Trillian 0.71 through 0.74f and Trillian Pro 1.0 through 2.01 allows remote attackers to execute arbitrary code via a Yahoo Messenger packet with a long key name.

SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 allows remote attackers to execute arbitrary SQL and gain privileges via the search_results parameter.

Multiple SQL injection vulnerabilities in Tunez before 1.20-pre2 allow remote attackers to execute arbitrary SQL queries.

blog.cgi in Leif M.

PHP file include injection vulnerability in isearch.inc.php for iSearch allows remote attackers to execute arbitrary code via the isearch_path parameter.

** UNVERIFIABLE ** SQL injection vulnerability in PunkBuster Screenshot Database (PB-DB) Alpha 6 allows remote attackers to execute arbitrary SQL commands via the username and password fields of the login form.

OpenBSD 3.3 and 3.4 does not properly parse Accept and Deny rules without netmasks on big-endian 64-bit platforms such as SPARC64, which may allow remote attackers to bypass access restrictions.

SQL injection vulnerability in IP3 Networks NetAccess Appliance before firmware 3.1.18b13 allows remote attackers to bypass authentication via the (1) login or (2) password.

SQL injection vulnerability in DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to modify the backend database via the (1) table and (2) field parameters in LinkClick.aspx.

SQL injection vulnerability in the (1) announce and (2) notes modules of phpWebSite before 0.9.3-2 allows remote attackers to execute arbitrary SQL queries, as demonstrated using the ANN_id parameter to the announce module.

The Telnet listener for Novell iChain Server before 2.2 Field Patch 3b 2.2.116 does not have a password by default, which allows remote attackers to gain access.

Integer overflow in Trillian 0.74 and earlier, and Trillian Pro 2.01 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.

Buffer overflow in Omnicron OmniHTTPd 3.0a and earlier allows remote attackers to execute arbitrary code via an HTTP GET request with a long Range header.

SQL injection vulnerability in the Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to execute arbitrary SQL commands via the order parameter.

Microsoft Windows Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via an embedded script that uses Shell Helper objects and a shortcut (link) to execute the target script.

Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

SQL injection vulnerability in Ansel 2.1 and earlier allows remote attackers to modify SQL statements via the image parameter.

SQL injection vulnerability in the valid function in fr_left.php in PlaySMS 0.7 and earlier allows remote attackers to modify SQL statements via the vc2 cookie.

SurgeLDAP 1.0g (Build 12), and possibly other versions before 1.0h, allows remote attackers to bypass authentication for the administration interface via a direct request to admin.cgi with a modified utoken parameter.

Unknown vulnerability in the "access code" in RemoteEditor before 0.1.6 has unknown impact and attack vectors, possibly involving a bypass of IP address restrictions.

Unknown vulnerability in the "access code" in SecureEditor before 0.1.2 has unknown impact and attack vectors, possibly involving a bypass of IP address restrictions.

Phorum allows remote attackers to hijack sessions of other users by stealing and replaying the session hash in the phorum_uriauth parameter, as demonstrated using profile.php.

Multiple SQL injection vulnerabilities in Phorum 5.0.11 and earlier allow remote attackers to modify SQL statements via (1) the query string in read.php or (2) unknown vectors in file.php.

Buffer overflow in vsybase.c in vpopmail 5.4.2 and earlier might allow attackers to cause a denial of service or execute arbitrary code.

Buffer overflow in SoftCart.exe in Mercantec SoftCart 4.00b allows remote attackers to execute arbitrary code via a long parameter in an HTTP GET request.

SQL injection vulnerability in pmwh.php in PHPMyWebHosting 0.3.4 and earlier allows remote attackers to modify SQL statements via the password parameter.

SQL injection vulnerability in forum.asp in AliveSites Forums 2.0 allows remote attackers to execute arbitrary SQL commands via the forum_id parameter.

SQL injection vulnerability in Ideal Science IdealBB 1.4.9 through 1.5.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

SQL injection vulnerability in NatterChat 1.12 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

Ansel 1.2 through 2.0 uses insecure default permissions, which allows remote attackers to gain access to web readable directories.

Multiple SQL injection vulnerabilities in DUware DUclassified 4.0 through 4.2 allows remote attackers to bypass authentication and execute other commands on the server's underlying database via the (1) cat_id or (2) sub_id parameters in adDetail.asp, or (2) the password parameter in the login form.

SQL injection vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to execute arbitrary SQL commands via the FOR_ID parameter in messages.asp, (2) MSG_ID parameter in messageDetail.asp, or (3) password parameter in the login form.

SQL injection vulnerability in tttadmin/settings.php in Turbo Traffic Trader PHP 1.0 allows remote attackers to execute arbitrary SQL commands via the ttt_admin parameter.

SQL injection vulnerability in DMXReady Site Chassis Manager allows remote attackers to execute arbitrary SQL commands via unknown vectors.

SQL injection vulnerability in MediaWiki 1.3.5 allows remote attackers to execute arbitrary SQL commands via SpecialMaintenance.

Unknown vulnerability in WeHelpBUS 0.1 allows remote attackers to execute arbitrary shell commands via the query string.

Session fixation vulnerability in Macromedia JRun 4.0 allows remote attackers to hijack user sessions by pre-setting the user session ID information used by the session server.

Multiple SQL injection vulnerabilities in WowBB Forum 1.61 allow remote attackers to execute arbitrary SQL commands via the (1) sort_by or (2) page parameters to view_user.php, or the (3) forum_id parameter to view_topic.php.

SQL injection vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

Multiple SQL injection vulnerabilities in ReviewPost PHP Pro allow remote attackers to execute arbitrary SQL commands via the (1) product parameter to showproduct.php or (2) cat parameter to showcat.php.

SQL injection vulnerability in advSearch_h.asp in EarlyImpact ProductCart allows remote attackers to execute arbitrary SQL commands via the priceUntil parameter.

EarlyImpact ProductCart uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via a chosen plaintext attack.

Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.

The print-from-email feature in the Canon ImageRUNNER (iR) 5000i and C3200 digital printer, when not using IP address range filtering, allows remote attackers to print arbitrary text without authentication via a text/plain email to TCP port 25.

login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies.

SQL injection vulnerability in file_overview.php in TUTOS 1.1 allows remote attackers to execute arbitrary SQL commands via the link_id parameter.

SQL injection vulnerability in Serendipity 0.7-beta1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter to (1) exit.php or (2) comment.php.

Online-bookmarks before 0.4.6 allows remote attackers to bypass its authentication mechanism via a direct request to (1) config/*, (2) bookmarks.php, (3) footer.php, (4) main.php, (5) tree.php, or (6) functions.php.

SQL injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows remote attackers to execute arbitrary SQL commands via the (1) sortdir or (2) criteria parameter to ladder-log.asp or the (3) memberid or (4) teamid parameter to view-profile.asp.

SQL injection vulnerability in the ReMOSitory Server add-on module to Mambo Portal 4.5.1 (1.09) and earlier allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in the com_remository option.

SQL injection vulnerability in register.php in Phorum before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the hide_email parameter.

Multiple SQL injection vulnerabilities in QuadComm Q-Shop allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) search.asp, (2) browse.asp, (3) details.asp, (4) showcat.asp, (5) users.asp, (6) addtomylist.asp, (7) modline.asp, (8) cart.asp, or (9) newuser.asp.

Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not authenticate FHTTP commands on TCP port 3141, which allows remote attackers to use the finjan-parameter-type header to (1) restart the service, (2) use the getlastmsg command to view log information, or (3) use the online command to force a policy update from the database server.

Macallan Mail Solution 2.8.4.6 (Build 260), and possibly earlier versions, allows remote attackers to bypass authentication in the web interface via an HTTP GET request with two slashes ("//") after the server name.

DansGuardian 2.8 and earlier allows remote attackers to bypass the extension filtering rule via a hex encoded extension or .

SQL injection vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to execute arbitrary SQL via the (1) thread_id, (2) parent_id, or (3) mode parameters.

SQL injection vulnerability in ASPRunner 2.4 allows remote attackers to execute arbitrary SQL statements.

SQL injection vulnerability in action.php in Nucleus CMS 3.01 allows remote attackers to execute arbitrary SQL statements via the itemid parameter.

eSeSIX Thintune thin clients running firmware 2.4.38 and earlier accept any password that begins with the actual password, which makes it easier for users to conduct brute force password guessing.

Format string vulnerability in the logmsg function in svc.c for Pound 1.5 and earlier allows remote attackers to execute arbitrary code via format string specifiers in syslog messages.

SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter.

The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php.

SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attackers to execute arbitrary SQL via the (1) admin_name or (2) admin_pass parameters.

PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code.

Stack-based buffer overflow in the HTTP server in NetChat 7.3 and earlier allows remote attackers to execute arbitrary code via a long GET request.

PHP remote file inclusion vulnerability in index.php in phpShop 0.7.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the base_dir parameter to reference a URL on a remote web server that contains phpshop.cfg.

Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) FID parameter in board.php, (2) sortorder, perpage, or id parameters in member.php, (3) forums parameter in search.php, or (4) PID or FID parameters in post.php.

SQL injection vulnerability in index.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection filters by using "/**/" sequences in the targeted fields.

SQL injection vulnerability in modules.php in phProfession 2.5 allows remote attackers to execute arbitrary SQL code via the offset parameter.

SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module.

SQL injection vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to execute arbitrary SQL commands via the eid parameter.

Buffer overflow in ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to execute arbitrary code via the Internacional property followed by a long string.

Format string vulnerability in the logging function in IGI 2 Covert Strike server 1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in RCON commands.

Stack-based buffer overflow in DecodeBase16 function, as used in the (1) IRC module and (2) web server in eMule 0.42d, allows remote attackers to execute arbitrary code via a long string.

display.cgi in Aborior Encore WebForum allows remote to execute arbitrary commands via shell metacharacters in the file variable.

SQL injection vulnerability in (1) mailorder.asp or (2) payonline.asp in CactuShop 5.x allows remote attackers to execute arbitrary SQL commands via the strItems parameter.

SQL injection vulnerability in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to execute arbitrary SQL via the referer field in an HTTP request.

SQL injection vulnerability in index.php in Invision Power Top Site List 1.1 RC 2 and earlier allows remote attackers to execute arbitrary SQL via the id parameter of the comments action.

Multiple SQL injection vulnerabilities in index.php in Invision Gallery 1.0.1 allow remote attackers to execute arbitrary SQL via the (1) img, (2) cat, (3) sort_key, (4) order_key, (5) user, or (6) album parameters.

VocalTec VGW4/8 Gateway 8.0 allows remote attackers to bypass authentication via an HTTP request to home.asp with a trailing slash (/).

The SSL HTTP Server in HP Web-enabled Management Software 5.0 through 5.92, with anonymous access enabled, allows remote attackers to compromise the trusted certificates by uploading their own certificates.

SQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to execute SQL commands via the (1) category_id, (2) product_id, or (3) feature_id parameters.

Unknown vulnerability in Sysbotz SimpleData 4.0.1 and possibly earlier versions allows remote attackers to gain access via a crafted URL and a certain cookie.

PF in certain OpenBSD versions, when stateful filtering is enabled, does not limit packets for a session to the original interface, which allows remote attackers to bypass intended packet filters via spoofed packets to other interfaces.

PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier allows remote attackers to execute arbitrary PHP code via the (1) config[header] parameter to hotnews-engine.inc.php3 or (2) config[incdir] parameter to hnmain.inc.php3.

Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote authenticated users to execute arbitrary code via a long message parameter in a SendMsg action to action.htm.

The web management interface in Edimax AR-6004 ADSL Routers uses a default administrator name and password, which also appear as the default login text for the management interface, which allows remote attackers to gain access.

SQL injection vulnerability in PostCalendar 4.0.0 allows remote attackers to execute arbitrary SQL commands via search queries.

Directory traversal vulnerability in Net2Soft Flash FTP Server 1.0 allows remote attackers to read and create arbitrary files via a /..

athenareg.php in Athena Web Registration allows remote attackers to execute arbitrary commands via shell metacharacters in the pass parameter.

Multiple buffer overflows in sharutils 4.2.1 and earlier may allow attackers to execute arbitrary code via (1) long output from wc to shar, or (2) unknown vectors in unshar.

Off-by-one buffer overflow in ModSecurity (mod_security) 1.7.4 for Apache 2.x, when SecFilterScanPost is enabled, allows remote attackers to execute arbitrary code via crafted POST requests.

Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux before Hotfix 3 allows the Sober.D worm to bypass FASV.

The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier, when using 2-way SSL and multiple certificates to connect to the same URL, may use the incorrect identity after the first connection, which could allow users to gain privileges.

PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remote attackers to execute arbitrary PHP code by modifying the (1) t_core_path parameter to bug_api.php or (2) t_core_dir parameter to relationship_api.php to reference a URL on a remote web server that contains the code.

Stack-based buffer overflow in xvbmp.c in XV allows remote attackers to execute arbitrary code via a crafted image file.

Buffer overflow in the MSN module in Trillian 0.74i allows remote MSN servers to execute arbitrary code via a long string that ends in a newline character.

PHP remote file inclusion vulnerability in index.php in ocPortal 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the req_path parameter to reference a URL on a remote web server that contains a malicious funcs.php script.

The web interface for Micronet Wireless Broadband Router SP916BM running firmware before 1.9 08/04/2004 resets the password to the default password when the router is shut off, which could allow remote attackers to gain access.

SQL injection vulnerability in GoSmart Message Board allows remote attackers to execute arbitrary SQL code via the (1) QuestionNumber and Category parameters to Forum.asp or (2) Username and Password parameter to Login_Exec.asp.

SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

Buffer overflow in Vypress Messenger 3.5.1 and earlier allows remote attackers to execute arbitrary code via a message with a long first field.

SQL injection vulnerability in bBlog 0.7.2 and 0.7.3 allows remote attackers to execute arbitrary SQL commands via the p parameter.

profile.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to gain privileges by setting the mail parameter to 1, which is the value for an administrator.

SQL injection vulnerability in redir_url.php in w-Agora 4.1.6a allows remote attackers to execute arbitrary SQL commands via the key parameter.

Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.

Multiple SQL injection vulnerabilities in BroadBoard Instant ASP Message Board allow remote attackers to run arbitrary SQL commands via the (1) keywords parameter to search.asp, (2) handle parameter to profile.asp, (3) txtUserHandle parameter to reg2.asp or (4) txtUserEmail parameter to forgot.asp.

PHP remote file inclusion vulnerability in livre_include.php in @lex Guestbook allows remote attackers to execute arbitrary PHP code by modifying the chem_absolu parameter to reference a URL on a remote web server that contains the code.

SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp.

SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.

Motorola Wireless Router WR850G running firmware 4.03 allows remote attackers to bypass authentication, log on as an administrator, and obtain sensitive information by repeatedly making an HTTP request for ver.asp until an administrator logs on.

SecureCRT 4.0, 4.1, and possibly other versions, allows remote attackers to execute arbitrary commands via a telnet:// URL that uses the /F option to specify a configuration file on a samba share.

SQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in index.php in the ibProArcade module for Invision Power Board (IPB) 1.x and 2.x allows remote attackers to execute arbitrary SQL commands via the cat parameter.

PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.

AppServ 2.5.x and earlier installs a default username and password, which allows remote attackers to gain access.

SQL injection vulnerability in post.php in Invision Power Board (IPB) 2.0.0 through 2.0.2 allows remote attackers to execute arbitrary SQL commands via the qpid parameter.

SQL injection vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the (1) eid or (2) cid parameters.

Hired Team: Trial 2.0 and earlier and 2.200 does not limit how game players can kick other players off the server, including the administrator.

SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows remote attackers to execute arbitrary SQL commands via (1) the bug_id parameter in a viewvotes operation or (2) the project parameter in an add operation.

Zone Labs IMsecure and IMsecure Pro before 1.5 allow remote attackers to bypass Active Link Filtering via an instant message containing a URL with hex encoded file extensions.

SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL statements via the fsel parameter, as demonstrated using last.php.

WebCalendar allows remote attackers to gain privileges by modifying critical parameters to (1) view_entry.php or (2) upcoming.php.

init.php in WebCalendar allows remote attackers to execute arbitrary local PHP scripts via the user_inc parameter.

Directory traversal vulnerability in index.php in Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to read arbitrary files and possibly execute PHP code via a ..

SQL injection vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary SQL commands via the messageToUserAccNum parameter.

Buffer overflow in the TFTP client in InetUtils 1.4.2 allows remote malicious DNS servers to execute arbitrary code via a large DNS response that is handled by the gethostbyname function.

The sbuf_getmsg function in BNC incorrectly handles backspace characters, which could allow remote attackers to bypass authentication and gain access to arbitrary scripts.

Unknown vulnerability in the management station in HP StorageWorks Command View XP 1.8B and earlier allows remote attackers to bypass access restrictions.

JRun 4.0 does not properly generate and handle the JSESSIONID, which allows remote attackers to perform a session fixation attack and hijack a user's HTTP session.

The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.

Unknown vulnerability in MoinMoin 1.2.2 and earlier allows remote attackers to gain unauthorized access to administrator functions such as (1) revert and (2) delete.

Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a separate unauthenticated TCP connection on a random port when a user authenticates to the ACS GUI, which allows remote attackers to bypass authentication by connecting to that port from the same IP address.

Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when configured with an anonymous bind in Novell Directory Services (NDS) and authenticating NDS users with NDS, allows remote attackers to gain unauthorized access to AAA clients via a blank password.

filediff in CVStrac allows remote attackers to execute arbitrary commands via shell metacharacters in rcsinfo.

Multiple heap-based buffer overflows in the modpow function in PuTTY before 0.55 allow (1) remote attackers to execute arbitrary code via an SSH2 packet with a base argument that is larger than the mod argument, which causes the modpow function to write memory before the beginning of its buffer, and (2) remote malicious servers to cause a denial of service (client crash) and possibly execute arbitrary code via a large bignum during authentication.

Buffer overflow in BlackJumboDog 3.x allows remote attackers to execute arbitrary code via long FTP commands such as (1) USER, (2) PASS, (3) RETR,(4) CWD, (5) XMKD, and (6) XRMD.

Multiple buffer overflows in the digest authentication functionality in Pavuk 0.9.28-r2 and earlier allow remote attackers to execute arbitrary code.

The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password larger than 10 characters.

SQL injection vulnerability in the show_stats module in Arcade.php in IbProArcade allows remote attackers to execute arbitrary SQL code via the gameid parameter.

ArGoSoft FTP 1.4.2.4 and earlier does not limit the number of times that a bad password can be entered, which makes it easier for remote attackers to guess passwords via a brute force attack.

PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a remote web server that contains the code, as demonstrated in index.php when using ..

Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP-Calendar before 0.10.1, as used in Commonwealth of Massachusetts Virtual Law Office (VLO) and other products, allow remote attackers to execute arbitrary PHP code via a URL in the phpc_root_path parameter to (1) includes/calendar.php or (2) includes/setup.php.

Multiple PHP remote file inclusion vulnerabilities (1) step_one.php, (2) step_one_tables.php, (3) step_two_tables.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the server_inc parameter to reference a URL on a remote web server that contains the code.

The addImage method for admin.class.php in Image Gallery Web Application 0.9.10 does not properly check filenames, which allows remote attackers to upload and execute arbitrary files.

SQL injection vulnerability in ikonboard.cgi in Ikonboard 3.1.0 through 3.1.3 allows remote attackers to inject arbitrary SQL commands via the (1) st or (2) keywords parameter.

MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.

Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime, does not properly handle files with multiple file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.

PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 and earlier allows remote attackers to execute arbitrary PHP code by modifying the doc parameter to reference a URL on a remote web server that contains the code.

SQL injection vulnerability in verify.asp in Asp-rider allows remote attackers to execute arbitrary SQL statements and bypass authentication via the username parameter.

The control panel in ASP Calendar does not require authentication to access, which allows remote attackers to gain unauthorized access via a direct request to main.asp.

TikiWiki before 1.8.4.1 does not properly verify uploaded images, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2005-0200.

Multiple SQL injection vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to execute arbitrary SQL statements via the (1) order, (2) project_id, (3) pro_main, or (4) hours_id parameters to index.php or (5) ticket_id to viewticket_details.php.

Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with the -v (debug) option enabled, allows remote attackers to execute arbitrary code via a long command request.

Buffer overflow in Crystal FTP Client 2.8 allows remote malicious servers to execute arbitrary code via a response to a LIST command that contains a file name with a long extension.

hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password.

Internet Explorer 6 allows remote attackers to bypass the popup blocker via the document object model (DOM) methods in the DHTML Dynamic HTML (DHTML) Editing Component (DEC) and Javascript that calls showModalDialog.

CRLF injection vulnerability in Microsoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.

Internet Explorer 5.01 through 6 allows remote attackers to spoof arbitrary web sites by injecting content from one window into another window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.

The password generation in mailman before 2.1.5 generates only 5 million unique passwords, which makes it easier for remote attackers to guess passwords via a brute force attack.

Microsoft Internet Explorer 6.0 SP2 allows remote attackers to spoof a legitimate URL in the status bar and conduct a phishing attack via a web page that contains a BASE element that points to the legitimate site, followed by an anchor (a) element with an empty "href" attribute, and a FORM whose action points to a malicious URL, and an INPUT submit element that is modified to look like a legitimate URL.

The make_recovery command for the TFTP server in HP Ignite-UX before C.6.2.241 makes a copy of the password file in the TFTP directory tree, which allows remote attackers to obtain sensitive information.

Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.

Multiple heap-based buffer overflows in the imlib BMP image handler allow remote attackers to execute arbitrary code via a crafted BMP file.

The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability."

Format string vulnerability in the log routine for gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.

Integer overflow in gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted content of a certain size that triggers the overflow.

Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 may allow remote attackers to execute arbitrary code.

SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods.

Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload.

Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php.

Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command.

HP-UX B.11.00 and B.11.11 with B6848AB GTK+ Support Libraries installed uses insecure directory permissions, which allows local users to gain privileges via files in /opt/gnome/src/GLib/.

Directory traversal vulnerability in the vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 allows local users to load arbitrary kernel modules via crafted (1) mount or (2) sysfs system calls.

The Spy Sweeper Enterprise Client (SpySweeperTray.exe) in WebRoot Spy Sweeper before 2.0 does not drop privileges when using the help functionality, which allows local users to gain privileges.

Novell Client Firewall (NCF) 2.0, as based on the Agnitum Outpost Firewall, allows local users to execute arbitrary code with SYSTEM privileges by opening the NCF tray icon and using the Help functionality to launch programs with SYSTEM privileges.

Format string vulnerability in VMware Workstation 4.5.2 build-8848, if running with elevated privileges, might allow local users to execute arbitrary code via format string specifiers in command line arguments.

The GUI in Alt-N Technologies MDaemon 7.2 and earlier, including 6.8, executes child processes such as NOTEPAD.EXE with SYSTEM privileges when users create new files, which allows local users with physical access to gain privileges.

Trend OfficeScan Corporate Edition 5.58 and possibly earler does not drop privileges when opening a help window from a virus detection pop-up window, which allows local users to gain SYSTEM privileges.

Buffer overflow in the sh_hash_compdata function for Samhain 1.8.9 through 2.0.1, when running in update mode ("-t update"), might allow attackers to execute arbitrary code.

Buffer overflow in Bochs before 2.1.1, if installed setuid, allows local users to execute arbitrary code via a long HOME environment variable, which is used if the .bochsrc, bochsrc, and bochsrc.txt cannot be found in a known path.

The Macromedia installers and e-licensing client on Mac OS X, as used for Macromedia Contribute 2, Director, Dreamweaver, Fireworks, Flash, and Studio, install the AuthenticationService setuid and writable by other users, which allows local users to gain privileges by modifying the program.

Kerio Personal Firewall (KPF) 2.1.5 allows local users to execute arbitrary code with SYSTEM privileges via the Load button in the Firewall Configuration Files option, which does not drop privileges before opening the file loading dialog box.

Buffer overflow in GNU make for IBM AIX 4.3.3, when installed setgid, allows local users to gain privileges via a long CC argument.

Buffer overflow in snmpd in ucd-snmp 4.2.6 and earlier, when installed setuid root, allows local users to execute arbitrary code via a long -p command line argument.

Unknown vulnerability in IBM Parallel Environment (PE) 3.2 and 4.1 allows attackers to execute arbitrary commands as root via unknown vectors in the sample code.

Stack-based buffer overflow in pads.c in Passive Asset Detection System (Pads) might allow local users to execute arbitrary code via a long report file name argument.

UUDeview 0.5.20 and earlier handles temporary files insecurely during decoding, with unknown attack vectors and impact.

Unknown vulnerability in Veritas Cluster Server 1.0.1 through 4.0 allows local users to gain root access via unspecified vectors.

Macromedia ColdFusion MX 6.0 and 6.1 application server, when running with the CreateObject function or CFOBJECT tag enabled, allows local users to conduct unauthorized activities and obtain administrative passwords by creating CFML scripts that use CreateObject or CFOBJECT.

kdocker.cpp in kdocker 0.1 through 0.8 does not properly check the ownership of files, which could allow local users to execute arbitrary programs.

Unknown local vulnerability in the "change user" feature of Slava Astashonok Fprobe 1.0.5 and earlier has unknown impact and attack vectors.

The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.

The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function.

Format string vulnerability in the log function in SUS 2.0.2, and other versions before 2.0.6, allows local users to execute arbitrary code via format string specifiers in a command line argument that is passed directly to syslog.

Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions on the init scripts as tomcat:tomcat, but executes the scripts with root privileges, which could allow local users in the tomcat group to execute arbitrary commands as root by modifying the scripts.

Buffer overflow in paginit in AIX 5.1 through 5.3 allows local users to execute arbitrary code via a long username.

Unknown vulnerability in newgrp in HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain elevated privileges.

The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.

Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges.

Unknown vulnerability in the dotlock implementation in mailutils before 1:0.5-4 on Debian GNU/Linux allows attackers to gain privileges.

The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges.

cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.

Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument.

LionMax Software Chat Anywhere 2.72a allows remote attackers to cause a denial of service (server crash and client CPU consumption) via a username beginning with percent (%) followed by a null character.

Unspecified vulnerability in 3Com SuperStack 3 4400 switches with firmware version before 3.31 allows remote attackers to cause a denial of service (device reset) via a crafted request to the web management interface.

Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line.

Race condition in IMWheel 1.0.0pre11 and earlier, when running with the -k option, allows local users to cause a denial of service (IMWheel crash) and possibly modify arbitrary files via a symlink attack on the imwheel.pid file.

The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for AIX 4.3.3 and 5.1 allows local users to gain privileges via a symlink attack on a command line argument (log file).

Buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.

sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190.

SQL injection vulnerability in the members_list module in PostNuke 0.726, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the sortby parameter.

Buffer overflow in the UrlToLocal function in PunyLib.dll of Foxmail 5.0.300 allows remote attackers to execute arbitrary code via a mail message with a long From field, a different issue than CVE-2005-0339.

ArGoSoft FTP Server before 1.4.1.6 allows remote authenticated users to cause a denial of service (crash) via a SITE PASS command with a long password parameter, which causes the database to be corrupted.

Directory traversal vulnerability in ArGoSoft FTP Server before 1.4.1.6 allows remote authenticated users to determine the existence of arbitrary files via ".." sequences in the SITE UNZIP argument.

Multiple cross-site scripting (XSS) vulnerabilities in mod.php in eNdonesia 8.3 allow remote attackers to inject arbitrary web script or HTML via (1) the mod parameter in a viewcat operation or (2) the query parameter in a search operation in the publisher module.

Cross-site scripting (XSS) vulnerability in Lotus Domino 6.0.x before 6.0.4 and 6.5.x before 6.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.

PHP remote file inclusion vulnerability in UberTec Help Center Live (HCL) before 1.2.7 allows remote attackers to execute arbitrary PHP code via a URL in the HCL_path parameter to pipe.php.

SQL injection vulnerability in 4nGuestbook 0.92 for PHP-Nuke 6.5 through 6.9 allows remote attackers to modify SQL statements via the entry parameter to modules.php, which can also facilitate cross-site scripting (XSS) attacks when MySQL errors are triggered.

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.5 allow remote attackers to execute arbitrary scripts and/or SQL queries via (1) the UnicodeConverter extension, (2) raw page views, (3) SpecialIpblocklist, (4) SpecialEmailuser, (5) SpecialMaintenance, and (6) ImagePage.

Cross-site scripting (XSS) vulnerability in BRS WebWeaver 1.07 allows remote attackers to execute arbitrary script as other users via the query string to ISAPISkeleton.dll.

Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1.3.22, based on Apache, allow remote attackers to execute arbitrary script as other users via the (1) action, (2) username, or (3) password parameters in an isqlplus request.

Multiple cross-site scripting (XSS) vulnerabilities in (1) imagezoom.asp or (2) recommend.asp in Q-Shop allow remote attackers to execute arbitrary script and steal the user session ID via Javascript in a URL.

Cross-site scripting (XSS) vulnerability in index.php for Mambo Open Source 4.6, and possibly earlier versions, allows remote attackers to execute script on other clients via the Itemid parameter.

PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) _zb_path parameter to outlogin.php or (2) dir parameter to write.php to reference a URL on a remote web server that contains the code.

Direct static code injection vulnerability in the PCG simple application generation in phpCodeGenie before 3.0.2 allows remote authenticated users to execute arbitrary code via the (1) header or (2) footer.

Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument.

Unknown multiple vulnerabilities in Oracle9i Database Server 9.0.1.4, 9.0.1.5, 9.2.0.3, and 9.2.0.4 allow local users with the ability to invoke SQL to cause a denial of service or obtain sensitive information.

Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm.

upload.cgi in Mega Upload Progress Bar before 1.45 allows remote attackers to copy or overwrite arbitrary files via unspecified parameters related to names of uploaded files.

Yeemp 0.9.9 and earlier does not properly encrypt inbound files, which allows remote attackers to spoof the identity of the sender.

The NAT implementation in Zonet ZSR1104WE Wireless Router Runtime Code Version 2.41 converts IP addresses of inbound connections to the IP address of the router, which allows remote attackers to bypass intended security restrictions.

PHP remote file inclusion vulnerability in UberTec Help Center Live (HCL) allows remote attackers to read local files and possibly execute PHP code via a URL in the SKIN_inner parameter to inc/skin.php.

Multiple memory leaks in Samba before 3.0.6 allow attackers to cause a denial of service (memory consumption).

Kerio WinRoute Firewall before 6.0.9 uses information from PTR queries in response to A queries, which allows remote attackers to poison the DNS cache or cause a denial of service (connection loss).

Buffer overflow in multiple F-Secure Anti-Virus products, including F-Secure Anti-Virus 5.42 and earlier, allows remote attackers to bypass scanning or cause a denial of service (crash or module restart), depending on the product, via a malformed LHA archive.

Directory traversal vulnerability in webadmin.nsf for Lotus Domino R6 6.5.1 allows attackers to create and detect directories via a ..

The embedded MySQL 4.0 server for Proofpoint Protection Server does not require a password for the root user of MySQL, which allows remote attackers to read or modify the backend database.

Novell Internet Messaging System (NIMS) 2.6 and 3.0, and NetMail 3.1 and 3.5, is installed with a default NMAP authentication credential, which allows remote attackers to read and write mail store data if the administrator does not change the credential by using the NMAP Credential Generator.

Unknown vulnerability in Jigsaw before 2.2.4 has unknown impact and attack vectors, possibly related to the parsing of the URI.

Directory traversal vulnerability in phpMyFAQ 1.3.12 allows remote attackers to read arbitrary files, and possibly execute local PHP files, via the action variable, which is used as part of a template filename.

account.asp in DUware DUclassmate 1.0 through 1.1 allows remote attackers to change the passwords for arbitrary users by modifying the MM_recordId parameter on the "My Account" page.

Directory traversal vulnerability in Digicraft Yak! server 2.0 through 2.1.2 allows remote attackers to read or write arbitrary files via "../" or "..\" sequences in commands such as (1) dir or (2) put.

Format string vulnerability in xml_elem.c for XMLStarlet Command Line XML Toolkit 0.9.3 may allow attackers to cause a denial of service or execute arbitrary code.

Directory traversal vulnerability in the FTP server in TriDComm 1.3 and earlier allows remote attackers to read or write arbitrary files via a ..

MyWebServer 1.0.3 allows remote attackers to bypass authentication, modify configuration, and read arbitrary files via a direct HTTP request to (1) /admin or (2) ServerProperties.html.

HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption.

The (1) bos.rte.serv_aid or (2) bos.rte.console filesets in IBM AIX 5.1 and 5.2 allow local users to overwrite arbitrary files via a symlink attack on temporary files via unknown attack vectors.

Unspecified vulnerability in Window Maker 0.80.2 and earlier allows attackers to perform unknown actions via format string specifiers in a font specification in WMGLOBAL, probably a format string vulnerability.

The Ignition Project ignitionServer 0.1.2 through 0.1.2-R2 allows remote authenticated users with local IRC operator privileges to obtain global IRC operator privileges by using the unofficial umode command with the +ORD argument.

Unknown vulnerability in the Veritas NetBackup Administrative Assistant interface for NetBackup BusinesServer 3.4, 3.4.1, and 4.5, DataCenter 3.4, 3.4.1, and 4.5, Enterprise Server 5.1, and NetBackup Server 5.0 and 5.1, allows attackers to execute arbitrary commands via the bpjava-susvc process, possibly related to the call-back feature.

Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections), via a crafted TCP connection to the Telnet or reverse Telnet port.

Web Wiz Forums 7.7a uses invalid logic to determine user privileges, which allows remote attackers to (1) block arbitrary IP addresses via pop_up_ip_blocking.asp or (2) modify topics via pop_up_topic_admin.asp.

Microsoft Outlook Express 6.0 allows remote attackers to bypass intended access restrictions, load content from arbitrary sources into the Outlook context, and facilitate phishing attacks via a "BASE HREF" with the target set to "_top".

PeerSec MatrixSSL before 1.1 does not implement RSA blinding, which allows context-dependent attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal), a related issue to CVE-2003-0147.

Eudora 6.1.0.6 allows remote attackers to obfuscate URLs displayed in the status bar by inserting a large number of characters (e.g.

Cross-site scripting (XSS) vulnerability in Novell iChain 2.3 allows remote attackers to obtain login credentials via unspecified vectors.

Serena TeamTrack 6.1.1 allows remote attackers to obtain sensitive information such as user names, versions, and database information, and conduct cross-site scripting (XSS) attacks, via a direct request to tmtrack.dll with modified LoginPage and Template parameters.

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

Unspecified vulnerability in SharedX in HP-UX B.11.00, B.11.11, and B.11.22 allows local users to access unspecified files or cause a denial of service via unknown vectors related to handling of "files in a potentially insecure manner."

BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle when multiple logins for different users coming from the same client, which could cause an "unexpected user identity" to be used in an RMI call.

ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag.

Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.

rdesktop 1.3.1 with xscreensaver 4.14, and possibly other versions, when running on Fedora and possibly other platforms, does not release the keyboard focus when xscreensaver starts, which causes the password to be entered into the active window when the user unlocks the screen.

Unspecified vulnerability in HP Tru64 UNIX 5.1B PK2(BL22) and PK3(BL24), and 5.1A PK6(BL24), when using IPsec/IKE (Internet Key Exchange) with Certificates, allows remote attackers to gain privileges via unknown attack vectors.

Unspecified vulnerability in Sesamie 1.0 allows remote anonymous attackers to gain access to repositories of other users via unknown vectors.

Cross-site scripting (XSS) vulnerability in Outblaze Email allows remote attackers to inject arbitrary web script or HTML via Javascript in an attribute of an IMG tag.

Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to bypass cross-frame scripting restrictions and capture keyboard events from other domains via an HTML document with Javascript that is outside a frameset that includes the target domain, then forcing the frameset to maintain focus.

Buffer overflow in Need for Speed Hot Pursuit 2.0 client (NFSHP2), version 242 and earlier, allows remote attackers (servers) to execute arbitrary code via long (1) gamename, (2) gamever, (3) hostname, (4) gametype, (5) mapname or (6) gamemode commands.

RealOne player 6.0.11.868 allows remote attackers to execute arbitrary script in the "My Computer" zone via a Synchronized Multimedia Integration Language (SMIL) presentation with a "file:javascript:" URL, which is executed in the security context of the previously loaded URL, a different vulnerability than CVE-2003-0726.

Integer overflow in pnen3260.dll in RealPlayer 8 through 10.5 (6.0.12.1040) and earlier, and RealOne Player 1 or 2 on Windows or Mac OS, allows remote attackers to execute arbitrary code via a SMIL file and a .rm movie file with a large length field for the data chunk, which leads to a heap-based buffer overflow.

Stack-based buffer overflow in the VideoCD (VCD) code in xine-lib 1-rc2 through 1-rc5, as derived from libcdio, allows attackers to execute arbitrary code via a VideoCD with an unterminated disk label.

Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD vcd:// MRLs or (2) long subtitle lines.

Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via crafted playlists that result in a long vcd:// URL.

Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a crafted .hlp file.

Stack-based buffer overflow in the in_cdda.dll plugin for Winamp 5.0 through 5.08c allows attackers to execute arbitrary code via a cda:// URL with a long (1) device name or (2) sound track number, as demonstrated with a .m3u or .pls playlist file.

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages.

Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote attackers to execute arbitrary code via a specially-crafted BMP image, a different vulnerability than CVE-2004-0817.

Directory traversal vulnerability in browser.php in JBrowser 1.0 through 2.1 allows remote attackers to read arbitrary files via the directory parameter.

Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has unknown impact and attack vectors, related to a "security update release."

Polar HelpDesk 3.0 allows remote attackers to bypass authentication by setting the UserId and UserType values in a cookie.

HTTPMail service in MailEnable Professional 1.18 does not properly handle arguments to the Authorization header, which allows remote attackers to cause a denial of service (null dereference and application crash).

Buffer overflow in Gyach Enhanced (Gyach-E) before 1.0.0-SneakPeek-3 allows remote attackers to cause a denial of service (crash) via unspecified vectors related to "URL data."

Gyach Enhanced (Gyach-E) before 1.0.0 stores passwords in plaintext, which allows attackers to obtain user passwords by reading the configuration file.

Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 1.0.4 allows remote attackers to cause a denial of service (crash) via conference packets with error messages.

mod.php in eNdonesia 8.3 allows remote attackers to obtain sensitive information via certain direct requests, and certain requests with invalid parameter values, which reveal the path in various error messages, as demonstrated by the (1) mod and (2) cid parameters.

Mantis before 20041016 provides a complete Issue History (Bug History) in the web interface regardless of view_history_threshold, which allows remote attackers to obtain sensitive information (private bug details) by visiting a bug's web page.

John Lim ADOdb Library for PHP before 4.23 allows remote attackers to obtain sensitive information via direct requests to certain scripts that result in an undefined value of ADODB_DIR, which reveals the installation path in an error message.

Soft3304 04WebServer before 1.41 allows remote attackers to cause a denial of service (resource consumption or crash) via certain data related to OpenSSL, which causes a thread to terminate but continue to hold resources.

Soft3304 04WebServer before 1.41 does not properly check file names, which allows remote attackers to obtain sensitive information (CGI source code).

The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference.

Free Web Chat 2.0 allows remote attackers to cause a denial of service (CPU consumption) via multiple connections from the same user.

The addUser function in UserManager.java in Free Web Chat 2.0 allows remote attackers to cause a denial of service (uncaught NullPointerException) via unknown attack vectors that cause the usrName variable to be null.

Unspecified vulnerability in Sun Fire 3800/4800/4810/6800, Sun Fire V1280, and Netra 1280 allows remote attackers to cause a denial of service (system controller hang) via IP Packets With Type of Service (TOS) Bits set.

Directory traversal vulnerability in lstat.cgi in LinuxStat before 2.3.1 allows remote attackers to read arbitrary files via (1) ..

Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, when running on Windows, allow remote attackers to read arbitrary files via a URL that contains (1) a hex-encoded backslash dot-dot sequence ("%5C..") or (2) a drive letter (such as "C:").

The MIMEH_read_headers function in ripMIME 1.3.1.0 does not properly handle trailing "\r" and "\n" characters in headers, which leads to a buffer underflow.

Directory traversal vulnerability in Pegasi Web Server (PWS) 0.2.2 allows remote attackers to read files outside of the web root via a ..

SmartWebby Smart Guest Book stores SmartGuestBook.mdb (aka the "news database") under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the unencrypted username and password of the administrator's account.

Quake II server before R1Q2, as used in multiple products, allows remote attackers to corrupt the server's client state data structure by exiting a session without a valid disconnect command, then reconnecting, which prevents a mod from being notified of changes in the client state.

Quake II server before R1Q2, as used in multiple products, allows remote attackers to bypass IP-based access control rules via a userinfo string that already contains an "ip" key/value pair but is also long enough to cause a new key/value pair to be truncated, which interferes with the server's ability to find the client's IP address.

Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (exhaustion of connection slots) via a large number of connections from the same IP address.

Absolute path traversal vulnerability in Quake II server before R1Q2 on Linux, as used in multiple products, allows remote attackers to cause a denial of service (application crash) via a download command with a full pathname for a directory in the argument, which causes the server to crash when it cannot read data.

Absolute path traversal vulnerability in Quake II server before R1Q2 on Windows, as used in multiple products, allows remote attackers to read arbitrary files via a "\/" in a pathname argument, as demonstrated by "download \/server.cfg".

Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (application crash) via a modified client that asks the server to send data stored at a negative array offset, which is not handled when processing Configstrings and Baselines.

Gaim before 0.82 allows remote servers to cause a denial of service (application crash) via a long HTTP Content-Length header, which causes Gaim to abort when attempting to allocate memory.

Intentional information leak in phpinfo.php in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allows remote attackers to obtain sensitive information such as the configuration of the web server and the PHP application.

login.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service via a long txtusername parameter, possibly due to a buffer overflow.

Directory traversal vulnerability in frmGetAttachment.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to read arbitrary files via the filename parameter.

Novell iChain 2.3 includes the build number in the VIA line of the proxy server's HTTP headers, which allows remote attackers to obtain sensitive information.

Novell iChain 2.3 allows attackers to cause a denial of service via a URL with a "specific string."

phpGroupWare before 0.9.16.002 transmits the (1) header admin and (2) setup passwords in plaintext via cookies, which allows remote attackers to sniff passwords.

The acl_check function in phpGroupWare 0.9.16RC2 always returns True, even when mkdir does not behave as expected, which could allow remote attackers to obtain sensitive information via WebDAV from users' home directories that lack .htaccess files, and possibly has other unknown impacts.

class.vfs_dav.inc.php in phpGroupWare 0.9.16.000 does not create .htaccess files to enable authorization checks for access to users' home-directory files, which allows remote attackers to obtain sensitive information from these files.

phpGroupWare 0.9.14.005 and earlier allow remote attackers to obtain sensitive information via a direct request to (1) hook_admin.inc.php, (2) hook_home.inc.php, (3) class.holidaycalc.inc.php, and (4) setup.inc.php.sample, which reveals the path in an error message.

AMAX Magic Winmail Server 3.6 allows remote attackers to obtain sensitive information by entering (1) invalid characters such as "()" or (2) a large number of characters in the Lookup field on the netaddressbook.php web form, which reveals the path in an ldaplib.php error message when the ldap_search function fails, due to improper processing of the $keyword variable.

Opera before 7.54 allows remote attackers to modify properties and methods of the location object and execute Javascript to read arbitrary files from the client's local filesystem or display a false URL to the user.

Multiple directory traversal vulnerabilities in Sambar Server 6.1 Beta 2 on Windows, and possibly other versions on Linux, when the administrative IP address restrictions have been modified from the default, allow remote authenticated users to read arbitrary files via (1) a "..\" (dot dot backslash) in the file parameter to showini.asp, or (2) an absolute path with drive letter in the log parameter to showlog.asp.

NetGear WG602 (aka WG602v1) Wireless Access Point 1.7.14 has a hardcoded account of username "superman" and password "21241036", which allows remote attackers to modify the configuration.

NetGear WG602 (aka WG602v1) Wireless Access Point firmware 1.04.0 and 1.5.67 has a hardcoded account of username "super" and password "5777364", which allows remote attackers to modify the configuration.

Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allow remote attackers to cause a denial of service (service crash) via a TCP request with a large string, followed by 8 newline characters, to (1) the Telnet service on TCP port 23 and (2) the HTTP service on TCP port 80, possibly due to a buffer overflow.

Secure Computing Corporation Sidewinder G2 6.1.0.01 allows remote attackers to cause a denial of service (SMTP proxy failure) via unknown attack vendors involving an "extremely busy network." NOTE: this might not be a vulnerability because the embedded monitoring sub-system automatically restarts after the failure.

Secure Computing Corporation Sidewinder G2 6.1.0.01 might allow remote attackers to cause a denial of service (proxy failure) via invalid traffic to the (1) T.120 or (2) RTSP proxy, or (3) invalid MIME messages to the mail filter.

readObject in (1) Java Runtime Environment (JRE) and (2) Software Development Kit (SDK) 1.4.0 through 1.4.2_05 allows remote attackers to cause a denial of service (JVM unresponsive) via crafted serialized data.

The person-to-person secure messaging feature in Sticker before 3.1.0 beta 2 allows remote attackers to post messages to unauthorized private groups by using the group's public encryption key.

Serv-U FTP Server 4.1 (possibly 4.0) allows remote attackers to cause a denial of service (application crash) via a SITE CHMOD command with a "\\...\" followed by a short string, causing partial memory corruption, a different vulnerability than CVE-2004-2111.

Gadu-Gadu allows remote attackers to bypass the "image send" option by sending a very small image file, which could be used in conjunction with image-related vulnerabilities.

Directory traversal vulnerability in ldacgi.exe in IBM Tivoli Directory Server 4.1 and earlier allows remote attackers to view arbitrary files via a ..

clogin.php in Benchmark Designs' WHM AutoPilot 2.4.5 and earlier allows remote attackers to obtain plaintext username and password credentials by using the clogin_e and base64_encode functions to encode the desired user ID in the c parameter, then read the plaintext values in the resulting form.

myServer 0.7.1 allows remote attackers to cause a denial of service (crash) via a long HTTP POST request in a View=Logon operation to index.html.

Directory traversal vulnerability in myServer 0.7 allows remote attackers to list arbitrary directories via an HTTP GET command with a large number of "./" sequences followed by "../" sequences.

Absolute path traversal vulnerability in main.cgi in Linksys WVC11B Wireless-B Internet Video Camera allows remote attackers to read arbitrary files via an absolute pathname in the next_file parameter.

Unparsed web content delivery vulnerability in WIKINDX before 0.9.9g allows remote attackers to obtain sensitive information via a direct HTTP request to the config.inc file.

Macromedia ColdFusion MX before 6.1 does not restrict the size of error messages, which allows remote attackers to cause a denial of service (memory consumption and crash) by sending repeated GET or POST requests that trigger error messages that use long strings of data.

INweb Mail Server 2.40 allows remote attackers to cause a denial of service (crash) via a large number of connect/disconnect actions to the (1) POP3 and (2) SMTP services.

Unspecified vulnerability in the error handler in Hitachi Web Page Generator and Web Page Generator Enterprise 4.01 and earlier, when using the default error template and debug mode is set to ON, allows remote attackers to determine internal directory structures via unknown attack vectors.

Unspecified vulnerability in PHP Live! before 2.8.2, due to a "major security problem," allows remote attackers to include arbitrary files and directories via unspecified attack vectors.

Microsoft Outlook 2000 and 2003, when configured to use Microsoft Word 2000 or 2003 as the e-mail editor and when forwarding e-mail, does not properly handle an opening OBJECT tag that does not have a closing OBJECT tag, which causes Outlook to automatically download the URI in the data property of the OBJECT tag and might allow remote attackers to execute arbitrary code.

Squid Web Proxy Cache 2.3.STABLE5 allows remote attackers to bypass security controls and access arbitrary websites via "@@" sequences in a URL within Internet Explorer.

Squid Web Proxy Cache 2.5 might allow remote attackers to obtain sensitive information via URLs containing invalid hostnames that cause DNS operations to fail, which results in references to previously used error messages.

Agnitum Outpost Pro Firewall 2.1 allows remote attackers to cause a denial of service (CPU consumption) via a flood of small, invalid packets, which can not be processed quickly enough by Outpost Pro.

Unspecified vulnerability in Reservation.class.php for phpScheduleIt 1.01 and earlier allows attackers to modify or delete reservations.

chat.ghp in Easy Chat Server 1.2 allows remote attackers to add a large number of fake users, then eventually cause a denial of service (server crash).

chat.ghp in Easy Chat Server 1.2 allows remote attackers to cause a denial of service (server crash) via a long username parameter, possibly due to a buffer overflow.

Unknown vulnerability in POP3 in gnubiff before 2.0.0 allows remote attackers to cause a denial of service (application crash) via an "infinite" Unique IDentification Listing (UIDL) list.

Open WebMail 2.30 and earlier, when use_syshomedir is disabled or create_syshomedir is enabled, creates new directories before authenticating, which allows remote attackers to create arbitrary directories.

Unspecified vulnerability in 3Com OfficeConnect ADSL 11g Router allows remote attackers to cause a denial of service (crash) via a large amount of UDP traffic.

Unknown vulnerability in Hitachi Cosminexus Portal Framework 01-00, 01-01, 01-02, 02-01, 02-02, 02-03, and other versions allows remote attackers to obtain sensitive information in the <ut:cache> tag library.

Roger Wilco 1.4.1.6 and earlier, or Roger Wilco Base Station 0.30a or earlier, allows remote attackers to send audio to arbitrary channels, aka the "Voices from the deep" bug.

The client and server for Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier report sensitive information such as IDs and source IP addresses, which allows remote attackers to obtain sensitive information.

Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier allows remote attackers to cause a denial of service (application crash) via a long, malformed UDP datagram.

S-Mart Shopping Cart or RediCart 3.9.5b stores smart.cfg under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the database name.

Directory traversal vulnerability in 1st Class Mail Server 4.01 allows remote attackers to read arbitrary files via a ".." (dot dot) sequences in unknown vectors.

Directory traversal vulnerability in index.php in Jaws 0.3 BETA allows remote attackers to view arbitrary files via a ..

Multiple interpretation error in various F-Secure Anti-Virus products, including Workstation 5.43 and earlier, Windows Servers 5.50 and earlier, MIMEsweeper 5.50 and earlier, Anti-Virus for Linux Servers and Gateways 4.61 and earlier, and other products, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on the target system.

The remote upgrade capability in HP LaserJet 4200 and 4300 printers does not require a password, which allows remote attackers to upgrade firmware.

Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a denial of service (browser crash) via a link with "::{" (colon colon left brace), which triggers a null dereference when the user attempts to save the link using "Save As" and Internet Explorer prepares an error message with an attacker-controlled format string.

WinAgents TFTP Server 3.0 allows remote attackers to cause a denial of service (crash) via a request for a file with a long file name, possibly due to an off-by-one buffer overflow.

Abczone.it WWWguestbook 1.1 stores db/dbase.mdb under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the plaintext username and password.

Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a ..

BEA WebLogic Server and WebLogic Express 8.1 through 8.1 SP2 allow remote attackers to cause a denial of service (network port consumption) via unknown actions in HTTPS sessions, which prevents the server from releasing the network port when the session ends.

Unknown vulnerability in the Web calendaring component of Ipswitch IMail Server before 8.13 allows remote attackers to cause a denial of service (crash) via "specific content."

Multiple features in Ipswitch IMail Server before 8.13 allow remote attackers to cause a denial of service (crash) via (1) a long sender field to the Queue Manager or (2) a long To field to the Web Messaging component.

Hitachi Job Management Partner (JP1) JP1/File Transmission Server/FTP 6 and 7 allows remote attackers to cause a denial of service (daemon halt) via a port scan involving reset packets.

Davenport before 0.9.10 allows attackers to cause a denial of service (resource consumption) via (1) a very large XML file or (2) entity expansion attacks.

Secure Computing Corporation Sidewinder G2 6.1.0.01 allows remote attackers to cause a denial of service (CPU consumption) via delayed responses to DNS queries.

libuser 0.51.7 allows attackers to cause a denial of service (crash or disk consumption) via unknown attack vectors, related to read failures and other bugs.

Jabber Gadu-Gadu Transport (a.k.a.

The roster import functionality in Jabber Gadu-Gadu Transport (a.k.a.

Unknown vulnerability in Jabber Gadu-Gadu Transport (a.k.a.

EMU Webmail 5.2.7 allows remote attackers to obtain sensitive path information (home directory) via an HTTP request for init.emu.

NullSoft Winamp 5.02 allows remote attackers to cause a denial of service (crash) by creating a file with a long filename, which causes the victim's player to crash when the file is opened from the command line.

The PerfectNav plugin for Microsoft Internet Explorer allows remote attackers to cause a denial of service (browser crash) via a malformed URL such as "?".

HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote attackers to cause denial of service (memory usage and application crash) via HTTP requests with a large Content-Length.

Directory traversal vulnerability in postfile.exe for Twilight Utilities Web Server 2.0.0.0 allows remote attackers to write arbitrary files via a ..

Alcatel OmniSwitch 7000 and 7800 allows remote attackers to cause a denial of service (reboot) via certain network scans, as demonstrated using a Nessus port scan of ports 1 through 1024 with safe-checks disabled.

BadBlue 2.4 allows remote attackers to obtain the location of the server installation path via a request for phptest.php, which includes the pathname in the source of the resulting HTML.

Multiple Red Storm web-based games, including Ghost Recon 1.4 and earlier, Desert Siege, and The Sum of all Fears 1.1.1.0 and earlier, do not properly check return values from certain functions, which allows remote attackers to cause a denial of service (hang) via packets that contain text strings with incorrect size values.

The Control Panel applet in WFTPD and WFTPD Pro 3.21 R1 and R2 allows remote authenticated users to cause a denial of service (crash) via a long FTP command.

Buffer overflow in GlobalSCAPE Secure FTP Server 2.0 B03.11.2004.2 allows remote attackers to cause a denial of service (crash) via a SITE command with a long argument.

Digital Reality game engine, as used in Haegemonia 1.0 through 1.0.7 and Desert Rats vs.

Targem Battle Mages 1.0 allows remote attackers to cause a denial of service (infinite loop) via a UDP packet with incomplete data, which causes the server to enter an infinite loop while waiting to read the rest of the data that is not sent.

Early termination vulnerability in Fizmez Web Server 1.0 allows remote attackers to cause a denial of service (crash) by connecting to the server and then disconnecting without sending any data, which triggers a null pointer dereference.

Sybari AntiGen for Domino 7.0 Build 722 SR2 allows remote attackers to cause a denial of service (hang) via an encrypted ZIP file with the "include full path info" option set, as used by certain variants of the Beagle/Bagle worm.

Unknown vulnerability in the ASN.1/H.323/H.225 stack of VocalTec VGW120 and VGW480 allows remote attackers to cause a denial of service.

ChatterBox 2.0 allows remote attackers to cause a denial of service (server crash) via a malformed request to the server, as demonstrated using "aaaaaa".

Bodington 2.1.0 RC1 and earlier does not secure the file upload area, which allows remote attackers to read uploaded files.

ColdFusion MX 6.1 and 6.1 J2EE allows remote attackers to cause a denial of service via an HTTP request containing a large number of form fields.

Clearswift MAILsweeper for SMTP before 4.3_13 allows remote attackers to cause a denial of service (infinite loop) via an e-mail with a crafted RAR archive attached.

Vizer Web Server 1.9.1 allows remote attackers to cause a denial of service (crash) via multiple malformed requests including (1) requests without GET, (2) GET requests without HTTP, (3) or long GET requests.

DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to obtain sensitive information, including the SQL server username and password, via a GET request for source or configuration files such as Web.config.

The administrative interface (surgeftpmgr.cgi) for SurgeFTP Server 1.0b through 2.2k1 allows remote attackers to cause a temporary denial of service (crash) via requests with two percent (%) signs in the CMD parameter.

Information leak in Mbedthis AppWeb HTTP server 1.0 through 1.1.2 allows remote attackers to obtain sensitive information via a user message that is generated when Mbedthis denies access.

Mbedthis AppWeb HTTP server before 1.0.2 allows remote attackers to cause a denial of service (crash) via a GET request containing an MS-DOS device name such as COM1.

Mbedthis AppWeb HTTP server before 1.0.2 allows remote attackers to cause a denial of service (crash) via an empty OPTIONS request.

Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for incorrect passwords versus correct passwords on non-mail-enabled accounts (such as root), which allows remote attackers to guess the root password via brute force attacks.

Microsoft Internet Explorer 6.0.2600 on Windows XP allows remote attackers to cause a denial of service (browser crash) via a shell: URI with double backslashes (\\) in an HTML tag such as IFRAME or A.

Computer Associates eTrust Antivirus EE 6.0 through 7.0 allows remote attackers to bypass virus scanning by including a password-protected file in a ZIP file, which causes eTrust to scan only the password protected file and skip the other files.

The Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large, out-of-range score parameter.

The preview_review function in the Reviews module in PHP-Nuke 6.0 to 7.3, when running on Windows systems, allows remote attackers to obtain sensitive information via an invalid date parameter, which generates an error message.

Buffer overflow in Alt-N MDaemon 7.0.1 allows remote attackers to cause a denial of service (application crash) via a long STATUS command to the IMAP server.

Directory traversal vulnerability in explorer.php in DSM Light Web File Browser 2.0 allows remote attackers to read arbitrary files via ..

Unknown vulnerability in DansGuardian before 2.6.1-13 allows remote attackers to bypass URL filters via a crafted request that causes a page to be added to the clean page cache.

DansGuardian before 2.7.7-2 allows remote attackers to bypass URL filters via a ".." in the request.

Buffer overflow in IBM Lotus Notes 6.5.x before 6.5.3 and 6.0.x before 6.0.5 allows remote attackers to cause a denial of service (crash) via unknown vectors related to Java applets, as identified by KSPR62F4KN.

Buffer overflow in aGSM Half-Life client allows remote Half-Life servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server response.

efFingerD 0.2.12 allows remote attackers to cause a denial of service (daemon crash) via a packet with a single byte, which triggers a "Wrong protocol or connection state" error.

Buffer overflow in the sockFinger_DataArrival function in efFingerD 0.2.12 allows remote attackers to cause a denial of service (daemon crash) via a long finger command.

PimenGest2 before 1.1.1 allows remote attackers to obtain the database password via debug information in rowLatex.inc.php.

Opera Browser 7.23, and other versions before 7.50, updates the address bar as soon as the user clicks a link, which allows remote attackers to redirect to other sites via the onUnload attribute.

vsftpd before 1.2.2, when under heavy load, allows attackers to cause a denial of service (crash) via a SIGCHLD signal during a malloc or free call, which is not re-entrant.

Directory traversal vulnerability in phpMyFAQ 1.4.0 alpha allows remote attackers to read arbitrary files, and possibly execute local PHP files, via ..

Directory traversal vulnerability in user.cgi in SurgeLDAP 1.0g and earlier allows remote attackers to read arbitrary files via a ..

The PPTP server in Astaro Security Linux before 4.024 provides information about its version, which makes it easier for remote attackers to construct specialized attacks.

The XML parser in Oracle 9i Application Server Release 2 9.0.3.0 and 9.0.3.1, 9.0.2.3 and earlier, and Release 1 1.0.2.2 and 1.0.2.2.2, and Database Server Release 2 9.2.0.1 and later, allows remote attackers to cause a denial of service (CPU and memory consumption) via a SOAP message containing a crafted DTD.

Mozilla Firefox before 1.0 truncates long filenames in the file download dialog box, which makes it easier for remote attackers to trick users into downloading files with dangerous extensions.

Mozilla Mail 1.7.1 and 1.7.3, and Thunderbird before 0.9, when HTML-Mails is enabled, allows remote attackers to determine valid e-mail addresses via an HTML e-mail that references a Cascading Style Sheets (CSS) document on the attacker's server.

Mozilla Firefox before 0.10.1 allows remote attackers to delete arbitrary files in the download directory via a crafted data: URI that is not properly handled when the user clicks the Save button.

Appfoundry Message Foundry 2.75 .0003 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that contains MS-DOS device names such as com1.

FsPHPGallery before 1.2 allows remote attackers to cause a denial of service via an image with a large size attribute, which causes a crash when the server attempts to resize the image.

F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 does not properly detect certain password-protected files in a ZIP file, which allows remote attackers to bypass anti-virus protection.

Multiple unknown vulnerabilities in yhttpd in yChat before 0.7 allow remote attackers to cause a denial of service (segmentation fault) via unknown vectors.

Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlier and 6.1 SP1 and earlier, and Application Server 7 Update 4 and earlier, allows remote attackers to cause a denial of service (crash) via a malformed client certificate.

Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to obtain the source code for scripts via a (1) trailing dot (".") or (2) trailing space in an HTTP request.

CRLF injection vulnerability in Ideal Science IdealBB 1.4.9 through 1.5.3 allows remote attackers to conduct HTTP response splitting attacks via unknown vectors.

Zanfi CMS lite 1.1 allows remote attackers to obtain the full path of the web server via direct requests without required arguments to (1) adm_pages.php, (2) corr_pages.php, (3) del_block.php, (4) del_page.php, (5) footer.php, (6) home.php, and others.

PHP remote file inclusion vulnerability in index.php in Zanfi CMS lite 1.1 allows remote attackers to execute arbitrary PHP code via the inc parameter.

MailEnable Professional Edition before 1.53 and Enterprise Edition before 1.02 allows remote attackers to cause a denial of service (crash) via malformed (1) SMTP or (2) IMAP commands.

Directory traversal vulnerability in Unzoo 4.4-2 has unknown impact and attack vectors.

Unknown vulnerability in ImagePage for MediaWiki 1.3.5, related to "filename validation," has unknown impact and attack vectors.

asycpict.dll, as used in Microsoft products such as Front Page 97 and 98, allows remote attackers to cause a denial of service (hang) via a JPEG image with maximum height and width values.

Directory traversal vulnerability in sample_showcode.html in Caravan 2.00/03d and earlier allows remote attackers to read arbitrary files via the fname parameter.

BaSoMail 1.24 allows remote attackers to cause a denial of service (CPU consumption) via multiple connections to TCP port (1) 25 (SMTP) or (2) 110 (POP3).

Lords of the Realm III 1.01 and earlier, when in the lobby stage, allows remote attackers to cause a denial of service (crash from unallocated memory write) via a long user nickname.

shoprestoreorder.asp in VP-ASP 5.0 does not close the database connection when a user restores a previous order, which allows remote attackers to cause a denial of service (connection consumption).

Chatman 1.1.1 RC1 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via a very large data size.

Buffer overflow in the prepared statements API in libmysqlclient for MySQL 4.1.3 beta and 4.1.4 allows remote attackers to cause a denial of service via a large number of placeholders.

Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook allow attackers to cause a denial of service (crash) via malformed e-mail messages (1) without a body or (2) without a carriage return ("\n") separating the headers from the body.

CRLF injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows attackers to conduct HTTP response splitting attacks via the fid parameter in a writenew action to thread-post.asp.

Outlook Express 6.0, when sending multipart e-mail messages using the "Break apart messages larger than" setting, leaks the BCC recipients of the message to the addresses listed in the To and CC fields, which may allow remote attackers to obtain sensitive information.

SurfNOW 2.2 allows remote attackers to cause a denial of service (crash) via a series of long HTTP GET requests, possibly triggering a buffer overflow.

The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412.

Multiple directory traversal vulnerabilities in Borland Web Server (BWS) 1.0b3 and earlier allow remote attackers to read and download arbitrary files via (1) multi-dot "......" sequences, or (2) "%5c%2e%2e" (encoded "\..") sequences, in the URL.

Directory traversal vulnerability in BremsServer 1.2.4 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in the URL.

Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to list directories via a direct request to (1) /com/, (2) /com/novell/, (3) /com/novell/webaccess, or (4) /ns-icons/.

The webacc servlet in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to read arbitrary .htt files via a full pathname in the error parameter.

Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to obtain sensitive server information, including the internal IP address, via a direct request to (1) snoop.jsp, (2) SnoopServlet, (3) env.bas, or (4) lcgitest.nlm.

The sysinfo script in GeoHttpServer allows remote attackers to cause a denial of service (crash) via a long pwd parameter, possibly triggering a buffer overflow.

GeoHttpServer, when configured to authenticate users, allows remote attackers to bypass authentication and access unauthorized files via a URL that contains %0a%0a (encoded newlines).

Honeyd before 0.8 replies to TCP packets with the SYN and RST flags set, which allows remote attackers to identify IP addresses that are being simulated by Honeyd.

The samiftp.dll library in Sami FTP Server 1.1.3 allows local users to cause a denial of service (pmsystem.exe crash) by issuing (1) a CD command with a tilde (~) character or dot dot (/../) or (2) a GET command for an unavailable file.

Sophos Anti-Virus 3.78 allows remote attackers to cause a denial of service (infinite loop) via a MIME header that is not properly terminated.

Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.

sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).

fetchnews in leafnode 1.9.47 and earlier allows remote attackers to cause a denial of service (process hang) via an empty NNTP news article with missing mandatory headers.

ASPRunner 2.4 stores the database under the web root in the db directory, which may allow remote attackers to obtain the database via a direct request to the database filename, which is predictable based on table and field names.

Multiple cross-site scripting vulnerabilities in ASPRunner 2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) SearchFor parameter in [TABLE-NAME]_search.asp, (2) SQL parameter in [TABLE-NAME]_edit.asp, (3) SearchFor parameter in [TABLE]_list.asp, or (4) SQL parameter in export.asp.

ASPRunner 2.4 allows remote attackers to gain sensitive information via (1) hidden form fields or (2) error messages.

CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to privmsg.php or (2) the redirect parameter to login.php.

Unknown vulnerability in APC PowerChute Business Edition 6.0 through 7.0.1 allows remote attackers to cause a denial of service via unknown attack vectors.

The HTTP administration interface on Conceptronic CADSLR1 ADSL router running firmware 3.04n allows remote attackers to cause a denial of service (device reboot) via an HTTP request with a long username.

The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error message.

Directory traversal vulnerability in manifest.ini in Unreal engine allows remote attackers to overwrite arbitrary files via ..

phProfession 2.5 allows remote attackers to gain sensitive information via a direct HTTP request to upload.php, which reveals the path in a PHP error message.

xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link.

Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via ..

The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, (4) block-Calendar_center.php scripts in NukeCalendar 1.1.a, as used in PHP-Nuke, allow remote attackers to obtain sensitive information via a URL with an invalid argument, which reveals the full path in an error message.

rufsi.dll in Symantec Virus Detection allows remote attackers to cause a denial of service (crash) via a long string to the GetPrivateProfileString function.

McFreeScan.CoMcFreeScan.1 ActiveX object in Mcafee FreeScan allows remote attackers to obtain sensitive information via the GetSpecialFolderLocation function with certain parameters.

Mcafee FreeScan allows remote attackers to cause a denial of service and possibly arbitrary code via a long string in the ScanParam property of a COM object, which may trigger a buffer overflow.

ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to cause a denial of service (crash) by calling the SetSitesFile function.

The administration interface in Monit 1.4 through 4.2 allows remote attackers to cause an off-by-one overflow via a POST that contains 1024 bytes.

Administration interface in Monit 1.4 through 4.2 allows remote attackers to cause a denial of service (segmentation fault) by sending a Basic Authentication request without a password, which causes Monit to decrement a null pointer and perform an out-of-bounds read.

Dreamweaver MX, when "Using Driver On Testing Server" or "Using DSN on Testing Server" is selected, uploads the mmhttpdb.asp script to the web site but does not require authentication, which allows remote attackers to obtain sensitive information and possibly execute arbitrary SQL commands via a direct request to mmhttpdb.asp.

The ftp_syslog function in ftpd in SGI IRIX 6.5.20 "doesn't work with anonymous FTP," which has an unknown impact, possibly preventing the actions of anonymous users from being logged.

Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via a link failure with Microsoft Windows.

Ada Image Server (ImgSvr) 0.4 allows remote attackers to view directories or download files via an HTTP request with a trailing %00 (null).

Memory leak in the back-bdb backend for OpenLDAP 2.1.12 and earlier allows remote attackers to cause a denial of service (memory consumption).

Etherlords I 1.07 and earlier and Etherlords II 1.03 and earlier allows remote attackers to cause a denial of service (crash) by sending a packet that specifies the size for the next packet, then sending a larger packet than specified, which causes Etherlords to read unallocated memory.

Buffer overflow in Check Point SmartDashboard in Check Point NG AI R54 and R55 allows remote authenticated users to cause a denial of service (server disconnect) and possibly execute arbitrary code via a large filter on a column when using SmartView Tracker.

Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660.

Buffer overflow in Chrome 1.2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large length value, which leads to a null dereference or out-of-bounds read.