Weekly Vulnerabilities Reports > February 28 to March 6, 2005
Overview
59 new vulnerabilities reported during this period, including 11 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 83 products from 65 vendors including Gentoo, Debian, Suse, Ubuntu, and Redhat. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", and "Integer Underflow (Wrap or Wraparound)".
- 44 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 59 reported vulnerabilities are exploitable by an anonymous user.
- Gentoo has the most reported vulnerabilities, with 12 reported vulnerabilities.
- Gentoo has the most reported critical vulnerabilities, with 5 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
11 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-03-02 | CVE-2005-0636 | Foxmail | Remote vulnerability in Foxmail Email Server 2.0 Format string vulnerability in Foxmail Server 2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the USER command. | 10.0 |
| 2005-03-01 | CVE-2004-1053 | Freebsd | Remote Buffer Overflow vulnerability in FreeBSD Fetch Integer overflow in fetch on FreeBSD 4.1 through 5.3 allows remote malicious servers to execute arbitrary code via certain HTTP headers in an HTTP response, which lead to a buffer overflow. | 10.0 |
| 2005-03-01 | CVE-2004-1052 | BNC Debian Gentoo | Buffer Overflow vulnerability in BNC getnickuserhost IRC Server Response Buffer overflow in the getnickuserhost function in BNC 2.8.9, and possibly other versions, allows remote IRC servers to execute arbitrary code via an IRC server response that contains many (1) ! (exclamation) or (2) @ (at sign) characters. | 10.0 |
| 2005-03-01 | CVE-2004-1037 | Twiki Gentoo | Remote Arbitrary Command Execution vulnerability in TWiki Search Shell Metacharacter The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string. | 10.0 |
| 2005-03-01 | CVE-2004-1034 | Kaffeine Xine Gentoo | Remote Buffer Overflow vulnerability in Kaffeine Buffer overflow in the http_open function in Kaffeine before 0.5, whose code is also used in gxine before 0.3.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long Content-Type header for a Real Audio Media (.ram) playlist file. | 10.0 |
| 2005-03-01 | CVE-2004-1010 | Info ZIP | Remote Recursive Directory Compression Buffer Overflow vulnerability in Info-Zip ZIP 2.3 Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname. | 10.0 |
| 2005-03-01 | CVE-2004-1006 | ISC | Remote Format String vulnerability in ISC DHCPD Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702. | 10.0 |
| 2005-03-01 | CVE-2004-0992 | Proxytunnel | Remote Format String vulnerability in Proxytunnel Format string vulnerability in the -a option (daemon mode) in Proxytunnel before 1.2.3 allows remote attackers to execute arbitrary code via format string specifiers in an invalid proxy answer. | 10.0 |
| 2005-03-01 | CVE-2004-0990 | GD Graphics Library Openpkg Gentoo Suse Trustix | Remote Integer Overflow vulnerability in GD Graphics Library Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. | 10.0 |
| 2005-03-01 | CVE-2004-0989 | Xmlsoft Xmlstarlet Redhat Trustix Ubuntu | Remote Stack Buffer Overflow vulnerability in Libxml2 Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. | 10.0 |
| 2005-03-01 | CVE-2004-1029 | HP SUN Symantec Conectiva Gentoo | Permissions, Privileges, and Access Controls vulnerability in multiple products The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages. | 9.3 |
16 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-03-06 | CVE-2005-0691 | Socialmpn | Remote Security vulnerability in SocialMPN PHP remote file inclusion vulnerability in article mode for modules.php in SocialMPN allows remote attackers to execute arbitrary PHP code by modifying the name parameter to reference a URL on a remote web server that contains the code. | 7.5 |
| 2005-03-06 | CVE-2005-0687 | Hashcash | Denial-Of-Service vulnerability in Hashcash 1.14/1.15/1.16 Format string vulnerability in Hashcash 1.16 allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via format string specifiers in a reply address, which is not properly handled when printing the header. | 7.5 |
| 2005-03-04 | CVE-2005-0668 | Christian Hilgers | Remote Security vulnerability in Http Anti Virus Proxy %28Havp%29 Unknown vulnerability in HTTP Anti Virus Proxy (HAVP) before 0.51 prevents viruses from being properly detected in certain files such as (1) .CAB or (2) .ZIP files. | 7.5 |
| 2005-03-03 | CVE-2005-0671 | Ca3De | Remote vulnerability in Ca3DE Format string vulnerability in Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows remote attackers to execute arbitrary code via format string specifiers in a command. | 7.5 |
| 2005-03-02 | CVE-2005-0639 | XLI Altlinux Suse | Multiple vulnerabilities in xli before 1.17 may allow remote attackers to execute arbitrary code via "buffer management errors" from certain image properties, some of which may be related to integer overflows in PPM files. | 7.5 |
| 2005-03-02 | CVE-2005-0638 | XLI Altlinux Suse | xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command. | 7.5 |
| 2005-03-02 | CVE-2005-0633 | Cerulean Studios | Remote PNG Image File Parsing Buffer Overflow vulnerability in Cerulean Studios Trillian and Trillian PRO Buffer overflow in Trillian 3.0 and Pro 3.0 allows remote attackers to execute arbitrary code via a crafted PNG image file. | 7.5 |
| 2005-03-02 | CVE-2005-0605 | Lesstif SGI X ORG Xfree86 Project Altlinux Mandrakesoft Redhat Suse | Integer Overflow vulnerability in libXPM Bitmap_unit scan.c for LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow. | 7.5 |
| 2005-03-01 | CVE-2005-0623 | Raidenhttpd | Remote Security vulnerability in Raidenhttpd 1.1.32 Buffer overflow in RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to execute arbitrary code via a long URL. | 7.5 |
| 2005-03-01 | CVE-2004-1021 | Apple | Unspecified vulnerability in Apple Ical 1.5.3 iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does not alert the user when handling calendars that use alarms, which allows attackers to execute programs and send e-mail via alarms. | 7.5 |
| 2005-03-01 | CVE-2004-1002 | Samba Canonical | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location. | 7.5 |
| 2005-03-01 | CVE-2004-0986 | Suse Debian Linux Redhat | Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers. | 7.5 |
| 2005-02-28 | CVE-2005-0608 | Webmod | Denial-Of-Service vulnerability in Webmod 0.47 Heap-based buffer overflow in server.cpp for WebMod 0.47 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a POST request with a Content-Length that is less than the amount of data that is actually sent. | 7.5 |
| 2005-03-01 | CVE-2004-1051 | Mandrakesoft Todd Miller Debian Trustix Ubuntu | sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname. | 7.2 |
| 2005-03-01 | CVE-2004-1038 | Ieee | Local Security vulnerability in Ieee Firewire Ieee 1394 A design error in the IEEE1394 specification allows attackers with physical access to a device to read and write to sensitive memory using a modified FireWire/IEEE 1394 client, thus bypassing intended restrictions that would normally require greater degrees of physical access to exploit. | 7.2 |
| 2005-03-01 | CVE-2004-1031 | Thibault Godouet Gentoo | Local vulnerability in Fcron FCronTab/FCronSighUp fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to bypass access restrictions and load an arbitrary configuration file by starting an suid process and pointing the fcronsighup configuration file to a /proc entry that is owned by root but modifiable by the user, such as /proc/self/cmdline or /proc/self/environ. | 7.2 |
22 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-03-01 | CVE-2004-1055 | Phpmyadmin Gentoo | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.6.0-pl2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PmaAbsoluteUri parameter, (2) the zero_rows parameter in read_dump.php, (3) the confirm form, or (4) an error message generated by the internal phpMyAdmin parser. | 6.8 |
| 2005-03-01 | CVE-2004-1036 | Squirrelmail Gentoo | Cross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML. | 6.8 |
| 2005-03-01 | CVE-2004-1035 | Imap Proxy | Denial-Of-Service vulnerability in Imap Proxy Imap Proxy 1.2.2 Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3) request.c, and (4) select.c for up-imapproxy IMAP proxy 1.2.2 allow remote attackers to cause a denial of service (server crash) and possibly leak sensitive information via certain literal values that are not properly handled when using the IMAP_Line_Read function. | 6.4 |
| 2005-03-06 | CVE-2005-0681 | Nokia | Remote Denial Of Service vulnerability in Nokia Series 60 Nokia Symbian 60 allows remote attackers to cause a denial of service (phone restart) via a Bluetooth nickname. | 5.0 |
| 2005-03-05 | CVE-2005-0688 | Microsoft | Unspecified vulnerability in Microsoft Windows 2003 Server and Windows XP Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). | 5.0 |
| 2005-03-01 | CVE-2005-0632 | Phpnews | Remote File Include vulnerability in PHPnews 1.2.3/1.2.4 PHP remote file inclusion vulnerability in auth.php in PHPNews 1.2.4 and possibly 1.2.3, allows remote attackers to execute arbitrary PHP code via the path parameter. | 5.0 |
| 2005-03-01 | CVE-2005-0622 | Raidenhttpd | Remote Security vulnerability in Raidenhttpd 1.1.32 RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to view the PHP source code via an HTTP GET request for a filename with a trailing (1) . | 5.0 |
| 2005-03-01 | CVE-2004-1007 | Bogofilter Ubuntu | The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7 allows remote attackers to cause a denial of service (application crash) via mail headers that cause a line feed (LF) to be replaced by a null byte that is written to an incorrect memory address. | 5.0 |
| 2005-03-01 | CVE-2004-1003 | Trend Micro | Unspecified vulnerability in Trend Micro Scanmail Domino 2.51/2.6 Trend ScanMail allows remote attackers to obtain potentially sensitive information or disable the anti-virus capability via the smency.nsf file. | 5.0 |
| 2005-03-01 | CVE-2004-0988 | Apple | Unspecified vulnerability in Apple Quicktime Integer overflow on Apple QuickTime before 6.5.2, when running on Windows systems, allows remote attackers to cause a denial of service (memory consumption) via certain inputs that cause a large memory operation. | 5.0 |
| 2005-03-01 | CVE-2004-0983 | Yukihiro Matsumoto Gentoo Mandrakesoft Ubuntu | Denial Of Service vulnerability in Yukihiro Matsumoto Ruby CGI Module The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request. | 5.0 |
| 2005-02-28 | CVE-2005-0613 | Fckeditor | Unspecified vulnerability in Fckeditor 2.0Rc2 Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, allows remote attackers to upload arbitrary files. | 5.0 |
| 2005-02-28 | CVE-2004-0945 | Mitel | Denial-Of-Service vulnerability in Mitel 3300 Integrated Communication Platform The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 allows remote authenticated users to cause a denial of service (resource exhaustion) via a large number of active sessions, which exceeds ICP's maximum. | 5.0 |
| 2005-03-05 | CVE-2005-0109 | Freebsd Redhat SCO SUN Ubuntu | Information Disclosure vulnerability in Multiple Vendor Hyper-Threading Technology Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. | 4.7 |
| 2005-03-02 | CVE-2005-0640 | Broadcom | Unspecified vulnerability in Broadcom Unicenter Asset Management 4.0 Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 does not properly initialize the "Change Credentials for Database" window, which allows local users to recover the SQL Admin password via certain methods. | 4.6 |
| 2005-03-01 | CVE-2004-1001 | Debian | Unspecified vulnerability in Debian Shadow 4.0.4.1 Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled. | 4.6 |
| 2005-03-06 | CVE-2005-0692 | PHP Fusion | Cross-Site Scripting vulnerability in PHP Fusion PHP Fusion 5.0 Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript. | 4.3 |
| 2005-03-03 | CVE-2005-0674 | PHP Arena | HTML Injection vulnerability in PHP Arena Pabox 1.6 Cross-site scripting (XSS) vulnerability in the News module for paBox 1.6 allows remote attackers to inject arbitrary web script or HTML via the text hidden parameter in an HTTP POST request. | 4.3 |
| 2005-03-02 | CVE-2005-0641 | Broadcom | Unspecified vulnerability in Broadcom Unicenter Asset Management 4.0 Cross-site scripting (XSS) vulnerability in the Reporter for Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 allows remote attackers to inject arbitrary HTML or web script via the (1) name or (2) description in a report template. | 4.3 |
| 2005-03-01 | CVE-2005-0629 | 427Bb | Remote HTML Injection vulnerability in 427BB Multiple cross-site scripting (XSS) vulnerabilities in profile.php in 427BB 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) Avatar parameters. | 4.3 |
| 2005-03-01 | CVE-2005-0628 | Demof | Remote Input Validation vulnerability in Demof Forumwa V1 Multiple cross-site scripting (XSS) vulnerabilities in Forumwa 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in search.php or the (2) body or (3) subject of a forum message. | 4.3 |
| 2005-02-28 | CVE-2005-0616 | Postnuke Software Foundation | Cross-Site Scripting vulnerability in Download module for PostNuke Multiple cross-site scripting (XSS) vulnerabilities in the Download module for PostNuke 0.750 and 0.760-RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) Program name, (2) File link, (3) Author name (4) Author e-mail address, (5) File size, (6) Version, or (7) Home page variables. | 4.3 |
10 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-03-04 | CVE-2005-0593 | Mozilla | Remote vulnerability in Mozilla Suite Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site. | 2.6 |
| 2005-03-02 | CVE-2005-0620 | Bfriendly COM | Local Security vulnerability in Einstein Einstein 1.0 stores credit card information in plaintext in the world-readable wallets.dat file, which allows local users to steal the information. | 2.1 |
| 2005-03-01 | CVE-2005-0631 | Pblang | Unspecified vulnerability in Pblang delpm.php in PBLang 4.63 allows remote authenticated users to delete arbitrary PM files by modifying the "id" and "a" parameters. | 2.1 |
| 2005-03-01 | CVE-2005-0630 | Pblang | Directory Traversal vulnerability in PBLang Bulletin Board System sendpm.php in PBLang 4.63 allows remote authenticated users to read arbitrary files via a full pathname in the orig parameter. | 2.1 |
| 2005-03-01 | CVE-2004-1033 | Thibault Godouet Gentoo | Local vulnerability in Fcron FCronTab/FCronSighUp Fcron 2.0.1, 2.9.4, and possibly earlier versions leak file descriptors of open files, which allows local users to bypass access restrictions and read fcron.allow and fcron.deny via the EDITOR environment variable. | 2.1 |
| 2005-03-01 | CVE-2004-1032 | Thibault Godouet Gentoo | fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters such that fcronsighup does not properly append the intended fcrontab.sig to the resulting string. | 2.1 |
| 2005-03-01 | CVE-2004-1030 | Thibault Godouet Gentoo | Local vulnerability in Fcron FCronTab/FCronSighUp fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to gain sensitive information by calling fcronsighup with an arbitrary file, which reveals the contents of the file that can not be parsed in an error message. | 2.1 |
| 2005-02-28 | CVE-2005-0625 | Debian | Information Disclosure vulnerability in Debian Reportbug 2.60/2.61/3.2 reportbug 3.2 includes settings from .reportbugrc in bug reports, which exposes sensitive information such as smtpuser and smtppasswd. | 2.1 |
| 2005-02-28 | CVE-2005-0624 | Debian | Local Security vulnerability in Debian Reportbug 2.60/2.61 reportbug before 2.62 creates the .reportbugrc configuration file with world-readable permissions, which allows local users to obtain email smarthost passwords. | 2.1 |
| 2005-02-28 | CVE-2005-0619 | Bfriendly COM | Information Disclosure vulnerability in Einstein Einstein 1.0.1 stores sensitive information such as usernames and passwords in plaintext in the registry, which allows local users to gain privileges. | 2.1 |