Weekly Vulnerabilities Reports > March 7 to 13, 2005

Overview

39 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary reports vulnerabilities in 58 products from 38 vendors including Linux, Redhat, Conectiva, Ethereal Group, and Hosting Controller. The most common categories are "Code Injection" and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 29 reported vulnerabilities are remotely exploitable.
  • 39 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 5 reported vulnerabilities.

SUMMARY (counts for this period; "n/a" where the page gives no figure)

Total vulnerabilities: 39
Critical risk vulnerabilities: 0
High risk vulnerabilities: 13
Medium risk vulnerabilities: 19
Low risk vulnerabilities: 7
Remotely exploitable: 29
Locally exploitable: n/a
Exploit available: n/a
Exploitable anonymously: 39
Affecting web application: n/a

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity. Each entry gives the report date, CVE identifier, vendor(s), title, description, and CVSS base score:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
(none reported this period)

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-03-07 CVE-2005-0177 Linux Buffer Errors vulnerability in Linux Kernel before 2.6.8.1

nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.

7.8
2005-03-10 CVE-2005-0774 Photopost SQL-Injection vulnerability in PhotoPost PHP Pro 5.0 RC3

SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter.

7.5
2005-03-10 CVE-2005-0748 Webinsta Code Injection vulnerability in Webinsta Mailing Manager 1.3D

PHP remote file inclusion vulnerability in initdb.php for WEBInsta Mailing list manager 1.3d allows remote attackers to execute arbitrary PHP code by modifying the absolute_path parameter to reference a URL on a remote web server that contains the code.

7.5
2005-03-08 CVE-2005-0725 WF Sections SQL-Injection vulnerability in Wf-Sections 1.07

SQL injection vulnerability in the getAllbyArticle function in wfsfiles.php for WF-Sections (wfsections) 1.07 allows remote attackers to execute arbitrary SQL commands via the articleid parameter to article.php.

7.5
2005-03-08 CVE-2005-0720 Mcnews Code Injection vulnerability in Mcnews 1.3

PHP remote file inclusion vulnerability in admin/header.php in PHP mcNews 1.3 allows remote attackers to execute arbitrary PHP code by modifying the skinfile parameter to reference a URL on a remote web server that contains the code.

7.5
2005-03-08 CVE-2005-0699 Ethereal Group, Conectiva, Altlinux, Redhat Buffer Overflow vulnerability in Ethereal RADIUS Authentication Dissection

Multiple buffer overflows in the dissect_a11_radius function in the CDMA A11 (3G-A11) dissector (packet-3g-a11.c) for Ethereal 0.10.9 and earlier allow remote attackers to execute arbitrary code via RADIUS authentication packets with large length values.

7.5
2005-03-08 CVE-2005-0696 Argosoft Remote Buffer Overrun vulnerability in Argosoft FTP Server 1.4.2.29/1.4.2.8/1.4.3.5

Buffer overflow in ArGoSoft FTP Server 1.4.2.8 allows remote authenticated users to execute arbitrary code via a long DELE command.

7.5
2005-03-08 CVE-2005-0685 Outstart Access Validation vulnerability in Outstart Participate Enterprise 3

Multiple access validation errors in OutStart Participate Enterprise (PE) allow remote attackers to (1) browse arbitrary directory trees by modifying the rootFolder parameter to displaynavigator.jsp, (2) rename arbitrary directory objects by modifying the selectedObject parameter to renamepopup.jsp, (3) delete arbitrary directory objects by modifying the selectedObjectsCSV parameter to displaydeletenavigator.jsp, and conduct other unauthorized activities via the (4) showDeleteView, (5) showWebFolderView, (6) showLibraryView, (7) showMyLibraryView, (8) singleSelectObject, (9) processRadioSelection, (10) processCheckboxSelection, (11) singleSelectObject, (12) addToSelectedObjects, or (13) removeFromSelectedObjects commands.

7.5
2005-03-07 CVE-2005-0697 BRT SQL-Injection vulnerability in BRT Copperexport 0.1/0.2

SQL injection vulnerability in the process_picture function in xp_publish.php in CopperExport 0.2.1 allows remote attackers to execute arbitrary SQL commands, possibly via the (1) title, (2) caption, or (3) keywords parameters.

7.5
2005-03-07 CVE-2005-0693 Jowood Productions Remote Buffer Overflow vulnerability in JoWood Chaser 1.0/1.50

Buffer overflow in JoWood Chaser 1.50 and earlier allows remote attackers to cause a denial of service (client or server crash) and execute arbitrary code via a long nickname.

7.5
2005-03-07 CVE-2005-0689 Jimmy Remote Command Execution vulnerability in The Includer 1.0/1.1

includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.

7.5
2005-03-07 CVE-2005-0686 Mlterm Integer Overflow vulnerability in mlterm 2.5.0 through 2.9.1

Integer overflow in mlterm 2.5.0 through 2.9.1, with gdk-pixbuf support enabled, allows remote attackers to execute arbitrary code via a large image file that is used as a background.

7.5
2005-03-07 CVE-2005-0680 Stadtaus Code Injection vulnerability in Download Center Lite 1.6

PHP remote file inclusion vulnerability in download_center_lite.inc.php for Download Center Lite 1.6 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code.

7.5
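Three of the High entries above (CVE-2005-0699 in the Ethereal A11/RADIUS dissector, CVE-2005-0696 in ArGoSoft's DELE handling, CVE-2005-0693 in the Chaser nickname handling) share one mechanism: a length or string that arrives from the network is copied into a fixed-size buffer after a check that never considers the buffer. The following is an added example written for this report, not code from Ethereal, ArGoSoft or JoWood. It uses a hypothetical attribute layout ([type:1][len:1][value:len], a simplification of RADIUS-style attributes), a hypothetical 64-byte dissector buffer (ATTR_MAX) and constructed sample packets; the unsafe check is kept as a predicate rather than an actual out-of-bounds memcpy so the program runs cleanly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_MAX 64   /* hypothetical fixed dissector buffer (assumption) */

/* Hypothetical attribute layout: [type:1][len:1][value:len]; len covers the
 * value only. Not the real RADIUS or FTP command framing. */

/* The failing pattern: the check asks only whether the packet holds len
 * bytes, never whether the destination does. A wire len of 65..255 passes,
 * and a memcpy that follows such a check writes past a 64-byte buffer. */
int len_check_unsafe(size_t pkt_len, unsigned len)
{
    return pkt_len >= 2 && pkt_len - 2 >= len;
}

/* Hardened: len must fit both the packet and the destination (strictly
 * less than out_sz, to leave room for the terminating NUL). */
int len_check_safe(size_t pkt_len, unsigned len, size_t out_sz)
{
    return pkt_len >= 2 && pkt_len - 2 >= len && len < out_sz;
}

/* Bounded parser. Returns the value length, or -1 if the attribute is
 * truncated or too large for out; never writes more than out_sz bytes. */
int parse_attr(const uint8_t *pkt, size_t pkt_len,
               char *out, size_t out_sz, uint8_t *type)
{
    if (pkt_len < 2) return -1;
    unsigned len = pkt[1];
    if (!len_check_safe(pkt_len, len, out_sz)) return -1;
    *type = pkt[0];
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample input: a well-formed attribute with a 5-byte value. */
static const uint8_t good_pkt[] = { 0x01, 0x05, 'a', 'd', 'm', 'i', 'n' };

/* Constructed attacker input: the packet really carries 200 value bytes (so
 * the old check is satisfied) but far more than ATTR_MAX. buf needs 202 bytes. */
size_t build_oversized(uint8_t *buf)
{
    buf[0] = 0x01;
    buf[1] = 200;
    memset(buf + 2, 'A', 200);
    return 202;
}

/* Wrappers that return the results discussed below. */
int demo_good(void)              /* 5 when value, type and length all parse */
{
    char out[ATTR_MAX]; uint8_t type;
    int n = parse_attr(good_pkt, sizeof good_pkt, out, sizeof out, &type);
    return (n == 5 && type == 1 && strcmp(out, "admin") == 0) ? n : -2;
}

int demo_oversized_unsafe(void)  /* 1: the old check lets len = 200 through */
{
    uint8_t big[202];
    size_t n = build_oversized(big);
    return len_check_unsafe(n, big[1]);
}

int demo_oversized_bounded(void) /* -1: the bounded parser refuses the packet */
{
    uint8_t big[202]; char out[ATTR_MAX]; uint8_t type;
    size_t n = build_oversized(big);
    return parse_attr(big, n, out, sizeof out, &type);
}

int main(void)
{
    printf("well-formed attribute parsed, length %d\n", demo_good());
    printf("unsafe check accepts a 200-byte value for a 64-byte buffer: %d\n",
           demo_oversized_unsafe());
    printf("bounded parser result for the same packet: %d\n",
           demo_oversized_bounded());
    return 0;
}
```

The point of the second check is that it binds the copy to the smaller of two limits, what the packet actually contains and what the destination can hold; a dissector that only validates against the packet is exactly the case the descriptions above call "large length values".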

19 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-03-07 CVE-2005-0178 Netkit, Vserver, Linux Race Condition vulnerability in Linux Kernel setsid

Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.

6.2
2005-03-07 CVE-2005-0667 Sylpheed, Sylpheed Claws, Altlinux, Gentoo, Redhat Buffer Overflow vulnerability in Sylpheed before 1.0.3 and 1.9.x before 1.9.5

Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message.

5.1
2005-03-12 CVE-2005-0780 PHP Arena Path Disclosure vulnerability in PHP Arena paFileDB 3.1 and earlier

paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) auth.php, (2) login.php, (3) category.php, (4) file.php, (5) team.php, (6) license.php, (7) custom.php, (8) admins.php, or (9) backupdb.php, which reveal the path in a PHP error message.

5.0
2005-03-12 CVE-2005-0765 Ethereal Group Denial-of-Service vulnerability in Ethereal 0.10.9 JXTA Dissector

Unknown vulnerability in the JXTA dissector in Ethereal 0.10.9 allows remote attackers to cause a denial of service (application crash).

5.0
2005-03-10 CVE-2005-0731 PY Software Denial-Of-Service vulnerability in PY Software Active Webcam 5.5

PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to Filelist.html.

5.0
2005-03-08 CVE-2005-0747 Applyyourself Information Disclosure vulnerability in I-Class

ApplyYourself i-Class allows remote attackers to obtain sensitive information about their own applications by reusing the hidden ID field, as demonstrated using the id parameter to ApplicantDecision.asp.

5.0
2005-03-07 CVE-2005-0722 Experience2 Path Disclosure vulnerability in eXPerience2

eXPerience2 allows remote attackers to obtain the full path for the web root via a direct request to modules.php without any parameters, which leaks the path in a PHP error message.

5.0
2005-03-07 CVE-2005-0703 Xerox Unauthenticated Configuration Access vulnerability in WorkCentre 40 Color and other WorkCentre products

Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, has an "unauthenticated account," which allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-1179.

5.0
2005-03-07 CVE-2005-0702 Phpmyfaq SQL-Injection vulnerability in phpMyFAQ

SQL injection vulnerability in phpMyFAQ 1.4 and 1.5 allows remote attackers to add FAQ records to the database via the username field in forum messages.

5.0
2005-03-07 CVE-2005-0701 Oracle Directory Traversal vulnerability in Oracle Database Server UTL_FILE

Directory traversal vulnerability in Oracle Database Server 8i and 9i allows remote attackers to read or rename arbitrary files via "\\.\\.." (modified dot dot backslash) sequences to UTL_FILE functions such as (1) UTL_FILE.FOPEN or (2) UTL_FILE.frename.

5.0
2005-03-07 CVE-2005-0700 Aztek Forum Information Disclosure vulnerability in Aztek Forum 4.0

The export_index action in myadmin.php for Aztek Forum 4.0 allows remote attackers to obtain database files, possibly by setting the ATK_ADMIN cookie.

5.0
2005-03-07 CVE-2005-0695 Hosting Controller E-mail Address Disclosure vulnerability in Hosting Controller

The password recovery feature (forgotpassword.asp) in Hosting Controller 6.1 Hotfix 1.7 and earlier allows remote attackers to determine the owner's e-mail address by providing a portion of the domain name to the "login ID" field.

5.0
2005-03-07 CVE-2005-0694 Hosting Controller Information Disclosure vulnerability in Hosting Controller

Hosting Controller 6.1 Hotfix 1.7 and earlier stores log files under the web root, which allows remote attackers to obtain sensitive information via a direct request to HCDiskQuotaService.csv.

5.0
2005-03-09 CVE-2005-0745 Utstarcom Local Access Restriction Bypass vulnerability in iAN-02EX VoIP ATA

UTStarcom iAN-02EX VoIP Analog Terminal Adaptor (ATA) allows local users to bypass ATA access restrictions by dialing "*#26845#" and causing a device reset.

4.6
2005-03-08 CVE-2005-0098 Abuse Local Buffer Overflow vulnerability in Abuse-SDL before 2.00

Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before 2.00 allow local users to execute arbitrary code via the command line.

4.6
2005-03-07 CVE-2005-0698 Jason Hines Remote File Include vulnerability in Jason Hines PHPWebLog

PHP remote file inclusion vulnerability in PHPWebLog 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) G_PATH parameter to init.inc.php or the (2) PATH parameter to index.php to reference a URL on a remote web server that contains the code.

4.6
2005-03-08 CVE-2005-0741 Yabb Remote UsersRecentPosts Cross-Site Scripting vulnerability in Yabb 2.0Rc1

Cross-site scripting (XSS) vulnerability in YaBB.pl for YaBB 2.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a usersrecentposts action.

4.3
2005-03-08 CVE-2005-0723 PHP Arena Cross-Site Scripting vulnerability in PHP Arena Pafiledb 3.1

Cross-site scripting (XSS) vulnerability in the jumpmenu function in functions.php for paFileDB 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameters, which is not properly cleansed in the $pageurl variable, as demonstrated using pafiledb.php.

4.3
2005-03-07 CVE-2005-0548 SUN Cross-Site Scripting vulnerability in SUN Solaris AnswerBook2

Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search function.

4.3

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-03-07 CVE-2005-0180 Linux Integer Overflow vulnerability in Linux Kernel SCSI IOCTL

Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.

3.6
2005-03-08 CVE-2005-0626 Squid Information Disclosure vulnerability in Squid 2.5.Stable5/2.5.Stable6/2.5.Stable7

Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies.

2.6
2005-03-09 CVE-2005-0736 Conectiva, Linux, Redhat Local Integer Overflow vulnerability in Linux Kernel sys_epoll_wait

Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.

2.1
2005-03-09 CVE-2005-0719 HP Denial Of Service vulnerability in HP Tru64 Message Queue Local

Unknown vulnerability in the system message queue in HP Tru64 Unix 4.0F PK8 through 5.1B-2/PK4 allows local users to cause a denial of service (process crash) for processes such as nfsstat, pfstat, arp, ogated, rarpd, route, sendmail, srconfig, strsetup, trpt, netstat, and xntpd.

2.1
2005-03-08 CVE-2005-0099 Abuse Insecure File Creation vulnerability in Abuse-SDL before 2.00

The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop privileges before creating certain files, which allows local users to create or overwrite arbitrary files.

2.1
2005-03-07 CVE-2005-0690 Gene6 Local Privilege Escalation vulnerability in Gene6 FTP Server Control Console

Gene6 FTP Server does not properly restrict access to the control console, which allows local users to modify the server configuration and gain privileges, as demonstrated by defining a SITE command.

2.1
2005-03-07 CVE-2005-0179 Linux Denial of Service and RLIM_MEMLOCK Bypass vulnerability in Linux Kernel mlockall

Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.

2.1
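Two kernel entries in this section describe integer checks that are present but wrong: CVE-2005-0180 (sg_scsi_ioctl), where a signed length passes a maximum-length comparison as a negative number and then reaches copy_from_user/copy_to_user as a huge unsigned count, and CVE-2005-0736 (sys_epoll_wait), where an event count multiplied by the event size wraps to a small allocation. CVE-2005-0686 (mlterm, in the High section) is the same multiplication pattern applied to image dimensions. The following is an added example written for this report, not kernel or mlterm code; MAX_TRANSFER, EVENT_SIZE and the function names are assumptions chosen to illustrate the shape of each check, and the arithmetic assumes 32-bit unsigned int, as on every mainstream platform.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* --- 1. Signedness (the sg_scsi_ioctl pattern) ------------------------ */

#define MAX_TRANSFER 4096   /* hypothetical cap on a caller-supplied length */

/* Failing form: the length and the comparison are signed, so a negative
 * value is "below the maximum" and reaches the copy routine. */
int transfer_len_ok_signed(int len)
{
    return len <= MAX_TRANSFER;            /* -1 <= 4096 holds */
}

/* Fixed form: reject negatives before the magnitude check (equivalently,
 * compare as unsigned, where -1 becomes 4294967295 and fails). */
int transfer_len_ok_fixed(int len)
{
    return len >= 0 && len <= MAX_TRANSFER;
}

/* The count a copy_from_user/copy_to_user-style routine would actually
 * receive: the same bits reinterpreted as an unsigned size. */
size_t copy_count_as_seen(int len)
{
    return (size_t)len;                    /* (size_t)-1 == SIZE_MAX */
}

/* --- 2. Multiplication overflow (sys_epoll_wait / mlterm pattern) ------ */

#define EVENT_SIZE 12u   /* hypothetical sizeof(struct epoll_event), assumption */

/* Failing form: count * size computed in 32 bits wraps, so a huge request
 * yields a small (here zero) byte count that a later fill overruns. */
unsigned events_bytes_unchecked(unsigned maxevents)
{
    return maxevents * EVENT_SIZE;         /* (1u << 30) * 12 wraps to 0 */
}

/* Fixed form: refuse counts that cannot be multiplied without wrapping,
 * the same shape as bounding maxevents by a maximum derived from the
 * element size. Returns -1 on rejection, else the byte count. */
long long events_bytes_checked(unsigned maxevents)
{
    if (maxevents == 0 || maxevents > UINT_MAX / EVENT_SIZE) return -1;
    return (long long)(maxevents * EVENT_SIZE);
}

/* General form for image buffers: check every multiplication, so a
 * width x height x bytes-per-pixel request cannot wrap at any step. */
int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

long long image_bytes_checked(unsigned width, unsigned height, unsigned bpp)
{
    size_t row, total;
    if (!mul_checked(width, bpp, &row) || !mul_checked(row, height, &total))
        return -1;
    if (total > (unsigned long long)LLONG_MAX) return -1;
    return (long long)total;
}

int main(void)
{
    printf("len -1: signed check %d, fixed check %d, copy would see %zu bytes\n",
           transfer_len_ok_signed(-1), transfer_len_ok_fixed(-1),
           copy_count_as_seen(-1));
    printf("1<<30 events: unchecked %u bytes, checked %lld\n",
           events_bytes_unchecked(1u << 30), events_bytes_checked(1u << 30));
    printf("4294967295 x 4294967295 x 4 image: %lld\n",
           image_bytes_checked(0xFFFFFFFFu, 0xFFFFFFFFu, 4));
    return 0;
}
```

In both cases the defect is not a missing check but a check evaluated in the wrong domain: a signed comparison where the consumer is unsigned, or a product compared after it has already wrapped. The fix is to validate the value in the form the consumer will actually use, before any arithmetic on it.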