Weekly Vulnerabilities Reports > April 11 to 17, 2005

Overview

57 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary report vulnerabilities in 70 products from 45 vendors including Redhat, Suse, Debian, Gentoo, and Midnight Commander. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", and "Resource Management Errors".

  • 45 reported vulnerabilities are remotely exploitables.
  • 57 reported vulnerabilities are exploitable by an anonymous user.
  • Redhat has the most reported vulnerabilities, with 15 reported vulnerabilities.
  • Salim Gasmi has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-04-12 CVE-2005-1099 Salim Gasmi Unspecified vulnerability in Salim Gasmi GLD

Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.

10.0

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-04-15 CVE-2005-1308 Inter7 Unspecified vulnerability in Inter7 Sqwebmail

SqWebMail allows remote attackers to inject arbitrary web script or HTML via CRLF sequences in the redirect parameter followed by the desired script or HTML.

7.5
2005-04-15 CVE-2005-1142 Gocr Remote Security vulnerability in Optical Character Recognition Utility

Heap-based buffer overflow in the readpgm function in pnm.c for GOCR 0.40, when it is not using netpbm, allows remote attackers to execute arbitrary code via a P3 format PNM file with more data than implied by its width and height values.

7.5
2005-04-15 CVE-2005-1141 Gocr Remote Security vulnerability in Optical Character Recognition Utility

Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when using the netpbm library, allows remote attackers to execute arbitrary code via a PNM file with large width and height values, which leads to a heap-based buffer overflow.

7.5
2005-04-14 CVE-2005-1139 Opera Software Unspecified vulnerability in Opera Software Opera web Browser 8Beta3

Opera 8 Beta 3, when using first-generation vetted digital certificates, displays the Organizational information of an SSL certificate, which is easily spoofed and can facilitate phishing attacks.

7.5
2005-04-14 CVE-2005-1122 Monkey Project USE of Externally-Controlled Format String vulnerability in Monkey-Project Monkey

Format string vulnerability in cgi.c for Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request containing double-encoded format string specifiers (aka "double expansion error").

7.5
2005-04-14 CVE-2005-0130 Berlios Remote vulnerability in Berlios Konversation 0.15

Certain Perl scripts in Konversation 0.15 allow remote attackers to execute arbitrary commands via shell metacharacters in (1) channel names or (2) song names that are not properly quoted when the user runs IRC scripts.

7.5
2005-04-14 CVE-2005-0129 Berlios Remote vulnerability in Berlios Konversation 0.15

The Quick Buttons feature in Konversation 0.15 allows remote attackers to execute certain IRC commands via a channel name containing "%" variables, which are recursively expanded by the Server::parseWildcards function when the Part Button is selected.

7.5
2005-04-14 CVE-2004-1176 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code.
7.5
2005-04-14 CVE-2004-1175 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
fish.c in midnight commander allows remote attackers to execute arbitrary programs via "insecure filename quoting," possibly using shell metacharacters.
7.5
2005-04-14 CVE-2004-1005 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact.
7.5
2005-04-14 CVE-2004-1004 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Multiple format string vulnerabilities in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact.
7.5
2005-04-13 CVE-2005-1149 Acnews SQL Injection vulnerability in ACNews Login.ASP

SQL injection vulnerability in admin/login.asp in aspclick.it ACNews 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters.

7.5
2005-04-13 CVE-2005-1134 S9Y SQL injection vulnerability in S9Y Serendipity Exit.PHP

SQL injection vulnerability in exit.php for Serendipity 0.8 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) url_id or (2) entry_id parameters.

7.5
2005-04-12 CVE-2005-1078 Xampp Unspecified vulnerability in Xampp Apache Distribution

XAMPP 1.4.x has multiple default or null passwords, which allows attackers to gain privileges.

7.5
2005-04-12 CVE-2005-1071 Jportal SQL injection vulnerability in banner.inc.php in JPortal Web Portal 2.3.1 allows remote attackers to execute arbitrary SQL commands via the haslo parameter.
7.5
2005-04-12 CVE-2005-0562 Microsoft Unspecified vulnerability in Microsoft MSN Messenger 6.2

GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width.

7.5
2005-04-12 CVE-2005-0555 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 5.01/5.5/6.0

Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."

7.5
2005-04-11 CVE-2005-1070 Invision Power Services SQL Injection vulnerability in Invision Power Board ST Parameter

SQL injection vulnerability in index.php in Invision Power Board 1.3.1 Final and earlier allows remote attackers to execute arbitrary SQL commands via the st parameter.

7.5
2005-04-14 CVE-2005-0020 Playmidi
Mandrakesoft
Local Buffer Overflow vulnerability in PlayMidi

Buffer overflow in playmidi before 2.4 allows local users to execute arbitrary code.

7.2
2005-04-14 CVE-2005-0016 Gatos Unspecified vulnerability in Gatos 0.0.5

Buffer overflow in the exported_display function in xatitv in gatos before 0.0.5 allows local users to execute arbitrary code.

7.2
2005-04-12 CVE-2005-0610 Freebsd Local Insecure Temporary File Handling vulnerability in FreeBSD PortUpgrade

Multiple symlink vulnerabilities in portupgrade before 20041226_2 in FreeBSD allow local users to (1) overwrite arbitrary files and possibly replace packages to execute arbitrary code via pkg_fetch, (2) overwrite arbitrary files via temporary files when portupgrade upgrades a port or package, or (3) create arbitrary zero-byte files via the pkgdb.fixme temporary file.

7.2

29 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-04-14 CVE-2004-1235 Avaya
Linux
Mandrakesoft
Redhat
Suse
Ubuntu
Conectiva
Local Privilege Escalation vulnerability in Linux kernel Uselib()

Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.

6.2
2005-04-14 CVE-2005-1136 Sphpblog Information Disclosure vulnerability in Sphpblog 0.4.0

Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) config.txt files under the web document root, which allows remote attackers to obtain sensitive information and crack passwords via a direct request to these files.

5.0
2005-04-14 CVE-2005-1043 PHP
SGI
Conectiva
Apple
Peachtree
Suse
exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion.
5.0
2005-04-14 CVE-2005-0718 Squid Remote Denial Of Service vulnerability in Squid Proxy Aborted Connection

Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory.

5.0
2005-04-14 CVE-2005-0131 Berlios Remote vulnerability in Berlios Konversation 0.15

The Quick Connection dialog in Konversation 0.15 inadvertently uses the user-provided password as the nickname instead of the user-provided nickname when connecting to the IRC server, which could leak the password to other users.

5.0
2005-04-14 CVE-2005-0112 3Com Information Disclosure vulnerability in 3Com OfficeConnect Wireless 11g Access Point 3Crwe454G72 1.0.2/1.0.2.11/1.0.3.5

The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin (2) profile.wlp?PN=ggg or (3) event.logs URLs.

5.0
2005-04-14 CVE-2005-0082 Mysql Denial-Of-Service vulnerability in MaxDB

The sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via invalid parameters to the WebDAV handler code, which triggers a null dereference that causes the SAP DB Web Agent to crash.

5.0
2005-04-14 CVE-2005-0081 Mysql Unspecified vulnerability in Mysql Maxdb

MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via an HTTP request with invalid headers.

5.0
2005-04-14 CVE-2004-1174 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows attackers to cause a denial of service by "manipulating non-existing file handles."
5.0
2005-04-14 CVE-2004-1093 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "use of already freed memory."
5.0
2005-04-14 CVE-2004-1092 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by causing mc to free unallocated memory.
5.0
2005-04-14 CVE-2004-1091 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by triggering a null dereference.
5.0
2005-04-14 CVE-2004-1090 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "a corrupt section header."
5.0
2005-04-14 CVE-2004-1009 Midnight Commander
Debian
Gentoo
Redhat
Suse
Turbolinux
Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors.
5.0
2005-04-12 CVE-2005-1147 Calendarscript calendar.pl in CalendarScript 3.20 allows remote attackers to obtain sensitive information via invalid (1) calendar or (2) template parameters, which leaks the full pathname and debug information.
5.0
2005-04-12 CVE-2005-1144 Easyphpcalendar Information Disclosure vulnerability in EasyPHPCalendar

popup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to obtain sensitive information via an invalid ev parameter, which reveals the full pathname of the web server in a PHP error message.

5.0
2005-04-12 CVE-2004-0791 SUN Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP

Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability.

5.0
2005-04-12 CVE-2004-0790 Microsoft
SUN
Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP

Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability.

5.0
2005-04-11 CVE-2005-1089 DC Unspecified vulnerability in Dc++

Unknown vulnerability in DC++ before 0.674 allows attackers to append data to arbitrary files.

5.0
2005-04-14 CVE-2005-0004 Mysql
Oracle
Debian
Gentoo
Redhat
Local Insecure Temporary File Creation vulnerability in MySQL Database MySQLAccess

The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files.

4.6
2005-04-14 CVE-2004-1181 Toshiaki Kanosue Symbolic Link vulnerability in Toshiaki Kanosue Htmlheadline 21.8

htmlheadline before 21.8 allows local users to overwrite arbitrary files via a symlink attack on temporary files.

4.6
2005-04-12 CVE-2005-1103 Sygate Technologies Unspecified vulnerability in Sygate Technologies Security Agent

Sygate Security Agent (SSA) in Sygate Secure Enterprise 3.5 through 4.1 does not prevent the security policy from being updated by unprivileged users, which allows local users to modify the policy by exporting the policy file, changing it, and importing it back into SSA.

4.6
2005-04-15 CVE-2005-1140 Mywebland HTML Injection vulnerability in Mywebland Mybloggie 2.1.1

Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the comments.

4.3
2005-04-14 CVE-2005-1118 RSA Remote Cross-Site Scripting vulnerability in RSA Authentication Agent for web 5.2

Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the RSA Authentication Agent for Web 5.2 allows remote attackers to inject arbitrary web script or HTML via the postdata parameter.

4.3
2005-04-12 CVE-2005-1146 Calendarscript Unspecified vulnerability in Calendarscript 3.20

** DISPUTED ** NOTE: this issue has been disputed by the vendor.

4.3
2005-04-12 CVE-2005-1145 Calendarscript Unspecified vulnerability in Calendarscript 3.20

** DISPUTED ** NOTE: this issue has been disputed by the vendor.

4.3
2005-04-12 CVE-2005-1143 Easyphpcalendar Cross-Site Scripting vulnerability in EasyPHPCalendar

Cross-site scripting (XSS) vulnerability in index.php in EasyPHPCalendar before 6.2.8 allows remote attackers to inject arbitrary web script or HTML via the yr parameter.

4.3
2005-04-12 CVE-2005-1130 Desert DOG Software Cross-Site Scripting vulnerability in Pinnacle Cart

Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart allows remote attackers to inject arbitrary web script or HTML via the pg parameter.

4.3
2005-04-12 CVE-2005-1077 Xampp Remote HTML Injection vulnerability in XAMPP CDS.PHP

Multiple cross-site scripting (XSS) vulnerabilities in XAMPP 1.4.x allow remote attackers to inject arbitrary web script or HTML via (1) cds.php, (2) Guestbook-EN.pl, or (3) phonebook.php.

4.3

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-04-13 CVE-2005-1301 Nprotect Remote Security vulnerability in Nprotect Netizen 2005.3.17.1

nProtect:Netizen 2005.3.17.1 does not properly verify that the update module is downloaded from an authorized site, which allows remote malicious web sites to write arbitrary files.

2.6
2005-04-15 CVE-2005-1126 Freebsd Resource Management Errors vulnerability in Freebsd

The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 and 5.x through 5.4 does not properly clear a buffer before using it, which allows local users to obtain portions of sensitive kernel memory.

2.1
2005-04-14 CVE-2005-0124 Linux Local Buffer Overflow vulnerability in Linux Kernel Coda_Pioctl

The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.

2.1
2005-04-14 CVE-2005-0003 Avaya
Linux
Mandrakesoft
Redhat
Local Denial of Service vulnerability in Linux Kernel User Triggerable BUG()

The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.

2.1
2005-04-14 CVE-2004-1237 Linux
Redhat
Suse
Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors.
2.1
2005-04-14 CVE-2004-0812 Linux
Redhat
Local TSS Vulnerability For AMD64 And EMT64T Architectures in Linux Kernel

Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with "setting up TSS limits," allows local users to cause a denial of service (crash) and possibly execute arbitrary code.

2.1