Weekly Vulnerabilities Reports > April 11 to 17, 2005
Overview
53 new vulnerabilities were reported during this period, including 2 critical vulnerabilities and 20 high severity vulnerabilities. This weekly summary reports vulnerabilities in 71 products from 47 vendors including Suse, Redhat, Debian, Gentoo, and Midnight Commander. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", "Resource Management Errors", "Integer Overflow or Wraparound", and "Link Following".
- 43 reported vulnerabilities are remotely exploitable.
- 53 reported vulnerabilities are exploitable by an anonymous user.
- Suse has the most reported vulnerabilities, with 13 reported vulnerabilities.
- Optical Character Recognition Project has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
2 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-04-12 | CVE-2005-1099 | Salim Gasmi | Unspecified vulnerability in Salim Gasmi GLD. Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code. | 10.0 |
2005-04-15 | CVE-2005-1141 | Optical Character Recognition Project | Integer Overflow or Wraparound vulnerability in Optical Character Recognition Project Optical Character Recognition 0.40. Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when using the netpbm library, allows remote attackers to execute arbitrary code via a PNM file with large width and height values, which leads to a heap-based buffer overflow. | 9.8 |
20 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-04-15 | CVE-2005-1308 | Inter7 | Unspecified vulnerability in Inter7 Sqwebmail. SqWebMail allows remote attackers to inject arbitrary web script or HTML via CRLF sequences in the redirect parameter followed by the desired script or HTML. | 7.5 |
2005-04-15 | CVE-2005-1142 | Gocr | Remote Security vulnerability in Optical Character Recognition Utility. Heap-based buffer overflow in the readpgm function in pnm.c for GOCR 0.40, when it is not using netpbm, allows remote attackers to execute arbitrary code via a P3 format PNM file with more data than implied by its width and height values. | 7.5 |
2005-04-14 | CVE-2005-1139 | Opera | Unspecified vulnerability in Opera Browser 8.0. Opera 8 Beta 3, when using first-generation vetted digital certificates, displays the Organizational information of an SSL certificate, which is easily spoofed and can facilitate phishing attacks. | 7.5 |
2005-04-14 | CVE-2005-1122 | Monkey Project | Use of Externally-Controlled Format String vulnerability in Monkey-Project Monkey. Format string vulnerability in cgi.c for Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request containing double-encoded format string specifiers (aka "double expansion error"). | 7.5 |
2005-04-14 | CVE-2005-0130 | Berlios | Remote vulnerability in Berlios Konversation 0.15. Certain Perl scripts in Konversation 0.15 allow remote attackers to execute arbitrary commands via shell metacharacters in (1) channel names or (2) song names that are not properly quoted when the user runs IRC scripts. | 7.5 |
2005-04-14 | CVE-2005-0129 | Berlios | Remote vulnerability in Berlios Konversation 0.15. The Quick Buttons feature in Konversation 0.15 allows remote attackers to execute certain IRC commands via a channel name containing "%" variables, which are recursively expanded by the Server::parseWildcards function when the Part Button is selected. | 7.5 |
2005-04-14 | CVE-2004-1176 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. | 7.5 |
2005-04-14 | CVE-2004-1175 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | fish.c in Midnight Commander allows remote attackers to execute arbitrary programs via "insecure filename quoting," possibly using shell metacharacters. | 7.5 |
2005-04-14 | CVE-2004-1005 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact. | 7.5 |
2005-04-14 | CVE-2004-1004 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Multiple format string vulnerabilities in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact. | 7.5 |
2005-04-13 | CVE-2005-1149 | Acnews | SQL Injection vulnerability in ACNews Login.ASP. SQL injection vulnerability in admin/login.asp in aspclick.it ACNews 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters. | 7.5 |
2005-04-13 | CVE-2005-1134 | S9Y | SQL injection vulnerability in S9Y Serendipity Exit.PHP. SQL injection vulnerability in exit.php for Serendipity 0.8 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) url_id or (2) entry_id parameters. | 7.5 |
2005-04-12 | CVE-2005-1078 | Xampp | Unspecified vulnerability in Xampp Apache Distribution. XAMPP 1.4.x has multiple default or null passwords, which allows attackers to gain privileges. | 7.5 |
2005-04-12 | CVE-2005-1071 | Jportal | SQL injection vulnerability in banner.inc.php in JPortal Web Portal 2.3.1 allows remote attackers to execute arbitrary SQL commands via the haslo parameter. | 7.5 |
2005-04-12 | CVE-2005-0562 | Microsoft | Unspecified vulnerability in Microsoft MSN Messenger 6.2. GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width. | 7.5 |
2005-04-12 | CVE-2005-0555 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 5.01/5.5/6.0. Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." | 7.5 |
2005-04-11 | CVE-2005-1070 | Invision Power Services | SQL Injection vulnerability in Invision Power Board ST Parameter. SQL injection vulnerability in index.php in Invision Power Board 1.3.1 Final and earlier allows remote attackers to execute arbitrary SQL commands via the st parameter. | 7.5 |
2005-04-14 | CVE-2005-0020 | Playmidi Mandrakesoft | Local Buffer Overflow vulnerability in PlayMidi. Buffer overflow in playmidi before 2.4 allows local users to execute arbitrary code. | 7.2 |
2005-04-14 | CVE-2005-0016 | Gatos | Unspecified vulnerability in Gatos 0.0.5. Buffer overflow in the exported_display function in xatitv in gatos before 0.0.5 allows local users to execute arbitrary code. | 7.2 |
2005-04-12 | CVE-2005-0610 | Freebsd | Local Insecure Temporary File Handling vulnerability in FreeBSD PortUpgrade. Multiple symlink vulnerabilities in portupgrade before 20041226_2 in FreeBSD allow local users to (1) overwrite arbitrary files and possibly replace packages to execute arbitrary code via pkg_fetch, (2) overwrite arbitrary files via temporary files when portupgrade upgrades a port or package, or (3) create arbitrary zero-byte files via the pkgdb.fixme temporary file. | 7.2 |
27 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-04-14 | CVE-2004-1235 | Avaya Linux Mandrakesoft Redhat Suse Ubuntu Conectiva | Local Privilege Escalation vulnerability in Linux kernel Uselib(). Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.4.29-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor. | 6.2 |
2005-04-14 | CVE-2005-1136 | Sphpblog | Information Disclosure vulnerability in Sphpblog 0.4.0. Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) config.txt files under the web document root, which allows remote attackers to obtain sensitive information and crack passwords via a direct request to these files. | 5.0 |
2005-04-14 | CVE-2005-1043 | PHP SGI Conectiva Apple Peachtree Suse | exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion. | 5.0 |
2005-04-14 | CVE-2005-0718 | Squid | Remote Denial Of Service vulnerability in Squid Proxy Aborted Connection. Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory. | 5.0 |
2005-04-14 | CVE-2005-0131 | Berlios | Remote vulnerability in Berlios Konversation 0.15. The Quick Connection dialog in Konversation 0.15 inadvertently uses the user-provided password as the nickname instead of the user-provided nickname when connecting to the IRC server, which could leak the password to other users. | 5.0 |
2005-04-14 | CVE-2005-0112 | 3Com | Information Disclosure vulnerability in 3Com OfficeConnect Wireless 11g Access Point 3Crwe454G72 1.0.2/1.0.2.11/1.0.3.5. The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin, (2) profile.wlp?PN=ggg or (3) event.logs URLs. | 5.0 |
2005-04-14 | CVE-2005-0082 | Mysql | Denial-Of-Service vulnerability in MaxDB. The sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via invalid parameters to the WebDAV handler code, which triggers a null dereference that causes the SAP DB Web Agent to crash. | 5.0 |
2005-04-14 | CVE-2005-0081 | Mysql | Unspecified vulnerability in Mysql Maxdb. MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via an HTTP request with invalid headers. | 5.0 |
2005-04-14 | CVE-2004-1174 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows attackers to cause a denial of service by "manipulating non-existing file handles." | 5.0 |
2005-04-14 | CVE-2004-1093 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "use of already freed memory." | 5.0 |
2005-04-14 | CVE-2004-1092 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by causing mc to free unallocated memory. | 5.0 |
2005-04-14 | CVE-2004-1091 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by triggering a null dereference. | 5.0 |
2005-04-14 | CVE-2004-1090 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "a corrupt section header." | 5.0 |
2005-04-14 | CVE-2004-1009 | Midnight Commander Debian Gentoo Redhat Suse Turbolinux | Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors. | 5.0 |
2005-04-12 | CVE-2005-1147 | Calendarscript | calendar.pl in CalendarScript 3.20 allows remote attackers to obtain sensitive information via invalid (1) calendar or (2) template parameters, which leaks the full pathname and debug information. | 5.0 |
2005-04-12 | CVE-2005-1144 | Easyphpcalendar | Information Disclosure vulnerability in EasyPHPCalendar. popup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to obtain sensitive information via an invalid ev parameter, which reveals the full pathname of the web server in a PHP error message. | 5.0 |
2005-04-12 | CVE-2004-0791 | SUN | Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP. Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. | 5.0 |
2005-04-12 | CVE-2004-0790 | Microsoft SUN | Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP. Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. | 5.0 |
2005-04-11 | CVE-2005-1089 | DC | Unspecified vulnerability in Dc++. Unknown vulnerability in DC++ before 0.674 allows attackers to append data to arbitrary files. | 5.0 |
2005-04-14 | CVE-2005-0004 | Oracle Debian Mariadb | Link Following vulnerability in multiple products. The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files. | 4.6 |
2005-04-14 | CVE-2004-1181 | Toshiaki Kanosue | Symbolic Link vulnerability in Toshiaki Kanosue Htmlheadline 21.8. htmlheadline before 21.8 allows local users to overwrite arbitrary files via a symlink attack on temporary files. | 4.6 |
2005-04-12 | CVE-2005-1103 | Sygate Technologies | Unspecified vulnerability in Sygate Technologies Security Agent. Sygate Security Agent (SSA) in Sygate Secure Enterprise 3.5 through 4.1 does not prevent the security policy from being updated by unprivileged users, which allows local users to modify the policy by exporting the policy file, changing it, and importing it back into SSA. | 4.6 |
2005-04-15 | CVE-2005-1140 | Mywebland | HTML Injection vulnerability in Mywebland Mybloggie 2.1.1. Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the comments. | 4.3 |
2005-04-14 | CVE-2005-1118 | RSA | Remote Cross-Site Scripting vulnerability in RSA Authentication Agent for Web 5.2. Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the RSA Authentication Agent for Web 5.2 allows remote attackers to inject arbitrary web script or HTML via the postdata parameter. | 4.3 |
2005-04-12 | CVE-2005-1143 | Easyphpcalendar | Cross-Site Scripting vulnerability in EasyPHPCalendar. Cross-site scripting (XSS) vulnerability in index.php in EasyPHPCalendar before 6.2.8 allows remote attackers to inject arbitrary web script or HTML via the yr parameter. | 4.3 |
2005-04-12 | CVE-2005-1130 | Desert DOG Software | Cross-Site Scripting vulnerability in Pinnacle Cart. Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart allows remote attackers to inject arbitrary web script or HTML via the pg parameter. | 4.3 |
2005-04-12 | CVE-2005-1077 | Xampp | Remote HTML Injection vulnerability in XAMPP CDS.PHP. Multiple cross-site scripting (XSS) vulnerabilities in XAMPP 1.4.x allow remote attackers to inject arbitrary web script or HTML via (1) cds.php, (2) Guestbook-EN.pl, or (3) phonebook.php. | 4.3 |
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-04-13 | CVE-2005-1301 | Nprotect | Remote Security vulnerability in Nprotect Netizen 2005.3.17.1. nProtect:Netizen 2005.3.17.1 does not properly verify that the update module is downloaded from an authorized site, which allows remote malicious web sites to write arbitrary files. | 2.6 |
2005-04-15 | CVE-2005-1126 | Freebsd | Resource Management Errors vulnerability in Freebsd. The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 and 5.x through 5.4 does not properly clear a buffer before using it, which allows local users to obtain portions of sensitive kernel memory. | 2.1 |
2005-04-14 | CVE-2005-0124 | Linux | Local Buffer Overflow vulnerability in Linux Kernel Coda_Pioctl. The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow. | 2.1 |
2005-04-14 | CVE-2004-1237 | Linux Redhat Suse | Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors. | 2.1 |