Weekly Vulnerabilities Reports > June 6 to 12, 2005

Overview

65 new vulnerabilities were reported during this period, including 1 critical vulnerability and 25 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 58 products from 52 vendors, including Apple, Novell, Yapig, Invision Power Services, and Flatnuke. Vulnerabilities are notably categorized as "Link Following", "Resource Management Errors", "Integer Underflow (Wrap or Wraparound)", "Incorrect Default Permissions", and "Improper Authentication".

  • 51 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 62 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Flexcast has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following table lists the vulnerabilities reported for the period covered by this report:

1 Critical Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2005-06-09 CVE-2005-1897 Flexcast Remote Security vulnerability in Flexcast Audio Video Streaming Server

Unknown vulnerability in FlexCast Audio Video Streaming Server before 2.0 has unknown impact and attack vectors.

10.0

25 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-06-08 CVE-2005-1941 Silvercity Project Incorrect Default Permissions vulnerability in Silvercity Project Silvercity

SilverCity before 0.9.5-r1 installs (1) cgi-styler-form.py, (2) cgi-styler.py, and (3) source2html.py with read and write world permissions, which allows local users to execute arbitrary code.

7.8
2005-06-12 CVE-2005-1959 Jammail Remote Arbitrary Command Execution vulnerability in Jammail 1.8

jammail.pl in jamchen JamMail 1.8 allows remote attackers to execute arbitrary commands via shell metacharacters in the mail parameter.

7.5
2005-06-12 CVE-2005-1957 Adam Mmedici Improper Authentication vulnerability in Adam Mmedici File Upload Manager

mtnpeak.net File Upload Manager does not properly check user authentication for certain actions, which allows remote attackers to provide a modified base64-encoded file parameter and (1) read arbitrary files via the "view" action or (2) delete arbitrary files via the del action.

7.5
2005-06-11 CVE-2005-1953 Pico Server Remote Security vulnerability in Pico Server Pico Server 3.3

Heap-based buffer overflow in the CGI extension for Pico Server (pServ) 3.3 allows remote attackers to execute arbitrary code via a long HTTP request.

7.5
2005-06-10 CVE-2005-1966 E107 Remote Command Execution vulnerability in E107 1.0.1

The eTrace_validaddr function in eTrace plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the etrace_host parameter.

7.5
2005-06-10 CVE-2005-1942 Cisco Security Bypass vulnerability in Catalyst

Cisco switches that support 802.1x security allow remote attackers to bypass port security and gain access to the VLAN via spoofed Cisco Discovery Protocol (CDP) messages.

7.5
2005-06-09 CVE-2005-1964 Cantico Remote Security vulnerability in Cantico Ovidentia FX

PHP remote file inclusion vulnerability in utilit.php for Ovidentia Portal allows remote attackers to execute arbitrary PHP code via the babInstallPath parameter.

7.5
2005-06-09 CVE-2005-1950 Darryl Burgdorf Remote Command Execution vulnerability in Darryl Burgdorf Webhints 1.3

hints.pl in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.

7.5
2005-06-09 CVE-2005-1948 Invision Power Services SQL Injection vulnerability in Invision Power Services Invision Gallery 1.0.1/1.3

Multiple SQL injection vulnerabilities in Invision Gallery before 1.3.1 allow remote attackers to execute arbitrary SQL commands via (1) the comment parameter in an editcomment action or (2) the rating parameter when voting on a photo.

7.5
2005-06-09 CVE-2005-1946 Invision Power Services SQL-Injection vulnerability in Invision Community Blog 1.0/1.1

Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 Final allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to an editentry, replyentry, or editcomment action, or (2) the mid parameter to an aboutme action.

7.5
2005-06-09 CVE-2005-1908 Perception Security Bypass vulnerability in Perception Liteweb 2.5

Perception LiteWeb allows remote attackers to bypass access controls for files via an extra leading / (slash) or leading \ (backslash) in the URL.

7.5
2005-06-09 CVE-2005-1900 Sawmill Security Bypass vulnerability in Sawmill

Sawmill before 7.1.6 allows remote attackers to bypass authentication and (1) gain administrative privileges or (2) add a license.

7.5
2005-06-09 CVE-2005-1891 AOL Integer Underflow (Wrap or Wraparound) vulnerability in AOL AIM

The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.

7.5
2005-06-09 CVE-2005-1882 Yapig Remote Security vulnerability in Yapig 0.93U/0.94U

PHP remote file inclusion vulnerability in last_gallery.php in YaPiG 0.93u and 0.94u allows remote attackers to execute arbitrary PHP code via the YAPIG_PATH parameter.

7.5
2005-06-09 CVE-2005-1873 Crob Remote Security vulnerability in Crob FTP 3.6.1

Multiple buffer overflows in Crob FTP 3.6.1, and possibly earlier versions, allow remote attackers to execute arbitrary code via (1) an FTP command with a large string followed by the RMD command with a long string or (2) a globbing ("*") character followed by a long string.

7.5
2005-06-09 CVE-2005-1871 Drupal Remote Security vulnerability in Drupal

Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly."

7.5
2005-06-09 CVE-2005-1867 Symantec Remote Security vulnerability in Brightmail Anti-Spam

Symantec Brightmail AntiSpam before 6.0.2 has a hard-coded database administrator password, which allows remote attackers to gain privileges.

7.5
2005-06-08 CVE-2005-1960 C J Steele The getemails function in C.J.
7.5
2005-06-08 CVE-2005-1943 Loki SQL Injection vulnerability in Loki Download Manager Default.ASP

Multiple SQL injection vulnerabilities in Loki download manager 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) password field to default.asp or (2) cat parameter to catinfo.asp.

7.5
2005-06-08 CVE-2005-1758 Novell Remote vulnerability in Novell NetMail

Buffer overflow in the IMAP command continuation function in Novell NetMail 3.52 before 3.52C may allow remote attackers to execute arbitrary code.

7.5
2005-06-08 CVE-2005-1757 Novell Remote vulnerability in Novell NetMail

Buffer overflow in the Modweb agent for Novell NetMail 3.52 before 3.52C, when renaming folders, may allow attackers to execute arbitrary code.

7.5
2005-06-08 CVE-2005-1724 Apple Unspecified vulnerability in Apple mac OS X Server 10.4/10.4.1

NFS on Apple Mac OS X 10.4.x up to 10.4.1 does not properly obey the -network or -mask flags for a filesystem and exports it to everyone, which allows remote attackers to bypass intended access restrictions.

7.5
2005-06-08 CVE-2005-1723 Apple Unspecified vulnerability in Apple mac OS X Server 10.4/10.4.1

LaunchServices in Apple Mac OS X 10.4.x up to 10.4.1 does not properly mark file extensions and MIME types as unsafe if an Apple Uniform Type Identifier (UTI) is not created when the type is added to the database of unsafe types, which could allow attackers to bypass intended restrictions.

7.5
2005-06-09 CVE-2005-1905 Kaspersky LAB Privilege Escalation vulnerability in Kaspersky LAB products

The klif.sys driver in Kaspersky Labs Anti-Virus 5.0.227, 5.0.228, and 5.0.335 on Windows 2000 allows local users to gain privileges by modifying certain critical code addresses that are later accessed by privileged programs.

7.2
2005-06-09 CVE-2005-1763 Novell
Suse
Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures allows local users to write bytes into kernel memory.
7.2

33 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-06-09 CVE-2005-1884 Yapig Directory Traversal vulnerability in Yapig 0.92B/0.93U/0.94U

Directory traversal vulnerability in the (1) rmdir or (2) mkdir commands in upload.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to create or delete arbitrary directories via a ..

6.4
2005-06-09 CVE-2005-1879 Lutel Link Following vulnerability in Lutel Lutelwall

LutelWall 0.97 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file created by a system call to wget.

5.5
2005-06-06 CVE-2005-1880 Everybuddy Link Following vulnerability in Everybuddy 0.4.3

everybuddy 0.4.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file created by a system call to wget.

5.5
2005-06-12 CVE-2005-1956 File Upload Manager File-Upload vulnerability in File Upload Manager

File Upload Manager allows remote attackers to upload arbitrary files by modifying the test variable to contain a value of '~~~~~~' (six tildes), which bypasses the file extension checks.

5.0
2005-06-12 CVE-2005-1729 Novell Denial-Of-Service vulnerability in Novell Edirectory 8.7.3

Novell eDirectory 8.7.3 allows remote attackers to cause a denial of service (application crash) via a URL containing an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1.

5.0
2005-06-10 CVE-2005-1267 LBL
Gentoo
Mandrakesoft
Redhat
Trustix
Denial Of Service vulnerability in tcpdump BGP Decoding Routines

The bgp_update_print function in tcpdump 3.x does not properly handle a -1 return value from the decode_prefix4 function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet.

5.0
2005-06-09 CVE-2005-1911 Leafnode Unspecified vulnerability in Leafnode

The fetchnews NNTP client in leafnode 1.11.2 and earlier can hang while waiting for input that never arrives, which allows remote NNTP servers to cause a denial of service (news loss).

5.0
2005-06-09 CVE-2005-1899 Rakkarsoft Remote Denial of Service vulnerability in Rakkarsoft RakNet

Rakkarsoft RakNet network library 2.33 and earlier, when released before 30 May 2005, and as used in multiple products including nFusion Elite Warriors: Vietnam, allows remote attackers to cause a denial of service (infinite loop) via a zero-byte UDP packet.

5.0
2005-06-09 CVE-2005-1898 Phpthumb Information Disclosure vulnerability in PHPThumb Arbitrary File

The passthrough functionality in phpThumb.php in phpThumb() before 1.5.4 allows remote attackers to read files that are not images.

5.0
2005-06-09 CVE-2005-1896 Flatnuke Directory Traversal vulnerability in Flatnuke 2.5.3

Directory traversal vulnerability in thumb.php in FlatNuke 2.5.3 allows remote attackers to read arbitrary images or obtain the installation path via the image parameter.

5.0
2005-06-09 CVE-2005-1893 Flatnuke Information Disclosure vulnerability in Flatnuke 2.5.3

FlatNuke 2.5.3 allows remote attackers to obtain sensitive information via invalid parameters to certain scripts, which leaks the web document root in an error message.

5.0
2005-06-09 CVE-2005-1883 Yapig Remote Security vulnerability in Yapig 0.92B

global.php in YaPiG 0.92b allows remote attackers to include arbitrary local files via the BASE_DIR parameter.

5.0
2005-06-09 CVE-2005-1874 Evan Wagner Directory traversal vulnerability in Dzip before 2.9 allows remote attackers to create arbitrary files via a filename containing a ..
5.0
2005-06-09 CVE-2005-1870 Popper Remote Security vulnerability in Popper 1.41R2

PHP remote file inclusion vulnerability in childwindow.inc.php in Popper 1.41-r2 and earlier allows remote attackers to execute arbitrary PHP code via the form parameter.

5.0
2005-06-09 CVE-2005-1864 Vincent HOR Remote Security vulnerability in Vincent HOR Calendarix Advanced 1.5

PHP remote file inclusion vulnerability in cal_admintop.php in Calendarix Advanced 1.5 allows remote attackers to execute arbitrary PHP code via the calpath parameter.

5.0
2005-06-07 CVE-2005-1890 Mortiforo Remote Security vulnerability in Mortiforo

Unknown vulnerability in Mortiforo before 0.9.1 allows users to access private forums via unknown attack vectors.

5.0
2005-06-07 CVE-2005-1889 SUN Remote Security vulnerability in SUN Java System web Server 6.0/6.1

Unknown vulnerability in Sun ONE Application Server 6.5 SP1 Maintenance Update 6 and earlier allows attackers to read files.

5.0
2005-06-06 CVE-2005-1885 Yapig Information Disclosure vulnerability in Yapig 0.92B/0.93U/0.94U

view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to obtain sensitive information via a phid parameter that is not an integer, which reveals the path in an error message.

5.0
2005-06-09 CVE-2005-1887 SUN Local Security vulnerability in SUN Solaris 10.0

Unknown vulnerability in the Sun Solaris C library (libc and libproject) in Solaris 10 allows local users to gain privileges.

4.6
2005-06-08 CVE-2005-1728 Apple Unspecified vulnerability in Apple mac OS X 10.4/10.4.1

MCX Client for Apple Mac OS X 10.4.x up to 10.4.1 insecurely logs Portable Home Directory credentials, which allows local users to obtain the credentials.

4.6
2005-06-07 CVE-2005-1961 Objectweb Security Bypass vulnerability in Consortium C-Jdbc

Unknown vulnerability in ObjectWeb Consortium C-JDBC before 1.3.1 allows local users to bypass intended access restrictions and obtain the cache results from another user.

4.6
2005-06-12 CVE-2005-1955 Singapore Cross-Site Scripting vulnerability in Singapore 0.9.11Beta

Cross-site scripting (XSS) vulnerability in index.php in singapore 0.9.11 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter.

4.3
2005-06-09 CVE-2005-1947 Invisioncommunity Cross-Site Request Forgery (CSRF) vulnerability in Invisioncommunity Gallery

Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions.

4.3
2005-06-09 CVE-2005-1945 Invision Power Services Cross-Site Scripting vulnerability in Invision Community Blog 1.0/1.1

Cross-site scripting (XSS) vulnerability in the convert_highlite_words function in Invision Blog before 1.1.2 Final allows remote attackers to inject arbitrary web script or HTML via double hex encoded highlight data.

4.3
2005-06-09 CVE-2005-1909 Software602 Unspecified vulnerability in Software602 602Lan Suite 2004

The web server control panel in 602LAN SUITE 2004 allows remote attackers to make it more difficult for the administrator to read portions of log files via a "</pre><!-" sequence in an HTTP GET request in the logon, possibly due to a cross-site scripting (XSS) vulnerability.

4.3
2005-06-09 CVE-2005-1901 Sawmill Cross-Site Scripting vulnerability in Sawmill

Multiple cross-site scripting (XSS) vulnerabilities in Sawmill before 7.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the username in the Add User window or (2) the license key in the Licensing page.

4.3
2005-06-09 CVE-2005-1895 Flatnuke Cross-Site Scripting vulnerability in Flatnuke 2.5.3

Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the border or back parameters to (1) help.php or (2) footer.php.

4.3
2005-06-09 CVE-2005-1886 Yapig Cross-Site Scripting vulnerability in Yapig 0.92B/0.93U/0.94U

Cross-site scripting (XSS) vulnerability in view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to inject arbitrary web script or HTML via (1) the phid parameter or (2) unknown parameters when posting a new comment.

4.3
2005-06-08 CVE-2005-1968 Early Impact Cross-Site Scripting vulnerability in Early Impact Productcart 2.7

Cross-site scripting (XSS) vulnerability in ProductCart Ecommerce before 2.7 allows remote attackers to inject arbitrary web script or HTML via the error parameter to techErr.asp.

4.3
2005-06-08 CVE-2005-1756 Novell Remote vulnerability in Novell NetMail

Cross-site scripting (XSS) vulnerability in the ModWeb agent for Novell NetMail 3.52 before 3.52C allows remote attackers to inject arbitrary web script or HTML via calendar display fields.

4.3
2005-06-07 CVE-2005-1969 Pragma Systems Unspecified vulnerability in Pragma Systems Pragma Telnetserver 6.0

Cross-site scripting (XSS) vulnerability in Pragma Systems Telnetserver 6.0 allows remote attackers to inject arbitrary web script or HTML, and hide activities in log files, via a "<!--" (HTML comment) in a session.

4.3
2005-06-06 CVE-2005-1888 Mediawiki HTML Injection vulnerability in MediaWiki Page Template

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML attributes in page templates.

4.3
2005-06-06 CVE-2005-1877 Lpanel Input Validation vulnerability in Lpanel 1.59

Cross-site scripting (XSS) vulnerability in view_ticket.php in Lpanel 1.59 and earlier allows remote attackers to inject arbitrary web script or HTML and obtain sensitive information via the pid parameter.

4.3

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-06-08 CVE-2005-1727 Apple Unspecified vulnerability in Apple mac OS X Server 10.4/10.4.1

Apple Mac OS X 10.4.x up to 10.4.1 sets insecure world- and group-writable permissions for the (1) system cache folder and (2) Dashboard system widgets, which allows local users to conduct unauthorized file operations via "file race conditions."

3.7
2005-06-09 CVE-2005-1902 E Post Corporation Directory Traversal vulnerability in E-Post Corporation Spa-Pro Mail Atsolomon 4.00

Directory traversal vulnerability in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to read other users' mail and perform operations on arbitrary directories via ..

3.6
2005-06-09 CVE-2005-1944 Xmysqladmin Local Security vulnerability in Xmysqladmin 1.0

xmysqladmin 1.0 and earlier allows local users to delete arbitrary files via a symlink attack on a database backup file in /tmp.

2.1
2005-06-08 CVE-2005-1725 Apple Unspecified vulnerability in Apple mac OS X Server 10.4/10.4.1

launchd 106 in Apple Mac OS X 10.4.x up to 10.4.1 allows local users to overwrite arbitrary files via a symlink attack on the socket file in an insecure temporary directory.

2.1
2005-06-08 CVE-2005-0756 Linux Resource Management Errors vulnerability in Linux Kernel 2.6.8.1

ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash).

2.1
2005-06-09 CVE-2005-1878 Giptables Local Security vulnerability in Giptables Firewall

GIPTables Firewall 1.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on the temp.ip.addresses temporary file.

1.2