Weekly Vulnerabilities Reports > July 4 to 10, 2005

Overview

70 new vulnerabilities were reported during this period, including 1 critical vulnerability and 18 high severity vulnerabilities. This weekly summary reports vulnerabilities in 62 products from 55 vendors including Wordpress, Microsoft, Mozilla, IBM, and Adobe. Vulnerabilities are notably categorized as "Resource Management Errors", "Link Following", and "Cleartext Storage of Sensitive Information".

  • 60 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 69 reported vulnerabilities are exploitable by an anonymous user.
  • Wordpress has the most reported vulnerabilities, with 4 reported vulnerabilities.
  • THE Cacti Group has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-06 CVE-2005-2149 THE Cacti Group Unspecified vulnerability in the Cacti Group Cacti

config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL injection attacks.

10.0

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-06 CVE-2005-2165 Globalnotescript Remote Security vulnerability in GlobalNoteScript

read.cgi in GlobalNoteScript allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameters.

7.5
2005-07-06 CVE-2005-2164 Covide Groupware CRM SQL-Injection vulnerability in Covide Groupware-Crm Covide 5.2

SQL injection vulnerability in Covide Groupware-CRM allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.

7.5
2005-07-06 CVE-2005-2160 Ipswitch Cleartext Storage of Sensitive Information vulnerability in Ipswitch Imail 2006

IMail stores usernames and passwords in cleartext in a cookie, which allows remote attackers to obtain sensitive information.

7.5
2005-07-06 CVE-2005-2158 Jboss Remote Security vulnerability in Jboss Jbpm 2.0

A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows remote attackers to execute arbitrary commands, a re-introduction of a vulnerability that was originally identified by CVE-2003-0845.

7.5
2005-07-06 CVE-2005-2156 Phpnews SQL Injection vulnerability in PHPnews 1.2.5

SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the prevnext parameter.

7.5
2005-07-06 CVE-2005-2155 Easyphpcalendar Remote Security vulnerability in Easyphpcalendar 6.1.5

PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and earlier allows remote attackers to execute arbitrary code via the serverPath parameter.

7.5
2005-07-06 CVE-2005-2154 Osticket Input Validation vulnerability in OSTicket

PHP local file inclusion vulnerability in (1) view.php and (2) open.php in osTicket 1.3.1 beta and earlier allows remote attackers to include and possibly execute arbitrary local files via the inc parameter.

7.5
2005-07-06 CVE-2005-2153 Osticket Input Validation vulnerability in OSTicket

SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta and earlier allows remote attackers to execute arbitrary SQL commands via the ticket variable.

7.5
2005-07-06 CVE-2005-2152 Geeklog SQL-Injection vulnerability in Geeklog

SQL injection vulnerability in Geeklog before 1.3.11 allows remote attackers to execute arbitrary SQL commands via user comments for an article.

7.5
2005-07-06 CVE-2005-2148 THE Cacti Group SQL Injection vulnerability in RaXnet Cacti Input Filter

Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php.

7.5
2005-07-06 CVE-2005-2096 Zlib Unspecified vulnerability in Zlib 1.2.0/1.2.1/1.2.2

zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.

7.5
2005-07-05 CVE-2005-2135 Etoshop SQL-Injection vulnerability in Etoshop Dynamic BIZ Website Builder Quickweb 1.0

SQL injection vulnerability in verify.asp in EtoShop Dynamic Biz Website Builder (QuickWeb) 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) T1 or (2) T2 parameters.

7.5
2005-07-05 CVE-2005-2113 Xoops SQL-Injection vulnerability in Xoops

SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method.

7.5
2005-07-05 CVE-2005-2111 Community Link PRO WEB Editor Remote Security vulnerability in Community Link Pro Web Editor

login.cgi in Community Link Pro Web Editor allows remote attackers to execute arbitrary commands via the file parameter.

7.5
2005-07-05 CVE-2005-2108 Wordpress SQL-Injection vulnerability in WordPress

SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file.

7.5
2005-07-05 CVE-2005-2105 Cisco Security Bypass vulnerability in IOS

Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authentication, Authorization, and Accounting (AAA) RADIUS authentication, if the fallback method is set to none, via a long username.

7.5
2005-07-05 CVE-2005-2086 Phpbb Group Remote Security vulnerability in PHPbb Group PHPbb 2.0.15

PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.

7.5
2005-07-05 CVE-2005-0393 Crip Unspecified vulnerability in Crip 3.5

The helper scripts for crip 3.5 do not properly use temporary files, which allows local users to have an unknown impact with unknown attack vectors.

7.2

43 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-09 CVE-2005-2176 Novell Unspecified vulnerability in Novell Netmail

Novell NetMail automatically processes HTML in an attachment without prompting the user to save or open it, which makes it easier for remote attackers to conduct web-based attacks and steal cookies.

6.4
2005-07-06 CVE-2005-2147 Edgewall Software Unspecified vulnerability in Edgewall Software Trac 0.7.1/0.8.1/0.8.3

Trac before 0.8.4 allows remote attackers to read or upload arbitrary files via a full pathname in the id parameter to the (1) upload or (2) attachment viewer scripts.

6.4
2005-07-06 CVE-2005-1916 EKG Project, Debian Link Following vulnerability in multiple products

linki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.

5.5
2005-07-09 CVE-2005-2175 IBM Remote Security vulnerability in Lotus Notes

The web interface for Lotus Notes mail automatically processes HTML in an attachment without prompting the user to save or open it, which makes it easier for remote attackers to conduct web-based attacks and steal cookies.

5.0
2005-07-08 CVE-2005-2173 Mozilla Unspecified vulnerability in Mozilla Bugzilla

The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2.18.1 and 2.19.1 to 2.19.3 do not verify that the flag ID is appropriate for the given bug or attachment ID, which allows users to change flags on arbitrary bugs and obtain a bug summary via process_bug.cgi.

5.0
2005-07-06 CVE-2005-2169 KAF Oseo Directory Traversal vulnerability in KAF Oseo Quick and Dirty PHPsource Printer 1.1

Directory traversal vulnerability in source.php in Quick & Dirty PHPSource Printer 1.1 and earlier allows remote attackers to read arbitrary files via ".../...//" sequences in the file parameter, which are reduced to "../" when PHPSource Printer uses a regular expression to remove "../" sequences.

5.0
2005-07-06 CVE-2005-2162 Levcgi COM Remote Security vulnerability in Levcgi.Com Myguestbook 0.6.1

PHP remote file inclusion vulnerability in form.inc.php3 in MyGuestbook 0.6.1 allows remote attackers to execute arbitrary PHP code via the lang parameter.

5.0
2005-07-06 CVE-2005-2159 Planetdns Remote Buffer Overflow vulnerability in Planetdns Planetfileserver 2.0.1.3

mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote attackers to cause a denial of service (application crash) via a long request.

5.0
2005-07-06 CVE-2005-2157 Nabocorp Remote Security vulnerability in Nabocorp Nabopoll 1.2

PHP remote file inclusion vulnerability in survey.inc.php for nabopoll 1.2 allows remote attackers to execute arbitrary PHP code via the path parameter.

5.0
2005-07-06 CVE-2005-2151 Double Precision Incorporated Unspecified vulnerability in Double Precision Incorporated Courier Mail Server

spf.c in Courier Mail Server does not properly handle DNS failures when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption.

5.0
2005-07-05 CVE-2005-2143 Microsoft Unspecified vulnerability in Microsoft Frontpage

Microsoft Front Page allows attackers to cause a denial of service (crash) via a crafted style tag in a web page.

5.0
2005-07-05 CVE-2005-2141 Jollybox DE Denial-Of-Service vulnerability in Jollybox.De TCP Chat 1.0

TCP Chat 1.0 allows remote attackers to cause a denial of service (crash) via a long string to the chat service, possibly triggering a buffer overflow.

5.0
2005-07-05 CVE-2005-2140 Fsboard Directory Traversal vulnerability in Fsboard 2.0

Directory traversal vulnerability in default.asp for FSboard 2.0 allows remote attackers to read arbitrary files via ".." sequences in the filename parameter.

5.0
2005-07-05 CVE-2005-2139 Pavsta Remote Security vulnerability in Pavsta Auto Site

PHP remote file inclusion vulnerability in user_check.php for Pavsta Auto Site allows remote attackers to execute arbitrary PHP code via the sitepath parameter.

5.0
2005-07-05 CVE-2005-2137 Nateon Unspecified vulnerability in Nateon Messenger 3.0

Unknown vulnerability in NateOn Messenger 3.0 allows remote attackers to list arbitrary directories via unknown attack vectors.

5.0
2005-07-05 CVE-2005-2115 Raven Software Denial-Of-Service vulnerability in Soldier Of Fortune 2

Soldier of Fortune II 1.02x and 1.03 allows remote attackers to cause a denial of service (server crash) via a large ID value in the ignore command, which is used as an array index and causes an out-of-bounds operation.

5.0
2005-07-05 CVE-2005-2114 Mozilla Denial-Of-Service vulnerability in Firefox

Mozilla 1.7.8, Firefox 1.0.4, Camino 0.8.4, Netscape 8.0.2, and K-Meleon 0.9, and possibly other products that use the Gecko engine, allow remote attackers to cause a denial of service (application crash) via JavaScript that repeatedly calls an empty function.

5.0
2005-07-05 CVE-2005-2110 Wordpress Information Disclosure vulnerability in WordPress

WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message.

5.0
2005-07-05 CVE-2005-2109 Wordpress Denial-Of-Service vulnerability in WordPress

wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use.

5.0
2005-07-05 CVE-2005-2106 Drupal Unspecified vulnerability in Drupal

Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.

5.0
2005-07-05 CVE-2005-2087 Microsoft Resource Management Errors vulnerability in Microsoft IE and Internet Explorer

Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll).

5.0
2005-07-05 CVE-2005-2085 Infradig Systems Denial-Of-Service vulnerability in Infradig Systems Inframail Advantage Server 6.0/6.7

Buffer overflow in Inframail Advantage Server Edition 6.0 through 6.7 allows remote attackers to cause a denial of service (process crash) via a long (1) SMTP FROM field or possibly (2) FTP NLST command.

5.0
2005-07-05 CVE-2005-2083 Truenorth Software Denial-Of-Service vulnerability in Ia Emailserver

Format string vulnerability in IMAP4 in IA eMailServer Corporate Edition 5.2.2 build 1051 allows remote attackers to cause a denial of service (application crash) via a LIST command with format string specifiers as the second argument.

5.0
2005-07-05 CVE-2005-2082 CGI Club Remote Security vulnerability in Cgi-Club Imtrset 1.02

im_trbbs.cgi in imTRSET 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the df parameter.

5.0
2005-07-05 CVE-2005-2081 Digium Unspecified vulnerability in Digium Asterisk 1.0.7

Stack-based buffer overflow in the function that parses commands in Asterisk 1.0.7, when the 'write = command' option is enabled, allows remote attackers to execute arbitrary code via a command that has two double quotes followed by a tab character.

5.0
2005-07-05 CVE-2005-2068 Freebsd Unspecified vulnerability in Freebsd

FreeBSD 4.x through 4.11 and 5.x through 5.4 allows remote attackers to modify certain TCP options via a TCP packet with the SYN flag set for an already established session.

5.0
2005-07-05 CVE-2005-2019 Freebsd Unspecified vulnerability in Freebsd 5.4

ipfw in FreeBSD 5.4, when running on Symmetric Multi-Processor (SMP) or Uni Processor (UP) systems with the PREEMPTION kernel option enabled, does not sufficiently lock certain resources while performing table lookups, which can cause the cache results to be corrupted during multiple concurrent lookups, allowing remote attackers to bypass intended access restrictions.

5.0
2005-07-05 CVE-2005-1931 Goodtech Systems Denial-Of-Service vulnerability in Goodtech Systems Goodtech Smtp Server 5.14

GoodTech SMTP Server 5.14 allows remote attackers to cause a denial of service (application crash) via a RCPT TO command with an invalid argument, as demonstrated using an "A" character.

5.0
2005-07-05 CVE-2005-1922 Clam Anti Virus Unspecified vulnerability in Clam Anti-Virus Clamav

The MS-Expand file handling in Clam AntiVirus (ClamAV) before 0.86 allows remote attackers to cause a denial of service (file descriptor and memory consumption) via a crafted file that causes repeated errors in the cli_msexpand function.

5.0
2005-07-05 CVE-2005-1625 Adobe Unspecified vulnerability in Adobe Acrobat Reader 5.0.10/5.0.9

Stack-based buffer overflow in the UnixAppOpenFilePerform function in Adobe Reader 5.0.9 and 5.0.10 for Unix allows remote attackers to execute arbitrary code via a PDF document with a long /Filespec tag.

5.0
2005-07-05 CVE-2005-0360 Microsoft Remote Security vulnerability in Log Sink Class Activex Control

The Microsoft Log Sink Class ActiveX control in pkmcore.dll is marked as "safe for scripting" for Internet Explorer, which allows remote attackers to create or append to arbitrary files.

5.0
2005-07-05 CVE-2005-2146 SSH Local Security vulnerability in SSH Tectia Server 4.3.1

SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows Servers, uses insecure permissions when generating the Secure Shell host identification key, which allows local users to access the key and spoof the server.

4.6
2005-07-05 CVE-2005-2145 Prevx Local Security vulnerability in Prevx PRO 2005 1.0

The kernel driver in Prevx Pro 2005 1.0 does not verify the source of certain messages, which allows local users to bypass protection by sending certain messages to the driver, as demonstrated by sending an "allow" message to bypass a warning message.

4.6
2005-07-06 CVE-2005-2163 Autoindex Cross-Site Scripting vulnerability in Autoindex PHP Script 1.5.2

Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP Script 1.5.2 allows remote attackers to inject arbitrary web script or HTML via the search parameter.

4.3
2005-07-06 CVE-2005-2161 Phpbb Group Unspecified vulnerability in PHPbb Group PHPbb 2.0.16

Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url] tags.

4.3
2005-07-05 CVE-2005-2138 Comdev Cross-Site Scripting vulnerability in Comdev Ecommerce 3.0/3.1

Cross-site scripting (XSS) vulnerability in index.php in Comdev eCommerce 3.0 and 3.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the onMouseOver event of an "A" tag in a review message.

4.3
2005-07-05 CVE-2005-2112 Xoops Cross-Site Scripting vulnerability in Xoops

Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php.

4.3
2005-07-05 CVE-2005-2107 Wordpress Cross-Site Scripting vulnerability in WordPress

Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter.

4.3
2005-07-05 CVE-2005-2094 SUN Cross-Site Scripting vulnerability in SUN ONE web Server 6.1

Sun SunONE web server 6.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes SunONE to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

4.3
2005-07-05 CVE-2005-2093 Oracle Unspecified vulnerability in Oracle Application Server 9.0.2

Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Application Server to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

4.3
2005-07-05 CVE-2005-2092 BEA Cross-Site Scripting vulnerability in BEA Weblogic Server 8.1

BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebLogic to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

4.3
2005-07-05 CVE-2005-2091 IBM Cross-Site Scripting vulnerability in Websphere Application Server 5.0/5.1.0

IBM WebSphere 5.1 and WebSphere 5.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebSphere to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

4.3
2005-07-05 CVE-2005-2084 Telligent Systems Cross-Site Scripting vulnerability in Community Server Forums

Cross-site scripting (XSS) vulnerability in SearchResults.aspx in Community Forum allows remote attackers to inject arbitrary web script or HTML via the q parameter.

4.3

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-08 CVE-2005-2174 Mozilla Unspecified vulnerability in Mozilla Bugzilla

Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 inserts a bug into the database before it is marked private, which introduces a race condition and allows attackers to access information about the bug via buglist.cgi before MySQL replication is complete.

2.6
2005-07-05 CVE-2005-1923 Clam Anti Virus Unspecified vulnerability in Clam Anti-Virus Clamav

The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) 0.83, and other versions before 0.86, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff, which causes a zero-length read.

2.6
2005-07-07 CVE-2005-1841 Adobe Unspecified vulnerability in Adobe Acrobat Reader 5.0.10/5.0.9

The control for Adobe Reader 5.0.9 and 5.0.10 on Linux, Solaris, HP-UX, and AIX creates temporary files with the permissions as specified in a user's umask, which could allow local users to read PDF documents of that user if the umask allows it.

2.1
2005-07-05 CVE-2005-2144 Prevx Local Security vulnerability in Prevx PRO 2005 1.0

Prevx Pro 2005 1.0 allows local users to bypass file protection and modify files by using MapViewOfFile to perform memory mapping on the file.

2.1
2005-07-05 CVE-2005-2142 Kmint21 Software Directory Traversal vulnerability in Kmint21 Software Golden FTP Server 2.60

Directory traversal vulnerability in Golden FTP Server 2.60 allows remote authenticated attackers to list arbitrary directories via a "\.." (backslash dot dot) in an LS (LIST) command.

2.1
2005-07-05 CVE-2005-2134 Netbsd Denial-Of-Service vulnerability in NetBSD

The (1) clcs and (2) emuxki drivers in NetBSD 1.6 through 2.0.2 allow local users to cause a denial of service (kernel crash) by using the set-parameters ioctl on an audio device to change the block size and set the pause state to "unpaused" in the same ioctl, which causes a divide-by-zero error.

2.1
2005-07-05 CVE-2005-1932 Lpanel Input Validation vulnerability in LPanel

Lpanel 1.59 and earlier, and other versions before 1.597, allows remote authenticated users to modify certain critical variables and (1) modify DNS settings for arbitrary domains via the domain parameter to diagnose.php, (2) close, open, or respond to arbitrary support tickets via the close, open, or pid parameter to view_ticket.php, (3) obtain sensitive information on arbitrary invoices via the inv parameter to viewreceipt.php, or (4) modify domain information for arbitrary domains via the editdomain parameter to domains.php.

2.1
2005-07-05 CVE-2005-1917 Kpopper Unspecified vulnerability in Kpopper 1.0

kpopper 1.0 and earlier allows local users to create and overwrite arbitrary files via a symlink attack on the .popper-new temporary file.

2.1