Weekly Vulnerabilities Reports > July 18 to 24, 2005

Overview

61 new vulnerabilities were reported during this period, including 7 critical and 12 high severity vulnerabilities. This weekly summary reports vulnerabilities in 60 products from 43 vendors, including Clever Copy, ESI Products, Oracle, Microsoft, and Apple. Notable weakness categories this week are "Resource Exhaustion", "Incomplete Cleanup", "Inadequate Encryption Strength", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Double Free".

  • 46 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 60 reported vulnerabilities are exploitable by an anonymous user.
  • Clever Copy has the most reported vulnerabilities, with 5.
  • EKG has the most reported critical vulnerabilities, with 2.

Summary dashboard (counts as given above): total, critical risk, high risk, medium risk and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web applications.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


7 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-20 CVE-2005-2334 Y SAK Remote Arbitrary Command Execution vulnerability in Y.SAK Scripts

Y.SAK allows remote attackers to execute arbitrary commands via shell metacharacters in the $no variable to (1) w_s3mbfm.cgi, (2) w_s3adix.cgi, or (3) w_s3sbfm.cgi.

10.0
2005-07-19 CVE-2005-1851 EKG Unspecified vulnerability in EKG

A certain contributed script for ekg Gadu Gadu client 1.5 and earlier allows attackers to execute shell commands via unknown attack vectors.

10.0
2005-07-19 CVE-2005-1850 EKG Unspecified vulnerability in EKG

Certain contributed scripts for ekg Gadu Gadu client 1.5 and earlier create temporary files insecurely, with unknown impact and attack vectors, a different vulnerability than CVE-2005-1916.

10.0
2005-07-18 CVE-2005-2290 WPS Remote Command Execution vulnerability in WPS Wps_shop.CGI

wps_shop.cgi in WPS Web Portal System 0.7.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and (2) cat variables.

10.0
2005-07-18 CVE-2005-2286 ESI Products Unspecified vulnerability in ESI products Webeoc

WebEOC before 6.0.2 does not properly check user authorization, which allows remote attackers to gain privileges via a direct request to a resource.

10.0
2005-07-18 CVE-2005-1689 MIT, Apple, Debian Double Free vulnerability in multiple products

Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.

9.8
2005-07-19 CVE-2005-2310 Nullsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nullsoft Winamp

Buffer overflow in Winamp 5.03a, 5.09 and 5.091, and other versions before 5.094, allows remote attackers to execute arbitrary code via an MP3 file with a long ID3v2 tag such as (1) ARTIST or (2) TITLE.

9.3

12 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-19 CVE-2005-2323 Class 1, Clever Copy SQL-Injection vulnerability in Class-1 Forum

Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allow remote attackers to modify SQL statements via the (1) id parameter to viewattach.php, (2) viewuser_id parameter to users.php, or the (3) id or (4) forum parameter to viewforum.php.

7.5
2005-07-19 CVE-2005-2320 Webcalendar Unspecified vulnerability in Webcalendar

WebCalendar before 1.0.0 does not properly restrict access to assistant_edit.php, which allows remote attackers to gain privileges.

7.5
2005-07-19 CVE-2005-2317 Shorewall Unspecified vulnerability in Shorewall

Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17, when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, allows remote attackers with an accepted MAC address to bypass other firewall rules or policies.

7.5
2005-07-19 CVE-2005-2314 Phpsftpd Privilege Escalation vulnerability in PHPsFTPd Inc.Login.PHP

inc.login.php in PHPsFTPd 0.2 through 0.4 allows remote attackers to obtain the administrator's username and password by setting the do_login parameter and performing an edit action using user.php, which causes the login check to be bypassed and leaks the password in the response.

7.5
2005-07-19 CVE-2005-2312 Realnode Unspecified vulnerability in Realnode Emilda

management.php in Realnode Emilda 1.2.2 and earlier allows remote attackers to perform actions as other users by modifying the user_id parameter.

7.5
2005-07-19 CVE-2005-2308 Microsoft Denial Of Service vulnerability in Microsoft IE 6.0

The JPEG decoder in Microsoft Internet Explorer allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via certain crafted JPEG images, as demonstrated using (1) mov_fencepost.jpg, (2) cmp_fencepost.jpg, (3) oom_dos.jpg, or (4) random.jpg.

7.5
2005-07-19 CVE-2005-2305 DG Remote Denial of Service vulnerability in DG Remote Control Server 1.6.2

DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.

7.5
2005-07-18 CVE-2005-2284 ESI Products Unspecified vulnerability in ESI products Webeoc

Multiple SQL injection vulnerabilities in WebEOC before 6.0.2 allow remote attackers to modify SQL statements via unknown attack vectors.

7.5
2005-07-18 CVE-2005-2281 Juvare Inadequate Encryption Strength vulnerability in Juvare Webeoc

WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.

7.5
2005-07-18 CVE-2005-1175 MIT Remote Single Byte Heap Overflow vulnerability in MIT Kerberos 5 Key Distribution Center

Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.

7.5
2005-07-19 CVE-2005-2313 Checkpoint Local Information Disclosure vulnerability in Check Point SecuRemote NG

Check Point SecuRemote NG with Application Intelligence R54 allows attackers to obtain credentials and gain privileges via unknown attack vectors.

7.2
2005-07-18 CVE-2005-2278 Mailenable Unspecified vulnerability in Mailenable Professional 1.54

Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable Professional 1.54 allows remote authenticated users to execute arbitrary code via the status command with a long mailbox name.

7.2

33 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-18 CVE-2005-2293 Oracle Incomplete Cleanup vulnerability in Oracle Forms Builder 9.0.4

Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a temporary file, which is not deleted after it is used, which allows local users to obtain sensitive information.

5.5
2005-07-20 CVE-2005-2331 Moosegallery Unspecified vulnerability in Moosegallery 1.0.1/1.0.2

PHP remote file inclusion vulnerability in display.php in MooseGallery allows remote attackers to execute arbitrary PHP code via the type parameter.

5.0
2005-07-20 CVE-2005-2328 Laffer Unspecified vulnerability in Laffer 0.3.2.6/0.3.2.7

PHP remote file inclusion vulnerability in im.php in Laffer 0.3.2.6 and 0.3.2.7 allows remote attackers to execute arbitrary PHP code via the CFG_PATH variable.

5.0
2005-07-19 CVE-2005-2325 Clever Copy Remote Security vulnerability in Clever Copy 2.0/2.0A

Clever Copy 2.0 and 2.0a allows remote attackers to obtain the full path of the web root via a direct request to (1) ticker.php, (2) menu.php, (3) banned.php, (4) endlayout.php, (5) randomhlinesblock.php, (6) showlast.php, (7) showlast5class1.php, (8) showlast5phorum.php, (9) showlast5phorumblock.php, (10) showlastforumbb2.php, or (11) showlastforumbb2block.php.

5.0
2005-07-19 CVE-2005-2319 Yawp Remote File Include vulnerability in Yawp Conf_Path

PHP remote file include vulnerability in Yawp library 1.0.6 and earlier, as used in YaWiki and possibly other products, allows remote attackers to include arbitrary files via the _Yawp[conf_path] parameter.

5.0
2005-07-19 CVE-2005-2309 Opera Resource Exhaustion vulnerability in Opera Browser 8.01

Opera 8.01 allows remote attackers to cause a denial of service (CPU consumption) via a crafted JPEG image, as demonstrated using random.jpg.

5.0
2005-07-19 CVE-2005-2307 Microsoft Local Denial of Service vulnerability in Microsoft Windows 2000 and Windows XP

netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."

5.0
2005-07-19 CVE-2005-2304 Microsoft Unspecified vulnerability in Microsoft Internet Explorer and Live Messenger

Microsoft MSN Messenger 9.0 and Internet Explorer 6.0 allows remote attackers to cause a denial of service (crash) via an image with an ICC Profile with a large Tag Count.

5.0
2005-07-19 CVE-2005-2301 Powerdns Unspecified vulnerability in Powerdns

PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack.

5.0
2005-07-19 CVE-2005-2298 Softwin Security Bypass vulnerability in Bitdefender Engine

BitDefender Engine 1.6.1 and earlier does not properly scan all attachments, which allows remote attackers to bypass virus scanning via begin and end commands in the body of the e-mail, which BitDefender treats as a uuencoded attachment and stops scanning afterwards.

5.0
2005-07-19 CVE-2005-1530 Sophos Remote Denial Of Service vulnerability in Sophos Anti-Virus BZip2 Archive Handling

Sophos Anti-Virus 5.0.1, with "Scan inside archive files" enabled, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a Bzip2 archive with a large 'Extra field length' value.

5.0
2005-07-18 CVE-2005-2296 Yabb Information Disclosure vulnerability in Yabb 1.5.5C

YabbSE 1.5.5c allows remote attackers to obtain sensitive information via a direct request to ssi_examples.php, which reveals the path.

5.0
2005-07-18 CVE-2005-2295 Pyrosoft INC Remote Denial of Service vulnerability in Pyrosoft INC Netpanzer 0.8

NetPanzer 0.8 and earlier allows remote attackers to cause a denial of service (infinite loop) via a packet with a zero datablock size.

5.0
2005-07-18 CVE-2005-2289 Phpcounter Information Disclosure vulnerability in PHPcounter 7.2

PHPCounter 7.2 allows remote attackers to obtain sensitive information via a direct request to prelims.php, which reveals the path in an error message.

5.0
2005-07-18 CVE-2005-2287 Softiacom Denial-Of-Service vulnerability in Wmailserver 1.0/2.0

SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow.

5.0
2005-07-18 CVE-2005-2285 ESI Products Unspecified vulnerability in ESI products Webeoc

WebEOC before 6.0.2 stores sensitive information in locations such as URIs, web pages, and configuration files, which allows remote attackers to obtain information such as Usernames, Passwords, Emergency information, medical information, and system configuration.

5.0
2005-07-18 CVE-2005-2280 Cisco Unspecified vulnerability in Cisco Security Agent 4.5

Cisco Security Agent (CSA) 4.5 allows remote attackers to cause a denial of service (system crash) via a crafted IP packet.

5.0
2005-07-18 CVE-2005-2279 Cisco Remote Denial Of Service vulnerability in Cisco ONS 15216 OADM Management Plane Telnet Service

Cisco ONS 15216 Optical Add/Drop Multiplexer (OADM) running firmware 2.2.2 and earlier allows remote attackers to cause a denial of service (management plane session loss) via crafted telnet data.

5.0
2005-07-18 CVE-2005-2195 Apple Denial-Of-Service vulnerability in Darwin Streaming Server

Apple Darwin Streaming Server 5.5 and earlier allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1, a different vulnerability than CVE-2003-0421 and CVE-2003-0502.

5.0
2005-07-18 CVE-2005-1174 MIT Remote Denial of Service vulnerability in MIT Kerberos 5 Key Distribution Center

MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.

5.0
2005-07-20 CVE-2005-2329 MRV Communications

MRV Communications In-Reach LX-8000S, LX-4000S, and LX-1000S 3.5.0, when using SSH public key authentication, does not properly restrict access to ports, which allows remote authenticated users to access the consoles of other users.

4.6
2005-07-19 CVE-2005-2297 Sybase Local Security vulnerability in EAServer

Stack-based buffer overflow in TreeAction.do in Sybase EAServer 4.2.5 through 5.2 allows remote authenticated users to execute arbitrary code via a large javascript parameter.

4.6
2005-07-18 CVE-2005-2291 Oracle Information Disclosure vulnerability in Oracle Jdeveloper 10.1.2/9.0.4/9.0.5

Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 passes the cleartext password as a parameter when starting sqlplus, which allows local users to gain sensitive information.

4.6
2005-07-20 CVE-2005-2333 SEO Board Cross-Site Scripting vulnerability in Seo-Board 1.0

Cross-site scripting (XSS) vulnerability in smilies_popup.php in SEO-Board 1.0 allows remote attackers to inject arbitrary web script or HTML via the doc parameter.

4.3
2005-07-20 CVE-2005-2332 PHP Warpedweb NET Cross-Site Scripting vulnerability in PHP.Warpedweb.Net PHPpageprotect 1.0.0A

Cross-site scripting (XSS) vulnerability in PHPPageProtect 1.0.0a allows remote attackers to inject arbitrary web script or HTML via the username parameter to (1) admin.php or (2) login.php.

4.3
2005-07-20 CVE-2005-2327 E107 Cross-Site Scripting vulnerability in E107

Cross-site scripting (XSS) vulnerability in e107 0.617 and earlier allows remote attackers to inject arbitrary web script or HTML via nested [url] BBCode tags.

4.3
2005-07-19 CVE-2005-2326 Clever Copy Cross-Site Scripting vulnerability in Clever Copy 2.0/2.0A

Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the yr parameter to calendar.php.

4.3
2005-07-19 CVE-2005-2324 Clever Copy Cross-Site Scripting vulnerability in Clever Copy 2.0/2.0A

Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the searchtype or searchterm parameters to (1) results.php or (2) categorysearch.php.

4.3
2005-07-19 CVE-2005-2322 Class 1, Clever Copy Cross-Site Scripting vulnerability in Class-1 Forum

Cross-site scripting (XSS) vulnerability in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allows remote attackers to inject arbitrary web script or HTML via the (1) viewuser_id or (2) group parameter to users.php.

4.3
2005-07-19 CVE-2005-2318 Dvbbs Cross-Site Scripting vulnerability in Dvbbs 7.1/7.1Sp2

Cross-site scripting (XSS) vulnerability in showerr.asp in DVBBS 7.1 SP2 allows remote attackers to inject arbitrary web script or HTML via the action parameter.

4.3
2005-07-19 CVE-2005-2299 MAN AND Machine LTD Cross-Site Scripting vulnerability in Simple Message Board Forum.CFM

Multiple cross-site scripting (XSS) vulnerabilities in Simple Message Board Version 2.0 Beta 1 allow remote attackers to inject arbitrary web script or HTML via the (1) FID parameter to forum.cfm, (2) UID parameter to user.cfm, (3) TID parameter to thread.cfm, or (4) PostDate parameter to search.cfm.

4.3
2005-07-18 CVE-2005-2288 Phpcounter Unspecified vulnerability in PHPcounter 7.2

Cross-site scripting (XSS) vulnerability in PHPCounter 7.2 allows remote attackers to inject arbitrary web script or HTML via the EpochPrefix parameter.

4.3
2005-07-18 CVE-2005-2282 ESI Products Unspecified vulnerability in ESI products Webeoc 6.0.2

Multiple cross-site scripting (XSS) vulnerabilities in WebEOC before 6.0.2 allow remote attackers to inject arbitrary web script and HTML via unknown vectors.

4.3

9 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-07-19 CVE-2005-2306 Macromedia Local Security vulnerability in Macromedia Coldfusion and Jrun

Race condition in Macromedia JRun 4.0, ColdFusion MX 6.1 and 7.0, when under heavy load, causes JRun to assign a duplicate authentication token to multiple sessions, which could allow authenticated users to gain privileges as other users.

3.7
2005-07-19 CVE-2005-2311 SMS Local Security vulnerability in SMS

SMS 1.9.2m and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) request1 or (2) request2 temporary files.

2.1
2005-07-19 CVE-2005-2302 Powerdns Unspecified vulnerability in Powerdns

PowerDNS before 2.9.18, when allowing recursion to a restricted range of IP addresses, does not properly handle questions from clients that are denied recursion, which could cause a "blank out" of answers to those clients that are allowed to use recursion.

2.1
2005-07-19 CVE-2005-2300 Skype Technologies Local Security vulnerability in Skype

Skype 1.1.0.20 and earlier allows local users to overwrite arbitrary files via a symlink attack on the skype_profile.jpg temporary file.

2.1
2005-07-19 CVE-2005-2196 Apple Unspecified vulnerability in Apple Airport Card

The Apple AirPort card uses a default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network.

2.1
2005-07-18 CVE-2005-2294 Oracle Information Disclosure vulnerability in Forms And Reports

Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of records are retrieved by an Oracle form, stores a copy of the database tables in a world-readable temporary file, which allows local users to gain sensitive information such as credit card numbers.

2.1
2005-07-18 CVE-2005-2292 Oracle Information Disclosure vulnerability in Oracle Jdeveloper 10.1.2/9.0.4/9.0.5

Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 stores cleartext passwords in (1) IDEConnections.xml, (2) XSQLConfig.xml and (3) settings.xml, which allows local users to obtain sensitive information.

2.1
2005-07-18 CVE-2005-2283 ESI Products Unspecified vulnerability in ESI products Webeoc

WebEOC before 6.0.2 does not properly restrict the size of an uploaded file, which allows remote authenticated users to cause a denial of service (system and database resource consumption) via a large file.

2.1
2005-07-18 CVE-2005-1914 Centericq Unspecified vulnerability in Centericq

CenterICQ 4.20.0 and earlier creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack on the gg.token.PID temporary file.

2.1