Weekly Vulnerabilities Reports > September 5 to 11, 2005

Overview

59 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary reports vulnerabilities in 48 products from 48 vendors, including Barracuda Networks, Flatnuke, Linux, Openbsd, and Squid. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Incorrect Comparison", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", and "Improper Input Validation".

  • 48 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 59 reported vulnerabilities are exploitable by an anonymous user.
  • Barracuda Networks has the most reported vulnerabilities, with 3 reported vulnerabilities.

Summary table (column headings only; the counts did not survive extraction): Total Vulnerabilities, Critical Risk Vulnerabilities, High Risk Vulnerabilities, Medium Risk Vulnerabilities, Low Risk Vulnerabilities, Remotely Exploitable, Locally Exploitable, Exploit Available, Exploitable Anonymously, Affecting Web Application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-09 CVE-2005-2871 Mozilla Remote Buffer Overflow vulnerability in Mozilla/Netscape/Firefox Browsers Domain Name

Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.

7.5
2005-09-08 CVE-2005-2870 SUN Remote Security vulnerability in SUN Solaris 10.0

Unknown vulnerability in the net-svc script on Solaris 10 allows remote authenticated users to execute arbitrary code on a DHCP client via certain DHCP responses.

7.5
2005-09-08 CVE-2005-2867 Bluewhalecrm SQL Injection vulnerability in BlueWhaleCRM AccountID

SQL injection vulnerability in BlueWhaleCRM allows remote attackers to execute arbitrary SQL commands via the Account ID field.

7.5
2005-09-08 CVE-2005-2865 Amember Remote Security vulnerability in Amember 2.3.4

Multiple PHP remote file inclusion vulnerabilities in aMember Pro 2.3.4 allow remote attackers to execute arbitrary PHP code via the config[root_dir] parameter to (1) mysql.inc.php, (2) efsnet.inc.php, (3) theinternetcommerce.inc.php, (4) cdg.inc.php, (5) compuworld.inc.php, (6) directone.inc.php, (7) authorize_aim.inc.php, (8) beanstream.inc.php, (9) config.inc.php, (10) eprocessingnetwork.inc.php, (11) eway.inc.php, (12) linkpoint.inc.php, (13) logiccommerce.inc.php, (14) netbilling.inc.php, (15) payflow_pro.inc.php, (16) paymentsgateway.inc.php, (17) payos.inc.php, (18) payready.inc.php, or (19) plugnplay.inc.php.

7.5
2005-09-08 CVE-2005-2862 Road Runner Remote Security vulnerability in Road Runner Adsl Road Runner Modem Annexa

ADSL Road Runner modem in the Annex A family has a service running on port 224, which allows remote attackers to login to the modem with a blank password and gain unauthorized access.

7.5
2005-09-08 CVE-2005-2857 Softstack Remote Security vulnerability in Softstack Free Smtp Server 2.2

Free SMTP Server 2.2 allows remote attackers to use the server as an open mail relay (spam proxy).

7.5
2005-09-08 CVE-2005-2856 Winace Buffer Errors vulnerability in Winace 2.6.0.0

Stack-based buffer overflow in the WinACE UNACEV2.DLL third-party compression utility before 2.6.0.0, as used in multiple products including (1) ALZip 5.51 through 6.11, (2) Servant Salamander 2.0 and 2.5 Beta 1, (3) WinHKI 1.66 and 1.67, (4) ExtractNow 3.x, (5) Total Commander 6.53, (6) Anti-Trojan 5.5.421, (7) PowerArchiver before 9.61, (8) UltimateZip 2.7,1, 3.0.3, and 3.1b, (9) Where Is It (WhereIsIt) 3.73.501, (10) FilZip 3.04, (11) IZArc 3.5 beta3, (12) Eazel 1.0, (13) Rising Antivirus 18.27.21 and earlier, (14) AutoMate 6.1.0.0, (15) BitZipper 4.1 SR-1, (16) ZipTV, and other products, allows user-assisted attackers to execute arbitrary code via a long filename in an ACE archive.

7.5
2005-09-08 CVE-2005-2847 Barracuda Networks Remote Command Execution vulnerability in Barracuda Networks Barracuda Spam Firewall 3.1.16/3.1.17

img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.

7.5
2005-09-08 CVE-2005-2844 Indiatimes Messenger Remote Buffer Overflow vulnerability in Indiatimes Messenger Indiatimes Messenger 6.0

Buffer overflow in MMClient.exe in Indiatimes Messenger 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long group name argument to the RenameGroup function in the MMClient.MunduMessenger.1 ActiveX object.

7.5
2005-09-08 CVE-2005-2843 Helpdesk Software Authentication Bypass vulnerability in Helpdesk Software Hesk 0.92

Helpdesk software Hesk 0.92 does not properly verify usernames and passwords, which allows remote attackers to bypass authentication via a direct request to admin_main.php.

7.5
2005-09-08 CVE-2005-2842 Dameware Development Buffer Overflow vulnerability in DameWare Mini Remote Control

Buffer overflow in dwrcs.exe in DameWare Mini Remote Control before 4.9.0 allows remote attackers to execute arbitrary code via the username.

7.5
2005-09-08 CVE-2005-2841 Cisco Denial-Of-Service vulnerability in IOS

Buffer overflow in Firewall Authentication Proxy for FTP and/or Telnet Sessions for Cisco IOS 12.2ZH and 12.2ZL, 12.3 and 12.3T, and 12.4 and 12.4T allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted user authentication credentials.

7.5
2005-09-07 CVE-2005-2838 Mywebland SQL Injection vulnerability in Mywebland Mybloggie 2.1.1/2.1.2/2.1.3Beta

SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

7.5
2005-09-07 CVE-2005-2819 Eric Fichot Permissions, Privileges, and Access Controls vulnerability in Eric Fichot Downfile 1.3

DownFile 1.3 allows remote attackers to gain administrator privileges via a direct request to (1) update.php, (2) del.php, and (3) add_form.php.

7.5
2005-09-07 CVE-2005-2812 Man2Web Scripts Command Execution vulnerability in Man2Web 0.87/0.88

man2web allows remote attackers to execute arbitrary commands via -P arguments.

7.5
2005-09-07 CVE-2005-2808 Frox Security Bypass vulnerability in Frox 0.7.16/0.7.17

frox 0.7.16 and 0.7.17 does not properly parse certain Deny ACLs, which might allow attackers to bypass intended restrictions and access blocked hosts.

7.5
2005-09-06 CVE-2005-2763 Openttd Unspecified vulnerability in Openttd

Multiple format string vulnerabilities in OpenTTD before 0.4.0.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

7.5
2005-09-06 CVE-2005-2801 Linux Incorrect Comparison vulnerability in Linux Kernel 2.6.0

xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks, which could prevent default ACLs from being applied.

7.5
2005-09-07 CVE-2005-2810 Urban Local Security vulnerability in Urban

Multiple stack-based buffer overflows in urban before 1.5.3 allow local users to gain privileges via a long HOME environment variable to (1) config.cc, (2) game.cc, (3) highscor.cc, or (4) meny.cc.

7.2
2005-09-07 CVE-2005-2807 Frox Unspecified vulnerability in Frox 0.7.18

frox 0.7.18, when running setuid root, does not properly drop privileges when reading a configuration file, which allows local users to read portions of arbitrary files via the -f command line option.

7.2
2005-09-06 CVE-2005-2494 KDE Local Privilege Escalation vulnerability in KDE kcheckpass

kcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root access via a symlink attack on lock files.

7.2

33 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-08 CVE-2005-2849 Barracuda Networks Remote Security vulnerability in Barracuda Networks Barracuda Spam Firewall 3.1.16/3.1.17

Argument injection vulnerability in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to (1) read portions of source code via the -f option to Dig (dig_device.cgi), (2) determine file existence via the -r argument to Tcpdump (tcpdump_device.cgi) or (3) modify files in the cgi-bin directory via the -w argument to Tcpdump.

6.4
2005-09-07 CVE-2005-2815 Flatnuke Denial-Of-Service vulnerability in Flatnuke 2.5.6

print.php in FlatNuke 2.5.6 allows remote attackers to obtain sensitive information (path disclosure on error) or cause a denial of service (resource consumption) via an MS-DOS device name in the news parameter to print.php, such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1.

6.4
2005-09-08 CVE-2005-2854 Thesitewizard COM Unspecified vulnerability in Thesitewizard.Com Chfeedback.Pl Feedback Form Perl Script 2.0.1

CRLF injection vulnerability in thesitewizard.com chfeedback.pl Feedback Form Perl Script 2.0.1 allows remote attackers to use the script as a mail relay (spam proxy) via CRLF sequences in the (1) name or (2) email fields, which are injected into mail headers.

5.0
2005-09-08 CVE-2005-2852 Novell Denial-Of-Service vulnerability in Novell Netware 5.1/6.0/6.5

Unknown vulnerability in CIFS.NLM in Novell Netware 6.5 SP2 and SP3, 5.1, and 6.0 allows remote attackers to cause a denial of service (ABEND) via an incorrect password length, as exploited by the "worm.rbot.ccc" worm.

5.0
2005-09-08 CVE-2005-2850 Whitsoft Development Denial-Of-Service vulnerability in Whitsoft Development Slimftpd 3.17

SlimFTPd 3.17 allows remote attackers to cause a denial of service (crash) via certain (1) USER and (2) PASS commands, possibly due to a buffer overflow or off-by-one error.

5.0
2005-09-08 CVE-2005-2848 Barracuda Networks Remote Directory Traversal vulnerability in Barracuda Networks Barracuda Spam Firewall 3.1.16/3.1.17

Directory traversal vulnerability in img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to read arbitrary files via a ..

5.0
2005-09-08 CVE-2005-2845 Ariba Information Disclosure vulnerability in Ariba Spend Management Solutions

Ariba Spend Management System sends the username and password to the server in plaintext in a POST request, which allows remote attackers to obtain sensitive information.

5.0
2005-09-08 CVE-2005-2020 3Com Unspecified vulnerability in 3Com 3C15100D 5.0.2

Directory traversal vulnerability in the web server for 3Com Network Supervisor 5.0.2 allows remote attackers to read arbitrary files via ".." sequences in the URL to TCP port 21700.

5.0
2005-09-07 CVE-2005-2817 Simple Machines Information Disclosure vulnerability in Simple Machines Simple Machines Forum 1.0.5

Simple Machines Forum (SMF) 1-0-5 and earlier supports the use of URLs for avatar images, which allows remote attackers to monitor sensitive information of forum visitors such as IP address and user agent, as demonstrated using a PHP script on a malicious server.

5.0
2005-09-07 CVE-2005-2813 Flatnuke Directory Traversal vulnerability in Flatnuke 2.5.6

Directory traversal vulnerability in FlatNuke 2.5.6 and possibly earlier allows remote attackers to read arbitrary files via ".." sequences and "%00" (trailing null byte) characters in the id parameter to the read mod in index.php.

5.0
2005-09-07 CVE-2005-2796 Squid Remote Denial Of Service vulnerability in Squid Proxy SSLConnectTimeout

The sslConnectTimeout function in ssl.c for Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (segmentation fault) via certain crafted requests.

5.0
2005-09-07 CVE-2005-2794 Squid Remote Denial Of Service vulnerability in Squid Proxy Aborted Requests

store.c in Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (crash) via certain aborted requests that trigger an assert error related to STORE_PENDING.

5.0
2005-09-06 CVE-2005-2806 Trevor Hogan Improper Input Validation vulnerability in Trevor Hogan Bnbt 7.5Betarelease2/7.5Betarelease3/7.720041027R3

client.cpp in BNBT EasyTracker 7.7r3.2004.10.27 and earlier allows remote attackers to cause a denial of service (application hang) via an HTTP header containing only a ":" (colon), possibly leading to an integer signedness error due to a missing field name or value.

5.0
2005-09-06 CVE-2005-2805 E107 Unspecified vulnerability in E107 0.603/0.616/0.617

forum_post.php in e107 0.6 allows remote attackers to post to non-existent forums by modifying the forum number.

5.0
2005-09-06 CVE-2005-2798 Openbsd Unspecified vulnerability in Openbsd Openssh

sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.

5.0
2005-09-06 CVE-2005-2797 Openbsd Unspecified vulnerability in Openbsd Openssh 4.0

OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.

5.0
2005-09-08 CVE-2005-2866 Mercora

Mercora IMRadio 4.0.0.0 stores usernames and passwords in plaintext in the MercoraClient\Profiles registry key, which allows local users to gain privileges.

4.6
2005-09-08 CVE-2005-2859 Savant Local Security vulnerability in Savant Webserver 3.1

Savant Web Server stores user credentials in plaintext in the Savant\Users registry key, which allows local users to gain privileges.

4.6
2005-09-07 CVE-2005-2811 NET Snmp Local Security vulnerability in Net-SNMP

Untrusted search path vulnerability in Net-SNMP 5.2.1.2 and earlier, on Gentoo Linux, installs certain Perl modules with an insecure DT_RPATH, which could allow local users to gain privileges.

4.6
2005-09-08 CVE-2005-2869 Phpmyadmin Unspecified vulnerability in PHPmyadmin

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the Username to libraries/auth/cookie.auth.lib.php or (2) the error parameter to error.php.

4.3
2005-09-08 CVE-2005-2863 Open Webmail Cross-Site Scripting vulnerability in Open Webmail Open Webmail 2.41

Cross-site scripting (XSS) vulnerability in openwebmail-main.pl in OpenWebMail 2.41 allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter.

4.3
2005-09-08 CVE-2005-2861 N Stalker HTML Injection vulnerability in N-Stalker N-Stealth Commercial5.8/Free5.8

Cross-site scripting (XSS) vulnerability in N-Stealth Commercial Edition before 5.8.0.38 and Free Edition before 5.8.1.03 allows remote attackers to inject arbitrary web script or HTML via the Server field in an HTTP response header, which is directly injected into an HTML report.

4.3
2005-09-08 CVE-2005-2860 Nikto HTML Injection vulnerability in Multiple Vendor Web Vulnerability Scanners

Cross-site scripting (XSS) vulnerability in Nikto 1.35 and earlier allows remote attackers to inject arbitrary web script or HTML via the Server field in an HTTP response header, which is directly injected into an HTML report.

4.3
2005-09-08 CVE-2005-2855 Unclassified Newsboard HTML Injection vulnerability in Unclassified Newsboard Unclassified Newsboard 1.5.3

Cross-site scripting (XSS) vulnerability in Unclassified NewsBoard 1.5.3 allows remote attackers to inject arbitrary web script or HTML via the description field.

4.3
2005-09-08 CVE-2005-2853 Guppy HTML Injection vulnerability in Guppy 4.5/4.5.3/4.5.3A

Multiple cross-site scripting (XSS) vulnerabilities in GuppY 4.5.3a and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pg parameter to printfaq.php, or the (2) Referer or (3) User-Agent HTTP headers, which are not properly handled by error.php.

4.3
2005-09-07 CVE-2005-2839 Maxdev Cross-Site Scripting vulnerability in Maxdev Md-Pro 1.0.72

Multiple cross-site scripting (XSS) vulnerabilities in MAXdev MD-Pro 1.0.72 allow remote attackers to inject arbitrary web script or HTML via (1) dl-search.php or (2) wl-search.php.

4.3
2005-09-07 CVE-2005-2836 Phorum Cross-Site Scripting vulnerability in Phorum

Multiple cross-site scripting (XSS) vulnerabilities in Phorum 5.0.17a and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to register.php or (2) a signature of a logged-in user in "My Control Center," which is not properly handled by control.php.

4.3
2005-09-07 CVE-2005-2820 Inter7 Unspecified vulnerability in Inter7 Sqwebmail 5.0.4

Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows remote attackers to inject arbitrary web script or HTML via an e-mail message containing Internet Explorer "Conditional Comments" such as "[if]" and "[endif]".

4.3
2005-09-07 CVE-2005-2818 Eric Fichot Cross-Site Scripting vulnerability in Eric Fichot Downfile 1.3

Cross-site scripting (XSS) vulnerability in DownFile 1.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter to (1) email.php, (2) index.php, (3) del.php, or (4) add_form.php.

4.3
2005-09-07 CVE-2005-2816 Greymatter Cross-Site Scripting vulnerability in Greymatter

Cross-site scripting (XSS) vulnerability in Greymatter allows remote attackers to inject arbitrary web script or HTML via a post comment, which is recorded in a log file but not properly handled when the administrator uses "View Control Panel Log" to read the log file.

4.3
2005-09-07 CVE-2005-2814 Flatnuke Cross-Site Scripting vulnerability in Flatnuke 2.5.6

Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.6 allows remote attackers to inject arbitrary web script or HTML via the usr parameter in a vis_reg operation to index.php.

4.3
2005-09-06 CVE-2005-2803 Hiki Cross-Site Scripting vulnerability in Hiki 0.8.0/0.8.1/0.8.2

Cross-site scripting (XSS) vulnerability in Hiki 0.8.1 to 0.8.2 allows remote attackers to inject arbitrary web script or HTML via a page name in a Login link, a different vulnerability than CVE-2005-2336.

4.3
2005-09-06 CVE-2005-2336 Hiki Cross-Site Scripting vulnerability in Hiki 0.8.0/0.8.1/0.8.2

Cross-site scripting (XSS) vulnerability in Hiki 0.8.0 to 0.8.2 allows remote attackers to inject arbitrary web script or HTML via "missing pages" in which the page name is not properly escaped, a different vulnerability than CVE-2005-2803.

4.3

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-09 CVE-2005-2873 Linux Remote Denial of Service vulnerability in Linux Kernel Netfilter Ipt_recent

The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and earlier does not properly perform certain time tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early, a different vulnerability than CVE-2005-2872.

2.1
2005-09-08 CVE-2005-2864 Urban Local Security vulnerability in Urban

URBAN 1.5.3_1 allows local users to overwrite arbitrary files via a symlink attack on the (1) high score or (2) save game files.

2.1
2005-09-08 CVE-2005-2851 Smb4K Unspecified vulnerability in Smb4K 0.4/0.5/0.6

smb4k 0.4 and other versions before 0.6.3 allows local users to read sensitive files via a symlink attack on the (1) smb4k.tmp or (2) sudoers temporary files.

2.1
2005-09-07 CVE-2005-2809 Silc Unspecified vulnerability in Silc Secure Internet Live Conferencing

silc daemon (silcd.c) in Secure Internet Live Conferencing (SILC) 1.0 and earlier allows local users to overwrite arbitrary files via a symlink attack on the silcd.[PID].stats temporary file.

2.1
2005-09-06 CVE-2005-2656 Polygen Local Denial of Service vulnerability in Polygen 1.0.6

Polygen before 1.0.6 generates precompiled grammar objects with world-writable permissions, which allows local users to cause a denial of service (disk consumption) and possibly perform other unauthorized activities.

2.1