Weekly Vulnerabilities Reports > September 12 to 18, 2005

Overview

56 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary reports vulnerabilities in 41 products from 40 vendors including Linksys, Pblang, Linux, Maxdev, and Adaptive Technology Resource Centre. Vulnerabilities are notably categorized as "Use of a Broken or Risky Cryptographic Algorithm", "Permissions, Privileges, and Access Controls", and "Numeric Errors".

  • 44 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 56 reported vulnerabilities are exploitable by an anonymous user.
  • Linksys has the most reported vulnerabilities, with 5 reported vulnerabilities.

Summary table columns: Total vulnerabilities; Critical risk vulnerabilities; High risk vulnerabilities; Medium risk vulnerabilities; Low risk vulnerabilities; Remotely exploitable; Locally exploitable; Exploit available; Exploitable anonymously; Affecting web application.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-16 CVE-2005-2957 Avira Remote Buffer Overflow vulnerability in Avira Desktop 1.00.00.68

Stack-based buffer overflow in AVIRA Desktop for Windows 1.00.00.68 with AVPACK32.DLL 6.31.0.3, when archive scanning is enabled, allows remote attackers to execute arbitrary code via a long filename in an ACE archive.

7.5
2005-09-16 CVE-2005-2954 Adaptive Technology Resource Centre SQL Injection vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1

SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field.

7.5
2005-09-16 CVE-2005-2951 Azerbaijan Development Group Directory Traversal vulnerability in Azerbaijan Development Group Azdgdating 2.1.3

Directory traversal vulnerability in security.inc.php in AzDGDatingLite 2.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary PHP commands via ".." sequences and "%00" (trailing null byte) characters in the l parameter, which is used in an include_once statement.

7.5
2005-09-16 CVE-2005-2949 Mark D Roth Authentication Bypass vulnerability in Mark D. Roth PAM PER User 0.1/0.2/0.3

pam_per_user before 0.4 does not verify if the user name changes between authentication attempts and uses the same subrequest handle, which allows remote attackers or local users to login as other users by using certain applications that allow the username to be changed during authentication, such as /bin/login.

7.5
2005-09-16 CVE-2005-2946 Openssl / Canonical Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.

7.5
2005-09-16 CVE-2005-2877 Twiki Remote Arbitrary Command Execution vulnerability in TWiki TWikiUsers

The history (revision control) function in TWiki 02-Sep-2004 and earlier allows remote attackers to execute arbitrary code via shell metacharacters, as demonstrated via the rev parameter to TWikiUsers.

7.5
2005-09-15 CVE-2005-2799 Linksys Remote Security vulnerability in Linksys Wrt54G 3.01.3/3.03.6

Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request.

7.5
2005-09-15 CVE-2005-2658 Softwolves Software Remote Buffer Overflow vulnerability in Softwolves Software Turquoise Superstat 2.2.4

Buffer overflow in utility.cpp in Turquoise SuperStat (turqstat) 2.2.4 and earlier might allow remote NNTP servers to execute arbitrary code via a date with a long month.

7.5
2005-09-14 CVE-2005-2914 Linksys Remote Security vulnerability in Linksys Wrt54G 2.04.4/3.01.3/3.03.6

ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, does not use an authentication initialization function, which allows remote attackers to obtain encrypted configuration information and, if the key is known, modify the configuration.

7.5
2005-09-14 CVE-2005-2903 Eset Software Remote Buffer Overflow vulnerability in Eset Software Nod32 Antivirus 2.5

Heap-based buffer overflow in NOD32 2.5 with nod32.002 1.033 build 1127, with active scanning enabled, allows remote attackers to execute arbitrary code via an ARJ archive containing a file with a long filename.

7.5
2005-09-14 CVE-2005-2902 Class 1 SQL Injection vulnerability in Class-1 Forum

SQL injection vulnerability in class-1 Forum Software 0.24.4 allows remote attackers to execute arbitrary SQL commands and bypass the file extension check via SQL code in the file extension of an uploaded file.

7.5
2005-09-14 CVE-2005-2896 Stylemotion SQL Injection vulnerability in Stylemotion web News 1.4

SQL injection vulnerability in WEB//NEWS 1.4 allows remote attackers to execute arbitrary SQL commands via the (1) wn_userpw parameter to startup.php, (2) cat, (3) id, or (4) stof parameter to news.php, or (5) id parameter to print.php.

7.5
2005-09-14 CVE-2005-2893 Pblang Remote Security vulnerability in Pblang 4.65

Direct static code injection vulnerability in setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via the username (u parameter), which is directly injected into a file that is later executed upon login.

7.5
2005-09-14 CVE-2005-2889 Checkpoint Security Bypass vulnerability in Checkpoint Connectra NGX R60

Check Point NGX R60 does not properly verify packets against the predefined service group "CIFS" rule, which allows remote attackers to bypass intended restrictions.

7.5
2005-09-14 CVE-2005-2888 Mybulletinboard SQL-Injection vulnerability in MyBB

Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) Preview Release 2 allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter to misc.php or (2) Content-Disposition field in the HTTP header to newreply.php.

7.5
2005-09-14 CVE-2005-2885 Maxdev Remote File Upload vulnerability in Maxdev Md-Pro 1.0.73

The Downloads page in MAXdev MD-Pro 1.0.73, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which could allow remote attackers to bypass file extension checks and execute arbitrary commands by uploading a file with a different extension, as demonstrated using .inc files.

7.5
2005-09-14 CVE-2005-2881 Phpcommunitycalendar Security Bypass vulnerability in PHPcommunitycalendar 4.0.3

phpCommunityCalendar 4.0.3 allows remote attackers to bypass authentication and gain unauthorized access via a direct request to the admin directory.

7.5
2005-09-14 CVE-2005-2880 Phpcommunitycalendar SQL Injection vulnerability in PHPcommunitycalendar 4.0/4.0.1/4.0.3

Multiple SQL injection vulnerabilities in phpCommunityCalendar 4.0.3, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via the (1) login field in login.php or (2) LocationID parameter to week.php.

7.5
2005-09-13 CVE-2005-2878 GNU Remote Format String vulnerability in GNU Mailutils 0.6

Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command.

7.5
2005-09-13 CVE-2005-2875 Py2Play Remote Python Code Execution vulnerability in Py2Play Object Unpickling

Py2Play allows remote attackers to execute arbitrary Python code via pickled objects, which Py2Play unpickles and executes.

7.5
2005-09-13 CVE-2005-2876 Andries Brouwer Unspecified vulnerability in Andries Brouwer Util-Linux

umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.

7.2

30 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-14 CVE-2005-2891 Csystems Unspecified vulnerability in Csystems Webarchivex 5.5.0.76

WebArchiveX.dll 5.5.0.76 installed before September 6th, 2005 is marked safe for scripting by default, which allows remote attackers to read or write to arbitrary files via the (1) MakeArchive or (2) MakeArchiveStr methods.

6.4
2005-09-16 CVE-2005-2947 Killprocess Local Privilege Escalation vulnerability in KillProcess

Buffer overflow in KillProcess 2.20 and earlier allows user-assisted attackers to execute arbitrary code via an exe file with a long FileDescription in the version resource.

5.1
2005-09-15 CVE-2005-2495 Xfree86 Project Numeric Errors vulnerability in Xfree86 Project Xfree86

Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.

5.1
2005-09-16 CVE-2005-2956 Adaptive Technology Resource Centre Remote Information Disclosure vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1

ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those files.

5.0
2005-09-16 CVE-2005-2952 Subscribe ME PRO Remote Directory Traversal vulnerability in Subscribe Me Pro S.PL

Directory traversal vulnerability in s.pl in Subscribe Me Pro 2.044.09P and earlier allows remote attackers to read arbitrary files via a ..

5.0
2005-09-15 CVE-2005-2918 Gtkdiskfree Unspecified vulnerability in Gtkdiskfree

The open_cmd_tube function in mount.c for gtkdiskfree 1.9.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the gtkdiskfree temporary file.

5.0
2005-09-14 CVE-2005-2916 Linksys Remote Security vulnerability in Linksys Wrt54G 3.01.3/3.03.6/4.00.7

Linksys WRT54G 3.01.03, 3.03.6, 4.00.7, and possibly other versions before 4.20.7, does not verify user authentication until after an HTTP POST request has been processed, which allows remote attackers to (1) modify configuration using restore.cgi or (2) upload new firmware using upgrade.cgi.

5.0
2005-09-14 CVE-2005-2915 Linksys Remote Security vulnerability in Linksys Wrt54G 2.04.4Nondefault/3.01.3/3.03.6

ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, uses weak encryption (XOR encoding with a fixed byte mask) for configuration information, which could allow attackers to decrypt the information and possibly re-encrypt it in conjunction with CVE-2005-2914.

5.0
2005-09-14 CVE-2005-2912 Linksys Denial-Of-Service vulnerability in Linksys Wrt54G 3.01.3/3.03.6/4.00.7

Linksys WRT54G router allows remote attackers to cause a denial of service (CPU consumption and server hang) via an HTTP POST request with a negative Content-Length value.

5.0
2005-09-14 CVE-2005-2904 Zebedee Remote Denial Of Service vulnerability in Zebedee 2.4.1

Zebedee 2.4.1, when "allowed redirection port" is not set, allows remote attackers to cause a denial of service (application crash) via a zero in the port number of the protocol option header, which triggers an assert error in the makeConnection function in zebedee.c.

5.0
2005-09-14 CVE-2005-2897 Stylemotion Information Disclosure vulnerability in Stylemotion web News 1.4

WEB//NEWS 1.4 allows remote attackers to obtain sensitive information via a direct request to files in the actions directory, which reveal the path in an error message, as demonstrated using cat.add.php.

5.0
2005-09-14 CVE-2005-2895 Pblang Information Disclosure vulnerability in Pblang 4.65

setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to obtain sensitive information via a %00 (a null byte) in the u parameter, which reveals the path in an error message.

5.0
2005-09-14 CVE-2005-2892 Pblang Directory Traversal vulnerability in Pblang 4.65

Directory traversal vulnerability in setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to read arbitrary files via ".." sequences and "%00" (trailing null byte) in the u parameter.

5.0
2005-09-14 CVE-2005-2887 Maxdev Information Disclosure vulnerability in Maxdev Md-Pro 1.0.73

MAXdev MD-Pro 1.0.73, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to (1) wiki.php, (2) AutoTheme directory, (3) Blocks directory, (4) admin.php, (5) pnadmin.php, or (6) Topics directory, which reveal the path in an error message.

5.0
2005-09-13 CVE-2005-2874 Easy Software Products Unspecified vulnerability in Easy Software products Cups

The is_path_absolute function in scheduler/client.c for the daemon in CUPS before 1.1.23 allows remote attackers to cause a denial of service (CPU consumption by tight loop) via a "..\.." URL in an HTTP request.

5.0
2005-09-16 CVE-2005-2955 Adaptive Technology Resource Centre Local Security vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1

config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which allows authenticated administrators or educators to execute arbitrary code by uploading files with other executable extensions such as .inc, .php4, or others.

4.6
2005-09-16 CVE-2005-2657 Common Lisp Controller Unspecified vulnerability in Common-Lisp-Controller 4.18

Unknown vulnerability in common-lisp-controller 4.18 and earlier allows local users to gain privileges by compiling arbitrary code in the cache directory, which is executed by another user if the user has not run Common Lisp before.

4.6
2005-09-16 CVE-2005-2944 Brent ELY Local Security vulnerability in Brent ELY Gnome Workstation Command Center 0.9.8

The perform_file_save function in GNOME Workstation Command Center (gwcc) 0.9.6 and earlier allows local users to create and overwrite arbitrary files via a symlink attack on the gwcc_out.txt temporary file.

4.6
2005-09-15 CVE-2005-2935 Microsoft Local Security vulnerability in Microsoft AntiSpyware

Unquoted Windows search path vulnerability in Microsoft AntiSpyware might allow local users to execute code via a malicious c:\program.exe file, which is run by AntiSpywareMain.exe when it attempts to execute gsasDtServ.exe.

4.6
2005-09-14 CVE-2005-2890 Secureol Unspecified vulnerability in Secureol VE2 1.05.1008

SecureOL VE2 1.05.1008 does not properly restrict public access to physical memory, which allows local users to bypass intended restrictions and gain access to the secured environment via direct access to the PhysicalMemory device.

4.6
2005-09-14 CVE-2005-2490 Linux Local Buffer Overflow vulnerability in Linux Kernel Sendmsg()

Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread.

4.6
2005-09-16 CVE-2005-2953 Miva Cross-Site Scripting vulnerability in Miva Merchant 5.0

Cross-site scripting (XSS) vulnerability in merchant.mvc in MIVA Merchant 5 allows remote attackers to inject arbitrary web script or HTML via the Customer_Login parameter.

4.3
2005-09-16 CVE-2005-2950 Sawmill Cross-Site Scripting vulnerability in Sawmill

Cross-site scripting (XSS) vulnerability in Sawmill 7.0.0 through 7.1.13 allows remote attackers to inject arbitrary web script or HTML via the query string in an HTTP GET request.

4.3
2005-09-14 CVE-2005-2901 CJ Design Unspecified vulnerability in CJ Design Cjweb2Mail 3.0

Multiple Cross-site scripting (XSS) vulnerabilities in CjWeb2Mail 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) message, or (3) ip parameter to thankyou.php or (4) emsg parameter to web2mail.php.

4.3
2005-09-14 CVE-2005-2900 CJ Design Unspecified vulnerability in CJ Design Cjlinkout 1.0

Cross-site scripting (XSS) vulnerability in top.php in CjLinkOut 1.0 allows remote attackers to inject arbitrary web script or HTML via the 123 parameter.

4.3
2005-09-14 CVE-2005-2899 CJ Design Unspecified vulnerability in CJ Design CJ TAG Board 3.0

Multiple cross-site scripting (XSS) vulnerabilities in details.php in CjTagBoard 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) date, (2) time, (3) name, (4) ip, (5) agent, or (6) msg parameter.

4.3
2005-09-14 CVE-2005-2894 Pblang HTML Injection vulnerability in Pblang 4.65

Cross-site scripting (XSS) vulnerability in the user registration in PBLang 4.65, and possibly earlier versions, allows remote attackers to inject arbitrary web script or PHP via the location field.

4.3
2005-09-14 CVE-2005-2886 Maxdev Cross-Site Scripting vulnerability in MAXdev MD-Pro

Multiple cross-site scripting (XSS) vulnerabilities in MAXdev MD-Pro 1.0.73, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via (1) the print parameter to the print module, the sitename parameter to (2) bb_smilies or (3) bbcode_ref module, or (4) the hlpfile parameter to openwindow.php.

4.3
2005-09-14 CVE-2005-2884 Neocrome HTML Injection vulnerability in Land Down Under

Cross-site scripting (XSS) vulnerability in events.php in Land Down Under (LDU) 801 and earlier allows remote attackers to inject arbitrary web script or HTML via the Description field in an event.

4.3
2005-09-14 CVE-2005-2882 Phpcommunitycalendar Remote Cross-Site Scripting vulnerability in PHPcommunitycalendar 4.0/4.0.1/4.0.3

Multiple cross-site scripting (XSS) vulnerabilities in phpCommunityCalendar 4.0.3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the LocationID parameter to (1) thankyou.php or (2) day.php, font parameter to (3) calDaily.php, (4) calMonthly.php, (5) calMonthlyP.php, (6) calWeekly.php, (7) calWeeklyP.php, (8) calYearly.php, (9) calYearlyP.php, (10) day.php, or (11) week.php, or (12) CeTi, (13) Contact, (14) Description, (15) ShowAddress parameter to event.php, and other attack vectors.

4.3

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-14 CVE-2005-2492 Canonical / Redhat / Linux Permissions, Privileges, and Access Controls vulnerability in multiple products

The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input.

3.6
2005-09-16 CVE-2005-2948 Killprocess

KillProcess 2.20 and earlier allows local users to bypass kill list restrictions by launching multiple processes at the same time, which are not all killed by KillProcess.

2.1
2005-09-16 CVE-2005-2945 ARC Unspecified vulnerability in ARC

arc 5.21j and earlier create temporary files with world-readable permissions, which allows local users to read sensitive information from files created by (1) arc (arc.c) or (2) marc (marc.c).

2.1
2005-09-14 CVE-2005-2879 Advansysperu Software Information Disclosure vulnerability in Advansysperu Software USB Lock Auto-Protect 1.5

Advansysperu Software USB Lock Auto-Protect (AP) 1.5 uses a weak encryption scheme to encrypt passwords, which allows local users to gain sensitive information and bypass USB interface protection.

2.1
2005-09-14 CVE-2005-1913 Linux Local Denial Of Service vulnerability in Linux Kernel Subthread Exec

The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist.

2.1