Weekly Vulnerabilities Reports > September 12 to 18, 2005
Overview
56 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary reports vulnerabilities in 41 products from 40 vendors including Linksys, Pblang, Linux, Maxdev, and Adaptive Technology Resource Centre. Vulnerabilities are notably categorized as "Use of a Broken or Risky Cryptographic Algorithm", "Permissions, Privileges, and Access Controls", and "Numeric Errors".
- 44 reported vulnerabilities are remotely exploitable.
- 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
- 56 reported vulnerabilities are exploitable by an anonymous user.
- Linksys has the most reported vulnerabilities, with 5 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
0 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
21 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-09-16 | CVE-2005-2957 | Avira | Remote Buffer Overflow vulnerability in Avira Desktop 1.00.00.68: Stack-based buffer overflow in AVIRA Desktop for Windows 1.00.00.68 with AVPACK32.DLL 6.31.0.3, when archive scanning is enabled, allows remote attackers to execute arbitrary code via a long filename in an ACE archive. | 7.5 |
2005-09-16 | CVE-2005-2954 | Adaptive Technology Resource Centre | SQL Injection vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1: SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field. | 7.5 |
2005-09-16 | CVE-2005-2951 | Azerbaijan Development Group | Directory Traversal vulnerability in Azerbaijan Development Group Azdgdating 2.1.3: Directory traversal vulnerability in security.inc.php in AzDGDatingLite 2.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary PHP commands via ".." sequences and "%00" (trailing null byte) characters in the l parameter, which is used in an include_once statement. | 7.5 |
2005-09-16 | CVE-2005-2949 | Mark D Roth | Authentication Bypass vulnerability in Mark D. Roth PAM PER User 0.1/0.2/0.3: pam_per_user before 0.4 does not verify if the user name changes between authentication attempts and uses the same subrequest handle, which allows remote attackers or local users to login as other users by using certain applications that allow the username to be changed during authentication, such as /bin/login. | 7.5 |
2005-09-16 | CVE-2005-2946 | Openssl Canonical | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products: The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature. | 7.5 |
2005-09-16 | CVE-2005-2877 | Twiki | Remote Arbitrary Command Execution vulnerability in TWiki TWikiUsers: The history (revision control) function in TWiki 02-Sep-2004 and earlier allows remote attackers to execute arbitrary code via shell metacharacters, as demonstrated via the rev parameter to TWikiUsers. | 7.5 |
2005-09-15 | CVE-2005-2799 | Linksys | Remote Security vulnerability in Linksys Wrt54G 3.01.3/3.03.6: Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request. | 7.5 |
2005-09-15 | CVE-2005-2658 | Softwolves Software | Remote Buffer Overflow vulnerability in Softwolves Software Turquoise Superstat 2.2.4: Buffer overflow in utility.cpp in Turquoise SuperStat (turqstat) 2.2.4 and earlier might allow remote NNTP servers to execute arbitrary code via a date with a long month. | 7.5 |
2005-09-14 | CVE-2005-2914 | Linksys | Remote Security vulnerability in Linksys Wrt54G 2.04.4/3.01.3/3.03.6: ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, does not use an authentication initialization function, which allows remote attackers to obtain encrypted configuration information and, if the key is known, modify the configuration. | 7.5 |
2005-09-14 | CVE-2005-2903 | Eset Software | Remote Buffer Overflow vulnerability in Eset Software Nod32 Antivirus 2.5: Heap-based buffer overflow in NOD32 2.5 with nod32.002 1.033 build 1127, with active scanning enabled, allows remote attackers to execute arbitrary code via an ARJ archive containing a file with a long filename. | 7.5 |
2005-09-14 | CVE-2005-2902 | Class 1 | SQL Injection vulnerability in Class-1 Forum: SQL injection vulnerability in class-1 Forum Software 0.24.4 allows remote attackers to execute arbitrary SQL commands and bypass the file extension check via SQL code in the file extension of an uploaded file. | 7.5 |
2005-09-14 | CVE-2005-2896 | Stylemotion | SQL Injection vulnerability in Stylemotion web News 1.4: SQL injection vulnerability in WEB//NEWS 1.4 allows remote attackers to execute arbitrary SQL commands via the (1) wn_userpw parameter to startup.php, (2) cat, (3) id, or (4) stof parameter to news.php, or (5) id parameter to print.php. | 7.5 |
2005-09-14 | CVE-2005-2893 | Pblang | Remote Security vulnerability in Pblang 4.65: Direct static code injection vulnerability in setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via the username (u parameter), which is directly injected into a file that is later executed upon login. | 7.5 |
2005-09-14 | CVE-2005-2889 | Checkpoint | Security Bypass vulnerability in Checkpoint Connectra NGX R60: Check Point NGX R60 does not properly verify packets against the predefined service group "CIFS" rule, which allows remote attackers to bypass intended restrictions. | 7.5 |
2005-09-14 | CVE-2005-2888 | Mybulletinboard | SQL-Injection vulnerability in MyBB: Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) Preview Release 2 allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter to misc.php or (2) Content-Disposition field in the HTTP header to newreply.php. | 7.5 |
2005-09-14 | CVE-2005-2885 | Maxdev | Remote File Upload vulnerability in Maxdev Md-Pro 1.0.73: The Downloads page in MAXdev MD-Pro 1.0.73, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which could allow remote attackers to bypass file extension checks and execute arbitrary commands by uploading a file with a different extension, as demonstrated using .inc files. | 7.5 |
2005-09-14 | CVE-2005-2881 | Phpcommunitycalendar | Security Bypass vulnerability in PHPcommunitycalendar 4.0.3: phpCommunityCalendar 4.0.3 allows remote attackers to bypass authentication and gain unauthorized access via a direct request to the admin directory. | 7.5 |
2005-09-14 | CVE-2005-2880 | Phpcommunitycalendar | SQL Injection vulnerability in PHPcommunitycalendar 4.0/4.0.1/4.0.3: Multiple SQL injection vulnerabilities in phpCommunityCalendar 4.0.3, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via the (1) login field in login.php or (2) LocationID parameter to week.php. | 7.5 |
2005-09-13 | CVE-2005-2878 | GNU | Remote Format String vulnerability in GNU Mailutils 0.6: Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command. | 7.5 |
2005-09-13 | CVE-2005-2875 | Py2Play | Remote Python Code Execution vulnerability in Py2Play Object Unpickling: Py2Play allows remote attackers to execute arbitrary Python code via pickled objects, which Py2Play unpickles and executes. | 7.5 |
2005-09-13 | CVE-2005-2876 | Andries Brouwer | Unspecified vulnerability in Andries Brouwer Util-Linux: umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags. | 7.2 |
30 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-09-14 | CVE-2005-2891 | Csystems | Unspecified vulnerability in Csystems Webarchivex 5.5.0.76: WebArchiveX.dll 5.5.0.76 installed before September 6th, 2005 is marked safe for scripting by default, which allows remote attackers to read or write to arbitrary files via the (1) MakeArchive or (2) MakeArchiveStr methods. | 6.4 |
2005-09-16 | CVE-2005-2947 | Killprocess | Local Privilege Escalation vulnerability in KillProcess: Buffer overflow in KillProcess 2.20 and earlier allows user-assisted attackers to execute arbitrary code via an exe file with a long FileDescription in the version resource. | 5.1 |
2005-09-15 | CVE-2005-2495 | Xfree86 Project | Numeric Errors vulnerability in Xfree86 Project Xfree86: Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. | 5.1 |
2005-09-16 | CVE-2005-2956 | Adaptive Technology Resource Centre | Remote Information Disclosure vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1: ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those files. | 5.0 |
2005-09-16 | CVE-2005-2952 | Subscribe ME PRO | Remote Directory Traversal vulnerability in Subscribe Me Pro S.PL: Directory traversal vulnerability in s.pl in Subscribe Me Pro 2.044.09P and earlier allows remote attackers to read arbitrary files via a .. | 5.0 |
2005-09-15 | CVE-2005-2918 | Gtkdiskfree | Unspecified vulnerability in Gtkdiskfree: The open_cmd_tube function in mount.c for gtkdiskfree 1.9.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the gtkdiskfree temporary file. | 5.0 |
2005-09-14 | CVE-2005-2916 | Linksys | Remote Security vulnerability in Linksys Wrt54G 3.01.3/3.03.6/4.00.7: Linksys WRT54G 3.01.03, 3.03.6, 4.00.7, and possibly other versions before 4.20.7, does not verify user authentication until after an HTTP POST request has been processed, which allows remote attackers to (1) modify configuration using restore.cgi or (2) upload new firmware using upgrade.cgi. | 5.0 |
2005-09-14 | CVE-2005-2915 | Linksys | Remote Security vulnerability in Linksys Wrt54G 2.04.4Nondefault/3.01.3/3.03.6: ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, uses weak encryption (XOR encoding with a fixed byte mask) for configuration information, which could allow attackers to decrypt the information and possibly re-encrypt it in conjunction with CVE-2005-2914. | 5.0 |
2005-09-14 | CVE-2005-2912 | Linksys | Denial-Of-Service vulnerability in Linksys Wrt54G 3.01.3/3.03.6/4.00.7: Linksys WRT54G router allows remote attackers to cause a denial of service (CPU consumption and server hang) via an HTTP POST request with a negative Content-Length value. | 5.0 |
2005-09-14 | CVE-2005-2904 | Zebedee | Remote Denial Of Service vulnerability in Zebedee 2.4.1: Zebedee 2.4.1, when "allowed redirection port" is not set, allows remote attackers to cause a denial of service (application crash) via a zero in the port number of the protocol option header, which triggers an assert error in the makeConnection function in zebedee.c. | 5.0 |
2005-09-14 | CVE-2005-2897 | Stylemotion | Information Disclosure vulnerability in Stylemotion web News 1.4: WEB//NEWS 1.4 allows remote attackers to obtain sensitive information via a direct request to files in the actions directory, which reveal the path in an error message, as demonstrated using cat.add.php. | 5.0 |
2005-09-14 | CVE-2005-2895 | Pblang | Information Disclosure vulnerability in Pblang 4.65: setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to obtain sensitive information via a %00 (a null byte) in the u parameter, which reveals the path in an error message. | 5.0 |
2005-09-14 | CVE-2005-2892 | Pblang | Directory Traversal vulnerability in Pblang 4.65: Directory traversal vulnerability in setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to read arbitrary files via ".." sequences and "%00" (trailing null byte) in the u parameter. | 5.0 |
2005-09-14 | CVE-2005-2887 | Maxdev | Information Disclosure vulnerability in Maxdev Md-Pro 1.0.73: MAXdev MD-Pro 1.0.73, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to (1) wiki.php, (2) AutoTheme directory, (3) Blocks directory, (4) admin.php, (5) pnadmin.php, or (6) Topics directory, which reveal the path in an error message. | 5.0 |
2005-09-13 | CVE-2005-2874 | Easy Software Products | Unspecified vulnerability in Easy Software products Cups: The is_path_absolute function in scheduler/client.c for the daemon in CUPS before 1.1.23 allows remote attackers to cause a denial of service (CPU consumption by tight loop) via a "..\.." URL in an HTTP request. | 5.0 |
2005-09-16 | CVE-2005-2955 | Adaptive Technology Resource Centre | Local Security vulnerability in Adaptive Technology Resource Centre Atutor 1.5.1: config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which allows authenticated administrators or educators to execute arbitrary code by uploading files with other executable extensions such as .inc, .php4, or others. | 4.6 |
2005-09-16 | CVE-2005-2657 | Common Lisp Controller | Unspecified vulnerability in Common-Lisp-Controller 4.18: Unknown vulnerability in common-lisp-controller 4.18 and earlier allows local users to gain privileges by compiling arbitrary code in the cache directory, which is executed by another user if the user has not run Common Lisp before. | 4.6 |
2005-09-16 | CVE-2005-2944 | Brent ELY | Local Security vulnerability in Brent ELY Gnome Workstation Command Center 0.9.8: The perform_file_save function in GNOME Workstation Command Center (gwcc) 0.9.6 and earlier allows local users to create and overwrite arbitrary files via a symlink attack on the gwcc_out.txt temporary file. | 4.6 |
2005-09-15 | CVE-2005-2935 | Microsoft | Local Security vulnerability in Microsoft AntiSpyware: Unquoted Windows search path vulnerability in Microsoft AntiSpyware might allow local users to execute code via a malicious c:\program.exe file, which is run by AntiSpywareMain.exe when it attempts to execute gsasDtServ.exe. | 4.6 |
2005-09-14 | CVE-2005-2890 | Secureol | Unspecified vulnerability in Secureol VE2 1.05.1008: SecureOL VE2 1.05.1008 does not properly restrict public access to physical memory, which allows local users to bypass intended restrictions and gain access to the secured environment via direct access to the PhysicalMemory device. | 4.6 |
2005-09-14 | CVE-2005-2490 | Linux | Local Buffer Overflow vulnerability in Linux Kernel Sendmsg(): Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread. | 4.6 |
2005-09-16 | CVE-2005-2953 | Miva | Cross-Site Scripting vulnerability in Miva Merchant 5.0: Cross-site scripting (XSS) vulnerability in merchant.mvc in MIVA Merchant 5 allows remote attackers to inject arbitrary web script or HTML via the Customer_Login parameter. | 4.3 |
2005-09-16 | CVE-2005-2950 | Sawmill | Cross-Site Scripting vulnerability in Sawmill: Cross-site scripting (XSS) vulnerability in Sawmill 7.0.0 through 7.1.13 allows remote attackers to inject arbitrary web script or HTML via the query string in an HTTP GET request. | 4.3 |
2005-09-14 | CVE-2005-2901 | CJ Design | Unspecified vulnerability in CJ Design Cjweb2Mail 3.0: Multiple cross-site scripting (XSS) vulnerabilities in CjWeb2Mail 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) message, or (3) ip parameter to thankyou.php or (4) emsg parameter to web2mail.php. | 4.3 |
2005-09-14 | CVE-2005-2900 | CJ Design | Unspecified vulnerability in CJ Design Cjlinkout 1.0: Cross-site scripting (XSS) vulnerability in top.php in CjLinkOut 1.0 allows remote attackers to inject arbitrary web script or HTML via the 123 parameter. | 4.3 |
2005-09-14 | CVE-2005-2899 | CJ Design | Unspecified vulnerability in CJ Design CJ TAG Board 3.0: Multiple cross-site scripting (XSS) vulnerabilities in details.php in CjTagBoard 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) date, (2) time, (3) name, (4) ip, (5) agent, or (6) msg parameter. | 4.3 |
2005-09-14 | CVE-2005-2894 | Pblang | HTML Injection vulnerability in Pblang 4.65: Cross-site scripting (XSS) vulnerability in the user registration in PBLang 4.65, and possibly earlier versions, allows remote attackers to inject arbitrary web script or PHP via the location field. | 4.3 |
2005-09-14 | CVE-2005-2886 | Maxdev | Cross-Site Scripting vulnerability in MAXdev MD-Pro: Multiple cross-site scripting (XSS) vulnerabilities in MAXdev MD-Pro 1.0.73, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via (1) the print parameter to the print module, the sitename parameter to (2) bb_smilies or (3) bbcode_ref module, or (4) the hlpfile parameter to openwindow.php. | 4.3 |
2005-09-14 | CVE-2005-2884 | Neocrome | HTML Injection vulnerability in Land Down Under: Cross-site scripting (XSS) vulnerability in events.php in Land Down Under (LDU) 801 and earlier allows remote attackers to inject arbitrary web script or HTML via the Description field in an event. | 4.3 |
2005-09-14 | CVE-2005-2882 | Phpcommunitycalendar | Remote Cross-Site Scripting vulnerability in PHPcommunitycalendar 4.0/4.0.1/4.0.3: Multiple cross-site scripting (XSS) vulnerabilities in phpCommunityCalendar 4.0.3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the LocationID parameter to (1) thankyou.php or (2) day.php, font parameter to (3) calDaily.php, (4) calMonthly.php, (5) calMonthlyP.php, (6) calWeekly.php, (7) calWeeklyP.php, (8) calYearly.php, (9) calYearlyP.php, (10) day.php, or (11) week.php, or (12) CeTi, (13) Contact, (14) Description, (15) ShowAddress parameter to event.php, and other attack vectors. | 4.3 |
5 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-09-14 | CVE-2005-2492 | Canonical Redhat Linux | Permissions, Privileges, and Access Controls vulnerability in multiple products: The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input. | 3.6 |
2005-09-16 | CVE-2005-2948 | Killprocess | KillProcess 2.20 and earlier allows local users to bypass kill list restrictions by launching multiple processes at the same time, which are not all killed by KillProcess. | 2.1 |
2005-09-16 | CVE-2005-2945 | ARC | Unspecified vulnerability in ARC: arc 5.21j and earlier create temporary files with world-readable permissions, which allows local users to read sensitive information from files created by (1) arc (arc.c) or (2) marc (marc.c). | 2.1 |
2005-09-14 | CVE-2005-2879 | Advansysperu Software | Information Disclosure vulnerability in Advansysperu Software USB Lock Auto-Protect 1.5: Advansysperu Software USB Lock Auto-Protect (AP) 1.5 uses a weak encryption scheme to encrypt passwords, which allows local users to gain sensitive information and bypass USB interface protection. | 2.1 |
2005-09-14 | CVE-2005-1913 | Linux | Local Denial Of Service vulnerability in Linux Kernel Subthread Exec: The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist. | 2.1 |