Weekly Vulnerabilities Reports > September 26 to October 2, 2005

Overview

65 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 54 products from 44 vendors including Linux, SIX Apart, AVI Alkalay, Debian, and Mantis. Vulnerabilities are notably categorized as "Resource Management Errors", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 45 reported vulnerabilities are remotely exploitables.
  • 64 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 8 reported vulnerabilities.
  • Opera Software has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-27 CVE-2005-3068 Eric Integrated Development Environment Arbitrary Code Execution vulnerability in Eric3

Unspecified vulnerability in Eric Integrated Development Environment (eric3) before 3.7.2 has unknown impact and attack vectors related to a "potential security exploit."

10.0
2005-09-26 CVE-2005-3059 Opera Software Remote Security vulnerability in Opera Web Browser

Multiple unspecified vulnerabilities in Opera 8.50 on Linux and Windows have unknown impact and attack vectors, related to (1) " handling of must-revalidate cache directive for HTTPS pages" or (2) a "display issue with cookie comment encoding."

10.0

16 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-30 CVE-2005-3114 Nateon Buffer Overflow vulnerability in NateOn Messenger Arbitrary File Download And

Buffer overflow in the ActiveX control for NateOn Messenger (NateonDownloadManager.ocx) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long third argument to the GotNate.Excute method.

7.5
2005-09-30 CVE-2005-3113 Nateon Buffer Overflow vulnerability in NateOn Messenger Arbitrary File Download And

The ActiveX control for NateOn Messenger (NateonDownloadManager.ocx) allows remote attackers to download and execute arbitrary programs by setting the arguments to the GotNate.Excute method.

7.5
2005-09-28 CVE-2005-3096 AVI Alkalay Scripts Arbitrary Remote Command Execution vulnerability in Alkalay.Net

Avi Alkalay nslookup.cgi program, dated 16 June 2002, allows remote attackers to execute arbitrary commands via shell metacharacters in the query parameter.

7.5
2005-09-28 CVE-2005-3095 AVI Alkalay Scripts Arbitrary Remote Command Execution vulnerability in Alkalay.Net

Avi Alkalay notify program, dated 19 Aug 2001, allows remote attackers to execute arbitrary commands via shell metacharacters in the from parameter.

7.5
2005-09-28 CVE-2005-3094 AVI Alkalay Scripts Arbitrary Remote Command Execution vulnerability in Alkalay.Net

Avi Alkalay man-cgi script allows remote attackers to execute arbitrary code via shell metacharacters in the topic parameter.

7.5
2005-09-28 CVE-2005-3092 Image Line Software Heap Overflow vulnerability in Image-Line Software FL Studio 5.0.1

Heap-based buffer overflow in Image-Line Software FL Studio 5.0.1 allows remote attackers to execute arbitrary code via a .flp file that contains a long path to a (1) .mid or (2) .wav file.

7.5
2005-09-28 CVE-2005-2964 Abisource Buffer Overflow vulnerability in AbiWord RTF File Processing

Stack-based buffer overflow in AbiWord before 2.2.10 allows attackers to execute arbitrary code via the RTF import mechanism.

7.5
2005-09-27 CVE-2005-3082 SEO Board SQL Injection vulnerability in SEO-Board

SQL injection vulnerability in admin.php in SEO-Board 1.0.2 allows remote attackers to execute arbitrary SQL commands via the user_pass_sha1 value in a cookie.

7.5
2005-09-27 CVE-2005-3076 Simplog SQL Injection vulnerability in Simplog 0.9.1

Simplog 0.9.1 might allow remote attackers to execute arbitrary SQL commands or trigger SQL error messages via invalid (1) pid, (2) blogid, (3) cid, or (4) m parameters to archive.php, or the (5) blogid parameter to blogadmin.php.

7.5
2005-09-27 CVE-2005-3075 MPC Donkey SQL-Injection vulnerability in Zengaia

SQL injection vulnerability in Zengaia before 0.2 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

7.5
2005-09-27 CVE-2005-3074 Rsyslog SQL-Injection vulnerability in Rsyslogd

SQL injection vulnerability in rsyslogd in RSyslog before 1.0.1 and before 1.10.1 allows remote attackers to execute arbitrary SQL commands via crafted syslog messages.

7.5
2005-09-27 CVE-2005-3072 Interchange Development Group Multiple vulnerability in Interchange

SQL injection vulnerability in pages/forum/submit.html in Interchange 4.9.3 up to 5.2.0 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

7.5
2005-09-27 CVE-2005-3063 UNU Networks SQL Injection vulnerability in UNU Networks Mailgust 1.9

SQL injection vulnerability in MailGust 1.9 allows remote attackers to execute arbitrary SQL commands via the email field on the password reminder page.

7.5
2005-09-27 CVE-2005-3062 Alstrasoft Remote File Include vulnerability in Alstrasoft E-Friends 4.0

PHP remote file inclusion vulnerability in index.php in AlstraSoft E-Friends 4.0 allows remote attackers to execute arbitrary PHP code via the mode parameter.

7.5
2005-09-27 CVE-2005-3061 Powerarchiver Buffer Overflow vulnerability in PowerArchiver Long Filename

Multiple stack-based buffer overflows in PowerArchiver 8.10 through 9.5 Beta 4 and Beta 5 allow remote attackers to execute arbitrary code via a long filename in a (1) ACE or (2) ARJ archive.

7.5
2005-09-30 CVE-2005-3060 IBM Local Buffer Overflow vulnerability in IBM AIX Getconf

Buffer overflow in getconf in IBM AIX 5.2 to 5.3 allows local users to execute arbitrary code via unknown vectors.

7.2

28 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-27 CVE-2005-3086 Contentserv Local File Include vulnerability in Contentserv 3.1

Directory traversal vulnerability in admin/about.php in contentServ 3.1 allows remote attackers to read or include arbitrary files via ".." sequences in the ctsWebsite parameter.

6.4
2005-09-27 CVE-2005-2710 Realnetworks Unspecified vulnerability in Realnetworks Helix Player and Realplayer

Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat attribute in a RealPix (.rp) or RealText (.rt) file.

5.1
2005-09-30 CVE-2005-2917 Squid Denial Of Service vulnerability in Squid 2.5.9

Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart).

5.0
2005-09-28 CVE-2005-3102 SIX Apart The administrative interface in Movable Type allows attackers to upload files with arbitrary extensions under the web root.
5.0
2005-09-28 CVE-2005-3101 SIX Apart Information Disclosure vulnerability in SIX Apart Movable Type 3.17

The password reset feature in Movable Type before 3.2 generates different error messages depending on whether a user exists or not, which allows remote attackers to determine valid usernames.

5.0
2005-09-28 CVE-2005-3100 Astaro Remote Denial of Service vulnerability in Astaro Security Linux 4.027

Unspecified "PPTP Remote DoS Vulnerability" in Astaro Security Linux 4.027 allows attackers to cause a denial of service.

5.0
2005-09-28 CVE-2005-3097 AVI Alkalay Directory Traversal vulnerability in AVI Alkalay Contribute.Cgi 16Jun2002

Directory traversal vulnerability in Avi Alkalay contribute.cgi (aka contribute.pl), dated 16 Jun 2002, allows remote attackers to overwrite arbitrary files via ".." sequences in the contribdir variable.

5.0
2005-09-28 CVE-2005-3093 Nokia Remote OBEX Denial Of Service vulnerability in Nokia 3210 And 7610

Nokia 7610 and 3210 phones allows attackers to cause a denial of service via certain characters in the filename of a Bluetooth OBEX transfer.

5.0
2005-09-27 CVE-2005-3087 Securew2 Remote Security vulnerability in Securew2 3.0

The SecureW2 3.0 TLS implementation uses weak random number generators (rand and srand from system time) during generation of the pre-master secret (PMS), which makes it easier for attackers to guess the secret and decrypt sensitive data.

5.0
2005-09-27 CVE-2005-3084 Sony Denial-Of-Service vulnerability in Sony Playstation Portable 2.0Firmware

Buffer overflow in the TIFF library in the Photo Viewer for Sony PSP 2.0 firmware allows remote attackers to cause a denial of service via a crafted TIFF image.

5.0
2005-09-27 CVE-2005-3080 Geshi Local File Include vulnerability in GeSHI

contrib/example.php in GeSHi before 1.0.7.3 allows remote attackers to read arbitrary files via the language field without a source field set.

5.0
2005-09-27 CVE-2005-3077 Microsoft Denial of Service vulnerability in Microsoft IE for Macintosh 5.2.3

Microsoft Internet Explorer 5.2.3 for Mac OS allows remote attackers to cause a denial of service (crash) via a web page with malformed attributes in a BGSOUND tag, possibly involving double-quotes in an about: URI.

5.0
2005-09-27 CVE-2005-3073 Interchange Development Group Multiple vulnerability in Interchange Development Group Interchange 4.9.3/5.0/5.2

Unspecified vulnerability in Interchange 5.0.1 allows attackers 4.9.3, 5.0 before 5.0.2, and 5.2, when a catalog has been created using the (1) "mike", (2) "standard", or (3) "foundation" demo, allows attackers to inject Interchange Tag Language (ITL) elements into the forum/submit.html page.

5.0
2005-09-27 CVE-2005-3065 Multitheftauto Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Multitheftauto

MultiTheftAuto 0.5 patch 1 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted command 40 that causes a -1 length to be used and triggers an out-of-bounds read.

5.0
2005-09-27 CVE-2005-3064 Multitheftauto Denial-Of-Service vulnerability in MultiTheftAuto

MultiTheftAuto 0.5 patch 1 and earlier does not properly verify client privileges when running command 40, which allows remote attackers to change or delete the message of the day (motd.txt).

5.0
2005-09-28 CVE-2005-3099 SUN Local Security vulnerability in Solaris

Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code.

4.6
2005-09-28 CVE-2005-3098 Qualcomm Local Arbitrary File Modification vulnerability in Qualcomm Qpopper 4.0.8

poppassd in Qualcomm qpopper 4.0.8 allows local users to modify arbitrary files and gain privileges via the -t (trace file) command line argument.

4.6
2005-09-27 CVE-2005-3081 Wzdftpd Unspecified vulnerability in Wzdftpd 0.5.4

wzdftpd 0.5.4 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the SITE command.

4.6
2005-09-27 CVE-2005-3079 Punbb Remote Security vulnerability in Punbb

PunBB before 1.2.8 allows remote attackers to perform "code inclusion" via the user language selection.

4.6
2005-09-28 CVE-2005-3103 SIX Apart Cross-Site Scripting vulnerability in SIX Apart Movable Type 3.16

Cross-site scripting (XSS) vulnerability in Movable Type before 3.2 allows remote attackers to inject arbitrary web script or HTML via the (1) title, (2) category, (3) body, (4) extended body, and (5) excerpt form fields in new blog entries.

4.3
2005-09-28 CVE-2005-3091 Mantis Remote vulnerability in Mantis

Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, as identified by bug#0005751 "thraxisp".

4.3
2005-09-28 CVE-2005-3090 Mantis Cross-Site Scripting vulnerability in Mantis

Cross-site scripting (XSS) vulnerability in bug_actiongroup_page.php in Mantis 0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary web script or HTML via the summary of the bug, which is not quoted when view_all_bug_page.php is used to delete the bug, as identified by bug#0006002, a different vulnerability than CVE-2005-2557.

4.3
2005-09-28 CVE-2005-2557 Mantis
Debian
Gentoo
Input Validation vulnerability in Mantis

Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis 0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary web script or HTML via the dir parameter, as identified by bug#0005959, and a different vulnerability than CVE-2005-3090.

4.3
2005-09-27 CVE-2005-3085 Riverdark Studios Cross-Site Scripting vulnerability in Riverdark Studios RSS Syndicator Module 2.1.7

Multiple cross-site scripting (XSS) vulnerabilities in rss.php in Riverdark Studios RSS Syndicator module 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) forum or (2) topic parameters.

4.3
2005-09-27 CVE-2005-3083 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 0.10

Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simple 0.10 allows remote attackers to inject arbitrary web script or HTML via the page parameter.

4.3
2005-09-27 CVE-2005-3078 Punbb Cross-Site Scripting vulnerability in Punbb

Cross-site scripting (XSS) vulnerability in PunBB before 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the "forgotten e-mail" feature.

4.3
2005-09-27 CVE-2005-3067 Scriptsolutions Cross-Site Scripting vulnerability in PerlDiver

Cross-site scripting (XSS) vulnerability in perldiver.cgi in PerlDiver 2.x allows remote attackers to inject arbitrary web script or HTML via the module parameter.

4.3
2005-09-27 CVE-2005-3066 Scriptsolutions Cross-Site Scripting vulnerability in PerlDiver

Cross-site scripting (XSS) vulnerability in perldiver.pl in PerlDiver 1.x allows remote attackers to inject arbitrary web script or HTML via the query string.

4.3

19 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-09-27 CVE-2005-3070 Hylafax Unspecified vulnerability in Hylafax

HylaFax 4.2.1 and earlier does not create or verify ownership of the UNIX domain socket, which might allow local users to read faxes and cause a denial of service by creating the socket using the hyla.unix temporary file.

3.6
2005-09-30 CVE-2005-3110 Linux Multiple Security vulnerability in Linux Kernel 2.6.0

Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6, when running on an SMP system that is operating under a heavy load, might allow remote attackers to cause a denial of service (crash) via a series of packets that cause a value to be modified after it has been read but before it has been locked.

2.6
2005-09-28 CVE-2005-3104 SIX Apart Remote Security vulnerability in SIX Apart Movable Type 3.16

mt-comments.cgi in Movable Type before 3.2 allows attackers to redirect users to other web sites via URLs in comments.

2.6
2005-09-28 CVE-2005-3089 Mozilla Remote Denial of Service vulnerability in Multiple Browser Proxy Auto-Config Script Handling

Firefox 1.0.6 allows attackers to cause a denial of service (crash) via a Proxy Auto-Config (PAC) script that uses an eval statement.

2.6
2005-09-30 CVE-2005-2660 Apachetop Unspecified vulnerability in Apachetop

apachetop 0.12.5 and earlier, when running in debug mode, allows local users to create or append to arbitrary files via a symlink attack on atop.debug.

2.1
2005-09-30 CVE-2005-3115 Mpeg Tools Unspecified vulnerability in Mpeg-Tools

mpeg-tools before 1.5b-r2 creates multiple temporary files insecurely, which allows local users to overwrite arbitrary files via (1) ts.stat, (2) ts.mpg, (3) foobar, (4) blockbar, or (5) foobar[NNN].

2.1
2005-09-30 CVE-2005-2962 Ntlmaps Unspecified vulnerability in Ntlmaps

The post-installation script for ntlmaps before 0.9.9 sets world-readable permissions for the configuration file, which allows local users to obtain the username and password.

2.1
2005-09-30 CVE-2005-3112 Macromedia Unspecified vulnerability in Macromedia Breeze 5

The "reset password" feature in Macromedia Breeze 5.0 stores passwords in plaintext in the database instead of the hash, which allows attackers with access to the database to obtain the passwords.

2.1
2005-09-30 CVE-2005-3111 Debian Unspecified vulnerability in Debian Backupninja 0.8

The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.

2.1
2005-09-30 CVE-2005-3109 Linux Resource Management Errors vulnerability in Linux Kernel 2.6.0

The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to cause a denial of service (oops) by using hfsplus to mount a filesystem that is not hfsplus.

2.1
2005-09-30 CVE-2005-3108 Linux Multiple Security vulnerability in Linux Kernel 2.6.0

mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to cause a denial of service or an information leak via an ioremap on a certain memory map that causes the iounmap to perform a lookup of a page that does not exist.

2.1
2005-09-30 CVE-2005-3107 Linux Multiple Security vulnerability in Linux Kernel 2.6.0

fs/exec.c in Linux 2.6, when one thread is tracing another thread that shares the same memory map, might allow local users to cause a denial of service (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state.

2.1
2005-09-30 CVE-2005-3105 Linux Denial-Of-Service vulnerability in Linux Kernel 2.6.0

The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito processors does not properly maintain cache coherency as required by the architecture, which allows local users to cause a denial of service and possibly corrupt data by modifying PTE protections.

2.1
2005-09-27 CVE-2005-3071 SUN Denial-Of-Service vulnerability in Solaris

Unspecified vulnerability in Unix File System (UFS) on Solaris 8 and 9, when logging is enabled, allows local users to cause a denial of service ("soft hang") via certain write operations to UFS.

2.1
2005-09-27 CVE-2005-3069 Hylafax Unspecified vulnerability in Hylafax 4.2.1

xferfaxstats in HylaFax 4.2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on the xferfax$$ temporary file.

2.1
2005-09-26 CVE-2005-3055 Linux
Debian
Improper Input Validation vulnerability in multiple products

Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.

2.1
2005-09-26 CVE-2005-3054 PHP Unspecified vulnerability in PHP 4.4.0

fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not properly restrict access to other directories when the open_basedir directive includes a trailing slash, which allows PHP scripts in one directory to access files in other directories whose names are substrings of the original directory.

2.1
2005-09-26 CVE-2005-3053 Linux Multiple Security vulnerability in Linux Kernel 2.6.0

The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x allows local users to cause a denial of service (kernel BUG()) via a negative first argument.

2.1
2005-09-30 CVE-2005-3106 Linux Multiple Security vulnerability in Linux Kernel 2.6.0

Race condition in Linux 2.6, when threads are sharing memory mapping via CLONE_VM (such as linuxthreads and vfork), might allow local users to cause a denial of service (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.

1.2