Weekly Vulnerabilities Reports > October 3 to 9, 2005
Overview
56 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 46 products from 38 vendors including Microsoft, PHP Fusion, Suse, Mediawiki, and Icewarp. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", and "Cleartext Transmission of Sensitive Information".
- 43 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 56 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 9 reported vulnerabilities.
- Symantec has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
2 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-05 | CVE-2005-3142 | Kaspersky LAB | Remote Heap Overflow vulnerability in Kaspersky Anti-Virus Library CAB Record Heap-based buffer overflow in Kaspersky Antivirus (KAV) 5.0 and Kaspersky Personal Security Suite 1.1 allows remote attackers to execute arbitrary code via a CAB file with large records after the header. | 10.0 |
2005-10-05 | CVE-2005-2758 | Symantec | Buffer Overflow vulnerability in Symantec products Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4.0 and 4.3 allows remote attackers to execute arbitrary code via crafted HTTP headers with negative values, which lead to a heap-based buffer overflow. | 10.0 |
18 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-07 | CVE-2005-2337 | Yukihiro Matsumoto | Unspecified vulnerability in Yukihiro Matsumoto Ruby Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin). | 7.5 |
2005-10-06 | CVE-2005-3118 | William Stearns | Unspecified vulnerability in William Stearns Mason 1.0.0 Mason before 1.0.0 does not install the init script after the user uses Mason to configure a firewall, which causes the system to run without a firewall after a reboot. | 7.5 |
2005-10-06 | CVE-2005-3176 | Microsoft | Remote Security vulnerability in Windows 2000 Advanced Server Microsoft Windows 2000 before Update Rollup 1 for SP4 does not record the IP address of a Windows Terminal Services client in a security log event if the client connects successfully, which could make it easier for attackers to escape detection. | 7.5 |
2005-10-06 | CVE-2005-3168 | Microsoft | Remote Security vulnerability in Windows 2000 Advanced Server The SECEDIT command on Microsoft Windows 2000 before Update Rollup 1 for SP4, when using a security template to set Access Control Lists (ACLs) on folders, does not apply ACLs on folders that are listed after a long folder entry, which could result in less secure permissions than specified by the template. | 7.5 |
2005-10-06 | CVE-2005-3161 | PHP Fusion | SQL Injection vulnerability in PHP-Fusion Register.PHP And FAQ.PHP Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php. | 7.5 |
2005-10-06 | CVE-2005-3160 | PHP Fusion | SQL-Injection vulnerability in PHP Fusion Multiple SQL injection vulnerabilities in photogallery.php in PHP-Fusion allow remote attackers to execute arbitrary SQL commands via the (1) album and (2) photo parameters. | 7.5 |
2005-10-06 | CVE-2005-3158 | PHP Fusion | SQL-Injection vulnerability in PHP Fusion 6.00.106/6.00.107 SQL injection vulnerability in messages.php in PHP-Fusion 6.00.106 and 6.00.107 allows remote attackers to execute arbitrary SQL commands via the (1) pm_email_notify and (2) pm_save_sent parameters, a different vulnerability than CVE-2005-3157 and CVE-2005-3159. | 7.5 |
2005-10-06 | CVE-2005-3157 | PHP Fusion | Unspecified vulnerability in PHP Fusion PHP Fusion 6.00.109 SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to execute arbitrary SQL commands via the msg_send parameter, a different vulnerability than CVE-2005-3158 and CVE-2005-3159. | 7.5 |
2005-10-05 | CVE-2005-3155 | Mailenable | Buffer Overflow vulnerability in MailEnable W3C Logging Buffer overflow in the W3C logging for MailEnable Enterprise 1.1 and Professional 1.6 allows remote attackers to execute arbitrary code. | 7.5 |
2005-10-05 | CVE-2005-3154 | Softwin | USE of Externally-Controlled Format String vulnerability in Softwin Bitdefender 7.2/8.0/9.0 Format string vulnerability in the logging functionality in BitDefender AntiVirus 7.2 through 9 allows remote attackers to cause a denial of service and possibly execute arbitrary code via format string specifiers in file or directory name. | 7.5 |
2005-10-05 | CVE-2005-3153 | Mywebland | SQL-Injection vulnerability in Mywebland Mybloggie 2.1.3Beta login.php in myBloggie 2.1.3 beta and earlier allows remote attackers to bypass a whitelist regular expression and conduct SQL injection attacks via a username parameter with SQL after a null character, which causes the whitelist check to succeed but injects the SQL into a query string, a different vulnerability than CVE-2005-2838. | 7.5 |
2005-10-05 | CVE-2005-3151 | Blender | Buffer Overflow vulnerability in Blender 2.37A Buffer overflow in blenderplay in Blender Player 2.37a allows attackers to execute arbitrary code via a long command line argument. | 7.5 |
2005-10-05 | CVE-2005-3150 | Weex | Remote Format String vulnerability in Weex Log_Flush() Function Format string vulnerability in the Log_Flush function in Weex 2.6.1.5, 2.6.1, and possibly other versions allows remote FTP servers to execute arbitrary code via format strings in filenames. | 7.5 |
2005-10-05 | CVE-2005-3140 | Procom | Cleartext Transmission of Sensitive Information vulnerability in Procom Netforce 800 Firmware 4.02 Procom NetFORCE 800 4.02 M10 Build 20 and possibly other versions sends the NIS password map (passwd.nis) as a file attachment in diagnostic e-mail messages, which allows remote attackers to obtain the cleartext NIS password hashes. | 7.5 |
2005-10-05 | CVE-2005-2961 | Prozilla | Buffer Overflow vulnerability in Prozilla Download Accelerator 1.3.7.4 Buffer overflow in the get_string_ahref function for ProZilla 1.3.7.4 and possibly earlier, with the -ftpsearch option enabled, allows remote servers to execute arbitrary code via a search response with a crafted string in the HREF field of an <A> tag. | 7.5 |
2005-10-04 | CVE-2005-3135 | Virtools | Buffer Overflow vulnerability in Virtools Web Player Buffer overflow in Virtools Web Player 3.0.0.100 and earlier allows remote attackers to execute arbitrary code via a long filename. | 7.5 |
2005-10-04 | CVE-2005-3130 | Lucidcms | SQL Injection vulnerability in Lucidcms 1.0.11 SQL injection vulnerability in lucidCMS 1.0.11 allows remote attackers to execute arbitrary SQL commands via the login field. | 7.5 |
2005-10-06 | CVE-2005-3175 | Microsoft | Local Security vulnerability in Windows 2000 Advanced Server Microsoft Windows 2000 before Update Rollup 1 for SP4 allows a local administrator to unlock a computer even if it has been locked by a domain administrator, which allows the local administrator to access the session as the domain administrator. | 7.2 |
30 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-07 | CVE-2005-3178 | XLI Xloadimage | Remote Buffer Overflow vulnerability in XLoadImage Buffer overflow in xloadimage 4.1 and earlier, and xli, might allow user-assisted attackers to execute arbitrary code via a long title name in a NIFF file, which triggers the overflow during (1) zoom, (2) reduce, or (3) rotate operations. | 5.1 |
2005-10-05 | CVE-2005-2966 | DIA | Remote Arbitrary Code Execution vulnerability in DIA 0.91/0.92.2/0.93 The Python SVG import plugin (diasvg_import.py) for DIA 0.94 and earlier allows user-assisted attackers to execute arbitrary commands via a crafted SVG file. | 5.1 |
2005-10-04 | CVE-2005-3129 | S9Y | Cross-Site Request Forgery vulnerability in Serendipity Cross-site request forgery (CSRF) vulnerability in Serendipity 0.8.4 and earlier allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag to serendipity_admin.php. | 5.1 |
2005-10-06 | CVE-2005-3172 | Microsoft | Remote Security vulnerability in Microsoft Windows 2000 The WideCharToMultiByte function in Microsoft Windows 2000 before Update Rollup 1 for SP4 does not properly convert strings with Japanese composite characters in the last character, which could prevent the string from being null terminated and lead to data corruption or enable buffer overflow attacks. | 5.0 |
2005-10-06 | CVE-2005-3169 | Microsoft | Remote Security vulnerability in Windows 2000 Advanced Server Microsoft Windows 2000 before Update Rollup 1 for SP4, when the "audit directory service access" policy is enabled, does not record a 565 event message for File Delete Child operations on an Active Directory object in the security event log, which could allow attackers to conduct unauthorized activities without detection. | 5.0 |
2005-10-06 | CVE-2005-3166 | Mediawiki | Denial-Of-Service vulnerability in Mediawiki Unspecified vulnerability in "edit submission handling" for MediaWiki 1.4.x before 1.4.10 and 1.3.x before 1.3.16 allows remote attackers to cause a denial of service (corruption of the previous submission) via a crafted URL. | 5.0 |
2005-10-06 | CVE-2005-3163 | Polipo | Unspecified vulnerability in Polipo Unspecified vulnerability in Polipo 0.9.8 and earlier allows attackers to read files outside of the web root. | 5.0 |
2005-10-05 | CVE-2005-3145 | Standards Based Linux Instrumentation | Denial-Of-Service vulnerability in Standards Based Linux Instrumentation Sblim-Sfcb 0.9.1 httpAdapter.c in sblim-sfcb before 0.9.2 allows remote attackers to cause a denial of service (resource consumption) by connecting to sblim-sfcb but not sending any data. | 5.0 |
2005-10-05 | CVE-2005-3144 | Standards Based Linux Instrumentation | Denial Of Service vulnerability in Standards Based Linux Instrumentation Sblim-Sfcb 0.9.1 httpAdapter.c in sblim-sfcb before 0.9.2 allows remote attackers to cause a denial of service via long HTTP headers. | 5.0 |
2005-10-05 | CVE-2005-3143 | 4D | Remote IMAP Denial of Service vulnerability in 4D WebStar Unspecified vulnerability in the Mailbox Server for 4D WebStar before 5.3.5 allows attackers to cause a denial of service (crash) via IMAP clients on Mac OS X 10.4 Mail 2. | 5.0 |
2005-10-05 | CVE-2005-3141 | Cerulean Studios | Denial-Of-Service vulnerability in Cerulean Studios Trillian 3.0 Cerulean Studios Trillian 3.0 allows remote attackers to cause a denial of service (crash) via a reverse direct connection from a different client, as demonstrated using LICQ. | 5.0 |
2005-10-05 | CVE-2005-3139 | Mozilla | Information Disclosure vulnerability in Bugzilla User-Matching Bugzilla 2.19.1 through 2.20rc2 and 2.21, with user matching turned on in substring mode, allows attackers to list all users whose names match an arbitrary substring, even when the usevisibilitygroups parameter is set. | 5.0 |
2005-10-05 | CVE-2005-3138 | Mozilla | Information Disclosure vulnerability in Bugzilla config.cgi Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set. | 5.0 |
2005-10-04 | CVE-2005-3136 | Virtools | Directory Traversal vulnerability in Virtools Web Player Directory traversal vulnerability in Virtools Web Player 3.0.0.100 and earlier allows remote attackers to overwrite arbitrary files via a .. | 5.0 |
2005-10-04 | CVE-2005-3133 | Icewarp Merak | Directory Traversal vulnerability in IceWarp Web Mail Multiple directory traversal vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to (1) delete arbitrary files or directories via a relative path to the id parameter to logout.html or (2) include arbitrary PHP files or other files via the helpid parameter to help.html. | 5.0 |
2005-10-04 | CVE-2005-3132 | Icewarp Merak | Information Disclosure vulnerability in Web Mail MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to bwlist_inc.html, which reveals the path in an error message. | 5.0 |
2005-10-04 | CVE-2005-2804 | Novell | Local Integer Overflow vulnerability in Novell Groupwise 6.5.3 Integer overflow in the registry parsing code in GroupWise 6.5.3, and possibly earlier version, allows remote attackers to cause a denial of service (application crash) via a large TCP/IP port in the Windows registry key. | 5.0 |
2005-10-06 | CVE-2005-3177 | Microsoft | Local Security vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4, Windows XP, and Windows Server 2003, when running in fix mode, does not properly handle security descriptors if the master file table contains a large number of files or if the descriptors do not satisfy certain NTFS conventions, which could cause ACLs for some files to be reverted to less secure defaults, or cause security descriptors to be removed. | 4.6 |
2005-10-06 | CVE-2005-3174 | Microsoft | Local Security vulnerability in Windows 2000 Advanced Server Microsoft Windows 2000 before Update Rollup 1 for SP4 allows users to log on to the domain, even when their password has expired, if the fully qualified domain name (FQDN) is 8 characters long. | 4.6 |
2005-10-06 | CVE-2005-3173 | Microsoft | Local Security vulnerability in Windows 2000 Advanced Server Microsoft Windows 2000 before Update Rollup 1 for SP4 does not apply group policies if the user logs on using UPN credentials with a trailing dot, which prevents Windows 2000 from finding the correct domain controller and could allow the user to bypass intended restrictions. | 4.6 |
2005-10-06 | CVE-2005-3171 | Microsoft | Local Security vulnerability in Windows 2000 Advanced Server Microsoft Windows 2000 before Update Rollup 1 for SP4 records Event ID 1704 to indicate that Group Policy security settings were successfully updated, even when the processing fails such as when Ntuser.pol cannot be accessed, which could cause system administrators to believe that the system is compliant with the specified settings. | 4.6 |
2005-10-05 | CVE-2005-3149 | UIM | Unspecified vulnerability in UIM Uim 0.4.x before 0.4.9.1 and 0.5.0 and earlier does not properly handle the LIBUIM_VANILLA environment variable when a suid or sgid application is linked to libuim, such as immodule for Qt, which allows local users to gain privileges. | 4.6 |
2005-10-05 | CVE-2005-3148 | Storebackup Suse | Local Security vulnerability in storeBackup StoreBackup before 1.19 does not properly set the uid and guid for symbolic links (1) that are backed up by storeBackup.pl, or (2) recovered by storeBackupRecover.pl, which could cause files to be restored with incorrect ownership. | 4.6 |
2005-10-06 | CVE-2005-3167 | Mediawiki | Cross-Site Scripting vulnerability in MediaWiki HTML Inline Style Attributes Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not properly remove certain CSS inputs (HTML inline style attributes) that are processed as active content by Internet Explorer, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | 4.3 |
2005-10-06 | CVE-2005-3165 | Mediawiki | Unspecified vulnerability in Mediawiki Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.4.9 allow remote attackers to inject arbitrary web script or HTML via (1) <math> tags or (2) Extension or <nowiki> sections that "bypass HTML style attribute restrictions" that are intended to protect against XSS vulnerabilities in Internet Explorer clients. | 4.3 |
2005-10-05 | CVE-2005-3156 | Easyguppy | Unspecified vulnerability in Easyguppy 4.5.4/4.5.5 Directory traversal vulnerability in printfaq.php in EasyGuppy (Guppy for Windows) 4.5.4 and 4.5.5 allows remote attackers to read arbitrary files via ".." sequences in the pg parameter, which is cleansed for XSS but not directory traversal. | 4.3 |
2005-10-05 | CVE-2005-3152 | Devellion | Cross-Site Scripting vulnerability in Devellion Cubecart 3.0.3/3.0.7Pl1 Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php. | 4.3 |
2005-10-04 | CVE-2005-3131 | Icewarp Merak | Cross-Site Scripting vulnerability in IceWarp Multiple cross-site scripting (XSS) vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to blank.html, or the createdataCX parameter to (2) calendar_d.html, (3) calendar_m.html, or (4) calendar_w.html. | 4.3 |
2005-10-04 | CVE-2005-3128 | Squirrelmail | Cross-Site Scripting vulnerability in SquirrelMail Address Add Plugin 1.9/2.0 Cross-site scripting (XSS) vulnerability in add.php in Address Add Plugin 1.9 and 2.0 for Squirrelmail allows remote attackers to inject arbitrary web script or HTML via the IMG tag. | 4.3 |
2005-10-04 | CVE-2005-3127 | Lucidcms | Cross-Site Scripting vulnerability in Lucidcms 1.0.11 Cross-site scripting (XSS) vulnerability in index.php in lucidCMS 1.0.11 allows remote attackers to inject arbitrary web script or HTML via the query string. | 4.3 |
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-07 | CVE-2005-2104 | Redhat | Unspecified vulnerability in Redhat Sysreport sysreport before 1.3.7 allows local users to obtain sensitive information via a symlink attack on a temporary directory. | 2.1 |
2005-10-05 | CVE-2005-3147 | Storebackup Suse | Information Disclosure vulnerability in storeBackup StoreBackup before 1.19 creates the backup root with world-readable permissions, which allows local users to obtain sensitive information. | 2.1 |
2005-10-05 | CVE-2005-3146 | Storebackup Suse | StoreBackup before 1.19 allows local users to perform unauthorized operations on arbitrary files via a symlink attack on temporary files. | 2.1 |
2005-10-05 | CVE-2005-0023 | Gnome | Unspecified vulnerability in Gnome Libvte4 and Libzvt2 gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to spoof the logon hostname via a modified DISPLAY environment variable. | 2.1 |
2005-10-05 | CVE-2005-3137 | GNU | Unspecified vulnerability in GNU Cfengine 1.6.5 The (1) cfmailfilter and (2) cfcron.in files for cfengine 1.6.5 allow local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2005-2960. | 2.1 |
2005-10-05 | CVE-2005-2960 | GNU Debian | cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by vicf.in, a different vulnerability than CVE-2005-3137. | 2.1 |