Weekly Vulnerabilities Reports > October 3 to 9, 2005

Overview

61 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 19 high severity vulnerabilities. This weekly summary report vulnerabilities in 51 products from 43 vendors including Microsoft, PHP Fusion, Mediawiki, Suse, and Icewarp. Vulnerabilities are notably categorized as "Use of Externally-Controlled Format String", and "Information Exposure".

  • 47 reported vulnerabilities are remotely exploitables.
  • 61 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • Symantec has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-05 CVE-2005-3142 Kaspersky LAB Remote Heap Overflow vulnerability in Kaspersky Anti-Virus Library CAB Record

Heap-based buffer overflow in Kaspersky Antivirus (KAV) 5.0 and Kaspersky Personal Security Suite 1.1 allows remote attackers to execute arbitrary code via a CAB file with large records after the header.

10.0
2005-10-05 CVE-2005-2758 Symantec Buffer Overflow vulnerability in Symantec products

Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4.0 and 4.3 allows remote attackers to execute arbitrary code via crafted HTTP headers with negative values, which lead to a heap-based buffer overflow.

10.0

19 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-07 CVE-2005-2337 Yukihiro Matsumoto Unspecified vulnerability in Yukihiro Matsumoto Ruby

Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).

7.5
2005-10-06 CVE-2005-3118 William Stearns Unspecified vulnerability in William Stearns Mason 1.0.0

Mason before 1.0.0 does not install the init script after the user uses Mason to configure a firewall, which causes the system to run without a firewall after a reboot.

7.5
2005-10-06 CVE-2005-3176 Microsoft Remote Security vulnerability in Windows 2000 Advanced Server

Microsoft Windows 2000 before Update Rollup 1 for SP4 does not record the IP address of a Windows Terminal Services client in a security log event if the client connects successfully, which could make it easier for attackers to escape detection.

7.5
2005-10-06 CVE-2005-3168 Microsoft Remote Security vulnerability in Windows 2000 Advanced Server

The SECEDIT command on Microsoft Windows 2000 before Update Rollup 1 for SP4, when using a security template to set Access Control Lists (ACLs) on folders, does not apply ACLs on folders that are listed after a long folder entry, which could result in less secure permissions than specified by the template.

7.5
2005-10-06 CVE-2005-3161 PHP Fusion SQL Injection vulnerability in PHP-Fusion Register.PHP And FAQ.PHP

Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php.

7.5
2005-10-06 CVE-2005-3160 PHP Fusion SQL-Injection vulnerability in PHP Fusion

Multiple SQL injection vulnerabilities in photogallery.php in PHP-Fusion allow remote attackers to execute arbitrary SQL commands via the (1) album and (2) photo parameters.

7.5
2005-10-06 CVE-2005-3159 PHP Fusion SQL Injection vulnerability in PHP-Fusion Messages.PHP

SQL injection vulnerability in messages.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the msg_view parameter, a different vulnerability than CVE-2005-3157 and CVE-2005-3158.

7.5
2005-10-06 CVE-2005-3158 PHP Fusion SQL-Injection vulnerability in PHP Fusion 6.00.106/6.00.107

SQL injection vulnerability in messages.php in PHP-Fusion 6.00.106 and 6.00.107 allows remote attackers to execute arbitrary SQL commands via the (1) pm_email_notify and (2) pm_save_sent parameters, a different vulnerability than CVE-2005-3157 and CVE-2005-3159.

7.5
2005-10-06 CVE-2005-3157 PHP Fusion Unspecified vulnerability in PHP Fusion PHP Fusion 6.00.109

SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to execute arbitrary SQL commands via the msg_send parameter, a different vulnerability than CVE-2005-3158 and CVE-2005-3159.

7.5
2005-10-05 CVE-2005-3155 Mailenable Buffer Overflow vulnerability in MailEnable W3C Logging

Buffer overflow in the W3C logging for MailEnable Enterprise 1.1 and Professional 1.6 allows remote attackers to execute arbitrary code.

7.5
2005-10-05 CVE-2005-3154 Softwin USE of Externally-Controlled Format String vulnerability in Softwin Bitdefender 7.2/8.0/9.0

Format string vulnerability in the logging functionality in BitDefender AntiVirus 7.2 through 9 allows remote attackers to cause a denial of service and possibly execute arbitrary code via format string specifiers in file or directory name.

7.5
2005-10-05 CVE-2005-3153 Mywebland SQL-Injection vulnerability in Mywebland Mybloggie 2.1.3Beta

login.php in myBloggie 2.1.3 beta and earlier allows remote attackers to bypass a whitelist regular expression and conduct SQL injection attacks via a username parameter with SQL after a null character, which causes the whitelist check to succeed but injects the SQL into a query string, a different vulnerability than CVE-2005-2838.

7.5
2005-10-05 CVE-2005-3151 Blender Buffer Overflow vulnerability in Blender 2.37A

Buffer overflow in blenderplay in Blender Player 2.37a allows attackers to execute arbitrary code via a long command line argument.

7.5
2005-10-05 CVE-2005-3150 Weex Remote Format String vulnerability in Weex Log_Flush() Function

Format string vulnerability in the Log_Flush function in Weex 2.6.1.5, 2.6.1, and possibly other versions allows remote FTP servers to execute arbitrary code via format strings in filenames.

7.5
2005-10-05 CVE-2005-2961 Prozilla Buffer Overflow vulnerability in Prozilla Download Accelerator 1.3.7.4

Buffer overflow in the get_string_ahref function for ProZilla 1.3.7.4 and possibly earlier, with the -ftpsearch option enabled, allows remote servers to execute arbitrary code via a search response with a crafted string in the HREF field of an <A> tag.

7.5
2005-10-04 CVE-2005-3135 Virtools Buffer Overflow vulnerability in Virtools Web Player

Buffer overflow in Virtools Web Player 3.0.0.100 and earlier allows remote attackers to execute arbitrary code via a long filename.

7.5
2005-10-04 CVE-2005-3134 Citrix Unspecified vulnerability in Citrix Metaframe 3.0/4.0

Citrix Metaframe Presentation Server 3.0 and 4.0 allows remote attackers to bypass policy restrictions by downloading the launch.ica file and changing the client device name (ClientName).

7.5
2005-10-04 CVE-2005-3130 Lucidcms SQL Injection vulnerability in Lucidcms 1.0.11

SQL injection vulnerability in lucidCMS 1.0.11 allows remote attackers to execute arbitrary SQL commands via the login field.

7.5
2005-10-06 CVE-2005-3175 Microsoft Local Security vulnerability in Windows 2000 Advanced Server

Microsoft Windows 2000 before Update Rollup 1 for SP4 allows a local administrator to unlock a computer even if it has been locked by a domain administrator, which allows the local administrator to access the session as the domain administrator.

7.2

32 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-07 CVE-2005-3178 XLI
Xloadimage
Remote Buffer Overflow vulnerability in XLoadImage

Buffer overflow in xloadimage 4.1 and earlier, and xli, might allow user-assisted attackers to execute arbitrary code via a long title name in a NIFF file, which triggers the overflow during (1) zoom, (2) reduce, or (3) rotate operations.

5.1
2005-10-06 CVE-2005-3170 Microsoft Remote Security vulnerability in Windows 2000 Advanced Server

The LDAP client on Microsoft Windows 2000 before Update Rollup 1 for SP4 accepts certificates using LDAP Secure Sockets Layer (LDAPS) even when the Certificate Authority (CA) is not trusted, which could allow attackers to trick users into believing that they are accessing a trusted site.

5.1
2005-10-05 CVE-2005-2966 DIA Remote Arbitrary Code Execution vulnerability in DIA 0.91/0.92.2/0.93

The Python SVG import plugin (diasvg_import.py) for DIA 0.94 and earlier allows user-assisted attackers to execute arbitrary commands via a crafted SVG file.

5.1
2005-10-04 CVE-2005-3129 S9Y Cross-Site Request Forgery vulnerability in Serendipity

Cross-site request forgery (CSRF) vulnerability in Serendipity 0.8.4 and earlier allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag to serendipity_admin.php.

5.1
2005-10-06 CVE-2005-3172 Microsoft Remote Security vulnerability in Microsoft Windows 2000

The WideCharToMultiByte function in Microsoft Windows 2000 before Update Rollup 1 for SP4 does not properly convert strings with Japanese composite characters in the last character, which could prevent the string from being null terminated and lead to data corruption or enable buffer overflow attacks.

5.0
2005-10-06 CVE-2005-3169 Microsoft Remote Security vulnerability in Windows 2000 Advanced Server

Microsoft Windows 2000 before Update Rollup 1 for SP4, when the "audit directory service access" policy is enabled, does not record a 565 event message for File Delete Child operations on an Active Directory object in the security event log, which could allow attackers to conduct unauthorized activities without detection.

5.0
2005-10-06 CVE-2005-3166 Mediawiki Denial-Of-Service vulnerability in Mediawiki

Unspecified vulnerability in "edit submission handling" for MediaWiki 1.4.x before 1.4.10 and 1.3.x before 1.3.16 allows remote attackers to cause a denial of service (corruption of the previous submission) via a crafted URL.

5.0
2005-10-06 CVE-2005-3163 Polipo Unspecified vulnerability in Polipo

Unspecified vulnerability in Polipo 0.9.8 and earlier allows attackers to read files outside of the web root.

5.0
2005-10-05 CVE-2005-3145 Standards Based Linux Instrumentation Denial-Of-Service vulnerability in Standards Based Linux Instrumentation Sblim-Sfcb 0.9.1

httpAdapter.c in sblim-sfcb before 0.9.2 allows remote attackers to cause a denial of service (resource consumption) by connecting to sblim-sfcb but not sending any data.

5.0
2005-10-05 CVE-2005-3144 Standards Based Linux Instrumentation Denial Of Service vulnerability in Standards Based Linux Instrumentation Sblim-Sfcb 0.9.1

httpAdapter.c in sblim-sfcb before 0.9.2 allows remote attackers to cause a denial of service via long HTTP headers.

5.0
2005-10-05 CVE-2005-3143 4D Remote IMAP Denial of Service vulnerability in 4D WebStar

Unspecified vulnerability in the Mailbox Server for 4D WebStar before 5.3.5 allows attackers to cause a denial of service (crash) via IMAP clients on Mac OS X 10.4 Mail 2.

5.0
2005-10-05 CVE-2005-3141 Cerulean Studios Denial-Of-Service vulnerability in Cerulean Studios Trillian 3.0

Cerulean Studios Trillian 3.0 allows remote attackers to cause a denial of service (crash) via a reverse direct connection from a different client, as demonstrated using LICQ.

5.0
2005-10-05 CVE-2005-3140 Procom Technology Information Disclosure vulnerability in Procom Technology NetFORCE 800

Procom NetFORCE 800 4.02 M10 Build 20 and possibly other versions sends the NIS password map (passwd.nis) as a file attachment in diagnostic e-mail messages, which allows remote attackers to obtain the cleartext NIS password hashes.

5.0
2005-10-05 CVE-2005-3139 Mozilla Information Disclosure vulnerability in Bugzilla User-Matching

Bugzilla 2.19.1 through 2.20rc2 and 2.21, with user matching turned on in substring mode, allows attackers to list all users whose names match an arbitrary substring, even when the usevisibilitygroups parameter is set.

5.0
2005-10-05 CVE-2005-3138 Mozilla Information Disclosure vulnerability in Bugzilla config.cgi

Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set.

5.0
2005-10-04 CVE-2005-3136 Virtools Directory Traversal vulnerability in Virtools Web Player

Directory traversal vulnerability in Virtools Web Player 3.0.0.100 and earlier allows remote attackers to overwrite arbitrary files via a ..

5.0
2005-10-04 CVE-2005-3133 Icewarp
Merak
Directory Traversal vulnerability in IceWarp Web Mail

Multiple directory traversal vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to (1) delete arbitrary files or directories via a relative path to the id parameter to logout.html or (2) include arbitrary PHP files or other files via the helpid parameter to help.html.

5.0
2005-10-04 CVE-2005-3132 Icewarp
Merak
Information Disclosure vulnerability in Web Mail

MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to bwlist_inc.html, which reveals the path in an error message.

5.0
2005-10-04 CVE-2005-2804 Novell Local Integer Overflow vulnerability in Novell Groupwise 6.5.3

Integer overflow in the registry parsing code in GroupWise 6.5.3, and possibly earlier version, allows remote attackers to cause a denial of service (application crash) via a large TCP/IP port in the Windows registry key.

5.0
2005-10-06 CVE-2005-3177 Microsoft Local Security vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4, Windows XP, and Windows Server 2003, when running in fix mode, does not properly handle security descriptors if the master file table contains a large number of files or if the descriptors do not satisfy certain NTFS conventions, which could cause ACLs for some files to be reverted to less secure defaults, or cause security descriptors to be removed.

4.6
2005-10-06 CVE-2005-3174 Microsoft Local Security vulnerability in Windows 2000 Advanced Server

Microsoft Windows 2000 before Update Rollup 1 for SP4 allows users to log on to the domain, even when their password has expired, if the fully qualified domain name (FQDN) is 8 characters long.

4.6
2005-10-06 CVE-2005-3173 Microsoft Local Security vulnerability in Windows 2000 Advanced Server

Microsoft Windows 2000 before Update Rollup 1 for SP4 does not apply group policies if the user logs on using UPN credentials with a trailing dot, which prevents Windows 2000 from finding the correct domain controller and could allow the user to bypass intended restrictions.

4.6
2005-10-06 CVE-2005-3171 Microsoft Local Security vulnerability in Windows 2000 Advanced Server

Microsoft Windows 2000 before Update Rollup 1 for SP4 records Event ID 1704 to indicate that Group Policy security settings were successfully updated, even when the processing fails such as when Ntuser.pol cannot be accessed, which could cause system administrators to believe that the system is compliant with the specified settings.

4.6
2005-10-05 CVE-2005-3149 UIM Unspecified vulnerability in UIM

Uim 0.4.x before 0.4.9.1 and 0.5.0 and earlier does not properly handle the LIBUIM_VANILLA environment variable when a suid or sgid application is linked to libuim, such as immodule for Qt, which allows local users to gain privileges.

4.6
2005-10-05 CVE-2005-3148 Storebackup
Suse
Local Security vulnerability in storeBackup

StoreBackup before 1.19 does not properly set the uid and guid for symbolic links (1) that are backed up by storeBackup.pl, or (2) recovered by storeBackupRecover.pl, which could cause files to be restored with incorrect ownership.

4.6
2005-10-06 CVE-2005-3167 Mediawiki Cross-Site Scripting vulnerability in MediaWiki HTML Inline Style Attributes

Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not properly remove certain CSS inputs (HTML inline style attributes) that are processed as active content by Internet Explorer, which allows remote attackers to conduct cross-site scripting (XSS) attacks.

4.3
2005-10-06 CVE-2005-3165 Mediawiki Unspecified vulnerability in Mediawiki

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.4.9 allow remote attackers to inject arbitrary web script or HTML via (1) <math> tags or (2) Extension or <nowiki> sections that "bypass HTML style attribute restrictions" that are intended to protect against XSS vulnerabilities in Internet Explorer clients.

4.3
2005-10-05 CVE-2005-3156 Easyguppy Unspecified vulnerability in Easyguppy 4.5.4/4.5.5

Directory traversal vulnerability in printfaq.php in EasyGuppy (Guppy for Windows) 4.5.4 and 4.5.5 allows remote attackers to read arbitrary files via ".." sequences in the pg parameter, which is cleansed for XSS but not directory traversal.

4.3
2005-10-05 CVE-2005-3152 Devellion Cross-Site Scripting vulnerability in Devellion Cubecart 3.0.3/3.0.7Pl1

Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php.

4.3
2005-10-04 CVE-2005-3131 Icewarp
Merak
Cross-Site Scripting vulnerability in IceWarp

Multiple cross-site scripting (XSS) vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to blank.html, or the createdataCX parameter to (2) calendar_d.html, (3) calendar_m.html, or (4) calendar_w.html.

4.3
2005-10-04 CVE-2005-3128 Squirrelmail Cross-Site Scripting vulnerability in SquirrelMail Address Add Plugin 1.9/2.0

Cross-site scripting (XSS) vulnerability in add.php in Address Add Plugin 1.9 and 2.0 for Squirrelmail allows remote attackers to inject arbitrary web script or HTML via the IMG tag.

4.3
2005-10-04 CVE-2005-3127 Lucidcms Cross-Site Scripting vulnerability in Lucidcms 1.0.11

Cross-site scripting (XSS) vulnerability in index.php in lucidCMS 1.0.11 allows remote attackers to inject arbitrary web script or HTML via the query string.

4.3

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-06 CVE-2005-3164 Apache
Apache Software Foundation
Hitachi
Information Exposure vulnerability in multiple products

The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsuitable request body data" is used for a different request, possibly related to Java Servlet pages.

2.6
2005-10-07 CVE-2005-2104 Redhat Unspecified vulnerability in Redhat Sysreport

sysreport before 1.3.7 allows local users to obtain sensitive information via a symlink attack on a temporary directory.

2.1
2005-10-07 CVE-2005-1764 Linux Local Denial of Service vulnerability in Linux Kernel 2.6.11

Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service.

2.1
2005-10-05 CVE-2005-3147 Storebackup
Suse
Information Disclosure vulnerability in storeBackup

StoreBackup before 1.19 creates the backup root with world-readable permissions, which allows local users to obtain sensitive information.

2.1
2005-10-05 CVE-2005-3146 Storebackup
Suse
StoreBackup before 1.19 allows local users to perform unauthorized operations on arbitrary files via a symlink attack on temporary files.
2.1
2005-10-05 CVE-2005-0023 Gnome Unspecified vulnerability in Gnome Libvte4 and Libzvt2

gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to spoof the logon hostname via a modified DISPLAY environment variable.

2.1
2005-10-05 CVE-2005-3137 GNU Unspecified vulnerability in GNU Cfengine 1.6.5

The (1) cfmailfilter and (2) cfcron.in files for cfengine 1.6.5 allow local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2005-2960.

2.1
2005-10-05 CVE-2005-2960 GNU
Debian
cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by vicf.in, a different vulnerability than CVE-2005-3137.
2.1