Weekly Vulnerabilities Reports > October 17 to 23, 2005
Overview
52 new vulnerabilities reported during this period, including 5 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 49 products from 38 vendors including Microsoft, HP, Versatilebulletinboard, Linux, and Suse. Vulnerabilities are notably categorized as "Resource Management Errors", "Permissions, Privileges, and Access Controls", "NULL Pointer Dereference", "Incorrect Calculation of Buffer Size", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 38 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 51 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 4 reported vulnerabilities.
- HP has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
5 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-23 | CVE-2005-3296 | HP | The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. | 10.0 |
2005-10-21 | CVE-2005-3277 | HP | Unspecified vulnerability in HP Hp-Ux 10.20/11.00/11.11 The LPD service in HP-UX 10.20 11.11 (11i) and earlier allows remote attackers to execute arbitrary code via shell metacharacters ("`" or single backquote) in a request that is not properly handled when an error occurs, as demonstrated by killing the connection, a different vulnerability than CVE-2002-1473. | 10.0 |
2005-10-21 | CVE-2005-2122 | Microsoft | Remote Code Execution vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. | 10.0 |
2005-10-18 | CVE-2005-3254 | Nathan Neulinger | Remote Security vulnerability in CGIWrap The CGIwrap program before 3.9 on Debian GNU/Linux uses an incorrect minimum value of 100 for a UID to determine whether it can perform a seteuid operation, which could allow attackers to execute code as other system UIDs that are greater than the minimum value, which should be 1000 on Debian systems. | 10.0 |
2005-10-17 | CVE-2005-3120 | Invisible Island Debian | Incorrect Calculation of Buffer Size vulnerability in multiple products Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters. | 9.8 |
18 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-23 | CVE-2005-3298 | Suse | Remote Buffer Overflow vulnerability in Suse Linux 9.0 Multiple buffer overflows in OpenWBEM on SuSE Linux 9 allow remote attackers to execute arbitrary code via unknown vectors. | 7.5 |
2005-10-23 | CVE-2005-3297 | Suse | Remote Buffer Overflow vulnerability in OpenWBEM Multiple integer overflows in OpenWBEM on SuSE Linux 9 allow remote attackers to execute arbitrary code via unknown vectors. | 7.5 |
2005-10-23 | CVE-2005-3290 | Accelerated Enterprise Solutions | SQL Injection vulnerability in Accelerated Mortgage Manager Password Field SQL injection vulnerability in Accelerated Mortgage Manager allows remote attackers to execute arbitrary SQL commands via the password field. | 7.5 |
2005-10-23 | CVE-2005-3284 | Ahnlab | Archive Format Handling Remote Buffer Overflow vulnerability in Ahnlab Myv3, V3Net and V3Pro 2004 Multiple buffer overflows in AhnLab V3 AntiVirus V3Pro 2004 before 6.0.0.488, V3Net for Windows Server 6.0 before 6.0.0.488, and MyV3, with compressed file scanning enabled, allow remote attackers to execute arbitrary code via crafted (1) ALZ, (2) UUE, or (3) XXE archives. | 7.5 |
2005-10-23 | CVE-2005-3282 | Splatt | Remote Authentication Bypass vulnerability in Splatt Forums Splatt Forum 3.0 to 3.2 allows remote attackers to bypass authentication via unknown vectors. | 7.5 |
2005-10-23 | CVE-2005-3280 | Paros | Remote Authentication Bypass vulnerability in Paros 3.2.5 Paros 3.2.5 uses a default password for the "sa" account in the underlying HSQLDB database and does not restrict access to the local machine, which allows remote attackers to gain privileges. | 7.5 |
2005-10-20 | CVE-2005-3269 | SUN | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in SUN products Stack-based buffer overflow in help.cgi in the HTTP administrative interface for (1) Sun Java System Directory Server 5.2 2003Q4, 2004Q2, and 2005Q1, (2) Red Hat Directory Server and (3) Certificate Server before 7.1 SP1, (4) Sun ONE Directory Server 5.1 SP4 and earlier, and (5) Sun ONE Administration Server 5.2 allows remote attackers to cause a denial of service (admin server crash), or local users to gain root privileges. | 7.5 |
2005-10-20 | CVE-2005-3263 | Rarlab | Remote vulnerability in RARLAB WinRAR Stack-based buffer overflow in UNACEV2.DLL for RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via an ACE archive containing a file with a long name. | 7.5 |
2005-10-20 | CVE-2005-3262 | Rarlab | Remote vulnerability in RARLAB WinRAR Format string vulnerability in RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename. | 7.5 |
2005-10-20 | CVE-2005-3259 | Versatilebulletinboard | SQL Injection vulnerability in Versatilebulletinboard 1.0.0.Rc2 Multiple SQL injection vulnerabilities in versatileBulletinBoard (vBB) 1.0.0 RC2 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) login field, (2) "search this thread" feature, (3) "search for posts" feature, (4) "forgot password" feature, (5) list parameter in userlistpre.php, and the (6) select, (7) categ, and (8) to parameters in index.php. | 7.5 |
2005-10-20 | CVE-2005-3182 | GFI | Remote Buffer Overflow vulnerability in GFI Mailsecurity 8.1 Buffer overflow in the HTTP management interface for GFI MailSecurity 8.1 allows remote attackers to execute arbitrary code via long headers such as (1) Host and (2) Accept in HTTP requests. | 7.5 |
2005-10-20 | CVE-2005-2971 | KDE | Remote Buffer Overflow vulnerability in KDE KOffice KWord RTF Import Heap-based buffer overflow in the KWord RTF importer for KOffice 1.2.0 through 1.4.1 allows remote attackers to execute arbitrary code via a crafted RTF file. | 7.5 |
2005-10-18 | CVE-2005-2978 | Netpbm | Buffer Overflow vulnerability in NetPBM PNMToPNG pnmtopng in netpbm before 10.25, when using the -trans option, uses uninitialized size and index variables when converting Portable Anymap (PNM) images to Portable Network Graphics (PNG), which might allow attackers to execute arbitrary code by modifying the stack. | 7.5 |
2005-10-18 | CVE-2005-3252 | Sourcefire | Remote Stack Buffer Overflow vulnerability in Sourcefire Snort 2.4.0/2.4.1/2.4.2 Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet. | 7.5 |
2005-10-23 | CVE-2005-3279 | JAN Kybic | Local Security vulnerability in JAN Kybic Bitmap Viewer 1.2 Stack-based buffer overflow in the vgasco_printf function in Jan Kybic BitMap Viewer (BMV) 1.2, when compiled with the M_UNIX flag and running setuid, allows local users to gain privileges via a long filename in the -b command line option. | 7.2 |
2005-10-23 | CVE-2005-3278 | JAN Kybic | Integer Overflow vulnerability in JAN Kybic Bitmap Viewer 1.2 Integer overflow in the openpsfile function in gsinterf.c for Jan Kybic BitMap Viewer (BMV) 1.2 allows local users to execute arbitrary code via a PostScript (PS) file containing a large number of pages value, which leads to a resultant buffer overflow. | 7.2 |
2005-10-21 | CVE-2005-3270 | Symantec | Local Privilege Escalation vulnerability in Symantec Norton Antivirus 9.0.3 Untrusted search path vulnerability in DiskMountNotify for Symantec Norton AntiVirus 9.0.3 allows local users to gain privileges by modifying the PATH to reference a malicious (1) ps or (2) grep file. | 7.2 |
2005-10-20 | CVE-2005-2759 | Symantec | Local Privilege Escalation vulnerability in Symantec Norton Antivirus 9.0.3 ** SPLIT ** The jlucaller program in LiveUpdate for Symantec Norton AntiVirus 9.0.3 on Macintosh runs setuid when executing Java programs, which allows local users to gain privileges. | 7.2 |
22 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-17 | CVE-2005-3251 | Gallery Project | Directory Traversal vulnerability in Gallery Directory traversal vulnerability in the gallery script in Gallery 2.0 (G2) allows remote attackers to read or include arbitrary files via ".." sequences in the g2_itemId parameter. | 6.4 |
2005-10-21 | CVE-2005-2118 | Microsoft | Remote Code Execution Variant vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122. | 5.1 |
2005-10-21 | CVE-2005-2117 | Microsoft | Unspecified vulnerability in Microsoft products Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-assisted attackers to execute arbitrary code. | 5.1 |
2005-10-23 | CVE-2005-3300 | Phpmyadmin | Local File Inclusion vulnerability in PHPmyadmin 2.6.4Pl3 The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme. | 5.0 |
2005-10-23 | CVE-2005-3299 | Phpmyadmin | Local File Include vulnerability in PHPmyadmin 2.6.4/2.6.4Pl1 PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array. | 5.0 |
2005-10-23 | CVE-2005-3294 | Typsoft | Resource Management Errors vulnerability in Typsoft FTP Server Typsoft FTP Server 1.11, with "Sub Directory Include" enabled, allows remote attackers to cause a denial of service (crash) by sending multiple RETR commands. | 5.0 |
2005-10-23 | CVE-2005-3293 | Xerver | Input Validation vulnerability in Xerver 4.17H Xerver 4.17 allows remote attackers to (1) obtain source code of scripts via a request with a trailing "." (dot) or (2) list directory contents via a trailing null character. | 5.0 |
2005-10-23 | CVE-2005-3287 | Rockliffe | Remote Security vulnerability in MailSite Express Incomplete blacklist vulnerability in Mailsite Express allows remote attackers to upload and possibly execute files via attachments with executable extensions such as ASPX, which are not converted to .TXT like other dangerous extensions, and which can be directly requested from the cache directory. | 5.0 |
2005-10-23 | CVE-2005-3281 | Nukefixes | Directory Traversal vulnerability in Nukefixes 3.1 Directory traversal vulnerability in NukeFixes 3.1 for PHP-Nuke 7.8 allows remote attackers to include arbitrary files via the file parameter. | 5.0 |
2005-10-20 | CVE-2005-3261 | Versatilebulletinboard | Information Disclosure vulnerability in Versatilebulletinboard 1.0.0.Rc2 getversions.php in versatileBulletinBoard (vBB) 1.0.0 RC2 lists the versions of all installed scripts, which allows remote attackers to obtain sensitive information via a direct request. | 5.0 |
2005-10-20 | CVE-2005-3258 | Squid | Unspecified vulnerability in Squid The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses. | 5.0 |
2005-10-18 | CVE-2005-3256 | Enigmail | Unspecified vulnerability in Enigmail The key selection dialogue in Enigmail before 0.92.1 can incorrectly select a key with a user ID that does not have additional information, which allows parties with that key to decrypt the message. | 5.0 |
2005-10-18 | CVE-2005-3255 | Nathan Neulinger | The (1) cgiwrap and (2) php-cgiwrap packages before 3.9 in Debian GNU/Linux provide access to debugging CGIs under the web document root, which allows remote attackers to obtain sensitive information via direct requests to those CGIs. | 5.0 |
2005-10-18 | CVE-2005-2969 | Openssl | Unspecified vulnerability in Openssl The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. | 5.0 |
2005-10-21 | CVE-2005-3274 | Linux Debian | NULL Pointer Dereference vulnerability in multiple products Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired. | 4.7 |
2005-10-23 | CVE-2005-3291 | Stani | Unspecified vulnerability in Stani Stanis Python Editor 0.7.5 Stani's Python Editor (SPE) 0.7.5 is installed with world-writable permissions, which allows local users to gain privileges by modifying executable files. | 4.6 |
2005-10-20 | CVE-2005-2469 | Novell | Remote Buffer Overflow vulnerability in Novell Netmail 3.5.2 Stack-based buffer overflow in the NMAP Agent for Novell NetMail 3.52C and possibly earlier versions allows local users to execute arbitrary code via a long user name in the USER command. | 4.6 |
2005-10-18 | CVE-2005-3257 | Linux | Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 2.6.12/2.6.14.4 The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys. | 4.6 |
2005-10-23 | CVE-2005-3292 | Xeobook | HTML Injection vulnerability in Xeobook 0.93 Multiple cross-site scripting (XSS) vulnerabilities in Xeobook 0.93 allow remote attackers to inject arbitrary web script or HTML via Javascript events in tages such as <b>. | 4.3 |
2005-10-23 | CVE-2005-3285 | Comersus Open Technologies | Cross-Site Scripting vulnerability in Comersus BackOffice Plus Cross-site scripting (XSS) vulnerability in comersus_backoffice_searchItemForm.asp in Comersus BackOffice Plus allows remote attackers to inject arbitrary web script or HTML via the (1) forwardTo1, (2) forwardTo2, (3) nameFT1, or (4) nameFT2 parameters. | 4.3 |
2005-10-23 | CVE-2005-3283 | Tiki | Cross-Site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware Cross-site scripting (XSS) vulnerability in TikiWiki before 1.9.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. | 4.3 |
2005-10-20 | CVE-2005-3260 | Versatilebulletinboard | Cross-Site Scripting vulnerability in Versatilebulletinboard 1.0.0.Rc2 Multiple cross-site scripting (XSS) vulnerabilities in versatileBulletinBoard (vBB) 1.0.0 RC2 allow remote attackers to inject arbitrary web script or HTML via (1) the url parameter in dereferrer.php and (2) the file parameter in imagewin.php. | 4.3 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2005-10-21 | CVE-2005-2126 | Microsoft | Unspecified vulnerability in Microsoft products The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames. | 2.6 |
2005-10-23 | CVE-2005-3295 | HP | Local Denial Of Service vulnerability in HP Hp-Ux 11.23 Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size." | 2.1 |
2005-10-23 | CVE-2005-3289 | IBM | Unspecified vulnerability in IBM AIX 5.2/5.3 LSCFG in IBM AIX 5.2 and 5.3 does not create temporary files securely, which allows local users to corrupt /etc/passwd and possibly other system files via the trace file. | 2.1 |
2005-10-23 | CVE-2005-3286 | Kerio | Local Denial of Service vulnerability in Kerio Personal Firewall and ServerFirewall The FWDRV driver in Kerio Personal Firewall 4.2 and Server Firewall 1.1.1 allows local users to cause a denial of service (crash) by setting the PAGE_NOACCESS or PAGE_GUARD protection on the Page Environment Block (PEB), which triggers an exception, aka the "PEB lockout vulnerability." | 2.1 |
2005-10-20 | CVE-2005-3268 | Raphael Bossek | Unspecified vulnerability in Raphael Bossek Yiff Server 2.14.2.7 yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and does not properly verify ownership of files that it opens, which allows local users to read arbitrary files. | 2.1 |
2005-10-20 | CVE-2005-3121 | Eduard Bloch | Unspecified vulnerability in Eduard Bloch Module-Assistant A rule file in module-assistant before 0.9.10 causes a temporary file to be created insecurely, which allows local users to conduct unauthorized operations. | 2.1 |
2005-10-17 | CVE-2005-3250 | SUN | Local Denial Of Service vulnerability in SUN Solaris 10.0 Unknown vulnerability in Solaris 10 allows local users to cause a denial of service (panic) via unknown vectors related to the "/proc" filesystem, which trigger a null dereference. | 2.1 |