Weekly Vulnerabilities Reports > October 17 to 23, 2005

Overview

52 new vulnerabilities reported during this period, including 5 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 49 products from 38 vendors including Microsoft, HP, Versatilebulletinboard, Linux, and Debian. Vulnerabilities are notably categorized as "Resource Management Errors", "Permissions, Privileges, and Access Controls", "NULL Pointer Dereference", "Incorrect Calculation of Buffer Size", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 38 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 51 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 4 reported vulnerabilities.
  • HP has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

5 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-23 CVE-2005-3296 HP The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
10.0
2005-10-21 CVE-2005-3277 HP Unspecified vulnerability in HP Hp-Ux 10.20/11.00/11.11

The LPD service in HP-UX 10.20 11.11 (11i) and earlier allows remote attackers to execute arbitrary code via shell metacharacters ("`" or single backquote) in a request that is not properly handled when an error occurs, as demonstrated by killing the connection, a different vulnerability than CVE-2002-1473.

10.0
2005-10-21 CVE-2005-2122 Microsoft Remote Code Execution vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.

10.0
2005-10-18 CVE-2005-3254 Nathan Neulinger Remote Security vulnerability in CGIWrap

The CGIwrap program before 3.9 on Debian GNU/Linux uses an incorrect minimum value of 100 for a UID to determine whether it can perform a seteuid operation, which could allow attackers to execute code as other system UIDs that are greater than the minimum value, which should be 1000 on Debian systems.

10.0
2005-10-17 CVE-2005-3120 Invisible Island
Debian
Incorrect Calculation of Buffer Size vulnerability in multiple products

Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.

9.8

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-23 CVE-2005-3298 Suse Remote Buffer Overflow vulnerability in Suse Linux 9.0

Multiple buffer overflows in OpenWBEM on SuSE Linux 9 allow remote attackers to execute arbitrary code via unknown vectors.

7.5
2005-10-23 CVE-2005-3297 Suse Remote Buffer Overflow vulnerability in OpenWBEM

Multiple integer overflows in OpenWBEM on SuSE Linux 9 allow remote attackers to execute arbitrary code via unknown vectors.

7.5
2005-10-23 CVE-2005-3290 Accelerated Enterprise Solutions SQL Injection vulnerability in Accelerated Mortgage Manager Password Field

SQL injection vulnerability in Accelerated Mortgage Manager allows remote attackers to execute arbitrary SQL commands via the password field.

7.5
2005-10-23 CVE-2005-3284 Ahnlab Archive Format Handling Remote Buffer Overflow vulnerability in Ahnlab Myv3, V3Net and V3Pro 2004

Multiple buffer overflows in AhnLab V3 AntiVirus V3Pro 2004 before 6.0.0.488, V3Net for Windows Server 6.0 before 6.0.0.488, and MyV3, with compressed file scanning enabled, allow remote attackers to execute arbitrary code via crafted (1) ALZ, (2) UUE, or (3) XXE archives.

7.5
2005-10-23 CVE-2005-3282 Splatt Remote Authentication Bypass vulnerability in Splatt Forums

Splatt Forum 3.0 to 3.2 allows remote attackers to bypass authentication via unknown vectors.

7.5
2005-10-23 CVE-2005-3280 Paros Remote Authentication Bypass vulnerability in Paros 3.2.5

Paros 3.2.5 uses a default password for the "sa" account in the underlying HSQLDB database and does not restrict access to the local machine, which allows remote attackers to gain privileges.

7.5
2005-10-20 CVE-2005-3269 SUN Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in SUN products

Stack-based buffer overflow in help.cgi in the HTTP administrative interface for (1) Sun Java System Directory Server 5.2 2003Q4, 2004Q2, and 2005Q1, (2) Red Hat Directory Server and (3) Certificate Server before 7.1 SP1, (4) Sun ONE Directory Server 5.1 SP4 and earlier, and (5) Sun ONE Administration Server 5.2 allows remote attackers to cause a denial of service (admin server crash), or local users to gain root privileges.

7.5
2005-10-20 CVE-2005-3263 Rarlab Remote vulnerability in RARLAB WinRAR

Stack-based buffer overflow in UNACEV2.DLL for RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via an ACE archive containing a file with a long name.

7.5
2005-10-20 CVE-2005-3262 Rarlab Remote vulnerability in RARLAB WinRAR

Format string vulnerability in RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename.

7.5
2005-10-20 CVE-2005-3259 Versatilebulletinboard SQL Injection vulnerability in Versatilebulletinboard 1.0.0.Rc2

Multiple SQL injection vulnerabilities in versatileBulletinBoard (vBB) 1.0.0 RC2 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) login field, (2) "search this thread" feature, (3) "search for posts" feature, (4) "forgot password" feature, (5) list parameter in userlistpre.php, and the (6) select, (7) categ, and (8) to parameters in index.php.

7.5
2005-10-20 CVE-2005-3182 GFI Remote Buffer Overflow vulnerability in GFI Mailsecurity 8.1

Buffer overflow in the HTTP management interface for GFI MailSecurity 8.1 allows remote attackers to execute arbitrary code via long headers such as (1) Host and (2) Accept in HTTP requests.

7.5
2005-10-20 CVE-2005-2971 KDE Remote Buffer Overflow vulnerability in KDE KOffice KWord RTF Import

Heap-based buffer overflow in the KWord RTF importer for KOffice 1.2.0 through 1.4.1 allows remote attackers to execute arbitrary code via a crafted RTF file.

7.5
2005-10-18 CVE-2005-2978 Netpbm Buffer Overflow vulnerability in NetPBM PNMToPNG

pnmtopng in netpbm before 10.25, when using the -trans option, uses uninitialized size and index variables when converting Portable Anymap (PNM) images to Portable Network Graphics (PNG), which might allow attackers to execute arbitrary code by modifying the stack.

7.5
2005-10-18 CVE-2005-3252 Sourcefire Remote Stack Buffer Overflow vulnerability in Sourcefire Snort 2.4.0/2.4.1/2.4.2

Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet.

7.5
2005-10-23 CVE-2005-3279 JAN Kybic Local Security vulnerability in JAN Kybic Bitmap Viewer 1.2

Stack-based buffer overflow in the vgasco_printf function in Jan Kybic BitMap Viewer (BMV) 1.2, when compiled with the M_UNIX flag and running setuid, allows local users to gain privileges via a long filename in the -b command line option.

7.2
2005-10-23 CVE-2005-3278 JAN Kybic Integer Overflow vulnerability in JAN Kybic Bitmap Viewer 1.2

Integer overflow in the openpsfile function in gsinterf.c for Jan Kybic BitMap Viewer (BMV) 1.2 allows local users to execute arbitrary code via a PostScript (PS) file containing a large number of pages value, which leads to a resultant buffer overflow.

7.2
2005-10-21 CVE-2005-3270 Symantec Local Privilege Escalation vulnerability in Symantec Norton Antivirus 9.0.3

Untrusted search path vulnerability in DiskMountNotify for Symantec Norton AntiVirus 9.0.3 allows local users to gain privileges by modifying the PATH to reference a malicious (1) ps or (2) grep file.

7.2
2005-10-20 CVE-2005-2759 Symantec Local Privilege Escalation vulnerability in Symantec Norton Antivirus 9.0.3

** SPLIT ** The jlucaller program in LiveUpdate for Symantec Norton AntiVirus 9.0.3 on Macintosh runs setuid when executing Java programs, which allows local users to gain privileges.

7.2

22 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-17 CVE-2005-3251 Gallery Project Directory Traversal vulnerability in Gallery

Directory traversal vulnerability in the gallery script in Gallery 2.0 (G2) allows remote attackers to read or include arbitrary files via ".." sequences in the g2_itemId parameter.

6.4
2005-10-21 CVE-2005-2118 Microsoft Remote Code Execution Variant vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122.

5.1
2005-10-21 CVE-2005-2117 Microsoft Unspecified vulnerability in Microsoft products

Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-assisted attackers to execute arbitrary code.

5.1
2005-10-23 CVE-2005-3300 Phpmyadmin Local File Inclusion vulnerability in PHPmyadmin 2.6.4Pl3

The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme.

5.0
2005-10-23 CVE-2005-3299 Phpmyadmin Local File Include vulnerability in PHPmyadmin 2.6.4/2.6.4Pl1

PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.

5.0
2005-10-23 CVE-2005-3294 Typsoft Resource Management Errors vulnerability in Typsoft FTP Server

Typsoft FTP Server 1.11, with "Sub Directory Include" enabled, allows remote attackers to cause a denial of service (crash) by sending multiple RETR commands.

5.0
2005-10-23 CVE-2005-3293 Xerver Input Validation vulnerability in Xerver 4.17H

Xerver 4.17 allows remote attackers to (1) obtain source code of scripts via a request with a trailing "." (dot) or (2) list directory contents via a trailing null character.

5.0
2005-10-23 CVE-2005-3287 Rockliffe Remote Security vulnerability in MailSite Express

Incomplete blacklist vulnerability in Mailsite Express allows remote attackers to upload and possibly execute files via attachments with executable extensions such as ASPX, which are not converted to .TXT like other dangerous extensions, and which can be directly requested from the cache directory.

5.0
2005-10-23 CVE-2005-3281 Nukefixes Directory Traversal vulnerability in Nukefixes 3.1

Directory traversal vulnerability in NukeFixes 3.1 for PHP-Nuke 7.8 allows remote attackers to include arbitrary files via the file parameter.

5.0
2005-10-20 CVE-2005-3261 Versatilebulletinboard Information Disclosure vulnerability in Versatilebulletinboard 1.0.0.Rc2

getversions.php in versatileBulletinBoard (vBB) 1.0.0 RC2 lists the versions of all installed scripts, which allows remote attackers to obtain sensitive information via a direct request.

5.0
2005-10-20 CVE-2005-3258 Squid Unspecified vulnerability in Squid

The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses.

5.0
2005-10-18 CVE-2005-3256 Enigmail Unspecified vulnerability in Enigmail

The key selection dialogue in Enigmail before 0.92.1 can incorrectly select a key with a user ID that does not have additional information, which allows parties with that key to decrypt the message.

5.0
2005-10-18 CVE-2005-3255 Nathan Neulinger The (1) cgiwrap and (2) php-cgiwrap packages before 3.9 in Debian GNU/Linux provide access to debugging CGIs under the web document root, which allows remote attackers to obtain sensitive information via direct requests to those CGIs.
5.0
2005-10-18 CVE-2005-2969 Openssl Unspecified vulnerability in Openssl

The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.

5.0
2005-10-21 CVE-2005-3274 Linux
Debian
NULL Pointer Dereference vulnerability in multiple products

Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired.

4.7
2005-10-23 CVE-2005-3291 Stani Unspecified vulnerability in Stani Stanis Python Editor 0.7.5

Stani's Python Editor (SPE) 0.7.5 is installed with world-writable permissions, which allows local users to gain privileges by modifying executable files.

4.6
2005-10-20 CVE-2005-2469 Novell Remote Buffer Overflow vulnerability in Novell Netmail 3.5.2

Stack-based buffer overflow in the NMAP Agent for Novell NetMail 3.52C and possibly earlier versions allows local users to execute arbitrary code via a long user name in the USER command.

4.6
2005-10-18 CVE-2005-3257 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 2.6.12/2.6.14.4

The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.

4.6
2005-10-23 CVE-2005-3292 Xeobook HTML Injection vulnerability in Xeobook 0.93

Multiple cross-site scripting (XSS) vulnerabilities in Xeobook 0.93 allow remote attackers to inject arbitrary web script or HTML via Javascript events in tages such as <b>.

4.3
2005-10-23 CVE-2005-3285 Comersus Open Technologies Cross-Site Scripting vulnerability in Comersus BackOffice Plus

Cross-site scripting (XSS) vulnerability in comersus_backoffice_searchItemForm.asp in Comersus BackOffice Plus allows remote attackers to inject arbitrary web script or HTML via the (1) forwardTo1, (2) forwardTo2, (3) nameFT1, or (4) nameFT2 parameters.

4.3
2005-10-23 CVE-2005-3283 Tiki Cross-Site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware

Cross-site scripting (XSS) vulnerability in TikiWiki before 1.9.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

4.3
2005-10-20 CVE-2005-3260 Versatilebulletinboard Cross-Site Scripting vulnerability in Versatilebulletinboard 1.0.0.Rc2

Multiple cross-site scripting (XSS) vulnerabilities in versatileBulletinBoard (vBB) 1.0.0 RC2 allow remote attackers to inject arbitrary web script or HTML via (1) the url parameter in dereferrer.php and (2) the file parameter in imagewin.php.

4.3

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2005-10-21 CVE-2005-2126 Microsoft Unspecified vulnerability in Microsoft products

The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.

2.6
2005-10-23 CVE-2005-3295 HP Local Denial Of Service vulnerability in HP Hp-Ux 11.23

Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size."

2.1
2005-10-23 CVE-2005-3289 IBM Unspecified vulnerability in IBM AIX 5.2/5.3

LSCFG in IBM AIX 5.2 and 5.3 does not create temporary files securely, which allows local users to corrupt /etc/passwd and possibly other system files via the trace file.

2.1
2005-10-23 CVE-2005-3286 Kerio Local Denial of Service vulnerability in Kerio Personal Firewall and ServerFirewall

The FWDRV driver in Kerio Personal Firewall 4.2 and Server Firewall 1.1.1 allows local users to cause a denial of service (crash) by setting the PAGE_NOACCESS or PAGE_GUARD protection on the Page Environment Block (PEB), which triggers an exception, aka the "PEB lockout vulnerability."

2.1
2005-10-20 CVE-2005-3268 Raphael Bossek Unspecified vulnerability in Raphael Bossek Yiff Server 2.14.2.7

yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and does not properly verify ownership of files that it opens, which allows local users to read arbitrary files.

2.1
2005-10-20 CVE-2005-3121 Eduard Bloch Unspecified vulnerability in Eduard Bloch Module-Assistant

A rule file in module-assistant before 0.9.10 causes a temporary file to be created insecurely, which allows local users to conduct unauthorized operations.

2.1
2005-10-17 CVE-2005-3250 SUN Local Denial Of Service vulnerability in SUN Solaris 10.0

Unknown vulnerability in Solaris 10 allows local users to cause a denial of service (panic) via unknown vectors related to the "/proc" filesystem, which trigger a null dereference.

2.1