Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. GLSA-200402-06 VU#337238 RHSA-2004:017 9429 linux-ptrace-gain-privilege(14888) oval:org.mitre.oval:def:868 The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function. http://lists.freebsd.org/pipermail/cvs-src/2004-January/016271.html Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." O-082 O-121 O-126 O-127 O-145 DSA-479 DSA-480 DSA-481 DSA-482 DSA-489 DSA-491 DSA-495 http://www.linuxcompatible.org/print25630.html MDKSA-2004:029 SuSE-SA:2004:005 RHSA-2004:044 RHSA-2004:065 RHSA-2004:106 RHSA-2004:166 9570 TLSA-2004-14 linux-r128-gain-priviliges(15029) oval:org.mitre.oval:def:1017 oval:org.mitre.oval:def:834 oval:org.mitre.oval:def:9204 The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users. 20040116 [OpenCA Advisory] Vulnerability in signature verification VU#336446 http://www.openca.org/news/CAN-2004-0004.txt 9435 openca-improper-signature-verification(14847) Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte. 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows http://security.e-matters.de/advisories/012004.html DSA-434 VU#190366 VU#226974 VU#404470 VU#655974 SuSE-SA:2004:004 1008850 SSA:2004-026 gaim-yahoodecode-offbyone-bo(14935) gaim-sscanf-oob(14938) gaim-mime-decoder-bo(14942) gaim-mime-decoder-oob(14944) GLSA-200401-04 Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. 20040201-01-U 20040202-01-U 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code http://security.e-matters.de/advisories/012004.html GLSA-200401-04 http://ultramagnetic.sourceforge.net/advisories/001.html DSA-434 VU#297198 VU#371382 VU#444158 VU#503030 VU#527142 VU#871838 MDKSA-2004:006 SuSE-SA:2004:004 RHSA-2004:032 RHSA-2004:033 RHSA-2004:045 9489 1008850 SSA:2004-026 gaim-yahoowebpending-cookie-bo(14939) gaim-login-name-bo(14940) gaim-login-value-bo(14941) gaim-yahoopacketread-keyname-bo(14943) gaim-urlparser-bo(14945) gaim-http-proxy-bo(14947) oval:org.mitre.oval:def:10222 oval:org.mitre.oval:def:818 Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code http://security.e-matters.de/advisories/012004.html GLSA-200401-04 http://ultramagnetic.sourceforge.net/advisories/001.html DSA-434 VU#197142 MDKSA-2004:006 RHSA-2004:032 RHSA-2004:033 SuSE-SA:2004:004 9489 1008850 SSA:2004-026 gaim-extractinfo-bo(14946) oval:org.mitre.oval:def:819 oval:org.mitre.oval:def:9906 Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. 20040201-01-U 20040202-01-U 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040127 [slackware-security] GAIM security update (SSA:2004-026-01) 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code http://security.e-matters.de/advisories/012004.html GLSA-200401-04 http://ultramagnetic.sourceforge.net/advisories/001.html DSA-434 VU#779614 MDKSA-2004:006 RHSA-2004:032 RHSA-2004:033 RHSA-2004:045 1008850 gaim-directim-bo(14937) oval:org.mitre.oval:def:820 oval:org.mitre.oval:def:9469 Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user. 20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior 20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior http://www.apache-ssl.org/advisory-20040206.txt 9590 apachessl-default-password(15065) Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. CLA-2004:820 FEDORA-2004-079 O-082 DSA-479 DSA-480 DSA-481 DSA-482 DSA-489 DSA-491 DSA-495 MDKSA-2004:015 SuSE-SA:2004:005 RHSA-2004:065 RHSA-2004:069 RHSA-2004:188 TLSA-2004-05 9691 linux-ncplookup-gain-privileges(15250) oval:org.mitre.oval:def:1035 oval:org.mitre.oval:def:11388 oval:org.mitre.oval:def:835 Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code. O-048 DSA-416 9377 fsp-boundry-error-bo(14155) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash). DSA-414 MDKSA-2004:005 9376 jabber-ssl-connections-dos(14158) Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings. DSA-412 9365 1008616 nd-long-string-bo(14141) vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges. DSA-418 9381 vbox3-gain-privileges(14170) The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files. DSA-419 9387 phpgroupware-calendar-file-include(13489) Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations. DSA-419 9386 1008662 jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands. DSA-420 9397 jitterbug-execute-code(14207) Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges. 20040106 Lotus Notes Domino 6.0.2 (linux) faulty default permissions http://www.excluded.org/advisories/advisory05.txt 9366 1008623 lotus-notes-insecure-permissions(14153) PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem 9368 1008632 phpgedview-pgvbasedirectory-file-include(14159) PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-modify-admin-password(14161) Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem 9369 phpgedview-search-xss(14160) admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem 9371 phpgedview-admin-info-disclosure(14162) Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php. 20040105 Multiple Vulnerabilities in Phorum 3.4.5 http://phorum.org/ 9361 1008633 phorum-common-xss(14145) SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. 20040105 Multiple Vulnerabilities in Phorum 3.4.5 9363 phorum-register-sql-injection(14146) SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter. 20040105 vBulletin Forum 2.3.xx calendar.php SQL Injection 9360 http://www.vbulletin.com/forum/showthread.php?postid=588825 vbulletin-calendar-sql-injection(14144) FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages. 20040105 FirstClass Client 7.1: Command Execution via Email Web Link 9370 1008609 firstclassclient-execute-code(14151) McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81. http://download.nai.com/products/patches/ePO/v2.x/Patch14.txt 10200 20040510 McAfee ePolicy Orchestrator Remote Compromise Vulnerability epolicy-execute-commands(14166) Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. 20040205 Two checkpoint fw-1/vpn-1 vulns http://www.checkpoint.com/techsupport/alerts/security_server.html O-072 VU#790771 9581 TA04-036A 20040204 Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities fw1-format-string(14149) Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. 20040205 Two checkpoint fw-1/vpn-1 vulns O-073 VU#873334 9582 20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow vpn1-ike-bo(14150) The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions. DSA-421 9404 1008675 vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames. 1008628 Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature. 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow 9383 1008651 yahoo-messenger-filename-bo(14171) Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username. 20040108 Cisco Personal Assistant User Password Bypass Vulnerability 9384 ciscopersonalassistant-config-file-access(14172) Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code. 20040107 [SECURITY] INN: Buffer overflow in control message handling 20040108 [OpenPKG-SA-2004.001] OpenPKG Security Advisory (inn) VU#759020 9382 SSA:2004-014-02 inn-artpost-control-message-bo(14190) Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character. 20040106 SnapStream PVS LITE Cross Site Scripting Vulnerabillity 1008646 9375 snapstream-quotation-xss(14164) Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges. DSA-430 9520 1008875 trr19-gain-privileges(14975) Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port. 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow http://service.real.com/help/faq/security/040112_dos/ http://service.real.com/help/faq/security/security022604.html 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow 9421 Verity Ultraseek before 5.2.2 allows remote attackers to obtain the full pathname of the document root via an MS-DOS device name in the web search option, such as (1) NUL, (2) CON, (3) AUX, (4) COM1, (5) COM2, and others. 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue ultraseek-error-path-disclosure(16066) Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients. 20040914 Corsaire Security Advisory - Multiple vendor MIME Content-Transfer-Encoding mechanism issue http://www.uniras.gov.uk/vuls/2004/380375/mime.htm mime-contenttransfer-filter-bypass(17337) Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients. 20040914 Corsaire Security Advisory - Multiple vendor MIME separator issue http://www.uniras.gov.uk/vuls/2004/380375/mime.htm mime-separator-filtering-bypass(17334) Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients. 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue http://www.uniras.gov.uk/vuls/2004/380375/mime.htm mime-rfc2047-filtering-bypass(17331) Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CA-2004-01 20040113 Vulnerabilities in H.323 Message Processing VU#749342 9406 1008685 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm oval:org.mitre.oval:def:4884 The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. CSSA-2004-008.0 SCOSA-2004.9 20040103-01-U 20040202-01-U CLSA-2003:832 APPLE-SA-2004-02-23 2004-0004 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 DSA-425 VU#955526 MDKSA-2004:008 FEDORA-2004-090 FEDORA-2004-092 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FLSA:1222 RHSA-2004:008 7090 1008735 oval:org.mitre.oval:def:850 oval:org.mitre.oval:def:853 oval:org.mitre.oval:def:9989 Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CA-2004-01 VU#749342 9406 1008687 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. CSSA-2004-008.0 SCOSA-2004.9 20040103-01-U 20040202-01-U APPLE-SA-2004-02-23 2004-0004 ESA-20040119-002 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 DSA-425 VU#174086 MDKSA-2004:008 FEDORA-2004-090 FEDORA-2004-092 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FLSA:1222 RHSA-2004:007 RHSA-2004:008 20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities. 9423 1008716 tcpdump-rawprint-isakmp-dos(14837) oval:org.mitre.oval:def:11197 oval:org.mitre.oval:def:851 oval:org.mitre.oval:def:854 Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file. 20040113 symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower) 1008702 antivir-tmpfile-insecure(14214) Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header. 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 1008779 WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request. 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 1008779 WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character. 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 1008779 Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity. 20040114 FishCart Integer Overflow / Rounding Error 1008731 The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number. 20040114 nCipher Advisory #8: payShield library may verify bad requests http://www.ncipher.com/support/advisories/advisory8_payshield.html 9422 payshield-incorrect-request-verification(14832) The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory. 20040113 SuSE linux 9.0 YaST config Skribt [exploit] 9411 1008703 Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php. 20040112 More phpGedView Vulnerabilities 11910 11925 phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php. 20040112 More phpGedView Vulnerabilities phpgedview-path-disclosure(14215) Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1. 20040112 More phpGedView Vulnerabilities 1018613 20070827 PhpGedView login page multiple XSS 11868 11880 11882 11888 11890 11891 11894 11903 11904 11905 11906 11907 ADV-2007-2995 phpgedview-multiple-xss(14212) phpgedview-login-xss(36285) PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code. 20040114 PhpDig 1.6.x: remote command execution http://www.phpdig.net/showthread.php?s=58bcc71c822830ec3bbdaae6d56846e0&threadid=393 9424 phpdig-config-file-include(14826) Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function. 20040108 Windows FTP Server Format String Vulnerability 20040113 exploit for HD Soft Windows FTP Server 1.6 9385 1008658 PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code. 20040110 Remote Code Execution in ezContents http://www.ezcontents.org/forum/viewtopic.php?t=361 9396 ezcontents-php-file-include(14199) Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php. 20040110 PHP Manpage lookup directory transversal / file disclosing 9395 1008689 manpagelookup-directory-traversal(14203) Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request. 20040109 Directory Traversal in Accipiter Direct Server 6.0 20040109 Directory Traversal in Accipiter Direct Server 6.0 9389 accipterdirectserver-directory-traversal(14198) PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script. 20040102 include() vuln in EasyDynamicPages v.2.0 1008584 9338 easydynamicpages-php-file-include(14136) Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949. 20040102 xsok local games exploit 20040103 xsok local games exploit (2) 9341 9352 xsok-long-xsokdir-bo(14906) xsok-lang-bo(14910) The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. CLA-2004:846 MDKSA-2004:015 O-082 SuSE-SA:2004:005 RHSA-2004:065 RHSA-2005:293 9690 linux-vicam-dos(15246) oval:org.mitre.oval:def:836 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was removed from consideration by its Candidate Numbering Authority. Notes: none. The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. 20040218 Second critical mremap() bug found in all Linux kernels CLA-2004:820 FEDORA-2004-079 MDKSA-2004:015 http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt 20040218 Second critical mremap() bug found in all Linux kernels 2004-0007 2004-0008 GLSA-200403-02 O-082 DSA-438 DSA-439 DSA-440 DSA-441 DSA-442 DSA-444 DSA-450 DSA-453 DSA-454 DSA-456 DSA-466 DSA-470 DSA-475 DSA-514 VU#981222 SuSE-SA:2004:005 RHSA-2004:065 RHSA-2004:066 RHSA-2004:069 RHSA-2004:106 9686 SSA:2004-049 linux-mremap-gain-privileges(15244) oval:org.mitre.oval:def:825 oval:org.mitre.oval:def:837 Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. CSSA-2004-013.0 http://bugs.debian.org/126336 20040211 Mutt-1.4.2 fixes buffer overflow. 20040215 LNSA-#2004-0001: mutt remote crash 20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt) MDKSA-2004:010 RHSA-2004:050 RHSA-2004:051 9641 SSA:2004-043 mutt-index-menu-bo(15134) oval:org.mitre.oval:def:811 oval:org.mitre.oval:def:838 The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. FreeBSD-SA-04:05 NetBSD-SA2004-005 SCOSA-2004.10 CLA-2004:834 http://docs.info.apple.com/article.html?artnum=61798 FEDORA-2004-095 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 http://lists.apple.com/mhonarc/security-announce/msg00045.html 20040317 New OpenSSL releases fix denial of service attacks [17 March 2004] SSRT4717 GLSA-200403-03 57524 http://support.avaya.com/elmodocs2/security/ASA-2005-239.htm http://support.lexmark.com/index?page=content&id=TE88&locale=EN&userlocale=EN_US O-101 20040317 Cisco OpenSSL Implementation Vulnerability DSA-465 VU#288574 ESA-20040317-003 MDKSA-2004:023 SuSE-SA:2004:007 http://www.openssl.org/news/secadv_20040317.txt FEDORA-2005-1042 RHSA-2004:120 RHSA-2004:121 RHSA-2004:139 RHSA-2005:829 RHSA-2005:830 9899 SSA:2004-077 2004-0012 http://www.uniras.gov.uk/vuls/2004/224012/index.htm TA04-078A openssl-dochangecipherspec-dos(15505) oval:org.mitre.oval:def:2621 oval:org.mitre.oval:def:5770 oval:org.mitre.oval:def:870 oval:org.mitre.oval:def:975 oval:org.mitre.oval:def:9779 The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. 20040201-01-U 20040406-01-U 20040331 OpenLinux: util-linux could leak sensitive data 20040408 LNSA-#2004-0010: login may leak sensitive data GLSA-200404-06 VU#801526 RHSA-2004:056 9558 utillinux-information-leak(15016) OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. SCOSA-2004.10 20040304-01-U CLA-2004:834 FEDORA-2004-095 20040317 Re: New OpenSSL releases fix denial of service attacks [17 March 2004] 20040508 [FLSA-2004:1395] Updated OpenSSL resolves security vulnerability RHSA-2004:119 GLSA-200403-03 57524 20040317 Cisco OpenSSL Implementation Vulnerability DSA-465 VU#465542 ESA-20040317-003 RHSA-2004:120 RHSA-2004:121 RHSA-2004:139 9899 2004-0012 http://www.uniras.gov.uk/vuls/2004/224012/index.htm TA04-078A openssl-tls-dos(15509) oval:org.mitre.oval:def:11755 oval:org.mitre.oval:def:871 oval:org.mitre.oval:def:902 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txt O-078 RHSA-2004:064 9637 http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html samba-mksmbpasswd-gain-access(15132) oval:org.mitre.oval:def:827 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. CLA-2004:821 20040210 iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow 20040211 XFree86 vulnerability exploit FLSA:2314 GLSA-200402-02 57768 DSA-443 http://www.idefense.com/application/poi/display?id=72 VU#820006 MDKSA-2004:012 SuSE-SA:2004:006 RHSA-2004:059 RHSA-2004:060 RHSA-2004:061 9636 SSA:2004-043 http://www.xfree86.org/cvs/changes xfree86-fontalias-bo(15130) oval:org.mitre.oval:def:806 oval:org.mitre.oval:def:830 oval:org.mitre.oval:def:9612 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. CLA-2004:821 20040212 iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II FLSA:2314 57768 DSA-443 http://www.idefense.com/application/poi/display?id=73 VU#667502 MDKSA-2004:012 SuSE-SA:2004:006 RHSA-2004:059 RHSA-2004:060 RHSA-2004:061 9652 SSA:2004-043 xfree86-copyisolatin1lLowered-bo(15200) oval:org.mitre.oval:def:10405 oval:org.mitre.oval:def:807 oval:org.mitre.oval:def:831 Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086. APPLE-SA-2004-01-26 9504 macosx-mail-undisclosed(14992) Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. APPLE-SA-2004-01-26 9504 The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. APPLE-SA-2004-01-26 9504 macosx-configd-file-manipulation(14997) The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. APPLE-SA-2004-01-26 9504 Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. APPLE-SA-2004-01-26 A012704-1 VU#902374 9509 macosx-trublue-environmentvariable-bo(14968) Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors. APPLE-SA-2004-01-26 ESB-2004.0072 9504 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft." 20040120 vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability 20040120 Re: vBulletin Security Vulnerability 20040123 RE: vBulletin Security Vulnerability 1008780 Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. APPLE-SA-2004-01-26 9504 XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI). 20040406-01-U CLSA-2004:824 DSA-443 RHSA-2004:152 9701 xfree86-glx-array-dos(15272) Integer signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI). 20040406-01-U CLSA-2004:824 DSA-443 RHSA-2004:152 9701 xfree86-glx-integer-dos(15273) McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow. http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip 9476 epolicy-contentlength-post-dos(14989) Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973. GLSA-200401-03 [mod_python] 20040122 [ANNOUNCE] Mod_python 2.7.10 RHSA-2004:058 RHSA-2004:063 Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CA-2004-01 DSA-448 VU#749342 RHSA-2004:047 9406 pwlib-message-dos(15202) oval:org.mitre.oval:def:10056 oval:org.mitre.oval:def:803 oval:org.mitre.oval:def:826 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. FreeBSD-SA-04:01 9533 freebsd-mksnapffs-bypass-security(15005) crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow. DSA-432 9566 crawl-long-environment-bo(15032) Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. 20040218 metamail format string bugs and buffer overflows 20040218 metamail format string bugs and buffer overflows O-083 DSA-449 VU#518518 MDKSA-2004:014 RHSA-2004:073 9692 SSA:2004-049 metamail-contenttype-format-string(15245) metamail-printheader-format-string(15259) Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. 20040218 metamail format string bugs and buffer overflows 20040218 metamail format string bugs and buffer overflows O-083 DSA-449 VU#513062 MDKSA-2004:014 RHSA-2004:073 9692 SSA:2004-049 metamail-printheader-nonascii-bo(15247) metamail-splitmail-subject-bo(15258) Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. CLA-2004:821 FLSA:2314 DSA-443 MDKSA-2004:012 SuSE-SA:2004:006 RHSA-2004:059 RHSA-2004:060 RHSA-2004:061 SSA:2004-043 xfree86-multiple-font-improper-handling(15206) oval:org.mitre.oval:def:11111 oval:org.mitre.oval:def:809 oval:org.mitre.oval:def:832 The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. 20040302-01-U O-097 RHSA-2004:053 RHSA-2004:093 9838 sysstat-post-trigger-symlink(15428) oval:org.mitre.oval:def:10737 oval:org.mitre.oval:def:849 oval:org.mitre.oval:def:862 The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107. 20040302-01-U DSA-460 RHSA-2004:053 9844 sysstat-isag-symlink(15437) Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. 20040405-01-U 20040504-01-U CLA-2004:846 2004-0020 RHSA-2004:166 11429 GLSA-200407-02 O-121 O-127 DSA-479 DSA-480 DSA-481 DSA-482 DSA-489 DSA-491 DSA-495 http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities ESA-20040428-004 MDKSA-2004:029 SuSE-SA:2004:009 RHSA-2004:105 RHSA-2004:106 RHSA-2004:183 10141 TLSA-2004-14 linux-iso9660-bo(15866) oval:org.mitre.oval:def:10733 oval:org.mitre.oval:def:940 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. 20040305 [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml) 20040306 TSLSA-2004-0010 - libxml2 RHSA-2004:090 GLSA-200403-01 O-086 DSA-455 VU#493966 SUSE-SR:2005:001 RHSA-2004:091 RHSA-2004:650 9718 http://www.xmlsoft.org/news.html libxml2-nanohttp-bo(15301) libxml2-nanoftp-bo(15302) oval:org.mitre.oval:def:11626 oval:org.mitre.oval:def:833 oval:org.mitre.oval:def:875 gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. DSA-464 MDKSA-2004:020 RHSA-2004:102 RHSA-2004:103 9842 FLSA:2005 gdk-pixbuf-bitmap-dos(15426) oval:org.mitre.oval:def:845 oval:org.mitre.oval:def:846 The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. NetBSD-SA2004-005 SCOSA-2004.10 CLA-2004:834 http://docs.info.apple.com/article.html?artnum=61798 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 http://lists.apple.com/mhonarc/security-announce/msg00045.html 20040317 New OpenSSL releases fix denial of service attacks [17 March 2004] SSRT4717 GLSA-200403-03 57524 O-101 20040317 Cisco OpenSSL Implementation Vulnerability VU#484726 MDKSA-2004:023 SuSE-SA:2004:007 http://www.openssl.org/news/secadv_20040317.txt RHSA-2004:120 RHSA-2004:121 9899 SSA:2004-077 2004-0012 http://www.uniras.gov.uk/vuls/2004/224012/index.htm TA04-078A openssl-kerberos-ciphersuites-dos(15508) oval:org.mitre.oval:def:1049 oval:org.mitre.oval:def:928 oval:org.mitre.oval:def:9580 Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. CLSA-2004:839 http://issues.apache.org/bugzilla/show_bug.cgi?id=27106 [apache-cvs] 20040307 cvs commit: httpd-2.0/modules/ssl ssl_engine_io.c 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 APPLE-SA-2004-05-03 SSRT4717 GLSA-200403-04 http://www.apacheweek.com/features/security-20 MDKSA-2004:043 RHSA-2004:084 RHSA-2004:182 9826 2004-0017 apache-modssl-plain-dos(15419) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:876 The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. FreeBSD-SA-04:02 NetBSD-SA2004-004 20040205 [PINE-CERT-20040201] reference count overflow in shmat() http://www.openbsd.org/errata33.html#sysvshm http://www.pine.nl/press/pine-cert-20040201.txt 9586 bsd-shmat-gain-privileges(15061) VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file. A021004-1 O-076 9632 MS04-005 virtual-pc-gain-privileges(15113) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. 1009758 O-115 AD20040413A VU#417052 10127 TA04-104A MS04-012 win-rpcss-rpcmessage-dos(15708) oval:org.mitre.oval:def:955 oval:org.mitre.oval:def:957 oval:org.mitre.oval:def:958 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. O-114 VU#353956 TA04-104A MS04-011 win-h323-bo(15710) oval:org.mitre.oval:def:907 oval:org.mitre.oval:def:946 oval:org.mitre.oval:def:964 The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code. 20040413 EEYE: Windows VDM TIB Local Privilege Escalation O-114 AD20040413E VU#783748 10117 TA04-104A MS04-011 win-vdm-gain-privileges(15714) oval:org.mitre.oval:def:1512 oval:org.mitre.oval:def:1718 The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. 20040414 NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding O-114 VU#638548 10113 TA04-104A MS04-011 win-spp-bo(15715) oval:org.mitre.oval:def:1808 oval:org.mitre.oval:def:1962 oval:org.mitre.oval:def:1997 The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. O-114 VU#150236 10115 TA04-104A MS04-011 ssl-message-dos(15712) oval:org.mitre.oval:def:885 oval:org.mitre.oval:def:886 oval:org.mitre.oval:def:892 Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. 20040310 Outlook mailto: URL argument injection vulnerability O-096 20040309 Microsoft Outlook "mailto:" Parameter Passing Vulnerability VU#305206 9827 TA04-070A MS04-009 outlook-mailtourl-execute-code(15414) outlook-ms04009-patch(15429) oval:org.mitre.oval:def:843 Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. VU#688094 9828 MS04-010 msn-request-view-files(15415) msn-ms04010-patch(15427) oval:org.mitre.oval:def:844 Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. O-114 VU#255924 10118 TA04-104A MS04-011 win-asn1-double-free(15713) oval:org.mitre.oval:def:1007 oval:org.mitre.oval:def:1076 oval:org.mitre.oval:def:924 The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." O-115 VU#212892 10121 TA04-104A MS04-012 win-objectidentifier-open-port(15711) oval:org.mitre.oval:def:1041 oval:org.mitre.oval:def:1062 oval:org.mitre.oval:def:1066 oval:org.mitre.oval:def:1072 The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table. FreeBSD-SA-04:12 10485 freebsd-jailed-table-modify(16342) The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail. FreeBSD-SA-04:03 9762 freebsd-jailattach-gain-privileges(15344) Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter. 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior 9529 1008892 phpgedview-editconfig-directory-traversal(15129) PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script. http://sourceforge.net/project/shownotes.php?release_id=141517 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior 9531 phpgedview-gedfilconf-file-include(14987) Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. 20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior GLSA-200402-05 http://sourceforge.net/forum/forum.php?forum_id=350228 http://www.phpmyadmin.net/home_page/relnotes.php?rel=0 9564 phpmyadmin-dotdot-directory-traversal(15021) login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message. 1008844 http://www.netvigilance.com/advisory0001 http://www.securiteam.com/unixfocus/5NP0M1PBPQ.html phpgedview-loginphp-path-disclosure(15128) The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote attackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference. http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gz 20040204 GNU Radius Remote Denial of Service Vulnerability VU#277396 9578 radius-radprintrequest-dos(15046) Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php. 20040210 PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior ezcontents-multiple-file-include(15135) The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device. 20040405-01-U 2004-0020 GLSA-200407-02 ESA-20040428-004 MDKSA-2004:029 10151 linux-xfs-info-disclosure(15901) cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain privileges by loading a user provided library while restarting the checkpointed process. 20040507-01-P 10418 irix-cpr-gain-privileges(16259) The syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allows local users to gain privileges by reading and writing to kernel memory. 20040601-01-P irix-sgiioprobe-gain-privileges(16413) The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system crash) via a "corrupted binary." 20040601-01-P 10547 irix-mapelf32exec-dos(16416) Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system panic) as a result of "page invalidation issues." 20040601-01-P 10549 irix-page-dos(16417) The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped. http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25 http://linux.bkbits.net:8080/linux-2.4/cset@4021346f79nBb-4X_usRikR3Iyb4Vg DSA-1067 DSA-1069 DSA-1070 DSA-1082 RHSA-2004:504 RHSA-2004:549 18174 linux-kernel-elfloader-dos(43124) oval:org.mitre.oval:def:10123 Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5.22 through 6.5.25, and possibly earlier versions, in which "t_unbind changes t_bind's behavior," has unknown impact and attack vectors. 20040905-01-P 11276 irix-bsda-kernel(17547) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows. 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones http://www.pentest.co.uk/documents/ptl-2004-01.html 9603 nokia-obex-dos(15107) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. SSRT4704 102356 DSA-457 ADV-2006-1867 RHSA-2004:096 9832 wuftpd-restrictedgid-gain-access(15423) oval:org.mitre.oval:def:1147 oval:org.mitre.oval:def:1636 oval:org.mitre.oval:def:1637 oval:org.mitre.oval:def:648 Multiple buffer overflows in xboing before 2.4 allow local users to gain privileges. DSA-451 9764 xboing-bo(15347) Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS. DSA-458 GLSA-200409-03 MDKSA-2004:019 9836 python-getaddrinfo-bo(15409) Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands. http://shellcode.org/Advisories/XITALK.txt DSA-462 9851 xitalk-gain-privileges(15456) Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames. 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities DSA-468 emil-email-bo(15601) Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages. 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities DSA-468 emil-format-string(15602) rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. http://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=114535 RHSA-2004:072 9813 2004-0009 nfs-utils-dns-dos(15418) oval:org.mitre.oval:def:861 oval:org.mitre.oval:def:9673 The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. SCOSA-2005.10 20040407 CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections APPLE-SA-2004-05-03 GLSA-200406-17 VU#552398 MDKSA-2004:069 MDKSA-2004:027 RHSA-2004:165 10072 oval:org.mitre.oval:def:9291 oval:org.mitre.oval:def:945 Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code. 20040507 [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp) GLSA-200404-18 1009788 DSA-485 10150 ssmtp-die-logevent-format-string(15872) x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program. 1009789 http://shellcode.org/Advisories/XONIX.txt DSA-484 10149 xonix-privilege-dropping(15873) Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c. 20040222 lbreakout2 < 2.4beta-2 local exploit http://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gz DSA-445 9712 breakout2-home-bo(15229) Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command. 20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability 9715 hsftp-format-string(15276) DSA-447 Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file. DSA-446 9713 synaesthesia-configuration-symlink-attack(15279) Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients. 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC2231 encoding issue http://www.uniras.gov.uk/vuls/2004/380375/mime.htm mime-tools-parameter-encoding(9274) Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients. 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC822 comment issue http://www.uniras.gov.uk/vuls/2004/380375/mime.htm mime-rfc822-filtering-bypass(17332) Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session. 20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issue http://www.corsaire.com/advisories/c031120-002.txt sse-replay-dos(16945) KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. NetBSD-SA2004-001 APPLE-SA-2004-02-23 20040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon 20040114 Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon 9416 9417 openbsd-isakmp-invalidspi-delete-sa(14117) openbsd-isakmp-initialcontact-delete-sa(14118) oval:org.mitre.oval:def:947 oval:org.mitre.oval:def:9737 Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. APPLE-SA-2004-02-23 A022304-1 VU#841742 9730 macos-pppd-format-string(15297) Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar." APPLE-SA-2004-02-23 VU#194238 macosx-safari-unknown(14993) DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. APPLE-SA-2004-02-23 VU#578886 9731 macos-diskarbitration-unknown(15300) Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." APPLE-SA-2004-02-23 macos-corefoundation-unknown(15299) QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function. APPLE-SA-2004-02-23 20040223 Darwin Streaming Server Remote Denial of Service Vulnerability VU#460350 9735 darwin-describe-request-dos(15291) FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. FreeBSD-SA-04:04 APPLE-SA-2004-05-28 20040302 FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability VU#395670 9792 freebsd-mbuf-dos(15369) Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed. 20031008 ltrace bug 20031008 ltrace bug 1007896 8790 ltrace-searchforcommand-bo(13389) Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. http://issues.apache.org/bugzilla/show_bug.cgi?id=26152 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin http://www.apacheweek.com/issues/04-03-12 9733 apache-cygwin-directory-traversal(15293) Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." 20040319 [ANNOUNCE] Apache HTTP Server 2.0.49 Released (fwd) 2004-0017 APPLE-SA-2004-05-03 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) SSRT4717 GLSA-200405-22 101555 57628 http://www.apache.org/dist/httpd/CHANGES_1.3 VU#132110 MDKSA-2004:046 RHSA-2004:405 9921 1009495 SSA:2004-133 2004-0027 apache-socket-starvation-dos(15540) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:100110 oval:org.mitre.oval:def:1982 Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992. SCOSA-2006.11 CLSA-2004:831 O-212 http://www.juniper.net/support/security/alerts/adv59739.txt MDKSA-2005:100 MDVSA-2008:191 SuSE-SA:2004:009 RHSA-2005:074 RHSA-2005:106 RHSA-2005:165 RHSA-2005:481 RHSA-2005:495 RHSA-2005:562 RHSA-2005:567 9986 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147 openssh-scp-file-overwrite(16323) oval:org.mitre.oval:def:10184 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. CLA-2004:835 20040323 Advisory 03/2004: Multiple (13) Ethereal remote overflows 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal 20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal) http://security.e-matters.de/advisories/032004.html GLSA-200403-07 DSA-511 http://www.ethereal.com/appnotes/enpa-sa-00013.html VU#119876 VU#125156 VU#433596 VU#591820 VU#644886 VU#659140 VU#740188 VU#864884 VU#931588 MDKSA-2004:024 RHSA-2004:136 RHSA-2004:137 ethereal-multiple-dissectors-bo(15569) oval:org.mitre.oval:def:10187 oval:org.mitre.oval:def:878 oval:org.mitre.oval:def:887 The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device. CLA-2004:846 http://linux.bkbits.net:8080/linux-2.4/cset@4056b368s6vpJbGWxDD_LhQNYQrdzQ 2004-0020 RHSA-2004:166 GLSA-200407-02 O-121 O-126 O-127 DSA-479 DSA-480 DSA-481 DSA-482 DSA-489 DSA-491 DSA-495 ESA-20040428-004 MDKSA-2004:029 RHSA-2004:504 RHSA-2004:505 RHSA-2005:293 10152 FLSA:2336 linux-ext3-info-disclosure(15867) oval:org.mitre.oval:def:10556 The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes. 20040804-01-U CLA-2004:846 http://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFA GLSA-200407-02 O-121 O-127 O-193 DSA-479 DSA-480 DSA-481 DSA-482 DSA-489 DSA-491 DSA-495 MDKSA-2004:029 RHSA-2004:413 RHSA-2004:437 9985 linux-sound-blaster-dos(15868) oval:org.mitre.oval:def:9427 Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. 20040404-01-U SuSE-SA:2004:009 SuSE-SA:2004:008 20040416 [OpenPKG-SA-2004.016] OpenPKG Security Advisory (neon) 20040416 void.at - neon format string bugs GLSA-200405-01 GLSA-200405-04 DSA-487 MDKSA-2004:032 RHSA-2004:157 RHSA-2004:158 RHSA-2004:159 RHSA-2004:160 10136 FEDORA-2004-1552 oval:org.mitre.oval:def:1065 oval:org.mitre.oval:def:10913 The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. FreeBSD-SA-04:07 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch 20040404-01-U FEDORA-2004-1620 GLSA-200404-13 DSA-486 MDKSA-2004:028 RHSA-2004:153 RHSA-2004:154 SSA:2004-108-02 cvs-rcs-create-files(15864) oval:org.mitre.oval:def:1042 oval:org.mitre.oval:def:9462 The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device. 2004-0020 GLSA-200407-02 ESA-20040428-004 MDKSA-2004:029 RHSA-2004:504 RHSA-2005:663 10143 TLSA-2004-14 ADV-2005-1878 linux-jfs-info-disclosure(15902) oval:org.mitre.oval:def:10329 Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field. 20040404-01-U RHSA-2004:156 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities 1009593 DSA-478 VU#240790 http://www.rapid7.com/advisories/R7-0017.html RHSA-2004:219 10003 http://www.tcpdump.org/tcpdump-changes.txt 2004-0015 FEDORA-2004-1468 tcpdump-isakmp-delete-bo(15680) oval:org.mitre.oval:def:972 oval:org.mitre.oval:def:9971 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities 1009593 DSA-478 VU#492558 http://www.rapid7.com/advisories/R7-0017.html RHSA-2004:219 10004 http://www.tcpdump.org/tcpdump-changes.txt 2004-0015 FEDORA-2004-1468 tcpdump-isakmp-integer-underflow(15679) oval:org.mitre.oval:def:9581 oval:org.mitre.oval:def:976 Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name. ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt DSA-457 RHSA-2004:096 http://www.securiteam.com/unixfocus/6X00Q1P8KC.html 8893 wuftpd-skey-bo(13518) smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted. 20040209 Samba 3.x + kernel 2.6.x local root vulnerability 20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability DSA-463 9619 samba-smbmnt-gain-privileges(15131) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password. 20040227 Calife heap corrupt / potential local root exploit DSA-461 9756 9776 calife-long-password-bo(15335) The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. SCOSA-2005.16 20040404-01-U CLA-2004:838 20040401 [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid) GLSA-200403-11 DSA-474 MDKSA-2004:025 RHSA-2004:133 RHSA-2004:134 9778 http://www.squid-cache.org/Advisories/SQUID-2004_1.txt squid-urlregex-acl-bypass(15366) oval:org.mitre.oval:def:877 oval:org.mitre.oval:def:941 Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges. 20040216 Symantec FireWall/VPN Appliance model 200 leak of security 20040216 Symantec FireWall/VPN Appliance model 200 leak of security 9784 symantec-firewallvpn-password-plaintext(15212) Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. http://bugzilla.mozilla.org/show_bug.cgi?id=227417 20040225 Sandblad #13: Cross-domain exploit on zombie document with event handlers SSRT4722 RHSA-2004:110 RHSA-2004:112 9747 mozilla-event-handler-xss(15322) oval:org.mitre.oval:def:874 oval:org.mitre.oval:def:937 Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page. 20040227 Symantec Gateway Security Management Service Cross Site Scripting 9755 symantecgateway-error-xss(15330) Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username. 20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow AD20040226 http://www.eeye.com/html/Research/Upcoming/20040213.html VU#150326 9752 20040226 Vulnerability in SMB Parsing in ISS Products pam-smb-protocol-bo(15207) Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data. 20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow 20040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability http://www.nextgenss.com/advisories/adobexfdf.txt 9802 acrobatreader-xfdf-bo(15384) Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. VU#740716 10112 TA04-104A MS04-014 msjet-query-execute-code(15703) oval:org.mitre.oval:def:968 Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm). 20040512 MS04-015 - Windows Help Center - Dvdupgrade 20040512 MS04-015 - Windows Help Center - Dvdupgrade http://www.exploitlabs.com/files/advisories/EXPL-A-2004-001-helpctr.txt VU#484814 10321 MS04-015 win-hcp-code-execution(16095) oval:org.mitre.oval:def:1008 oval:org.mitre.oval:def:1032 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. 20040914 Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow VU#297462 TA04-260A MS04-028 win-jpeg-bo(16304) oval:org.mitre.oval:def:1105 oval:org.mitre.oval:def:1721 oval:org.mitre.oval:def:2706 oval:org.mitre.oval:def:3038 oval:org.mitre.oval:def:3082 oval:org.mitre.oval:def:3320 oval:org.mitre.oval:def:3810 oval:org.mitre.oval:def:3881 oval:org.mitre.oval:def:4003 oval:org.mitre.oval:def:4216 oval:org.mitre.oval:def:4307 Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. 20040714 HtmlHelp - .CHM File Heap Overflow VU#920060 TA04-196A MS04-023 win-htmlhelp-execute-code(16586) oval:org.mitre.oval:def:1503 oval:org.mitre.oval:def:1530 oval:org.mitre.oval:def:2155 oval:org.mitre.oval:def:3179 IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. 10487 MS04-016 ms-directx-directplay-dos(16306) oval:org.mitre.oval:def:1027 oval:org.mitre.oval:def:2190 oval:org.mitre.oval:def:2413 oval:org.mitre.oval:def:2516 oval:org.mitre.oval:def:2705 Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query. VU#948750 MS04-026 exchange-owa-execute-code(16583) oval:org.mitre.oval:def:2016 Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. 20040502 Crystal Reports Vulnerabilities 20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reports http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp 10260 MS04-017 crystalreports-file-deletion(16044) oval:org.mitre.oval:def:1157 Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. O-179 VU#717748 10706 TA04-196A MS04-021 iis-redirect-bo(16578) oval:org.mitre.oval:def:2204 Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. 20041013 Microsoft Windows NetDDE Service Buffer Overflow VU#640488 11372 MS04-031 win-netdde-bo(16556) win-ms04031-patch(17657) oval:org.mitre.oval:def:1852 oval:org.mitre.oval:def:2394 oval:org.mitre.oval:def:3120 oval:org.mitre.oval:def:3242 oval:org.mitre.oval:def:4592 oval:org.mitre.oval:def:5074 oval:org.mitre.oval:def:6788 "Shatter" style vulnerability in the Window Management application programming interface (API) for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to gain privileges by using certain API functions to change properties of privileged programs using the SetWindowLong and SetWIndowLongPtr API functions. 20041013 SetWindowLong Shatter Attacks VU#218526 MS04-032 win-mngmt-api-gain-privileges(16579) win-ms04032-patch(17658) The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. 20041013 EEYE: Windows VDM #UD Local Privilege Escalation VU#910998 MS04-032 win-vdm-gain-privilege(16580) win-ms04032-patch(17658) oval:org.mitre.oval:def:1751 oval:org.mitre.oval:def:3161 oval:org.mitre.oval:def:3953 oval:org.mitre.oval:def:4316 oval:org.mitre.oval:def:4762 Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." 20041019 [EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow VU#806278 11375 MS04-032 win-emf-bo(16581) win-ms04032-patch(17658) oval:org.mitre.oval:def:1872 oval:org.mitre.oval:def:2114 oval:org.mitre.oval:def:2428 The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow. VU#647436 TA04-196A MS04-020 win-posix-bo(16590) oval:org.mitre.oval:def:2166 oval:org.mitre.oval:def:2847 The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program. VU#119262 MS04-032 win2k3-kernel-cpu-dos(16582) win-ms04032-patch(17658) oval:org.mitre.oval:def:4893 Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. 20040714 Microsoft Windows Task Scheduler '.job' Stack Overflow 20040714 Unchecked buffer in mstask.dll VU#228028 http://www.ngssoftware.com/advisories/mstaskjob.txt TA04-196A MS04-022 win-taskscheduler-bo(16591) oval:org.mitre.oval:def:1344 oval:org.mitre.oval:def:1781 oval:org.mitre.oval:def:1964 oval:org.mitre.oval:def:3428 Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. 20040713 Microsoft Window Utility Manager Local Elevation of Privileges VU#868580 TA04-196A MS04-019 win-utilitymanager-gain-privileges(16592) oval:org.mitre.oval:def:2495 Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. 20040425 Microsoft's Explorer and Internet Explorer long share name buffer overflow. 20040425 Microsoft's Explorer and Internet Explorer long share name buffer overflow. 1011647 322857 VU#616200 http://www.securiteam.com/windowsntfocus/5JP0M1PCKI.html 10213 MS04-037 win-long-fileshare-bo(15956) win-ms04037-patch(17662) oval:org.mitre.oval:def:1601 oval:org.mitre.oval:def:1749 oval:org.mitre.oval:def:2638 oval:org.mitre.oval:def:4345 oval:org.mitre.oval:def:5307 Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. VU#869640 TA04-196A MS04-018 outlook-malformed-email-header-dos(16585) oval:org.mitre.oval:def:1950 oval:org.mitre.oval:def:2137 oval:org.mitre.oval:def:2657 oval:org.mitre.oval:def:3376 Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. 20041012 Microsoft Internet Explorer Install Engine Control Buffer Overflow 20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a) 20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a) VU#637760 http://www.ngssoftware.com/advisories/msinsengfull.txt TA04-293A MS04-038 ie-installenginectl-setciffile-bo(17620) ie-ms04038-patch(17651) oval:org.mitre.oval:def:5316 oval:org.mitre.oval:def:5329 oval:org.mitre.oval:def:6100 oval:org.mitre.oval:def:6600 oval:org.mitre.oval:def:7717 oval:org.mitre.oval:def:7865 The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log. 20040216 Possible race condition in Symantec AntiVirus Scan Engine for Red 9662 symantec-scanengine-race-condition(15215) isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities VU#349113 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 10028 1009468 openbsd-isakmp-zerolength-dos(15518) isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities VU#785945 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 9907 1009468 openbsd-isakmp-ipsec-dos(15628) isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities VU#223273 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 9907 1009468 openbsd-isakmp-integer-underflow(15629) isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities VU#524497 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 9907 1009468 openbsd-isakmp-delete-dos(15630) Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite. 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities VU#996177 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 10028 1009468 openbsd-isakmp-memory-leak(15519) Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range." http://sourceforge.net/project/shownotes.php?release_id=5767 9845 courier-codeset-converter-bo(15434) Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. GLSA-200405-21 DSA-497 MDKSA-2004:039 SuSE-SA:2004:012 RHSA-2004:172 midnight-commander-local-privileges(16016) Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long query string. 10340 http://www.zoneminder.com/index.php?id=20&type=0&backPID=20&tt_news=29 zoneminder-zms-bo(16136) Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges. CLA-2004:852 FEDORA-2004-111 GLSA-200407-02 MDKSA-2004:050 SuSE-SA:2004:010 linux-cpufreq-info-disclosure(15951) The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact. CLA-2004:852 GLSA-200407-02 MDKSA-2004:037 SuSE-SA:2004:010 10211 linux-framebuffer(15974) TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. <a href="https://cwe.mitre.org/data/definitions/331.html">CWE-331: Insufficient Entropy</a> NetBSD-SA2004-006 SCOSA-2005.3 SCOSA-2005.9 SCOSA-2005.14 20040403-01-A http://kb.juniper.net/JSA10638 20040425 Perl code exploting TCP not checking RST ACK. SSRT4696 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products VU#415294 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html SSRT061264 10183 http://www.uniras.gov.uk/vuls/2004/236929/index.htm TA04-111A ADV-2006-3983 MS05-019 MS06-064 tcp-rst-dos(15886) https://kc.mcafee.com/corporate/index?page=content&id=SB10053 oval:org.mitre.oval:def:2689 oval:org.mitre.oval:def:270 oval:org.mitre.oval:def:3508 oval:org.mitre.oval:def:4791 oval:org.mitre.oval:def:5711 Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with unknown impact, related to "Insecure temporary file and directory creations." GLSA-200405-21 DSA-497 MDKSA-2004:039 SuSE-SA:2004:012 RHSA-2004:172 midnight-commander-insecure-files(16020) Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. GLSA-200405-21 DSA-497 MDKSA-2004:039 SuSE-SA:2004:012 RHSA-2004:172 midnight-commander-format-string(16021) Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. GLSA-200405-05 1000752 MDKSA-2004:031 RHSA-2004:174 RHSA-2004:175 10178 SSA:2004-110 utemper-symlink(15904) oval:org.mitre.oval:def:10115 oval:org.mitre.oval:def:979 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. 20060403 Barracuda LHA archiver security bug leads to remote compromise CLA-2004:840 20040501 LHa buffer overflows and directory traversal problems 20040502 Lha local stack overflow Proof Of Concept Code 20040510 [Ulf Harnhammar]: LHA Advisory + Patch GLSA-200405-02 1015866 DSA-515 http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt FEDORA-2004-119 RHSA-2004:178 RHSA-2004:179 10243 ADV-2006-1220 FLSA:1833 lha-multiple-bo(16012) oval:org.mitre.oval:def:977 oval:org.mitre.oval:def:9881 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). CLA-2004:840 20040501 LHa buffer overflows and directory traversal problems 20040510 [Ulf Harnhammar]: LHA Advisory + Patch GLSA-200405-02 DSA-515 FEDORA-2004-119 RHSA-2004:178 RHSA-2004:179 10243 FLSA:1833 lha-directory-traversal(16013) oval:org.mitre.oval:def:10409 oval:org.mitre.oval:def:978 SQL injection vulnerability in login.asp in thePHOTOtool allows remote attackers to gain unauthorized access via the password field. 20040131 Advisory ! 1008906 9884 thephototool-login-sql-injection(15007) Directory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter. 20040131 Directory Traversal in Aprox PHP Portal. 1008915 9540 aproxphpportal-index-directory-traversal(15014) Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the (1) load_cfg and (2) save_cfg functions; possibly allow remote attackers to execute arbitrary code via long strings to (3) the send_message function; and, in the server, via (4) the parse_command_line function. 20040202 0verkill - little simple vulnerability. 20040202 0verkill - little simple vulnerability. http://www.securiteam.com/securitynews/5AP010KC0C.html 9550 overkill-client-multiple-bo(14999) overkill-server-parsecommandline-bo(15000) SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable. 20040202 ZH2004-03SA (security advisory): Photopost PHP Pro 4.6 Sql http://www.securiteam.com/securitynews/5KP010UC0W.html 9557 photopostphp-sql-injection(15008) Directory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php. 20040203 X-Cart vulnerability xcart-dotdot-directory-traversal(15033) X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php. 20040203 X-Cart vulnerability 9560 xcart-perlbinary-execute-commands(15034) X-Cart 3.4.3 allows remote attackers to gain sensitive information via a mode parameter with (1) phpinfo command or (2) perlinfo command. 20040203 X-Cart vulnerability 9563 xcart-generalphp-obtain-information(15036) AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. 20040206 AIX password enumeration possible 20040203 Re: sqwebmail web login aix-password-enumeration(15172) Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. 20040203 Cisco 6000/6500/7600 Crafted Layer 2 Frame Vulnerability VU#810062 9562 cisco-malformed-frame-dos(15013) oval:org.mitre.oval:def:5828 Web Crossing 4.x and 5.x allows remote attackers to cause a denial of service (crash) by sending a HTTP POST request with a large or negative Content-Length, which causes an integer divide-by-zero. 20040203 Web Crossing 4.x/5.x Denial of Service Vulnerability 9576 webcrossing-contentlength-post-dos(15022) Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.lib.php, (2) derniers_commentaires.php, and (3) admin.php in Les Commentaires 2.0 allow remote attackers to execute arbitrary PHP code via the rep parameter. 20040203 Les Commentaires (PHP) Include file 9536 lescommentaires-multiple-file-include(15010) The client and server of Chaser 1.50 and earlier allow remote attackers to cause a denial of service (crash via exception) via a UDP packet with a length field that is greater than the actual data length, which causes Chaser to read unexpected memory. 20040203 Remote crash of Chaser game <= 1.50 9567 chaser-memory-dos(15031) Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into (1) keywords argument of main.inc.php, (2) body argument of help.inc.php, or (3) the subject field in Personal Messages and Forum. This vulnerability is addressed in the following product release: PHPX, PHPX, 3.2.4 20040203 Multiple Vulnerabilities in PHPX 9569 phpx-subject-html-injection(15050) phpx-main-help-xss(15051) PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other accounts by modifying the cookie's PXL variable to reference another userID. 20040316 PHPX 2.x - 3.2.4 20040203 Multiple Vulnerabilities in PHPX 9569 phpx-cookie-account-hijacking(15052) phpx-session-hijack(15512) SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php. 20040204 ZH2004-04SA (security advisory): Multiple Sql Injection 9557 http://www.zone-h.org/en/advisories/read/id=3864/ photopostphp-sql-injection(15008) Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote attackers to execute arbitrary script as other users via the query parameter. 20040204 rxgoogle.cgi XSS Vulnerability. 9575 rxgoogle-query-xss(15043) TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of service (CPU consumption) via an empty USER name. 20040204 TYPSoft FTP Server 1.10 may be crashed 9573 1008943 typsoft-empty-username-dos(15048) IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to execute arbitrary programs or cause a denial of service via certain SQL code, possibly due to a SQL injection vulnerability. 20040205 IBM cloudscape SQL Database (DB2J) vulnerable to remote command 9583 cloudscape-sql-injection(15067) Cross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag. 20040205 Possible Cross Site Scripting in Discuz! Board 9584 discuzboard-image-tag-xss(15066) Xlight 1.52, with log to screen enabled, allows remote attackers to cause a denial of service by requesting a long directory consisting of . (dot) and / (slash) characters, which causes the server to crash when the administrator views the log file, possibly triggering a buffer overflow. 20040205 Remote crash Xlight ftp server 1.52 9585 xlight-long-string-dos(15064) GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp. CLA-2004:811 http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405 20040130 Symlink Vulnerability in GNU libtool <1.5.2 9530 libtool-insecure-temp-directory(15017) OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port. NetBSD-SA2004-002 20040204 Remote openbsd crash with ip6, yet still openbsd much better than windows 20040205 OpenBSD IPv6 remote kernel crash http://www.guninski.com/obsdmtu.html http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c 9577 openbsd-ipv6-dos(15044) Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealOne Enterprise Desktop, and RealPlayer Enterprise allow remote attackers to execute arbitrary code via malformed (1) .RP, (2) .RT, (3) .RAM, (4) .RPM or (5) .SMIL files. 20040204 [VulnWatch] Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer 20040204 Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer O-075 VU#473814 http://www.nextgenss.com/advisories/realone.txt 9579 http://www.service.real.com/help/faq/security/040123_player/EN/ realoneplayer-multiple-file-bo(15040) The check_referer() function in Formmail.php 5.0 and earlier allows remote attackers to bypass access restrictions via an empty or spoofed HTTP Referer, as demonstrated using an application on the same web server that contains a cross-site scripting (XSS) issue. 20040206 formmail (PHP) Upload file using CSS 9591 jack-formmail-file-upload(15079) The AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains a backdoor that allows remote attackers to delete arbitrary files via an email address that starts with |||. 20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdoor 20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdoor 9589 cactushoplite-backdoor(15063) oj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to bypass authentication and access the control panel via a 0 in the uid parameter. 20040206 Open Journal Blog Authenticaion Bypassing Vulnerability http://www.grohol.com/downloads/oj/latest/changelog.txt 9598 openjournal-uid-admin-access(15069) Stack-based buffer overflow in The Palace 3.5 and earlier client allows remote attackers to execute arbitrary code via a link to a palace:// url followed by a long server address string. 20040207 The Palace 3.x (Client) Stack Overflow Vulnerability 20040207 The Palace 3.x (Client) Stack Overflow Vulnerability http://www.elitehaven.net/thepalace.txt 9602 palace-server-address-bo(15074) PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information. GLSA-200402-01 9599 php-virtualhost-info-disclosure(15072) palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue. 20040208 PalmOS httpd accept() queue overflow DoS vulnerability. 9608 palmhttpd-accept-bo(15090) Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules. 20040208 [waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 9605 9613 phpnuke-mulitple-xss(15076) SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers to obtain the administrator password via the c_mid parameter. 20040208 [waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0 9615 phpnuke-publicmessage-sql-injection(15080) The (1) inoregupdate, (2) uniftest, or (3) unimove scripts in eTrust InoculateIT for Linux 6.0 allow local users to overwrite arbitrary files via a symlink attack on files in /tmp. 20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux http://www.excluded.org/advisories/advisory10.txt 9616 etrust-inoculateit-symlink(15102) Multiple buffer overflows in EvolutionX 3921 and 3935 allow remote attackers to cause a denial of service (hang) via (1) a long cd command to the FTP server, or (2) a long dir command to the telnet server. 20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflow 20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflow 9631 evolutionx-command-line-dos(15104) SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module. 20040210 [SCAN Associates Sdn Bhd Security Advisory] PHPNuke 6.9 > and below SQL Injection in multiple module http://www.scan-associates.net/papers/phpnuke69.txt 9630 phpnuke-modules-sql-injection(15115) libclamav in Clam AntiVirus 0.65 allows remote attackers to cause a denial of service (crash) via a uuencoded e-mail message with an invalid line length (e.g., a lowercase character), which causes an assert error in clamd that terminates the calling program. 20040209 clamav 0.65 remote DOS exploit GLSA-200402-07 http://www.freebsd.org/cgi/query-pr.cgi?pr=62586 9610 clam-antivirus-uuencoded-dos(15077) Multiple cross-site scripting vulnerabilities (XSS) in MaxWebPortal allow remote attackers to execute arbitrary web script as other users via (1) the sub_name parameter of dl_showall.asp, (2) the SendTo parameter in Personal Messages, (3) the HTTP_REFERER for down.asp, or (4) the image name of an Avatar in the register form. This vulnerability is addressed in the following product release: MaxWebPortal, MaxWebPortal, 1.32 20040210 XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal 9625 maxwebportal-multiple-xss(15120) maxwebportal-register-xss(15122) SQL injection vulnerability in MaxWebPortal allows remote attackers to inject arbitrary SQL code and gain sensitive information via the SendTo parameter in Personal Messages. 20040210 XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal 9625 maxwebportal-personalmesssages-sql-injection(15121) Directory traversal vulnerability in RealOne Player, RealOne Player 2.0, and RealOne Enterprise Desktop allows remote attackers to upload arbitrary files via an RMP file that contains .. (dot dot) sequences in a .rjs skin file. 20040210 Directory traversal in RealPlayer allows code execution http://service.real.com/help/faq/security/040123_player/EN/ VU#514734 9580 realoneplayer-rmp-directory-traversal(15123) Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can mistakenly assign STAT_OFFERED status to a bot that is not a sharebot, which allows remote attackers to use STAT_OFFERED to promote a bot to a sharebot and conduct unauthorized activities. 20040208 Eggrop bug 20040210 Re: Eggrop bug http://mogan.nonsoloirc.com/egg_advisory.txt http://www.eggheads.org/news/2004/04/10/26 9606 eggdrop-sharemod-gain-access(15084) SQL injection vulnerability in calendar_download.php in BosDates 3.2 and earlier allows remote attackers to obtain sensitive information and gain access via the calendar parameter. 20040211 ZH2004-05SA (security advisory): Sql Injection Vulnerability in BosDates 9639 http://www.zone-h.org/en/advisories/read/id=3925/ bosdates-calendar-sql-injection(15133) The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. http://aluigi.altervista.org/poc/monkeydos.zip 20040211 Denial of Service in Monkey httpd <= 0.8.1 http://monkeyd.sourceforge.net/ 9642 monkey-getrealstring-dos(15187) Format string vulnerability in Dream FTP 1.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the username. 20040207 DreamFTP Server 1.02 Buffer Overflow 20040211 Re: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow 9600 http://www.security-protocols.com/modules.php?name=News&file=article&sid=1722 dreamftp-username-format-string(15070) Ratbag game engine, as used in products such as Dirt Track Racing, Leadfoot, and World of Outlaws Spring Cars, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet that specifies the length of data to read and then sends a second TCP packet that contains less data than specified, which causes Ratbag to repeatedly check the socket for more data. 20040211 Denial of Service in Ratbag's game engine 9644 ratbag-data-length-dos(15188) AIM Sniff (aimSniff.pl) 0.9b allows local users to overwrite arbitrary files via a symlink attack on /tmp/AS.log. 20040212 aimSniff.pl file "deletion" (local) 9653 aim-sniff-symlink(15199) Caucho Technology Resin 2.1.12 allows remote attackers to view JSP source via an HTTP request to a .jsp file that ends in a "%20" (encoded space character), e.g. index.jsp%20. 20040205 Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/") 9614 resin-source-disclosure(15085) Caucho Technology Resin 2.1.12 allows remote attackers to gain sensitive information and view the contents of the /WEB-INF/ directory via an HTTP request for "WEB-INF..", which is equivalent to "WEB-INF" in Windows. 20040205 Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/") 9617 resin-dotdot-directory-traversal(15087) Crob FTP daemon 3.5.2 allows remote attackers to cause a denial of service (crash) by repeatedly connecting to and disconnecting from the server. 20040212 crob ftpd Denial of Service 9651 crob-multiple-connections-dos(15201) Mailmgr 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/mailmgr.unsort, (2) /tmp/mailmgr.tmp, or (3) /tmp/mailmgr.sort. 20040212 Symlink vulnerabilities in mailmgr 9654 mailmgr-insecure-temp-directory(15203) Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumption), if "Do not save encrypted pages to disk" is disabled, via a web site or HTML e-mail that contains two null characters (%00) after the host name. 20040210 ASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoS 9629 ie-host-null-dos(15127) PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. 20040214 AllMyGuests PHP Code Injection vulnerability 20040214 AllMyVisitors PHP Code Injection vulnerability 20040214 AllMyLinks PHP Code Injection vulnerability 9664 allmylinks-file-include(15226) allmyguests-php-file-include(15227) allmyvisitors-file-include(15228) Buffer overflow in RobotFTP 1.0 and 2.0 beta 1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long username. 20040215 buffer overflow in Robot FTP Server 9672 robot-username-bo(15225) Xlight FTP server 1.52 allows remote authenticated users to cause a denial of service (crash) via a RETR command with a long argument containing a large number of / (slash) characters, possibly triggering a buffer overflow. 20040215 Xlight ftp server 1.52 RETR bug 9668 xlight-retr-dos(15220) Buffer overflow in the UdmDocToTextBuf function in mnoGoSearch 3.2.13 through 3.2.15 could allow remote attackers to execute arbitrary code by indexing a large document. 20040215 Buffer overflow in mnoGoSearch 9667 mnogosearch-udmdoctotextbuf-bo(15209) Buffer overflow in sdbscan in SignatureDB 0.1.1 allows local users to cause a denial of service (segmentation fault) via a database file that contains a large key parameter. 20040215 problems with database files in 'SignatureDB' 9661 signaturedb-sdbscan-bo(15217) Buffer overflow in Purge Jihad 2.0.1 and earlier allows remote game servers to execute arbitrary code via an information packet that contains large (1) battle type and (2) map name fields. 20040216 Broadcast client buffer-overflow in Purge Jihad <= 2.0.1 http://purge.worthplaying.com/phpbb/viewtopic.php?t=1167 9671 purge-battletype-map-bo(15216) SQL injection vulnerability in post.php for YaBB SE 1.5.4 and 1.5.5 allows remote attackers to obtain hashed passwords via the quote parameter. 20040216 Another YabbSE SQL Injection 9674 yabb-post-sql-injection(15224) Buffer overflow in KarjaSoft Sami HTTP Server 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request. 20040217 KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow 9679 http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746 sami-http-get-bo(15237) Directory traversal vulnerability in ShopCartCGI 2.3 allows remote attackers to retrieve arbitrary files via a .. (dot dot) in a HTTP request to (1) gotopage.cgi or (2) genindexpage.cgi. 20040217 ZH2004-06SA (security advisory): ShopCartCGI v2.3 Remote 9670 http://www.zone-h.org/en/advisories/read/id=3962/ shopcartcgi-dotdot-directory-traversal(14982) YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. 20040217 YABB information leakage on failed login 9677 yabb-invalidmessage-obtain-information(15236) TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a denial of service (CPU consumption) via an open idle connection. 20040217 Broker FTP DoS (Message Server) http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html 9680 broker-ftp-tsftpsrv-dos(15242) TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a TsFtpSrv.exe to exit with an exception by opening and immediately closing a connection. 20040217 Broker FTP DoS (Message Server) http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html 9680 broker-ftp-dos(15241) Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length. 20040217 Ipswitch IMail LDAP Daemon Remote Buffer Overflow http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html VU#972334 9682 imail-ldap-tag-bo(15243) CesarFTP 0.99e allows remote attackers to cause a denial of service (CPU consumption) via a long RETR parameter. 20040217 CesarFTP 0.99 : 100% employment of computer resources 9666 cesarftp-userpass-dos(15252) Buffer overflow in smallftpd 0.99 allows local users to cause a denial of service (crash) via an FTP request with a large number of "/" (slash) characters. 20040217 Smallftpd 1.0.3 DoS 9684 smallftpd-forwardslash-dos(15262) SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php. 20040218 ZH2004-07SA (security advisory): Multiple Sql injection 1009092 9676 9687 http://www.systemsecure.org/advisories/ssadvisory16022004.php http://www.zone-h.org/en/advisories/read/id=3972/ onlinestorekit-more-sql-injection(15232) Cross-site scripting (XSS) vulnerability in more.php for Online Store Kit 3.0 allows remote attackers to inject arbitrary HTML via the id parameter. 1009079 9676 http://www.systemsecure.org/advisories/ssadvisory16022004.php onlinestorekit-more-xss(15235) Directory traversal vulnerability in OWLS 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) file parameter in index.php, (2) editfile in glossary.php, or (3) editfile in newmultiplechoice.php. 20040218 ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files 9689 http://www.zone-h.org/en/advisories/read/id=3973/ owls-file-retrieval(15249) OWLS 1.0 allows remote attackers to retrieve arbitrary files via absolute pathnames in (1) the file parameter in /glossaries/index.php, (2) the filename parameter in /readings/index.php, or (3) the filename parameter in /multiplechoice/resultsignore.php, as demonstrated using /etc/passwd. 20040218 ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files 9689 http://www.zone-h.org/en/advisories/read/id=3973/ owls-file-retrieval(15249) SQL injection vulnerability in browse_items.asp in WebCortex WebStores 2000 6.0 allows remote attackers to gain unauthorized access and execute arbitrary commands via the Search_Text parameter. 20040218 WebCortex Webstores2000 version 6.0 multiple security vulnerabilities 7766 http://www.s-quadra.com/advisories/Adv-20040218.txt webstores-browseitems-sql-injection(15253) Cross-site scripting (XSS) vulnerability in error.asp in WebCortex WebStores 2000 6.0 allows remote attackers to execute arbitrary script as other users and steal session IDs via the Message_id parameter. 20040218 WebCortex Webstores2000 version 6.0 multiple security vulnerabilities 9693 webstores-error-xss(15254) Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories. 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities 9699 cisco-ons-file-upload(15264) Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allows remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead. 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities 9699 cisco-ons-ack-dos(15265) Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell. 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities 9699 cisco-ons-gain-access(15266) Stack-based buffer overflow in the SMTP service support in vsmon.exe in Zone Labs ZoneAlarm before 4.5.538.001, ZoneLabs Integrity client 4.0 before 4.0.146.046, and 4.5 before 4.5.085, allows remote attackers to execute arbitrary code via a long RCPT TO argument. http://download.zonelabs.com/bin/free/securityAlert/8.html 20040219 EEYE: ZoneLabs SMTP Processing Buffer Overflow O-084 VU#619982 9696 zonelabs-multiple-products-bo(14991) Cross-site scripting (XSS) vulnerability in LiveJournal 1.0 and 1.1 allows remote attackers to execute Javascript as other users via the stylesheet, which does not strip the semicolon or parentheses, as demonstrated using a background:url. 20040219 LiveJournal XSS 9700 livejournal-url-xss(15268) American Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 through 3.0.3 and 3.21 are shipped with a default password of TENmanUFactOryPOWER, which allows remote attackers to gain unauthorized access. 20040216 APC 9606 SmartSlot Web/SNMP management card "backdoor" 20040219 Re: Fw: APC 9606 SmartSlot Web/SNMP management card "backdoor" http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=1077139129 9681 apc-smartslot-default-password(15238) Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read only community string to gain access to read/write communtiy strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2. 20040217 SNMP community string disclosure in Linksys WAP55AG 20040219 Re: SNMP community string disclosure in Linksys WAP55AG 9688 linksys-snmp-strings-disclosure(15257) Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name. 20040220 Remote Buffer Overflow in PSOProxy 0.91 9706 psoproxy-long-get-bo(15275) Cross-site scripting (XSS) vulnerability in done.jsp in WebzEdit 1.9 and earlier allows remote attackers to execute arbitrary script as other users via the message parameter. 20040221 Cross Site Scripting in WebzEdit webzedit-done-xss(15289) Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080. 20040223 Remote Buffer Overflow in Avirt Voice 4.0 9721 avirt-voice-get-bo(15288) Buffer overflow in Avirt Soho 4.3 allows remote attackers to cause a denial of service (crash) via (1) a large GET request to port 1080 or (2) a large GET request of % characters to port 8080. 20030223 Multiple Remote Buffer Overflow in Avirt Soho 4.3 9722 9723 avirt-soho-multiple-bo(15286) Buffer overflow in eauth in Load Sharing Facility 4.x, 5.x, and 6.x allows local users or remote attackers within the LSF cluster to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long LSF_From_PC parameter. 20040223 Lam3rZ Security Advisory #1/2004: LSF eauth vulnerability leads to remote code execution 9719 lsf-eauth-execute-code(15282) Load Sharing Facility (LSF) 4.x, 5.x, and 6.x uses the LSF_EAUTH_UID environment variable, if it exists, instead of the real UID of the user, which could allow remote attackers within the local cluster to gain privileges. 20040223 Lam3rZ Security Advisory #2/2004: LSF eauth vulnerability leads to a possibility of controlling cluster jobs on behalf of other users 9724 lsf-eauth-process-hijack(15278) Cross-site scripting (XSS) vulnerability in the font tag in ezBoard 7.3u allows remote attackers to execute arbitrary script as other users, as demonstrated using the background:url in a (1) font color or (2) font face argument. 20040223 ezBoard Cross Site Scripting Vulnerability 9725 ezboard-font-xss(15287) Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands. 20040223 nCipher Advisory #9: Host-side attackers can access secret data 9717 ncipher-hsm-obtain-info(15281) Team Factor 1.25 and earlier allows remote attackers to cause a denial of service (crash) via a packet that uses a negative number to specify the size of the data block that follows, which causes Team Factor to read unallocated memory. 20040223 Remote server crash in Team Factor <= 1.25 9708 http://www.zone-h.org/advisories/read/id=4006 teamfactor-packet-dos(15274) Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed. 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 9726 http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 xmb-multiple-scripts-xss(15292) xmb-bbcode-execute-code(15294) Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php. NOTE: it has also been shown that item (3) is also in XMB 1.9 beta. 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 9726 http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 xmb-multiple-sql-injection(15295) Confirm 0.62 and earlier could allow remote attackers to execute arbitrary code via an e-mail header that contains shell metacharacters such as ", `, |, ;, or $. 20040223 Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote command execution 9728 confirm-header-gain-access(15290) TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty". 20040223 TYPSoft FTP Server 1.10 multiple vulnerabilities 9702 typsoft-ftp-command-dos(15306) Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request. 20040222 GateKeeper Pro 4.7 buffer overflow 20040222 GateKeeper Pro 4.7 buffer overflow 9716 gatekeeper-long-get-bo(15277) Directory traversal vulnerability in functions.php in PhpNewsManager 1.46 allows remote attackers to retrieve arbitrary files via .. (dot dot) sequences in the clang parameter. 20040223 ZH2004-09SA (security advisory): PhpNewsManager Remote arbitrary 9720 http://www.zone-h.org/advisories/read/id=4024 phpnewsmanager-dotdot-directory-traversal(15283) Gigabyte Gn-B46B 2.4Ghz wireless broadband router firmware 1.003.00 allows local users on the same local network as the router to bypass authentication by using a copy of the router's html menu on a separate system. 20040224 Gigabyte Broadband Router - Multiple Vulnerabilities 9740 gigabyte-gnb46b-bypass-authentication(15313) FreeChat 1.1.1a allows remote attackers to cause a denial of service (crash) via certain unexpected strings, as demonstrated using "aaaaa". 20040226 Denial Of Service in FreeChat 1.1.1a 9744 freechat-string-dos(15321) Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command. 20040226 [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability http://www.cnhonker.com/advisory/serv-u.mdtm.txt 9751 servu-mdtm-bo(15323) Heap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows remote attackers to cause a denial of service (crash) via a HTTP POST with a long application variable. 20040226 Dell OpenManage Web Server Heap Overflow (Pre-Auth) http://sh0dan.org/files/domadv.txt 9750 dell-openmanage-ocsgetoeminpathfile-bo(15325) Extremail 1.5.9 does not check passwords correctly when they are all digits or begin with a digit, which allows remote attackers to gain privileges. 20040226 Extremail Security Problem 9754 extremail-password-gain-access(15329) Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters. This was fixed in WinZip 8.1 SR-2 in March of 2004. You can find more information on the subject on the following pages of the winzip site: http://www.winzip.com/wz81sr2.htm http://www.winzip.com/fmwz90.htm O-092 20040227 WinZip MIME Parsing Buffer Overflow Vulnerability VU#116182 http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html 9758 http://www.winzip.com/fmwz90.htm winzip-mime-bo(15336) uudeview-multiple-bo(15490) InnoMedia VideoPhone allows remote attackers to bypass Basic Authorization via an HTTP request to (1) videophone_admindetail.asp, (2) videophone_syscfg.asp, (3) videophone_upgrade.asp, or (4) videophone_sysctrl.asp that contains a trailing / (slash). NOTE: the original report mentioned AXIS 2100 Network Camera, but this was likely a cut-and-paste error. 20040227 InnoMedia VideoPhone Authorization Bypass 1009522 InnoMedia-videophone-bypass-authentication(15636) LAN SUITE Web Mail 602Pro, when configured to use the "Directory browsing" feature, allows remote attackers to obtain a directory listing via an HTTP request to (1) index.html, (2) cgi-bin/, or (3) users/. 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 9780 602pro-directory-listing(15349) LAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive information via the mail login form, which contains the path to the mail directory. 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 9781 602pro-path-disclosure(15350) Cross-site scripting (XSS) vulnerability in LAN SUITE Web Mail 602Pro allows remote attackers to execute arbitrary script or HTML as other users via a URL to index.html, followed by a / (slash) and the desired script. NOTE: the vendor states that this bug could not be reproduced, so this issue may be REJECTed in the future. 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 9777 602pro-index-xss(15351) SQL injection vulnerability in search.php for Invision Board Forum allows remote attackers to execute arbitrary SQL queries via the st parameter. 20040228 Invision Power Board SQL injection! 9766 invision-search-sql-injection(15343) Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter. This vulnerability is addressed in the following product release: phpBB Group, phpBB, 2.0.7 20040228 New phpBB ViewTopic.php Cross Site Scripting Vulnerability 9765 phpbb-viewtopicphp-xss(15348) Stack-based buffer overflow in WFTPD Pro Server 3.21 Release 1, Pro Server 3.20 Release 2, Server 3.21 Release 1, and Server 3.10 allows local users to execute arbitrary code via long (1) LIST, (2) NLST, or (3) STAT commands. 20040228 Critical WFTPD buffer overflow vulnerability 9767 wftpd-ftp-commands-bo(15340) WFTPD Pro Server 3.21 Release 1 allocates memory for a command until a 0Ah byte (newline) is sent, which allows local users to cause a denial of service (CPU consumption) by continuing to send a long command that does not contain a newline. 20040228 Multiple WFTPD Denial of Service vulnerabilities 9767 wftpd-string-0Ahbyte-dos(15341) WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error. 20040228 Multiple WFTPD Denial of Service vulnerabilities 9767 wftpd-ftp-command-dos(15342) Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php. 20040301 YabbSE (3 on 1) 9774 yabb-multiple-sql-injection(15354) Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5.4 through 1.5.5b allows remote attackers to delete arbitrary files via a .. (dot dot) in the attachOld parameter. 20040301 YabbSE (3 on 1) 9774 Buffer overflow in Red Faction client 1.20 and earlier allows remote servers to execute arbitrary code via a long server name. 20040301 Clients broadcast buffer overflow in Red Faction <= 1.20 9775 redfaction-bo(15353) Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command. 20040302 The Cult of a Cardinal Number 9782 proftpd-offbyone-bo(15387) Cross-site scripting (XSS) vulnerability in delhomepage.cgi in NetScreen-SA 5000 Series running firmware 3.3 Patch 1 (build 4797) allows remote authenticated users to execute arbitrary script as other users via the row parameter. 20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance 20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance 20040304 NetScreen Advisory 58412: XSS Bug in NetScreen-SA SSL VPN VU#114070 9791 netscreen-delhomepagecgi-xss(15368) SQL injection vulnerability in viewCart.asp in SpiderSales shopping cart software allows remote attackers to execute arbitrary SQL via the userId parameter. 20040303 Spider Sales shopping cart software multiple security vulnerabilities 9799 http://www.s-quadra.com/advisories/Adv-20040303.txt spidersales-userid-sql-injection(15371) Directory traversal vulnerability in GWeb HTTP Server 0.6 allows remote attackers to view arbitrary files via a .. (dot dot) in the URL. 20040303 directory traversal in GWeb 0.6 9742 gweb-dotdot-directory-traversal(15381) SpiderSales shopping cart does not enforce a minimum length for the private key, which can make it easier for local users to obtain the private key by factoring. 20040303 Spider Sales shopping cart software multiple security vulnerabilities 20040303 Spider Sales shopping cart software multiple security vulnerabilities 9799 http://www.s-quadra.com/advisories/Adv-20040303.txt spidersales-weak-encryption(15370) Spider Sales shopping cart stores the private key in the same database and table as the public key, which allows local users with access to the database to decrypt data. 20040303 Spider Sales shopping cart software multiple security vulnerabilities 20040303 Spider Sales shopping cart software multiple security vulnerabilities 9799 spidersales-weak-encryption(15370) Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002. 20040304 Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet Vulnerability VU#363374 9806 cisco-css-udp-dos(15388) Multiple buffer overflows in auth_ident() function in auth.c for GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to gain privileges via a long string. [bug-anubis] 20040228 Important security update 20040304 GNU Anubis buffer overflows and format string bugs 20040310 GNU Anubis 3.6.2 remote root exploit 9772 anubis-ident-bo(15345) Multiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to execute arbitrary code via format string specifiers in strings passed to (1) the info function in log.c, (2) the anubis_error function in errs.c, or (3) the ssl_error function in ssl.c. [bug-anubis] 20040228 Important security update 20040304 GNU Anubis buffer overflows and format string bugs 9772 anubis-format-string(15346) Invision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message. 20040305 Invision Power Board 1.3 Final Path Disclosure Vulnerability 9810 invision-invalid-path-disclosure(15400) Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version. http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf 20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a) http://www.nextgenss.com/advisories/slmailsrc.txt 9809 slmail-src-stack-bo(15398) Stack-based buffer overflows in SL Mail Pro 2.0.9 allow remote attackers to execute arbitrary code via (1) user.dll, (2) loadpageadmin.dll or (3) loadpageuser.dll. http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf 20040305 SLWebMail Multiple Buffer Overflow Vulnerabilities (#NISR05022004b) http://www.nextgenss.com/advisories/slmailwm.txt 9808 slmail-slwebmail-bo(15399) Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php. 20040307 RE: VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity 20040305 VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity 9812 9819 virtuanews-multiple-xss(15402) Cross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters. 20040305 Invision Power Board v1.3 Final Cross Site Scripting Vulnerabillity 9768 invision-xss(15403) Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors. 200470305 O-088: Sun passwd(1) Command Vulnerability 57454 O-088 VU#694782 9757 solaris-passwd-gain-privileges(15327) The Javascript engine in Safari 1.2 and earlier allows remote attackers to cause a denial of service (segmentation fault) by creating a new Array object with a large size value, then writing into that array. 20040306 Safari javascript array overflow http://www.insecure.ws/article.php?story=2004021918172533 9815 safari-array-dos(15413) Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. 20040318 EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability O-104 AD20040318 VU#947254 9913 20040318 Vulnerability in ICQ Parsing in ISS Products pam-icq-parsing-bo(15442) witty-worm-propagation(15543) Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method. 20040319 Norton AntiSpam Remote Buffer Overrun (#NISR19042004a) 20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b VU#344718 http://www.nextgenss.com/advisories/antispam.txt http://www.sarc.com/avcenter/security/Content/2004.03.19.html 9916 nas-launchcustomrulewizard-bo(15536) The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method. 20040319 Norton Internet Security Remote Command Execution (#NISR19042004b) 20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b VU#549054 http://www.nextgenss.com/advisories/nisrce.txt http://www.sarc.com/avcenter/security/Content/2004.03.19.html 9915 norton-is-launchurl-command-execution(15538) The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. CLA-2004:835 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal 20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal) [ethereal-dev] 20040318 ethereal radius dissector vulnerability GLSA-200403-07 http://www.ethereal.com/appnotes/enpa-sa-00013.html VU#124454 MDKSA-2004:024 RHSA-2004:136 RHSA-2004:137 ethereal-radius-dos(15571) oval:org.mitre.oval:def:879 oval:org.mitre.oval:def:891 oval:org.mitre.oval:def:9196 SQL injection vulnerability in the libpam-pgsql library before 0.5.2 allows attackers to execute arbitrary SQL statements. DSA-469 10266 pam-pgsql-sql-injection(15651) Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. CLA-2004:835 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal GLSA-200403-07 http://www.ethereal.com/appnotes/enpa-sa-00013.html [Ethereal-dev] 20040416 Possibly incorrect CVE entry CAN-2004-0367 VU#792286 MDKSA-2004:024 RHSA-2004:136 RHSA-2004:137 ethereal-zero-presentation-dos(15570) oval:org.mitre.oval:def:11071 oval:org.mitre.oval:def:880 oval:org.mitre.oval:def:905 Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. 20040801-01-P 20040323 how much fun can you have with UDP? [Dailydave] 20040323 dtlogin advisory 101478 57539 HPSBUX01038 O-129 http://www.immunitysec.com/downloads/dtlogin.sxw.pdf VU#179804 9958 cde-dtlogin-double-free(15581) oval:org.mitre.oval:def:1436 Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. http://securityresponse.symantec.com/avcenter/security/Content/2004.08.26.html ESB-2004.0538 O-206 11039 20040826 Entrust LibKmp Library Buffer Overflow isakmp-spi-size-bo(15669) The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic. FreeBSD-SA-04:06 9992 freebsd-ipv6-dos(15662) Heimdal 0.6.x before 0.6.1 and 0.5.x before 0.5.3 does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path. FreeBSD-SA-04:08 20040530 009: SECURITY FIX: May 30, 2004 GLSA-200404-09 DSA-476 http://www.pdc.kth.se/heimdal/advisory/2004-04-01/ heimdal-cross-realm-spoofing(15701) xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts. 20040320 xine-check/xine-bugreport symlink vulnerability. GLSA-200404-20 DSA-477 9939 xine-xinebugreport-xinecheck-symlink(15564) Interchange before 5.0.1 allows remote attackers to "expose the content of arbitrary variables" and read or modify sensitive SQL information via an HTTP request ending with the "__SQLUSER__" string. http://ftp.icdevgroup.org/interchange/5.0/WHATSNEW DSA-471 [interchange-announce] 20040329 Security Problem in Interchange 10005 interchange-url-obtain-information(15670) SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero. 20040423 EEYE: Symantec Multiple Firewall TCP Options Denial of Service 1009379 1009380 http://www.eeye.com/html/Research/Upcoming/20040309.html 9912 http://www.symantec.com/avcenter/security/Content/2004.04.20.html norton-firewalls-dos(15433) symantec-firewall-tcp-dos(15936) oftpd 0.3.6 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command with a large value. GLSA-200403-08 DSA-473 9980 http://www.time-travellers.org/oftpd/oftpd-dos.html oftpd-port-dos(15622) Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character. 20040405 iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function 20040405 [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function http://public.activestate.com/cgi-bin/perlbrowse?patch=22552 http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities VU#722414 perl-win32stat-bo(15732) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Multiple cross-site scripting (XSS) vulnerabilities in Microsoft SharePoint Portal Server 2001 allow remote attackers to process arbitrary web content and steal cookies via certain server scripts. 20040405 Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server 2001 sharepoint-portal-xss(15729) The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." VU#323070 http://www.k-otik.net/bugtraq/02.18.InternetExplorer.php 20040219 Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658) 20040328 IE ms-its: and mk:@MSITStore: vulnerability 9105 9658 TA04-104A MS04-013 outlook-mhtml-execute-code(15705) oval:org.mitre.oval:def:1010 oval:org.mitre.oval:def:1028 oval:org.mitre.oval:def:882 oval:org.mitre.oval:def:990 mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack on the failed-mysql-bugreport temporary file. 20040324 mysqlbug tmpfile/symlink vulnerability. 20040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql) GLSA-200405-20 P-018 DSA-483 MDKSA-2004:034 RHSA-2004:569 RHSA-2004:597 9976 mysql-mysqlbug-symlink(15617) oval:org.mitre.oval:def:11557 Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 and Mac OS X 10.2.8 with unknown impact, possibly related to a configuration file setting. http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00047.html macos-cups-configuration-unknown(15769) Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unknown impact, related to "the handling of HTML-formatted email." http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00047.html macos-mail-unknown(15768) Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities." 20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache 20040316 new security alert #66 issued in Oracle web cache 20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf http://www.inaccessnetworks.com/ian/services/secadv01.txt VU#413006 9868 oracle-web-cache-vulnerabilities(15463) Buffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0.90, and 0.91 allows remote attackers to execute arbitrary code via a long Location header. 20040330 MPlayer Security Advisory #002 - HTTP parsing vulnerability GLSA-200403-13 VU#723910 MDKSA-2004:026 http://www.mplayerhq.hu/homepage/design6/news.html 20040330 Heap overflow in MPlayer 10008 mplayer-header-bo(15675) Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8, RealOne Player, RealOne Player 10 beta, and RealOne Player Enterprise, allows remote attackers to execute arbitrary code via a malformed .R3T file. 20040307 REAL One Player R3T File Format Stack Overflow 20040307 REAL One Player R3T File Format Stack Overflow http://www.ngssoftware.com/advisories/realr3t.txt 10070 http://www.service.real.com/help/faq/security/040406_r3t/en/ realplayer-r3t-bo(15774) The mysqld_multi script in MySQL allows local users to overwrite arbitrary files via a symlink attack. http://dev.mysql.com/doc/mysql/en/news-4-1-2.html 20040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql) GLSA-200405-20 1009784 P-018 DSA-483 MDKSA-2004:034 RHSA-2004:569 RHSA-2004:597 10142 mysql-mysqldmulti-symlink(15883) oval:org.mitre.oval:def:10559 RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference, as demonstrated using (1) GET_PARAMETER or (2) DESCRIBE requests. 20040415 RealNetworks Helix Universal Server Denial of Service Vulnerability 10157 helix-get-dos(15880) SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods. 20040510 OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol SCOSA-2004.5 openserver-x-session-insecure(16113) Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password, which allows remote attackers to add new users, modify existing users, and change configuration. O-111 20040407 A Default Username and Password in WLSE and HSE Devices VU#659228 10076 cisco-default-password(15773) racoon before 20040407b allows remote attackers to cause a denial of service (infinite loop and dropped connections) via an IKE message with a malformed Generic Payload Header containing invalid (1) "Security Association Next Payload" and (2) "RESERVED" fields. SCOSA-2005.10 http://orange.kame.net/dev/query-pr.cgi?pr=555 http://www.vuxml.org/freebsd/40fcf20f-8891-11d8-90d1-0020ed76ef5a.html racoon-isakmp-dos(15893) Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function. 20040624 Rlpr Advisory DSA-524 10578 rlpr-msg-format-string(16453) A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic. 20040504-01-U 20040505-01-U CLA-2004:846 [fedora-announce] 20040422 Fedora alert FEDORA-2004-111 (kernel) GLSA-200407-02 DSA-1067 DSA-1069 DSA-1070 DSA-1082 ESA-20040428-004 MDKSA-2004:037 SuSE-SA:2004:010 10233 linux-panic-bo(15953) The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call. DSA-509 10437 gatos-xatitv-gain-privileges(16273) Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. FreeBSD-SA-04:10 NetBSD-SA2004-008 20040519 Advisory 07/2004: CVS remote vulnerability 20040519 Advisory 07/2004: CVS remote vulnerability SuSE-SA:2004:013 20040519 Advisory 07/2004: CVS remote vulnerability 20040519 [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs) FEDORA-2004-1620 20040520 cvs server buffer overflow vulnerability http://security.e-matters.de/advisories/072004.html GLSA-200405-12 O-147 DSA-505 VU#192038 MDKSA-2004:048 RHSA-2004:190 10384 SSA:2004-140-01 TA04-147A cvs-entry-line-bo(16193) oval:org.mitre.oval:def:9058 oval:org.mitre.oval:def:970 Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command. 20040519 Advisory 08/2004: Subversion remote vulnerability 20040519 Advisory 08/2004: Subversion remote vulnerability http://security.e-matters.de/advisories/082004.html http://subversion.tigris.org/svn-sscanf-advisory.txt GLSA-200405-14 FEDORA-2004-128 20040519 [OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion) 10386 FLSA:1748 subversion-date-parsing-command-execution(16191) Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client. 20040519 Advisory 06/2004: libneon date parsing vulnerability CLA-2004:841 20040519 Advisory 06/2004: libneon date parsing vulnerability 20040519 [OpenPKG-SA-2004.024] OpenPKG Security Advisory (neon) GLSA-200405-13 GLSA-200405-15 O-148 DSA-506 DSA-507 MDKSA-2004:049 RHSA-2004:191 10385 FEDORA-2004-1552 neon-library-nerfc1036parse-bo(16192) Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification. 20040506 Buffer overflows in exim, yet still exim much better than windows DSA-501 DSA-502 http://www.guninski.com/exim1.html exim-requireverify-bo(16079) Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check. 20040506 Buffer overflows in exim, yet still exim much better than windows DSA-501 DSA-502 http://www.guninski.com/exim1.html exim-headerschecksyntax-bo(16077) Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions. http://packages.debian.org/changelogs/pool/main/libt/libtasn1-2/libtasn1-2_0.2.13-1/changelog 1010159 http://www.backports.org/changelog.html 10360 libtasn1-der-parsing(16157) Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code. DSA-508 MDKSA-2004:053 10403 xpcd-svga-pcdopen-bo(16236) Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. SCOSA-2005.10 20040506-01-U APPLE-SA-2004-05-03 GLSA-200404-17 1009937 http://sourceforge.net/project/shownotes.php?release_id=232288 http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&r2=1.181 MDKSA-2004:069 RHSA-2004:165 10172 http://www.vuxml.org/freebsd/ccd698df-8e20-11d8-90d1-0020ed76ef5a.html racoon-isakmp-dos(15893) oval:org.mitre.oval:def:11220 oval:org.mitre.oval:def:984 logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp. DSA-488 MDKSA-2004:155 10162 logcheck-directory-symlink(15888) CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. FreeBSD-SA-04:07 20040404-01-U FEDORA-2004-1620 GLSA-200404-13 DSA-486 SSA:2004-108-02 cvs-dotdot-directory-traversal(15891) oval:org.mitre.oval:def:1060 oval:org.mitre.oval:def:10818 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. The HTML form upload capability in ColdFusion MX 6.1 does not reclaim disk space if an upload is interrupted, which allows remote attackers to cause a denial of service (disk consumption) by repeatedly uploading files and interrupting the uploads before they finish. 20040416 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted] 1009825 http://www.macromedia.com/devnet/security/security_zone/mpsb04-06.html 10158 coldfusion-upload-file-dos(15882) Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code. DSA-494 10192 ident2-childservice-bo(15938) Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code. [xchat-announce] 20040405 xchat 2.0.x Socks5 Vulnerability GLSA-200404-15 FLSA:123013 RHSA-2004:177 RHSA-2004:585 http://www.xchat.org/ oval:org.mitre.oval:def:11312 DSA-493 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. CLA-2004:843 20040517 KDE Security Advisory: URI Handler Vulnerabilities GLSA-200405-11 O-146 DSA-518 http://www.kde.org/info/security/advisory-20040517-1.txt SuSE-SA:2003:014 RHSA-2004:222 FEDORA-2004-121 FEDORA-2004-122 20040513 Opera Telnet URI Handler Vulnerability also applies to other browsers 10358 SSA:2004-238 kde-url-handler-gain-access(16163) oval:org.mitre.oval:def:954 Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server. CLA-2004:842 [Mailman-Announce] 20040515 RELEASED Mailman 2.1.5 FEDORA-2004-1734 GLSA-200406-04 MDKSA-2004:051 10412 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559 mailman-obtain-password(16256) libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn://, (2) svn+ssh://, and (3) other svn protocol URL strings, which allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow. http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt GLSA-200406-07 SuSE-SA:2004:018 FEDORA-2004-165 20041012 [FMADV] Subversion <= 1.04 Heap Overflow 10519 FLSA:1748 subversion-svn-bo(16396) CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. 20040604-01-U 20040605-01-U 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) http://security.e-matters.de/advisories/092004.html GLSA-200406-06 DSA-517 MDKSA-2004:058 RHSA-2004:233 oval:org.mitre.oval:def:10575 oval:org.mitre.oval:def:993 Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory. 20040804-01-U CLA-2004:879 GLSA-200408-24 MDKSA-2004:087 RHSA-2004:413 RHSA-2004:418 linux-pointer-info-disclosure(16877) oval:org.mitre.oval:def:9965 Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. 20040604-01-U 20040605-01-U 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) http://security.e-matters.de/advisories/092004.html GLSA-200406-06 DSA-519 MDKSA-2004:058 RHSA-2004:233 oval:org.mitre.oval:def:10070 oval:org.mitre.oval:def:994 Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. 20040605-01-U 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) http://security.e-matters.de/advisories/092004.html GLSA-200406-06 DSA-519 MDKSA-2004:058 RHSA-2004:233 oval:org.mitre.oval:def:1001 oval:org.mitre.oval:def:11145 serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. 20040604-01-U 20040605-01-U 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) http://security.e-matters.de/advisories/092004.html GLSA-200406-06 DSA-519 MDKSA-2004:058 RHSA-2004:233 oval:org.mitre.oval:def:1003 oval:org.mitre.oval:def:11242 XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions. http://bugs.xfree86.org/show_bug.cgi?id=1376 1010306 P-001 GLSA-200407-05 MDKSA-2004:073 20040526 008: SECURITY FIX: May 26, 2004 RHSA-2004:478 10423 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900 xdm-socket-gain-access(16264) oval:org.mitre.oval:def:10161 The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. VU#106324 20040127 RE: GOOROO CROSSING: File Spoofing Internet Explorer 6 20040127 GOOROO CROSSING: File Spoofing Internet Explorer 6 9510 TA04-196A MS04-024 ie-clsid-file-extension-spoofing(14964) oval:org.mitre.oval:def:2245 oval:org.mitre.oval:def:2381 oval:org.mitre.oval:def:2894 oval:org.mitre.oval:def:3386 oval:org.mitre.oval:def:3533 oval:org.mitre.oval:def:3604 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. APPLE-SA-2004-09-09 20040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png) 2004-0025 FEDORA-2004-105 FEDORA-2004-106 DSA-498 MDKSA-2004:040 MDKSA-2006:212 MDKSA-2006:213 RHSA-2004:180 RHSA-2004:181 10244 libpng-png-dos(16022) oval:org.mitre.oval:def:11710 oval:org.mitre.oval:def:971 flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack. DSA-500 RHSA-2004:344 flim-insecure-temporary-file(16027) The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file. 20040418 ssmtp insecure file creation Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. 20040504-01-U CLA-2004:852 20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflow http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt ESA-20040428-004 MDKSA-2004:037 SuSE-SA:2004:010 RHSA-2004:183 10179 SSA:2004-119 linux-ipsetsockopt-integer-bo(15907) oval:org.mitre.oval:def:11214 oval:org.mitre.oval:def:939 Heap-based buffer overflow in SiteMinder Affiliate Agent 4.x allows remote attackers to execute arbitrary code via a large SMPROFILE cookie. A042204-1 10198 siteminder-affiliate-smprofile-bo(15950) rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. 20040521 [OpenPKG-SA-2004.025] OpenPKG Security Advisory (rsync) http://rsync.samba.org/ O-134 O-212 DSA-499 GLSA-200407-10 MDKSA-2004:042 RHSA-2004:192 10247 SSA:2004-124-01 TSL-2004-0024 rsync-write-files(16014) oval:org.mitre.oval:def:9495 oval:org.mitre.oval:def:967 The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. 20040504-01-U 20040505-01-U CLA-2004:846 FEDORA-2004-111 http://linux.bkbits.net:8080/linux-2.4/cset@407bf20eDeeejm8t36_tpvSE-8EFHA http://linux.bkbits.net:8080/linux-2.6/cset@407b1217x4jtqEkpFW2g_-RcF0726A [linux-kernel] 20040408 [PATCH]: 2.4/2.6 do_fork() error path memory leak GLSA-200407-02 O-164 DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2004:037 SuSE-SA:2004:010 RHSA-2004:255 RHSA-2004:260 RHSA-2004:327 10221 TLSA-2004-14 linux-dofork-memory-leak(16002) oval:org.mitre.oval:def:10297 oval:org.mitre.oval:def:2819 Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS X 10.3.3 Server, related to "the handling of an environment variable," has unknown attack vectors and unknown impact. APPLE-SA-2004-05-03 1010045 ESB-2004.0314 10270 macos-corefoundation-environment(16051) Unknown vulnerability related to "the handling of large requests" in RAdmin for Apple Mac OS X 10.3.3 and Mac OS X 10.2.8 may allow attackers to have unknown impact via unknown attack vectors. APPLE-SA-2004-05-03 20040503 [product-security@apple.com: APPLE-SA-2004-05-03 Security Update 2004-05-03] 1010045 ESB-2004.0314 O-138 macos-radmin-large-request(16053) Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. APPLE-SA-2004-05-03 1010039 A050304-1 VU#648406 http://www.securiteam.com/securitynews/5QP0115CUO.html applefileserver-afp-pathname-bo(16049) Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow. APPLE-SA-2004-04-30 20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow 20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow VU#782958 quicktime-heap-bo(16026) ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clients to bypass intended access restrictions. http://bugs.proftpd.org/show_bug.cgi?id=2267 2004-0025 20040430 [OpenPKG-SA-2004.018] OpenPKG Security Advisory (proftpd) MDKSA-2004:041 10252 proftpd-cidr-acl-bypass(16038) Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before 1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (a) long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT) packets. GLSA-200405-24 http://www.xinehq.de/index.php/security/XSA-2004-3 mplayer-rtsp-rdt-bo(16019) k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow. FreeBSD-SA-04:09 20040506 Advisory: Heimdal kadmind version4 remote heap overflow 20040505 Advisory: Heimdal kadmind version4 remote heap overflow GLSA-200405-23 DSA-504 heimdal-kadmind-bo(16071) Certain "programming errors" in the msync system call for FreeBSD 5.2.1 and earlier, and 4.10 and earlier, do not properly handle the MS_INVALIDATE operation, which leads to cache consistency problems that allow a local user to prevent certain changes to files from being committed to disk. FreeBSD-SA-04:11 10416 freebsd-msync-gain-privileges(16254) Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket. 20040505 Titan FTP Server Aborted LIST DoS 20040505 Titan FTP Server Aborted LIST DoS http://www.securiteam.com/windowsntfocus/5RP0215CUU.html titan-list-command-dos(16057) Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components. 20040512 EEYE: Symantec Multiple Firewall NBNS Response Processing Stack Overflow 20040512 EEYE: Symantec Multiple Firewall Remote DNS KERNEL Overflow 20040512 EEYE: Symantec Multiple Firewall NBNS Response Remote Heap Corruption http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html 1010144 1010145 1010146 O-141 VU#294998 VU#634414 VU#637318 10333 10334 10335 symantec-nbns-response-bo(16134) symantec-firewalls-nbns-bo(16135) symantec-dns-response-bo(16137) The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself. 20040512 EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html 1010144 1010145 1010146 O-141 VU#682110 10336 symantec-firewall-dns-dos(16132) Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact. NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477. This is the proper candidate to use for the Linux local DoS. 20040804-01-U [owl-users] 20040619 Linux 2.4.26-ow2 GLSA-200407-16 O-193 DSA-1067 DSA-1069 DSA-1070 DSA-1082 RHSA-2004:413 10783 linux-ia64-dos(16661) oval:org.mitre.oval:def:10918 Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages. DSA-510 10438 jftpgw-log-format-string(16271) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Format string vulnerability in the printlog function in log2mail before 0.2.5.2 allows local users or remote attackers to execute arbitrary code via format string specifiers in a logfile monitored by log2mail. http://felinemenace.org/~jaguar/advisories/log2mail.txt DSA-513 10460 log2mail-syslog-format-string(16311) Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog. 1010539 DSA-521 10571 sup-format-string(16459) Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. 20060101-01-U FLSA-2006:152845 20050111 [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl) DSA-620 GLSA-200501-38 RHSA-2005:103 RHSA-2005:105 12072 perl-filepathrmtree-insecure-permissions(18650) oval:org.mitre.oval:def:9938 USN-44-1 Format string vulnerability in the monitor "memory dump" command in VICE 1.6 to 1.14 allows local users to cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string. 20040614 VICE emulator format string vulnerability 10543 vice-memory-dump-format-string(16404) Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code. DSA-524 10578 rlpr-msg-bo(16454) Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql. DSA-523 10577 wwwsql-cgi-command-execution(16455) Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header. 20040702 pavuk buffer overflow GLSA-200406-22 DSA-527 10633 pavuk-location-bo(16551) The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files. P-018 DSA-540 RHSA-2004:597 mysql-mysqlhotcopy-insecure-file(17030) oval:org.mitre.oval:def:10693 mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. DSA-503 10343 mah-jong-null-dos(16143) The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data. 20040513 802.11b (others) single packet DoS 1010152 http://support.avaya.com/elmodocs2/security/ASA-2004-009.pdf AA-2004.02 VU#106678 10342 ieee80211-cca-dos(16138) Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file. 20040622 DHCP Vuln // no code 0day // 20040628 ISC DHCP overflows 20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd) VU#317350 MDKSA-2004:061 SuSE-SA:2004:019 10590 TA04-174A http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf dhcp-ascii-log-bo(16475) The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. 20040622 DHCP Vuln // no code 0day // 20040628 ISC DHCP overflows 20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd) VU#654390 MDKSA-2004:061 SuSE-SA:2004:019 10591 TA04-174A http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf dhcp-c-include-bo(16476) The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server. VU#546483 network-device-secure-plaintext(17702) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Directory traversal vulnerability in jretest.html in WebConnect 6.5 and 6.4.4, and possibly earlier versions, allows remote attackers to read keys within arbitrary INI formatted files via "..//" sequences in the WCP_USER parameter. 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities http://www.cirt.dk/advisories/cirt-29-advisory.pdf VU#628411 http://www.kb.cert.org/vuls/id/JSHA-69HVPK webconnect-wcpuser-directory-traversal(19394) WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote attackers to cause a denial of service (hang) via a URL containing an MS-DOS device name such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1. 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities http://www.cirt.dk/advisories/cirt-29-advisory.pdf VU#552561 http://www.kb.cert.org/vuls/id/JSHA-69FVMM webconnect-device-name-dos(19393) Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a denial of service (routing disabled) via a large number of MPLS packets, which are not filtered or verified before being sent to the Routing Engine, which reduces the speed at which other packets are processed. 1013039 VU#409555 http://www.kb.cert.org/vuls/id/JSHA-68ZJCQ http://www.niscc.gov.uk/niscc/docs/al-20050126-00067.html?lang=en RHSA-2005:081 12379 junos-dos(19094) Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets. http://www.jpcert.or.jp/at/2004/at040009.txt VU#658859 http://www.kb.cert.org/vuls/id/JSHA-6253CC juniper-ipv6-dos(16548) Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation. 20040504 ISAKMP Vulnerability 10273 vpn1-isakmp-bo(16060) BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp 1010128 VU#950070 10328 weblogic-application-unauth-access(16123) BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown). http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_60.00.jsp 1010129 10327 weblogic-server-policy-bypass(16121) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a reservation duplicate of CVE-2004-0434. Notes: All CVE users should reference CVE-2004-0434 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux. GLSA-200405-19 1010142 20040512 Opera Telnet URI Handler File Creation/Truncation Vulnerability http://www.opera.com/linux/changelogs/750/index.dml 10341 opera-telnet-file-overwrite(16139) Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. NOTE: since the initial report of this problem, several researchers have been unable to reproduce this issue. 20040210 Re: HelpCtr - allow open any page or run 20040210 Re: HelpCtr - allow open any page or run 20040213 Re: HelpCtr - allow open any page or run 20040211 Re: HelpCtr - allow open any page or run 20040207 HelpCtr - allow open any page or run 9621 winxp-helpctr-hcp-xss(15101) The showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm. NOTE: this bug may overlap CVE-2003-1041. 20040513 Showhelp() local CHM file execution 10348 ie-showhelp-chm-execution(16147) Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 allows remote attackers to cause a denial of service (reboot or packet loss) via a long string containing Telnet escape characters to the Telnet port. 20040526 OfficeConnect Remote 812 ADSL Router Telnet Protocol DoS Vulnerability 10419 3com-officeconnect-telnet-bo(16257) Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password. NOTE: this identifier was inadvertently re-used for another issue due to a typo; that issue was assigned CVE-2004-0447. This candidate is ONLY for the ADSL router bypass. 20040527 iDEFENSE Security Advisory 05.27.04: 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass Vulnerability 10426 3com-officeconnect-gain-access(16267) Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U. http://bugzilla.mozilla.org/show_bug.cgi?id=243540 [Dailydave] 20040514 Mozilla bug might even get fixed! mozilla-javascript-dos(16225) Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via Javascript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference. 20040514 IE Crash - Anyone Seen This Before? 20040514 IE Crash - Anyone Seen This Before? 20040516 Re: IE Crash - Anyone Seen This Before? Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe. 20040627 Lotus Notes URL argument injection vulnerability http://www.idefense.com/application/poi/display?id=111&type=vulnerabilities 10600 http://www-1.ibm.com/support/docview.wss?rs=475/context=SSKTWP&uid=swg21169510 lotus-notes-xss(16496) The logging feature in kcms_configure in the KCMS package on Solaris 8 and 9, and possibly other versions, allows local users to corrupt arbitrary files via a symlink attack on the KCS_ClogFile file. 57706 20050223 Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities. ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/020_procfs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/006_procfs.patch 20040517 OpenBSD procfs [openbsd-security-announce] 20040513 procfs vulnerability http://www.deprotect.com/advisories/DEPROTECT-20041305.txt 20040513 [3.4] 020: SECURITY FIX: May 13, 2004 20040513 [3.5] 006: SECURITY FIX: May 13, 2004 openbsd-procfs-gain-privileges(16226) Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests. 20040503-01-P 1010185 10372 rpcmountd-rpc-dos(16175) mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference. 20040518 Unknown IE bug with css-styles 10382 ie-css-dos(16189) The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. http://fundisom.com/owned/warning APPLE-SA-2004-05-21 APPLE-SA-2004-05-28 VU#210606 macos-runscript-code-execution(16166) HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler. 20040516 Vuln. MacOSX/Safari: Remote help-call, execute scripts APPLE-SA-2004-05-21 1010167 http://www.fundisom.com/owned/warning VU#578798 10356 macos-runscript-code-execution(16166) A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs. 20040521 [SNS Advisory No.72] Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability O-149 VU#312510 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/72_e.html 10392 http://www.symantec.com/avcenter/security/Content/2004.05.20.html nav-activex-code-execution(16220) Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. 20040605-01-U 20040517 mod_ssl ssl_util_uuencode_binary potential problem 20040527 [OpenPKG-SA-2004.026] OpenPKG Security Advisory (apache) 20040601 TSSA-2004-008 - apache SSRT4777 SSRT4788 RHSA-2004:245 GLSA-200406-05 DSA-532 MDKSA-2004:054 MDKSA-2004:055 RHSA-2004:342 RHSA-2004:405 RHSA-2005:816 10355 2004-0031 FLSA:1888 apache-modssl-uuencode-bo(16214) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11458 Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option. 20040524 SSH URI handler remote arbitrary code execution http://www.insecure.ws/article.php?story=200405222251133 macos-ssh-code-execution(16242) cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. http://bugzilla.cpanel.net/show_bug.cgi?id=283 http://bugzilla.cpanel.net/show_bug.cgi?id=664 http://www.a-squad.com/audit/explain10.html http://www.securiteam.com/tools/5TP0N15CUA.html 20040524 cPanel mod_phpsuexec Vulnerability 10407 cpanel-modphpsuexec-execute-commands(16239) The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. 20060402-01-U [linux-kernel] 20040402 Re: disable-cap-mlock RHSA-2005:472 13769 oval:org.mitre.oval:def:10672 oval:org.mitre.oval:def:1117 Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. 20040605-01-U 20040611 [OpenPKG-SA-2004.029] OpenPKG Security Advisory (apache) SSRT090208 RHSA-2004:245 20040610 Buffer overflow in apache mod_proxy,yet still apache much better than windows 101555 101841 57628 DSA-525 http://www.guninski.com/modproxy1.html VU#541310 MDKSA-2004:065 FLSA:1737 apache-modproxy-contentlength-bo(16387) oval:org.mitre.oval:def:100112 oval:org.mitre.oval:def:4863 The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters. 20040628 DoS in apache httpd 2.0.49, yet still apache much better than windows 20040629 TSSA-2004-012 - apache SSRT4777 GLSA-200407-03 http://www.apacheweek.com/features/security-20 http://www.guninski.com/httpd1.html MDKSA-2004:064 RHSA-2004:342 10619 2004-0039 apache-apgetmimeheaderscore-dos(16524) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:10605 Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI. http://rpmfind.net/linux/RPM/suse/9.3/i386/suse/i586/gnome-vfs-1.0.5-816.2.i586.html RHSA-2004:373 FLSA:1944 gnome-vfs-extfs-gain-access(16897) oval:org.mitre.oval:def:9854 Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. CLA-2004:845 CLA-2004:846 FEDORA-2004-186 GLSA-200407-02 MDKSA-2004:066 SUSE-SA:2004:020 RHSA-2004:255 RHSA-2004:260 10566 linux-drivers-gain-privileges(16449) oval:org.mitre.oval:def:10155 oval:org.mitre.oval:def:2961 Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool. SUSE-SA:2004:020 linux-gain-privileges(16625) Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. CLA-2004:852 MDKSA-2004:066 SUSE-SA:2004:020 RHSA-2004:354 RHSA-2004:360 linux-fchown-groupid-modify(16599) oval:org.mitre.oval:def:9867 The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets. http://www.stonesoft.com/support/Security_Advisories/6735.html http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call. http://gaim.sourceforge.net/security/?id=0 FEDORA-2004-278 FEDORA-2004-279 GLSA-200408-12 GLSA-200408-27 MDKSA-2004:081 SUSE-SA:2004:025 RHSA-2004:400 10865 gaim-msn-bo(16920) oval:org.mitre.oval:def:9429 Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site via an HTML e-mail message containing a Vector Markup Language (VML) entity whose src parameter points to the remote site, which could allow remote attackers to know when a message has been read, verify valid e-mail addresses, and possibly leak other information. 20040511 PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam 10323 outlook-vml-obtain-information(16116) Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI. 20040509 OUTLOOK 2003: OuchLook 20040604 RE: PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam 10307 outlook-file-location-predictable(16104) Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting and may lead to unprompted installation of an executable when exploited in conjunction with predictable-file-location exposures such as CVE-2004-0502. 20040517 ROCKET SCIENCE: Outllook 2003 20040517 ROCKET SCIENCE: Outllook 2003 10369 outlook-ole-restriction-bypass(16173) Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. 20040604-01-U 20040605-01-U CLA-2005:916 GLSA-200406-01 1010158 O-150 http://www.ethereal.com/appnotes/enpa-sa-00014.html [Ethereal-users] 20040503 Re: HotSIP sip-messages crasching ethereal RHSA-2004:234 10347 ethereal-sip-packet-dos(16148) oval:org.mitre.oval:def:9769 oval:org.mitre.oval:def:982 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. 20040604-01-U 20040605-01-U CLA-2005:916 GLSA-200406-01 1010158 O-150 http://www.ethereal.com/appnotes/enpa-sa-00014.html RHSA-2004:234 10347 ethereal-aim-dissector-dos(16150) oval:org.mitre.oval:def:9433 oval:org.mitre.oval:def:986 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. 20040604-01-U 20040605-01-U CLA-2005:916 GLSA-200406-01 1010158 O-150 http://www.ethereal.com/appnotes/enpa-sa-00014.html RHSA-2004:234 10347 ethereal-spnego-dos(16151) oval:org.mitre.oval:def:9695 oval:org.mitre.oval:def:987 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. 20040604-01-U 20040605-01-U CLA-2005:916 RHSA-2004:234 GLSA-200406-01 1010158 O-150 http://www.ethereal.com/appnotes/enpa-sa-00014.html 10347 ethereal-mmse-bo(16152) oval:org.mitre.oval:def:11026 oval:org.mitre.oval:def:988 Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program. SCOSA-2004.7 20041027 MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86 http://www.deprotect.com/advisories/DEPROTECT-20040206.txt 10758 openserver-mmdf-bo(16738) Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference. SCOSA-2004.7 10758 openserver-mmdf-name-dos(16739) Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a core dump. SCOSA-2004.7 10758 openserver-mmdf-dos(16740) Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls." APPLE-SA-2004-05-28 10432 1010329 macosx-nfs-logging(16291) Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups." APPLE-SA-2004-05-28 1010330 VU#174790 10432 macosx-loginwindow-gain-privileges(16289) Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files." APPLE-SA-2004-05-28 1010330 10432 macosx-loginwindow-gain-privileges(16289) Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517. APPLE-SA-2004-05-28 1010331 10432 macosx-package-installation(16290) Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516. APPLE-SA-2004-05-28 1010331 10432 macosx-package-installation(16290) Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors. APPLE-SA-2004-05-28 1010333 applefileserver-reporting-error(16288) Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. 20040604-01-U CLA-2004:858 20040429 SquirrelMail Cross Scripting Attacks.... RHSA-2004:240 GLSA-200405-16 DSA-535 SUSE-SR:2005:019 FEDORA-2004-160 20040430 Re: SquirrelMail Cross Scripting Attacks.... 10246 FEDORA-2004-1733 squirrel-composephp-xss(16025) oval:org.mitre.oval:def:1006 oval:org.mitre.oval:def:10274 Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. 20040604-01-U CLA-2004:858 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability [squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28 RHSA-2004:240 DSA-535 GLSA-200406-08 http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt FEDORA-2004-160 10439 FEDORA-2004-1733 oval:org.mitre.oval:def:1012 oval:org.mitre.oval:def:10766 SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. 20040604-01-U CLA-2004:858 [squirrelmail-cvs] 20040427 [SM-CVS] CVS: squirrelmail/functions abook_database.php,1.15.2.1,1.15.2.2 [squirrelmail-devel] 20040511 [SM-DEVEL] SquirrelMail 1.4.3-RC1 Release RHSA-2004:240 GLSA-200405-16 O-212 DSA-535 FEDORA-2004-160 APPLE-SA-2004-09-07 10397 FEDORA-2004-1733 squirrelmail-sql-injection(16235) oval:org.mitre.oval:def:1033 oval:org.mitre.oval:def:11446 Gallery 1.4.3 and earlier allows remote attackers to bypass authentication and obtain Gallery administrator privileges. GLSA-200406-10 DSA-512 10451 gallery-user-bypass-authentication(16301) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. 20040604-01-U 20040605-01-U CLA-2004:860 FEDORA-2004-149 20040601 MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname 20040602 TSSA-2004-009 - kerberos5 2004-0032 101512 DSA-520 GLSA-200406-21 VU#686862 MDKSA-2004:056 RHSA-2004:236 10448 Kerberos-krb5anametolocalname-bo(16268) oval:org.mitre.oval:def:10295 oval:org.mitre.oval:def:2002 oval:org.mitre.oval:def:724 oval:org.mitre.oval:def:991 Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name. 20040417 Squirrelmail Chpasswod bof 20040427 Re: Squirrelmail Chpasswod bof 10166 http://www.squirrelmail.org/plugin_view.php?id=117 squirrelmail-chpasswd-binary-bo(15889) HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service (hang) by accessing iLO using the TCP/IP reserved port zero. SSRT4724 10415 ilo-port-zero-dos(16251) Unknown versions of Internet Explorer and Outlook allow remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. 20040517 Microsoft Internet Explorer ImageMap URL Spoof Vulnerability 20040510 DEEP SEA PHISHING: Internet Explorer / Outlook Express http://www.kurczaba.com/securityadvisories/0405132poc.htm 10308 ie-ahref-url-spoofing(16102) KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. 10383 ie-ahref-url-spoofing(16102) Netscape Navigator 7.1 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. 10389 ie-ahref-url-spoofing(16102) The modified suexec program in cPanel, when configured for mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows local users to execute untrusted shared scripts and gain privileges, as demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi, a different vulnerability than CVE-2004-0490. http://bugzilla.cpanel.net/show_bug.cgi?id=668 20040605 cPanel mod_php suEXEC Taint Vulnerability 1010411 10478 cpanel-suexec-command-execute(16347) The PHP package in Slackware 8.1, 9.0, and 9.1, when linked against a static library, includes /tmp in the search path, which allows local users to execute arbitrary code as the PHP user by inserting shared libraries into the appropriate path. 10461 SSA:2004-154 linux-php-gain-privileges(16310) Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client. 20040917 Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue 20040907 Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue 11208 webintelligence-url-delete-files(17422) Cross-site scripting (XSS) vulnerability in Business Objects InfoView 5.1.4 through 5.1.8 for WebIntelligence 2.7.0 through 2.7.4 allows remote attackers to inject arbitrary web script or HTML via document names when uploading a document. 20040917 Corsaire Security Advisory - Business Objects WebIntelligence XSS issue 20040907 Corsaire Security Advisory - Business Objects WebIntelligence XSS issue 11209 webintelligence-input-document-xss(17419) The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources. 20040804-01-U http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125168 CLA-2004:845 FEDORA-2004-186 GLSA-200407-02 http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.27.log MDKSA-2004:062 SUSE-SA:2004:020 RHSA-2004:413 RHSA-2004:418 10352 linux-e1000-bo(16159) oval:org.mitre.oval:def:11136 Format string vulnerability in Tripwire commercial 4.0.1 and earlier, including 2.4, and open source 2.3.1 and earlier, allows local users to gain privileges via format string specifiers in a file name, which is used in the generation of an email report. 20040602 Format String Vulnerability in Tripwire 20040603 Re: Format String Vulnerability in Tripwire GLSA-200406-02 RHSA-2004:244 10454 tripwire-fprintf-format-string(16309) Opera 7.50 and earlier allows remote web sites to provide a "Shortcut Icon" (favicon) that is wider than expected, which could allow the web sites to spoof a trusted domain and facilitate phishing attacks using a wide icon and extra spaces. 20040603 Phishing for Opera (GM#007-OP) 20040603 Phishing for Opera (GM#007-OP) http://security.greymagic.com/security/advisories/gm007-op/ http://www.opera.com/linux/changelogs/751/index.dml 10452 opera-favicon-spoofing(16307) LaunchServices in Mac OS X 10.3.4 and 10.2.8 automatically registers and executes new applications, which could allow attackers to execute arbitrary code without warning the user. APPLE-SA-2004-06-07 The "Show in Finder" button in the Safari web browser in Mac OS X 10.3.4 and 10.2.8 may execute downloaded applications, which could allow remote attackers to execute arbitrary code. APPLE-SA-2004-06-07 VU#773190 Microsoft Windows 2000, when running in a domain whose Fully Qualified Domain Name (FQDN) is exactly 8 characters long, does not prevent users with expired passwords from logging on to the domain. 830847 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). 20040604-01-U FLSA-2006:152809 GLSA-200406-13 http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities RHSA-2004:242 10500 2004-0033 squid-ntlm-bo(16360) oval:org.mitre.oval:def:10722 oval:org.mitre.oval:def:980 PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function. http://www.idefense.com/application/poi/display?id=108 http://www.php.net/release_4_3_7.php php-escapeshellarg-execute-command(16331) Multiple SQL injection vulnerabilities in Oracle Applications 11.0 and Oracle E-Business Suite 11.5.1 through 11.5.8 allow remote attackers to execute arbitrary SQL procedures and queries. 20040604 Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite 20040604 Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf O-153 http://www.integrigy.com/alerts/OraAppsSQLInjection.htm VU#961579 10465 TA04-160A oracle-ebusiness-sql-injection(16324) Multiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users to gain privileges via the (1) putlvcb or (2) getlvcb commands. O-131 9905 9906 MSS-OAR-E01-2004.0544 IY55681 IY55682 aix-putlvcb-bo(15555) aix-getlvcb-bo(18317) LVM for AIX 5.1 and 5.2 allows local users to overwrite arbitrary files via a symlink attack. O-131 10230 MSS-OAR-E01-2004.0544 aix-lvm-commands-symlink(16011) Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash). DSA-516 MDKSA-2004:072 postgresql-odbc-bo(16329) Multiple stack-based buffer overflows in the word-list-compress functionality in compress.c for Aspell allow local users to execute arbitrary code via a long entry in the wordlist that is not properly handled when using the (1) "c" compress option or (2) "d" decompress option. 20040608 Aspell 'word-list-compress' stack overflow vulnerability GLSA-200406-14 http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html 10497 The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. http://62.131.86.111/analysis.htm 20040602 180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits) 20040606 Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) 20040621 IE/0DAY -> Insider Prototype 20040628 JS.Scob.Trojan Source Code ... http://umbrella.name/originalvuln/msie/InsiderPrototype/ VU#713878 TA04-163A TA04-184A TA04-212A MS04-025 ie-location-restriction-bypass(16348) oval:org.mitre.oval:def:1133 oval:org.mitre.oval:def:207 oval:org.mitre.oval:def:241 oval:org.mitre.oval:def:519 Buffer overflow in Real Networks RealPlayer 10 allows remote attackers to execute arbitrary code via a URL with a large number of "." (period) characters. http://www.idefense.com/application/poi/display?id=109&type=vulnerabilities&flashstatus=false realplayer-dot-file-bo(16388) Cisco CatOS 5.x before 5.5(20) through 8.x before 8.2(2) and 8.3(2)GLX, as used in Catalyst switches, allows remote attackers to cause a denial of service (system crash and reload) by sending invalid packets instead of the final ACK portion of the three-way handshake to the (1) Telnet, (2) HTTP, or (3) SSH services, aka "TCP-ACK DoS attack." 20040609 Cisco CatOS Telnet, HTTP and SSH Vulnerability VU#245190 cisco-catalyst-ack-dos(16370) Sophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed. 20040922 Sophos Small Business Suite Reserved Device Name Handling Vulnerability http://www.seifried.org/security/advisories/kssa-005.html sophos-business-security-bypass(17468) Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program. CLA-2004:845 http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15905 http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html FEDORA-2004-186 20040620 TSSA-2004-011 - kernel ESA-20040621-005 [linux-kernel] 20040609 timer + fpu stuff locks my console race GLSA-200407-02 DSA-1067 DSA-1069 DSA-1070 DSA-1082 VU#973654 MDKSA-2004:062 SuSE-SA:2004:017 RHSA-2004:255 RHSA-2004:260 10538 2004-0034 linux-dos(16412) oval:org.mitre.oval:def:2915 oval:org.mitre.oval:def:9426 Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 may allow remote attackers to execute arbitrary code. 1012929 DSA-643 queue-bo(18945) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. 20040728 SoX buffer overflows when handling .WAV files CLA-2004:855 FEDORA-2004-235 FEDORA-2004-244 20040728 SoX buffer overflows when handling .WAV files DSA-565 GLSA-200407-23 MDKSA-2004:076 RHSA-2004:409 10819 FLSA:1945 sox-wav-bo(16827) oval:org.mitre.oval:def:9801 The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. CLA-2004:872 APPLE-SA-2004-09-30 SCOSA-2004.15 57646 201005 1000757 DSA-545 RHSA-2004:449 11183 SUSE-SA:2004:031 2004-0047 FLSA:2072 cups-udp-dos(17389) https://github.com/fibonascii/CVE-2004-0558 oval:org.mitre.oval:def:11732 The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory. GLSA-200409-15 11153 http://www.webmin.com/uchanges-1.089.html usermin-installation-unspecified(17299) Integer overflow in gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted content of a certain size that triggers the overflow. DSA-638 Format string vulnerability in the log routine for gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. DSA-638 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. The tspc.conf configuration file in freenet6 before 0.9.6 and before 1.0 on Debian Linux has world readable permissions, which could allow local users to gain sensitive information, such as a username and password. 1011460 DSA-555 11280 freenet6-world-readable(17544) Roaring Penguin pppoe (rp-ppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this identifier applies *only* to those configurations and installations under which pppoe is run setuid root despite the developer's warnings. MDKSA-2004:145 20041208 Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability DSA-557 FLSA:152794 11315 pppoe-file-overwrite(17576) Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit. [owl-users] 20040619 Linux 2.4.26-ow2 DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2004:066 RHSA-2004:504 10687 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734 linux-ia64-info-disclosure(16644) oval:org.mitre.oval:def:10714 Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. 20040215 GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution VU#266926 TA04-212A MS04-025 ie-bmp-integer-overflow(15210) oval:org.mitre.oval:def:216 oval:org.mitre.oval:def:306 oval:org.mitre.oval:def:322 oval:org.mitre.oval:def:507 oval:org.mitre.oval:def:515 The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability." 1012517 P-054 VU#378160 11922 MS04-045 wins-memory-pointer-hijack(18259) HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. 20041214 HyperTerminal - Buffer Overflow In .ht File MS04-043 win-hyperterminal-session-bo(18336) oval:org.mitre.oval:def:1603 oval:org.mitre.oval:def:2545 oval:org.mitre.oval:def:3138 oval:org.mitre.oval:def:3973 oval:org.mitre.oval:def:4508 oval:org.mitre.oval:def:4741 The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values. 20041013 BindView Advisory: Memory Leak and DoS in NT4 RPC server MS04-029 wins-rpc-obtain-information(17646) win-ms04029-patch(17663) oval:org.mitre.oval:def:2505 oval:org.mitre.oval:def:5277 Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. MS04-041 win-converter-table-code-execution(18337) oval:org.mitre.oval:def:1168 oval:org.mitre.oval:def:1417 oval:org.mitre.oval:def:1959 oval:org.mitre.oval:def:1976 oval:org.mitre.oval:def:3416 oval:org.mitre.oval:def:3743 oval:org.mitre.oval:def:4328 oval:org.mitre.oval:def:685 Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. 20040707 Re: shell:windows command question VU#543864 10677 MS04-037 win-grpconv-bo(16664) win-ms04037-patch(17662) oval:org.mitre.oval:def:1279 oval:org.mitre.oval:def:1837 oval:org.mitre.oval:def:1843 oval:org.mitre.oval:def:2753 oval:org.mitre.oval:def:3071 oval:org.mitre.oval:def:3768 oval:org.mitre.oval:def:3822 oval:org.mitre.oval:def:4244 oval:org.mitre.oval:def:4493 Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. 20040914 Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability 1011249 1011250 1011251 1011252 VU#449438 MS04-027 wordperfect-converter-message-bo(17306) oval:org.mitre.oval:def:2670 oval:org.mitre.oval:def:3311 oval:org.mitre.oval:def:3333 oval:org.mitre.oval:def:4005 oval:org.mitre.oval:def:5021 The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. 20041012 CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities P-012 http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10 VU#203126 MS04-036 win-nntp-bo(17641) win-ms04036-patch(17661) oval:org.mitre.oval:def:246 oval:org.mitre.oval:def:4392 oval:org.mitre.oval:def:5021 oval:org.mitre.oval:def:5070 oval:org.mitre.oval:def:5926 Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. 20041013 EEYE: Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow Vulnerability 1011637 P-010 http://www.eeye.com/html/research/advisories/AD20041012A.html VU#649374 MS04-034 win-compressed-folders-bo(17624) win-ms04034-patch(17659) oval:org.mitre.oval:def:1053 oval:org.mitre.oval:def:3913 oval:org.mitre.oval:def:4276 oval:org.mitre.oval:def:6397 The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the -enable-snmp option, allows remote attackers to cause a denial of service (server crash) via malformed SNMP messages containing an invalid OID. 20040621 [Full-Disclosure] iDEFENSE Security Advisory 06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerability http://www.idefense.com/application/poi/display?id=110&type=vulnerabilities radius-snmp-oid-dos(16466) WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files from the root directory via a URL request to the wingate-internal directory. 20040701 iDEFENSE Security Advisory 07.01.04: WinGate Information Disclosure http://www.idefense.com/application/poi/display?id=113 wingate-directory-traversal(16589) WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request to the wingate-internal directory. 20040701 iDEFENSE Security Advisory 07.01.04: WinGate Information Disclosure http://www.idefense.com/application/poi/display?id=113 wingate-directory-traversal(16589) Format string vulnerability in super before 3.23 allows local users to execute arbitrary code as root. DSA-522 super-format-string(16458) DHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL Routers, firmware version 1.45.7, does not properly clear previously used buffer contents in a BOOTP reply packet, which allows remote attackers to obtain sensitive information. 20040607 Linksys BEFSR41 DHCP vulnerability server leaks network data 1010288 10329 linksys-etherfast-bootp-dos(16142) ksymoops-gznm script in Mandrake Linux 9.1 through 10.0, and Corporate Server 2.1, allows local users to delete arbitrary files via a symlink attack on files in /tmp. MDKSA-2004:060 10516 ksymoops-symlink(16392) Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module. CLA-2004:848 20040611 [SNS Advisory No.74] Webmin Access Control Rule Bypass Vulnerability DSA-526 GLSA-200406-12 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/74_e.html MDKSA-2004:074 10474 10522 http://www.webmin.com/changes-1.150.html webmin-bypass-security(16333) The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords. 20040611 [SNS Advisory No.75] Webmin/Usermin Account Lockout Bypass Vulnerability DSA-526 GLSA-200406-12 GLSA-200406-15 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/75_e.html MDKSA-2004:074 10474 10523 http://www.webmin.com/changes-1.150.html webmin-username-password-dos(16334) Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "security fix," does not properly validate input, which allows remote attackers to execute arbitrary script as other users via script or HTML in an e-mail message, possibly triggering a cross-site scripting (XSS) vulnerability. GLSA-200406-11 http://www.horde.org/imp/3.2/ 10501 imp-content-type-xss(16357) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0589. Reason: This candidate is a duplicate of CVE-2004-0589. Notes: All CVE users should reference CVE-2004-0589 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. acpRunner ActiveX 1.2.5.0 allows remote attackers to execute arbitrary code via the (1) DownLoadURL, (2) SaveFilePath, and (3) Download ActiveX methods. 20040616 IBM acpRunner Activex Dangerous Methods Vulnerability http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-54588 ibm-acprunner-execute-code(16429) Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Linux allows local users to cause a denial of service. 20040804-01-U FEDORA-2004-186 1010057 MDKSA-2004:066 SuSE-SA:2004:010 RHSA-2004:413 RHSA-2004:418 10279 suse-hbaapinode-dos(16062) oval:org.mitre.oval:def:9398 Cross-site scripting (XSS) vulnerability in the web mail module for Usermin 1.070 allows remote attackers to insert arbitrary HTML and script via e-mail messages. This vulnerability is addressed in the following product update: Usermin, Usermin, 1.080 20040611 [SNS Advisory No.73] Usermin Cross-site Scripting Vulnerability GLSA-200406-15 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/73_e.html 10521 usermin-email-xss(16494) Cisco IOS 11.1(x) through 11.3(x) and 12.0(x) through 12.2(x), when configured for BGP routing, allows remote attackers to cause a denial of service (device reload) via malformed BGP (1) OPEN or (2) UPDATE messages. 20040616 Cisco IOS Malformed BGP Packet Causes Reload VU#784540 cisco-ios-bgp-packet-dos(16427) oval:org.mitre.oval:def:4948 FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject. GLSA-200406-20 MDKSA-2004:070 http://www.openswan.org/support/vuln/can-2004-0590/ ipsec-verifyx509cert-auth-bypass(16515) Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HRML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type. This vulnerability is addressed in the following product release: Inter7, SqWebMail, 4.0.5 20040621 XSS vulnerability in Sqwebmail 4.0.4 DSA-533 GLSA-200408-02 10588 sqwebmail-print-header-xss(16467) The tcp_find_option function of the netfilter subsystem for IPv6 in the SUSE Linux 2.6.5 kernel with USAGI patches, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type, a similar flaw to CVE-2004-0626. 20040703 Re: SUSE Security Announcement: kernel (SUSE-SA:2004:020) SUSE-SA:2004:020 linux-kernel-tcpfindoption-dos(43137) Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before authentication, which could allow remote attackers to bypass filtering rules. 20040810 Corsaire Security Advisory - Sygate Enforcer unauthenticated broadcast issue http://www.corsaire.com/advisories/c031120-003.txt 10908 sygate-enforcer-filter-bypass(16948) The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. CLA-2004:847 20040714 Advisory 11/2004: PHP memory_limit remote vulnerability 20040713 Advisory 11/2004: PHP memory_limit remote vulnerability 20040714 TSSA-2004-013 - php 20040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php) SSRT4777 DSA-531 DSA-669 GLSA-200407-13 MDKSA-2004:068 SUSE-SA:2004:021 RHSA-2004:392 RHSA-2004:395 RHSA-2004:405 RHSA-2005:816 10725 2004-0039 php-memorylimit-code-execution(16693) oval:org.mitre.oval:def:10896 The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. CLA-2004:847 20040714 Advisory 12/2004: PHP strip_tags() bypass vulnerability 20040713 Advisory 11/2004: PHP memory_limit remote vulnerability 20040714 TSSA-2004-013 - php 20040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php) SSRT4777 DSA-531 DSA-669 GLSA-200407-13 MDKSA-2004:068 SUSE-SA:2004:021 RHSA-2004:392 RHSA-2004:395 RHSA-2004:405 RHSA-2005:816 10724 php-strip-tag-bypass(16692) oval:org.mitre.oval:def:10619 The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference. http://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZg 10730 linux-eql-dos(16694) Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. SCOSA-2005.49 CLA-2004:856 20040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png) SSRT4778 SCOSA-2004.16 FLSA:2089 20050209 MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit http://scary.beasts.org/security/CESA-2004-001.txt 200663 http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114816-02-1 http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679 http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10 DSA-536 GLSA-200408-03 GLSA-200408-22 VU#388984 VU#817368 MDKSA-2004:079 MDKSA-2006:212 MDKSA-2006:213 http://www.mozilla.org/projects/security/known-vulnerabilities.html SUSE-SA:2004:023 RHSA-2004:402 RHSA-2004:421 RHSA-2004:429 10857 15495 2004-0040 TA04-217A TA05-039A FLSA:1943 MS05-009 libpng-pnghandle-bo(16894) oval:org.mitre.oval:def:11284 oval:org.mitre.oval:def:2274 oval:org.mitre.oval:def:2378 oval:org.mitre.oval:def:4492 oval:org.mitre.oval:def:594 oval:org.mitre.oval:def:7709 The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference. CLA-2004:856 20040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png) SSRT4778 SCOSA-2004.16 http://scary.beasts.org/security/CESA-2004-001.txt 200663 DSA-536 GLSA-200408-03 GLSA-200408-22 VU#236656 MDKSA-2004:079 MDKSA-2006:212 MDKSA-2006:213 http://www.mozilla.org/projects/security/known-vulnerabilities.html SUSE-SA:2004:023 RHSA-2004:402 RHSA-2004:429 10857 2004-0040 TA04-217A FLSA:1943 libpng-pnghandleiccp-dos(16895) oval:org.mitre.oval:def:10203 oval:org.mitre.oval:def:2572 Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. SCOSA-2005.49 CLA-2004:856 APPLE-SA-2004-09-09 20040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png) SSRT4778 SCOSA-2004.16 FLSA:2089 http://scary.beasts.org/security/CESA-2004-001.txt 200663 DSA-536 DSA-570 DSA-571 GLSA-200408-03 GLSA-200408-22 VU#160448 VU#286464 VU#477512 MDKSA-2004:079 MDKSA-2006:212 MDKSA-2006:213 http://www.mozilla.org/projects/security/known-vulnerabilities.html SUSE-SA:2004:023 RHSA-2004:402 RHSA-2004:421 RHSA-2004:429 10857 15495 2004-0040 TA04-217A FLSA:1943 lilbpng-integer-bo(16896) oval:org.mitre.oval:def:10938 oval:org.mitre.oval:def:1479 Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication. CLA-2004:851 CLA-2004:854 20040722 Security Release - Samba 3.0.5 and 2.2.10 20040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba) 20040722 Samba 3.x swat preauthentication buffer overflow 20040722 TSSA-2004-014 - samba 20040722 SWAT PreAuthorization PoC GLSA-200407-21 MDKSA-2004:071 SUSE-SA:2004:022 RHSA-2004:259 2004-0039 samba-swat-base64-bo(16785) oval:org.mitre.oval:def:11445 distcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions. http://distcc.samba.org/ftp/distcc/distcc-2.17.NEWS 11319 distcc-ip-gain-privileges(17581) The binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic. FreeBSD-SA-04:13 10643 freebsd-binary-information-disclosure(16558) gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332. http://bugs.gentoo.org/show_bug.cgi?id=54890 GLSA-200406-18 10603 gzip-gzexe-tmpfile(16506) The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows remote attackers to cause a denial of service (crash), possibly via an empty search query, which triggers a NULL dereference. http://developer.berlios.de/bugs/?func=detailbug&bug_id=1573&group_id=809 http://gift-fasttrack.berlios.de/ GLSA-200406-19 10604 gift-fasttrack-daemon-dos(16508) Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ircd-ratbox 1.5.1 and earlier, or (3) ircd-ratbox 2.0rc6 and earlier do not have a rate-limit imposed, which could allow remote attackers to cause a denial of service by repeatedly making requests, which are slowly dequeued. 20040618 ircd-hybrid-7 / ircd-ratbox low-bandwidth DoS 10572 ircd-parseclientqueued-dos(16457) Cross-site scripting (XSS) vulnerability in Infoblox DNS One running firmware 2.4.0-8 and earlier allows remote attackers to execute arbitrary scripts as other users via the (1) CLIENTID or (2) HOSTNAME option of a DHCP request. 20040619 Script injection in DNSONE appliance 10573 dnsone-dhcp-report-xss(16456) The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication. SCOSA-2005.10 20040614 authentication bug in KAME's racoon 20040615 Re: authentication bug in KAME's racoon GLSA-200406-17 1010495 http://sourceforge.net/project/shownotes.php?release_id=245982 RHSA-2004:308 10546 racoon-eaycheckx509cert-auth-bypass(16414) oval:org.mitre.oval:def:9163 The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory. http://aluigi.altervista.org/adv/unsecure-adv.txt 20040618 Code execution in the Unreal Engine through \secure\ packet GLSA-200407-14 10570 unreal-secure-query-command-execute(16451) rssh 2.0 through 2.1.x expands command line arguments before entering a chroot jail, which allows remote authenticated users to determine the existence of files in a directory outside the jail. 20040619 Security flaw in rssh 10574 rssh-jail-obtain-info(16470) The Web administration interface in Microsoft MN-500 Wireless Router allows remote attackers to cause a denial of service (connection refusal) via a large number of open HTTP connections. 20040621 Microsoft MN-500 Wireless Router Web-Based Administration DoS http://www.kurczaba.com/securityadvisories/0406213.htm 10585 mn500-web-admin-dos(16448) Web-Based Administration in Netgear FVS318 VPN Router allows remote attackers to cause a denial of service (no new connections) via a large number of open HTTP connections. 20040621 NETGEAR FVS318 Web-Based Administration DoS 10585 netgear-fvs318-dos(16462) The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. NOTE: it has been disputed by the vendor that this behavior is required by the SSL specification. 20040625 Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability" 20040621 ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability 10584 zonealarm-mobile-code-bypass(16471) osTicket allows remote attackers to view sensitive uploaded files and possibly execute arbitrary code via an HTTP request that uploads a PHP file to the ticket attachments directory. 20040621 Multiple osTicket exploits! 10586 osticket-php-file-upload(16477) osticket-view-attachments(16478) osTicket trusts a hidden form field in the submit form to limit the upload size of a document, which could allow remote attackers to upload a file of any size. 20040621 Multiple osTicket exploits! osticket-php-file-upload(16477) Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624, allows remote attackers to inject arbitrary script or HTML via the DHCP HOSTNAME option in a DHCP request. 20040701 DLINK 624, script injection vulnerability 20040621 DLINK 614+, script injection vulnerability 20040621 DLINK 704, script injection vulnerability 1010562 10587 dlink614-dhcp-xss(16468) The BT Voyager 2000 Wireless ADSL Router has a default public SNMP community name, which allows remote attackers to obtain sensitive information such as the password, which is stored in plaintext. 20040622 Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password) 20040622 Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password) 10589 bt-voyager-password-plaintext(16472) Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remote attackers to inject arbitrary script or HTML via the rawURL parameter. 20040622 ArbitroWeb v0.6 Javascript injection vulnerability 10592 arbitroweb-rawurl-xss(16481) FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument. 20040623 Security Advisory : FreeBSD local DoS 10596 freebsd-execve-dos(16499) Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow. 20040623 Linux Broadcom 5820 Cryptonet Driver Integer Overflow P-047 RHSA-2004:549 RHSA-2005:283 10599 bcm5820-adddsabufbytes-integer-bo(16459) oval:org.mitre.oval:def:9773 Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel. 20040624 vBulletin HTML Injection Vuln 10602 vbulletin-newreply-newthread-xss(16502) admin.php in Newsletter ZWS allows remote attackers to gain administrative privileges via a list_user operation with the ulevel parameter set to 1 (administrator level), which lists all users and their passwords. 20040624 ZWS Newsletter & Mailing List Manager 10605 zws-gain-admin-access(16507) Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does not properly clear memory for login (aka Loginwindow.app), Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory. http://citp.princeton.edu/pub/coldboot.pdf 20040625 Mac OS X stores login/Keychain/FileVault passwords on disk 20080228 Loginwindow.app and Mac OS X 20080229 Re: Loginwindow.app and Mac OS X macos-memory-view-passwords(16557) Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog. 20040625 format string vulnerability in Gnats 10609 gnats-format-string(16517) PHP remote file inclusion vulnerability in index.php for Artmedic links 5.0 (artmedic_links5) allows remote attackers to execute arbitrary PHP code by modifying the id parameter to reference a URL on a remote web server that contains the code. 20040625 artmedic_links5 PHP Script (include path) vuln artmedic-url-file-disclosure(16518) SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page. 20040627 ZH2004-14SA (security advisory):Sql Injection in Infinity WEB 20040627 ZH2004-14SA (security advisory):Sql Injection in Infinity WEB 10614 http://www.zone-h.org/en/advisories/read/id=4892/ infinity-web-sql-injection(16513) The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type. CLA-2004:852 FEDORA-2004-202 20040630 Remote DoS vulnerability in Linux kernel 2.6.x GLSA-200407-12 SUSE-SA:2004:020 linux-tcpfindoption-dos(16554) The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string. 20040705 MySQL Authentication Bypass 20040705 MySQL Authentication Bypass VU#184030 Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string. 20040705 MySQL Authentication Bypass 20040705 MySQL Authentication Bypass VU#645326 mysql-myrnd-bo(16612) Buffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5.0.5 and Acrobat Reader, and possibly other versions, allows remote attackers to execute arbitrary code via a URI for a PDF file with a null terminator (%00) followed by a long string. http://www.adobe.com/support/techdocs/330527.html GLSA-200408-14 20040813 Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability 10947 acrobat-reader-activex-bo(16998) The uudecoding feature in Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via shell metacharacters ("`" or backtick) in the filename of the PDF file that is provided to the uudecode command. GLSA-200408-14 http://www.adobe.com/support/techdocs/322914.html 20040812 Adobe Acrobat Reader (Unix) Shell Metacharacter Code Execution Vulnerability RHSA-2004:432 10931 acrobat-reader-execute-code(16973) Buffer overflow in the uudecoding feature for Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via a long filename for the PDF file that is provided to the uudecode command. GLSA-200408-14 http://www.adobe.com/support/techdocs/322914.html 20040812 Adobe Acrobat Reader (Unix) 5.0 Uudecode Filename Buffer Overflow Vulnerability RHSA-2004:432 10932 adobe-acrobat-uudecode-bo(16972) Adobe Reader 6.0 does not properly handle null characters when splitting a filename path into components, which allows remote attackers to execute arbitrary code via a file with a long extension that is not normally handled by Reader, triggering a buffer overflow. http://www.adobe.com/support/techdocs/330527.html http://www.adobe.com/support/techdocs/34222.htm 20040712 Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability adobe-acrobat-null-bo(16667) The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 CLA-2005:916 1010655 http://www.ethereal.com/appnotes/enpa-sa-00015.html GLSA-200407-08 VU#829422 MDKSA-2004:067 FEDORA-2004-219 FEDORA-2004-220 RHSA-2004:378 ethereal-isns-dos(16630) oval:org.mitre.oval:def:9931 The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows remote attackers to cause a denial of service (process crash) via a handle without a policy name, which causes a null dereference. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 CLA-2005:916 1010655 http://www.ethereal.com/appnotes/enpa-sa-00015.html GLSA-200407-08 VU#518782 MDKSA-2004:067 FEDORA-2004-219 FEDORA-2004-220 RHSA-2004:378 ethereal-smb-sid-dos(16631) oval:org.mitre.oval:def:10252 The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 CLA-2005:916 1010655 DSA-528 http://www.ethereal.com/appnotes/enpa-sa-00015.html GLSA-200407-08 VU#835846 MDKSA-2004:067 FEDORA-2004-219 FEDORA-2004-220 RHSA-2004:378 ethereal-snmp-community-dos(16632) oval:org.mitre.oval:def:9721 Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message. http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities VU#735966 aim-away-bo(16926) Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to execute commands with additional privileges via the ctxsys.driload package, which is publicly accessible. 20040902 Oracle Database Server ctxsys.driload Access Validation Vulnerability VU#316206 11099 Buffer overflow in the KSDWRTB function in the dbms_system package (dbms_system.ksdwrt) for Oracle 9i Database Server Release 2 9.2.0.3 and 9.2.0.4, 9i Release 1 9.0.1.4 and 9.0.1.5, and 8i Release 1 8.1.7.4, allows remote authorized users to execute arbitrary code via a long second argument. 20040905 Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i - 9i 20040902 Oracle Database Server dbms_system.ksdwrt Buffer Overflow Vulnerability http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.red-database-security.com/advisory/advisory_20040903_3.htm 11100 oracle-dbmssystem-bo(17254) Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973 CLA-2004:858 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability DSA-535 http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt 10450 squirrelmail-from-header-xss(16285) Format string vulnerability in the SSL_set_verify function in telnetd.c for SSLtelnet daemon (SSLtelnetd) 0.13 allows remote attackers to execute arbitrary code. DSA-529 http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities ssltelnetd-format-string(16653) Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. ESB-2004.0504 20040805 Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation 10881 speedtouch-hijack-connection(16919) Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code. CLA-2004:860 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) RHSA-2004:350 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt DSA-543 GLSA-200409-09 VU#795632 11078 2004-0045 TA04-247A kerberos-kdc-double-free(17157) oval:org.mitre.oval:def:10709 oval:org.mitre.oval:def:4936 Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code. CLA-2004:860 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) RHSA-2004:350 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt DSA-543 GLSA-200409-09 VU#866472 11078 2004-0045 TA04-247A kerberos-krb5rdcred-double-free(17159) oval:org.mitre.oval:def:10267 oval:org.mitre.oval:def:3322 The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. CLA-2004:860 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) RHSA-2004:350 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt DSA-543 GLSA-200409-09 VU#550464 11079 2004-0045 TA04-247A kerberos-asn1-library-dos(17160) oval:org.mitre.oval:def:10014 oval:org.mitre.oval:def:2139 Buffer overflow in the wvHandleDateTimePicture function in wv library (wvWare) 0.7.4 through 0.7.6 and 1.0.0 allows remote attackers to execute arbitrary code via a document with a long DateTime field. http://cpan.cybercomm.nl/pub/gentoo-portage/app-text/wv/files/wv-1.0.0-fix_overflow.patch CLA-2004:863 GLSA-200407-11 DSA-579 http://www.freebsd.org/ports/portaudit/7a5430df-d562-11d8-b479-02e0185c0b53.html 20040709 wvWare Library Buffer Overflow Vulnerability MDKSA-2004:077 FLSA:1906 wvware-wvhandledatetimepicture-bo(16660) Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields. VU#990200 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html 20040929 iDEFENSE Security Advisory 09.29.04 - Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerability 11245 coldfusion-jrun-verbose-bo(17485) shorewall 1.4.10c and earlier, and 2.0.x before 2.0.3a, allows local users to overwrite arbitrary files via a symlink attack on the chains-$$ temporary file. [Shorewall-announce] 20040628 URGENT: Shorewall Security Vulnerability GLSA-200407-07 MDKSA-2004:080 shorewall-symlink(16651) Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attackers to launch arbitrary programs via a URI referencing the shell: protocol. 20040707 shell:windows command question 20040708 Mozilla Security Advisory 2004-07-08 O-175 VU#927014 http://www.mozilla.org/projects/security/known-vulnerabilities.html http://www.mozilla.org/security/shell.html mozilla-shell-program-execution(16655) Buffer overflow in write_packet in control.c for l2tpd may allow remote attackers to execute arbitrary code. 20040604 bss-based buffer overflow in l2tpd GLSA-200407-17 DSA-530 l2tpd-writepacket-bo(16326) UploadServlet in Cisco Collaboration Server (CCS) running ServletExec before 3.0E allows remote attackers to upload and execute arbitrary files via a direct call to the UploadServlet URL. 20040630 Cisco Collaboration Server Vulnerability VU#718896 10639 ccs-servletexec-gain-privileges(16553) Unknown vulnerability in Sun Java Runtime Environment (JRE) 1.4.2 through 1.4.2_03 allows remote attackers to cause a denial of service (virtual machine hang). HPSBUX01044 57555 VU#118558 SSRT4749 10301 sun-java-dos(16085) BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_55.00.jsp 1009766 VU#352110 10133 bea-gain-privileges(15865) Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files. 57587 101519 O-172 VU#523710 10606 solaris-kerberos-password-plaintext(16450) oval:org.mitre.oval:def:2065 oval:org.mitre.oval:def:255 Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic). 57497 VU#901582 10594 solaris-bsm-audit-dos(16483) oval:org.mitre.oval:def:2426 eupdatedb in esearch 0.6.1 and earlier allows local users to create arbitrary files via a symlink attack on the esearchdb.py.tmp temporary file. GLSA-200407-01 10644 esearch-eupdatedb-symlink(16584) The accept_client function in PureFTPd 1.0.18 and earlier allows remote attackers to cause a denial of service by exceeding the maximum number of connections. GLSA-200407-04 http://www.pureftpd.org/ pure-ftpd-acceptclient-dos(16611) Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time. SSRT4718 VU#584606 ntp-integer-bo(15406) Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket. 20040622 linux kernel IEEE1394(Firewire) driver integer overflow linux-1394-integer-bo(16480) Buffer overflow in TranslateFilename for common.c in MPlayer 1.0pre4 allows remote attackers to execute arbitrary code via a long file name. 20040627 MPlayer MeMPlayer.c GLSA-200408-01 10615 mplayer-common-bo(16532) Cross-site scripting (XSS) vulnerability in (1) show_archives.php, (2) show_news.php, and possibly other php files in CuteNews 1.3.1 allows remote attackers to inject arbitrary script or HTML via the id parameter. 20040628 Cross-Site Scripting CuteNews cutenews-id-xss(16525) Integer signedness error in D-Link AirPlus DI-614+ running firmware 2.30 and earlier allows remote attackers to cause a denial of service (IP lease depletion) via a DHCP request with the LEASETIME option set to -1, which makes the DHCP lease valid for thirteen or more years. 20040628 DLINK 614+ - SOHO routers, DHCP service DOS 20040629 Re: DLINK 614+ - SOHO routers, system DOS 10621 dlink-dhcp-request-dos(16531) PowerPortal 1.x allows remote attackers to gain sensitive information via invalid or missing parameters in HTTP requests to (1) resize.php or (2) modules.php, which reveals the path in an error message. 20040628 Multiple vulnerabilities PowerPortal 10622 http://www.swp-zone.org/archivos/advisory-07.txt powerportal-path-disclosure(16529) Cross-site scripting (XSS) vulnerability in modules.php in PowerPortal 1.x allows remote attackers to inject arbitrary script or HTML via the (1) id parameter to the (a) private_messages module; (2) search parameter to the (b) links and (c) content modules; and (3) files parameter to the gallery module. 20040628 Multiple vulnerabilities PowerPortal powerportal-multiple-xss(16528) Directory traversal vulnerability in modules.php in PowerPortal 1.x allows remote attackers to list arbitrary directories via a .. (dot dot) in the files parameter. 20040628 Multiple vulnerabilities PowerPortal 10622 http://www.swp-zone.org/archivos/advisory-07.txt powerportal-dotdot-directory-traversal(16530) csFAQ.cgi in csFAQ allows remote attackers to gain sensitive information via an invalid database parameter, which reveals the path to the web server in an error message. 20040628 Full path disclosure csFAQ 10618 http://www.swp-zone.org/archivos/advisory-08.txt csfaq-path-disclosure(16526) Off-by-one error in the POP3_readmsg function in popclient 3.0b6 allows remote attackers to cause a denial of service (application crash) via an e-mail message with a certain line length, which leads to a buffer overflow. 20040629 DoS in popclient 3.0b6 20040629 DoS in popclient 3.0b6 http://www.grok.org.uk/advisories/popclient.html 10625 popclient-pop3readmsg-offbyone-bo(16538) Rule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 allows access to sys_creat, sys_open, and sys_mknod inside jails, which could allow local users to gain elevated privileges. 20040630 rsbac 1.2.3 jail security problems 20040702 Announce: RSBAC v1.2.3 released http://www.rsbac.org/download/bugfixes/ 10640 rsbac-jail-gain-privileges(16552) Web Access in Lotus Domino 6.5.1 allows remote attackers to cause a denial of service (server crash) via a large e-mail message, as demonstrated using a large image attachment. 20040630 DoS against Domino 6.5.1 10641 lotus-domino-web-dos(16596) Lotus Domino 6.5.0 and 6.5.1, with IMAP enabled, allows remote authenticated users to change their quota by using the IMAP setquota command. 20040630 Unprevileged user can change quota on Domino 10642 lotus-quota-change(16575) Prestige 650HW-31 running Rompager 4.7 software allows remote attackers to cause a denial of service (device reboot) via a long password. 20040630 DSL router Prestige 650HW-31 20040630 DSL router Prestige 650HW-31 10638 zyxel-long-password-dos(16547) Brightmail Spamfilter 6.0 and earlier beta releases allows remote attackers to read mail from other users by modifying the id parameter in a viewMsgDetails.do request. 20040701 Brightmail leaks other user's spam 20040714 Ref: http://www.securityfocus.com/archive/1/367866, Jul 1 2004 1:19PM, Subj: Brightmail 10657 symantec-brightmail-view-mail(16609) Multiple cross-site scripting (XSS) vulnerabilities in the primary and management web interfaces in Netegrity IdentityMinder Web Edition 5.6 allows remote attackers to execute script as other users via (1) script that starts with %00 in the numOfExpressions parameter or (2) the mobjtype parameter. 20040701 [HW-MED] XSS in Netegrity IdentityMinder 10645 identityminder-xss(16618) Cross-site scripting (XSS) vulnerability in SCI Photo Chat Server 3.4.9 allows remote attackers to execute arbitrary web script as other users via an invalid request that is echoed in the resulting error message. 20040702 XSS in SCI Photo Chat Server 3.4.9 10648 sci-server-xss(16602) Enterasys XSR-1800 series Security Routers, when running firmware 7.0.0.0 and using Policy-Based Routing, allow remote attackers to cause a denial of service (crash) via a packet with the IP record route option set. 20040702 Enterasys XSR Security Routers DoS http://www.enterasys.com/support/security/incidents/2004/07/11036.html 10653 xsr-ip-record-dos(16616) Cross-site scripting (XSS) vulnerability in (1) cart32.exe or (2) c32web.exe in Cart32 shopping cart allows remote attackers to execute arbitrary web script via the cart32 parameter to a GetLatestBuilds command. 20040703 Cart32 Input Validation Flaw in 'GetLatestBuilds?cart32=' Permits Remote Cross-Site Scripting Attacks 10617 cart32-getlatestbuilds-xss(16535) Directory traversal vulnerability in Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier allows remote attackers to create or delete arbitrary files via .. (dot dot) and // (double slash) sequences in the filename parameter. 20040704 Fastream NETFile FTP/Web Server Input validation Errors http://www.haxorcitos.com/Fastream_advisory.txt 10658 fastream-mkdir-file-upload(16613) Fastream NETFile FTP Server 6.7.2.1085 and earlier allows remote attackers to cause a denial of service (temporary hang) via the cd command with an unusual argument, possibly due to multiple leading slashes and/or an access to the floppy drive ("A"). 20040704 Fastream NETFile FTP/Web Server Input validation Errors fastream-cd-dos(16615) Cross-site scripting (XSS) in one2planet.infolet.InfoServlet in 12Planet Chat Server 2.9 allows remote attackers to execute arbitrary script as other users via the page parameter. 20040705 XSS in 12Planet Chat Server 2.9 10659 12planet-chat-server-xss(16605) The IP cloaking feature (cloak.c) in UnrealIRCd 3.2, and possibly other versions, uses a weak hashing scheme to hide IP addresses, which could allow remote attackers to use brute force methods to gain other user's IP addresses. 20040705 unreal ircd ip cloaking subsystem vulnerability 560 http://www.bandecon.com/advisory/unreal.txt 10663 http://www.unrealircd.com/ unreal-ircd-information-disclosure(16610) Zoom X3 ADSL modem has a terminal running on port 254 that can be accessed using the default HTML management password, even if the password has been changed for the HTTP interface, which could allow remote attackers to gain unauthorized access. 20040706 backdoor menu on conexant chipset dsl router (Zoom X3) 10669 conexant-chipset-settings-restore(16639) Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_customerAuthenticateForm.asp, (2) comersus_backoffice_message.asp, (3) comersus_supportError.asp, or (4) comersus_message.asp in Comersus Cart 5.09 allow remote attackers to execute web script as other users via the message parameter. This vulnerability is addressed in the following product update: Comersus Open Technologies, Comersus Cart, 5.098 20040707 Comersus Cart Cross-Site Scripting Vulnerability 10674 comersus-cart-xss(16646) comersus_gatewayPayPal.asp in Comersus Cart 5.09, and possibly other versions before 5.098, allows remote attackers to change the prices of items by directly modifying them in the URL. 20040707 Comersus Cart Improper Request Handling 10674 comersus-cart-price-modification(16645) Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories. 20040709 Norton AntiVirus Denial Of Service Vulnerability [Part: !!!] nav-compressed-dos(16658) WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, with the JunctionRewrite directive enabled, allows remote attackers to cause a denial of service via an HTTP GET request without any parameters. 20040708 CYBSEC - Security Advisory: Denial of Service in IBM WebSphere http://www.cybsec.com/vuln/IBM-WebSphere-Edge-Server-DOS.pdf ibm-edge-caching-dos(16607) Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921 DSA-1067 DSA-1069 DSA-1070 DSA-1082 GLSA-200408-24 VU#981134 RHSA-2004:504 RHSA-2004:505 10892 http://www.securityspace.com/smysecure/catid.html?id=14580 2004-0041 FLSA:2336 linux-usb-gain-privileges(16931) oval:org.mitre.oval:def:10665 Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the "mangling method = hash" option is enabled in smb.conf, has unknown impact and attack vectors. CLA-2004:851 CLA-2004:854 20040722 Security Release - Samba 3.0.5 and 2.2.10 20040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba) 20040722 TSSA-2004-014 - samba SSRT4782 FLSA:2102 101584 57664 GLSA-200407-21 MDKSA-2004:071 SUSE-SA:2004:022 RHSA-2004:259 2004-0039 samba-mangling-method-bo(16786) oval:org.mitre.oval:def:10461 Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file. CLA-2005:924 http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch APPLE-SA-2005-05-03 20040915 CESA-2004-004: libXpm http://scary.beasts.org/security/CESA-2004-003.txt 57653 DSA-560 GLSA-200409-34 GLSA-200502-07 VU#882750 MDKSA-2004:098 SUSE-SA:2004:034 FLSA-2006:152803 RHSA-2004:537 RHSA-2005:004 HPSBUX02119 11196 TA05-136A ADV-2006-1914 libxpm-multiple-stack-bo(17414) oval:org.mitre.oval:def:9187 USN-27-1 Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file. CLA-2005:924 http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch APPLE-SA-2005-05-03 20040915 CESA-2004-004: libXpm http://scary.beasts.org/security/CESA-2004-003.txt 57653 DSA-560 GLSA-200409-34 GLSA-200502-07 VU#537878 MDKSA-2004:098 SUSE-SA:2004:034 FLSA-2006:152803 RHSA-2004:537 RHSA-2005:004 HPSBUX02119 11196 TA05-136A ADV-2006-1914 libxpm-xpmfile-integer-overflow(17416) oval:org.mitre.oval:def:11796 USN-27-1 KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. CLA-2004:864 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities 200408-13 DSA-539 http://www.kde.org/info/security/advisory-20040811-1.txt kde-application-symlink(16963) oval:org.mitre.oval:def:9334 The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386 CLA-2004:864 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities 200408-13 VU#330638 http://www.kde.org/info/security/advisory-20040811-2.txt MDKSA-2004:086 10924 kde-dcopserver-symlink(16962) Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. 20040818 CESA-2004-004: qt GLSA-200408-20 201610 DSA-542 MDKSA-2004:085 SUSE-SA:2004:027 RHSA-2004:414 qt-bmp-bo(17040) oval:org.mitre.oval:def:9485 The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. FLSA:2314 GLSA-200408-20 201610 DSA-542 MDKSA-2004:085 SUSE-SA:2004:027 RHSA-2004:414 qt-xpm-dos(17041) oval:org.mitre.oval:def:10327 The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. GLSA-200408-20 201610 DSA-542 MDKSA-2004:085 SUSE-SA:2004:027 RHSA-2004:414 qt-gif-dos(17042) oval:org.mitre.oval:def:10883 Buffer overflow in LHA 1.14 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to "command line processing," a different vulnerability than CVE-2004-0771. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. RHSA-2004:323 RHSA-2004:440 oval:org.mitre.oval:def:9981 Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 and earlier allows remote attackers to execute arbitrary code via a long FTP command. ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt A071304-1 4dwebstar-long-ftp-bo(16686) The ShellExample.cgi script in 4D WebSTAR 5.3.2 and earlier allows remote attackers to list arbitrary directories via a URL with the desired path and a "*" (asterisk) character. ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt A071304-1 10721 4dwebstar-view-directory-listing(16687) Unknown vulnerability in 4D WebSTAR 5.3.2 and earlier allows remote attackers to read the php.ini configuration file and possibly obtain sensitive information. ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt A071304-1 4dwebstar-view-phpini-files(16688) 4D WebSTAR 5.3.2 and earlier allows local users to read and modify arbitrary files via a symlink attack. ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt A071304-1 4dwebstar-symlink(16689) Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. 1010799 http://www.checkpoint.com/techsupport/alerts/asn1.html O-190 VU#435358 10820 20040728 Check Point VPN-1 ASN.1 Decoding Remote Compromise vpn1-asn1-decoding-bo(16824) Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function. CLA-2004:857 [apache-modssl] 20040716 [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31 20040716 [OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache) http://packetstormsecurity.org/0407-advisories/modsslFormat.txt http://virulent.siyahsapka.org/ DSA-532 VU#303448 MDKSA-2004:075 RHSA-2004:405 RHSA-2004:408 10736 USN-177-1 FLSA:1888 apache-modssl-format-string(16705) Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 does not properly detect a smartcard removal when the card is quickly removed, reinserted, and removed again, which could cause a user session to stay logged in and allow local users to gain unauthorized access. 53922 VU#100780 7457 sun-ray-session-access(11905) DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password in an error message when the SQL server is not running, which could allow remote attackers to gain sensitive information. 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 10698 bugzilla-database-password-disclosure(16673) Unknown vulnerability in the administrative controls in Bugzilla 2.17.1 through 2.17.7 allows users with "grant membership" privileges to grant memberships to groups that the user does not control. 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 10698 bugzilla-editusers-gain-privileges(16672) Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in Bugzilla 2.16.x before 2.16.6, 2.18 before 2.18rc1, when configured to hide products, allows remote attackers to view hidden products. 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 10698 bugzilla-product-name-disclosure(16671) Multiple cross-site scripting (XSS) vulnerabilities in (1) editcomponents.cgi, (2) editgroups.cgi, (3) editmilestones.cgi, (4) editproducts.cgi, (5) editusers.cgi, and (6) editversions.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allow remote attackers to execute arbitrary JavaScript as other users via a URL parameter. http://bugzilla.mozilla.org/show_bug.cgi?id=235265 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 10698 bugzilla-edit-xss(16670) Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files. http://bugzilla.mozilla.org/show_bug.cgi?id=235510 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 10698 bugzilla-chart-view-password(16669) SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allows remote attackers with privileges to grant membership to any group to execute arbitrary SQL. http://bugzilla.mozilla.org/show_bug.cgi?id=244272 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 10698 bugzilla-editusers-sql-injection(16668) MoinMoin 1.2.1 and earlier allows remote attackers to gain privileges by creating a user with the same name as an existing group that has higher privileges. http://sourceforge.net/tracker/index.php?func=detail&aid=948103&group_id=8482&atid=108482 GLSA-200407-09 10568 moinmoin-gain-admin-access(16465) HP OpenView Select Access 5.0 through 6.0 does not correctly decode UTF-8 encoded unicode characters in a URL, which could allow remote attackers to bypass access restrictions. VU#205766 SSRT4719 10414 openview-select-gain-access(16247) IP Security VPN Services Module (VPNSM) in Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Routers running IOS before 12.2(17b)SXA, before 12.2(17d)SXB, or before 12.2(14)SY03 could allow remote attackers to cause a denial of service (device crash and reload) via a malformed Internet Key Exchange (IKE) packet. 20040408 Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability VU#904310 10083 cisco-vpnsm-ike-dos(15797) oval:org.mitre.oval:def:5696 The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp VU#184558 10184 weblogic-urlpattern-obtain-information(15927) The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_58.00.jsp VU#574222 10188 weblogic-admin-password-plaintext(15926) The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp VU#658878 10185 weblogic-ejb-object-deletion(15928) Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption). 20040420 Vulnerabilities in SNMP Message Processing VU#162451 10186 TA04-111B cisco-ios-snmp-udp-dos(15921) oval:org.mitre.oval:def:5845 The WebLogic Authentication provider for BEA WebLogic Server and WebLogic Express 8.1 through SP2 and 7.0 through SP4 does not properly clear member relationships when a group is deleted, which can cause a new group with the same name to have the members of the old group, which allows group members to gain privileges. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.01.jsp 1009763 VU#470470 10130 weblogic-authentication-gain-privileges(15861) Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper (epmap) on HP-UX 11 allows remote attackers to execute arbitrary code via a request with a small fragment length and a large amount of data. http://support.entegrity.com/private/patches/dce/ssrt4741.asp A072204-1 Opera 7.51 for Windows and 7.50 for Linux does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=246448 FLSA:2089 DSA-777 DSA-810 MDKSA-2004:082 SUSE-SA:2004:036 RHSA-2004:421 15495 http-frame-spoof(1598) oval:org.mitre.oval:def:4756 oval:org.mitre.oval:def:9997 Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, and possibly other versions, does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) Safari 1.2.2 does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CLA-2004:864 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities 200408-13 http://www.kde.org/info/security/advisory-20040811-3.txt http-frame-spoof(1598) oval:org.mitre.oval:def:11371 Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=236618 http://www.idefense.com/application/poi/display?id=117&type=vulnerabilities SUSE-SA:2004:036 RHSA-2004:421 15495 mozilla-netscape-soapparameter-bo(16862) oval:org.mitre.oval:def:4629 oval:org.mitre.oval:def:9378 Microsoft Java virtual machine (VM) 5.0.0.3810 allows remote attackers to bypass sandbox restrictions to read or write certain data between applets from different domains via the "GET/Key" and "PUT/Key/Value" commands, aka "cross-site Java." 20040710 Covert Channels allow Cross-Site-Java in Microsoft VM 10688 msjvm-sandbox-bypass(16666) The Half-Life engine before July 7 2004 allows remote attackers to cause a denial of service (server or client crash) via an empty fragmented packet. 20040712 Remote crash of Half-Life servers and clients (versions before the 07 July 2004) 10700 halflife-packet-dos(16674) Cross-site scripting (XSS) vulnerability in help.php in Moodle 1.3.2 and 1.4 dev allows remote attackers to inject arbitrary web script or HTML via the file parameter. http://cvs.sourceforge.net/viewcvs.py/moodle/moodle/help.php 20040713 Moodle XSS Vulnerability 10718 moodle-help-file-xss(16684) The Windows Media Player control in Microsoft Windows 2000 allows remote attackers to execute arbitrary script in the local computer zone via an ASX filename that contains javascript, which is executed in the local context in a preview panel. 20040711 Media Preview Script Execution Vulnerability 10693 win2k-media-code-execution(16704) Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm 20040711 MSIE Similar Method Name Redirection Cross Site/Zone Scripting VU#207264 TA04-293A MS04-038 ie-function-redirect-xss(16681) oval:org.mitre.oval:def:4702 oval:org.mitre.oval:def:6829 oval:org.mitre.oval:def:7084 oval:org.mitre.oval:def:7448 oval:org.mitre.oval:def:7496 oval:org.mitre.oval:def:7906 The Remote Control Client service in Microsoft's Systems Management Server (SMS) 2.50.2726.0 allows remote attackers to cause a denial of service (crash) via a data packet to TCP port 2702 that causes the server to read or write to an invalid memory address. 20040714 [HV-MED] DoS in Microsoft SMS Client sms-remote-service-dos(16696) PhpBB 2.0.8 allows remote attackers to gain sensitive information via an invalid (1) category_rows parameter to index.php, (2) faq parameter to faq.php, or (3) ranksrow parameter to profile.php, which reveal the full path in an error message. 20040716 [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8] http://www.waraxe.us/index.php?modname=sa&id=34 phpbb-indexphp-path-disclosure(16716) phpbb-lang-faq-path-disclosure(16720) phpbb-usercpviewprofile-path-disclosure(16723) Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parameter in lang_faq.php as accessible from faq.php, or (3) the faq[0][0] parameter in lang_bbcode.php as accessible from faq.php. 20040716 [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8] 10738 http://www.waraxe.us/index.php?modname=sa&id=34 phpbb-indexphp-xss(16724) phpbb-lang-faq-xss(16725) phpbb-lang-bbcode-xss(16726) Cross-site scripting (XSS) vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary script as other users via the input field. 20040716 [waraxe-2004-SA#035 - Multiple security holes in PhpNuke - part 2] http://www.waraxe.us/index.php?modname=sa&id=35 phpnuke-search-module-xss(16721) SQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter. 20040716 [waraxe-2004-SA#035 - Multiple security holes in PhpNuke - part 2] http://www.waraxe.us/index.php?modname=sa&id=35 phpnuke-search-module-sql-injection(16728) Format string vulnerability in OllyDbg 1.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are directly provided to the OutputDebugString function call. 20040717 [FMADV] Format String Bug in OllyDbg 1.10 20040717 [FMADV] Format String Bug in OllyDbg 1.10 10742 ollydbg-outputdebugstring-format-string(16711) 3757 Web_Store.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter. 20040717 Web_Store.cgi allows Command Execution 10744 extropia-webstore-command-execution(16710) Buffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlier, (2) Breakthrough 2.40b and earlier, and (3) Spearhead 2.15 and earlier, when playing on a Local Area Network (LAN), allows remote attackers to execute arbitrary code via vectors such as (1) the getinfo query, (2) the connect packet, and other unknown vectors. 20040717 Medal of Honor remote buffer-overflow 10743 medalofhonor-packet-bo(16715) The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message. 20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3] phpnuke-asterisk-plus-path-disclosure(16736) Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters. 20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3] phpnuke-search-module-xss(16721) Multiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters. 20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3] phpnuke-search-min-sql-injection(16737) Buffer overflow in Whisper FTP Surfer 1.0.7 allows remote FTP servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long filename. 20040719 Buffer overflow in Whisper FTP Surfer 1.0.7 20040719 Buffer overflow in Whisper FTP Surfer 1.0.7 whisper-long-file-name-bo(16742) The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow. 20040720 Denial of Service vulnerability in several Lexmark HTTP servers lexmark-long-host-bo(16752) LionMax Software WWW File Share Pro 2.60 allows remote attackers to cause a denial of service (crash or hang) via a long URL, possibly triggering a buffer overflow. 20040720 dos_in_file_share_2.6 wwwfilesharepro-http-get-dos(16754) Sun Java System Portal Server 6.2 (formerly Sun ONE) allows remote authenticated users to obtain Calendar Server privileges and modify Calendar data by changing the display options to a non-default view. 57586 VU#881254 10788 sunjavaportal-calendar-gain-access(16776) Safari in Mac OS X before 10.3.5, after sending form data using the POST method, may re-send the data to a GET method URL if that URL is redirected after the POST data and the user uses the forward or backward buttons, which may cause an information leak. APPLE-SA-2004-09-09 VU#128414 safari-web-info-disclosure(16944) The TCP/IP Networking component in Mac OS X before 10.3.5 allows remote attackers to cause a denial of service (memory and resource consumption) via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. http://digital.net/~gandalf/Rose_Frag_Attack_Explained.txt 20040331 IPv4 fragmentation --> The Rose Attack 20040427 Source Code To Test IPv4 fragmentation --> The Rose Attack APPLE-SA-2004-09-09 macos-tcp-ip-dos(16946) LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name. GLSA-200409-13 RHSA-2004:323 RHSA-2004:440 FLSA:1833 lha-metacharacter-command-execution(17198) oval:org.mitre.oval:def:11088 Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk and .firm.in, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. CLA-2004:864 20040823 KDE Security Advisory: Konqueror Cross-Domain Cookie Injection http://www.kde.org/info/security/advisory-20040823-1.txt MDKSA-2004:086 10991 kde-konqueror-cookie-set(17063) oval:org.mitre.oval:def:11281 Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables. 1011303 http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147 GLSA-200409-21 VU#481998 MDKSA-2004:096 SUSE-SA:2004:032 RHSA-2004:463 2004-0047 ADV-2009-1233 apache-env-configuration-bo(17384) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11561 mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop. GLSA-200409-21 MDKSA-2004:096 SUSE-SA:2004:030 RHSA-2004:349 2004-0047 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130750 apache-modssl-dos(17200) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11126 The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames. FEDORA-2004-318 http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt GLSA-200409-35 11243 subversion-information-disclosure(17472) Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and prevent the all_squash option from being applied. RHSA-2004:434 FLSA:152787 11240 red-hat-permission-gain-privileges(17478) oval:org.mitre.oval:def:10696 The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault). 20040911 Remote buffer overflow in Apache mod_ssl when reverse proxying SSL http://issues.apache.org/bugzilla/show_bug.cgi?id=30134 GLSA-200409-21 MDKSA-2004:096 SUSE-SA:2004:030 RHSA-2004:463 2004-0047 apache-modssl-speculative-dos(17273) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11864 OpenOffice (OOo) 1.1.2 creates predictable directory names with insecure permissions during startup, which may allow local users to read or list files of other users. 20040910 OpenOffice World-Readable Temporary Files Disclose Files to Local Users 1011205 http://www.openoffice.org/issues/show_bug.cgi?id=33357 RHSA-2004:446 11151 openofficeorg-tmpfile-insecure-permissions(17312) oval:org.mitre.oval:def:10294 The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file. CLA-2004:875 DSA-546 VU#825374 MDKSA-2004:095 MDKSA-2005:214 RHSA-2004:447 RHSA-2004:466 FLSA-2005:155510 11195 FLSA:2005 gtk-bmp-dos(17383) oval:org.mitre.oval:def:10585 Integer overflow in Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the size variable in Groupware server messages. http://gaim.sourceforge.net/security/?id=2 1011083 FEDORA-2004-278 FEDORA-2004-279 GLSA-200408-27 RHSA-2004:400 11056 gaim-groupware-integer-overflow(17140) oval:org.mitre.oval:def:10220 The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. DSA-537 GLSA-200409-08 MDKSA-2004:128 ruby-filestore-pstore-insecure-permission(16996) oval:org.mitre.oval:def:11128 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=229374 FLSA:2089 VU#561022 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 SUSE-SA:2004:036 RHSA-2004:421 15495 mozilla-senduidl-pop3-bo(16869) oval:org.mitre.oval:def:11042 oval:org.mitre.oval:def:3250 Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=249004 FLSA:2089 GLSA-200408-22 VU#784278 http://www.mozilla.org/projects/security/known-vulnerabilities.html SUSE-SA:2004:036 RHSA-2004:421 15495 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186 mozilla-certificate-dos(16706) oval:org.mitre.oval:def:10304 oval:org.mitre.oval:def:3134 Mozilla before 1.7 allows remote web servers to read arbitrary files via Javascript that sets the value of an <input type="file"> tag. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=241924 FLSA:2089 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 SUSE-SA:2004:036 RHSA-2004:421 15495 mozilla-warning-file-upload(16870) oval:org.mitre.oval:def:11153 Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=250906 FLSA:2089 SUSE-SA:2004:036 RHSA-2004:421 15495 mozilla-modify-mime-type(16691) oval:org.mitre.oval:def:11090 oval:org.mitre.oval:def:1227 Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=240053 FLSA:2089 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 SUSE-SA:2004:036 RHSA-2004:421 15495 mozilla-redirect-ssl-spoof(16871) oval:org.mitre.oval:def:3603 oval:org.mitre.oval:def:9240 Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. SCOSA-2005.49 20040407 Race conditions in security dialogs http://bugzilla.mozilla.org/show_bug.cgi?id=162020 FLSA:2089 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 SUSE-SA:2004:036 RHSA-2004:421 15495 http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ mozilla-dialog-code-execution(16623) oval:org.mitre.oval:def:10032 oval:org.mitre.oval:def:4403 Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=253121 20040725 Mozilla Firefox Certificate Spoofing 20040726 Mozilla Firefox Certificate Spoofing FLSA:2089 http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory GLSA-200408-22 http://www.mozilla.org/projects/security/known-vulnerabilities.html SUSE-SA:2004:036 RHSA-2004:421 15495 mozilla-ssl-certificate-spoofing(16796) oval:org.mitre.oval:def:3989 oval:org.mitre.oval:def:9436 Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. SCOSA-2005.49 http://bugzilla.mozilla.org/show_bug.cgi?id=244965 FLSA:2089 VU#262350 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 SUSE-SA:2004:036 RHSA-2004:421 10832 15495 mozilla-user-interface-spoofing(16837) oval:org.mitre.oval:def:2418 oval:org.mitre.oval:def:9419 The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates. http://bugzilla.mozilla.org/show_bug.cgi?id=234058 FLSA:2089 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 SUSE-SA:2004:036 RHSA-2004:421 mozilla-certtesthostname-certificate-spoof(16868) oval:org.mitre.oval:def:11162 NGSEC StackDefender 2.0 allows attackers to cause a denial of service (system crash) via an invalid address for the BaseAddress parameter to the hooks for the (1) ZwAllocateVirtualMemory or (2) ZwProtectVirtualMemory functions. http://www.idefense.com/application/poi/display?id=119&type=vulnerabilities&flashstatus=false stackdefender-baseaddress-dos(16892) NGSEC StackDefender 1.10 allows attackers to cause a denial of service (system crash) via an invalid address for the ObjectAttribues parameter to the hooks for the (1) ZwCreateFile or (2) ZwOpenFile functions. http://www.idefense.com/application/poi/display?id=118&type=vulnerabilities&flashstatus=false stackdefender-objectattributes-dos(16879) libpng 1.2.5 and earlier does not properly calculate certain buffer offsets, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. GLSA-200812-15 DSA-536 FLSA:1943 libpng-offset-bo(16914) Buffer overflow in LHA allows remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive, as originally demonstrated using the "x" option but also exploitable through "l" and "v", and fixed in header.c, a different issue than CVE-2004-0771. http://bugs.gentoo.org/show_bug.cgi?id=51285 http://lw.ftw.zamosc.pl/lha-exploit.txt 20040616 Re: [SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities; Re: GLSA-200409-13 RHSA-2004:323 RHSA-2004:440 FLSA:1833 lha-long-pathname-bo(16917) oval:org.mitre.oval:def:11047 romload.c in DGen Emulator 1.23 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files during decompression of (1) gzip or (2) bzip ROM files. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263282&archive=yes 10855 dgen-rom-decompression-symlink(16884) Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. http://bugs.gentoo.org/show_bug.cgi?id=51285 20040606 Re: [SECURITY] [DSA 515-1] New lha packages fix several GLSA-200409-13 RHSA-2004:323 RHSA-2004:440 20040515 lha buffer overflow(s) again 10354 FLSA:1833 lha-extractone-bo(16196) oval:org.mitre.oval:def:9595 Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code. CLA-2004:860 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt DSA-543 GLSA-200409-09 VU#350792 MDKSA-2004:088 11078 2004-0045 TA04-247A kerberos-krb524d-double-free(17158) oval:org.mitre.oval:def:4661 RealNetworks Helix Universal Server 9.0.2 for Linux and 9.0.3 for Windows allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. 20041007 RealNetworks Helix Server Content-Length Denial of Service Vulnerability helix-post-dos(17648) Buffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in products such as BTStackServer 1.3.2.7 and 1.4.2.10, Windows XP and Windows 98 with MSI Bluetooth Dongles, and HP IPAQ 5450 running WinCE 3.0, allows remote attackers to execute arbitrary code via certain service requests. 20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows 20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows http://www.internetnews.com/security/article.php/3394181 http://www.pentest.co.uk/documents/ptl-2004-03.html 20051204 have you ever been BluePIMped? bluetooth-btw-service-bo(16953) Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code. GLSA-200408-19 10976 2004-0043 20040818 Courier-IMAP Remote Format String Vulnerability courierimap-authdebug-format-string(17034) CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. 20040816 CVS Undocumented Flag Information Disclosure Vulnerability VU#579225 MDKSA-2004:108 10955 cvs-history-info-disclosure(17001) oval:org.mitre.oval:def:10688 The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers do not properly verify that cached passwords for SSL encrypted sites are only sent via SSL encrypted sessions to the site, which allows a remote attacker to cause a cached password to be sent in cleartext to a spoofed site. http://bugzilla.mozilla.org/show_bug.cgi?id=226278 MDKSA-2004:082 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 mozilla-plaintext-password(17018) Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument. 1015455 101933 http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 20060110 Sun Solaris uustat Buffer Overflow Vulnerability 16193 ADV-2006-0113 solaris-uustat-bo(24045) Cross-site scripting (XSS) vulnerability in list.cgi in the Icecast internal web server (icecast-server) 1.3.12 and earlier allows remote attackers to inject arbitrary web script via the UserAgent parameter. DSA-541 11021 icecast-list-useragent-xss(17086) Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). CLA-2004:875 20040915 CESA-2004-005: gtk+ XPM decoder http://scary.beasts.org/security/CESA-2004-005.txt 101776 DSA-546 VU#729894 MDKSA-2004:095 MDKSA-2005:214 RHSA-2004:447 RHSA-2004:466 FLSA-2005:155510 11195 FLSA:2005 gtk-xpm-pixbufcreatefromxpm-bo(17386) oval:org.mitre.oval:def:11539 oval:org.mitre.oval:def:1617 Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). CLA-2004:875 20040915 CESA-2004-005: gtk+ XPM decoder http://scary.beasts.org/security/CESA-2004-005.txt 101776 VU#369358 MDKSA-2004:095 MDKSA-2004:096 MDKSA-2005:214 RHSA-2004:447 RHSA-2004:466 FLSA-2005:155510 11195 FLSA:2005 gtk-xpm-xpmextractcolor-bo(17385) oval:org.mitre.oval:def:1786 oval:org.mitre.oval:def:9348 The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. http://gaim.sourceforge.net/security/?id=1 FEDORA-2004-278 FEDORA-2004-279 GLSA-200408-27 RHSA-2004:400 gaim-smiley-command-execution(17144) oval:org.mitre.oval:def:10008 Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder. http://gaim.sourceforge.net/security/?id=3 http://gaim.sourceforge.net/security/?id=4 http://gaim.sourceforge.net/security/?id=5 1011083 FEDORA-2004-278 FEDORA-2004-279 GLSA-200408-27 RHSA-2004:400 11056 gaim-rtf-bo(17141) gaim-hostname-bo(17142) gaim-url-bo(17143) oval:org.mitre.oval:def:10907 The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool. GLSA-200409-21 MDKSA-2004:096 SUSE-SA:2004:032 RHSA-2004:463 2004-0047 apache-ipv6-aprutil-dos(17382) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11380 Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the form input fields. 20040906 OpenCA Security Advisory: Cross Site Scripting vulnerability http://www.openca.org/news/CAN-2004-0787.txt 11113 openca-frontend-xss(17274) Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file. CLA-2004:875 DSA-546 VU#577654 MDKSA-2004:095 MDKSA-2005:214 RHSA-2004:447 RHSA-2004:466 FLSA-2005:155510 11195 FLSA:2005 gtk-ico-integer-bo(17387) oval:org.mitre.oval:def:10506 Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet. 1012157 http://www.niscc.gov.uk/niscc/docs/al-20041130-00862.html?lang=en http://www.niscc.gov.uk/niscc/docs/re-20041109-00957.pdf http://www.posadis.org/advisories/pos_adv_006.txt 11642 dns-localhost-dos(17997) Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. SCOSA-2006.4 SSRT4743 19 57 101658 57746 http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html HPSBUX01164 SSRT061264 13124 http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en ADV-2006-3983 http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt MS05-019 MS06-064 oval:org.mitre.oval:def:1177 oval:org.mitre.oval:def:176 oval:org.mitre.oval:def:1910 oval:org.mitre.oval:def:211 oval:org.mitre.oval:def:3458 oval:org.mitre.oval:def:412 oval:org.mitre.oval:def:4804 oval:org.mitre.oval:def:514 oval:org.mitre.oval:def:53 oval:org.mitre.oval:def:622 Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. SCOSA-2006.4 SSRT4743 19 57 101658 57746 http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html RHSA-2005:016 RHSA-2005:017 RHSA-2005:043 HPSBUX01164 FLSA:157459-1 FLSA:157459-2 13124 http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt oval:org.mitre.oval:def:10228 oval:org.mitre.oval:def:1112 oval:org.mitre.oval:def:184 oval:org.mitre.oval:def:464 oval:org.mitre.oval:def:596 oval:org.mitre.oval:def:688 oval:org.mitre.oval:def:726 Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files. 20040816 TSSA-2004-020-ES - rsync 20040817 LNSA-#2004-0017: rsync (Aug, 17 2004) http://samba.org/rsync/#security_aug04 DSA-538 GLSA-200408-17 MDKSA-2004:083 SUSE-SA:2004:026 2004-0042 oval:org.mitre.oval:def:10561 The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file. 20040830 Possible root compromose with bsdmainutils 6.0.x < 6.0.15 (Debian testing/unstable) 11077 bsdmainutils-calendar-gain-privileges(17162) Multiple signal handler race conditions in lukemftpd (aka tnftpd before 20040810) allow remote authenticated attackers to cause a denial of service or execute arbitrary code. NetBSD-SA2004-009 20040817 Multiple remote vulnerabilities in lukemftpd aka. tnftpd DSA-551 http://www.vuxml.org/freebsd/c4b025bb-f05d-11d8-9837-000c41e2cdad.html tnftpd-gain-access(17020) DB2 8.1 remote command server (DB2RCMD.EXE) executes the db2rcmdc.exe program as the db2admin administrator, which allows local users to gain privileges via the DB2REMOTECMD named pipe. 20040309 IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004) http://www.nextgenss.com/advisories/db2rmtcmd.txt 9821 IY53894 db2-rcs-gain-privileges(15420) SpamAssassin 2.5x, and 2.6x before 2.64, allows remote attackers to cause a denial of service via certain malformed messages. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337 [spamassassin-announce] 20040805 [SA-Announce] SpamAssassin 2.64 is released! GLSA-200408-06 MDKSA-2004:084 10957 FLSA:2268 spamassassin-dos(16938) oval:org.mitre.oval:def:10413 The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash). SCOSA-2006.6 SCOSA-2004.17 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253 CLA-2004:865 CLA-2004:878 20040825 [OpenPKG-SA-2004.038] OpenPKG Security Advisory (zlib) GLSA-200408-26 1011085 VU#238678 MDKSA-2004:090 SUSE-SA:2004:029 11051 SSA:2004-278 FLSA:2043 zlib-inflate-inflateback-dos(17119) Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter. 20040825 Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html 11043 whatsup-maincfgret-bo(17111) 566 The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm". 20040916 Ipswitch WhatsUp Gold Remote Denial of Service Vulnerability http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html whatsup-get-prn-dos(17418) Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value. O-202 20040824 CDE Mailer argv[0] Format String Vulnerability VU#928598 11027 dtmail-argv-format-string(17095) oval:org.mitre.oval:def:4030 Unknown vulnerability in foomatic-rip in Foomatic before 3.0.2 allows local users or remote attackers with access to CUPS to execute arbitrary commands. SCOSA-2005.12 CLA-2004:880 SUSE-SA:2006:026 201005 1000757 SUSE-SA:2004:031 11184 2004-0047 foomatic-command-execution(17388) Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote attackers to execute arbitrary code via a specially-crafted BMP image, a different vulnerability than CVE-2004-0817. http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/ChangeLog?rev=1.20&view=markup CLA-2004:870 201611 GLSA-200409-12 11084 http://www.vuxml.org/freebsd/ba005226-fb5b-11d8-9837-000c41e2cdad.html imlib2-bmp-bo(17183) Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. CLA-2004:888 20041013 CESA-2004-006: libtiff http://scary.beasts.org/security/CESA-2004-006.txt 101677 201072 DSA-567 GLSA-200410-11 VU#948752 http://www.kde.org/info/security/advisory-20041209-2.txt MDKSA-2004:109 MDKSA-2005:052 SUSE-SA:2004:038 RHSA-2004:577 RHSA-2005:021 RHSA-2005:354 11406 libtiff-library-decoding-bo(17703) oval:org.mitre.oval:def:100114 oval:org.mitre.oval:def:8896 Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452. http://bugzilla.remotesensing.org/show_bug.cgi?id=111 CLA-2004:888 101677 201072 DSA-567 VU#555304 http://www.kde.org/info/security/advisory-20041209-2.txt MDKSA-2004:109 MDKSA-2005:052 SUSE-SA:2004:038 RHSA-2004:577 RHSA-2005:021 RHSA-2005:354 libtiff-dos(17755) oval:org.mitre.oval:def:100115 oval:org.mitre.oval:def:11711 Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file. 20040907 mpg123 buffer overflow vulnerability http://www.alighieri.org/advisories/advisory-mpg123.txt DSA-564 GLSA-200409-20 MDKSA-2004:100 20040916 mpg123 buffer overflow vulnerability 11121 mpg123-layer2c-bo(17287) cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. 20060401-01-U 20040909 Bugtraq: cdrecord local root exploit 1011091 20040910 CAU-EX-2004-0002: cdrecord-suidshell.sh VU#700326 MDKSA-2004:091 11075 FLSA:2058 cdrecord-rsh-gain-privileges(17303) oval:org.mitre.oval:def:9805 Samba 3.0.6 and earlier allows remote attackers to cause a denial of service (infinite loop and memory exhaustion) via certain malformed requests that cause new processes to be spawned and enter an infinite loop. CLA-2004:873 20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808) 20040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba) GLSA-200409-16 20040913 Samba 3.x SMBD Remote Denial of Service Vulnerability RHSA-2004:467 2004-0046 oval:org.mitre.oval:def:11141 The process_logon_packet function in the nmbd server for Samba 3.0.6 and earlier, when domain logons are enabled, allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided. CLA-2004:873 20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808) 20040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba) GLSA-200409-16 20040913 Samba nmbd Invalid Length Denial of Service Vulnerability RHSA-2004:467 2004-0046 oval:org.mitre.oval:def:10344 The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access. http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/fs/lock.c?r1=1.32&r2=1.33 DSA-558 GLSA-200409-21 RHSA-2004:463 2004-0047 apache-moddav-lock-dos(17366) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:9588 Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407. 20041119 Corsaire Security Advisory - Netopia Timbuktu remote buffer overflow issue http://www.corsaire.com/advisories/c040720-001.txt 11714 http://www.uniras.gov.uk/vuls/2004/190204/index.htm timbuktu-multiple-connections-dos(18172) Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration. FEDORA-2004-313 GLSA-200409-33 http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch http://www.apacheweek.com/features/security-20 11239 2004-0049 apache-satisfy-gain-access(17473) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with "setting up TSS limits," allows local users to cause a denial of service (crash) and possibly execute arbitrary code. http://linux.bkbits.net:8080/linux-2.6/cset@3fad673ber4GuU7iWppydzNIyLntEQ P-047 RHSA-2004:549 11794 linux-tss-gain-privilege(18346) oval:org.mitre.oval:def:11375 Unknown vulnerability in the SG_IO functionality in ide-cd allows local users to bypass read-only access and perform unauthorized write and erase operations. 20070602-01-P 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player http://lkml.org/lkml/2004/7/30/147 GLSA-200711-23 RHSA-2007:0465 25749 ADV-2007-3229 linux-sgio-gain-privileges(17505) oval:org.mitre.oval:def:10011 Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131672 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133110 20041214 [USN-38-1] Linux kernel vulnerabilities MDKSA-2005:022 RHSA-2005:293 20041020 CAN-2004-0814: Linux terminal layer races 11491 11492 FLSA:2336 linux-tiocsetd-race-condition(17816) oval:org.mitre.oval:def:10728 The unix_clean_name function in Samba 2.2.x through 2.2.11, and 3.0.x before 3.0.2a, trims certain directory names down to absolute paths, which could allow remote attackers to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames. CLA-2004:873 20040930 Samba Security Announcement -- Potential Arbitrary File Access 101584 57664 200529 http://us4.samba.org/samba/news/#security_2.2.12 DSA-600 20040930 Samba Arbitrary File Access Vulnerability MDKSA-2004:104 SUSE-SA:2004:035 RHSA-2004:498 20041005 ERRATA: Potential Arbitrary File Access (CAN-2004-0815) 11281 2004-0051 FLSA:2102 samba-file-access(17556) Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet. MDKSA-2005:022 SUSE-SA:2004:037 11488 linux-ip-packet-dos(17800) Multiple heap-based buffer overflows in the imlib BMP image handler allow remote attackers to execute arbitrary code via a crafted BMP file. CLA-2004:870 201611 DSA-548 GLSA-200409-12 MDKSA-2004:089 RHSA-2004:465 11084 imlib-bmp-bo(17182) oval:org.mitre.oval:def:8843 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. The bridge functionality in OpenBSD 3.4 and 3.5, when running a gateway configured as a bridging firewall with the link2 option for IPSec enabled, allows remote attackers to cause a denial of service (crash) via an ICMP echo (ping) packet. 20040825 Vulnerability: OpenBSD 3.5 Kernel Panic. 20040826 028: RELIABILITY FIX: August 26, 2004 openbsd-icmp-echo-dos(17129) Winamp before 5.0.4 allows remote attackers to execute arbitrary script in the Local computer zone via script in HTML files that are referenced from XML files contained in a .wsz skin file. ESB-2004.0537 http://www.frsirt.com/exploits/08252004.skinhead.php winamp-wsz-execute-code(17124) The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges. APPLE-SA-0024-09-07 O-212 VU#704110 11135 macos-corefoundation-gain-privileges(17291) Buffer overflow in The Core Foundation framework (CoreFoundation.framework) in Mac OS X 10.2.8, 10.3.4, and 10.3.5 allows local users to execute arbitrary code via a certain environment variable. O-212 VU#545446 APPLE-SA-2004-09-07 11136 macos-corefoundation-bo(17295) OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them. http://support.avaya.com/elmodocs2/security/ASA-2006-157.htm ESB-2004.0559 RHSA-2005:751 APPLE-SA-2004-09-07 11137 openldap-crypt-gain-access(17300) oval:org.mitre.oval:def:10703 PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files. 1011175 ESB-2004.0559 O-212 APPLE-SA-2004-09-07 11139 macosx-pppdialer-symlink(17298) QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3.5 allows remote attackers to cause a denial of service (application deadlock) via a certain sequence of operations. 20040908 Re: Apple, Apple Remote Desktop client [Multiple vulnerabilities] 1011176 O-212 VU#914870 APPLE-SA-2004-09-07 11138 quicktime-dos(17294) Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. SSRT4779 11015 20040823 Netscape NSS Library Remote Compromise sslv2-client-hello-overflow(16314) Multiple buffer overflows in the ImageMagick graphics library 5.x before 5.4.4, and 6.x before 6.0.6.2, allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via malformed (1) AVI, (2) BMP, or (3) DIB files. 231321 201006 DSA-547 RHSA-2004:480 RHSA-2004:494 ADV-2008-0412 imagemagick-bmp-Bo(17173) oval:org.mitre.oval:def:11123 The ctstrtcasd program in RSCT 2.3.0.0 and earlier on IBM AIX 5.2 and 5.3 does not properly drop privileges before executing the -f option, which allows local users to modify or create arbitrary files. 1011429 11264 ctstrtcasd-file-overwrite(17514) smbd in Samba before 2.2.11 allows remote attackers to cause a denial of service (daemon crash) by sending a FindNextPrintChangeNotify request without a previous FindFirstPrintChangeNotify, as demonstrated by the SMB client in Windows XP SP2. http://samba.org/samba/history/samba-2.2.11.html 20040831 Samba FindNextPrintChangeNotify() Error Lets Remote Authenticated Users Crash smbd GLSA-200409-14 2004-0043 samba-findnextprintchangenotify-dos(17138) The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet. 20040910 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerability http://www.f-secure.com/security/fsc-2004-2.shtml 20040909 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerability 11145 fsecure-content-scanner-dos(17307) McAfee VirusScan 4.5.1 does not drop SYSTEM privileges before allowing users to browse for files via the "System Scan" properties of the System Tray applet, which could allow local users to gain privileges. 20040915 McAfee VirusScan Privilege Escalation Vulnerability [iDEFENSE] 20040914 McAfee VirusScan Privilege Escalation Vulnerability mcafee-virusscan-gain-privileges(17367) The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy. FLSA-2006:152809 GLSA-200409-04 MDKSA-2004:093 11098 http://www.squid-cache.org/bugs/show_bug.cgi?id=1045 2004-0047 http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlm_fetch_string squid-ntlmssp-dos(17218) oval:org.mitre.oval:def:10489 Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages. DSA-554 11262 sendmail-mail-relay(17531) Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3. http://sourceforge.net/project/showfiles.php?group_id=32758&package_id=28264&release_id=271734 http://speedtouch.sourceforge.net/index.php?/news.en.html http://www.mail-archive.com/speedtouch@ml.free.fr/msg06688.html speedtouch-format-string(17792) MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities. http://bugs.mysql.com/bug.php?id=3270 CLA-2004:892 http://lists.mysql.com/internals/13073 1011606 101864 P-018 DSA-562 GLSA-200410-22 http://www.mysql.org/doc/refman/4.1/en/news-4-0-19.html http://www.mysql.org/doc/refman/4.1/en/news-4-1-2.html RHSA-2004:597 RHSA-2004:611 11357 2004-0054 mysql-alter-restriction-bypass(17666) Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length). http://bugs.mysql.com/bug.php?id=4017 CLA-2004:892 http://lists.mysql.com/internals/14726 20041125 [USN-32-1] mysql vulnerabilities P-018 DSA-562 GLSA-200410-22 RHSA-2004:597 RHSA-2004:611 10981 2004-0054 mysql-realconnect-bo(17047) MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs. http://bugs.mysql.com/2408 CLA-2004:892 http://lists.mysql.com/internals/16168 http://lists.mysql.com/internals/16173 http://lists.mysql.com/internals/16174 20041125 [USN-32-1] mysql vulnerabilities http://mysql.bkbits.net:8080/mysql-3.23/diffs/myisammrg/myrg_open.c@1.15 1011606 101864 P-018 DSA-562 GLSA-200410-22 RHSA-2004:597 RHSA-2004:611 11357 2004-0054 mysql-union-dos(17667) Lexar Safe Guard for JumpDrive Secure 1.0 stores the password insecurely in memory using XOR encryption, which allows local users to read the password directly from the device and access the password protected part of the drive. A091304-1 11162 jumpdrive-safeguard-obtain-password(17342) Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". 20040818 What A Drag II XP SP2 20040824 What A Drag! -revisited- 20040818 What A Drag II XP SP2 VU#526089 10973 TA04-293A MS04-038 ie-dragdrop-code-execution(17044) oval:org.mitre.oval:def:1563 oval:org.mitre.oval:def:2073 oval:org.mitre.oval:def:3773 oval:org.mitre.oval:def:4152 oval:org.mitre.oval:def:6272 oval:org.mitre.oval:def:7721 The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. VU#394792 11374 MS04-035 win2k3-smtp-execute-code(17621) win-ms04035-patch(17660) oval:org.mitre.oval:def:2300 oval:org.mitre.oval:def:3460 oval:org.mitre.oval:def:5509 Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." 20040712 Brand New Hole: Internet Explorer: HijackClick 3 1010679 VU#413886 20040711 HijackClick 3 20040712 Re: HijackClick 3 10690 TA04-293A MS04-038 ie-popupshow-perform-actions(16675) oval:org.mitre.oval:def:2611 oval:org.mitre.oval:def:4363 oval:org.mitre.oval:def:5620 oval:org.mitre.oval:def:6031 oval:org.mitre.oval:def:6048 oval:org.mitre.oval:def:8077 Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." 20040728 Re: Crash IE with 11 bytes ;) 20040723 Crash IE with 11 bytes ;) 20040728 Re: Crash IE with 11 bytes ;) P-006 http://www.ecqurity.com/adv/IEstyle.html VU#291304 http://www.securiteam.com/exploits/5NP042KF5A.html 10816 TA04-293A MS04-038 ie-popupshow-perform-actions(16675) oval:org.mitre.oval:def:2906 oval:org.mitre.oval:def:3372 oval:org.mitre.oval:def:4169 oval:org.mitre.oval:def:5592 oval:org.mitre.oval:def:6579 Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." VU#625616 TA04-293A MS04-038 ie-ms04038-patch(17651) ie-plugin-address-spoofing(17655) oval:org.mitre.oval:def:2487 oval:org.mitre.oval:def:2537 oval:org.mitre.oval:def:3949 oval:org.mitre.oval:def:6313 oval:org.mitre.oval:def:7095 oval:org.mitre.oval:def:7194 Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." 20041128 Address Bar Spoofing on Double Byte Character Set Locale Vulnerability (CAN-2004-0844) Patched in MS04-038 20041128 Address Bar Spoofing on Double Byte Character Set Locale Vulnerability (CAN-2004-0844) Patched in MS04-038 VU#431576 TA04-293A MS04-038 ie-ms04038-patch(17651) ie-dbcs-obtain-information(17652) oval:org.mitre.oval:def:2448 oval:org.mitre.oval:def:8127 Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. 20041013 ACROS Security: Poisoning Cached HTTPS Documents in Internet Explorer http://www.acrossecurity.com/aspr/ASPR-2004-10-13-1-PUB.txt VU#795720 TA04-293A MS04-038 ie-ms04038-patch(17651) ie-cache-ssl-obtain-information(17654) oval:org.mitre.oval:def:2219 oval:org.mitre.oval:def:3872 oval:org.mitre.oval:def:5150 oval:org.mitre.oval:def:5520 oval:org.mitre.oval:def:5740 oval:org.mitre.oval:def:7611 Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated. 20041013 Buffer Overflow In Microsoft Excel P-009 VU#274496 MS04-033 excel-execute-code(17653) excel-ms04033-patch(17683) oval:org.mitre.oval:def:2673 oval:org.mitre.oval:def:4226 The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." 20040914 Security bug in .NET Forms Authentication http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754 VU#283646 11342 TA05-039A MS05-004 windows-forms-security-bypass(17644) oval:org.mitre.oval:def:3556 oval:org.mitre.oval:def:4987 Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. VU#416001 TA05-039A MS05-005 ms-url-bo(19107) oval:org.mitre.oval:def:2348 oval:org.mitre.oval:def:2738 oval:org.mitre.oval:def:4022 Integer overflow in the asn_decode_string() function defined in asn1.c in radiusd for GNU Radius 1.1 and 1.2 before 1.2.94, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (daemon crash) via certain SNMP requests. [Info-gnu-radius] 20040915 GNU Radius 1.2.94. 20040915 GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability radius-asndecodestring-bo(17391) Star before 1.5_alpha46 does not drop the effective user ID (euid) before calling external programs, which could allow local users to gain privileges by modifying the RSH environment variable to reference a malicious program. 1011195 GLSA-200409-11 VU#339089 11141 star-ssh-gain-privileges(17297) The (1) write_list and (2) dump_curr_list functions in Net-Acct before 0.71 allows local users to overwrite arbitrary files via a symlink attack on temporary files. http://exorsus.net/projects/net-acct/net-acct-notempfiles.patch 20040908 Insecure Temporary File Creation Vulnerability in Net-Acct DSA-559 11125 net-acct-tmp-symlink(17283) Buffer overflow in htget 0.93 allows remote attackers to execute arbitrary code via a crafted URL. DSA-611 htget-bo(18603) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities 1011332 11186 web-browser-session-hijack(17415) Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected. http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities 1011331 11186 https://bugzilla.mozilla.org/show_bug.cgi?id=252342 web-browser-session-hijack(17415) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0866. Reason: This candidate is a duplicate of CVE-2004-0866. Notes: The description for CVE-2004-0866 was inadvertently attached to this issue instead. All CVE users should reference CVE-2004-0866 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Internet Explorer does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities 1011332 http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt web-browser-cookie-session-hijack(17417) KDE Konqueror does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities 1011330 http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt web-browser-cookie-session-hijack(17417) Mozilla does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities 1011331 http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt web-browser-cookie-session-hijack(17417) Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities 1011329 http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt web-browser-cookie-session-hijack(17417) Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program. APPLE-SA-2004-09-16 ichatav-link-app-execute(17420) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1123. Reason: This candidate is a reservation duplicate of CVE-2004-1123. Notes: All CVE users should reference CVE-2004-1123 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (aka webdistro) 0.9.16.002 and earlier allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to the wiki module. http://downloads.phpgroupware.org/changelog GLSA-200409-22 phpgroupware-xss(17289) getmail 4.x before 4.2.0, when run as root, allows local users to overwrite arbitrary files via a symlink attack on an mbox file. 20040919 Local root compromise possible with getmail GLSA-200409-32 DSA-553 http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG getmail-mbox-race-condition(17437) getmail 4.x before 4.2.0, and other versions before 3.2.5, when run as root, allows local users to write files in arbitrary directories via a symlink attack on subdirectories in the maildir. 20040919 Local root compromise possible with getmail GLSA-200409-32 DSA-553 http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG getmail-maildir-race-condition(17439) Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small "maximum data bytes" value. SCOSA-2005.17 20041201-01-P CLA-2004:899 APPLE-SA-2005-03-21 20041115 Advisory 13/2004: Samba 3.x QFILEPATHINFO unicode filename buffer overflow 20041115 [SAMBA] CAN-2004-0882: Possiebl Buffer Overrun in smbd 20041217 [OpenPKG-SA-2004.054] OpenPKG Security Advisory (samba) http://security.e-matters.de/advisories/132004.html 1012235 P-038 VU#457622 SUSE-SA:2004:040 2004-0058 samba-qfilepathinfo-bo(18070) oval:org.mitre.oval:def:9969 Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function. 20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities 20041118 [USN-30-1] Linux kernel vulnerabilities http://security.e-matters.de/advisories/142004.html DSA-1067 DSA-1069 DSA-1070 DSA-1082 VU#726198 MDKSA-2005:022 RHSA-2004:504 RHSA-2004:505 RHSA-2004:537 11695 FLSA:2336 linux-smb-response-dos(18134) linux-smbprocreadxdata-dos(18135) linux-smbreceivetrans2-dos(18136) oval:org.mitre.oval:def:10330 The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657 APPLE-SA-2005-03-21 20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl) RHSA-2004:546 P-003 DSA-563 DSA-568 GLSA-200410-05 MDKSA-2004:106 11347 2004-0053 FLSA:2137 cyrus-sasl-saslpath(17643) oval:org.mitre.oval:def:11678 The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration. http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 20041015 [OpenPKG-SA-2004.044] OpenPKG Security Advisory (modssl) 102198 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm http://www.apacheweek.com/features/security-20 RHSA-2004:562 RHSA-2004:600 RHSA-2005:816 RHSA-2008:0261 11360 USN-177-1 ADV-2006-0789 HPSBUX01123 apache-sslciphersuite-restriction-bypass(17671) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:10384 Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. CLA-2004:888 OpenPKG-SA-2004.043 1011674 101677 201072 P-015 DSA-567 VU#687568 http://www.kde.org/info/security/advisory-20041209-2.txt MDKSA-2004:109 MDKSA-2005:052 SUSE-SA:2004:038 RHSA-2004:577 RHSA-2005:021 RHSA-2005:354 11406 2004-0054 libtiff-bo(17715) oval:org.mitre.oval:def:100116 oval:org.mitre.oval:def:9907 SUSE Linux Enterprise Server 9 on the S/390 platform does not properly handle a certain privileged instruction, which allows local users to gain root privileges. DSA-1018 SUSE-SA:2004:037 11489 linux-instruction-gain-privileges(17801) Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889. CLA-2004:886 SUSE-SA:2004:039 FLSA:2352 DSA-573 DSA-581 DSA-599 GLSA-200410-20 GLSA-200410-30 MDKSA-2004:113 MDKSA-2004:114 MDKSA-2004:115 MDKSA-2004:116 RHSA-2004:543 RHSA-2004:592 RHSA-2005:066 RHSA-2005:354 11501 FLSA:2353 xpdf-pdf-bo(17818) oval:org.mitre.oval:def:9714 USN-9-1 Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as CUPS, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0888. SUSE-SA:2004:039 GLSA-200410-20 GLSA-200410-30 MDKSA-2004:113 11501 xpdf-pdf-file-bo(17819) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reasons: This candidate is a reservation duplicate of another candidate. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. http://gaim.sourceforge.net/security/?id=9 GLSA-200410-23 RHSA-2004:604 FLSA:2188 gaim-msn-slp-bo(17786) gaim-msn-slp-dos(17787) gaim-file-transfer-dos(17790) oval:org.mitre.oval:def:11790 USN-8-1 Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results. 11605 MS04-039 isa-cache-reverse-spoof(17906) oval:org.mitre.oval:def:4264 oval:org.mitre.oval:def:4859 The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." MS04-044 win-kernel-lpc-gain-privileges(18339) oval:org.mitre.oval:def:1321 oval:org.mitre.oval:def:1561 oval:org.mitre.oval:def:1581 oval:org.mitre.oval:def:1886 oval:org.mitre.oval:def:2008 oval:org.mitre.oval:def:4021 oval:org.mitre.oval:def:4458 oval:org.mitre.oval:def:450 LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. MS04-044 win-lsass-gain-privileges(18340) oval:org.mitre.oval:def:1888 oval:org.mitre.oval:def:2062 oval:org.mitre.oval:def:3312 oval:org.mitre.oval:def:3325 oval:org.mitre.oval:def:4368 oval:org.mitre.oval:def:778 The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. 1012833 P-095 VU#657118 12228 MS05-003 oval:org.mitre.oval:def:2128 oval:org.mitre.oval:def:2447 The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability." MS04-042 winnt-dhcp-machinename-dos(18341) oval:org.mitre.oval:def:2280 oval:org.mitre.oval:def:4282 The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability." MS04-042 winnt-dhcp-hardwareaddress-code-execution(18342) oval:org.mitre.oval:def:3577 oval:org.mitre.oval:def:4846 Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. P-055 20041214 Microsoft Word 6.0/95 Document Converter Buffer Overflow Vulnerability MS04-041 win-converter-font-code-execution(18338) oval:org.mitre.oval:def:1241 oval:org.mitre.oval:def:1655 oval:org.mitre.oval:def:3310 oval:org.mitre.oval:def:3882 oval:org.mitre.oval:def:4076 oval:org.mitre.oval:def:4576 oval:org.mitre.oval:def:4749 oval:org.mitre.oval:def:539 Multiple heap-based buffer overflows in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via (1) the "Send page" functionality, (2) certain responses from a malicious POP3 server, or (3) a link containing a non-ASCII hostname. http://bugzilla.mozilla.org/show_bug.cgi?id=226669 http://bugzilla.mozilla.org/show_bug.cgi?id=245066 http://bugzilla.mozilla.org/show_bug.cgi?id=256316 http://bugzilla.mozilla.org/show_bug.cgi?id=258005 SSRT4826 FLSA:2089 GLSA-200409-26 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 TA04-261A mozilla-netscape-nonascii-bo(17378) mozilla-nspop3protocol-bo(17379) oval:org.mitre.oval:def:11201 Stack-based buffer overflow in the writeGroup function in nsVCardObj.cpp for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via malformed VCard attachments that are not properly handled when previewing a message. http://bugzilla.mozilla.org/show_bug.cgi?id=257314 SSRT4826 FLSA:2089 GLSA-200409-26 VU#414240 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 11174 TA04-261A mozilla-netscape-nsvcardobj-bo(17380) oval:org.mitre.oval:def:10873 Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows. http://bugzilla.mozilla.org/show_bug.cgi?id=255067 SSRT4826 FLSA:2089 GLSA-200409-26 VU#847200 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 11171 TA04-261A mozilla-netscape-bmp-bo(17381) oval:org.mitre.oval:def:10952 Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possibly execute arbitrary code by convincing a user to drag and drop javascript: links to a frame or page in another domain. http://bugzilla.mozilla.org/show_bug.cgi?id=250862 SSRT4826 FLSA:2089 GLSA-200409-26 VU#651928 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 11177 TA04-261A mozilla-netscape-sameorigin-bypass(17374) oval:org.mitre.oval:def:10378 The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code. http://bugzilla.mozilla.org/show_bug.cgi?id=231083 http://bugzilla.mozilla.org/show_bug.cgi?id=235781 GLSA-200409-26 VU#653160 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 RHSA-2005:323 11192 mozilla-insecure-file-permissions(17375) oval:org.mitre.oval:def:11668 The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8, create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code. http://bugzilla.mozilla.org/show_bug.cgi?id=254303 GLSA-200409-26 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 mozilla-tar-insecure-permissions(17373) Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins. http://bugzilla.mozilla.org/show_bug.cgi?id=257523 SSRT4826 FLSA:2089 GLSA-200409-26 VU#460528 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 11179 mozilla-shortcut-clipboard-access(17376) oval:org.mitre.oval:def:9745 Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages. http://bugzilla.mozilla.org/show_bug.cgi?id=253942 SSRT4826 GLSA-200409-26 VU#113192 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 SUSE-SA:2004:036 mozilla-enableprivilege-modify-dialog(17377) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0815. Reason: This candidate is a reservation duplicate of CVE-2004-0815. Notes: All CVE users should reference CVE-2004-0815 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. telnetd for netkit 0.17 and earlier, and possibly other versions, on Debian GNU/Linux allows remote attackers to cause a denial of service (free of an invalid pointer), a different vulnerability than CVE-2001-0554. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273694 DSA-556 20040918 Debian netkit telnetd vulnerability telnetd-netkit-bo(17540) Unknown vulnerability in ecartis 0.x before 0.129a+1.0.0-snap20020514-1.3 and 1.x before 1.0.0+cvs.20030911-8 allows attackers in the same domain to gain administrator privileges and modify configuration. ESB-2004.0669 DSA-572 11487 ecartis-gain-privileges(17809) Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitrary code via a certain XPM image file. NOTE: it is highly likely that this candidate will be SPLIT into other candidates in the future, per CVE's content decisions. RHSA-2004:537 DSA-607 GLSA-200411-28 GLSA-200502-06 GLSA-200502-07 FEDORA-2004-433 MDKSA-2004:137 FLSA-2006:152803 RHSA-2004:610 RHSA-2005:004 11694 USN-83-1 USN-83-2 http://www.x.org/pub/X11R6.8.1/patches/README.xorg-681-CAN-2004-0914.patch HPSBTU01228 libxpm-image-bo(18142) libxpm-improper-memory-access(18144) libxpm-command-execution(18145) libxpm-directory-traversal(18146) libxpm-dos(18147) oval:org.mitre.oval:def:9943 Multiple unknown vulnerabilities in viewcvs before 0.9.2, when exporting a repository as a tar archive, does not properly implement the hide_cvsroot and forbidden settings, which could allow remote attackers to gain sensitive information. DSA-605 viewcvs-repository-weak-security(18369) Directory traversal vulnerability in cabextract before 1.1 allows remote attackers to overwrite arbitrary files via a cabinet file containing .. (dot dot) sequences in a filename. DSA-574 http://www.kyz.uklinux.net/cabextract.php#changes 11460 cabextract-directory-traversal(17766) The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag. 1011447 A092804-1 11267 vignette-diagnostic-obtain-info(17530) The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that trigger a memory allocation error. SCOSA-2005.16 SUSE-SR:2008:014 OpenPKG-SA-2004.048 GLSA-200410-15 20041011 Squid Web Proxy Cache Remote Denial of Service Vulnerability RHSA-2004:591 11385 http://www.squid-cache.org/Advisories/SQUID-2004_3.txt http://www.squid-cache.org/Advisories/SQUID-2008_1.txt ADV-2008-1969 squid-snmp-asnparseheader-dos(17688) oval:org.mitre.oval:def:10931 FEDORA-2008-6045 The syscons CONS_SCRSHOT ioctl in FreeBSD 5.x allows local users to read arbitrary kernel memory via (1) negative coordinates or (2) large coordinates. FreeBSD-SA-04:15 VU#969078 11321 syscons-consscrshot-info-disclosure(17584) Symantec Norton AntiVirus 2004, and earlier versions, allows a virus or other malicious code to avoid detection or cause a denial of service (application crash) using a filename containing an MS-DOS device name. 20041005 Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability http://www.seifried.org/security/advisories/kssa-010.html nav-antivirus-security-bypass(17603) AFP Server on Mac OS X 10.3.x to 10.3.5, when a guest has mounted an AFP volume, allows the guest to "terminate authenticated user mounts" via modified SessionDestroy packets. APPLE-SA-2004-09-30 11322 AFP Server on Mac OS X 10.3.x to 10.3.5, under certain conditions, does not properly set the guest group ID, which causes AFP to change a write-only AFP Drop Box to be read-write when the Drop Box is on a share that is mounted by a guest, which allows attackers to read the Drop Box. APPLE-SA-2004-09-30 11322 CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. APPLE-SA-2004-09-30 P-002 DSA-566 VU#557062 MDKSA-2004:116 RHSA-2004:543 11324 cups-password-disclosure(17593) oval:org.mitre.oval:def:10710 NetInfo Manager on Mac OS X 10.3.x through 10.3.5, after an initial root login, reports the root account as being disabled, even when it has not. APPLE-SA-2004-09-30 11322 Postfix on Mac OS X 10.3.x through 10.3.5, with SMTPD AUTH enabled, does not properly clear the username between authentication attempts, which allows users with the longest username to prevent other valid users from being able to authenticate. APPLE-SA-2004-09-30 Heap-based buffer overflow in Apple QuickTime on Mac OS 10.2.8 through 10.3.5 may allow remote attackers to execute arbitrary code via a certain BMP image. APPLE-SA-2004-09-30 APPLE-SA-2004-10-27 11322 ServerAdmin in Mac OS X 10.2.8 through 10.3.5 uses the same example self-signed certificate on each system, which allows remote attackers to decrypt sessions. APPLE-SA-2004-09-30 11322 The Microsoft IIS Connector in JRun 4.0 and Macromedia ColdFusion MX 6.0, 6.1, and 6.1 J2EE allows remote attackers to bypass authentication and view source files, such as .asp, .pl, and .php files, via an HTTP request that ends in ";.cfm". 20040923 New Macromedia Security Zone Bulletins Posted 20041005 ColdFusion MX 6.1 on IIS File Contents Disclosure VU#977440 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html 11245 coldfusion-jrun-restriction-bypass(17484) Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image. 20041022 Novell SuSe Linux LibTIFF Heap Overflow Vulnerability VU#129910 SUSE-SA:2004:038 libtiff-ojpegvsetfield-bo(17843) The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters. SCOSA-2005.17 20041201-01-P CLA-2004:899 APPLE-SA-2005-03-21 20041108 [SECURITY] CAN-2004-0930: Potential Remote Denial of Service Vulnerability OpenPKG-SA-2004.054 101783 GLSA 200411-21 20041108 Samba SMBD Remote Denial of Service Vulnerability MDKSA-2004:131 SUSE-SA:2004:040 11624 samba-msfnmatch-dos(17987) oval:org.mitre.oval:def:10936 USN-22-1 MySQL MaxDB before 7.5.00.18 allows remote attackers to cause a denial of service (crash) via an HTTP request to webdbm with high ASCII values in the Server field, which triggers an assert error in the IsAscii7 function. 20041006 MySQL MaxDB Web Agent WebDBMServer Name Denial of Service Vulnerability 11346 maxdb-isascii7dos(17633) McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability 11448 antivirus-zip-protection-bypass(17761) Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability 11448 antivirus-zip-protection-bypass(17761) Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability VU#968818 11448 antivirus-zip-protection-bypass(17761) Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability VU#968818 11448 antivirus-zip-protection-bypass(17761) RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability VU#968818 11448 antivirus-zip-protection-bypass(17761) Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability VU#968818 11448 antivirus-zip-protection-bypass(17761) FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet. GLSA-200409-29 VU#541574 11222 freeradius-dos(17440) oval:org.mitre.oval:def:10837 oval:org.mitre.oval:def:1347 changepassword.cgi in Neoteris Instant Virtual Extranet (IVE) 3.x and 4.x, with LDAP authentication or NT domain authentication enabled, does not limit the number of times a bad password can be entered, which allows remote attackers to guess passwords via a brute force attack. 20041006 [GoSecure Advisory] Neoteris IVE Vulnerability 1011552 http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt juniper-netscreen-password-bruteforce(17629) Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error. OpenPKG-SA-2004.047 1011783 102197 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm http://www.apacheweek.com/features/security-13 DSA-594 MDKSA-2004:134 RHSA-2004:600 RHSA-2005:816 11471 ADV-2006-0789 apache-modinclude-bo(17785) Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. P-071 DSA-601 MDKSA-2006:113 MDKSA-2006:114 MDKSA-2006:122 RHSA-2004:638 RHSA-2006:0194 11663 2004-0058 gd-graphics-gdmalloc-bo(18048) oval:org.mitre.oval:def:11176 oval:org.mitre.oval:def:1195 USN-25-1 USN-33-1 Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters. APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 20041101 DoS in Apache 2.0.52 ? SSRT4876 102198 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm MDKSA-2004:135 RHSA-2004:562 2004-0061 ADV-2006-0789 HPSBUX01123 apache-http-get-dos(17930) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:10962 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 generates easily predictable web session IDs, which allows remote attackers to hijack other sessions via the parentsessionid cookie. http://www.corsaire.com/advisories/c040817-002.txt http://www.mitel.com/DocController?documentId=14223 http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=en The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 allows remote authenticated users to cause a denial of service (resource exhaustion) via a large number of active sessions, which exceeds ICP's maximum. http://www.corsaire.com/advisories/c040817-003.txt http://www.mitel.com/DocController?documentId=14223 http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=en rquotad in nfs-utils (rquota_server.c) before 1.0.6-r6 on 64-bit architectures does not properly perform an integer conversion, which leads to a stack-based buffer overflow and allows remote attackers to execute arbitrary code via a crafted NFS request. http://bugs.gentoo.org/show_bug.cgi?id=72113 GLSA-200412-08 VU#698302 MDKSA-2005:005 RHSA-2004:583 RHSA-2005:014 FLSA-2006:138098 11911 nfsutils-getquotainfo-bo(18455) oval:org.mitre.oval:def:10464 Buffer overflow in unarj before 2.63a-r2 allows remote attackers to execute arbitrary code via an arj archive that contains long filenames. FLSA:2272 DSA-652 GLSA-200411-29 RHSA-2005:007 11665 unarj-longfilename-bo(18044) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. It was a duplicate assignment before public disclosure. Notes: none. The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times. 20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities http://security.e-matters.de/advisories/142004.html DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2005:022 RHSA-2004:504 RHSA-2004:505 RHSA-2004:537 11695 2004-0061 FLSA:2336 linux-smbrecvtrans2-memory-leak(18137) oval:org.mitre.oval:def:10360 USN-30-1 NetOp Host before 7.65 build 2004278 allows remote attackers to obtain sensitive hostname, username and local IP address information via (1) a NetOp HELO request, or (2) when responses are disabled, a "custom" HELO request. 20041119 Corsaire Security Advisory - Danware NetOp Host multiple information disclosure issues http://www.corsaire.com/advisories/c040619-001.txt 11710 danware-helo-obtain-information(18171) The make_recovery command for the TFTP server in HP Ignite-UX before C.6.2.241 makes a copy of the password file in the TFTP directory tree, which allows remote attackers to obtain sensitive information. 1014711 http://www.corsaire.com/advisories/c041123-001.txt 14568 hpigniteux-makerecovery-bypass-security(21858) HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption. 20050816 Corsaire Security Advisory: HP Ignite-UX filesystem permissions issue SSRT4874 1014711 hpigniteux-addnewclient-gain-access(21857) oval:org.mitre.oval:def:5775 Buffer overflow in the C2S module in the open source Jabber 2.x server (Jabberd) allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long username. 20041124 Jabberd2.x remote BuffJabberd2.x remote Buffer Overflowser Overflows 20041124 Jabberd2.x remote BuffJabberd2.x remote Buffer Overflowser Overflows 11741 jabberd2-c2s-bo(18238) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0597. Reason: This candidate is a reservation duplicate of CVE-2004-0597. Notes: All CVE users should reference CVE-2004-0597 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0599. Reason: This candidate is a reservation duplicate of CVE-2004-0599 (the first item listed in that candidate). Notes: All CVE users should reference CVE-2004-0599 instead of this candidate. All references and descriptions have been removed from this candidate to prevent accidental usage. MySQL before 4.0.20 allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote. http://bugs.mysql.com/bug.php?id=3870 http://lists.mysql.com/packagers/202 GLSA-200410-22 SUSE-SR:2004:001 2004-0054 mysql-match-against-dos(17768) Unknown vulnerability in MySQL 3.23.58 and earlier, when a local user has privileges for a database whose name includes a "_" (underscore), grants privileges to other databases that have similar names, which can allow the user to conduct unauthorized activities. CLA-2005:947 P-018 DSA-707 MDKSA-2005:070 RHSA-2004:597 RHSA-2004:611 mysql-underscore-gain-priv(17783) USN-32-1 php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length. 20040915 [VulnWatch] PHP Vulnerability N. 1 20040915 PHP Vulnerability N. 1 1011279 RHSA-2004:687 FLSA:2344 php-phpinfo-disclose-memory(17393) oval:org.mitre.oval:def:10863 rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified. 20040915 Php Vulnerability N. 2 20040915 Php Vulnerability N. 2 1011307 RHSA-2004:687 FLSA:2344 php-mime-array-execute-code(17392) oval:org.mitre.oval:def:10961 FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (core dump) via malformed USR vendor-specific attributes (VSA) that cause a memcpy operation with a -1 argument. GLSA-200409-29 VU#541574 11222 freeradius-dos(17440) oval:org.mitre.oval:def:11023 Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes. GLSA-200409-29 VU#541574 11222 freeradius-dos(17440) oval:org.mitre.oval:def:10024 Apple Remote Desktop Client 1.2.4 executes a GUI application as root when it is started by an Apple Remote Desktop Administrator application, which allows remote authenticated users to execute arbitrary code when loginwindow is active via Fast User Switching. APPLE-SA-2004-10-27 Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. 20041006 [HV-HIGH] MS Word multiple exceptions, at least one exploitable MS05-023 word-file-parsing-bo(17635) oval:org.mitre.oval:def:1795 oval:org.mitre.oval:def:2105 oval:org.mitre.oval:def:2216 oval:org.mitre.oval:def:420 Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file. 20040924 Buffer overflow in Zinf 2.2.1 for Win32 20040927 Re: Buffer overflow in Zinf 2.2.1 for Win32+exploit 8341 DSA-587 11248 zinf-pls-bo(17491) stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs. 20041021 NSFOCUS SA2004-02 : HP-UX stmkfont Local Privilege Escalation Vulnerability http://www.nsfocus.com/english/homepage/research/0402.htm SSRT4807 11493 hpux-stmkfont-gain-privileges(17813) oval:org.mitre.oval:def:5538 The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323 OpenPKG-SA-2004.055 GLSA-200410-10 FLSA:136323 11282 2004-0050 MDKSA-2006:051 script-temporary-file-overwrite(17583) USN-5-1 The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and other operating systems, allow local users to overwrite files via a symlink attack on temporary files. SCOSA-2006.19 SCOSA-2006.23 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136321 RHSA-2005:081 11285 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:10284 USN-3-1 The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318 GLSA-200410-19 DSA-636 RHSA-2004:586 RHSA-2005:261 11286 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:9523 USN-4-1 The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313 GLSA-200411-15 11287 2004-0050 MDKSA-2006:038 script-temporary-file-overwrite(17583) The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as used by other packages such as ncompress, allows local users to overwrite files via a symlink attack on temporary files. NOTE: the znew vulnerability may overlap CVE-2003-0367. DSA-588 11288 2004-0050 http://www.zataz.net/adviso/ncompress-09052005.txt script-temporary-file-overwrite(17583) The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304 GLSA-200410-24 RHSA-2005:012 11289 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:10497 The lvmcreate_initrd script in the lvm package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136308 RHBA-2004:232 11290 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:10632 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0457. Reason: This candidate is a reservation duplicate of CVE-2004-0457. Notes: All CVE users should reference CVE-2004-0457 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The netatalk package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. GLSA-200410-25 2004-0050 script-temporary-file-overwrite(17583) The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302 DSA-603 GLSA-200411-15 RHSA-2005:476 11293 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:10621 oval:org.mitre.oval:def:164 Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. FLSA-2006:152845 OpenPKG-SA-2005.001 DSA-620 MDKSA-2005:031 RHSA-2005:881 11294 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:9752 The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows local users to overwrite files via a symlink attack on temporary files. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136300 OpenPKG-SA-2004.046 GLSA-200410-16 DSA-577 MDKSA-2004:149 RHSA-2004:489 11295 2004-0050 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:11360 USN-6-1 Heap-based buffer overflow in the Hrtbeat.ocx (Heartbeat) ActiveX control for Internet Explorer 5.01 through 6, when users who visit online gaming sites that are associated with MSN, allows remote attackers to execute arbitrary code via the SetupData parameter. 20050119 MSN Heartbeat Control Buffer Overflow VU#673134 http://www.ngssoftware.com/advisories/heartbeatfull.txt 11367 MS04-038 heartbeat-activex(17714) Internet Explorer on Windows XP does not properly modify the "Drag and Drop or copy and paste files" setting when the user sets it to "Disable" or "Prompt," which may enable security-sensitive operations that are inconsistent with the user's intended configuration. VU#630720 TA04-293A MS04-038 ie-dragdrop-security-bypass(17820) Format string vulnerability in ez-ipupdate.c for ez-ipupdate 3.0.10 through 3.0.11b8, when running in daemon mode with certain service types in use, allows remote servers to execute arbitrary code. 20041111 ez-ipupdate format string bug DSA-592 GLSA-200411-20 MDKSA-2004:129 11657 eziupdate-showmessage-format-string(18032) Buffer overflow in the EXIF parsing routine in ImageMagick before 6.1.0 allows remote attackers to execute arbitrary code via a certain image file. GLSA-200411-11 http://www.imagemagick.org/www/Changelog.html 11548 imagemagick-exif-image-bo(17903) oval:org.mitre.oval:def:10472 USN-7-1 Buffer overflow in the getauthfromURL function in httpget.c in mpg123 pre0.59s and mpg123 0.59r could allow remote attackers or local users to execute arbitrary code via an mp3 file that contains a long string before the @ (at sign) in a URL. 20041019 mpg123 "getauthfromurl" buffer overflow 1011832 http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt DSA-578 GLSA-200410-27 11468 mpg123-getauthfromurl-bo(17574) The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request. DSA-586 MDKSA-2004:128 RHSA-2004:635 11618 ruby-cgi-dos(17985) oval:org.mitre.oval:def:10268 USN-20-1 Unknown vulnerability in the dotlock implementation in mailutils before 1:0.5-4 on Debian GNU/Linux allows attackers to gain privileges. http://packages.debian.org/changelogs/pool/main/m/mailutils/mailutils_0.6-2/changelog Internet Explorer 6.x on Windows XP SP2 allows remote attackers to execute arbitrary code, as demonstrated using a document with a draggable file type such as .xml, .doc, .py, .cdf, .css, .pdf, or .ppt, and using ADODB.Connection and ADODB.recordset to write to a .hta file that is interpreted in the Local Zone by HTML Help. 20041020 Re: How to Break Windows XP SP2 + Internet Explorer 6 SP2 20041020 How to Break Windows XP SP2 + Internet Explorer 6 SP2 20041020 How to Break Windows XP SP2 + Internet Explorer 6 SP2 ie-anchorclick-command-execution(17824) Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers. http://rpmfind.net/linux/RPM/suse/updates/9.2/i386/rpm/i586/iptables-1.2.11-4.2.i586.html P-026 DSA-580 MDKSA-2004:125 11570 FLSA:2252 iptables-module-dos(17928) USN-81-1 Buffer overflow in the process_menu function in yardradius 1.0.20 allows remote attackers to execute arbitrary code. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278384 DSA-598 11753 yardradius-processmenu-bo(18270) Integer overflow on Apple QuickTime before 6.5.2, when running on Windows systems, allows remote attackers to cause a denial of service (memory consumption) via certain inputs that cause a large memory operation. APPLE-SA-2004-10-27 Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. CLA-2004:890 APPLE-SA-2005-01-25 20041026 libxml2 remote buffer overflows (not in xml parsing code though) 1011941 P-029 DSA-582 GLSA-200411-05 SUSE-SR:2005:001 RHSA-2004:615 RHSA-2004:650 11526 libxml2-xmlnanoftpscanurl-bo(17870) libxml2-nanoftp-file-bo(17872) libxml2-xmlnanoftpscanproxy-bo(17875) libxml2-nanohttp-file-bo(17876) oval:org.mitre.oval:def:10505 oval:org.mitre.oval:def:1173 USN-89-1 Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. SUSE-SR:2006:003 20041026 libgd integer overflow P-071 DSA-589 DSA-591 DSA-601 DSA-602 MDKSA-2004:132 MDKSA-2006:113 MDKSA-2006:114 MDKSA-2006:122 RHSA-2004:638 11523 2004-0058 gd-png-bo(17866) https://issues.rpath.com/browse/RPL-939 oval:org.mitre.oval:def:1260 oval:org.mitre.oval:def:9952 USN-11-1 USN-25-1 Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to execute arbitrary code via frame headers in MP2 or MP3 files. GLSA-200501-14 MDKSA-2005:009 12218 Format string vulnerability in the -a option (daemon mode) in Proxytunnel before 1.2.3 allows remote attackers to execute arbitrary code via format string specifiers in an invalid proxy answer. http://proxytunnel.sourceforge.net/news.html GLSA-200411-07 11592 proxytunnel-message-format-string(17945) Buffer overflow in hpsockd before 0.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code. DSA-604 11800 hpsockd-bo(18359) Multiple integer overflows in xzgv 0.8 and earlier allow remote attackers to execute arbitrary code via images with large width and height values, which trigger a heap-based buffer overflow, as demonstrated in the read_prf_file function in readprf.c. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct. 20041213 Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff DSA-614 xzgv-readprffile-bo(18454) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack. http://docs.info.apple.com/article.html?artnum=306172 APPLE-SA-2007-07-31 20041124 STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability DSA-610 GLSA-200412-11 20041117 RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. 20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. 20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. 11697 25159 ADV-2007-2732 cscope-tmp-race-condition(18125) Unspecified vulnerability in the ptrace MIPS assembly code in Linux kernel 2.4 before 2.4.17 allows local users to gain privileges via unknown vectors. This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.4.17 http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2004-0997?op=file&rev=0&sc=0 DSA-1067 DSA-1069 DSA-1070 DSA-1082 18176 Format string vulnerability in telnetd-ssl 0.17 and earlier allows remote attackers to execute arbitrary code. DSA-616 VU#995038 netkit-telnetssl-format-string(18654) zgv 5.5.3 allows remote attackers to cause a denial of service (application crash via segmentation fault) via crafted multiple-image (animated) GIF images. DSA-608 11915 zgv-multiple-image-dos(18480) lintian 1.23 and earlier removes the working directory even if it was not created by lintian, which may allow local users to delete arbitrary files or directories via a symlink attack. lintian-symlink(18808) Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled. CLA-2004:894 DSA-585 shadow-pwdcheck-modify-account(17902) Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location. 20041026 pppd out of bounds memory access, possible DOS ppp-ccp-headers-dos(17874) USN-12-1 Trend ScanMail allows remote attackers to obtain potentially sensitive information or disable the anti-virus capability via the smency.nsf file. http://cgi.nessus.org/plugins/dump.php3?id=14312 scanmail-file-access(17962) Multiple format string vulnerabilities in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact. DSA-639 GLSA-200502-24 RHSA-2005:217 midnightcommander-format-string(18902) Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact. DSA-639 GLSA-200502-24 RHSA-2005:217 midnight-commander-bo(18898) Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702. 20041025 debian dhcpd, old format string bug 20041102 Re: debian dhcpd, old format string bug 20041105 Re: debian dhcpd, old format string bug DSA-584 VU#448384 RHSA-2005:212 11591 dhcp-log-format-string(17963) The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7 allows remote attackers to cause a denial of service (application crash) via mail headers that cause a line feed (LF) to be replaced by a null byte that is written to an incorrect memory address. http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01 bogofilter-dos(17916) Integer signedness error in the ssh2_rdpkt function in PuTTY before 0.56 allows remote attackers to execute arbitrary code via a SSH2_MSG_DEBUG packet with a modified stringlen parameter, which leads to a buffer overflow. 20041027 PuTTY SSH client vulnerability http://www.chiark.greenend.org.uk/~sgtatham/putty/ GLSA-200410-29 20041027 PuTTY SSH2_MSG_DEBUG Buffer Overflow Vulnerability 11549 http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414 http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416 putty-ssh2msgdebug-bo(17886) Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors. DSA-639 RHSA-2005:512 midnight-commander-dos(18903) Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname. 20041103 [HV-MED] Zip/Linux long path buffer overflow 20041103 [HV-MED] Zip/Linux long path buffer overflow GLSA-200411-16 P-072 DSA-624 http://www.hexview.com/docs/20041103-1.txt http://www.info-zip.org/FAQ.html MDKSA-2004:141 RHSA-2004:634 11603 TLSA-2005-18 FLSA:2255 infozip-compressed-folder-bo(17956) oval:org.mitre.oval:def:9848 USN-18-1 Stack-based buffer overflow in Cyrus IMAP Server 2.2.4 through 2.2.8, with the imapmagicplus option enabled, allows remote attackers to execute arbitrary code via a long (1) PROXY or (2) LOGIN command, a different vulnerability than CVE-2004-1015. [cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 Released http://asg.web.cmu.edu/cyrus/download/imapd/changes.html 20041122 Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities http://security.e-matters.de/advisories/152004.html GLSA-200411-34 MDKSA-2004:139 cyrus-imap-username-bo(18198) The argument parser of the PARTIAL command in Cyrus IMAP Server 2.2.6 and earlier allows remote authenticated users to execute arbitrary code via a certain command ("body[p") that is treated as a different command ("body.peek") and causes an index increment error that leads to an out-of-bounds memory corruption. [cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 Released http://asg.web.cmu.edu/cyrus/download/imapd/changes.html 20041122 Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities http://security.e-matters.de/advisories/152004.html GLSA-200411-34 DSA-597 MDKSA-2004:139 cyrus-imap-commands-execute-code(18199) USN-31-1 The argument parser of the FETCH command in Cyrus IMAP Server 2.2.x through 2.2.8 allows remote authenticated users to execute arbitrary code via certain commands such as (1) "body[p", (2) "binary[p", or (3) "binary[p") that cause an index increment error that leads to an out-of-bounds memory corruption. [cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 Released http://asg.web.cmu.edu/cyrus/download/imapd/changes.html 20041122 Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities http://security.e-matters.de/advisories/152004.html GLSA-200411-34 DSA-597 MDKSA-2004:139 USN-31-1 statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE signal, which allows remote attackers to cause a denial of service (server process crash) via a TCP connection that is prematurely terminated. http://cvs.sourceforge.net/viewcvs.py/nfs/nfs-utils/ChangeLog?rev=1.258&view=markup DSA-606 RHSA-2004:583 RHSA-2005:014 FLSA-2006:138098 11785 2004-0065 nfs-utils-statd-dos(18332) oval:org.mitre.oval:def:10899 USN-36-1 Buffer overflow in proxyd for Cyrus IMAP Server 2.2.9 and earlier, with the imapmagicplus option enabled, may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2004-1011. [cyrus-announce] 20041123 Cyrus IMAPd 2.2.10 Released http://asg.web.cmu.edu/cyrus/download/imapd/changes.html GLSA-200411-34 MDKSA-2004:139 cyrus-magic-plus-bo(18274) The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system hang) via crafted auxiliary messages that are passed to the sendmsg function, which causes a deadlock condition. http://isec.pl/vulnerabilities/isec-0019-scm.txt DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2005:022 SUSE-SA:2004:044 RHSA-2004:689 RHSA-2005:016 RHSA-2005:017 11921 FLSA:2336 linux-scmsend-dos(18483) oval:org.mitre.oval:def:11816 USN-38-1 Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors. DSA-1017 DSA-1067 DSA-1069 DSA-1070 DSA-1082 RHSA-2004:689 RHSA-2005:016 RHSA-2005:017 12102 FLSA:2336 linux-ioedgeport-bo(18433) oval:org.mitre.oval:def:9786 Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 http://www.hardened-php.net/advisories/012004.txt MDKSA-2004:151 MDKSA-2005:072 http://www.php.net/release_4_3_10.php RHSA-2005:032 RHSA-2005:816 HPSBMA01212 20041219 PHP shmop.c module permits write of arbitrary memory. 12045 FLSA:2344 php-shmopwrite-outofbounds-memory(18515) oval:org.mitre.oval:def:10949 USN-99-1 The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results. SUSE-SU-2015:0365 openSUSE-SU-2015:0325 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 OpenPKG-SA-2004.053 http://www.hardened-php.net/advisories/012004.txt MDKSA-2004:151 SUSE-SA:2005:002 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.php.net/release_4_3_10.php RHSA-2004:687 RHSA-2005:032 RHSA-2005:816 HPSBMA01212 FLSA:2344 php-unserialize-code-execution(18514) oval:org.mitre.oval:def:10511 The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. CLA-2005:915 GLSA-200412-14 MDKSA-2004:151 http://www.php.net/release_4_3_10.php HPSBMA01212 20041216 PHP Input Validation Vulnerabilities 11981 php-addslashes-view-files(18516) iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does not alert the user when handling calendars that use alarms, which allows attackers to execute programs and send e-mail via alarms. APPLE-SA-2004-11-22 ical-calendar-authorization-bypass(18209) Kerio Winroute Firewall before 6.0.7, ServerFirewall before 1.0.1, and MailServer before 6.0.5 use symmetric encryption for user passwords, which allows attackers to decrypt the user database and obtain the passwords by extracting the secret key from within the software. 20041214 [CAN-2004-1022] Insecure Credential Storage on Kerio Software kerio-weak-encryption(18470) Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and MailServer before 6.0.5, when installed on Windows based systems, do not modify the ACLs for critical files, which allows local users with Power Users privileges to modify programs, install malicious DLLs in the plug-ins folder, and modify XML files related to configuration. 20041214 [CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software kerio-insecure-permissions(18471) Multiple heap-based buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to cause a denial of service (application crash) and execute arbitrary code via certain image files. MDKSA-2005:007 RHSA-2004:651 11830 oval:org.mitre.oval:def:10786 Multiple integer overflows in the image handler for imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to cause a denial of service (application crash) and execute arbitrary code via certain image files. DSA-628 GLSA-200412-03 MDKSA-2005:007 RHSA-2004:651 11830 oval:org.mitre.oval:def:10771 Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences. 20041010 unarj dir-transversal bug (../../../..) FLSA:2272 GLSA-200411-29 DSA-628 DSA-652 RHSA-2005:007 11436 unarj-directory-traversal(17684) Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod. 20041220 IBM AIX chcod Local Privilege Escalation Vulnerability IY64354 IY64355 IY64356 aix-chcod-gain-privileges(18625) The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages. http://jouko.iki.fi/adv/javaplugin.html APPLE-SA-2005-02-22 http://rpmfind.net/linux/RPM/suse/updates/9.3/i386/rpm/i586/java-1_4_2-sun-src-1.4.2.08-0.1.i586.html 61 101523 57591 20041122 Sun Java Plugin Arbitrary Package Access Vulnerability VU#760344 12317 ADV-2008-0599 http://www-1.ibm.com/support/docview.wss?uid=swg21257249 sdk-jre-applet-restriction-bypass(18188) oval:org.mitre.oval:def:5674 fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to gain sensitive information by calling fcronsighup with an arbitrary file, which reveals the contents of the file that can not be parsed in an error message. GLSA-200411-27 20041115 Multiple Security Vulnerabilities in Fcron 11684 fcron-fcronsighup-obtain-info(18075) fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to bypass access restrictions and load an arbitrary configuration file by starting an suid process and pointing the fcronsighup configuration file to a /proc entry that is owned by root but modifiable by the user, such as /proc/self/cmdline or /proc/self/environ. GLSA-200411-27 20041115 Multiple Security Vulnerabilities in Fcron 11684 fcron-fcronsighup-restrictions-bypass(18076) fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters such that fcronsighup does not properly append the intended fcrontab.sig to the resulting string. GLSA-200411-27 20041115 Multiple Security Vulnerabilities in Fcron fcron-fcronsighup-create-files(18077) Fcron 2.0.1, 2.9.4, and possibly earlier versions leak file descriptors of open files, which allows local users to bypass access restrictions and read fcron.allow and fcron.deny via the EDITOR environment variable. GLSA-200411-27 20041115 Multiple Security Vulnerabilities in Fcron 11684 fcron-fcrontab-obtain-info(18078) Buffer overflow in the http_open function in Kaffeine before 0.5, whose code is also used in gxine before 0.3.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long Content-Type header for a Real Audio Media (.ram) playlist file. 20041025 Kaffeine Media Player Conteny Type overflow GLSA-200411-14 http://sourceforge.net/tracker/index.php?func=detail&aid=1060299&group_id=9655&atid=109655 11528 kaffeine-ram-bo(17849) Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3) request.c, and (4) select.c for up-imapproxy IMAP proxy 1.2.2 allow remote attackers to cause a denial of service (server crash) and possibly leak sensitive information via certain literal values that are not properly handled when using the IMAP_Line_Read function. 20041107 up-imapproxy DoS vulnerabilities upimapproxy-dos(17999) Cross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML. CLA-2004:905 APPLE-SA-2005-01-25 APPLE-SA-2005-03-21 20041110 [SquirrelMail Security Advisory] Cross Site Scripting in encoded text http://voxel.dl.sourceforge.net/sourceforge/squirrelmail/sm143a-xss.diff GLSA-200411-25 http://www.squirrelmail.org/ squirrelmail-mime-xss(18031) oval:org.mitre.oval:def:9592 The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string. 20041116 Re: [Full-Disclosure] TWiki search function allows arbitrary shell command execution CLA-2005:918 20041112 TWiki search function allows arbitrary shell command execution GLSA-200411-33 http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch P-039 11674 twik-search-command-execution(18062) A design error in the IEEE1394 specification allows attackers with physical access to a device to read and write to sensitive memory using a modified FireWire/IEEE 1394 client, thus bypassing intended restrictions that would normally require greater degrees of physical access to exploit. NOTE: this was reported in 2008 to affect Windows Vista, but some Linux-based operating systems have protection mechanisms against this attack. http://it.slashdot.org/article.pl?sid=08/03/04/1258210 20041026 pacsec.jp advisory: Firewire/IEEE 1394 Considered Harmful to Physical Security http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf http://pacsec.jp/advisories.html http://storm.net.nz/projects/16 http://storm.net.nz/static/files/ab_firewire_rux2k6-final.pdf http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf 20080305 Firewire Attack on Windows Vista 20080305 Re: Firewire Attack on Windows Vista 20080305 RE: Firewire Attack on Windows Vista 20080306 Re: Firewire Attack on Windows Vista 20080306 RE: Firewire Attack on Windows Vista 20080307 Re: Firewire Attack on Windows Vista 20080308 Re: [Full-disclosure] Firewire Attack on Windows Vista 20080308 RE: [Full-disclosure] Firewire Attack on Windows Vista 20080309 Re: [Full-disclosure] Firewire Attack on Windows Vista 20080310 RE: [Full-disclosure] Firewire Attack on Windows Vista 20080309 Re: Firewire Attack on Windows Vista 20080310 Re: [Full-disclosure] Firewire Attack on Windows Vista http://www.theage.com.au/news/security/hack-into-a-windows-pc-no-password-needed/2008/03/04/1204402423638.html firewire-ieee1394-interface-installed(18041) The NFS mountd service on SCO UnixWare 7.1.1, 7.1.3, 7.1.4, and 7.0.1, and possibly other versions, when run from inetd, allows remote attackers to cause a denial of service (memory exhaustion) via a series of requests, which causes inetd to launch a separate process for each request. SCOSA-2005.1 20050111 [NILESA-20050101]: Denial of Service vulnerability due to the mountd bug 12225 Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." 20041225 Microsoft Internet Explorer SP2 Fully Automated Remote Compromise VU#972415 TA05-012B MS05-001 ie-helpactivexcontrol-save-file(18311) oval:org.mitre.oval:def:1349 oval:org.mitre.oval:def:1963 oval:org.mitre.oval:def:2830 oval:org.mitre.oval:def:3496 Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." 20041223 Microsoft Windows LoadImage API Integer Buffer overflow 1012684 P-094 VU#625856 12095 TA05-012A http://www.xfocus.net/flashsky/icoExp/index.html MS05-002 win-loadimage-bo(18668) oval:org.mitre.oval:def:2956 oval:org.mitre.oval:def:3097 oval:org.mitre.oval:def:3220 oval:org.mitre.oval:def:3355 oval:org.mitre.oval:def:4671 Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability." 20041023 python does mangleme (with IE bugs!) 20041025 python does mangleme (with IE bugs!) 20041102 MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC VU#842160 20041024 python does mangleme (with IE bugs!) 11515 TA04-315A TA04-336A MS04-040 ie-iframe-src-name-bo(17889) oval:org.mitre.oval:def:1294 sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname. APPLE-SA-2005-05-03 20041112 Sudo version 1.6.8p2 now available (fwd) OpenPKG-SA-2005.002 DSA-596 MDKSA-2004:133 11668 http://www.sudo.ws/sudo/alerts/bash_functions.html 2004-0061 sudo-bash-command-execution(18055) USN-28-1 Buffer overflow in the getnickuserhost function in BNC 2.8.9, and possibly other versions, allows remote IRC servers to execute arbitrary code via an IRC server response that contains many (1) ! (exclamation) or (2) @ (at sign) characters. 20041110 BNC 2.8.9 remote buffer overflow http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03 DSA-595 11647 bnc-irc-getnickuserhost-bo(18013) Integer overflow in fetch on FreeBSD 4.1 through 5.3 allows remote malicious servers to execute arbitrary code via certain HTTP headers in an HTTP response, which lead to a buffer overflow. FreeBSD-SA-04:16 11702 fetch-http-header-bo(18160) Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout. 20041220 IBM AIX invscout Local Command Execution Vulnerability IY64820 IY64852 IY64976 aix-invscout-gain-privileges(18619) Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.6.0-pl2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PmaAbsoluteUri parameter, (2) the zero_rows parameter in read_dump.php, (3) the confirm form, or (4) an error message generated by the internal phpMyAdmin parser. http://www.netvigilance.com/html/advisory0005.htm http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3 phpmyadmin-multiple-xss(18158) Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output. RHSA-2005:092 RHSA-2005:529 RHSA-2005:551 RHSA-2005:663 ADV-2005-1878 FLSA:2336 linux-i810-dma-dos(15972) oval:org.mitre.oval:def:9795 USN-38-1 Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark memory with the VM_IO flag, which causes incorrect reference counts and may lead to a denial of service (kernel panic) when accessing freed kernel pages. http://www.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.23aa3/00_VM_IO-4 RHSA-2005:016 RHSA-2005:017 RHSA-2006:0140 12338 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137821 linux-kernel-vmio-dos(19275) oval:org.mitre.oval:def:11474 Race condition in Linux kernel 2.6 allows local users to read the environment variables of another process that is still spawning via /proc/.../cmdline. 20060402-01-U SUSE-SA:2006:012 DSA-1018 GLSA-200408-24 MDKSA-2005:022 RHSA-2005:293 RHSA-2006:0190 RHSA-2006:0191 11052 11937 FLSA:152532 linux-spawning-race-condition(17151) oval:org.mitre.oval:def:10427 USN-38-1 Multiple cross-site scripting (XSS) vulnerabilities in mnoGoSearch 3.2.26 and earlier allow remote attackers to inject arbitrary HTML and web script via the (1) next and (2) prev result search pages, and the (3) extended and (4) simple search forms. 20041223 Cross-Site Scripting - an industry-wide problem http://www.mikx.de/index.php?p=6 http://www.mnogosearch.org/history.html 11895 mnogosearch-search-xss(18434) Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. SCOSA-2006.4 SSRT4743 19 57 20050412 Crafted ICMP Messages Can Cause Denial of Service http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html HPSBUX01164 13124 http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en MS05-019 oval:org.mitre.oval:def:181 oval:org.mitre.oval:def:196 oval:org.mitre.oval:def:2188 oval:org.mitre.oval:def:3826 oval:org.mitre.oval:def:405 oval:org.mitre.oval:def:5386 oval:org.mitre.oval:def:651 oval:org.mitre.oval:def:780 oval:org.mitre.oval:def:899 Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter. CLSA-2005:1040 20041223 Cross-Site Scripting - an industry-wide problem http://www.mikx.de/index.php?p=6 12154 https://bugzilla.mozilla.org/show_bug.cgi?id=272620 bugzilla-xss(18728) Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 allow remote attackers to inject arbitrary HTML and web script via certain error messages. 20041223 Cross-Site Scripting - an industry-wide problem GLSA-200412-26 http://www.mikx.de/index.php?p=6 SUSE-SR:2005:001 viewcvs-xss(18718) PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. CLA-2005:915 GLSA-200412-14 http://www.hardened-php.net/advisories/012004.txt MDKSA-2004:151 MDKSA-2005:072 http://www.php.net/release_4_3_10.php HPSBMA01212 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 11964 php-safemodeexecdir-restriction-bypass(18511) USN-99-1 The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. CLA-2005:915 GLSA-200412-14 http://www.hardened-php.net/advisories/012004.txt MDKSA-2004:151 MDKSA-2005:072 http://www.php.net/release_4_3_10.php HPSBMA01212 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 11964 php-realpath-safemode-bypass(18512) USN-99-1 USN-99-2 Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file. OpenPKG-SA-2004.053 MDKSA-2004:151 SUSE-SA:2005:002 http://www.php.net/release_4_3_10.php RHSA-2004:687 RHSA-2005:032 HPSBMA01212 FLSA:2344 php-exifreaddata-bo(18517) oval:org.mitre.oval:def:10877 The cmdline pseudofiles in (1) procfs on FreeBSD 4.8 through 5.3, and (2) linprocfs on FreeBSD 5.x through 5.3, do not properly validate a process argument vector, which allows local users to cause a denial of service (panic) or read portions of kernel memory. NOTE: this candidate might be SPLIT into 2 separate items in the future. FreeBSD-SA-04:17 freebsd-profs-linprocfs-info-disclosure(18321) Off-by-one error in the mysasl_canon_user function in Cyrus IMAP Server 2.2.9 and earlier leads to a buffer overflow, which may allow remote attackers to execute arbitrary code via the username. http://asg.web.cmu.edu/cyrus/download/imapd/changes.html 11738 cyrus-mysaslcanonuser-offbyone-bo(18333) USN-37-1 A "missing serialization" error in the unix_dgram_recvmsg function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain privileges via a race condition. 20060402-01-U 20041214 [USN-38-1] Linux kernel vulnerabilities DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2005:022 SUSE-SA:2004:044 RHSA-2004:504 RHSA-2004:505 RHSA-2004:537 20041119 Addendum, recent Linux <= 2.4.27 vulnerabilities 11715 FLSA:2336 linux-afunix-race-condition(18230) oval:org.mitre.oval:def:11384 Race condition in SELinux 2.6.x through 2.6.9 allows local users to cause a denial of service (kernel crash) via SOCK_SEQPACKET unix domain sockets, which are not properly handled in the sock_dgram_sendmsg function. 20041214 [USN-38-1] Linux kernel vulnerabilities [linux-kernel] 20041114 [PATCH] linux 2.9.10-rc1: Fix oops in unix_dgram_sendmsg when using MDKSA-2005:022 linux-sockdgramsendmsg-race-condition(18312) The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code. 20060402-01-U DSA-1067 DSA-1069 DSA-1070 DSA-1082 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt MDKSA-2005:022 RHSA-2004:504 RHSA-2004:505 RHSA-2004:549 11646 FLSA:2336 linux-elf-setuid-gain-privileges(18025) oval:org.mitre.oval:def:9450 The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code. 20060402-01-U DSA-1067 DSA-1069 DSA-1070 DSA-1082 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt MDKSA-2005:022 RHSA-2004:504 RHSA-2004:505 RHSA-2004:537 11646 FLSA:2336 linux-elf-setuid-gain-privileges(18025) oval:org.mitre.oval:def:9917 The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL terminated, which could cause strings longer than PATH_MAX to be used, leading to buffer overflows that allow local users to cause a denial of service (hang) and possibly execute arbitrary code. 20060402-01-U DSA-1067 DSA-1069 DSA-1070 DSA-1082 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt MDKSA-2005:022 RHSA-2004:504 RHSA-2004:505 RHSA-2004:537 RHSA-2005:275 11646 FLSA:2336 linux-elf-setuid-gain-privileges(18025) oval:org.mitre.oval:def:11195 The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality. DSA-1067 DSA-1069 DSA-1070 DSA-1082 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt MDKSA-2005:022 RHSA-2004:504 RHSA-2004:505 RHSA-2004:549 RHSA-2005:293 RHSA-2006:0190 RHSA-2006:0191 11646 FLSA:2336 linux-elf-setuid-gain-privileges(18025) oval:org.mitre.oval:def:11503 The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary. CLA-2005:930 20041216 [USN-39-1] Linux amd64 kernel vulnerability [linux-kernel] 20041111 a.out issue DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2005:022 11754 2005-0001 FLSA:2336 linux-aout-binary-dos(18290) oval:org.mitre.oval:def:9751 Cross-site scripting (XSS) vulnerability in standard_error_message.dtml for Zwiki after 0.10.0rc1 to 0.36.2 allows remote attackers to inject arbitrary HTML and web script via a malformed URL, which is not properly cleansed when generating an error message. 20041124 STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability 20041126 Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability GLSA-200412-23 11745 http://zwiki.org/925ZwikiXSSVulnerability zwiki-link-xss(18237) Multiple buffer overflows in the RtConfigLoad function in rt-config.c for Atari800 before 1.3.4 allow local users to execute arbitrary code via large values in the configuration file. http://cvs.sourceforge.net/viewcvs.py/atari800/atari800/DOC/ChangeLog?view=markup 20041125 Atari800 - local root. 20041126 Re: Atari800 - local root. (fwd) DSA-609 11756 Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and MetaFrame Presentation Server client for WinCE before 8.33 allows remote servers to create arbitrary shortcuts on the client via a full UNC path in the AppInStartmenu directive. http://support.citrix.com/kb/entry.jspa?externalID=CTX105650 20050426 Citrix Program Neighborhood Agent Arbitrary Shortcut Creation Vulnerability Stack-based buffer overflow in the client for Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and Citrix MetaFrame Presentation Server client for WinCE before 8.33 allows remote attackers to execute arbitrary code via a long cached icon filename in the InName XML element. http://support.citrix.com/kb/entry.jspa?externalID=CTX105650 20050426 Citrix Program Neighborhood Agent Buffer Overflow Buffer overflow in (1) ncplogin and (2) ncpmap in nwclient.c for ncpfs 2.2.4, and possibly other versions, may allow local users to gain privileges via a long -T option. 20041129 ncpfs buffer overflow 20041129 ncpfs buffer overflow GLSA-200412-09 MDKSA-2005:028 FLSA:152904 11945 ncpfs-nwclientc-bo(18283) The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." 20041126 Immunity, Inc Advisor 1012516 890710 P-054 http://www.immunitysec.com/downloads/instantanea.pdf VU#145134 11763 20041129 Microsoft WINS Server Vulnerability MS04-045 wins-memory-pointer-hijack(18259) oval:org.mitre.oval:def:1549 oval:org.mitre.oval:def:2541 oval:org.mitre.oval:def:2734 oval:org.mitre.oval:def:3677 oval:org.mitre.oval:def:4372 oval:org.mitre.oval:def:4831 The Application Framework (AppKit) for Apple Mac OS X 10.2.8 and 10.3.6 does not properly restrict access to a secure text input field, which allows local users to read keyboard input from other applications within the same window session. APPLE-SA-2004-12-02 P-049 11802 macos-appkit-obtain-info(18350) mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials. APPLE-SA-2004-12-02 P-049 9571 1012414 macos-moddigest-response-replay(18347) Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate capitalization. APPLE-SA-2004-12-02 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 P-049 11802 apache-hfs-file-disclosure(18348) Apache for Apple Mac OS X 10.2.8 and 10.3.6 allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+, which bypass Apache file handles. APPLE-SA-2004-12-02 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 P-049 11802 apache-hfs-obtain-info(18349) Human Interface Toolbox (HIToolBox) for Apple Mac 0S X 10.3.6 allows local users to exit applications via the force-quit key combination, even when the system is running in kiosk mode. APPLE-SA-2004-12-02 P-049 11802 macos-hitoolbox-kiosk-dos(18352) Buffer overflow in PSNormalizer for Apple Mac OS X 10.3.6 allows remote attackers to execute arbitrary code via a crafted PostScript input file. APPLE-SA-2004-12-02 P-049 11802 macos-psnormalizer-bo(18354) Terminal for Apple Mac OS X 10.3.6 may indicate that "Secure Keyboard Entry" is enabled even when it is not, which could result in a false sense of security for the user. APPLE-SA-2004-12-02 P-049 11802 macos-terminal-secure-improper(18355) Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5, allows remote attackers to send mail without authentication by replaying authentication information. APPLE-SA-2004-12-02 P-049 11802 postfix-crammd5-auth-replay(18353) Unknown vulnerability in Apple Mac OS X 10.3.6 server, when using Kerberos authentication and Cyrus IMAP allows local users to access mailboxes of other users. APPLE-SA-2004-12-02 P-049 11802 cyrus-kerberos-gain-access(18351) Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "a corrupt section header." DSA-639 RHSA-2005:512 midnight-commander-section-dos(18907) Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by triggering a null dereference. DSA-639 RHSA-2005:512 midnight-commander-find-dos(18908) Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by causing mc to free unallocated memory. DSA-639 GLSA-200502-24 midnight-commander-memory-allocation(18904) Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "use of already freed memory." DSA-639 RHSA-2005:512 midnight-commander-key-dos(18905) Buffer overflow in InnerMedia DynaZip DUNZIP32.dll file version 5.00.03 and earlier allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, as demonstrated using (1) a .rjs (skin) file in RealPlayer 10 through RealPlayer 10.5 (6.0.12.1053), RealOne Player 1 and 2, (2) the Restore Backup function in CheckMark Software Payroll 2004/2005 3.9.6 and earlier, (3) CheckMark MultiLedger before 7.0.2, (4) dtSearch 6.x and 7.x, (5) mcupdmgr.exe and mghtml.exe in McAfee VirusScan 10 Build 10.0.21 and earlier, (6) IBM Lotus Notes before 6.5.5, and other products. NOTE: it is unclear whether this is the same vulnerability as CVE-2004-0575, although the data manipulations are the same. 20041027 EEYE: RealPlayer Zipped Skin File Buffer Overflow 20041027 High Risk Vulnerability in RealPlayer 296 653 1011944 1012297 1016817 http://service.real.com/help/faq/security/041026_player/EN/ VU#582498 http://www.networksecurity.fi/advisories/dtsearch.html http://www.networksecurity.fi/advisories/lotus-notes.html http://www.networksecurity.fi/advisories/mcafee-virusscan.html http://www.networksecurity.fi/advisories/multiledger.html http://www.networksecurity.fi/advisories/payroll.html http://www.securiteam.com/windowsntfocus/6Z00W00EAM.html 20051223 dtSearch DUNZIP32.dll Buffer Overflow Vulnerability 20060330 McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability 20060906 IBM Lotus Notes DUNZIP32.dll Buffer Overflow Vulnerability 11555 ADV-2005-2057 ADV-2006-1176 realplayer-dunzip32-bo(17879) payroll-dunzip32-bo(22737) Multiple integer overflows in (1) readbmp.c, (2) readgif.c, (3) readgif.c, (4) readmrf.c, (5) readpcx.c, (6) readpng.c,(7) readpnm.c, (8) readprf.c, (9) readtiff.c, (10) readxbm.c, (11) readxpm.c in zgv 5.8 allow remote attackers to execute arbitrary code via certain image headers that cause calculations to be overflowed and small buffers to be allocated, leading to buffer overflows. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct. 20041026 zgv image viewing heap overflows 20041028 Re: zgv image viewing heap overflows GLSA-200411-12 11556 http://www.svgalib.org/rus/zgv/ http://www.svgalib.org/rus/zgv/zgv-5.8-integer-overflow-fix.diff zgv-image-header-bo(17871) Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. GLSA-200410-31 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability VU#492545 MDKSA-2004:118 11448 antivirus-zip-protection-bypass(17761) Format string vulnerability in the cherokee_logger_ncsa_write_string function in Cherokee 0.4.17 and earlier, when authenticating via auth_pam, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in the URL. http://bugs.gentoo.org/show_bug.cgi?id=67667 GLSA-200411-02 11574 cherokee-format-string(17934) MIMEDefang in MIME-tools 5.414 allows remote attackers to bypass virus scanning capabilities via an e-mail attachment with a virus that contains an empty boundary string in the Content-Type header. 20041026 [Mimedefang] SECURITY: Patch for MIME-tools GLSA-200411-06 MDKSA-2004:123 11563 mimetools-boundary-virus-bypass(17940) Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a "cryptographically correct" certificate with valid fields such as the username. P-028 20041102 Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication 11577 ciscosecure-eaptls-auth-bypass(17936) Cross-site scripting (XSS) vulnerability in mailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, when debug mode is enabled, allows remote attackers to execute arbitrary web script or HTML via the append parameter. Successful exploitation requires that debug mode is enabled. VU#107998 http://www.procheckup.com/security_info/vuln_pr0410.html 11596 mailpost-append-xss(17953) mailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash), leak sensitive pathname information in the resulting error message, and execute a cross-site scripting (XSS) attack via an HTTP request that contains a / (backslash) and arbitrary webscript before the requested file, which leaks the pathname and does not quote the script in the resulting Visual Basic error message. VU#596046 http://www.procheckup.com/security_info/vuln_pr0411.html 11598 mailpost-slash-xss(17951) MailPost 5.1.1sv, and possibly earlier versions, displays a different error message depending on whether the requested file exists or not, which allows remote attackers to gain sensitive information. VU#306086 http://www.procheckup.com/security_info/vuln_pr0408.html 11599 mailpost-get-info-disclosure(17954) MailPost 5.1.1sv, and possibly earlier versions, when debug mode is enabled, allows remote attackers to gain sensitive information via the debug parameter, which reveals information such as the path to the web root and the web server version. VU#858726 http://www.procheckup.com/security_info/vuln_pr0409.html 11595 mailpost-information-disclosure(17952) Microsoft Internet Explorer 6.0 SP2 allows remote attackers to spoof a legitimate URL in the status bar and conduct a phishing attack via a web page that contains a BASE element that points to the legitimate site, followed by an anchor (a) element with an empty "href" attribute, and a FORM whose action points to a malicious URL, and an INPUT submit element that is modified to look like a legitimate URL. VU#702086 20041030 Re: New URL spoofing bug in Microsoft Internet Explorer 20060218 Re: Internet Explorer Phishing mouseover issue 20060223 Re: Internet Explorer Phishing mouseover issue 11565 ie-ahref-status-spoofing(17938) Nortel Networks Contivity VPN Client displays a different error message depending on whether the username is valid or invalid, which could allow remote attackers to gain sensitive information. 20041110 Nortel Networks Contivity VPN Client information leakage vulnerability VU#830214 http://www.kb.cert.org/vuls/id/CRDY-626N7F http://www.nii.co.in/vuln/contivity.html 11623 nortel-contivity-info-disclosure(17988) Cross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earlier allows remote attackers to execute arbitrary web script or HTML via "specially formed URLs," possibly via the include parameter in index.php. http://g3cko.info/gallery2-4.patch http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=142&mode=thread&order=0&thold=0 DSA-642 GLSA-200411-10 11602 gallery-script-xss(17948) dispatch-conf in Portage 2.0.51-r2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. http://bugs.gentoo.org/show_bug.cgi?id=69147 GLSA-200411-13 11616 portage-dispatchconf-symlink(17986) qpkg in Gentoolkit 0.2.0_pre10 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary directory. http://bugs.gentoo.org/show_bug.cgi?id=68846 GLSA-200411-13 11617 gentoolkit-symlink(17968) The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field. AD20041109 http://www.kerio.com/security_advisory.html 11639 kerio-pf-packet-dos(17992) The mtink status monitor before 1.0.5 for Epson printers allows local users to overwrite arbitrary files via a symlink attack on the epson temporary file. http://bugs.gentoo.org/show_bug.cgi?id=70310 GLSA-200411-17 11640 mtink-tmp-file-symlink(18011) Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size. P-034 20041110 Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-Service VU#630104 TA04-316A cisco-ios-dhcp-dos(18021) oval:org.mitre.oval:def:5632 The buffer overflow trigger in Cisco Security Agent (CSA) before 4.0.3 build 728 waits five minutes for a user response before terminating the process, which could allow remote attackers to bypass the buffer overflow protection by sending additional buffer overflow attacks within the five minute timeout period. P-036 20041111 Crafted Timed Attack Evades Cisco Security Agent Protections 11659 csa-buffer-protection-bypass(18037) SQL injection vulnerability in SQLgrey Postfix greylisting service before 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) sender or (2) recipient e-mail addresses. http://sourceforge.net/project/shownotes.php?release_id=281256 11633 2004-0058 sqlgrey-postfix-sql-injection(17998) Buffer overflow in the handling of command line arguments in Skype 1.0.x.94 through 1.0.x.98 allows remote attackers to execute arbitrary code via a callto:// URL with a long non-existent username, a different vulnerability than CVE-2004-1777. 20041116 Skype callto:// BoF technical details 20041116 Skype callto:// BoF technical details 20041115 Re: Skype callto:// BoF technical details 11682 http://www.skype.com/products/skype/windows/changelog.html http://www.skype.com/security/ssa-2004-02.html skype-callto-uri-bo(18063) The init scripts in Search for Extraterrestrial Intelligence (SETI) project 3.08-r3 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs. GLSA-200411-26 seti@home-gain-privileges(18149) The init scripts in Great Internet Mersenne Prime Search (GIMPS) 23.9 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs. GLSA-200411-26 seti@home-gain-privileges(18149) The init scripts in ChessBrain 20407 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs. GLSA-200411-26 seti@home-gain-privileges(18149) Buffer overflow in the WodFtpDLX.ocx (WeOnlyDo!) ActiveX component before 2.3.2.97, as used by CoffeeCup Direct FTP 6.2.0.62 and CoffeeCup Free FTP 3.0.0.10, and possibly other applications, allows remote attackers to execute arbitrary code via a long filename. 20041122 WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability 20041122 CoffeeCup FTP Clients Buffer Overflow Vulnerability 20041122 WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability 11721 wodftpdlx-long-filename-bo(18190) Stack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibly other versions including 5.06, allows remote attackers to execute arbitrary code via a certain .m3u playlist file. 20041126 Re: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched 20041123 Winamp - Buffer Overflow In IN_CDDA.dll 20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched] 20041123 Winamp - Buffer Overflow In IN_CDDA.dll 20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched] VU#986504 http://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdf 11730 winamp-incddadll-bo(18197) Multiple buffer overflows in (1) http.c, (2) http-retr.c, (3) main.c and other code that handles network protocols in ProZilla 1.3.6-r2 and earlier allow remote servers to execute arbitrary code via a long Location header. http://bugs.gentoo.org/show_bug.cgi?id=70090 DSA-663 GLSA-200411-31 20041124 Prozilla Remote Exploit 11734 prozilla-bo(18210) Apple Safari 1.0 through 1.2.3 allows remote attackers to spoof the URL displayed in the status bar via TABLE tags. APPLE-SA-2004-12-02 VU#925430 11573 ie-table-status-spoofing(17909) Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the "Dialog Box Spoofing Vulnerability," a different vulnerability than CVE-2004-1314. APPLE-SA-2004-12-02 Darwin Streaming Server 5.0.1, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) via a DESCRIBE request with a location that contains a null byte. 20041203 Apple Darwin Streaming Server DESCRIBE Null Byte Denial of Service Vulnerability darwin-describe-dos(18357) Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot jail and conduct unauthorized activities. SCOSA-2005.22 SCOSA-2005.2 12300 chroot-jail-security-bypass(18970) Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PDF file that causes the boundaries of a maskColors array to be exceeded. ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch SCOSA-2005.42 CLA-2005:921 20041223 [USN-48-1] xpdf, tetex-bin vulnerabilities 20041228 KDE Security Advisory: kpdf Buffer Overflow Vulnerability 1012646 GLSA-200412-25 GLSA-200501-13 GLSA-200501-17 20041221 Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability http://www.kde.org/info/security/advisory-20041223-1.txt SUSE-SR:2005:001 RHSA-2005:013 RHSA-2005:018 RHSA-2005:026 RHSA-2005:034 RHSA-2005:053 RHSA-2005:057 RHSA-2005:066 RHSA-2005:354 12070 FLSA:2352 FLSA:2353 xpdf-gfx-doimage-bo(18641) oval:org.mitre.oval:def:10830 USN-50-1 Buffer overflow in Open Dc Hub 0.7.14 allows remote attackers, with administrator privileges, to execute arbitrary code via a long RedirectAll command. 20041124 Buffer Overflow in Open Dc Hub 0.7.14 20041124 Buffer Overflow in Open Dc Hub 0.7.14 GLSA-200411-37 11747 open-hub-redirectall-bo(18254) Buffer overflow in CMailCOM.dll in CMailServer 5.2 allows remote attackers to execute arbitrary code via an attachment with a long filename. 20041124 [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities http://www.security.org.sg/vuln/cmailserver52.html 11742 cmailserver-cmailcomdll-bo(18276) SQL injection vulnerability in (1) fdelmail.asp, (2) addressc.asp, and possibly (3) postmail.asp and (4) fmvmail.asp in CMailServer 5.2 allow remote attackers to inject arbitrary SQL commands and delete mail metadata or e-mail addresses of contacts via the indexOfMail parameter. 20041124 [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities http://www.security.org.sg/vuln/cmailserver52.html 11742 cmailserver-fdelmail-addressc-sql-injection(18281) Cross-site scripting (XSS) vulnerability in admin.asp in CMailServer 5.2 allows remote attackers to execute arbitrary web script or HTML via personal information fields, such as (1) username, (2) name, or (3) comments. This vulnerability is addressed in the following product release: YoungZSoft, CMailServer, 5.2.1 20041124 [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities http://www.security.org.sg/vuln/cmailserver52.html 11742 cmailserver-adminasp-xss(18280) Multiple buffer overflows in the enable command for SCO OpenServer 5.0.6 and 5.0.7 allow local users to execute arbitrary code via long command line arguments. SCOSA-2005.13 12474 openserver-enable-bo(19243) Multiple cross-site scripting (XSS) vulnerabilities in Microsoft W3Who ISAPI (w3who.dll) allow remote attackers to inject arbitrary HTML and web script via (1) HTTP headers such as "Connection" or (2) invalid parameters whose values are echoed in the resulting error message. 20041206 Multiple vulnerabilities in w3who ISAPI DLL w3who-http-error-xss(18375) Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string. 20041206 Multiple vulnerabilities in w3who ISAPI DLL http://www.exaprobe.com/labs/advisories/esa-2004-1206.html w3who-bo(18377) Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands. 20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14. 20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14. http://www.securiteam.com/exploits/6D00L2KBPG.html wsftp-ftp-commands-bo(18296) Buffer overflow in CuteFTP Professional 6.0, and possibly other versions, allows remote FTP servers to cause a denial of service (application crash) via large replies to FTP commands. 20041129 CuteFTP 6.0 Professional Remote Buffer Overflow Vulnerability cuteftp-reply-bo(18309) Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read. CLA-2005:930 http://isec.pl/vulnerabilities/isec-0018-igmp.txt 20041214 [USN-38-1] Linux kernel vulnerabilities MDKSA-2005:022 SUSE-SA:2004:044 RHSA-2005:092 FLSA:2336 linux-ipmcsource-code-execution(18481) linux-igmpmarksources-dos(18482) oval:org.mitre.oval:def:11144 VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu. OpenPKG-SA-2004.052 GLSA-200412-10 RHSA-2005:010 RHSA-2005:036 FLSA:2343 vim-modeline-gain-privileges(18503) oval:org.mitre.oval:def:9571 Unknown vulnerability in the DICOM dissector in Ethereal 0.10.4 through 0.10.7 allows remote attackers to cause a denial of service (application crash). CLA-2005:916 P-061 http://www.ethereal.com/appnotes/enpa-sa-00016.html GLSA-200412-15 MDKSA-2004:152 FLSA-2006:152922 RHSA-2005:037 11943 ethereal-dicom-dos(18484) oval:org.mitre.oval:def:11319 Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denial of service (application hang) and possibly fill available disk space via an invalid RTP timestamp. CLA-2005:916 P-061 http://www.ethereal.com/appnotes/enpa-sa-00016.html GLSA-200412-15 MDKSA-2004:152 FLSA-2006:152922 RHSA-2005:037 11943 Ethereal-rtp-dos(18485) oval:org.mitre.oval:def:10484 The HTTP dissector in Ethereal 0.10.1 through 0.10.7 allows remote attackers to cause a denial of service (application crash) via a certain packet that causes the dissector to access previously-freed memory. CLA-2005:916 P-061 http://www.ethereal.com/appnotes/enpa-sa-00016.html GLSA-200412-15 MDKSA-2004:152 FLSA-2006:152922 RHSA-2005:037 11943 ethereal-http-dissector-dos(18487) oval:org.mitre.oval:def:9473 Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed SMB packet. CLA-2005:916 P-061 DSA-613 http://www.ethereal.com/appnotes/enpa-sa-00016.html GLSA-200412-15 MDKSA-2004:152 FLSA-2006:152922 RHSA-2005:037 11943 ethereal-smb-dos(18488) oval:org.mitre.oval:def:11278 The password generation in mailman before 2.1.5 generates only 5 million unique passwords, which makes it easier for remote attackers to guess passwords via a brute force attack. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286796 20050110 [USN-59-1] mailman vulnerabilities SUSE-SA:2005:007 mailman-weak-encryption(18857) Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges. SUSE-SA:2004:046 RHSA-2004:689 linux-32bit-emulation-gain-privileges(18686) oval:org.mitre.oval:def:10439 Multiple vulnerabilities in Konqueror in KDE 3.3.1 and earlier (1) allow access to restricted Java classes via JavaScript and (2) do not properly restrict access to certain Java classes from the Java applet, which allows remote attackers to bypass sandbox restrictions and read or write arbitrary files. 20041220 KDE Security Advisory: Konqueror Java Vulnerability GLSA-200501-16 http://www.heise.de/security/dienste/browsercheck/tests/java.shtml VU#420222 http://www.kde.org/info/security/advisory-20041220-1.txt MDKSA-2004:154 RHSA-2005:065 konqueror-sandbox-restriction-bypass(18596) oval:org.mitre.oval:def:10173 Multiple cross-site scripting (XSS) vulnerabilities in (1) main.c and (2) login.c for CVSTrac before 1.1.5 allow remote attackers to inject arbitrary HTML and web script. 20041223 Cross-Site Scripting - an industry-wide problem OpenPKG-SA-2004.056 http://www.cvstrac.org/cvstrac/chngview?cn=320 http://www.cvstrac.org/cvstrac/chngview?cn=321 http://www.mikx.de/index.php?p=6 12017 cvstrac-main-login-xss(18726) phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters. 20041213 Multiple vulnerabilities in phpMyAdmin http://www.exaprobe.com/labs/advisories/esa-2004-1213.html phpmyadmin-command-execute(18441) phpMyAdmin before 2.6.1, when configured with UploadDir functionality, allows remote attackers to read arbitrary files via the sql_localfile parameter. 20041213 Multiple vulnerabilities in phpMyAdmin http://www.exaprobe.com/labs/advisories/esa-2004-1213.html phpmyadmin-command-execute(18441) Computer Associates eTrust EZ Antivirus 7.0.0 to 7.0.4, including 7.0.1.4, installs its files with insecure permissions (ACLs), which allows local users to gain privileges by replacing critical programs with malicious ones, as demonstrated using VetMsg.exe. http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter 20041215 Computer Associates eTrust EZ Antivirus Insecure File Permission Vulnerability etrust-antivirus-insecure-permissions(18502) Stack-based buffer overflow in the in_cdda.dll plugin for Winamp 5.0 through 5.08c allows attackers to execute arbitrary code via a cda:// URL with a long (1) device name or (2) sound track number, as demonstrated with a .m3u or .pls playlist file. 20050127 NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name http://www.nsfocus.com/english/homepage/research/0501.htm 12381 http://www.winamp.com/player/version_history.php winamp-incdda-bo(18840) Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges. http://linux.bkbits.net:8080/linux-2.6/cset@1.2079 http://linux.bkbits.net:8080/linux-2.6/gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQ 20041214 [USN-38-1] Linux kernel vulnerabilities MDKSA-2005:022 SUSE-SA:2004:044 [linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall() Buffer overflow in the mailListIsPdf function in Adobe Acrobat Reader 5.09 for Unix allows remote attackers to execute arbitrary code via an e-mail message with a crafted PDF attachment. http://www.adobe.com/support/techdocs/331153.html 20041214 Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability VU#253024 SUSE-SR:2005:001 adobe-acrobat-maillistlspdf-bo(18477) Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields. http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679 20041214 Adobe Reader 6.0 .ETD File Format String Vulnerability adobe-acrobat-etd-format-string(18478) oval:org.mitre.oval:def:2919 Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. SCOSA-2005.17 APPLE-SA-2005-03-21 101643 57730 DSA-701 20041216 Samba smbd Security Descriptor Integer Overflow Vulnerability VU#226184 SUSE-SA:2004:045 RHSA-2005:020 http://www.samba.org/samba/security/CAN-2004-1154.html 11973 samba-msrpc-heap-corruption(18519) oval:org.mitre.oval:def:10236 oval:org.mitre.oval:def:1459 oval:org.mitre.oval:def:642 Internet Explorer 5.01 through 6 allows remote attackers to spoof arbitrary web sites by injecting content from one window into another window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. NOTE: later research shows that Internet Explorer 7 on Windows XP SP2 is also vulnerable. 20061025 IE7 status: 8 days after release, 3 unfixed issues 11855 Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. GLSA-200503-10 GLSA-200503-30 http://www.mozilla.org/security/announce/mfsa2005-13.html RHSA-2005:176 RHSA-2005:384 oval:org.mitre.oval:def:100045 oval:org.mitre.oval:def:10117 Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. GLSA-200502-17 Konqueror 3.x up to 3.2.2-6, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window or tab whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. 20041213 KDE Security Advisory: Konqueror Window Injection Vulnerability http://www.kde.org/info/security/advisory-20041213-1.txt SUSE-SR:2005:001 RHSA-2005:009 11853 oval:org.mitre.oval:def:11056 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1122, CVE-2004-1314. Reason: this was an out-of-band assignment duplicate intended for one issue, but the description and references inadvertently combined multiple issues. Notes: All CVE users should consult CVE-2004-1122 and CVE-2004-1314 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Netscape 7.x to 7.2, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. 11852 rssh 2.2.2 and earlier does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via (1) rdist -P, (2) rsync, or (3) scp -S. 20041202 rssh and scponly arbitrary command execution 20050115 Re: rssh and scponly arbitrary command execution GLSA-200412-01 11792 The unison command in scponly before 4.0 does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via the (1) -rshcmd or (2) -sshcmd flags. 20041202 rssh and scponly arbitrary command execution 20050115 Re: rssh and scponly arbitrary command execution GLSA-200412-01 11791 http://www.sublimation.org/scponly/#relnotes scponly-commandline-command-execution(18362) Cisco CNS Network Registrar Central Configuration Management (CCM) server 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (CPU consumption) by ending a connection after sending a certain sequence of packets. 20041202 Cisco Network Registrar Denial of Service Vulnerability cisco-cns-ccm-dos(18327) The lock manager in Cisco CNS Network Registrar 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (process crash) via a certain "unexpected packet sequence." 20041202 Cisco Network Registrar Denial of Service Vulnerability 11793 cisco-cns-lock-dos(18328) Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command. 20041205 7a69Adv#16 - Konqueror FTP command injection DSA-631 GLSA-200501-18 MDKSA-2005:045 RHSA-2005:009 RHSA-2005:065 web-browser-ftp-command-execution(18384) oval:org.mitre.oval:def:9645 CRLF injection vulnerability in Microsoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command. 20041207 7a69Adv#15 - Internet Explorer FTP command injection 1012444 http://www.rapid7.com/advisories/R7-0032.jsp 20080313 Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability 11826 28208 ADV-2006-3212 ADV-2008-0870 MS06-042 web-browser-ftp-command-execution(18384) oval:org.mitre.oval:def:462 mirrorselect before 0.89 creates temporary files in a world-writable location with predictable file names, which allows remote attackers to overwrite arbitrary files via a symlink attack. GLSA-200412-05 mirrorselect-symlink(18382) Stack-based buffer overflow in the WebDav handler in MaxDB WebTools 7.5.00.18 and earlier allows remote attackers to execute arbitrary code via a long Overwrite header. 20041207 MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service maxdb-webdav-bo(18386) MaxDB WebTools 7.5.00.18 and earlier allows remote attackers to cause a denial of service (application crash) via an HTTP GET request for a file that does not exist, followed by two carriage returns, which causes a NULL dereference. 20041207 MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service maxdb-dos(18387) a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename. 20040824 a2ps executing shell commands from file name http://bugs.debian.org/283134 OpenPKG-SA-2005.003 57649 MDKSA-2004:140 SUSE-SA:2004:034 http://www.securiteam.com/unixfocus/5MP0N2KDPA.html FLSA:152870 11025 gnu-a2ps-gain-privileges(17127) KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .desktop file, which may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares. 20041129 Password Disclosure for SMB Shares in KDE's Konqueror 20041129 Password Disclosure for SMB Shares in KDE's Konqueror 20041209 KDE Security Advisory: plain text password exposure 1012471 P-051 GLSA-200412-16 VU#305294 http://www.kde.org/info/security/advisory-20041209-1.txt MDKSA-2004:150 http://www.sec-consult.com/index.php?id=118 11866 kde-smb-password-plaintext(18267) Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname. http://seer.support.veritas.com/docs/273419.htm http://seer.support.veritas.com/docs/273420.htm http://seer.support.veritas.com/docs/273422.htm http://seer.support.veritas.com/docs/273850.htm http://www.frsirt.com/exploits/20050111.101_BXEC.cpp.php 20041216 Veritas Backup Exec Agent Browser Registration Request Buffer Overflow Vulnerability VU#907729 11974 netbackup-agent-browser-bo(18506) Internet Explorer 6 allows remote attackers to bypass the popup blocker via the document object model (DOM) methods in the DHTML Dynamic HTML (DHTML) Editing Component (DEC) and Javascript that calls showModalDialog. 20041210 HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut ! 20041210 HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut ! ie-popup-blocking-bypass(18444) direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows attackers to cause a denial of service by "manipulating non-existing file handles." 1012903 DSA-639 RHSA-2005:512 midnight-commander-direntry-dos(18909) fish.c in midnight commander allows remote attackers to execute arbitrary programs via "insecure filename quoting," possibly using shell metacharacters. 1012903 DSA-639 RHSA-2005:512 midnight-commander-command-execution(18906) Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. 1012903 DSA-639 GLSA-200502-24 RHSA-2005:217 midnight-commander-extfs-dos(18911) Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via a URL, which is not properly escaped in the resulting error page. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=287555 20050110 [USN-59-1] mailman vulnerabilities DSA-674 MDKSA-2005:015 SUSE-SA:2005:007 RHSA-2005:235 mailman-script-driver-xss(18854) oval:org.mitre.oval:def:11113 The debstd script in debmake 3.6.x before 3.6.10 and 3.7.x before 3.7.7 allows local users to overwrite arbitrary files via a symlink attack on temporary directories. DSA-615 20041223 [USN-49-1] debmake vulnerability 12078 debmake-debstd-symlink(18646) Unknown vulnerability in the rwho daemon (rwhod) before 0.17, on little endian architectures, allows remote attackers to cause a denial of service (application crash). DSA-678 MDKSA-2005:039 htmlheadline before 21.8 allows local users to overwrite arbitrary files via a symlink attack on temporary files. 1012756 DSA-622 12147 htmlheadline-symlink(18737) hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password. 20050111 HylaFAX hfaxd unauthorized login vulnerability [hylafax-announce] 20050111 **ANOUNCE** hylafax-4.2.1 released GLSA-200501-21 MDKSA-2005:006 Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. CLA-2005:920 20050106 [USN-54-1] TIFF library tool vulnerability GLSA-200501-06 MDKSA-2005:001 MDKSA-2005:002 MDKSA-2005:052 SUSE-SA:2005:001 RHSA-2005:019 RHSA-2005:035 12173 libtiff-tiffdump-bo(18782) oval:org.mitre.oval:def:9743 The EPSF pipe support in enscript 1.6.3 allows remote attackers or local users to execute arbitrary commands via shell metacharacters. APPLE-SA-2009-05-12 1012965 http://support.apple.com/kb/HT3549 DSA-654 GLSA-200502-03 MDKSA-2005:033 RHSA-2005:040 FLSA:152892 20060526 rPSA-2006-0083-1 enscript 12329 TA09-133A ADV-2009-1297 enscript-epsf-command-ececution(19012) oval:org.mitre.oval:def:9658 USN-68-1 Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames. APPLE-SA-2009-05-12 1012965 http://support.apple.com/kb/HT3549 DSA-654 GLSA-200502-03 MDKSA-2005:033 RHSA-2005:040 FLSA:152892 20060526 rPSA-2006-0083-1 enscript 12329 TA09-133A ADV-2009-1297 enscript-filename-command-execution(19029) oval:org.mitre.oval:def:10808 USN-68-1 Multiple buffer overflows in enscript 1.6.3 allow remote attackers or local users to cause a denial of service (application crash). APPLE-SA-2009-05-12 1012965 http://support.apple.com/kb/HT3549 DSA-654 GLSA-200502-03 MDKSA-2005:033 RHSA-2005:040 FLSA:152892 20060526 rPSA-2006-0083-1 enscript 12329 TA09-133A ADV-2009-1297 enscript-multiple-bo(19033) oval:org.mitre.oval:def:11134 USN-68-1 Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99.2, and other packages such as MPlayer that use the same code, allows remote attackers to execute arbitrary code via long PNA_TAG values, a different vulnerability than CVE-2004-1188. http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21 20041221 Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability MDKSA-2005:011 http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff xine-pnatag-bo(18640) The pnm_get_chunk function in xine 0.99.2 and earlier, and other packages such as MPlayer that use the same code, does not properly verify that the chunk size is less than the PREAMBLE_SIZE, which causes a read operation with a negative length that leads to a buffer overflow via (1) RMF_TAG, (2) DATA_TAG, (3) PROP_TAG, (4) MDPR_TAG, and (5) CONT_TAG values, a different vulnerability than CVE-2004-1187. http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21 20041221 Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow Vulnerability MDKSA-2005:011 http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff xine-pnmgetchunk-bo(18638) The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow. CLA-2005:917 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 20041220 MITKRB5-SA-2004-004: heap overflow in libkadm5srv 20050110 [USN-58-1] MIT Kerberos server vulnerability http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt MDKSA-2004:156 RHSA-2005:012 RHSA-2005:045 2004-0069 kerberos-libkadm5srv-bo(18621) oval:org.mitre.oval:def:11911 SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not properly check commands sent to CD devices that have been opened read-only, which could allow local users to conduct unauthorized write activities to modify the firmware of associated SCSI devices. SUSE-SA:2004:042 RHSA-2006:0101 11784 suse-scsi-firmware-overwrite(18370) oval:org.mitre.oval:def:9369 Race condition in SuSE Linux 8.1 through 9.2, when run on SMP systems that have more than 4GB of memory, could allow local users to read unauthorized memory from "foreign memory pages." SUSE-SA:2004:042 linux-smbrecvtrans2-memory-leak(18137) Format string vulnerability in the lprintf function in Citadel/UX 6.27 and earlier allows remote attackers to execute arbitrary code via format string specifiers sent to the server. 20041213 Citadel/UX <= v6.27 Remote Format String Vulnerability 20041214 Re: Citadel/UX <= v6.27 Remote Format String Vulnerability http://www.nosystem.com.ar/advisories/advisory-09.txt citadel-format-string(18429) Prevx Home 1.0 allows local users with administrator privileges to bypass the intrusion prevention features by directly writing to \device\physicalmemory, which restores the running kernel's original SDT ServiceTable. 20041122 [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration 20041124 Re: [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration 1012294 prevx-home-settings-disable(18195) Buffer overflow in Star Wars Battlefront 1.11 and earlier allows remote attackers to cause a denial of service (application crash) via a long nickname. 20041124 Limited buffer-overflow and arbitrary memory access in Star Wars 11750 star-wars-nickname-bo(18256) Star Wars Battlefront 1.11 and earlier allows remote attackers to cause a denial of service (application crash) via a join request that contains a memory address that causes the server to read arbitrary memory. 20041124 Limited buffer-overflow and arbitrary memory access in Star Wars Battlefront 1.1 11750 star-wars-packet-dos(18257) Cross-site scripting (XSS) vulnerability in inmail.pl in Insite Inmail allows remote attackers to inject arbitrary web script or HTML via the acao parameter. 20041124 XSS in Brazilian Insite products 11758 insite-inmail-inshop-xss(18268) Cross-site scripting (XSS) vulnerability in inshop.pl in Insite inShop allows remote attackers to inject arbitrary web script or HTML via the screen parameter. 20041124 XSS in Brazilian Insite products 11758 insite-inmail-inshop-xss(18268) Microsoft Internet Explorer allows remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. 20041125 MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway 20041125 MSIE flaws: nested array sort() loop Stack overflow exception 11751 web-browser-array-dos(18282) Safari 1.2.4 on Mac OS X 10.3.6 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. 20041125 More Browser flaws on MACOSX: nested array sort() loop Stack overflow exception 11759 web-browser-array-dos(18282) Firefox and Mozilla allow remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. 20041125 FIREFOX flaws: nested array sort() loop Stack overflow exception 20041125 MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway 11752 11760 web-browser-array-dos(18282) Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. 20041125 Re: MSIE flaws: nested array sort() loop Stack overflow exception 20041125 Re: Opera flaws: nested array sort() loop Stack overflow exception 11762 web-browser-array-dos(18282) Cross-site scripting (XSS) vulnerability in parser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug modes enabled, allows remote attackers to inject arbitrary web script or HTML via the file parameter. Successful exploitation requires that both the non-stealth and the debug modes are enabled. 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure http://www.phpcms.de/download/index.en.html 11765 phpcms-parser-xss(18272) parser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug modes enabled, allows remote attackers to gain sensitive information via an invalid file parameter, which reveals the web server's installation path. 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure phpcms-parser-xss(18272) phpcms-parser-path-disclosure(18279) FluxBox 0.9.10 and earlier versions allows local users to cause a denial of service (application crash) by calling Xman with a long -title value, possibly triggering a buffer overflow. 20041126 FluxBox crash vulnerability fluxbox-xman-dos(18264) codebrowserpntm.php in PnTresMailer 6.03 allows remote attackers to gain sensitive information via an invalid filetohighlight parameter, which reveals the full path in an error message. 20041126 PnTresMailer code browser 6.03 Vulnerabilities pntresmailer-information-disclosure(18263) Directory traversal vulnerability in codebrowserpntm.php in pnTresMailer 6.0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the filetodownload parameter. 20041126 PnTresMailer code browser 6.03 Vulnerabilities 11767 pntresmailer-information-disclosure(18263) The Serious engine, as used in (1) Alpha Black Zero Intrepid Protocol 1.04 and earlier, (2) Nitro family, and (3) Serious Sam Second Encounter 1.07 allows remote attackers to cause a denial of service (server crash) via a large number of UDP join requests that exceeds the maximum player limit, as originally reported for Alpha Black Zero. 20040929 Crash in Alpha Black Zero 1.04 20041128 Players overflow in Serious engine UDP (was Alpha Black Zero, 29 Sep 2004) 1011454 11279 alphablackzero-udp-packet-dos(17545) Buffer overflow in Orbz 2.10 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long password field in a join request. 20041129 Buffer-overflow in Orbz 2.10 11774 orbz-join-password-bo(18298) Verisign Payflow Link, when running with empty Accepted URL fields, does not properly verify the data in the hidden AMOUNT field, which allows remote attackers to modify the price of the items that they purchase. 20041129 [SHK-001]Payflow Link Default Config may lead to Hidden Field Modification payflow-link-modification(18299) Cross-site scripting (XSS) vulnerability in proxylog.dat in IPCop 1.4.1 and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the (1) url or (2) part variables. 20041201 [KA Advisory 0411291] IPCop Cross Site Scripting Vulnerability in proxylog.dat 11779 ipcop-proxylogdat-xss(18301) Multiple buffer overflows in the IMAP service in Mercury/32 4.01a allow remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via long arguments to the (1) EXAMINE, (2) SUBSCRIBE, (3) STATUS, (4) APPEND, (5) CHECK, (6) CLOSE, (7) EXPUNGE, (8) FETCH, (9) RENAME, (10) DELETE, (11) LIST, (12) SEARCH, (13) CREATE, or (14) UNSUBSCRIBE commands. http://home.kabelfoon.nl/~jaabogae/han/m_401b.html 20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003. 20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003. 11775 mercury-command-bo(18318) Directory traversal vulnerability in btdownload.php in Blog Torrent preview 0.8 allows remote attackers to download arbitrary files via a .. (dot dot) in the file argument. http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7 20041202 Blog Torrent preview 0.8 - arbitary file download 11795 blogtorrent-btdownloadphp-dir-traversal(18356) Cross-site scripting (XSS) vulnerability in index.php in Advanced Guestbook 2.3.1, 2.2, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the entry parameter. 20041202 Advanced Guestbook 20041204 Re: Advanced Guestbook 11798 advguestbook-indexphp-xss(18334) Format string vulnerability in Kreed 1.05 and earlier allows remote attackers to execute arbitrary code via format specifiers in (1) a nickname or (2) message text. 20041202 Multiple vulnerabilities in Kreed 1.05 11799 kreed-message-nickname-format-string(18343) Kreed 1.05 and earlier allows remote attackers to cause a denial of service (server disconnect) via a long UDP packet, which causes a "message too long" socket error. 20041202 Multiple vulnerabilities in Kreed 1.05 11799 kreed-udp-packet-dos(18344) The scripts that handle players in Kreed 1.05 and earlier allow remote attackers to cause a denial of service (server freeze) via a long (1) nickname or (2) model type, which generates dialog boxes on the server that must be manually handled before the server continues the game. 20041202 Multiple vulnerabilities in Kreed 1.05 11799 kreed-nickname-modeltype-dos(18345) Hosting Controller 6.1 Hotfix 1.4, and possibly other versions, allows remote attackers to view arbitrary directories by specifying the target pathname in the FilePath parameter to (1) Statsbrowse.asp or (2) Generalbrowse.asp. 20041205 Hosting Controller 11822 hosting-controller-view-files(18363) Remote Execute 2.30 allows remote attackers to cause a denial of service (application crash) by making 7 simultaneous connections. 20041206 DoS leading to crash of client in Remote Execute 2.30 VU#136424 11821 remote-execute-dos(18380) paFileDB 3.1, when using sessions authentication and while the administrator logs on, allows remote attackers to read the administrator's password hash and conduct brute force password guessing attacks by listing the contents of the sessions directory and reading the associated file for the administrator session. http://echo.or.id/adv/adv09-y3dips-2004.txt 20041207 Multiple Vulnerabilities in paFileDB 3.1 11818 pafiledb-session-information-disclosure(18364) Battlefield 1942 1.6.19 and earlier, and Battlefield Vietnam 1.2 and earlier, allows a remote master server to cause a denial of service (client crash) via a server reply that contains a large numplayers value, which triggers a null dereference. 20041207 Broadcast client crash in Battlefield 1942 1.6.19 and Vietnam 1.2 11838 battlefield-numplayers-dos(18400) battlefieldvietnam-numplayers-dos(18402) Directory traversal vulnerability in weblibs.pl in WebLibs 1.0 allows remote attackers to read arbitrary files via .. sequences in the TextFile parameter. 20041207 Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0 11848 weblibs-directory-traversal(18399) weblibs.pl in WebLibs 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the TextFile parameter. 20041207 Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0 11848 weblibs-directory-traversal(18399) The Management Agent in F-Secure Policy Manager 5.11.2810 allows remote attackers to gain sensitive information, such as the absolute path for the web server, via an HTTP request to fsmsh.dll without any parameters. 20041209 =?iso-8859-1?Q?F-Secure_Policy_Manager_-__physical_path_disclosure?= http://www.oliverkarow.de/research/f-secure.txt 11869 fsecure-url-obtain-information(18413) Off-by-one error in the mtr_curses_keyaction function for mtr 0.55 through 0.65 allows local users to hijack raw sockets, as demonstrated using the "s" keybinding, which leaves a buffer without a NULL terminator. 20041211 Local off-by-one in mtr versions 0.55 to 0.65 mtr-mtrcurseskeyaction-offbyone-bo(18428) SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality. 20041213 SugarSales Multiple Vulnerabilities http://www.gulftech.org/?node=research&article_id=00053-120104 11740 sugarcrm-record-sql-injection(18325) SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter. 20041213 SugarSales Multiple Vulnerabilities sugar-sales-path-disclosure(18447) Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and possibly execute arbitrary PHP code via .. (dot dot) sequences in the (1) module, (2) action, or (3) theme parameters to index.php, (4) the theme parameter to Login.php, and possibly other parameters or scripts. 20041213 SugarSales Multiple Vulnerabilities http://www.gulftech.org/?node=research&article_id=00053-120104 11740 sugarcrm-directory-traversal(18326) The install scripts in SugarCRM Sugar Sales 2.0.1c and earlier are not removed after installation, which allows attackers to obtain the MySQL administrative password in cleartext from an installation form, or to cause a denial of service by changing database settings to the default. 20041213 SugarSales Multiple Vulnerabilities sugar-sales-password-plaintext(18449) Cross-site scripting vulnerability in the parser for Gadu-Gadu allows remote attackers to inject arbitrary web script or HTML via (1) http:// or (2) news:// URLs, a different vulnerability than CVE-2004-1410. 20041213 Gadu-Gadu several vulnerabilities http://www.man.poznan.pl/~security/gg-adv.txt 11899 Gadu-Gadu allows remote attackers to gain sensitive information and read files from the _cache directory of other users via a DCC connection and a CTCP packet that contains a 1 as the type and a 4 as the subtype. 20041213 Gadu-Gadu several vulnerabilities http://www.man.poznan.pl/~security/gg-adv.txt gadu-gadu-dcc-ctcp-obtain-files(18461) Directory traversal vulnerability in Gadu-Gadu allows remote attackers to read arbitrary files via .. (dot dot) sequences in a DCC connection with a CTCP packet that contains a 1 as the type and a 4 as the subtype. 20041213 Gadu-Gadu several vulnerabilities http://www.man.poznan.pl/~security/gg-adv.txt gadu-gadu-dcc-ctcp-obtain-files(18461) Stack-based buffer overflow in the code that sends images in Gadu-Gadu allows remote attackers to execute arbitrary code via a large image filename. 20041213 Gadu-Gadu several vulnerabilities http://www.man.poznan.pl/~security/gg-adv.txt gadu-gadu-image-filename-bo(18462) Integer overflow in Gadu-Gadu allows remote attackers to cause a denial of service (disk consumption) via a user packet to the DCC file transfer capability with an invalid file length. 20041213 Gadu-Gadu several vulnerabilities http://www.man.poznan.pl/~security/gg-adv.txt gadu-gadu-dcc-bo(18465) load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of service (system crash) via an ELF binary in which the interpreter is NULL. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142965 http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ DSA-1067 DSA-1069 DSA-1070 DSA-1082 RHSA-2004:689 RHSA-2005:016 RHSA-2005:017 12101 FLSA:2336 linux-loadelfbinary-dos(18687) oval:org.mitre.oval:def:10608 Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor. CLA-2005:930 http://isec.pl/vulnerabilities/isec-0021-uselib.txt 20050107 Linux kernel sys_uselib local root vulnerability DSA-1067 DSA-1069 DSA-1070 DSA-1082 MDKSA-2005:022 SUSE-SR:2005:001 RHSA-2005:016 RHSA-2005:017 RHSA-2005:043 RHSA-2005:092 http://www.securityfocus.com/advisories/7804 FEDORA-2005-014 FEDORA-2005-013 12190 2005-0001 FLSA:2336 linux-uselib-gain-privileges(18800) oval:org.mitre.oval:def:9567 Buffer overflow in the LDAP component for Netscape Directory Server (NDS) 3.6 on HP-UX and other operating systems allows remote attackers to execute arbitrary code. SSRT4867 57754 P-083 VU#258905 12099 nds-ldap-bo(18676) Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors. RHSA-2005:043 oval:org.mitre.oval:def:11282 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability." VU#259890 TA05-039A MS05-009 win-ms05kb890261-update(19096) oval:org.mitre.oval:def:1306 oval:org.mitre.oval:def:1568 oval:org.mitre.oval:def:2379 WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow. http://www.frsirt.com/exploits/20041217.Winrar.c.php winrar-zip-file-bo(18569) Buffer overflow in the expandtabs function in 2fax 3.04 allows remote attackers to execute arbitrary code via a text file that is converted to TIFF. http://tigger.uic.edu/~jlongs2/holes/2fax.txt 2fax-bpcx-bo(10901) Multiple buffer overflows in the (1) event_text and (2) event_specific functions in abc2midi 2004.12.04 allow remote attackers to execute arbitrary code via crafted ABC files. http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt abc2midi-eventtext-bo(18573) abc2midi-eventspecific-bo(18574) Buffer overflow in the process_abc function in abc.c for abc2mtex 1.6.1 allows remote attackers to execute arbitrary code via crafted ABC files. http://tigger.uic.edu/~jlongs2/holes/abc2mtex.txt abc2mtex-processabc-bo(18578) Buffer overflow in the put_words function in subs.c for abcm2ps 3.7.20 allows remote attackers to execute arbitrary code via crafted ABC files. http://tigger.uic.edu/~jlongs2/holes/abcm2ps.txt abcm2ps-putwords-bo(18579) Multiple buffer overflows in the handle_directive function in abcpp.c for abcpp 1.3.0 allow remote attackers to execute arbitrary code via crafted ABC files. http://tigger.uic.edu/~jlongs2/holes/abcpp.txt abcpp-handledirective-bo(18581) Multiple buffer overflows in the (1) write_heading function in subs.cpp or (2) trim_title function in parse.cpp for abctab2ps 1.6.3 allow remote attackers to execute arbitrary code via crafted ABC files. http://tigger.uic.edu/~jlongs2/holes/abctab2ps.txt abctab2ps-writeheading-bo(18583) abctab2ps-trimtitle-bo(18584) Multiple buffer overflows in the preparse function in asp2php 0.76.23 allow remote attackers to execute arbitrary code via crafted ASP scripts. http://tigger.uic.edu/~jlongs2/holes/asp2php.txt asp2php-preparse-bo(18585) Buffer overflow in the bsb_open_header function in libbsb for bsb2ppm 0.0.6 allows remote attackers to execute arbitrary code via crafted BSB pictures. http://tigger.uic.edu/~jlongs2/holes/bsb2ppm.txt bsb2ppm-bsbopenheader-bo(18586) changepassword.cgi in ChangePassword 0.8, when installed setuid, allows local users to execute arbitrary code by modifying the PATH environment variable to point to a malicious "make" program. http://tigger.uic.edu/~jlongs2/holes/changepassword.txt changepassword-gain-privileges(18593) Buffer overflow in the simplify_path function in config.c for ChBg 1.5 allows remote attackers to execute arbitrary code via a crafted chbg scenario file. http://tigger.uic.edu/~jlongs2/holes/chbg.txt DSA-644 MDKSA-2005:027 chbg-simplifypath-bo(18595) Buffer overflow in the readObjectChunk function in 3dsimp.cpp for the convex-tool program in Convex 3D 0.8pre1 allows remote attackers to execute arbitrary code via a crafted 3DS file. http://tigger.uic.edu/~jlongs2/holes/convex3d.txt convex-3d-readobjectchunk-bo(18601) Buffer overflow in the get_field_headers function in csv2xml.cpp for csv2xml 0.5.1 allows remote attackers to execute arbitrary code via a crafted CSV file. http://tigger.uic.edu/~jlongs2/holes/csv2xml.txt csv2xml-getfieldheaders-bo(18602) Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file. http://tigger.uic.edu/~jlongs2/holes/cups.txt GLSA-200412-25 MDKSA-2005:008 RHSA-2005:013 RHSA-2005:053 cups-parsecommand-hpgl-bo(18604) oval:org.mitre.oval:def:10620 USN-50-1 lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS passwd file, which allows local users to corrupt the file by filling the associated file system and triggering the write errors. http://tigger.uic.edu/~jlongs2/holes/cups2.txt GLSA-200412-25 MDKSA-2005:008 RHSA-2005:013 RHSA-2005:053 cups-lppasswd-passwd-truncate(18606) oval:org.mitre.oval:def:10398 USN-50-1 lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail. http://tigger.uic.edu/~jlongs2/holes/cups2.txt GLSA-200412-25 MDKSA-2005:008 RHSA-2005:013 RHSA-2005:053 cups-lppasswd-dos(18608) oval:org.mitre.oval:def:9545 USN-50-1 lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message. http://tigger.uic.edu/~jlongs2/holes/cups2.txt GLSA-200412-25 MDKSA-2005:008 RHSA-2005:013 RHSA-2005:053 cups-lppasswd-passwd-modify(18609) oval:org.mitre.oval:def:11507 USN-50-1 Buffer overflow in the dxfin function in d.c for dxfscope 0.2 allows remote attackers to execute arbitrary code via a crafted DXF file. http://tigger.uic.edu/~jlongs2/holes/dxfscope.txt dxfscope-dxfin-bo(18558) Buffer overflow in the save_embedded_address function in filter.c for elm/bolthole filter 2.6.1 allows remote attackers to execute arbitrary code via a crafted email message. http://tigger.uic.edu/~jlongs2/holes/elm-bolthole-filter.txt elm-bolthole-bo(18607) Buffer overflow in the DownloadLoop function in main.c for greed 0.81p allows remote attackers to execute arbitrary code via a GRX file containing a long filename. http://tigger.uic.edu/~jlongs2/holes/greed.txt greed-downloadloop-bo(18633) The DownloadLoop function in main.c for greed 0.81p allows remote attackers to execute arbitrary code via a GRX file containing a filename with shell metacharacters. http://tigger.uic.edu/~jlongs2/holes/greed.txt greed-downloadloop-command-execution(18634) Buffer overflow in the remove_quote function in convert.c for html2hdml 1.0.3 allows remote attackers to execute arbitrary code via a crafted HTML file. http://tigger.uic.edu/~jlongs2/holes/html2hdml.txt html2hdml-removequote-bo(18556) IglooFTP 0.6.1, when recursively uploading a directory, allows local users to overwrite the files that are being uploaded by creating temporary files with names generated by the tmpnam function, before the files are opened by IglooFTP. http://tigger.uic.edu/~jlongs2/holes/iglooftp.txt iglooftp-file-overwrites(18632) The download_selection_recursive() function in ftplist.c for IglooFTP 0.6.1 allows remote malicious FTP servers to overwrite arbitrary files via filenames that contain / (slash) characters. http://tigger.uic.edu/~jlongs2/holes/iglooftp2.txt iglooftp-file-overwrite(18561) Buffer overflow in the switch_voice function in parse.c for jcabc2ps 20040902 allows remote attackers to execute arbitrary code via a crafted ABC file. http://tigger.uic.edu/~jlongs2/holes/jcabc2ps.txt jcabc2ps-switchvoice-bo(18563) Buffer overflow in the get_file_list_stdin function in jpegtoavi 1.5 allows remote attackers to execute arbitrary code via a crafted set of JPEG files and filenames. http://tigger.uic.edu/~jlongs2/holes/jpegtoavi.txt jpegtoavi-getfileliststdin-bo(18565) The gui_popup_view_fly function in gui_tview_popup.c for junkie 0.3.1 allows remote malicious FTP servers to execute arbitrary commands via shell metacharacters in a filename. http://tigger.uic.edu/~jlongs2/holes/junkie.txt junkie-command-execution(18567) The ftp_retr function in junkie 0.3.1 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in a filename. http://tigger.uic.edu/~jlongs2/holes/junkie.txt junkie-ftpretr-command-execution(18568) Buffer overflow in the strexpand function in string.c for LinPopUp 1.2.0 allows remote attackers to execute arbitrary code via a crafted message that is not properly handled during a Reply operation. http://tigger.uic.edu/~jlongs2/holes/linpopup.txt DSA-632 linpopup-strexpand-bo(18627) Buffer overflow in the Mesh::type method in mesh.c for the mview program in Mesh Viewer 0.2.2 allows remote attackers to execute arbitrary code via crafted mesh files. http://tigger.uic.edu/~jlongs2/holes/meshviewer.txt mesh-type-bo(18616) Buffer overflow in the find_next_file function in playlist.c for mpg123 0.59r allows remote attackers to execute arbitrary code via a crafted MP3 playlist. http://tigger.uic.edu/~jlongs2/holes/mpg123.txt SUSE-SR:2005:001 mpg123-findnextfile-bo(18626) Buffer overflow in the get_header function in asf_mmst_streaming.c for MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a crafted ASF video stream. http://tigger.uic.edu/~jlongs2/holes/mplayer.txt mplayer-getdata-bo(18631) Buffer overflow in the auto_filter_extern function in auto.c for NapShare 1.2, with the extern filter enabled, allows remote attackers to execute arbitrary code via a crafted gnutella response. http://tigger.uic.edu/~jlongs2/holes/napshare.txt napshare-autofilterextern-bo(18630) Buffer overflow in the error function in preproc.c for NASM 0.98.38 1.2 allows attackers to execute arbitrary code via a crafted asm file, a different vulnerability than CVE-2005-1194. http://tigger.uic.edu/~jlongs2/holes/nasm.txt RHSA-2005:381 nasm-preprocc-bo(18540) oval:org.mitre.oval:def:11299 Buffer overflow in the parse_html function in o3read.c for o3read 0.0.3 allows remote attackers to execute arbitrary code via a crafted SXW file. http://tigger.uic.edu/~jlongs2/holes/o3read.txt GLSA-200501-20 o3read-parsehtml-bo(18547) Multiple buffer overflows in (1) the getline function in pcalutil.c and (2) the get_holiday function in readfile.c for pcal 4.7.1 allow remote attackers to execute arbitrary code via a crafted calendar file. http://tigger.uic.edu/~jlongs2/holes/pcal.txt pcal-getline-pcalutil-bo(18552) Buffer overflow in the process_moves function in pgn2web.c for pgn2web 0.3 allows remote attackers to execute arbitrary code via a crafted PGN file. http://tigger.uic.edu/~jlongs2/holes/pgn2web.txt pgn2web-pgn2webc-bo(18554) Buffer overflow in qwik-smtpd allows remote attackers to use the server as an SMTP spam relay via a long HELO command, which overwrites the adjacent localIP data buffer. http://tigger.uic.edu/~jlongs2/holes/qwik-smtpd.txt qwilmail-smtp-helo-open-relay(18555) Buffer overflow in the parse_emelody function in parse_emelody.c for ringtonetools 2.22 allows remote attackers to execute arbitrary code via a crafted eMelody file. http://tigger.uic.edu/~jlongs2/holes/ringtonetools.txt GLSA-200503-18 ringtonetools-parseemelody-bo(18557) Buffer overflow in the ReadFontTbl function in reader.c for rtf2latex2e 1.0fc2 allows remote attackers to execute arbitrary code via a crafted RTF file. http://tigger.uic.edu/~jlongs2/holes/rtf2latex2e.txt rtf2latex2e-reader-bo(18559) The mget function in cmds.c for tnftp 20030825 allows remote FTP servers to overwrite arbitrary files via FTP responses containing file names with / (slash) characters. http://tigger.uic.edu/~jlongs2/holes/tnftp.txt tnftp-mget-cmds-file-overwrite(18560) The slip_down function in slip.c for the uml_net program in uml-utilities 20030903, when uml_net is installed setuid root, does not verify whether the calling user has sufficient permission to disable an interface, which allows local users to cause a denial of service (network service disabled). http://tigger.uic.edu/~jlongs2/holes/uml-utilites.txt umlutilities-umtnet-slipdown-dos(18562) The (1) eqn2graph and (2) pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286371 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286372 20041220 [USN-43-1] groff utility vulnerabilities MDKSA-2006:038 groff-eqn2graph-pic2graph-symlink(18660) Buffer overflow in the process_font_table function in convert.c for unrtf 0.19.3 allows remote attackers to execute arbitrary code via a crafted RTF file. http://tigger.uic.edu/~jlongs2/holes/unrtf.txt unrtf-processfonttable-convert-bo(18566) Buffer overflow in the parse function in vb2c.c for vb2c 0.02 allows remote attackers to execute arbitrary code via a crafted FRM file. http://tigger.uic.edu/~jlongs2/holes/vb2c.txt vb2c-gettoken-bo(18605) Buffer overflow in the get_attr function in html.c for vilistextum 2.6.6 allows remote attackers to execute arbitrary code via a crafted web page. http://tigger.uic.edu/~jlongs2/holes/vilistextum.txt vilistextum-getattr-bo(18610) Buffer overflow in the open_aiff_file function in demux_aiff.c for xine-lib (libxine) 1-rc7 allows remote attackers to execute arbitrary code via a crafted AIFF file. http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt MDKSA-2005:011 xine-openaifffile-bo(18611) Buffer overflow in the book_format_sql function in format.c for xlreader 0.9.0 allows remote attackers to execute arbitrary code via a crafted Excel (XLS) file. http://tigger.uic.edu/~jlongs2/holes/xlreader.txt xlreader-bookformatsql-bo(18612) The id3tag_sort function in id3tag.c for YAMT 0.5 allows remote attackers to execute arbitrary commands via an MP3 file with double quotes in the Artist tag. http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html 1012583 http://tigger.uic.edu/~jlongs2/holes/yamt.txt 11999 yamt-id3tagsort-bo(18614) Buffer overflow in the get function in get.c for Yanf 0.4 allows remote malicious web servers to execute arbitrary code via crafted HTTP responses. http://tigger.uic.edu/~jlongs2/holes/yanf.txt yanf-get-bo(18615) Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file. 1012433 GLSA-200412-07 11771 2004-0063 file-elf-header-bo(18368) The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. 20041223 Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerability VU#177584 VU#697136 TA05-012A http://www.xfocus.net/flashsky/icoExp/ MS05-002 win-ani-ratenumber-dos(18667) oval:org.mitre.oval:def:1304 oval:org.mitre.oval:def:2580 oval:org.mitre.oval:def:3216 oval:org.mitre.oval:def:3957 oval:org.mitre.oval:def:712 Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a crafted .hlp file. 20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerability 12092 http://www.xfocus.net/flashsky/icoExp/ win-winhlp32-bo(18678) Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow. APPLE-SA-2005-05-03 101677 201072 20041221 libtiff STRIPOFFSETS Integer Overflow Vulnerability VU#539110 TA05-136A oval:org.mitre.oval:def:11175 Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. CLA-2005:920 APPLE-SA-2005-05-03 101677 201072 DSA-617 20041221 libtiff Directory Entry Count Integer Overflow Vulnerability VU#125598 MDKSA-2005:052 SUSE-SA:2005:001 RHSA-2005:019 RHSA-2005:035 TA05-136A libtiff-tiff-tdircount-bo(18637) oval:org.mitre.oval:def:100117 oval:org.mitre.oval:def:9392 Heap-based buffer overflow in the demux_open_bmp function in demux_bmp.c for Unix MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a bitmap (BMP) file containing a large biClrUsed field. 20041216 MPlayer Bitmap Parsing Remote Heap Overflow Vulnerability MDKSA-2004:157 http://www1.mplayerhq.hu/MPlayer/releases/ChangeLog mplayer-bitmap-bo(18527) Stack-based buffer overflow in the asf_mmst_streaming.c functionality for MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a large MMST stream packet. 20041216 MPlayer MMST Streaming Stack Overflow Vulnerability MDKSA-2004:157 http://www1.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff http://www1.mplayerhq.hu/MPlayer/releases/ChangeLog mplayer-mmst-bo(18526) Integer overflow in the real_setup_and_get_header function in real.c for Unix MPlayer 1.0pre5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a Real RTSP streaming media file with a -1 content-length field, which leads to a heap-based buffer overflow. 20041216 MPlayer Remote RTSP Heap Overflow Vulnerability MDKSA-2004:157 http://www1.mplayerhq.hu/MPlayer/patches/rtsp_fix_20041215.diff http://www1.mplayerhq.hu/MPlayer/releases/ChangeLog mplayer-rtsp-bo(18525) A bug in the HTML parser in a certain Microsoft HTML library, as used in various third party products, may allow remote attackers to cause a denial of service via certain strings, as reported in GFI MailEssentials for Exchange 9 and 10, and GFI MailSecurity for Exchange 8, which causes emails to remain in IIS or Exchange mail queues. http://kbase.gfi.com/showarticle.asp?id=KBID002249 http://www.csis.dk/default.asp?m=1&a=194 12148 The Smc.exe process in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before invoking help, which allows local users to gain privileges. my-firewall-plus-gain-privileges(18622) Safari 1.x allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability, a different vulnerability than CVE-2004-1122. APPLE-SA-2005-01-25 web-browser-popup-spoofing(18397) viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm. 20041112 phpBB Code EXEC (v2.0.10) 20041220 phpBB Worm 20041118 EXEC exploit in phpBB - fix VU#497400 http://www.phpbb.com/phpBB/viewtopic.php?t=240513 20041222 Re: phpBB Worm 10701 TA04-356A phpbb-view-sql-injection(18052) GLSA-200411-32 Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated. http://isec.pl/vulnerabilities/isec-0020-mozilla.txt 20041229 Heap overflow in Mozilla Browser <= 1.7.3 NNTP code. HPSBTU01114 http://www.mozilla.org/security/announce/mfsa2005-06.html SUSE-SA:2006:004 RHSA-2005:038 12131 mozilla-nntp-bo(18711) oval:org.mitre.oval:def:100052 oval:org.mitre.oval:def:9808 Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command. 20041227 [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc included 20041228 Netcat v1.11 For Windows , New fixed version 20041228 Re: [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc included http://www.hat-squad.com/en/000142.html netcat-doexec-bo(18681) Cross-site scripting (XSS) vulnerability in namazu.cgi for Namazu 2.0.13 and earlier allows remote attackers to inject arbitrary HTML and web script via a query that starts with a tab ("%09") character, which prevents the rest of the query from being properly sanitized. http://jvn.jp/jp/JVN%23904429FE.html 1012802 1012805 DSA-627 FEDORA-2004-557 http://www.namazu.org/security.html.en#xss-tab SUSE-SR:2005:001 HPSBMA01212 12053 namazu-tab-query-xss(18623) The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. 20041215 MSIE DHTML Edit Control Cross Site Scripting Vulnerability VU#356600 11950 TA05-039A MS05-013 ie-dhtml-xss(18504) oval:org.mitre.oval:def:1114 oval:org.mitre.oval:def:1701 oval:org.mitre.oval:def:3464 oval:org.mitre.oval:def:3851 oval:org.mitre.oval:def:4758 Asante FM2008 running firmware 1.06 is shipped with a default username and password, which could allow remote attackers to gain unauthorized access. 20041215 Asante FM2008 10/100 Ethernet switch backdoor login 11947 asante-fm2008-default-account(18521) The configuration backup in Asante FM2008 running firmware 1.06 stores the username and password in cleartext, which could allow remote attackers to gain unauthorized access. 20041215 Asante FM2008 10/100 Ethernet switch backdoor login Cisco Unity 2.x, 3.x, and 4.x, when integrated with Microsoft Exchange, has several hard coded usernames and passwords, which allows remote attackers to gain unauthorized access and change configuration settings or read outgoing or incoming e-mail messages. P-060 20041215 Cisco Unity Integrated with Exchange Has Default Passwords 11954 cisco-unity-exchange-default-accounts(18489) Multiple syscalls in the compat subsystem for NetBSD before 2.0 allow local users to cause a denial of service (kernel crash) via a large signal number to (1) xxx_sys_kill, (2) xxx_sys_sigaction, and possibly other translation functions. http://gleg.net/advisory_netbsd2.shtml netbsd-compat-gain-privileges(18564) The Microsoft Windows Media Player 9.0 ActiveX control may allow remote attackers to execute arbitrary web script in the Local computer zone via the (1) artist or (2) song fields of a music file, if the file is processed using Internet Explorer. 20041218 MS Windows Media Player 9 Vulns (2) 12031 mediaplayer-mp3-code-execution(18576) The getItemInfoByAtom function in the ActiveX control for Microsoft Windows Media Player 9.0 returns a 0 if the file does not exist and the size of the file if the file exists, which allows remote attackers to determine the existence of files on the local system. 20041218 MS Windows Media Player 9 Vulns (2) 12032 mediaplayer-activex-information-disclosure(18587) Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute arbitrary code via a long -setup parameter. 20041219 Exploit for Ultrix 4.5 dxterm http://www.frsirt.com/exploits/20041220.ultrix_dxterm_4.5_exploit.c.php 12049 ultrix-dxterm-bo(18613) Buffer overflow in Crystal FTP Client 2.8 allows remote malicious servers to execute arbitrary code via a response to a LIST command that contains a file name with a long extension. 20041220 Crystal FTP Pro Client Buffer Overflow 12038 crystal-ftp-list-bo(18594) Unknown vulnerability in newgrp in HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain elevated privileges. SSRT4687 12029 hp-newgrp-gain-privileges(18577) oval:org.mitre.oval:def:5622 Untrusted execution path vulnerability in the diag commands (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program. 20041220 AIX 5.1/5.2/5.3 local root exploits 20070330 AIX 4.3 lsmcode local root command execution 20070402 Re: AIX 4.3 lsmcode local root command execution 12041 IY64277 IY64389 aix-diagnostics-gain-privileges(18620) 701 Buffer overflow in paginit in AIX 5.1 through 5.3 allows local users to execute arbitrary code via a long username. 20041220 AIX 5.1/5.2/5.3 local root exploits http://www.frsirt.com/exploits/20041220.paginit.c.php 12043 IY64312 IY64358 IY64522 aix-paginit-username-bo(18618) The execCommand method in Microsoft Internet Explorer 6.0 SP2 allows remote attackers to bypass the "File Download - Security Warning" dialog and save arbitrary files with arbitrary extensions via the SaveAs command. 20041119 Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity... 3220 http://www.frsirt.com/exploits/20041119.IESP2Unpatched.php VU#743974 11686 ie-execommand-warning-bypass(18181) Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with the -v (debug) option enabled, allows remote attackers to execute arbitrary code via a long command request. HPSBUX01118 1012650 20041221 Hewlett Packard HP-UX ftpd Remote Buffer Overflow Vulnerability VU#647438 12077 hp-ftpd-bo(18636) oval:org.mitre.oval:def:5701 Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 before 2.6.10 allows local users to cause a denial of service (kernel crash) via a short new screen value, which leads to a buffer overflow. DSA-1067 DSA-1069 DSA-1070 DSA-1082 http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html MDKSA-2005:218 MDKSA-2005:219 SUSE-SA:2005:018 11956 FLSA:152532 linux-vcresize-dos(18523) USN-47-1 Integer overflow in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (kernel crash) via a cmsg_len that contains a -1, which leads to a buffer overflow. 20041215 [USN-47-1] Linux kernel vulnerabilities http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html 11956 20041215 fun with linux kernel linux-ipoptionsget-dos(18522) Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (memory consumption) by repeatedly calling the ip_cmsg_send function. 20041215 [USN-47-1] Linux kernel vulnerabilities DSA-1067 DSA-1069 DSA-1070 DSA-1082 http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html RHSA-2005:016 RHSA-2005:017 11956 20041215 fun with linux kernel linux-ipoptionsget-memory-leak(18524) oval:org.mitre.oval:def:11085 The xdvizilla script in tetex-bin 2.0.2 creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286370 20041223 [USN-51-1] teTeX auxiliary script vulnerability 12100 xdvizilla-symlink(18708) The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not properly handle the credentials of a process that is launched before the module is loaded, which allows local users to gain privileges. CLA-2005:930 20041223 Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation 12093 linux-security-module-gain-privileges(18673) The triggers in Oracle 9i and 10g allow local users to gain privileges by using a sequence of partially privileged actions: using CCBKAPPLROWTRIG or EXEC_CBK_FN_DML to add arbitrary functions to the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE, then performing a DELETE on the SDO_TXN_IDX_INSERTS table, which causes the SDO_CMT_CBK_TRIG trigger to execute the user-supplied functions. 20041223 Oracle Trigger Abuse (#NISR2122004I) http://www.ngssoftware.com/advisories/oracle23122004I.txt oracle-triggers-gain-privileges(18655) SQL injection vulnerability in the (1) MDSYS.SDO_GEOM_TRIG_INS1 and (2) MDSYS.SDO_LRS_TRIG_INS default triggers in Oracle 9i and 10g allows remote attackers to execute arbitrary SQL commands via the new.table_name or new.column_name parameters. 20041223 Oracle Trigger Abuse (#NISR2122004I) http://www.ngssoftware.com/advisories/oracle23122004I.txt oracle-triggers-gain-privileges(18655) Debian GNU/Linux 3.0 installs the libpam-radius-auth package with the pam_radius_auth.conf set to be world-readable, which allows local users to obtain sensitive information. 1013030 DSA-659 libpamradiusauth-insecure-permission(19087) Cross-site scripting (XSS) vulnerability in info2www before 1.2.2.9 allows remote attackers to inject arbitrary web script or HTML via the arguments to info2www. DSA-711 info2www-url-xss(20179) CVS 1.12 and earlier on Debian GNU/Linux, when using the repouid patch, allows remote attackers to bypass authentication via the pserver access method. DSA-715 CVS 1.12 and earlier on Debian GNU/Linux does not properly handle when a mapping for the current repository does not exist in the cvs-repouids file, which allows remote attackers to cause a denial of service (server crash). DSA-715 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2004. Notes: none. Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) 2.1 for Solaris 8 and Solaris 9 allows local users with the "ESMUser" role to gain root access. 57581 O-166 VU#976470 10580 esm-esmuser-gain-privileges(16463) oval:org.mitre.oval:def:1707 The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM. 57598 ESB-2004.0463 VU#390742 10747 solaris-svm-dos(16729) oval:org.mitre.oval:def:3465 X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request. 101549 57619 VU#139504 10911 xdm-xdmcp-dos(16940) oval:org.mitre.oval:def:100113 Unknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash). 57614 ESB-2004.0565 11118 solaris-innamed-dynamic-dos(17269) oval:org.mitre.oval:def:3960 gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files. 57600 VU#635998 11318 solaris-gzip-modify-privileges(17577) oval:org.mitre.oval:def:1654 Multiple buffer overflows in Sun Java System Web Proxy Server (formerly Sun ONE Proxy Server) 3.6 through 3.6 SP4 allow remote attackers to execute arbitrary code via unknown vectors, possibly CONNECT requests. 1012005 57606 ESB-2004.0691 P-027 VU#964401 http://www.pentest.co.uk/documents/ptl-2004-06.html 11566 sun-web-proxy-bo(17920) Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. 57659 ESB-2004.0759 P-050 11840 solaris-inrwhod-command-execution(18385) oval:org.mitre.oval:def:592 Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code. 1012368 57675 ESB-2004.0749 P-045 11782 solaris-ping-bo(18310) oval:org.mitre.oval:def:3400 Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges. 1011789 57657 ESB-2004.0661 P-017 11459 solaris-ldap-rbac-gain-priv(17757) oval:org.mitre.oval:def:4834 The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inaccessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack. http://spoofed.org/files/text/solaris-smc-advisory.txt 57559 ESB-2004.0347 [focus-sun] 20031022 Information disclosure with SMC webserver on Solaris 9 10349 8873 smc-dotdot-directory-traversal(16146) oval:org.mitre.oval:def:1482 Unknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. 57545 ESB-2004.0308 10216 solaris-tcp-ip-dos(15955) oval:org.mitre.oval:def:2972 Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. 57470 ESB-2004.0307 10202 solaris-sendfilev-dos(15946) oval:org.mitre.oval:def:1684 The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities. 57538 ESB-2004.0263 VU#737548 10080 solaris-sshd-log-bypass(15784) oval:org.mitre.oval:def:3505 The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged. 57478 ESB-2004.0069 O-099 9852 solaris-patches-disable-bsm(14918) oval:org.mitre.oval:def:3567 Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. 57508 ESB-2004.0201 9837 solaris-uucp-multiple-bo(15425) oval:org.mitre.oval:def:1127 Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files. 57509 ESB-2004.0169 O-089 VU#412566 9759 solaris-covfix-gain-privileges(15331) oval:org.mitre.oval:def:1732 Integer underflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a malformed .hlp file, which leads to a heap-based buffer overflow. 20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerability 12091 http://www.xfocus.net/flashsky/icoExp/ win-winhlp32-bo(18678) The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters. 20041223 Oracle Character Conversion Bugs (#NISR2122004G) 101782 VU#435974 http://www.ngssoftware.com/advisories/oracle23122004G.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 10871 TA04-245A oracle-character-conversion-gain-privileges(18657) Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed. 20041223 Oracle extproc buffer overflow (#NISR23122004A) 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 10871 TA04-245A oracle-extproc-library-bo(18659) Directory traversal vulnerability in extproc in Oracle 9i and 10g allows remote attackers to access arbitrary libraries outside of the $ORACLE_HOME\bin directory. 20041223 Oracle extproc directory traversal (#NISR23122004B) 101782 http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql VU#316206 http://www.ngssoftware.com/advisories/oracle23122004B.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 20061219 Oracle <= 9i / 10g (extproc) Local/Remote Command Execution Exploit 10871 TA04-245A oracle-extproc-directory-traversal(18658) Extproc in Oracle 9i and 10g does not require authentication to load a library or execute a function, which allows local users to execute arbitrary commands as the Oracle user. 20041223 Oracle extproc local command execution (#NISR23122004C) 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004C.txt 10871 TA04-245A oracle-extproc-command-execution(18662) Oracle 10g Database Server stores the password for the SYSMAN account in cleartext in the world-readable emoms.properties file, which could allow local users to gain DBA privileges. 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004D.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 20041223 Oracle clear text passwords (#NISR2122004D) 10871 TA04-245A oracle-sysman-password-plaintext(18661) Oracle 10g Database Server, when installed with a password that contains an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password. 20041223 Oracle clear text passwords (#NISR2122004D) 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004D.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf TA04-245A ISQL*Plus in Oracle 10g Application Server allows remote attackers to execute arbitrary files via an absolute pathname in the file parameter to the load.uix script. 20041223 Oracle ISQLPlus file access vulnerability (#NISR2122004E) 101782 VU#435974 http://www.ngssoftware.com/advisories/oracle23122004E.txt 10871 TA04-245A oracle-isqlplus-file-access(18656) The TNS Listener in Oracle 10g allows remote attackers to cause a denial of service (listener crash) via a malformed service_register_NSGR request containing a value that is used as an invalid offset for a pointer that references incorrect memory. 20041223 Oracle TNS Listener DoS (#NISR2122004F) 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004F.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 10871 TA04-245A oracle-tnslsnr-nsgr-dos(18664) Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4) WK_ADM.COMPLETE_ACL_SNAPSHOT, (5) WK_ACL.DELETE_ACLS_WITH_STATEMENT, or (6) DRILOAD.VALIDATE_STMT. 20041223 Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H) 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004H.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 10871 TA04-245A oracle-procedure-sql-injection(18665) Stack-based buffer overflow in Oracle 9i and 10g allows remote attackers to execute arbitrary code via a long token in the text of a wrapped procedure. 20041223 Oracle wrapped procedure overflow (#NISR2122004J) 101782 VU#316206 http://www.ngssoftware.com/advisories/oracle23122004J.txt http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf 10871 TA04-245A oracle-wrapped-procedure-bo(18666) Multiple stack-based buffer overflows in IBM DB2 7.x and 8.1 allow local users to execute arbitrary code via (1) a long third argument to the rec2xml function or (2) a long filename argument to the generate_distfile procedure. 20041223 IBM DB2 generate_distfile buffer overflow vulnerability (#NISR2122004L) 20041223 IBM DB2 rec2xml buffer overflow vulnerability (#NISR2122004J) http://www.ngssoftware.com/advisories/db223122004K.txt http://www.ngssoftware.com/advisories/db223122004L.txt 11089 db2-generatedistfile-bo(18663) db2-rec2xml-bo(18682) Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file. 20041223 SHOUTcast remote format string vulnerability 20050219 exwormshoucast part of PTjob project: SHOUTcast v1.9.4 remote 1012675 GLSA-200501-04 12096 shoutcast-format-string(18669) Multiple buffer overflows in NetBSD kernel may allow local users to execute arbitrary code and gain privileges. http://gleg.net/advisory_netbsd2.shtml Unknown vulnerability in System Administration Manager (SAM) in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 allows local users to gain privileges. SSRT4699 P-085 12098 hp-sam-gain-privileges(18674) oval:org.mitre.oval:def:5435 Directory traversal vulnerability in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. 20041230 7a69Adv#17 - Internet Explorer FTP download path disclosure http://www.7a69ezine.org/node/view/176 The (1) fixps (aka fixps.in) and (2) psmandup (aka psmandup.in) scripts in a2ps before 4.13 allow local users to overwrite arbitrary files via a symlink attack on temporary files. GLSA-200501-02 12108 12109 http://www.vuxml.org/freebsd/9168253c-5a6d-11d9-a9e7-0001020eed82.html gnu-a2ps-fixpsin-symlink(18671) gnu-a2ps-psmanupin-symlink(18672) The expat XML parser code, as used in the open source Jabber (jabberd) 1.4.3 and earlier, jadc2s 0.9.0 and earlier, and possibly other packages, allows remote attackers to cause a denial of service (application crash) via a malformed packet to a socket that accepts XML connections. http://devel.amessage.info/jabberd14/ [jabberd] 20040919 Jabberd 1.4 critical bug 20040920 Possible DoS attack against jabberd 1.4.3 and jadc2s 0.9.0 1011383 1011384 GLSA-200409-31 11231 http://www.vuxml.org/freebsd/2e25d38b-54d1-11d9-b612-000c6e8f12ef.html jabberd-xml-dos(17466) jadc2s-xml-dos(17467) Heap-based buffer overflow in the DVD subpicture decoder in xine xine-lib 1-rc5 and earlier allows remote attackers to execute arbitrary code via a (1) DVD or (2) MPEG subpicture header where the second field reuses RLE data from the end of the first field. SSA:2004-266 DSA-657 GLSA-200409-30 20040906 XSA-2004-5: heap overflow in DVD subpicture decoder 11205 http://www.vuxml.org/freebsd/131bd7c4-64a3-11d9-829a-000a95bc6fae.html http://xinehq.de/index.php/security/XSA-2004-5 xine-dvd-subpicture-bo(17423) Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability." http://www.mozilla.org/security/announce/mfsa2005-05.html RHSA-2005:323 RHSA-2005:335 web-browser-modal-spoofing(18864) oval:org.mitre.oval:def:100050 oval:org.mitre.oval:def:10211 Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks. http://www.mozilla.org/security/announce/mfsa2005-05.html web-browser-inactive-info-disclosure(17789) oval:org.mitre.oval:def:100053 The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968. 20041028 [USN-4-1] Standard C library script vulnerabilities DSA-636 MDKSA-2004:159 RHSA-2005:261 Multiple SQL injection vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to execute arbitrary SQL statements via the (1) order, (2) project_id, (3) pro_main, or (4) hours_id parameters to index.php or (5) ticket_id to viewticket_details.php. 20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ] GLSA-200501-08 http://www.gulftech.org/?node=research&article_id=00054-12142004 11952 phpgroupware-projectid-sql-injection(18498) Multiple cross-site scripting (XSS) vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) kp3, (2) type, (3) msg, (4) forum_id, (5) pos, (6) cats_app, (7) cat_id, (8) msgball[msgnum], (9) fldball[acctnum] parameters to index.php or (10) ticket_id to viewticket_details.php. 20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ] GLSA-200501-08 http://www.gulftech.org/?node=research&article_id=00054-12142004 11952 phpgroupware-index-preferences-xss(18496) phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message. 20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ] GLSA-200501-08 http://www.gulftech.org/?node=research&article_id=00054-12142004 phpgroupware-path-disclosure(18497) TikiWiki before 1.8.4.1 does not properly verify uploaded images, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2005-0200. 1012700 http://tikiwiki.org/tiki-read_article.php?articleId=97 P-084 GLSA-200501-12 12110 tikiwiki-image-command-execution(18691) The check_forensic script in apache-utils package 1.3.31 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files. [debian-apache] 20050119 Bug#290974: marked as done (apache: Temporary usage bugs that can be used in symlink attacks) apache-checkforensic-symlink(18993) USN-65-1 Format string vulnerability in the gpsd_report function for BerliOS GPD daemon (gpsd, formerly pygps) 1.9.0 through 2.7 allows remote attackers to execute arbitrary code via certain GPS requests containing format string specifiers that are not properly handled in syslog calls. [Gpsd-announce] 20050127 Announcing release 2.8 of gpsd 20050126 DMA[2005-0125a] - 'berlios gpsd format string vulnerability' http://www.digitalmunition.com/DMA%5B2005-0125a%5D.txt http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg02103.html gpsd-format-string(19079) Unknown vulnerability in the Veritas NetBackup Administrative Assistant interface for NetBackup BusinesServer 3.4, 3.4.1, and 4.5, DataCenter 3.4, 3.4.1, and 4.5, Enterprise Server 5.1, and NetBackup Server 5.0 and 5.1, allows attackers to execute arbitrary commands via the bpjava-susvc process, possibly related to the call-back feature. http://seer.support.veritas.com/docs/271727.htm P-020 VU#685456 11494 nebackup-bpjavasusvc-gain-privileges(17811) Multiple buffer overflows in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allow remote attackers to execute arbitrary code via a long argument to the (1) -F, (2) name, (3) en, (4) upscript, (5) downscript, (6) retries, (7) timeout, (8) scriptdetach, (9) noscript, (10) nodetach, (11) remote_mac, or (12) local_mac flags. 20040903 [RLSA_01-2004] QNX PPPoEd local root vulnerabilities VU#961686 11104 Qnx-rtp-pppoed-flags-bo(17280) Untrusted execution path vulnerability in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious mount program. 20040903 [RLSA_01-2004] QNX PPPoEd local root vulnerabilities VU#577566 11105 qnx-rtp-mount-command-execute(17284) PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function. 20041027 PHP4 cURL functions bypass open_basedir 20050120 [USN-66-1] PHP vulnerabilities 1011984 RHSA-2005:405 RHSA-2005:406 11557 FLSA:2344 php-openbasedir-restriction-bypass(17900) oval:org.mitre.oval:def:9279 Unknown vulnerability in the tcsetattr function for Sun Solaris for SPARC 2.6, 7, and 8 allows local users to cause a denial of service (system hang). 57474 ESB-2004.0085 VU#379390 9548 solaris-tcsetattr-dos(14998) The pfexec function for Sun Solaris 8 and 9 does not properly handle when a custom profile contains an invalid entry in the exec_attr database, which may allow local users with custom rights profiles to execute profile commands with additional privileges. 57453 ESB-2004.0079 9534 1008893 solaris-pfexec-gain-privileges(14988) The Lithtech engine, as used in (1) Contract Jack 1.1 and earlier, (2) No one lives forever 2 1.3 and earlier, (3) Tron 2.0 1.042 and earlier, (4) F.E.A.R. (First Encounter Assault and Recon), and possibly other games, allows remote attackers to cause a denial of service (connection refused) via a UDP packet that causes recvfrom to generate a return code that causes the listening loop to exit, as demonstrated using zero byte packets or packets between 8193 and 12280 bytes, which result in conditions that are not "Operation would block." http://aluigi.altervista.org/adv/lithsock-adv.txt 20041213 Socket unreacheable in the Lithtech engine (new protocol) 20051021 F.E.A.R. 1.01 likes lithsock 20041213 Socket unreacheable in the Lithtech engine (new protocol) 11902 lithtech-engine-communication-dos(18456) Winamp 5.07 and possibly other versions, allows remote attackers to cause a denial of service (application crash or CPU consumption) via (1) an mp4 or m4a playlist file that contains invalid tag data or (2) an invalid .nsv or .nsa file. http://forums.winamp.com/showthread.php?s=&threadid=202007 20041213 Winamp 5.07 (latest version) Remote Crash + other stupid shizle 20041213 Winamp 5.07 (latest version) Remote Crash + other 1012525 VU#372968 11909 winamp-mp4-m4a-dos(18466) winamp-nsa-nsv-dos(18467) Cross-site scripting (XSS) vulnerability in UseModWiki 1.0 allows remote attackers to inject arbitrary web script or HTML via an argument to wiki.pl. 20041214 STG Security Advisory: [SSA-20041209-13] UseModWiki XSS vulnerability 11924 usemodwiki-wiki-xss(18458) Format string vulnerability in prelink.c in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via format string specifiers in the extension argument. 20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANUM 7 HELPER APP - LOCAL ROOT COMROMISE] 20041214 Possible local root vulnerability in Roxio Toast on Mac OS X http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt 11926 20031 roxio-toast-tdixsupport-format-string(18472) Directory traversal vulnerability in the Attachment module 2.3.10 and earlier for phpBB allows remote attackers to read arbitrary files via a .. (dot dot) in the filename. 20041214 phpBB Attachment Mod Directory Traversal HTTP POST Injection 11893 attachment-mod-directory-traversal(18437) The control panel in ASP Calendar does not require authentication to access, which allows remote attackers to gain unauthorized access via a direct request to main.asp. 20041214 ASP Calendar Vulnerability <www.ashiyane.com> 11931 asp-calendar-gain-access(18474) SQL injection vulnerability in verify.asp in Asp-rider allows remote attackers to execute arbitrary SQL statements and bypass authentication via the username parameter. 20041214 ASP-rider is vulnerable to sql injection attack 11933 asp-rider-verify-sql-injection(18479) SQL injection vulnerability in iWebNegar allows remote attackers to execute arbitrary SQL commands via (1) the string parameter for index.php, (2) comments.php, or (3) the administrator login page. 20041215 iwebnegar is vulnerable to all kind of sql injections 11946 iwebnegar-sql-injection(18505) PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 and earlier allows remote attackers to execute arbitrary PHP code by modifying the doc parameter to reference a URL on a remote web server that contains the code. 20041215 STG Security Advisory: [SSA-20041214-14] GNUBoard PHP injection vulnerability http://sir.co.kr/?doc=bbs/gnuboard.php&bo_table=pds&page=1&wr_id=1871 11948 gnuboard-doc-index-file-include(18494) Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime, does not properly handle files with multiple file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code. 20041216 STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files with multiple extensions in phpBB Attachment Mod http://www.opentools.de/board/viewtopic.php?t=3590 11893 attachment-mod-file-upload(18438) MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code. 20041216 STG Security Advisory: [SSA-20041215-19] Vulnerability of uploading files with multiple extensions in MediaWiki http://wikipedia.sourceforge.net/ 11985 SQL injection vulnerability in ikonboard.cgi in Ikonboard 3.1.0 through 3.1.3 allows remote attackers to inject arbitrary SQL commands via the (1) st or (2) keywords parameter. 20041216 [MaxPatrol] SQL-injection in Ikonboard 3.1.x 11982 ikonboard-ikonboard-sql-injection(18533) Multiple directory traversal vulnerabilities in singapore Image Gallery Web Application 0.9.10 allow remote attackers to (1) read arbitrary files via the showThumb method for thumb.php, or (2) delete arbitrary files via admin.class.php. 20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities http://www.security.org.sg/vuln/singapore0910.html 11990 singapore-thumb-directory-traversal(18528) singapore-adminclass-directory-traversal(18532) The addImage method for admin.class.php in Image Gallery Web Application 0.9.10 does not properly check filenames, which allows remote attackers to upload and execute arbitrary files. 20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities 11990 singapore-adminclass-file-upload(18531) Multiple cross-site scripting vulnerabilities in Image Gallery Web Application 0.9.10 allow remote attackers to inject arbitrary web script or HTML. 20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities 11990 Cross-site scripting (XSS) vulnerability in Gadu-Gadu build 155 and earlier allows remote attackers to inject arbitrary web script via a URL, which is echoed in a popup window that displays a parsing error message, a different vulnerability than CVE-2004-1229. 20041217 Gadu-Gadu, another two bugs 11998 Gadu-Gadu build 155 and earlier allows remote attackers to cause a denial of service (infinite loop) via a message that contains an image whose filename does not start with restricted characters. 20041217 Gadu-Gadu, another two bugs 11998 gadu-gadu-image-dos(18580) Cross-site scripting (XSS) vulnerability in index.php in Kayako eSupport 2.x allows remote attackers to inject arbitrary web script or HTML via the searchm parameter. 20041218 Multiple Vulnerabilities In Kayako eSupport v2.x http://www.gulftech.org/?node=research&article_id=00056-12182004 12037 kayako-index-xss(18571) Multiple SQL injection vulnerabilities in Kayako eSupport 2.x allow remote attackers to execute arbitrary SQL commands via the (1) subcat, (2) rate, (3) questiondetails, (4) ticketkey22, (5) email22 parameters to index.php, or (6) the e-mail field of the Forgot Key feature. 20041218 Multiple Vulnerabilities In Kayako eSupport v2.x http://www.gulftech.org/?node=research&article_id=00056-12182004 12037 kayako-sql-injection(18572) Gadu-Gadu 6.1 build 156 allows remote attackers to cause a denial of service (application hang) via a message that contains many special strings that are converted to images. 20041220 Gadu-Gadu Remote DoS (all versions) http://www.soltysiak.com/gg-dos.txt SQL injection vulnerability in (1) disp_album.php and possibly (2) disp_img.php in 2Bgal 2.4 and 2.5.1 allows remote attackers to execute arbitrary SQL commands via the id_album parameter. 20041222 2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability 12083 2bgal-dispalbum-sql-injection(18645) pnxr3260.dll in the RealOne 2.0 build 6.0.11.868 browser plugin, as used in Internet Explorer, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embed tag. 20041222 Realone2.0 "pnxr3260.dll" Lets Remote Users IE Browser Crash Cross-site scripting (XSS) vulnerability in login.php in PsychoStats 2.2.4 Beta and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter. 20041223 Cross Site Scripting In PsychoStats 2.2.4 Beta && Earlier http://www.gulftech.org/?node=research&article_id=00057-12222004 http://www.psychostats.com/forums/viewtopic.php?t=11022 12089 psychostats-login-xss(18651) Cross-site scripting (XSS) vulnerability in WPKontakt 3.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via an e-mail address, which is not quoted when a parsing error is generated. 20041223 WPkontakt message parsing error 12097 wpkontakt-email-command-execution(18685) PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) _zb_path parameter to outlogin.php or (2) dir parameter to write.php to reference a URL on a remote web server that contains the code. requires that register_globals be enabled 20041223 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard 20041224 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard 1012677 12103 zeroboard-outlogin-file-include(18677) zeroboard-write-file-include(18679) Multiple cross-site scripting (XSS) vulnerabilities in header.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) site_title or (2) http_images parameter. 20041228 Multiple WHM Autopilot Vulnerabilities 20041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ] http://www.gulftech.org/?node=research&article_id=00059-12272004 12119 http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html whm-autopilot-header-xss(18700) Multiple PHP remote file inclusion vulnerabilities (1) step_one.php, (2) step_one_tables.php, (3) step_two_tables.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the server_inc parameter to reference a URL on a remote web server that contains the code. 20041228 Multiple WHM Autopilot Vulnerabilities 20041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ] 1012707 http://www.gulftech.org/?node=research&article_id=00059-12272004 12119 http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html whm-autopilot-php-file-include(18699) WHM AutoPilot 2.4.6.5 and earlier allows remote attackers to gain sensitive information via phpinfo, which reveals php settings. 20041228 Multiple WHM Autopilot Vulnerabilities 20041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ] http://www.gulftech.org/?node=research&article_id=00059-12272004 12119 http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html whm-autopilot-information-disclosure(18701) Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP-Calendar before 0.10.1, as used in Commonwealth of Massachusetts Virtual Law Office (VLO) and other products, allow remote attackers to execute arbitrary PHP code via a URL in the phpc_root_path parameter to (1) includes/calendar.php or (2) includes/setup.php. 20041229 php-Calendar File Include Vulnerability [ Command Exec ] 1017107 http://sourceforge.net/project/shownotes.php?release_id=296020&group_id=46800 http://www.gulftech.org/?node=research&article_id=00060-12292004 20061021 Virtual Law Office (phpc_root_path) Remote File Include Vulnerability 12127 20657 ADV-2006-4145 php-calendar-file-include(18710) vlo-phpcrootpath-file-include(29710) 2608 Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter. 20041227 Multiple Vulnerabilities in Moodle 20041230 Re: Multiple Vulnerabilities in Moodle 12120 moodle-view-search-xss(18702) Directory traversal vulnerability in file.php in Moodle 1.4.2 and earlier allows remote attackers to read arbitrary session files for known session IDs via a .. (dot dot) in the file parameter. 20041227 Multiple Vulnerabilities in Moodle 20041230 Re: Multiple Vulnerabilities in Moodle 12120 moodle-directory-traversal(18550) Directory traversal vulnerability in index.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to read arbitrary files and execute arbitrary PHP files via .. (dot dot) sequences in the lng parameter. 20041230 KorWeblog php injection Vulnerability 12132 PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a remote web server that contains the code, as demonstrated in index.php when using .. (dot dot) sequences in the lng parameter to cause main.inc to be loaded. 20041230 KorWeblog php injection Vulnerability 12132 korweblog-install-file-include(18717) ArGoSoft FTP before 1.4.2.1 generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. 20041231 ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks 1012744 http://www.argosoft.com/ftpserver/changelist.aspx http://www.lovebug.org/argosoft_advisory.txt 12139 argosoft-information-disclosure(18721) ArGoSoft FTP 1.4.2.4 and earlier does not limit the number of times that a bad password can be entered, which makes it easier for remote attackers to guess passwords via a brute force attack. 20041231 ArGoSoft FTP Server reveals valid usernames and allows for brute argosoft-bruteforce(18722) SQL injection vulnerability in the show_stats module in Arcade.php in IbProArcade allows remote attackers to execute arbitrary SQL code via the gameid parameter. 20041231 SQL Injection Vulnerability In IBProArcade 12138 ibproarcade-gameid-sql-injection(18720) FormMail.php 5.0, and possibly other versions, allows remote attackers to read arbitrary files via a full pathname in the ar_file (auto-reply) parameter. 20041231 Jacks FormMail.php remote file access vulnerability 12145 jack-formmail-arfile-view-files(18724) Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via malformed (1) IP or (2) ICMP packets. 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities VU#918920 VU#969344 10768 cisco-ons-ip-dos(16760) cisco-ons-icmp-dos(16761) Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, and ONS 15600 1.x(x), allows remote attackers to cause a denial of service (control card reset) via malformed (1) TCP and (2) UDP packets. 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities VU#486224 VU#800384 10768 cisco-ons-tcp-dos(16762) cisco-ons-udp-dos(16764) Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.1(0) to 4.1(2), 4.5(x), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via malformed SNMP packets. 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities VU#548968 10768 cisco-ons-snmp-dos(16765) Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via a large number of TCP connections with an invalid response instead of the final ACK (TCP-ACK). 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities VU#277048 10768 cisco-ons-tcp-ack-dos(16763) The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password larger than 10 characters. 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities VU#760432 10768 cisco-ons-tl1-auth-bypass(16766) Multiple buffer overflows in the digest authentication functionality in Pavuk 0.9.28-r2 and earlier allow remote attackers to execute arbitrary code. GLSA-200407-19 10797 pavuk-digest-auth-bo(16807) The mod_authz_svn Apache module for Subversion 1.0.4-r1 and earlier allows remote authenticated users, with write access to the repository, to read unauthorized parts of the repository via the svn copy command. 60 1010779 http://svn.collab.net/repos/svn/tags/1.0.6/CHANGES GLSA-200407-20 10800 subversion-modauthzsvn-restriction-bypass(16803) Buffer overflow in BlackJumboDog 3.x allows remote attackers to execute arbitrary code via long FTP commands such as (1) USER, (2) PASS, (3) RETR,(4) CWD, (5) XMKD, and (6) XRMD. 20040910 BlackJumboDog FTP Server version 3.6.1 Buffer Overflow [Exploit included] VU#714584 http://www.security.org.sg/vuln/bjd361.html 10834 blackjumbodog-long-string-bo(16842) Multiple heap-based buffer overflows in the modpow function in PuTTY before 0.55 allow (1) remote attackers to execute arbitrary code via an SSH2 packet with a base argument that is larger than the mod argument, which causes the modpow function to write memory before the beginning of its buffer, and (2) remote malicious servers to cause a denial of service (client crash) and possibly execute arbitrary code via a large bignum during authentication. 20040804 CORE-2004-0705: Vulnerabilities in PuTTY and PSCP http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modpow.html GLSA-200408-04 10850 putty-code-execution(16885) Cross-site scripting (XSS) vulnerability in icq.cgi in Board Power 2.04PF allows remote attackers to inject arbitrary web script or HTML via the action parameter. 20040715 XSS in Board Power forum VU#744590 10734 boardpower-icq-xss(16698) Cross-site scripting (XSS) vulnerability in db2www CGI interpreter in IBM Net.Data 7 and 7.2 allows remote attackers to inject arbitrary web script or HTML via a macro filename, which is not properly handled by error messages such as "DTWP001E." 20040126 Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability VU#197318 http://www.kb.cert.org/vuls/id/DMOA-5VNPEL 9488 1008845 ibm-netdata-db2wwwcomponent-xss(14925) Cross-site scripting (XSS) vulnerability in the inline MIME viewer in Horde-IMP (Internet Messaging Program) 3.2.4 and earlier, when used with Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via an e-mail message. http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.106&r2=1.389.2.109&ty=h GLSA-200408-07 10845 imp-html-viewer-xss(16866) Directory traversal vulnerability in Roundup 0.6.4 and earlier allows remote attackers to view arbitrary files via .. (dot dot) sequences in an @@ command in an HTTP GET request. http://packetstormsecurity.nl/0406-exploits/roundUP.txt 1010415 http://sourceforge.net/tracker/index.php?func=detail&aid=961511&group_id=31577&atid=402788 GLSA-200408-09 10495 roundup-get-view-file(16350) A race condition in nessus-adduser in Nessus 2.0.11 and possibly earlier versions, if the TMPDIR environment variable is not set, allows local users to gain privileges. GLSA-200408-11 10784 nessus-adduser-race-condition(16768) Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewall 3.x through 5.x allows remote attackers to cause a denial of service (device reboot or hang) via a crafted SSH v1 packet. http://www.juniper.net/support/security/alerts/screenos-sshv1-2.txt VU#749870 10854 netscreen-screenos-sshv1-dos(16876) Jetbox One 2.0.8 and possibly other versions stores passwords in the database in plaintext, which could allow attackers to gain sensitive information. http://echo.or.id/adv/adv03-y3dips-2004.txt VU#586720 20040804 vulnerabilities in JetboxOne CMS 10858 jetbox-one-plaintext-password(16898) Jetbox One 2.0.8 and possibly other versions allow remote attackers with Author privileges in the IMAGES module to upload PHP files and execute arbitrary code. http://echo.or.id/adv/adv03-y3dips-2004.txt VU#417408 20040804 vulnerabilities in JetboxOne CMS 10859 jetbox-one-file-upload(16900) Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allows remote attackers to determine the location of files on a user's hard drive by obscuring a file upload control and tricking the user into dragging text into that control. http://bugzilla.mozilla.org/show_bug.cgi?id=206859#c0 Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows remote attackers to read arbitrary files in known locations. http://bugzilla.mozilla.org/show_bug.cgi?id=239122 http://www.mozilla.org/projects/security/known-vulnerabilities.html Mozilla before 1.6 does not display the entire URL in the status bar when a link contains %00, which could allow remote attackers to trick users into clicking on unknown or untrusted sites and facilitate phishing attacks. http://bugzilla.mozilla.org/show_bug.cgi?id=228176 http://www.mozilla.org/projects/security/known-vulnerabilities.html Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions on the init scripts as tomcat:tomcat, but executes the scripts with root privileges, which could allow local users in the tomcat group to execute arbitrary commands as root by modifying the scripts. GLSA-200408-15 10951 gentoo-tomcat-gain-privileges(16993) GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program. http://bugs.gentoo.org/show_bug.cgi?id=59526 GLSA-200408-16 RHSA-2005:256 RHSA-2005:261 10963 glibc-suid-info-disclosure(17006) oval:org.mitre.oval:def:10762 Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) enabled, allows remote attackers to cause a denial of service (device reload) via a malformed OSPF packet. O-199 20040818 Cisco IOS Malformed OSPF Packet Causes Reload VU#989406 10971 cisco-ios-ospf-dos(17033) Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via crafted playlists that result in a long vcd:// URL. 20040817 Open Security Group Advisory #6 GLSA-200408-18 10890 xine-vcd-identifier-bo(16930) filediff in CVStrac allows remote attackers to execute arbitrary commands via shell metacharacters in rcsinfo. 20040805 CVStrac Remote Arbitrary Code Execution exploit http://www.cvstrac.org/cvstrac/chngview?cn=316 http://www.cvstrac.org/cvstrac/tktview?tn=339 VU#770816 10878 cvstrac-command-execute(16929) The Virtual Private Network (VPN) capability in Novell Bordermanager 3.8 allows remote attackers to cause a denial of service (ABEND in IKE.NLM) via a malformed IKE packet, as sent by the Striker ISAKMP Protocol Test Suite. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10093576.htm VU#432097 10727 novell-bordermanger-ikenlm-dos(16697) The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002. O-203 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server 11047 ciscosecure-csadmin-tcp-dos(17114) Cisco Secure Access Control Server (ACS) 3.2, when configured as a Light Extensible Authentication Protocol (LEAP) RADIUS proxy, allows remote attackers to cause a denial of service (device crash) via certain LEAP authentication requests. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server 11047 ciscosecure-leap-radius-dos(17116) Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when configured with an anonymous bind in Novell Directory Services (NDS) and authenticating NDS users with NDS, allows remote attackers to gain unauthorized access to AAA clients via a blank password. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server 11047 ciscosecure-nds-blank-authentication(17117) Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a separate unauthenticated TCP connection on a random port when a user authenticates to the ACS GUI, which allows remote attackers to bypass authentication by connecting to that port from the same IP address. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server 11047 ciscosecure-csadmin-auth-bypass(17118) Unknown vulnerability in MoinMoin 1.2.2 and earlier allows remote attackers to gain unauthorized access to administrator functions such as (1) revert and (2) delete. GLSA-200408-25 10805 moinmoin-acl-gain-privileges(16833) https://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801 Unknown vulnerability in the PageEditor in MoinMoin 1.2.2 and earlier, related to Access Control Lists (ACL), has unknown impact. http://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801 GLSA-200408-25 10801 moinmoin-pageeditor-gain-privilege(16832) Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections), via a crafted TCP connection to the Telnet or reverse Telnet port. 1011079 20040827 Cisco Telnet Denial of Service Vulnerability VU#384230 11060 cisco-ios-telnet-dos(17131) Multiple buffer overflows in WinZip 9.0 and earlier may allow attackers to execute arbitrary code via multiple vectors, including the command line. 20040901 WinZip Unspecified Buffer Overflows May Let Remote or Local Users Execute Arbitrary Code 1011132 O-211 11092 http://www.winzip.com/wz90sr1.htm winzip-code-execution(17192) winzip-command-line-bo(17197) The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root. 20040817 Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0 GLSA-200409-05 10968 gallery-savephotos-file-upload(17021) Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.0.00.003 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) date or search text field in the calendar module, (2) Field parameter, Filter parameter, QField parameter, Start parameter or Search field in the address module, (3) Subject field in the message module or (4) Subject field in the Ticket module. http://sourceforge.net/forum/forum.php?forum_id=401807 GLSA-200409-06 20040822 Multiple Cross Site Scripting Vulnerabilities in eGroupWare 11013 egroupware-mult-modules-xss(17078) The web mail functionality in Usermin 1.x and Webmin 1.x allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail message. GLSA-200409-15 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/77_e.html 1122 usermin-web-mail-command-execution(17293) Format string vulnerability in the log function in SUS 2.0.2, and other versions before 2.0.6, allows local users to execute arbitrary code via format string specifiers in a command line argument that is passed directly to syslog. 20040914 SUS 2.0.2 local root vulnerability http://pdg.uow.edu.au/sus/CHANGES http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01 GLSA-200409-17 11176 sus-log-format-string(17361) CRLF injection vulnerability in SnipSnap 0.5.2a, and other versions before 1.0b1, allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server. 20040914 ADVISORY: http response splitting in snipsnap GLSA-200409-23 11180 http://www.snipsnap.org/space/start snipsnap-response-splitting(17364) Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line. Failed exploit attempts will likely cause a denial of service condition. FreeBSD-SA-04:14 20040609 Advisory 09/2004: More CVS remote vulnerabilities 10499 cvs-wrapper-format-string(16365) Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 allow remote attackers to cause a denial of service (device freeze) via a fast UDP port scan on the WAN interface. 20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html VU#441078 11237 symantec-firewallvpn-udp-dos(17469) Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 allow remote attackers to bypass filtering and determine whether the device is running services such as tftpd, snmpd, or isakmp via a UDP port scan with a source port of UDP 53. 20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html VU#329230 11237 symantec-udp-obtain-info(17470) Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 uses a default read/write SNMP community string, which allows remote attackers to alter the firewall's configuration file. 20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html VU#173910 11237 symantec-default-snmp(17471) Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD vcd:// MRLs or (2) long subtitle lines. GLSA-200408-18 GLSA-200409-30 20040907 XSA-2004-4: multiple string overflows 11206 http://xinehq.de/index.php/security/XSA-2004-4 xine-videocd-mrl-bo(17430) xine-subtitle-bo(17432) Stack-based buffer overflow in the VideoCD (VCD) code in xine-lib 1-rc2 through 1-rc5, as derived from libcdio, allows attackers to execute arbitrary code via a VideoCD with an unterminated disk label. GLSA-200409-30 20040907 XSA-2004-4: multiple string overflows 11206 http://xinehq.de/index.php/security/XSA-2004-4 xine-videocd-disk-bo(17431) Cross-site scripting (XSS) vulnerability in the Management Console in JRun 4.0 allows remote attackers to execute arbitrary web script or HTML and possibly hijack a user's session. 20040923 New Macromedia Security Zone Bulletins Posted VU#668206 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html 11245 jrun-management-console-xss(17483) JRun 4.0 does not properly generate and handle the JSESSIONID, which allows remote attackers to perform a session fixation attack and hijack a user's HTTP session. 20040923 New Macromedia Security Zone Bulletins Posted VU#584958 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html 11245 jrun-jsessionid-hijack(17481) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0928. Reason: This candidate is a duplicate of CVE-2004-0928. Notes: All CVE users should reference CVE-2004-0928 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in the management station in HP StorageWorks Command View XP 1.8B and earlier allows remote attackers to bypass access restrictions. SSRT4794 1011407 11249 hp-storageworks-restriction-bypass(17490) Integer overflow in pnen3260.dll in RealPlayer 8 through 10.5 (6.0.12.1040) and earlier, and RealOne Player 1 or 2 on Windows or Mac OS, allows remote attackers to execute arbitrary code via a SMIL file and a .rm movie file with a large length field for the data chunk, which leads to a heap-based buffer overflow. 20041001 EEYE: RealPlayer pnen3260.dll Heap Overflow 11309 http://www.service.real.com/help/faq/security/040928_player/EN/ realplayer-rm-code-execution(17549) The sbuf_getmsg function in BNC incorrectly handles backspace characters, which could allow remote attackers to bypass authentication and gain access to arbitrary scripts. GLSA-200410-13 11355 bnc-backspace-command-execution(17672) Multiple unknown vulnerabilities in the ActiveX and HTML file browsers in Symantec Clientless VPN Gateway 4400 Series 5.0 have unknown attack vectors and unknown impact. ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt VU#760256 10903 symantec-clientless-file-browsers(16933) Format string vulnerability in the _msg function in error.c in socat 1.4.0.3 and earlier, when used as an HTTP proxy client and run with the -ly option, allows remote attackers or local users to execute arbitrary code via format string specifiers in a syslog message. http://www.dest-unreach.org/socat/advisory/socat-adv-1.html GLSA-200410-26 http://www.nosystem.com.ar/advisories/advisory-07.txt 11505 socat-format-string(17822) Buffer overflow in the TFTP client in InetUtils 1.4.2 allows remote malicious DNS servers to execute arbitrary code via a large DNS response that is handled by the gethostbyname function. 20041026 inetutils tftp client, DNS resolving bofs 11527 inetutils-tftp-dns-bo(17878) Unknown vulnerability in Serviceguard A.11.13 through A.11.16.00 and Cluster Object Manager A.01.03 and B.01.04 through B.03.00.01 on HP-UX, Serviceguard A.11.14.04 and A.11.15.04 and Cluster Object Manager B.02.01.02 and B.02.02.02 on HP Linux, allow remote attackers to gain privileges via unknown attack vectors. SSRT3526 11507 hp-cluster-serviceguard-gain-privileges(17867) wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261755 20041209 wget: Arbitrary file overwriting/appending/creating and other vulnerabilities 1012472 RHSA-2005:771 11871 wget-file-overwrite(18420) oval:org.mitre.oval:def:11682 USN-145-1 wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261755 20041209 wget: Arbitrary file overwriting/appending/creating and other vulnerabilities 1012472 SUSE-SR:2006:016 RHSA-2005:771 11871 wget-terminal-overwrite(18421) oval:org.mitre.oval:def:9750 USN-145-1 Opera 7.54 and earlier does not properly limit an applet's access to internal Java packages from Sun, which allows remote attackers to gain sensitive information, such as user names and the installation directory. 20041119 Java Vulnerabilities in Opera 7.54 GLSA-200502-17 http://www.opera.com/linux/changelogs/754u1/ Opera 7.54 and earlier allows remote attackers to spoof file types in the download dialog via dots and non-breaking spaces (ASCII character code 160) in the (1) Content-Disposition or (2) Content-Type headers. GLSA-200502-17 http://www.opera.com/linux/changelogs/754u1/ 11883 opera-file-type-spoofing(18423) Opera 7.54 and earlier uses kfmclient exec to handle unknown MIME types, which allows remote attackers to execute arbitrary code via a shortcut or launcher that contains an Exec entry. SUSE-SR:2005:008 GLSA-200502-17 http://www.opera.com/linux/changelogs/754u2/ 11901 http://www.zone-h.org/advisories/read/id=6503 pera-kfmclient-command-execution(18457) Master of Orion III 1.2.5 and earlier allows remote attackers to cause a denial of service (game exit) via a data packet that contains a large size specifier, which causes a large memory allocation to fail. 20041027 Crashs in Master of Orion III 1.2.5 11550 master-of-orion-size-dos(17908) Master of Orion III 1.2.5 and earlier allows remote attackers to cause a denial of service (server crash) via multiple connections with long nicknames, possibly triggering a buffer overflow. 20041027 Crashs in Master of Orion III 1.2.5 http://packetstormsecurity.nl/0410-advisories/masterOrionIII.txt 11550 master-of-orion-nickname-dos(17884) Buffer overflow in the Screen Fetch option in XDICT 2002 through 2005 allows remote attackers to cause a denial of service ( CPU consumption or application exit) and possibly execute arbitrary code via a long string. 20041101 XDICT Buffer OverRun Vulnerability,funny :-) 20041101 XDICT Buffer OverRun Vulnerability,funny :-) http://secway.org/Advisory/Ad20041026EN.txt xdict-screen-fetch-bo(17929) The Repair Archive command in WinRAR 3.40 allows remote attackers to cause a denial of service (application crash) via a corrupt ZIP archive. 20041102 Medium Risk Vulnerability in WinRAR http://www.rarlabs.com/rarnew.htm 11581 winrar-repair-archive(17937) Directory traversal vulnerability in Web Forums Server 1.6 and 2.0 Power Pack allows remote attackers to read arbitrary files via a URL containing (1) "..\" (dot dot backslash), (2) "../" (dot dot slash), (3) "/%2E%2E%5C" (encoded dot dot backslash), or (4) "%2E%2E%2F" (encoded dot dot slash). 20041102 Multiple Vulnerabilities in Web Forums Server Web Forums Server 1.6 and 2.0 Power Pack stores passwords in plaintext in the Username.ini file, which allows local users to gain privileges. 20041102 Multiple Vulnerabilities in Web Forums Server SQL injection vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary SQL commands via the messageToUserAccNum parameter. 20041102 [Hat-Squad] SQL injection and XSS Vulnerabilities in HELM http://www.hat-squad.com/en/000077.html 11586 Cross-site scripting (XSS) vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary web script or HTML via the Subject field. 20041102 [Hat-Squad] SQL injection and XSS Vulnerabilities in HELM http://www.hat-squad.com/en/000077.html 11586 helm-subject-xss(17943) Format string vulnerability in the Lithtech engine, as used in multiple games, allows remote authenticated users to cause a denial of service (application crash) via format string specifiers in (1) a nickname or (2) a message. http://aluigi.altervista.org/adv/lithfs-adv.txt 20041105 In-game format string bug in the Lithtech engine 11610 lithtech-format-string(17972) The webmail service in 602 Lan Suite 2004.0.04.0909 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) by sending a POST request with a large Content-Length value, then disconnecting without sending that amount of data. 20041106 Resources consumption in 602 Lan Suite 2004.0.04.0909 602pro-mail-post-dos(17977) The Telnet proxy in 602 Lan Suite 2004.0.04.0909 and earlier allows remote attackers to cause a denial of service (socket exhaustion) via a Telnet request to an IP address of the proxy's network interface, which causes a loop. 20041106 Resources consumption in 602 Lan Suite 2004.0.04.0909 602pro-telnet-loopback-dos(17979) Integer overflow in the InitialDirContext in Java Runtime Environment (JRE) 1.4.2, 1.5.0 and possibly other versions allows remote attackers to cause a denial of service (Java exception and failed DNS requests) via a large number of DNS requests, which causes the xid variable to wrap around and become negative. 20041108 DOS against Java JNDI/DNS 11619 sun-jre-dns-dos(17990) The displaycontent function in config.php for Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to gain sensitive information via a blank show parameter, which reveals the installation path in an error message, as demonstrated using index.php. http://echo.or.id/adv/adv08-y3dips-2004.txt 20041109 Vulnerabilities in JAF CMS jaf-cms-path-disclosure(18006) Directory traversal vulnerability in index.php in Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to read arbitrary files and possibly execute PHP code via a .. (dot dot) in the show parameter. http://echo.or.id/adv/adv08-y3dips-2004.txt 20041109 Vulnerabilities in JAF CMS 11627 jaf-cms-file-inlcude(17983) Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar allow remote attackers to inject arbitrary web script via (1) view_entry.php, (2) view_d.php, (3) usersel.php, (4) datesel.php, (5) trailer.php, or (6) styles.php, as demonstrated using img srg tags. 20041109 Multiple Vulnerabilities in WebCalendar 11651 webcalendar-img-src-xss(18026) CRLF injection vulnerability in login.php in WebCalendar allows remote attackers to inject CRLF sequences via the return_path parameter and perform HTTP Response Splitting attacks to modify expected HTML content from the server. 20041109 Multiple Vulnerabilities in WebCalendar 11651 webcalendar-response-splitting(18027) init.php in WebCalendar allows remote attackers to execute arbitrary local PHP scripts via the user_inc parameter. 20041109 Multiple Vulnerabilities in WebCalendar 11651 webcalendar-init-file-include(18028) validate.php in WebCalendar allows remote attackers to gain sensitive information via an invalid encoded_login parameter, which reveals the full path in an error message. 20041109 Multiple Vulnerabilities in WebCalendar 11651 webcalendar-encodedlogin-path-disclosure(18029) WebCalendar allows remote attackers to gain privileges by modifying critical parameters to (1) view_entry.php or (2) upcoming.php. 20041109 Multiple Vulnerabilities in WebCalendar 11651 webcalendar-scripts-gain-access(18030) Hotfoon 4.0 does not notify users before opening links in web browsers, which could allow remote attackers to execute arbitrary code via a certain link sent in a chat window. 20041110 Hotfoon Ver 4.0 Highv Risk hotfoon-url-command-execution(18038) Cross-site scripting (XSS) vulnerability in Response_default.html in 04WebServer 1.42 allows remote attackers to execute arbitrary web script or HTML via script code in the URL, which is not quoted in the resulting default error page. 20041110 04WebServer Three Vulnerabilities 20041115 Re: 04WebServer Three Vulnerabilities http://www.security.org.sg/vuln/04webserver142.html 11652 http://www.soft3304.net/04WebServer/Security.html 04webserver-error-xss(18033) 04WebServer 1.42 does not adequately filter data that is written to log files, which could allow remote attackers to inject carriage return characters into the log file and spoof log entries. 20041110 04WebServer Three Vulnerabilities 20041115 Re: 04WebServer Three Vulnerabilities http://www.security.org.sg/vuln/04webserver142.html 11652 http://www.soft3304.net/04WebServer/Security.html 04webserver-web-log-spoofing(18034) 04WebServer 1.42 allows remote attackers to cause a denial of service (fail to restart properly) via an HTTP request for an MS-DOS device name such as COM2. 20041110 04WebServer Three Vulnerabilities 20041115 Re: 04WebServer Three Vulnerabilities http://www.security.org.sg/vuln/04webserver142.html 11652 http://www.soft3304.net/04WebServer/Security.html 04webserver-dos-devices-dos(18036) SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL statements via the fsel parameter, as demonstrated using last.php. 20041111 SQL injection in vBulletin forums (last10.php) CRLF injection vulnerability in index.php in phpWebSite 0.9.3-4 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the block_username parameter in the user module. 20041111 security hole (http response splitting) in phpwebsite http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=863&ANN_user_op=view GLSA-200411-35 11673 phpwebsite-response-splitting(18046) Zone Labs IMsecure and IMsecure Pro before 1.5 allow remote attackers to bypass Active Link Filtering via an instant message containing a URL with hex encoded file extensions. http://download.zonelabs.com/bin/free/securityAlert/16.html 20041111 Zone Labs IMsecure Active Link Filter Bypass 11662 imsecure-active-link-bypass(18042) SQL injection vulnerability in follow.php in Phorum 5.0.12 and earlier allows remote authenticated users to execute arbitrary SQL command via the forum_id parameter. 20041111 [waraxe-2004-SA#037 - Sql injection bug in Phorum 5.0.12 and older versions] 20041111 [waraxe-2004-SA#037 - Sql injection bug in Phorum 5.0.12 and older versions] 11660 phorum-followphp-sql-injection(18045) SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows remote attackers to execute arbitrary SQL commands via (1) the bug_id parameter in a viewvotes operation or (2) the project parameter in an add operation. 20041112 SQL Injection in phpBT (bug.php) 20041112 SQL Injection in phpBT (bug.php - Add) 20041112 SQL Injection in phpBT (bug.php) add project phpbugtracker-bug-sql-injection(18053) phpbugtracker-project-sql-injection(18079) Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command. 20041112 IPSwitch-IMail-8.13 Stack Overflow in the DELETE Command 11675 ipswitch-delete-bo(18058) Eudora 6.2.0.14 does not issue a warning when a user forwards an e-mail message that contains base64 or quoted-printable encoded attachments, which makes it easier for remote attackers to read arbitrary files via spoofed "Converted" headers. 20041113 Eudora 6.2 attachment spoof 20041113 Eudora 6.2 attachment spoof http://packetstormsecurity.nl/0411-exploits/eudora62014.txt eudora-base64-attach-spoof-variant(18064) Format string vulnerability in Army Men RTS 1.0 allows remote attackers to cause a denial of service (application crash) via a nickname that contains format strings. 20041114 Format string bug in Army Men RTS 20041114 Format string bug in Army Men RTS 11679 army-men-rts-format-string(18065) Format string vulnerability in the game console in Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (application crash) via format string specifiers in a message. 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) 11683 hired-team-format-string(18083) Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (game interruption) via a malformed UDP packet sent to a game port, such as port 29200. 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) 11683 hired-team-udp-dos(18085) Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (application crash) via the status command. 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) 11683 hired-team-status-dos(18086) Hired Team: Trial 2.0 and earlier and 2.200 does not limit how game players can kick other players off the server, including the administrator. 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) Microsoft Internet Explorer 6.0 SP1 does not properly handle certain character strings in the Path attribute, which can cause it to modify cookies in other domains when the attacker's domain name is within the target's domain name or when wildcard DNS is being used, which allows remote attackers to hijack web sessions. 20041115 [SNS Advisory No.79] A Possibility of Cookie Overwrite in Microsoft Internet Explorer http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html 11680 ie-path-cookie-overwrite(18073) The Event Calendar module 2.13 for PHP-Nuke allows remote attackers to gain sensitive information via an HTTP request to (1) config.php, (2) index.php, or (3) submit.php, which reveal the full path in an error message. 20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke] 11693 http://www.waraxe.us/index.php?modname=sa&id=38 event-calendar-path-disclosure(18105) Cross-site scripting (XSS) vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary web script via the (1) type, (2) day, (3) month, or (4) year parameters in a Preview operation, or (5) event comments. 20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke] 11693 http://www.waraxe.us/index.php?modname=sa&id=38 event-calendar-xss(18106) event-calendar-comment-xss(18107) SQL injection vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the (1) eid or (2) cid parameters. 20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke] 11693 http://www.waraxe.us/index.php?modname=sa&id=38 event-calendar-sql-injection(18104) SQL injection vulnerability in post.php in Invision Power Board (IPB) 2.0.0 through 2.0.2 allows remote attackers to execute arbitrary SQL commands via the qpid parameter. http://forums.invisionpower.com/index.php?showtopic=154916 20041118 [MaxPatrol] SQL-injection in Invision Power Board 2.x 20050425 SQL-injections in Invision Power Board v2.0.1 20050427 Re: SQL-injections in Invision Power Board v2.0.1 11703 invisionpowerboard-sql-injection(18164) AppServ 2.5.x and earlier installs a default username and password, which allows remote attackers to gain access. 20041118 AppServ 2.5.x and Prior Exploit 11704 appserv-default-account(18163) Buffer overflow in pop3svr.exe for DMS POP3 1.5.3.27 and earlier allows remote attackers to cause a denial of service (service crash) via a long (1) username or (2) password. 20041118 Buffer overlow in DMS POP3 Server for Windows 2000/XP 1.5.3 build http://www.digitalmapping.sk.ca/pop3srv/Update.asp 11705 dms-pop3-username-bo(18161) ZoneAlarm and ZoneAlarm Pro before 5.5.062, with ad-blocking enabled, allows remote web sites to cause a denial of service (application instability or system hang) via certain JavaScript. http://download.zonelabs.com/bin/free/securityAlert/18.html 20041118 Zone Labs Ad-Blocking Instability 11706 zonealarm-adblock-dos(18159) PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code. 20041118 Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) 20041118 Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) phpbb-admincashphp-file-include(18151) SQL injection vulnerability in index.php in the ibProArcade module for Invision Power Board (IPB) 1.x and 2.x allows remote attackers to execute arbitrary SQL commands via the cat parameter. 20041120 IpbProArace 2.5.x SQL injection. 1012292 11719 ibproarcade-category-sql-injection(18180) Cross-site scripting (XSS) vulnerability in popup.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary web script via the img parameter. 20041122 PHPKIT SQL Injection, XSS 11725 phpkit-popup-xss(18204) SQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 20041122 PHPKIT SQL Injection, XSS 11725 phpkit-include-sql-injection(18205) Halo: Combat Evolved 1.05 and earlier allows remote game servers to cause a denial of service (client crash) via a long value in a game server reply, which triggers a NULL dereference. 20041122 Broadcast client crash in Halo 1.05 11724 halo-long-reply-dos(18196) ZyXEL Prestige 623, 650, and 652 HW Routers, and possibly other versions, with HTTP Remote Administration enabled, does not require a password to access rpFWUpload.html, which allows remote attackers to reset the router configuration file. 20041121 Router ZyXEL Prestige 650 HW http remote admin. 20041124 Re: Router ZyXEL Prestige 650 HW http remote admin. 1012298 11723 zyxel-configuration-reset(18202) SecureCRT 4.0, 4.1, and possibly other versions, allows remote attackers to execute arbitrary commands via a telnet:// URL that uses the /F option to specify a configuration file on a samba share. 20041123 SecureCRT - Remote Command Execution 11731 securecrt-folder-command-execution(18201) Buffer overflow in Soldier of Fortune II 1.03 Gold and earlier allows remote attackers to cause a denial of service (server or client crash) via a long (1) query or (2) reply. 20041123 Broadcast memory corruption in Soldier of Fortune II 1.03 11735 soldier-fortune-bo(18211) Directory traversal vulnerability in viewimg.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the path parameter. 20041124 STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability 20041124 STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability 11744 korweblog-viewimg-directory-traversal(18234) Cross-site scripting (XSS) vulnerability in Search.jsp in JSPWiki 2.1.120-cvs and earlier allows remote attackers to execute arbitrary web script as other users via the query parameter. 20041124 STG Security Advisory: [SSA-20041122-11] JSPWiki XSS vulnerability 11746 jspwiki-query-xss(18236) UploadFile.php in MoniWiki 1.0.9.2 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.hwp, which allows remote attackers to upload and execute arbitrary code. 20041215 STG Security Advisory: [SSA-20041215-15] Vulnerability of uploading files with multiple extensions in MoniWiki http://kldp.net/scm/cvsweb.php/moniwiki/plugin/UploadFile.php.diff?cvsroot=moniwiki&only_with_tag=HEAD&r1=text&tr1=1.17&r2=text&tr2=1.16&f=h 20041215 STG Security Advisory: [SSA-20041215-15] Vulnerability of uploading files with multiple extensions in MoniWiki 11951 moniwiki-file-upload(18493) Multiple buffer overflows in MDaemon 6.5.1 allow remote attackers to cause a denial of service (application crash) via a long (1) SAML, SOML, SEND, or MAIL command to the SMTP server or (2) LIST command to the IMAP server. 20040922 Remote buffer overflow in MDaemon IMAP and SMTP server 20040922 Remote buffer overflow in MDaemon IMAP and SMTP server 11238 http://www.securitylab.ru/48146.html mdaemon-imap-list-bo(17476) mdaemon-smtp-bo(17477) The file server in ActivePost Standard 3.1 and earlier allows remote authenticated users to cause a denial of service (application crash) via a long filename, possibly triggering a buffer overflow. http://aluigi.altervista.org/adv/actp-adv.txt 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 12642 1011406 11244 activepost-long-filename-dos(17482) Directory traversal vulnerability in the file server in ActivePost Standard 3.1 allows remote authenticated users to upload arbitrary files via a .. (dot dot) in the filename. http://aluigi.altervista.org/adv/actp-adv.txt 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 1011406 11244 activepost-dotdot-directory-traversal(17488) The conference menu in ActivePost Standard 3.1 sends passwords of password-protected rooms in cleartext, which could allow remote attackers to gain sensitive information by sniffing the network connection. http://aluigi.altervista.org/adv/actp-adv.txt 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 1011406 11244 activepost-plaintext-password(17486) Motorola Wireless Router WR850G running firmware 4.03 allows remote attackers to bypass authentication, log on as an administrator, and obtain sensitive information by repeatedly making an HTTP request for ver.asp until an administrator logs on. 20040923 Motorola Wireless Router WR850G Authentication Circumvention 20040924 Motorola Wireless Router WR850G Authentication Circumvention 11241 motorola-wr850g-gain-access(17474) Cross-site scripting (XSS) vulnerability in the (1) email or (2) file modules in paFileDB 3.1 Final allows remote attackers to execute arbitrary web script or HTML via the id parameter. 20040925 New XSS vulnerabilities in paFileDB 3.1 final pafiledb-pafiledb-xss(17504) SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp. 20040923 aspWebCalendar /aspWebAlbum: SQL injection 11246 23098 ADV-2007-1093 aspwebcalendar-sql-injection(17506) aspwebcalendar-calendar-sql-injection(33157) 3546 SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp. NOTE: it was later reported that vector 1 affects aspWebAlbum 3.2, and the vector involves the txtUserName parameter in a processlogin action to album.asp, as reachable from the login action. 20040923 aspWebCalendar /aspWebAlbum: SQL injection 11246 30996 aspwebalbum-sql-injection(17507) aspwebalbum-image-file-upload(44876) aspwebalbum-album-sql-injection(44877) 6357 6420 PHP remote file inclusion vulnerability in livre_include.php in @lex Guestbook allows remote attackers to execute arbitrary PHP code by modifying the chem_absolu parameter to reference a URL on a remote web server that contains the code. 20040926 @lex Guestbook (PHP) Include file http://packetstormsecurity.nl/0410-exploits/alexPHP.txt 1011432 11260 @lex-guestbook-file-include(17516) Multiple SQL injection vulnerabilities in BroadBoard Instant ASP Message Board allow remote attackers to run arbitrary SQL commands via the (1) keywords parameter to search.asp, (2) handle parameter to profile.asp, (3) txtUserHandle parameter to reg2.asp or (4) txtUserEmail parameter to forgot.asp. 20040926 SQL injection in BroadBoard Instant ASP Message Board 1011419 11250 broadboard-searchasp-sql-injection(17498) broadboard-profileasp-sql-injection(17500) broadboard-reg2asp-sql-injection(17501) broadboard-forgotasp-sql-injection(17502) MyWebServer 1.0.3 allows remote attackers to cause a denial of service (application crash) via a large number of connections within a short time. 20040927 MyWebServer 1.0.3 1011461 11254 mywebserver-mult-connections-dos(17519) MyWebServer 1.0.3 allows remote attackers to bypass authentication, modify configuration, and read arbitrary files via a direct HTTP request to (1) /admin or (2) ServerProperties.html. 20040927 MyWebServer 1.0.3 1011461 11254 mywebserver-admin-access(17520) Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request. http://dbeusee.home.comcast.net/history.html 20040927 [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS 1011426 20061020 vendor ACK for old YPOPs! issue http://www.hat-squad.com/en/000075.html 11256 ypops-pop3-bo(17515) ypops-smtp-bo(17518) Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php. 20040927 Multiple XSS Vulnerabilities in Wordpress 1.2 1011440 11268 wordpress-multiple-scripts-xss(17532) Microsoft SQL Server 7.0 allows remote attackers to cause a denial of service (mssqlserver service halt) via a long request to TCP port 1433, possibly triggering a buffer overflow. 20040928 MSSQL 7.0 DoS http://packetstormsecurity.nl/0410-exploits/mssql.7.0.dos.c 1011434 11265 mssql-data-buffer-dos(17542) Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers. http://aluigi.altervista.org/adv/iceexec-adv.txt 20040928 Code execution in Icecast 2.0.1 20041002 Re:2. Code execution in Icecast 2.0.1(exploit with shellcode) 1011439 http://www.securiteam.com/exploits/6X00315BFM.html 11271 icecast-http-bo(17538) SQL injection vulnerability in redir_url.php in w-Agora 4.1.6a allows remote attackers to execute arbitrary SQL commands via the key parameter. 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 11283 wagora-redirurl-sql-injection(17557) Multiple cross-site scripting (XSS) vulnerabilities in w-Agora 4.1.6a allow remote attackers to execute arbitrary web script or HTML via the (1) thread parameter to download_thread.php, (2) loginuser parameter to login.php, or (3) userid parameter to forgot_password.php. 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 11283 wagora-get-post-xss(17553) CRLF injection vulnerability in subscribe_thread.php in w-Agora 4.1.6a allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the thread parameter. 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 11283 wagora-response-splitting(17558) list.php in w-Agora 4.1.6a allows remote attackers to reveal the full path via a crafted HTTP request, possibly involving a malformed id parameter. 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 11283 Cross-site scripting (XSS) vulnerability in index.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to execute arbitrary web script or HTML via the module parameter. 20040930 Multiple Vulnerabilities in Silent Storm Portal 1011470 11284 silent-storm-xss(17554) profile.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to gain privileges by setting the mail parameter to 1, which is the value for an administrator. 20040930 Multiple Vulnerabilities in Silent Storm Portal 1011470 11284 silent-storm-gain-admin(17555) Directory traversal vulnerability in ParaChat Server 5.5 allows remote attackers to read arbitrary files via a ..%5C (hex-encoded dot dot) in the URL. 20040928 directory traversal in ParaChat Server 5.5 20040929 Re: directory traversal in ParaChat Server 5.5 20040929 directory traversal in ParaChat Server 5.5 20040930 Re: directory traversal in ParaChat Server 5.5 1011438 11272 parachat-directory-traversal(17541) Buffer overflow in (1) MusicConverter.exe, (2) playlist.exe, and (3) amp.exe in dBpowerAMP Audio Player 2.0 and dbPowerAmp Music Converter 10.0 allows remote attackers to cause a denial of service or execute arbitrary code via a .pls or .m3u playlist that contains long File1 (filename) fields. 20040930 dbPowerAmp Buffer Overflow And Dos Vulnerabilities http://www.gulftech.org/?node=research&article_id=00052-09272004 11266 dbpoweramp-player-filename-bo(17535) dbpoweramp-converter-filename-bo(17539) SQL injection vulnerability in bBlog 0.7.2 and 0.7.3 allows remote attackers to execute arbitrary SQL commands via the p parameter. 20041001 SQL Injection vulnerability in bBlog 0.7.3 11303 http://www.servers.co.nz/security/SCN200409-1.php bblog-array-sql-injection(17552) AJ-Fork 167 allows remote attackers to gain sensitive information via a direct request to (1) auto-acronyms.php, (2) auto-archive.php, (3) ount-article-views.php, (4) kses.php, (5) custom-quick-tags.php, (6) disable-all-comments.php, (7) easy-date-format.php, (8) enable-disable-comments.php, (9) filter-by-author.php, (10) format-switcher.php, (11) long-to-short.php, (12) prospective-posting.php, or (13) sort-by-xfield.php, which displays the full path in an error message. http://echo.or.id/adv/adv07-y3dips-2004.txt 20041001 Multiple Vulnerabilities in AJ-Fork aj-fork-path-disclosure(17568) AJ-Fork 167 does not restrict access to directories such as (1) data, (2) inc, (3) plugins, (4) skins, or (5) tools, which allows remote attackers to list files in those directories via a direct HTTP request. http://echo.or.id/adv/adv07-y3dips-2004.txt 20041001 Multiple Vulnerabilities in AJ-Fork 1011484 11301 af-fork-directory-disclosure(17569) The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, which allows local users to execute arbitrary PHP code and gain privileges as the administrator. http://echo.or.id/adv/adv07-y3dips-2004.txt 20041001 Multiple Vulnerabilities in AJ-Fork 1011484 11301 aj-fork-usersdbphp-write-access(17571) Buffer overflow in Vypress Messenger 3.5.1 and earlier allows remote attackers to execute arbitrary code via a message with a long first field. http://aluigi.altervista.org/adv/vymesbof-adv.txt 20041001 Broadcast buffer-overflow in Vypress Messenger 3.5.1 1011489 11310 vypress-visual-bo(17572) The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a denial of service (CPU consumption) via XML attributes in a crafted XML document. 20041002 Security advisory - Xerces-C++ 2.5.0: Attribute blowup 11312 xercescplusplus-xml-parser-dos(17575) Format string vulnerability in Judge Dredd: Dredd vs. Death 1.01 and earlier allows remote attackers to cause a denial of service (application crash) via format string specifiers in a chat message. 20041002 In-game format string in Judge Dredd vs. Death 1.01 judge-dredd-death-format-string(17579) index.php in PHP Links allows remote attackers to gain sensitive information via an invalid show parameter, which reveals the full path in an error message. 20041003 Full path disclosure in PHP Links phplinks-path-disclosure(17588) Cross-site scripting (XSS) vulnerability in index.php in Invision Power Board 2.0.0 allows remote attackers to execute arbitrary web script or HTML via the Referer field in the HTTP header. 20041005 [MAXPATROL Security Advisories] Cross site scripting in Invision Power Board 11332 invision-referer-header-xss(17604) index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive information via an HTTP request with an invalid cat_id parameter, which reveals the full path in a PHP error message. 20041006 Full path disclosure and sql injection on CubeCart 2.0.1 cubecart-catid-path-disclosure(17630) SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 20041006 Full path disclosure and sql injection on CubeCart 2.0.1 15278 11337 cubecart-catid-sql-injection(17632) BlackBoard 1.5.1 allows remote attackers to gain sensitive information via a direct request to (1) checkdb.inc.php, (2) admin.inc.php or (3) cp.inc.php, which reveals the path in a PHP error message. 20041006 Multiple vulnerabilities in BlackBoard blackboard-directory-traversal(17636) PHP remote file inclusion vulnerability in BlackBoard 1.5.1 allows remote attackers to execute arbitrary PHP code by modifying the libpath parameter (incorrectly called "libpach") to reference a URL on a remote web server that contains _more.php, as demonstrated using checkdb.inc.php. http://blackboard.unclassified.de/70,1#1031 20041006 Multiple vulnerabilities in BlackBoard 11336 blackboard-lang-file-include(17637) Directory traversal vulnerability in the FTP server in TriDComm 1.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in FTP commands such as (1) DIR, (2) GET, or (3) PUT. 20041006 Directory traversal in Tridcomm 1.3 11343 tridcomm-dotdot-directory-traversal(17631) CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter. 20041006 HTTP Response Splitting Vulnerability in Wordpress 1.2 http://wordpress.org/development/2004/10/wp-121/ GLSA-200410-12 11348 wordpress-response-splitting(17649) Flash Messaging 5.2.0g (rev 1.1.2) and earlier allows remote attackers to cause a denial of service (application crash) via certain wide characters. 20041007 Server crash in Flash Messaging 5.2.0g 1011569 11351 flash-messaging-dos(17647) Flash Messaging clients can ignore disconnecting commands such as "shutdown" from the Flash Messaging Server 5.2.0g (rev 1.1.2), which could allow remote attackers to stay connected. 20041007 Server crash in Flash Messaging 5.2.0g 1011569 Buffer overflow in Monolith games including (1) Alien versus Predator 2 1.0.9.6 and earlier, (2) Blood 2 2.1 and earlier, (3) No one lives forever 1.004 and earlier and (4) Shogo 2.2 and earlier allows remote attackers to cause a denial of service (application crash) via a long secure Gamespy query. 20041008 Limited \secure\ buffer-overflow in some old Monolith games 20041008 Limited \secure\ buffer-overflow in some old Monolith games 1011603 11354 avp2-long-query-bo(17665) blood2-long-query-bo(17668) nolf-long-query-bo(17669) shogo-long-query-bo(17670) SQL injection vulnerability in GoSmart Message Board allows remote attackers to execute arbitrary SQL code via the (1) QuestionNumber and Category parameters to Forum.asp or (2) Username and Password parameter to Login_Exec.asp. 20041011 [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board 11361 gosmart-forum-loginexec-sql-injection(17678) Cross-site scripting (XSS) vulnerability in GoSmart Message Board allows remote attackers to execute inject web script or HTML via the (1) Category parameter to Forum.asp or (2) MainMessageID parameter to ReplyToQuestion.asp. 20041011 [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board 11361 gosmart-forum-mainmessageid-xss(17679) Clientexec allows remote attackers to gain sensitive information via an HTTP request to phpinfo.php, which calls the phpinfo function. 20041012 Clientexec Billing Software clientexec-phpinfo-info-disclosure(17741) The web interface for Micronet Wireless Broadband Router SP916BM running firmware before 1.9 08/04/2004 resets the password to the default password when the router is shut off, which could allow remote attackers to gain access. 20041012 Micronet wireless broadband router SP916BM admin password reset when power off micronet-router-password-reset(17697) PHP remote file inclusion vulnerability in index.php in ocPortal 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the req_path parameter to reference a URL on a remote web server that contains a malicious funcs.php script. 20041012 [hackgen-2004-#002] - Remote file inclusion bug in ocPortal 1.0.3. http://www.hackgen.org/advisories/hackgen-2004-002.txt 11368 ocportal-reqpath-file-include(17699) Cross-site scripting (XSS) vulnerability in render.UserLayoutRootNode.uP in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via the utf parameter. 20041013 XXS in SCT email client 11392 sct-campus-userlayoutrootnode-xss(17704) Cross-site scripting (XSS) vulnerability in FuseTalk 4.0 allows remote attackers to execute arbitrary web script via an img src tag. 20041013 XXS in fusetalk forum 12823 fusetalk-imgsrc-xss(17701) Buffer overflow in ShixxNote 6.net build 117 allows remote attackers to execute arbitrary code via a long font field. 20041013 Buffer-overflow in ShixxNOTE 6.net 11409 shixxnote-font-bo(17705) The 3COM Wireless router 3CRADSL72 running Boot Code 1.3d allows remote attackers to gain sensitive information such as passwords and router settings via a direct HTTP request to app_sta.stm. 20041013 3COM Wireless router (3CRADSL72) information disclosure 20041015 Re: 3COM Wireless router (3CRADSL72) information disclosure 20041015 More details on BID 11408 (3com 3cradsl72 wireless router) 11408 3com-officeconnect-obtain-info(17723) RIM Blackberry 7230 running RIM Blackberry OS 3.7 SP1 allows remote attackers to cause a denial of service (device reboot and possibly data corruption) via a calendar message with a long Location field, which triggers a watchdog while the message is being stored. 20041012 [HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss 20041013 [HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss 20041014 [HV-MED] UPDATE: RIM Blackberry DoS, data loss http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/7925/8142/Known_%20Issues_-_HexView_advisory_on_BlackBerry_buffer_overflow,_DoS,_and_data_loss.html?nodeid=737173&vernum=0 http://www.hexview.com/docs/20041012-1.txt 11389 blackberry-calendar-bo(17700) Adobe Acrobat and Acrobat Reader 6.0 allow remote attackers to read arbitrary files via a PDF file that contains an embedded Shockwave (swf) file that references files outside of the temporary directory. 20041012 Adobe acrobat / Adobe Reader 6 can read local files 20041014 Re: Adobe acrobat / Adobe Reader 6 can read local files 20041015 Re: Adobe acrobat / Adobe Reader 6 can read local files 11386 adobe-acrobat-swf-read-files(17694) Cross-site scripting (XSS) vulnerability in index.php in CoolPHP 1.0-stable allows remote attackers to execute arbitrary web script or HTML via the (1) query or (2) nick parameters. 20041016 Multiple Vulnerabilities in CoolPHP 1011748 11437 coolphp-multiple-xss(17742) index.php in CoolPHP 1.0-stable allows remote attackers to gain sensitive information via an invalid op parameter, which reveals the path in an error message. 20041016 Multiple Vulnerabilities in CoolPHP 1011748 coolphp-path-disclosure(17744) Directory traversal vulnerability in index.php in CoolPHP 1.0-stable allows remote attackers to access arbitrary files and execute local PHP scripts via a .. (dot dot) in the op parameter. 20041016 Multiple Vulnerabilities in CoolPHP 1011748 11437 coolphp-dotdot-directory-traversal(17745) ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. 20041015 ProFTPD 1.2.x remote users enumeration bug http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02 1011687 11430 proftpd-info-disclosure(17724) cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled. 20041018 cPanel hardlink backup issue 20041018 cPanel hardlink chown issue 11449 11455 cpanel-backup-view-file(17779) cpanel-htaccess-modify-ownership(17780) cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled. 20041018 cPanel symlink chmod issue SalesLogix 6.1 allows remote attackers to bypass authentication by modifying the slxweb cookie to set user=Admin, teams=ADMIN!, and usertype=Administrator. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-cookie-admin-access(17749) slxweb.dll in SalesLogix 6.1 allows remote attackers to cause a denial service (application crash) via an invalid HTTP request, which might also leak sensitive information in the ErrorLogMsg cookie. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-info-disclosure(17750) slxweb.dll in SalesLogix 6.1 allows remote attackers to obtain sensitive information via a (1) Library or (2) Attachment request with an invalid file parameter, which reveals the path in an error message. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-filename-path-disclosure(17751) SQL injection vulnerability in SalesLogix 6.1 allows remote attackers to execute arbitrary SQL statements via the id parameter in a view operation. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-sql-injection(17752) SalesLogix 6.1 includes usernames, passwords, and other sensitive information in the headers of an HTTP response, which could allow remote attackers to gain access. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-obtain-passwords(17753) SalesLogix 6.1 uses client-specified pathnames for writing certain files, which might allow remote authenticated users to create arbitrary files and execute code via the (1) vMME.AttachmentPath or (2) vMME.LibraryPath variables. 20041018 Multiple vulnerabilities in Sage Saleslogix SalesLogix 6.1 does not verify if a user is authenticated before performing sensitive operations, which could allow remote attackers to (1) execute arbitrary SLX commands on the server or spoof the server via a man-in-the-middle (MITM) attack, or (2) obtain the database password via a GetConnection request to TCP port 1707. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-getconnection-account-disclosure(17754) Directory traversal vulnerability in SalesLogix 6.1 allows remote attackers to upload arbitrary files via a .. (dot dot) in a ProcessQueueFile request. 20041018 Multiple vulnerabilities in Sage Saleslogix 20041018 Multiple vulnerabilities in Sage Saleslogix 1011769 11450 saleslogix-processqueuefile-file-upload(17765) Mozilla allows remote attackers to cause a denial of service (application crash from null dereference or infinite loop) via a web page that contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a null character and some trailing characters, as demonstrated by mangleme. http://lcamtuf.coredump.cx/mangleme/gallery/ 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce 1011810 RHSA-2005:323 11439 mozilla-html-tags-dos(17805) oval:org.mitre.oval:def:10227 Mozilla allows remote attackers to cause a denial of service (application crash from invalid memory access) via an "unusual combination of visual elements," including several large MARQUEE tags with large height parameters, as demonstrated by mangleme. http://lcamtuf.coredump.cx/mangleme/gallery/ 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce 1011810 11440 Opera allows remote attackers to cause a denial of service (invalid memory reference and application crash) via a web page or HTML email that contains a TBODY tag with a large COL SPAN value, as demonstrated by mangleme. This was fixed in version 7.60. http://lcamtuf.coredump.cx/mangleme/gallery/ 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce 11441 opera-colspan-tbody-dos(17806) Links allows remote attackers to cause a denial of service (memory consumption) via a web page or HTML email that contains a table with a td element and a large rowspan value,as demonstrated by mangleme. http://lcamtuf.coredump.cx/mangleme/gallery/ 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce 1011808 11442 links-large-table-dos(17803) Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers to cause a denial of service (infinite loop) via a web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag with a large COLS value and (2) a large tag name in an element that is not terminated, as demonstrated by mangleme. NOTE: a followup suggests that the relevant trigger for this issue is the large COLS value. http://lcamtuf.coredump.cx/mangleme/gallery/ 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce 1011809 DSA-1076 DSA-1077 DSA-1085 20060602 Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities 11443 lynx-dos(17804) Vypress Tonecast 1.3 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed mp2 stream. http://aluigi.altervista.org/adv/toneboom-adv.txt 20041019 Broadcast crash in Vypress Tonecast 1.3 11462 vypress-tonecast-dos(17775) Buffer overflow in Privateer's Bounty: Age of Sail II allows remote attackers to execute arbitrary code via a long nickname. 20041020 Buffer-overflow in Age of Sail II 1.04.151 11479 age-of-sail-bo(17791) CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php. http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/comment.php?rev=1.49&view=markup http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/exit.php?rev=1.10&view=markup http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/index.php?rev=1.52&view=markup 20041021 HTTP Response Splitting in Serendipity 0.7-beta4 1011864 http://sourceforge.net/project/shownotes.php?release_id=276694 http://www.s9y.org/5.html 11497 serendipity-response-splitting(17798) ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature. 20041018 IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) 20041021 Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) 1011779 11458 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833 lotus-notes-xss(17758) SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allows remote attackers to execute arbitrary SQL statements via the Name parameter. 20041021 SQL Injection in UBB.threads 3.4.x 11502 ubbthreads-sql-injection(17821) The WAV file property handler in Windows XP SP1 allows remote attackers to cause a denial of service (infinite loop in Explorer) via a WAV file with an invalid file header whose fmt chunk length is set to 0xFFFFFFFF. 20041021 [HV-LOW] Unsafe WAV header handling can cause DoS on Windows 1011880 http://www.hexview.com/docs/20041021-1.txt 11503 windowsxp-explorer-wav-dos(17864) Carbon Copy 6.0.5257 does not drop system privileges when opening external programs through the help topic interface, which allows local users to gain privileges via (1) the help topic interface in CCW32.exe, which launches Notepad, or (2) the help button in the Carbon Copy Scheduler (CCSched.exe). 20041022 [Fwd: Altiris Carbon Copy Remote Control local SYSTEM exploitation.] 11500 carboncopy-help-gain-privileges(17838) pGina 1.7.6 and possibly older versions, when the Restart or Shutdown options are enabled on the login screen, allows remote attackers to cause a denial of service by connecting via Remote Desktop and clicking restart or shutdown. 20041022 Windows DoS in certain pGina configurations http://www.lovebug.org/pgina_dos.txt pgina-dos(17836) Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command. 20041022 Ability FTP Server 2.34 Buffer Overflow Exploit VU#857846 11508 abilityftpserver-stor-dos(17823) Buffer overflow in Ability Server 2.25, 2.32, 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long APPE command. [0day] 20041208 Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow - PnK:: DCN3T 1012464 11508 ability-appe-bo(18405) Format string vulnerability in log.c in rssh before 2.2.2 allows remote authenticated users to execute arbitrary code. 20041023 rssh: pizzacode security alert GLSA-200410-28 http://www.pizzashack.org/rssh/ rssh-format-string(17831) Multiple SQL injection vulnerabilities in Dwc_articles 1.6 and earlier allow remote attackers to execute arbitrary SQL statements. 20041023 dwc_articles possible sql injection 11509 dwc-articles-sql-injection(17830) Cross-site scripting (XSS) vulnerability in the login form in Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to execute arbitrary web script or HTML via the url parameter. 20041024 Two Vulnerabilities in OpenWFE Web Client 11514 openwfe-login-form-xss(17853) Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to conduct port scans of remote hosts by specifying the target in an rmi:// Worklist URL, then using the response times to infer the results. 20041024 Two Vulnerabilities in OpenWFE Web Client 11514 openwfe-rmi-obtain-information(17852) Cross-site scripting (XSS) vulnerability in wiki.php in MoniWiki 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the arguments to wiki.php. 20041025 STG Security Advisory: [SSA-20041022-08] MoniWiki XSS vulnerability 11516 moniwiki-wiki-xss(17835) process_bug.cgi in Bugzilla 2.9 through 2.18rc2 and 2.19 from CVS does not check edit permissions on the keywords field, which allows remote authenticated users to modify the keywords in a bug via the keywordaction parameter. 20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2 https://bugzilla.mozilla.org/show_bug.cgi?id=252638 bugzilla-bug-change(17840) show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, when using the insidergroup feature and exporting a bug to XML, shows comments and attachment summaries which are marked as private, which allows remote attackers to gain sensitive information. 20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2 11511 https://bugzilla.mozilla.org/show_bug.cgi?id=263780 bugzilla-xml-information-disclosure(17841) Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insidergroup feature, does not sufficiently protect private attachments when there are changes to the metadata, such as filename, description, MIME type, or review flags, which allows remote authenticated users to obtain sensitive information when (1) viewing the bug activity log or (2) receiving bug change notification mails. 20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2 11511 https://bugzilla.mozilla.org/show_bug.cgi?id=250605 https://bugzilla.mozilla.org/show_bug.cgi?id=253544 bugzila-metadata-information-disclosure(17842) Heap-based buffer overflow in the WvTFTPServer::new_connection function in wvtftpserver.cc for WvTftp 0.9 allows remote attackers to execute arbitrary code via a long option string in a TFTP packet. 20041026 wvtfpd remote root heap overflow 11525 wvtfpd-wvtftpservercc-bo(17869) The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections. 20041026 Hawking Technologies HAR11A router considered insecure 11543 har11a-gain-unauth-access(17877) Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command. 20041026 MailCarrier 2.51 SMTP server Buffer Overflow [PoC included] 11535 mailcarrier-ehlo-helo-bo(17861) Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 allows remote attackers to cause a denial of service (application crash or memory consumption) via a large binary file with a .html extension. 20041026 Rendering large binary file as HTML makes Mozilla Firefox stop responding or crash 20041026 Rendering large binary file as HTML makes Mozilla Firefox stop responding mozilla-html-dos(17839) Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 0.94 and 1.0 allow remote attackers to execute arbitrary web script and HTML via the (1) terme parameter to search.php or (2) letter parameter to letter.php. http://cyruxnet.org/modulo_dic_xoops.htm 20040828 Cross Site Scripting in XOOPS Version 2.x Dictionary module 11064 xoops-dictionary-search-xss(17152) xoops-dictionary-letter-xss(17154) Heap-based buffer overflow in Titan FTP 3.21 and earlier allows remote attackers to cause a denial of service (crash) via a long FTP command such as (1) CWD, (2) STAT, or (3) LIST. 20040829 [vulnwatch] Titan FTP Server Long Command Heap Overflow Vulnerability 11069 titan-long-command-bo(17172) WFTPD Pro Server 3.21 allows remote authenticated users to cause a denial of service (crash) via a series of long MLIST commands. 20040829 [vulnwatch] WFTPD Pro Server 3.21 MLST Command Denial of Service Vulnerability 11067 wftpd-mlst-command-dos(17169) WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a "../" sequence. 20040829 [vulnwatch] WS_FTP Server Denial of Service Vulnerability 11065 wsftp-file-parsing-dos(17155) Xedus 1.0 allows remote attackers to cause a denial of service (refuse connections) by connecting multiple times from the same IP address. 20040830 Multiple Vulnerabilities In Xedus Webserver http://www.gulftech.org/?node=research&article_id=00047-08302004 11071 xedus-mult-connection-dos(17165) Cross-site scripting (XSS) vulnerability in Xedus 1.0 allows remote attackers to execute arbitrary web script or HTML via the (1) username parameter to test.x, (2) username parameter to TestServer.x, or (3) param parameter to testgetrequest.x. 20040830 Multiple Vulnerabilities In Xedus Webserver http://www.gulftech.org/?node=research&article_id=00047-08302004 11071 xedus-test-xss(17166) Directory traversal vulnerability in Xedus 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. 20040830 Multiple Vulnerabilities In Xedus Webserver http://www.gulftech.org/?node=research&article_id=00047-08302004 11071 xedus-dotdot-directory-traversal(17167) SQL injection vulnerability in Password Protect allows remote attackers to execute arbitrary SQL statements and bypass authentication via (1) admin or Pass parameter to index_next.asp, (2) LoginId, OPass, or NPass to CPassChangePassword.asp, (3) users_edit.asp, or (4) users_add.asp. 20040830 Password Protect XSS and SQL-Injection vulnerabilities. http://www.criolabs.net/advisories/passprotect.txt 11073 password-protect-sql-injection(17188) Cross-site scripting (XSS) vulnerability in (1) index.asp, (2) ChangePassword.asp, (3) users_list.asp, (4) and users_add.asp in Password Protect allows remote attackers to inject arbitrary web script or HTML via the ShowMsg parameter. 20040830 Password Protect XSS and SQL-Injection vulnerabilities. http://www.criolabs.net/advisories/passprotect.txt 11073 password-protect-showmsg-xss(17187) Buffer overflow in Microsoft Msinfo32.exe might allow local users to execute arbitrary code via a long filename in the msinfo_file command line parameter. NOTE: this issue might not cross security boundaries, so it may be REJECTED in the future. 20040830 MSInfo Buffer Overflow 20040831 MSInfo Buffer Overflow 20040830 MSInfo Buffer Overflow msinfo-msinfofile-bo(17153) D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet. 20040831 D-Link DCS-900 IP camera remote exploit that change the IP 1011100 11072 dlink-dcs900-ip-modification(17171) Multiple cross-site scripting (XSS) vulnerabilities in the registration page in phpScheduleIt 1.0.0 RC1 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Lastname fields during new user registration, or (3) the Schedule Name field. 20040917 Re: Multiple Vulnerabilities in phpScheduleIt 20040831 Multiple Vulnerabilities in phpScheduleIt 1011127 11080 phpscheduleit-xss(17193) phpscheduleit-script-injection(17194) phpScheduleIt 1.0.0 RC1 does not clear administrative privileges if the administrator logs in as a normal user, which allows users with physical access to gain administrative privileges. 20040831 Multiple Vulnerabilities in phpScheduleIt phpscheduleit-gain-privileges(17195) The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS. 20040831 SSHD / AnonCVS Nastyness 1011143 openssh-port-bounce(17213) SQL injection vulnerability in the calendar module in phpWebsite 0.9.3-4 and earlier allows remote attackers to execute arbitrary SQL commands via cal_template. 20040901 Multiple Vulnerabilities In phpWebsite http://www.gulftech.org/?node=research&article_id=00048-08312004 http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822 11088 phpwebsite-calendar-module-sql-injection(17199) Cross-site scripting (XSS) vulnerability in phpWebsite 0.9.3-4 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) CM_pid parameter in the comments module or (2) the subject or message fields in the notes module. 20040901 Multiple Vulnerabilities In phpWebsite 1011120 http://www.gulftech.org/?node=research&article_id=00048-08312004 http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822 11088 phpwebsite-comments-module-xss(17202) phpwebsite-notes-script-injection(17203) CRLF injection vulnerability in Comersus Shopping Cart 5.0991 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the redirecturl parameter. 20040901 ADVISORY: http response splitting hole in Comersus shopping cart 11083 comersus-cart-response-splitting(17201) Cross-site scripting (XSS) vulnerability in the Activity and Events Viewer for Newtelligence DasBlog allows remote attackers to inject arbitrary web script or HTML via the (1) User Agent or (2) Referrer HTTP headers. 20040901 Cross-Site Scripting Vulnerability in Newtelligence DasBlog http://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb09-4f09-8d53-f0b97f11b198 11086 dasblog-useragent-referer-xss(17174) Kerio Personal Firewall 4.0 (KPF4) allows local users with administrative privileges to bypass the Application Security feature and execute arbitrary processes by directly writing to \device\physicalmemory to restore the running kernel's SDT ServiceTable. 20040902 Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration http://www.security.org.sg/vuln/kerio4016.html 11096 kerio-pf-protection-dos(17270) Cross-site scripting (XSS) vulnerability in index.php in CuteNews 1.3.6 and earlier allows remote attackers with Administrator, Editor, Journalist or Commenter privileges to inject arbitrary web script or HTML via the mod parameter. 20040902 [hackgen-2004-#001] - Non-critacal Cross-Site Scripting bug in CuteNews 11097 cutenews-mod-xss(17214) PHP remote file inclusion vulnerability in CuteNews 1.3.6 and earlier allows remote attackers to execute arbitrary PHP code via the cutepath parameter to (1) show_archives.php or (2) show_news.php. 20040830 RE: CuteNews News.txt writable to world http://www.7a69ezine.org/node/view/130 cutenews-file-include(17288) MailWorks Professional allows remote attackers to bypass authentication and gain privileges via a cookie that contains "auth=1" and "uId=1." 20040902 MailWorks Professional - Authentication bypass 11095 mailworks-cookie-admin-access(17217) YaBB SE 1.5.1 allows remote attackers to obtain sensitive information via a direct HTTP request to Admin.php, which reveals the full path in a PHP error message. http://echo.or.id/adv/adv05-y3dips-2004.txt 20040904 FUll Path Disclosure in YABBSE yabb-admin-path-disclosure(17267) Engenio/LSI Logic storage controllers, as used in products such as Storagetek D280, and IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches, allow remote attackers to cause a denial of service (freeze and possible data corruption) via crafted TCP packets. 20040904 Engenio/LSI Logic controllers denial of service/data corruption 11108 engenio-controller-tcp-dos(17290) Call of Duty 1.4 and earlier allows remote attackers to cause a denial of service (game end) via a large (1) query or (2) reply packet, which is not properly handled by the buffer overflow protection mechanism. NOTE: this issue might overlap CVE-2005-0430. 20040905 Broadcast shutdown in Call of Duty 1.4 11119 callofduty-dos(17286) Cross-site scripting (XSS) vulnerability in index.php in PsNews 1.1 allows remote attackers to inject arbitrary web script or HTML via the no parameter. 20040905 Bug XSS in PsNews 1.1 1011191 11124 psnews-xss(17302) Buffer overflow in the MSN module in Trillian 0.74i allows remote MSN servers to execute arbitrary code via a long string that ends in a newline character. 20040908 Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit http://unsecure.altervista.org/security/trillian.htm 11142 trillian-msn-bo(17292) Off-by-one error in Halo Combat Evolved 1.04 and earlier allows remote attackers to cause a denial of service (server crash) via a long client response. http://aluigi.altervista.org/adv/haloboom-adv.txt 20040909 Off-by-one bug in Halo 1.04 http://www.bungie.net/News/Story.aspx?link=hpc105 11147 halo-response-offbyone-bo(17310) Multiple SQL injection vulnerabilities in index.php in Subjects 2.0 Postnuke module allow remote attackers to execute arbitrary SQL commands via the (1) pageid, (2) subid, or (3) catid parameters. 20040910 SQL-Injection in Subjects 2.0 for Postnuke 11148 subjects-indexphp-sql-injection(17311) Cross-site scripting (XSS) vulnerability in MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to execute arbitrary web script or HTML via the (1) User name parameter to accountsettings.html or (2) Search string parameter to search.html. 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 11371 merak-icewarp-xss(17313) Multiple directory traversal vulnerabilities Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7, and possibly other versions, allow remote attackers to (1) create arbitrary directories via a .. (dot dot) in the user parameter to viewaction.html or (2) rename arbitrary files via a ....// (doubled dot dot) in the folderold or folder parameters to folders.html. 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 11371 merak-icewarp-create-directory(17314) Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive information via a direct request to (1) accountsettings_add.html or (2) topmenu.html. 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 11371 merak-icewarp-path-disclosure(17315) attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to view other users' attachments by specifying the username and message ID in an HTTP request. 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 11371 merak-icewarp-view-attachment(17316) accountsettings_add.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allow remote attackers to create text files with arbitrary content via the accountid parameter. 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 11371 merak-icewarp-create-file(17317) viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to (1) delete arbitrary files via the originalfolder parameter or (2) move arbitrary files via the messageid parameter. 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 11371 merak-icewarp-file-deletion(17976) Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX. 20040911 Serv-U up to 5.2 Denial of Service 11155 servu-stou-dos(17329) Heap-based buffer overflow in the image sending feature in Gadu-Gadu 6.0 build 149 allows remote attackers to execute arbitrary code via a crafted GG_MSG_IMAGE_REPLY message. 20040912 Gadu-Gadu (all versions with image-send feature) Heap Overflow 11158 gadu-gadu-image-bo(17324) pdesk.cgi in PerlDesk allows remote attackers to gain sensitive information via an invalid lang parameter, which includes pathname information in an error message. 20040912 Posible Inclusion File in Perl Desk perldesk-lang-file-include(17343) Directory traversal vulnerability in pdesk.cgi in PerlDesk allows remote attackers to read portions of arbitrary files and possibly execute arbitrary Perl modules via ".." sequences terminated by a %00 (null) character in the lang parameter, which can leak portions of the requested files if a compilation error message occurs. 20040912 Posible Inclusion File in Perl Desk 11160 perldesk-directory-traversal(19712) Directory traversal vulnerability in TwinFTP 1.0.3 R2 allows remote attackers to create arbitrary files via a .../ (triple dot) in the (1) CWD, (2) STOR, or (3) RETR commands. 20040913 Directory Traversal Vulnerability in TwinFTP Server allows overwriting of files outside FTP directory http://www.security.org.sg/vuln/twinftp103r2.html 11159 twinftp-argument-directory-traversal(17323) application.cgi in the Pingtel Xpressa handset running firmware 2.1.11.24 allows remote authenticated users to cause a denial of service (VxWorks OS crash) via a long HTTP GET request, possibly triggering a buffer overflow. A091304-2 11161 xpressa-applicationcgi-dos(17346) Multiple buffer overflows in (1) phrelay-cfg, (2) phlocale, (3) pkg-installer, or (4) input-cfg in QNX Photon microGUI for QNX RTP 6.1 allow local users to gain privileges via a long -s (server) command line parameter. 20040913 [RLSA_02-2004] QNX Photon multiple buffer overflows http://www.rfdslabs.com.br/qnx-advs-03-2004.txt 11164 qnx-rtp-photon-bo(17339) Format string vulnerability in QNX 6.1 FTP client allows remote authenticated users to gain group bin privileges via format string specifiers in the QUOTE command. 20040913 [RLSA_03-2004] QNX ftp client format string bug http://www.rfdslabs.com.br/qnx-advs-04-2004.txt qnx-ftp-quote-format-string(17347) A race condition in crrtrap for QNX RTP 6.1 allows local users to gain privileges by modifying the PATH environment variable to reference a malicious io-graphics program before is executed by crrtrap. 20040913 [RLSA_04-2004] QNX crrtrap possible race condition vulnerability 11165 qnx-rtp-crttrap-race-condition(17345) Zyxel P681 running ZyNOS Vt020225a contains portions of memory in an ARP request, which allows remote attackers to obtain sensitive information by sniffing the network. 20040913 Zyxel Prestige 681 SDSL router information leak 11167 prestige-information-disclosure(17372) SMC routers SMC7004VWBR running firmware 1.00.014 and SMC7008ABR EU running firmware 1.42.003 allow remote attackers to bypass authentication by connecting to it from the same IP address as the administrator who is logged in, then accessing the setup_status.htm or status.HTM pages. 20040915 SMC7004VWBR / SMC7008ABR "spoofing" vulnerability. 11197 smc-router-security-bypass(17443) Internet Explorer 6.0 in Windows XP SP2 allows remote attackers to bypass the Information Bar prompt for ActiveX and Javascript via an XHTML page that contains an Internet Explorer formatted comment between the DOCTYPE tag and the HTML tag, as demonstrated using the DesignScience MathPlayer ActiveX plugin. 20040915 IE6 + XP SP2 Vulnerability 11200 ie-information-bar-bypass(20617) CRLF injection vulnerability in down.asp for Snitz Forums 2000 3.4.04 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the location parameter. http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=54791 20040916 ADVISORY: security hole (http response splitting) in snitz forums 11201 snitz-response-splitting(17421) Pigeon Server 3.02.0143 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a long login name sent to port 3103. 20040916 Freeze in Pigeon Server 3.02.0143 20040916 Freeze in Pigeon Server 3.02.0143 11203 pigeon-server-dos(17427) sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with root privileges, which allows local users to read arbitrary files via a symlink attack on the temporary file before quitting sudoedit. 20040916 [sudo-announce] Sudo version 1.6.8p1 now available (fwd) http://packetstormsecurity.nl/0409-exploits/sudoedit.txt O-219 VU#424358 11204 http://www.sudo.ws/sudo/alerts/sudoedit.html sudo-sudoedit-view-files(17424) Cross-site scripting (XSS) vulnerability in the Web Server in DNS4Me 3.0.0.4 allows remote attackers to execute arbitrary web script or HTML via the URL. 20040918 RhinoSoft DNS4ME HTTP Server Vulnerabilities 1011334 http://www.gulftech.org/?node=research&article_id=00049-09162004 11213 dns4me-xss(17425) The Web Server in DNS4Me 3.0.0.4 allows remote attackers to cause a denial of service (CPU consumption and crash) via a large amount of data. 20040918 RhinoSoft DNS4ME HTTP Server Vulnerabilities 1011334 http://www.gulftech.org/?node=research&article_id=00049-09162004 11213 dns4me-dos(17426) Cross-site scripting (XSS) vulnerability in index.php in Mambo 4.5 (1.0.9) allows remote attackers to inject arbitrary web script or HTML via the (1) Itemid, (2) mosmsg, or (3) limit parameters. http://mamboforge.net/frs/shownotes.php?release_id=1672 20040918 Vulnerabilities in TUTOS 11220 mambo-multiple-xss(20616) PHP remote file inclusion vulnerability in Function.php in Mambo 4.5 (1.0.9) allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code. 20040918 Vulnerabilities in TUTOS 1011365 11220 mambo-cachelibrary-execute-code(17449) Symantec ON Command CCM 5.4.x and iCommand 3.0.x has four default usernames and passwords, one of which is hardcoded, which allows remote attackers to gain unauthorized access. 20040920 Default username/password pairs in ON Command CCM 5.x database http://www.sarc.com/avcenter/security/Content/2004.09.29.html 11225 oncommand-multiple-default-accounts(17447) EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to bypass authentication for the remote administration feature via a URL that contains an extra leading / (slash). 20040921 Multiple Vulnerabilities In EmuLive Server4 http://www.gulftech.org/?node=research&article_id=00051-09202004 11226 emuliveserver4-url-gain-access(17450) EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to cause a denial of service (application crash) via a sequence of carriage returns sent to TCP port 66. 20040921 Multiple Vulnerabilities In EmuLive Server4 http://www.gulftech.org/?node=research&article_id=00051-09202004 11226 emulive-tcp-port-dos(17451) The "Forgot your Password" link in Computer Associates (CA) Unicenter Management Portal 2.0 and 3.1 displays different error messages for users that exist and users that do not exist, which could allow remote attackers to guess valid usernames. 20040921 CA UniCenter Management Portal Username Enumeration Vulnerability 11229 unicenter-management-username-bruteforce(17464) The Base64 function in PopMessenger 1.60 (before 20 Sep 2004) and earlier allows remote attackers to cause a denial of service (application crash) via invalid characters in a message, which causes several alert dialogs to be displayed and leads to a crash. 20040921 Broadcast crash in Popmessenger 1.60 (before 20 Sep 2004) 11230 popmessenger-base64-dos(17465) SettingsBase.php in Pinnacle ShowCenter 1.51 allows remote attackers to cause a denial of service (web interface errors) via an invalid Skin parameter. 20040921 Pinnacle ShowCenter Skin Denial of Service 20040922 Pinnacle ShowCenter 1.51 possible DoS 11232 pinnacle-showcenter-dos(17463) Cross-site scripting (XSS) vulnerability in SettingsBase.php in Pinnacle ShowCenter 1.51 build 121 allows remote attackers to inject arbitrary HTML or web script via the Skin parameter, which is echoed in an error message. 11415 pinnacle-showcenter-xss(17708) Heap-based buffer overflow in the AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 allows remote attackers to execute arbitrary code via a long SAUTH command during RSA authentication. 20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruption 20050219 cfengine rsa heap remote exploit: part of PTjob project GLSA-200408-08 http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10 10899 cfengine-cfservd-command-execution(16935) The AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 does not properly check the return value of the ReceiveTransaction function, which leads to a failed malloc call and triggers to a null dereference, which allows remote attackers to cause a denial of service (crash). 20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruption GLSA-200408-08 http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10 10900 cfengine-cfservd-dos(16937) Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag. 20040729 Fusion News Yet Another Unauthorized Account Addition Vulnerability 1010829 10836 fusion-news-add-account(16853) WpQuiz 2.60b1 through 2.60b8 allows remote attackers to gain privileges via a direct request to adminrestore.php in the extras directory. 20040730 WpQuiz Gain Admin Rightd Exploit found wpquiz-extra-gain-access(16848) Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers to cause a denial of service via a long username. 20040731 Citadel/UX Remote DoS Vulnerability 20040731 Re: Citadel/UX Remote DoS Vulnerability 1010809 http://www.nosystem.com.ar/advisories/advisory-04.txt 10833 citadel-user-dos(16840) The U.S. Robotics USR808054 wireless access point allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via an HTTP GET request with a long version string. 20040802 7a69Adv#13 - USRobotics AP Wireless Denial of Service 10840 usrobotics-wireless-get-bo(16860) The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix systems, use a default path to find and execute library files while operating at raised privileges, which allows certain Oracle user accounts to gain root privileges via a modified libclntsh.so.9.0. 20040802 OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform) 10829 oracle-libraries-gain-privileges(16839) Webbsyte Chat 0.9.0 allows remote attackers to cause a denial of service (crash) via a large number of connections. 20040803 DoS in Webbsyte Chat 0.9.0 10842 webbsyte-chat-dos(16852) Datakey Rainbow iKey2032 USB token, when using the CIP client package, does not encrypt communications between the token and the driver, which could allow local users to obtain the PINs of other users. 20040804 Clear text password exposure in Datakey's tokens and smartcards datakey-plaintext-pin(16887) page.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the url parameter. 20040806 Remote Command Execution pagecgi-url-command-execution(19713) Cross-site scripting (XSS) vulnerability in post.php in Moodle before 1.3 allows remote attackers to inject arbitrary web script or HTML via the reply parameter. 20040806 xss in moodle (post.php) 10884 moodle-post-xss(16924) Cross-site scripting (XSS) vulnerability in TypePad allows remote attackers to inject arbitrary Javascript via the name parameter. 20040806 Type xxs typepad-name-xss(19664) Unknown vulnerability in HP Process Resource Manager (PRM) C.02.01[.01] and earlier, as used by HP-UX Workload Manager (WLM), allows local users to corrupt data files. SSRT4785 10907 hp-prm-wlm-file-corruption(16928) BlackICE PC Protection and Server Protection installs (1) firewall.ini, (2) blackice.ini, (3) sigs.ini and (4) protect.ini with Everyone Full Control permissions, which allows local users to cause a denial of service (crash) or modify configuration, as demonstrated by modifying firewall.ini to contain a large firewall rule. 20040811 ISS BlackIce Server Protect Unprivileged User Attack 20040811 BlackICE unprivileged local user attack 10915 blackice-firewall-dos(16959) Directory traversal vulnerability in MIMEsweeper for Web before 5.0.4 allows remote attackers or local users to read arbitrary files via "..\\", "..\", and similar dot dot sequences in the URL. This was fixed in MIMEsweeper for Web v5.0.4. 20040811 Clearswift Mimesweeper Path Traversal Vulnerability 20040811 Re: Clearswift Mimesweeper Path Traversal Vulnerability http://packetstormsecurity.nl/0408-exploits/clearswift.txt 10918 mimesweeper-directory-traversal(16960) Cross-site scripting (XSS) vulnerability in PForum before 1.26 allows remote attackers to inject arbitrary web script or HTML via the (1) IRC Server or (2) AIM ID fields in the user profile. 20040814 pscript.de PFORUM XSS Vulnerability VU#674542 10954 pforum-irc-aim-xss(17003) Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allow remote attackers to execute arbitrary code via a Postscript file with a long (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value. 20040816 gv buffer overflows: here, there, and everywhere 10944 gv-psscan-header-bo(17019) The ZwOpenSection function in Integrity Protection Driver (IPD) 1.4 and earlier allows local users to cause a denial of service (crash) via an invalid pointer in the "oa" argument. 20040817 [NGSEC-2004-6] IPD, local system denial of service. http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt 10965 ipd-oa-pointer-dos(17010) Multiple cross-site scripting (XSS) vulnerabilities in Merak Webmail Server 5.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) cserver, (3) ext, (4) global, (5) showgroups, (6) or showlite parameters to address.html, or the (7) spage or (8) autoresponder parameters to settings.html, the (9) folder parameter to readmail.html, or the (10) attachmentpage_text_error parameter to attachment.html, (11) folder, (12) ct, or (13) cv parameters to calendar.html, (14) an <img> tag, or (15) the subject of an e-mail message. 20040817 Vulnerabilities in Merak Webmail Server http://packetstormsecurity.nl/0408-exploits/merak527.txt 1010969 10966 merak-xss(17024) The (1) address.html and possibly (2) calendar.html pages in Merak Mail Server 5.2.7 allow remote attackers to gain sensitive information via an invalid HTTP request, which reveals the installation path. NOTE: it is unclear whether the calendar.html is an exposure, since the path is leaked in web logs that may only be available to the administrators, who would have access to the path through legitimate means. 20040817 Vulnerabilities in Merak Webmail Server http://packetstormsecurity.nl/0408-exploits/merak527.txt 1010969 10966 merak-address-calendar-path-disclosure(17027) The (1) function.php or (2) function.view.php scripts in Merak Mail Server 5.2.7 allow remote attackers to read arbitrary PHP files via a direct HTTP request to port 32000. 20040817 Vulnerabilities in Merak Webmail Server http://packetstormsecurity.nl/0408-exploits/merak527.txt 1010969 10966 merak-view-php-files(17029) SQL injection vulnerability in calendar.html in Merak Mail Server 5.2.7 allows remote attackers to execute arbitrary SQL statements via the schedule parameter. 20040817 Vulnerabilities in Merak Webmail Server http://packetstormsecurity.nl/0408-exploits/merak527.txt 1010969 10966 merak-calendarhtml-sql-injection(17022) The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message. 20040818 Multiple vulnerabilities in PHP-FUSION phpfusion-path-disclosure(17036) The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password. 20040818 Multiple vulnerabilities in PHP-FUSION 10974 phpfusion-database-file-access(17037) Stack-based buffer overflow in xvbmp.c in XV allows remote attackers to execute arbitrary code via a crafted image file. 20040820 XV multiple buffer overflows, exploit included 10985 xv-image-bo(17053) Multiple integer overflows in (1) xviris.c, (2) xvpcx.c, and (3) xvpm.c in XV allow remote attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. 20040820 XV multiple buffer overflows, exploit included 10985 xv-image-bo(17053) BadBlue 2.5 allows remote attackers to cause a denial of service (refuse HTTP connections) via a large number of connections from the same IP address. 20040820 BadBlue Webserver v2.5 Denial Of Service Vulnerability http://www.gulftech.org/?node=research&article_id=00043-08202004 10983 badblue-mult-connection-dos(17064) Buffer overflow in British National Corpus SARA (sarad) allows remote attackers to execute arbitrary code by calling the client with a long string. 20040820 Buffer overflow in sarad 10984 sara-server-bo(17060) Cross-site scripting (XSS) vulnerability in Nihuo Web Log Analyzer 1.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header. 20040820 Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer 10988 nihuo-http-get-xss(17055) Cross-site scripting (XSS) vulnerability in Mantis bugtracker allows remote attackers to inject arbitrary web script or HTML via (1) the return parameter to login_page.php, (2) e-mail field in signup.php, (3) action parameter to login_select_proj_page.php, or (4) hide_status parameter to view_all_set.php. 20040820 Multiple Vulnerabilities in Mantis Bugtracker 10994 mantis-loginpage-xss(17066) mantis-signup-xss(17069) mantis-loginselectprojpage-xss(17070) mantis-viewallset-xss(17072) signup_page.php in Mantis bugtracker allows remote attackers to send e-mail bombs by creating multiple users and providing the same e-mail address. 20040820 Multiple Vulnerabilities in Mantis Bugtracker 10995 mantis-improper-account-validation(17093) SQL injection vulnerability in out.ViewFolder.php in MyDMS before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the folderid parameter. This was fixed in version 1.4.2. 20040820 Multiple vulnerabilities in MyDMS 10996 mydms-folderld-sql-injection(17054) Directory traversal vulnerability in MyDMS 1.4.2 and other versions allows remote registered users to read arbitrary files via .. (dot dot) sequences in the URL. 20040820 Multiple vulnerabilities in MyDMS 10996 mydms-dotdot-file-download(17058) PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remote attackers to execute arbitrary PHP code by modifying the (1) t_core_path parameter to bug_api.php or (2) t_core_dir parameter to relationship_api.php to reference a URL on a remote web server that contains the code. 20040820 Mantis Bugtracker Remote PHP Code Execution Vulnerability 10993 mantis-php-file-include(17065) Cross-site scripting (XSS) vulnerability in the create list option in Sympa 4.1.x and earlier allows remote authenticated users to inject arbitrary web script or HTML via the description field. 20040820 Cross Site Scripting Vulnerability in Sympa 10992 sympa-description-xss(17057) Cacti 0.8.5a allows remote attackers to gain sensitive information via an HTTP request to (1) auth.php, (2) auth_login.php, (3) auth_changepassword.php, and possibly other php files, which reveal the installation path in a PHP error message. 20040816 SQL Injection in CACTI 20040816 SQL Injection in CACTI cacti-error-path-disclosure(17014) SQL injection vulnerability in auth_login.php in Cacti 0.8.5a allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username or (2) password parameters. 20040816 SQL Injection in CACTI 20040816 SQL Injection in CACTI GLSA-200408-21 10960 cacti-authlogin-sql-injection(17011) Cross-site scripting (XSS) vulnerability in page.php in JShop allows remote attackers to inject arbitrary web script or HTML via the xPage parameter. http://indohack.sourceforge.net/drponidi/jshop-vuln.txt 20040823 JShop Input Validation Hole in 'page.php' Permits Cross-Site 1011020 jshop-page-xpage-xss(17075) Bird Chat 1.61 allows remote attackers to cause a denial of service (crash) via invalid users. This has been fixed in version 1.61 Security Release. 20040823 DoS in Bird Chat 1.61 http://www.autistici.org/fdonato/advisory/BirdChat1.61-adv.txt 11010 bird-chat-dos(17080) Music daemon (musicd) 0.0.3 and earlier allows remote attackers to read arbitrary files by calling LOAD with a full pathname, then calling SHOWLIST. 20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit http://musicdaemon.sourceforge.net/ 11006 musicd-commands-view-files(17067) Music daemon (musicd) 0.0.3 and earlier allows remote attackers to cause a denial of service (crash) by calling LOAD with a binary file as an argument, then calling SHOWLIST. 20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit http://musicdaemon.sourceforge.net/ 1011025 11006 musicd-load-showlist-dos(17068) Directory traversal vulnerability in WebAPP 0.9.9 allows remote attackers to view arbitrary files via a .. (dot dot) in the viewcat parameter. http://cornerstone.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=updates&id=1 20040824 WebAPP directory traversal and ability to retrieve the DES encrypted password hash 11028 webapp-dotdot-directory-traversal(17100) Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to view arbitrary files via an HTTP request for the disk_c virtual folder. 20040824 Easy File Sharing Webserver v1.25 Vulnerabilities 1011045 http://www.gulftech.org/?node=research&article_id=00045-08242004 11034 easyfilesharing-obtain-info(17109) Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to cause a denial of service (CPU consumption or crash) via many large HTTP requests. 20040824 Easy File Sharing Webserver v1.25 Vulnerabilities 1011045 http://www.gulftech.org/?node=research&article_id=00045-08242004 11036 easyfilesharing-http-request-dos(17110) Buffer overflow in Painkiller 1.3.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password. 20040824 Limited buffer overflow in Painkiller 1.31 11029 painkiller-long-password-bo(17101) Cross-site scripting (XSS) vulnerability in index.php in PHP Code Snippet Library allows remote attackers to inject arbitrary web script or HTML via the (1) cat_select or (2) show parameters. 20040824 PHP Code Snippet Library Multiple Cross-Site Scripting (XSS) 11038 snippet-index-xss(17108) Cross-site scripting (XSS) vulnerability in NetworkEverywhere NR041 running firmware 1.2 Release 03 allows remote attackers to inject arbitrary web script or HTML via the DHCP HOSTNAME option. 20040825 bug found 11046 network-everywhere-dhcp-gain-access(17120) NtRegmon before 6.12 allows local users to cause a denial of service (crash), while NtRegmon is running, via invalid pointers to hook functions such as ZwSetQueryValue. 20040825 [NGSEC-2004-7] NtRegmon, local system denial of service. http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt 11042 ntregmon-registry-dos(17106) Attack Mitigator IPS 5500 3.11.008, and possibly other versions, when configured in a one-armed routing configuration, allows remote attackers to cause a denial of service (CPU consumption) via a large number of HTTP requests. 20040825 IRM 010: Top Layer Attack Mitigator IPS 5500 Denial of Service 11049 am-ips5500-http-dos(17125) RealVNC 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900. 20040825 RealVNC 4.0 DoS 11048 realvnc-multiple-connections-dos(17123) Ground Control II: Operation Exodus 1.0.0.7 and earlier allows remote servers to cause a denial of service (client or server crash) via a large packet, which generates a "Message too long" socket error that is treated as a critical error. http://aluigi.altervista.org/adv/gc2boom-adv.txt 20040826 Broadcast forced exit in Ground Control II 1.0.0.7 1011075 11058 ground-control-dos(17130) Stack-based buffer overflow in Gaucho 1.4 Build 145 allows remote attackers to execute arbitrary code via a POP3 email with a long Content-Type header. 20040826 Gaucho v1.4 Build 145 Buffer Overflow 1011032 http://www.security.org.sg/vuln/gaucho140.html 11023 gaucho-pop3-bo(17090) The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs. http://bugzilla.mozilla.org/show_bug.cgi?id=162134 20040826 Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State) 20040827 Re: Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State) 20040827 Re: Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State) 11059 netscape-java-tab-spoofing(17137) The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records. 20040615 Symantec Enterprise Firewall DNSD cache poisoning Vulnerability http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html 10557 The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier, when using 2-way SSL and multiple certificates to connect to the same URL, may use the incorrect identity after the first connection, which could allow users to gain privileges. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_47.00.jsp VU#858990 9502 weblogic-multiple-connection-gain-access(15826) BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_54.00.jsp 1009765 VU#566390 10132 weblogic-trust-certificate-spoofing(15862) BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp VU#350350 9501 weblogic-boot-password-disclosure(14957) BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp 1009764 VU#920238 10131 bea-configxml-plaintext-password(15860) Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allows remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning. O-066 20040121 Voice Product Vulnerabilities on IBM Servers VU#721092 9469 1008814 ciscovoice-ibmservers-dos(14901) The default installation of Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, does not require authentication, which allows remote attackers to gain administrator privileges by connecting to TCP port 14247. O-066 20040121 Voice Product Vulnerabilities on IBM Servers VU#602734 9468 1008814 ciscovoice-ibmservers-admin-access(14900) Unknown vulnerability in Ethereal 0.8.13 to 0.10.2 allows attackers to cause a denial of service (segmentation fault) via a malformed color filter file. http://www.ethereal.com/appnotes/enpa-sa-00013.html VU#695486 RHSA-2004:136 ethereal-colour-filter-dos(15572) oval:org.mitre.oval:def:10013 Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux before Hotfix 3 allows the Sober.D worm to bypass FASV. http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-linux-hotfixes.shtml VU#415734 fsecure-antivirus-protection-bypass(15432) Buffer overflow in hsrun.exe for HAHTsite Scenario Server 5.1 Patch 06 (build 91) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long project name. 20040402 Buffer Overflow in HAHTsite Scenario Server 5.1 VU#705958 10033 hahtsite-long-request-bo(15717) Buffer overflow in CDE libDtSvc on HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows local users to gain root privileges via unknown vectors. O-057 VU#406406 HPSBUX0401-308 hp-libdtsvc-bo(14828) oval:org.mitre.oval:def:5789 Off-by-one buffer overflow in ModSecurity (mod_security) 1.7.4 for Apache 2.x, when SecFilterScanPost is enabled, allows remote attackers to execute arbitrary code via crafted POST requests. 20040316 ModSecurity 1.7.4 for Apache 2.x remote off-by-one overflow VU#779438 http://www.modsecurity.org/ 9885 http://www.s-quadra.com/advisories/Adv-20040315.txt mod-security-offbyone-bo(15489) The default installation of NetScreen-Security Manager before Feature Pack 1 does not enable encryption for communication with devices running ScreenOS 5.0, which allows remote attackers to obtain sensitive information via sniffing. http://www.juniper.net/support/security/alerts/58290.txt VU#927630 http://www.kb.cert.org/vuls/id/CRDY-5VEU8N 9455 netscreen-information-disclosure(14886) The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function. 57479 VU#702526 9477 solaris-kernel-module-gain-privilege(14917) oval:org.mitre.oval:def:4532 The character converters in the Spamhunter and Language ID modules for Symantec Brightmail AntiSpam 6.0.1 before patch 132 allow remote attackers to cause a denial of service (crash) via messages with the ISO-8859-10 character set, which is not recognized by the converters. ftp://ftp.symantec.com/public/english_us_canada/products/sba/sba_60x/updates/p132_notes.htm VU#697598 symantec-brightmail-spamhunter-dos(18530) The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass. 20040311 cPanel Secuirty Advisory CPANEL-2004:01-01 VU#831534 20040311 Cpanel 8.*.* have a problem ? 9848 cpanel-resetpass-execute-commands(15443) The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter. 20040312 Cpanel 9.1.0 have a problem ? VU#831534 9855 cpanel-login-execute-commands(15486) Scalable OGo (SOGo) 1.0 allows remote authenticated users to bypass intended permissions and view private appointments of other users. http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=1060 1013553 ogo-permission-information-disclosure(19820) Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows local users to execute arbitrary code via a long -o command line argument. OpenPKG-SA-2004.011 RHSA-2005:377 20040406 GNU Sharutils buffer overflow vulnerability. 10066 FLSA:2155 sharutils-shar-bo(15759) oval:org.mitre.oval:def:11722 Multiple buffer overflows in sharutils 4.2.1 and earlier may allow attackers to execute arbitrary code via (1) long output from wc to shar, or (2) unknown vectors in unshar. GLSA-200410-01 RHSA-2005:377 11298 FLSA:2155 oval:org.mitre.oval:def:11093 Buffer overflow in the SDO_CODE_SIZE procedure of the MD2 package (MDSYS.MD2.SDO_CODE_SIZE) in Oracle 10g before 10.1.0.2 Patch 2 allows local users to execute arbitrary code via a long LAYER parameter. 20040902 [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server http://www.appsecinc.com/resources/alerts/oracle/2004-0001/ http://www.frsirt.com/exploits/20050413.OracleExploit.sql.php http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.securiteam.com/securitynews/5CP010KE0W.html 13145 oracle-mdsysmd2sdocodesize-bo(20078) Cisco VACM (View-based Access Control MIB) for Catalyst Operating Software (CatOS) 5.5 and 6.1 and IOS 12.0 and 12.1 allows remote attackers to read and modify device configuration via the read-write community string. 20041008 Cisco IOS Software Multiple SNMP Community String Vulnerabilities VU#645400 5030 cisco-snmp-vacm(6179) Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and modify device configuration data via the cable-docsis read-write community string used by the Data Over Cable Service Interface Specification (DOCSIS) standard. 20041008 Cisco IOS Software Multiple SNMP Community String Vulnerabilities VU#840665 cisco-ios-cable-docsis(6180) A "range check error" in Skype for Windows before 0.98.0.28 allows local and remote attackers to cause a denial of service (application crash) via long command line arguments or a long callto:// URL, a different vulnerability than CVE-2004-1114. 20040615 Skype URI callto username overflow 1010490 http://www.skype.com/security/ssa-2004-01.html Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, creates the /usr/share/skype/lang directory with world-writable permissions, which allows local users to modify language files and possibly conduct social engineering or other attacks. 20041222 Permission problem in Skype BETA for linux 20050216 Re: Permission problem in Skype BETA for linux 12081 skype-lang-insecure-permissions(18644) Cross-site scripting (XSS) vulnerability in board.php for ThWboard before beta 2.84 allows remote attackers to inject arbitrary web script or HTML via the lastvisited parameter. http://cvs.sourceforge.net/viewcvs.py/thwb/thwb/board.php?r1=1.11&r2=1.12 1008617 http://sourceforge.net/project/shownotes.php?release_id=207893 9367 thwboard-board-xss(14143) Info Touch Surfnet kiosk allows local users to deposit extra time into Internet kiosk accounts via repeated authentication attempts. 9347 Info Touch Surfnet kiosk allows local users to crash Surfnet and access the underlying operating system via the CMD_CREDITCARD_CHARGE command. 9348 athenareg.php in Athena Web Registration allows remote attackers to execute arbitrary commands via shell metacharacters in the pass parameter. 9349 Directory traversal vulnerability in Net2Soft Flash FTP Server 1.0 allows remote attackers to read and create arbitrary files via a /.. (slash dot dot). 1008588 http://www.securiteam.com/windowsntfocus/5FP051FBPQ.html 9350 Buffer overflow in the web server of Webcam Watchdog 3.63 allows remote attackers to execute arbitrary code via a long HTTP GET request. http://www.elitehaven.net/webcamwatchdog.txt 20040103 Webcam Watchdog Stack Overflow Vulnerability 9351 http://www.webcamsoft.com/en/watchdog_h.html webcam-watchdog-get-bo(14131) SQL injection vulnerability in calendar.php for Invision Power Board 1.3 allows remote attackers to execute arbitrary SQL commands via the m parameter, which sets the $this->chosen_month variable. 20040103 [SCSA-025] Invision Power Board SQL Injection Vulnerability 9353 1008589 PortalApp places user credentials under the web root with insufficient access control, which allows remote attackers to gain access to sensitive information via a direct request to 8275.mdb. 1008627 9354 portalapp-url-access-database(14169) SQL injection vulnerability in PostCalendar 4.0.0 allows remote attackers to execute arbitrary SQL commands via search queries. http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2537 1008621 9372 postcalendar-search-sql-injection(14111) ASP-Nuke 1.3 and earlier places user credentials under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to main.mdb. 9355 Cross-site scripting (XSS) vulnerability in the web management interface in ZyWALL 10 4.07 allows remote attackers to inject arbitrary web script or HTML via the rpAuth_1 page. 1008644 20040106 ZyXEL10 OF ZyWALL Series Router Cross Site Scripting Vulnerabillity 9373 zywall-xss(14163) Cross-site scripting (XSS) vulnerability in the web management interface in Edimax AR-6004 ADSL Routers allows remote attackers to inject arbitrary web script or HTML via the URL. 1008643 20040106 EDIMAX AR-6004 Full Rate ADSL Router Cross Site Scripting Vulnerabillity 9374 edimax-ar6004-xss(14165) The web management interface in Edimax AR-6004 ADSL Routers uses a default administrator name and password, which also appear as the default login text for the management interface, which allows remote attackers to gain access. 1008643 20040106 EDIMAX AR-6004 Full Rate ADSL Router Cross Site Scripting Vulnerabillity swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a long packet with two CRLF sequences to the service management port (TCP 8000). 1008581 http://www.elitehaven.net/switchoff.txt 20040102 Switch Off Multiple Vulnerabilities 9339 switch-off-swnet-dos(14123) Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote authenticated users to execute arbitrary code via a long message parameter in a SendMsg action to action.htm. 1008581 http://www.elitehaven.net/switchoff.txt 20040102 Switch Off Multiple Vulnerabilities 9340 switch-off-swnet-bo(14124) Cross-site scripting (XSS) vulnerability in the VCard4J Toolkit allows remote attackers to inject arbitrary web script or HTML via the NICKNAME tag in a vCard. 1008582 20040101 Possible XSS vuln in VCard4J 9343 vcard4j-nickname-xss(14120) Info Touch Surfnet kiosk allows local users to access the underlying filesystem via a 'file://' URI. 9346 PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier allows remote attackers to execute arbitrary PHP code via the (1) config[header] parameter to hotnews-engine.inc.php3 or (2) config[incdir] parameter to hnmain.inc.php3. 1008608 http://sourceforge.net/forum/forum.php?forum_id=342594 20040104 HotNews arbitary file inclusion 9357 hotnews-php-file-include(14140) Cross-site scripting (XSS) vulnerability in search.php for FreznoShop 1.3.0 RC1 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter. 1008606 9359 freznoshop-searchphp-xss(14147) RealOne player 6.0.11.868 allows remote attackers to execute arbitrary script in the "My Computer" zone via a Synchronized Multimedia Integration Language (SMIL) presentation with a "file:javascript:" URL, which is executed in the security context of the previously loaded URL, a different vulnerability than CVE-2003-0726. 1008647 20040107 RealNetworks fails to address Cross-Site Scripting in RealOne Player 9378 realoneplayer-smil-xss(14168) PF in certain OpenBSD versions, when stateful filtering is enabled, does not limit packets for a session to the original interface, which allows remote attackers to bypass intended packet filters via spoofed packets to other interfaces. 20040105 firewall security bug? 9362 Unknown vulnerability in Sysbotz SimpleData 4.0.1 and possibly earlier versions allows remote attackers to gain access via a crafted URL and a certain cookie. 1008695 9380 simpledata-gain-unauth-access(14206) Directory traversal vulnerability in PWebServer 0.3.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. 20040308 directory traversal in PWebServer 0.3.3 http://www.autistici.org/fdonato/advisory/PWebServer0.3.3-adv.txt 9817 pwebserver-dotdot-directory-traversal(15404) Chat Anywhere 2.72 and earlier allows remote attackers to hide their IP address by using %00 before the nickname, which causes the IP address to be displayed as $IP$ on the administration web page. http://aluigi.altervista.org/adv/chatany-ghost-adv.txt 20040309 Ghost users in Chat Anywhere 2.72 http://www.lionmax.com/chatanywhere.htm 9823 chat-anywhere-admin-bypass(15416) wMCam server 2.1.348 allows remote attackers to cause a denial of service (no new connections) via multiple malformed HTTP requests without the GET command. 20040310 DoS in wMCam server 2.1.348 9839 wmcam-multiple-connections-dos(15431) Format string vulnerability in games using the Epic Games Unreal Engine 436 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in class names. http://aluigi.altervista.org/adv/unrfs-adv.txt 20040310 Format string bug in EpicGames Unreal engine 20040311 Re: Format string bug in EpicGames Unreal engine 9840 ut-class-format-string(15430) SQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to execute SQL commands via the (1) category_id, (2) product_id, or (3) feature_id parameters. 20040312 Dogpatch Software CFWebstore 5.0 shopping cart software multiple security vulnerabilities 1009403 9854 http://www.s-quadra.com/advisories/Adv-20040312.txt cfwebstore-index-sql-injection(15447) Cross-site scripting (XSS) vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to inject arbitrary web script or HTML via the URL. 20040312 Dogpatch Software CFWebstore 5.0 shopping cart software multiple security vulnerabilities 1009403 9856 http://www.s-quadra.com/advisories/Adv-20040312.txt cfwebstore-url-xss(15454) Extcompose in metamail does not verify the output file before writing to it, which allows local users to overwrite arbitrary files via a symlink attack. 20040312 Metamail 'extcompose' script Symlink Vulnerability 9850 metamail-extcompose-symlink(15460) Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) postdays parameter to viewtopic.php or (2) topicdays parameter to viewforum.php. 20040313 phpBB 2.0.6d && Earlier Security Issues http://www.phpbb.com/support/documents.php?mode=changelog#206 9865 9866 phpbb-viewforum-viewtopic-xss(15464) The Javascript engine in Opera 7.23 allows remote attackers to cause a denial of service (crash) by creating a new Array object with a large size value, then writing into that array. 20040314 Opera Array Allocation Managment Exploit 9869 safari-array-dos(15413) The SSL HTTP Server in HP Web-enabled Management Software 5.0 through 5.92, with anonymous access enabled, allows remote attackers to compromise the trusted certificates by uploading their own certificates. 20040315 Immunity Advisory: Compaq Web Management vulnerability 20040314 Multiple Immunity Advisories O-100 http://www.immunitysec.com/downloads/hp_http.sxw.pdf SSRT4679 9859 HPSBMA01003 hp-http-certificate-upload(15466) Multiple stack-based buffer overflows in Agent Common Services (1) cam.exe and (2) awservices.exe in Unicenter TNG 2.4 allow remote attackers to execute arbitrary code. ftp://ftp.ca.com/CAproducts/unicenter/CCS31/nt/qi52764/QI52764.DB0 20040314 Multiple Immunity Advisories 20040315 Immunity Advisory: Computer Associates Unicenter TNG http://www.immunitysec.com/downloads/awservices.sxw.pdf 9863 unicentertng-awservices-cam-bo(15472) VocalTec VGW4/8 Gateway 8.0 allows remote attackers to bypass authentication via an HTTP request to home.asp with a trailing slash (/). 20040315 VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass 9876 vgw48-gateway-directory-traversal(15476) Directory traversal vulnerability in VocalTec VGW4/8 Gateway 8.0 allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request, as demonstrated using home.asp. 20040315 VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass 9876 vgw48-gateway-directory-traversal(15476) Unknown vulnerability in ColdFusion MX 6.0 and 6.1, and JRun 4.0, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption). 20040315 Multiple Vendor SOAP server array DoS http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html 9877 soap-array-dos(15473) Unknown vulnerability in Sun Java System Application Server 7.0 Update 2 and earlier, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption). 20040315 Multiple Vendor SOAP server array DoS 57517 201713 9877 soap-array-dos(15473) Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Your Name field, (2) e-mail field, (3) nicname field, (4) fname parameter, (5) ratenum parameter, or (6) search field. 20040315 [waraxe-2004-SA#005 - XSS in Php-Nuke 7.1.0 - part 2] 9879 phpnuke-multiple-parameters-xss(15491) Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary script as other users by injecting arbitrary script into the z parameter. 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] 9881 4nalbum-nmimagephp-xss(15497) 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to obtain sensitive information via a direct request to displaycategory.php, which reveals the path in an error message. 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] 9881 4nalbum-error path-disclosure(15493) PHP remote file inclusion vulnerability in displaycategory.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary PHP code by modifying the basepath parameter to reference a URL on a remote web server that contains fileFunctions.php. 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] 9881 4nalbum-displaycategory-file-include(15496) SQL injection vulnerability in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to gain privileges or perform unauthorized database operations via the gid parameter. 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] 9881 4nalbum-modulesphp-SQL-injection(15498) Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.1 through 5.0.3 beta allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_REFERER parameter to login.php, (2) HTTP_REFERER parameter to register.php, or (3) target parameter to profile.php. 20040315 Phorum 5.0.3 Beta && Earlier XSS Issues http://phorum.org/changelog.txt 1009433 9882 phorum-register-xss(15494) Multiple cross-site scripting (XSS) vulnerabilities in Jelsoft vBulletin 2.0 beta 3 through 3.0 can4 allows remote attackers to inject arbitrary web script or HTML via the (1) page parameter to showthread.php or (2) order parameter to forumdisplay.php. 20040316 JelSoft vBulletin Multiple XSS Vulnerabilities 1009440 9888 9889 vbulletin-showthread-xss(15495) Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.0 allows remote attackers to inject arbitrary web script or HTML via the what parameter to memberlist.php. 20021121 XSS bug in vBulletin 20040316 JelSoft vBulletin Multiple XSS Vulnerabilities 1009440 vbulletin-memberlist-xss(10679) 6226 9887 vbulletin-showthread-xss(15495) Cross-site scripting (XSS) vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) return or (2) mos_change_template parameters. 20040316 Mambo Open Source Multiple Vulnerabilities 9890 mambo-return-moschangetemplate-xss(15499) SQL injection vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 20040316 Mambo Open Source Multiple Vulnerabilities 9891 mambo-id-sql-injection(15500) Cross-site scripting (XSS) vulnerability in YaBB 1 Gold(SP1.3) and YaBB SE 1.5.1 Final allows remote attackers to inject arbitrary web script via the background:url property in (1) glow or (2) shadow tags. 20040314 YaBB/YaBBse Cross Site Scripting Vulnerability 20040316 RE: YaBB/YaBBse Cross Site Scripting Vulnerability 1009427 9873 http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 yabb-glow-shadow-xss(15488) Vcard 2.9 and possibly other versions does not require authorization to run uninstall.php, which could allow remote attackers to uninstall Vcard and delete database tables via a direct request to uninstall.php. 20040317 Vcard 2.8 uninstall script problem 9910 vcard-uninstall-delete-table(15522) Multiple cross-site scripting (XSS) vulnerabilities in error.php in Gijza.net Error Manager 2.1 for PHP-Nuke 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) pagetitle or (2) error parameters, or (3) certain parameters in the error log. 20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager 9911 errormanager-error-xss(15529) errormanager-error-command-execution(15530) error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message. 20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager 9911 errormanager-error-path-disclosure(15524) Buffer overflow in Chrome 1.2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large length value, which leads to a null dereference or out-of-bounds read. http://aluigi.altervista.org/adv/chrome-boom-adv.txt 20040318 Chrome 1.2.0.0 server crash 9898 chrome-malloc-memcpy-dos(15535) Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660. 20040318 mac osx- admin service buffer overflow 20040319 Re: mac osx- admin service buffer overflow 9914 macos-admin-servicebo(15533) The admin.ib file in Borland Interbase 7.1 for Linux has default world writable permissions, which allows local users to gain database administrative privileges. 1009500 20040319 Borland Interbase admin.ib Administrative Access Vulnerability 9929 interbase-admin-gain-privileges(15546) mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information. 20040319 Apache mod_disk_cache stores client authentication credentials on disk 1009509 102198 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm RHSA-2004:562 9933 ADV-2006-0789 apache-moddiskcache-obtain-info(15547) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11133 Multiple SQL injection vulnerabilities in index.php in Invision Gallery 1.0.1 allow remote attackers to execute arbitrary SQL via the (1) img, (2) cat, (3) sort_key, (4) order_key, (5) user, or (6) album parameters. 20040322 Invision Gallery SQL Injection Vulnerabilities 1009512 9944 invision-gallery-sql-injection(15566) SQL injection vulnerability in index.php in Invision Power Top Site List 1.1 RC 2 and earlier allows remote attackers to execute arbitrary SQL via the id parameter of the comments action. 20040322 Invision Power Top Site List SQL Injection Vulnerability 1009511 9945 invision-id-sql-injection(15568) Cross-site scripting (XSS) vulnerability in Mod_survey 3.0.x before 3.0.16-pre2 and 3.2.x before 3.2.0-pre4 allows remote attackers to inject arbitrary web script or HTML via the certain survey fields or error messages for malformed query strings. 20040322 Mod_Survey security advisory: Script injection bug 1009516 9941 modsurvey-xss(15582) Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL. 20040322 directory traversal in xweb 1.0 1009514 http://www.autistici.org/fdonato/advisory/xweb1.0-adv.txt 9937 xweb-dotdot-directory-traversal(15567) MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message. 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] 9946 Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php. 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] 9947 msanalysis-modules-title-xss(15575) SQL injection vulnerability in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to execute arbitrary SQL via the referer field in an HTTP request. 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] 9948 msanalysis-referer-sql-injection(15576) Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php. 20040322 [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0] 9895 phpnuke-img-gain-privileges(15596) SQL injection vulnerability in Member Management System 2.1 allows remote attackers to execute arbitrary SQL via the ID parameter to (1) resend.asp or (2) news_view.asp. 20040322 Vulnerabilities in Member Management System 2.1 1009508 9931 mms-id-sql-injection(15551) Cross-site scripting (XSS) vulnerability in Member Management System 2.1 allows remote attackers to inject arbitrary web script or HTML via (1) the err parameter to error.asp or (2) register.asp. 20040322 Vulnerabilities in Member Management System 2.1 1009508 9932 mms-xss(15552) Multiple cross-site scripting (XSS) vulnerabilities in News Manager Lite 2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to comment_add.asp, (2) search parameter to search.asp, or (3) n parameter to category_news_headline.asp. 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration 1009507 9935 news-manager-xss(15548) Multiple SQL injection vulnerabilities in News Manager Lite 2.5 allow remote attackers to execute arbitrary SQL code via the (1) ID parameter to more.asp, (2) ID parameter to category_news.asp, or (3) filter parameter to news_sort.asp. 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration 1009507 9935 news-manager-sql-injection(15549) News Manager Lite 2.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN parameter in the NEWS_LOGIN cookie. 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration 1009507 9935 news-manager-admin-access(15550) Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial of service (disk consumption) and bypass file size restrictions via a REST command with a large size argument, followed by a STOR of a smaller file. 20040323 How to crash a harddisk - the Ipswitch WS_FTP Server way 1009529 9953 wsftp-rest-dos(15560) wsftp-rest-stor-dos(41831) Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html. 20040323 More Cpanel Vuls (cross site scripting) 1009541 9965 cpanel-dodelautores-addhandle-xss(15517) The Rage 1.01 and earlier allows remote attackers to cause a denial of service (infinite loop) via a TCP packet with the port and IP address set to zero. http://aluigi.altervista.org/adv/ragefreeze-adv.txt 20040323 Server freeze in The Rage 1.01 1009540 9961 therage-packet-dos(15584) Dameware Mini Remote Control 4.1.0.0 uses insufficiently random data to create the encryption key, which makes it easier for remote attackers to obtain sensitive information via brute force guessing. 20030323 Dameware Passes Weak File Encryption Key in the Clear 1009557 9957 dameware-random-generator-weak(15587) DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transmits the Blowfish encryption key in plaintext, which allows remote attackers to gain sensitive information. 20040323 Dameware Passes Weak File Encryption Key in the Clear 1009557 http://www.dameware.com/support/security/bulletin.asp?ID=SB3 9959 dameware-encryption-key-plaintext(15586) Buffer overflow in Terminator 3: War of the Machines 1.0 allows remote attackers to cause a denial of service via a long ServerInfo variable. http://aluigi.altervista.org/adv/t3cbof-adv.txt 20040323 Broadcast client buffer-overflow in Terminator 3 1.0 1009498 9918 terminator3-bo(15542) Buffer overflow in the logging function in Picophone 1.63 and earlier allows remote attackers to execute arbitrary code via a large packet. http://aluigi.altervista.org/adv/picobof-adv.txt 20040324 Buffer overflow in PicoPhone 1.63 1009551 9969 picophone-logging-function-bo(15595) Dark Age of Camelot before 1.68 live patch does not sign the RSA public key, which could allow remote malicious servers to gain sensitive information via a man-in-the-middle attack. http://capnbry.net/daoc/advisory20040323/ 20040323 Dark Age of Camelot login client vulnerability to man in the middle attack 20040324 Dark Age of Camelot login client vulnerability to man in the middle 9960 daoc-login-mitm(15597) devices_update_printer_fw_upload.hts in HP Web JetAdmin 7.5.2546, when no password is set, allows remote attackers to upload arbitrary files to the printer directory. 20040324 HP Web JetAdmin vulnerabilities. http://sh0dan.org/files/hpjadmadv.txt SSRT4700 9971 hp-jetadmin-file-upload(15605) Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7.5.2546 allows remote authenticated attackers to read arbitrary files via a .. (dot dot) in the setinclude parameter. 20040324 HP Web JetAdmin vulnerabilities. SSRT4700 9972 hp-jetadmin-setinfo-directory-traversal(15606) HP Web Jetadmin 7.5.2546 allows remote attackers to cause a denial of service (crash) via a malformed request, possibly due to a stricmp() error from an invalid use of the "$" character. 20040324 HP Web JetAdmin vulnerabilities. SSRT4700 Directory traversal vulnerability in Trend Micro Interscan Web Viruswall in InterScan VirusWall 3.5x allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=19257 20040324 TrendMacro Interscan Viruswall Directory Traversal 1009550 9966 interscan-dotdot-directory-traversal(15590) Buffer overflow in Check Point SmartDashboard in Check Point NG AI R54 and R55 allows remote authenticated users to cause a denial of service (server disconnect) and possibly execute arbitrary code via a large filter on a column when using SmartView Tracker. 20040325 Check Point SmartDashboard Buffer Overflow 1009490 9870 fw1-smartdashboard-bo(15539) Invision NetSupport School Pro uses a weak encryption algorithm to encrypt passwords, which allows local users to obtain passwords. 20040326 NetSupport School Pro: Password Encryption Weaknesses 9981 netsupportschoolpro-weak-encryption(15621) Multiple cross-site scripting (XSS) vulnerabilities in Extreme Messageboard (XMB) 1.8 SP3 and 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) xmbuser parameter to xmb.php, (2) folder parameter to u2u.php, (3) viewmost, replymost, or latest parameter to stats.php, (4) message or icons parameter to post.php, (5) threadlist, pagelinks, forumlist, navigation, or (6) forumdisplay parameter to forumdisplay.php. 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta] 9983 xmb-forum-multiple-xss(15654) Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allow remote attackers to inject arbitrary web script or HTML via (1) the u2uheader parameter in editprofile.php, the restrict parameter in (2) member.php, (3) misc.php, and (4) today.php, and (5) an arbitrary parameter in phpinfo.php. 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta] 9983 xmb-forum-multiple-xss(15654) SQL injection vulnerability in Extreme Messageboard (XMB) 1.9 beta allows remote attackers to execute arbitrary SQL commands via the restrict parameter to (1) member.php, (2) misc.php, or (3) today.php. 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] 1009561 9983 xmb-forum-sql-injection(15655) Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally allowed to add HTML by other means, e.g. through Smarty templates, then this issue would not give any additional privileges, and thus would not be considered a vulnerability. 20040326 bblog 0.7.2 cross site scripting 1009564 13397 bblog-name-xss(15635) nstxd in Nstx 1.1 beta3 and earlier allows remote attackers to cause a denial of service (crash) via a large packet, which triggers a null dereference. 20040326 Nstxd vulnerability http://nstx.dereference.de/nstx/nstx-1.1-beta4.tgz 1009567 9989 nstx-null-dos(15638) Cross-site scripting (XSS) vulnerability in guest.cgi in Fresh Guest Book allows remote attackers to inject arbitrary web script or HTML via the Name field. 20040328 vuln 9995 freshguestbook-guest-xss(15649) Stack-based buffer overflow in WinSig.exe in eSignal 7.5 and 7.6 allows remote attackers to execute arbitrary code via a long STREAMQUOTE tag. 20040406 Re: eSignal v7 remote buffer overflow 20040325 eSignal v7 remote buffer overflow (exploit) http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt 9978 esignal-specs-bo(15624) Etherlords I 1.07 and earlier and Etherlords II 1.03 and earlier allows remote attackers to cause a denial of service (crash) by sending a packet that specifies the size for the next packet, then sending a larger packet than specified, which causes Etherlords to read unallocated memory. http://aluigi.altervista.org/adv/ethboom-adv.txt 20040325 Remote crash in Etherlords I 1.07 and II 1.03 9979 etherlords1-packet-dos(15618) etherlords2-packet-dos(15619) Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php. 20040328 PhotoPost PHP Pro Multiple Vulnerabilities 1009571 9994 photopost-php-sql-injection(15642) Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ppuser, (2) password, (3) stype, (4) perpage, (5) sort, (6) page, (7) si, or (8) cat parameters to showmembers.php, or the (9) photo name, (10) photo description, (11) album name, or (12) album description fields. 20040328 PhotoPost PHP Pro Multiple Vulnerabilities 1009571 9994 photopost-php-xss(15643) Cross-site scripting (XSS) vulnerability in WebCT Campus Edition 4.1.1.5 allows remote attackers to inject arbitrary web script or HTML via the @import URL function in a CSS style tag. 20040329 WebCT Campus Edition 4.1 - Cross site scripting using CSS @import 9999 webct-import-xss(15652) SQL injection vulnerability in category.asp in A-CART Pro and A-CART 2.0 allows remote attackers to gain privileges via the catcode parameter. 20040329 A-CART Pro & A-CART 2.0 Input Validation Holes http://s-a-p.ca/index.php?page=OurAdvisories&id=27 http://www.aria-security.com/forum/showthread.php?t=31 http://www.aria-security.com/forum/showthread.php?t=32 20061114 A-Cart pro[ injection sql (post&get)] 20061118 A-Cart 2.0 SQL Injection 20061118 A-Cart PRO SQL Injection 20061118 Re: A-Cart PRO SQL Injection 9997 acart-categoryasp-sql-injection(15661) Multiple cross-site scripting (XSS) vulnerabilities in (1) deliver.asp and (2) billing.asp in A-CART Pro and A-CART 2.0 allow remote attackers to inject arbitrary web script or HTML via the user information forms. 20040329 A-CART Pro & A-CART 2.0 Input Validation Holes 9997 acart-deliverasp-billingasp-xss(15660) Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to ignorelist.html, (5) account parameter to showlog.html, (6) db parameter to repairdb.html, (7) login parameter to doaddftp.html (8) account parameter to editmsg.htm, or (9) ip parameter to del.html. NOTE: the dnslook.html vector was later reported to exist in cPanel 10. 20040330 Exensive cPanel Cross Site Scripting http://www.aria-security.com/forum/showthread.php?t=30 http://www.cirt.net/advisories/cpanel_xss.shtml 10002 21142 ADV-2006-4658 cpanel-multiple-scripts-xss(15671) The "%f" feature in the VirusEvent directive in Clam AntiVirus daemon (clamd) before 0.70 allows local users to execute arbitrary commands via shell metacharacters in a file name. 20040330 clamd - NEVER use "%f" in your "VirusEvent" GLSA-200405-03 10007 clamantivirus-virusevent-gain-privileges(15692) The p_submit_url value in the sample login form in the Oracle 9i Application Server (9iAS) Single Sign-on Administrators Guide, Release 2(9.0.2) for Oracle SSO allows remote attackers to spoof the login page, which could allow users to inadvertently reveal their username and password. 20040330 Problem with customized login pages for Oracle SSO 10009 oracle-sso-login-spoofing(15676) LINBOX LIN:BOX allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). 20040330 Linbit linbox Multiple Vulnerabilities 10010 http://www.websec.org/adv/linbit.txt.html linbox-slashslash-security-bypass(15677) Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows allows remote attackers to inject arbitrary web script or HTML via forum messages. 20040330 phpkit suffers (reale stupid) XSS vuln. 10013 phpkit-forum-message-xss(15681) Memory leak in the back-bdb backend for OpenLDAP 2.1.12 and earlier allows remote attackers to cause a denial of service (memory consumption). CLSA-2003:685 SQL injection vulnerability in (1) mailorder.asp or (2) payonline.asp in CactuShop 5.x allows remote attackers to execute arbitrary SQL commands via the strItems parameter. 20040331 CactuSoft CactuShop v5.x shopping cart software multiple security 1009601 10019 http://www.s-quadra.com/advisories/Adv-20040331.txt cactushop-multiple-sql-injection(15686) Cross-site scripting (XSS) vulnerability in popuplargeimage.asp in CactuShop 5.x allows remote attackers to inject arbitrary web script or HTML via the strImageTag parameter. 2004031 CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities 20040331 CactuSoft CactuShop v5.x shopping cart software multiple security 1009601 10020 cactushop-popularlargeimageasp-xss(15687) Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow remote authenticated users to execute arbitrary code by causing a large error string to be generated by the ALLO handler, or (2) may allow remote FTP administrators to execute arbitrary code by causing a long hostname or username to be inserted into a reply to a STAT command while a file is being transferred. 20040323 ALLO ALLO WS_FTP Server 20040323 Think of the buffers! Won't somebody think of the buffers?! 9953 wsftp-allo-bo(15561) Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access. 20040323 Open the WS_FTP Server backdoor to SYSTEM 9953 wftp-site-gain-priviliege(15558) Ipswitch WS_FTP Server 4.0.2 allows remote authenticated users to execute arbitrary programs as SYSTEM by using the SITE command to modify certain iFtpSvc options that are handled by iftpmgr.exe. 20040323 Open the WS_FTP Server backdoor to SYSTEM 9953 wftp-site-gain-priviliege(15558) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1848. Reason: This candidate is a duplicate of CVE-2004-1848. Notes: All CVE users should reference CVE-2004-1848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Ada Image Server (ImgSvr) 0.4 allows remote attackers to view directories or download files via an HTTP request with a trailing %00 (null). 20040401 Index viewing in imgSvr 0.4 http://sourceforge.net/project/shownotes.php?release_id=230023 http://www.autistici.org/fdonato/advisory/imgSvr0.4-adv.txt 10026 10027 imgsvr-obtain-information(15706) display.cgi in Aborior Encore WebForum allows remote to execute arbitrary commands via shell metacharacters in the file variable. 20040403 Remote Exploit for Aborior's Encore Web Forum 20060620 display.cgi 20060621 Re: display.cgi 10040 1009652 encore-display-command-execution(15725) Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via a link failure with Microsoft Windows. 20040401-01-P 10037 irix-ftpd-link-dos(15722) Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via the PORT mode. 20040401-01-P 10037 irix-ftpd-port-dos(15723) The ftp_syslog function in ftpd in SGI IRIX 6.5.20 "doesn't work with anonymous FTP," which has an unknown impact, possibly preventing the actions of anonymous users from being logged. 20040401-01-P Stack-based buffer overflow in DecodeBase16 function, as used in the (1) IRC module and (2) web server in eMule 0.42d, allows remote attackers to execute arbitrary code via a long string. 20040403 eMule v0.42d Buffer Overflow http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22 10039 emule-decodebase16-bo(15730) Dreamweaver MX, when "Using Driver On Testing Server" or "Using DSN on Testing Server" is selected, uploads the mmhttpdb.asp script to the web site but does not require authentication, which allows remote attackers to obtain sensitive information and possibly execute arbitrary SQL commands via a direct request to mmhttpdb.asp. 20040403 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted] http://www.macromedia.com/devnet/security/security_zone/mpsb04-05.html http://www.nextgenss.com/advisories/dreamweaver.txt 10036 dreamweaver-test-script-sql-injection(15721) TEXutil in ConTEXt, when executed with the --silent option, allows local users to overwrite arbitrary files via a symlink attack on texutil.log. 20040404 Texutil symlink vulnerability. 20040404 Texutil symlink vulnerability. 1009661 10042 texutil-symlink-attack(15728) YaST Online Update (YOU) in SuSE 8.2 and 9.0 allows local users to overwrite arbitrary files via a symlink attack on you-$USER/cookies. 20040406 Re: SuSEs YaST Online Update - possible symlink attack 20040405 SuSEs YaST Online Update - possible symlink attack 1009668 10047 suse-you-symlink(15731) Heap-based buffer overflow in in_mod.dll in Nullsoft Winamp 2.91 through 5.02 allows remote attackers to execute arbitrary code via a Fasttracker 2 (.xm) mod media file. 20040405 NGSSoftware Insight Security Research Advisory 1009660 http://www.nextgenss.com/advisories/winampheap.txt 10045 winamp-inmod-bo(15727) Administration interface in Monit 1.4 through 4.2 allows remote attackers to cause a denial of service (segmentation fault) by sending a Basic Authentication request without a password, which causes Monit to decrement a null pointer and perform an out-of-bounds read. 20040405 Advisory: Multiple Vulnerabilities in Monit 10051 monit-basic-auth-dos(15734) Stack-based buffer overflow in the administration interface in Monit 1.4 through 4.2 allows remote attackers to execute arbitrary code via a long username. 20040405 Advisory: Multiple Vulnerabilities in Monit 10051 monit-offbyone-bo(15735) The administration interface in Monit 1.4 through 4.2 allows remote attackers to cause an off-by-one overflow via a POST that contains 1024 bytes. 20040405 Advisory: Multiple Vulnerabilities in Monit 10051 monit-post-offbyone-bo(15736) Format string vulnerability in the logging function in IGI 2 Covert Strike server 1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in RCON commands. http://aluigi.altervista.org/adv/igi2fs-adv.txt 20040405 Format string bug in IGI 2: Covert Strike 1.3 1009667 10053 igi2covertstrike-rcon-format-string(15742) Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. GLSA-200404-01 10060 portage-lockfile-hardlink(15754) The Citrix MetaFrame Password Manager 2.0, when a central credential store is not configured, does not encrypt passwords entered immediately after executing the First Time User Wizards, which allows local users to gain sensitive information. 20040406 Foundstone Labs Advisory: Citrix MetaFrame Password Manager 2.0 1009659 http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256 10049 metaframe-wizard-info-disclosure(15737) Buffer overflow in blaxxun 3D 7.0 allows remote attackers to execute arbitrary code via a long URL property inside an object tag. 20040406 blaxxun3D(blaxxun Platform) 7 - Remote Buffer Overflow 10064 blaxxun-applicationxcc3d-bo(15625) Buffer overflow in ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to execute arbitrary code via the Internacional property followed by a long string. 20040406 Panda ActiveScan 5.0 - Remote Buffer Overflow and A Crash(D.O.S) http://theinsider.deep-ice.com/texts/advisory53.txt 10065 panda-activescan-ascontrol-bo(15764) ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to cause a denial of service (crash) by calling the SetSitesFile function. 20040406 Panda ActiveScan 5.0 - Remote Buffer Overflow and A Crash(D.O.S) http://theinsider.deep-ice.com/texts/advisory53.txt 10067 panda-activescan-ascontrol-dos(15831) Mcafee FreeScan allows remote attackers to cause a denial of service and possibly arbitrary code via a long string in the ScanParam property of a COM object, which may trigger a buffer overflow. 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure 20040407 Symantec, McAfee and Panda ActiveX controls 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure http://theinsider.deep-ice.com/texts/advisory54.txt 10071 freescan-mcfscan-bo(15772) The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13". 20040406 Kerio Personal Firewall 4 and IE 6 "Bug" 20040407 Kerio Personal Firewall 4.0.13 - Remote DoS (Crash) http://www.cipher.org.uk/index.php?p=advisories/HEX-Kerio_Personal_Firewall_Remote_DOS_7-04-2004.advisory 10075 kerio-pf-webfilter-dos(15821) McFreeScan.CoMcFreeScan.1 ActiveX object in Mcafee FreeScan allows remote attackers to obtain sensitive information via the GetSpecialFolderLocation function with certain parameters. 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure 20040407 Symantec, McAfee and Panda ActiveX controls 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure 20040407 McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC] 10077 freescan-mcfscan-info-disclosure(15782) Claim Anti-Virus (ClamAV) 0.68 and earlier allows remote attackers to cause a denial of service (crash) via certain RAR archives, such as those generated by the Beagle/Bagle worm. http://freshmeat.net/projects/clamav/?branch_id=29355&release_id=154462 GLSA-200404-07 9897 clam-antivirus-rar-dos(15553) rufsi.dll in Symantec Virus Detection allows remote attackers to cause a denial of service (crash) via a long string to the GetPrivateProfileString function. NOTE: this issue was originally reported as a buffer overflow, but that specific claim is disputed by the vendor, although a crash is acknowledged. 20040407 Symantec, McAfee and Panda ActiveX controls 20040407 Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow 20040408 Re: Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow, Apr 7 10069 symantec-sc-rufsi-bo(15778) Cross-site scripting (XSS) vulnerability in AzDGDatingLite 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) l parameter (aka language variable) to index.php or (2) id parameter to view.php. 20040408 [waraxe-2004-SA#014 - Cross-Site Scripting aka XSS in AzDGDatingLite] 10084 azdgdating-index-view-xss(15796) The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, (4) block-Calendar_center.php scripts in NukeCalendar 1.1.a, as used in PHP-Nuke, allow remote attackers to obtain sensitive information via a URL with an invalid argument, which reveals the full path in an error message. 20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a] 10082 nuke-calendar-path-disclosure(15795) Cross-site scripting (XSS) vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to inject arbitrary web script or HTML via the eid parameter. 20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a] 10082 nuke-calendar-modulesphp-xss(15798) SQL injection vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to execute arbitrary SQL commands via the eid parameter. 20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a] 10082 nukecalendar-modulesphp-sql-injection(15799) Buffer overflow in the parse_all_client_messages function in LCDproc 0.4.x up to 0.4.4 allows remote attackers to execute arbitrary code via a large number of arguments. http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html 20040408 PSR - #2004-001 Remote - LCDProc GLSA-200404-19 10085 lcdproc-parseallclientmessages-bo(15803) Multiple buffer overflows in LCDProc 0.4.1, and possibly other 0.4.x versions up to 0.4.4, allows remote attackers to execute arbitrary code via (1) a long invalid command to parse_all_client_messages function, or (2) long argv command to test_func_func function. http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html 20040408 PSR - #2004-002 Remote - LCDProc GLSA-200404-19 10085 lcdproc-testfuncfunc-bo(15814) Format string vulnerability in test_func_func in LCDProc 0.4.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the str variable. http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html 20040408 PSR - #2004-002 Remote - LCDProc GLSA-200404-19 10085 lcdproc-testfuncfunc-format-string(15817) RSniff 1.0 allows remote attackers to cause a denial of service (connection exhaustion) via a large number of connections with a command other than AUTHENTICATE, or without any data, which prevents the socket from being closed properly. http://aluigi.altervista.org/adv/rsniff-adv.txt 20040409 DoS in Rsniff 1.0 10093 rsniff-connection-dos(15823) The hash_strcmp function in hasch.c in Crackalaka 1.0.8 allows remote attackers to cause a denial of service (crash) via large malformed strings. 20040409 DoS in Crackalaka 1.0.8 10092 crackalaka-hashstrcmp-dos(15824) X-Micro WLAN 11b Broadband Router 1.2.2, 1.2.2.3, 1.2.2.4, and 1.6.0.0 has a hardcoded "super" username and password, which could allow remote attackers to gain access. 20040410 Backdoor in X-Micro WLAN 11b Broadband Router 10095 xmicro-router-default-account(15829) X-Micro WLAN 11b Broadband Router 1.6.0.1 has a hardcoded "1502" username and password, which could allow remote attackers to gain access. 20040416 Re: Backdoor in X-Micro WLAN 11b Broadband Router 20040416 NEW backdoor in X-Micro WLAN 11b Broadband Router 10095 xmicro-router-default-login(15890) Microsoft Internet Explorer 5.5 and 6.0 allocates memory based on the memory size written in the BMP file instead of the actual BMP file size, which allows remote attackers to cause a denial of service (memory consumption) via a small BMP file with has a large memory size. 20040411 Microsoft Internet Explorer BMP file memory DoS vulnerability Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to gain sensitive information via a direct request to (1) banner_click.php, (2) categorize.php, (3) tiki-admin_include_directory.php, (4) tiki-directory_search.php, which reveal the web server path in an error message. 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] http://tikiwiki.org/tiki-read_article.php?articleId=66 10100 tikiwiki-path-disclosure(15847) Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php, (4) articleId parameter to tiki-read_article.php, (5) parentId parameter to tiki-browse_categories.php, (6) comments_threshold parameter to tiki-index.php (7) articleId parameter to tiki-print_article.php, (8) galleryId parameter to tiki-list_file_gallery.php, (9) galleryId parameter to tiki-upload_file.php, (10) faqId parameter to tiki-view_faq.php, (11) chartId parameter to tiki-view_chart.php, or (12) surveyId parameter to tiki-survey_stats_survey.php. 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] http://tikiwiki.org/tiki-read_article.php?articleId=66 10100 tikiwiki-xss(15846) Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php. 20040411 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] http://tikiwiki.org/tiki-read_article.php?articleId=66 10100 tikiwiki-sql-injection(15845) Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation. 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] http://tikiwiki.org/tiki-read_article.php?articleId=66 10100 Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter. 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] http://tikiwiki.org/tiki-read_article.php?articleId=66 10100 tikiwiki-tikimap-file-disclosure(15848) The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL. 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] http://tikiwiki.org/tiki-read_article.php?articleId=66 10100 tikiwiki-file-upload(15849) SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter. 20040412 [waraxe-2004-SA#017 - User-level authentication bypass in phpnuke 6.x-7.2] 10135 http://www.waraxe.us/index.php?modname=sa&id=17 phpnuke-bypass-authentication(15839) Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie. 20040412 [waraxe-2004-SA#016 - Cross-Site Scripting aka XSS in phpnuke 6.x-7.2 part 3] 10128 http://www.waraxe.us/index.php?modname=sa&id=16 phpnuke-cookiedecode-xss(15842) SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter. 20040412 [waraxe-2004-SA#018 - Admin-level authentication bypass in phpnuke 6.x-7.2] http://www.waraxe.us/index.php?modname=sa&id=18 phpnuke-admin-bypass-authentication(15835) Citadel/UX 5.00 through 6.14 installs the database directory and files with world-read permissions, which could allow local users to bypass access controls and read unauthorized messages. 20040412 Citadel/UX 6.20 fixes local permissions vulnerability 10102 citadel-database-insecure-permissions(15850) PHP remote file inclusion vulnerability in affich.php in Gemitel 3.50 allows remote attackers to execute arbitrary PHP code via the base parameter. 20040415 Include vulnerability in GEMITEL v 3.50 1009824 10156 gemitel-spturnphpfile-include(15887) Cross-site scripting (XSS) vulnerability in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via onload, onmouseover, and other Javascript events in an e-mail attachment. 20040415 SCT javascript execution vulnerability 10154 sct-campus-attachment-xss(15878) ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote attackers to bypass e-mail protection via attachments whose names contain certain non-English characters. 20040414 ZA Security Hole 20040420 Re: ZA Security Hole 10148 zonealarm-email-bypass-security(15884) Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via .. sequences in (1) the user_langue parameter to index.php or (2) the langue parameter to update.php, or modify arbitrary GLOBAL variables by causing globals.php to be loaded before conf.inc.php via (3) .. sequences in the file parameter with the page parameter set to globals, or (4) ../globals.php in the user_langue parameter, as demonstrated by modifying $nuked[prefix] in the Suggest module. 20040417 [SCSA-028] Nuked-Klan Multiple Vulnerabilities http://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt 10104 nuked-klan-file-include(15843) nuked-klan-configurtion-corruption(15844) SQL injection vulnerability in userlogin.php in Phorum 3.4.7 allows remote attackers to execute arbitrary SQL commands via doubly hex-encoded characters such as "%2527", which is translated to "'", as demonstrated using the phorum_uriauth parameter to list.php. 20040419 [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7] 10173 http://www.waraxe.us/index.php?modname=sa&id=19 phorum-userlogin-sql-injection(15894) Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter. 20040419 Zaep AntiSpam Cross Site Scripting http://www.securiteam.com/windowsntfocus/5EP0I15CKK.html 10139 zaep-antispam-xss(15858) sipclient.cpp in KPhone 4.0.1 and earlier allows remote attackers to cause a denial of service (crash) via a STUN response packet with a large attrLen value that causes an out-of-bounds read. 20040419 KPhone STUN DoS (Malformed STUN Packets) http://www.securiteam.com/unixfocus/5PP0B1FCLY.html 10159 http://www.wirlab.net/kphone/changes-4.0.2.html kphone-stun-dos(15874) Fastream NETFile FTP/Web Server 6.5.1.980 allows remote attackers to cause a denial of service via a username that does not exist. 20040419 DoS in NETFile FTP/Web Server 1009868 http://www.autistici.org/fdonato/advisory/FastreamNETFileFWServer6.5.1.980-adv.txt 10169 fastream-user-pass-dos(15899) The Solaris 9 patches 113579-02 through 113579-05, and 114342-02 through 114342-05, prevent ypserv and ypxfrd from properly restricting access to secure NIS maps, which allows local users to use ypcat or ypmatch to extract the contents of a secure map such as passwd.adjunct.byname. 20040419 Solaris 9 patch 113579-03 introduces a NIS security bug 57554 O-144 10261 solaris-nis-unauth-privileges(15908) PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter. 20040419 phpBB modified by Przemo arbitary code execution 10177 phpbb-albumportal-file-include(15916) Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a denial of service (crash) via a deeply nested multipart MIME message. 20040414 Eudora 6.0.3 nested MIME DoS 20040419 Eudora 6.1 is evil 10137 eudora-mime-message-dos(15857) Buffer overflow in Kinesphere eXchange POP3 allows remote attackers to execute arbitrary code via a long MAIL FROM field. 20040419 Exchange pop3 remote exploit 20040527 Re: Exchange pop3 remote exploit 1009882 10180 exchange-pop3-smtp-bo(15922) Format string vulnerability in the PRINT_ERROR function in common.c for Cherokee Web Server 0.4.16 and earlier allows local users to execute arbitrary code via format string specifiers in the -C command line argument. NOTE: it is not clear whether this issue could be exploited remotely, or if Cherokee is running at escalated privileges. Therefore it might not be a vulnerability. 20040420 Format String in Cherokee http://www.nosystem.com.ar/advisories/advisory-03.txt cherokee-printerror-format-string(15924) The AVXSCANONLINE.AvxScanOnlineCtrl.1 ActiveX control in BitDefender Scan Online allows remote attackers to (1) obtain sensitive information such as system drives and contents or (2) use the RequestFile method to download and execute arbitrary code via an object codebase that uses bitdefender.cab. 20040419 BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure 20040420 Re: BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure 1009862 10174 10175 bitdefender-avxscanonline-code-execution(15911) NcFTP client 3.1.6 and 3.1.7, when the username and password are included in an FTP URL that is provided on the command line, allows local users to obtain sensitive information via "ps aux," which displays the URL in the process list. 20040419 NcFTP - password leaking 10182 ncftp-info-disclosure(15919) SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module. 20040414 [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection 20040420 [PNSA 2004-2] PostNuke Security Advisory PNSA 2004-2 http://news.postnuke.com/Article2580.html 1009801 10146 postnuke-indexphp-sql-injection(15869) postnuke-changeinfo-sql-injection(15875) phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to spoof IP addresses. 20040419 phpBB 2.0.8a and lower - IP spoofing vulnerability 20040419 Re: phpBB 2.0.8a and lower - IP spoofing vulnerability 10170 phbb-common-ip-spoofing(15909) xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link. GLSA-200404-20 10193 SSA:2004-111 http://www.xinehq.de/index.php/security/XSA-2004-1 http://www.xinehq.de/index.php/security/XSA-2004-2 xine-mrl-file-overwrite(15939) SQL injection vulnerability in Advanced Guestbook 2.2 allows remote attackers to execute arbitrary SQL commands and gain privileges via the password. 20050212 Re: Advanced Guestbook 2.2 -- SQL Injection Exploit 20040421 Advanced Guestbook 2.2 -- SQL Injection Exploit 10209 advancedguestbook-sql-injection(15892) phProfession 2.5 allows remote attackers to gain sensitive information via a direct HTTP request to upload.php, which reveals the path in a PHP error message. 20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke] 10190 http://www.waraxe.us/index.php?modname=sa&id=21 phprofession-upload-path-disclosure(15930) Cross-site scripting (XSS) vulnerability in modules.php in phProfession 2.5 allows remote attackers to inject arbitrary web script or HTML via the jcode parameter. 20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke] 10190 http://www.waraxe.us/index.php?modname=sa&id=21 phprofession-jcode-xss(15931) SQL injection vulnerability in modules.php in phProfession 2.5 allows remote attackers to execute arbitrary SQL code via the offset parameter. 20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke] 10190 http://www.waraxe.us/index.php?modname=sa&id=21 phprofession-offset-sql-injection(15932) PostNuke 0.7.2.6 allows remote attackers to gain information via a direct HTTP request to files in the (1) includes/blocks directory, (2) pnadodb directory, (3) NS-NewUser module, (4) NS-Your_Account, (5) NS-LostPassword module, or (6) NS-User module which reveals the path to the web server in a PHP error message. 20040421 [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2] 10191 http://www.waraxe.us/index.php?modname=sa&id=22 postnuke-scripts-modules-path-disclosure(15933) Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.726 allows remote attackers to inject arbitrary web script or HTML via the (1) lid and query parameters to the Downloads module, (2) query parameter to the Web_links module, or (3) hlpfile parameter to openwindow.php. 20040421 [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2] 10191 http://www.waraxe.us/index.php?modname=sa&id=22 postnuke-openwindow-xss(15934) Directory traversal vulnerability in manifest.ini in Unreal engine allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in a UMOD (Unreal MOD) file. http://aluigi.altervista.org/adv/umod-adv.txt 20040422 Arbitrary file overwriting in Unreal engine through UMOD 10196 unreal-umod-dotdot-file-overwrite(15942) blocker_query.php in Protector System 1.15b1 for PHP-Nuke allows remote attackers to gain sensitive information via a string in the portNum parameter, which reveals the full path in an error message. 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] 10206 http://www.waraxe.us/index.php?modname=sa&id=25 protector-blockerquery-path-disclosure(15963) Cross-site scripting (XSS) vulnerability in blocker_query.php in Protector System 1.15b1 allows remote attackers to inject arbitrary web script or HTML via the (1) target or (2) portNum parameters. 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector System 1.15b1 for PhpNuke] 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] http://www.waraxe.us/index.php?modname=sa&id=25 protector-blockerquery-xss(15965) blocker.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection protection and execute limited SQL commands via URL-encoded "'" characters ("%27"). 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector System 1.15b1 for PhpNuke] 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] http://www.waraxe.us/index.php?modname=sa&id=25 SQL injection vulnerability in index.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection filters by using "/**/" sequences in the targeted fields. 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector System 1.15b1 for PhpNuke] 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] http://www.waraxe.us/index.php?modname=sa&id=25 protector-sql-filter-bypass(15969) nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to obtain sensitive information via a string in the portNum parameter, which reveals the full path in an error message. 20040423 [waraxe-2004-SA#024 - XSS and full path disclosure in Network Query Tool 1.6] http://www.waraxe.us/index.php?modname=sa&id=24 nqt-nqtphp-path-disclosure(15957) Cross-site scripting (XSS) vulnerability in nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to inject arbitrary web script or HTML via the portNum parameter. 20040423 [waraxe-2004-SA#024 - XSS and full path disclosure in Network Query Tool 1.6] 10205 http://www.waraxe.us/index.php?modname=sa&id=24 nqt-nqtphp-xss(15929) Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php (3) TID parameter to post.php, or (4) redirect parameter to index.php. 20040425 Multiple Vulnerabilities In OpenBB 1009935 10214 openbb-multiple-scripts-xss(15966) Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) FID parameter in board.php, (2) sortorder, perpage, or id parameters in member.php, (3) forums parameter in search.php, or (4) PID or FID parameters in post.php. 20040425 Multiple Vulnerabilities In OpenBB 1009935 10214 openbb-multiplescripts-sql-injection(15964) Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link. 20040425 Multiple Vulnerabilities In OpenBB 1009935 openbb-tags-execute-code(15967) The readmsg action in myhome.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to read arbitrary messages by modifying the id parameter. 20040425 Multiple Vulnerabilities In OpenBB 1009935 10217 openbb-myhomephp-obtain-information(15970) The avatar upload capability in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to execute arbitrary script by uploading files that include scripting code such as Javascript. 20040425 Multiple Vulnerabilities In OpenBB 1009935 10218 openbb-file-upload(15971) Samsung SmartEther SS6215S switch, and possibly other Samsung switches, allows remote attackers and local users to gain administrative access by providing the admin username followed by a password that is the maximum allowed length, then pressing the enter key after the resulting error message. 20040426 Samsung SmartEther SS6215S Switch 10219 samsung-smartether-admin-access(15973) modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to gain sensitive information via an HTTP request with an invalid (1) catid or (2) clipid parameter, which reveals the full path in an error message. 20040426 Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nuke video-gallery-error-path-disclosure(15978) SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to execute arbitrary SQL code via the (1) clipid or (2) catid parameters in a viewclip, viewcat, or voteclip action. 20040426 Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nuke 10215 video-gallery-sql-injection(15979) DiGi Web Server allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request that contains a large number of / (slash) characters, which consumes resources when DiGi converts the slashes to \ (backslash) characters. 20040427 resources consumption in DiGi WWW Server 1009957 http://sourceforge.net/project/shownotes.php?release_id=234261 http://www.autistici.org/fdonato/advisory/DiGiWwwServerC1-adv.txt 10228 digi-www-slash-dos(15987) paFileDB 3.1 allows remote attackers to gain sensitive information via a direct request to (1) login.php, (2) category.php, (3) search.php, (4) main.php, (5) viewall.php, (6) download.php, (7) email.php, (8) file.php, (9) rate.php, or (10) stats.php, which reveals the path in an error message. 20040427 Multiple vulnerabilities paFileDB pafiledb-loginphp-path-disclosure(15990) Cross-site scripting (XSS) vulnerability in the category module in pafiledb.php for paFileDB 3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a vulnerability that is closely related to CVE-2004-1551. 20040427 Multiple vulnerabilities paFileDB 20040925 New XSS vulnerabilities in paFileDB 3.1 final 10229 pafiledb-pafiledbphp-xss(15992) SMC Barricade broadband router 7008ABR and 7004VBR enable remote administration by default, which allows remote attackers to gain access by connecting to port 1900. 20040605 SMC 7008ABRv2 and 7004VBRv1 updated firmware corrects port 1900 issue. 20040427 SMC Routers have remote administration enabled by default 20040428 SMC Routers have remote administration enabled by default 10232 barricade-router-gain-access(15993) 3com NBX IP VOIP NetSet Configuration Manager allows remote attackers to cause a denial of service (crash) via a Nessus scan in safeChecks mode. 20040429 3com NBX VOIP NetSet Denial of Service Attack 10240 3com-nbx-scan-dos(16015) Cross-site scripting (XSS) vulnerability in help.php in Moodle before 1.3 allows remote attackers to inject arbitrary HTML and web script via the text parameter. 20040430 Cross Site Scripting in Moodle < 1.3 1010008 10251 moodle-help-xss(16023) Cross-site scripting (XSS) vulnerability in do_search.php in PROPS 0.6.1 allows remote attackers to inject arbitrary HTML or web script via the search_string parameter. 20040501 Props 0.6.1 XSS and Remote File Viewing Vulnerability http://sourceforge.net/project/shownotes.php?group_id=29581&release_id=234433 10258 props-dosearch-xss(16035) Directory traversal vulnerability in glossary.php in PROPS 0.6.1 allows remote attackers to view arbitrary files via a .. (dot dot) in (1) module or (2) format variables. 20040501 Props 0.6.1 XSS and Remote File Viewing Vulnerability http://sourceforge.net/project/shownotes.php?group_id=29581&release_id=234433 props-glossary-obtain-information(16036) The web interface for Crystal Reports allows remote attackers to cause a denial of service (disk exhaustion) by repeatedly requesting reports without retrieving the associated image files, which are not cleared from the image file folder. 20040502 Crystal Reports Vulnerabilities 20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reports crystalreports-dos(16046) Post.pl in YaBB 1 Gold SP 1.2 allows remote attackers to modify records in the board's .txt file via carriage return characters in the subject field. 20040502 Vulnerability in YaBB forum (Perl version without SQL) 10263 http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 yabb-subject-modify-file(16050) The arch_get_unmapped_area function in mmap.c in the PaX patches for Linux kernel 2.6, when Address Space Layout Randomization (ASLR) is enabled, allows local users to cause a denial of service (infinite loop) via unknown attack vectors. 20040502 PaX Linux Kernel 2.6 Patches DoS Advisory 20040509 PaX DoS proof-of-concept http://pax.grsecurity.net/ GLSA-200407-02 10264 pax-aslr-enabled-dos(16037) Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) phpinfo.php, (2) addpic.php, (3) config.php, (4) db_input.php, (5) displayecard.php, (6) ecard.php, (7) crop.inc.php, which reveal the full path in a PHP error message. 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 1010001 http://www.waraxe.us/index.php?modname=sa&id=26 coppermine-multiple-path-disclosure(16039) Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to inject arbitrary HTML or web script via the CPG_URL parameter. 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 10253 http://www.waraxe.us/index.php?modname=sa&id=26 coppermine-menuincpho-xss(16040) Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter. 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 1010001 10253 http://www.waraxe.us/index.php?modname=sa&id=26 coppermine-modulesphp-directory-traversal(16042) picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters. 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 1010001 10253 http://www.waraxe.us/index.php?modname=sa&id=26 coppermine-parameters-execute-commands(16043) PHP remote file inclusion vulnerability in init.inc.php in Coppermine Photo Gallery 1.2.0 RC4 allows remote attackers to execute arbitrary PHP code by modifying the CPG_M_DIR to reference a URL on a remote web server that contains functions.inc.php. 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 1010001 10253 http://www.waraxe.us/index.php?modname=sa&id=26 coppermine-multiple-file-include(16041) PHP remote file inclusion vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc. 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 1010001 10253 http://www.waraxe.us/index.php?modname=sa&id=26 coppermine-multiple-file-include(16041) Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive information via an arbitrary character, which reveals the full path and the user running the aweb process, possibly due to a malformed request. 20040503 Multible_Vulnerabilites_in_Aldos_Webserver http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt 10262 aweb-path-disclosure(16047) Directory traversal vulnerability in Aldo's Web Server (aweb) 1.5 allows remote attackers to view arbitrary files via a .. (dot dot) in an HTTP GET request. 20040503 Multible_Vulnerabilites_in_Aldos_Webserver http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt 10262 aweb-dotdot-directory-traversal(16048) Buffer overflow in Serv-U FTP server before 5.0.0.6 allows remote attackers to cause a denial of service (crash) via a long -l parameter, which triggers an out-of-bounds read. 20040503 Serv-U LIST -l Parameter Buffer Overflow 20040503 Serv-U LIST -l Parameter Buffer Overflow 1009869 http://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html 10181 servu-list-command-bo(15913) The patch to the checklogin function in omail.pl for omail webmail 0.98.5 is incomplete, which allows remote attackers to execute arbitrary commands via shell metacharacters such as "`" (backticks) in the password. 20040504 remote root exec vulnerability in omail 10274 omailwebmail-checklogin-code-execution(12948) FuseTalk 4.0 allows remote attackers to ban other users via a direct request to banning.cfm. 20040505 Fuse Talk Vunerabilities 10278 fusetalk-banning-unauth-access(16081) Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm. 20040505 Fuse Talk Vunerabilities 1010080 10276 fusetalk-get-add-users(16080) Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.0 allows remote attackers to inject arbitrary web script via the size tag. 20040505 SMF SIZE Tag Script Injection Vulnerability 10281 smf-size-html-injection(16067) Kolab stores OpenLDAP passwords in plaintext in the slapd.conf file, which may be installed world-readable, which allows local users to gain privileges. OpenPKG-SA-2004.019 http://www.erfrakon.de/projects/kolab/download/kolab-server-1.0/src/Changelog [kolab-users] 20040420 Possible Kolab LDAP configuration information disclosure MDKSA-2004:052 10277 kolab-root-password-plaintext(16068) The Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to gain sensitive information via an invalid show parameter to modules.php, which reveals the full path in a PHP error message. 20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2] http://www.waraxe.us/index.php?modname=sa&id=27 Cross-site scripting (XSS) vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to inject arbitrary HTML and web script via the (1) ttitle or (2) sid parameters to modules.php. 20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2] http://www.waraxe.us/index.php?modname=sa&id=27 phpnuke-ttitle-sid-xss(16073) SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modules.php. 20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2] 20080221 PHP-Nuke Module Downloads SQL Injection(sid) 10282 27932 http://www.waraxe.us/index.php?modname=sa&id=27 phpnuke-orderby-sid-sql-injection(16074) ifconfig "-arp" in SGI IRIX 6.5 through 6.5.22m does not properly disable ARP requests from being sent or received. 20040502-01-P 10289 Unknown vulnerability in SGI IRIX 6.5 through 6.5.22m allows remote attackers to cause a denial of service via a certain UDP packet. 20040502-01-P 10287 irix-udp-dos(16158) Buffer overflow in the ssl_prcert function in the SSLway filter (sslway.c) for DeleGate 8.9.2 and earlier allows remote attackers to execute arbitrary code via a certificate with a long (1) subject or (2) issuer name field. 20040506 [0xbadc0ded #03] DeleGate (SSL-filter) <= 8.9.2 10295 delegate-sslway-bo(16078) The Live CD in SUSE LINUX 9.1 Personal edition is configured without a password for root, which allows remote attackers to gain privileges via SSH. 10297 livecd-ssh-gain-access(16084) Buffer overflow in Eudora for Windows 5.2.1, 6.0.3, and 6.1 allows remote attackers to execute arbitrary code via an e-mail with (1) a link to a long URL to the C drive or (2) a long attachment name. 20040507 Eudora file URL buffer overflow http://www.eudora.com/download/eudora/windows/6.1.1/RelNotes.txt 10298 eudora-long-url-bo(16086) Trend Micro OfficeScan 3.0 - 6.0 has default permissions of "Everyone Full Control" on the installation directory and registry keys, which allows local users to disable virus protection. 20040507 Security issue with Trend OfficeScan Corporate Edition 10300 officescan-configuration-modify(16092) Cross-site scripting (XSS) vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to inject arbitrary HTML or web script via the (1) cat parameter in a CatView function or (2) jokeid parameter in a JokeView function. 20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke] 10306 nukejokes-modules-xss(16096) SQL injection vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to execute arbitrary SQL via the jokeid parameter. 20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke] 10306 http://www.waraxe.us/index.php?modname=sa&id=28 nukejokes-sql-injection(16099) NukeJokes 1.7 and 2 Beta allows remote attackers to obtain the full path of the server via (1) a direct call to mainfunctions.php, (2) an invalid jokeid parameter in a JokeView function or (3) an invalid cat parameter in a CatView function, which reveals the path in a PHP error message. 20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke] nukejokes-multiple-path-disclosure(16094) PHP remote file inclusion vulnerability in index.php in phpShop 0.7.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the base_dir parameter to reference a URL on a remote web server that contains phpshop.cfg. 20040509 Arbitrary code inclusion in phpShop http://www.fribble.net/advisories/phpshop_29-04-04.txt 10313 phpshop-basedir-file-include(16107) msxml3.dll in Internet Explorer 6.0.2600.0 allows remote attackers to cause a denial of service (crash) via a single & (ampersand) in a <Ref href> link, which triggers a parsing error, possibly due to missing portions of the URI. 20040510 msxml3.dll Parsing Error Crashes Internet Explorer Remotely Upon Refresh msxml3-ampersand-dos(16112) The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges. 20040510 Advisory 04/2004: Net(Free)BSD Systrace local root vulnerabilitiy 10320 systrace-gain-privileges(16110) Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory. 20040511 Linux Kernel sctp_setsockopt() Integer Overflow 2004-0029 10326 linux-sctpsetsockopt-integer-bo(16117) Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded. 20040516 Wget race condition vulnerability [wget] 20040517 Wget race condition vulnerability (fwd) [wget] 20040517 Re: Wget race condition vulnerability (fwd) MDKSA-2005:204 RHSA-2005:771 10361 wget-lock-race-condition(16167) oval:org.mitre.oval:def:9830 USN-145-1 Cross-site scripting (XSS) vulnerability in WebCT Campus Edition allows remote attackers to inject arbitrary HTML or web script via (1) iframe, (2) img, or (3) object tags. 20040516 WebCT: Cross Site Scripting Vulnerability 20040517 WebCT: Cross Site Scripting Vulnerability 10357 webct-iframe-img-tags-xss(16156) Stack-based buffer overflow in the HTTP server in NetChat 7.3 and earlier allows remote attackers to execute arbitrary code via a long GET request. 20040517 NetChat HTTP Server Stack Overflow 10353 netchat-sprintf-bo(16165) Multiple cross-site scripting (XSS) vulnerabilities in Turbo Traffic Trader C (TTT-C) 1.0 allow remote attackers to inject arbitrary HTML or web script, as demonstrated via (1) the link parameter to ttt-out, (2) the X-Forwarded-For header in a GET request to ttt-in, (3) the Referer header in a GET request to ttt-in, or the (4) site name or (5) site URL fields in the main control panel. 20040517 Multiple TTT-C XSS vulnerabilities 10359 turbotraffictraderc-multiple-xss(16164) PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code. 20040517 [waraxe-2004-SA#029 - Possible remote file inclusion in PhpNuke 6.x - 7.3] 20040517 [waraxe-2004-SA#029 - Possible remote file inclusion in PhpNuke 6.x - 7.3] 10365 http://www.waraxe.us/index.php?modname=sa&id=29 phpnuke-modpath-file-include(16218) The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error message. 20040517 [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3] 10367 http://www.waraxe.us/index.php?modname=sa&id=29 phpnuke-show-weblink-path-disclosure(16170) Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 6.x through 7.3 allow remote attackers to inject arbitrary HTML or web script into the (1) optionbox parameter in the News module, (2) date parameter in the Statistics module, (3) year, month, and month_1 parameters in the Stories_Archive module, (4) mode, order, and thold parameters in the Surveys module, or (5) a SQL statement to index.php, as processed by mainfile.php. 20040517 [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3] 10367 http://www.waraxe.us/index.php?modname=sa&id=29 phpnuke-multi-xss(16172) Directory traversal vulnerability in file_manager.php in osCommerce 2.2 allows remote attackers to view arbitrary files via a .. (dot dot) in the filename argument. 20050322 osCommerce File Manager Directory Traversal Vulnerability 20040517 oscommerce 2.2 file_manager.php file browsing 1010176 http://www.excluded.org/advisories/advisory13.txt 10364 oscommerce-dotdot-directory-traversal(16174) ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, when running on Windows systems, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl. 20040518 Re[2]: [Full-Disclosure] Buffer Overflow in ActivePerl ? 20040518 RE: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ? 20040517 Buffer Overflow in ActivePerl ? 20040517 RE: Buffer Overflow in ActivePerl ? 20040518 Re: Buffer Overflow in ActivePerl ? http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt http://www.perlmonks.org/index.pl?node_id=354145 10375 perl-system-bo(16169) SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attackers to execute arbitrary SQL via the (1) admin_name or (2) admin_pass parameters. 20040518 Zen Cart login.php SQL Injection Vulnerability 1010172 http://www.packetstormsecurity.org/0405-advisories/zencart112d.txt 20060517 Re: Zen Cart login.php SQL Injection Vulnerability 10378 http://www.zen-cart.com/modules/ipb/index.php?showtopic=4835 http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD zencart-login-sql-injection(16176) The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php. http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873 http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter. http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731 http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD Format string vulnerability in the logmsg function in svc.c for Pound 1.5 and earlier allows remote attackers to execute arbitrary code via format string specifiers in syslog messages. 20040507 Pound <=1.5 Remote Exploit (Format string bug) GLSA-200405-08 1010034 http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000#1070234315000 10267 pound-logmsg-format-string(16033) Buffer overflow in Icecast 2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a long Basic Authorization header that triggers an out-of-bounds read. 20040509 Icecast 2.0.0 preauth overflow GLSA-200405-10 10311 icecast-auth-request-bo(16103) Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to log.php. 20040521 e107 web portal Referers HTTP Injection 10395 e107-log-xss(16231) The Util_DecodeHTTPAuth function in BNBT BitTorrent Tracker Beta 7.5 Release 2 and earlier allows remote attackers to cause a denial of service (crash) via a Basic Authorization HTTP request with a "A==" value. http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt 20040522 BNBT BitTorrent Tracker Denial Of Service 1010254 10399 bittorrent-http-get-dos(16228) Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for Liferay before 2.2.0 release 10/1/2004 allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the message subject. 20040522 Liferay Cross Site Scripting Flaw 20041125 Re: Liferay Cross Site Scripting Flaw 1010259 http://sourceforge.net/project/shownotes.php?release_id=252060 10402 liferay-message-xss(16232) Cross-site scripting (XSS) vulnerability in user.php in e107 allows remote attackers to inject arbitrary web script or HTML via the (1) URL, (2) MSN, or (3) AIM fields. 20040522 e107 web portal user.php XSS (Cross Site Scripting) 10405 e107-user-xss(16241) Netgear RP114 allows remote attackers to bypass the keyword based URL filtering by requesting a long URL, as demonstrated using a large number of %20 (hex-encoded space) sequences. 20040524 Netgear RP114 URL filter fails if URL is too long 10404 netgearrp114-long-url-filter-bypass(16238) Orenosv 0.5.9f allows remote attackers to cause a denial of service (crash) via a long HTTP GET request. http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html 20040526 Orenosv HTTP/FTP Server Denial Of Service 10420 orenosv-http-get-dos(16250) Buffer overflow in the (1) WTHoster and (2) WebDriver modules in WildTangent Web Driver 4.0 allows remote attackers to execute arbitrary code via a long filename. 20040527 WildTangent Web Driver Long FileName Stack Overflow http://www.ngssoftware.com/advisories/wildtangent.txt 10421 wildtangent-wthoster-webdriver-bo(16266) MiniShare 1.3.2 allows remote attackers to cause a denial of service (crash) via a malformed HTTP GET or HEAD request without the proper number of trailing CRLF sequences. 20040527 DoS in MiniShare 1.3.2 http://sourceforge.net/project/shownotes.php?release_id=241158 http://www.autistici.org/fdonato/advisory/MiniShare1.3.2-adv.txt 10417 minishare-get-head-dos(16260) SQL injection vulnerability in the art_print function in print.inc.php in unknown versions of jPortal before 2.3.1 allows remote attackers to inject arbitrary SQL commands via the id parameter. 20040528 JPortal SQL Injects 1010327 http://www.securiteam.com/unixfocus/5HP020KD5K.html 10430 jportal-printincphp-sql-injection(16272) Buffer overflow in Mollensoft Lightweight FTP Server 3.6 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long CWD command, as demonstrated in one example by using the "cd" command in an interactive FTP client. 20040528 Mollensoft ftp Server ver 3.6 Buffer overflow 20040601 Mollensoft Lightweight FTP Server CWD Buffer Overflow 1010328 10409 10429 mollensoft-cwd-command-bo(16237) mollensoft-cd-bo(16303) Cross-site scripting (XSS) vulnerability in Land Down Under (LDU) before LDU 700 allows remote attackers to inject arbitrary web script or HTML via a BBcode img tag in (1) functions.php, (2) header.php or (3) auth.inc.php. 20040529 LDU (land down under) xss vulnerability 1010335 10435 ldu-bbcode-xss(16284) e107 0.615 allows remote attackers to obtain sensitive information via a direct request to (1) alt_news.php, (2) backend_menu.php, (3) clock_menu.php, (4) counter_menu.php, (5) login_menu.php, and other files, which reveal the full path in a PHP error message. 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 10436 http://www.waraxe.us/index.php?modname=sa&id=31 e107-multiplescripts-path-disclosure(16277) Multiple cross-site scripting (XSS) vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary web script or HTML via the (1) LAN_407 parameter to clock_menu.php, (2) "email article to a friend" field, (3) "submit news" field, or (4) avmsg parameter to usersettings.php. 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 10436 http://www.waraxe.us/index.php?modname=sa&id=31 e107-clock-menu-xss(16279) e107-email-friend-xss(16280) e107-user-setting-xss(16281) PHP remote file inclusion vulnerability in secure_img_render.php in e107 0.615 allows remote attackers to execute arbitrary PHP code by modifying the p parameter to reference a URL on a remote web server that contains the code. 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 10436 http://www.waraxe.us/index.php?modname=sa&id=31 e107-secure-img-render-file-include(16282) Multiple SQL injection vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary SQL code and gain sensitive information via (1) content parameter to content.php, (2) content_id parameter to content.php, or (3) list parameter to news.php. 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 10436 http://www.waraxe.us/index.php?modname=sa&id=31 e107-content-news-sql-injection(16283) Buffer overflow in ibserver for Firebird Database 1.0 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows remote attackers to cause a denial of service (crash) via a long database name, as demonstrated using the gsec command. 20040602 Firebird [ AND Interbase 7 ] Database Remote Database Name Overflow 20040601 Firebird Database Remote Database Name Overflow 1010381 DSA-1014 http://www.securiteam.com/unixfocus/5AP0P0UCUO.html 10446 firebird-database-name-bo(16229) interbase-database-name-bo(16316) PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string. 20040601 [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops betaNC Bundle 20040601 [Squid 2004-OSC2Nuke-001] Inadequate Security Checking in OSC2Nuke 20040601 [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops 20040601 [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke 20040606 Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke 10447 phpnuke-eregi-path-disclosure(16294) osc2nuke-eregi-path-disclosure(16296) oscnukelite-eregi-path-disclosure(16297) nukecops-ergei-path-disclosure(16298) The HTTP administration interface on Conceptronic CADSLR1 ADSL router running firmware 3.04n allows remote attackers to cause a denial of service (device reboot) via an HTTP request with a long username. 20040721 Denial of Service in Conceptronic CADSLR1 Router 10769 http://www.shellsec.net/leer_advisory.php?id=5 conceptronic-long-username-dos(16746) Unknown vulnerability in APC PowerChute Business Edition 6.0 through 7.0.1 allows remote attackers to cause a denial of service via unknown attack vectors. 20040721 APC Security Advisory Denial of Service Vulnerability with PowerChute Business Edition 1010745 10777 powerchute-console-dos(16767) Directory traversal vulnerability in EasyWeb FileManager 1.0 RC-1 for PostNuke allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the pathext parameter. 20040724 EasyWeb FileManager Directory Traversal http://www.cirt.net/advisories/ew_file_manager.shtml 10792 filemanager-pathext-view-directory-traversal(16806) radmin in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier starts a process port 25072 that can be accessed with a default "jstwo" password, which allows remote attackers to gain access. 20040724 eSeSIX Thintune thin client multiple vulnerabilities 1010770 10794 thintune-password-gain-access(16790) eSeSIX Thintune thin clients running firmware 2.4.38 and earlier store sensitive usernames and passwords in cleartext in configuration files for the keeper library, which allows attackers to gain access. 20040724 eSeSIX Thintune thin client multiple vulnerabilities 1010770 10794 thintune-plaintext-passwords(16795) eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allow local users to gain privileges by pressing CTRL-SHIFT-ALT-DEL and entering the "maertsJ" password, which is hard-coded into lshell. 20040724 eSeSIX Thintune thin client multiple vulnerabilities 1010770 10794 thintune-password-gain-privileges(16808) The Phoenix browser in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allows local users to read arbitrary files via a file:/// URL. 20040724 eSeSIX Thintune thin client multiple vulnerabilities 1010770 10794 thintune-url-obtain-information(16798) eSeSIX Thintune thin clients running firmware 2.4.38 and earlier accept any password that begins with the actual password, which makes it easier for users to conduct brute force password guessing. 20040724 eSeSIX Thintune thin client multiple vulnerabilities PHP remote file inclusion vulnerability in index.php in EasyIns Stadtportal 4 allows remote attackers to execute arbitrary PHP code via the site parameter. 20040724 Easyins Stadtportal 1010769 10795 easyins-php-file-include(16797) CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to privmsg.php or (2) the redirect parameter to login.php. 20040720 PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities 10753 phpbb-search-response-splitting(16759) Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 and 2.0.9 allows remote attackers to inject arbitrary HTMl or web script via the search_author parameter. 20040720 PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities 10753 phpbb-search-searchauthor-xss(16758) SQL injection vulnerability in action.php in Nucleus CMS 3.01 allows remote attackers to execute arbitrary SQL statements via the itemid parameter. 20040725 NucleusCMS 3.01 SQL Injection Vulnerability nucleus-sql-injection(18002) SQL injection vulnerability in ASPRunner 2.4 allows remote attackers to execute arbitrary SQL statements. 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 1010777 10799 asprunner-sql-injection(16799) ASPRunner 2.4 allows remote attackers to gain sensitive information via (1) hidden form fields or (2) error messages. 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 1010777 10799 asprunner-information-disclosure(16800) Multiple cross-site scripting vulnerabilities in ASPRunner 2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) SearchFor parameter in [TABLE-NAME]_search.asp, (2) SQL parameter in [TABLE-NAME]_edit.asp, (3) SearchFor parameter in [TABLE]_list.asp, or (4) SQL parameter in export.asp. 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 1010777 10799 asprunner-xss(16801) ASPRunner 2.4 stores the database under the web root in the db directory, which may allow remote attackers to obtain the database via a direct request to the database filename, which is predictable based on table and field names. 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 1010777 10799 asprunner-database-file-access(16802) RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL. 20040727 IRM 009: RiSearch and RiSearch ProPro are vulnerable to open FTP/HTTP proxy, directory listings and file disclosure vulnerabilities 1010788 10812 risearch-show-open-proxy(16817) SQL injection vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to execute arbitrary SQL via the (1) thread_id, (2) parent_id, or (3) mode parameters. 20040728 AntiBoard <= 0.7.2 XSS/SQL Injection 10821 antiboard-get-sql-injection(16828) Cross-site scripting (XSS) vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to inject arbitrary HTML or web script via the feedback parameter. 20040728 AntiBoard <= 0.7.2 XSS/SQL Injection 10821 antiboard-feedback-xss(16830) Cross-site scripting (XSS) vulnerability in lostBook 1.1 and earlier allows remote attackers to inject arbitrary web script via the (1) Email or (2) Website fields. 20040729 lostBook v1.1 Javascript Execution 1010812 10825 lostbook-email-website-xss(16835) DansGuardian 2.8 and earlier allows remote attackers to bypass the extension filtering rule via a hex encoded extension or . in the filename. http://dansguardian.org/?page=history 20040729 DansGuardian Hex Encoding URL Banned Extension Filter Bypass 1010817 10823 dansguardian-filename-bypass-filtering(16836) SQL injection vulnerability in session.php in LinPHA 0.9.4 allows remote attackers to execute arbitrary SQL code and bypass authentication via the (1) linpha_userid or (2) linpha_password cookies. 20040729 Linpha 0.9.4: authentication bypass 10827 linpha-cookie-gain-access(16834) SQL injection vulnerability in controlpanel.php in Jaws Framework and Content Management System 0.4 allows remote attackers to execute arbitrary SQL and bypass authentication via the (1) user, (2) password, or (3) crypted_password parameters. 20040729 Jaws 0.4: authentication bypass 1010815 10826 jaws-controlpanel-sql-injection(16847) fetchnews in leafnode 1.9.47 and earlier allows remote attackers to cause a denial of service (process hang) via an empty NNTP news article with missing mandatory headers. http://leafnode.sourceforge.net/leafnode-SA-2004-01.txt 20040109 leafnode -1.9.47 security announcement SA-2004-01 leafnode-fetchnews-nntp-dos(14189) sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption). [openssh-unix-dev] 20040127 OpenSSH - Connection problem when LoginGraceTime exceeds time [openssh-unix-dev] 20040128 Re: OpenSSH - Connection problem when LoginGraceTime exceeds time RHSA-2005:550 http://support.avaya.com/elmodocs2/security/ASA-2005-216.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-223.pdf FLSA-2006:168935 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2 14963 http://www.vmware.com/download/esx/esx-202-200610-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html ADV-2006-4502 openssh-sshdc-logingracetime-dos(20930) oval:org.mitre.oval:def:11541 The Altiris Client Service for Windows 5.6 SP1 Hotfix E (5.6.181) allows local users to execute arbitrary commands by opening the AClient tray icon and using the View Log File option, a different vulnerability than CVE-2005-1590. 20041119 Privilege escalation flaw in AClient Service for Windows (Version 5.6.181). Macallan Mail Solution 2.8.4.6 (Build 260), and possibly earlier versions, allows remote attackers to bypass authentication in the web interface via an HTTP GET request with two slashes ("//") after the server name. 1009030 9646 macallan-gain-unauthorized-access(15194) Cross-site scripting (XSS) vulnerability in index.php for Mambo Open Source 4.6, and possibly earlier versions, allows remote attackers to execute script on other clients via the Itemid parameter. 9588 http://www.systemsecure.org/advisories/ssadvisory06022004.php mambo-itemid-xss(15062) Linux-VServer 1.24 allows local users with root privileges on a virtual server to gain access to the filesystem outside the virtual server via a modified chroot-again exploit using the chmod command. http://www.linux-vserver.org/index.php?page=ChangeLog 20040206 Linux 2.4.24 with vserver 1.24 exploit 9596 linux-vserver-gain-privileges(15073) Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands. 1009295 9800 dreamftp-command-format-string(15380) Sophos Anti-Virus 3.78 allows remote attackers to cause a denial of service (infinite loop) via a MIME header that is not properly terminated. 1009042 9648 http://www.sophos.com/support/news/#mime-378 sophos-mime-header-dos(15191) Cross-site scripting (XSS) vulnerability in search.php for Jelsoft vBulletin 3.0.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the query parameter. 20040213 vBulletin PHP Forum Version 9656 vbulletin-search-xss(15208) Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 allows remote attackers to cause a denial of service (server crash) via malformed data to TCP port 2350, possibly due to long values or incorrect size fields. http://www.securiteinfo.com/attaques/hacking/trackmaniados.shtml 20040208 TrackMania Demo Denial of Service 20040209 Re: TrackMania Demo Denial of Service 9604 trackmania-dos(15081) Red-M Red-Alert 2.7.5 with software 3.1 build 24 allows remote attackers to cause a denial of service (reboot and loss of logged events) via a long request to TCP port 80, possibly triggering a buffer overflow. http://genhex.org/releases/031003.txt 20040209 Red-M Red-Alert Multiple Vulnerabilities 1009001 http://www.securiteam.com/securitynews/5SP0C0KC0A.html 20040209 Red-M Red-Alert Multiple Vulnerabilities 9618 redalert-long-request-dos(15086) Red-M Red-Alert 2.7.5 with software 3.1 build 24 binds authentication to IP addresses, which allows remote attackers to bypass authentication by connecting from the same IP address as an active authenticated user. http://genhex.org/releases/031003.txt 20040209 Red-M Red-Alert Multiple Vulnerabilities 1009001 http://www.securiteam.com/securitynews/5SP0C0KC0A.html 20040209 Red-M Red-Alert Multiple Vulnerabilities 9618 redalert-gain-access(15088) Red-M Red-Alert 2.7.5 with software 3.1 build 24 converts multiple spaces in a Service Set Identifier (SSID) to a single space, which prevents Red-Alert from correctly identifying the SSID. http://genhex.org/releases/031003.txt 20040209 Red-M Red-Alert Multiple Vulnerabilities 1009001 http://www.securiteam.com/securitynews/5SP0C0KC0A.html 20040209 Red-M Red-Alert Multiple Vulnerabilities 9618 redalert-bypass-security(15089) The samiftp.dll library in Sami FTP Server 1.1.3 allows local users to cause a denial of service (pmsystem.exe crash) by issuing (1) a CD command with a tilde (~) character or dot dot (/../) or (2) a GET command for an unavailable file. http://www.karja.com/samiftp/news.html 20040213 Sami FTP Server 1.1.3 multiple vulnerabilities 9657 sami-cd-get-dos(15204) The samiftp.dll library in Sami FTP Server 1.1.3 allows remote authenticated users to cause a denial of service (pmsystem.exe crash) via a GET request wit a large number of leading "/" (slash) characters. http://www.karja.com/samiftp/news.html 20040213 Sami FTP Server 1.1.3 multiple vulnerabilities 9657 sami-cd-get-dos(15204) Opera Web Browser 7.0 through 7.23 allows remote attackers to trick users into executing a malicious file by embedding a CLSID in the file name, which causes the malicious file to appear as a trusted file type, aka "File Download Extension Spoofing." http://www.opera.com/docs/changelogs/windows/750b1/ 9640 opera-cslid-extension-spoof(21698) Cross-site scripting (XSS) vulnerability in search.php in JShop E-Commerce Server allows remote attackers to inject arbitrary web script or HTML via the xSearch parameter. 1008988 9609 http://www.systemsecure.org/advisories/ssadvisory09022004.php jshop-searchphp-xss(15100) Multiple cross-site scripting (XSS) vulnerabilities in Brad Fears phpCodeCabinet 0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via multiple parameters, including (1) the sid parameter to comments.php, (2) the cid, cf, or rfd parameters to category.php, or the cid parameter to (3) input.php, (4) browse.php, (5) themes/facade/header.php, or (6) themes/phpcc/header.php. http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/browse.php?r1=1.5&r2=1.6 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/category.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/comments.php?r1=1.1&r2=1.2 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/input.php?r1=1.7&r2=1.8 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/facade/header.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/phpcc/header.php?r1=1.4&r2=1.5 1009012 http://sourceforge.net/project/shownotes.php?release_id=214860 9601 9645 phpcodecabinet-multiple-xss(15190) Stack-based buffer overflow in results.stm for Sambar Server before the 6.0 production release allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a long query parameter. 1008979 http://www.sambar.com/security.htm 20040207 Sambar 6.0 stack overflow 9607 sambar-http-post-bo(15071) Unknown vulnerability in SandSurfer before 1.7.0 allows remote attackers to gain access as a logged-in user. 1009110 http://sourceforge.net/forum/forum.php?forum_id=351705 9647 sandsurfer-gain-access(15193) Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scanning by using a qmail generated Delivery Status Notification (DSN) where the original email is not included in the bounce message. 1009042 9650 http://www.sophos.com/support/news/#mime-378 sophos-email-virus-undetected(15192) Matrix FTP Server allows remote attackers to cause a denial of service (crash) by logging in using four spaces as the username and password and then issuing a LIST command. 1008970 matrixftp-login-list-dos(15075) Microsoft Internet Explorer 5.0.1 through 6.0 allows remote attackers to determine the existence of arbitrary files via the VBScript LoadPicture method, which returns an error code if the file does not exist. 20040207 (no subject) 9611 ie-error-obtain-information(15078) Microsoft Baseline Security Analyzer (MBSA) 1.2 does not correctly identify systems that have been patched but remain vulnerable to exploit until the system is rebooted, possibly giving the administrator a false sense of security. 20040210 Another Low Blow From Microsoft: MBSA Failure! 9634 eTrust InoculateIT for Linux 6.0 uses insecure permissions for multiple files and directories, including the application's registry and tmp directories, which allows local users to delete, modify, or examine sensitive information. 20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux 9616 etrust-inoculateit-insecure-permissions(15103) Buffer overflow in the open_socket_out function in socket.c for rsync 2.5.7 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long RSYNC_PROXY environment variable. NOTE: since rsync is not setuid, this issue does not provide any additional privileges beyond those that are already available to the user. Therefore this issue may be REJECTED in the future. 20040209 rsync <= 2.5.7 local buffer overflow (no root today:) linux-rsync-opensocketout-bo(15108) Cross-site scripting (XSS) vulnerability in WebcamXP 1.06.945 allows remote attackers to inject arbitrary HTML or web script as other users via a URL that contains the script. 20040121 WebcamXP v1.06.945 Cross Site Scripting Vulnerabillity 9465 webcamxp-xss(14904) Honeyd before 0.8 replies to TCP packets with the SYN and RST flags set, which allows remote attackers to identify IP addresses that are being simulated by Honeyd. 20040121 Honeyd Security Advisory 2004-001: Remote Detection Via Simple Probe Packet 20040121 [ GLSA 200401-02 ] Honeyd remote detection vulnerability via a probe packet 9464 1008818 honeyd-nmap-information-disclosure(14905) Cross-site scripting (XSS) vulnerability in Mephistoles httpd 0.6.0 final allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the URL. 20040121 Mephistoles Httpd 0.6.0final XSS 9470 mephistoles-httpd-xss(14899) Multiple scripts on SuSE Linux 9.0 allow local users to overwrite arbitrary files via a symlink attack on (1) /tmp/fvwm-bug created by fvwm-bug, (2) /tmp/wmmenu created by wm-oldmenu2new, (3) /tmp/rates created by x11perfcomp, (4) /tmp/xf86debug.1.log created by xf86debug, (5) /tmp/.winpopup-new created by winpopup-send.sh, or (6) /tmp/initrd created by lvmcreate_initrd. 20040121 [SuSE 9.0] possible symlink attacks in some scripts 20040122 Re: [SuSE 9.0] possible symlink attacks in some scripts 1008781 9457 suse-multiple-symlink-attack(14963) Cross-site scripting (XSS) vulnerability in the banner engine (TBE) 5.0 allows remote attackers to execute arbitrary script as other users via the HTML banner view/preview capability. 20040122 TBE - the banner engine server-side script execution vulnerability 9472 tbe-xss(14911) Buffer overflow in Need for Speed Hot Pursuit 2.0 client (NFSHP2), version 242 and earlier, allows remote attackers (servers) to execute arbitrary code via long (1) gamename, (2) gamever, (3) hostname, (4) gametype, (5) mapname or (6) gamemode commands. http://aluigi.altervista.org/adv/nfshp2cbof-adv.txt 20040122 Need for Speed Hot pursuit 2 <= 242 client's buffer overflow 9473 hotpursuit2-bo(14909) GeoHttpServer, when configured to authenticate users, allows remote attackers to bypass authentication and access unauthorized files via a URL that contains %0a%0a (encoded newlines). 20040122 GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service) The sysinfo script in GeoHttpServer allows remote attackers to cause a denial of service (crash) via a long pwd parameter, possibly triggering a buffer overflow. 20040122 GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service) 1008807 geohttpserver-long-password-bo(14913) Cross-site scripting (XSS) vulnerability in FREESCO 2.05, a modified version of thttpd, allows remote attackers to inject arbitrary web script or HTML via the test parameter. 20040122 FREESCO public http server - Cross Site Scripting Vulnerabillity freesco-thttpd-xss(14916) Cross-site scripting (XSS) vulnerability in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to process arbitrary script or HTML as other users via (1) a malformed request for a Perl program with script in the filename, (2) the User.id parameter to the webacc servlet, (3) the GWAP.version parameter to webacc, or (4) a URL request for a .bas file with script in the filename. 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091529.htm netware-enterprise-cgi2perl-xss(14919) Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to obtain sensitive server information, including the internal IP address, via a direct request to (1) snoop.jsp, (2) SnoopServlet, (3) env.bas, or (4) lcgitest.nlm. 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities 9479 netware-enterprise-path-disclosure(14921) The webacc servlet in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to read arbitrary .htt files via a full pathname in the error parameter. 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to list directories via a direct request to (1) /com/, (2) /com/novell/, (3) /com/novell/webaccess, or (4) /ns-icons/. 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities netware-enterprise-directory-disclosure(21749) Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not authenticate FHTTP commands on TCP port 3141, which allows remote attackers to use the finjan-parameter-type header to (1) restart the service, (2) use the getlastmsg command to view log information, or (3) use the online command to force a policy update from the database server. 20040123 Finjan SurfinGate Vulnerability 20040123 Finjan SurfinGate Vulnerability 20040126 RE: Finjan SurfinGate Vulnerability 9478 finjan-surfingate-execute-commands(14934) Multiple SQL injection vulnerabilities in QuadComm Q-Shop allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) search.asp, (2) browse.asp, (3) details.asp, (4) showcat.asp, (5) users.asp, (6) addtomylist.asp, (7) modline.asp, (8) cart.asp, or (9) newuser.asp. 20040123 QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities 1008837 9481 http://www.s-quadra.com/advisories/Adv-20040123.txt qshop-multiple-sql-injection(14922) Multiple cross-site scripting (XSS) vulnerabilities in (1) imagezoom.asp or (2) recommend.asp in Q-Shop allow remote attackers to execute arbitrary script and steal the user session ID via Javascript in a URL. 20040123 QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities 9480 qshop-url-xss(14923) SQL injection vulnerability in register.php in Phorum before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. 20040123 Multiple Vulnerabilities in Phorum 3.4.5 http://phorum.org/ Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename. 20040124 [SST]ServU MDTM command remote buffero verflow adv 20040126 Serv-U ftp 4.2 site chmod long_file_name exploit 1008841 9483 9675 servu-chmodcommand-execute-code(14931) Directory traversal vulnerability in BremsServer 1.2.4 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in the URL. 20040126 Directory traversal and XSS in BremsServer 1.2.4 9493 1008853 bremsserver-dotdot-directory-traversal(14954) Cross-site scripting (XSS) vulnerability in BremsServer 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the URL. 20040126 Directory traversal and XSS in BremsServer 1.2.4 9491 1008853 bremsserver-xss(14953) Stack-based and heap-based buffer overflows in ProxyNow! 2.75 and earlier allow remote attackers to execute arbitrary code via a GET request with a long ftp:// URL. 20040126 ProxyNow! 2.x Multiple Overflow Vulnerabilities 9500 proxynow-get-bo(14955) Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1.3.22, based on Apache, allow remote attackers to execute arbitrary script as other users via the (1) action, (2) username, or (3) password parameters in an isqlplus request. 20040124 Oracle HTTP Server Cross Site Scripting Vulnerabillity 9484 oraclehttpserver-isqlplus-xss(14930) Directory traversal vulnerability in Tiny Server 1.1 allows remote attackers to read or download arbitrary files via a .. (dot dot) in the URL. 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities http://packetstormsecurity.com/files/129320/Tiny-Server-1.1.9-Arbitrary-File-Disclosure.html 9485 tinyserver-dotdot-directory-traversal(14927) tinyserver-windows-dir-traversal(99048) Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via malformed HTTP requests such as (1) a GET request without the HTTP version (HTTP/1.1), or (2) a request without GET or the HTTP version. 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 9485 tinyserver-string-dos(14928) Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via a GET request with a long filename, possibly due to a buffer overflow. 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 9485 tinyserver-string-dos(14928) Cross-site scripting (XSS) vulnerability in Tiny Server 1.1 allows remote attackers to inject arbitrary web script or HTML via the URL. 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 9485 tinyserver-xss(14929) Reptile Web Server allows remote attackers to cause a denial of service (CPU consumption) via multiple incomplete GET requests without the HTTP version. 20040124 Resources consumption in Reptile webserver daily version 1008842 http://www.autistici.org/fdonato/advisory/reptilewsDailyVersion-adv.txt 9482 reptilewebserver-get-dos(14932) Multiple directory traversal vulnerabilities in Borland Web Server (BWS) 1.0b3 and earlier allow remote attackers to read and download arbitrary files via (1) multi-dot "......" sequences, or (2) "%5c%2e%2e" (encoded "\..") sequences, in the URL. 20040124 BWS v1.0b3 Directory Transversal Vulnerability 1008840 9486 bws-directory-traversal(14948) Cross-site scripting (XSS) vulnerability in intraforum_db.cgi in Intra Forum allows remote attackers to inject arbitrary web script or HTML via the (1) use_last_read or (2) forum parameters. 20040124 Inrtra Forum Cross Site Scripting Vulnerabillity 1008839 intraforum-intraforumcgi-xss(14933) Multiple cross-site scripting (XSS) vulnerabilities in Nextplace.com E-Commerce ASP Engine allow remote attackers to inject arbitrary web script or HTML via the (1) level parameter of productdetail.asp, (2) searchKey parameter of searchresults.asp, and possibly (3) level parameter of ListCategories.asp. 20040124 NextPlace.com E-Commerce ASP Engine nextplace-multiple-xss(14952) The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. http://gallery.menalto.com/modules.php?op=modload&name=News&file=index 20040127 Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 GLSA-200402-04 9490 gallery-gallerybasedir-file-include(14950) Buffer overflow in blackd.exe for BlackICE PC Protection 3.6 and other versions before 3.6.ccb, with application protection off, allows local users to gain system privileges by modifying the .INI file to contain a long packetLog.fileprefix value. [ISSForum] 20040128 Third party BlackICE advisory 20040128 SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM 9514 blackice-blackdexe-bo(14965) The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers. 20040128 SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM 9513 Directory traversal vulnerability in Web Blog 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file variable. 20040128 ZH2004-01SA (security advisory): Web Blog 1.1 Remote arbitrary 9517 http://www.zone-h.org/en/advisories/read/id=3822/ webblog-dotdot-directory-traversal(14978) Cross-site scripting (XSS) vulnerability in BRS WebWeaver 1.07 allows remote attackers to execute arbitrary script as other users via the query string to ISAPISkeleton.dll. 20040128 BRS WebWeaver Webserver Cross Site Scripting Vulnerability http://www.brswebweaver.com/modules.php?op=modload&name=News&file=article&sid=1 9516 1008880 webweaver-isapiskeleton-xss(14977) SurfNOW 2.2 allows remote attackers to cause a denial of service (crash) via a series of long HTTP GET requests, possibly triggering a buffer overflow. 20040128 Denial Of Service in SurfNOW 2.2 9519 surfnow-get-dos(14976) Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables. 20040128 phpBB privmsg.php XSS vulnerability patch. http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=161943 9290 Stack-based buffer overflow in ontape for IBM Informix Dynamic Server (IDS) 9.40.xC3 and earlier allows local users, with DSA privileges, to execute arbitrary code via a long ONCONFIG environment variable. 20040129 ----------========== OPEN3S-2003-08-08-eng-informix-ontape 9512 http://www-1.ibm.com/support/docview.wss?uid=swg21153336 informix-ontape-binary-bo(14970) Directory traversal vulnerability in PJreview_Neo.cgi in PJ CGI Neo review allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter. 20040129 ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving 9524 http://www.zone-h.org/advisories/read/id=3824 pjcgineoreview-dotdot-directory-traversal(14980) Certain third-party packages for CVSup 16.1h, such as SuSE Linux, contain untrusted paths in the ELF RPATH fields of certain executables, which could allow local users to execute arbitrary code by causing cvsup to link against malicious libraries that are created in world-writable directories such as /usr/src/packages. 20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs 20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs 9523 cvsup-rpath-gain-privileges(14994) Oracle toplink mapping workBench uses a weak encryption algorithm for passwords, which allows local users to decrypt the passwords. 20040128 Oracle toplink mapping workbench password algorithm http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=803&lngWId=5 20040128 Re: Oracle toplink mapping workbench password algorithm 20040128 Re: Oracle toplink mapping workbench password algorithm 9515 cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption. [linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.* http://mareichelt.de/pub/notmine/diskenc.pdf http://www.securiteam.com/exploits/5UP0P1PFPM.html 13775 dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption. [linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.* http://mareichelt.de/pub/notmine/diskenc.pdf http://www.securiteam.com/exploits/5UP0P1PFPM.html Outlook Express 6.0, when sending multipart e-mail messages using the "Break apart messages larger than" setting, leaks the BCC recipients of the message to the addresses listed in the To and CC fields, which may allow remote attackers to obtain sensitive information. 1011067 843555 http://www.networksecurity.fi/advisories/outlook-bcc.html 11040 outlook-email-address-disclosure(17098) Cross-site scripting (XSS) vulnerability in AWSguest.php in AllWebScripts MySQLGuest allows remote attackers to inject arbitrary HTML and PHP code via the (1) Name, (2) Email, (3) Homepage or (4) Comments field. 1011376 http://www.computerknights.org/forum_viewtopic.php?2.122 11234 mysqlguest-awsguestphp-xss(17462) Unknown vulnerability in Adminedit.pl YaBB 1 Gold before 1.3.2 allows attackers to execute arbitrary code via settings.pl. 11235 http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 yabb-admineditpl-xss(17459) CRLF injection vulnerability in YaBB 1 Gold before 1.3.2 allows remote attackers to modify text file contents via the subject variable. http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1827. Reason: This candidate is a duplicate of CVE-2004-1827. Notes: All CVE users should reference CVE-2004-1827 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in the remote tape support (remote.c) in the RMT client for Jorg Schilling sdd 1.28 and 1.31 has unknown impact and attack vectors. ftp://ftp.berlios.de/pub/sdd/AN-1.52 sdd-rmt(17442) SQL injection vulnerability in the ReMOSitory Server add-on module to Mambo Portal 4.5.1 (1.09) and earlier allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in the com_remository option. 20040917 Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL injection Vulnerability. 20040919 Re: Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL injection Vulnerability. 1011356 http://www.mamboportal.com/content/view/1615/ 11219 remository-filecatid-sql-injection(17441) Baal Smart Forms before 3.2 allows remote attackers to bypass authentication and obtain system access via a direct request to regadmin.php. 1011416 baal-admin-password-modify(17499) SQL injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows remote attackers to execute arbitrary SQL commands via the (1) sortdir or (2) criteria parameter to ladder-log.asp or the (3) memberid or (4) teamid parameter to view-profile.asp. 20040926 HTTP Response Splitting and SQL injection in megabbs forum 20040926 Re: HTTP Response Splitting and SQL injection in megabbs forum megabbs-sql-injection(17497) CRLF injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows attackers to conduct HTTP response splitting attacks via the fid parameter in a writenew action to thread-post.asp. 20040926 HTTP Response Splitting and SQL injection in megabbs forum 20040926 Re: HTTP Response Splitting and SQL injection in megabbs forum http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924 megabbs-response-splitting(17495) Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook allow attackers to cause a denial of service (crash) via malformed e-mail messages (1) without a body or (2) without a carriage return ("\n") separating the headers from the body. 20040925 No body emails and Norton antivirus 11259 Unknown local vulnerability in the "change user" feature of Slava Astashonok Fprobe 1.0.5 and earlier has unknown impact and attack vectors. 1011417 http://sourceforge.net/project/shownotes.php?release_id=269807 11255 fprobe-change-user(17494) Buffer overflow in the prepared statements API in libmysqlclient for MySQL 4.1.3 beta and 4.1.4 allows remote attackers to cause a denial of service via a large number of placeholders. http://bugs.mysql.com/bug.php?id=5194 http://dev.mysql.com/doc/mysql/en/news-4-1-5.html 1011408 11261 mysql-libmysqlclient-insert-bo(17493) Nettica Corporation INTELLIPEER Email Server 1.01 displays different error messages for valid and invalid account names, which allows remote attackers to determine valid account names. 1011425 11257 intellipeer-username-obtain-information(17510) Chatman 1.1.1 RC1 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via a very large data size. 1011431 20040927 Broadcast crash in Chatman 1.5.1 RC1 11263 chatman-dos(17513) Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML. http://sourceforge.net/project/shownotes.php?group_id=34373&release_id=271848 11302 mediawiki-raw-output-xss(17578) Multiple unknown vulnerabilities in Real Estate Management Software 1.0 have unknown impact and attack vectors. [fm-news] 20041001 Newsletter for Thursday, September 30th 2004 11304 real-estate-management-software(17598) CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. http://www.cups.org/str.php?L700 SUSE-SR:2005:018 RHSA-2005:571 USN-185-1 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405 FLSA:163274 oval:org.mitre.oval:def:9940 Online-bookmarks before 0.4.6 allows remote attackers to bypass its authentication mechanism via a direct request to (1) config/*, (2) bookmarks.php, (3) footer.php, (4) main.php, (5) tree.php, or (6) functions.php. http://freshmeat.net/projects/onlinebookmarks/?branch_id=34962&release_id=174401 11305 online-bookmarks-resrtictions-bypass(17602) Multiple unknown vulnerabilities in Online Recruitment Agency 1.0 have unknown impact and attack vectors. http://archives.neohapsis.com/archives/apps/freshmeat/2004-09/0030.html 1011539 11306 online-recruitment-agency(17586) Cross-site scripting (XSS) vulnerability in Comment.php in Serendipity 0.7 beta1, and possibly other versions before 0.7-beta3, allows remote attackers to inject arbitrary HTML and PHP code via the (1) email or (2) username field. 20040928 Serendipity 0.7-beta1 SQL Injection PoC 1011448 11269 serendipity-commentphp-xss(17536) SQL injection vulnerability in Serendipity 0.7-beta1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter to (1) exit.php or (2) comment.php. 20040928 Serendipity 0.7-beta1 SQL Injection PoC 1011448 11269 serendipity-sql-injection(17533) Multiple buffer overflows in XMLStarlet Command Line XML Toolkit 0.9.3 have unknown impact and attack vectors via (1) xml_elem.c and (2) xml_select.c. 1011496 http://sourceforge.net/project/shownotes.php?release_id=268962 11270 xmlstarlet-bo(17580) Format string vulnerability in xml_elem.c for XMLStarlet Command Line XML Toolkit 0.9.3 may allow attackers to cause a denial of service or execute arbitrary code. http://cvs.sourceforge.net/viewcvs.py/xmlstar/xmlstarlet/src/xml_elem.c?r1=1.17&r2=1.18 http://sourceforge.net/project/shownotes.php?release_id=268962 SQL injection vulnerability in file_overview.php in TUTOS 1.1 allows remote attackers to execute arbitrary SQL commands via the link_id parameter. http://cvs.sourceforge.net/viewcvs.py/tutos/tutos/php/file/file_overview.php?r1=1.11.2.1&r2=1.11.2.2 1011363 DSA-980 20040918 Vulnerabilities in TUTOS 11221 tutos-sql-injection(17444) Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the search field of the Address Module or (2) the t parameter to app_new.php. http://cvs.sourceforge.net/viewcvs.py/tutos/tutos/php/app_new.php?r1=1.58&r2=1.59 DSA-980 20040918 Vulnerabilities in TUTOS 11221 tutos-xss(17445) login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies. 20040921 OpenBSD radius authentication vulnerability http://www.openbsd.org/errata35.html#radius http://www.reseau.nl/advisories/0400-openbsd-radius.txt 11227 openbsd-radius-auth-bypass(17456) shoprestoreorder.asp in VP-ASP 5.0 does not close the database connection when a user restores a previous order, which allows remote attackers to cause a denial of service (connection consumption). 11228 1011359 http://www.vpasp.com/virtprog/info/faq_securityfixes.htm vpasp-shoprestoreopenasp-dos(17436) Lords of the Realm III 1.01 and earlier, when in the lobby stage, allows remote attackers to cause a denial of service (crash from unallocated memory write) via a long user nickname. http://aluigi.altervista.org/adv/lotr3boom-adv.txt 20040914 Crash in Lords of the Realm III 1.01 1011361 11223 lordsoftherealm-username-dos(17438) The print-from-email feature in the Canon ImageRUNNER (iR) 5000i and C3200 digital printer, when not using IP address range filtering, allows remote attackers to print arbitrary text without authentication via a text/plain email to TCP port 25. 20040923 Promiscuous email printing in Canon imageRunner 11247 canon-imagerunner-dos(17512) Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand. http://cvs.sourceforge.net/viewcvs.py/latex2rtf/latex2rtf/definitions.c?rev=1.22&view=log 11233 1011367 latex2rtf-expandmacro-bo(17460) latex2rtf-multiple-bo(17487) BaSoMail 1.24 allows remote attackers to cause a denial of service (CPU consumption) via multiple connections to TCP port (1) 25 (SMTP) or (2) 110 (POP3). http://members.lycos.co.uk/r34ct/main/Baso_mail/Baso_1.24.txt 1008912 basomail-multiple-connection-dos(15002) Application Access Server (A-A-S) 1.0.37 and earlier allows remote authenticated users to cause a denial of service (application crash) via a long file request. http://members.lycos.co.uk/r34ct/main/A-A-S/AAS1_0_3.TXT aas-longhttp-request-dos(15003) Directory traversal vulnerability in sample_showcode.html in Caravan 2.00/03d and earlier allows remote attackers to read arbitrary files via the fname parameter. http://members.lycos.co.uk/r34ct/main/Caravan/Caravan.txt 1008913 9555 caravan-dotdot-directory-traveral(15004) Cross-site scripting (XSS) vulnerability in Cherokee before 0.4.8 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting error page. 9496 cherokee-error-xss(14936) EarlyImpact ProductCart uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via a chosen plaintext attack. 20040218 Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 1009085 http://www.earlyimpact.com/productcart/support/updates/ReadMe_ProductCart_Security_Patch_013004.txt 20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 9669 http://www.s-quadra.com/advisories/Adv-20040216.txt productcart-keystream-obtain-information(15231) SQL injection vulnerability in advSearch_h.asp in EarlyImpact ProductCart allows remote attackers to execute arbitrary SQL commands via the priceUntil parameter. 20040218 Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 1009085 http://www.earlyimpact.com/productcart/support/updates/ReadMe_ProductCart_Security_Patch_013004.txt 20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 9669 http://www.s-quadra.com/advisories/Adv-20040216.txt productcart-advsearchhasp-sql-injection(15233) Cross-site scripting (XSS) vulnerability in Custva.asp in EarlyImpact ProductCart allows remote attackers to inject arbitrary Javascript via the redirectUrl parameter. 20040218 Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities 1009085 http://www.earlyimpact.com/productcart/support/updates/ReadMe_ProductCart_Security_Patch_013004.txt 9669 http://www.s-quadra.com/advisories/Adv-20040216.txt productcart-custva-xss(15234) Multiple SQL injection vulnerabilities in ReviewPost PHP Pro allow remote attackers to execute arbitrary SQL commands via the (1) product parameter to showproduct.php or (2) cat parameter to showcat.php. 20040204 ZH2004-04SA (security advisory): Multiple Sql Injection Vulnerabilities in ReviewPost PHP Pro 9574 http://www.zone-h.org/en/advisories/read/id=3864/ reviewpostpro-showproduct-sql-injection(15035) The Internet Connection Firewall (ICF) in Microsoft Windows XP SP2 is configured by default to trust sessmgr.exe, which allows local users to use sessmgr.exe to create a local listening port that bypasses the ICF access controls. 20041012 Writing Trojans that bypass Windows XP Service Pack 2 Firewall 11410 Cross-site scripting (XSS) vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. http://sourceforge.net/project/shownotes.php?release_id=273104 http://www.maxpatrol.com/advdetails.asp?id=11 11428 SQL injection vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to execute arbitrary SQL commands via unknown vectors. http://sourceforge.net/project/shownotes.php?release_id=273104 http://www.maxpatrol.com/advdetails.asp?id=11 11428 asycpict.dll, as used in Microsoft products such as Front Page 97 and 98, allows remote attackers to cause a denial of service (hang) via a JPEG image with maximum height and width values. 20041014 New Remote Microsoft JPEG DoS Vulnerability + Other Potential Security Vulnerabilitys in asycpict.dll 1.0 Advisory 20041015 Re: New Remote Microsoft JPEG DoS Vulnerability + Other Potential Security Vulnerabilitys in asycpict.dll 1.0 Advisory 11412 Multiple cross-site scripting (XSS) vulnerabilities in WowBB Forum 1.61 allow remote attackers to inject arbitrary web script or HTML via the (1) country parameter to view_user.php, (2) show parameter to view_forum.php, (3) letter parameter to view_user.php, (4) highlight parameter to view_topic.php, (5) show parameter to index.php, (6) q parameter to search.php, (7) Referer header to admin.php, or the (8) user_email parameter to login.php. http://www.maxpatrol.com/advdetails.asp?id=7 11429 Multiple SQL injection vulnerabilities in WowBB Forum 1.61 allow remote attackers to execute arbitrary SQL commands via the (1) sort_by or (2) page parameters to view_user.php, or the (3) forum_id parameter to view_topic.php. NOTE: the sort_by vector was later reported to be present in WowBB 1.65. http://pridels0.blogspot.com/2005/11/wowbb-165-sql-vuln.html http://www.maxpatrol.com/advdetails.asp?id=7 11429 Session fixation vulnerability in Macromedia JRun 4.0 allows remote attackers to hijack user sessions by pre-setting the user session ID information used by the session server. MPSB04-08 11414 Unknown vulnerability in WeHelpBUS 0.1 allows remote attackers to execute arbitrary shell commands via the query string. http://sourceforge.net/project/shownotes.php?release_id=275295 11431 Directory traversal vulnerability in Digicraft Yak! server 2.0 through 2.1.2 allows remote attackers to read or write arbitrary files via "../" or "..\" sequences in commands such as (1) dir or (2) put. http://aluigi.altervista.org/adv/yak-adv.txt 20041015 Directory traversal in Yak! 2.1.2 1011708 20041015 Directory traversal in Yak! 2.1.2 11433 yak-directory-traversal(17740) Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.5 allow remote attackers to execute arbitrary scripts and/or SQL queries via (1) the UnicodeConverter extension, (2) raw page views, (3) SpecialIpblocklist, (4) SpecialEmailuser, (5) SpecialMaintenance, and (6) ImagePage. http://sourceforge.net/project/shownotes.php?release_id=275099 11416 SQL injection vulnerability in MediaWiki 1.3.5 allows remote attackers to execute arbitrary SQL commands via SpecialMaintenance. http://sourceforge.net/project/shownotes.php?release_id=275099 11416 Unknown vulnerability in ImagePage for MediaWiki 1.3.5, related to "filename validation," has unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?release_id=275099 11416 Cross-site scripting (XSS) vulnerability in DMXReady Site Chassis Manager allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 11434 SQL injection vulnerability in DMXReady Site Chassis Manager allows remote attackers to execute arbitrary SQL commands via unknown vectors. http://www.maxpatrol.com/mp_advisory.asp 11434 Directory traversal vulnerability in Unzoo 4.4-2 has unknown impact and attack vectors. 1011673 11417 Cross-site scripting (XSS) vulnerability in ttt-webmaster.php in Turbo Traffic Trader PHP 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) msg[0] or (2) siteurl parameters. 20041011 Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept 1011609 11358 turbo-traffic-xss(17673) SQL injection vulnerability in tttadmin/settings.php in Turbo Traffic Trader PHP 1.0 allows remote attackers to execute arbitrary SQL commands via the ttt_admin parameter. 20041011 Turbo Traffic Trader Nitro v1.0 SQL Injection & XSS Proofs of Concept 1011609 11358 turbo-traffic-trader-sql-injection(17676) Cross-site scripting (XSS) vulnerability in trade.php for CJOverkill 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) tms[0] or (2) url parameters. http://bbs.icefire.org/viewtopic.php?t=573 1011604 20041011 CJOverkill 4.0.3 XSS Proof of Concept 11359 cjoverkill-trade-xss(17675) MailEnable Professional Edition before 1.53 and Enterprise Edition before 1.02 allows remote attackers to cause a denial of service (crash) via malformed (1) SMTP or (2) IMAP commands. http://www.mailenable.com/enterprisehistory.asp http://www.mailenable.com/professionalhistory.asp 11418 PHP remote file inclusion vulnerability in index.php in Zanfi CMS lite 1.1 allows remote attackers to execute arbitrary PHP code via the inc parameter. 1011612 20041011 Multiple vulnerabilities in ZanfiCmsLite 11362 zanficmslite-inc-file-include(17691) Zanfi CMS lite 1.1 allows remote attackers to obtain the full path of the web server via direct requests without required arguments to (1) adm_pages.php, (2) corr_pages.php, (3) del_block.php, (4) del_page.php, (5) footer.php, (6) home.php, and others. 1011612 20041011 Multiple vulnerabilities in ZanfiCmsLite http://www.zanfi.nl/index1.php?flag=cmslite zanficmslite-error-path-disclosure(17687) kdocker.cpp in kdocker 0.1 through 0.8 does not properly check the ownership of files, which could allow local users to execute arbitrary programs. http://cvs.sourceforge.net/viewcvs.py/kdocker/kdocker/src/kdocker.cpp?r1=1.10&r2=1.11&sortby=log 1011688 http://sourceforge.net/forum/forum.php?forum_id=414631 11419 kdocker-kdockerccp-gain-privileges(17718) account.asp in DUware DUclassmate 1.0 through 1.1 allows remote attackers to change the passwords for arbitrary users by modifying the MM_recordId parameter on the "My Account" page. 11363 1011597 duclassmate-password-modification(17682) Cross-site scripting (XSS) vulnerability in DUware DUclassified 4.0 allows remote attackers to inject arbitrary web script or HTML via the message text. 11363 1011596 duclassified-message-xss(17686) Cross-site scripting (XSS) vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to inject arbitrary web script or HTML via via the message text. 11363 1011595 duforum-xss(17681) SQL injection vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to execute arbitrary SQL commands via the FOR_ID parameter in messages.asp, (2) MSG_ID parameter in messageDetail.asp, or (3) password parameter in the login form. 11363 1011595 duforum-sql-injection(17680) Multiple SQL injection vulnerabilities in DUware DUclassified 4.0 through 4.2 allows remote attackers to bypass authentication and execute other commands on the server's underlying database via the (1) cat_id or (2) sub_id parameters in adDetail.asp, or (2) the password parameter in the login form. 11363 1011596 duclassified-multiple-sql-injection(17685) Ansel 1.2 through 2.0 uses insecure default permissions, which allows remote attackers to gain access to web readable directories. 1011775 11420 ansell-gain-access(17767) Macromedia ColdFusion MX 6.0 and 6.1 application server, when running with the CreateObject function or CFOBJECT tag enabled, allows local users to conduct unauthorized activities and obtain administrative passwords by creating CFML scripts that use CreateObject or CFOBJECT. http://www.macromedia.com/devnet/security/security_zone/mpsb04-10.html 20040930 CFMX vulnerability 11364 coldfusion-gain-access(17567) Unknown vulnerability in Veritas Cluster Server 1.0.1 through 4.0 allows local users to gain root access via unspecified vectors. 1011693 http://seer.support.veritas.com/docs/271040.htm 11421 vcs-gain-unauth-access(17719) SQL injection vulnerability in NatterChat 1.12 allows remote attackers to execute arbitrary SQL commands via unknown vectors. http://www.maxpatrol.com/advdetails.asp?id=13 http://www.maxpatrol.com/mp_advisory.asp 11423 1011692 natterchat-sql-injection(17726) Cross-site scripting (XSS) vulnerability in Ideal Science IdealBB 1.4.9 through 1.5.3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. http://www.maxpatrol.com/advdetails.asp?id=14 http://www.maxpatrol.com/mp_advisory.asp 11424 CRLF injection vulnerability in Ideal Science IdealBB 1.4.9 through 1.5.3 allows remote attackers to conduct HTTP response splitting attacks via unknown vectors. http://www.maxpatrol.com/advdetails.asp?id=14 http://www.maxpatrol.com/mp_advisory.asp 11424 SQL injection vulnerability in Ideal Science IdealBB 1.4.9 through 1.5.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. http://www.maxpatrol.com/advdetails.asp?id=14 http://www.maxpatrol.com/mp_advisory.asp 11424 Multiple cross-site scripting (XSS) vulnerabilities in Express-Web Content Management System (CMS) allow remote attackers to steal cookie-based authentication information and possibly perform other exploits via the (1) n, (2) b, (3) e, or (4) a parameters to default.asp, (5) the Referer header in an HTTP request to login.asp, or (6) the email parameter to subscribe/default.asp. http://www.maxpatrol.com/advdetails.asp?id=12 http://www.maxpatrol.com/mp_advisory.asp 11426 Cross-site scripting (XSS) vulnerability in AliveSites Forums 2.0 allows remote attackers to inject arbitrary web script or HTML via the (1) forum_id, (2) method, or (3) forum_title parameters to post.asp, (4) the forum_title parameter to forum.asp, or (5) the id parameter to post.asp. http://www.maxpatrol.com/advdetails.asp?id=5 http://www.maxpatrol.com/mp_advisory.asp 11427 alivesites-xss(17725) SQL injection vulnerability in forum.asp in AliveSites Forums 2.0 allows remote attackers to execute arbitrary SQL commands via the forum_id parameter. http://www.maxpatrol.com/advdetails.asp?id=5 http://www.maxpatrol.com/mp_advisory.asp 11427 alivesites-sql-injection(17730) Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to obtain the source code for scripts via a (1) trailing dot (".") or (2) trailing space in an HTTP request. http://www.mbedthis.com/products/appWeb/doc/product/newFeatures.html 10673 mbedthis-character-information-disclosure(16636) Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters. http://www.mbedthis.com/products/appWeb/doc/product/newFeatures.html 10673 mbedthis-uri-gain-access(16638) RXVT-Unicode 3.4 and 3.5 does not properly close file descriptors, which allows local users to access the terminals of other users and possibly gain privileges. http://cvs.schmorp.de/browse/rxvt-unicode/Changes?view=markup 10959 rxvt-unicode-open-file-handler(17000) Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlier and 6.1 SP1 and earlier, and Application Server 7 Update 4 and earlier, allows remote attackers to cause a denial of service (crash) via a malformed client certificate. 101589 57669 11593 sun-java-web-application-dos(17941) Multiple unknown vulnerabilities in yhttpd in yChat before 0.7 allow remote attackers to cause a denial of service (segmentation fault) via unknown vectors. [fm-news] 20041102 Newsletter for Monday, November 01st 2004 1012043 11597 ychat-http-connection-dos(17942) SQL injection vulnerability in pmwh.php in PHPMyWebHosting 0.3.4 and earlier allows remote attackers to modify SQL statements via the password parameter. 20040814 Posible security bug in phpMyWebhosting 20040920 Re: Posible security bug in phpMyWebhosting 10942 phpmywebhosting-pmwh-sql-injection(17005) Microsoft Internet Explorer 6 allows remote attackers to spoof the address bar to facilitate phishing attacks via Javascript that uses an invalid URI, modifies the Location field, then uses history.back to navigate to the previous domain, aka NullyFake. 20040815 NullyFake - Site Spoofing in MSIE 1010957 ie-address-bar-spoofing(17007) F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 does not properly detect certain password-protected files in a ZIP file, which allows remote attackers to bypass anti-virus protection. ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse63x-02_readme.txt 1012057 11600 fsecure-password-antivirus-bypass(17944) Buffer overflow in SoftCart.exe in Mercantec SoftCart 4.00b allows remote attackers to execute arbitrary code via a long parameter in an HTTP GET request. http://metasploit.com/projects/Framework/modules/exploits/mercantec_softcart.pm 10926 softcart-softcartexecgi-bo(17008) Directory traversal vulnerability in index.php in FsPHPGallery before 1.2 allows remote attackers to list arbitrary directories via the dir parameter. http://gallery.devrandom.org.uk/cgi-bin/viewcvs.cgi/fsphpgallery/ChangeLog?rev=HEAD&amp;content-type=text/vnd.viewcvs-markup 1012063 11594 fsphpgallery-information-disclosure(17950) FsPHPGallery before 1.2 allows remote attackers to cause a denial of service via an image with a large size attribute, which causes a crash when the server attempts to resize the image. 1012063 11594 fsphpgallery-size-dos(17947) Appfoundry Message Foundry 2.75 .0003 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that contains MS-DOS device names such as com1. 1010047 http://www.oliverkarow.de/research/AppFoundryCOM1_Dos.txt messagefoundry-get-dos(16063) Mozilla Firefox before 0.10.1 allows remote attackers to delete arbitrary files in the download directory via a crafted data: URI that is not properly handled when the user clicks the Save button. 1011501 http://www.mozilla.org/projects/security/older-vulnerabilities.html#firefox0.10.1 11311 https://bugzilla.mozilla.org/show_bug.cgi?id=259708 Mozilla Mail 1.7.1 and 1.7.3, and Thunderbird before 0.9, when HTML-Mails is enabled, allows remote attackers to determine valid e-mail addresses via an HTML e-mail that references a Cascading Style Sheets (CSS) document on the attacker's server. 20041102 CSS in E-Mails possible E-Mail-Validity Check for Spammers? mozilla-css-obtain-emails(17949) Mozilla Firefox before 1.0 truncates long filenames in the file download dialog box, which makes it easier for remote attackers to trick users into downloading files with dangerous extensions. GLSA-200501-03 https://bugzilla.mozilla.org/show_bug.cgi?id=234416 mozilla-firefox-ext-spoof(18016) Mozilla Firefox before 1.0 is installed with world-writable permissions on Mac OS X, which allows local users to gain privileges. GLSA-200501-03 11644 mozilla-firefox-gain-privileges(18017) Multiple unknown vulnerabilities in Oracle 9i Lite Mobile Server 5.0.0.0.0 through 5.0.2.9.0 allow remote authenticated users to gain privileges. http://otn.oracle.com/deploy/security/pdf/2004alert63.pdf 9704 oracle-mobile-gain-access(15269) Heap-based buffer overflow in isakmpd on OpenBSD 3.4 through 3.6 allows local users to cause a denial of service (panic) and corrupt memory via IPSEC credentials on a socket. 1012511 20041214 007: SECURITY FIX: December 14, 2004 11928 openbsd-isakmpd-dos(18486) Zero G Software InstallAnywhere 5.0.6, 5.0.7, and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) persistent_state or (2) env.properties.X temporary files. http://vapid.dhs.org/zerogadv.txt 20030620 ZeroG InstallAnywhere5 Symlink Vulnerability 10808 installanywhere-symlink(16791) SQL injection vulnerability in sql.php in the Glossary module in Moodle 1.4.1 and earlier allows remote attackers to modify SQL statements. http://cvs.sourceforge.net/viewcvs.py/moodle/moodle/mod/glossary/sql.php?r1=1.15.2.2&amp;r2=1.15.2.3 1012113 11608 moodle-glossary-sql-injection(17965) Unknown "front page vulnerability with Moodle servers" for Moodle before 1.3.2 has unknown impact and attack vectors. http://moodle.org/doc/?file=releaseold.html 10697 moodle-php-front-page(16662) Unknown vulnerability in Moodle before 1.2 allows teachers to log in as administrators. http://moodle.org/doc/?file=releaseold.html Unknown vulnerability in Moodle before 1.2 has unknown impact and attack vectors, related to improper filtering of text. http://moodle.org/doc/?file=releaseold.html Unknown vulnerability in Moodle before 1.3.3 has unknown impact and attack vectors, related to language setting. http://moodle.org/doc/?file=releaseold.html Unknown vulnerability in Moodle before 1.3.4 has unknown impact and attack vectors, related to "strings in Moodle texts." http://moodle.org/doc/?file=releaseold.html ** DISPUTED ** Format string vulnerability in vsybase.c in vpopmail 5.4.2 and earlier has unknown impact and attack vectors. NOTE: in a followup post, it was observed that the source code used constants that, when compiled, became static format strings. Thus this is not a vulnerability. 20040817 vpopmail <= 5.4.2 (sybase vulnerability) 20040818 [2Cents on] vpopmail <= 5.4.2 (sybase vulnerability) 20040819 [Fwd: Re: [vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd)] 10962 vpopmail-vsybase-format-string(17017) Buffer overflow in vsybase.c in vpopmail 5.4.2 and earlier might allow attackers to cause a denial of service or execute arbitrary code. 20040817 vpopmail <= 5.4.2 (sybase vulnerability) 20040818 [2Cents on] vpopmail <= 5.4.2 (sybase vulnerability) 20040819 [Fwd: Re: [vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd)] 10962 vpopmail-vsybase-bo(17016) Multiple SQL injection vulnerabilities in Phorum 5.0.11 and earlier allow remote attackers to modify SQL statements via (1) the query string in read.php or (2) unknown vectors in file.php. http://phorum.org/cvs-changelog-5.txt 1011921 http://www.maxpatrol.com/advdetails.asp?id=15 http://www.maxpatrol.com/mp_advisory.asp 11538 phorum-sql-injection(17847) Cross-site scripting (XSS) vulnerability in Phorum 5.0.11 and earlier allows remote attackers to inject arbitrary HTML or web script via search.php. NOTE: some sources have reported that the affected file is read.php, but this is inconsistent with the vendor's patch. http://phorum.org/cvs-changelog-5.txt 1011921 11538 phorum-xss(17846) Cross-site scripting (XSS) vulnerability in search.php in Phorum, possibly 5.0.7 beta and earlier, allows remote attackers to inject arbitrary HTML or web script via the subject parameter. http://phorum.org/cvs-changelog-5.txt 1010787 10822 phorum-searchphp-xss(16831) Phorum allows remote attackers to hijack sessions of other users by stealing and replaying the session hash in the phorum_uriauth parameter, as demonstrated using profile.php. NOTE: the affected version was reported to be 4.3.7, but this may be erroneous. 20040519 Ph0rum phorum_uriauth replay attack 1010219 phorum-session-hijack(16215) The XML parser in Oracle 9i Application Server Release 2 9.0.3.0 and 9.0.3.1, 9.0.2.3 and earlier, and Release 1 1.0.2.2 and 1.0.2.2.2, and Database Server Release 2 9.2.0.1 and later, allows remote attackers to cause a denial of service (CPU and memory consumption) via a SOAP message containing a crafted DTD. http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf 9703 oracle-soap-dos(15270) Cross-site scripting (XSS) vulnerability in Goollery 0.03 allows remote attackers to inject arbitrary HTML or web script via the (1) page parameter to viewalbum.php or (2) btopage parameter to viewpic.php. 1012062 11587 goollery-viewalbum-viewpic-xss(17957) Cross-site scripting (XSS) vulnerability in Goollery before 0.04b allows remote attackers to inject arbitrary HTML or web script via the conversation_id parameter to viewpic.php. Unknown vulnerability in the "admin of paypal email addresses" in AudienceConnect before 1.0.beta.21 has unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?group_id=98629&release_id=279700 Unknown vulnerability in RemoteEditor before 0.1.1 has unknown impact and attack vectors, related to "oversize submissions." 1012147 http://sourceforge.net/project/shownotes.php?group_id=98629&release_id=279743 remoteeditor-large-form(18010) Unknown vulnerability in the "access code" in SecureEditor before 0.1.2 has unknown impact and attack vectors, possibly involving a bypass of IP address restrictions. 1012066 http://sourceforge.net/project/shownotes.php?group_id=98629&release_id=279733 secureeditor-ip-address-gain-access(17958) Unknown vulnerability in the "access code" in RemoteEditor before 0.1.6 has unknown impact and attack vectors, possibly involving a bypass of IP address restrictions. 1012148 http://sourceforge.net/project/shownotes.php?group_id=98629&release_id=279743 remoteeditor-ip-address-gain-access(18009) The PPTP server in Astaro Security Linux before 4.024 provides information about its version, which makes it easier for remote attackers to construct specialized attacks. 1012065 http://www.astaro.org/showflat.php?Cat=&Number=51459&page=0&view=collapsed&sb=5&o=&fpart=1#51459 astaro-pptp-info-disclosure(17959) The firewall in Astaro Security Linux before 4.024 sends responses to SYN-FIN packets, which makes it easier for remote attackers to obtain information about the system and construct specialized attacks. 1012065 http://www.astaro.org/showflat.php?Cat=&Number=51459&page=0&view=collapsed&sb=5&o=&fpart=1#51459 astaro-firewall-info-disclosure(17960) Directory traversal vulnerability in user.cgi in SurgeLDAP 1.0g and earlier allows remote attackers to read arbitrary files via a .. in the page parameter of the show command. http://members.lycos.co.uk/r34ct/main/SurgeLDAP%201.0g.txt 10103 surgeldap-dotdot-directory-traversal(15851) SurgeLDAP 1.0g (Build 12), and possibly other versions before 1.0h, allows remote attackers to bypass authentication for the administration interface via a direct request to admin.cgi with a modified utoken parameter. http://netwinsite.com/surgeldap/updates.htm 1010113 1010068 10294 surgeldap-admin-auth-bypass(16076) Directory traversal vulnerability in phpMyFAQ 1.3.12 allows remote attackers to read arbitrary files, and possibly execute local PHP files, via the action variable, which is used as part of a template filename. 20040518 Advisory 05/2004: phpMyFAQ local file inclusion vulnerability 1010190 http://www.phpmyfaq.de/advisory_2004-05-18.php 10374 phpmyfaq-file-include(16177) Directory traversal vulnerability in phpMyFAQ 1.4.0 alpha allows remote attackers to read arbitrary files, and possibly execute local PHP files, via .. sequences in the lang (language) variable. 20040518 Advisory 05/2004: phpMyFAQ local file inclusion vulnerability 1010190 http://www.phpmyfaq.de/advisory_2004-05-18.php 20040518 Advisory 05/2004: phpMyFAQ local file inclusion vulnerability 10377 phpmyfaq-lang-directory-traversal(16223) phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request. 1010795 http://www.phpmyfaq.de/advisory_2004-07-27.php 10813 phpmyfaq-authentication-bypass(16814) Xconfig in Hummingbird Exceed before 9.0.0.1, when the Screen Definition is password-protected, allows local users to access certain options by switching to another tab, then switching back to the original tab. http://support.hummingbird.com/customer/download.asp?r2=/exceed/900/xconfig_9002.zip 10393 exceed-xconfig-bypass-security(16221) vsftpd before 1.2.2, when under heavy load, allows attackers to cause a denial of service (crash) via a SIGCHLD signal during a malloc or free call, which is not re-entrant. ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-1.2.2/Changelog http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119136 RHBA-2004-164 10394 vsftpd-connection-dos(16222) oval:org.mitre.oval:def:11049 Opera Browser 7.23, and other versions before 7.50, updates the address bar as soon as the user clicks a link, which allows remote attackers to redirect to other sites via the onUnload attribute. 10337 opera-onunload-url-spoofing(16131) Cross-site scripting (XSS) vulnerability in e107 allows remote attackers to inject arbitrary script or HTML via the "login name/author" field in the (1) news submit or (2) article submit functions. 1010084 10293 e107-news-submit-xss(16087) ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php. http://e107.org/comment.php?comment.news.672 1012657 12111 e107-images-file-upload(18670) 704 SQL injection vulnerability in the valid function in fr_left.php in PlaySMS 0.7 and earlier allows remote attackers to modify SQL statements via the vc2 cookie. 1010984 http://sourceforge.net/project/shownotes.php?release_id=254915 http://www.securiteam.com/unixfocus/5UP0F2ADPS.html 10970 playsms-valid-sql-injection(17031) ** DISPUTED ** Format string bug in the open_altfile function in filename.c for GNU less 382, 381, and 358 might allow local users to cause a denial of service or possibly execute arbitrary code via format strings in the LESSOPEN environment variable. NOTE: since less is not setuid or setgid, then this is not a vulnerability unless there are plausible scenarios under which privilege boundaries could be crossed. 20040818 gnu-less Format String Vulnerability 20040818 Re: gnu-less Format String Vulnerability 1010988 less-filename-format-string(17032) UUDeview 0.5.20 and earlier handles temporary files insecurely during decoding, with unknown attack vectors and impact. 9857 uudeview-insecure-temporary-files(15492) SQL injection vulnerability in Ansel 2.1 and earlier allows remote attackers to modify SQL statements via the image parameter. 1012434 11824 ansel-image-sql-injection(18373) Cross-site scripting (XSS) vulnerability in Ansel 2.1 and earlier allows remote attackers to inject arbitrary HTML or web script via the album name. 1012434 11824 ansel-albumname-xss(18374) PimenGest2 before 1.1.1 allows remote attackers to obtain the database password via debug information in rowLatex.inc.php. ftp://ftp.pimentech.net/src/pimengest2/debian/changelog 1010257 10408 pimengest2-rowlatex-view-password(16234) Stack-based buffer overflow in pads.c in Passive Asset Detection System (Pads) might allow local users to execute arbitrary code via a long report file name argument. NOTE: since Pads is not normally installed setuid, this may not be a vulnerability. 20040819 PADS Simple Stack Overflow pads-bo(17038) Unknown vulnerability in IBM Parallel Environment (PE) 3.2 and 4.1 allows attackers to execute arbitrary commands as root via unknown vectors in the sample code. 1010109 10310 ibm-pe-gain-privileges(16093) https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=18&ID=312 Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. 20041107 [New VULNERABILTY + Exploit] MiniShare, Minimal HTTP Server for Windows, Remote Buffer Overflow Exploit 1012106 http://sourceforge.net/project/shownotes.php?release_id=241158 http://www.securiteam.com/exploits/6X00B1PBPC.html 11620 minishare-address-link-bo(17978) Buffer overflow in the sockFinger_DataArrival function in efFingerD 0.2.12 allows remote attackers to cause a denial of service (daemon crash) via a long finger command. http://members.lycos.co.uk/r34ct/main/efFingerD.txt 1010094 effingerd-sockfingerdataarrival-bo(16097) efFingerD 0.2.12 allows remote attackers to cause a denial of service (daemon crash) via a packet with a single byte, which triggers a "Wrong protocol or connection state" error. Unknown vulnerability in Jigsaw before 2.2.4 has unknown impact and attack vectors, possibly related to the parsing of the URI. 1009169 9711 http://www.w3.org/Jigsaw/RelNotes.html#2.2.4 jigsaw-url-execute-code(15298) i-mall.cgi in I-Mall Commerce allows remote attackers to execute arbitrary commands via shell metacharacters via the p parameter. http://www.securiteam.com/exploits/5UP0715FPC.html 10626 http://www.zone-h.org/advisories/read/id=4904 imall-commerce-command-execution(16540) F-Secure Anti-Virus 5.41 and 5.42 on Windows, Client Security 5.50 and 5.52, 4.60 for Samba Servers, and 4.52 and earlier for Linux does not properly detect certain viruses in a PKZip archive, which allows viruses such as Sober.D and Sober.G to bypass initial detection. http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-linux-hotfixes.shtml http://support.f-secure.de/ger/home/downloads/hotfixes/av5-hotfixes.shtml fsecure-sober-detection-bypass(16243) Buffer overflow in aGSM Half-Life client allows remote Half-Life servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server response. 1010989 http://www.security.nnov.ru/docs6620.html 10989 agsm-response-bo(17046) Unknown cross-site scripting (XSS) vulnerability in the web GUI in vHost before 3.10r1 has unknown impact and attack vectors. http://chaogic.com/vhost/ChangeLog.txt 1009404 9860 vhost-xss(15446) Cross-site scripting (XSS) vulnerability in Invision Power Board 1.3 Final allows remote attackers to execute arbitrary script as other users via the pop parameter in a chat action to index.php. 20040308 Invision Power Board v1.3 Final Cross Site Scripting 2 - Addon invision-indexphp-xss(15448) Buffer overflow in IBM Lotus Notes 6.5.x before 6.5.3 and 6.0.x before 6.0.5 allows remote attackers to cause a denial of service (crash) via unknown vectors related to Java applets, as identified by KSPR62F4KN. 10704 http://www-1.ibm.com/support/docview.wss?rs=475&context=SSKTWP&q1=Java&uid=swg21173910&loc=en_US&cs=utf-8&lang=en Multiple unknown vulnerabilities in IBM Lotus Notes 6.5.x before 6.5.4 and 6.0.x before 6.0.5 have unknown impact and attack vectors, related to Java applets, as identified by (1) KSPR5YS6GR and (2) KSPR62F4D3. 10704 http://www-1.ibm.com/support/docview.wss?rs=475&context=SSKTWP&q1=Java&uid=swg21173910&loc=en_US&cs=utf-8&lang=en DansGuardian before 2.7.7-2 allows remote attackers to bypass URL filters via a ".." in the request. Unknown vulnerability in DansGuardian before 2.6.1-13 allows remote attackers to bypass URL filters via a crafted request that causes a page to be added to the clean page cache. http://dansguardian.org/?page=history The read_list_from_file function in vacation.pl for OpenWebmail before 2.32 20040629 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename argument. http://openwebmail.org/openwebmail/download/cert/advisories/SA-04:04.txt 1010605 10637 open-webmail-vacation-program-execution(16549) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-2022. Reason: This candidate is a duplicate of CVE-2004-2022. Notes: All CVE users should reference CVE-2004-2022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow. 20040517 RE: [Full-Disclosure] Buffer Overflow in ActivePerl ? 10380 perl-duplication-bo(16224) Directory traversal vulnerability in explorer.php in DSM Light Web File Browser 2.0 allows remote attackers to read arbitrary files via .. (dot dot) in the wdir parameter. 10381 Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBulletin allows remote attackers to spoof parts of a website via the loc parameter. http://www.infosecurity.org.cn/article/hacker/exploit/16557.html 10362 Microsoft Windows XP Explorer allows local users to execute arbitrary code via a system folder with a Desktop.ini file containing a .ShellClassInfo specifier with a CLSID value that is associated with an executable file. 20040517 Desktop.ini flaw results in executing folders http://www.freewebs.com/roozbeh_afrasiabi/xploit/execute.htm 10363 MS06-015 winxp-explorer-code-execution(16171) Microsoft Windows XP Explorer allows attackers to execute arbitrary code via a HTML and script in a self-executing folder that references an executable file within the folder, which is automatically executed when a user accesses the folder. 20040125 Self-Executing FOLDERS: Windows XP Explorer Part V 1008843 9487 win-folder-execute-code(14924) Microsoft Windows Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via an embedded script that uses Shell Helper objects and a shortcut (link) to execute the target script. 20040101 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part 9335 Buffer overflow in Alt-N MDaemon 7.0.1 allows remote attackers to cause a denial of service (application crash) via a long STATUS command to the IMAP server. 20040512 Mdaemon 7.0.1 IMAP overflow. 10366 mdaemon-imap-status-bo(16118) Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.0 to 7.3 allow remote attackers to inject arbitrary web script or HTML via the (1) eid parameter or (2) query parameter to the Encyclopedia module, (3) preview_review function in the Reviews module as demonstrated by the url, cover, rlanguage, and hits parameters, or (4) savecomment function in the Reviews module, as demonstrated using the uname parameter. NOTE: the Faq/categories and Encyclopedia/ltr issues are already covered by CVE-2005-1023. 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 10524 phpnuke-faq-encyclopedia-xss(16406) Canonicalize-before-filter error in the send_review function in the Reviews module for PHP-Nuke 6.0 to 7.3 allows remote attackers to inject arbitrary web script or HTML via hex-encoded XSS sequences in the text parameter, which is checked for dangerous sequences before it is canonicalized, leading to a cross-site scripting (XSS) vulnerability. 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 10524 SQL injection vulnerability in the Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to execute arbitrary SQL commands via the order parameter. 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 10524 phpnuke-reviews-sql-injection(16407) The preview_review function in the Reviews module in PHP-Nuke 6.0 to 7.3, when running on Windows systems, allows remote attackers to obtain sensitive information via an invalid date parameter, which generates an error message. 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 10524 phpnuke-reviews-path-disclosure(16408) The Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large, out-of-range score parameter. 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 20040611 [waraxe-2004-SA#032 - Multiple security flaws in PhpNuke 6.x - 7.3] 10524 phpnuke-reviews-dos(16409) Novell Internet Messaging System (NIMS) 2.6 and 3.0, and NetMail 3.1 and 3.5, is installed with a default NMAP authentication credential, which allows remote attackers to read and write mail store data if the administrator does not change the credential by using the NMAP Credential Generator. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10095545.htm Buffer overflow in Omnicron OmniHTTPd 3.0a and earlier allows remote attackers to execute arbitrary code via an HTTP GET request with a long Range header. 20040518 Overflow@OmniHTTPd 10376 omnithttpd-range-header-bo(16190) Buffer overflow in snmpd in ucd-snmp 4.2.6 and earlier, when installed setuid root, allows local users to execute arbitrary code via a long -p command line argument. NOTE: it is not clear whether there are any standard configurations in which snmpd is installed setuid or setgid. If not, then this issue should not be included in CVE. http://www.packetstormsecurity.org/0405-advisories/snmpdadv.txt 10396 ucd-snmpd-command-bo(16245) Eudora before 6.1.1 allows remote attackers to cause a denial of service (crash) via an e-mail with a long "To:" field, possibly due to a buffer overflow. http://www.eudora.com/download/eudora/windows/6.1.1/RelNotes.txt 10398 eudora-to-field-dos(16246) Race condition in the sysfs_read_file and sysfs_write_file functions in Linux kernel before 2.6.10 allows local users to read kernel memory and cause a denial of service (crash) via large offsets in sysfs files. http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.10-rc1/2.6.10-rc1-mm1/broken-out/fix-race-in-sysfs_read_file-and-sysfs_write_file.patch http://linux.bkbits.net:8080/linux-2.6/cset%404186a4deVoR88JjTwMa3ZnIp-_YJsA DSA-922 MDKSA-2005:218 MDKSA-2005:219 SUSE-SA:2005:044 13091 MTools Mformat before 3.9.9, when installed setuid root, creates files with world-readable and world-writable permissions, which allows local users to read and overwrite files. MDKSA-2004:016 9746 mtools-mformat-insecure-permissions(15317) Integer overflow in Trillian 0.74 and earlier, and Trillian Pro 2.01 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. 20040224 Advisory 02/2004: Trillian remote overflows http://security.e-matters.de/advisories/022004.html 1009220 9489 trillian-directim-bo(15303) Computer Associates eTrust Antivirus EE 6.0 through 7.0 allows remote attackers to bypass virus scanning by including a password-protected file in a ZIP file, which causes eTrust to scan only the password protected file and skip the other files. 9665 1009074 etrust-antivirus-scan-bypass(15230) Sun Solaris 7 through 9, when Basic Security Module (BSM) is enabled and the SUNWscpu package has been removed as a result of security hardening, disables mail alerts from the audit_warn script, which might allow attackers to escape detection. 57483 O-070 13724 solaris-bsm-sunwscpu-weak-security(15042) Microsoft Internet Explorer 6.0.2600 on Windows XP allows remote attackers to cause a denial of service (browser crash) via a shell: URI with double backslashes (\\) in an HTML tag such as IFRAME or A. 20040319 Internet Explorer Causing Explorer.exe - Null Pointer Crash 9924 ie-shell-dos(15544) Cross-site scripting (XSS) vulnerability in cPanel 9.1.0 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the dir parameter in dohtaccess.html. 20040312 Cpanel Request Lets Authenticated Users Conduct Cross-Site Scripting Attacks 9853 cpanel-dir-xss(15485) Directory traversal vulnerability in Crob FTP Server 3.5.1 allows local users to browse outside the FTP root via multiple ../ (dot dot slash) in the DIR command. 20040201 Vulnerabilities in Crob FTP Server V3.5.1 9546 1008908 crob-dir-directory-traversal(15028) Cross-site scripting (XSS) vulnerability in webadmin.nsf in Lotus Domino R6 6.5.1 allows remote attackers to inject arbitrary web script or HTML via a Domino command in the Quick Console. http://members.lycos.co.uk/r34ct/main/ibm_lotus_domino/lotus.txt 9901 lotus-domino-webadmin-xss(15502) Directory traversal vulnerability in webadmin.nsf in Lotus Domino R6 6.5.1 allows local users to create folders or determine the existence of files via a .. (dot dot) in the new folder dialog. http://members.lycos.co.uk/r34ct/main/ibm_lotus_domino/lotus.txt 9900 lotus-webadmin-file-disclosure(15504) Buffer overflow in GNU make for IBM AIX 4.3.3, when installed setgid, allows local users to gain privileges via a long CC argument. 20040322 AIX 4.3.3 has make sgid 0? 20040323 Re: AIX 4.3.3 has make sgid 0? 9903 aix-make-cc-bo(15554) Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for incorrect passwords versus correct passwords on non-mail-enabled accounts (such as root), which allows remote attackers to guess the root password via brute force attacks. 20040131 sqwebmail web login 9541 sqwebmail-login-info-disclosure(15058) The Telnet listener for Novell iChain Server before 2.2 Field Patch 3b 2.2.116 does not have a password by default, which allows remote attackers to gain access. O-080 1008961 ichain-tcp-gain-access(15068) Mbedthis AppWeb HTTP server before 1.0.2 allows remote attackers to cause a denial of service (crash) via an empty OPTIONS request. 9494 mbedthis-multiple-dos(14926) Mbedthis AppWeb HTTP server before 1.0.2 allows remote attackers to cause a denial of service (crash) via a GET request containing an MS-DOS device name such as COM1. 9494 mbedthis-multiple-dos(14926) Information leak in Mbedthis AppWeb HTTP server 1.0 through 1.1.2 allows remote attackers to obtain sensitive information via a user message that is generated when Mbedthis denies access. http://www.mbedthis.com/products/appWeb/doc/product/newFeatures.html 10673 The administrative interface (surgeftpmgr.cgi) for SurgeFTP Server 1.0b through 2.2k1 allows remote attackers to cause a temporary denial of service (crash) via requests with two percent (%) signs in the CMD parameter. http://members.lycos.co.uk/r34ct/main/surge_FTP/surge-ftp.txt 1008898 9554 surgeftp-web-interface-dos(15001) IBM Informix Dynamic Server (IDS) before 9.40.xC3 allows local users to (1) create or overwrite files via the /001 log file to onedcu or (2) read arbitrary files via a symlink attack on a file in /tmp to onshowaudit. 20040129 ----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========---------- 9511 9512 http://www-1.ibm.com/support/docview.wss?uid=swg21153336 informix-onshowaudit-information-disclosure(14969) informix-onedcu-symlink-attack(14971) The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting. BEA04-48.01 VU#867593 9506 1008866 weblogic-trace-xss(14959) BEA WebLogic Server and Express 8.1 SP1 and earlier allows local users in the Operator role to obtain administrator passwords via MBean attributes, including (1) ServerStartMBean.Password and (2) NodeManagerMBean.CertificatePassword. BEA04-49.00 9505 1008867 weblogic-operator-gain-access(14962) SQL injection vulnerability in the (1) announce and (2) notes modules of phpWebSite before 0.9.3-2 allows remote attackers to execute arbitrary SQL queries, as demonstrated using the ANN_id parameter to the announce module. http://sourceforge.net/tracker/index.php?func=detail&aid=892174&group_id=15539&atid=115539 1009045 http://www.systemsecure.org/advisories/ssadvisory13022004.php http://www.zone-h.com/advisories/read/id=3955 phpwebsite-announce-sql-injection(15219) DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to obtain sensitive information, including the SQL server username and password, via a GET request for source or configuration files such as Web.config. 20040128 Dotnetnuke Multiple Vulnerabilities 9518 dotnetnuke-get-information-disclosure(14972) SQL injection vulnerability in DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to modify the backend database via the (1) table and (2) field parameters in LinkClick.aspx. 20040128 Dotnetnuke Multiple Vulnerabilities 9518 dotnetnuke-multiple-sql-injection(14973) Cross-site scripting (XSS) vulnerability in EditModule.aspx for DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to inject arbitrary web script or HTML. 20040128 Dotnetnuke Multiple Vulnerabilities 9518 dotnetnuke-editmoduleaspxxss(14974) SQL injection vulnerability in IP3 Networks NetAccess Appliance before firmware 3.1.18b13 allows remote attackers to bypass authentication via the (1) login or (2) password. NOTE: this issue was later reported to also affect firmware 4.0.34. 20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance 9858 ip3-na75-password-field-sql-injection(26106) Vizer Web Server 1.9.1 allows remote attackers to cause a denial of service (crash) via multiple malformed requests including (1) requests without GET, (2) GET requests without HTTP, (3) or long GET requests. 20040217 Denial Of Service in Vizer Web Server 1.9.1 9678 vizer-long-string-dos(15239) Clearswift MAILsweeper for SMTP before 4.3_13 allows remote attackers to cause a denial of service (infinite loop) via an e-mail with a crafted RAR archive attached. 9556 mailsweeper-smtp-rar-dos(14979) Kerio Personal Firewall (KPF) 2.1.5 allows local users to execute arbitrary code with SYSTEM privileges via the Load button in the Firewall Configuration Files option, which does not drop privileges before opening the file loading dialog box. 9525 1008870 http://www.tuneld.com/_images/other/kpf_system_privileges.png http://www.tuneld.com/news/?id=30 kerio-pf-gain-privileges(14981) ColdFusion MX 6.1 and 6.1 J2EE allows remote attackers to cause a denial of service via an HTTP request containing a large number of form fields. http://www.macromedia.com/devnet/security/security_zone/mpsb04-02.html 9522 coldfusion-mx-request-dos(14983) ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag. http://www.macromedia.com/devnet/security/security_zone/mpsb04-01.html 9521 coldfusion-mx-sandbox-bypass(14984) Multiple cross-site scripting (XSS) vulnerabilities in CPAN WWW::Form before 1.13 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. http://www.securiteam.com/unixfocus/5IP0L2KBPM.html 9526 wwwform-xss(14985) Bodington 2.1.0 RC1 and earlier does not secure the file upload area, which allows remote attackers to read uploaded files. http://sourceforge.net/tracker/index.php?func=detail&aid=789761&group_id=87659&atid=583930 9528 bodington-uploadarea-obtain-information(14986) Multiple cross-site scripting (XSS) vulnerabilities in EMU Webmail 5.2.7 allow remote attackers to inject arbitrary web script or HTML via (1) a hex-encoded value to the variable parameter in emumail.fcgi, (2) the folder parameter in emumail.fcgi, or Javascript in the (3) username or (4) password field in the login page. http://members.lycos.co.uk/r34ct/main/emu/emu.txt 1009397 9861 http://www.zone-h.com/advisories/read/id=4141 emu-webmail-emumail-xss(15451) emu-webmail-login-xss(15452) The Macromedia installers and e-licensing client on Mac OS X, as used for Macromedia Contribute 2, Director, Dreamweaver, Fireworks, Flash, and Studio, install the AuthenticationService setuid and writable by other users, which allows local users to gain privileges by modifying the program. http://www.macromedia.com/devnet/security/security_zone/mpsb04-03.html 9862 elicensing-gain-privileges(15465) Unknown vulnerability in Novell GroupWise and GroupWise WebAccess 6.0 through 6.5, when running with Apache Web Server 1.3 for NetWare where Apache is loaded using GWAPACHE.CONF, allows remote attackers to read directories and files on the server. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091330.htm 9864 1009417 groupwise-obtain-information(15467) The /.inlook/.crypt file for inlook 0.7.3 and earlier is installed with world readable permissions, which allows local users to obtain user POP3 credentials. 9527 inlook-file-information-disclosure(14990) https://sourceforge.net/project/shownotes.php?release_id=213427 OpenBSD 3.3 and 3.4 does not properly parse Accept and Deny rules without netmasks on big-endian 64-bit platforms such as SPARC64, which may allow remote attackers to bypass access restrictions. http://www.openbsd.org/errata33.html http://www.openbsd.org/errata34.html 9867 ** DISPUTED ** Microsoft Windows 2000, XP, and possibly 2003 allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel and read or write kernel memory via the NtSystemDebugControl function, which does not verify its pointer arguments. Note: this issue has been disputed, since Administrator privileges are typically required to exploit this issue, thus privilege boundaries are not crossed. 20040219 RE: Multiple WinXP kernel vulns can give user mode programs kernel mode privileges 20040219 RE: Multiple WinXP kernel vulns can give user mode programs kernel mode privileges 20040218 Multiple WinXP kernel vulns can give user mode programs kernel mode privileges 1009128 win-kernel-gain-privileges(15263) ** UNVERIFIABLE ** SQL injection vulnerability in PunkBuster Screenshot Database (PB-DB) Alpha 6 allows remote attackers to execute arbitrary SQL commands via the username and password fields of the login form. NOTE: the original vulnerability report contains several significant inconsistencies that make it unclear whether the report is accurate, including (1) PB-DB is really the "PunkBuster Screenshot Database" and not "PunkBuster" itself; (2) there is no apparent association between PunkBuster and "Punky Brewster"; (3) the claimed source code is not anywhere in Alpha 6. 1009145 20040219 PunkBuster SQL Injection Attack 9697 punkbuster-login-sql-injection(15267) PHP file include injection vulnerability in isearch.inc.php for iSearch allows remote attackers to execute arbitrary code via the isearch_path parameter. 1008900 isearch-isearchincphp-file-include(15009) ChatterBox 2.0 allows remote attackers to cause a denial of service (server crash) via a malformed request to the server, as demonstrated using "aaaaaa". http://www.autistici.org/fdonato/advisory/ChatterBox2.0-adv.txt 20040130 Denial Of Service in ChatterBox 2.0 9532 chatterbox-dos(15011) ** DISPUTED ** Apache HTTP Server 2.0.47 and earlier allows local users to bypass .htaccess file restrictions, as specified in httpd.conf with directives such as Deny From All, by using an ErrorDocument directive. NOTE: the vendor has disputed this issue, since the .htaccess mechanism is only intended to restrict external web access, and a local user already has the privileges to perform the same operations without using ErrorDocument. 20040131 BUG IN APACHE HTTPD SERVER (current version 2.0.47) 20040202 Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) 20040204 Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) apache-httpd-bypass-restriction(15015) Unknown vulnerability in the ASN.1/H.323/H.225 stack of VocalTec VGW120 and VGW480 allows remote attackers to cause a denial of service. 10411 http://www.securitylab.ru/45401.html vocaltec-gateway-dos(16240) Unknown multiple vulnerabilities in Oracle9i Database Server 9.0.1.4, 9.0.1.5, 9.2.0.3, and 9.2.0.4 allow local users with the ability to invoke SQL to cause a denial of service or obtain sensitive information. http://otn.oracle.com/deploy/security/pdf/2004alert64.pdf 9705 oracle9i-sql-dos(15271) Multiple cross-site scripting (XSS) vulnerabilities in Forum Web Server 1.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the Subject field in post1.htm and (2) the File Description field in postfile2.htm. 1008896 forumwebserver-multiple-xss(15018) blog.cgi in Leif M. Wright Web Blog 1.1 and 1.1.5 allows remote attackers to execute arbitrary commands via shell metacharacters such as '|' in the file parameter of ViewFile requests. http://leifwright.com/scripts/Blog.html 20040129 Web Blog 1.1 Remote Execute Commands Bug 9539 webblog-file-command-execution(15019) Sybari AntiGen for Domino 7.0 Build 722 SR2 allows remote attackers to cause a denial of service (hang) via an encrypted ZIP file with the "include full path info" option set, as used by certain variants of the Beagle/Bagle worm. 1009437 9880 antigen-zip-file-dos(15470) Multiple SQL injection vulnerabilities in Tunez before 1.20-pre2 allow remote attackers to execute arbitrary SQL queries. http://sourceforge.net/tracker/index.php?func=detail&aid=879391&group_id=2266&atid=102266 9565 tunez-multiple-sql-injection(15020) SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 allows remote attackers to execute arbitrary SQL and gain privileges via the search_results parameter. 20040314 [SCAN Associates Sdn Bhd Security Advisory] phpBB 2.0.6 and below sql injection 9883 phpbb-config-sql-injection(15475) Cross-site scripting (XSS) vulnerability in GBook for Php-Nuke 1.0 allows remote attackers to inject arbitrary web script or HTML via multiple parameters, including (1) name, (2) email, (3) city, and (4) message, which do not use the <script> and <style> tags, which are filtered by PHP-Nuke. 1008930 20040202 [waraxe-2004-SA#001] - Script injection in GBook for Php-Nuke ver. 1.0 9559 gbook-message-html-injection(15027) Cross-site scripting (XSS) vulnerability in GBook for PHP-Nuke 1.0 allows remote attackers to inject arbitrary web script or HTML via cookies that are stored in the $_COOKIE PHP variable, which is not cleansed by PHP-Nuke. 1008930 20040202 [waraxe-2004-SA#001] - Script injection in GBook for Php-Nuke ver. 1.0 9559 gbook-message-html-injection(15027) BugPort before 1.099 stores its configuration file (conf/config.conf) under the web document root with a file extension that is not normally parsed by web servers, which allows remote attackers to obtain sensitive information. http://www.incogen.com/downloads/bugport/CHANGELOG.txt 9542 bugport-obtain-information(15030) SQL injection vulnerability in 4nGuestbook 0.92 for PHP-Nuke 6.5 through 6.9 allows remote attackers to modify SQL statements via the entry parameter to modules.php, which can also facilitate cross-site scripting (XSS) attacks when MySQL errors are triggered. 20040315 [waraxe-2004-SA#007 - XSS and SQL injection bugs in 4nguestbook module for PhpNuke] 4nguestbook-modules-xss(15478) Cross-site scripting (XSS) vulnerability in Crafty Syntax Live Help (CSLH) before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the name field of a livehelp or chat session. 20040603 Cross-site scripting vulnerability in Crafy Syntax Live Help 2.7.3 and below http://www.craftysyntax.com/CHANGELOG.txt 10463 cslh-chat-name-xss(16321) Early termination vulnerability in Fizmez Web Server 1.0 allows remote attackers to cause a denial of service (crash) by connecting to the server and then disconnecting without sending any data, which triggers a null pointer dereference. 1009451 http://www.autistici.org/fdonato/advisory/fws1.0-adv.txt 9894 fizmez-webserver-null-dos(15506) The embedded MySQL 4.0 server for Proofpoint Protection Server does not require a password for the root user of MySQL, which allows remote attackers to read or modify the backend database. 20040201 Proofpoint Protection Server remote MySQL root user vulnerability 20040223 Re: [Full-Disclosure] Proofpoint Protection Server remote MySQL root user vulnerability proofpoint-mysql-gain-access(15280) Cross-site scripting (XSS) vulnerability in admin_words.php for phpBB 2.0.6c allows remote attackers to inject arbitrary web script or HTML via the id parameter. 20040322 [waraxe-2004-SA#009 - Non-critical Sql injection and XSS bug in PhpBB 2.0.6c] 9896 phpbb-adminwords-xss(15579) Dell TrueMobile 1300 WLAN Mini-PCI Card Util TrayApplet 3.10.39.0 does not properly drop SYSTEM privileges when started from the systray applet, which allows local users to gain privileges by accessing the Help functionality. 20040222 Dell TrueMobile Wireless Help Privilege Escalation Vulnerability 1009174 9714 dell-truemobile-gain-privileges(15285) Targem Battle Mages 1.0 allows remote attackers to cause a denial of service (infinite loop) via a UDP packet with incomplete data, which causes the server to enter an infinite loop while waiting to read the rest of the data that is not sent. http://aluigi.altervista.org/adv/battlemages-adv.txt 20040311 Unreal engine updates and Battle Mages advisory 9849 battlemages-incomplete-data-dos(15487) Digital Reality game engine, as used in Haegemonia 1.0 through 1.0.7 and Desert Rats vs. Afrika Korps 1.0, allows remote attackers to cause a denial of service (crash) via a chat message with a large message size, which triggers an out-of-bounds read. http://aluigi.altervista.org/adv/hgmcrash-adv.txt 20040224 Remote server crash in Haegemonia <= 1.07 9736 haegemonia-long-packet-dos(15307) PHPX 3.2.6 and earlier allows remote attackers to obtain the physical path of PHPX via a null or invalid value in the limit parameter, which leaks the pathname in a database error message, as demonstrated using forums.php. 1010061 http://www.phpx.org/project.php?action=view&project_id=1 20040504 Vulnerabilities In PHPX 3.26 And Earlier phpx-limit-path-disclosure(16064) Validate-Before-Canonicalize vulnerability in the checkURI function in functions.inc.php in PHPX 3.0 through 3.2.6 allows remote attackers to conduct cross-site scripting (XSS) attacks via hex-encoded tags, which bypass the check for literal "<", ">", "(", and ")" characters, as demonstrated using the limit parameter to forums.php and a variety of other vectors. http://www.phpx.org/project.php?action=view&project_id=1 20040504 Vulnerabilities In PHPX 3.26 And Earlier 10283 phpx-xss(16065) Cross-site request forgery (CSRF) vulnerability in PHPX 3.0 through 3.2.6 allows remote attackers to execute arbitrary commands via URLs that are automatically executed on behalf of the administrator, as demonstrated using (1) admin/page.php, (2) admin/news.php, (3) admin/user.php, (4) admin/images.php, (5) admin/page.php, or (6) admin/forums.php. 1010061 http://www.phpx.org/project.php?action=view&project_id=1 20040504 Vulnerabilities In PHPX 3.26 And Earlier 10284 Memory leak in Microsoft Windows XP and Windows Server 2003 allows local users to cause a denial of service (memory exhaustion) by repeatedly creating and deleting directories using a non-standard tool such as smbmount. 20040202 smbmount disrupts Windows file sharing. win-linux-smbmount-dos(15057) Buffer overflow in GlobalSCAPE Secure FTP Server 2.0 B03.11.2004.2 allows remote attackers to cause a denial of service (crash) via a SITE command with a long argument. http://www.cuteftp.com/gsftps/history.asp http://www.securiteam.com/windowsntfocus/5KP0C20CAC.html 9904 secureftp-site-command-bo(15511) The Control Panel applet in WFTPD and WFTPD Pro 3.21 R1 and R2 allows remote authenticated users to cause a denial of service (crash) via a long FTP command. http://www.securiteam.com/windowsntfocus/5JP0B20CAY.html 9908 http://www.wftpd.com/bug_gpf.htm wftpd-gui-dos(15510) PHP remote file inclusion vulnerability in header.php in Opt-X 0.7.2 allows remote attackers to execute arbitrary PHP code via the systempath parameter. http://www.opt-x.org/index.php 9732 http://www.zone-h.org/en/advisories/read/id=4036/ optx-header-file-include(15296) Directory traversal vulnerability in webadmin.nsf for Lotus Domino R6 6.5.1 allows attackers to create and detect directories via a .. (dot dot) in the directory creation command. http://members.lycos.co.uk/r34ct/main/ibm_lotus_domino/lotus.txt 9900 lotus-dotdot-file-creation(15503) lotus-webadmin-file-disclosure(15504) Stack-based buffer overflow in Trillian 0.71 through 0.74f and Trillian Pro 1.0 through 2.01 allows remote attackers to execute arbitrary code via a Yahoo Messenger packet with a long key name. 20040224 Advisory 02/2004: Trillian remote overflows http://security.e-matters.de/advisories/022004.html 1009220 trillian-key-name-bo(15304) Multiple Red Storm web-based games, including Ghost Recon 1.4 and earlier, Desert Siege, and The Sum of all Fears 1.1.1.0 and earlier, do not properly check return values from certain functions, which allows remote attackers to cause a denial of service (hang) via packets that contain text strings with incorrect size values. http://aluigi.altervista.org/adv/grboom-adv.txt 20040224 Remote crash in Ghost Recon engine 9738 http://www.zone-h.org/advisories/read/id=4038 redstorm-games-dos(15305) Buffer overflow in Bochs before 2.1.1, if installed setuid, allows local users to execute arbitrary code via a long HOME environment variable, which is used if the .bochsrc, bochsrc, and bochsrc.txt cannot be found in a known path. NOTE: some external documents recommend that Bochs be installed setuid root, so this should be treated as a vulnerability. 1009219 http://sourceforge.net/project/shownotes.php?release_id=215733 http://www.securiteam.com/unixfocus/5XP0L1FC0M.html bochs-home-bo(15309) The Buddy icon file for AOL Instant Messenger (AIM) 4.3 through 5.5 is created in a predictable location, which may allow remote attackers to use a shell: URI to exploit other vulnerabilities that involve predictable locations. 20040219 Aol Instant Messenger/Microsoft Internet Explorer remote code execution 9698 aim-buddy-predictable-location(15310) BadBlue 2.4 allows remote attackers to obtain the location of the server installation path via a request for phptest.php, which includes the pathname in the source of the resulting HTML. 20040224 BadBlue 2.4 Local Path Disclosure By phptest.php 9737 badblue-phptestphp-path-disclosure(15311) Buffer overflow in the POP3 server in 1st Class Mail Server 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an APOP USER command with a long second parameter (digest). 1009279 http://www.digiti.be/jeffosz/advisories/1stclasspop3.txt 9794 http://www.zone-h.org/advisories/read/id=4047 1st-class-apop-dos(15314) Buffer overflow in postfile.exe for Twilight Utilities Web Server 2.0.0.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL request with a long attfile attribute. http://members.lycos.co.uk/r34ct/main/TW-webserver/TWwebserver.txt 1009443 twilight-postfile-attfile-bo(15515) Alcatel OmniSwitch 7000 and 7800 allows remote attackers to cause a denial of service (reboot) via certain network scans, as demonstrated using a Nessus port scan of ports 1 through 1024 with safe-checks disabled. 1009211 20040219 Alcatel Omniswitch 7000 series 9745 alcatel-omniswitch-nessus-dos(15318) @Mail 3.64 for Windows allows remote attackers to cause a denial of service ("unusable" server) via a large number of POP3 connections to the server. http://members.lycos.co.uk/r34ct/main/@mail_3.64/@mail_3.64.txt 9749 1009208 atmail-connection-dos(15320) Multiple cross-site scripting (XSS) vulnerabilities in @Mail 3.64 for Windows allow remote attackers to inject arbitrary web script or HTML via (1) the Displayed Name attribute in util.pl and (2) the Folder attribute in showmail.pl. http://members.lycos.co.uk/r34ct/main/@mail_3.64/@mail_3.64.txt 9748 1009208 atmail-util-xss(15324) Directory traversal vulnerability in postfile.exe for Twilight Utilities Web Server 2.0.0.0 allows remote attackers to write arbitrary files via a .. (dot dot) in the attfile parameter. http://members.lycos.co.uk/r34ct/main/TW-webserver/TWwebserver.txt 1009443 twilight-postfile-create-file(15523) HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote attackers to cause denial of service (memory usage and application crash) via HTTP requests with a large Content-Length. http://cvs.sourceforge.net/viewcvs.py/jetty/Jetty/src/org/mortbay/http/HttpRequest.java?r1=1.75&r2=1.76 http://sourceforge.net/project/shownotes.php?release_id=224743 9917 jetty-dos(15537) The PerfectNav plugin for Microsoft Internet Explorer allows remote attackers to cause a denial of service (browser crash) via a malformed URL such as "?". 20040226 PerfectNav Crashes IE http://securetarget.net/advisory.htm 1009218 9753 ie-perfect-nav-dos(15326) Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to bypass cross-frame scripting restrictions and capture keyboard events from other domains via an HTML document with Javascript that is outside a frameset that includes the target domain, then forcing the frameset to maintain focus. NOTE: the discloser claimed that the vendor does not categorize this as a vulnerability, but it can be used in a spoofing scenario; the discloser provides alternate scenarios. Spoofing scenarios are currently included in CVE. 20040227 Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass 9761 ie-frame-domain-bypass(15337) NullSoft Winamp 5.02 allows remote attackers to cause a denial of service (crash) by creating a file with a long filename, which causes the victim's player to crash when the file is opened from the command line. 20040319 Winamp 5.02 Long Filename Buffer Overflow Vulnerability 20040320 Re: Winamp 5.02 Long Filename Buffer Overflow Vulnerability 9920 winamp-long-file-dos(15541) EMU Webmail 5.2.7 allows remote attackers to obtain sensitive path information (home directory) via an HTTP request for init.emu. http://members.lycos.co.uk/r34ct/main/emu/emu.txt 9861 emu-init-path-disclosure(15453) Format string vulnerability in the LogMsg function in sercd before 2.3.1 and sredird 2.2.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers passed from the HandleCPCCommand function. http://cvs.lysator.liu.se/viewcvs/viewcvs.cgi/sercd/sercd.c?root=sercd 1011038 11002 11031 sredird-logmsg-format-string(17056) Buffer overflow in the HandleCPCCommand function of sercd before 2.3.1 and sredird 2.2.1 and earlier allows remote attackers to execute arbitrary code. http://cvs.lysator.liu.se/viewcvs/viewcvs.cgi/sercd/sercd.c?root=sercd 1011038 11002 11033 sredird-handlecpccommand-execute-code(17059) rexecd for AIX 4.3.3 does not properly use a local copy of the pwd structure when calling getpwnam, which may cause the structure to be overwritten by the authenticate function and assign privileges to the wrong user. O-102 9835 IY53507 rexecd-gain-privileges(15455) Unknown vulnerability in Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2.0.8 allows remote attackers to cause a denial of service (infinite loop) via user re-registration. 1009248 http://www.jabberstudio.org/projects/jabber-gg-transport/releases/view.php?id=429 9710 jabber-gadugadu-dos(15319) The roster import functionality in Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2.0.8, when using libgadu 1.0 and later, allows attackers to cause a denial of service via unknown vectors. http://www.jabberstudio.org/projects/jabber-gg-transport/releases/view.php?id=429 9710 jabber-gadugadu-dos(15319) Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2.0.8 allows remote attackers to cause a denial of service a message with an empty <priority/> tag. http://www.jabberstudio.org/projects/jabber-gg-transport/releases/view.php?id=429 9710 jabber-gadugadu-dos(15319) libuser 0.51.7 allows attackers to cause a denial of service (crash or disk consumption) via unknown attack vectors, related to read failures and other bugs. 1010187 MDKSA-2004:044 RHSA-2005:770 10368 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120168 libuser-dos(16188) Java Secure Socket Extension (JSSE) 1.0.3 through 1.0.3_2 does not properly validate the certificate chain of a client or server, which allows remote attackers to falsely authenticate peers for SSL/TLS. 1010193 57560 201724 1001273 10387 sun-jsse-improper-validation(16194) Off-by-one error in passwd 0.68 and earlier, when using the --stdin option, causes passwd to use the first 78 characters of a password instead of the first 79, which results in a small reduction of the search space required for brute force attacks. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060 MDKSA-2004:045 10370 passwd-stdin-offbyone-bo(16178) Memory leak in passwd 0.68 allows local users to cause a denial of service (memory consumption) via a large number of failed read attempts from the password buffer. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060 MDKSA-2004:045 10370 passwd-memory-leak(16180) passwd 0.68 does not check the return code for the pam_start function, which has unknown impact and attack vectors that may prevent "safe and proper operation" of PAM. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060 MDKSA-2004:045 10370 passwd-pamstart-improper-validation(16179) The web-based Management Console in Blue Coat Security Gateway OS 3.0 through 3.1.3.13 and 3.2.1, when importing a private key, stores the key and its passphrase in plaintext in a log file, which allows attackers to steal digital certificates. http://www.bluecoat.com/support/knowledge/advisory_private_key_compromise.html 10371 bluecoat-sgos-key-plaintext(16182) Netenberg Fantastico De Luxe 2.8 uses database file names that contain the associated usernames, which allows local users to determine valid usernames and conduct brute force attacks by reading the file names from /var/lib/mysql, which is assigned world-readable permissions by cPanel 9.3.0 R5. 20040519 Non-logged Brute Force Attack Vulnerability for Fantastico-Created Databases on cPanel Based Hosts 10390 cpanel-fantastico-obtain-information(16197) Secure Computing Corporation Sidewinder G2 6.1.0.01 allows remote attackers to cause a denial of service (CPU consumption) via delayed responses to DNS queries. http://www.securecomputing.com/pdf/SW61002Rel_Notes_0512.pdf WinFTP Server 1.6 stores username and password credentials in plaintext in the data\user.wfd file, which allows local users to gain access to the credentials. 1012321 11749 win-ftp-password-plaintext(18247) Stack-based buffer overflow in Ipswitch IMail Express Web Messaging before 8.05 might allow remote attackers to execute arbitrary code via an HTML message with long "tag text." http://support.ipswitch.com/kb/IM-20031219-DF01.htm 10106 imail-express-message-bo(15841) Cross-site scripting (XSS) vulnerability in YaBB.pl in YaBB 1 GOLD SP 1.3.2 allows remote attackers to inject arbitrary web script or HTML via a hex-encoded to parameter. NOTE: some sources say that the board parameter is affected, but this is incorrect. 20040916 RE: www.proboards.com / YaBB XSS Vuln 11215 yabb-board-xss(17452) Cross-site request forgery (CSRF) vulnerability in YaBB 1 GOLD SP 1.3.2 allows remote attackers to perform unauthorized actions as the administrative user via a link or IMG tag to YaBB.pl that specifies the desired action, id, and moda parameters. 20040916 RE: www.proboards.com / YaBB XSS Vuln 11214 yabb-administrative-bypass(17453) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-2347. Reason: This candidate is a duplicate of CVE-2004-2347. Notes: All CVE users should reference CVE-2004-2347 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in multiple F-Secure Anti-Virus products, including F-Secure Anti-Virus 5.42 and earlier, allows remote attackers to bypass scanning or cause a denial of service (crash or module restart), depending on the product, via a malformed LHA archive. http://www.f-secure.com/security/fsc-2004-1.shtml fsecure-lha-archive-bo(16258) Unknown "overflow" in the phpgw_config table for phpGroupWare before 0.9.14.002 has unknown attack vectors and impact. http://sourceforge.net/project/shownotes.php?release_id=153116 Unknown vulnerability in phpGroupWare before 0.9.14.002 has unknown attack vectors and impact, related to a "security hole" in the Setup/Config functionality. http://sourceforge.net/project/shownotes.php?release_id=153116 Linux VServer 1.27 and earlier, 1.3.9 and earlier, and 1.9.1 and earlier shares /proc permissions across all virtual and host servers, which allows local users with the ability to set permissions in /proc to obtain system information or cause a denial of service on other virtual servers or the host server. 20040703 Linux Virtual Server/Secure Context procfs shared permissions flaw http://linux-vserver.org/ChangeLog 1010643 10660 linux-vserver-modify-permissions(16626) Buffer overflow in the sh_hash_compdata function for Samhain 1.8.9 through 2.0.1, when running in update mode ("-t update"), might allow attackers to execute arbitrary code. 1012142 11635 samhain-update-bo(18000) Unknown vulnerability in sh_hash_compdata for Samhain 1.8.9 through 2.0.1 might allow attackers to cause a denial of service (null pointer dereference). 1012142 The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4.0 through 5.0 does not sufficiently cleanse inputs, which allows remote attackers to conduct cross-site scripting (XSS) attacks that do not use <script> tags, as demonstrated via javascript in IMG tags to (1) the cat parameter in shopdisplayproducts.asp or (2) the msg parameter in shoperror.asp, and possibly other vectors. 20040613 VP-ASP Shopping Cart Multiple Vulnerabilities http://www.providesecurity.com/research/advisories/06142004-01.asp 10530 10534 http://www.vpasp.com/virtprog/info/faq_securityfixes.htm vpasp-shoperror-xss(16411) Multiple SQL injection vulnerabilities in VP-ASP Shopping Cart 4.0 through 5.0 allow remote attackers to execute arbitrary SQL commands via the catalogid parameter in (1) shopreviewlist.asp and (2) shopreviewadd.asp. 9967 http://www.vpasp.com/virtprog/info/faq_securityfixes.htm vpasp-catalogid-sql-injection(15588) SQL injection vulnerability in VP-ASP Shopping Cart 4.0 through 5.0 allows remote attackers to execute arbitrary SQL commands via the (1) Processed0 and (2) Processed1 parameters in a POST request to shopproductselect.asp. 20040613 VP-ASP Shopping Cart Multiple Vulnerabilities 10536 vpasp-shopproductselect-sql-injection(16400) Novell NetWare 6.5 SP 1.1, when installing or upgrading using the Overlay CDs and performing a custom installation with OpenSSH, includes sensitive password information in the (1) NIOUTPUT.TXT and (2) NI.LOG log files, which might allow local users to obtain the passwords. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2968534.htm 9934 netware-installation-file-disclosure(15600) Davenport before 0.9.10 allows attackers to cause a denial of service (resource consumption) via (1) a very large XML file or (2) entity expansion attacks. 1011030 http://sourceforge.net/mailarchive/forum.php?thread_id=5385243&forum_id=33977 http://sourceforge.net/project/shownotes.php?release_id=262497 11001 davenport-long-xml-dos(17062) Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request. 1012189 http://www.securiteam.com/exploits/6E0032KBPM.html 11666 proxy-server-ccproxy-bo(18012) Format string vulnerability in smtp.c for smtp.proxy 1.1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the (1) client hostname or (2) message-id, which are injected into a syslog message. 20040610 [0xbadc0ded #04] smtp.proxy <= 1.1.3 10509 smtpproxy-format-string(16378) Buffer overflow in SlimFTPd 3.15 and earlier allows local users to execute arbitrary code via a long command, such as (1) CWD, (2) STOR, (3) MKD, and (4) STAT. 20041110 [Advisory + Exploit] SlimFTPd <= 3.15 1012167 11645 http://www.whitsoftdev.com/slimftpd/ slimftpd-multiple-command-bo(18014) Keene Digital Media Server 1.0.2 allows local users to obtain usernames and passwords by reading the dmscore.db file on the local system. 1010928 10933 keene-plaintext-password(16964) Hitachi Job Management Partner (JP1) JP1/File Transmission Server/FTP 6 and 7 allows remote attackers to cause a denial of service (daemon halt) via a port scan involving reset packets. 1011024 http://www.hitachi-support.com/security_e/vuls_e/HS04-005_e/01-e.html http://www.hitachi-support.com/security_e/vuls_e/HS04-005_e/index-e.html 11012 hitachi-jp1ftp-reset-dos(17071) Unknown vulnerability in Hitachi Job Management Partner (JP1) JP1/File Transmission Server/FTP 6 and 7, when running on HP-UX in trusted mode, allows attackers to bypass authentication and gain administrator rights. 1011023 http://www.hitachi-support.com/security_e/vuls_e/HS04-004_e/index-e.html 11012 hitachi-jp1ftp-authentication(17074) Multiple features in Ipswitch IMail Server before 8.13 allow remote attackers to cause a denial of service (crash) via (1) a long sender field to the Queue Manager or (2) a long To field to the Web Messaging component. 1011146 http://support.ipswitch.com/kb/IM-20040902-DM01.htm#FIXES 11106 ipswitch-queue-manager-dos(17219) ipswitch-web-messaging-dos(17222) Unknown vulnerability in the Web calendaring component of Ipswitch IMail Server before 8.13 allows remote attackers to cause a denial of service (crash) via "specific content." 1011146 http://support.ipswitch.com/kb/IM-20040902-DM01.htm#FIXES 11106 ipswitch-web-calendaring-dos(17220) BEA WebLogic Server and WebLogic Express 8.1 through 8.1 SP2 allow remote attackers to cause a denial of service (network port consumption) via unknown actions in HTTPS sessions, which prevents the server from releasing the network port when the session ends. BEA04-61.00 1010492 10544 weblogic-ssl-dos(16419) Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands via accent (`) and possibly other shell metacharacters in the query string to virtualinput.cgi. 20040822 [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers 20040831 Axis Network Camera and Video Server Security Advisory 1011056 11011 asix-command-execution(17076) Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a .. (dot dot) in an HTTP POST request to ServerManager.srv, then use these privileges to conduct other activities, such as modifying files using editcgi.cgi. 20040822 [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers 20040831 Axis Network Camera and Video Server Security Advisory 1011056 11011 axis-directory-traversal(17079) Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi, and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or (7) cause a denial of service (reboot) via restart.cgi. 20040822 [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers 1011056 Abczone.it WWWguestbook 1.1 stores db/dbase.mdb under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the plaintext username and password. 1011026 wwwguestbook-url-information-disclosure(17077) Multiple stack-based and heap-based buffer overflows in EnderUNIX spamGuard before 1.7-BETA allow remote attackers to execute arbitrary code via the (1) qmail_parseline and (2) sendmail_parseline functions in parser.c, (3) loadconfig and (4) removespaces functions in loadconfig.c, and possibly (5) unspecified functions in functions.c. 20040528 EnderUNIX Security Anouncement (Isoqlog and Spamguard) 1010342 http://www.enderunix.org/spamguard/spamguard-1.7/CHANGELOG 10434 spamguard-multiple-bo(16278) Trend OfficeScan Corporate Edition 5.58 and possibly earler does not drop privileges when opening a help window from a virus detection pop-up window, which allows local users to gain SYSTEM privileges. 20040609 Trend Officescan local privilege escalation http://uk.trendmicro-europe.com/enterprise/support/knowledge_base_detail.php?solutionId=20118 10503 officescan-service-gain-privileges(16375) Unknown vulnerability in The Ignition Project ignitionServer 0.1.2 through 0.3.1, with the linking service enabled, allows remote attackers to bypass authentication. 10525 ignition-server-password-bypass(16397) WinAgents TFTP Server 3.0 allows remote attackers to cause a denial of service (crash) via a request for a file with a long file name, possibly due to an off-by-one buffer overflow. 1010464 http://www.packetstormsecurity.org/0406-exploits/WinAgentsTFTP.txt 10526 winagents-tftp-filename-dos(16390) Buffer overflow in the IsValidFile function in the ADM ActiveX control for Altnet Download Manager 4.0.0.4 and earlier, as used in Kazaa Media Desktop 1.3 through 2.6.4 and Grokkster 1.3 through 2.6, allows remote attackers to execute arbitrary code via a long bstrFilepath parameter. 1011155 11101 adm-bstrfilepath-bo(17221) Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a denial of service (browser crash) via a link with "::{" (colon colon left brace), which triggers a null dereference when the user attempts to save the link using "Save As" and Internet Explorer prepares an error message with an attacker-controlled format string. 20040614 Internet Explorer Remote Null Pointer Crash(mshtml.dll) 20040615 RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll) 20040728 Re: Internet Explorer Remote Null Pointer Crash(mshtml.dll) 1010491 http://www.securiteam.com/windowsntfocus/5IP020KDPU.html ie-null-pointer-dos(16420) Cross-site scripting (XSS) vulnerability in PeopleSoft Human Resources Management System (HRMS) 7.0, when "web enabled" using HTML Access, allows remote attackers to inject arbitrary web script or HTML via unspecified (1) debugging or (2) utility scripts. AA-2004.03 11275 1011433 peoplesoft-hrms-xss(17543) Computer Associates Unicenter Common Services 3.0 and earlier stores the database "SA" password in cleartext in the TndAddNspTmp.bat file, which could allow local users to gain privileges. 1011468 11277 unicenter-tndaddnsptmp-information-disclosure(17562) SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php. 11296 phpfusion-sql-injection(17546) Cross-site scripting (XSS) vulnerability in PHP-Fusion 4.01 allows remote attackers to inject arbitrary web script or HTML via the (1) Submit News, (2) Submit Link or (3) Submit Article field. 11296 phpfusion-submit-xss(17548) The remote upgrade capability in HP LaserJet 4200 and 4300 printers does not require a password, which allows remote attackers to upgrade firmware. SSRT4840 1011671 11297 hp-laserjet-firmware-upgrade(17634) Unspecified vulnerability in cmdline.c in proxytunnel 1.1.3 and earlier allows local users to obtain proxy credentials (username or password) of other users. 1011486 http://sourceforge.net/project/shownotes.php?release_id=271699 11299 proxytunnel-information-disclosure(17566) Unspecified vulnerability in Kerio MailServer before 6.0.3 has unknown impact and unknown remote attack vectors, related to a "potential security issue." http://www.kerio.com/kms_history.html 11300 kerio-mailserver(17601) Multiple interpretation error in various F-Secure Anti-Virus products, including Workstation 5.43 and earlier, Windows Servers 5.50 and earlier, MIMEsweeper 5.50 and earlier, Anti-Virus for Linux Servers and Gateways 4.61 and earlier, and other products, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on the target system. P-041 http://www.f-secure.com/security/fsc-2004-3.shtml VU#968818 11732 fsecure-zip-scan-bypass(18217) Jaws 0.3 allows remote attackers to bypass authentication and via an HTTP request to admin.php with the logged cookie set to the MD5 hash of a null password, which is compared against the logged session variable by the logged_on function in application.php. 20040706 Multiples vulnerabilities in JAWS 1010651 10670 jaws-cookie-bypass-authentication(16622) Cross-site scripting (XSS) vulnerability in index.php in Jaws 0.3 allows remote attackers to inject arbitrary web script or HTML via the action parameter. 20040705 Multiples vulnerabilities in JAWS 1010651 10670 jaws-indexphp-xss(16621) Directory traversal vulnerability in index.php in Jaws 0.3 BETA allows remote attackers to view arbitrary files via a .. (dot dot) in the gadget parameter. 20040705 Multiples vulnerabilities in JAWS 1010651 10670 jaws-index-file-disclosure(16620) Directory traversal vulnerability in 1st Class Mail Server 4.01 allows remote attackers to read arbitrary files via a ".." (dot dot) sequences in unknown vectors. http://members.lycos.co.uk/r34ct/main/1st%20Class%20mail%20server%204.01.txt 1009705 10089 1stclass-dotdot-directory-traversal(15812) Cross-site scripting (XSS) vulnerability in 1st Class Mail Server 4.01 allows remote attackers to inject arbitrary web script or HTML via the Mailbox parameter to (1) viewmail.tagz, (2) the index script under /user/, (3) members.tagz, (4) general.tagz, (5) advanced.tagz, or (6) list.tagz. 1009705 10089 1stclass-multiple-xss(15815) S-Mart Shopping Cart or RediCart 3.9.5b stores smart.cfg under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the database name. 1012306 smart-cart-information-disclosure(18219) Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier allows remote attackers to cause a denial of service (application crash) via a long, malformed UDP datagram. http://aluigi.altervista.org/adv/wilco-again-adv.txt 20040331 RogerWilco: new funny bugs 10022 roger-wilco-udp-dos(15716) The client and server for Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier report sensitive information such as IDs and source IP addresses, which allows remote attackers to obtain sensitive information. 20040331 RogerWilco: new funny bugs 10024 roger-wilco-obtain-information(15816) Roger Wilco 1.4.1.6 and earlier, or Roger Wilco Base Station 0.30a or earlier, allows remote attackers to send audio to arbitrary channels, aka the "Voices from the deep" bug. 20040331 RogerWilco: new funny bugs 10025 roger-wilco-audio-access(15819) Unknown vulnerability in Hitachi Cosminexus Portal Framework 01-00, 01-01, 01-02, 02-01, 02-02, 02-03, and other versions allows remote attackers to obtain sensitive information in the <ut:cache> tag library. 1011171 http://www.hitachi-support.com/security_e/vuls_e/HS04-006_e/01-e.html 11128 cosminexus-info-disclosure(17278) Unknown vulnerability in Tutti Nova 0.10 through 0.12 (Beta) and 0.9.4, when register_globals is enabled, has unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?release_id=265832 11127 tutti-nova-registerglobals-enabled(17279) aMSN 0.90 for Microsoft Windows allows local users to obtain sensitive information such as hashed passwords from (1) hotlog.htm and (2) config.xml. 1010555 http://sourceforge.net/tracker/index.php?func=detail&aid=976450&group_id=54091&atid=472655 amsn-hotlog-obtain-passwords(16479) Sweex Wireless Broadband Router/Accesspoint 802.11g (LC000060) allows remote attackers to obtain sensitive information and gain privileges by using TFTP to download the nvram file, then extracting the username, password, and other data from the file. 20040512 Sweex 802.11g router/accesspoint config disclosure / remote config 10339 1010143 sweex-router-obtain-information(16140) SQL injection vulnerability in index.php in miniBB 1.7f and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a userinfo action. 1012164 http://www.minibb.net/forums/index.php?action=vthread&forum=1&topic=1767 http://www.minibb.net/forums/index.php?action=vthread&forum=9&topic=1854 11688 minibb-user-sql-injection(18080) Unspecified vulnerability in 3Com OfficeConnect ADSL 11g Router allows remote attackers to cause a denial of service (crash) via a large amount of UDP traffic. 11685 3com-officeconnect-udp-dos(18081) Open WebMail 2.30 and earlier, when use_syshomedir is disabled or create_syshomedir is enabled, creates new directories before authenticating, which allows remote attackers to create arbitrary directories. http://openwebmail.org/openwebmail/download/cert/patches/SA-04:02/openwebmail.pl.patch 10087 open-webmail-directory-creation(15822) Unknown vulnerability in gnubiff 1.2.0 and earlier allows local users to obtain passwords, related to the password table. http://sourceforge.net/project/shownotes.php?group_id=94176&release_id=248016 Unknown vulnerability in POP3 in gnubiff before 2.0.0 allows remote attackers to cause a denial of service (application crash) via an "infinite" Unique IDentification Listing (UIDL) list. http://gnubiff.sourceforge.net/changelog.php 11123 gnubiff-pop3-dos(17282) Buffer overflow in pop3.c in gnubiff before 2.0.0 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code. http://gnubiff.sourceforge.net/changelog.php 11123 gnubiff-pop3-dos(17282) cplay 1.49 on Linux allows local users to overwrite arbitrary files via a symlink attack on the cplay_control temporary file. 1010574 10597 cplay-tmpfile-insecure(16482) Buffer overflow in ADA Image Server (ImgSvr) 0.4 allows remote attackers to cause a denial of service (web server crash) or execute arbitrary code via a long GET request. http://members.lycos.co.uk/r34ct/main/ADA%20Image%20Server%20(ImgSvr)%200.4.txt 10046 img-svr-get-bo(15827) imgsvr-get-bo(16679) Directory traversal vulnerability in ADA Image Server (ImgSvr) 0.4 allows remote attackers to read arbitrary files or list directories via hex-encoded "..//" sequences ("%2e%2e%2f%2f"). NOTE: it was later reported that 0.6.21 and earlier is also affected. http://members.lycos.co.uk/r34ct/main/ADA%20Image%20Server%20(ImgSvr)%200.4.txt 20071224 Double directory traversal in ImgSvr 0.6.21 10048 imgsvr-dotdot-directory-traversal(16680) Cross-site scripting (XSS) vulnerability in chat.ghp in Easy Chat Server 1.2 allows remote attackers to inject arbitrary web script or HTML via the username parameter. easychat-chatghp-xss(16634) chat.ghp in Easy Chat Server 1.2 allows remote attackers to cause a denial of service (server crash) via a long username parameter, possibly due to a buffer overflow. NOTE: it was later reported that 2.2 is also affected. 20040702 Multiple Vulnerabilities in Easy Chat Server 1.2 20040702 Multiple Vulnerabilities in Easy Chat Server 1.2 http://www.autistici.org/fdonato/advisory/EasyChatServer1.2-adv.txt 33326 25328 67384 ADV-2007-2901 easychat-chatghp-username-dos(16629) easychatserver-username-dos(36013) 4289 chat.ghp in Easy Chat Server 1.2 allows remote attackers to add a large number of fake users, then eventually cause a denial of service (server crash). 20040702 Multiple Vulnerabilities in Easy Chat Server 1.2 20040702 Multiple Vulnerabilities in Easy Chat Server 1.2 http://www.autistici.org/fdonato/advisory/EasyChatServer1.2-adv.txt easychat-multiple-chatghp-dos(16633) Cross-site scripting (XSS) vulnerability in SillySearch 2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter. 1009598 sillysearch-search-xss(15683) Unspecified vulnerability in Reservation.class.php for phpScheduleIt 1.01 and earlier allows attackers to modify or delete reservations. 1012246 http://sourceforge.net/tracker/index.php?func=detail&aid=1051841&group_id=95547&atid=611778 11690 phpscheduleit-restrictions-bypass(18089) Unspecified vulnerability in MadBMS before 1.1.5 has unknown impact and attack vectors, related to logins. http://test.madgenius.com/madBMS/ChangeLog 10018 madbms-login(15684) SQL injection vulnerability in the sloth TCL script in QuoteEngine before 1.2.0 allow remote attackers to execute arbitrary SQL commands via unknown vectors. http://sourceforge.net/project/shownotes.php?release_id=227554 10017 quoteengine-sql-injection(15685) Agnitum Outpost Pro Firewall 2.1 allows remote attackers to cause a denial of service (CPU consumption) via a flood of small, invalid packets, which can not be processed quickly enough by Outpost Pro. 1010151 http://www.securiteam.com/windowsntfocus/5FP0E0KCUW.html 10338 outpost-packet-dos(16133) wmFrog weather monitor 0.1.6 and other versions before 0.2.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294352 http://sourceforge.net/project/shownotes.php?release_id=516070&group_id=67429 http://wmfrog.svn.sourceforge.net/svnroot/wmfrog/wmfrog/CHANGES 11743 24504 ADV-2007-2238 wmfrog-symlink(18232) wmfrog-wmfrog-symlink(34924) SQL injection vulnerability in PHPNews 1.2.3 allows remote attackers to execute arbitrary SQL commands via the mid parameter to sendtofriend.php. http://newsphp.sourceforge.net/changelog/changelog_1.24.txt 11748 phpnews-sendtofriend-sql-injection(18233) Cross-site scripting (XSS) vulnerability in Google Toolbar 2.0.114.1 allows remote attackers to inject arbitrary web script via about.html in the About section. NOTE: some followup posts suggest that the demonstration code's use of the res:// protocol does not cross privilege boundaries, since it is not allowed in the Internet Zone. Thus this might not be a vulnerability. 20040917 GoogleToolbar:About -- Allows Script Injection 20040918 Re: GoogleToolbar:About -- Allows Script Injection 20040918 Re: GoogleToolbar:About -- Allows Script Injection 1011351 11210 google-toolbar-about-code-execution(17435) Microsoft Internet Explorer 6.0 allows remote attackers to cause a denial of service (infinite loop and crash) via an IFRAME with "?" as the file source. 20040406 Kerio Personal Firewall 4 and IE 6 "Bug" 20040407 Internet Explorer 6 - Crash 10073 ie-iframe-dos(15832) DiamondCS Process Guard Free 2.000 allows local users to disable the process guard protection system by overwriting the current Service Descriptor Table (SDT) in \device\physicalmemory with the original SDT found in ntoskrnl.exe. http://www.security.org.sg/vuln/procguard.html 10675 1010662 diamondcs-process-guard-disable-protection(16654) Unspecified vulnerability in Jetty HTTP Server, as used in (1) IBM Trading Partner Interchange before 4.2.4, (2) CA Unicenter Web Services Distributed Management (WSDM) before 3.11, and possibly other products, allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. 20061003 [CAID 34661]: CA Unicenter WSDM File System Read Access Vulnerability 1011545 1016975 20061003 [CAID 34661]: CA Unicenter WSDM File System Read Access Vulnerability 11330 ADV-2006-3873 http://www-1.ibm.com/support/docview.wss?uid=swg21178665 trading-partner-gain-access(17600) Squid Web Proxy Cache 2.5 might allow remote attackers to obtain sensitive information via URLs containing invalid hostnames that cause DNS operations to fail, which results in references to previously used error messages. FLSA-2006:152809 1012466 RHSA-2005:766 11865 http://www.squid-cache.org/bugs/show_bug.cgi?id=1143 squid-hostname-obtain-info(18406) oval:org.mitre.oval:def:9711 Squid Web Proxy Cache 2.3.STABLE5 allows remote attackers to bypass security controls and access arbitrary websites via "@@" sequences in a URL within Internet Explorer. 20040510 a litle bypass with IE 10315 squid-url-bypass-security(16153) MyProxy 6.58 allows remote authenticated users in the Users Tab to connect to arbitrary hosts from the MyProxy server, possibly bypassing access restrictions, by connecting to the proxy and issuing a CONNECT command. 1012322 http://www.securitylab.ru/vulnerability/source/210758.php myproxy-connect-gain-access(18265) Microsoft Outlook 2000 and 2003, when configured to use Microsoft Word 2000 or 2003 as the e-mail editor and when forwarding e-mail, does not properly handle an opening OBJECT tag that does not have a closing OBJECT tag, which causes Outlook to automatically download the URI in the data property of the OBJECT tag and might allow remote attackers to execute arbitrary code. 20040708 Microsoft Word Email Object Data Vulnerability 10683 microsoft-object-gain-access(16663) Kerio WinRoute Firewall before 6.0.9 uses information from PTR queries in response to A queries, which allows remote attackers to poison the DNS cache or cause a denial of service (connection loss). http://www.kerio.com/security_advisory.html 11870 kerio-winroute-dns-cache-poisoning(18410) Cross-site scripting (XSS) vulnerability in PHP Gift Registry 1.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the message parameter to (1) event.php or (2) index.php. http://cvs.sourceforge.net/viewcvs.py/phpgiftreg/src/event.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpgiftreg/src/index.php?r1=1.20&r2=1.21 http://sourceforge.net/project/shownotes.php?release_id=288731 11879 phpgiftregistry-message-xss(18412) Unspecified vulnerability in PHP Live! before 2.8.2, due to a "major security problem," allows remote attackers to include arbitrary files and directories via unspecified attack vectors. [fm-news] 20041123 Newsletter for Monday, November 22nd 2004 1012467 11863 php-live(18414) The DSS verification code in Dropbear SSH Server before 0.43 frees uninitialized variables, which might allow remote attackers to gain access. http://matt.ucc.asn.au/dropbear/CHANGES 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 10803 ADV-2008-0543 dropbear-dss-code-execution(16810) cisco-unifiedipphone-ssh-bo(40490) Directory traversal vulnerability in Nexgen FTP Server before 2.2.3.23 allows remote authenticated users to read or list arbitrary files via (1) "..", (2) "\..\" (backslash dot dot), or (3) "/../" sequences in (a) RETR (get), (b) NLST (ls), (c) LIST (ls), (d) RNFR, or (e) RNTO FTP commands. http://www.nexgenserver.com/cgi-bin/loadframe2.cgi?/History.html 9970 1009545 nexgen-dotdot-directory-traversal(15594) Directory traversal vulnerability in Nexgen FTP Server before 2.2.3.23 allows remote authenticated users to read or list arbitrary files via "C:" sequences in the (1) RETR (get), (2) NLST (ls), (3) LIST (ls), (4) RNFR, or (5) RNTO FTP commands. http://www.nexgenserver.com/cgi-bin/loadframe2.cgi?/History.html 9970 1009545 nexgen-dotdot-directory-traversal(15594) Format string vulnerability in IBM Informix Dynamic Server (IDS) before 9.40.xC3 allows local users to execute arbitrary code via a modified INFORMIXDIR environment variable that points to a file with format string specifiers in the filename. 20030314 SRT2004-01-18-0747 - IBM Informix IDS 9.4 contains multiple vulnerabilities 9511 http://www-1.ibm.com/support/docview.wss?uid=swg21153336 informix-informixdir-format-string(14967) Buffer overflow in IBM Informix Dynamic Server (IDS) 9.40.xC1 and 9.40.xC2 allows local users to execute arbitrary code via a long GL_PATH environment variable. 20030314 SRT2004-01-18-0747 - IBM Informix IDS 9.4 contains multiple vulnerabilities 9511 http://www-1.ibm.com/support/docview.wss?uid=swg21153336 informix-ids-glpath-bo(14949) A race condition in Opera web browser 7.53 Build 3850 causes Opera to fill in the address bar before the page has been loaded, which allows remote attackers to spoof the URL in the address bar via the window.open and location.replace HTML parameters, which facilitates phishing attacks. 20040726 Opera 7.53 (Build 3850) Address Bar Spoofing Issue http://www.opera.com/windows/changelogs/754/ 10810 opera-addressbar-spoofing(16816) Cross-site scripting (XSS) vulnerability in Groupmax World Wide Web (GmaxWWW) Desktop 5, 6, and Desktop for Jichitai 6, allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter. http://www.hitachi-support.com/security_e/vuls_e/HS04-007_e/01-e.html 11773 groupmax-query-xss(18277) Directory traversal vulnerability in Groupmax World Wide Web (GmaxWWW) 2 and 3, and Desktop 5, 6, and Desktop for Jichitai allows remote authenticated users to read arbitrary .html files via the template name parameter. http://www.hitachi-support.com/security_e/vuls_e/HS04-007_e/01-e.html 11773 groupmax-directory-traversal(18278) Cross-site scripting (XSS) vulnerability in _error in Ability Mail Server 1.18 allows remote attackers to inject arbitrary web script or HTML via the erromsg parameter. http://members.lycos.co.uk/r34ct/main/Ability_mail_server_1.18.txt 1010672 10695 ability-errormsg-xss(16676) The (1) Webmail, (2) admin, and (3) SMTP services in Ability Mail Server 1.18 allow remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous connections to the service. http://members.lycos.co.uk/r34ct/main/Ability_mail_server_1.18.txt 1010672 10695 ability-mult-connection-dos(16677) The HTTP daemon in OpenText FirstClass 7.1 and 8.0 allows remote attackers to cause a denial of service (service availability loss) via a large number of POST requests to /Search. 20041214 OpenText FirstClass 8.0 HTTP Daemon /Search Remote DoS Vulnerability 1012478 11877 firstclass-dos(18424) Cross-site scripting (XSS) vulnerability in the error handler in Hitachi Web Page Generator and Web Page Generator Enterprise 4.01 and earlier, when using the default error template and debug mode is set to ON, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. http://www.hitachi-support.com/security_e/vuls_e/HS04-003_e/index-e.html 10818 web-page-generator-xss(16822) Unspecified vulnerability in the error handler in Hitachi Web Page Generator and Web Page Generator Enterprise 4.01 and earlier, when using the default error template and debug mode is set to ON, allows remote attackers to determine internal directory structures via unknown attack vectors. http://www.hitachi-support.com/security_e/vuls_e/HS04-003_e/index-e.html 10818 web-page-generator-xss(16822) Unspecified vulnerability in Hitachi Web Page Generator and Web Page Generator Enterprise 4.01 and earlier allows remote attackers to cause a denial of service via unknown attack vectors when a web site is "improperly accessed." http://www.hitachi-support.com/security_e/vuls_e/HS04-002_e/index-e.html 10817 web-page-generator-dos(16821) Unknown vulnerability in IlohaMail before 0.8.14-rc1 has unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?group_id=54027&release_id=288409 11872 Ilohamail(18426) Buffer overflow in the IMAP service of MailEnable Professional Edition 1.52 and Enterprise Edition 1.01 allows remote attackers to execute arbitrary code via (1) a long command string or (2) a long string to the MEIMAP service and then terminating the connection. 20041125 Remote buffer overflow in MailEnable IMAP service [Hat-Squad Advisory] 1012327 http://www.hat-squad.com/en/000102.html 11755 mailenable-imap-bo(18285) mailenable-imap-code-execution(18286) im-switch before 11.4-46.1 in Fedora Core 2 allows local users to overwrite arbitrary files via a symlink attack on the imswitcher[PID] temporary file. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126940 http://packetstormsecurity.org/0407-advisories/fedora_im-switch_tempfile_race.txt 10717 fedora-imswitch-symlink(16682) INweb Mail Server 2.40 allows remote attackers to cause a denial of service (crash) via a large number of connect/disconnect actions to the (1) POP3 and (2) SMTP services. http://members.lycos.co.uk/r34ct/main/inwebmail.txt 1010680 10719 inweb-mult-connections-dos(16683) The GUI in Alt-N Technologies MDaemon 7.2 and earlier, including 6.8, executes child processes such as NOTEPAD.EXE with SYSTEM privileges when users create new files, which allows local users with physical access to gain privileges. 20041129 Privilege escalation flaw in MDaemon 7.2. 20041129 Privilege escalation flaw in MDaemon 7.2. 20041130 Re: Privilege escalation flaw in MDaemon 7.2. 1012350 11736 mdaemon-gain-privileges(18287) Macromedia ColdFusion MX before 6.1 does not restrict the size of error messages, which allows remote attackers to cause a denial of service (memory consumption and crash) by sending repeated GET or POST requests that trigger error messages that use long strings of data. 20040417 Network Intelligence Advisory - Denial of Service Vulnerability in ColdFusion MX 10163 coldfusion-file-upload-dos(15895) Unparsed web content delivery vulnerability in WIKINDX before 0.9.9g allows remote attackers to obtain sensitive information via a direct HTTP request to the config.inc file. http://sourceforge.net/project/shownotes.php?release_id=231421 wikindx-configinc-obtain-information(15885) Absolute path traversal vulnerability in main.cgi in Linksys WVC11B Wireless-B Internet Video Camera allows remote attackers to read arbitrary files via an absolute pathname in the next_file parameter. 20040606 Linksys Web Camera File Inclusion Vuln 1010489 10476 linksys-webcamera-file-include(16339) Cross-site scripting (XSS) vulnerability in main.cgi in Linksys WVC11B Wireless-B Internet Video Camera allows remote attackers to inject arbitrary web script or HTML via the next_file parameter. 20040613 Linksys Web Camera Cross-site Scripting Vuln 1010424 10533 linksys-webcamera-main-xss(16415) Cross-site scripting (XSS) vulnerabilities in (1) calendar.php, (2) login.php, and (3) online.php in Infopop UBB.Threads 6.2.3 and 6.5 allow remote attackers to inject arbitrary web script or HTML via the Cat parameter. 20041213 Multiple XSS Vulnerabilities in several UBB.Thread Versions 1012503 11900 ubbthreads-multiple-scripts-xss(18432) Cross-site scripting (XSS) vulnerability in showflat.php in Infopop UBB.Threads before 6.5 allows remote attackers to inject arbitrary web script or HTML via the Cat parameter. 20041213 Multiple XSS Vulnerabilities in several UBB.Thread Versions 1012503 11900 ubbthreads-multiple-scripts-xss(18432) Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the year, (2) month, and (3) day parameters in calendar.php; (4) the cid and (5) url parameters in index.php; (6) the cid parameter in annoucement.php; (7) the cid parameter in news.php; (8) the cid parameter in contents.php; (9) the q parameter in search.php; and (10) the country parameter in register.php. 20041006 [Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal 1006351 11338 11339 dcpportal-get-xss(17638) dcpportal-post-xss(17639) CRLF injection vulnerability in calendar.php in DCP-Portal 5.3.2 and earlier allows remote attackers to conduct HTTP response splitting attacks to spoof web content and poison web caches via CRLF ("%0d%0a") sequences in the PHPSESSID parameter. 20041006 [Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal 1011481 11340 dcpportal-phpsessid-response-splitting(17640) Buffer overflow in the IMAP service of Mercury (Pegasus) Mail 4.01 allows remote attackers to execute arbitrary code via a long SELECT command. http://home.kabelfoon.nl/~jaabogae/han/m_401b.html pegasus-imap-select-bo(18295) 663 Cross-site scripting (XSS) vulnerability in modules/private_messages/index.php in PowerPortal 1.x allows remote attackers to inject arbitrary web script or HTML via the (1) SUBJECT or (2) MESSAGE field. 1010802 http://www.securiteam.com/unixfocus/5TP0O2ADFK.html 10835 powerportal-private-message-xss(16838) Format string vulnerability in VMware Workstation 4.5.2 build-8848, if running with elevated privileges, might allow local users to execute arbitrary code via format string specifiers in command line arguments. NOTE: it is not clear if there are any default or typical circumstances under which VMware would be running with privileges beyond those already available to the attackers, so this might not be a vulnerability. 20041129 Format string flaw in VMWare Workstation 4.5.2 build-8848. 11737 vmware-format-string(18297) Directory traversal vulnerability in myServer 0.7 allows remote attackers to list arbitrary directories via an HTTP GET command with a large number of "./" sequences followed by "../" sequences. 20040915 myServer 0.7 Directory Traversal Vulnerability 1011278 http://sourceforge.net/project/shownotes.php?release_id=267444 11189 myserver-get-directory-traversal(17390) myServer 0.7.1 allows remote attackers to cause a denial of service (crash) via a long HTTP POST request in a View=Logon operation to index.html. http://fux0r.phathookups.com/advisory/sp-x14-advisory.txt 1011427 http://sourceforge.net/project/shownotes.php?release_id=270736 myserver-http-post-dos(17496) Gattaca Server 2003 1.1.10.0 allows remote attackers to obtain sensitive information via (1) a trailing null byte ("%00") to a URL or (2) an invalid LANGUAGE parameter to web.tmpl, which reveals the full installation path in an error message. http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt 1010703 http://www.gattaca-server.com/cgi-bin/yabb/YaBB.pl?board=gattaca_discussion;action=display;num=1091194176;start=0#0 10729 gattaca-null-path-disclosure(16699) gattaca-language-path-disclosure(16700) Gattaca Server 2003 1.1.10.0 allows remote attackers to cause a denial of service (CPU consumption) via directory specifiers in the LANGUAGE parameter to (1) index.tmpl and (2) web.tmpl, such as (a) slash "/", (b) backslash "\", (c) dot ".",, (d) dot dot "..", and (e) internal slash "lang//en". http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt 1010703 http://www.gattaca-server.com/cgi-bin/yabb/YaBB.pl?board=gattaca_discussion;action=display;num=1091194176;start=0#0 10728 gattaca-language-path-disclosure(16700) POP3 protocol in Gattaca Server 2003 1.1.10.0 allows remote authenticated users to cause a denial of service (application crash) via a large numeric value in the (1) LIST, (2) RETR, or (3) UIDL commands. http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt 1010703 http://www.gattaca-server.com/cgi-bin/yabb/YaBB.pl?board=gattaca_discussion;action=display;num=1091194176;start=0#0 10728 gattaca-pop3-dos(16703) Mail server in Gattaca Server 2003 1.1.10.0 allows remote attackers to perform a denial of service (application crash) via a large number of connections to TCP port (1) 25 (SMTP) or (2) 110 (POP). http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt 1010703 http://www.gattaca-server.com/cgi-bin/yabb/YaBB.pl?board=gattaca_discussion;action=display;num=1091194176;start=0#0 gattaca-pop3-dos(16703) Cross-site scripting (XSS) vulnerability in web.tmpl in Gattaca Server 2003 1.1.10.0 allows remote attackers to inject arbitrary web script or HTML via the (1) template or (2) language parameter. http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt 1010703 http://www.gattaca-server.com/cgi-bin/yabb/YaBB.pl?board=gattaca_discussion;action=display;num=1091194176;start=0#0 10731 gattaca-web-xss(16701) Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument. 20040729 [VSA0402] OpenFTPD format string vulnerability 20040803 EXPLOIT for Re: [VSA0402] OpenFTPD format string vulnerability 1010823 http://www.openftpd.org:9673/openftpd 10830 openftpd-ncftpformat-string(16843) clogin.php in Benchmark Designs' WHM AutoPilot 2.4.5 and earlier allows remote attackers to obtain plaintext username and password credentials by using the clogin_e and base64_encode functions to encode the desired user ID in the c parameter, then read the plaintext values in the resulting form. 20040802 Benchmark Designs' WHM Autopilot backdoor vulnerability to plain-text password. 1010833 10846 whmautopilot-clogin-gain-access(16849) Cross-site scripting (XSS) vulnerability in compat.php in Serendipity before 0.7.1 allows remote attackers to inject arbitrary web script or HTML via the searchTerm variable. 1012383 http://sourceforge.net/tracker/index.php?func=detail&aid=1076762&group_id=75065&atid=542822 11790 serendipity-combatphp-xss(18322) Directory traversal vulnerability in ldacgi.exe in IBM Tivoli Directory Server 4.1 and earlier allows remote attackers to view arbitrary files via a .. (dot dot) in the Template parameter. 20040802 IBM Directory Server - ldacgi.exe 1010831 http://www.oliverkarow.de/research/IDS_directory_traversal.txt 10841 IR52692 IR53631 tivoli-directory-directory-traversal(16850) The local and remote desktop login screens in Microsoft Windows XP before SP2 and 2003 allow remote attackers to cause a denial of service (CPU and memory consumption) by repeatedly using the WinKey+"U" key combination, which causes multiple copies of Windows Utility Manager to be loaded more quickly than they can be closed when the copies detect that another instance is running. The DoS flaw affects slower machines and those with less ram quicker than higher specification machines. On very hi-spec machines, the flaw does not seem to be exploitable. 20040801 Remotely Exploitable DoS Flaw in XP and 2003 1010836 win-winkey-u-dos(16851) Cross-site scripting (XSS) vulnerability in sresult.exe in Webcam Watchdog 4.0.1a allows remote attackers to inject arbitrary web script or HTML via the cam parameter. http://members.lycos.co.uk/r34ct/main/Webcam_watchdog_401a.txt 1010824 10837 webcam-watchdog-sresult-xss(16854) Gadu-Gadu allows remote attackers to bypass the "image send" option by sending a very small image file, which could be used in conjunction with image-related vulnerabilities. 20041213 Gadu-Gadu several vulnerabilities http://www.man.poznan.pl/~security/gg-adv.txt 11899 gadu-gadu-image-bypass-security(18463) Visual truncation vulnerability in Gadu-Gadu allows remote attackers to spoof the file extension on transmitted files via a filename with a large number of spaces followed by the real extension, which is not displayed in the dialog box. 20040821 GADU-GADU Instant messanger - long file name 1011037 11017 gadu-gadu-file-ext-spoof(17105) X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys. [gnutls-dev] 20040802 gnutls 1.0.17 1010838 http://www.hornik.sk/SA/SA-20040802.txt 10839 gnutls-rsa-key-size-dos(16858) Serv-U FTP server before 5.1.0.0 has a default account and password for local administration, which allows local users to execute arbitrary commands by connecting to the server using the default administrator account, creating a new user, logging in as that new user, and then using the SITE EXEC command. 20040808 Serv-U 3.x, 4.x, 5.x local privilege escalation vulnerability 10886 servu-default-admin-account(16925) Serv-U FTP Server 4.1 (possibly 4.0) allows remote attackers to cause a denial of service (application crash) via a SITE CHMOD command with a "\\...\" followed by a short string, causing partial memory corruption, a different vulnerability than CVE-2004-2111. 1009086 9675 servu-sitechmod-command-dos(15251) Fastream NETFile Server 7.1.2 does not properly handle keep-alive connection timeouts and does not close the connection after a HEAD request, which allows remote attackers to perform a denial of service (connection consumption) by sending a large number HTTP HEAD requests. 1012267 http://users.pandora.be/bratax/advisories/b003.html 11687 fastream-head-request-dos(18192) The person-to-person secure messaging feature in Sticker before 3.1.0 beta 2 allows remote attackers to post messages to unauthorized private groups by using the group's public encryption key. This vulnerability is addressed in the following product update: Matthew Phillips, Sticker, 3.1.0 Beta 2 1011580 11333 http://www.tickertape.org/projects/sticker/release_notes-3.1.0b2.html sticker-unauth-message-posting(17664) The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a process obtains IO access permissions from the ioperm function but does not drop those permissions when it exits, which allows other processes to access the per-TSS pointers, access restricted memory locations, and possibly gain privileges. http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6 10302 20040507 Bug in IO bitmap handling? Probably exploitable (2.6.5) 20040507 Re: Bug in IO bitmap handling? Probably exploitable (2.6.5) linux-exitthread-gain-privileges(16106) Unspecified vulnerability in SurgeMail before 2.2c10 has unknown impact and attack vectors, related to a "Webmail security bug." http://netwinsite.com/surgemail/help/updates.htm 12086 surgemail-webmail(18648) Direct static code injection vulnerability in the PCG simple application generation in phpCodeGenie before 3.0.2 allows remote authenticated users to execute arbitrary code via the (1) header or (2) footer. http://phpcodegenie.sourceforge.net/phpCodeGenie/docs/ChangeLog.txt 1011911 11524 phpcodegenie-header-footer-command-execution(17848) Unknown vulnerability in Network Appliance NetCache 5.2 and Data ONTAP 6.0 allows remote attackers to cause a denial of service (panic and reboot) and possibly other impacts via unknown attack vectors, possibly related to unspecified worms, as identified by bug ID 1010013 10319 netcache-ontap-dos(16032) readObject in (1) Java Runtime Environment (JRE) and (2) Software Development Kit (SDK) 1.4.0 through 1.4.2_05 allows remote attackers to cause a denial of service (JVM unresponsive) via crafted serialized data. 20050407 MacOSX Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability 57707 jre-sdk-readobject-dos(20027) Buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. http://docs.info.apple.com/article.html?artnum=306172 APPLE-SA-2007-07-31 http://sourceforge.net/tracker/index.php?func=detail&aid=1064875&group_id=4664&atid=104664 DSA-1064 GLSA-200606-10 RHSA-2009:1101 RHSA-2009:1102 18050 25159 ADV-2007-2732 https://bugzilla.redhat.com/show_bug.cgi?id=490667 oval:org.mitre.oval:def:10069 Multiple SQL injection vulnerabilities in Dynix (formerly known as epixtech) WebPAC allow remote attackers to execute arbitrary SQL commands via unknown attack vectors, resulting in an ability to execute stored procedures, bypass login authentication, and cause an unspecified denial of service to backend databases. 20040824 Dynix Webpac Input Validation 1011073 11037 webpac-sql-injection(17128) Secure Computing Corporation Sidewinder G2 6.1.0.01 might allow remote attackers to cause a denial of service (proxy failure) via invalid traffic to the (1) T.120 or (2) RTSP proxy, or (3) invalid MIME messages to the mail filter. NOTE: this might not be a vulnerability because the embedded monitoring sub-system automatically restarts after the failure. http://www.securecomputing.com/pdf/SW61002Rel_Notes_0512.pdf sidewinder-t120-dos(16183) sidewinder-rtsp-dos(16184) sidewinder-mail-filter-dos(16186) Admin Console in Secure Computing Corporation Sidewinder G2 6.1.0.01 exports private keys when exporting firewall certificates, which might allow attackers to obtain sensitive information. http://www.securecomputing.com/pdf/SW61002Rel_Notes_0512.pdf sidewinder-private-key-disclosure(24364) Secure Computing Corporation Sidewinder G2 6.1.0.01 allows remote attackers to cause a denial of service (SMTP proxy failure) via unknown attack vendors involving an "extremely busy network." NOTE: this might not be a vulnerability because the embedded monitoring sub-system automatically restarts after the failure. http://www.securecomputing.com/pdf/SW61002Rel_Notes_0512.pdf Multiple memory leaks in Samba before 3.0.6 allow attackers to cause a denial of service (memory consumption). http://www.samba.org/samba/history/samba-3.0.6.html 2004-0043 samba-memory-information-disclosure(17139) NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to obtain sensitive information via HTTP requests that (a) specify the / URI, (b) specify the /scripts/ URI, or (c) specify a non-existent file, which reveal the path in an error message. 20040603 Surgemail - Multiple Vulnerabilities http://www.exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt http://www.netwinsite.com/surgemail/help/updates.htm 10483 surgemail-invalid-path-disclosure(16319) Multiple cross-site scripting (XSS) vulnerabilities in NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to inject arbitrary web script or HTML via (a) a URI containing the script, or (b) the username field in the login form. NOTE: it is possible that the first attack vector is resultant from the error message issue (CVE-2004-2547). 20040603 Surgemail - Multiple Vulnerabilities http://www.exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt http://www.netwinsite.com/surgemail/help/updates.htm 10483 surgemail-username-xss(16320) Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allow remote attackers to cause a denial of service (service crash) via a TCP request with a large string, followed by 8 newline characters, to (1) the Telnet service on TCP port 23 and (2) the HTTP service on TCP port 80, possibly due to a buffer overflow. 20040301 Nortel Networks Wireless LAN Access Point 2200 DoS + PoC 1009294 9787 http://www116.nortelnetworks.com/docs/bvdoc/wlan/216109a.pdf nortel-accesspoint-telnet-dos(15373) Multiple cross-site scripting (XSS) vulnerabilities in unspecified Perl scripts in SandSurfer before 1.7.1 allow remote attackers to inject arbitrary web script or HTML, which is later executed by a target who views reports containing the injected data. http://sourceforge.net/forum/forum.php?forum_id=356882 9801 sandsurfer-xss(15377) Multiple SQL injection vulnerabilities in Layton HelpBox 3.0.1 allow remote attackers to execute arbitrary SQL commands via (1) the sys_comment_id parameter in editcommentenduser.asp, (2) the sys_suspend_id parameter in editsuspensionuser.asp, (3) the table parameter in export_data.asp, (4) the sys_analgroup parameter in manageanalgrouppreference.asp, (5) the sys_asset_id parameter in quickinfoassetrequests.asp, (6) the sys_eusername parameter in quickinfoenduserrequests.asp, and the sys_request_id parameter in (7) requestauditlog.asp, (8) requestcommentsenduser.asp, (9) selectrequestapplytemplate.asp, and (10) selectrequestlink.asp, resulting in an ability to create a new HelpBox user account and read, modify, or delete data from the backend database. http://www.securiteam.com/windowsntfocus/5VP0S0ADFW.html 10776 helpbox-multiple-sql-injection(16772) helpbox-url-gain-access(16774) Buffer overflow in XBoard 4.2.7 and earlier might allow local users to execute arbitrary code via a long -icshost command line argument. NOTE: since the program is not setuid and not normally called from remote programs, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability. 20040301 Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublished Local Stack Overflow Vulnerablity! xboard-icshost-bo(15362) The Ignition Project ignitionServer 0.1.2 through 0.1.2-R2 allows remote authenticated users with local IRC operator privileges to obtain global IRC operator privileges by using the unofficial umode command with the +ORD argument. http://cvs.sourceforge.net/viewcvs.py/ignition/ignitionserver/docs/security/20040302-operator-privilege-escalation.txt?view=markup 1009301 http://sourceforge.net/tracker/index.php?func=detail&aid=891555&group_id=96071&atid=613526 9783 ignition-server-gain-privileges(15363) Novell Client Firewall (NCF) 2.0, as based on the Agnitum Outpost Firewall, allows local users to execute arbitrary code with SYSTEM privileges by opening the NCF tray icon and using the Help functionality to launch programs with SYSTEM privileges. 1008755 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10090585.htm O-090 9441 ncf-tray-icon-gain-privileges(15367) Riverdeep FoolProof Security 3.9.x on Windows 98 and Windows ME uses weak cryptography (arithmetic and XOR operations) to relate the Control password to the Administrator password, which allows local users to calculate the Administrator password if they know the Control password and password recovery key. 20040604 [CYSA-0329] Password recovery vulnerability in FoolProof Security 3.9.x for Windows 95/9 10467 foolproof-admin-password-recovery(16327) NetGear WG602 (aka WG602v1) Wireless Access Point firmware 1.04.0 and 1.5.67 has a hardcoded account of username "super" and password "5777364", which allows remote attackers to modify the configuration. 20040603 Netgear WG602 Accesspoint vulnerability http://kbserver.netgear.com/kb_web_files/n101383.asp http://slashdot.org/articles/04/06/08/1319206.shtml?tid=126&tid=172 O-159 20040605 Re: Netgear WG602 Accesspoint vulnerability 10459 netgearwg602-default-account(16312) NetGear WG602 (aka WG602v1) Wireless Access Point 1.7.14 has a hardcoded account of username "superman" and password "21241036", which allows remote attackers to modify the configuration. 20040603 Netgear WG602 Accesspoint vulnerability http://kbserver.netgear.com/kb_web_files/n101383.asp http://slashdot.org/articles/04/06/08/1319206.shtml?tid=126&tid=172 O-159 20040605 Re: Netgear WG602 Accesspoint vulnerability 10459 netgearwg602-default-account(16312) Unspecified vulnerability in IBM Tivoli SecureWay Policy Director 3.8, Access Manager for e-business 3.9 to 5.1, Access Manager Identity Manager Solution 5.1, Configuration Manager 4.2, Configuration Manager for Automated Teller Machines 2.1.0, and IBM WebSphere Everyplace Server, Service Provider Offering for Multi-platforms 2.1.3 to 2.15 allow remote attackers to hijack sessions of authenticated users via unknown attack vectors involving certain cookies, aka "Potential Credential Impersonation Attack." 10449 http://www-1.ibm.com/support/docview.wss?uid=swg21168762 ibm-cookie-session-hijack(16315) DokuWiki before 2004-10-19 allows remote attackers to access administrative functionality including (1) Mediaselectiondialog, (2) Recent changes, (3) feed, and (4) search, possibly due to the lack of ACL checks. 1011802 http://wiki.splitbrain.org/wiki:old_changes dokuwiki-acl-gain-access(17799) DokuWiki before 2004-10-19, when used on a web server that permits execution based on file extension, allows remote attackers to execute arbitrary code by uploading a file with an appropriate extension such as ".php" or ".cgi". http://wiki.splitbrain.org/wiki:old_changes 11486 dokuwiki-file-upload(17899) Multiple SQL injection vulnerabilities in Internet Software Sciences Web+Center 4.0.1 allow remote attackers to execute arbitrary SQL commands via (1) the ISS_TECH_CENTER_LOGIN cookie in search.asp and (2) one or more cookies in DoCustomerOptions.asp. http://www.securiteam.com/windowsntfocus/5RP0N0ADGK.html 10771 webcenter-cookie-sql-injection(16775) SQL injection vulnerability in jobedit.asp in Leigh Business Enterprises (LBE) Web Helpdesk before 4.0.0.81 allows remote attackers to execute arbitrary SQL commands via the id parameter. http://www.lbehelpdesk.com/patch/web/history.txt http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html 10773 webhelpdesk-jobedit-sql-injection(16779) Serena TeamTrack 6.1.1 allows remote attackers to obtain sensitive information such as user names, versions, and database information, and conduct cross-site scripting (XSS) attacks, via a direct request to tmtrack.dll with modified LoginPage and Template parameters. http://www.securiteam.com/windowsntfocus/5SP0O0ADGG.html 10770 teamtrack-tmtrackdll-xss(16771) teamtrack-loginpage-information-disclosure(16777) Multiple cross-site scripting (XSS) vulnerabilities in Sambar Server 6.1 Beta 2 on Windows, and possibly other versions on Linux, allow remote attackers to inject arbitrary web script or HTML via (1) the show parameter in show.asp and (2) the title parameter in showperf.asp. 1010353 http://www.oliverkarow.de/research/sambar.txt 10444 sambar-show-showperf-xss(16286) Multiple directory traversal vulnerabilities in Sambar Server 6.1 Beta 2 on Windows, and possibly other versions on Linux, when the administrative IP address restrictions have been modified from the default, allow remote authenticated users to read arbitrary files via (1) a "..\" (dot dot backslash) in the file parameter to showini.asp, or (2) an absolute path with drive letter in the log parameter to showlog.asp. 1010353 http://www.oliverkarow.de/research/sambar.txt 10444 sambar-multiple-directory-traversal(16287) Multiple cross-site scripting (XSS) vulnerabilities in LiveWorld products, possibly including (1) LiveForum, (2) LiveQ&A, (3) LiveChat, and (4) LiveFocusGroup, allow remote attackers to inject arbitrary web script or HTML via the q parameter in (a) search.jsp, (b) findclub!execute.jspa, and (c) search!execute.jspa. 20040824 Possible Security Issues In LiveWorld Products 1011036 http://www.gulftech.org/?node=research&article_id=00044-08232004 liveworld-xss(17104) Multiple SQL injection vulnerabilities in ReciPants 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) user id, (2) recipe id, (3) category id, and (4) other ID number fields. 1009984 http://sourceforge.net/project/shownotes.php?group_id=90737&release_id=234415 10250 recipants-id-sql-injection(16024) Multiple cross-site scripting (XSS) vulnerabilities in ReciPants 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) user id, (2) recipe id, (3) category id, and (4) other ID number fields. 1009984 http://sourceforge.net/project/shownotes.php?group_id=90737&release_id=234415 10250 ipmenu 0.0.3 before Debian GNU/Linux ipmenu_0.0.3-5 allows local users to overwrite arbitrary files via a symlink attack on the ipmenu.log temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=244709 1010064 DSA-907 10269 ipmenu-symlink(16052) Opera before 7.54 allows remote attackers to modify properties and methods of the location object and execute Javascript to read arbitrary files from the client's local filesystem or display a false URL to the user. 20040805 Opera: Location, Location, Location GLSA-200408-05 http://www.greymagic.com/security/advisories/gm008-op/ http://www.opera.com/docs/changelogs/windows/754/ 10873 opera-location-method-overwrite(16904) Multiple buffer overflows in EnderUNIX isoqlog 2.1.1 allow remote attackers to execute arbitrary code via the (1) parseQmailFromBytesLine, (2) parseQmailToRemoteLine, (3) parseQmailToLocalLine, (4) parseSendmailFromBytesLine, (5) parseSendmailToLine, (6) parseEximFromBytesLine, and (7) parseEximToLine functions in Parser.c; allow local users to execute arbitrary code via the (8) lowercase and (9) check_syslog_date functions in Parser.c, and (10) unspecified functions in Dir.c; and allow unspecified attackers to execute arbitrary code via the (11) loadconfig and (12) removespaces functions in loadconfig.c, the (13) loadLang function in LangCfg.c, and (14) unspecified functions in Html.c. 20040528 EnderUNIX Security Anouncement (Isoqlog and Spamguard) 1010292 10433 isoqlog-multiple-bo(16308) AMAX Magic Winmail Server 3.6 allows remote attackers to obtain sensitive information by entering (1) invalid characters such as "()" or (2) a large number of characters in the Lookup field on the netaddressbook.php web form, which reveals the path in an ldaplib.php error message when the ldap_search function fails, due to improper processing of the $keyword variable. http://members.lycos.co.uk/r34ct/main/ldaplib/ldaplib.php%20reveal%20local%20path%20of%20Winmail%203.6%20webmail%20directory.txt http://www.magicwinmail.net/download/english-help.chm 9786 magic-winmail-path-disclosure(15361) PHP remote file inclusion vulnerability in tables_update.inc.php in phpGroupWare 0.9.14.005 and earlier allows remote attackers to execute arbitrary PHP code via an external URL in the appdir parameter. 12074 https://savannah.gnu.org/bugs/?func=detailitem&item_id=7478 Cross-site scripting (XSS) vulnerability in index.php in phpGroupWare 0.9.14.005 and earlier allows remote attackers to inject arbitrary web script or HTML via the date parameter in a calendar.uicalendar.planner menuaction. 12082 https://savannah.gnu.org/bugs/?func=detailitem&item_id=7478 phpGroupWare 0.9.14.005 and earlier allow remote attackers to obtain sensitive information via a direct request to (1) hook_admin.inc.php, (2) hook_home.inc.php, (3) class.holidaycalc.inc.php, and (4) setup.inc.php.sample, which reveals the path in an error message. https://savannah.gnu.org/bugs/?func=detailitem&item_id=7478 class.vfs_dav.inc.php in phpGroupWare 0.9.16.000 does not create .htaccess files to enable authorization checks for access to users' home-directory files, which allows remote attackers to obtain sensitive information from these files. phpgroupware-classvfsdavinc-security-bypass(19195) https://savannah.gnu.org/bugs/?func=detailitem&item_id=8359 The acl_check function in phpGroupWare 0.9.16RC2 always returns True, even when mkdir does not behave as expected, which could allow remote attackers to obtain sensitive information via WebDAV from users' home directories that lack .htaccess files, and possibly has other unknown impacts. 12237 https://savannah.gnu.org/bugs/?func=detailitem&item_id=7227 phpGroupWare before 0.9.16.002 transmits the (1) header admin and (2) setup passwords in plaintext via cookies, which allows remote attackers to sniff passwords. 10895 phpgroupware-plaintext-password(16970) ACLCHECK module in Novell iChain 2.3 allows attackers to bypass access control rules of an unspecified component via an unspecified attack vector involving a string that contains escape sequences represented with "overlong UTF-8 encoding." 1011074 http://support.novell.com/cgi-bin/search/searchtid.cgi?2972080.htm 11061 ichain-access-control-bypass(17132) Cross-site scripting (XSS) vulnerability in Novell iChain 2.3 allows remote attackers to obtain login credentials via unspecified vectors. 1011074 11061 ichain-xss(17133) Novell iChain 2.3 allows attackers to cause a denial of service via a URL with a "specific string." 1011074 http://support.novell.com/cgi-bin/search/searchtid.cgi?2972080.htm 11061 ichain-dos(17134) Novell iChain 2.3 includes the build number in the VIA line of the proxy server's HTTP headers, which allows remote attackers to obtain sensitive information. 1011074 http://support.novell.com/cgi-bin/search/searchtid.cgi?2972080.htm 11061 ichain-build-version-disclosure(17135) SMTP service in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous open connections to TCP port 25. http://members.lycos.co.uk/r34ct/main/smarter_mail%203.1/smarter_mail.txt http://www.zone-h.org/advisories/read/id=4098 smartermail-multiple-connection-dos(15391) frmAddfolder.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote authenticated users to create a folder that SmarterMail cannot delete or rename via a folder name with a null byte ("%00"). NOTE: it is not clear whether this issue poses a vulnerability. smartermail-frmaddfolder-file-manipulation(15392) Cross-site scripting (XSS) vulnerability in frmCompose.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to inject arbitrary web script or HTML via Javascript to the "check spelling" feature in the compose area. http://members.lycos.co.uk/r34ct/main/smarter_mail%203.1/smarter_mail.txt 1009307 9805 http://www.zone-h.org/advisories/read/id=4098 smartermail-spellchecker-xss(15393) Directory traversal vulnerability in frmGetAttachment.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to read arbitrary files via the filename parameter. http://members.lycos.co.uk/r34ct/main/smarter_mail%203.1/smarter_mail.txt 1009307 http://www.zone-h.org/advisories/read/id=4098 smartermail-dotdot-directory-traversal(15389) login.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service via a long txtusername parameter, possibly due to a buffer overflow. http://members.lycos.co.uk/r34ct/main/smarter_mail%203.1/smarter_mail.txt http://www.zone-h.org/advisories/read/id=4098 smartermail-login-dos(15390) Intentional information leak in phpinfo.php in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allows remote attackers to obtain sensitive information such as the configuration of the web server and the PHP application. 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta] 1009561 9983 xmb-phpinfo-obtain-information(15656) Gaim before 0.82 allows remote servers to cause a denial of service (application crash) via a long HTTP Content-Length header, which causes Gaim to abort when attempting to allocate memory. http://gaim.sourceforge.net/security/?id=6 1011083 11056 gaim-content-length-dos(17150) Unspecified vulnerability in meindlSOFT Cute PHP Library (aka cphplib) 0.46 has unknown impact and attack vectors, related to regular expressions. http://prdownloads.sourceforge.net/cphplib/cphplib-0.47.tar.gz?download 1011076 http://www.meindlsoft.com/cphplib_changelog.php 11062 cphplib-parameter-improper-validation(17145) The data-overwrite capability of ButtUglySoftware CleanCache 2.19 does not properly overwrite data in files, which allows attackers to recover the data. 20041225 CleanCache v2.19: False Sense of Security 1012701 12117 cleancache-information-disclosure(18692) Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (application crash) via a modified client that asks the server to send data stored at a negative array offset, which is not handled when processing Configstrings and Baselines. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 quake-configstrings-baselines-dos(17890) Buffer overflow in command-packet processing of Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a packet with a long cmd_args buffer. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 quake-cmdargs-bo(17891) Absolute path traversal vulnerability in Quake II server before R1Q2 on Windows, as used in multiple products, allows remote attackers to read arbitrary files via a "\/" in a pathname argument, as demonstrated by "download \/server.cfg". 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 quake-path-information-disclosure(17892) Absolute path traversal vulnerability in Quake II server before R1Q2 on Linux, as used in multiple products, allows remote attackers to cause a denial of service (application crash) via a download command with a full pathname for a directory in the argument, which causes the server to crash when it cannot read data. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 quake-path-dos(17893) Quake II server before R1Q2, as used in multiple products, allows remote attackers to cause a denial of service (exhaustion of connection slots) via a large number of connections from the same IP address. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 quake-mult-conn-dos(17894) Quake II server before R1Q2, as used in multiple products, allows remote attackers to bypass IP-based access control rules via a userinfo string that already contains an "ip" key/value pair but is also long enough to cause a new key/value pair to be truncated, which interferes with the server's ability to find the client's IP address. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 quake-ip-spoofing(17895) Quake II server before R1Q2, as used in multiple products, allows remote attackers to corrupt the server's client state data structure by exiting a session without a valid disconnect command, then reconnecting, which prevents a mod from being notified of changes in the client state. NOTE: the impact of this issue will vary depending on which mod is being used. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ 11551 Multiple buffer overflows in Quake II server before R1Q2, as used in multiple products, allow local users to cause a denial of service (application crash) via the server console or rcon. 20041027 Multiple Vulnerabilites in Quake II Server http://secur1ty.net/advisories/001 1011979 http://web.archive.org/web/20041130092749/www.r1ch.net/stuff/r1q2/ quake-bo(17898) The firmware for Intelligent Platform Management Interface (IPMI) 1.5-based Intel Server Boards and Platforms is shipped with an Authentication Type Enables parameter set to an invalid None parameter, which allows remote attackers to obtain sensitive information when LAN management functionality is enabled. ftp://download.intel.com/support/motherboards/server/sb/aa6791invalidlanconfiguration040504.pdf http://support.intel.com/support/motherboards/server/sb/CS-010422.htm 10068 intel-ssu-gain-access(15775) PHP remote file inclusion vulnerability in UberTec Help Center Live (HCL) allows remote attackers to read local files and possibly execute PHP code via a URL in the SKIN_inner parameter to inc/skin.php. 1012685 http://www.gulftech.org/?node=research&article_id=00058-12242004 help-center-skin-php-file-include(18695) PHP remote file inclusion vulnerability in UberTec Help Center Live (HCL) before 1.2.7 allows remote attackers to execute arbitrary PHP code via a URL in the HCL_path parameter to pipe.php. Successful exploitation requires that "register_globals" is enabled. 1012685 http://www.gulftech.org/?node=research&article_id=00058-12242004 12105 http://www.ubertec.co.uk/forums/showthread/php?t=2376 help-center-php-file-include(18694) Cross-site scripting (XSS) vulnerability in the Search module in UberTec Help Center Live (HCL) allows remote attackers to inject arbitrary web script or HTML via the find parameter to index.php. 1012685 http://www.gulftech.org/?node=research&article_id=00058-12242004 12105 help-center-index-xss(18696) Cross-site scripting (XSS) vulnerability in index.php in PHProxy allows remote attackers to inject arbitrary web script or HTML via the error parameter. 1012702 12115 phproxy-error-xss(18697) aStats 1.6.5 allows local users to overwrite arbitrary files via a symlink attack on (1) the aStats-Graphic-Signature-Generation file and (2) certain PNG image files. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=287604 [Debian-audit] 20041229 More temporary filenames/dirs related bugs 12128 astats-symlink(18698) The Web interface in Linksys WRT54G 2.02.7 and BEFSR41 version 3, with the firewall disabled, allows remote attackers to attempt to login to an administration web page, even when the configuration specifies that remote administration is disabled. ftp://ftp.linksys.com/pub/network/wrt54g_2.02.8_US_code_beta.zip 20040531 LinkSys WRT54G administration page availble to WAN 20040601 Re: LinkSys WRT54G administration page availble to WAN 20040602 Additional information on WRT54G administration page 20040602 Re: The Linksys WRT54G "security problem" doesn't exist http://web.archive.org/web/20040823075750/http://www.linksys.com/download/firmware.asp?fwid=201 http://www.nwfusion.com/news/2004/0607confuse.html 20040604 The Linksys WRT54G "security problem" doesn't exist 20040604 RE: The Linksys WRT54G "security problem" doesn't exist 10441 linksys-remote-bypass-security(16274) A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to 2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of kernel memory via a large len argument, which is received as an int but cast to a short, which prevents a read loop from filling a buffer. DSA-1018 MDKSA-2006:072 16759 [linux-kernel] 20040416 Re: [CHECKER] Probable security holes in 2.6.5 [linux-kernel] 20040416 Re: [CHECKER] Probable security holes in 2.6.5 MDKSA-2006:044 SmartWebby Smart Guest Book stores SmartGuestBook.mdb (aka the "news database") under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the unencrypted username and password of the administrator's account. 1011084 smart-guestbook-database-file-access(17146) The stuffit.com executable on Symantec PowerQuest DeployCenter 5.5 boot disks allows local users to obtain sensitive information (an unencrypted password for a Windows domain account) via four "stuffit /f:stuffit.dat" invocations, possibly due to a buffer overflow. 20040827 Power Quest Deploy Center 5.5 boot disks 1011081 11068 powerquest-deploycenter-obtain-password(17147) mntd_mount.c in mntd before 0.4.2 might allow local users to gain privileges via shell metacharacters in a remount option in the configuration file. NOTE: It is not clear whether this is a vulnerability because there is not necessarily any common usage in which privilege boundaries are crossed. Typical usage would restrict write access to the configuration file. http://prdownloads.sourceforge.net/mntd/mntd-0.4.2.tar.gz?download 1011088 mntd-read-configuration-gain-privileges(17149) The Change Permissions function in the Sophster suite before 0.9.6 28 May 2004 (aka 0.9.6-r5), possibly including Sophster, FreeSophster, and FreeSophsterPAM, removes the (1) setuid, (2) setgid, and (3) sticky bits when changing a file, which might allow attackers to gain privileges or conduct other unauthorized activities. 1010431 http://www.schaefer.dhcp.biz/CHANGELOG.txt sophster-change-permissions-file-access(16359) BNC 2.9.0 only grants access when an incorrect password is provided, which allows remote attackers to use the functionality intended for authorized users. http://www.gotbnc.com/changes.html#2.9.1 11650 bnc-invalid-password-auth-bypass(18103) Unspecified vulnerability in procfs in the Linux-VServer stable branch for the 2.4 kernel before 1.23 and Linux-VServer development branch for the 2.4 kernel before 1.3.5 has unspecified impact and attack vectors, related to "write access to specific proc entries from a vserver context", a different vulnerability than CVE-2004-2408. http://linux-vserver.org/ChangeLog [Vserver] 20050108 [Advisory] procfs in vserver Buffer overflow in MyWeb 3.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request. http://fux0r.phathookups.com/advisory/sp-x11-advisory.txt http://security-protocols.com/modules.php?name=News&file=article&sid=1931 10303 myweb-long-get-bo(16101) The documentation for CuteNews 1.3.6 and possibly other versions specifies that files under cutenews/data must be manually given world-writable permissions, which allows local users to insert false news, delete news, and possibly gain privileges or have other unknown impact. 20040829 CuteNews News.txt writable to world 1011099 cutenews-newstxt-world-writable(17161) The file server in ActivePost Standard 3.1 and earlier allows remote authenticated users to obtain sensitive information by uploading a file, which reveals the path in a success message. http://aluigi.altervista.org/adv/actp-adv.txt 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 1011406 Directory traversal vulnerability in Pegasi Web Server (PWS) 0.2.2 allows remote attackers to read files outside of the web root via a .. (dot dot) directly after the initial '/' (slash) in the URI. 20040311 Multiple Vulnerabilities in PWS 0.2.2 20040314 Re: Multiple Vulnerabilities in PWS 0.2.2 http://sourceforge.net/forum/forum.php?forum_id=359660 http://www.autistici.org/fdonato/advisory/pws0.2.2-adv.txt 9847 pws-dotdot-directory-traversal(15435) Cross-site scripting (XSS) vulnerability in Pegasi Web Server (PWS) 0.2.2 allows remote attackers to inject arbitrary web script or HTML via the URI, directly after the initial '/' (slash). 20040311 Multiple Vulnerabilities in PWS 0.2.2 20040314 Re: Multiple Vulnerabilities in PWS 0.2.2 http://sourceforge.net/forum/forum.php?forum_id=359660 http://www.autistici.org/fdonato/advisory/pws0.2.2-adv.txt 9847 pws-xss(15436) ripMIME 1.3.2.3 and earlier allows remote attackers to bypass e-mail protection via a base64 MIME encoded attachment containing invalid characters that are not properly extracted. http://www.pldaniels.com/ripmime/CHANGELOG 10848 ripmime-attachment-filters-bypass(16867) The MIMEH_read_headers function in ripMIME 1.3.1.0 does not properly handle trailing "\r" and "\n" characters in headers, which leads to a buffer underflow. http://www.pldaniels.com/ripmime/CHANGELOG Nortel Contivity VPN Client 2.1.7, 3.00, 3.01, 4.91, and 5.01, when opening a VPN tunnel, does not check the gateway certificate until after a dialog box has been displayed to the user, which creates a race condition that allows remote attackers to perform a man-in-the-middle (MITM) attack. 1011846 11495 http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?level=6&category=8&subcategory=6&subtype=&DocumentOID=276620&RenditionID=REND159588 nortel-contivity-gain-access(17812) AClient.exe in Altiris Deployment Solution 6.x and 5.x does not require authentication from the first Deployment Server that it connects to, which allows remote malicious servers to gain administrator access. 20041021 Critical Vulnerability in Altiris Deployment Server architecture 20041025 RE: Critical Vulnerability in Altiris Deployment Server architecture http://packetstorm.linuxsecurity.com/0410-advisories/index2.html 1011862 http://www.altiris.com/support/forum/Framesearch.aspx?vpath=/aexkb/public%20articles/6.x/deployment%20solution/kb/ds%20client%20security%20kb%20article%2010-22-04.doc&art=AKB6859&source=Altiris%20Helpdesk&artID=23644&refpara=532392&key=akb6859 11498 altiris-gain-unauth-access(17814) Unknown vulnerability in Rippy the Aggregator before 0.10, when register_globals is enabled, has unknown attack vectors and impact, possibly related to the "user-controlled filter." http://ansuz.sooke.bc.ca/rippy/ChangeLog http://freshmeat.net/projects/rippy/?branch_id=30091&release_id=173997 1011582 rippy-aggregator-registerglobals-enabled(17674) Cross-site scripting (XSS) vulnerability in "TextSearch" in WackoWiki 3.5 allows remote attackers to inject arbitrary web script or HTML via the "phrase" parameter. http://wackowiki.com/WackoDownload/VersionHistory?v=yrv 10860 wackowiki-text-search-xss(16878) Cross-site scripting (XSS) vulnerability in Outblaze Email allows remote attackers to inject arbitrary web script or HTML via Javascript in an attribute of an IMG tag. 20040718 Cross-Site Scripting email Outblaze 1010735 http://www.securiteam.com/securitynews/5CP0O20DFI.html 10756 http://www.swp-zone.org/archivos/advisory-09.txt outblaze-email-xss(16788) GUI overlay vulnerability in the Java API in Siemens S55 cellular phones allows remote attackers to send unauthorized SMS messages by overlaying a confirmation message with a malicious message. 20040427 Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++> 20040429 Re: Phenoelit Advisory 1009959 10227 siemens-unauth-sms-message(15995) Java 2 Micro Edition (J2ME) does not properly validate bytecode, which allows remote attackers to escape the Kilobyte Virtual Machine (KVM) sandbox and execute arbitrary code. 20041022 J2ME security vulnerabilities 20041022 J2ME security vulnerabilities 1011898 http://www.theregister.co.uk/2004/10/22/mobile_java_peril/ java2-command-execution(17825) Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, when running on Windows, allow remote attackers to read arbitrary files via a URL that contains (1) a hex-encoded backslash dot-dot sequence ("%5C..") or (2) a drive letter (such as "C:"). 20040804 Bug@thttpd 20040804 Bug@thttpd 1010850 http://www.acme.com/software/thttpd/#releasenotes 10862 thttpd-directory-traversal(16882) Multiple vulnerabilities in the H.323 protocol implementation for First Virtual Communications Click to Meet Express (when used with H.323 conferencing endpoints), Click to Meet Premier, Conference Server, and V-Gate allow remote attackers to cause a denial of service, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. http://support.fvc.com/eng/docs/misc_docs/H.323_Security_Bulletin.pdf CA-2004-01 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 up to 2.6.0-pl1 allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. 20041018 phpMyAdmin: Vulnerability in MIME-based transformation 20041018: phpMyAdmin: Vulnerability in MIME-based transformation 1011761 GLSA-200410-14 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-2 11391 phpmyadmin-command-execution(17698) Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name. 20040628 php codes injection in phpMyAdmin version 2.5.7. 20040630 Re: php codes injection in phpMyAdmin version 2.5.7. http://eagle.kecapi.com/sec/fd/phpMyAdmin.html 20041018 phpMyAdmin: Vulnerability in MIME-based transformation 1010614 GLSA-200407-22 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-1 http://www.securiteam.com/unixfocus/5QP040ADFW.html 10629 phpmyadmin-php-injection(16542) phpMyAdmin 2.5.1 up to 2.5.7 allows remote attackers to modify configuration settings and gain unauthorized access to MySQL servers via modified $cfg['Servers'] variables. 20040628 php codes injection in phpMyAdmin version 2.5.7. 20040630 Re: php codes injection in phpMyAdmin version 2.5.7. http://eagle.kecapi.com/sec/fd/phpMyAdmin.html 1010614 GLSA-200407-22 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-1 10629 phpmyadmin-code-manipulation(16555) Unspecified vulnerability in Sesamie 1.0 allows remote anonymous attackers to gain access to repositories of other users via unknown vectors. 1009978 http://sourceforge.net/project/shownotes.php?release_id=234477 10239 sesame-servlets-repository-access(16006) The (1) bos.rte.serv_aid or (2) bos.rte.console filesets in IBM AIX 5.1 and 5.2 allow local users to overwrite arbitrary files via a symlink attack on temporary files via unknown attack vectors. 1009975 10231 IY55789 IY55790 aix-console-commands-symlink(16008) https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=18&ID=279 An ActiveX control for McAfee Security Installer Control System 4.0.0.81 allows remote attackers to access the Windows registry via web pages that use the control's RegQueryValue() method. 20040425 McAfee VirusScan installer uses insecure ActiveX controls 10236 1009956 mcafee-virusscan-activex-gain-access(15994) TinyWeb 1.9 allows remote attackers to read source code of scripts via "/./" in the URL. 1010346 10445 tinyweb-get-download-scripts(16275) The NAT implementation in Zonet ZSR1104WE Wireless Router Runtime Code Version 2.41 converts IP addresses of inbound connections to the IP address of the router, which allows remote attackers to bypass intended security restrictions. 20040429 Zonet ZSR1104WE Router problem 1009967 10225 zonet-bypass-security(16005) The Admin Access With Levels plugin in osCommerce 1.5.1 allows remote attackers to access files in the "admin/" directory by modifying the in_login parameter to a non-zero value. http://secwatch.org/advisories/1007857 10235 oscommerce-plugin-bypass-security(16009) Unspecified vulnerability in Journalness 3.0.7 and earlier allows remote attackers to create or modify posts via unknown attack vectors. 1009909 journalness-data-manipulation(15923) https://sourceforge.net/project/shownotes.php?release_id=232566&group_id=101583 Directory traversal vulnerability in lstat.cgi in LinuxStat before 2.3.1 allows remote attackers to read arbitrary files via (1) .. (dot dot) sequences or (2) absolute paths to the template parameter. 1011920 http://sourceforge.net/project/shownotes.php?release_id=277371 11517 linuxstat-template-directory-traversal(17833) Unspecified vulnerability in Sun Fire 3800/4800/4810/6800, Sun Fire V1280, and Netra 1280 allows remote attackers to cause a denial of service (system controller hang) via IP Packets With Type of Service (TOS) Bits set. 1009888 http://sunsolve.sun.com/search/document.do?assetkey=1-26-57544-1 10189 sun-fire-ip-controller-dos(15925) Yeemp 0.9.9 and earlier does not properly encrypt inbound files, which allows remote attackers to spoof the identity of the sender. http://deekoo.net/technocracy/yeemp/#advisory http://deekoo.net/technocracy/yeemp/changes.html 1011586 11353 yeemp-message-spoofing(17692) Directory traversal vulnerability in Microsoft cabarc allows remote attackers to overwrite files via "../" sequences in file names in a CAB archive. 20041012 Microsoft cabarc directory traversal 20041012 Microsoft cabarc directory traversal http://packetstormsecurity.org/0410-exploits/cabarc.txt 1011626 11376 cabarc-dotdot-directory-traversal(17693) Unspecified vulnerability in ASN.1 Compiler (asn1c) before 0.9.7 has unknown impact and attack vectors when processing "ANY" type tags. 1011622 http://sourceforge.net/project/shownotes.php?group_id=103893&release_id=274592 11370 asn1c-any-type(17695) Unspecified vulnerability in ASN.1 Compiler (asn1c) before 0.9.7 has unknown impact and attack vectors when processing "CHOICE" types with "indefinite length structures." 1011622 http://sourceforge.net/project/shownotes.php?group_id=103893&release_id=274592 11370 asn1c-choice-type(17696) The addUser function in UserManager.java in Free Web Chat 2.0 allows remote attackers to cause a denial of service (uncaught NullPointerException) via unknown attack vectors that cause the usrName variable to be null. 20040804 Multiple Vulnerabilities in Free Web Chat 20040804 Multiple Vulnerabilities in Free Web Chat 1010851 10863 freewebchat-usermanager-dos(16893) Free Web Chat 2.0 allows remote attackers to cause a denial of service (CPU consumption) via multiple connections from the same user. 20040804 Multiple Vulnerabilities in Free Web Chat 20040804 Multiple Vulnerabilities in Free Web Chat 1010851 10863 freewebchat-mult-connection-dos(16901) FreezeX 1.00.100.0666 allows local users with administrator privileges to cause a denial of service (FreezeX application) by overwriting the db.fzx file. 20041220 FreezeX file access vulnerability 1012699 freezex-dbfzx-dos(18643) Eudora 6.1.0.6 allows remote attackers to obfuscate URLs displayed in the status bar by inserting a large number of characters (e.g. spaces coded as "&#32") in the middle of the URL. This vulnerability is addressed in the following product release: Qualcomm, Eudora, 6.1.2 20040508 Status bar exploit hides spoofed URLs Eudora, possibly other e-mail clients 1010117 http://www.eudora.com/download/eudora/windows/6.1.2/RelNotes.txt 10305 eudora-url-spoofing(16105) Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. http://issues.apache.org/jira/browse/JAMES-268 http://james.apache.org/changelog.html 15765 Multiple cross-site scripting (XSS) vulnerabilities in YaCy before 0.32 allow remote attackers to inject arbitrary web script or HTML via the (1) urlmaskfilter parameter to index.html or the (2) page parameter to Wiki.html. 20041224 XSS in yacy 0.31 1012686 12104 http://www.yacy.net/yacy/News.html yacy-index-xss(18688) yacy-wiki-xss(18690) The DecodeTCPOptions function in decode.c in Snort before 2.3.0, when printing TCP/IP options using FAST output or verbose mode, allows remote attackers to cause a denial of service (crash) via packets with invalid TCP/IP options, which trigger a null dereference. 1012656 http://taosecurity.blogspot.com/2004/12/details-on-snort-dos-condition-you-may.html http://www.frsirt.com/exploits/20041222.angelDust.c.php http://www.securiteam.com/exploits/6X00L20C0S.html 12084 http://www.snort.org/arc_news/ snort-tcpip-printing-dos(18689) Unspecified vulnerability in PD9 Software MegaBBS 2.0 and 2.1 allows attackers to gain privileges via unknown vectors involving (1) admin/userlevelmembers-edit.asp and (2) admin/edit-groups.asp. http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924 The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference. NOTE: in a followup advisory, a researcher claimed that the issue was a buffer overflow that was not fixed in STABLE6. However, the vendor's bug report clearly shows that the researcher later retracted this claim, because the tested product was actually STABLE5. 1011214 20060223 old Squid clientAbortBody issue - NOT an overflow? http://www.securitylab.ru/47881.html http://www.squid-cache.org/bugs/show_bug.cgi?id=972 rdesktop 1.3.1 with xscreensaver 4.14, and possibly other versions, when running on Fedora and possibly other platforms, does not release the keyboard focus when xscreensaver starts, which causes the password to be entered into the active window when the user unlocks the screen. This vulnerability is addressed in the following product release: XScreenSaver, XScreenSaver, 4.18 20060602-01-U 1016150 1016151 http://support.avaya.com/elmodocs2/security/ASA-2006-107.htm http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-08/0018.html http://www.jwz.org/xscreensaver/changelog.html MDKSA-2006:071 SUSE-SR:2006:023 RHSA-2006:0498 17471 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188149 oval:org.mitre.oval:def:10096 USN-269-1 Multiple cross-site scripting (XSS) vulnerabilities in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) before R_2_5_0_41 allow remote attackers to inject arbitrary web script or HTML via (1) the topic parameter in search.pl and (2) the filter parameter in submit.pl. 20041215 Security Advisory for CVS Slash 11993 http://www.slashcode.com/slash/04/12/20/1946225.shtml?tid=11&tid=5&tid=4 slashcode(18508) ** DISPUTED ** Mozilla Firefox 1.5.0.1, and possibly other versions, preserves some records of user activity even after uninstalling, which allows local users who share a Windows profile to view the records after a new installation of Firefox, as reported for the list of Passwords Never Saved web sites. NOTE: The vendor has disputed this issue, stating that "The uninstaller is primarily there to uninstall the application. It is not there to uninstall user data. For the moment I will stick by my module-owner decision." This vulnerability has been disputed by the vendor. 20060413 Firefox 1.5.0.1 Password Manager Arbtirary User Browsing History Disclosure 20060415 Re: Firefox 1.5.0.1 Password Manager Arbtirary User Browsing History Disclosure https://bugzilla.mozilla.org/show_bug.cgi?id=234680 https://bugzilla.mozilla.org/show_bug.cgi?id=330884 resmgr in SUSE CORE 9 does not properly identify terminal names, which allows local users to spoof terminals and login types. http://support.novell.com/techcenter/psdb/fa6c6a3e792bf79b1d85821c689ea578.html Opera offers an Open button to verify that a user wishes to execute a downloaded file, which allows user-assisted remote attackers to construct a race condition that tricks a user into clicking Open via a request for a different mouse or keyboard action very shortly before the Open dialog appears. NOTE: this is a different issue than CVE-2005-2407. 20040407 Race conditions in security dialogs http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local users to cause a denial of service (memory consumption) via certain O_DIRECT (direct IO) write requests. This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.6.10 http://linux.bkbits.net:8080/linux-2.6/cset@4182a613oVsK0-8eCWpyYFrUf8rhLA http://support.avaya.com/elmodocs2/security/ASA-2006-203.htm DSA-1184 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.10 RHSA-2006:0617 19665 oval:org.mitre.oval:def:10165 Soft3304 04WebServer before 1.41 does not properly check file names, which allows remote attackers to obtain sensitive information (CGI source code). http://www.soft3304.net/04WebServer/Security.html Soft3304 04WebServer before 1.41 allows remote attackers to cause a denial of service (resource consumption or crash) via certain data related to OpenSSL, which causes a thread to terminate but continue to hold resources. http://www.soft3304.net/04WebServer/Security.html The (1) SetDebugging and (2) RunEgatherer methods in IBM Access Support eGatherer ActiveX control 2.0.0.16 allow remote attackers to create files with arbitrary content, as demonstrated by creating a .hta file in a Startup folder. 20040616 "IBM Access Support" (eGatherer) Activex Dangerous Methods Vulnerability 20040616 "IBM Access Support" (eGatherer) Activex Dangerous Methods Vulnerability AD20040615B http://www.eeye.com/html/research/advisories/AD20040615B.html 10562 ibm-egatherer-execute-code(16428) John Lim ADOdb Library for PHP before 4.23 allows remote attackers to obtain sensitive information via direct requests to certain scripts that result in an undefined value of ADODB_DIR, which reveals the installation path in an error message. This vulnerability is addressed in the following product release: John Lim, ADOdb, 4.23 http://phplens.com/lens/adodb/docs-adodb.htm#changes Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport software in HP-UX B.11.00, B.11.04, and B.11.11 before 20040628 allows local users to cause a denial of service via unspecified vectors. SSRT3552 oval:org.mitre.oval:def:5694 Mantis before 20041016 provides a complete Issue History (Bug History) in the web interface regardless of view_history_threshold, which allows remote attackers to obtain sensitive information (private bug details) by visiting a bug's web page. http://bugs.mantisbugtracker.com/view.php?id=4724 http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/history_inc.php?r1=1.24&r2=1.25 http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/history_inc.php?view=log Cross-site scripting (XSS) vulnerability in Lotus Domino 6.0.x before 6.0.4 and 6.5.x before 6.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21171253 SQL injection vulnerability in Interchange before 4.8.9 allows remote attackers to execute arbitrary SQL commands via unknown vectors. http://ftp.icdevgroup.org/interchange/4.8/WHATSNEW Multiple SQL injection vulnerabilities in Land Down Under (LDU) v701 allow remote attackers to execute arbitrary SQL commands or obtain the installation path via parameters including (1) s, w, and d in users.php, (2) id in comments.php, (3) rusername in auth.php, or (4) h in plug.php. 1012015 http://www.neocrome.net/index.php?m=single&id=91 http://www.neocrome.net/page.php?id=1573 http://www.ptsecurity.ru/advisory.asp 11569 land-down-under-sql-injection(17912) Multiple cross-site scripting (XSS) vulnerabilities in mod.php in eNdonesia 8.3 allow remote attackers to inject arbitrary web script or HTML via (1) the mod parameter in a viewcat operation or (2) the query parameter in a search operation in the publisher module. http://echo.or.id/adv/adv02-y3dips-2004.txt 1010864 20040804 Multiple vulnerabilities in eNdonesia CMS 10856 8506 endonesia-mod-xss(13041) mod.php in eNdonesia 8.3 allows remote attackers to obtain sensitive information via certain direct requests, and certain requests with invalid parameter values, which reveal the path in various error messages, as demonstrated by the (1) mod and (2) cid parameters. http://echo.or.id/adv/adv02-y3dips-2004.txt 1010864 20040804 Multiple vulnerabilities in eNdonesia CMS 8507 endonesia-mod-path-disclosure(13042) Unspecified vulnerability in ArGoSoft FTP server before 1.4.2.2 allows attackers to upload .lnk files via unknown vectors. This vulnerability is addressed in the following product release: ArGoSoft, FTP server, 1.4.2.2 http://www.argosoft.com/rootpages/FtpServer/ChangeList.aspx Multiple buffer overflows in ArGoSoft FTP Server before 1.4.1.6 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a SITE ZIP command with a long first or second argument, or (2) a SITE COPY with a long argument. http://www.argosoft.com/rootpages/FtpServer/ChangeList.aspx http://www.securiteam.com/windowsntfocus/5RP010KCAO.html 9770 argosoftftp-site-bo(15410) Directory traversal vulnerability in ArGoSoft FTP Server before 1.4.1.6 allows remote authenticated users to determine the existence of arbitrary files via ".." sequences in the SITE UNZIP argument. http://www.argosoft.com/rootpages/FtpServer/ChangeList.aspx http://www.securiteam.com/windowsntfocus/5RP010KCAO.html 9770 argosoftftp-unzip-file-disclosure(15411) ArGoSoft FTP Server before 1.4.1.6 allows remote authenticated users to cause a denial of service (crash) via a SITE PASS command with a long password parameter, which causes the database to be corrupted. http://www.argosoft.com/rootpages/FtpServer/ChangeList.aspx http://www.securiteam.com/windowsntfocus/5RP010KCAO.html 9770 argosoftftp-site-pass-dos(15412) The Spy Sweeper Enterprise Client (SpySweeperTray.exe) in WebRoot Spy Sweeper before 2.0 does not drop privileges when using the help functionality, which allows local users to gain privileges. 1012652 spy-sweeper-gain-privileges(18628) Format string vulnerability in qwik-smtpd.c in QwikMail SMTP (qwik-smtpd) 0.3 and earlier allows remote attackers to execute arbitrary code via format specifiers in the (1) clientRcptTo array, and the (2) Received and (3) messageID variables, possibly involving HELO and hostname arguments. http://qwikmail.sourceforge.net/smtpd/qwik-smtpd-0.3.patch 1012016 20070218 qwik-smtpd format string 11572 ADV-2007-0687 qwik-smtpd-format-string(17917) Unspecified vulnerability in HP Tru64 UNIX 5.1B PK2(BL22) and PK3(BL24), and 5.1A PK6(BL24), when using IPsec/IKE (Internet Key Exchange) with Certificates, allows remote attackers to gain privileges via unknown attack vectors. HPSBTU00030 1009329 9803 tru64-ipsec-ike-gain-access(15397) Check Point Firewall-1 4.1 up to NG AI R55 allows remote attackers to obtain potentially sensitive information by sending an Internet Key Exchange (IKE) with a certain Vendor ID payload that causes Firewall-1 to return a response containing version and other information. 20040616 Checkpoint Firewall-1 IKE Vendor ID information leakage http://www.nta-monitor.com/news/checkpoint2004/index.htm 10558 fw1-vendorid-info-disclosure(16434) mod_python (libapache2-mod-python) 3.1.4 and earlier does not properly handle when output filters process more than 16384 bytes, which can cause filter.read to return portions of previously freed memory. [httpd-python-dev] 20040416 Re: possible bug in filter.write() [httpd-python-dev] 20040416 possible bug in filter.write() [httpd-python-dev] 20040416 patch for filterobject.c http://svn.apache.org/viewvc/httpd/mod_python/trunk/src/filterobject.c?r1=102649&r2=103561&pathrev=103561 20070307 rPSA-2007-0051-1 mod_python 22849 USN-430-1 ADV-2007-0846 modpython-outputfilter-info-disclosure(14751) https://issues.rpath.com/browse/RPL-1105 https://launchpad.net/bugs/89308 PeerSec MatrixSSL before 1.1 caches session keys for an indefinitely long time, which might make it easier for remote attackers to hijack a session. http://www.matrixssl.org/archives/000076.html matrixssl-sessionkey-session-hijacking(40483) PeerSec MatrixSSL before 1.1 does not implement RSA blinding, which allows context-dependent attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal), a related issue to CVE-2003-0147. http://www.matrixssl.org/archives/000075.html Unspecified vulnerability in the %XML.Utils.SchemaServer class in InterSystems Cache' 5.0 allows attackers to access arbitrary files on a server. [Cache-News] 20040305 Security Alert Correction [Cache-News] 20040303 Security Alert Unspecified vulnerability in the %template package in InterSystems Cache' 5.0 allows attackers to access certain files on a server, including (1) cache.key and (2) cache.dat, related to .csp files under (a) Dev\studio\templates and (b) Devuser\studio\templates. [Cache-News] 20040310 Updated Security Alert - %template [Cache-News] 20040309 Security Alert - %template Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote attackers to execute arbitrary code via a long address in a ping (p) command to the Telnet proxy service, a different vector than CVE-2004-2416. http://www.youngzsoft.net/ccproxy/whatsnew.htm 4360 621 Directory traversal vulnerability in the vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 allows local users to load arbitrary kernel modules via crafted (1) mount or (2) sysfs system calls. NOTE: this might be the same issue as CVE-2004-1767, but there are insufficient details to be sure. 20040407 Solaris vfs_getvfssw() local kernel exploit 1008833 20040407 Solaris vfs_getvfssw() local kernel exploit http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf 9962 oval:org.mitre.oval:def:1381 distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. 20050310 XCode 1.5 and distcc 2.x Exploit http://distcc.samba.org/security.html [distcc] 20040826 Exploit in distcc ( got compromised ;( ) [distcc] 20040826 Exploit in distcc ( got compromised ;( ) http://www.metasploit.org/projects/Framework/exploits.html#distcc_exec Cross-site scripting (XSS) vulnerability in index.php in NewsPHP allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. NOTE: this issue might overlap vector 3 in CVE-2006-3358. 20040415 Re: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP. 1009740 newsphp-index-xss(15837) NewsPHP allows remote attackers to gain unauthorized administrative access by setting a cookie to the "autorized=admin; root=admin" value. 20040415 Re: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP. 1009740 newsphp-gain-admin-access(15836) Unrestricted file upload vulnerability in the Administration Panel for NewsPHP allows remote authenticated administrators to upload and execute arbitrary code instead of video files. 20040415 Re: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP. 1009740 newsphp-file-upload(15838) Unspecified vulnerability in 3Com SuperStack 3 4400 switches with firmware version before 3.31 allows remote attackers to cause a denial of service (device reset) via a crafted request to the web management interface. NOTE: the provenance of this information is unknown; details are obtained from third party reports. 3com-superstack-mngmt-dos(16497) The exec_dir PHP patch (php-exec-dir) 4.3.2 through 4.3.7 with safe mode disabled allows remote attackers to bypass restrictions and execute arbitrary commands via a backtick operator, which is not handled using the php_escape_shell_cmd function. http://kyberdigi.cz/projects/execdir/english.html 20040708 php-exec-dir vulnerable after latest upgrade 20040708 RE: php-exec-dir vulnerable after latest upgrade 20040708 Re: php-exec-dir vulnerable after latest upgrade 10598 phpexecdir-semicolon-restriction-bypass(16498) HP-UX B.11.00 and B.11.11 with B6848AB GTK+ Support Libraries installed uses insecure directory permissions, which allows local users to gain privileges via files in /opt/gnome/src/GLib/. SSRT3613 HPSBUX01034 oval:org.mitre.oval:def:6105 Microsoft Outlook Express 6.0 allows remote attackers to bypass intended access restrictions, load content from arbitrary sources into the Outlook context, and facilitate phishing attacks via a "BASE HREF" with the target set to "_top". 20040513 POA: Outlook Expresss 6.00 SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.3 allows remote attackers to execute arbitrary SQL statements via the x_invoice_num parameter. NOTE: this issue might be related to CVE-2006-4267. http://www.securiteam.com/unixfocus/5BP0E15E0M.html 11193 http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3379 http://www.vbulletin.com/forum/showthread.php?t=124876 vbulletin-itemnumber-sql-injection(17365) BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle when multiple logins for different users coming from the same client, which could cause an "unexpected user identity" to be used in an RMI call. BEA04-62.00 1010493 10545 weblogic-unexpected-user-identity(16421) The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for AIX 4.3.3 and 5.1 allows local users to gain privileges via a symlink attack on a command line argument (log file). NOTE: this might be related to CVE-2006-5002. http://www.securiteam.com/exploits/5CP0F0UDFG.html 9982 http://www.xfocus.org/exploits/200403/31.html aix-invscoutd-gain-privileges(15620) Race condition in IMWheel 1.0.0pre11 and earlier, when running with the -k option, allows local users to cause a denial of service (IMWheel crash) and possibly modify arbitrary files via a symlink attack on the imwheel.pid file. 20040820 CAU-2004-0002 - imwheel Predictable PidFile Name Race Condition http://imwheel.sourceforge.net/files/DEVELOPMENT.txt 1011049 http://www.caughq.org/advisories/CAU-2004-0002.txt 11008 imwheel-race-condition(17082) deleteicon.aspx in AspDotNetStorefront 3.3 allows remote attackers to delete arbitrary product images via a modified ProductID parameter. 20040609 Advisory: ASPDOTNETSTOREFRONT Improper Session Validation 3206 20040609 [FULL DISCLOSURE] ASPDOTNETSTOREFRONT Improper Session Validation 10506 aspdotnetstorefront-improper-validation(16377) Unrestricted file upload vulnerability in AspDotNetStorefront 3.3 allows remote authenticated administrators to upload arbitrary files with executable extensions via admin/images.aspx. 20040609 ASPDOTNETSTOREFRONT ASPDOTNETSTOREFRONT Improper Upload Validation Cross-site scripting (XSS) vulnerability in signin.aspx for AspDotNetStorefront 3.3 allows remote attackers to inject arbitrary web script or HTML via the returnurl parameter. 20040609 [FULL DISCLOSURE] ASPDOTNETSTOREFRONT Cross-Site Scripting Vulnerability 20040609 [FULL DISCLOSURE] ASPDOTNETSTOREFRONT Cross-Site Scripting Vulnerability 10507 aspdotnetstorefront-signin-xss(16426) Cross-site scripting (XSS) vulnerability in login_up.php3 in Plesk 7.0 and 7.1 Reloaded allows remote attackers to inject arbitrary web script or HTML via the login_name parameter. NOTE: this might be the same vector as CVE-2006-6451. 20040824 XSS in Plesk 7.1 Reloaded 20040824 Re: [Full-Disclosure] XSS in Plesk 7.1 Reloaded 20041223 Plesk 7 Cross-Site Scripting 1011042 11024 plesk-loginname-xss(17085) Clearswift MIMEsweeper 5.0.5, when it has been upgraded from MAILsweeper for SMTP version 4.3 or MAILsweeper Business Suite I or II, allows remote attackers to bypass scanning by including encrypted data in a mail message, which causes the message to be marked as "Clean" instead of "Encrypted". http://download.mimesweeper.com/www/TechnicalDocumentation/MSWSMTP505UpdateReadMe.htm 11669 mimesweeper-smtp-scan-bypass(18035) Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) does not send the "attachment" parameter in the Content-Disposition field for attachments, which causes the attachment to be rendered inline by Internet Explorer when the victim clicks the download link, which facilitates cross-site scripting (XSS) and possibly other attacks. 20040824 Hastymail security update http://hastymail.sourceforge.net/security.php 1011054 11022 hastymail-html-script-execution(17091) Unspecified vulnerability in Player vs. Player Gaming Network (PvPGN) before 1.6.4 allows remote attackers to obtain attributes of arbitrary accounts, including the password hash, via certain statsreq packets. http://forums.pvpgn.org/index.php/topic,2655.0.html 1011050 11035 pvpgn-statsreq-info-disclosure(17094) Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 1.0.4 allows remote attackers to cause a denial of service (crash) via conference packets with error messages. http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php Multiple unspecified vulnerabilities in Gyach Enhanced (Gyach-E) before 1.0.5 have unknown impact and attack vectors related to "several security flaws," probably related to buffer overflows in HTTP server responses. 1011058 http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php 10975 gyach-enhanced-dos(17096) Gyach Enhanced (Gyach-E) before 1.0.0 stores passwords in plaintext, which allows attackers to obtain user passwords by reading the configuration file. http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php Buffer overflow in the strip_html_tags method for Gyach Enhanced (Gyach-E) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors involving HTML tags. http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to (1) sending certain typing statuses or (2) setting the chat room status bar to the current chat room name. http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "avatar retrieval." http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php Buffer overflow in Gyach Enhanced (Gyach-E) before 1.0.0-SneakPeek-3 allows remote attackers to cause a denial of service (crash) via unspecified vectors related to "URL data." http://www.phrozensmoke.com/projects/pyvoicechat/changelog.php ** DISPUTED ** Zone Alarm Pro 1.0 through 5.1 gives full access to %windir%\Internet Logs\* to the EVERYONE group, which allows local users to cause a denial of service by modifying the folder contents or permissions. NOTE: this issue has been disputed by the vendor, who claims that it does not affect product functionality since the same information is also saved in a protected file. 20040825 Check Point - Zone Labs Division - Response to "Weak Default Permissions Vulnerability" 20040819 Unsecure file permission of ZoneAlarm pro. 20040820 Re: Unsecure file permission of ZoneAlarm pro. 20040821 Re: Unsecure file permission of ZoneAlarm pro. zonealarm-insecure-file-permission(17099) Unspecified vulnerability in Window Maker 0.80.2 and earlier allows attackers to perform unknown actions via format string specifiers in a font specification in WMGLOBAL, probably a format string vulnerability. 1011918 11512 windowmaker-wmglobal-improper-validation(17845) edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to bypass authentication and gain administrative privileges by setting the do_not_login parameter to false. 20040422 phpMyChat 0.14.5 1010515 10556 phpmychat-auth-bypass(16440) Multiple SQL injection vulnerabilities in usersL.php3 in PHPMyChat 0.14.5 allow remote attackers to execute arbitrary SQL commands via the (1) sortBy, (2) sortOrder, (3) startReg, (4) U, (5) LastCheck , and (6) R parameters. 20040422 phpMyChat 0.14.5 1010515 10556 phpmychat-sql-injection(16442) Multiple directory traversal vulnerabilities in admin.php3 in PHPMyChat 0.14.5 allow remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the (1) sheet and (2) What parameters. 20040422 phpMyChat 0.14.5 1010515 10556 PHPMyChat 0.14.5 does not remove or protect setup.php3 after installation, which allows attackers to obtain sensitive information including database passwords via a direct request. http://www.securiteam.com/unixfocus/6D00S0KC0S.html Buffer overflow in the UrlToLocal function in PunyLib.dll of Foxmail 5.0.300 allows remote attackers to execute arbitrary code via a mail message with a long From field, a different issue than CVE-2005-0339. 9954 foxmail-punylib-bo(15640) 164 Cross-site scripting (XSS) vulnerability in register.asp in Snitz Forums 2000 3.4.04 and earlier allows remote attackers to inject arbitrary web script or HTML via javascript events in the Email parameter. http://forum.snitz.com/forum/topic.asp?TOPIC_ID=53360 3200 1010524 20040617 XSS in Snitz Forum 2000 10564 snitz-input-validation-xss(16444) The CheckGroup function in openSkat VTMF before 2.1 generates public key pairs in which the "p" variable might not be prime, which allows remote attackers to determine the private key and decrypt messages. http://freshmeat.net/projects/openskat/?branch_id=36295&release_id=178549 1012181 11667 openskat-vtmf-weak-encryption(18049) ** DISPUTED ** Nessus 2.0.10a stores account passwords in plaintext in .nessusrc files, which allows local users to obtain passwords. NOTE: the original researcher reports that the vendor has disputed this issue. 20040326 Nessus stores credentials in plain text 1009575 nessus-nessusrc-plaintext-password(15644) NessusWX 1.4.4 stores account passwords in plaintext in .session files, which allows local users to obtain passwords. 20040327 NessusWX stores credentials in plain text 1009577 9993 nessuswx-sessionfiles-plaintext-password(15641) LionMax Software Chat Anywhere 2.72a allows remote attackers to cause a denial of service (server crash and client CPU consumption) via a username beginning with percent (%) followed by a null character. 20040827 DoS in Chat Anywhere 2.72a 1011080 http://www.autistici.org/fdonato/advisory/ChatAnywhere2.72a-adv.txt chat-anywhere-username-dos(17148) Multiple cross-site scripting (XSS) vulnerabilities in Aztek Forum 4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the search parameter in (a) search.php, (2) the email parameter in (b) subscribe.php, and (3) the return and (4) title parameters in (c) forum_2.php. 1012213 11654 aztek-forum-xss(18057) HTTPMail service in MailEnable Professional 1.18 does not properly handle arguments to the Authorization header, which allows remote attackers to cause a denial of service (null dereference and application crash). NOTE: This is a different vulnerability than CVE-2005-1348. 20040516 RE: Remote Buffer Overflow in MailEnable HTTPMail http://www.oliverkarow.de/research/MailWebHTTPAuthCrash.txt Buffer overflow in MEHTTPS (HTTPMail) of MailEnable Professional 1.5 through 1.7 allows remote attackers to cause a denial of service (application crash) via a long HTTP GET request. 1010107 10312 ADV-2005-0383 mailenable-enabled-mehttps-dos(16114) mailenable-disabled-mehttps-bo(16115) Buffer overflow in the FTP server of Hummingbird Connectivity 7.1 and 9.0 allows remote, authenticated users to cause a denial of service (application crash) via a long argument to the XCWD command. 1011942 11542 hummingbird-xwcd-dos(17855) Inetd32 Administration Tool of Hummingbird Connectivity 7.1 and 9.0 allows local users to execute arbitrary code by changing the program for handling incoming connections. 1011942 11539 hummingbird-inetd32-gain-privileges(17854) Sysinternals PsTools before 2.05, including (1) PsExec before 1.54, (2) PsGetsid before 1.41, (3) PsInfo before 1.61, (4) PsKill before 1.03, (5) PsList before 1.26, (6) PsLoglist before 2.51, (7) PsPasswd before 1.21, (8) PsService before 2.12, (9) PsSuspend before 1.05, and (10) PsShutdown before 2.32, does not properly disconnect from remote IPC$ and ADMIN$ shares, which allows local users to access the shares with elevated privileges by using the existing share mapping. 1010737 10759 http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=28304 pstools-gain-admin-access(16743) Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative buffer size to the copyin function. 20040629 linux kernel Sbus PROM driver multiple integer overflows 1010617 DSA-1503 http://www.securiteam.com/unixfocus/5GP0515DFW.html 10632 nbmember.cgi in Netbilling 2.0 allows remote attackers to obtain sensitive information via the cmd=test option, which can be leveraged to determine the access key. 1011881 http://web.archive.org/web/20041106200147/http://www.it-helpnet.de/bugless/bugs.php?mode=show&id=8&SID= 11504 netbilling-information-disclosure(17865) Web Wiz Forums 7.7a uses invalid logic to determine user privileges, which allows remote attackers to (1) block arbitrary IP addresses via pop_up_ip_blocking.asp or (2) modify topics via pop_up_topic_admin.asp. 20040430 Critical bug in Web Wiz Forum 1010012 10255 webwizforums-popuptopicadmin-modify(16030) webwizforums-unauth-ip-blocking(16031) webadmin-apache.conf in Novell Web Manager of Novell NetWare 6.5 uses an uppercase Alias tag with an inconsistent lowercase directory tag for a volume, which allows remote attackers to bypass access control to the WEB-INF folder. 1011012 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10094233.htm 11000 novell-webadminapache-security-bypass(40478) Cross-site scripting (XSS) vulnerability in P4DB 2.01 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) SET_PREFERENCES parameter in SetPreferences.cgi; (2) BRANCH parameter in branchView.cgi; (3) FSPC and (4) COMPLETE parameters in changeByUsers.cgi; (5) FSPC, (6) LABEL, (7) EXLABEL, (8) STATUS, (9) MAXCH, (10) FIRSTCH, (11) CHOFFSETDISP, (12) SEARCHDESC, (13) SEARCH_INVERT, (14) USER, (15) GROUP, and (16) CLIENT parameters in changeList.cgi; (17) CH parameter in changeView.cgi; (18) USER parameter in clientList.cgi; (19) CLIENT parameter in clientView.cgi; (20) FSPC parameter in depotTreeBrowser.cgi; (21) FSPC parameter in depotStats.cgi; (22) FSPC, (23) REV, (24) ACT, (25) FSPC2, (26) REV2, (27) CH, and (28) CONTEXT parameters in fileDiffView.cgi; (29) FSPC and (30) REV parameters in fileDownLoad.cgi; (31) FSPC, (32) LISTLAB, and (33) SHOWBRANCH parameters in fileLogView.cgi; (34) FSPC and (35) LABEL parameters in fileSearch.cgi; (36) FSPC, (37) REV, and (38) FORCE parameters in fileViewer.cgi; (39) FSPC parameter in filesChangedSince.cgi; (40) GROUP parameter in groupView.cgi; (41) TYPE, (42) FSPC, and (43) REV parameters in htmlFileView.cgi; (44) CMD parameter in javaDataView.cgi; (45) JOBVIEW and (46) FLD parameters in jobList.cgi; (47) JOB parameter in jobView.cgi; (48) LABEL1 and (49) LABEL2 parameters in labelDiffView.cgi; (50) LABEL parameter in labelView.cgi; (51) FSPC parameter in searchPattern.cgi; (52) TYPE, (53) FSPC, and (54) REV parameters in specialFileView.cgi; (55) GROUPSONLY parameter in userList.cgi; or (56) USER parameter in userView.cgi. 20040505 Multiple vulnerabilities in P4DB 1010078 10286 http://www.weak.org/~jammer/p4db_v2.01_patch_4.txt p4db-url-xss(16070) Polar HelpDesk 3.0 allows remote attackers to bypass authentication by setting the UserId and UserType values in a cookie. http://www.securiteam.com/windowsntfocus/5OP0K0ADGA.html 10775 polar-helpdesk-weak-security(16778) SQL injection vulnerability in problist.asp in NetSupport DNA HelpDesk 1.01 allows remote attackers to execute arbitrary SQL commands via the where parameter. http://www.securiteam.com/windowsntfocus/5PP0L0ADGE.html 10772 dnahelpdesk-problistasp-sql-injection(16782) Cross-site scripting (XSS) vulnerability in check_user_id.php in ZeroBoard 4.1pl4 and earlier allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. 20041223 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard 20041224 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard 1012677 12103 zeroboard-checkuserid-xss(18680) The setup routine (setup.php) in PHProjekt 4.2.1 and earlier allows remote attackers to modify system configuration via unknown attack vectors. 1012369 GLSA-200412-06 SuSE-SR:2004:004 http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=189&mode=thread&order=0 11797 phprojekt-setup-command-execution(18320) PHP remote file inclusion vulnerability in authform.inc.php in PHProjekt 4.2.3 and earlier allows remote attackers to include arbitrary PHP code via a URL in the path_pre parameter. 1012708 GLSA-200412-27 http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=193 12116 phprojekt-pathpre-file-include(18683) Cross-site scripting (XSS) vulnerability in the "help window" (help.php) in Horde Application Framework 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) module, (2) topic, or (3) module parameters. http://cvs.horde.org/diff.php/horde/templates/help/index.inc?r1=1.9.2.4&r2=1.9.2.5&ty=u [horde-announce] 20041026 Horde 2.2.7 (final) 1011959 11546 horde-help-window-xss(17881) Cross-site scripting (XSS) vulnerability in the report viewer in Crystal Enterprise 8.5, 9, and 10 allows remote attackers to inject arbitrary web script or HTML via script in the URL to a report (RPT) file. 1012703 http://support.businessobjects.com/library/kbase/articles/c2016559.asp 12107 crystal-enterprise-report-xss(18684) upload.cgi in Mega Upload Progress Bar before 1.45 allows remote attackers to copy or overwrite arbitrary files via unspecified parameters related to names of uploaded files. 1011960 http://sourceforge.net/project/shownotes.php?release_id=277989 http://www.raditha.com/blog/archives/000547.html 11547 megaupload-upload(17882) Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has unknown impact and attack vectors, related to a "security update release." 1011958 http://sourceforge.net/project/shownotes.php?release_id=277981 phplist(17883) Directory traversal vulnerability in Anteco Visual Technologies OwnServer 1.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. 3329 20040120 OwnServer 1.0 Directory Transversal Vulnerability 9461 1008800 SQL injection vulnerability in adminlogin.asp in XTREME ASP Photo Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. 3346 1008745 http://www.pensacolawebdesigns.com/xtremeasp/readmore.asp 20040115 Xtreme ASP Photo Gallery 9438 xtremeaspphotogallery-or-sql-injection(14860) Directory traversal vulnerability in Pablo Software Solutions Quick 'n Easy FTP Server 1.77, and possibly earlier versions, allows remote authenticated users to determine the existence of arbitrary files via a .. (dot dot) in the DEL command, which triggers different error messages depending on whether the file exists or not. 20040118 Pablo Sofware Solutions FTP server can detect if a file exists outside the FTP root directory 9443 1008756 viewreport.pl in NetIQ WebTrends Reporting Center Enterprise Edition 6.1a allows remote attackers to determine the installation path via an invalid profileid parameter, which leaks the pathname in an error message. 3354 20040120 WebTrends Reporting Center Path Disclosure vulnerability 9460 1008799 Directory traversal vulnerability in wra/public/wralogin in 2Wire Gateway, possibly as used in HomePortal and other product lines, allows remote attackers to read arbitrary files via a .. (dot dot) in the return parameter. NOTE: this issue was reported as XSS, but this might be a terminology error. 20040120 2Wire-Gateway Cross Site Scripting and Directory Transversal bug in SSL Form 1008798 9463 homeportal-wralogin-directory-traversal(14894) Directory traversal vulnerability in browser.php in JBrowser 1.0 through 2.1 allows remote attackers to read arbitrary files via the directory parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 1008909 9535 SQL injection vulnerability in the members_list module in PostNuke 0.726, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the sortby parameter. 20030309 Postnuke v 0.723 SQL injection and directory traversing http://community.postnuke.com/Article2535.htm 1008629 20040102 PostNuke Issues (0.726 && Possibly Older) postnuke-memberslist-sql-injection(11500) Cross-site scripting (XSS) vulnerability in the Downloads module in PostNuke up to 0.726, and possibly later versions, allows remote attackers to inject arbitrary HTML and web script via the ttitle parameter in a viewdownloaddetails action. 1008629 20040102 PostNuke Issues (0.726 && Possibly Older) Unspecified vulnerability in SharedX in HP-UX B.11.00, B.11.11, and B.11.22 allows local users to access unspecified files or cause a denial of service via unknown vectors related to handling of "files in a potentially insecure manner." O-058 9420 1008712 SSRT3476 hp-sharedx-insecure-files(14838) SQL injection vulnerability in SSI.php in YaBB SE 1.5.4, 1.5.3, and possibly other versions before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the ID_MEMBER parameter to the (1) recentTopics and (2) welcome functions. 3371 http://sourceforge.net/project/shownotes.php?release_id=210608&group_id=57105 20040119 Yabb SE SQL Injection 9449 1008764 http://www.yabbse.org/community/index.php?thread=27122 Cross-site scripting (XSS) vulnerability in Symantec Web Security 2.5, 3.0.0, and 3.0.1 before build 62 allows remote attackers to inject arbitrary web script or HTML via the query string in blocked URLs that are listed in (1) error or (2) block page messages. http://securityresponse.symantec.com/avcenter/security/Content/2004.01.13.html 9418 1008711 symantec-websecurity-blocked-xss(14825) Cross-site scripting (XSS) vulnerability in viewtopic.php in Xoops 2.x, possibly 2 through 2.0.5, allows remote attackers to inject arbitrary web script or HTML via the (1) forum and (2) topic_id parameters. 1008849 9497 Cross-site scripting (XSS) vulnerability in the failed login page in Novell iChain before 2.2 build 2.2.113 and 2.3 First Customer Ship (FCS) allows remote attackers to inject arbitrary web script or HTML via url parameter. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm 9412 ichain-url-xss(14873) Multiple unspecified vulnerabilities in the H.323 protocol implementation for Sun SunForum 3.2 and 3D 1.0 allow remote attackers to cause a denial of service (segmentation fault and process crash), as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. 1008749 101429 57476 200181 1000135 CA-2004-01 VU#749342 C07h2250v4-attacktool-malformed-packets(14173) Shared Sun StorEdge QFS and SAM-QFS file systems, as used in Utilization Suite 4.0 through 4.1 and Performance Suite 4.0 through 4.1, might allow local users to read portions of deleted files by accessing data within sparse files. 101527 200184 11559 storedge-deleted-obtain-info(17901) sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability. 20040412 BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE) 4100 20040413 Re: Fwd: [BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)] The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate. There are four significant mitigating factors. 1) Most enterprise-class certificates, such as VeriSign’s Extended Validation SSL Certificates use the still secure SHA-1 hash function. 2) Certificates already issued with MD5 signatures are not at risk. The exploit only affects new certificate acquisitions. 3) CAs are quickly moving to replace MD5 with SHA-1. For example, VeriSign was planning to phase out MD5 by the end of January 2009. The date was pushed up due to the December proof of concept. On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures. 4)The researchers did not release the under-the-hood specifics of how the exploit was executed. Source - http://www.techrepublic.com/blog/it-security/the-new-md5-ssl-exploit-is-not-the-end-of-civilization-as-we-know-it/?tag=nl.e036 http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/ http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx 4866 1024697 20090115 MD5 Hashes May Allow for Certificate Spoofing http://www.doxpara.com/research/md5/md5_someday.pdf VU#836068 http://www.microsoft.com/technet/security/advisory/961509.mspx http://www.phreedom.org/research/rogue-ca/ 20081230 MD5 Considered Harmful Today: Creating a rogue CA certificate 33065 USN-740-1 http://www.win.tue.nl/hashclash/rogue-ca/ http://www.win.tue.nl/hashclash/SoftIntCodeSign/ https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php https://bugzilla.redhat.com/show_bug.cgi?id=648886 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888 https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02 RHSA-2010:0837 RHSA-2010:0838 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03814en_us FEDORA-2009-1276 The server in IBM Tivoli Storage Manager (TSM) 4.2.x on MVS, 5.1.9.x before 5.1.9.1, 5.1.x before 5.1.10, 5.2.2.x before 5.2.2.3, 5.2.x before 5.2.3, 5.3.x before 5.3.0, and 6.x before 6.1, when the HTTP communication method is enabled, allows remote attackers to cause a denial of service (daemon crash or hang) via unspecified HTTP traffic, as demonstrated by the IBM port scanner 1.3.1. 1021946 34285 ADV-2009-0881 http://www-01.ibm.com/support/docview.wss?uid=swg21246076 http://www-01.ibm.com/support/docview.wss?uid=swg21375360 IC39395 tsm-http-dos(49535) The default configuration of Sun ONE/iPlanet Web Server 4.1 SP1 through SP12 and 6.0 SP1 through SP5 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting. 50603 http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf VU#867593 Sun SDK and Java Runtime Environment (JRE) 1.4.2 through 1.4.2_04, 1.4.1 through 1.4.1_07, and 1.4.0 through 1.4.0_04 allows untrusted applets and unprivileged servlets to gain privileges and read data from other applets via unspecified vectors related to classes in the XSLT processor, aka "XML sniffing." 57613 SSRT4806 1011661 20040808 Java XSLT security advisory addendum 10844 sun-xslt-applet-gain-privileges(16864) Cross-site scripting (XSS) vulnerability in Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, a different vulnerability than CVE-2005-2022 and CVE-2006-5486. http://sunsolve.sun.com/search/document.do?assetkey=1-21-116568-56-1 201601 Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02 allows remote attackers to obtain unspecified "access" to e-mail via a crafted e-mail message, related to a "session hijacking" issue, a different vulnerability than CVE-2005-2022 and CVE-2006-5486. http://sunsolve.sun.com/search/document.do?assetkey=1-21-116568-55-1 201180 NWFTPD.nlm before 5.04.25 in the FTP server in Novell NetWare does not promptly close DS sessions, which allows remote attackers to cause a denial of service (connection slot exhaustion) by establishing many FTP sessions that persist for the lifetime of a DS session. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 dpkg 1.9.21 does not properly reset the metadata of a file during replacement of the file in a package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid file, (2) setgid file, or (3) device, a related issue to CVE-2010-2059. [isn] 20031215 The mysteriously persistently exploitable program explained. http://www.hackinglinuxexposed.com/articles/20031214.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=225692 https://bugzilla.redhat.com/show_bug.cgi?id=598775 dpkg-setgid-privilege-escalation(59428) Cerberus FTP Server before 4.0.3.0 allows remote authenticated users to list hidden files, even when the "Display hidden files" option is enabled, via the (1) MLSD or (2) MLST commands. http://www.cerberusftp.com/phpBB3/viewtopic.php?f=4&t=644 http://www.cerberusftp.com/releasenotes.html 41285 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-3389. Reason: This candidate is a duplicate of CVE-2011-3389. Notes: All CVE users should reference CVE-2011-3389 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Per http://ekoparty.org/2011/juliano-rizzo.php, 'Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing.' The current configuration includes released versions of major browsers. List subject to change based on additional information as it becomes available. The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address. http://linux.oracle.com/errata/ELSA-2014-1999.html RHSA-2014:1999 [oss-security] 20141216 mailx issues (CVE-2004-2771, CVE-2014-7844) DSA-3105 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748 GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin administrator account of the ASACA DVD library, (3) an empty value for the gemsservice account of the Ultrasound Database, and possibly (4) gemnet2002 for the gemnet2002 account of the GEMNet license server, which has unspecified impact and attack vectors. NOTE: it is not clear whether this password is default, hardcoded, or dependent on another system or product that requires a fixed value. http://apps.gehealthcare.com/servlet/ClientServlet/2010564-002E.pdf?REQ=RAA&DIRECTION=2010564-002&FILENAME=2010564-002E.pdf&FILEREV=E&DOCREV_ORG=E http://www.forbes.com/sites/thomasbrewster/2015/07/10/vulnerable-breasts/ https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-02 https://twitter.com/digitalbond/status/619250429751222277 Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands. [oss-security] 20170128 Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. https://bugs.gentoo.org/show_bug.cgi?id=141619 https://bugs.gentoo.org/show_bug.cgi?id=396153 https://bugs.gentoo.org/show_bug.cgi?id=58611 https://bugs.gentoo.org/show_bug.cgi?id=607426 https://bugs.gentoo.org/show_bug.cgi?id=607430 id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS). https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=304913 https://bugzilla.gnome.org/show_bug.cgi?id=162647 https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/ ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been used as a placeholder by multiple organizations for multiple issues, but it is invalid. Notes: All CVE users should search CVE for the proper identifier. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been used as a placeholder by multiple organizations for multiple issues, but it is invalid. Notes: All CVE users should search CVE for the proper identifier. All references and descriptions in this candidate have been removed to prevent accidental usage.