Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.Ethernet frame padding information leakageNetwork device drivers reuse old frame buffer data to pad packetsbid 6535 More information regarding Etherleak20030110 More information regarding Etherleakhttp://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdfRHSA-2003:025OVAL2665RHSA-2003:0889962oval:org.mitre.oval:def:266520030106 Etherleak: Ethernet frame padding information leakage (A010603-1)799620030117 Re: More information regarding EtherleakCross-site scripting vulnerability (XSS) in ManualLogin.asp script for Microsoft Content Management Server (MCMS) 2001 allows remote attackers to execute arbitrary script via the REASONTXT parameter.CSS on Microsoft Content Management ServerCumulative Patch for Microsoft Content Management Server (810487)bid 5922mcms-manuallogin-reasontxt-xss (10318)5922Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information.Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)Buffer Overflow in Windows Locator ServiceMicrosoft Locator service contains buffer overflowbid 6666Microsoft Windows Locator service buffer overflow20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003)20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003)6666oval:org.mitre.oval:def:103Buffer overflow in the Windows Redirector function in Microsoft Windows XP allows local users to execute arbitrary code via a long parameter.Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)bid 677820030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability6778winxp-windows-redirector-bo(11260)Microsoft Outlook 2002 does not properly handle requests to encrypt email messages with V1 Exchange Server Security certificates, which causes Outlook to send the email in plaintext, aka "Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure."Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)bid 66676667outlook-v1-certificate-plaintext(11133)Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter.Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)MS-Windows ME IE/Outlook/HelpCenter critical vulnerabilitybid 6966Windows Me HSC hcp:// buffer overflowN-047VU#4897216074Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.Heap Overflow in Windows Script EngineFlaw in Windows Script Engine Could Allow Code Execution (814078)bid 714620030319 Windows Scripting Engine issueOVAL200OVAL794OVAL795OVAL134oval:org.mitre.oval:def:200oval:org.mitre.oval:def:794oval:org.mitre.oval:def:795oval:org.mitre.oval:def:13420030319 Heap Overflow in Windows Script EngineUnknown vulnerability in the DNS intrusion detection application filter for Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (blocked traffic to DNS servers) via a certain type of incoming DNS request that is not properly handled.Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)bid 7145The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data.Security Advisory - remote database password disclosurebid 6502Bugzilla data/mining directory changes to world writableDSA-230RHSA-2003:0126502The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file.Security Advisory - remote database password disclosurebid 6501DSA-230-1 bugzilla -- insecure permissions, spurious backup files6501bugzilla-htaccess-database-password(10970)6351gsinterf.c in bmv 1.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.For the stable distribution this problem has been fixed in version 1.2-14.2. For the unstable distribution this problem has been fixed in version 1.2-17.http://packages.debian.org/changelogs/pool/main/b/bmv/bmv_1.2-14.2/changelogDSA-63312229bmv-symlink(18823)10128471379313796Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands.CVS malformed directory name CVS remote vulnerabilityUpdated CVS packages availablebid 6650Concurrent Versions System (CVS) server improperly deallocates memoryhttp://lists.netsys.com/pipermail/full-disclosure/2003-January/003606.html20030120 Advisory 01/2003: CVS remote vulnerability20030124 Test program for CVS double-free.20030202 Exploit for CVS double free() for Linux pserverCA-2003-02DSA-233FreeBSD-SA-03:01MDKSA-2003:009RHSA-2003:01220030122 [security@slackware.com: [slackware-security] New CVS packages available]N-0326650Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names.http://www.apacheweek.com/issues/03-01-24#securityApache 2.0.44 Releasedbid 6659bid 6662VU#979793VU#8251776659apache-device-name-dos(11124)apache-device-code-execution(11125)Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain certain files via an HTTP request that ends in certain illegal characters such as ">", which causes a different filename to be processed and served.Apache 2.0.44 Releasedbid 6660Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.Updated 2.4 kernel fixes various vulnerabilitiesbid 6763Linux kernel O_DIRECT information leakDSA-423-1 linux-kernel-2.4.17-ia64 -- several vulnerabilitiesDSA-358MDKSA-2003:0146763uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode.Updated kernel-utils packages fix setuid vulnerabilitybid 6801Red Hat Linux uml_net utility could allow an attacker to gain privilegesVU#134025N-0446801Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Terminal Emulator Security IssuesApache Error Log Escape Sequence Injection VulnerabilityApache HTTP Server error log terminal escape sequence injection20030224 Terminal Emulator Security IssuesAPPLE-SA-2004-05-03GLSA-200405-22SSRT4717MDKSA-2003:050MDKSA-2004:046RHSA-2003:082RHSA-2003:083RHSA-2003:104RHSA-2003:139RHSA-2003:243RHSA-2003:244SSA:2004-133576281015552004-00172004-002720040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)oval:org.mitre.oval:def:150oval:org.mitre.oval:def:4114oval:org.mitre.oval:def:100109The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.Terminal Emulator Security Issuesbid 6936Multiple vendor terminal emulator screen dump file overwrite20030224 Terminal Emulator Security IssuesMDKSA-2003:0406936The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.Terminal Emulator Security Issuesbid 6938Multiple vendor terminal emulator screen dump file overwrite20030224 Terminal Emulator Security IssuesMDKSA-2003:034RHSA-2003:054RHSA-2003:0556938The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu.Terminal Emulator Security Issuesbid 6947Multiple vendor terminal emulator menuBar modification command execution20030224 Terminal Emulator Security IssuesMDKSA-2003:034RHSA-2003:055RHSA-2003:0546947The menuBar feature in aterm 0.42 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu.Terminal Emulator Security Issuesbid 6949Multiple vendor terminal emulator menuBar modification command execution20030224 Terminal Emulator Security Issues6949Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using mailbox.php3.imp -- SQL injectionIMP 2.x SQL injection vulnerabilitiesbid 655920030108 Re: IMP 2.x SQL injection vulnerabilities6559100590480878177Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname.CERT Advisory CA-2003-01 Buffer Overflows in ISC DHCPD Minires LibraryISC DHCPD minires library contains multiple buffer overflowsUpdated dhcp packages fix security vulnerabilitiesDSA-231-1 dhcp3 -- stack overflowsMDKSA-2003:007SuSE-SA:2003:000620030122 [securityslackware.com: [slackware-security] New DHCP packages available]N-031dhcpd-minires-multiple-bo(11073)CLA-2003:562MDKSA-2003:007OpenPKG-SA-2003.00266271005924Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.KCMS Library Service Daemon Arbitrary File Retrieval VulnerabilitySun KCMS library service daemon does not adequately validate location of KCMS profilesbid 666520030122 Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulner501046665solaris-kcms-directory-traversal(11129)oval:org.mitre.oval:def:120oval:org.mitre.oval:def:195oval:org.mitre.oval:def:2592Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. [slackware-security] glibc XDR overflow fix (SSA:2003-141-03)XDR Integer Overflowbid 7123CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines20030319 EEYE: XDR Integer Overflow20030319 EEYE: XDR Integer OverflowVU#516825DSA-282RHSA-2003:051RHSA-2003:052RHSA-2003:089RHSA-2003:09120030319 MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytesESA-20030321-010DSA-266DSA-27220030325 GLSA: glibc (200303-22)MDKSA-2003:037NetBSD-SA2003-008SuSE-SA:2003:0272003-001420030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03)OVAL230oval:org.mitre.oval:def:23020030331 GLSA: dietlibc (200303-29)20030331 GLSA: krb5 & mit-krb5 (200303-28)MDKSA-2003:03720030319 RE: EEYE: XDR Integer OverflowBuffer overflows in protegrity.dll of Protegrity Secure.Data Extension Feature (SEF) before 2.2.3.9 allow attackers with SQL access to execute arbitrary code via the extended stored procedures (1) xp_pty_checkusers, (2) xp_pty_insert, or (3) xp_pty_select.Protegrity Secure.Data for Microsoft SQL Server 2000 contains buffer overflows in extended stored proceduresProtegrity buffer overflowbid 7084bid 7085bid 70838294Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to cause a denial of service (crash).Multiple libmcrypt vulnerabilitieslibmcrypt -- buffer overflows and memory leakbid 651020030105 GLSA: libmcryptCLA-2003:56765101006181Memory leak in libmcrypt before 2.5.5 allows attackers to cause a denial of service (memory exhaustion) via a large number of requests to the application, which causes libmcrypt to dynamically load algorithms via libtool.Multiple libmcrypt vulnerabilitieslibmcrypt -- buffer overflows and memory leakbid 6512libmcrypt libtool memory leak20030105 GLSA: libmcryptCLA-2003:5676512Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before 1.9.1 allows remote attackers to execute arbitrary code via fragmented RPC packets.Snort RPC Preprocessing Vulnerabilitysnort-rpc-fragment-bo(10956)bid 6963Buffer overflow in Snort RPC preprocessor20030303 Snort RPC Vulnerability (fwd)DSA-297ESA-20030307-007GLSA-200304-06GLSA-200303-6.1MDKSA-2003:029CA-2003-134418Buffer overflow in the mtink status monitor, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long HOME environment variable.Buffer Overflows in Mandrake Linux printer-drivers Packageprinter-driversbid 665620030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers PackageMDKSA-2003:010MDKSA-2003:01066561005959Buffer overflow in escputil, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long printer-name command line argument.Buffer Overflows in Mandrake Linux printer-drivers Packagebid 6658printer-drivers20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers PackageMDKSA-2003:010MDKSA-2003:01020030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package66581005959ml85p, as included in the printer-drivers package for Mandrake Linux, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable filenames of the form "mlg85p%d".Buffer Overflows in Mandrake Linux printer-drivers Packageprinter-drivers20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers PackageMDKSA-2003:010MDKSA-2003:01020030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package1005959Buffer overflows in noffle news server 1.0.1 and earlier allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code.noffle -- buffer overflowsbid 66956695noffle-multiple-bo(11181)7955Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters.Mailman: cross-site scripting bugDSA-436-1 mailman -- several vulnerabilities667792051005987mailman-email-variable-xss(11152)ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count.DoS against DHCP infrastructure with isc dhcrelayignored counter boundaryISC DHCP dhcrelay (dhcp-relay) denial of serviceCLSA-2003:616RHSA-2003:034TLSA-2003-2620030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)VU#1499536628SQL injection vulnerability in the PostgreSQL auth module for courier 0.40 and earlier allows remote attackers to execute SQL code via the user name.courier-ssl -- missing input sanitizingbid 6738courierimap-authmysqllib-sql-injection(11213)Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.Updated kerberos packages fix vulnerability in ftp client20030128 MIT Kerberos FTP client remote shell commands executionMDKSA-2003:021MDKSA-2003:02179798114Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.Apache Tomcat 3.3.1abid 6721Apache Jakarta Tomcat 3 URL parsing vulnerabilityDSA-246-1 tomcat -- information exposure, cross site scriptingHPSBUX0303-249N-0606721tomcat-null-directory-listing(11194)79727977Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.Apache Tomcat 3.3.1abid 6722Apache Tomcat web.xml could be used to read filesDSA-246HPSBUX0303-249N-0606722Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.Apache Tomcat 3.3.1abid 6720DSA-246-1 tomcat -- information exposure, cross site scriptingHPSBUX0303-249N-0606720tomcat-web-app-xss(11196)920392047972Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.Apache Tomcat 3.3.1aJakarta Tomcat MS-DOS device name request denial of serviceAbsoluteTelnet SSH2 client does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials.SSH2 Clients Insecurely Store Passwordsbid 6725Celestial Software AbsoluteTelnet version 2.12 RC1320030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords672510060137686SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2.1.2 and 2.0.4, and (3) Entunnel 1.0.2 and earlier, do not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials.SSH2 Clients Insecurely Store Passwordsbid 672620030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords672667276728100601010060111006012PuTTY 0.53b and earlier does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials.SSH2 Clients Insecurely Store Passwordsbid 672420030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords67241006014Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password.Apple Security Updatesbid 6860Mac OS X Apple File Protocol (AFP) unauthorized accesshttp://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt68601006107parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via shell metacharacters.http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtQuickTime/Darwin Streaming Administration Server Multiple vulnerabilitiesQuickTime and Darwin Streaming Server parse_xml.cgi command executionbid 69546954parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter.http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtQuickTime/Darwin Streaming Administration Server Multiple vulnerabilitiesQuickTime and Darwin Streaming Server parse_xml.cgi path disclosurebid 69566956parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories.http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtQuickTime/Darwin Streaming Administration Server Multiple vulnerabilitiesQuickTime and Darwin Streaming Server parse_xml.cgi directory disclosurebid 69556955Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message.http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtQuickTime/Darwin Streaming Administration Server Multiple vulnerabilitiesQuickTime and Darwin Streaming Server parse_xml.cgi cross-site scriptingbid 69586958Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute certain code via a request to port 7070 with the script in an argument to the rtsp DESCRIBE method, which is inserted into a log file and executed when the log is viewed using a browser.http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtQuickTime/Darwin Streaming Administration Server Multiple vulnerabilitiesQuickTime and Darwin Streaming Server RTSP DESCRIBE cross-site scriptingbid 69606960Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename.http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtQuickTime/Darwin Streaming Administration Server Multiple vulnerabilitiesQuickTime and Darwin Streaming Server MP3 broadcasting buffer overflowbid 69576957Buffer overflow in secure locate (slocate) before 2.7 allows local users to execute arbitrary code via a long (1) -c or (2) -r command line argument.DSA-252-1 slocate -- buffer overflowUSG Security Advisory (slocate)GLSA: slocatebid 6676MDKSA-2003:01520030124 [USG- SA- 2003.001] USG Security Advisory (slocate)20030125 Re: [USG- SA- 2003.001] USG Security Advisory (slocate)CSSA-2003-009.0CLA-2003:643MDKSA-2003:015RHSA-2004:04120040202-01-U79828007823610720794781188749Multiple buffer overflows in Hypermail 2 before 2.1.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname.Hypermail buffer overflowsbid 6689bid 669020030126 Hypermail buffer overflowsDSA-24866896690hypermail-mail-attachment-bo(11157)hypermail-long-hostname-bo(11158)8030MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.MIT krb5 Security Advisory 2003-001MIT Kerberos V5 KDC vulnerable to denial-of-service via null pointer dereferencebid 6683CLSA-2003:639MDKSA-2003:043RHSA-2003:051RHSA-2003:052RHSA-2003:16850142oval:org.mitre.oval:def:1110kerberos-kdc-null-pointer-dos(10099)Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys.MIT krb5 Security Advisory 2003-001MIT Kerberos V5 allows inter-realm user impersonation by malicious realm controllers with shared keysbid 6714CLSA-2003:639MDKSA-2003:043RHSA-2003:051RHSA-2003:052RHSA-2003:168kerberos-kdc-user-spoofing(11188)Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names.MIT krb5 Security Advisory 2003-001MIT Kerberos V5 KDC logging routines use unsafe format stringsbid 6712kerberos-kdc-format-string(11189)4879CLSA-2003:639Buffer overflow in passwd for HP UX B.10.20 allows local users to execute arbitrary commands with root privileges via a long LANG environment variable.20030203 HP UX passwd Binary Buffer Overflow VulnerabilityBuffer overflow in Eset Software NOD32 for UNIX before 1.013 allows local users to execute arbitrary code via a long path name.NOD32 for UNIX long pathname buffer overflowBuffer Overflow In NOD32 Antivirus Software for Unixbid 680320030210 iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32 Antivirus Software for Unix6803The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security Issuesbid 6940Multiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security IssuesDSA-380RHSA-2003:064RHSA-2003:065RHSA-2003:066RHSA-2003:0676940The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security Issuesbid 6942Multiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security IssuesHPSBUX0401-3096942The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security Issuesbid 6945Multiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security Issues6945The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security Issuesbid 6953Multiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security Issues200303-16MDKSA-2003:003RHSA-2003:054RHSA-2003:0556953The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security IssuesMultiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security IssuesThe Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security Issuesbid 6941Multiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security IssuesDSA-496MDKSA-2003:04010237The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security IssuesMultiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security Issues8347VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security Issuesbid 6948Multiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security IssuesRHSA-2003:053GLSA-200303-2The DEC UDK processing feature in the xterm terminal emulator in XFree86 4.2.99.4 and earlier allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop.Terminal Emulator Security Issuesbid 6950Multiple vendor terminal emulator DEC UDK denial of service20030224 Terminal Emulator Security IssuesDSA-380RHSA-2003:064RHSA-2003:065RHSA-2003:066RHSA-2003:0676950The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun").Buffer overrun and underrun in principal name handlingkrb5 -- severalRHSA-2003:051RHSA-2003:05220030331 GLSA: krb5 & mit-krb5 (200303-28)540427184Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.Changes in release 3.23.55MYSQLOpenPKG Security Advisory (mysql)bid 6718DSA-303-1 mysql -- privilege escalationCLA-2003:743ESA-20030220-004MDKSA-2003:013RHSA-2003:093RHSA-2003:094RHSA-2003:1666718mysql-mysqlchangeuser-doublefree-dos(11199)oval:org.mitre.oval:def:436Format string vulnerability in mpmain.c for plpnfsd of the plptools package allows remote attackers to execute arbitrary code via the functions (1) debuglog, (2) errorlog, and (3) infolog.Local root vuln in SuSE 8.0 plptools packageRe: Local root vuln in SuSE 8.0 plptools packagebid 6715plptools-plpnsfd-format-string(11193)Integer signedness error in the myFseek function of samplein.c for Blade encoder (BladeEnc) 0.94.2 and earlier allows remote attackers to execute arbitrary code via a negative offset value following a "fmt" wave chunk.BladeEnc myFseek() code executionBladeenc 0.94.2 code executionGLSA: bladeencbid 674520030202 Bladeenc 0.94.2 code executionUnknown vulnerability in the directory parser for Direct Connect 4 Linux (dcgui) before 0.2.2 allows remote attackers to read files outside the sharelist.Security bug in versions < 0.2.2GLSA: qt-dcguiqt-dcgui directory parser could allow attacker to download filesThe hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and possibly later versions, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.Terminal Emulator Security IssuesMultiple vendor terminal emulator window title command execution20030224 Terminal Emulator Security IssuesRHSA-2003:070RHSA-2003:0714917ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."OpenSSL Security AdvisoryDSA-253-1 openssl -- information leak OpenPKG Security Advisory (openssl)bid 6884Multiple SSL/TLS implementation CBC ciphersuites information leak20030219 OpenSSL 0.9.7a and 0.9.6i releasedCLSA-2003:570ESA-20030220-005GLSA-200302-10RHSA-2003:062RHSA-2003:063RHSA-2003:082RHSA-2003:104RHSA-2003:20520030501-01-I2003-0005MDKSA-2003:020NetBSD-SA2003-001N-05168843945The DEC UDK processing feature in the hanterm (hanterm-xf) terminal emulator before 2.0.5 allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop.Terminal Emulator Security Issuesbid 6944Multiple vendor terminal emulator DEC UDK denial of service20030224 Terminal Emulator Security IssuesRHSA-2003:070RHSA-2003:07169444918The iptables ruleset in Gnome-lokkit in Red Hat Linux 8.0 does not include any rules in the FORWARD chain, which could allow attackers to bypass intended access restrictions if packet forwarding is enabled.Updated Gnome-lokkit packages fix vulnerabilitybid 7128GNOME Lokkit FORWARD chain bypasses firewall4400Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.Ethereal format string bug, yet still ethereal much better than windowsSOCKS string format vulnerability in Ethereal 0.9.9bid 7049ethereal -- format string vulnerability20030308 Ethereal format string bug, yet still ethereal much better than windowsCLSA-2003:627GLSA-200303-10MDKSA-2003:051RHSA-2003:076RHSA-2003:077SuSE-SA:2003:019ethereal-socks-format-string(11497)oval:org.mitre.oval:def:54The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").Buffer overrun and underrun in principal name handlingkrb5 -- severalRHSA-2003:051RHSA-2003:052RHSA-2003:091OVAL244OVAL2536OVAL4430oval:org.mitre.oval:def:244oval:org.mitre.oval:def:2536oval:org.mitre.oval:def:443020030331 GLSA: krb5 & mit-krb5 (200303-28)540427185Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.CVS log for apache-1.3/src/modules/standard/mod_log_config.cLNSA-#2004-0006: bug workaround for Apache 2.0.48Updated httpd packages fix security vulnerabilities.http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/loggers/mod_log_config.c?only_with_tag=APACHE_2_0_BRANCHOVAL15120040325 GLSA200403-04 Multiple security vulnerabilities in Apache 2oval:org.mitre.oval:def:1518146mod_auth_any package in Red Hat Enterprise Linux 2.1 and other operating systems does not properly escape arguments when calling other programs, which allows attackers to execute arbitrary commands via shell metacharacters.Updated mod_auth_any packages are availablebid 7448RHSA-2003:113http://www.itlab.musc.edu/webNIS/mod_auth_any.htmlN-090modauthany-command-execution(11893)Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.Security Bugfix for Samba - Samba 2.2.8 Releasedsamba -- remote exploitGLSA: samba (200303-11)bid 7106MDKSA-2003:032RHSA-2003:095SuSE-SA:2003:01620030302-01-IOVAL552VU#29823320030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba)oval:org.mitre.oval:def:55220030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL20030401 Immunix Secured OS 7+ samba updateGLSA-200303-11MDKSA-2003:03282998303RHSA-2003:096The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.samba -- remote exploitGLSA: samba (200303-11)bid 7107MDKSA-2003:032RHSA-2003:095SuSE-SA:2003:01620030302-01-IOVAL55420030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba)oval:org.mitre.oval:def:55420030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSLGLSA-200303-11MDKSA-2003:03282998303RHSA-2003:096Buffer overflow in libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2 allows local users to gain privileges via several possible attack vectors, including a long -im argument to aixterm.Buffer Overflow in AIX libIM.abid 684020030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a20030212 libIM.a buffer overflow vulnerabilityIY40307IY40317IY403206840aix-aixterm-libim-bo(11309)7996TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information.http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txtTruBlueEnvironment Privilege Escalation Attackbid 6859Mac OS X TruBlueEnvironment privilege elevation6859Buffer overflow in the Software Distributor utilities for HP-UX B.11.00 and B.11.11 allows local users to execute arbitrary code via a long LANG environment variable to setuid programs such as (1) swinstall and (2) swmodify.HP-UX Software Distributor Buffer Overflow VulnerabilityBuffer overflow in Software Distributor (SD) for HP-UXbid 8986HP-UX SD utilities buffer overflow20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2000-0844. Reason: This candidate is a duplicate of CVE-2000-0844. Notes: All CVE users should reference CVE-2000-0844 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.Solaris lpq Stack Buffer Overflow VulnerabilityOVAL438352443N-0688713oval:org.mitre.oval:def:438320030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow VulnerabilityHeap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.Solaris dtsession Heap Buffer Overflow VulnerabilityOVAL1905oval:org.mitre.oval:def:190520030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability523887240The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0, which causes tcpdump to generate data within an infinite loop.tcpdump can crash a machine when it sees certain udp packetstcpdump-radius-decoder-dos (11324)DSA-261MDKSA-2003:027RHSA-2003:032RHSA-2003:033RHSA-2003:214tcpdump-radius-decoder-dos(11324)A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.util-linuxbid 6855util-linux mcookie utility generates predictable cookiesMDKSA-2003:0166855Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via a long username that is provided during login, as exploitable through client applications that perform their own authentication, as demonstrated using LOADPSP.Oracle unauthenticated remote system compromise (#NISR16022003a)bid 6849CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle ServersOracle unauthenticated remote system compromise (#NISR16022003a)Oracle Database Server ORACLE.EXE username buffer overflowVU#953746N-04668496319Multiple buffer overflows in Oracle 9i Database release 2, Release 1, 8i, 8.1.7, and 8.0.6 allow remote attackers to execute arbitrary code via (1) a long conversion string argument to the TO_TIMESTAMP_TZ function, (2) a long time zone argument to the TZ_OFFSET function, or (3) a long DIRECTORY parameter to the BFILENAME function.bid 6847bid 6848bid 6850Oracle Database Server TO_TIMESTAMP_TZ() buffer overflowOracle9i Database contains remotely exploitable buffer overflow in "TO_TIMESTAMP_TZ" functionhttp://otn.oracle.com/deploy/security/pdf/2003alert50.pdfhttp://otn.oracle.com/deploy/security/pdf/2003alert49.pdfVU#743954http://otn.oracle.com/deploy/security/pdf/2003alert48.pdfVU#663786CA-2003-05oracle-bfilename-directory-bo(11325)oracle-tzoffset-bo(11326)20030217 Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b)20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)20030217 Oracle unauthenticated remote system compromise (#NISR16022003a)N-046684768486850Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).http://www.slackware.com/changelog/current.php?cpu=i386CGI vulnerability in PHP version 4.3.0bid 6875GLSA: mod_php phpPHP could allow access to the CGI SAPIGLSA-200302-09.16875Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server.apcupsdDiff for /apcupsd/apcupsd/src/apcnisd.c between version 1.5 and 1.6Apcupsd Format String Flaw May Let Remote Users Gain Root AccessDSA-277-1 apcupsd -- buffer overflows, format stringhttp://hsj.shadowpenguin.org/misc/apcupsd_exp.txthttp://sourceforge.net/project/shownotes.php?release_id=137900MDKSA-2003:018SuSE-SA:2003:022CSSA-2003-015.07200apcupsd-logevent-format-string(11334)1006108MDKSA-2003:0186828Multiple buffer overflows in apcupsd before 3.8.6, and 3.10.x before 3.10.5, may allow attackers to cause a denial of service or execute arbitrary code, related to usage of the vsprintf function.apcupsdApcupsd UPS control software: Release Notesbid 6828DSA-277-1 apcupsd -- buffer overflows, format stringApcupsd vsprintf() multiple buffer overflowshttp://sourceforge.net/project/shownotes.php?release_id=137892MDKSA-2003:0187200CSSA-2003-015.0MDKSA-2003:018SuSE-SA:2003:0221006108Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements.Cisco IOS OSPF exploitRe: Cisco IOS OSPF exploitbid 6895Cisco IOS OSPF neighbor buffer overflow6895miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges.Webmin/Usermin Session ID Spoofing Vulnerability Webmin version 1.070 released - fixes security holebid 6915Webmin and Usermin session ID spoofing root accessMDKSA-2003:025http://www.lac.co.jp/security/english/snsadv_e/62_e.htmlDSA-319ESA-20030225-006HPSBUX0303-25020030602-01-IN-058691520030224 GLSA: usermin (200302-14)20030224 Webmin 1.050 - 1.060 remote exploitMDKSA-2003:025811581631006160Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).Locally Exploitable Buffer Overflow in file(1)bid 7008bid 700920030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1)DSA-260IMNX-2003-7+-012-01MDKSA-2003:030NetBSD-SA2003-003SuSE-SA:2003:017RHSA-2003:086RHSA-2003:087VU#611865file-afctr-read-bo(11469)Format string vulnerability in Nokia 6210 handset allows remote attackers to cause a denial of service (crash, lockup, or restart) via a Multi-Part vCard with fields containing a large number of format string specifiers.bid 6952nokia-6210-vcard-dos(11421)Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8.40, and 8.41 allows remote attackers to overwrite arbitrary files via the SchedulerTransfer servlet.PeopleSoft PeopleTools Remote Command Execution Vulnerabilitypeoplesoft-schedulertransfer-create-files(10962)bid 7053ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Status Message, or (3) Allow HTTP responses, which could tell remote attackers that the web server is an IIS server.Port80 Software ServerMask inconsistenciesServerMask header field obtain information20040810 Corsaire Security Advisory - Port80 Software ServerMask inconsistenciesThe HTTP proxy for Symantec Enterprise Firewall (SEF) 7.0 allows proxy users to bypass pattern matching for blocked URLs via requests that are URL-encoded with escapes, Unicode, or UTF-8.Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issueHow to protect against directory traversal and URL overflow attacksbid 719620030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issueBuffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.buffer overrun in zlib 1.1.4oc zlib sploit just for fun :)bid 6913zlib gzprintf() buffer overflowhttp://lists.apple.com/mhonarc/security-announce/msg00038.html20030224 Re: buffer overrun in zlib 1.1.420030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25CSSA-2003-011.0CLSA-2003:619GLSA-200303-25MDKSA-2003:033NetBSD-SA2003-004RHSA-2003:079RHSA-2003:08157405VU#14212169136599isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop.bid 6974TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsingtcpdump -- infinite looptcpdump ISAKMP parsing denial of service20030227 iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet ParsinCLA-2003:629MDKSA-2003:027RHSA-2003:032RHSA-2003:085RHSA-2003:214SuSE-SA:2003:001520030304 [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump)Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.Microsoft IIS WebDAV Remote Compromise VulnerabilityUnchecked Buffer In Windows Component Could Cause Web Server Compromise (815021)CERT Advisory CA-2003-09 Buffer Overflow in Core Microsoft Windows DLLMicrosoft IIS WebDAV long request buffer overflowbid 7116Q815021http://www.nextgenss.com/papers/ms03-007-ntdll.pdfOVAL109VU#11739420030321 New attack vectors and a vulnerability dissection of MS03-00720030321 New attack vectors and a vulnerability dissection of MS03-00720030325 IIS 5.0 WebDAV -Proof of concept-. Fully documented.20030326 WebDAV exploit: using wide character decoder scheme20030328 Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit20030708 WDAV exploit without netcat and with pretty magic numberoval:org.mitre.oval:def:109The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745.Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration Server 2000Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service (331066)bid 7314OVAL40620030409 iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration Server 2000 oval:org.mitre.oval:def:406The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise."Flaw in Microsoft VM Could Enable System Compromise (816093)Microsoft Windows Virtual Machine (VM) ByteCode Verifier fails to properly check Java applets for malicious codebid 6221msvm-bytecode-improper-validation(11751)OVAL136oval:org.mitre.oval:def:136Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)bid 7370VU#446338OVAL1264OVAL142OVAL262OVAL779win-kernel-lpcrequestwaitreplyport-bo(11803)OVAL2022OVAL2265OVAL3145oval:org.mitre.oval:def:1264oval:org.mitre.oval:def:142oval:org.mitre.oval:def:262oval:org.mitre.oval:def:779oval:org.mitre.oval:def:2022oval:org.mitre.oval:def:2265oval:org.mitre.oval:def:3145Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields.Buffer overflow in Internet Explorer's HTTP parsing codeCumulative Patch for Internet Explorer (813489)bid 7419OVAL926VU#16975320030701 URLMON.DLL buffer overflow - technical detailsoval:org.mitre.oval:def:926The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. internet explorer local file readingCumulative Patch for Internet Explorer (813489)bid 6749OVAL963oval:org.mitre.oval:def:963Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check parameters that are passed during third party rendering, which could allow remote attackers to execute arbitrary web script, aka the "Third Party Plugin Rendering" vulnerability, a different vulnerability than CVE-2003-0233.Cumulative Patch for Internet Explorer (813489)bid 7491Microsoft Internet Explorer improper rendering of third party file types could allow code executionMicrosoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check the Cascading Style Sheet input parameter for Modal dialogs, which allows remote attackers to read files on the local system via a web page containing script that creates a dialog and then accesses the target files, aka "Modal Dialog script execution."Cumulative Patch for Internet Explorer (813489)bid 630620021203 Poisonous Style for Dialog window turns the zone off.VU#244729Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ISAPI) of Microsoft BizTalk Server 2002 allows attackers to execute arbitrary code via a certain request to the HTTP receiver.Cumulative Patch for BizTalk Server (815206)bid 746920030505 Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflowSQL injection vulnerability in the Document Tracking and Administration (DTA) website of Microsoft BizTalk Server 2000 and 2002 allows remote attackers to execute operating system commands via a request to (1) rawdocdata.asp or (2) RawCustomSearchField.asp containing an embedded SQL statement.Cumulative Patch for BizTalk Server (815206)bid 747020030505 Microsoft Biztalk Server DTA vulnerable to SQL injectionThe secldapclntd daemon in AIX 4.3, 5.1 and 5.2 uses an Internet socket when communicating with the loadmodule, which allows remote attackers to directly connect to the daemon and conduct unauthorized activities.IBM AIX "secldapclntd" daemon authentication vulnerabilitybid 7264MSS-OAR-E01-2003:0245.18221adb2mhc in the mhc-utils package before 0.25+20010625-7.1 allows local users to overwrite arbitrary files via a symlink attack on a default temporary directory with a predictable name.mhc -- insecure temporary file6978mhc-adb2mhc-insecure-tmp(11439)Clearswift MAILsweeper 4.x allows remote attackers to bypass attachment detection via an attachment that does not specify a MIME-Version header field, which is processed by some mail clients.Clearswift MAILsweeper MIME attachment evasion issuebid 704420030326 RE: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issueBuffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote attackers to execute arbitrary code via a long distinguished name (DN) during NotesRPC authentication and an outer field length that is less than that of the DN field.Buffer Overflow in Lotus Notes Protocol AuthenticationBuffer Overflow During Notes Authentication to Domino Serverbid 7037http://www.rapid7.com/advisories/R7-0010.html20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol AuthenticationCA-2003-11VU#433489N-065lotus-nrpc-bo(11526)Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 through R6 allows remote malicious web servers to cause a denial of service (crash) via a long HTTP status line.Lotus Notes/Domino Web Retriever HTTP Status Buffer OverflowWeb Retriever Buffer Overflow May Cause Denial of Servicebid 7038http://www.rapid7.com/advisories/R7-0011.htmlCA-2003-11VU#411489N-065lotus-web-retriever-bo(11525)man before 1.5l allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call if it is in the search path of the user who runs man.Vulnerability in man < 1.5lbid 7066CLSA-2003:620GLSA-200303-13RHSA-2003:133RHSA-2003:134man-myxsprintf-code-execution(11512)Buffer overflow in the web interface for SOHO Routefinder 550 before firmware 4.63 allows remote attackers to cause a denial of service (reboot) and execute arbitrary code via a long GET /OPTIONS value.SOHO Routefinder 550 VPN, DoS and Buffer OverflowSOHO Routefinder 550 VPN, DoS and Buffer Overflow7067routefinder-vpn-options-bo(11514)The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, and possibly later versions, has a default "admin" account with a blank password, which could allow attackers on the LAN side to conduct unauthorized activities.SOHO Routefinder 550 VPN, DoS and Buffer OverflowThe kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.Updated 2.4 kernel fixes vulnerabilitybid 7112ptrace contains vulnerability allowing for local root compromiseRHSA-2003:088DSA-270DSA-276DSA-311DSA-312DSA-332DSA-336DSA-423DSA-495MDKSA-2003:038MDKSA-2003:039CSSA-2003-020.0RHSA-2003:145GLSA-200303-17OVAL25420030317 Fwd: Ptrace hole / Linux 2.2.25ESA-20030515-017oval:org.mitre.oval:def:254RHSA-2003:103MDKSA-2003:038MDKSA-2003:039The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow.Multiple vulnerabilities in Ximian's Evolution Mail User Agentbid 711720030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User AgentRHSA-2003:108MDKSA-2003:045OVAL107CLA-2003:64820030321 GLSA: evolution (200303-18)oval:org.mitre.oval:def:107GLSA-200303-18MDKSA-2003:045Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times.GLSA: evolution (200303-18)Multiple vulnerabilities in Ximian 's Evolution Mail User Agentbid 711820030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User AgentRHSA-2003:108MDKSA-2003:045OVAL108CLA-2003:648oval:org.mitre.oval:def:108GLSA-200303-18MDKSA-2003:045The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. GLSA: evolution (200303-18)Multiple vulnerabilities in Ximian 's Evolution Mail User Agentbid 711920030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User AgentRHSA-2003:108MDKSA-2003:045OVAL111CLA-2003:648oval:org.mitre.oval:def:111GLSA-200303-18MDKSA-2003:045The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."Klima-Pokorny-Rosa attack on PKCS #1 v1.5 paddingAttacking RSA-based Sessions in SSL/TLSbid 7148SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extensionMDKSA-2003:035NetBSD-SA2003-007RHSA-2003:101RHSA-2003:102DSA-28820030501-01-Ihttp://lists.apple.com/mhonarc/security-announce/msg00028.htmlhttp://www.openssl.org/news/secadv_20030319.txtIMNX-2003-7+-001-01SuSE-SA:2003:024OVAL46120030324 GLSA: openssl (200303-20)CLA-2003:6252003-0013oval:org.mitre.oval:def:46120030327 Immunix Secured OS 7+ openssl updateCSSA-2003-014.0GLSA-200303-20OpenPKG-SA-2003.026MDKSA-2003:035SuSE-SA:2003:024A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.Apache 2.0.45 Releasedbid 7254http://www.idefense.com/advisory/04.08.03.txtRHSA-2003:139http://lists.apple.com/mhonarc/security-announce/msg00028.htmlOVAL156VU#20653720030408 iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x20030408 Exploit Code Released for Apache 2.x Memory Leak20030409 GLSA: apache (200304-01)20030410 working apache <= 2.0.44 DoS exploit for linux.20030411 PATCH: [CAN-2003-0132] Apache 2.0.44 Denial of Serviceoval:org.mitre.oval:def:156GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages.Updated gtkhtml packages fix vulnerabilitygtkhtmlbid 7350MDKSA-2003:046OVAL138CLA-2003:737oval:org.mitre.oval:def:138MDKSA-2003:046Unknown vulnerability in filestat.c for Apache running on OS2, versions 2.0 through 2.0.45, allows unknown attackers to cause a denial of service via requests related to device names.Apache 2.0.45 Released20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 releasedvsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended.Updated vsftpd packages re-enable tcp_wrappers supportbid 7253OVAL634oval:org.mitre.oval:def:634psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.lprng -- insecure temporary filebid 7334Updated LPRng packages fix psbanner vulnerabilityOVAL423oval:org.mitre.oval:def:423SNMP daemon in the DX200 based network element for Nokia Serving GPRS support node (SGSN) allows remote attackers to read SNMP options via arbitrary community strings.Nokia SGSN (DX200 Based Network Element) SNMP issuebid 70818301Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.DSA-266-1 krb5 -- several vulnerabilitiesCryptographic weaknesses in Kerberos v4 protocolCryptographic weakness in Kerberos Version 4 protocolDSA-269DSA-273RHSA-2003:051RHSA-2003:052RHSA-2003:091OVAL24820030319 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4oval:org.mitre.oval:def:24820030331 GLSA: krb5 & mit-krb5 (200303-28)7113Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4Cryptographic weaknesses in Kerberos v4 protocolMIT Kerberos vulnerable to ticket splicing when using Kerberos4 triple DES service ticketsDSA-266DSA-273RHSA-2003:051RHSA-2003:052RHSA-2003:091OVAL250oval:org.mitre.oval:def:25020030330 GLSA: openafs (200303-26)20030331 GLSA: krb5 & mit-krb5 (200303-28)Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.Vulnerability in Mutt Mail User Agentmutt-1.4.1 fixes a buffer overflow.bid 7120Mutt long folder name buffer overflowDSA-268SuSE-SA:2003:020MDKSA-2003:041RHSA-2003:109OVAL2OVAL434CLA-2003:626CLA-2003:63020030320 [OpenPKG-SA-2003.025] OpenPKG Security Advisory (mutt)20030322 GLSA: mutt (200303-19)20030430 GLSA: balsa (200304-10)oval:org.mitre.oval:def:2oval:org.mitre.oval:def:434GLSA-200303-19MDKSA-2003:041The PNG deflate algorithm in RealOne Player 6.0.11.x and earlier, RealPlayer 8/RealPlayer Plus 8 6.0.9.584, and other versions allows remote attackers to corrupt the heap and overwrite arbitrary memory via a PNG graphic file format containing compressed data using fixed trees that contain the length values 286-287, which are treated as a very large length.RealPlayer PNG deflate heap corruption vulnerabilityBID 717720030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerabilityhttp://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10VU#705761Adobe Acrobat Reader (acroread) 6, under certain circumstances when running with the "Certified plug-ins only" option disabled, loads plug-ins with signatures used for older versions of Acrobat, which can allow attackers to cause Acrobat to enter Certified mode and run untrusted plugins by modifying the CTIsCertifiedMode function.20030708 Adobe Acrobat and PDF security: no improvements for 2 yearsVU#689835The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null terminate a message buffer after a call to Qvsnprintf, which could allow authenticated users to execute arbitrary code via a buffer overflow in a mdef command with a long macro name.QPopper 4.0.x buffer overflow vulnerabilityqpopper -- mail user privilege escalationbid 7058Qpopper pop_msg () long macroname buffer overflow20030312 Re: QPopper 4.0.x buffer overflow vulnerabilityGLSA-200303-12SuSE-SA:2003:01820030314 [OpenPKG-SA-2003.018] OpenPKG Security Advisory (qpopper)Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name.lproldbid 7025OpenBSD lprm buffer overflowftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patchDSA-267DSA-275MDKSA-2003:05920030406-02-PSuSE-SA:2003:001420030305 potential buffer overflow in lprm (fwd)20030308 OpenBSD lprm(1) exploitMDKSA-2003:0598293Unknown vulnerability in tcpdump before 3.7.2 related to an inability to "Handle unknown RADIUS attributes properly," allows remote attackers to cause a denial of service (infinite loop), a different vulnerability than CAN-2003-0093.DSA-261MDKSA-2003:027RHSA-2003:032RHSA-2003:151RHSA-2003:214tcpdump-radius-attribute-dos(11857)Multiple vulnerabilities in NetPBM 9.20 and earlier, and possibly other versions, may allow remote attackers to cause a denial of service or execute arbitrary code via "maths overflow errors" such as (1) integer signedness errors or (2) integer overflows, which lead to buffer overflows.NetPBM, multiple vulnerabilitiesnetpbm-free -- math overflow errorsRHSA-2003:060VU#6304336979netpbm-multiple-bo(11463)CLSA-2003:656OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).Vulnerability in OpenSSLOpenSSL Private Key DisclosureTiming Attack on OpenSSLCryptographic libraries and applications do not adequately defend against timing attacksbid 7101http://www.openssl.org/news/secadv_20030317.txthttp://crypto.stanford.edu/~dabo/papers/ssl-timing.pdfDSA-288MDKSA-2003:035RHSA-2003:101RHSA-2003:10220030501-01-IOVAL466CLA-2003:625GLSA-200303-24GLSA-200303-1520030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)oval:org.mitre.oval:def:46620030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL20030327 Immunix Secured OS 7+ openssl updateCSSA-2003-014.0GLSA-200303-23OpenPKG-SA-2003.019The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 through 3.0 allows attackers to execute arbitrary code via a series of steps that (1) obtain the database administrator username and encrypted password in a configuration file from the ePO server using a certain request, (2) crack the password due to weak cryptography, and (3) use the password to pass commands through xp_cmdshell.ePolicy Orchestrator Multiple VulnerabilitiesNetwork Associates Security Bulletin 07/31/03bid 8319Heap-based buffer overflow in ePO agent for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request containing long parameters.ePolicy Orchestrator Multiple VulnerabilitiesNetwork Associates Security Bulletin 07/31/03bid 8316MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf.MySQL_user_can_be_changed_to_root?bid 7052OpenPKG Security Advisory (mysql)20030308 MySQL_user_can_be_changed_to_root?20030310 Re: MySQL user can be changed to rootCLA-2003:743DSA-303ESA-20030324-012RHSA-2003:093RHSA-2003:094MDKSA-2003:05720030318 [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql)20030318 GLSA: mysql (200303-14)VU#203897mysql-datadir-root-privileges(11510)OVAL442oval:org.mitre.oval:def:442MDKSA-2003:057BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code.Remote Administration of BEA WebLogic Server and ExpressMultiple vulnerabilities in BEA WebLogic Serverhttp://www.s21sec.com/en/avisos/s21sec-011-en.txthttp://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp71227124Unknown vulnerability in bonsai Mozilla CVS query tool allows remote attackers to execute arbitrary commands as the www-data user.bonsai -- severalbid 7162bonsai Mozilla CVS query tool leaks the absolute pathname of the tool in certain error messages generated by (1) cvslog.cgi, (2) cvsview2.cgi, or (3) multidiff.cgi.Bonsai XSS and Physical Path Revealing Vulnerabilitiesbonsai -- severalbid 5517http://bugzilla.mozilla.org/show_bug.cgi?id=187230bonsai-path-disclosure(9921)5517Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query tool allow remote attackers to execute arbitrary web script via (1) the file, root, or rev parameters to cvslog.cgi, (2) the file or root parameters to cvsblame.cgi, (3) various parameters to cvsquery.cgi, (4) the person parameter to showcheckins.cgi, (5) the module parameter to cvsqueryform.cgi, and (6) possibly other attack vectors as identified by Mozilla bug #146244.Bonsai XSS and Physical Path Revealing Vulnerabilitiesbonsai -- severalbid 5516http://bugzilla.mozilla.org/show_bug.cgi?id=163573http://bugzilla.mozilla.org/show_bug.cgi?id=146244bonsai-error-message-xss(9920)bonsai Mozilla CVS query tool allows remote attackers to gain access to the parameters page without authentication.bonsai -- severalbid 7163Directory traversal vulnerability in Cross-Referencing Linux (LXR) allows remote attackers to read arbitrary files via .. (dot dot) sequences in the v parameter.Cross-Referencing Linux vulnerabilitylxr -- missing filename sanitizingbid 7062** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0138. Reason: This candidate is a reservation duplicate of CVE-2003-0138 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0138 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0139. Reason: This candidate is a reservation duplicate of CVE-2003-0139 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0139 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code.SOCKS string format vulnerability in Ethereal 0.9.9etherealbid 7050SuSE-SA:2003:019MDKSA-2003:051OVAL5520030309 GLSA: ethereal (200303-10)RHSA-2003:077oval:org.mitre.oval:def:55MDKSA-2003:051Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser.SquirrelMail 1.2.11 has been releasedRHSA-2003:112OVAL614oval:org.mitre.oval:def:614The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337.Sendmail: -1 gone wildCERT Advisory CA-2003-12 Buffer Overflow in Sendmailbid 7230Updated sendmail packages fix vulnerability20030329 Sendmail: -1 gone wildVU#897604FreeBSD-SA-03:07RHSA-2003:121SCOSA-2004.1120030401-01-PCSSA-2003-016.0DSA-278DSA-290http://lists.apple.com/mhonarc/security-announce/msg00028.html20030329 sendmail 8.12.9 availableCLA-2003:61420030330 [OpenPKG-SA-2003.027] OpenPKG Security Advisory (sendmail)20030520 [Fwd: 127 Research and Development: 127 Day!]20030331 GLSA: sendmail (200303-27)20030401 Immunix Secured OS 7+ openssl updateGLSA-200303-275262052700Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote attackers to reset passwords of other users and gain privileges by modifying hidden form fields in the HTML page.Ecartis password resetEcardis Password Reseting Vulnerabilitybid 6971DSA-27120030227 Ecardis Password Reseting Vulnerabilitydecrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does not properly validate a message length parameter, which allows remote attackers to cause a denial of service (crash) via a negative length, which overwrites arbitrary heap memory with a zero byte.Heap Corruption in Gaim-Encryption Pluginbid 718220030412 R7-0013: Heap Corruption in Gaim-Encryption PluginFormat string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display.Updated Eye of GNOME packages fix vulnerabilitybid 712120030328 CORE-2003-0304-03: Vulnerability in GNOME's Eye of Gnome20030328 Vulnerability in GNOME's Eye of GnomeMDKSA-2003:048OVAL52VU#363001oval:org.mitre.oval:def:52MDKSA-2003:048Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions.nteger overflow in PHP memory allocatorbid 7197bid 7198bid 719920030327 RE: FUD-ALARM: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator20030402 Inaccurate Reports Concerning PHP VulnerabilitiesCLSA-2003:691Multiple off-by-one buffer overflows in the IMAP capability for Mutt 1.3.28 and earlier, and Balsa 1.2.4 and earlier, allow a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder, a different vulnerability than CVE-2003-0140.mutt -- buffer overflowbid 7229DSA-300Buffer overflow in Apple QuickTime Player 5.x and 6.0 for Windows allows remote attackers to execute arbitrary code via a long QuickTime URL.[VulnWatch] iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Playerhttp://www.idefense.com/advisory/03.31.03.txthttp://lists.apple.com/mhonarc/security-announce/msg00027.htmlVU#11255320030401 Fwd: QuickTime 6.1 for Windows is available20030401 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player724710561quicktime-url-bo(11671)hpnst.exe in the GoAhead-Webs webserver for HP Instant TopTools before 5.55 allows remote attackers to cause a denial of service (CPU consumption) via a request to hpnst.exe that calls itself, which causes an infinite loop.Malformed request causes denial of service in HP Instant TopToolsbid 724620030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopToolsUnknown vulnerability in ftpd in IBM AIX 5.2, when configured to use Kerberos 5 for authentication, allows remote attackers to gain privileges via unknown attack vectors.NATIVE GSSAPI FTPD INCORRECTLY AUTHENTICATES USERbid 7346Aix ftpd (File Transfer Protocol Daemon) Kerberos 5 authentication allows unauthorized accessMSS-OAR-E01-2003.0469.14878DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program.MacOS X DirectoryService Privilege Escalation and DoS Attackbid 7322http://lists.apple.com/mhonarc/security-announce/msg00028.htmlBuffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.PHP for Win32: buffer overflow in openlog() functionbid 721020030402 Inaccurate Reports Concerning PHP Vulnerabilities20030327 Re: @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function20041222 PHP v4.3.x exploit for Windows.2113php-openlog-stack-bo(11637)xfsdq in xfsdump does not create quota information files securely, which allows local users to gain root privileges.xfsdump creates files insecurelybid 7321xfsdump -- insecure file creationMDKSA-2003:047VU#111673MDKSA-2003:047The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password.Vulnerability in nsd LDAP Implementationbid 7442N-084irix-ldap-authentication-bypass(11860)SGI IRIX before 6.5.21 allows local users to cause a denial of service (kernel panic) via a certain call to the PIOCSWATCH ioctl.SGI IRIX vulnerable to DoS when user space program calls the PIOCSWATCH ioctl() functionSGI IRIX PIOCSWATCH ioctl() denial of servicebid 78681008770The Name Service Daemon (nsd), when running on an NIS master on SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows remote attackers to cause a denial of service (crash) via a UDP port scan.20030701-01-PSGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, does not follow "-" entries in the /etc/group file, which may cause subsequent group membership entries to be processed inadvertently.20030701-01-PMultiple buffer overflows in Lotus Domino Web Server before 6.0.1 allow remote attackers to cause a denial of service or execute arbitrary code via (1) the s_ViewName option in the PresetFields parameter for iNotes, (2) the Foldername option in the PresetFields parameter for iNotes, or (3) a long Host header, which is inserted into a long Location header and used during a redirect operation.Lotus Domino Web Server iNotes Overflow (#NISR17022003b)Lotus Domino Web Server vulnerable to buffer overflow via non-existent bid 6871Lotus Domino Host: header redirect buffer overflowhttp://www.nextgenss.com/advisories/lotus-hostlocbo.txthttp://www.nextgenss.com/advisories/lotus-inotesoflow.txtCA-2003-11VU#206361VU#542873N-065lotus-domino-inotes-bo(11336)687020030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b)20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)20030217 Domino Advisories UPDATE20030217 Domino Advisories UPDATE20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b)20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)Buffer overflow in the COM Object Control Handler for Lotus Domino 6.0.1 and earlier allows remote attackers to execute arbitrary code via multiple attack vectors, as demonstrated using the InitializeUsingNotesUserName method in the iNotes ActiveX control.Lotus iNotes Client ActiveX Control Buffer OverrunLotus Notes and Domino COM Object Control Handler contains buffer overflowbid 687220030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txthttp://www-1.ibm.com/support/docview.wss?uid=swg21104543CA-2003-11N-065lotus-notes-activex-bo(11339)20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)20030217 Domino Advisories UPDATE20030217 Domino Advisories UPDATELotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via an incomplete POST request, as demonstrated using the h_PageUI form.LOTUS DOMINO Denial Of Service Attacks 1 & 2CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and DominoLotus Domino Web Server vulnerable to denial of service via incomplete POST request20030218 More Lotus Domino Advisorieshttp://www.nextgenss.com/advisories/lotus-60dos.txthttp://www-1.ibm.com/support/docview.wss?uid=swg21104528N-065lotus-incomplete-post-dos(11360)6951Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via a "Fictionary Value Field POST request" as demonstrated using the s_Validation form with a long, unknown parameter name.LOTUS DOMINO Denial Of Service Attacks 1 & 2CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino20030218 More Lotus Domino Advisorieshttp://www-1.ibm.com/support/docview.wss?uid=swg21104528lotus-invalid-field-dos(11361)6951The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.Netfilter Security Advisory: Conntrack list_del() DoSbid 8331OVAL260oval:org.mitre.oval:def:260lv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories.RHSA-2003:169DSA-304RHSA-2003:167TLSA-2003-35OVAL430oval:org.mitre.oval:def:430The authentication module for Apache 2.0.40 through 2.0.45 on Unix does not properly handle threads safely when using the crypt_r or crypt functions, which allows remote attackers to cause a denial of service (failed Basic authentication with valid usernames and passwords) when a threaded MPM is used.20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 releasedRHSA-2003:186VU#47926877258881apache-aprpasswordvalidate-dos(12091)CLA-2003:661OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.OpenSSH/PAM timing attack allows remote users identificationOpenSSH/PAM timing attack allows remote users identificationbid 746720030430 OpenSSH/PAM timing attack allows remote users identification20030430 OpenSSH/PAM timing attack allows remote users identificationhttp://lab.mediaservice.net/advisory/2003-01-openssh.txtRHSA-2003:222RHSA-2003:22420030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)TLSA-2003-31OVAL445oval:org.mitre.oval:def:445Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 releasedBID: 8134Updated httpd packages fix Apache security vulnerabilitiesMDKSA-2003:075RHSA-2003:243SCOSA-2004.6OVAL169RHSA-2003:244oval:org.mitre.oval:def:169MDKSA-2003:075msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users to overwrite arbitrary files via a symlink attack on predictable temporary file names ("word$$.html").DSA-57511560111931302113022catdoc-xlsview-symlink(16335)tcpdump does not properly drop privileges to the pcap user when starting up.RHSA-2003:174RHSA-2003:151CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out.Updated CUPS packages fix denial of service attackDSA-317-1 cupsys -- denial of serviceMDKSA-2003:062SuSE-SA:2003:028TLSA-2003-33OVAL620030529 [slackware-security] CUPS DoS vulnerability fixed (SSA:2003-149-01)CLSA-2003:6787637oval:org.mitre.oval:def:6MDKSA-2003:062Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.samba -- buffer overflowbid 7295OpenPKG Security Advisory (samba)New samba packages fix security vulnerabilityMDKSA-2003:044OVAL56420030407 Immunix Secured OS 7+ samba updateoval:org.mitre.oval:def:564MDKSA-2003:044Buffer overflow gds_lock_mgr of Interbase Database 6.x allows local users to gain privileges via a long ISC_LOCK_ENV environment variable (INTERBASE_LOCK).Interbase ISC_LOCK_ENV overflowbid 726620030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflowMac OS X before 10.2.5 allows guest users to modify the permissions of the DropBox folder and read unauthorized files.bid 7324http://lists.apple.com/mhonarc/security-announce/msg00028.htmlBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.Buffer Overflow in Samba allows remote root compromisesamba -- buffer overflowbid 7294http://www.digitaldefense.net/labs/advisories/DDI-1013.txtSuSE-SA:2003:025MDKSA-2003:044RHSA-2003:13720030403-01-POVAL567OVAL2163VU#267873CLA-2003:62420030409 GLSA: samba (200304-02)20030407 Immunix Secured OS 7+ samba update20030408 [Sorcerer-spells] SAMBA--SORCERER2003-04-08oval:org.mitre.oval:def:567oval:org.mitre.oval:def:2163MDKSA-2003:044The (1) halstead and (2) gather_stats scripts in metrics 1.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files.metrics -- insecure temporary file creationmetrics tmpfile symlink attackbid 7293Buffer overflow in moxftp 2.2 and earlier allows remote malicious FTP servers to execute arbitrary code via a long FTP banner.moxftp arbitrary code execution poc/advisorybid 6921moxftp FTP welcome banner buffer overflowDSA-28120030223 moxftp arbitrary code execution poc/advisory813620030223 moxftp arbitrary code execution poc/advisory1006156KDE 2 and KDE 3.1.1 and earlier 3.x versions allows attackers to execute arbitrary commands via (1) PostScript (PS) or (2) PDF files, related to missing -dPARANOIDSAFER and -dSAFER arguments when using the kghostview Ghostscript viewer.PS/PDF file handling vulnerabilitykdegraphics -- insecure executionbid 7318http://bugs.kde.org/show_bug.cgi?id=56808http://bugs.kde.org/show_bug.cgi?id=53343DSA-293DSA-296MDKSA-2003:049RHSA-2003:002CLA-2003:668CLA-2003:74720030410 GLSA: kde-3.x (200304-04)20030411 GLSA: kde-2.x (200304-05)20030414 GLSA: kde-2.x (200304-05.1)20030412 [Sorcerer-spells] KDE-SORCERER2003-04-12MDKSA-2003:049gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the ticker title of a URI.Security problems in gkrellm-newstickerbid 7415gkrellm-newsticker -- missing quoting, incomplete parsergkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to cause a denial of service (crash) via (1) link or (2) title elements that contain multiple lines.Security problems in gkrellm-newstickerbid 7414gkrellm-newsticker -- missing quoting, incomplete parserps2epsi creates insecure temporary files when calling ghostscript, which allows local attackers to overwrite arbitrary files.gs-common -- insecure temporary filebid 7337Cross-site scripting (XSS) vulnerability in Macromedia Flash ad user tracking capability allows remote attackers to insert arbitrary Javascript via the clickTAG field.Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy BreachPrivacy and Macromedia Flash Ad Tracking20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy BreachInteger overflow in the TCP stream reassembly module (stream4) for Snort 2.0 and earlier allows remote attackers to execute arbitrary code via large sequence numbers in packets, which enable a heap-based buffer overflow.Heap overflow in Snort bid 717820030415 CORE-2003-0307: Snort TCP Stream Reassembly Integer Overflow Vulnerability20030423 Snort <=1.9.1 exploit20030422 GLSA: snort (200304-05)20030428 GLSA: snort (200304-06)DSA-297ESA-20030430-013MDKSA-2003:052CA-2003-13MDKSA-2003:052Buffer overflow in the administration service (CSAdmin) for Cisco Secure ACS before 3.1.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long user parameter to port 2002.Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACSbid 7413Cisco Secure Access Control Server for Windows Admin Buffer Overflow VulnerabilityVU#69704920030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACSMemory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections.xinetd leaks memorybid 7382Xinetd 2.3.10 Memory LeaksRHSA-2003:160MDKSA-2003:056OVAL657CLA-2003:782oval:org.mitre.oval:def:657MDKSA-2003:056handleAccept in rinetd before 0.62 does not properly resize the connection list when it becomes full and sets an array index incorrectly, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of connections.Vulnerability in rinetdbid 7377rinetd -- incorrect memory resizingctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.PoPToP PPTP server remotely exploitable buffer overflowpptpd -- buffer overflowbid 7316Exploit for PoPToP PPTP serverSuSE-SA:2003:029VU#67399320030428 GLSA: pptpd (200304-08)20030422 Re: Exploit for PoPToP PPTP server - Linux versionrun-mailcap in mime-support 3.22 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.mime-support -- insecure temporary file creationSQL injection vulnerability in bttlxeForum 2.0 beta 3 and earlier allows remote attackers to bypass authentication via the (1) username and (2) password fields, and possibly other fields.SQL injection in BttlxeForumbttlxeForum Input Validation Flaw in Login Process Lets Remote Users Gain Access Without AuthenticatingSQL injection attack allowing users to gain full control over the forum softwarebid 74161006632Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to bypass authentication and gain access to the enable mode without a password.Cisco Catalyst Enable Password Bypass Vulnerability20030424 Cisco Security Advisory: Cisco Catalyst Enable Password Bypass VulnerabilityVU#443257Cross-site scripting (XSS) vulnerability in Neoteris Instant Virtual Extranet (IVE) 3.01 and earlier allows remote attackers to insert arbitrary web script and bypass authentication via a certain CGI script.XSS In Neoteris IVE Allows Session Hijackingbid 7510Buffer overflow in PostMethod() function for Monkey HTTP Daemon (monkeyd) 0.6.1 and earlier allows remote attackers to execute arbitrary code via a POST request with a large body.GLSA: monkeyd (200304-07.1)Monkey HTTPd Remote Buffer Overflowbid 7202http://monkeyd.sourceforge.net/Changelog.txt20030420 Monkey HTTPd Remote Buffer OverflowKerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute administrator commands by sniffing packets from a valid session and replaying them against the remote administration server. Vulnerabilities in Kerio Personal FirewallVU#641012717920030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal FirewallBuffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.Vulnerabilities in Kerio Personal FirewallVU#454716718020030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal FirewallThe (1) dupatch and (2) setld utilities in HP Tru64 UNIX 5.1B PK1 and earlier allows local users to overwrite files and possibly gain root privileges via a symlink attack.SSRT34717452tru64-dupatch-setld-symlink(11892)Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter.Buffer Overflow in Oracle Net Services for Oracle Database Serverbid 745320030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003)N-085oracle-database-link-bo(11885)20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003)Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.MS03-018OVAL66oval:org.mitre.oval:def:66Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun."MS03-018OVAL48320030530 NSFOCUS SA2003-05: Microsoft IIS ssinc.dll Over-long Filename Buffer Overflow Vulnerabilityoval:org.mitre.oval:def:483The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page.MS03-018http://www.aqtronix.com/Advisories/AQ-2003-01.txtOVAL37320030418 Microsoft Active Server Pages DoSoval:org.mitre.oval:def:373Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled.20030528 Internet Information Services 5.0 Denial of serviceMS03-018OVAL93320030528 Internet Information Services 5.0 Denial of service20030529 IIS WEBDAV Denial of Service attacksoval:org.mitre.oval:def:933The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.MS03-019OVAL936OVAL96620030528 MS03-019: DoS or Code of Choice20030528 Re: Alert: MS03-019, Microsoft... wrong, again.20030528 RE: Alert: MS03-019, Microsoft... wrong, again.oval:org.mitre.oval:def:936oval:org.mitre.oval:def:966Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.Windows Media Player directory traversal vulnerabilityFlaw in Windows Media Player Skins Downloading could allow Code Execution (817787)bid 7517OVAL321VU#384932mediaplayer-skin-code-execution(11953)20030507 Windows Media Player directory traversal vulnerability20030508 why i love xs4all + mediaplayer thingieoval:org.mitre.oval:def:321Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability.BID: 8276MS03-031OVAL235VU#556356oval:org.mitre.oval:def:235Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe.BID: 8274A072303-2MS03-031OVAL299VU#918652oval:org.mitre.oval:def:299Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow.BID: 8275A072303-3MS03-031OVAL303VU#584868oval:org.mitre.oval:def:303Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115.Internet Explorer Plugin.ocx heap overflow (#NISR24042003)Cumulative Patch for Internet Explorer (813489)bid 7420Microsoft Internet Explorer plug-in.ocx Load method buffer overflowOVAL1094oval:org.mitre.oval:def:1094Format string vulnerability in POP3 client for Mirabilis ICQ Pro 2003a allows remote malicious servers to execute arbitrary code via format strings in the response to a UIDL command.Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a clientbid 746120030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clienticq-pop3-format-string(11938)20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clientInteger signedness errors in the POP3 client for Mirabilis ICQ Pro 2003a allow remote attackers to execute arbitrary code via the (1) Subject or (2) Date headers.Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a clientbid 7462bid 746320030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clienticq-pop3-email-bo(11939)20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clientThe "ICQ Features on Demand" functionality for Mirabilis ICQ Pro 2003a does not properly verify the authenticity of software upgrades, which allows remote attackers to install arbitrary software via a spoofing attack.Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a clientbid 746420030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clienticq-features-no-auth(11944)20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clientThe Message Session window in Mirabilis ICQ Pro 2003a allows remote attackers to cause a denial of service (CPU consumption) by spoofing the address of an ADS server and sending HTML with a -1 width in a table tag.Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a clientbid 746520030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clienticq-table-tag-dos(11947)20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clienticqateimg32.dll parsing/rendering library in Mirabilis ICQ Pro 2003a allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a clientbid 746620030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clienticq-gif89a-header-dos(11948)20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ clientThe web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrictions and modify configuration via an HTTP request to the admin/admin.shtml containing a leading // (double slash).VU#799060765210068548876axis-admin-authentication-bypass(12104)20030527 CORE-2003-0403: Axis Network Camera HTTP Authentication Bypass4804FrontRange GoldMine mail agent 5.70 and 6.00 before 30503 directly sends HTML to the default browser without setting its security zone or otherwise labeling it untrusted, which allows remote attackers to execute arbitrary code via a message that is rendered in IE using a less secure zone.20030528 SECNAP Security Advisory: Invalid HTML processing in GoldMine(tm)IPSec in Mac OS X before 10.2.6 does not properly handle certain incoming security policies that match by port, which could allow traffic that is not explicitly allowed by the policies.VU#869548762810067968798macos-ipsec-acl-bypass(12027)Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter for the (1) normal_html.cgi or (2) member_html.cgi scripts.Happymall E-Commerce Input Validation Flaw Lets Remote Users Execute Arbitrary Commandsbid 7530bid 752920030507 Happymall E-Commerce Remote Command Execution1006707The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.Updated kernel fixes security vulnerabilities and updates driversDSA-311-1 linux-kernel-2.4.18 -- several vulnerabilitiesDate Reported:20030517 Algorithmic Complexity Attacks and the Linux Networking Codehttp://www.enyo.de/fw/security/notes/linux-dst-cache-dos.htmlRHSA-2003:147RHSA-2003:172ESA-20030515-017DSA-312DSA-332DSA-336DSA-442MDKSA-2003:066MDKSA-2003:07420030618 [slackware-security] 2.4.21 kernels available (SSA:2003-168-01)OVAL26176018786data-algorithmic-complexity-dos(15382)oval:org.mitre.oval:def:261MDKSA-2003:066MDKSA-2003:074Vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library for Apache 2.0.37 through 2.0.45 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors.20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 releasedRHSA-2003:186Apache Portable Runtime contains heap buffer overflow in apr_psprintf()Apache HTTP Server apr_psprintf code execution20030530 iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerabilityhttp://www.idefense.com/advisory/05.30.03.txt MDKSA-2003:0637723CLA-2003:661MDKSA-2003:063The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.RHSA-2003:172ESA-20030515-017bid 7600DSA-311-1 linux-kernel-2.4.18 -- several vulnerabilitiesRHSA-2003:147DSA-312DSA-332DSA-336DSA-442MDKSA-2003:066MDKSA-2003:074TLSA-2003-4120030520 Linux 2.4 kernel ioperm vulnOVAL278oval:org.mitre.oval:def:278MDKSA-2003:066MDKSA-2003:074Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").Updated 2.4 kernel fixes vulnerabilities and driver bugsDSA-311-1 linux-kernel-2.4.18 -- several vulnerabilitiesRHSA-2003:195RHSA-2003:198DSA-312DSA-332DSA-336DSA-442MDKSA-2003:066MDKSA-2003:074TLSA-2003-41OVAL284oval:org.mitre.oval:def:284MDKSA-2003:066MDKSA-2003:074The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.DSA-332DSA-336DSA-442MDKSA-2003:074TLSA-2003-41OVAL292oval:org.mitre.oval:def:292MDKSA-2003:066MDKSA-2003:074Updated 2.4 kernel fixes vulnerabilities and driver bugsDebian Security Advisory DSA-311-1 linux-kernel-2.4.18 -- severalUpdated kernel packages fix multiple vulnerabilitiesRHSA-2003:195DSA-312** DISPUTED ** PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report."20030625 PHP/Apache .htaccess Authentication Bypass Vulnerabilityypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block.RHSA-2003:173MDKSA-2003:072MDKSA-2003:07255600TLSA-2003-43OVAL667HPSBTU021328031ADV-2006-2873101651721112RHSA-2003:201oval:org.mitre.oval:def:667MDKSA-2003:072Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.20030714 Linux nfs-utils xlog() off-by-one bug20030714 Linux nfs-utils xlog() off-by-one bug20030714 Reality of the rpc.mountd bug20030715 [slackware-security] nfs-utils packages replaced (SSA:2003-195-01b)20030716 Immunix Secured OS 7+ nfs-utils update -- bugtraqhttp://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txtDSA-349RHSA-2003:206RHSA-2003:207SuSE-SA:2003:031MDKSA-2003:076TLSA-2003-44OVAL443VU#258564817910071879259nfs-utils-offbyone-bo(12600)oval:org.mitre.oval:def:443MDKSA-2003:076The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 releasedUpdated httpd packages fix Apache security vulnerabilitiesMDKSA-2003:075OVAL173oval:org.mitre.oval:def:173MDKSA-2003:075Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 releasedUpdated httpd packages fix Apache security vulnerabilitiesMDKSA-2003:075OVAL183oval:org.mitre.oval:def:183MDKSA-2003:075The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.Key validity bug in GnuPG 1.2.1 and earlierUpdated gnupg packages fix validation bugRHSA-2003:176MDKSA-2003:061OVAL135VU#39760474974947gnupg-invalid-key-acceptance(11930)TLSA200334CLA-2003:694ESA-20030515-01620030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg)20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04)oval:org.mitre.oval:def:13520030515-016MDKSA-2003:061The GnuPG plugin in kopete before 0.6.2 does not properly cleanse the command line when executing gpg, which allows remote attackers to execute arbitrary commands.kopetebid 7536MDKSA-2003:055CLA-2003:665MDKSA-2003:055Format string vulnerability in the printer capability for IBM AIX .3, 5.1, and 5.2 allows local users to gain printq or root privileges.Printer commands format string vulnerabilityIBM AIX print utilities format string attackbid 7604Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 3.5.x through 4.0.REL, when enabling IPSec over TCP for a port on the concentrator, allow remote attackers to reach the private network without authentication.Cisco VPN 3000 Concentrator Vulnerabilitiesbid 7516VU#727780cisco-vpn-unauth-access(11954)Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7 allows remote attackers to cause a denial of service (reload) via a malformed SSH initialization packet.Cisco, VPN 3000 Concentrator, Vulnerabilitiesbid 7522VU#317348cisco-vpn-ssh-dos(11955)Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7A allow remote attackers to cause a denial of service (slowdown and possibly reload) via a flood of malformed ICMP packets.Cisco VPN 3000 Concentrator Vulnerabilitiesbid 7523VU#221164cisco-vpn-icmp-dos(11956)fuzz 0.6 and earlier creates temporary files insecurely, which could allow local users to gain root privileges.fuzz -- privilege escalationbid 7521leksbot 1.2.3 in Debian GNU/Linux installs the KATAXWR as setuid root, which allows local users to gain root privileges by exploiting unknown vulnerabilities related to the escalated privileges, which KATAXWR is not designed to have.leksbot -- improper setuid-root execution7505kataxwr-gain-privileges(11945)Multiple buffer overflows in Floosietek FTGate Pro Mail Server (FTGatePro) 1.22 allow remote attackers to execute arbitrary code via long (1) MAIL FROM or (2) RCPT TO commands.Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328)bid 7506bid 750820030506 Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328)ftgate-mailfrom-rcptto-bo(11951)Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.Multiple Buffer Overflows in SLMail20030507 Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A)20030507 Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A)Race condition in SDBINST for SAP database 7.3.0.29 creates critical files with world-writable permissions before initializing the setuid bits, which allows local attackers to gain root privileges by modifying the files before the permissions are changed.bid 742120030507 SAP database local root vulnerability during installation. (fwd)Multiple buffer overflows in SLWebMail 3 on Windows systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long Language parameter to showlogin.dll, (2) a long CompanyID parameter to recman.dll, (3) a long CompanyID parameter to admin.dll, or (4) a long CompanyID parameter to globallogin.dll.Multiple Vulnerabilities in SLWebMail20030507 Multiple Vulnerabilities in SLWebmail20030507 Multiple Vulnerabilities in SLWebmailShowGodLog.dll in SLWebMail 3 on Windows systems allows remote attackers to read arbitrary files by directly calling ShowGodLog.dll with an argument specifying the full path of the target file.bid 7513Multiple Vulnerabilities in SLWebMail20030507 Multiple Vulnerabilities in SLWebmail20030507 Multiple Vulnerabilities in SLWebmailSLWebMail 3 on Windows systems allows remote attackers to identify the full path of the server via invalid requests to DLLs such as WebMailReq.dll, which reveals the path in an error message.Multiple Vulnerabilities in SLWebMail20030507 Multiple Vulnerabilities in SLWebmail20030507 Multiple Vulnerabilities in SLWebmailBuffer overflow in youbin allows local users to gain privileges via a long HOME environment variable.youbin local root exploit + advisorybid 750320030506 youbin local root exploit + advisory20030506 youbin local root exploit + advisoryyoubin-home-bo(11949)20030506 youbin local root exploit + advisoryThe administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections.A051203-1bid 755410067428773airport-auth-credentials-disclosure(11980)Buffer overflow in Personal FTP Server allows remote attackers to execute arbitrary code via a long USER argument.Personal FTP ServerRemote Stack Overflow exploit for Personal FTPDhttp://security.nnov.ru/search/document.asp?docid=4309admin.php in miniPortail allows remote attackers to gain administrative privileges by setting the miniPortailAdmin cookie to an "adminok" value.miniPortail (PHP) : Admin Accessbid 7532http://www.frog-man.org/tutos/miniPortail.txtCross-site scripting (XSS) vulnerability in the web interface for Request Tracker (RT) 1.0 through 1.0.7 allows remote attackers to execute script via message bodies.w: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacksbid 750920030508 Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacksBuffer overflow in catmail for ListProc 8.2.09 and earlier allows remote attackers to execute arbitrary code via a long ULISTPROC_UMASK value.ListProc mailing list ULISTPROC_UMASK overflowbid 7533SSI.php in YaBB SE 1.5.2 allows remote attackers to execute arbitrary PHP code by modifying the sourcedir parameter to reference a URL on a remote web server that contains the code.20030509 II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)Buffer overflow in Pi3Web 2.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GET request with a large number of / characters.Pi3Web 2.0.1 DoSUnix Version of the Pi3web DoS7555pi3web-get-request-bo(11889)Directory traversal vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the file parameter.7559happymall-dotdot-directory-traversal(11987)20030512 One more flaw in HappymallCross-site scripting (XSS) vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to insert arbitrary web script via the file parameter.One more flaw in Happymall7557happymall-normalhtml-xss(11988)Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allows remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php.Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!)7558phpnuke-web-sql-injection(11984)20030513 More and More SQL injection on PHP-Nuke 6.5.7588Multiple buffer overflows in the SMTP Service for ESMTP CMailServer 4.0.2003.03.27 allow remote attackers to execute arbitrary code via long (1) MAIL FROM or (2) RCPT TO commands.Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.020030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.075477548cmailserver-smtp-bo(11975)Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows local users to execute arbitrary code via a long INTERBASE environment variable when calling (1) gds_inet_server, (2) gds_lock_mgr, or (3) gds_drop.Firebird Local exploit20020617 Interbase 6.0 malloc() issuesGLSA-200405-1875468758firebird-interbase-bo(11977)Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.unzip directory traversal revisitedInfo-ZIP UnZip Encoded Character Hostile Destination Path VulnerabilityUpdated unzip packages fix trojan vulnerabilityRHSA-2003:200IMNX-2003-7+-017-01MDKSA-2003:073DSA-344TLSA-2003-42CSSA-2003-031.0OVAL619N-111unzip-dotdot-directory-traversal(12004)CLA-2003:67220030710 [OpenPKG-SA-2003.033] OpenPKG Security Advisory (infozip)oval:org.mitre.oval:def:619MDKSA-2003:073Cross-site scripting (XSS) vulnerability in Phorum before 3.4.3 allows remote attackers to inject arbitrary web script and HTML tags via a message with a "<<" before a tag name in the (1) subject, (2) author's name, or (3) author's e-mail.20030509 Re: A Phorum's bug...7545phorum-message-html-injection(11974)20030509 A Phorum's bug...